26 February 2002
SSH (Secure Shell) is first and foremost a secure replacement for the r* programs (rlogin, rsh, rcp, rexec). It is secure because it uses all kinds of encryption tomfoolery so that clear text is never sent over the network; it uses RSA keys to authenticate the user to the server, and it also uses RSA keys to authenticate the server to the user. I am assuming that you're using the Unix version of ssh (seeing as this is written for the consumption of the Irish Linux Users Group, and that Windows SSH is both commercial and crap, I think that's a valid assumption).

Download yourself a copy of the latest ssh from ftp://ftp.cs.hut.fi/pub/ssh/ to begin with (version 1.2.26 as of this writing). After untarring the package, type:

./configure
make
make install

the standard installation procedure for any good GNU source package. All you have to do now is run sshd to start the standalone ssh daemon listening on port 22 of your server. There's your basic ssh setup: type ssh host to log in to host with your standard Unix password. X clients are automatically forwarded through the encrypted channel to your display, and you can get a help screen of ssh escape sequences by typing ~?.

If you get adventurous and try sshing to other servers, be warned that you'll be told that the host key is not found in the list of known hosts. This is the public key found in the host's /etc/ssh_host_key.pub file. If you continue to connect, this key will be added to your $HOME/.ssh/known_hosts file. The rationale behind this is that if somebody else ever masquerades as this host, the host key will differ from the entry in known_hosts and ssh will instantly notice and tell you so. Note that this protection only starts with the second connection: the first time you connect, you are trusting that the key you are shown really belongs to that host. The ssh package comes with a script called make-ssh-known-hosts which looks up all the hosts in a DNS domain and adds their host keys to the /etc/ssh_known_hosts file, which is also checked by ssh.
The programs themselves:
sshd is configured via the /etc/sshd_config file. I recommend you look at the man page to pick out all the gory details; it lets you do things like only allow/deny certain hosts or users login access using ssh, set idle timeouts, specify what kind of authentication you want (Unix password, rhosts or RSA, which I'll come back to later) and Kerberos authentication. Most of these options are already in the default config file, so you can just modify that as you like.

ssh reads $HOME/.ssh/config and the global configuration file /etc/ssh_config when it starts up. Yet again, read the man page for details; most of it is pretty straightforward except for the TCP forwarding options -L and -R. This assumes that you can log in to a remote host via ssh. If so, then you can use ssh as a secure channel to access unencrypted remote network services such as ftp or pop (it's also a handy way of getting around firewalls).
ssh -L 12345:poo.smooch:21 poo.smooch

will make an ssh connection to host poo.smooch. If poo.smooch has sshd running, you will be presented with what appears to be a normal login session. Behind the scenes, however, ssh is listening on port 12345 on your local machine, and any connection to that port will be forwarded over your ssh session; an unencrypted session is then initiated from the remote side of your ssh session to port 21 on poo.smooch, so that as far as the remote ftp server is concerned, somebody just ran a normal ftp session from poo.smooch to itself. Only the leg between your machine and poo.smooch is encrypted; the final hop to port 21 is in the clear on the remote side. ssh -R does the same thing, only in reverse: the listening port is opened on the remote host and connections to it are forwarded back to your local side.
ssh-keygen is the program used for generating RSA key pairs. Run

ssh-keygen -f /etc/ssh_host_key -N ''

if you need to generate new /etc/ssh_host_key and /etc/ssh_host_key.pub files (make install generates these for you by default). Running ssh-keygen on its own, you are asked for a passphrase; this can allegedly be any length you want, and it is the passphrase you use to log in to a host if you enable RSA authentication in the sshd configuration file. It generates two files, $HOME/.ssh/identity and $HOME/.ssh/identity.pub. These are your default RSA identity keys (you can create different identities by running ssh-keygen -f identity_file, then use them by running ssh -i identity_file host). Appending identity.pub to $HOME/.ssh/authorized_keys of any account on any computer allows you the luxury of logging into that account with your RSA passphrase. It also has the added security that somebody must also possess your identity file before the passphrase would work. Another cool thing with authorized_keys is that you can prepend options to the start of a public key, so that if somebody logs into an account with the corresponding passphrase and identity file, those options can do things like allow connections only from certain hosts, deny certain types of ssh forwarding, set environment variables or just execute certain commands.
from="localhost",command="echo potatoes" 1024 37 1508741801398651929640224012546535610929088627123641067454302800019367830331042978392793032882068267356835208559645281326600021348047556742264717923436424666380126175318056221651577381390354174324875569562282388841215461967747306264512133824950867780163103346852443969586540662278753805239109285435911112158 01 root@poo.smooch

The above line in my $HOME/.ssh/authorized_keys (the modulus is a single long number and sits on one line in the file) will allow only people logging in from localhost to use that identity, and it'll simply say potatoes and log you off. The root@poo.smooch part is just a comment that ssh-keygen puts in; it doesn't do anything.

ssh-agent is a daemon that stores a user's authentication keys and passphrase so that when that user runs ssh, ssh-agent automatically does the RSA authentication for that user, saving him the bother of entering the passphrase himself. What you do is run ssh-agent with an arbitrary command (usually a shell) as its argument. Now command and all its child ssh sessions can be automatically authenticated by ssh-agent, but ssh-agent authenticates nothing by default. You need to run ssh-add [file], where file contains a private identity key such as those generated by ssh-keygen ($HOME/.ssh/identity is the default if no file is specified). You'll be asked to enter the passphrase for that private key. From now on, any ssh session that uses that identity will be automatically authenticated. You can add as many identities as you like; ssh-add -l lists the ones currently loaded in ssh-agent.
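To make the authorized_keys option syntax described above concrete, here is an added example (not from the original article) in Python: a parser for SSH 1.x authorized_keys lines that separates the comma-separated options from the bits/exponent/modulus/comment fields, copes with quoted values that contain spaces or escaped quotes, and lists the keys that carry no from= restriction. The sample lines and their short moduli are constructed, not real keys.

```python
import re
from collections import namedtuple

# Constructed sample in the SSH 1.x authorized_keys format the article describes:
# [options] bits exponent modulus [comment]. Moduli are short made-up numbers.
SAMPLE = """\
# comment lines are ignored
from="localhost",command="echo potatoes" 1024 37 150874180139865 root@poo.smooch
1024 35 984712364912734 plop@poo.smooch
from="*.smooch,!bad.smooch",no-port-forwarding 1024 37 77331299 backup
"""

# options maps option name -> value ("" for flags such as no-port-forwarding)
AuthorizedKey = namedtuple("AuthorizedKey", "bits exponent modulus comment options")

# One option: a name, optionally ="value"; \" inside the value is allowed.
_OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?')

def split_options(line):
    """Return (options_text, rest). Options end at the first blank outside
    quotes, so command="echo potatoes" keeps its internal space."""
    if line[0].isdigit():  # a line without options starts with the bit count
        return "", line
    in_quote, i = False, 0
    while i < len(line) and (in_quote or not line[i].isspace()):
        if in_quote and line[i] == "\\":
            i += 1  # skip the escaped character
        elif line[i] == '"':
            in_quote = not in_quote
        i += 1
    return line[:i], line[i:].lstrip()

def parse_line(line):
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opt_text, rest = split_options(line)
    options = {m.group(1): m.group(2) or "" for m in _OPTION.finditer(opt_text)}
    fields = rest.split(None, 3)  # bits exponent modulus [comment]
    if len(fields) < 3:
        raise ValueError(f"malformed key line: {line!r}")
    comment = fields[3] if len(fields) > 3 else ""
    return AuthorizedKey(int(fields[0]), int(fields[1]), int(fields[2]), comment, options)

def unrestricted_keys(text):
    """Comments of keys without a from= option: usable from any host by
    whoever holds the matching identity file and passphrase."""
    return [k.comment for k in map(parse_line, text.splitlines())
            if k and "from" not in k.options]
```

Running unrestricted_keys over a real authorized_keys file is a quick way to see which identities are not pinned to a source host.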
scp is the ssh version of rcp, which lets you copy a file to a remote host:

scp $HOME/.ssh/identity plop@poo.smooch:.ssh/identity

would copy my identity file to my account on host poo.smooch. (Note that $HOME/.ssh/identity is the private half of the key pair; for logging in, the remote side only needs identity.pub appended to authorized_keys as described above.) slogin is just a symlink to ssh.

Addendums
Credits:
About the author, Ka Chun Leung.