Differences between revisions 1 and 44 (spanning 43 versions)
Revision 1 as of 2007-10-06 11:45:12
Size: 28
Editor: ?LaurenzWiskott
Comment:
Revision 44 as of 2013-01-21 14:51:06
Size: 11658
Editor: VincentBlut
Comment: German translation link added (sorted by name)
## page was renamed from ssh
#language en
~-[[DebianWiki/EditorGuide#translation|Translation(s)]]: [[de/SSH|Deutsch]] - English - [[fr/SSH|Français]] - [[it/SSH|Italiano]] -~

<<TableOfContents>>

ToDo: merge (and translate) this page and the French one (more complete)

== Introduction ==
'''SSH''' stands for '''S'''ecure '''Sh'''ell and is a protocol for secure remote login and other secure network services over an insecure network<<FootNote(http://tools.ietf.org/html/rfc4252)>>.
See [[WikiPedia:Secure_Shell|Wikipedia - Secure Shell]] for more general information, and DebPkg:ssh, DebPkg:lsh-client or DebPkg:dropbear for the SSH software implementations, of which [[http://www.openssh.org/|OpenSSH]] is the most popular and most widely used<<FootNote(http://www.openssh.org/users.html)>>.
SSH replaces the unencrypted [[WikiPedia:Telnet|telnet]], [[WikiPedia:Rlogin|rlogin]] and [[WikiPedia:Remote_shell|rsh]] and adds many features.

In this document we'll be using the OpenSSH command suite. It is also assumed that the following two variables are defined:

{{{
remote_host=<the remote computer>
remote_user=<your user name on $remote_host>
}}}
So, if you want to use the recipes below, first set these variables to the remote computer name and your user name on that computer. Cutting and pasting the commands below should then work. remote_host may also be an IP address.

== Installation ==

=== Installation of the client ===
Normally the client is installed by default. If not, run as root:

{{{
apt-get install openssh-client
}}}

=== Installation of the server ===

The server allows remote connections to the machine and is installed by running as root:

{{{
apt-get install openssh-server
}}}

== Configuration files ==

The main configuration files are in the directory ''/etc/ssh'':

 * '''ssh_config''' : client configuration file
 * '''sshd_config''' : server configuration file

In addition this directory contains the private/public key pairs
identifying your host:

 * ssh_host_dsa_key
 * ssh_host_dsa_key.pub
 * ssh_host_rsa_key
 * ssh_host_rsa_key.pub

Since OpenSSH 5.7<<FootNote(http://openbsd.das.ufsc.br/openssh/txt/release-5.7)>>, a new private/public key pair is available:

 * ssh_host_ecdsa_key
 * ssh_host_ecdsa_key.pub

== Remote login ==

=== With password ===

If you want to log in to $remote_host as user $remote_user, simply type

{{{
ssh $remote_user@$remote_host
}}}

and then type in your password.

If the user names on the local and the remote computer are identical, you can drop the $remote_user@ part and simply write

{{{
ssh $remote_host
}}}

If this is the first time you log in to the remote computer, ssh will ask you whether you are sure you want to connect to it. Answer 'yes' after you have verified the remote computer's host key fingerprint, type in your password, and ssh will connect you to the remote host.

=== Using shared keys ===

One of the functions of ssh is the use of a private/public key pair for connecting to a remote host. This method allows you to log in to a remote host without typing your password every time. To do this you must generate a private/public key pair on your local machine and deposit the public key on the remote host.

To generate the key pair, use the program ssh-keygen:

{{{
ssh-keygen -t rsa
}}}

This program generates a private/public key pair in the directory ~/.ssh. It first asks for the destination files for the keys, which by default are located in ~/.ssh, and then requests a passphrase.

Note: We recommend not leaving the passphrase empty. Otherwise an attacker who gets hold of your private key can connect to every host where you deposited your public key, since no passphrase is needed to use the key. Choose a long and complex passphrase.

Your private key is id_rsa (never give it to anyone else); the public key is id_rsa.pub.

You copy your public key to a remote host with the command '''ssh-copy-id''':

{{{
ssh-copy-id -i ~/.ssh/id_rsa.pub $remote_user@$remote_host
}}}

Now you can simply connect to the remote host: you are asked for the passphrase and then logged in. For new connections during the same session the passphrase is not asked for again.

== Securing ==

By default an SSH server is relatively secure. With the help of some configuration options and external utilities it is possible to make it even harder for ''crackers''.

/!\ Keeping the package DebPkg:openssh-server at its latest version protects against known security holes.

=== Configuration Options ===

(!) To change the parameters, edit the file /etc/ssh/sshd_config and then restart the ssh server with
{{{
invoke-rc.d ssh restart
}}}

 * Deactivate password authentication (''UsePAM no'').
 * Deactivate login with the root account (''!PermitRootLogin no'').
 * Only allow login by certain users or groups (''!AllowUsers'' and ''!AllowGroups'').

{i} The options ''!AllowUsers'' and ''!AllowGroups'' do not by themselves improve the security of an SSH server, but in certain cases they allow it to resist a ''brute force'' attack a little longer.
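A small audit script for the options discussed above, added here as an example (it is not code from this page or from the OpenSSH project). It reads an sshd_config the way sshd does (keywords are case-insensitive and the first value found wins) and reports which of the recommended settings are missing; the two sample configurations are constructed inline, so it runs offline. Besides the page's ''UsePAM no'' it also checks ''!PasswordAuthentication no'', a directive not mentioned on the page that switches off password logins regardless of PAM.

```shell
#!/bin/sh
# Added example, not from the Debian wiki page: audit an sshd_config against the
# hardening options recommended above. On a real server run it on
# /etc/ssh/sshd_config and compare with `sshd -T`, which prints the effective
# configuration (Match blocks are not distinguished by this simple parser).

# directive FILE KEY -> prints the lower-cased value of KEY, or nothing if unset.
# sshd matches keywords case-insensitively and uses the first value it finds.
directive() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one line per missing or unsafe setting and returns the number of
# findings (0 means every recommended setting is present).
audit_sshd_config() {
    conf="$1"
    findings=0

    # Page recommendation: UsePAM no.
    [ "$(directive "$conf" UsePAM)" = "no" ] ||
        { echo "UsePAM is not 'no'"; findings=$((findings + 1)); }

    # Not on the page: PasswordAuthentication no is the directive that turns
    # off password logins regardless of PAM, so it is checked as well.
    [ "$(directive "$conf" PasswordAuthentication)" = "no" ] ||
        { echo "PasswordAuthentication is not 'no'"; findings=$((findings + 1)); }

    # Page recommendation: PermitRootLogin no.
    [ "$(directive "$conf" PermitRootLogin)" = "no" ] ||
        { echo "PermitRootLogin is not 'no'"; findings=$((findings + 1)); }

    # Page recommendation: restrict logins with AllowUsers or AllowGroups.
    if [ -z "$(directive "$conf" AllowUsers)" ] &&
       [ -z "$(directive "$conf" AllowGroups)" ]; then
        echo "neither AllowUsers nor AllowGroups is set"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: a default-looking config with a risky root login override.
weak_conf=$(mktemp)
cat > "$weak_conf" <<'EOF'
Port 22
PermitRootLogin yes
UsePAM yes
EOF

# Constructed sample: the same file with the recommendations applied.
hardened_conf=$(mktemp)
cat > "$hardened_conf" <<'EOF'
Port 22
PermitRootLogin no
UsePAM no
PasswordAuthentication no
AllowGroups sshusers
EOF

audit_sshd_config "$weak_conf" || echo "weak config: $? finding(s)"        # 4
audit_sshd_config "$hardened_conf" && echo "hardened config: no findings"  # 0
```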

=== External Utilities ===

 * DebianPkg:fail2ban : automatically blacklists, with the help of DebianPkg:iptables, IP addresses attempting to ''brute force'' an SSH server.
 * DebianPkg:denyhosts : like DebianPkg:fail2ban, DebianPkg:denyhosts blocks IP addresses trying to brute force an ssh login. In contrast to DebPkg:fail2ban it does not use DebPkg:iptables but the file ''/etc/hosts.deny''.

== Additional Functions ==

== Additional Commands ==

=== scp ===
''scp'' is a command line utility for transferring files between two machines.

 * Sending a file:
{{{
scp $source_file $remote_user@$remote_host:$destination_file
}}}
 * Copying a file to the local machine:
{{{
scp $remote_user@$remote_host:$source_file $destination_file
}}}

=== sftp ===
[empty for now]

==== text mode ====
[empty for now]

==== graphical mode ====
[empty for now]

=== clusterssh ===
[empty for now]

=== ssh-agent and ssh-add ===
''ssh-agent'' is a useful utility for managing private keys: one adds a private key with ''ssh-add'' and enters the passphrase for that key once. Whenever the private key is used later on for remote login, the client asks ssh-agent for the key instead of asking for the passphrase.

 * Adding a key: '''ssh-add $private_key'''
 * List the added keys: '''ssh-add -l'''
 * Remove all keys from the knowledge of ''ssh-agent'': '''ssh-add -D'''

[ToDo: French version is a bit different here.]

=== keychain ===

''DebPkg:keychain'', provided by the package DebPkg:keychain, is a shell script that allows the ssh agent to be used in multiple sessions on the same computer. After its first start ssh-agent creates a permanent socket through which ssh communicates with it, but this socket is referenced only in the environment of the session in which the agent was started. Keychain detects the running agent and propagates access to it to other sessions; this allows a single instance of ssh-agent per user on a machine.

=== ssh-askpass ===

''DebPkg:ssh-askpass'' is a utility that simplifies prompting for the passphrase of a private key when it is used. Several implementations exist:

   * '''x11-ssh-askpass''' : version for X11
   * '''kaskpass''' : integration of ssh-askpass into the KDE environment
   * '''ssh-askpass-gnome''' : integration of ssh-askpass into the Gnome environment

=== libpam-usb ===
''DebianPkg:libpam-usb'' is a utility allowing authentication with a USB stick. This package includes a useful utility, ''pamusb-agent'', which, once correctly configured, loads the SSH keys present on the USB stick when it is connected and unloads them when it is disconnected.

----

== Remote commands ==
If you just want to run one command on the remote computer, you don't need to log in interactively. You can tell ssh to run the command directly, for instance

{{{
ssh $remote_user@$remote_host 'ls *.txt'
}}}
lists all files with extension .txt on the remote computer. This works with single quotes '...' as shown here, with double quotes "...", and without quotes. There may be differences between these three cases, though, which are not yet documented here.
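The difference between the three quoting styles is which shell, local or remote, expands the command. The example below is added here and is not code from this page: remote_command is a stand-in for ssh that, like ssh, joins its arguments with spaces into the single string the remote login shell would parse, so the effect can be seen without a network; the working directory and its files are constructed.

```shell
#!/bin/sh
# Added example, not from the Debian wiki page: shows what the remote shell
# would receive for the three quoting styles of `ssh host ls *.txt`.

# remote_command USER@HOST WORD... -> prints the command string as ssh would
# send it: the remaining words joined by single spaces ("$*").
remote_command() {
    shift                # drop the user@host argument
    printf '%s\n' "$*"
}

# Constructed local working directory holding two .txt files.
work=$(mktemp -d)
cd "$work"
: > a.txt
: > b.txt
remote_user=alice
remote_host=example.invalid   # placeholder, never contacted

# 1. Single quotes: the local shell passes 'ls *.txt' through untouched, so
#    the glob is expanded on the remote host (the behaviour one usually wants).
quoted_case() {
    remote_command "$remote_user@$remote_host" 'ls *.txt'
}

# 2. Double quotes: the glob is still passed literally, but $variables and
#    backquotes inside are expanded by the LOCAL shell before ssh sees them.
double_quoted_case() {
    remote_command "$remote_user@$remote_host" "ls *.txt"
}
double_quoted_var_case() {
    remote_command "$remote_user@$remote_host" "ls $work"   # local $work
}

# 3. No quotes: the local shell expands *.txt against the LOCAL directory
#    first, so the remote host is asked for file names that may not exist there.
unquoted_case() {
    remote_command "$remote_user@$remote_host" ls *.txt
}

echo "single quotes:  $(quoted_case)"            # ls *.txt
echo "double quotes:  $(double_quoted_case)"     # ls *.txt
echo "double + var:   $(double_quoted_var_case)" # ls /tmp/...  (local path)
echo "no quotes:      $(unquoted_case)"          # ls a.txt b.txt
```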

== SSH without password ==
If you work on a remote computer often, typing in the password each time you use ssh becomes annoying. You can configure ssh so that it does not ask you for a password anymore for that particular connection. To do so, generate a private and public key on your local machine and provide the public key to the remote machine.

To generate the keys run

{{{
ssh-keygen
}}}
and reply to all questions just by pressing return.

To provide the public key to the remote machine, first create a .ssh directory there (if not already present) and then append your local machine's public key to the authorized_keys file on the remote machine.

{{{
ssh $remote_user@$remote_host mkdir -p .ssh
cat .ssh/id_rsa.pub | ssh $remote_user@$remote_host 'cat >> .ssh/authorized_keys'
}}}
Note that here the cat command within the ssh command takes its input from the pipe.

Alternatively you can use

{{{
ssh-copy-id -i ~/.ssh/id_rsa.pub $remote_user@$remote_host
}}}

From now on, you should be able to log in with ssh without a password.

 . '''REMARK:''' If the user names on the local and the remote machine are identical, and if the local and the remote computer have access to the same home directory of that user, e.g. because they are different clients in the same LAN with a common home directory mounted via NFS, then the private key, the public key and the authorized_keys file all reside in the same directory. Thus you can not only log in without password from the local to the remote machine but also vice versa. In fact you can log in from any computer in the LAN to any other computer. (The username@hostname entry at the end of the public key in the authorized_keys file has no relevance to ssh; you may delete it or change it if you like (I think).)

 '''REMARK:''' The example above assumes SSH protocol 2 and uses RSA encryption by default. DSA for SSH protocol 2 and SSH protocol 1 are both obsolete<<FootNote(http://www.debian.org/doc/manuals/reference/ch06.en.html#_connecting_without_remote_passwords)>> and '''not''' recommended<<FootNote(http://wiki.debian.org/SSLkeys#Identifying_Weak_Keys)>>.

 '''TROUBLESHOOTING (ssh still asks for a password):''' Login without a password does not work if group or world has write permission on the home directory on the remote machine. To fix that, run
 {{{
ssh $remote_user@$remote_host chmod g-w,o-w /home/$remote_user
}}}
 '''SOURCE:''' Mathias Kettner, ''SSH login without password'', http://www.linuxproblem.org/art_9.html, visited 2007-10-06.
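The manual "append to authorized_keys" step and the permission fix from the troubleshooting remark, combined into one function as an added example (not code from this page or from OpenSSH). It works on a local directory that stands in for the remote home, so it runs offline; the public key line is a constructed placeholder. Unlike the plain `cat >>` above, it does not add the same key twice and it leaves the home directory, ~/.ssh and authorized_keys with permissions sshd accepts under its default ''!StrictModes yes''.

```shell
#!/bin/sh
# Added example, not from the Debian wiki page: install a public key into a
# (stand-in) remote home directory idempotently and with safe permissions.

# install_pubkey HOME_DIR PUBKEY_LINE
# Creates HOME_DIR/.ssh if needed, appends the key only if it is not already
# present, and clears the group/world write bits that make sshd ignore the
# key (StrictModes, the default). Returns 0 on success.
install_pubkey() {
    home="$1"
    key="$2"
    mkdir -p "$home/.ssh" || return 1
    chmod g-w,o-w "$home"                  # the fix from the TROUBLESHOOTING remark
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    # -x -F: match the whole line literally, so an identical key is not duplicated.
    if ! grep -qxF -- "$key" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    fi
}

# key_count HOME_DIR PUBKEY_LINE -> how many times the exact key line is present.
key_count() {
    f="$1/.ssh/authorized_keys"
    [ -f "$f" ] || { echo 0; return; }
    grep -cxF -- "$2" "$f" || true      # grep -c prints 0 (and exits 1) on no match
}

# perms_ok HOME_DIR -> 0 if neither HOME_DIR nor HOME_DIR/.ssh is group- or
# world-writable, 1 otherwise. Uses the `ls -ld` mode string, which is portable:
# character 6 is the group write bit and character 9 the world write bit.
perms_ok() {
    for d in "$1" "$1/.ssh"; do
        case "$(ls -ld "$d")" in
            ?????w*|????????w*) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample: a scratch directory stands in for the remote home and
# starts out world-writable, the state the troubleshooting remark describes.
demo_home=$(mktemp -d)
chmod 777 "$demo_home"
demo_key="ssh-rsa AAAA-CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY user@laptop"

install_pubkey "$demo_home" "$demo_key"
install_pubkey "$demo_home" "$demo_key"   # a second run must not add a duplicate
echo "key lines in authorized_keys: $(key_count "$demo_home" "$demo_key")"   # 1
perms_ok "$demo_home" && echo "home and .ssh permissions are acceptable to sshd"
```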

== SSH into Debian from another OS ==
 * [[http://www.chiark.greenend.org.uk/~sgtatham/putty/|PuTTY]] is a [[TerminalEmulator|terminal emulator]] application which can act as a client for ssh. It's widely used by Windows users.
 * Wikipedia has WikiPedia:Comparison_of_SSH_clients

== SSH and security ==
=== SSH Server ===
 * Consider using DebPkg:fail2ban, a log file monitor that automatically bans an IP address after a predefined number of failed login attempts. It guards against brute force attacks.
 * Use SSH keys rather than passwords.
=== SSH Client ===
 * http://lackof.org/taggart/hacking/ssh/ - Good practices for using ssh
