Differences between revisions 18 and 21 (spanning 3 versions)
Revision 18 as of 2008-05-13 21:03:07
Size: 4856
Editor: FranklinPiat
Comment: SSH and security
Revision 21 as of 2009-03-16 03:36:05
Size: 5093
Editor: anonymous
Comment: converted to 1.6 markup
Deletions are marked like this. Additions are marked like this.
Line 2: Line 2:
~-Translation(s): [:fr/ssh:Français].-~ ~-Translation(s): [[fr/ssh|Français]].-~
Line 4: Line 4:
[[TableOfContents]] <<TableOfContents>>
Line 9: Line 9:

ssh stands for '''s'''ecure '''sh'''ell and is a program for remote logins into other computers and for running single commands on other computers in a save way, see [http://en.wikipedia.org/wiki/Secure_Shell Wikipedia - Secure Shell] for more general information and [http://www.openssh.org/ OpenSSH] for the ssh homepage. (ssh replaces the unencrypted WikiPedia:telnet protocol, and add many features)
ssh stands for '''s'''ecure '''sh'''ell and is a program for remote logins into other computers and for running single commands on other computers in a save way, see [[http://en.wikipedia.org/wiki/Secure_Shell|Wikipedia - Secure Shell]] for more general information and [[http://www.openssh.org/|OpenSSH]] for the ssh homepage. (ssh replaces the unencrypted WikiPedia:telnet protocol, and add many features)
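Review bot: the Introduction sentence keeps two typos through the markup conversion: "in a save way" should read "in a safe way" and "and add many features" should read "and adds many features"; the sentence is also a run-on, so a full stop before "see" ("... in a safe way. See Wikipedia - Secure Shell ...") would help.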
Line 14: Line 12:
Line 21: Line 20:
If you want to login to $remote_host as user $remote_user simply type
Line 22: Line 22:
If you want to login to $remote_host as user $remote_user simply type
Line 27: Line 26:
Line 30: Line 30:
Line 34: Line 33:
If you just want to run one command on the remote computer, you don't need to login. You can tell ssh to run the command without login, For instance,
Line 35: Line 35:
If you just want to run one command on the remote computer, you don't need to login. You can tell ssh to run the command without login, For instance,
Line 42: Line 41:
Line 46: Line 44:
Line 51: Line 50:
To provide the public key to the remote machine first create there an .ssh directory (if not present already) and then append the public key of your local machine to the authorized_keys file on the remote machine.  To provide the public key to the remote machine first create there an .ssh directory (if not present already) and then append the public key of your local machine to the authorized_keys file on the remote machine.
Line 58: Line 58:
or you can use

{{{
ssh-copy-id -i ~/.ssh/id_dsa.pub $remote_user@$remote_host
}}}

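Review bot: the new ssh-copy-id alternative is introduced only by the bare phrase "or you can use" with no explanation of how it relates to the mkdir/cat pair shown above it; suggest one sentence saying that it performs the same directory creation and append step, and that the path given to `-i` must be the public key generated by the earlier `ssh-keygen -t dsa` call.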
Line 60: Line 67:
 '''REMARK:''' If the usernames on the local and the remote machine are identical, and if the local and the remote computer have access to the same home-directory of that user, e.g. because they are different clients in the same LAN with a common home directory mounted via nfs, then the private key, the public key, and the authorized_keys file all reside in the same directory. Thus you cannot only login without password from the local to the remote machine but also vice versa. In fact you can login from any computer in the LAN to any other computer. (The username@hostname entry at the end of the public key in the authorized_keys file has no relevance to ssh, you may delete it or change it if you like (I think)).

'''REMARK:''' The example above assumes ssh protocol 2 and uses DSA encryption, which is currently recommended. One could also use RSA encryption for ssh protocol 2. ssh protocol 1 uses yet another encryption, but is obsolete.  
 '''TROUBLESHOOTING (ssh still asks for a password):''' Login without password does not work if group or world has write permissions for the home directory on the remote machine. To fix that, run 
 . '''REMARK:''' If the usernames on the local and the remote machine are identical, and if the local and the remote computer have access to the same home-directory of that user, e.g. because they are different clients in the same LAN with a common home directory mounted via nfs, then the private key, the public key, and the authorized_keys file all reside in the same directory. Thus you cannot only login without password from the local to the remote machine but also vice versa. In fact you can login from any computer in the LAN to any other computer. (The username@hostname entry at the end of the public key in the authorized_keys file has no relevance to ssh, you may delete it or change it if you like (I think)).
 '''REMARK:''' The example above assumes ssh protocol 2 and uses DSA encryption, which is currently recommended. One could also use RSA encryption for ssh protocol 2. ssh protocol 1 uses yet another encryption, but is obsolete.
 '''TROUBLESHOOTING (ssh still asks for a password):''' Login without password does not work if group or world has write permissions for the home directory on the remote machine. To fix that, run
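Review bot: in the converted markup only the first REMARK line carries the " . " list marker, while the second REMARK and the TROUBLESHOOTING lines are merely indented, so all three render as one run-on bullet item (visible in the rendered page below). Give each of the three lines its own " . " marker so they render as separate items.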
Line 68: Line 73:

'''SOURCE:''' Mathias Kettner, ''SSH login without password'', [http://www.linuxproblem.org/art_9.html], visited 2007-10-06.
 '''SOURCE:''' Mathias Kettner, ''SSH login without password'', http://www.linuxproblem.org/art_9.html, visited 2007-10-06.
Line 72: Line 75:
 * [http://www.chiark.greenend.org.uk/~sgtatham/putty/ PuTTY] is a [:TerminalEmulator:terminal emulator] application which can act as a client for ["ssh"]. It'is widely used by Windows users.  * [[http://www.chiark.greenend.org.uk/~sgtatham/putty/|PuTTY]] is a [[TerminalEmulator|terminal emulator]] application which can act as a client for ssh. It'is widely used by Windows users.
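Review bot: "It'is widely used by Windows users" in the PuTTY entry is a typo carried over unchanged by the conversion; it should read "It is widely used by Windows users".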
Line 74: Line 77:
Line 77: Line 79:
 * Consider using DebPkg:fail2ban  * Consider using DebPkg:fail2ban which is a log file monitor that automatically bans an ip address after a predefined number of failed login attempts. Guards against brute force attacks.
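Review bot: in the expanded fail2ban entry, "ip address" should be "IP address" and "Guards against brute force attacks." is a sentence fragment; suggest "... after a predefined number of failed login attempts, which guards against brute-force attacks."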
Line 79: Line 81:

Translation(s): Français.

ToDo: merge (and translate) this page and the French one (which is more complete).

Introduction

ssh stands for secure shell and is a program for remote logins into other computers and for running single commands on other computers in a safe way. See Wikipedia - Secure Shell for more general information and OpenSSH for the ssh homepage. (ssh replaces the unencrypted telnet protocol and adds many features.)

Throughout this document it will be assumed that the following two variables are defined

remote_host=<the remote computer>
remote_user=<your user name on $remote_host>

So, if you want to use the recipes below, first set these variables to the name of the remote computer and your user name on that computer. Cutting and pasting the commands below should then work. remote_host may also be an IP address.

Remote login

If you want to login to $remote_host as user $remote_user simply type

ssh $remote_user@$remote_host

If the usernames on the local and the remote computer are identical, you can drop the $remote_user@-part and simply write

ssh $remote_host

If this is the first time you log in to the remote machine, ssh will ask whether you are sure you want to connect to the remote computer. Answer 'yes', then type in your password, and ssh will log you in remotely.

Remote commands

If you just want to run one command on the remote computer, you don't need to log in. You can tell ssh to run the command without logging in. For instance,

ssh $remote_user@$remote_host 'ls *.txt'

lists all files with extension .txt on the remote computer. This works with single tick quotes '...' as shown here, with double tick quotes "...", and without quotes. There may be differences between these three cases, though, not yet documented here.
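As an added illustration of the three quoting cases (this example is not part of the original page and does not contact any host): the ssh client joins everything after the host name into a single string, separated by spaces, and hands that string to the login shell on the remote side. What reaches the remote computer therefore depends on what the local shell already did to the arguments. The function below stands in for that joining step; the temporary directory with two local .txt files and the use of the local HOME value are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the original page). Stands in for the step where the
# ssh client joins its remaining arguments into one command string for the
# remote shell; no connection is made, so the effect of local quoting is visible.

# Mimics ssh's treatment of the command part: arguments joined by IFS, a space
# by default.
remote_command_string() {
    printf '%s' "$*"
}

# Runs the three quoting variants from a constructed directory that holds two
# local .txt files, and prints what the remote shell would receive for each.
demo_quoting() {
    workdir=$(mktemp -d) || return 1
    : > "$workdir/local-a.txt"
    : > "$workdir/local-b.txt"
    (
        cd "$workdir" || exit 1
        # Unquoted: the local shell expands *.txt against LOCAL files before
        # ssh ever sees it, so the remote ls is asked for local file names.
        printf 'unquoted      : %s\n' "$(remote_command_string ls *.txt)"
        # Single quotes: the glob reaches the remote shell untouched and is
        # expanded there, which is what the page's example intends.
        printf 'single quotes : %s\n' "$(remote_command_string 'ls *.txt')"
        # Double quotes: the glob survives, but $variables are still expanded
        # by the LOCAL shell, so this carries the local HOME, not the remote one.
        printf 'double quotes : %s\n' "$(remote_command_string "ls $HOME/*.txt")"
    )
    rm -rf "$workdir"
}

demo_quoting
```

The unquoted form is the one to watch: if the local directory happens to contain matching files, the remote command silently receives their names instead of the pattern.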

ssh without password

If you work on a remote computer often, typing in the password each time you use ssh becomes annoying. You can configure ssh such that it does not ask you for a password anymore for that particular connection. You have to generate a private and public encryption key on your local machine and provide the public key to the remote machine.

To generate the keys run

ssh-keygen -t dsa

and answer all questions by just pressing return.

To provide the public key to the remote machine, first create a .ssh directory there (if not present already) and then append the public key of your local machine to the authorized_keys file on the remote machine.

ssh $remote_user@$remote_host mkdir -p .ssh
cat .ssh/id_dsa.pub | ssh $remote_user@$remote_host 'cat >> .ssh/authorized_keys'

Note that here the cat command within the ssh command takes its input from the pipe.

or you can use

ssh-copy-id -i ~/.ssh/id_dsa.pub $remote_user@$remote_host

From now on, you should be able to login with ssh without password.

  • REMARK: If the usernames on the local and the remote machine are identical, and if the local and the remote computer have access to the same home directory of that user, e.g. because they are different clients in the same LAN with a common home directory mounted via NFS, then the private key, the public key, and the authorized_keys file all reside in the same directory. Thus you can not only log in without password from the local to the remote machine but also vice versa. In fact you can log in from any computer in the LAN to any other computer. (The username@hostname entry at the end of the public key in the authorized_keys file has no relevance to ssh; you may delete it or change it if you like (I think).)

  • REMARK: The example above assumes ssh protocol 2 and uses DSA encryption, which is currently recommended. One could also use RSA encryption for ssh protocol 2. ssh protocol 1 uses yet another encryption, but is obsolete.

  • TROUBLESHOOTING (ssh still asks for a password): Login without password does not work if group or world has write permissions for the home directory on the remote machine. To fix that, run

    ssh $remote_user@$remote_host chmod g-w,o-w /home/$remote_user

    SOURCE: Mathias Kettner, SSH login without password, http://www.linuxproblem.org/art_9.html, visited 2007-10-06.
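An added check for the troubleshooting case above (this is not from the original page or the cited source): sshd refuses to use authorized_keys when the user's home directory, the .ssh directory or the authorized_keys file itself is writable by group or others (its StrictModes behaviour; sshd additionally requires these paths to be owned by the user, which is not checked here). The function below inspects those three paths and reports the first offending one. The directory tree it is demonstrated on is constructed in a temporary directory so that it runs locally; to diagnose a real account, run check_key_login_prereqs against that user's home directory on the remote machine.

```shell
#!/bin/sh
# Added example (not from the original page). Checks the three paths that sshd's
# StrictModes inspects before it will honour authorized_keys: the home directory,
# ~/.ssh and ~/.ssh/authorized_keys must not be writable by group or others.
# (sshd also requires them to be owned by the user; that check is not done here.)

# Returns 0 when the path exists and is neither group- nor world-writable,
# 1 otherwise. Parses the mode column of `ls -ld`, which is POSIX.
not_group_or_world_writable() {
    [ -e "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 1 ;;   # group write (col 6) or other write (col 9)
    esac
    return 0
}

# Prints the first path that would make sshd ignore authorized_keys and
# returns 1; prints nothing and returns 0 if all three are acceptable.
check_key_login_prereqs() {
    home=$1
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if ! not_group_or_world_writable "$p"; then
            printf '%s\n' "$p"
            return 1
        fi
    done
    return 0
}

# Demonstration on a constructed tree: first broken the way the page describes
# (group-writable home directory), then repaired with the chmod the page gives.
demo_prereqs() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/home/.ssh"
    : > "$tmp/home/.ssh/authorized_keys"
    chmod 775 "$tmp/home"                      # group-writable home: the failure case
    chmod 700 "$tmp/home/.ssh"
    chmod 600 "$tmp/home/.ssh/authorized_keys"
    if check_key_login_prereqs "$tmp/home" >/dev/null; then
        echo "unexpected: broken tree passed"
    else
        echo "before fix: sshd would ignore authorized_keys (home is group-writable)"
    fi
    chmod g-w,o-w "$tmp/home"                  # the page's remedy
    if check_key_login_prereqs "$tmp/home" >/dev/null; then
        echo "after fix : key login prerequisites satisfied"
    fi
    rm -rf "$tmp"
}

demo_prereqs
```

The server logs this condition too (a "bad ownership or modes" message in the sshd log), but the client only sees the password prompt, which is why the check is worth running on the server side.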

SSH into Debian from another OS

SSH and security

SSH Server

  • Consider using fail2ban, which is a log file monitor that automatically bans an IP address after a predefined number of failed login attempts. This guards against brute-force attacks.

  • Use SSH keys rather than passwords.
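As an added example for the second recommendation (not from the original page): turning off password logins is done in the server's sshd_config, where the first value found for a keyword wins and PasswordAuthentication defaults to yes when it is absent. The function below reports the effective setting for a given file, ignoring comments, blank lines and letter case, and the demonstration compares a weak configuration with its corrected form. Both configurations are constructed samples written to a temporary directory; Match blocks are not handled.

```shell
#!/bin/sh
# Added example (not from the original page). Reports whether an sshd_config
# file leaves password logins enabled. sshd uses the FIRST value it finds for a
# keyword and treats a missing PasswordAuthentication as "yes"; keywords are
# case-insensitive. Match blocks are deliberately not handled here.

# Prints the effective PasswordAuthentication value ("yes" or "no") for file $1.
effective_password_auth() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blank lines
        tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }               # sshd default when the keyword is absent
    ' "$1"
}

# Returns 0 when the file enforces key-based login (password auth off), else 1.
enforces_key_login() {
    [ "$(effective_password_auth "$1")" = "no" ]
}

# Demonstration on two constructed sample files.
demo_configs() {
    tmp=$(mktemp -d) || return 1
    # Weak sample: looks hardened at the end, but sshd already took the first value.
    cat > "$tmp/weak" <<'EOF'
# sshd_config (constructed sample)
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
# added later, but sshd keeps the first PasswordAuthentication value above
PasswordAuthentication no
EOF
    # Hardened sample: one PasswordAuthentication line, set to no.
    cat > "$tmp/hardened" <<'EOF'
# sshd_config (constructed sample)
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
    for f in weak hardened; do
        printf '%-9s PasswordAuthentication=%s -> ' "$f" "$(effective_password_auth "$tmp/$f")"
        if enforces_key_login "$tmp/$f"; then
            echo "keys only"
        else
            echo "passwords still accepted"
        fi
    done
    rm -rf "$tmp"
}

demo_configs
```

Run effective_password_auth against /etc/ssh/sshd_config on a server to see what sshd will actually enforce; the duplicate-keyword case in the weak sample is the one that is easy to miss when a file has been edited several times.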

SSH Client