Differences between revisions 4 and 5
Revision 4 as of 2016-07-17 06:23:10
Size: 11892
Comment:
Revision 5 as of 2016-07-17 06:30:18
Size: 11961
Comment:


ToDo: Merge (and translate) this page with the French version (which is more complete)

Introduction

SSH stands for Secure Shell. It is a protocol for secure remote login and other secure network services over an insecure network. See Wikipedia - Secure Shell for general information, and ssh, lsh-client or dropbear for the SSH software implementations, of which OpenSSH is the most popular and most widely used. SSH replaces the unencrypted services telnet, rlogin and rsh and adds many more features.

In this document we use the OpenSSH command set, and we assume that these two variables are defined:

remote_host=<the remote host>
remote_user=<your user name on $remote_host>

So, if you want to use the recipes below, first set these variables to the name of the remote host and your user name on that host. Then cut and paste the commands below and they should work. remote_host can also be an IP address.

Installation

Client installation

The client is usually installed by default. If not, it is enough to run this command as root:

apt-get install openssh-client

Server installation

The server lets you connect remotely. It is installed by running the following command as root:

apt-get install openssh-server

Configuration files

The main configuration files are in the /etc/ssh directory:

  • ssh_config : client configuration file

  • sshd_config : server configuration file

This directory also contains the private/public key pairs that identify the host:

  • ssh_host_dsa_key
  • ssh_host_dsa_key.pub
  • ssh_host_rsa_key
  • ssh_host_rsa_key.pub

Since OpenSSH 5.7, an additional private/public key pair is available:

  • ssh_host_ecdsa_key
  • ssh_host_ecdsa_key.pub

Since OpenSSH 6.5, another private/public key pair is available:

  • ssh_host_ed25519_key
  • ssh_host_ed25519_key.pub

Note that clients since OpenSSH 7.0 refuse ssh-dss (DSA) host keys by default, so a server should offer at least an RSA or Ed25519 host key. The private host keys must stay readable by root only: anyone who obtains one can impersonate the server.

Regenerating the host keys

rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server

Do this, for example, on a machine that was cloned from an image, so that the clone does not share host keys with the original. Clients that had already connected will afterwards see the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning; they must remove the old entry from ~/.ssh/known_hosts (for instance with ssh-keygen -R $remote_host) and verify the new fingerprint before connecting again.

Remote login

With a password

If you want to log in to $remote_host as $remote_user, simply type

ssh $remote_user@$remote_host

and then type your password.

If your user name is the same on the local and the remote host, you can leave out the $remote_user@ part and just type

ssh $remote_host

If this is the first time you log in to the remote host, ssh shows the fingerprint of the host key and asks whether you are sure you want to connect. Compare that fingerprint with one obtained through a trusted channel (for example by running ssh-keygen -lf on the server's public host key at its console, or from your hosting provider) and only then answer 'yes'; accepting an unverified key is exactly the moment at which a man-in-the-middle attack would go unnoticed. Then type your password and ssh connects you to the remote host. The key is stored in ~/.ssh/known_hosts, so the question is not asked again unless the host key changes.
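To make clear what you are comparing when ssh shows a fingerprint, here is an added example, written for this page and not code from the Debian wiki or from OpenSSH, that parses a public key line in OpenSSH format (the content of a file such as /etc/ssh/ssh_host_ed25519_key.pub, or one line of known_hosts or authorized_keys) and computes the SHA256 and MD5 fingerprints the same way ssh-keygen -lf prints them. The point to take away: the fingerprint is a hash of the binary key blob, so it cannot be checked by eyeballing the base64 text, and a single flipped bit gives a completely different fingerprint. The sample key line is constructed inline (the bytes 0x00..0x1f as key material) and is not a real host key.

```python
# Added example (not part of the Debian wiki page): parse an OpenSSH public key
# line and compute the fingerprints that `ssh-keygen -lf` would print for it.
import base64
import hashlib
import struct

# Number of length-prefixed fields a well-formed blob of each type carries:
# ed25519 = type + 32-byte key; RSA = type + e + n; ECDSA = type + curve + point.
EXPECTED_FIELDS = {"ssh-ed25519": 2, "ssh-rsa": 3, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3}


def _ssh_string(data):
    """Encode bytes as an SSH 'string' (RFC 4251): 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_strings(blob):
    """Split a binary key blob into its SSH 'string' fields; reject truncation."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("field runs past the end of the key blob")
        fields.append(blob[pos:pos + length])
        pos += length
    return fields


def parse_public_key(line):
    """Return (key_type, blob, comment) for a '<type> <base64> [comment]' line.

    The first field inside the blob must repeat the declared type and the field
    count must match the type; anything else is a malformed or edited key.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, comment = parts[0], (parts[2] if len(parts) == 3 else "")
    blob = base64.b64decode(parts[1], validate=True)
    fields = _read_ssh_strings(blob)
    if not fields or fields[0] != key_type.encode():
        raise ValueError(f"blob type does not match declared type {key_type!r}")
    if key_type in EXPECTED_FIELDS and len(fields) != EXPECTED_FIELDS[key_type]:
        raise ValueError(f"{key_type} blob should have {EXPECTED_FIELDS[key_type]} fields")
    if key_type == "ssh-ed25519" and len(fields[1]) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    return key_type, blob, comment


def fingerprint_sha256(blob):
    """SHA256 fingerprint as `ssh-keygen -lf` prints it: base64 without '=' padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(blob):
    """Legacy MD5 fingerprint as `ssh-keygen -l -E md5 -f` prints it: colon-separated hex."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def fingerprints(line):
    """(key type, SHA256 fingerprint, MD5 fingerprint, comment) for one public key line."""
    key_type, blob, comment = parse_public_key(line)
    return key_type, fingerprint_sha256(blob), fingerprint_md5(blob), comment


# Constructed sample (NOT a real host key): the bytes 0x00..0x1f as ed25519 key material.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " root@example"
# The same key with its last byte flipped: still parses, but the fingerprint differs.
TAMPERED_LINE = "ssh-ed25519 " + base64.b64encode(
    SAMPLE_BLOB[:-1] + bytes([SAMPLE_BLOB[-1] ^ 0x01])).decode()
# Declared type disagrees with the blob: parse_public_key() must reject it.
MISMATCHED_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    print(fingerprints(SAMPLE_LINE))
```

To check a real server, run fingerprints(open("/etc/ssh/ssh_host_ed25519_key.pub").read()) on the server console and compare the SHA256 value with what ssh shows on the client; MD5 is only there because older clients (before OpenSSH 6.8) print that format.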

Using key pairs

One of the functions of ssh is to use a private/public key pair to connect to a remote host. This method lets you log in to a remote host without typing your password every time. To do this you must generate a key pair on your local machine and deposit the public key on the remote host.

To generate the key, use the program ssh-keygen as follows

ssh-keygen -t rsa

(Current OpenSSH also supports -t ed25519, which gives shorter and faster keys and is the preferred type; if you need RSA for an old server, add -b 4096 to get a larger key.)

This program generates a private/public key pair in the directory ~/.ssh. It first asks where to store the keys (by default in ~/.ssh) and then asks for a passphrase.

Note: We recommend not leaving the passphrase empty. An attacker who gets hold of your private key could otherwise log in to every host where you deposited the public key. Choose a long and complex passphrase.

Your private key is id_rsa (never give it to anyone else), the public key is id_rsa.pub.

You copy your public key to a remote host with the command ssh-copy-id

ssh-copy-id -i ~/.ssh/id_rsa.pub $remote_user@$remote_host

(You still need password access for this one step; ssh-copy-id appends the key to ~/.ssh/authorized_keys on the remote host.)

Now you can connect to the remote host and are asked for the passphrase instead of the account password. Note that ssh itself asks for the passphrase on every new connection; it is only remembered for the rest of your session if an agent such as ssh-agent (described below) holds the key.

Security

By default an SSH server is relatively secure. With a few configuration options and some external utilities it is possible to make life even harder for attackers.

/!\ Keeping the package openssh-server up to date (security updates) protects against known vulnerabilities.

Configuration options

(!) Edit the file /etc/ssh/sshd_config to change the parameters, check the result with sshd -t (it prints nothing when the file is valid), and then restart the ssh server with

invoke-rc.d ssh restart
  • Disable password authentication (PasswordAuthentication no). Do this only after you have verified that key-based login works, or you will lock yourself out.

  • Disable logging in as root (PermitRootLogin no).

  • Only allow login for certain users or groups (AllowUsers and AllowGroups)

{i} The options AllowUsers and AllowGroups do not strengthen the authentication itself, but they reduce the set of accounts an attacker can try, which makes a brute force attack less likely to succeed.
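The following added example, not from this page or from OpenSSH, reads an sshd_config the way sshd does: keywords are case-insensitive, only lines starting with # are comments, the first value given for a keyword wins (later duplicates are silently ignored, a classic cause of "I set PasswordAuthentication no, why does it still accept passwords?"), and everything after a Match line applies only conditionally. It then reports deviations from the three recommendations above. The two sample configurations are constructed for the example; note the second PasswordAuthentication line in the weak one.

```python
# Added example (not part of the Debian wiki page): audit the global section of an
# sshd_config against the recommendations above, honouring sshd's parsing rules.
import re

# The page's recommendations for the global (pre-Match) section, lower-cased.
RECOMMENDED = {"passwordauthentication": "no", "permitrootlogin": "no"}

# "Keyword value", "Keyword=value" and "Keyword = value" are all accepted by sshd.
_LINE = re.compile(r"^(\w+)\s*=?\s*(.*)$")


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings maps lower-cased keyword -> FIRST value seen, because sshd
    uses the first occurrence of a keyword and ignores later ones. match_blocks
    is a list of (criteria, settings) for each Match section, kept apart so that
    a conditional override is never mistaken for the global value.
    """
    global_settings, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # sshd only knows whole-line comments
            continue
        m = _LINE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        target = global_settings if current is None else current
        target.setdefault(keyword, value)      # first value wins, as in sshd
    return global_settings, match_blocks


def audit(text):
    """List of findings for the global section; an empty list means it matches the page."""
    settings, _ = parse_sshd_config(text)
    findings = []
    for keyword, wanted in RECOMMENDED.items():
        if keyword not in settings:
            findings.append(f"{keyword} is not set explicitly, so the sshd default applies")
        elif settings[keyword].lower() != wanted:
            findings.append(f"{keyword} is {settings[keyword]!r}, expected {wanted!r}")
    if "allowusers" not in settings and "allowgroups" not in settings:
        findings.append("neither AllowUsers nor AllowGroups restricts who may log in")
    return findings


# Constructed samples for the example, not copied from any real server.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# sshd keeps the FIRST value for a keyword, so this later line changes nothing:
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowGroups sshusers
# Conditional exception for the management network only; the global value stays "no".
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

Run audit(open("/etc/ssh/sshd_config").read()) on the server to check the real file; sshd -T (capital T) prints the effective values after all parsing if you want to cross-check the result.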

External utilities

  • fail2ban : automatically blacklists, using iptables, IP addresses that attempt to brute force an SSH server.

  • denyhosts : like fail2ban, denyhosts blocks IP addresses that try to brute force a connection to ssh. Unlike fail2ban it does not use iptables but the file /etc/hosts.deny (TCP wrappers).

Additional functions

Additional commands

scp

scp is a command line utility for transferring files between two machines over SSH (add -r to copy a directory recursively).

  • Sending a file:

scp $source_file $remote_user@$remote_host:$destination_file
  • Copying a file to the local machine:

scp $remote_user@$remote_host:$source_file $destination_file

sftp

[empty for now]

text mode

[empty for now]

graphical mode

[empty for now]

clusterssh

[empty for now]

ssh-agent and ssh-add

ssh-agent is a useful utility for managing private keys and their passphrases. It should be started at the beginning of your session, like this in a Bourne shell:

eval `ssh-agent -s`

or in a C shell:

eval `ssh-agent -c`

When a private key is first needed you are prompted for its passphrase, and ssh-agent then keeps the decrypted key in memory. Whenever that private key is used later on, the passphrase is not asked for again. The agent never hands the private key out: clients ask it to sign authentication challenges over the socket named in SSH_AUTH_SOCK. This is also why anyone who can reach that socket (root on the machine, or a remote host when agent forwarding is enabled) can authenticate with your keys for as long as the agent holds them.

ssh-add can be used to manage the keys held by the agent:

  • Add a key: ssh-add $private_key

  • List the loaded keys: ssh-add -l

  • Remove all keys from ssh-agent: ssh-add -D

keychain

Keychain, provided by the package keychain, is a shell script that lets you use the ssh agent in several sessions on the same computer. After it is started, ssh-agent creates a persistent socket through which ssh communicates with it; this socket is only referenced in the environment of the session in which the agent was started. Keychain detects the running agent and propagates access to it to other sessions, so that a single ssh-agent instance per user can be used on a machine.

ssh-askpass

ssh-askpass is a utility that prompts for the passphrase of a private key when it is needed. Several implementations exist:

  • x11-ssh-askpass : version for X11

  • kaskpass : integration of ssh-askpass into the KDE environment

  • ssh-askpass-gnome : integration of ssh-askpass into the Gnome environment

libpam-usb

libpam-usb is a utility (only available up to Debian Jessie) that allows authentication with a USB stick. This package includes a useful utility: pamusb-agent. Once correctly configured, it loads the SSH keys present on the USB stick when it is plugged in and unloads them when it is removed.


Remote commands

If you just want to run one command on the remote computer, you don't need an interactive login. You can tell ssh to run the command directly, for instance

ssh $remote_user@$remote_host 'ls *.txt'

lists all files with extension .txt on the remote computer. ssh joins everything after the host name with spaces into a single string and passes it to your login shell on the remote host, so the quoting only decides what your local shell does first: with single quotes '...' the remote shell expands *.txt; with double quotes "..." the local shell substitutes $variables and `commands` but leaves the glob for the remote side; without quotes the local shell also expands *.txt against your local directory, and the remote command then receives your local file names.
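Because ssh simply concatenates its arguments, a remote command assembled from untrusted input (a file name from a web form, say) is a command injection waiting to happen. This added example, written for this page and not code from the Debian wiki or from OpenSSH, shows the concatenation, simulates the local glob expansion of the unquoted case with a constructed temporary directory, and uses shlex.quote so that each caller-supplied argument reaches the remote shell as exactly one word.

```python
# Added example (not part of the Debian wiki page): what the remote shell sees for
# `ssh host <words...>`, and how to pass untrusted arguments safely.
import glob
import os
import shlex
import tempfile


def remote_command_line(args):
    """The single string the remote login shell receives: ssh joins its remaining
    arguments with one space each and runs them as `$SHELL -c '<string>'`."""
    return " ".join(args)


def local_shell_words(word, cwd):
    """Simulate what a POSIX shell does with an UNQUOTED word before ssh runs:
    expand a glob against the local directory, or keep the word if nothing matches."""
    matches = sorted(glob.glob(os.path.join(cwd, word)))
    return [os.path.basename(m) for m in matches] or [word]


def build_remote_command(program, untrusted_args):
    """Safely embed caller-supplied arguments: shlex.quote wraps each one so that
    ';', '&&', '$(...)', '*' and spaces lose their meaning for the remote shell."""
    return " ".join([program] + [shlex.quote(a) for a in untrusted_args])


def demo_local_expansion():
    """Return (quoted, unquoted) remote command lines for `ls *.txt` typed in a
    local directory that contains a.txt and b.txt (constructed here)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("a.txt", "b.txt"):
            open(os.path.join(d, name), "w").close()
        # ssh $remote_host 'ls *.txt'  -> the glob travels to the remote side
        quoted = remote_command_line(["ls", "*.txt"])
        # ssh $remote_host ls *.txt    -> the LOCAL shell expanded the glob first
        unquoted = remote_command_line(["ls"] + local_shell_words("*.txt", d))
    return quoted, unquoted


if __name__ == "__main__":
    print(demo_local_expansion())
    print(remote_command_line(["ls", "x.txt; rm -rf /"]))     # injected
    print(build_remote_command("ls", ["x.txt; rm -rf /"]))    # one harmless word
```

Whenever the argument list is fixed, the page's single-quote form is fine; as soon as a value comes from somewhere else, build it with build_remote_command() (or pass it via stdin) rather than string formatting.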

SSH into Debian from another OS

SSH and security

SSH Server

  • Consider using fail2ban, a log file monitor that automatically bans an IP address after a predefined number of failed login attempts. It guards against brute force attacks.

  • Use SSH keys rather than passwords.

SSH Client

Troubleshooting

OpenSSL version mismatch. Built against 1000105f, you have 10001060

If you get an error message like this when starting the ssh daemon, the ssh binaries were built against a different OpenSSL version than the library now installed. Bring the packages back in step by running:

apt-get install openssh-server openssh-client

Also see Debian bug #732940.

Keeping an SSH connection alive

By default sshd sends no keep-alive messages at all (ClientAliveInterval 0) and does not close an idle session by itself; idle connections are usually dropped by a NAT gateway or stateful firewall in between, which forgets the connection after some minutes of silence. If you need a long-lived connection, for example for cloud storage mounted over SSH, make one side send periodic traffic.

For Debian 7.x servers

Steps to keep an SSH connection alive.

  1. On the SSH server edit the "/etc/ssh/sshd_config" file

  2. Add the following at the bottom of that file

    # After 300 seconds (5 minutes) without traffic from the client, sshd sends
    # a small alive request to the client through the encrypted channel; the
    # client's reply keeps the NAT/firewall state fresh.
    ClientAliveInterval 300

    # Disconnect the client only after this many consecutive alive requests go
    # unanswered. A live client answers every request, so its session stays up
    # indefinitely; a dead client is kept for ClientAliveInterval x
    # ClientAliveCountMax = 300 s x 3333 = 999,900 s, about 11.6 days. The
    # OpenSSH default is 3 (15 minutes with the interval above) and is usually
    # the better choice: live sessions still stay open, dead ones are freed.
    ClientAliveCountMax 3333
  3. As root, restart the SSH service

    service sshd restart

    Please note that on recent Debian systems (e.g. Wheezy 7 with current updates as of Nov. 2015) the above command no longer works and returns the error:

    sudo service sshd restart
    sshd: unrecognized service

    However, the following works, because on Debian the service is called ssh rather than sshd (on systemd releases, systemctl restart ssh does the same):

    sudo service ssh restart
    [ ok ] Restarting OpenBSD Secure Shell server: sshd.

If you do not control the server, the equivalent client-side options are ServerAliveInterval and ServerAliveCountMax in ~/.ssh/config (or on the command line with -o); they work the same way in the other direction.

One of the best pieces of security advice is to use strong passwords and apply security updates as soon as possible. But what happens if your users have the strongest passwords and still leave their SSH session open and unattended? Anyone who can reach that terminal can run commands as that user, change the password with the passwd command, and thus keep access to the server. Please use your best judgment.