Accessing a computer in a secure way - SSH


One of the really good things about UNIX computers is that you can access them the same way wherever they are located. I can do the same things on my local computer as I can do on a server in the US, through an interactive command line session. I can even run X window system programs on another computer and get the window on my local screen.

telnet, rsh, rlogin

The old way of doing this is to use telnet, rlogin or rsh, all of them unencrypted standard protocols available on most UNIX computers. Sure they work, but you send your password in plaintext, not to mention all the data you enter during your session. That's not good, since network security is getting more important all the time.

ssh

There is an alternative. Secure Shell, developed in Finland, encrypts everything you send, including your password. It has more features too: it can forward ports and forward X window system connections, and it supports quite a few ways of authentication.

Where do I get it ?

Most major distributions have an ssh package, though you may have to look in some special directory, since the US government for some reason doesn't permit export of programs with encryption, so those files have to be kept outside the US. Don't ask me why they do this, I can't find a reason. If you can't find a package, get the source from SSH Communications Security, the company that developed it.

Version 1 or 2 ?

There are two major versions of the ssh protocol: version 1 and version 2. Most systems in use run version 1, and it works well. The second version hasn't been out for long, and it has a license that causes some problems. Be sure to read the license for ssh before you use it. Anyway, using version 1 works well.

Server and Client

The ssh protocol needs its own server, sshd, running. Well, it may be run from inetd, but it works best if it runs as a daemon.

To connect to a computer with sshd running, you use ssh, the client. You type something like ssh hostname, type your password, and get connected.

Run ssh without arguments to see what command line parameters there are. One of the most used is -l which lets you specify your username on the remote machine.

Authentication

Ssh has a lot of ways to authenticate you to the server. The most basic one is by password, just the way you would do it if you used telnet. The difference is that your password is never sent in cleartext; it's encrypted, so a person listening on the network where you send your data can't pick up your password.

The second way is RSA host authentication. If the host you are connecting to has the host you are connecting from listed in either its /etc/hosts.equiv or /etc/shosts.equiv, or in .shosts or .rhosts in your home directory on the server host, it will permit your login if it recognizes the client host's host key. A host key is unique for every single machine, and every time you connect to a new machine that machine's host key is stored in the file $HOME/.ssh/known_hosts. This way of authentication closes security holes due to IP spoofing, DNS spoofing and routing spoofing.

A third way of authentication is RSA based public-key technology. You generate a pair of keys (one private and one public) with the command ssh-keygen and place the public part of it in the file $HOME/.ssh/authorized_keys on every host where you want to log in using this type of authentication. When you try to connect to one of these hosts, the server and client find out that you have a .ssh/identity on your host and a .ssh/authorized_keys on the server. If they match, you are allowed access. If you encrypted your private key with a password, you'll have to type that in to get access.
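The two file lookups described above, the client's known_hosts check from the host key paragraph and the server's authorized_keys check from this paragraph, are easy to misunderstand, so here is an added example that is not from the original page and not part of ssh itself. It parses both files in the modern OpenSSH line format (host patterns or options, key type, base64 key blob, optional comment) rather than the ssh1 format of the time, ignores hashed known_hosts entries and authorized_keys options, and uses constructed placeholder key blobs; all names and sample lines are assumptions made for the demonstration.

```python
import base64
import fnmatch
import hashlib

# Constructed placeholder key material (NOT real keys). It is base64-encoded the
# way OpenSSH stores a key blob, so fingerprints can be computed from it.
SERVER_KEY = base64.b64encode(b"constructed-server-host-key-blob").decode()
OTHER_KEY = base64.b64encode(b"constructed-other-host-key-blob").decode()
USER_KEY = base64.b64encode(b"constructed-user-public-key-blob").decode()

# Constructed sample files, one entry each.
KNOWN_HOSTS = (
    "# hosts this client has already connected to\n"
    f"server.example.org,192.0.2.10 ssh-ed25519 {SERVER_KEY}\n"
)
AUTHORIZED_KEYS = (
    "# public keys allowed to log in to this account\n"
    f"ssh-ed25519 {USER_KEY} alice@laptop\n"
)

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256")


def fingerprint(key_b64):
    """SHA-256 fingerprint of a key blob, written the way ssh-keygen -l prints it."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_key_file(text):
    """Yield (leading fields, key type, key blob, comment) for every key line.

    known_hosts lines look like    host[,host...] type key [comment]
    authorized_keys lines look like [options] type key [comment]
    Blank lines and '#' comments are skipped; a line with no key type is ignored.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for i, field in enumerate(fields):
            if field in KEY_TYPES and i + 1 < len(fields):
                yield fields[:i], field, fields[i + 1], " ".join(fields[i + 2:])
                break


def check_host_key(known_hosts, host, key_type, key_b64):
    """Client-side host key decision when connecting to `host`.

    Returns "match"    - host known and key identical: connect silently
            "mismatch" - host known but a different key: ssh warns loudly and
                         refuses, which is what catches the spoofing cases
            "unknown"  - never seen before: first contact, the key gets stored
    """
    for patterns, ktype, key, _ in parse_key_file(known_hosts):
        hosts = patterns[0].split(",") if patterns else []
        if not any(fnmatch.fnmatchcase(host, p) for p in hosts):
            continue
        if ktype != key_type:
            continue
        return "match" if key == key_b64 else "mismatch"
    return "unknown"


def remember_host_key(known_hosts, host, key_type, key_b64):
    """Append a host key, as ssh does once a first connection has been accepted."""
    if not known_hosts.endswith("\n"):
        known_hosts += "\n"
    return known_hosts + f"{host} {key_type} {key_b64}\n"


def is_authorized(authorized_keys, key_type, key_b64):
    """Server-side check: does the client's public key appear in authorized_keys?"""
    return any(
        ktype == key_type and key == key_b64
        for _, ktype, key, _ in parse_key_file(authorized_keys)
    )


if __name__ == "__main__":
    print(check_host_key(KNOWN_HOSTS, "server.example.org", "ssh-ed25519", SERVER_KEY))
    print(check_host_key(KNOWN_HOSTS, "192.0.2.10", "ssh-ed25519", OTHER_KEY))
    print(check_host_key(KNOWN_HOSTS, "new.example.org", "ssh-ed25519", OTHER_KEY))
    updated = remember_host_key(KNOWN_HOSTS, "new.example.org", "ssh-ed25519", OTHER_KEY)
    print(check_host_key(updated, "new.example.org", "ssh-ed25519", OTHER_KEY))
    print(is_authorized(AUTHORIZED_KEYS, "ssh-ed25519", USER_KEY))
    print(fingerprint(SERVER_KEY))
```

The "mismatch" case is the one worth keeping in mind: a known host presenting a different key is exactly the situation the text says host keys protect against, so a real client stops there instead of quietly replacing the stored key.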

A very good way of using RSA based public-key authentication is with the program ssh-agent. That program keeps your personal keys in its memory, and if you have a passphrase for them you only need to enter it once, with the program ssh-add.

Another major feature is that the program automatically starts a new ssh-agent process on each host you log on to. That way you can continue ssh-ing to other hosts without irritating password prompts. Does it sound like something that never happens? Believe me, it does.

As you've probably found out, this information is not at all complete; it isn't meant to be. When it comes to security related things, always read the manpages. I've only written enough to get you interested ;-)