OpenSSH

10.10. OpenSSH

Contributed by Chern Lee , April 21, 2001.

Secure shell is a set of network connectivity tools used to access remote machines securely. It can be used as a direct replacement for rlogin, rsh, rcp, and telnet. Additionally, any other TCP/IP connections can be tunneled/forwarded securely through ssh. ssh encrypts all traffic to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.

OpenSSH is maintained by the OpenBSD project, and is based upon SSH v1.2.12 with all the recent bug fixes and updates. It is compatible with both SSH protocols 1 and 2. OpenSSH has been in the base system since FreeBSD 4.0.

10.10.1. Advantages of using OpenSSH

Normally, when using telnet(1) or rlogin(1), data is sent over the network in an clear, un-encrypted form. Network sniffers anywhere in between the client and server can steal your user/password information or data transferred in your session. OpenSSH offers a variety of authentication and encryption methods to prevent this from happening.

10.10.2. Enabling sshd

Be sure to make the following additions to your rc.conf file:

    sshd_enable="YES"

This will load the ssh daemon the next time your system initializes. Alternatively, you can simply run the sshd daemon.

10.10.3. SSH client

The ssh(1) utility works similarly to rlogin(1).

    # ssh user@foobardomain.com
    Host key not found from the list of known hosts.
    Are you sure you want to continue connecting (yes/no)? yes
    Host 'foobardomain.com' added to the list of known hosts.
    user@foobardomain.com's password: *******

The login will continue just as it would have if a session was created using rlogin or telnet. SSH utilizes a key fingerprint system for verifying the authenticity of the server when the client connects. The user is prompted to enter 'yes' only during the first time connecting. Future attempts to login are all verified against the saved fingerprint key. The SSH client will alert you if the saved fingerprint differs from the received fingerprint on future login attempts. The fingerprints are saved in ~/.ssh/known_hosts

10.10.4. Secure copy

The scp command works similarly to rcp; it copies a file to or from a remote machine, except in a secure fashion.

    #  scp user@foobardomain.com:/COPYRIGHT COPYRIGHT
    user@foobardomain.com's password: 
    COPYRIGHT            100% |*****************************|  4735       
    00:00    
    #

Since the fingerprint was already saved for this host in the previous example, it is verified when using scp here.

10.10.5. Configuration

The system-wide configuration files for both the OpenSSH daemon and client reside within the /etc/ssh directory.

ssh_config configures the client settings, while sshd_config configures the daemon.

10.10.6. ssh-keygen

Instead of using passwords, ssh-keygen(1) can be used to generate RSA keys to authenticate a user.

    % ssh-keygen
    Initializing random number generator...
    Generating p:  .++ (distance 66)
    Generating q:  ..............................++ (distance 498)
    Computing the keys...
    Key generation complete.
    Enter file in which to save the key (/home/user/.ssh/identity):
    Enter passphrase:
    Enter the same passphrase again:
    Your identification has been saved in /home/user/.ssh/identity.
    ...

ssh-keygen(1) will create a public and private key pair for use in authentication. The private key is stored in ~/.ssh/identity, whereas the public key is stored in ~/.ssh/identity.pub. The public key must be placed in ~/.ssh/authorized_keys of the remote machine in order for the setup to work.

This will allow connection to the remote machine based upon RSA authentication instead of passwords.

If a passphrase is used in ssh-keygen(1), the user will be prompted for a password each time in order to use the private key.

ssh-agent(1) and ssh-add(1) are utilities used in managing multiple passworded private keys.

10.10.7. SSH-туннелирование

OpenSSH позволяет создать туннель, который будет инкапсулировать в себе какой-либо другой протокол, обеспечивая таким образом прозрачное шифрование трафика.

Например, вот так можно через ssh(1) создать туннель для telnet:

    % ssh -2 -N -f -L 5023:localhost:23 user@foo.bar.com
    %

  • -2 говорит ssh(1) использовать версию 2 протокола. (Не указывайте эту опцию при работе со старыми ssh-серверами)

  • -N indicates no command, or tunnel only. If omitted, ssh(1) would initiate a normal session.

  • -f forces ssh(1) to run in the background.

  • -L indicates a local tunnel in localport:localhost:remoteport fashion.

  • foo.bar.com is the remote/target SSH server.

An SSH tunnel works by creating a listen socket on the specified local host and port. It then forwards any connection to the local host/port via the SSH connection to the remote machine on the specified remote port.

In the example, port 5023 on localhost is being forwarded to port 23 on the remote machine. Since 23 is telnet, this would create a secure telnet session through an SSH tunnel.

This can be used to wrap any number of insecure TCP protocols such as smtp, pop3, ftp, etc.

Типичный SSH-туннель

    % ssh -2 -N -f -L 5025:localhost:25 user@mailserver.foobar.com
    user@mailserver.foobar.com's password: *****
    % telnet localhost 5025
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 mailserver.foobar.com ESMTP

This can be used in conjunction with an ssh-keygen(1) and additional user accounts to create a more seamless/hassle-free SSH tunneling environment. Keys can be used in place of typing a password, and the tunnels can be run as a separate user.

10.10.8. Что почитать еще

OpenSSH

ssh(1) scp(1) ssh-keygen(1) ssh-agent(1) ssh-add(1)

sshd(8) sftp-server(8)