Difference between revisions of "Secure Shell"
(→SSH without passwords) |
|||
Line 1: | Line 1: | ||
'''Secure Shell''' (or '''SSH''') is a set of standards and an associated network protocol that allows establishing a secure channel between a local and a remote computer. It uses public-key cryptography to authenticate the remote computer and (optionally) to allow the remote computer to authenticate the user. | '''Secure Shell''' (or '''SSH''') is a set of standards and an associated network protocol that allows establishing a secure channel between a local and a remote computer. It uses public-key cryptography to authenticate the remote computer and (optionally) to allow the remote computer to authenticate the user. | ||
+ | |||
+ | ''Note: This article will only consider OpenSSH.'' | ||
== SSH without passwords == | == SSH without passwords == | ||
Line 48: | Line 50: | ||
$ #~OR~ | $ #~OR~ | ||
$ ssh root@<SERVER_IP> -i /path/to/my_private_key.txt | $ ssh root@<SERVER_IP> -i /path/to/my_private_key.txt | ||
+ | |||
+ | * Get the private key's "fingerprint": | ||
+ | $ ssh-keygen -lf /path/to/my_private_key.txt | ||
+ | 2048 f6:a0:8c:99:ba:c2:31:36:1c:f2:5d:c5:da:37:27:b7 bob@hostname (RSA) | ||
+ | |||
+ | * Create a "signature": | ||
+ | $ echo -n 'this is my signature' |openssl sha1 -binary |\ | ||
+ | openssl pkeyutl -sign -inkey my_private_key.txt -pkeyopt digest:sha1 > signature | ||
+ | |||
+ | ==Converting OpenSSH public keys== | ||
+ | |||
+ | * First, generate a public/private key: | ||
+ | $ ssh-keygen -t rsa -b 2048 -f /home/bob/my-key | ||
+ | |||
+ | * Extract public key from private key: | ||
+ | $ openssl rsa -in my-key -pubout | ||
+ | |||
+ | * Note the difference between the above and the default public key <code>`ssh-keygen`</code> provides (i.e., the "<code>my-key.pub</code>" file): | ||
+ | $ cat /home/bob/my-key.pub | ||
+ | |||
+ | * Or, get your public key in PEM format (only works with OpenSSH v5.6+): | ||
+ | $ ssh-keygen -f my-key.pub -e -m pem | ||
==SSH config file== | ==SSH config file== |
Revision as of 11:37, 4 November 2014
Secure Shell (or SSH) is a set of standards and an associated network protocol that allows establishing a secure channel between a local and a remote computer. It uses public-key cryptography to authenticate the remote computer and (optionally) to allow the remote computer to authenticate the user.
Note: This article will only consider OpenSSH.
Contents
SSH without passwords
- Step 1: Generate keys (public and private) and leave passphrase blank if you want password-less logins:
ssh-keygen # ~Or~ ssh-keygen -t dsa # ~Or~ ssh-keygen -t rsa -b 2048 -f /home/bob/my-key
- Step 2: Copy public key to remote server (Important: Only the public key!):
scp ~/.ssh/id_dsa.pub username@remote-host:.ssh/authorized_keys # ~OR~ ssh-copy-id -i ~/.ssh/id_rsa.pub username@remote-host
- Step 3: Set directory/file permissions (if not already set):
chmod 700 ~/.ssh chmod 600 ~/.ssh/authorized_keys
- Step 4: Now, SSH into your remote server (password will be required the first time):
ssh username@remote-host
That's it! You are now free to log into your remote server without entering a password. This is useful for automating file transfers. However, it must be used with care. If not executed properly, it is a potential security risk.
Using SSH private keys
For illustration purposes, I will generate a pseudo-key by generating 512 random characters to give you an idea of what a RSA private key should look like (note: You should never really create a private key less than 2048 bits):
$ echo "-----BEGIN RSA PRIVATE KEY-----" && openssl rand -base64 512 && echo -e "-----END RSA PRIVATE KEY-----\n" -----BEGIN RSA PRIVATE KEY----- AgaLRL9vUvHb736UVEavYIgpDJywdAvy+Y8/PGnS2aXbr1JzRXsvmoufcYpdJev+ 9E2XigSgoEuP3eDH4lRCtYRVuSqN7jUVJT26KBQbC34qw72mrfcVoW5H442l2oGF oOcWTcRz0F4R0LKbCecx7tGgzAW/XOVocmcC4CsEIrA+hmUkk9sXO/VD7eV6dP5D d3k3bqoDI4VEkhpavKSTRnoDBrl33tiz43vyiQUegPjZVkg+jOI7fyZL2hElQea2 o+KjEFfr4a1ZJs/58XitoCcHb7vaFX4PGNDuveBchFKmeWROuMxHalBVbV/sZVr4 bJYfNHTHHr4rNjQdf5cO9wnzIhC1hsutxZWPEj9JF3X+BVtAgKVS9Zbkh9BxSJJG cLWrmyqM7gRhE96ibHF6hGJ7jj0cf/pK8e8NVIVzD1jwvXAT7FeJHkKltoAKQ7LQ bC4d0b27jOccLpR6C4SU6zhSyWBnsoawiMfYR7HsEmLlOZW6fycrukFzi5wm/zpK r4YVIrzWHJzJbP+CIVvLUp8hv13OO3ozQo3tCNofpESV2/vYOGStDQtF9GVq53rS DWn2NAzT6X1IFtJlxQxG0CNsnNBAAZoOA3lgEPQqPzdoqKA/deS64oBH8j8CUSUp DQgaIxzVF1/2bKO3JoHKLaeui4vFIH7KT8ITS/FKoD8= -----END RSA PRIVATE KEY-----
- Save your private key to a file (let's call it "
my_private_key.txt
") and:
$ chmod 600 my_private_key.txt
- Now use that private key to log into your remote server (assuming, of course, that server has the matching key):
$ ssh -i /path/to/my_private_key.txt -l root <SERVER_IP> $ #~OR~ $ ssh root@<SERVER_IP> -i /path/to/my_private_key.txt
- Get the private key's "fingerprint":
$ ssh-keygen -lf /path/to/my_private_key.txt 2048 f6:a0:8c:99:ba:c2:31:36:1c:f2:5d:c5:da:37:27:b7 bob@hostname (RSA)
- Create a "signature":
$ echo -n 'this is my signature' |openssl sha1 -binary |\ openssl pkeyutl -sign -inkey my_private_key.txt -pkeyopt digest:sha1 > signature
Converting OpenSSH public keys
- First, generate a public/private key:
$ ssh-keygen -t rsa -b 2048 -f /home/bob/my-key
- Extract public key from private key:
$ openssl rsa -in my-key -pubout
- Note the difference between the above and the default public key
`ssh-keygen`
provides (i.e., the "my-key.pub
" file):
$ cat /home/bob/my-key.pub
- Or, get your public key in PEM format (only works with OpenSSH v5.6+):
$ ssh-keygen -f my-key.pub -e -m pem
SSH config file
Note: See the ssh_config (5) man page for details.
- Edit your SSH config file (
~/.ssh/config
) and add the following (example) lines:
# contents of $HOME/.ssh/config Host dev HostName dev.example.com Port 22321 User bob Host github IdentityFile ~/.ssh/github.key
Now you can simply type:
ssh dev
to SSH into that dev.example.com
remote host.
See: for more examples.
Making SSH even more secure
Note: All of the following settings will be implemented in your /etc/ssh/sshd_config
file.
- Disable SSH protocol 1. Make sure no lines reads
Protocol 1
. If so, change it to:
Protocol 2
- Enable key-based logins (see above for how to do this):
PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys
- Disable password-based logins (Only do this if you first enable key-based logins!):
PasswordAuthentication no
- Run on ports other than 22
Port 1717 # any free port above 1024
You will then need to point to this port when SSHing into your remote machine
ssh -p 1717 remote.machine
- Disable root logins (Very important!):
PermitRootLogin no
Disable / deny brute force attacks
The following iptables rules should deny almost all brute force attacks on your firewall's port 22 (SSH port):
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
Supported escape sequences
Note: The following escapes are only recognized immediately after newline.
~. - terminate connection (and any multiplexed sessions) ~B - send a BREAK to the remote system ~C - open a command line ~R - Request rekey (SSH protocol 2 only) ~^Z - suspend ssh ~# - list forwarded connections ~& - background ssh (when waiting for connections to terminate) ~? - this message ~~ - send the escape character by typing it twice
Todo
- Access your local subversion repository from the road
ssh -NfL 3690:127.0.0.1:3690 USER@64.3.10.24 -p6111
Then you can access the repository via
svn://127.0.0.1/YOUR-SVN-PATH
- Secure web traffic when traveling
ssh -D 9999 -p6111 USER@64.3.10.24
then go to Firefox's Preferences->Advanced->Network->Settings->Manual proxy settings with:
SOCKS Host: 127.0.0.1 Port: 9999 No proxy for: localhost, 127.0.0.1
See also
- SSH Filesystem (sshfs)
- Fish protocol
- rsync