SSH Tutorial
What's SSH?
To quote the README file: Ssh (Secure Shell) is a program to log into
another computer over a network, to execute commands in a remote machine,
and to move files from one machine to another. It provides strong
authentication and secure communications over insecure channels. It is
intended as a replacement for rlogin, rsh, and rcp.
What do I do?
I'll explain how I set SSH and sshd (the ssh server daemon) up on this
iMac with Linux/PPC r5 and how I set them up at home on an i686 running
RedHat 6. I used ssh-1.2.27-5us, ssh-client-1.2.27-5us, and
ssh-server-1.2.27-5us on both computers. I've also seen it done on
BSD boxes and it wasn't any different. After getting the hang of
this you'll realize the only pain is making sure you're using the right
identity keys.
To start off, get those files. Try rpmfind.net if you like rpms, or this ftp site if you want the
tarball. Then install them (rpm -ivh *.rpm for rpms; for tarballs, tar zxvf
*.tar.gz, then cd into the directory and run
./configure, make, then make install.)
I personally like the rpms because they install themselves very
quickly and efficiently.
The next thing I did was make sure things were actually installed where
they should be. I ran which ssh, which sshd, and also
whereis ssh and whereis sshd. My output is as follows:
[johndoe@localhost johndoe]$ which ssh
/usr/bin/ssh
[johndoe@localhost johndoe]$ which sshd
/usr/sbin/sshd
[johndoe@localhost johndoe]$ whereis ssh
ssh: /usr/bin/ssh /etc/ssh /usr/man/man1/ssh1.1 /usr/man/man1/ssh.1
[johndoe@localhost johndoe]$ whereis sshd
sshd: /usr/sbin/sshd /usr/man/man8/sshd1.8 /usr/man/man8/sshd.8
Next, I went into /etc/hosts.allow and changed it so it says:
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
all
sshd: all
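A tighter version of that hosts.allow, as an added example rather than the page's own configuration: tcp_wrappers checks hosts.allow first and hosts.deny second, so the pair below admits sshd connections only from one network and one named host and refuses all others, while leaving other services untouched. The network address is a placeholder; my.linuxppc.box is the client host name that appears in the tutorial's ssh -v output.

```text
# /etc/hosts.allow  (placeholder network; my.linuxppc.box is the tutorial's client)
sshd: 192.168.1.0/255.255.255.0, my.linuxppc.box

# /etc/hosts.deny  (everything not matched above is refused for sshd only)
sshd: ALL
```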
After that I went into my home directory and ran ssh-keygen1. This
generates the keys and the directory .ssh/. It will ask where to save
the key; just hit return unless you want something different from the
default (/home/johndoe/.ssh/identity).
Then it will prompt you for a passphrase, and then to enter the same
phrase again. You should follow the same etiquette as with your other
passwords. Here is the output I get when I run ssh-keygen1:
[johndoe@localhost johndoe]$ ssh-keygen1
Initializing random number generator...
Generating p: ............++ (distance 190)
Generating q: ..++ (distance 40)
Computing the keys...
Testing the keys...
Key generation complete.
Enter file in which to save the key (/home/johndoe/.ssh/identity):
Enter passphrase:
Enter the same passphrase again:
Your identification has been saved in /home/johndoe/.ssh/identity.
Your public key is:
1024 37
145134297447762606526475849531827773520337282760619881591595337714659618094613938314
31178714427267483786960793572444855315762562743769177845943458525119947128144388138691204827
52494487228351991517275632561704249941387551716707812584302581676445583303592030381101048611
31189806625150768833421778491980264304827
johndoe@localhost
Your public key has been saved
in /home/johndoe/.ssh/identity.pub
Now here comes the somewhat tricky part. I'll try to explain it as best
I can. cd into your .ssh/ directory. When you do an
ls you should see:
[johndoe@localhost ~/.ssh]$ ls
identity identity.pub random_seed
Copy your identity.pub file to a new file called authorized_keys like so:
[johndoe@localhost ~/.ssh]$ cp identity.pub authorized_keys
The ~/.ssh/authorized_keys file lists all of the public keys that are authorized
to log in as the given user. If a user's public key is in the authorized_keys
file and they have the matching private key (identity) on their system, they
are granted access.
Ok, now you're ready to send that identity.pub key somewhere. I'm going to
explain this the way I did it, which was between my 2 boxes. You should be
able to pick up what I did; if not, don't worry, I'll give you some links
to FAQs for troubleshooting. The way I did it was I copied both of my
identity.pub files to 'i686box' and 'ppcbox'. I then ftp'd from my
linuxppc box (johndoe) to my i686 (janedoe) and did the following:
[johndoe@localhost ~/.ssh]$ ftp my.i686.box
Connected to my.i686.box
220 my.i686.box ready
Name (my.i686.box:johndoe):
331 User okay, need password.
Password:
230 Logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get /home/janedoe/.ssh/i686box /home/johndoe/.ssh/i686box
ftp> put /home/johndoe/.ssh/ppcbox /home/janedoe/.ssh/ppcbox
ftp> bye
Then I would go into a shell on each box and run cat i686box >>
authorized_keys on my Linux/PPC box and cat ppcbox >>
authorized_keys on my i686 box. That puts the other box's identity.pub key into
the authorized_keys file. After that I just rm'd 'i686box' and 'ppcbox'.
The next thing you should do is check file permissions.
They NEED to be set like so:
[johndoe@localhost .ssh]$ ls -laF
total 7
drwx------ 2 john john 1024 Aug 17 01:10 ./
drwx------ 16 john john 1024 Aug 17 09:41 ../
-rw------- 1 john john 333 Aug 16 10:48 authorized_keys
-rw------- 1 john john 535 Aug 17 01:10 identity
-rw------- 1 john john 333 Aug 16 10:48 identity.pub
-rw------- 1 john john 512 Aug 17 08:33 random_seed
If you don't know how to change permissions, learn. They NEED to be set
exactly like that if you want it to work. Otherwise you might get "bad file
mode for /home/johndoe" when you try to connect. Now, finally,
you're ready to go. I did all of this on both boxes and made sure they
matched.
Then I ran the command ssh -l johndoe -v
my.i686.box.
The breakdown of this command is -l johndoe (for the
login name) and -v (for verbose mode). Do a man ssh to see all the
options; also highly recommended for a better understanding of ssh.
Here is the output I get:
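The two manual steps above (appending the received key to authorized_keys, then checking the modes) as a POSIX sh script; this is an added example, not code from the original page. It assumes the SSH1 layout the tutorial shows (identity, identity.pub, authorized_keys under ~/.ssh) and takes an optional directory argument so it can be tried on a scratch copy first.

```shell
#!/bin/sh
# Added example, not from the original page: the tutorial's two manual steps,
# "cat <keyfile> >> authorized_keys" and the permission check, as functions.
# Both take an optional directory so they can be tried on a scratch copy
# instead of the real ~/.ssh.

# mode_of PATH: the 10-character mode field from `ls -ld`, e.g. drwx------
mode_of() { ls -ld "$1" | cut -c1-10; }

# install_pubkey PUBKEYFILE [SSHDIR]: append each key line from PUBKEYFILE
# to authorized_keys unless that exact line is already there, so running the
# step twice never duplicates a key. A new file is created mode 600.
install_pubkey() {
    pub=$1; dir=${2:-"$HOME/.ssh"}; auth="$dir/authorized_keys"
    [ -f "$auth" ] || (umask 077; : > "$auth")
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        grep -qxF -- "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
    done < "$pub"
}

# check_ssh_perms [SSHDIR]: print one line per deviation from the modes the
# tutorial lists (directory drwx------, every file -rw-------, and the home
# directory above it not group- or world-writable). Returns 1 if any
# deviation was found, 0 otherwise.
check_ssh_perms() {
    dir=${1:-"$HOME/.ssh"}; rc=0
    case $(mode_of "$(dirname "$dir")") in
        ?????w*|????????w?) echo "$(dirname "$dir") is group/world writable"; rc=1 ;;
    esac
    [ "$(mode_of "$dir")" = "drwx------" ] ||
        { echo "bad mode on $dir: want drwx------ got $(mode_of "$dir")"; rc=1; }
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        m=$(mode_of "$f")
        [ "$m" = "-rw-------" ] ||
            { echo "bad mode on $f: want -rw------- got $m"; rc=1; }
    done
    return $rc
}

# fix_ssh_perms [SSHDIR]: apply exactly the modes shown in the tutorial's ls -laF
fix_ssh_perms() {
    dir=${1:-"$HOME/.ssh"}
    chmod 700 "$dir" && chmod 600 "$dir"/*
}
```

Run check_ssh_perms before connecting; a non-zero exit with its messages points at the file that would produce the "bad file mode" error.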
[johndoe@localhost .ssh]$ ssh -l johndoe -v my.i686.box
SSH Version 1.2.27 [powerpc-unknown-linux], protocol version 1.5.
Standard version. Does not use RSAREF.
localhost: Reading configuration data /etc/ssh/ssh_config
localhost: ssh_connect: getuid 102 geteuid 0 anon 0
localhost: Allocated local port 1023.
localhost: Connecting to 204.170.128.11 port 22.
localhost: Connection established.
localhost: Remote protocol version 1.5, remote software version 1.2.27
localhost: Waiting for server public key.
localhost: Received server public key (768 bits) and host key (1024 bits).
localhost: Host 'my.i686.box' is known and matches the host key.
localhost: Initializing random; seed file /home/johndoe/.ssh/random_seed
localhost: Encryption type: idea
localhost: Sent encrypted session key.
localhost: Installing crc compensation attack detector.
localhost: Received encrypted confirmation.
localhost: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
localhost: Remote: Rhosts/hosts.equiv authentication refused: client
user 'johndoe', server user 'johndoe', client host 'my.linuxppc.box'.
localhost: Server refused our rhosts authentication or host key.
localhost: No agent.
localhost: Trying RSA authentication with key 'johndoe@my.i686.box'
localhost: Received RSA challenge from server.
Enter passphrase for RSA key 'johndoe@my.i686.box':
localhost: Sending response to host key RSA challenge.
localhost: Remote: RSA authentication accepted.
localhost: RSA authentication accepted by server.
localhost: Requesting pty.
localhost: Requesting X11 forwarding with authentication spoofing.
localhost: Requesting shell.
localhost: Entering interactive session.
Last login: Tue Aug 17 09:54:03 1999
[johndoe@my.i686.box ~/]$
There you go, I just connected to my i686 box with a secure shell. By the
way, the "Enter passphrase for RSA key 'johndoe@my.i686.box'" prompt wants
the passphrase from the beginning, when you first made the key.
Troubleshooting
Didn't work? Before posting problems anywhere, quickly check and make sure
your file permissions are exactly the same as I listed. Also make sure
you're using the right key. Here's an SSH FAQ to look at
also. If you have problems try there first, or post on the Discussion
Board if you're still stuck.
Where do I go from here?
Keep reading. Check out any docs you can find, read the man pages... any
source you can find on it, read it.
-josh (thanks a lot to ethan benson, pd, and temas)