See this page as a slide show

Secure Shell

Overview

1. The Before Times
2. Compatibility
3. ssh & scp
4. The ~/.ssh Directory
5. System Configuration
6. Asymmetric Encryption
7. Generating a Key Pair
8. Port Forwarding

The Before Times

These protocols were in common use, back in the day:

ftp, rcp

Copy files between hosts

telnet, rlogin

Log in remotely

rsh

Execute a remote command

They transmit information in plain text (unencrypted) over the internet. This is bad. Don’t use them. Disable ftpd, rlogind, and rshd, or uninstall the packages.

Compatibility

Some systems, such as Ubuntu 15.10, provide symlinks for backward compatibility:

    % type rlogin
    rlogin is /usr/bin/rlogin

    % ls -log /usr/bin/rlogin
    lrwxrwxrwx 1 24 Nov 21 21:09 /usr/bin/rlogin -> /etc/alternatives/rlogin

    % ls -log /etc/alternatives/rlogin
    lrwxrwxrwx 1 15 Nov 21 21:09 /etc/alternatives/rlogin -> /usr/bin/slogin

    % ls -log /usr/bin/slogin 
    lrwxrwxrwx 1  3 Nov 21 21:09 /usr/bin/slogin -> ssh

ssh & scp

• ssh: Execute a command on a remote system, or remotely log in to a remote system
• scp: Copy a file to/from a remote system
• ssh and scp use the same encryption, configuration, etc.
• There is no scp port or scp daemon, just an ssh port (22) and an ssh daemon (sshd).

Use of ssh

Execute a remote command:

    ssh applin@denver.cs.colostate.edu id

Start a interactive remote session:

    ssh applin@denver.cs.colostate.edu

• If username@ is omitted, then the current username is used.
• A full hostname may not be required, if the domain is the same.

Quoting

What’s the difference between these two commands?

    ssh applin@denver cat a*b

    ssh applin@denver "cat a*b"

How about these?

    ssh applin@denver date; pwd

    ssh applin@denver "date; pwd"

Use of scp

As does cp, scp supports using a directory as a destination, or renaming the file.

    scp alpha denver:
    scp beta applin@denver:
    scp gamma applin@denver:delta
    scp epsilon applin@denver:/tmp
    scp zeta applin@denver:/tmp/iota

Either the source, the destination, both, or neither can be a remote system:

    scp denver:kappa lambda
    scp denver:omicron lansing:pi
    scp sigma tau

scp also supports the -p and -r options from cp.

The ~/.ssh Directory

• The ~/.ssh directory contains a number of files, including:
  • authorized_keys
  • known_hosts
  • config
  • id_rsa
  • id_rsa.pub
• My ~/.ssh directory is unreadable/unwritable/unexecutable by anybody but me.
  • It’s overkill, but I like it.

~/.ssh/authorized_keys

~/.ssh/authorized_keys contains a list of authorized public keys. That is, it’s a list of “people” given permission to log in without a password, or to copy files to/from this account without a password.

~/.ssh/known_hosts

~/.ssh/known_hosts contains the host keys for the hosts that we’ve connected to previously. If anybody tries to impersonate a host, they won’t have the same host key.

~/.ssh/config

• /etc/ssh/ssh_config and ~/.ssh/config contain configuration information, including:
  • ControlMaster
  • ControlPath
  • ControlPersist
  • Compression
  • ForwardX11
  • Protocol
  • Host aliases

See the ssh_config man page for tons more information.

Sample ~/.ssh/config

    # Share the control circuit for multiple connections:
    ControlMaster auto

    # Put the control circuit socket in MY directory, for safety:
    ControlPath ~/tmp/ssh·mux·%h·%p·%r

    # Keep the control circuit for a while after we stop using it:
    ControlPersist 10m

    # Global options:
    Host *
        Compression yes
        ForwardX11 yes
        Protocol 2

    # Jack’s office at CSU:
    Host applin Applin csu CSU
        User applin
        HostName Greybull.CS.ColoState.Edu

System Configuration

/etc/ssh/sshd_config can make things more difficult for miscreants:

    # Permit only certain users:
    AllowUsers cindy belle aurora snow

    # Don’t allow root login via ssh.  One can use sudo, however:
    PermitRootLogin no

    # Empty password?  You can’t use ssh, then:
    PermitEmptyPasswords no

    # Don’t allow password authentication at all:
    PasswordAuthentication no

    # Don’t permit obsolete ssh protocol 1:
    Protocol 2

    # Everybody expects port 22, therefore:
    Port 13579

~/.ssh/id_*

• ~/.ssh/id_rsa: private key
• ~/.ssh/id_rsa.pub: public key
• ~/.ssh/id_ed25519: private key
• ~/.ssh/id_ed25519.pub: public key

Asymmetric Encryption

• ssh and scp use a pair of keys: one public, one private.
• Your public key is public. You can publish it in the newspaper.
• Your private key is private. If it gets out, abandon it.
• ~/.ssh/authorized_keys contains the public keys for the users authorized to log into this account (or copy files) without giving a password.
• Anybody can encrypt a message with your public key, but only you have the private key to decrypt it. However, you don’t do explicit encryption/decryption with ssh & scp.
• Make one public/private key pair for each device (e.g., laptop). If you lose the laptop, invalidate its keys.

Generating a Key Pair

To generate a public/private key pair:

    ssh-keygen -b 4096 -t RSA -C "Jack’s home desktop"

This will create an 4096-bit RSA keypair in ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub. Other key types can be used, but RSA has the best combination of security and availability, as of 2015.

Ed25519 is recommended as having better security, but requires up-to-date servers & clients. I use ed25519 for my Linux laptops and CSU machines, but I can’t use it with PuTTY.

    ssh-keygen -t ed25519 -C "Jack’s CSU Macbook"

Passphrase

• An ssh private key is generally protected by a passphrase.
• It’s like a password, but longer.
  • Why they call it a passphrase is beyond me.
• ssh-agent will remember your passphrase for you.
• If you don’t have a passphrase, who can get to your private key?

Port Forwarding

    ssh -f -N -Llocal-port:host:host-port user@remote-host

• -f: run in the background
• -N: don’t run a command or start a shell on remote-host
• -L:
  1. Connect to remote-host as user (really, it always does that)
  2. From remote-host, connect to host on port host-port
  3. Forward that connection to local-port on the local machine

Port Forwarding Example

% wget -q -O- http://icanhazip.com/
203.0.113.123

% wget -q -O- http://localhost:12345/

% wget -O- http://localhost:12345/
--2015-11-28 14:41:36--  http://localhost:12345/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:12345... failed: Connection refused.

% ssh -f -N -L12345:icanhazip.com:80 applin@denver.cs.colostate.edu

% wget -q -O- http://localhost:12345/
129.82.46.205

% host 129.82.46.205
205.46.82.129.in-addr.arpa domain name pointer denver.cs.colostate.edu.

Cryptography ain’t Everything