These protocols were in common use, back in the day:
They transmit information (including passwords!) in plain text over the
internet. Ack! Don’t use them. Disable (
rshd, or uninstall the packages.
Some systems, such as Ubuntu 15.10, provide symlinks for backward compatibility:
% type rlogin rlogin is /usr/bin/rlogin % ls -log /usr/bin/rlogin lrwxrwxrwx 1 24 Nov 21 21:09 /usr/bin/rlogin -> /etc/alternatives/rlogin % ls -log /etc/alternatives/rlogin lrwxrwxrwx 1 15 Nov 21 21:09 /etc/alternatives/rlogin -> /usr/bin/slogin % ls -log /usr/bin/slogin lrwxrwxrwx 1 3 Nov 21 21:09 /usr/bin/slogin -> ssh
That’s adorable. Just avoid them.
sshis a Linux command that uses the ssh protocol for remote login.
scpis a Linux command that uses the ssh protocol to copy files.
ssh: Execute a command on a remote system, or remotely log in to a remote system
scp: Copy a file to/from a remote system
scpuse the same encryption, configuration, etc.
scpdaemon, just an
sshport (22) and an
Execute a remote command:
ssh email@example.com id
Start a interactive remote session:
@is omitted, then the current username is used.
What’s the difference between these two commands?
ssh applin@denver cat a*b ssh applin@denver "cat a*b"
How about these?
ssh applin@denver date; pwd ssh applin@denver "date; pwd"
scp supports using a directory as a destination,
or renaming the file.
scp alpha denver: scp beta applin@denver: scp gamma applin@denver:delta scp epsilon applin@denver:/tmp scp zeta applin@denver:/tmp/iota
Either the source, the destination, both, or neither can be a remote system:
scp denver:kappa lambda scp denver:omicron lansing:pi scp sigma tau
scp also supports the
-r options from
~/.sshdirectory contains a number of files, including:
~/.sshdirectory is unreadable/unwritable/unexecutable by anybody but me.
~/.ssh/authorized_keyscontains a list of authorized public keys.
~/.ssh/known_hosts contains the host keys for the hosts
that we’ve connected to previously. If anybody tries to impersonate
a host, they won’t have the same host key.
~/.ssh/configcontain configuration information, including:
ssh_config man page for tons more information.
# Share the control circuit for multiple connections: ControlMaster auto # Put the control circuit socket in MY directory, for safety: ControlPath ~/tmp/ssh·mux·%h·%p·%r # Keep the control circuit for a while after we stop using it: ControlPersist 10m # Global options: Host * Compression yes ForwardX11 yes Protocol 2 # Jack’s office at CSU: Host applin Applin csu CSU User applin HostName Greybull.CS.ColoState.Edu
/etc/ssh/sshd_config can make things more difficult for miscreants:
# Permit only certain users: AllowUsers cindy belle aurora snow # Don’t allow root login via ssh. One can use sudo, however: PermitRootLogin no # Empty password? You can’t use ssh, then: PermitEmptyPasswords no # Don’t allow password authentication at all: PasswordAuthentication no # Don’t permit obsolete ssh protocol 1: Protocol 2 # Everybody expects port 22, therefore: Port 13579
~/.ssh/id_ed25519: private key
~/.ssh/id_ed25519.pub: public key
~/.ssh/id_rsa: private key
~/.ssh/id_rsa.pub: public key
scpuse a pair of keys: one public, one private.
~/.ssh/authorized_keyscontains the public keys for the users authorized to log into this account (or copy files) without giving a password.
To generate a public/private key pair:
ssh-keygen -t ed25519 -C "Jack’s CSU Macbook"
This will create an ed25519 keypair in
If you’re using older software, you may have to resort to RSA keys. Make sure that they have a sufficiently long key.
ssh-keygen -b 4096 -t RSA -C "Jack’s home desktop"
Ed25519 is recommended as having better security, but requires up-to-date servers & clients. I use ed25519 for all my keys.
ssh-agentwill remember your passphrase for you.
Consider the following problem:
Port forwarding is your solution!
ssh -f -N -Llocal-port:host:host-port user@remote-host
-f: run in the background
-N: don’t run a command or start a shell on remote-host
% wget -q -O- http://icanhazip.com/ 203.0.113.123 % wget -q -O- http://localhost:12345/ % wget -O- http://localhost:12345/ --2018-01-17 19:16:33 -- http://localhost:12345/ Resolving localhost (localhost)... 127.0.0.1 Connecting to localhost (localhost)|127.0.0.1|:12345... failed: Connection refused. % ssh -f -N -L12345:icanhazip.com:80 firstname.lastname@example.org % wget -q -O- http://localhost:12345/ 188.8.131.52 % host 184.108.40.206 220.127.116.11.in-addr.arpa domain name pointer denver.cs.colostate.edu.