Sunday, September 18, 2011

Open SSH

SSH is not built on SSL/TLS; the two are independent protocols. What OpenSSH does depend on is the OpenSSL library (libcrypto) for its cryptographic primitives, so the openssl package must be installed and intact, but no SSL certificates or SSL services are involved.

[root@client ~]# which ssh
/usr/bin/ssh
[root@client ~]# ls -l /usr/bin/ssh
-rwxr-xr-x  1 root root 240488 Nov 30  2004 /usr/bin/ssh
[root@client ~]# rpm -qf /usr/bin/ssh
openssh-clients-3.9p1-8.RHEL4.1
[root@server ssh]# rpm -qa | grep -i ssh
openssh-3.9p1-8.RHEL4.1
openssh-askpass-3.9p1-8.RHEL4.1
openssh-clients-3.9p1-8.RHEL4.1
openssh-server-3.9p1-8.RHEL4.1
openssh-askpass-gnome-3.9p1-8.RHEL4.1
[root@client ~]# ssh
usage: ssh [-1246AaCfghkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec] [-D port] [-e escape_char] [-F configfile] [-i identity_file] [-L port:host:hostport] [-l login_name] [-m mac_spec] [-o option] [-p port] [-R port:host:hostport] [-S ctl] [user@]hostname [command]
[root@client ~]# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:32769           0.0.0.0:*               LISTEN      1890/rpc.statd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1870/portmap
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2012/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2082/sendmail: acce
tcp        0      0 :::22                   :::*                    LISTEN      2048/sshd

-n  show numerical addresses instead of resolving names
-t  show only TCP sockets
-l  show only listening sockets
-p  show the PID and name of the program owning each socket

sshd is listening on port 22 on the IPv6 wildcard address (:::22). On Linux an IPv6 wildcard socket also accepts IPv4 connections by default, which is why no separate 0.0.0.0:22 line appears.
[root@client ~]# ssh server.linux.com
The authenticity of host 'server.linux.com (192.168.226.129)' can't be established.
RSA key fingerprint is 4c:c0:9b:19:26:70:54:59::a9:7e:.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server.linux.com,192.168.226.129' (RSA) to the list of known hosts.
root@server.linux.com's password:
Last login: Tue Dec 19  2006
-bash: /usr/lib/vmware-tools/bin32: is a directory
[root@server ~]#
The above ssh command connects to server.linux.com and prompts for a password. Because no user name was given, ssh assumes the same user name you are logged in as locally (here root) and asks only for that account's password on the server. The yes/no question appears only on the first connection: the client has no record of this host's key yet and asks you to accept it (trust on first use). Before answering yes, compare the fingerprint shown with one obtained out of band, for example from the server console with ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub; once accepted, the key is stored and a different key presented later by the same host will be rejected with a warning.

[root@client ~]# ls -l .ssh/
total 8
-rw-r--r--  1 root root 242 Dec 19  known_hosts

The hidden .ssh directory in the home directory of the local user who ran ssh now contains a known_hosts file. It records the public host key of every server this user has accepted, one line per host.

ssh relies on public-key (asymmetric) cryptography: each party has a key pair, a public key that can be handed to anyone and a private key that must never leave its owner. Unlike TLS there is no PKI or certificate authority involved by default; trust in a server's key is established when you first accept it. Each sshd gets its own host key pair when the server package is installed (the ssh_host_*_key files in /etc/ssh). The public half is what the client stores in known_hosts. On every later connection the server proves that it holds the private half by signing data from the key exchange, and the client checks that signature against the stored public key; if the key does not match, ssh prints "REMOTE HOST IDENTIFICATION HAS CHANGED!" and refuses to continue. The session traffic itself is encrypted with a symmetric cipher negotiated during that exchange, not with the host key.

[root@client ~]# cat .ssh/known_hosts
server.linux.com,192.168.226.129 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAyJo1z2nO0NRMN4zAFuwTfzMihwwPVuQxbH/XnSMbCwfvxMBAdUEcmbZbn6q0s6EAhAHS3nI+iS/brMOHurttd+pHoVrcLL//UfEzsZ5krb+YrPbrLVKP5uq5iJG1Tds05xGixG6V8e2JqorrTU0k0gBuu8/29rHXeQxfdsEOxY8=
[root@client ~]#

Above we see the public host key that the client recorded in known_hosts when we first logged into server.linux.com (IP address 192.168.226.129). The key itself was generated on the server when sshd was installed, not during our login. This version of OpenSSH supports two host key algorithms for protocol 2, RSA and DSA (plus a legacy RSA1 key for protocol 1); these are key types, not encryption protocols. The entry here is ssh-rsa, the default. The rest of the line is the base64-encoded public key, which is the public portion of the server's public/private key pair.
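To see what that known_hosts entry actually contains, and what the client does with it, here is an added example (not code from the original post). It decodes the base64 blob copied from the listing above, parses the ssh-rsa wire format (a length-prefixed type string followed by the exponent and modulus as mpints), computes the MD5 fingerprint that this version of ssh prints and the SHA256 form newer releases print, and reproduces the three outcomes of the client's host-key check: unknown host, matching key, changed key. The verify_host_key function is a deliberate simplification of OpenSSH's logic (it ignores hashed hostnames, @cert-authority and @revoked markers, and multiple keys per host); build_rsa_blob exists only to construct a bogus key for the changed-key case.

```python
import base64
import hashlib
import struct

# The known_hosts line copied from this page (OpenSSH 3.9p1 on RHEL4).
KNOWN_HOSTS = (
    "server.linux.com,192.168.226.129 ssh-rsa "
    "AAAAB3NzaC1yc2EAAAABIwAAAIEAyJo1z2nO0NRMN4zAFuwTfzMihwwPVuQxbH/XnSMbCwfvxMBAdUEcmbZbn6q0s6EAhAHS3nI+iS/brMOHurttd+pHoVrcLL//UfEzsZ5krb+YrPbrLVKP5uq5iJG1Tds05xGixG6V8e2JqorrTU0k0gBuu8/29rHXeQxfdsEOxY8=\n"
)


def read_string(buf, off):
    """Decode one SSH wire 'string' (big-endian uint32 length + bytes) at offset."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def parse_rsa_blob(blob):
    """Parse an ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n (RFC 4253 6.6)."""
    ktype, off = read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % ktype)
    e_bytes, off = read_string(blob, off)
    n_bytes, off = read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def build_rsa_blob(e, n):
    """Inverse of parse_rsa_blob; used here only to fabricate a different key for testing."""
    def mpint(x):
        b = x.to_bytes((x.bit_length() + 7) // 8, "big")
        if b and b[0] & 0x80:          # mpint is two's complement: keep positive values positive
            b = b"\x00" + b
        return struct.pack(">I", len(b)) + b
    return struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)


def md5_fingerprint(blob):
    """Legacy colon-separated MD5 fingerprint, as printed by this version of ssh."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(blob):
    """Fingerprint format used by newer OpenSSH: SHA256:<base64 without padding>."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_known_hosts(text):
    """Map every host alias on each line to (key type, raw key blob). Hashed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        hosts, ktype, b64 = line.split()[:3]
        blob = base64.b64decode(b64)
        for h in hosts.split(","):
            entries[h] = (ktype, blob)
    return entries


def verify_host_key(entries, host, ktype, blob):
    """The trust-on-first-use decision the ssh client makes against known_hosts (simplified)."""
    if host not in entries:
        return "unknown"      # client shows the fingerprint and asks yes/no
    if entries[host] == (ktype, blob):
        return "match"        # silent success
    return "CHANGED"          # "REMOTE HOST IDENTIFICATION HAS CHANGED!" -> connection refused


if __name__ == "__main__":
    known = parse_known_hosts(KNOWN_HOSTS)
    ktype, blob = known["server.linux.com"]
    e, n = parse_rsa_blob(blob)
    print(ktype, "e=%d" % e, "%d-bit modulus" % n.bit_length())
    print(md5_fingerprint(blob))
    print(sha256_fingerprint(blob))
```

Decoding the page's own entry shows a 1024-bit RSA host key with public exponent 35, the defaults of that era; a modern deployment would regenerate the host keys with at least 2048-bit RSA or ed25519. Comparing the printed MD5 fingerprint with the one in the first-connection prompt is the out-of-band check the yes/no question is asking you to perform.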

Note: never copy the server's private host keys (/etc/ssh/ssh_host_*_key) to other media or systems. They are mode 0600 and owned by root for a reason: anyone who obtains them can impersonate the server to every client that has its key in known_hosts, and the clients will see no warning.

To log in as a different user on the server, run either of the following:

[root@client ~]# ssh remoteuser@server.linux.com
remoteuser@server.linux.com's password:
[remoteuser@server ~]$ whoami
remoteuser

or

[root@client ~]# ssh -l remoteuser server.linux.com
remoteuser@server.linux.com's password:
Last login: Tue Dec 19 2006 from client.linux.com
[remoteuser@server ~]$ whoami
remoteuser
[remoteuser@server ~]$

If a remote system cannot be reached, check that a default route (gateway) exists and points at the expected address with the following command.

[remoteuser@server ~]$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.226.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         192.168.226.2   0.0.0.0         UG        0 0          0 eth0

-r – shows routing table
-n – shows numerical address

Secure File Transfer

sftp is an interactive, FTP-like file transfer client that runs over ssh, so it uses the same host keys, authentication and encrypted channel as an ssh login. It ships in the same client package:
[root@server ssh]# which sftp
/usr/bin/sftp
[root@server ssh]# rpm -qf /usr/bin/sftp
openssh-clients-3.9p1-8.RHEL4.1

Secure Copy

[remoteuser@client ~]$ seq 25 > hello.txt
[remoteuser@client ~]$ scp hello.txt remoteuser@server.linux.com:/home/remoteuser
remoteuser@server.linux.com's password:
hello.txt                                    100%   66     0.1KB/s  
[remoteuser@client ~]$

To confirm the transfer, run ls on the server through ssh; the remote command is passed as the last argument and ssh exits when it finishes:

[remoteuser@client ~]$ ssh remoteuser@server.linux.com "ls -l"
remoteuser@server.linux.com's password:
total 8
-rw-rw-r--  1 remoteuser remoteuser 66 Dec 19 hello.txt

Server Configuration and Host Keys

The sshd configuration and the server's host key pairs live in /etc/ssh. The private keys are mode 0600 and owned by root; the .pub halves are world-readable, which is fine because they are public. ssh_host_key is the legacy protocol 1 key; ssh_host_rsa_key and ssh_host_dsa_key are the protocol 2 keys and the only ones that should be in use.

[root@server ~]# cd /etc/ssh
[root@server ssh]# ls -l
total 184
-rw-------  1 root root 111892 Nov 30  2004 moduli
-rw-r--r--  1 root root   1192 Nov 30  2004 ssh_config
-rw-------  1 root root   3025 Nov 30  2004 sshd_config
-rw-------  1 root root    668 Nov 29 ssh_host_dsa_key
-rw-r--r--  1 root root    590 Nov 29 ssh_host_dsa_key.pub
-rw-------  1 root root    515 Nov 29 ssh_host_key
-rw-r--r--  1 root root    319 Nov 29 ssh_host_key.pub
-rw-------  1 root root    887 Nov 29 ssh_host_rsa_key
-rw-r--r--  1 root root    210 Nov 29 ssh_host_rsa_key.pub
[root@server ssh]#


Generating Keys Manually

The host keys above belong to the server. A user who wants to authenticate with a key instead of a password generates a separate personal key pair with ssh-keygen; it is stored in that user's own ~/.ssh directory.
[remoteuser@client ~]$ which ssh-keygen
/usr/bin/ssh-keygen
[remoteuser@client ~]$ ls -l /usr/bin/ssh-keygen
-rwxr-xr-x  1 root root 81264 Nov 30  2004 /usr/bin/ssh-keygen
[remoteuser@client ~]$ ssh-keygen
You must specify a key type (-t).
Usage: ssh-keygen [options]
Options:
  -b bits     Number of bits in the key to create.
  -c          Change comment in private and public key files.
  -e          Convert OpenSSH to IETF SECSH key file.
  -f filename Filename of the key file.
  -g          Use generic DNS resource record format.
  -i          Convert IETF SECSH to OpenSSH key file.
  -l          Show fingerprint of key file.
  -p          Change passphrase of private key file.
  -q          Quiet.
  -y          Read private key file and print public key.
  -t type     Specify type of key to create.
  -B          Show bubblebabble digest of key file.
  -C comment  Provide new comment.
  -N phrase   Provide new passphrase.
  -P phrase   Provide old passphrase.
  -r hostname Print DNS resource record.
  -G file     Generate candidates for DH-GEX moduli
  -T file     Screen candidates for DH-GEX moduli


[root@server remoteuser]# su - remoteuser
[remoteuser@server ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/remoteuser/.ssh/id_rsa):
Created directory '/home/remoteuser/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/remoteuser/.ssh/id_rsa.
Your public key has been saved in /home/remoteuser/.ssh/id_rsa.pub.
The key fingerprint is:
54:65:4b:08:69:a1:7b:3d:f1:be:50:37:b3::ff remoteuser@server.linux.com
[remoteuser@server ~]$ ls -l .ssh/
total 16
-rw-------  1 remoteuser remoteuser 887 Dec 19 id_rsa
-rw-r--r--  1 remoteuser remoteuser 237 Dec 19 id_rsa.pub

To generate a DSA key pair instead, the procedure is the same with a different -t value:

[remoteuser@server ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/remoteuser/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/remoteuser/.ssh/id_dsa.
Your public key has been saved in /home/remoteuser/.ssh/id_dsa.pub.
The key fingerprint is:
69:64:4c:dc:d9:42:02:1c:c7:f3:cf:0d:ac:24:89:74 remoteuser@server.linux.com
[remoteuser@server ~]$ ls -l .ssh/
total 32
-rw-------  1 remoteuser remoteuser 668 Dec 19 id_dsa
-rw-r--r--  1 remoteuser remoteuser 617 Dec 19 id_dsa.pub
-rw-------  1 remoteuser remoteuser 887 Dec 19 id_rsa
-rw-r--r--  1 remoteuser remoteuser 237 Dec 19 id_rsa.pub


Finally, the public half goes on the machine the login goes to, and the private half stays on the machine the login starts from. In our example remoteuser wants to connect from client to server, so the key pair belongs on client (the ssh-keygen commands above were run on server; repeat them on client rather than moving id_rsa between machines). Then append the contents of the client's ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys on the server, in the home directory of the account being logged into; the file may hold many keys, one per line. sshd checks permissions (StrictModes is on by default) and silently ignores the file if the home directory, ~/.ssh or authorized_keys is writable by group or others, so keep the directory 0700 and the file 0600. After this, ssh remoteuser@server.linux.com no longer prompts for the account password. If the key was created with a passphrase you are asked for that instead, and ssh-agent can cache it for the session; leaving the passphrase empty means anyone who copies id_rsa can log in as remoteuser.
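The following is an added example, not code from the original post, of installing a public key the way the paragraph above describes while enforcing the checks sshd will apply. It validates that the line is a single OpenSSH public key (refusing anything that looks like a private key), appends it to ~/.ssh/authorized_keys without creating duplicates, pins the directory and file modes, and mirrors sshd's StrictModes test. The key line reuses the host-key blob from this page's known_hosts listing as a stand-in for remoteuser's key with a constructed comment; demo() runs everything against a throw-away temporary home directory, so the script is safe to execute anywhere.

```python
import base64
import binascii
import os
import shutil
import stat
import tempfile

# Constructed id_rsa.pub line: the page's host-key blob reused as sample key material.
PUBKEY = ("ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAyJo1z2nO0NRMN4zAFuwTfzMihwwPVuQxbH/XnSMbCwfvxMBAdUEcmbZbn6q0s6EAhAHS3nI+iS/brMOHurttd+pHoVrcLL//UfEzsZ5krb+YrPbrLVKP5uq5iJG1Tds05xGixG6V8e2JqorrTU0k0gBuu8/29rHXeQxfdsEOxY8= "
          "remoteuser@client.linux.com")

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def install_authorized_key(home, pubkey_line):
    """Append one public key to <home>/.ssh/authorized_keys with the modes sshd expects.
    Returns True if the key was added, False if the same key (type + blob, comment ignored)
    was already present. Raises ValueError for anything that is not a public key line."""
    line = pubkey_line.strip()
    if not line or "\n" in line:
        raise ValueError("exactly one key line expected")
    if "PRIVATE KEY" in line:
        raise ValueError("this is a private key; only the .pub file belongs in authorized_keys")
    fields = line.split()
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("not an OpenSSH public key line")
    try:
        base64.b64decode(fields[1], validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("key material is not valid base64")

    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)          # makedirs is subject to umask; pin the mode explicitly
    path = os.path.join(ssh_dir, "authorized_keys")
    key_id = tuple(fields[:2])
    if os.path.exists(path):
        with open(path) as f:
            for existing in f:
                existing = existing.strip()
                if existing and not existing.startswith("#") and tuple(existing.split()[:2]) == key_id:
                    os.chmod(path, 0o600)
                    return False
    with open(path, "a") as f:
        f.write(line + "\n")
    os.chmod(path, 0o600)
    return True


def strict_modes_problems(home):
    """Paths sshd would reject under StrictModes: home, ~/.ssh or authorized_keys
    writable by group or others."""
    bad = []
    for p in (home, os.path.join(home, ".ssh"), os.path.join(home, ".ssh", "authorized_keys")):
        if os.path.exists(p) and os.stat(p).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            bad.append(p)
    return bad


def demo():
    """Exercise the installer against a temporary home directory and report what happened."""
    home = tempfile.mkdtemp()
    os.chmod(home, 0o755)             # a typical home directory mode
    ssh_dir = os.path.join(home, ".ssh")
    ak = os.path.join(ssh_dir, "authorized_keys")
    try:
        first = install_authorized_key(home, PUBKEY)
        # Same key with a different comment must not be added twice.
        second = install_authorized_key(home, PUBKEY.replace("remoteuser@client.linux.com", "renamed"))
        try:
            install_authorized_key(home, "-----BEGIN RSA PRIVATE KEY-----")
            rejected = False
        except ValueError:
            rejected = True
        with open(ak) as f:
            nlines = len(f.read().splitlines())
        clean = strict_modes_problems(home)
        os.chmod(ssh_dir, 0o770)      # group-writable: sshd would now ignore the key file
        loosened = strict_modes_problems(home)
        os.chmod(ssh_dir, 0o700)
        return {
            "first": first,
            "second": second,
            "private_key_rejected": rejected,
            "ssh_dir_mode": stat.S_IMODE(os.stat(ssh_dir).st_mode),
            "authorized_keys_mode": stat.S_IMODE(os.stat(ak).st_mode),
            "lines": nlines,
            "strict_modes_problems": clean,
            "problems_after_loosening": len(loosened),
        }
    finally:
        shutil.rmtree(home)


if __name__ == "__main__":
    print(demo())
```

Run it as the target account on the server with home set to that account's home directory. Comparing on type plus blob rather than the whole line is deliberate: the trailing comment is free text and is not part of the key, so a re-exported key with a new comment should not produce a second entry.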
