Appendix C. Secure Connections Through SSH

Developers built SSH (Secure Shell) so they could log in to another computer over a network with the protections of encryption (scrambling data) and authentication (making sure a person or system really is who or what it claims to be). Using SSH, a person can execute commands and send passwords securely. Earlier protocols such as FTP and Telnet transmitted their information in plain text, allowing people snooping on the network to capture the passwords and use them to gain access to others' accounts and data. SSH also replaces older Unix commands such as rlogin, rsh, and rcp (remote login, remote shell, and remote copy).

SSH allows you to:

  • Run a single command on a remote system (ssh followed by the desired command)

  • Start a shell on a remote system where one can enter a series of commands (ssh without specifying a command)

  • Copy a file from one system to another (scp)

  • Transfer files to and from a remote system interactively (sftp, which runs over SSH and is unrelated to the FTP protocol despite the similar name)

Additionally, SSH provides secure X connections and secure forwarding of arbitrary TCP connections.

The traditional remote command protocols are vulnerable to different kinds of attacks. Somebody who has root access to machines on the network, or physical access to the wire, can gain unauthorized access to systems in a variety of ways. It is also possible for such a person to log all the traffic to and from your system, including passwords (which SSH never sends in the clear).

The X Window System has its own network transport, which is unencrypted and guarded only by weak host-based access control. With SSH you can instead run X clients on the remote machine and have their windows appear on your local display, with all the X traffic carried inside the encrypted SSH connection. As a side effect, using remote X clients through SSH is also more convenient, because no separate DISPLAY or access-control setup is needed.

Every SSH server has a long-lived host key (RSA in the examples here; SSH protocol version 2 supports other key types as well). The client uses this key to authenticate the server: it is the key whose fingerprint you are asked to confirm the first time you connect, and it is recorded in your known_hosts file afterward. The session keys that actually encrypt the traffic are negotiated fresh for every connection and are never written to disk. (In the older SSH protocol version 1 the server also used a short-lived RSA server key that was regenerated every hour; version 2 replaces this with a Diffie-Hellman-style key exchange.) Encryption protects the contents of the session from anyone who can read the wire; host authentication is what protects you against IP spoofing, DNS spoofing and routing attacks that would otherwise let an attacker impersonate the server, and it is only as strong as your check of the fingerprint on that first connection.

Examples

SSH is a program for logging in to a remote machine and for executing commands on a remote machine.

When you first log on to a remote machine with SSH, you see something similar to the following message:

The authenticity of host 'memphis.org (memphis.org)' can't be established.
RSA key fingerprint is 8c:e2:4b:4d:9b:79:cd:e9:84:36:72:32:2b:3b:7e:48.
Are you sure you want to continue connecting (yes/no)?

This is normal on a first connection, but it is also the one moment when the protocol cannot protect you: your client has no record of this host's key yet, so it is asking you to vouch for it. Compare the fingerprint shown with one you obtained out of band (from the system's administrator, or by running ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub on the server's own console). If they match, type yes and press Enter; pressing Enter alone only repeats the question, and answering yes to a fingerprint you have not checked lets an attacker in the middle impersonate the server for this and every later connection, because the key is saved. Another message is displayed and you are logged in:

Warning: Permanently added 'memphis.org,memphis.org' (RSA) to the
list of known hosts.
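The fingerprint check above is the only point at which you, rather than the protocol, authenticate the server. The following Python script, added here as an illustration and not part of the original appendix, shows what that fingerprint actually is: a hash of the server's public key blob exactly as it is stored in ~/.ssh/known_hosts. It parses a known_hosts line, computes the fingerprint both in the colon-separated MD5 form shown above and in the SHA256 form that newer OpenSSH prints, and compares it with a fingerprint obtained out of band. The host name memphis.org is the page's; the RSA key is a constructed dummy, not a real key, so the example runs offline.

```python
"""Check an SSH host key fingerprint against a known_hosts entry.

Added example, not code from the original appendix. The RSA modulus below
is a constructed dummy used only to have bytes to fingerprint.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH wire-format mpint: big-endian, with one leading zero byte added
    when the top bit is set so the number stays positive."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def rsa_key_blob(e: int, n: int) -> bytes:
    """Encode an RSA public key the way it appears (base64) in known_hosts."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def known_hosts_line(host: str, e: int, n: int) -> str:
    """Build one known_hosts line: '<host> ssh-rsa <base64 blob>'."""
    b64 = base64.b64encode(rsa_key_blob(e, n)).decode("ascii")
    return "%s ssh-rsa %s" % (host, b64)


# Constructed dummy key material (assumption for the example; NOT a real key).
DUMMY_E = 65537
DUMMY_N = (1 << 1023) | 0x123456789ABCDEF0123
SAMPLE_LINE = known_hosts_line("memphis.org", DUMMY_E, DUMMY_N)


def parse_known_hosts_line(line: str):
    """Return (hostnames, keytype, key_blob) for one known_hosts line.

    Also checks that the base64 blob really carries the declared key type,
    which a hand-edited known_hosts file can get wrong.
    """
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith("#"):
        raise ValueError("not a known_hosts entry: %r" % line)
    hosts, keytype, b64 = fields[0].split(","), fields[1], fields[2]
    blob = base64.b64decode(b64, validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode("ascii"):
        raise ValueError("key type field does not match the encoded key")
    return hosts, keytype, blob


def fingerprint_md5(blob: bytes) -> str:
    """Old OpenSSH format, as shown in the appendix: 16 colon-separated hex bytes."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Format printed by OpenSSH 6.8 and later: SHA256:<unpadded base64>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def verify_host_key(line: str, expected: str) -> bool:
    """True if the key on a known_hosts line has the expected fingerprint.

    Accepts the MD5 colon form (with or without an 'MD5:' prefix, any case)
    or the SHA256 form, so a value read off a server console can be pasted in.
    """
    _, _, blob = parse_known_hosts_line(line)
    expected = expected.strip()
    if expected.startswith("SHA256:"):
        return expected == fingerprint_sha256(blob)
    if expected.upper().startswith("MD5:"):
        expected = expected[4:]
    return expected.lower() == fingerprint_md5(blob)


if __name__ == "__main__":
    _, keytype, blob = parse_known_hosts_line(SAMPLE_LINE)
    print(keytype, "key for memphis.org")
    print("MD5    ", fingerprint_md5(blob))
    print("SHA256 ", fingerprint_sha256(blob))
    print("matches:", verify_host_key(SAMPLE_LINE, fingerprint_md5(blob)))
```

On the server itself the reference value comes from ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub (add -E md5 on OpenSSH 6.8 or later to get the colon form used in this appendix). The script does not handle hashed host names (entries whose first field begins with |1|) or @cert-authority lines, and it does not try to match the host name; it only answers whether the key stored for the host is the one whose fingerprint you were given.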

After your first logon, your session looks more like this:

willtonj@rome:~> ssh willtonj@memphis.org
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
         SSH port 22 access restricted to authorized users only
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
willtonj@memphis.org's password:************
Last login: Thu May 13 12:05:54 2004 from 65.123.111.109
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
willtonj@memphis.org is on 222.102.131.176
grizzly:~>
Connection to memphis.org closed.
willtonj@rome:~> sftp willtonj@memphis.org
Connecting to memphis.org...
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
         SSH port 22 access restricted to authorized users only
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
willtonj@memphis.org's password:
5332: Permission denied, please try again.
willtonj@memphis.org's password:*************
willtonj@rome:~> sftp willtonj@memphis.org
Connecting to memphis.org...
willtonj@memphis.org's password:*************
sftp>

At this point you are connected to the remote host and are in sftp's interactive mode. sftp has its own command set, modelled on the traditional ftp client rather than on the shell: the commands beginning with l (lcd, lls, lpwd, lmkdir, lumask) act on your local system, and the others act on the remote system. The commands are:

cd path

Change remote directory to path.

lcd path

Change local directory to path.

chgrp grp path

Change group of file path to grp.

chmod mode path

Change permissions of file path to mode.

chown own path

Change owner of file path to own.

help

Display this help text.

get remote-path [ local-path ]

Download file.

lls [ls-options [path]]

Display local directory listing.

ln oldpath newpath

Symlink remote file.

lmkdir path

Create local directory.

lpwd

Print local working directory.

ls [ path ]

Display remote directory listing.

lumask umask

Set local umask to umask.

mkdir path

Create remote directory.

put local-path [ remote-path ]

Upload file.

pwd

Display remote working directory.

exit, quit

Quit SFTP.

rename oldpath newpath

Rename remote file.

rmdir path

Remove remote directory.

rm path

Delete remote file.

symlink oldpath newpath

Symlink remote file.

version

Show SFTP version.

! command

Execute command in local shell.

!

Escape to local shell.

?

Synonym for help.

scp copies files between hosts on a network. It runs over SSH, so it uses the same authentication and gets the same protection as an interactive SSH session.

To copy the local file filename to filename on the remote machine memphis.org, enter:

grizzly:~> scp -p filename memphis.org:filename

-p preserves the modification time, access time, and mode of the original. A remote file is written as host:path (or user@host:path if your user name differs on the remote machine); a relative path is taken from your home directory on that host.

To copy filename from the remote machine memphis.org to the local file filename:

grizzly:~> scp -p memphis.org:filename filename

Finally, the -X option to ssh enables X11 forwarding, so that X programs started on the remote machine display on your local screen. For example, run:

grizzly:~> ssh -X willtonj@memphis.org
willtonj@memphis.org's password:********
grizzly:~> gnomine

and in a short time a window appears as if it were on your own system, and you are playing GNOME Mines. Keep in mind that X11 forwarding gives programs on the remote host access to your local X server, so enable it only toward hosts you trust; in OpenSSH, -X applies the X11 SECURITY extension restrictions to forwarded clients, while -Y ("trusted" forwarding) does not.
