SSH I - Installation
The traditional network services like ftp, pop or telnet
are convenient but inherently unsafe: they all send your password
and your data in clear text over an increasingly hostile network. Anyone
on the path can sniff these sessions and copy the transferred data. Furthermore,
they do not authenticate the server at all: the services are open to so-called
'man-in-the-middle' attacks, where an intruder pretends to be the server
and thus receives everything the client sends.
Enter SSH (Secure SHell). SSH encrypts the traffic and, because the client
checks the server's host key, makes 'man-in-the-middle' attacks almost impossible
and protects you from DNS and IP spoofing. As a bonus, it can compress
the traffic, which speeds up transfers over slow links. SSH is
a very versatile tool: not only does it replace telnet, you can also 'tunnel'
services like ftp, pop and even PPP through it.
SSH implementations
exist for almost all major operating systems.
The original SSH was
developed by a Finnish company. Due to licensing restrictions and patented
algorithms, the Free Software world now uses OpenSSH, a free SSH work-alike.
SSH consists of a client-server pair like all the other
services. Every system administrator worth their salt runs an SSH server.
If your remote host doesn't run SSH, you should really think about switching
to a host which does. A site which doesn't run an SSH server displays a serious
lack of interest in network security.
SSH comes in two major, partly incompatible protocol versions,
1.x and 2.x. You won't be able to connect to an SSH 1.x server with a client
that only speaks SSH 2.x. OpenSSH 2.x supports both versions.
Notice that the use of version 1 is deprecated in favor
of version 2 for security reasons: the version 1 protocol has known weaknesses,
so use it only when the server leaves you no choice.
Seen from the client level, SSH provides two levels
of authentication.
The first level allows you to connect from any machine
to an SSH server, as long as you know the password of the account on the remote
machine. The traffic is encrypted, but your password still travels through
the tunnel to the server. If you accept a host key you have not verified, another
host could intercept your connection by pretending to be the host you want to
connect to ('man-in-the-middle attack'), and it would then receive your password
in the clear.
The second level relies on the key mechanism: you create
your own key pair and put the public key onto the server. When you connect
to the SSH server, your client asks the server to authenticate you with your key.
The server looks up the public key in your remote home directory and checks
that it matches the key the client offers. With SSH version 1 the server then
sends a challenge encrypted to your public key, which only your private key
can decrypt; with version 2 the client instead signs a message that includes
the identifier of this particular session, and the server verifies the signature
with your public key. Either way the private key never leaves your machine, and
the response is bound to the current session, so a 'man-in-the-middle' cannot
replay it on his own connection to the real server.
If you protected your private key with a passphrase, you will have to type it
at login, but this passphrase only unlocks the key on your local machine and
is never sent over the network. No account password crosses the wire at all.
This scheme not only encrypts everything sent via SSH, but also makes 'man-in-the-middle'
attacks next to impossible. The login process may take a few seconds longer
than a password login; that is normal.
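The difference between the two levels is easier to see in a small model of the exchange. The following is an added example, not code from this page or from OpenSSH: textbook RSA with a constructed key pair and a SHA-256 stand-in for the session identifier replace the real key exchange and signature scheme, and the names session_id, sign and verify are the example's own. It shows why a forwarded password is useful to a 'man-in-the-middle' while a forwarded key signature is not.

```python
"""Model of the two SSH authentication levels against a man-in-the-middle.

Added example, not OpenSSH code. Textbook RSA with small fixed primes and a
SHA-256 'session identifier' stand in for the real key exchange and signature
scheme; only the shape of the exchange matters here.
"""
import hashlib
import os

# Constructed toy RSA key pair (NOT a real key): two small primes, e = 65537.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent


def session_id(server_host_key: bytes, client_nonce: bytes) -> bytes:
    """Stand-in for the SSH session identifier: it is derived from the key
    exchange (host key, nonces, DH values) and so differs on every connection."""
    return hashlib.sha256(server_host_key + client_nonce).digest()


def sign(session: bytes, username: str, priv: int = D) -> int:
    """Client side of public-key auth: sign a message that includes the
    session id. The private key never leaves this function's machine."""
    msg = hashlib.sha256(session + username.encode()).digest()
    return pow(int.from_bytes(msg, "big") % N, priv, N)


def verify(session: bytes, username: str, sig: int, pub: int = E) -> bool:
    """Server side: rebuild the message for *its own* session, then check."""
    msg = hashlib.sha256(session + username.encode()).digest()
    return pow(sig, pub, N) == int.from_bytes(msg, "big") % N


def password_login_through_mitm(password: str, correct: str):
    """Level one: the client sends its password through the tunnel it opened
    to the attacker. The attacker reads it and forwards it to the real server.
    Returns (what the attacker captured, whether the real server accepted it)."""
    captured = password            # plaintext inside the attacker's tunnel
    return captured, captured == correct


def key_login_through_mitm(username: str) -> bool:
    """Level two: the attacker terminates the client's connection and opens his
    own to the real server. The two sessions have different identifiers, so
    the client's signature does not verify on the attacker's session."""
    client_session = session_id(b"attacker-host-key", os.urandom(16))
    attacker_session = session_id(b"real-server-host-key", os.urandom(16))
    sig = sign(client_session, username)       # client signs over ITS session
    return verify(attacker_session, username, sig)  # relayed to the real server


def key_login_direct(username: str) -> bool:
    """Same exchange without an attacker: one session shared by both ends."""
    session = session_id(b"real-server-host-key", os.urandom(16))
    return verify(session, username, sign(session, username))


if __name__ == "__main__":
    print("password through MITM (captured, accepted):",
          password_login_through_mitm("hunter2", "hunter2"))
    print("key auth, direct:", key_login_direct("alice"))
    print("key auth, relayed by MITM:", key_login_through_mitm("alice"))
```

The model deliberately leaves out padding, the real signature algorithms and the host-key check on the client, which is the other half of the defence: accepting an unknown host key is what lets the attacker into the picture in the first place.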
If you are using a Mandrake release prior to 7.2, you
will have to download the needed packages from one of the servers listed
on the crypto apps
page or get the source directly from the OpenSSH website. If you are using 7.2
or later, you will find all the needed software on your Mandrake CD.
You will need these packages:
- openssl
- openssh
- openssh-clients
- and, if you want to run an SSH server, openssh-server
Of course the truly paranoid will prefer building them
from source, but usually
RPMs will do ;).
To test your installation, connect to an SSH server:
ssh -l [your account name on the remote host] [address of the remote host]
or, equivalently, ssh [account name]@[address of the remote host].
If this works, you will receive a message like this:
The authenticity of host [hostname] can't be established.
Key fingerprint is 1024 5f:a0:0b:65:d3:82:df:ab:44:62:6d:98:9c:fe:e9:52.
Are you sure you want to continue connecting (yes/no)?
If it doesn't work, you might be using a newer version of
OpenSSH which defaults to SSH version 2, while the server still speaks only SSH
version 1. In this case, use the -1 option of the 'ssh' command, and remind the
administrator that version 1 is deprecated.
SSH tells you that it doesn't know this host yet, which
is expected when you connect for the first time. But this first connection is
exactly the moment a 'man-in-the-middle' could slip in, so before you answer,
compare the displayed fingerprint with the one the administrator of the remote
host gives you (or, if it is your own machine, with the fingerprint printed when
the server keys were generated; see below). If it matches, type
yes . This will add the host key of this
host to '~/.ssh/known_hosts'. Future connects to this host will not display
this message.
However, if the remote host at a later point changes its server key (or you
suddenly see a different key at the same address), SSH will refuse the connection
and display a huge warning ('WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!'),
because such changes might be symptoms of a 'man-in-the-middle' attack. Ask the
administrator of the remote server first before proceeding; only if the change
is legitimate should you remove the old entry from '~/.ssh/known_hosts'.
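The fingerprint in that prompt is a digest of the server's public host key, so you can recompute it on the server (or from a copy of its .pub file you trust) and compare. Here is an added example, not part of this page or of OpenSSH, that does this in Python for SSH version 2 keys: it encodes an ssh-rsa public key blob, derives the colon-separated MD5 fingerprint shown above and the SHA256 form newer versions print, and checks the entry stored in ~/.ssh/known_hosts against a fingerprint obtained out of band. The key, host names and helper names are constructed for the example; SSH version 1 keys (the ssh_host_key file) use a different on-disk format and are not handled.

```python
"""Compute and check SSH host-key fingerprints offline.

Added example, not part of the original page or of OpenSSH. The MD5
fingerprint that old OpenSSH prints ('1024 5f:a0:0b:...') is the MD5 digest of
the raw public-key blob, i.e. the part that is base64-encoded in a .pub file
or a known_hosts line. The key below is constructed from a made-up modulus so
the file runs stand-alone; it is not a real host key.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire encoding: 32-bit big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """SSH mpint: big-endian, with a leading 0x00 if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_blob(e: int, n: int) -> bytes:
    """Build an 'ssh-rsa' public key blob: string type, mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def read_ssh_string(buf: bytes, pos: int):
    """Read one length-prefixed string from buf at pos; return (bytes, new pos)."""
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + length], pos + 4 + length


def rsa_bits(blob: bytes) -> int:
    """Key size as ssh-keygen reports it: the bit length of the modulus."""
    keytype, pos = read_ssh_string(blob, 0)
    if keytype != b"ssh-rsa":
        raise ValueError(f"not an ssh-rsa key: {keytype!r}")
    _e, pos = read_ssh_string(blob, pos)
    n, _ = read_ssh_string(blob, pos)
    return int.from_bytes(n, "big").bit_length()


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the format shown on this page."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as newer OpenSSH prints it (unpadded base64)."""
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return "SHA256:" + digest.rstrip("=")


def parse_pubkey_line(line: str):
    """Parse 'ssh-rsa AAAA... comment' (a .pub file line) into (keytype, blob)."""
    fields = line.split()
    return fields[0], base64.b64decode(fields[1])


def known_hosts_entries(text: str):
    """Yield (hostnames, keytype, blob) for each plain entry of a known_hosts file.
    Hashed ('|1|...') entries are skipped to keep the example short."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|"):
            continue
        hosts, keytype, b64 = line.split()[:3]
        yield hosts.split(","), keytype, base64.b64decode(b64)


def host_matches_fingerprint(known_hosts: str, host: str, expected_md5: str) -> bool:
    """The out-of-band check: does the key stored for `host` carry the
    fingerprint the administrator told us? False if the host is unknown."""
    for hosts, _keytype, blob in known_hosts_entries(known_hosts):
        if host in hosts:
            return md5_fingerprint(blob) == expected_md5.lower()
    return False


# Constructed sample: e = 65537 and a made-up 1024-bit modulus. It only
# exercises the encoding and hashing; it is not a usable RSA key.
SAMPLE_N = (1 << 1023) | 0xDEADBEEFCAFEF00D
SAMPLE_BLOB = rsa_blob(65537, SAMPLE_N)
SAMPLE_PUB_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " root@example-server"
SAMPLE_KNOWN_HOSTS = ("# constructed known_hosts file\n"
                      "example-server,192.0.2.10 " + SAMPLE_PUB_LINE.rsplit(" ", 1)[0] + "\n")


if __name__ == "__main__":
    keytype, blob = parse_pubkey_line(SAMPLE_PUB_LINE)
    print(f"{rsa_bits(blob)} {md5_fingerprint(blob)}   ({keytype}, MD5 as on this page)")
    print(sha256_fingerprint(blob))
    print("known_hosts entry matches:",
          host_matches_fingerprint(SAMPLE_KNOWN_HOSTS, "example-server", md5_fingerprint(blob)))
```

On a real server, pass the second field of /etc/ssh/ssh_host_rsa_key.pub to md5_fingerprint and read the result to the user over the phone or another channel you trust; it is the same digest that ssh-keygen -l prints for that file (MD5 in the OpenSSH versions this page describes, SHA256 by default in current ones).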
Then SSH will prompt you for your account password on the remote machine.
Type it, press ENTER et voila, you've established your first SSH connection!
Now proceed just like you would in a telnet session.
Installing an OpenSSH server is easy, too. Just install
the RPM. During the installation, you will get a message like this:
Generating RSA keys: .ooooooO..................ooooooO
Key generation complete.
Your identification has been saved in /etc/ssh/ssh_host_key.
Your public key has been saved in /etc/ssh/ssh_host_key.pub.
The key fingerprint is:
5f:a0:0b:65:d3:82:df:ab:33:52:6f:89:9a:fe:e9:52 root@[local machine]
Generating DSA parameter and key.
Your identification has been saved in /etc/ssh/ssh_host_dsa_key.
Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub.
The key fingerprint is:
64:85:4a:da:cf:74:94:0d:5a:93:cf:f2:62:ed:07:26 root@[local machine]
This message indicates that the host keys, which identify
your machine to clients, have been generated. Keep external backup copies of
these keys: they are what your users' known_hosts files pin, so a lost key means
'host identification has changed' warnings on every client. Protect the private
halves as carefully as root's password, since anyone holding them can impersonate
your server.
Start the server with
service sshd start
That's all. Now external ssh-clients can connect to
the machine (provided they have an account on your machine, naturally). If
you want the SSH server to be started every time you boot the machine, run
chkconfig --add sshd
once (as 'root').
Now that you've got the basics running, learn how
to set up SSH ...