Archive for the ‘SSH’ Category

Understanding SSH

February 6, 2011

SSH lets you send secure, encrypted commands to a computer remotely, as if you were sitting at the computer. You use the ssh tool in Terminal to open a command-line connection to a remote computer. While the connection is open, commands you enter are performed on the remote computer.

Note: If the SSH service ( sshd daemon ) is enabled you can use any application that supports SSH to connect to a computer running Mac OS X or Mac OS X Server.

How SSH Works

SSH works by setting up encrypted tunnels using public and private keys. Here is a description of an SSH session:

  1. The local and remote computers exchange public keys. If the local computer has never encountered a given public key, SSH and your web browser prompt you whether to accept the unknown key.
  2. The two computers use the public keys to negotiate a session key used to encrypt subsequent session data.
  3. The remote computer attempts to authenticate the local computer using RSA or DSA certificates. If this is not possible, the local computer is prompted for a standard user-name/password combination.
  4. After successful authentication, the session begins and remote shell, a secure file transfer, a remote command, or other action is begun through the encrypted tunnel.

The following are SSH tools:

  • sshd—Daemon that acts as a server to all other commands
  • ssh—Primary user tool that includes a remote shell, remote command, and port-
  • forwarding sessions
  • scp—Secure copy, a tool for automated file transfers
  • sftp—Secure FTP, a replacement for FTP

Generating Key Pairs for Key-Based SSH Connections

By default, SSH supports the use of password, key, and Kerberos authentication. The standard method of SSH authentication is to supply login credentials in the form of a user name and password. Identity key pair authentication enables you to log in to the server without supplying a password.

Key-based authentication is more secure than password authentication because it requires that you have the private key file and know the password that lets you access that key file. Password authentication can be compromised without a private key file.

This process works as follows:

  1. A private and a public key are generated, each associated with a user name to establish that user’s authenticity.
  2. When you attempt to log in as that user, the user name is sent to the remote computer.
  3. The remote computer looks in the user’s .ssh/ folder for the user’s public key. This folder is created after using SSH the first time.
  4. A challenge is sent to the user based on his or her public key.
  5. The user verifies his or her identity by using the private portion of the key pair to decode the challenge.
  6. After the key is decoded, the user is logged in without the need for a password. This is especially useful when automating remote scripts.

Note: If the server uses FileVault to encrypt the home folder of the user you want to use SSH to connect as, you must be logged in on the server to use SSH. Alternatively, you can store the keys for the user in a location that is not protected by FileVault, but this is not secure.

Advertisements

sftp without shell access

July 15, 2010

OpenSSH was the first version of the famous daemon that came with an built-in chroot functionality. Chrooting the sshd and restricting the shell access to a few commands can be a great solution to grant a few users secure access to exchange files.

1.vi /etc/ssh/sshd_config

Replace the line – “Subsystem sftp /usr/lib/openssh/sftp-server”  with –

Subsystem sftp internal-sftp

UsePAM yes

Match user user1
# The following two directives force user1 to become chrooted
# and only have sftp available.  No other chroot setup is required.
ChrootDirectory /sftp-upload
ForceCommand internal-sftp
# For additional paranoia, disallow all types of port forwardings.
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no

2.  Now add a user as follows –

useradd -d /user1 -s /bin/false user1
3.

cd /sftp-upload

mkdir user1

chown -R user1:user1 user1/

4. Restart your sshd daemon ( kill -HUP <sshd pid>

Non – standard only restrict shell access –

You want to allow a user to place files or folder on his/her home directory through sft client or winscp client but you don want to any kind of shell access. Here is a simple tricks to restrict this.

Just change his login shell to /usr/local/libexec/sftp-server (Solaris) or /usr/lib/openssh/sftp-server ( Linux).
Moreover if you want to restrict access over your sensitive data just disable the others read (r) and execute (x) perm of that files and folder.

ssh tunneling

June 9, 2008

To tunnel a remote hosts port to your local host run the following command from your machine

ssh -L <port no>:<localhost/IP of the listening port>:<port no> <remote host name/IP>

SSH login without password

May 21, 2008

You want to use Linux and OpenSSH to automize your tasks. Therefore you need an automatic login from host A / user tarique to Host B / user tarique. You don’t want to enter any passwords, because you want to call ssh from a within a shell script.

Follow the steps below

    [tarique@A]$ ssh-keygen -t rsa

Now use ssh to create a directory ~/.ssh as user tarique on B

    [tarique@A]$ scp .ssh/id_rsa.pub tarique@B:
    [tarique@A]$ ssh tarique@B

Finally append tariques’s@A new public key to tarique@B:.ssh/authorized_keys and enter password one last time:

    [oracle@B]$cat id_rsa.pub >>.ssh/authorized_keys

 N.B Please ensure that you have ssh installed on your system :-)
 If .ssh and its parent directory is group writable then this will not work
 Sometimes it cause a little delay to get the password prompt and it actually
 happen by the following 2 lines at /etc/ssh/ssh_config
  # GSSAPIAuthentication yes
  # GSSAPIDelegateCredentials no
 Just comment out these 2 line and thats it!!!you will do a faster login
 
 If you want to debug what actually happen during ssh session then just type
       ssh user@host -v