Use OpenSSH to provide a secure environment for running remote terminals. The basic usage of OpenSSH and the terminal is very simple, but this article will also cover other elements that allow automatic login to remote hosts, ways to run remote applications, and how to securely copy files between hosts.
About this series
The typical UNIX® administrator has a set of key utilities, know-how, and systems that are frequently used to assist in the administrative process. Various key utilities, command line chains, and scripts exist to streamline different processes. Some of these tools come from the operating system, but most of the know-how comes from long-term experience and the need to reduce the stress on the system administrator's job. This series of articles focuses on getting the most out of the tools available in various UNIX environments, including ways to simplify administrative tasks in heterogeneous environments.
Why use OpenSSH?
The standard network services you use every day, such as FTP, Telnet, RCP, Remote Shell (rsh), etc., work well in a closed environment, but the information transmitted over the network using these services is unencrypted. Anyone using a packet sniffer on your network or a remote computer can view the exchanged information and sometimes even password information.
Furthermore, with all such services, the options for automating the login process are limited and often rely on embedding a plain text password into the command line in order to execute statements, making the login process even more insecure.
The Secure Shell (SSH) protocol was developed to circumvent these limitations. SSH provides encryption for the entire communication channel, including login and password credential exchange, and it works with public and private keys to provide automated authentication for logins. You can also use SSH as the underlying transport protocol. Using SSH in this way means that after a secure connection is opened, all types of information can be exchanged over the encrypted channel, and even HTTP and SMTP can use this method to secure the communication mechanism.
OpenSSH is a free implementation of the SSH 1 and SSH 2 protocols. It was originally developed as part of the OpenBSD (Berkeley Software Distribution) operating system and is now released as a general solution for UNIX or Linux® and similar operating systems.
Install OpenSSH
OpenSSH is free software and can be downloaded from the main OpenSSH website (see Resources). OpenSSH systems can be built from source code on a variety of systems, including Linux, HP-UX, AIX®, Solaris, Mac OS X, and more. It is usually possible to find precompiled binaries for your chosen platform and version. Some vendors even provide OpenSSH toolkits as part of the operating system.
To build OpenSSH you need the following:
If you need to use the default configuration settings, use the normal build sequence, as shown in Listing 1 below.
$ ./configure $ make $ make install |
This installs binaries, libraries, and configuration files into the /usr/local directory, for example, binaries to /usr/local/bin and configuration files to /usr/local/etc. If you want to integrate various tools into the main environment, you may need to specify the --prefix option to set the base directory and the --sysconfdir option to set the configuration file location:
$ ./configure --prefix=/usr --sysconfidir=/etc/ssh |
Some other general options you might specify include:
After completing the configuration, use make to build in the normal way.
After the build and installation process is complete, you need to configure the system by first creating an SSH key that uniquely identifies the system, and then enabling secure communication between the client and host. You can run:
$ make host-key |
Alternatively, you can perform the individual steps manually on the command line. You need to create three keys (one for each of the major encryption algorithms: rsa1, rsa, and dsa). For example, Listing 2 shows how to create the rsa1 key.
$ ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key Generating public/private rsa1 key pair. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /etc/ssh//ssh_host_key. Your public key has been saved in /etc/ssh//ssh_host_key.pub. The key fingerprint is: 43:aa:58:3c:d8:30:de:43:af:66:2a:b2:8d:02:08:86 root@remotehost |
You are prompted for your password. For the host key, you probably don't need the key password, so you can press Return to use an empty password. Alternatively, you can use the -N option on the command line to speed up the process (see Listing 3).
$ ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N "" Generating public/private rsa1 key pair. Your identification has been saved in /etc/ssh/ssh_host_key. Your public key has been saved in /etc/ssh/ssh_host_key.pub. The key fingerprint is: a3:e3:21:4f:b5:9f:ff:05:46:66:bc:36:a1:47:a0:64 root@remotehost |
Now repeat the process to create the rsa and dsa keys (see Listing 4).
$ ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N "" $ ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N "" |
This will create two files for each key type: the public key (in a file ending in .pub) and the private key. You should ensure that the private key is only read by root and SSH processes - this should be configured automatically. You may want to copy the public key to a central location on a Network File System (NFS) share so that people can add it to the list of known host keys.
Finally, you need to start the sshd process and configure it to execute on startup. For Linux hosts, you can find the appropriate init script in contrib/redhat/sshd.init that can be added to /etc/init.d.
Using SSH for basic terminal access
OpenSSH's primary role is as an SSH tool, a secure alternative to the Telnet protocol for secure remote login to UNIX or Linux hosts.
To connect to a remote host using the standard shell, you simply type the hostname:
$ ssh remotehost |
By default, the system attempts to use the current username as the login name. To use a different login name, precede the host name with the login name, separated by the @ symbol. For example:
$ ssh mc@remotehost |
You are prompted for your user password - this is similar to Telnet.
The first time you connect to a host, you'll be asked if you want to save a copy of the remote host's public key in a "known hosts" file (see Listing 5).
$ ssh root@remotehost The authenticity of host 'remotehost (10.211.55.3)' can't be established. RSA key fingerprint is cc:c8:8b:75:3d:b6:00:2f:a9:9c:53:4c:03:0f:3d:1b. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'remotehost' (RSA) to the list of known hosts. |
In the future, you will not receive this warning, but the warning will be issued when the system detects that the public key returned by the remote host does not match the public key in the host's file, indicating a possible hacker attack. It could also mean that the administrator only regenerated the host key.
Essentially, there is no difference between SSH and Telnet sessions, except that SSH sessions are encrypted, making it nearly impossible for anyone to snoop into your session or know your password or the commands and operations you are executing. .
You can also use SSH to run commands directly on the remote host without using a shell. For example, to run the who command on the remote host, see Listing 6.
Listing 6. Running the who command on the remote host$ ssh mc@remotehost who admin console Nov 23 14:04 mc ttyp1 Dec 2 10:53 (sulaco.mcslp.pri) mc ttyp2 Dec 10 06:50 (sulaco.mcslp.pri) admin ttyp3 Dec 12 13:33 mc ttyp4 Dec 15 12:38 (nautilus.mcslp.p) |
Remote execution also emulates the client host's standard input, output, and error. This means you can redirect output to a remote command. For example, you can append information directly to a remote file by piping the output from the command to SSH on the remote host (see Listing 7).
Listing 7. Appending information directly to a remote file$ echo "Hello World" |ssh mc@remotehost 'cat >> helloworlds.txt' |
You can use this method to increase your productivity when using SSH to simplify the login process.
Exchanging files using SFTP
The sft command is an alternative to FTP that uses the secure communication channel provided by the SSH protocol.
To open an SFTP connection, specify the hostname on the command line:
$ sftp remotehost |
Keep in mind that the above command assumes that you wish to use the same login method as your current host. To use a different login method, prepend the hostname with the username:
$ sftp mc@remotehost |
Although SFTP works similarly to FTP, there are some limitations and differences. For example, dir in FTP provides a long file list (see Listing 8).
ftp> dir 502 'EPSV': command not understood. 227 Entering Passive Mode (192,168,0,110,150,159) 150 Opening ASCII mode data connection for directory listing. total 1472 drwx------ 3 mc staff 102 Nov 4 11:17 Desktop drwx------ 3 mc staff 102 Nov 4 11:17 Documents drwx------ 18 mc staff 612 Nov 5 18:01 Library drwx------ 3 mc staff 102 Nov 4 11:17 Movies drwx------ 3 mc staff 102 Nov 4 11:17 Music drwx------ 4 mc staff 136 Nov 4 11:17 Pictures drwxr-xr-x 4 mc staff 136 Nov 4 11:17 Public drwxr-xr-x 6 mc staff 204 Nov 4 11:17 Sites drwxrwxrwx 3 root staff 102 Dec 24 07:30 tmp drwxr-xr-x 7 root staff 238 Dec 11 08:39 trial 226 Transfer complete. |
In SFTP, dir acts as an alias for the host directory listing command, which is ls in UNIX or Linux. By default, dir provides only a short list (see Listing 9).
sftp> dir Desktop Documents Library Movies Music Pictures Public Sites tmp trial |
To get a long list, use the same options as ls (see Listing 10).
sftp> dir -l drwx------ 3 mc staff 102 Nov 4 11:17 Desktop drwx------ 3 mc staff 102 Nov 4 11:17 Documents drwx------ 18 mc staff 612 Nov 5 18:01 Library drwx------ 3 mc staff 102 Nov 4 11:17 Movies drwx------ 3 mc staff 102 Nov 4 11:17 Music drwx------ 4 mc staff 136 Nov 4 11:17 Pictures drwxr-xr-x 4 mc staff 136 Nov 4 11:17 Public drwxr-xr-x 6 mc staff 204 Nov 4 11:17 Sites drwxrwxrwx 3 root staff 102 Dec 24 07:30 tmp drwxr-xr-x 7 root staff 238 Dec 11 08:39 trial |
Other commands such as changing directories (cd, lcd locally), creating directories (mkdir), and sending (put) and receiving (get) files remain unchanged. The latter two commands, put and get, both accept wildcards (similar to mput and mget in FTP), but be careful when transferring multiple files without wildcards in SFTP. For example, sftp> mget file1 file2 file3 is recognized as trying to get file1 and file2 and place them in the local directory file3, but that directory may not exist.
Copy files between hosts using scp
The scp command works similarly to the rc command, except that it uses the SSH protocol to transfer files. When transferring content-related files or automatically exchanging files on the Internet, scp is much better.
Its format is similar to rcp; you specify the file path to be copied between, and the hostname should be merged into it if necessary. For example, to copy a .bashrc file from a remote host to your local machine, use:
$ scp remotehost:/users/mc/.bashrc ~/.bashrc |
As before, to specify a username to use, precede the host with the username, separated by the @ symbol:
$ scp mc@remotehost:/users/mc/.bashrc ~/.bashrc |
Assuming the user you are connecting to has read permissions, you will also need to use the metacharacter ~ to access the information in your home directory.
$ scp mc@remotehost:~mc/.bashrc ~/.bashrc |
To copy from the logged-in user's home directory, use:
$ scp mc@remotehost:.bashrc ~/.bashrc |
The scp command also supports standard expansion rules. So, to copy all .bash* files, you can use:
$ scp mc@remotehost:.bash* ~ |
You can even select individual files more specifically by using expanding braces ({}):
$ scp mc@remotehost:".bash{rc,_path,_aliases,_vars}" ~
|
Note that the expanding braces in the file path (not the full remote path expression) are enclosed in double quotes.
In all of the above examples, you will be prompted for the password of the remote host. This can be avoided by providing the host with the public part of your own personal key.
Enable automatic login using public key
When you log in to a remote system using ssh, sftp, or scp, you still need a password to complete the login process. By creating a public or private key, appending the public portion of the key to the ~/.ssh/authorized_keys file, and exchanging a valid key with the remote site, you can eliminate the requirement to provide a password and allow automatic login.
To create a public or private key, you need to use ssh-keygen to specify the type of key encryption. The rsa key type is used in the demonstration, but other key types are also valid. To create the key, see Listing 11.
$ ssh-keygen-trsa Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): |
You should enter the location of the file that holds the keys (public and private components). Using the default (in the .ssh directory in your home directory) is usually fine (see Listing 12).
Created directory '/root/.ssh'. Enter passphrase (empty for no passphrase): |
If you enter a password at this stage, a security key file is created, but you must also enter the password each time you use the key. Pressing Return means no password is required (see Listing 13).
Listing 13. Skipping the password requirement by pressing ReturnEnter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: 98:da:8d:48:a8:09:44:b1:b3:62:51:2d:a9:6b:61:ba root@remotehost |
The public key (id_rsa.pub) and corresponding private key (id_rsa) have now been created.
To enable automatic login, you must copy the contents of the public key to the authorized_keys file in the ~/.ssh directory on the remote host. You can automate this using SSH (see Listing 14).
$ cat ./.ssh/id_rsa.pub | ssh mc@remotehost 'cat >> .ssh/authorized_keys'; |
Also, if you do this frequently across multiple hosts, you can use a small script or shell function to perform all the necessary steps, as shown in Listing 15.
OLDDIR='pwd';
if [ -z "$1" ]; then
echo Need user@host info;
exit;
fi;
cd $HOME;
if [ -e "./.ssh/id_rsa.pub" ]; then
cat ./.ssh/id_rsa.pub | ssh $1 'cat >> .ssh/authorized_keys';
else
ssh-keygen -trsa;
cat ./.ssh/id_rsa.pub | ssh $1 'cat >> .ssh/authorized_keys';
fi;
cd $OLDDIR
|
You can use the setremotekey script to copy an existing key, or if the key does not exist, create one before copying:
$ setremotekey mc@remotehost |
Now, whenever you need to log in to a remote host using a public key, you can use a personal key script in combination with a list of keys accepted by that user on the remote host.
Summarize
OpenSSH is an important tool that secures communications and information transfers between computers. Not only is it a secure alternative to conventional tools such as Telnet, FTP, and RCP, but it can also serve as a transport protocol for other services such as Subversion, X Windows System, and rsync. This article shows you the basic steps required to get OpenSSH up and running, how to best use the main tools provided by OpenSSH, and how to use key exchange tools to simplify login and connectivity issues.