Scrigroup - Documente si articole

Username / Parola inexistente      

Home Documente Upload Resurse Alte limbi doc  

 
CATEGORII DOCUMENTE
AccessAdobe photoshopAlgoritmiAutocadBaze de dateCC sharp
CalculatoareCorel drawDot netExcelFox proFrontpageHardware
HtmlInternetJavaLinuxMatlabMs dosPascal
PhpPower pointRetele calculatoareSqlTutorialsWebdesignWindows
WordXml


Secure Remote Logins and File Copying

linux



+ Font mai mare | - Font mai mic



DOCUMENTE SIMILARE

FEDORA version differences

Secure Remote Logins and File Copying

Configuring the DHCP Server

Secure Remote Logins and File Copying

Codes, scripts and configurations

Studiul comenzilor elementare DOS

Remote Disk Access with NFS

Troubleshooting Linux with syslog

The NTP Server

MIME-Version: 1.0 Content-Location: file:///C:/5676B2B5/ksjhdjk45.htm Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset="us-ascii"

Secure Remote Logins and File Copying

Introduction =

One = of the most popular file transfer and remote login Linux applications is OpenSSH, which provides a number of ways to create encrypted remote terminal and file transfer connections between clients and servers. The OpenSSH Secure Copy (= SCP) and Secure FTP (SFTP) programs are secure replacements for FTP, and Secure = Shell (SSH) is often used as a stealthy alternative to TELNET. OpenSSH isn't limi= ted to Linux; SSH and SCP clients are available for most operating systems including Windows.

A Quick Introduction To SSH Encryption

Data encryption is accomplished by using special mathematical equations to scram= ble the bits in a data stream to make it unreadable to anyone who does not have access to the corresponding decryption equation. The process is usually made even harder through the use of an encryption key that is used to modify the= way the equations do the scrambling. You can recover the original data only if = you have access to this key and the corresponding programs. Data encryption hel= ps to prevent unauthorized users from having access to the data.

SSH = uses the concept of randomly generated private and public keys to do its encryption.= The keys are usually created only once, but you have the option of regenerating them should they become compromised.

A su= ccessful exchange of encrypted data requires the receiver to have a copy of the send= er's public key beforehand. Here's how it's done with SSH.

When= you log into an SSH server, you are prompted as to whether you want to accept the download of the server's public key before you can proceed. The SSH client's key is uploaded to the server at the same time. This creates a situation in which the computers at each end of the SSH connection have each other's keys and are able to decrypt the data sent from the other end of the encrypted l= ink or 'tunnel'.

All = the public keys that an SSH client's Linux user encounters are stored in a file named ~/.ssh/known_hosts along with the IP address that provided it. If a k= ey and IP address no longer match, then SSH knows that something is wrong. For example, reinstalling the operating system or upgrading the SSH application might regenerate the keys. Of course, keys changes can be caused by someone trying some sort of cyber attack, as well. Always investigate changes to be safe. Your server's own public and private SSH keys are stored in the /etc/= ssh/ directory.

N= ote: The .ssh directory is a hidden directory, as are all files and directories whose names begin with a period. The ls -a command lists all normal and hidden files in a directory. The ~/ notation is a universally accepted way of referring to your home directory = and is recognized by all

Linux commands.

 

Linu= x uses other key files also to provide the capability of password-less logins and = file copying to remote servers using SSH and SCP. In this case, the SSH connecti= on is established, then the client automatically sends its public key which the server uses to match against a predefined list in the user's directory. If there is a match then the login is authorized. These files are also stored = in your ~/.ssh directory and need to be specially generated. The id_dsa and id_dsa.pub files are your private and public keys respectively, and authorized_keys stores all the authorized public keys from remote hosts that may log into your account without the need for passwords (more on this late= r).

Starting OpenSSH

Open= SSH is installed by default during Linux installations. With Ubuntu / Debian, this= may not be the case and it will have to be installed after the initial installation. The apt-get install ssh command will be sufficient to activate SSH using these latter mentioned distributions.

Beca= use SSH and SCP are part of the same application, they share the same configuration file and are governed by the same /etc/init.d/sshd startup script.

You = can configure SSH to start at boot by using the chkconfig command when running Fedora / Redhat or with the sysv-rc-conf command with Debian / Ubuntu.

[roo= t@bigboy tmp]# chkconfig sshd on

You = can also start, stop, and restart SSH after booting by running the sshd initialization script.

[roo= t@bigboy tmp]# service sshd start

[roo= t@bigboy tmp]# service sshd stop

[roo= t@bigboy tmp]# service sshd restart

Reme= mber to restart the SSH process every time you make a change to the configuration f= iles for the changes to take effect on the running process.

Testing The Status of SSH<= /o:p>

You = can test whether the SSH process is running with

[roo= t@bigboy tmp]# pgrep sshd

You = should get a response of plain old process ID numbers.

The /etc/ssh/sshd_config File

The = SSH configuration file is called /etc/ssh/sshd_config. By default SSH listens on all your NICs and uses TCP port 22. Take a look at a snippet from configuration:

# The strategy used for options in the default sshd_config shipped with

# Op= enSSH is to specify options with their default value where

# po= ssible, but leave them commented. Uncommented options change a

# de= fault value.

 

#Por= t 22

#Pro= tocol 2,1

 

#Lis= tenAddress 0.0.0.0

#Lis= tenAddress ::

SSH Versions 1 and 2

The = original encryption scheme of SSH was adequate for its time but was eventually found= to have a number of limitations. The answer to these was version 2. Always for= ce your systems to operate exclusively with version 2 by setting the protocol statement in the /etc/ssh/sshd_config file to 2. Remember to restart SSH to make this take effect.

#

# Fi= le: /etc/ssh/sshd_config

#

 

Prot= ocol 2

<= /a>

How To Change The TCP Port On Which SSH Listens

If y= ou are afraid of people trying to hack in on a well known TCP port, then you can change port 22 to a location that won't interfere with other applications on your system, such as port 435. This is a rudimentary precaution only, becau= se good network scanning programs can detect SSH running on alternative ports.=

What= you need to do is:

1) U= se the netstat command to make sure your system isn't listening on port 435, using grep to filter out everything that doesn't have the string '435':=

[roo= t@bigboy root]# netstat -an | grep 435

[roo= t@bigboy root]#

2) No response allows us to proceed. Change the Port line in /etc/ssh/sshd_config= to mention 435 and remove the # at the beginning of the line. If port 435 is b= eing used, pick another port and try again.

Port= 435

3) R= estart SSH:

[roo= t@bigboy tmp]# service sshd restart

4) C= heck to ensure SSH is running on the new port:

[roo= t@bigboy root]# netstat -an | grep 435

tcp<= span style=3D'mso-spacerun:yes'>    0    0    192.168.1.100:435    0.0.0.0:*    LISTEN

[roo= t@bigboy root]#

Next= you'll discover how to actually login to systems using SSH.

Using SSH To Login To A Remote Machine

Usin= g SSH is similar to Telnet. To login from another Linux box use the ssh command with= a -l to specify the username you wish to login as. If you leave out the -l, y= our username will not change. Here are some examples for a server named smallfr= y in your /etc/hosts file.

If y= ou are user root and you want to log in to smallfry as yourself, use the command <= o:p>

[roo= t@bigboy tmp]# ssh smallfry

User= root can also log in to Smallfry as user peter via the default port 22:

[roo= t@bigboy tmp]# ssh -l peter smallfry

or v= ia port 435 using the username@remote_server alternative login format: <= /span>

[roo= t@bigboy tmp]# ssh -p 435 peter@smallfry

<= span class=3Dmw-headline>

What To Expect With Your First = Login

The = first time you log in, you get a warning message saying that the remote host does= n't know about your machine and prompting you to store a copy of the remote hos= t's SSH identification keys on your local machine. It will look something like this:

[roo= t@bigboy tmp]# ssh smallfry

The authenticity of host 'smallfry (smallfry)' can't be established.=

RSA = key fingerprint is 5d:d2:f5:21:fa:07:64:0d:63:1b:3b:ee:a6:58:58:bb.<= /span>

Are = you sure you want to continue connecting (yes/no)? yes

Warn= ing: Permanently added 'smallfry' (RSA) to the list of known hosts. root@smallfr= y's password:

Last= login: Thu Nov 14 10:18:45 2002 from 192.168.1.98

No m= ail.

[roo= t@smallfry tmp]#

The = key is stored in your ~/.ssh/known_hosts file and you should never be prompted for this again.

<= /a>

SSH Failures Due To Linux Reinstallations

If L= inux or SSH is reinstalled on the remote server then the keys are regenerated and y= our SSH client will detect that this new key doesn't match the saved value in t= he known_hosts file. The SSH client will fail giving an error like this, errin= g on the side of caution to alert you to the possibility of a form of hacking attack.

[roo= t@bigboy tmp]# ssh 192.168.1.102

@@@@= @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @

@@@@= @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!

Some= one could be eavesdropping on you right now (man-in-the-middle attack)!

It i= s also possible that the RSA host key has just been changed.

The fingerprint for the RSA key sent by the remote host is

5d:d= 2:f5:21:fa:07:64:0d:63:1b:3b:ee:a6:58:58:bb.

Plea= se contact your system administrator.

Add = correct host key in /root/.ssh/known_hosts to get rid of this message.

Offe= nding key in /root/.ssh/known_hosts:2

RSA = host key for 192.168.1.102 has changed and you have requested strict checking.<= /o:p>

Host= key verification failed.

[roo= t@bigboy tmp]#

If y= ou are confident that the error is due to a reinstallation, then edit your ~/.ssh/known_hosts text file, removing the entry for the offending remote server. When you try connecting via SSH again, you'll be prompted to add the new key to your ~/.ssh/known_hosts file and the login session should procee= d as normal after that.

<= /a>

Deactivating Telnet After Insta= lling SSH

You = should always consider SSH over TELNET, because of the inherent data encryption features of SSH and the current widespread availability of SSH clients for = both Linux and Windows.

By d= efault, the TELNET server isn't installed with Fedora Linux. If you do decide to deactivate an active TELNET server, then use procedures detailed in Chapter= 16, 'Telnet, TFTP, and xinetd'.

<= /a>

Executing Remote Commands on De= mand with SSH

A ni= ce feature of SSH is that it is capable of logging in and executing single commands on a remote system. You just have to place the remote command, enclosed in quotes, at the end of the ssh command of the local server. In t= he example below, a user on server smallfry who needs to know the version of t= he kernel running on server bigboy (192.168.1.100) remotely runs the uname -a command. The command returns the version of 2.6.8-1.521 and the server's na= me, bigboy.

[roo= t@smallfry tmp]# ssh 192.168.1.100 'uname -a'

root= @192.168.1.100's password:

Linu= x bigboy 2.6.8-1.521 #1 Mon Aug 16 09:01:18 EDT 2004 i686 i686 i386 GNU/Linux

[roo= t@smallfry tmp]#

This= feature can be very useful. You can combine it with password-free login, explained later in this chapter, to get the status of a remote server whenever you ne= ed it. More comprehensive monitoring may best be left to such purpose built programs as MRTG, which is covered in Chapter 22, ' Monitoring Server Performance'.

SSH Tunneling=

You = already know that SSH creates an encrypted data session between a client and server. With SSH tunneling the server computer can also receive data from other computers on the client's network over the very same session. The client is configured to listen on a specified TCP port and all data received on that = port will be automatically SSH encrypted and relayed to the remote server. It is= for this reason that SSH tunneling is also called SSH port forwarding.

Ther= e are two types of forwarding:

L= ocal Forwarding: Fo= rwards traffic coming to a local port to a specified remote port. This is also kno= wn as outgoing tunneling, as the tunnel is established to the remote server. <= o:p>

R= emote Forwarding: Fo= rwards traffic coming to a remote port to a specified local port. This is also kno= wn as incoming tunneling, as the tunnel is established from the remote server.=

As a= lways it is best to explain these methodologies with some examples.

Local Forwarding<= span style=3D'font-size:12.0pt;font-family:Arial'>

The = syntax for local forwarding relies on the -L SSH command line qualifier which is configured like this:

-L bind-address:bind-port:remote-server-address:remote-port<= /p>

Wher= e the bind-address and bind-port are the IP address and TCP port on which the loc= al computer will listen for connections from its neighbors. If the bind-address isn't listed, then the server will only accept connections from localhost. = The remote-server-address and remote-port specify the same options for the remo= te server.

N= ote: Sometimes an intermediary rela= y host for the data can be used. In this case the data passes through an encrypted= SSH connection for the part of the journey between the local server and the intermediary. The connection between the intermediary and remote host is no= t. This is not a security issue when forwarding SSH traffic, which is already encrypted, but it can be so when forwarding unencrypted data such as POP ma= il, SMTP mail or, telnet.

Inte= rmediaries can be useful especially when the intermediary host is the only host on the local network with access to the remote host.

Here= are some explanatory examples:

E= xample 1: The local computer forwards any connection to its NIC IP address on a specified port = to a remote host.

[roo= t@bigboy ~]# ssh -L 192.168.1.100:9999:216.10.135.26:22  root@192.168.1.100

root= @192.168.1.100's password:

Last= login: Sat Mar 17 22:00:50 2007 from 192.168.1.201

[roo= t@bigboy ~]#

Here= server bigboy is configured to forward any connections its NIC IP address of 192.168.1.100 receives on port 9999 to port 22 on server 216.10.135.26.

The = outbound connection to 216.10.135.26 is managed by a separate shell process with the login credentials you specify. In this case the connection will be created = on bigboy itself, 192.168.1.100, and will run as user root. This can be tricky= , as after executing this command it will appear as if you have logged into bigb= oy all over again and nothing appears to be happening. Don't be fooled, the new login is shell is the master process for the connection that needs to be created. If you log out, the forwarding will be broken. <= /p>

This= can easily be tested. Using SSH to connect to bigboy on port 9999 actually logs= you into the remote server web-003.

[roo= t@smallfry ~]# ssh -p 9999 root@192.168.1.200

root= @192.168.1.200's password:

Last= login: Sat Mar 17 21:56:03 2007 from home.my-web-site.org

[roo= t@web-003 ~]#

You = can then use the netstat and ps commands to verify that the shell process has been created and that the connection has been established.

[roo= t@bigboy ~]# netstat -an | grep 216.10.135.26

tcp<= span style=3D'mso-spacerun:yes'>   0   0   192.168.1.100:36342   216.10.135.26:22   ESTABLISHED

[roo= t@bigboy ~]#

 

[roo= t@bigboy ~]# ps -ef | grep 216.10.135.26

root=      22901 21955  0 13:59 pts/0    00:00:00 ssh -L 192.168.2.200:9999:216.10.135.26:222 -p 222 root@192.168.1.100

[roo= t@bigboy ~]#

Forw= arding can be useful! Let's see some more examples.

E= xample 2: The local computer forwards any connection to localhost on a specified port, to a rem= ote host via an intermediary server. Connection's to the local computer's NIC on the specified port is not allowed.

[roo= t@smallfry ~]# ssh -L localhost:9999:216.10.135.26:22

  root@192.168.1.100

root= @192.168.1.100's password:

[roo= t@bigboy ~]#

Here= server smallfry is configured to local forward any connections its localhost IP address receives on port 9999 to port 22 on a remote server with an IP addr= ess of 216.10.135.26. Server bigboy is used as the intermediary.

[roo= t@smallfry ~]# ssh -p 9999 localhost

root= @localhost's password:

Last= login: Sat Mar 17 20:11:09 2007 from home.my-web-site.org

[roo= t@web-003 ~]#

You = can use the netstat command on smallfry and bigboy to verify that connections have = been established between bigboy and web-003, and smallfry and bigboy.

[roo= t@smallfry ~]# netstat -an | grep EST | grep 192.168.1.100

tcp<= span style=3D'mso-spacerun:yes'>   0   0   192.168.1.50:40679   192.168.1.100:22   ESTABLISHED

[roo= t@smallfry ~]#

[roo= t@bigboy ~]# netstat -an | grep EST | grep 216.10.135.26

tcp<= span style=3D'mso-spacerun:yes'>    0   0   192.168.1.100:56236  216.10.135.26:22   ESTABLISHED

[roo= t@bigboy ~]#

SSH connections to the NICs of either bigboy or smallfry fail.

[roo= t@smallfry ~]# ssh -p 9999 192.168.1.100

ssh:= connect to host 192.168.1.100 port 9999: Connection refused

[roo= t@smallfry ~]# ssh -p 9999 192.168.1.50

ssh:= connect to host 192.168.1.50 port 9999: Connection refused

[roo= t@smallfry ~]#

The = final example which follows discusses forwarding unencrypted protocols.

E= xample 3: The local computer forwards any POP mail queries to localhost directly to the remote = POP mail server over an SSH tunnel.

[roo= t@smallfry ~]# ssh -L 9999:mailserver:110 root@mailserver

root= @mailserver's password:

Last= login: Sat Mar 17 20:11:09 2007 from home.my-web-site.org

[roo= t@mailserver ~]#

In t= his case an SSH connection is created to mailserver using a shell process owned by u= ser root. The server mailserver then creates an unencrypted POP session (TCP po= rt 110) to itself. The advantage of this configuration is that POP data never leaves the POP server unencrypted.

POP = mail users on smallfry can then get their mail over the encrypted link by configuring localhost as the POP mail server in their mail client, and not mailserver.

 

Remote Forwarding

The = syntax for local forwarding relies on the -R SSH command line qualifier which is configured like this:

-R bind-address:bind-port:remote-server-address:remote-port<= /p>

The = syntax is similar to that of the -L option. The bind-address and bind-port are the= IP address and TCP port on which the local computer will listen for connections from its neighbors. If the bind-address isn't listed, then the server will = only accept connections from localhost. The remote-server-address and remote-port specify the same options for the remote server and are from the remote serv= er's perspective. If you specify localhost as the remote-server-address, SSH wil= l be interpret it to mean the Internet IP address of the remote server.

This= can be useful in a number of scenarios. For example, you cannot connect to your of= fice workstation via VPN due to network maintenance, but during this time your workstation still has access to the Internet. Remote forwarding could provi= de you with access.

Here= 's another scenario. You are moving into a new Internet data center, all the network gear has been configured, but the installation of the data circuits= has been delayed. This has caused the configuration of the servers to be delaye= d. If one server wired to your network can get access to a server on the Inter= net, via a wireless card, or otherwise, then remote access to the data center co= uld be achieved using remote forwarding.

E= xample 1: The local computer forwards any connection to localhost on a specified port to a remo= te host. Forwarding occurs over a previously established connection from the remote host. If we revisit our scenario where VPN access will be down due to maintenance, the first thing to be done is to configure your workstation at work to establish a remote forwarding SSH session to your home server.

[roo= t@work-001 ~]# ssh -R localhost:9999:localhost:22 root@home.my-web-site.org=

root= @home.my-web-site.org's password:

Last= login: Sat Mar 17 21:15:36 2007 from 216.10.135.26

[roo= t@bigboy ~]# ping localhost

PING bigboy (127.0.0.1) 56(84) bytes of data.

64 b= ytes from bigboy (127.0.0.1): icmp_seq=3D1 ttl=3D64 time=3D0.091 ms

64 b= ytes from bigboy (127.0.0.1): icmp_seq=3D2 ttl=3D64 time=3D0.082 ms

64 b= ytes from bigboy (127.0.0.1): icmp_seq=3D3 ttl=3D64 time=3D0.097 ms

64 b= ytes from bigboy (127.0.0.1): icmp_seq=3D4 ttl=3D64 time=3D0.078 ms

Here workstation work-001 creates an SSH session to server bigboy at home. It al= so tells bigboy to use this session to forward data to work-001 when bigboy receives SSH connections to localhost on port 9999. Remember, the remote-server-address of the -R option is from the remote server's perspect= ive (work-001). If you specify localhost as the remote-server-address, SSH will= be interpret it to mean the Internet IP address of the remote server.

We h= ave setup a ping session to ensure that there is constant traffic between bigboy and work-001 over the connection so that any intermediary firewall doesn't = kill it due to inactivity.

When= you arrive home, all you have to do is SSH to localhost on your home system to = gain access to your workstation at work.

[roo= t@bigboy ~]# ssh -p 9999 root@localhost

root= @localhost's password:

Last= login: Sun Mar 18 15:50:16 2007 from 65.115.71.35

[roo= t@work-001 ~]#

 

As y= ou can see, remote forwarding can be both useful, convenient and productivity enhancing.

E= xample 2: The local computer forwards any connection to it's NIC on a specified port to a remote host. Forwarding occurs over a previously established connection from the remote host.

This= is more fitting for our limited connectivity data center scenario. In this case the local computer can be accessed by anyone on the Internet and it will forward any SSH connections it receives on the specified port to the server in the = data center with the wireless access. Here's how it's done:

Your= local computer may be configured to only accept SSH connections for remote forwar= ding on the loopback localhost interface. Edit your sshd_config file and make su= re the GatewayPorts setting is set to yes.

#

# Fi= le: /etc/ssh/sshd_config

#

 

Gate= wayPorts yes

Rest= art the SSH daemon to activate the setting.

[roo= t@netserver-001  ~]# /etc/init.d/sshd restart<= /o:p>

Stop= ping sshd: [  OK  ]

Star= ting sshd: [  OK  ]

[roo= t@netserver-001  ~]#

The = next step is to establish the remote port forwarding session. Set up a ping if y= ou need constant activity on the link. In this case Internet server is netserver-001.my-web-site.org.

[roo= t@datacenter-001 ~]# ssh -R netserver-001.my-web-site.org:9999:localhost:22 root@netserver-001.my-web-site.org

root= @netserver-001.my-web-site.org's password:

Last= login: Sat Mar 17 21:15:36 2007 from 216.10.135.26

[roo= t@netserver-001 ~]# ping localhost

PING netserver-001 (127.0.0.1) 56(84) bytes of data.

64 b= ytes from netserver-001 (127.0.0.1): icmp_seq=3D1 ttl=3D64 time=3D0.091 ms<= /o:p>

64 b= ytes from netserver-001 (127.0.0.1): icmp_seq=3D2 ttl=3D64 time=3D0.082 ms<= /o:p>

64 b= ytes from netserver-001 (127.0.0.1): icmp_seq=3D3 ttl=3D64 time=3D0.097 ms<= /o:p>

64 b= ytes from netserver-001 (127.0.0.1): icmp_seq=3D4 ttl=3D64 time=3D0.078 ms<= /o:p>

Here workstation datacenter-001 creates an SSH session to Internet server netserver-001. It also tells netserver-001 to use this session to forward d= ata to datacenter-001 when netserver-001 receives SSH connections on any interf= ace IP address (*) on port 9999.

Now = it's time to test it. From our home server bigboy, we can SSH into server netserver-001 on port 9999 and get access to the data center.

[roo= t@bigboy~]# ssh -p 9999 root@netserver-001.my-web-site.org

root@ netserver-001.my-web-site.org's password:

Last= login: Sun Mar 18 15:50:16 2007 from 65.115.71.35

[roo= t@datacenter-001 ~]#

Succ= ess! You have saved the day with your ingenuity.

Confi= guring Forwarding with GUI Clients

You = won't always have SSH command line access for the servers at both end of a port forwarding connection. Sometimes a GUI is either easier to use, or is your = only option.

Most= GUI clients will have SSH forwarding capabilities and it will be configurable on each of your saved connections, not globally. The options to do this should= be found under the advanced properties or equivalent tab and with your new Lin= ux command line knowledge, the setup should be relatively easy.

Troub= leshooting SSH Port Forwarding

Ther= e can be many complications with SSH port forwarding, and they are mostly related to typographical errors. Here are a few symptoms that are easy to overcome:

If r= emote forwarding doesn't work from a remote server, but works from localhost, then make sure you have activated the GatewayPorts setting on your computer. If = not, change it, restart the SSH daemon and try again.

If y= ou get a message like this stating that the address is already in use, then you may = have another port forwarding session already started on the port or the port you intend to use for forwarding is already in use by another application.

bind: Address already in use

chan= nel_setup_fwd_listener: cannot listen to port: 9999

Coul= d not request local forwarding.

&quo= t;Connection closed' messages like this one could be caused by typing in an incorre= ct forwarding address.

ssh_= exchange_identification: Connection closed by remote host

If y= ou are attempting remote forwarding using your server's NIC IP address and get this message, then it could be because the GatewayPorts setting has been disable= d. With local forwarding, it could be caused by specifying an incorrect port on which the server should listen.

[roo= t@bigboy ~]# ssh -p 9999 192.168.1.100

ssh:= connect to host 192.168.1.200 port 9999: Connection refused

[roo= t@bigboy ~]

SSH = port forwarding is a very useful tool that can provide you with a great deal of versatility when administering your servers. It's always a good thing to remember.

SCP: A Secure Alternative to FT= P

From= a networking perspective, FTP isn't very secure, because usernames, passwords, and data are sent across the network unencrypted. More secure forms such as SFTP (Secure FTP) and SCP (Secure Copy) are available as a part of the Open= SSH package that is normally installed by default on RedHat and Fedora Core. Remember, unlike FTP, SCP doesn't support anonymous downloads like FTP.

The = Linux scp command for copying files has a format similar to that of the regular L= inux cp command. The first argument is the source file and the second is the destination file. When copying to or from a remote server, SCP logs in to t= he server to transfer the data and this therefore requires you to supply a rem= ote server name, username, and password to successfully execute the command. The remote filename is therefore preceded by a prefix of the remote username and server name separated by an @ symbol. The remote filename or directory then follows separated by a colon. The format therefore looks like this:

user= name@servername:filename

user= name@servername:directoryname

For = example, file /etc/syslog.conf on a server with IP address 192.168.1.100 that needs = to be retrieved as user peter would have the format peter@192.168.1.000:/etc/syslog.conf, the entire /etc directory would be peter@192.168.1.000:/etc/.

N= ote: You can download an easy-to-use Windows SCP client called WinSCP from https://winscp.vse.cz/eng/ =

<= span class=3Dmw-headline>Copyi= ng Files To The Local Linux Box

If y= ou understand how scp represents remote filenames, you can start copying files fairly easily. For example, to copy file /tmp/software.rpm on the remote machine to the local directory /usr/rpm use the commands =

[roo= t@bigboy tmp]# scp root@smallfry:/tmp/software.rpm /usr/rpm

root= @smallfry's password:

soft= ware.rpm        =            =    100% 1011    27.6KB/s   00:00

[roo= t@bigboy tmp]#

To c= opy the file /tmp/software.rpm on the remote machine to the local directory /usr/rpm using TCP port 435, use the commands

[roo= t@bigboy tmp]# scp -P 435 root@smallfry:/tmp/software.rpm /usr/rpm=

root= @smallfry's password:

soft= ware.rpm        =             &nb= sp;  100% 1011    = 27.6KB/s   00:00

[roo= t@bigboy tmp]#

= Copyi= ng Files To The Remote Linux Box

Copy= ing files to the local Linux server now becomes intuitive. For examples, to copy file /etc/hosts on the local machine to directory /tmp on the remote server=

[roo= t@bigboy tmp]# scp /etc/hosts root@192.168.1.103:/tmp

root= @192.168.1.103's password:

host= s        =             &nb= sp;        100% 1011    27.6KB/s   00:00   

[roo= t@bigboy tmp]#

To c= opy file /etc/hosts on the local machine to directory /tmp on the remote server via = TCP port 435, use the commands

[roo= t@bigboy tmp]# scp -P 435 /etc/hosts root@192.168.1.103:/tmp

host= s        =             &nb= sp;        100% 1011    27.6KB/s   00:00   

[roo= t@bigboy tmp]#

SFTP: Another Secure Alternativ= e to FTP

Open= SSH also has the SFTP program, which runs over an encrypted SSH session but whose commands mimic those of FTP. SFTP can be more convenient to use than SCP wh= en you are uncertain of the locations of the files you want to copy, because it has the directory browsing abilities of FTP. Unlike FTP, SFTP doesn't suppo= rt anonymous logins.

Here= is a sample login sequence that logs in, gets help on the available commands and downloads a file to the local server.

[roo= t@bigboy tmp]# sftp 192.168.1.200

Conn= ecting to 192.168.1.200

root= @192.168.1.200's password:

sftp= > help

Avai= lable commands:

cd p= ath        =             &nb= sp;  Change remote directory to 'path'

lcd path        =             &nb= sp; Change local directory to 'path'

chgr= p grp path        =         Change group of file 'path' to 'grp'

chmo= d mode path        =        Change permissions of file 'path' to 'mode'

<= o:p>

<= o:p>

sftp= > ls

<= o:p>

<= o:p>

anac= onda-ks.cfg

inst= all.log

inst= all.log.syslog

<= o:p>

<= o:p>

sftp= > get install.log

inst= all.log        =                =  100%   17KB  39.4KB/s   00:00

sftp= > exit

[roo= t@bigboy tmp]#

<= span class=3Dmw-headline>Using SSH and SCP without a pas= sword

From= time to time you may want to write scripts that will allow you to copy files to a server, or login, without being prompted for passwords. This can make them simpler to write and also prevents you from having to embed the password in your code.

SCP = has a feature that allows you to do this. You no longer have to worry about prying eyes seeing your passwords nor worrying about your script breaking when som= eone changes the password. You can configure SSH to do this by generating and installing data transfer encryption keys that are tied to the IP addresses = of the two servers. The servers then use these pre-installed keys to authentic= ate one another for each file transfer. As you may expect, this feature doesn't work well with computers with IP addresses that periodically change, such as those obtained via DHCP.

Ther= e are some security risks though. The feature is automatically applied to SSH as well. Someone could use your account to log in to the target server by ente= ring the username alone. It is therefore best to implement this using unprivileg= ed accounts on both the source and target servers.

The = example that follows enables this feature in one direction (from server bigboy to server smallfry) and only uses the unprivileged account called filecopy.

Configuration: Client Side=

Here= are the steps you need to do on the computer that acts as the SSH client:

1) G= enerate your SSH encryption key pair for the filecopy account. Press the Enter key = each time you are prompted for a password to be associated with the keys. (Do not enter a password.)

[fil= ecopy@bigboy filecopy]# ssh-keygen -t dsa

Gene= rating public/private dsa key pair.

Ente= r file in which to save the key

(/fi= lecopy/.ssh/id_dsa):

Enter passphrase (empty for no passphrase):

Ente= r same passphrase again:

Your identification has been saved in

/fil= ecopy/.ssh/id_dsa.

Your= public key has been saved in

/fil= ecopy/.ssh/id_dsa.pub.

The = key fingerprint is:

1e:7= 3:59:96:25:93:3f:8b:50:39:81:9e:e3:4a:a8:aa

file= copy@bigboy

[fil= ecopy@bigboy filecopy]#

2) T= hese keyfiles are stored in the.ssh subdirectory of your home directory. View the contents of that directory. The file named id_dsa is your private key, and = id_dsa.pub is the public key that you will be sharing with your target server. Versions other than RedHat/Fedora may use different filenames, use the SSH man pages= to verify this.

[fil= ecopy@bigboy filecopy]# cd ~/.ssh

[fil= ecopy@bigboy filecopy]# ls

id_d= sa  id_dsa.pub  known_hosts

[fil= ecopy@bigboy .ssh]#

3) C= opy only the public key to the home directory of the account to which you will be sending the file.

[fil= ecopy@bigboy .ssh]# scp id_dsa.pub filecopy@smallfry:public-key.tmp

Now,= on to the server side of the operation.

Confi= guration - Server Side

Here= are the steps you need to do on the computer that will act as the SSH server. =

1) L= og into smallfry as user filecopy. Create an .ssh subdirectory in your home directo= ry and then go to it with cd.

[fil= ecopy@smallfry filecopy]# ls

publ= ic-key.tmp

[fil= ecopy@smallfry filecopy]# mkdir .ssh

[fil= ecopy@smallfry filecopy]# chmod 700 .ssh

[fil= ecopy@smallfry filecopy]# cd .ssh

2) A= ppend the public-key.tmp file to the end of the authorized_keys file using the >> append redirector with the cat command. The authorized_keys file contains a listing of all the public keys from machines that are allowed to connect to your Smallfry account without a password. Versions other than RedHat/Fedora may use different filenames, use the SSH man pages to verify this.

[fil= ecopy@smallfry .ssh]# cat ~/public-key.tmp >> authorized_keys

[fil= ecopy@smallfry .ssh]# rm ~/public-key.tmp

From= now on you can use ssh and scp as user filecopy from server bigboy to smallfry wit= hout being prompted for a password.

Conclusion

Most= Linux security books strongly recommend using SSH and SCP over TELNET and FTP bec= ause of their encryption capabilities. Despite this, there is still a place for = FTP in the world thanks to its convenience in providing simple global access to files and TELNET, which is much easier to implement in price-sensitive netw= ork appliances than SSH. Consider all options when choosing your file transfer = and remote login programs and select improved security whenever possible as the long term benefits eventually outweigh the additional cost over time.

DISTRIBUIE DOCUMENTUL

Comentarii


Vizualizari: 1358
Importanta: rank

Comenteaza documentul:

Te rugam sa te autentifici sau sa iti faci cont pentru a putea comenta

Creaza cont nou



Termeni si conditii de utilizare | Contact
© SCRIGROUP 2024. All rights reserved