SCP is derived from rcp. SSH-Secure Shell. Application and a protocol that provide a secure replacement for the Berkeley r-tools. The protocol secures the sessions using standard cryptographic mechanisms, and the application can be used similarly to the Berkeley rexec and rsh tools. SSH Version 1 is implemented in the Cisco IOS XE software. User accounts have attributes that can be altered. Each user account has a set of associated attributes. These attributes are created from default values when a user is created by using the mkuser command. The attributes can be altered by using the chuser command. The following are the user attributes that control login and are not related to password quality.
Networking / BeginnersThe CompTIA Network tests you on rlogin, RSH, and RCP. These are three oldschoolprograms in the UNIX world. The R stands for remote and, like Telnet and SSH,these programs provide remote access and control of servers. Also like Telnet, they donot encrypt data and thus, should not be used across the Internet. Here is a quick breakdownof the suite:
- Rlogin Remote login works very similarly to Telnet. You simply run the programwith the host name of the server and you can connect and run commandsjust like with Telnet. It has one very nice advantage over Telnet in that it can beconfigured to log in automatically without the need to enter a user name andpassword. Rlogin works over TCP port 513.
- RSH Remote Shell allows you to send single commands to the remote server.Whereas rlogin is designed to be used interactively, RSH can be easily integratedinto a script. RSH runs over TCP port 514 by default.
- RCP Remote Copy provides the capability to copy files to and from the remoteserver without the need to resort to FTP or NFS (Network File System, the UNIXform of folder sharing). RCP can also be used in scripts and shares TCP port 514 with RSH.
In this tutorial:
24 SSH: Secure Network Operations#Edit source
In networked environments, it is often necessary to access hosts from a remote location. If a user sends login and password strings for authentication purposes as plain text, they could be intercepted and misused to gain access to that user account. This would open all the user's files to an attacker and the illegal account could be used to obtain administrator or root
access, or to penetrate other systems. In the past, remote connections were established with telnet
, rsh
or rlogin
, which offered no guards against eavesdropping in the form of encryption or other security mechanisms. There are other unprotected communication channels, like the traditional FTP protocol and some remote copying programs like rcp
.
- 24.1
ssh
—Secure Shell - 24.2
scp
—Secure Copy - 24.3
sftp
—Secure File Transfer - 24.4 The SSH Daemon (
sshd
) - 24.5 SSH Authentication Mechanisms
- 24.6 Port Forwarding
- 24.7 Adding and Removing Public Keys on an Installed System
- 24.8 For More Information
The SSH suite provides the necessary protection by encrypting the authentication strings (usually a login name and a password) and all the other data exchanged between the hosts. With SSH, the data flow could still be recorded by a third party, but the contents are encrypted and cannot be reverted to plain text unless the encryption key is known. So SSH enables secure communication over insecure networks, such as the Internet. The SSH implementation coming with SUSE Linux Enterprise Server is OpenSSH.
SUSE Linux Enterprise Server installs the OpenSSH package by default providing the commands ssh
, scp
, and sftp
. In the default configuration, remote access of a SUSE Linux Enterprise Server system is only possible with the OpenSSH utilities, and only if the sshd
is running and the firewall permits access.
SSH on SUSE Linux Enterprise Server uses cryptographic hardware acceleration if available. As a result, the transfer of large quantities of data through an SSH connection is considerably faster than without cryptographic hardware. As an additional benefit, the CPU will see a significant reduction in load.
With ssh
it is possible to log in to remote systems and to work interactively. To log in to the host sun
as user tux
enter one of the following commands:
If the user name is the same on both machines, you can omit it. Using ssh sun
is sufficient. The remote host prompts for the remote user's password. After a successful authentication, you can work on the remote command line or use interactive applications, such as YaST in text mode.
Furthermore, ssh
offers the possibility to run non-interactive commands on remote systems using ssh
HOSTCOMMAND. COMMAND needs to be properly quoted. Multiple commands can be concatenated as on a local shell.
24.1.1 Starting X Applications on a Remote Host#Edit source
SSH also simplifies the use of remote X applications. If you run ssh
with the -X
option, the DISPLAY
variable is automatically set on the remote machine and all X output is exported to the local machine over the existing SSH connection. At the same time, X applications started remotely cannot be intercepted by unauthorized individuals.
By adding the -A
option, the ssh-agent authentication mechanism is carried over to the next machine. This way, you can work from different machines without having to enter a password, but only if you have distributed your public key to the destination hosts and properly saved it there. Refer to Section 24.5.2, “Copying an SSH Key” for details.
This mechanism is deactivated in the default settings, but can be permanently activated at any time in the system-wide configuration file /etc/ssh/sshd_config
by setting AllowAgentForwarding yes
.
scp
copies files to or from a remote machine. If the user name on jupiter is different than the user name on sun, specify the latter using the USER_NAME@host
format. If the file should be copied into a directory other than the remote user's home directory, specify it as sun:DIRECTORY. The following examples show how to copy a file from a local to a remote machine and vice versa.
Tip: The -l
Option
With the ssh
command, the option -l
can be used to specify a remote user (as an alternative to the USER_NAME@host
format). With scp
the option -l
is used to limit the bandwidth consumed by scp
.
After the correct password is entered, scp
starts the data transfer. It displays a progress bar and the time remaining for each file that is copied. Suppress all output with the -q
option.
scp
also provides a recursive copying feature for entire directories. The command
copies the entire contents of the directory src
including all subdirectories to the ~/backup
directory on the host sun. If this subdirectory does not exist, it is created automatically.
The -p
option tells scp
to leave the time stamp of files unchanged. -C
compresses the data transfer. This minimizes the data volume to transfer, but creates a heavier burden on the processors of both machines.
If you want to copy several files from or to different locations, sftp
is a convenient alternative to scp
. It opens a shell with a set of commands similar to a regular FTP shell. Type help
at the sftp-prompt to get a list of available commands. More details are available from the sftp
man page.
24.3.2 Setting Permissions for File Uploads#Edit source
As with a regular FTP server, a user cannot only download, but also upload files to a remote machine running an SFTP server by using the put
command. By default the files will be uploaded to the remote host with the same permissions as on the local host. There are two options to automatically alter these permissions:
A umask works as a filter against the permissions of the original file on the local host. It can only withdraw permissions:
permissions original | umask | permissions uploaded |
---|---|---|
0666 | 0002 | 0664 |
0600 | 0002 | 0600 |
0775 | 0025 | 0750 |
To apply a umask on an SFTP server, edit the file /etc/ssh/sshd_configuration
. Search for the line beginning with Subsystem sftp
and add the -u
parameter with the desired setting, for example:
Explicitly setting the permissions sets the same permissions for all files uploaded via SFTP. Specify a three-digit pattern such as 600
, 644
, or 755
with -u
. When both -m
and -u
are specified, -u
is ignored.
To apply explicit permissions for uploaded files on an SFTP server, edit the file /etc/ssh/sshd_configuration
. Search for the line beginning with Subsystem sftp
and add the -m
parameter with the desired setting, for example:
To work with the SSH client programs ssh
and scp
, a server (the SSH daemon) must be running in the background, listening for connections on TCP/IP port 22
. The daemon generates three key pairs when starting for the first time. Each key pair consists of a private and a public key. Therefore, this procedure is called public key-based. To guarantee the security of the communication via SSH, access to the private key files must be restricted to the system administrator. The file permissions are set accordingly by the default installation. The private keys are only required locally by the SSH daemon and must not be given to anyone else. The public key components (recognizable by the name extension .pub
) are sent to the client requesting the connection. They are readable for all users.
A connection is initiated by the SSH client. The waiting SSH daemon and the requesting SSH client exchange identification data to compare the protocol and software versions, and to prevent connections through the wrong port. Because a child process of the original SSH daemon replies to the request, several SSH connections can be made simultaneously.
For the communication between SSH server and SSH client, OpenSSH supports versions 1 and 2 of the SSH protocol. Version 2 of the SSH protocol is used by default. Override this to use version 1 of protocol with the -1
option.
When using version 1 of SSH, the server sends its public host key and a server key, which is regenerated by the SSH daemon every hour. Both allow the SSH client to encrypt a freely chosen session key, which is sent to the SSH server. The SSH client also tells the server which encryption method (cipher) to use. Version 2 of the SSH protocol does not require a server key. Both sides use an algorithm according to Diffie-Hellman to exchange their keys.
The private host and server keys are absolutely required to decrypt the session key and cannot be derived from the public parts. Only the contacted SSH daemon can decrypt the session key using its private keys. This initial connection phase can be watched closely by turning on verbose debugging using the -v
option of the SSH client.
Tip: Viewing the SSH Daemon Log File
To watch the log entries from the sshd
use the following command:
It is recommended to back up the private and public keys stored in /etc/ssh/
in a secure, external location. In this way, key modifications can be detected or the old ones can be used again after having installed a new system.
Tip: Existing SSH Host Keys
If you install SUSE Linux Enterprise Server on a machine with existing Linux installations, the installation routine automatically imports the SSH host key with the most recent access time from an existing installation.
When establishing a secure connection with a remote host for the first time, the client stores all public host keys in ~/.ssh/known_hosts
. This prevents any man-in-the-middle attacks—attempts by foreign SSH servers to use spoofed names and IP addresses. Such attacks are detected either by a host key that is not included in ~/.ssh/known_hosts
, or by the server's inability to decrypt the session key in the absence of an appropriate private counterpart.
If the public keys of a host have changed (that needs to be verified before connecting to such a server), the offending keys can be removed with ssh-keygen -r HOSTNAME
.
As of version 6.8, OpenSSH comes with a protocol extension that supports host key rotation. It makes sense to replace keys, if you are still using weak keys such as 1024-bit RSA keys. It is strongly recommended to replace such a key and go for 2048-bit DSA keys or something even better. The client will then use the “best” host key.
Tip: Restarting sshd
After installing new host keys on the server, restart sshd.
This protocol extension can inform a client of all the new host keys on the server, if the user initiates a connection with ssh
. Then, the software on the client updates ~/.ssh/known_hosts
, and the user is not required to accept new keys of previously known and trusted hosts manually. The local known_hosts
file will contain all the host keys of the remote hosts, in addition to the one that authenticated the host during this session.
Once the administrator of the server knows that all the clients have fetched the new keys, they can remove the old keys. The protocol extension ensures that the obsolete keys will be removed from the client's configuration, too. The key removal occurs while initiating an ssh
session.
For more information, see:
http://heise.de/-2540907 („Endlich neue Schlüssel für SSH-Server,“ German only)
In its simplest form, authentication is done by entering the user's password just as if logging in locally. However, having to memorize passwords of several users on remote machines is inefficient. What is more, these passwords may change. On the other hand—when granting root
access—an administrator needs to be able to quickly revoke such a permission without having to change the root
password.
To accomplish a login that does not require to enter the remote user's password, SSH uses another key pair, which needs to be generated by the user. It consists of a public (id_rsa.pub
or id_dsa.pub
) and a private key (id_rsa
or id_dsa
).
To be able to log in without having to specify the remote user's password, the public key of the “SSH user” must be in ~/.ssh/authorized_keys
. This approach also ensures that the remote user has got full control: adding the key requires the remote user's password and removing the key revokes the permission to log in from remote.
For maximum security such a key should be protected by a passphrase which needs to be entered every time you use ssh
, scp
, or sftp
. Contrary to the simple authentication, this passphrase is independent from the remote user and therefore always the same.
An alternative to the key-based authentication described above, SSH also offers a host-based authentication. With host-based authentication, users on a trusted host can log in to another host on which this feature is enabled using the same user name. SUSE Linux Enterprise Server is set up for using key-based authentication, covering setting up host-based authentication on SUSE Linux Enterprise Server is beyond the scope of this manual.
Note: File Permissions for Host-Based Authentication
If the host-based authentication is to be used, the file /usr/lib/ssh/ssh-keysign
should have the setuid bit set, which is not the default setting in SUSE Linux Enterprise Server. In such case, set the file permissions manually. You should use /etc/permissions.local
for this purpose, to make sure that the setuid bit is preserved after security updates of openssh.
To generate a key with default parameters (RSA, 2048 bits), enter the command
ssh-keygen
.Accept the default location to store the key (
~/.ssh/id_rsa
) by pressing Enter (strongly recommended) or enter an alternative location.Enter a passphrase consisting of 10 to 30 characters. The same rules as for creating safe passwords apply. It is strongly advised to refrain from specifying no passphrase.
You should make absolutely sure that the private key is not accessible by anyone other than yourself (always set its permissions to 0600
). The private key must never fall into the hands of another person.
To change the password of an existing key pair, use the command ssh-keygen -p
.
To copy a public SSH key to ~/.ssh/authorized_keys
of a user on a remote machine, use the command ssh-copy-id
. To copy your personal key stored under ~/.ssh/id_rsa.pub
you may use the short form. To copy DSA keys or keys of other users, you need to specify the path:
To successfully copy the key, you need to enter the remote user's password. To remove an existing key, manually edit ~/.ssh/authorized_keys
.
When doing lots of secure shell operations it is cumbersome to type the SSH passphrase for each such operation. Therefore, the SSH package provides another tool, ssh-agent
, which retains the private keys for the duration of an X or terminal session. All other windows or programs are started as clients to the ssh-agent
. By starting the agent, a set of environment variables is set, which will be used by ssh
, scp
, or sftp
to locate the agent for automatic login. See the ssh-agent
man page for details.
After the ssh-agent
is started, you need to add your keys by using ssh-add
. It will prompt for the passphrase. After the password has been provided once, you can use the secure shell commands within the running session without having to authenticate again.
24.5.3.1 Using ssh-agent
in an X Session#Edit source
On SUSE Linux Enterprise Server, the ssh-agent
is automatically started by the GNOME display manager. To also invoke ssh-add
to add your keys to the agent at the beginning of an X session, do the following:
Log in as the desired user and check whether the file
~/.xinitrc
exists.If it does not exist, use an existing template or copy it from
/etc/skel
:If you have copied the template, search for the following lines and uncomment them. If
~/.xinitrc
already existed, add the following lines (without comment signs).When starting a new X session, you will be prompted for your SSH passphrase.
24.5.3.2 Using ssh-agent
in a Terminal Session#Edit source
In a terminal session you need to manually start the ssh-agent
and then call ssh-add
afterward. There are two ways to start the agent. The first example given below starts a new Bash shell on top of your existing shell. The second example starts the agent in the existing shell and modifies the environment as needed.
After the agent has been started, run ssh-add
to provide the agent with your keys.
ssh
can also be used to redirect TCP/IP connections. This feature, also called SSH tunneling
, redirects TCP connections to a certain port to another machine via an encrypted channel.
With the following command, any connection directed to jupiter port 25 (SMTP) is redirected to the SMTP port on sun. This is especially useful for those using SMTP servers without SMTP-AUTH or POP-before-SMTP features. From any arbitrary location connected to a network, e-mail can be transferred to the “home” mail server for delivery.
Similarly, all POP3 requests (port 110) on jupiter can be forwarded to the POP3 port of sun with this command:
Both commands must be executed as root
, because the connection is made to privileged local ports. E-mail is sent and retrieved by normal users in an existing SSH connection. The SMTP and POP3 host must be set to localhost
for this to work. Additional information can be found in the manual pages for each of the programs described above and in the OpenSSH package documentation under /usr/share/doc/packages/openssh
.
24.7 Adding and Removing Public Keys on an Installed System#Edit source
Rcp Ssh Key
In some environments, it is convenient or necessary to log in over SSH. As such, the user needs to provide a public SSH key. To add or remove an SSH key, proceed as follows:
Open YaST.
Under Security and Users, open the User and Group Management module.
Select the user you want to change and press Edit.
Switch to the SSH Public Key tab.
Add or remove your public key(s). If you add a public SSH key, look for the file extension
.pub
.Confirm with Ok.
Your public SSH key is saved in ~/.ssh/authorized_keys
.
The home page of OpenSSH
The OpenSSH Wikibook
man sshd
The man page of the OpenSSH daemon
man ssh_config
The man page of the OpenSSH SSH client configuration files
man scp
, man sftp
, man slogin
, man ssh
, man ssh-add
, man ssh-agent
, man ssh-copy-id
, man ssh-keyconvert
, man ssh-keygen
, man ssh-keyscan
Man pages of several binary files to securely copy files (scp
, sftp
), to log in (slogin
, ssh
), and to manage keys.
/usr/share/doc/packages/openssh/README.SUSE
, /usr/share/doc/packages/openssh/README.FIPS
Rcp Ssh Login
SUSE package specific documentation; changes in defaults with respect to upstream, notes on FIPS mode etc.