SSH Operation and Techniques - © William Stearns 1 SSH Operation and Techniques The Swiss Army Knife of encryption tools…

SSH Operation and Techniques - © William Stearns 2 Overview SSH Introduction and Basic Use Copying files Port and X Windows forwarding SSH Keys and installation Ssh-agent Fanout and Fanterm

SSH Operation and Techniques - © William Stearns 3 SSH Features Command line terminal connection tool Replacement for rsh, rcp, telnet, and others All traffic encrypted Both ends authenticate themselves to the other end Ability to carry and encrypt non-terminal traffic

SSH Operation and Techniques - © William Stearns 4 Brief History SSH.com's SSH1, originally completely free with source code, then license changed with version SSH.com's SSH2, originally only commercial, but now free for some uses. OpenSSH team took the last free SSH1 release, refixed bugs, added features, and added support for the SSH2 protocol.

SSH Operation and Techniques - © William Stearns 5 Installation OpenSSH is included with a number of Linux distributions, and available for a large number of Unices On RPM-based Linuxes: rpm -Uvh openssh*.rpm

SSH Operation and Techniques - © William Stearns 6 Basic use ssh SshServerName ssh -l UserName SshServerName ssh SshServerName CommandToRun ssh -v SshServerName Server Host Key checks Uses same login password And if we need to encrypt other traffic?

SSH Operation and Techniques - © William Stearns 7 Securely copying files scp scp -p localfile remotemachine:/remotepath/file Prompts for authentication if needed All traffic encrypted Replaces ftp, rcp, file sharing

SSH Operation and Techniques - © William Stearns 8 File synchronization - Rsync Rsync copies a tree of files from a master out to a copy on another machine. Can use ssh as its transport. rsync -azv -e ssh /home/wstearns/webtree/ mirror.stearns.org/home/web/

SSH Operation and Techniques - © William Stearns 9 Port Forwarding - real server on remote machine I want to listen on port 5110 on this machine; all packets arriving here get sent to mailserver, port 110: ssh -L 5110:mailserver:110 mailserver

SSH Operation and Techniques - © William Stearns 10 Port Forwarding - real server on this machine All web traffic to my firewall should be redirected to the web server running on port 8000 on my machine instead: ssh -R 80:MyMachine:8000 firewall

SSH Operation and Techniques - © William Stearns 11 X Windows forwarding No setup - already done! Run the X Windows application in the terminal window: xclock & The screen display shows up on your computer, and any keystrokes and mouse movements are sent back, all encrypted.

SSH Operation and Techniques - © William Stearns 12 Packet forwarding – VPNs Tunnel packets over the SSH connection Connects to a virtual network device on both ends Openssh 4.3 and higher

SSH Operation and Techniques - © William Stearns 13 SSH key background Old way: password stored on server, user supplied password compared to stored version New way: private key kept on client, public key stored on server.

SSH Operation and Techniques - © William Stearns 14 SSH key creation General command: ssh-keygen -b c 'Comment' -f ~/.ssh/identity_file Different forms for each of the SSH flavors Assign a hard-to-guess passphrase to the private key during creation. Key can be used for multiple servers

SSH Operation and Techniques - © William Stearns 15 SSH key installation 3 versions of ssh: interoperability is good, but poorly documented ssh-keyinstall utility automates the creation and installation 'ssh-keyinstall -s SshServerName' creates keys, if needed, and installs them on the remote server Need password during key install only

SSH Operation and Techniques - © William Stearns 16 Using SSH keys ssh SshServerName Ssh -l UserName SshServerName ssh SshServerName CommandToRun Ssh -v SshServerName

SSH Operation and Techniques - © William Stearns 17 ssh-agent Remembers your private key(s) Other applications can ask ssh-agent to authenticate you automatically. Unattended remote sessions. Should already be running in the background ssh-add [KeyName]

SSH Operation and Techniques - © William Stearns 18 Fanout Runs command on multiple machines by opening separate ssh session to each fanout 'machine1 machine2 'command params' Gives organized output from each machine

SSH Operation and Techniques - © William Stearns 19 Fanterm – live control of multiple machines Fanterm provides interactive control of multiple remote systems. Initial window receives keystrokes. Keystrokes sent to each remote system. Output from each system shows up in a seperate terminal.

SSH Operation and Techniques - © William Stearns 20

SSH Operation and Techniques - © William Stearns 21 Fanqueue – the next generation Queue commands to be run on a group of machines Handles case where a machine is unavailable Allows new machines to be added later

SSH Operation and Techniques - © William Stearns 22 Rsync-backup Rsync-backup automates the process of backing up machines with rsync and ssh. Features: Only changed data shipped All permissions preserved All communication encrypted Unlimited snapshots Use <= 2X-4X combined client capacity

SSH Operation and Techniques - © William Stearns 23 Rsync-backup client install Install ssh, rsync, and rsync-backup-client rpms (see ) Install ssh-keyinstall on client to create a backup key with ssh-keyinstall -s backupserver -u root -c /usr/sbin/rsync-backup-server

SSH Operation and Techniques - © William Stearns 24 Rsync-backup server install Install ssh, freedups, rsync-static, and rsync- backup-server rpms Turn off password authentication in /etc/ssh/sshd_config

SSH Operation and Techniques - © William Stearns 25 Rsync-backup examples Examples of backup commands: rsync-backup-client / rsync-backup-client /usr /home/gbk

SSH Operation and Techniques - © William Stearns 26 Links and references SSH, The Secure Shell, The Definitive Guide ssh-keyinstall, fanout, rsync-backup, freedups and other apps at

SSH Operation and Techniques - © William Stearns 27 More links Docs at faq.html William Stearns