The 101 Uses of OpenSSH: Part I

 in
Mick scratches the surface of ssh.
How SSH Works

Secure Shell works very similarly to Secure Sockets Layer web transactions (it's no coincidence that the cryptographical functions used by OpenSSH are provided by OpenSSL, a free version of Netscape's Secure Sockets Layer source-code libraries). Both can set up encrypted channels using generic “host keys” or with published credentials (digital certificates) that can be verified by a trusted certificate authority (such as VeriSign). Here's how connections are built.

First, the client and the server exchange (public) host keys. If the client machine has never encountered a given public key before, both ssh and most web browsers ask the user whether to accept the untrusted key. Next, they use these to negotiate a session key that is used to encrypt all subsequent session data via a block cipher such as Triple-DES (3DES), blowfish, or idea.

Then, the server attempts to authenticate the client using RSA or DSA certificates. If this isn't possible, the client is prompted for a standard username/password combination (optionally, “rhosts” host-IP-based authentication with or without RSA keys may be used; OpenSSH also supports KerberosIV and skey). Finally, after successful authentication the session proper begins: either a remote shell, a secure file transfer, a remote command, etc., is begun over the encrypted tunnel.

As I mentioned earlier, ssh is actually a suite of tools:

  • sshd—dæmon that acts as a server to all other commands

  • ssh—primary end-user tool: remote shell, remote command, and port-forwarding sessions

  • scp—tool for automated file transfers

  • sftp—tool for interactive file transfers—COMMERCIAL SSH ONLY

  • ssh-keygen—generates private-public key pairs for use in RSA and DSA authentication (including host keys)

  • ssh-agent—dæmon used to automate client's RSA/DSA authentications

  • ssh-add—loads private keys into ssh-agent process

  • ssh-askpass—X interface for ssh-add

Note that sftp, which is essentially an ftp client with encryption and strong authentication grafted on, is available only in F-Secure's commercial versions of ssh version 2—I only mention it here because you may come across a reference to it elsewhere and wonder why you've only got scp.

Of these tools, most users concern themselves only with ssh, since “encrypted Telnet” is the simplest use of ssh. Scp, ssh-agent and ssh-add, however, along with the strong authentication and TCP port-forwarding capabilities of ssh itself, make ssh considerably more flexible than that. Since we're paranoid and want to encrypt as much of the stuff we fling over the networks as possible, we really groove on this flexibility.

Getting and Installing OpenSSH

The OpenSSH web site (see Resources) is the place to go for the latest version of OpenSSH, both in source-code and RPM forms, and also for OpenSSL, which is required by OpenSSH. Also required is zlib, available at the freesoftware.com site (see Resources).

Note that you may not be able to get by with RPM packages. When I tried to install the RPMs from OpenSSH.com on my laptop, running SuSE Linux, everything worked except sshd, which wouldn't install due to SuSE's lack of a “chkconfig” package. Your preferred flavor of Linux may or may not have the same problem (unless it has chckconfig), or it may have its own RPM of OpenSSH (for all I know, by the time you read this somebody may have published RPMs for SuSE).

If RPMs won't work, you'll need to build OpenSSH (and possibly OpenSSL and zlib) from source. To Linux old-timers, “rolling your own” software installations is old hat, but if you're not in that category don't despair. All three distributions use “.configure” scripts that eliminate the need for most users to edit any Makefiles. Assuming your system has gcc and the normal assortment of system libraries and that these are reasonably up-to-date, the build process is both fast and simple.

In my own case, after installing OpenSSL 0.9.5a and zlib-1.1.3 (all version numbers, by the way, may be outdated by the time you read this!) I followed these steps to build and install OpenSSH 2.1.1p4:

tar -xzvf openssh-2.1.1p4.tar.gz
cd openssh-2.1.1p4
./configure --sysconfdir=/etc/ssh
make
make install

Per instructions provided by the file “INSTALL” I fed the configure script one customized option: rather than installing all configuration-files in /etc, I instructed it to create and use a subdirectory, /etc/sshd. Since this version of OpenSSH supports both RSA and DSA keys, it makes sense to minimize the amount of clutter ssh adds to /etc.

For a client-only installation, this is all you need to do. Note that one or more of the version numbers cited above may already be dated by the time you read this article; be sure to check the OpenSSH and zlib web sites for the latest versions.

If you wish to run the Secure Shell Dæmon sshd (i.e., you wish to accept ssh connections from remote hosts), you'll also need to create startup scripts and, in the case of SuSE, edit /etc/rc.config. This has also been thought of for you: the source distribution's “contrib” directory contains some useful goodies.

The Red Hat directory contains “sshd.init”, which can be copied to /etc/rc.d and linked to in the appropriate runlevel directory (/etc/rc.d/rc2.d, etc.). It also contains “sshd.pam”, which can be installed in /etc/pam if you use Pluggable Authentication Modules (PAM) and “openssh.spec”, which can be used to create your very own OpenSSH RPM package. These files are, obviously, intended for use on Red Hat systems but will probably also work on Red Hat-derived systems (Mandrake, Yellow Dog, etc.).

The suse directory also contains an “openssh.spec” file for creating OpenSSH prpm packages for SuSE and an “rc.sshd” file to install in /etc/rc.d (actually /sbin/init.d in SuSE). In addition, it contains “rc.config.ssd”, the contents of which must be added to /etc/rc.config in order for the rc.sshd script to work properly. This is achieved by simply entering the command:

cat ./rc.config.ssd >> /etc/rc.config

Create a symbolic link in rc2.d and/or rc3.d, and your SuSE system is ready to serve up secured shells! Either reboot or type /etc/rc.d/rc.sshd start to start the dæmon.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

thanks

joviton's picture

god bless you for taking trouble in writing this tutorial of SSH .
linux is the best OS ever .

Linux

Misafir's picture

Linux Where the on World Wide should look

Using SSH

Mithilesh's picture

Hi,

I am new and today used the SSH first time then i thought to study more about SSH and googled the uses of SSH and found your website its very helpfull but still i am unable to understand few things can yu suggest me any good site/article for a new user. I wanted to use this just because it is fast and i love it.

about ssh

Rakesh's picture

sir
I read your article The 101 Uses of OpenSSH: Part I
it boost me to start doing experiments with ssh. it gives me all the basic as i am new bie to it.
But I had one problem i tried to uninstall ssh from my system to install new one using rpm -e option -> It not worked.
I knew (through net searching)the new intallation overwrite the old one, but i want to remove it and install it on my system(redhat-9).
Please can you suggest anything regarding this.

thanking you.

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix