Table of Contents for
SSH, The Secure Shell: The Definitive Guide, 2nd Edition

Version ebook / Retour

Cover image for bash Cookbook, 2nd Edition SSH, The Secure Shell: The Definitive Guide, 2nd Edition by Robert G. Byrnes Published by O'Reilly Media, Inc., 2005
  1. Cover
  2. SSH, the Secure Shell, 2nd Edition
  3. Preface
  4. Protect Your Network with SSH
  5. Intended Audience
  6. Reading This Book
  7. Our Approach
  8. Which Chapters Are for You?
  9. Supported Platforms
  10. Disclaimers
  11. Conventions Used in This Book
  12. Comments and Questions
  13. Safari Enabled
  14. Acknowledgments
  15. 1. Introduction to SSH
  16. What Is SSH?
  17. What SSH Is Not
  18. The SSH Protocol
  19. Overview of SSH Features
  20. History of SSH
  21. Related Technologies
  22. Summary
  23. 2. Basic Client Use
  24. A Running Example
  25. Remote Terminal Sessions with ssh
  26. Adding Complexity to the Example
  27. Authentication by Cryptographic Key
  28. The SSH Agent
  29. Connecting Without a Password or Passphrase
  30. Miscellaneous Clients
  31. Summary
  32. 3. Inside SSH
  33. Overview of Features
  34. A Cryptography Primer
  35. The Architecture of an SSH System
  36. Inside SSH-2
  37. Inside SSH-1
  38. Implementation Issues
  39. SSH and File Transfers (scp and sftp)
  40. Algorithms Used by SSH
  41. Threats SSH Can Counter
  42. Threats SSH Doesn’t Prevent
  43. Threats Caused by SSH
  44. Summary
  45. 4. Installation and Compile-Time Configuration
  46. Overview
  47. Installing OpenSSH
  48. Installing Tectia
  49. Software Inventory
  50. Replacing r-Commands with SSH
  51. Summary
  52. 5. Serverwide Configuration
  53. Running the Server
  54. Server Configuration: An Overview
  55. Getting Ready: Initial Setup
  56. Authentication: Verifying Identities
  57. Access Control: Letting People In
  58. User Logins and Accounts
  59. Forwarding
  60. Subsystems
  61. Logging and Debugging
  62. Compatibility Between SSH-1 and SSH-2 Servers
  63. Summary
  64. 6. Key Management and Agents
  65. What Is an Identity?
  66. Creating an Identity
  67. SSH Agents
  68. Multiple Identities
  69. PGP Authentication in Tectia
  70. Tectia External Keys
  71. Summary
  72. 7. Advanced Client Use
  73. How to Configure Clients
  74. Precedence
  75. Introduction to Verbose Mode
  76. Client Configuration in Depth
  77. Secure Copy with scp
  78. Secure, Interactive Copy with sftp
  79. Summary
  80. 8. Per-Account Server Configuration
  81. Limits of This Technique
  82. Public-Key-Based Configuration
  83. Hostbased Access Control
  84. The User rc File
  85. Summary
  86. 9. Port Forwarding and X Forwarding
  87. What Is Forwarding?
  88. Port Forwarding
  89. Dynamic Port Forwarding
  90. X Forwarding
  91. Forwarding Security: TCP-Wrappers and libwrap
  92. Summary
  93. 10. A Recommended Setup
  94. The Basics
  95. Compile-Time Configuration
  96. Serverwide Configuration
  97. Per-Account Configuration
  98. Key Management
  99. Client Configuration
  100. Remote Home Directories (NFS, AFS)
  101. Summary
  102. 11. Case Studies
  103. Unattended SSH: Batch or cron Jobs
  104. FTP and SSH
  105. Pine, IMAP, and SSH
  106. Connecting Through a Gateway Host
  107. Scalable Authentication for SSH
  108. Tectia Extensions to Server Configuration Files
  109. Tectia Plugins
  110. 12. Troubleshooting and FAQ
  111. Debug Messages: Your First Line of Defense
  112. Problems and Solutions
  113. Other SSH Resources
  114. 13. Overview of Other Implementations
  115. Common Features
  116. Covered Products
  117. Other SSH Products
  118. 14. OpenSSH for Windows
  119. Installation
  120. Using the SSH Clients
  121. Setting Up the SSH Server
  122. Public-Key Authentication
  123. Troubleshooting
  124. Summary
  125. 15. OpenSSH for Macintosh
  126. Using the SSH Clients
  127. Using the OpenSSH Server
  128. 16. Tectia for Windows
  129. Obtaining and Installing
  130. Basic Client Use
  131. Key Management
  132. Accession Lite
  133. Advanced Client Use
  134. Port Forwarding
  135. Connector
  136. File Transfers
  137. Command-Line Programs
  138. Troubleshooting
  139. Server
  140. 17. SecureCRT and SecureFX for Windows
  141. Obtaining and Installing
  142. Basic Client Use
  143. Key Management
  144. Advanced Client Use
  145. Forwarding
  146. Command-Line Client Programs
  147. File Transfer
  148. Troubleshooting
  149. VShell
  150. Summary
  151. 18. PuTTY for Windows
  152. Obtaining and Installing
  153. Basic Client Use
  154. File Transfer
  155. Key Management
  156. Advanced Client Use
  157. Forwarding
  158. Summary
  159. A. OpenSSH 4.0 New Features
  160. Server Features: sshd
  161. Client Features: ssh, scp, and sftp
  162. ssh-keygen
  163. B. Tectia Manpage for sshregex
  164. Regex Syntax: Egrep Patterns
  165. Regex Syntax: ZSH_FILEGLOB (or Traditional) Patterns
  166. Character Sets for Egrep and ZSH_FILEGLOB
  167. Regex Syntax: SSH Patterns
  168. Authors
  169. See Also
  170. C. Tectia Module Names for Debugging
  172. D. SSH-1 Features of OpenSSH and Tectia
  173. OpenSSH Features
  174. Tectia Features
  175. E. SSH Quick Reference
  176. Legend
  177. sshd Options
  178. sshd Keywords
  179. ssh Options
  180. scp Options
  181. ssh and scp Keywords
  182. ssh-keygen Options
  183. ssh-agent Options
  184. ssh-add Options
  185. Identity and Authorization Files, OpenSSH
  186. Identity and Authorization Files, Tectia
  187. Environment Variables
  188. Index
  189. Index
  190. Index
  191. Index
  192. Index
  193. Index
  194. Index
  195. Index
  196. Index
  197. Index
  198. Index
  199. Index
  200. Index
  201. Index
  202. Index
  203. Index
  204. Index
  205. Index
  206. Index
  207. Index
  208. Index
  209. Index
  210. Index
  211. Index
  212. Index
  213. Index
  214. About the Authors
  215. Colophon
  216. Copyright

What Is an Identity?

An SSH identity is a sequence of bits that says, “I am really me.” It is a mathematical construct that permits an SSH client to prove itself to an SSH server, so the SSH server says, “Ah, I see, it’s really you. You are hereby authenticated. Come in.”

SSH user key and agent configuration (highlighted parts)

Figure 6-1. SSH user key and agent configuration (highlighted parts)

An identity consists of two parts, called the private key and the public key. Together, they are known as a key pair.

The private key represents your identity for outgoing SSH connections. When you run an SSH client in your account, such as ssh or scp, and it requests a connection with an SSH server, the client uses this private key to prove your identity to the server.

Warning

Private keys must be kept secret. An intruder with your private key can access your account as easily as you can.

The public key represents your identity for incoming connections to your account. When an SSH client requests access to your account, using a private key as proof of identity, the SSH server examines the corresponding public key. If the keys “match” (according to a cryptographic test), authentication succeeds and the connection proceeds. Public keys don’t need to be secret; they can’t be used to break into an account.

A key pair is typically stored in a pair of files with related names. In SSH, the public-key filename is the same as the private one, but with the suffix .pub added. For example, if the file mykey holds a private key, its corresponding public key is found in mykey.pub.

You may have as many SSH identities as you like. Most SSH implementations let you specify a default identity clients use unless told otherwise. To use an alternative identity, you must change a setting by command-line argument, configuration file, or some other configuration tool.

The structure of identity files differs for OpenSSH and Tectia, so we explain them separately. Their locations in the filesystem are shown in Figures 6-2 (private keys) and 6-3 (public keys).

SSH identity files (private keys) and the programs that use them

Figure 6-2. SSH identity files (private keys) and the programs that use them

6.1.1 OpenSSH Identities

An OpenSSH identity is stored in two files. By default, the private key is stored in the file id_dsa, and the public key in id_dsa.pub.[91] This key pair, which is kept in your ~/.ssh directory, is your default identity that clients use unless told otherwise. The private key looks something like this:

    -----BEGIN DSA PRIVATE KEY-----         Or "BEGIN RSA" for RSA keys
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,89C3AE51BC5876FD

    MXZJgnkYE+1+eff3yt9j/aCCABz75egbGJfAbWrseiu0k3Dim9Teu2Ob1Xjdv4U9
    II1hVYOkgQYuhdJbzrLMpJ0W1+N5ujI8akJ6j0ESeGTwJbhGyst71Y3A2+w4m1iv
    ... lines omitted ...
    gMtQSdL26V1+EmGiPfio8Q==
    -----END DSA PRIVATE KEY-----
SSH authorization files (public keys) and the programs that use them

Figure 6-3. SSH authorization files (public keys) and the programs that use them

and the public key file contains a long, single line:

    ssh-dss AAAAB3NzaC1kc3MAAACBAM4a2KKBE6zhPBgR ...more... smith@example.com

The file format for these keys is known as “OpenSSH format.”

The .pub file containing your public key has no function by itself. Before it can be used for authentication, this public key must be copied into an authorization file on an SSH server machine, ~/.ssh/authorized_keys. Thereafter, when an SSH client requests a connection to your server account using a private key as proof of identity, the OpenSSH server consults your authorized_keys file to find the matching public key.

6.1.2 Tectia Identities

A Tectia key pair is also stored in two files with related names (i.e., the private-key filename plus .pub yields the public-key filename). Tectia key files are often named based on the key’s cryptographic properties. For example, a 2048-bit, DSA-encrypted key is generated by default in the Tectia files id_dsa_2048_a and id_dsa_2048_a.pub. These files are in a format known as “SECSH public-key file format” and sometimes “SSH2 format.” The encrypted private key looks like this:

    ---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
    Subject: smith
    Comment: "2048-bit dsa, smith@example.com, Sat Feb 12 2005 15:17:53 -0200"

Converting SSH-1 Keys to SSH-2 with ssh-keyconverter

OpenSSH includes the program ssh-keyconverter, which converts old SSH-1 RSA keys into a format suitable for SSH-2 authentication. If you used SSH-1 in the early days but are just getting around to upgrading, ssh-keyconverter might save you the time of generating and installing new keys. There are two uses:

Converting key files

Run ssh-keyconverter with the -k option to convert a single SSH-1 RSA key file to SSH-2 format. If your private key file is mykey, run:

    $ ssh-keyconverter -k -o newfile mykey
    Creates newfile and newfile.pub
Converting your entire authorized_keys file

Run ssh-keyconverter with the -a option to convert all SSH-1 RSA keys in your authorized_keys file to SSH-2 format:

    $ cd ~/.ssh
    $ ssh-keyconverter -a -o newfile authorized_keys
    ...Check that file newfile looks correct, and then...
    $ mv newfile authorized_keys
    $ chmod 600 authorized_keys

Existing SSH-2 format keys are ignored.

See the manpage for ssh-keyconverter for more details.

    P2/56wAAA4oAAAAmZGwtbW9kcHtzaWdue2RzYS1uaXN5LXNoYTF9LGRoe3BsYWlufX0AAA
    AIM2Rlcy1jYmMAAANIEYkNTUySnPZlYsNh15lkVfzRk6dPx4XYcXe+4f45XHIxwqcUo2Cd
    ... lines omitted ...
    RFI0RQxDhgWS/SXlFF
    ---- END SSH2 ENCRYPTED PRIVATE KEY ----

and the public key like this:

    ---- BEGIN SSH2 PUBLIC KEY ----
    Subject: smith
    AAAAB3NzaC1kc3MAAAEBAP3QfkjOBm1+aPgEUG39j5va13CRrPSedFYtv/52VqIgrBzRV8
    Es1KHPIwmB1FOn5ej02FATNGtaR/fg6K4DVoWscIHGZk95OjLgAz+JeBq7lxYwQ0EzpsTQ
    ... lines omitted ...
    mQ1et1r4Wr0fj0F/2tXf+o71P2HfNw1M6I0B/54eI=
    ---- END SSH2 PUBLIC KEY ----

Unlike OpenSSH, however, a Tectia identity is not a single key but a collection of keys. When a Tectia client tries to authenticate, it may use all keys in the collection. If the first key fails to authenticate, the Tectia client automatically tries the second, and so forth, until it succeeds or fails completely.

To create an identity in Tectia, private keys must be listed in a file called an identification file. Your default identity file is ~/.ssh2/identification. [92] Inside the file, private keys are listed one per line. For public-key authentication, a line begins with the keyword IdKey, followed by the name of the private-key file:

    # Tectia identification file
    # The following names are relative to ~/.ssh2
    IdKey id_dsa_2048_a
    IdKey my-other-tectia-key
    # This key uses an absolute path
    IdKey /usr/local/etc/third-key

The identification file may also contain PGP-related keywords: [6.5]

    # Tectia identification file
    PgpSecretKeyFile my-file.pgp
    IdPgpKeyName my-key-name

Like OpenSSH, Tectia has an authorization file for incoming connections, but with a difference. Instead of containing copies of the public keys, the Tectia authorization file merely lists the public-key filenames using the Key keyword:

    # Tectia authorization file
    Key id_dsa_2048_a.pub
    Key something-else.pub

Notice you have only one copy of each public key. This is slightly easier to maintain than OpenSSH’s system, which has separate copies in the .pub file and authorized_keys file. [8.2.1]

Tip

Tectia’s identification file can group multiple keys as a single identity. You can approximate this behavior in OpenSSH with the IdentityFile keyword. [7.4.2] To set up a default “identity” with multiple keys, add the following section to the end of your ~/.ssh/config file:

    Host *
     IdentityFile key1
     IdentityFile key2
     IdentityFile key3

Now this multiple-key “identity” is available for all SSH connections. Similarly, you can place multiple IdentityFile values in any other section of the configuration file to associate a multikey identity with a particular host or set of hosts.


[91] If your default key is an RSA key, the filenames are id_rsa and id_rsa.pub

[92] This default may be changed with the IdentityFile keyword. [7.4.2]