UbuntuHelp:SSHHowto

1. title SSH

Parent page: Internet and Networking

Introduction

OpenSSH provides secure remote access to your computer, allowing you to run command line and graphical programs, transfer files, and use a "port forwarding" capability to securely tunnel other protocols through firewalls and untrusted networks. SSH replaces older, insecure programs like telnet, rlogin, and FTP. These older applications transmit passwords across the Internet without encryption, meaning the password could easily be stolen.

Installing the SSH Server

If you want to securely connect to your machine from a remote computer, even a computer running another operating system like Mac OS or Windows, then you need to install the openssh-server package from the main repository. Installing software is discussed in InstallingSoftware.

Testing the server

Once you have installed the server, go to a command-line and type:

ssh localhost

You should be prompted to type your password, and you should get another command-line when you type your password in. If this works, then your SSH server is working properly. To leave the SSH command-line, type:

exit

If you have a local network (such as a home or office network), try logging in from one of the other computers on your network. If nothing happens, you might need to tell your computer's firewall to allow connections on port 22. Finally, try logging in from another computer elsewhere on the Internet - perhaps from work (if your computer is at home) or from home (if your computer is at your work). If you can't access your computer this way, you might need to tell your router's firewall to allow connections from port 22, and might also need to configure Network Address Translation. <<Anchor(public-key-auth)>>

Public key authentication

If your SSH server is visible over the Internet, you should use public key authentication instead of passwords if at all possible. If you don't think it's important, go to your /var/log/ folder and have a look at the files named auth (attempted logins for this week) and auth.0 (attempted logins for last week). My computer - a perfectly ordinary desktop PC - had over 4,000 attempts to guess my password and almost 2,500 break-in attempts in the last week alone. How many thousand random guesses do you think it will take before an attacker stumbles across your password? With public key authentication, every computer has a public and a private "key" (a large number with particular mathematical properties). The private key is kept on the computer you log in from, while the public key is stored on the .ssh/authorized_keys file on all the computers you want to log in to. When you log in to a computer, the SSH server uses the public key to "lock" messages in a way that can only be "unlocked" by your private key - this means that even the most resourceful attacker can't snoop on, or interfere with, your session. As an extra security measure, most SSH programs store the private key in a password-protected format, so that if your computer is stolen or broken in to, you should have enough time to disable your old public key before they break the password and start using your key. Wikipedia has a more detailed explanation of how keys work. Public key authentication is a much better solution than passwords for most people. In fact, if you don't mind leaving a private key unprotected on your hard disk, you can even use keys to do secure automatic log-ins - as part of a network backup, for example. Different SSH programs generate public keys in different ways, but they all generate public keys in a similar format:

<ssh-rsa or ssh-dsa> <really long string of nonsense> <username>@<host>

No matter how your public key was generated, you can add it to your Ubuntu system by opening the file .ssh/authorized_keys in your favourite text editor and adding the key to the bottom of the file. You can also limit the SSH features that the key can use, such as disallowing port-forwarding or only allowing a specific command to be run. This is done by adding "options" before the SSH key, on the same line in the authorized_keys file. For example, if you maintain a CVS repository, you could add a line like this:

command="/usr/bin/cvs server",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc ssh-dss <string of nonsense>...

When the user with the specified key logged in, the server would automatically run `/usr/bin/cvs server`, ignoring any requests from the client to run another command such as a shell. For more information, see the sshd man page. The main problem with public key authentication is that you need a secure way of getting the public key onto your computer before you can log in with it. If you will only ever log in to your computer from a few other computers (such as logging in to your PC from your laptop), you should copy your SSH keys over immediately, then disable password authentication altogether. If you would like to log in from other computers from time to time (such as a friend's PC), read Strong|Passwords for instructions on how to install a program that generates hard-to-guess passwords. To disable password authentication, open /etc/ssh/sshd_config and look for the following line:

PasswordAuthentication yes

Change it to the following (or add it if you couldn't find that line):

PasswordAuthentication no

You will need superuser access to save this file. Once you have saved the file, restart your SSH server and try logging in again - it shouldn't even ask you for a password now.

Logging in from other computers

Although SSH has many uses, its main job is to provide access to a command-line over a network. Even if you are installing SSH for completely different reasons, it's best to get command-line access access before you try anything more complicated.

From Unix-like systems (including Mac OS X)

Using the command-line

All modern Unix-like systems (Linux, OS X, BSDs, and others) include a command-line ssh client. To login to your computer from a Unix-like machine, go to a command-line and type:

ssh <username>@<computer name or IP address>

For example:

ssh joe@laptop

or:

ssh [email protected]

You should get the same password prompt as before (or be told you can't log in, if passwords are disabled).

Tip: Keep Alive

Your ssh session will automatically log out if it is idle. To keep the connection active (alive) add this to /etc/ssh/ssh_config on the machine you are logging in from:

ServerAliveInterval 120

This will send a "keep-alive" signal to the server every 120 seconds.

Tip: Generating Public Keys

To create your public and private SSH keys on the command-line, do:

mkdir ~/.ssh
chmod 700 ~/.ssh
ssh-keygen -q -f ~/.ssh/id_rsa -t rsa

Then enter a password that will protect your private key while it's stored on the hard drive (or press enter to leave your private key unprotected). Your public key is now available as .ssh/id_rsa.pub in your home folder.

Using PuTTY

PuTTY is a popular graphical SSH client. Although the Windows client is more widely known, you can get the Linux version by installing the putty package from the Universe repository. See the windows section for further information about PuTTY.

Using SecPanel

!SecPanel is another graphical SSH client. You can get it by installing the secpanel package from the Universe repository.

From Windows

Using PuTTY

PuTTY is a free SSH client for Windows, which you can download from here. 模板:Http://img296.imageshack.us/img296/7404/putty3zv1.png To log in to your computer, type your computer's name or IP address into the "Host Name (or IP address)" box, click on the "SSH" radio button, then click "Open". You will be asked for your username and password, then you'll get a command-line on your Linux computer.

Tip: Keep alive

Your PuTTY (ssh) session will automatically log out if it is idle. To keep the connection active (alive), before you make the connection, select "Connection" on the left of the PuTTY Configuration window, and type 120 in the "Seconds between keepalives (0 to turn off)" box.

Tip: Importing your openssh keys

For security reasons, you should normally create a new SSH private key for every computer you use. However, if you have no choice but to reuse a private key, PuTTY can import an Ubuntu private key with puttygen.exe, as described in the PuTTY manual.

Tip: Generating Public Keys

The PuTTY manual has a section on public key authentication.

Using Cygwin

Cygwin is a unix-like environment for Windows. You can download it here: Cygwin To install it run the Setup.exe and choose a server. To use ssh, you need to install the openssh package (it includes BOTH a server and client). It is located under "Net" and is called openssh. 模板:Http://img296.imageshack.us/img296/4139/cygwinopensshpv3.png Then you can launch Cygwin as a .bat file and get a Terminal Interface: 模板:Http://img127.imageshack.us/img127/9751/zshdx1.png Now follow the earlier instructions for using the command-line on a Unix-like OS.

Transferring Files Remotely With SSH

Another important function of SSH is allowing secure file transfer using SCP and SFTP.

Limitation: You can't move files between two remote computers. Either the source or destination must be a local file. However, if you log in to a remote machine with ssh, you can copy files between two remote machines on that machine's command-line.

From Unix-like systems (including Mac OS X)

Using the Command-line

Just as all modern Unix-like systems have an SSH client, they also have SCP and SFTP clients. To copy a file from your computer to another computer with ssh, go to a command-line and type:

scp <file> <username>@<IP address or hostname>:<Destination>

For example, to copy your TPS Reports to Joe's Desktop:

scp "TPS Reports.odw" joe@laptop:Desktop/

This will copy TPS Reports.odw to /home/joe/Desktop, because SCP uses your home folder as the destination unless the destination folder begins with a '/'. To copy the pictures from your holiday to your website, you could do:

scp -r /media/disk/summer_pics/ [email protected]:"/var/www/Summer 2008/"

The -r (recursive) option means to copy the whole folder and any sub-folders. You can also copy files the other way:

scp -r [email protected]:/home/catbert/evil_plans/ .

The '.' means to copy the file to the current directory. Alternatively, you could use secret_plans instead of '.', and the folder would be renamed. Finally, if you want to look around the remote machine and copy files interactively, you can use SFTP:

sftp [email protected]

This will start an SFTP session that you can use to interactively move files between computers.

Using SSHFS

SSHFS is a recent addition to Linux that allows you to make a remote filesystem available over SSH act as if it was inside a folder on your own system. See SSHFS for details.

Using GNOME

Click Places -> Connect to Server. Select SSH for Service Type, write the name or IP address of the computer you're connecting to in Server, the user you'd like to connect as in User Name, and a name for the connection if you wish. Files can be copied by dragging and dropping between this window and other windows.

Using KDE

Open Konqueror, and in the address bar type:

fish://username@server_address

Files can be copied by dragging and dropping them between this window or tab and to other windows or tabs.

Using other programs

!SecPanel and PuTTY also have file transfer utilities, although they're generally not as easy to use as the ones discussed above.

From Windows

PuTTY has command-line SCP and SFTP utilities for Windows that act much like the command-line scp and sftp utilities for Unix-like systems. Alternatively, WinSCP is a graphical utility to transfer files. 模板:Http://img296.imageshack.us/img296/491/winscpnh5.png

Winscp uses PuTTY keys for public key authentication

Running GUI Programs

SSH can be used to tunnel graphical applications over a network as well as text-based ones. GUIs are more complicated than text, and therefore harder to set up and more likely to require extra software.

Check Your SSH Server Settings

By default, Ubuntu's SSH server has everything you need enabled. If you have disabled features for security reasons, you might not be able to start GUI programs. To make sure, look in your /etc/ssh/sshd_config for this line:

AllowTcpForwarding No

This disables forwarding of Internet connections over SSH. You should delete this line if you want to use VNC for GUI programs (discussed below). Next, look for this line:

X11Forwarding yes

This enables Unix-style GUI forwarding over SSH. If you don't see it, open the file in your favourite text editor and add that line. You will need superuser privileges to save changes to /etc/ssh/sshd_config.

Single Applications

If you are logging in from a Unix-like operating system, you can forward single applications over SSH very easily, because all Unix-like systems share a common graphics layer called X11. This even works under Mac OS X, although you will need to install and start the X11 server before using SSH. To forward single applications, connect to your system using the command-line, but add the -X option to forward X11 connections:

ssh -X joe@laptop

Once the connection is made, type the name of your GUI program on the command-line:

firefox &

Your program will start as normal, although you might find it's a little slower than it would be if it were running locally. The trailing & means that the program should run in "background mode", so you can start typing new commands in straight away, rather than waiting for your program to finish. If you only want to run a single command, you can log in like this:

ssh -f -T -X joe@laptop firefox

That will run Firefox, then exit when it finishes. See the SSH manual page for information about -f and -T. If you start an application and it complains that it cannot find the display, try installing the xauth package from the Main repository. Xauth is installed by default with desktop installations but not server installations. If you suspect that programs are running slowly because of a lack of bandwith, you can turn SSH compression on with the -C option:

ssh -fTXC joe@laptop firefox

Using -fTXC here is identical to -f -T -X -C.

Nested windows

Xephyr is a program that gives you an X server within your current server. It's available in the xserver-xephyr package in the Main repository. 模板:Http://cafelinux.org/OptickleArt/albums/userpics/normal Xephyr.png Two ssh forwarded desktops on dual monitors, click to enlarge Setting up Xephyr was explained briefly in the Ubuntu forums.

Tunneling VNC connections through ssh

Virtual Network Computing ("VNC") is a cross-platform way of sharing a desktop. Once you've set your SSH server up, see VNC for more information.

Breaking out of a controlled network

Sometimes it's useful to tunnel all web traffic over SSH, without having to start Firefox on a remote computer. For example, to work around network monitoring or snooping, or to avoid badly configured routers on the Internet. If you can change the settings on your web browser, you can probably use SSH to circumvent these filters.

Warning: Filtering and monitoring is usually implemented for a reason. Even if you don't agree with that reason, your IT department might not take kindly to you flouting their rules.

SOCKS is a protocol is used by some proxy servers. The SOCKS protocol allows a client (such as a web browser) to ask a server to download a file for it, rather than downloading the file directly. Most SSH clients can act as a SOCKS proxy server, securely tunnelling requests through your SSH session, making an ordinary (insecure) web request from your Ubuntu computer. Using the command-line SSH client, you can activate SOCKS by doing:

ssh -D 1080 user@host

-D refers to Dynamic port forwarding, and 1080 is the standard SOCKS port. You can use a different port if you prefer, but you should choose a port in the range 1024 to 49151, inclusive. There is also a brief discussion in the PuTTY manual page about how to get PuTTY to act as a SOCKS proxy server. Once you have set your SOCKS proxy up, your applications can use a SOCKS proxy on the computer you are connecting from. For example, in Firefox:

• go to Edit -> Preferences -> Advanced -> Network -> Connection -> Settings...
• check "Manual proxy configuration"
• make sure "Use this proxy server for all protocols" is cleared
• clear "HTTP Proxy", "SSL Proxy", "FTP Proxy", and "Gopher Proxy" fields
• enter "127.0.0.1" for "SOCKS Host", and "1080" (or whatever port you chose) for Port.

You can also set Firefox to use the DNS through that proxy, so even your DNS lookups are secure:

• Type in about:config in the Firefox address bar
• Find the key called "network.proxy.socks_remote_dns" and set it to true

The SOCKS proxy will stop working when you close your SSH session. You will need to change these settings back to normal in order for your browser to work again.

See also

• Remote|Recovery
• Advanced SSH configuration and extra security

---