Mon, 09 Mar 2009
How to use SSH as a replacement for telnet and ftp.
What is ssh and why should I use it?
Ssh, or Secure SHell, is a secure replacement for telnet. When using telnet, the characters you type on your keyboard to send to the remote server are sent in clear text. This means that anyone with access to the network can use a packet sniffer to find out exactly what you are typing, including your password. An attacker could then use your password to gain unauthorized access to the remote server. Afterward, your administrator would examine the server logs to determine the nature of the intrusion, and those logs would reveal only that it was you! Ssh encrypts the text transferred between you and the remote server; anyone attempting to read it will merely see a string of garbled characters. Replacing telnet is important on today's security-minded networks.
Ssh also has the ability to transfer files back and forth between you and your remote server. Scp lets you copy files to and from your remote server without having to actually log in. Sftp looks and acts just like ftp.
The final advantage of ssh is compression. Ssh compresses data before sending it to the remote host, which speeds up file transfers and decreases bandwidth usage.
Ssh authenticates using two possible methods: normal password and key pair. The normal password method simply prompts the user for their password. Example:
ssh samiam@greeneggs
samiam@greeneggs's password:
Now enter your password and you have access.
The key pair method of authentication involves generating a public and
private key. Before you can begin you must first generate a key pair:
ssh-keygen -t rsa
You will be asked to enter a passphrase. A passphrase is a password that you must enter before you can use your key. It protects the key if someone copies the file: without the passphrase the key is useless. Ssh then creates a directory in your home directory called .ssh. Inside this directory you will see two files:
- id_rsa: This is your private key. Never give this out.
- id_rsa.pub: This is your public key. This is the key you place on remote servers.
Next, you give a copy of your public key (id_rsa.pub) to the administrator of the server you wish to access. He will then create a directory called .ssh in your home directory on that server. Your public key is placed in the directory as a file called authorized_keys2. When this is done you should be able to login to the remote server using:
ssh <username on server>@<remote hostname or IP address>
Ssh will ask you for your passphrase. After you've entered it you will be given a shell prompt on the remote server. That's it. For example, say the remote server was called greeneggs and your username was samiam. To ssh to that server you would type:
ssh samiam@greeneggs
If your user name is the same on both your workstation and the remote server, you can omit the username:
ssh greeneggs
Scp is similar. To copy a file to the remote server:
scp <full path to file> <username on server>@<remote hostname or IP address>:<full path to destination>
You could also reverse it to copy from the remote server to your work station. Suppose you wanted to copy /tmp/file.tar on the remote server to /tmp/file.tar locally:
scp samiam@greeneggs:/tmp/file.tar /tmp/file.tar
Sftp works the same way. To start an sftp session:
sftp samiam@greeneggs
You will then have a prompt much like an ftp prompt.
Hardening the ssh server.
If the ssh server is located on a busy or public network you should add restrictions to the ssh server to lessen the chance of unwanted intruders. The file /etc/ssh/sshd_config controls how the ssh server (sshd) acts. The following options are useful:
PermitRootLogin no
This prevents someone from logging on as root via ssh.
AllowUsers
Using this option, you can specifically allow certain users the right to login via ssh while disallowing all others. For example, to allow only the user samiam to login, the line would read:
AllowUsers samiam
Users are separated by white space, and you can add as many users as you like; a user may also be written as user@hostname.
Banner <path to banner file>
This option has ssh display a banner during the login process. The banner file is a plain text file. Example:
###################################################
#             AUTHORIZED ACCESS ONLY              #
#  Your activities are being LOGGED and REPORTED  #
###################################################
Other configuration changes include using the Match directive to give certain users specific abilities, such as using keys. Also, the default location of key files can be changed to a protected area that prevents users from arbitrarily installing new keys.
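As an added example (not from the original post), here is a fragment of /etc/ssh/sshd_config that puts the options above together with the Match and key-location changes. The user samiam, the client hostname and the key directory /etc/ssh/authorized_keys are assumptions; adjust them for your server.

```sshd_config
# Added example fragment for /etc/ssh/sshd_config; samiam, the client
# hostname and the key directory are assumed values, not from the post.

# Nobody may log in as root over ssh; use an ordinary account and su.
PermitRootLogin no

# Only the listed users may log in; everyone else is refused.
# Names are separated by white space. In the user@host form, host is
# the client the user connects FROM, so the second entry lets samiam
# in only from that workstation.
AllowUsers samiam samiam@workstation.example.com

# Plain-text banner shown before the password/passphrase prompt.
Banner /etc/issue.net

# Keep public keys in a root-owned directory instead of ~/.ssh so users
# cannot install new keys themselves. %u is replaced by the user name.
# Removing /etc/ssh/authorized_keys/<user> then revokes that user's key
# access even if their account is merely locked.
AuthorizedKeysFile /etc/ssh/authorized_keys/%u

# Refuse passwords server-wide; keys are required ...
PasswordAuthentication no

# ... except for samiam. Match applies to every line after it until the
# next Match, so Match blocks belong at the end of the file.
Match User samiam
    PasswordAuthentication yes
```

Check the file with sshd -t before restarting; a syntax error would otherwise keep sshd from starting and lock you out.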
If you make these changes be sure to restart the ssh server with the command (as root) service sshd restart.
WARNING. If you disable a user in the future by locking their account (passwd -l) or by changing their password they will still have ssh access if they use the key pair authentication method. Be sure to delete their .ssh directory or make it unreadable by them.