Secure communications with OpenSSH
- — 23 April, 2002 11:34
This month we take a look at a suite of tools for secure remote administration and file transfers over a network, OpenSSH. When it comes to tasks such as remote administration, the need for security and encrypted communications become obvious.
Included on this month's cover CD are the latest versions of OpenSSL and OpenSSH. The former is a library that provides the encryption features used by OpenSSH and, thus, must be installed before OpenSSH. Once installed, OpenSSH provides three main tools, each of which will be covered in this article:
- ssh, a replacement for rlogin and telnet;
- scp, a replacement for rcp; and
- sftp, a replacement for ftp.All of these tools use strong encryption and other security features to prevent network attacks such as eavesdropping and connection hijacking.
The most commonly used program in the OpenSSH suite is ssh, which allows you to access another computer through a shell prompt. The encryption provided by ssh protects against an outsider stealing the password used to access the system, among other things. ssh is now the de facto standard for remote administration because of such features.
Accessing a system using ssh is easy, provided that system has an ssh server running (this is included in the OpenSSH package). You will need a username and password on the system to access it. To use ssh to access a remote system, type in a shell:
$ ssh username@server
If this is the first time you are connecting to the server, you will be prompted with:
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)?
Typing "yes" should then present you with a password prompt. If authentication is successful, you should be able to use the system as if you were sitting at it locally.
I find this tool more useful every day. It allows you to copy files across a network remotely, without the need to use a reasonably complicated client such as FTP. As this is part of the OpenSSH suite, all of the data transmitted during the copy is encrypted to prevent people eavesdropping on the transfer. The basic syntax for scp is:
$ scp source_file user@destination:/directory/to/copy/toA number of useful options can be used with the scp command to make copying a large number of files easier. Recursive copying can copy whole directories, and compression can speed up transfers on a slow link such as a modem. To try these features, just add the options "-R" and "-C" to the scp as shown:
$ scp -RC source_directory user@destination:/directory/to/copy/toSFTP This command line file transfer program uses a set of commands similar to those of common FTP programs. Once again, all communications using sftp are encrypted. sftp is particularly useful for manipulating a number of files on a host system. The functionalities of sftp and scp often overlap, so which you decide to use is mostly up to personal preference. Using sftp follows the familiar command syntax:
$ sftp user@destination
If you've been trying out each of the tools covered in this article, you'll be aware by now that each time you use a command you need to enter your password. While this is a good, if not essential, security feature, there are times when it is perfectly safe to allow ssh to connect between computers without requiring a password. An example of this situation would be two networked computers isolated from a potentially dangerous network such as the Internet, such as a laptop and a desktop.
Setting up passwordless ssh is very easy. You need to tell the computer you want to access without a password and who you are so it can still authenticate you. To do this, generate a public/private key pair by typing in a shell:
This will create the two keys and save them in '~/.ssh/'. The private key will be called 'identity' while the public key will be called 'identity.pub'. To enable passwordless ssh, copy the public key to the server you want to access. To do this, log into the server and edit the file '~/.ssh/authorized_keys', add the entire contents of the recently created 'identity.pub' file and save the changes. Now you should be able to access the server without a password.