The secure shell (SSH) program provides remote access with strong authentication and public key session encryption. Secure shell is both secure and easy to use. SSH replaces telnet, ftp, rlogin, and rsh with secure alternatives, and it is the default remote login tool on our sample Red Hat system. On many Linux systems, SSH is installed as part of the initial system installation. Figure 12.5 shows a gnorpm query of the SSH package on our Red Hat system.
openssh openssh-askpass openssh-askpass-gnome openssh-clients openssh-server openssh-2.9p2-7
Size: 445400 Install Date: Sat Feb 02 07:00:10 GMT 2002
Build Host: stripples.devel.redhat.com Build Date: Thu Sep 06 01:14:35 GMT 2001 Distribution: Red Hat Linux Vendor: Red Hat, Inc.
Group: Applications/Internet Packager: Red Hat, Inc.
URL: http:/Avww. openssh. com/portable, html
SSH (Secure SHell) is a program for logging into and executing commands on a remote machine. SSH is intended to replace rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and
Path zl zl
/etc/ssh C /etc/ssh/primes /usr/bin/scp
X Close igure 12.5: The OpenSSH RPM As Figure 12.5 shows, our sample system uses OpenSSH. SSH was originally developed at Helsinki University of Technology (HUT). Both commercial SSH packages and the open-source OpenSSH software evolved from the original HUT software. Most Linux systems use the OpenSSH package, and that is the software described in this section.
The tabs in Figure 12.5 show that there are five different RPMs used for OpenSSH on our Red Hat system. Two of these, the RPMs that include the string askpass in their names, contain the files necessary to format the SSH passphrase prompt for the X Windows System. One handles plain X, and the other formats the prompt for the GNOME desktop environment. The real meat of the OpenSSH system comes in the three other packages:
openssh Contains the key generation utility ssh-keygen and the remote file copy program scp.
openssh-server Contains the server daemon sshd and the secure ftp server.
openssh-clients Contains the OpenSSH client tools for client key maintenance, as well as the ssh command for secure login and the sftp command for secure FTP.
When a secure shell client and server connect, they exchange keys. The keys are compared to the known keys. If the key is not found, the user is asked to verify that the new key should be accepted. If the key is accepted by the user, the host key is added to the .ssh/known_hosts file in the user's home directory and then is used to encrypt a randomly generated session key. The session key is then used by both systems to encrypt the remainder of the session. If no special authentication has been configured, the user is prompted for a password; there is no need to worry about password thieves because the password is encrypted before it is sent. Listing 12.9 illustrates how the first login to duck looks from our sample Red Hat system with the default configuration.
Listing 12.9: A Sample ssh Login
$ ssh duck
The authenticity of host 'duck (172.16.8.8)' can't be established. RSA key fingerprint is 41:86:62:fb:6e:9f:13:9f:0d:6b:95:d7:09:00:10:a7. Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'duck,172.16.8.8' (RSA) to the list of known hosts. [email protected]'s password: Wats?Watt? [duck]$ logout Connection to duck closed.
The client user is not limited to simple password authentication. By default, the server configuration is set to accept password authentication and public key authentication. If users wish to use public key authentication, they must create their own private and public keys.
Was this article helpful?