Unix Toolbox → 5. SSH SCP
Gentoo-doc HOME | Prev.: 4. NETWORK | Up: Unix Toolbox | Next: 6. VPN WITH SSH

5. SSH SCP

5.1 Public key authentication

Connect to a host without a password using public key authentication. The idea is to append your public key to the authorized_keys2 file on the remote host. For this example let's connect host-client to host-server; the key is generated on the client.

• Use ssh-keygen to generate a key pair. ~/.ssh/id_dsa is the private key, ~/.ssh/id_dsa.pub is the public key.

• Copy only the public key to the server and append it to the file ~/.ssh/authorized_keys2 in your home directory on the server.

# ssh-keygen -t dsa -N ''

# cat ~/.ssh/id_dsa.pub | ssh you@host-server "cat - >> ~/.ssh/authorized_keys2"

Using the Windows client from ssh.com

The non-commercial version of the ssh.com client can be downloaded from the main ftp site: ftp.ssh.com/pub/ssh/. Keys generated by the ssh.com client need to be converted for the OpenSSH server. This can be done with the ssh-keygen command.

• Create a key pair with the ssh.com client: Settings - User Authentication - Generate New....

• I use Key type DSA; key length 2048.

• Copy the public key generated by the ssh.com client to the server into the ~/.ssh folder.

• The keys are in C:\Documents and Settings\%USERNAME%\Application Data\SSH\UserKeys.

• Use the ssh-keygen command on the server to convert the key:

# cd ~/.ssh

# ssh-keygen -i -f keyfilename.pub >> authorized_keys2

Notice: We used a DSA key, RSA is also possible. The key is not protected by a password.

Using putty for Windows

Putty (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html) is a simple and free ssh client for Windows.

• Create a key pair with the puTTYgen program.

• Save the public and private keys (for example into C:\Documents and Settings\%USERNAME%\.ssh).

• Copy the public key to the server into the ~/.ssh folder:

# scp .ssh/puttykey.pub root@192.168.51.254:.ssh/

• Use the ssh-keygen command on the server to convert the key for OpenSSH:

# cd ~/.ssh

# ssh-keygen -i -f puttykey.pub >> authorized_keys2

• Point putty to the private key location in its settings: Connection - SSH - Auth

5.2 Check fingerprint

At the first login, ssh will ask whether the unknown host with the given fingerprint should be stored in the known hosts. To avoid a man-in-the-middle attack, the administrator of the server can send you the server fingerprint, which is then compared on the first login. Use ssh-keygen -l to get the fingerprint (on the server):

# ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub # For RSA key

2048 61:33:be:9b:ae:6c:36:31:fd:83:98:b7:99:2d:9f:cd /etc/ssh/ssh_host_rsa_key.pub

# ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub # For DSA key (default)

2048 14:4a:aa:d9:73:25:46:6d:0a:48:35:c7:f4:16:d4:ee /etc/ssh/ssh_host_dsa_key.pub

Now a client connecting to this server can verify that it is talking to the right server by comparing the fingerprint shown at the prompt with the one received from the administrator before answering yes:

# ssh linda

The authenticity of host 'linda (192.168.16.54)' can't be established.

DSA key fingerprint is 14:4a:aa:d9:73:25:46:6d:0a:48:35:c7:f4:16:d4:ee.

Are you sure you want to continue connecting (yes/no)? yes
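As an added example (not part of the Unix Toolbox text), the following Python script ties sections 5.1 and 5.2 together: it parses an OpenSSH public key line, checks that the key type named in the line matches the type embedded in the key blob, computes both the colon-separated MD5 fingerprint shown above and the SHA256 form that current ssh-keygen prints, and appends the key to authorized_keys only once and with the 0700/0600 modes that sshd's StrictModes expects. SAMPLE_KEY is a constructed, syntactically valid blob and not a real key; the function names and the use of authorized_keys (rather than authorized_keys2) are my own assumptions.

```python
import base64
import hashlib
import os
import stat
import struct
import tempfile


def _ssh_string(b):
    """Length-prefixed string as used inside OpenSSH key blobs."""
    return struct.pack(">I", len(b)) + b


# Constructed sample key for the demo: a syntactically valid ssh-rsa blob
# (type name, e=65537, fake modulus). It is NOT a real key.
_blob = (_ssh_string(b"ssh-rsa")
         + _ssh_string(b"\x01\x00\x01")
         + _ssh_string(bytes(range(1, 65))))
SAMPLE_KEY = "ssh-rsa " + base64.b64encode(_blob).decode() + " you@host-client"


def parse_pubkey_line(line):
    """Split 'type base64 [comment]' and check that the type named in text
    matches the type encoded at the start of the blob (ssh-keygen does the same)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode("ascii", "replace")
    if embedded != keytype:
        raise ValueError(f"line says {keytype} but blob says {embedded}")
    return keytype, blob, comment


def is_valid_pubkey_line(line):
    try:
        parse_pubkey_line(line)
        return True
    except ValueError:
        return False


def md5_fingerprint(line):
    """Colon-separated MD5 fingerprint, the style ssh-keygen -l prints above."""
    _, blob, _ = parse_pubkey_line(line)
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def sha256_fingerprint(line):
    """Fingerprint style of current OpenSSH: 'SHA256:' + unpadded base64."""
    _, blob, _ = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_matches(line, expected):
    """Compare a key against the fingerprint the administrator sent, either style."""
    expected = expected.strip()
    if expected.startswith("SHA256:"):
        return sha256_fingerprint(line) == expected
    return md5_fingerprint(line) == expected.lower()


def install_authorized_key(home, line):
    """Append one validated key to home/.ssh/authorized_keys, skipping duplicates
    and enforcing the modes sshd's StrictModes requires (dir 0700, file 0600).
    Returns True if the key was added, False if it was already present."""
    _, blob, _ = parse_pubkey_line(line)  # refuse garbage before touching the file
    sshdir = os.path.join(home, ".ssh")
    os.makedirs(sshdir, mode=0o700, exist_ok=True)
    os.chmod(sshdir, 0o700)
    path = os.path.join(sshdir, "authorized_keys")
    present = False
    if os.path.exists(path):
        with open(path) as f:
            for existing in f:
                # compare key material, not the free-form comment
                if is_valid_pubkey_line(existing) and parse_pubkey_line(existing)[1] == blob:
                    present = True
    if not present:
        with open(path, "a") as f:
            f.write(line.strip() + "\n")
    os.chmod(path, 0o600)
    return not present


def demo_install():
    """Run the install twice in a scratch home and report what happened."""
    home = tempfile.mkdtemp()
    first = install_authorized_key(home, SAMPLE_KEY)
    second = install_authorized_key(home, SAMPLE_KEY)
    mode = stat.S_IMODE(os.stat(os.path.join(home, ".ssh", "authorized_keys")).st_mode)
    return first, second, oct(mode)


if __name__ == "__main__":
    print(md5_fingerprint(SAMPLE_KEY))
    print(sha256_fingerprint(SAMPLE_KEY))
    print(demo_install())  # (True, False, '0o600')
```

The type check matters because a key line is trusted by whatever sshd reads it: a blob that does not decode, or whose embedded type disagrees with the text, is rejected before it reaches authorized_keys. Comparing fingerprints case-insensitively covers the upper-case form some Windows clients display.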

5.3 Secure file transfer

Some simple commands:

# scp file.txt host-two:/tmp

# scp joe@host-two:/www/*.html /www/tmp

# scp -r joe@host-two:/www /www/tmp

In Konqueror or Midnight Commander it is possible to access a remote file system with the address fish://user@gate. However the implementation is very slow.

Furthermore it is possible to mount a remote folder with sshfs, a file system client based on SCP (see fuse sshfs: http://fuse.sourceforge.net/sshfs.html).

5.4 Tunneling

SSH tunneling allows you to forward or reverse forward a port over the SSH connection, thus securing the traffic and reaching ports which would otherwise be blocked. This only works with TCP. The general nomenclature for forward and reverse is (see also the ssh and NAT example):

# ssh -L localport:desthost:destport user@gate # desthost as seen from the gate

# ssh -R destport:desthost:localport user@gate # forwards your localport to destination

# ssh -X user@gate # To force X forwarding


This will connect to gate and forward the local port to the host desthost:destport. Note that desthost is the destination host as seen by the gate, so if the connection is to the gate itself, then desthost is localhost. More than one port forward is possible.
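To show what -L actually wires together, here is an added Python demo (my own code, not from the Unix Toolbox) that implements the listening half of ssh -L on a single machine: a tiny echo server plays the service on desthost, start_local_forward() accepts on 127.0.0.1:localport and splices each connection to the service, and port_open() is the "does telnet host port connect?" check from the Debug list further down. The encrypted leg through the gate is left out, all ports are ephemeral, and every function name here is an assumption.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_local_forward(localport, desthost, destport, bind="127.0.0.1"):
    """Listening half of `ssh -L localport:desthost:destport` (assumed helper):
    accept on bind:localport and splice each connection to desthost:destport.
    Real ssh carries the second leg inside the encrypted channel from the gate;
    this demo splices plain TCP so it runs on one machine. bind="127.0.0.1" is
    ssh's default; bind="0.0.0.0" is what "Local ports accept connections from
    other hosts" does. Returns the bound port (localport=0 lets the OS pick)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind, localport))
    listener.listen(5)

    def serve():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return
            try:
                upstream = socket.create_connection((desthost, destport), timeout=5)
                upstream.settimeout(None)  # only the connect is bounded
            except OSError:
                client.close()  # destination unreachable: drop this connection only
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]


def start_echo_server():
    """Constructed stand-in for the service on desthost: echoes what it receives.
    Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def port_open(host, port, timeout=1.0):
    """The 'does telnet host port connect?' check from the Debug list."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def roundtrip(localport, payload):
    """Send payload into the forwarded port and return what comes back."""
    with socket.create_connection(("127.0.0.1", localport), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo():
    """service -> forwarder -> client on one host, like the CVS/http example."""
    local_port = start_local_forward(0, "127.0.0.1", start_echo_server())
    return roundtrip(local_port, b"hello through the tunnel"), port_open("127.0.0.1", local_port)


if __name__ == "__main__":
    print(demo())
```

The bind address is the security-relevant knob: with the default 127.0.0.1 only processes on your own machine can enter the tunnel, whereas binding 0.0.0.0 (the "accept connections from other hosts" setting used for the virtual 10.1.1.1 trick below) exposes the forwarded service to anyone who can reach your client, so restrict it to the loopback or virtual address you actually need.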

Direct forward on the gate

Let's say we want to access the CVS (port 2401) and http (port 80) services which are running on the gate. This is the simplest example: desthost is thus localhost, and we use port 8080 locally instead of 80 so we don't need to be root. Once the ssh session is open, both services are accessible on the local ports.

# ssh -L 2401:localhost:2401 -L 8080:localhost:80 user@gate

Netbios and remote desktop forward to a second server

Let's say a Windows smb server is behind the gate and is not running ssh. We need access to the smb share and also remote desktop to the server.

# ssh -L 139:smbserver:139 -L 3388:smbserver:3389 user@gate

The smb share can now be accessed with \\127.0.0.1\, but only if the local share is disabled, because the local share is listening on port 139.

It is possible to keep the local share enabled; for this we need to create a new virtual device with a new IP address for the tunnel, and the smb share will be connected over this address.

Furthermore the local RDP is already listening on 3389, so we choose 3388. For this example let's use a virtual IP of 10.1.1.1.

• With putty use Source port=10.1.1.1:139. It is possible to create multiple loop devices and tunnel. On Windows 2000, only putty worked for me.

• With the ssh.com client, disable "Allow local connections only". Since ssh.com will bind to all addresses, only a single share can be connected.

Now create the loopback interface with IP 10.1.1.1:

• # System->Control Panel->Add Hardware # Yes, Hardware is already connected # Add a new hardware device (at bottom).

• # Install the hardware that I manually select # Network adapters # Microsoft, Microsoft Loopback Adapter.

• Configure the IP address of the fake device to 10.1.1.1 mask 255.255.255.0, no gateway.

• advanced->WINS, Enable LMHosts Lookup; Disable NetBIOS over TCP/IP.

• # Enable Client for Microsoft Networks. # Disable File and Printer Sharing for Microsoft Networks.

I HAD to reboot for this to work. Now connect to the smb share with \\10.1.1.1 and remote desktop to 10.1.1.1:3388.

Debug

If it is not working:

• Are the ports forwarded: netstat -an? Look at 0.0.0.0:139 or 10.1.1.1:139

• Does telnet 10.1.1.1 139 connect?

• You need the checkbox "Local ports accept connections from other hosts".

• Is "File and Printer Sharing for Microsoft Networks" disabled on the loopback interface?

Connect two clients behind NAT

Suppose two clients are behind a NAT gateway and client cliadmin has to connect to client cliuser (the destination); both can login to the gate with ssh and are running Linux with sshd. You don't need root access anywhere as long as the ports on gate are above 1024. We use 2022 on gate. Also, since the gate is used locally, the option GatewayPorts is not necessary.

On client cliuser (from destination to gate):

# ssh -R 2022:localhost:22 user@gate # forwards client 22 to gate:2022

On client cliadmin (from host to gate):

# ssh -L 3022:localhost:2022 admin@gate # forwards client 3022 to gate:2022

Now the admin can connect directly to the client cliuser with:

# ssh -p 3022 admin@localhost # local:3022 -> gate:2022 -> client:22

Connect to VNC behind NAT

Suppose a Windows client with VNC listening on port 5900 has to be accessed from behind NAT.

On client cliwin to gate:

# ssh -R 15900:localhost:5900 user@gate

On client cliadmin (from host to gate):

# ssh -L 5900:localhost:15900 admin@gate

Now the admin can connect directly to the client VNC with:

# vncconnect -display :0 localhost
