SSH on SUSE Linux Enterprise Server 11
In the past, remote connections were established with Telnet, which offers no guards in the form of encryption or other security mechanisms against eavesdropping. There are also other traditional communication channels (such as FTP and some remote copying programs) that provide unencrypted transmission.
The SSH suite was developed to provide secure transmission by encrypting the authentication data (usually a login name and a password) and all other data exchanged between the hosts. With SSH, a third party can still record the data flow, but the contents are encrypted and cannot be recovered as plain text without the session key.
SUSE Linux Enterprise Server 11 installs the package OpenSSH by default, which includes programs such as ssh, scp, and sftp as alternatives to Telnet, rlogin, rsh, rcp, and FTP.
The secure shell not only provides all the functionality of Telnet, rlogin, rsh and rcp, but also includes some features of FTP. SSH can additionally protect X11 and arbitrary TCP connections by tunneling them through its cryptographically secured channel.
The following lists the basic functionality provided by SSH:
- Login from a remote host.
- Interactive or noninteractive command execution on remote hosts.
- Copying files between different network hosts; optional support for compressing data.
- Cryptographically secured authentication and communication across insecure networks.
- Automatic and transparent encryption of all communication.
- Complete substitution of the “r” utilities: rlogin, rsh, and rcp.
- Port forwarding.
SSH not only encrypts the traffic and authenticates the client; it also authenticates the server, so that a client can detect a host impersonating the one it intends to reach. Several procedures are available for server authentication.
SUSE Linux Enterprise Server uses the open source implementation of SSH, OpenSSH. OpenSSH was written to avoid patent-encumbered algorithms, which is what allows it to be distributed freely.
SSH Protocol Versions:
The following versions of the SSH protocol exist:
- Protocol Version 1 (SSH1)
- Protocol Version 2 (SSH2)
Protocol version 1 has known cryptographic weaknesses and should not be enabled. Make sure /etc/ssh/sshd_config contains Protocol 2 (the default), so that sshd offers only version 2.
Public Key Authentication Management:
Public key authentication verifies the user with a key pair instead of a password. Protocol version 1 supports only RSA keys. Protocol version 2 supports RSA and DSA keys.
RSA. The name is derived from the surnames of its developers, Rivest, Shamir, and Adleman. Its security rests mainly on the fact that it is easy to multiply two large prime numbers, but difficult to recover the factors from the product.
DSA. Digital Signature Algorithm. It is a US Federal Government standard for digital signatures.
To manage public key authentication, you need to know the following:
- Public Key Authentication Process.
- Create a Key Pair.
- Configure and Use Public Key Authentication.
Public Key Authentication Process:
To use public key authentication, the public key of the user has to be stored on the server in the home directory of the user account being accessed, in the file ~/.ssh/authorized_keys. The corresponding private key stays on the client computer and is never sent to the server.
With the keys in place, authentication proceeds as follows (this is the challenge-response used by protocol version 1; protocol version 2 instead has the client sign the session identifier together with the authentication request using its private key, and the server verifies that signature, so the client never has to decrypt anything):
- The client informs the server which public key is being used for authentication.
- The server checks whether that public key is listed in authorized_keys.
- The server encrypts a random number with the public key and sends it to the client.
- Only the holder of the matching private key can decrypt the random number.
- The client sends the server an MD5 checksum computed from the decrypted number and the session identifier, so that the response is bound to this connection.
- The server computes the same checksum; if the two match, the user is authenticated.
- If public key authentication fails and password authentication is allowed, the user is prompted for the login password.
The private key should be protected by a passphrase. Without passphrase protection, possession of the file containing the private key is sufficient for a successful authentication.
If the key is protected with a passphrase, the file is useless to anyone who does not know the passphrase.
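The two flows described above, as an added example that is not part of the SUSE documentation: a toy model of protocol 1 challenge-response and protocol 2 signature authentication, using textbook RSA with small keys generated at import time. The key size, the dictionary standing in for authorized_keys, the session identifier, the user name "geeko" and the bytes signed in the protocol 2 branch are all constructed for illustration; real SSH uses padded, standardised signature formats and far larger keys.

```python
import hashlib
import secrets


def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test, adequate for demo-sized keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random prime of exactly `bits` bits."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def gen_keypair(bits=256):
    """Textbook RSA key pair ((e, n), (d, n)); 256 bits is a toy size."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (e, p * q), (pow(e, -1, phi), p * q)


def ssh1_challenge_auth(authorized, client_pub, client_priv, session_id):
    """Protocol 1 style RSA challenge-response, the flow listed above."""
    if client_pub not in authorized:          # steps 1-2: is the offered key known?
        return False
    e, n = client_pub
    challenge = secrets.randbelow(n)          # step 3: server picks a random number
    ciphertext = pow(challenge, e, n)         #         and encrypts it to the key
    d, n_c = client_priv                      # step 4: client decrypts it
    recovered = pow(ciphertext, d, n_c)
    client_digest = hashlib.md5(              # step 5: MD5 over number + session id
        recovered.to_bytes(32, "big") + session_id).digest()
    server_digest = hashlib.md5(              # step 6: server recomputes and compares
        challenge.to_bytes(32, "big") + session_id).digest()
    return secrets.compare_digest(client_digest, server_digest)


def ssh2_signature_auth(authorized, client_pub, client_priv, session_id, user):
    """Protocol 2 style: the client signs the session id plus the userauth
    request; the server verifies. Nothing secret is ever sent to the client."""
    if client_pub not in authorized:
        return False
    e, n = client_pub
    to_sign = session_id + b"ssh-userauth" + user.encode() + b"publickey"
    h = int.from_bytes(hashlib.sha256(to_sign).digest(), "big") % n
    d, n_c = client_priv
    signature = pow(h, d, n_c)                # client side
    return pow(signature, e, n) == h          # server side


def demo():
    """Both flows with the legitimate key and with an impostor's key."""
    pub, priv = gen_keypair()
    impostor_pub, impostor_priv = gen_keypair()
    authorized = {pub}                        # stands in for ~/.ssh/authorized_keys
    session_id = secrets.token_bytes(32)      # constructed per-connection identifier
    return {
        "ssh1_ok": ssh1_challenge_auth(authorized, pub, priv, session_id),
        "ssh1_wrong_private_key": ssh1_challenge_auth(authorized, pub, impostor_priv, session_id),
        "ssh1_unknown_key": ssh1_challenge_auth(authorized, impostor_pub, impostor_priv, session_id),
        "ssh2_ok": ssh2_signature_auth(authorized, pub, priv, session_id, "geeko"),
        "ssh2_wrong_private_key": ssh2_signature_auth(authorized, pub, impostor_priv, session_id, "geeko"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'authenticated' if ok else 'rejected'}")
```

The session identifier is mixed into both checks on purpose: without it, a response captured on one connection could be replayed on another. Note that in the protocol 2 branch the server only ever receives a signature, which is why a leaked transcript of a protocol 2 login reveals nothing the client decrypted.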
Create a Key Pair:
You create a key pair with the command ssh-keygen. SSH1 and SSH2 use different key formats, so you need a separate key pair for each protocol version you use.
The option -t keytype selects the type of key: ssh-keygen -t rsa1 generates a key pair for SSH1; ssh-keygen -t rsa or ssh-keygen -t dsa creates an RSA or DSA key pair for SSH2.
The keys are stored in the directory ~/.ssh. For SSH1, the default files are ~/.ssh/identity (private key) and ~/.ssh/identity.pub (public key). For SSH2, the default private key files are ~/.ssh/id_rsa (RSA) and ~/.ssh/id_dsa (DSA), with the corresponding public keys in files of the same name plus the .pub extension.
The following shows how a protocol version 2 key pair is generated with ssh-keygen, using the required -t option to request a DSA key pair, on the Primary Machine (ws1).
Generate a DSA key pair on the Secondary Machine (ws2) as well.
Concatenate id_dsa.pub from all nodes into the authorized_keys file on the Primary Machine (ws1).
Concatenate id_dsa.pub from all nodes into the authorized_keys file on the Secondary Machine (ws2).
For authentication using RSA or DSA keys, you need to copy the public key to the Primary Machine and then append it to the file ~/.ssh/authorized_keys there. Keep ~/.ssh and authorized_keys writable only by their owner; with the default StrictModes setting, sshd ignores the file otherwise. For example, you can copy the key to the Primary Machine with the command scp, as in the following:
You can now log in from the Secondary Machine to check whether authentication with the DSA key works, as in the following:
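The distribution step of the procedure above, as an added example that is not part of the SUSE documentation: a small Python helper that merges public keys into authorized_keys without creating duplicates when the concatenation is run more than once, and sets the permissions sshd's StrictModes requires. The remote steps (ssh-keygen, scp and the test login) need the hosts ws1 and ws2 from the text and are shown only as comments; the script name merge_keys.py and the public key lines used by demo() are constructed, not real files or keys.

```python
# Remote part of the procedure (needs ws1 and ws2; not executed here):
#   ws1$ ssh-keygen -t dsa                          # writes ~/.ssh/id_dsa and id_dsa.pub
#   ws2$ ssh-keygen -t dsa
#   ws2$ scp ~/.ssh/id_dsa.pub ws1:/tmp/id_dsa.ws2.pub
#   ws1$ python3 merge_keys.py /tmp/id_dsa.ws2.pub   # hypothetical name for this script
#   ws2$ ssh ws1 hostname                           # prints "ws1" without a password prompt
import os
import shutil
import stat
import sys
import tempfile


def parse_key(line):
    """Return (type, base64 blob) for a plain OpenSSH public key line, or None."""
    parts = line.split()
    if len(parts) < 2 or parts[0].startswith("#"):
        return None
    return parts[0], parts[1]


def append_authorized_keys(pubkey_path, auth_path):
    """Append keys from pubkey_path to auth_path, skipping keys already present
    (compared by type and blob, ignoring the comment). Returns number added."""
    ssh_dir = os.path.dirname(auth_path)
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)                 # sshd refuses group/world-writable ~/.ssh
    existing = set()
    if os.path.exists(auth_path):
        with open(auth_path) as f:
            existing = {k for k in map(parse_key, f) if k}
    added = 0
    with open(pubkey_path) as src, open(auth_path, "a") as dst:
        for line in src:
            key = parse_key(line)
            if key and key not in existing:
                dst.write(line.rstrip("\n") + "\n")
                existing.add(key)
                added += 1
    os.chmod(auth_path, 0o600)               # likewise for authorized_keys itself
    return added


def demo():
    """Simulate merging id_dsa.pub from ws1 and ws2 into ws1's authorized_keys,
    with the ws2 key appended a second time as a cluster re-run would do."""
    tmp = tempfile.mkdtemp()
    # constructed sample public keys; the blobs are not real DSA keys
    keys = {
        "ws1": "ssh-dss AAAAB3NzaC1kc3MAAACBAPws1fakekey root@ws1\n",
        "ws2": "ssh-dss AAAAB3NzaC1kc3MAAACBAPws2fakekey root@ws2\n",
    }
    for host, line in keys.items():
        with open(os.path.join(tmp, f"id_dsa.{host}.pub"), "w") as f:
            f.write(line)
    auth = os.path.join(tmp, ".ssh", "authorized_keys")
    added = [append_authorized_keys(os.path.join(tmp, f"id_dsa.{h}.pub"), auth)
             for h in ("ws1", "ws2", "ws2")]
    with open(auth) as f:
        total = sum(1 for l in f if parse_key(l))
    dir_mode = stat.S_IMODE(os.stat(os.path.dirname(auth)).st_mode)
    file_mode = stat.S_IMODE(os.stat(auth).st_mode)
    shutil.rmtree(tmp)
    return added, total, dir_mode, file_mode


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: merge_keys.py <public key file copied from the other node>")
    n = append_authorized_keys(sys.argv[1], os.path.expanduser("~/.ssh/authorized_keys"))
    print(f"{n} key(s) added")
```

The duplicate check compares only the key type and the base64 blob, so the same key with a different trailing comment is still recognised as already present; lines carrying authorized_keys options (from=..., command=...) are outside what parse_key handles.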
The following are commonly used SSH-related client commands:
ssh: This is the SSH client. It replaces rlogin, rsh, and Telnet. slogin is a symbolic link to ssh. Every user should use ssh consistently instead of Telnet.
scp: This command copies files securely between two computers using ssh, and replaces rcp and FTP (for pure file transfer).
sftp: This command offers an interface similar to a command line FTP client. You can view files on the remote machine with ls and transfer files using put and get.
ssh-keyscan: A utility for gathering the public SSH host keys from a number of SSH servers. The keys gathered are written to standard output. This output can then be compared with the keys in the file /etc/ssh/ssh_known_hosts and added to that file; verify the keys through an independent channel before trusting them, since ssh-keyscan itself cannot tell a genuine host from an impostor.
ssh-keygen: This command generates RSA and DSA key pairs and manages existing keys.
ssh-agent: This command holds private keys in memory and answers the server's challenges on the user's behalf, so the passphrase has to be entered only once per session.
ssh-add: This command registers new keys with the ssh-agent.