Using SSH
Everyone Should Know This

Aaron Burgemeister
FOSS Bigot
Novell, Inc.
[email protected]

Post on 10-Apr-2015

© Novell Inc. All rights reserved

What is SSH?

• SSH is a network Protocol
  – NAT Friendly
  – Secure
• Allows Data to be Exchanged Securely
  – Port Forwarding
  – GUI Forwarding
• Multiple OS Support
  – NetWare
  – Windows (Not Natively)
  – Linux
  – Mac

SSH Experience

• Heard of it?
• Used it?
• Tunneled?
• Forwarded GUI?
• Remote Commands?
• Copied File?

Why SSH?????

• It's already there (cross-plat)
• It's secure (SSHv2 (good) vs. SSHv1 (old/bad))
• It's fast (no graphical overhead, doesn't send tons of data to maintain connections, command-line based)

Available SSH Tools on Linux and Mac

• SSH is standard on Linux, Mac and NetWare, and can be added to any OS as the source code is freely available
  – SSH
  – SCP
• PuTTY is even available for Linux
  – http://www.chiark.greenend.org.uk/~sgtatham/putty/

Available SSH Tools on Windows

PuTTY (and related applications below)
  – http://www.chiark.greenend.org.uk/~sgtatham/putty/
PLINK (Great for scripting uses)
PAGEANT (Key Material Management)

Available SSH Tools on Windows

WinSCP
  – http://winscp.net/eng/index.php
XMING
  – http://sourceforge.net/projects/xming
Cygwin
  – http://www.cygwin.com/

SSH Server (Daemons)

• The SSH Daemon is Supported by All OS's
  – Windows must use Cygwin or OpenSSH to run the Daemon
  – NetWare 6.5 SP3 or greater
• Multiple Authentication Back-ends
  – Using PAM authentication
    > /etc/passwd
    > eDirectory/LDAP
    > Active Directory
  – Centrify (www.centrify.com)

How Can SSH Be Used?

Basic SSH Connection

ssh root@ssh_server

Access Files
Launch Scripts
Launch Programs
Install Linux Remotely

Basic SSH Connection

SSH is a Shell Connection
Full Access to the Remote Computer
Redirect Sound
Restart Services
Install Software

Tunneling with SSH

SSH Can Tunnel any TCP Traffic
Local Forwarding / Remote Forwarding
Local Forwarding
  ● Involves forwarding a socket from the client to the server
Remote Forwarding
  ● Involves forwarding a socket from the server to the client.
Gateway Port and Security Note

Tunneling with SSH - Security

Security Benefits of Tunneling
From the SSH Client to the SSH Server, the connection is secure
From the SSH Server to the remote service, the connection may not be secure, for example, HTTP, telnet, etc.
May provide a way to easily secure an insecure application
Access to otherwise inaccessible (more-secure) applications via a single locked-down server.
Preventing it from happening (for admins)?
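
For the admin-side question above, an added example (not from the original slides) that reads an sshd_config and reports the global settings governing tunnelling, gateway ports, X forwarding and password logins. The keyword names and defaults are OpenSSH's; the policy table (everything off) and the sample configuration are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the slides: audit the global sshd_config settings
# that control tunnelling and password logins on a host that should allow
# neither. The policy in the table below is an assumption; adjust it.

# effective_value KEYWORD DEFAULT < config
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and everything after a Match line is conditional.
effective_value() {
    awk -v want="$1" -v def="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { print tolower($2); found = 1; exit }
        END { if (!found) print def }'
}

# audit_sshd FILE: one WARN line per setting that differs from the policy.
# Table columns: keyword | OpenSSH default | value the policy wants | reason
audit_sshd() {
    cfg=$1; findings=0
    while IFS='|' read -r key def safe why; do
        val=$(effective_value "$key" "$def" < "$cfg")
        [ "$val" = "$safe" ] && continue
        echo "WARN $key=$val: $why"
        findings=$((findings + 1))
    done <<'EOF'
AllowTcpForwarding|yes|no|clients can open -L/-R tunnels through this host
GatewayPorts|no|no|remote-forwarded ports may listen on non-loopback addresses
X11Forwarding|no|no|GUI forwarding (-X) is permitted
PasswordAuthentication|yes|no|password logins are open to brute-force guessing
EOF
    [ "$findings" -eq 0 ]
}

# Constructed sample configuration, not taken from a real server.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample
PasswordAuthentication no
allowtcpforwarding yes
AllowTcpForwarding no
GatewayPorts clientspecified
Match User support
    X11Forwarding yes
EOF
}

tmp=$(mktemp) && write_sample "$tmp"
audit_sshd "$tmp" || echo "sshd_config does not meet the policy"
rm -f "$tmp"
```

On a live server, `sshd -T` prints the effective configuration and is the authoritative check.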

E-Mail

ssh username@ssh_server -L 993:imap_server:993

E-Mail – Making a Connection

Making the SSH Connection

ssh username@ssh_server -L 1993:imap_server:993

The e-mail client can then simply be pointed to the local computer on port '1993' to connect to the remote, otherwise inaccessible IMAP server.
The “pointing” could be done via client connection parameters, a modified 'hosts' file, DNS, etc.

Remote Desktop - Making a Connection

Making the SSH Connection

ssh username@ssh_server -L 3389:win_server:3389

Starting the Linux RDP Client

rdesktop localhost:3389

Multiple Connections

ssh username@ssh_server -L 1993:imap_server:993 -L 3389:win_server:3389 -L 1025:smtp_server:25

Single Tunnel Point
Multiple Destinations
Multiple Ports
Whole command as one single line

Redirecting X (GUI)

Redirecting the “GUI”

Redirecting the Graphical Screens of the Remote Computer, Installation, Application, to the Local Computer
Very Simple
Redirect an Oracle Installer
Redirect Skype

From Linux to Linux

ssh username@ssh_server -X

Very Simple
Native Support

From Windows to Linux

Not as Simple
No Native Support
• Enable X Redirection and use one of the following X Servers
  – xming
    > http://sourceforge.net/projects/xming
  – XwinLogon
    > http://www.calcmaster.net/visual-c++/xwinlogon/
  – LabF's WinaXe
    > http://www.labf.com/winaxeplus/index.html

From Mac to Linux

ssh username@ssh_server -X

Very Simple
Native Support
Redirect
  – YaST
  – Skype
  – Installs

Copying Files with SSH

Simple File Copy with SSH

scp localfile.txt username@ssh_server:/remote/destination/path/

scp username@ssh_server:/remote/destination/path/file.txt /local/destination/path/

Very Simple
Fairly Fast
Secure

RSYNC Over SSH

rsync -avz -e ssh /source_dir/ username@ssh_server:/dest_dir/

Very Simple
Requires RSYNC client
Synchronizes whole folder structures

Running Remote Commands with SSH

Remote Commands

ssh username@ssh_server 'ps aux'
ssh username@ssh_server 'top -b -d1 -n1'

Output returned to client machine sending command
Makes connection, runs, and exits
Useful for monitoring remote machines
  – Mentioned in Nagios session an hour ago

Key Material Management and Usage

Key Material

Makes the Connection More Secure (password logins can be disabled, which makes brute-force password attacks infeasible)
Allows for unprompted Authentication
  – Immediate access to the system
  – Provide access to the system without ever giving out the password, even as different identities than the user's own user
• Steps Involved:
  – Generating a client key
  – Copying the keys to the remote destination's store
  – 'ssh-agent' used to store keys for you
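
The three steps above as an added example, not part of the original slides: the client-side commands appear as comments, and `install_pubkey` is a hypothetical helper showing what the copy step has to leave in the server-side store (`~/.ssh/authorized_keys` under OpenSSH). The key shown is a constructed placeholder, not a valid key.

```shell
#!/bin/sh
# Added example, not from the slides. On the client the three steps are:
#   ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519      (generate; set a passphrase)
#   ssh-copy-id -i ~/.ssh/id_ed25519.pub username@ssh_server
#   eval "$(ssh-agent -s)" && ssh-add ~/.ssh/id_ed25519
# install_pubkey (hypothetical helper) shows what the copy step must leave
# behind in the account's key store on the server.

# install_pubkey HOME_DIR 'TYPE BASE64 [COMMENT]'
# Returns 0 if added, 1 if already present, 2 if the input is not a public key.
install_pubkey() {
    home=$1; line=$2
    # Exactly one line, so nothing extra rides along into the store.
    case $line in *'
'*) return 2 ;; esac
    # Must look like a public key; a pasted private key is rejected.
    printf '%s\n' "$line" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' \
        || return 2
    store=$home/.ssh/authorized_keys
    # With StrictModes (the default) sshd ignores a store that other users
    # can write to, so set owner-only permissions explicitly.
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 2
    touch "$store" && chmod 600 "$store" || return 2
    # Compare on the key blob so a changed comment does not add a duplicate.
    blob=$(printf '%s\n' "$line" | cut -d' ' -f2)
    grep -qF -- "$blob" "$store" && return 1
    printf '%s\n' "$line" >> "$store"
}

# Constructed placeholder (not a valid key), installed into a scratch directory.
KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderNotARealKey0000000 user@laptop'
demo=$(mktemp -d)
install_pubkey "$demo" "$KEY" && echo "key added"
install_pubkey "$demo" "$KEY" || echo "second call: already present"
ls -l "$demo/.ssh/authorized_keys"
rm -rf "$demo"
```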

Demo

• Novell® Remote
  – Give access to specific services in a restricted environment
  – Useful for support to access environments behind firewall
  – Share access to a VM environment (NAT, Host-only)
• Audience Demo
  – Requirement: Network Access; support.novell.com account preferably
