Understanding the Secure Shell (SSH)
If you’re concerned about someone intercepting your clear-text network communications, consider installing the Secure Shell. Because it encrypts your communications over any network, it’s a viable alternative to the RSH commands as well as Telnet.
SSH Installation
The SSH consists of several component RPM packages, listed in the following table; see Chapter 10 for how to install them as required.
Package | Function |
---|---|
openssh-* | Core files for SSH client and server |
openssh-askpass-gnome-* | Files that support passphrase management inside GNOME |
openssh-askpass-* | Files that support GUI management of SSH passphrases |
openssh-clients-* | Client files for connecting to SSH servers |
openssh-server-* | SSH servers |
Tip | You can even use SSH on Microsoft Windows computers. As of this writing, a free version of the OpenSSH package is available for download from Network Simplicity at www.networksimplicity.com. Once installed and configured, it works just like the Linux version of SSH. |
SSH Configuration
The main SSH configuration file is /etc/ssh/sshd_config. While the default file works in most cases, you can adjust the settings in this file for special TCP/IP ports—for example, to limit access to different IP addresses, to adjust the size of encryption keys, to override RSH authentication, and to enable the use of Kerberos.
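The paragraph above says you can tighten /etc/ssh/sshd_config, but not how to check what a given file actually allows. The following script is an added example, not code from the book: it reads a constructed sample sshd_config, reports directives that still carry weak values (the RSH-style RhostsRSAAuthentication setting the text mentions, plus Protocol, PermitRootLogin and PermitEmptyPasswords, all of which are real OpenSSH directives), and writes a hardened copy. The sample file and the "hardened" target values are assumptions made for the demonstration; sshd itself honours the first uncommented occurrence of a directive, which is the rule the lookup follows.

```shell
#!/bin/sh
# Added example (not from the book): audit a few sshd_config directives and
# write a hardened copy. Directive names are real OpenSSH options; the sample
# configuration written by write_sample_config is constructed for this demo.

# Print the effective value of a directive. sshd uses the first uncommented
# occurrence and matches directive names case-insensitively.
sshd_directive() {
    _file=$1 _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$_key" '
        $0 !~ /^[ \t]*#/ && tolower($1) == key { print $2; exit }
    ' "$_file"
}

# Compare one directive with the value a hardened server should carry.
# Prints a finding and returns 1 when the value differs (or is unset).
check_directive() {
    _want=$3
    _have=$(sshd_directive "$1" "$2")
    [ -n "$_have" ] || _have="(unset)"
    if [ "$(printf '%s' "$_have" | tr 'A-Z' 'a-z')" != "$_want" ]; then
        printf 'WEAK: %s is %s (want %s)\n' "$2" "$_have" "$_want"
        return 1
    fi
    return 0
}

# Audit a file; the exit status is the number of weak settings found.
audit_sshd_config() {
    _findings=0
    check_directive "$1" Protocol 2 || _findings=$((_findings + 1))
    check_directive "$1" RhostsRSAAuthentication no || _findings=$((_findings + 1))
    check_directive "$1" PermitRootLogin no || _findings=$((_findings + 1))
    check_directive "$1" PermitEmptyPasswords no || _findings=$((_findings + 1))
    return $_findings
}

# Write a hardened copy of $1 to $2: every uncommented occurrence of a
# checked directive is commented out and the hardened line is appended.
# (Appending is only correct for files without Match blocks.)
harden_sshd_config() {
    _in=$1 _out=$2
    cp "$_in" "$_out"
    for _pair in "Protocol 2" "RhostsRSAAuthentication no" \
                 "PermitRootLogin no" "PermitEmptyPasswords no"; do
        _name=$(printf '%s' "${_pair%% *}" | tr 'A-Z' 'a-z')
        awk -v key="$_name" -v line="$_pair" '
            $0 !~ /^[ \t]*#/ && tolower($1) == key { print "#" $0; next }
            { print }
            END { print line }
        ' "$_out" > "$_out.tmp" && mv "$_out.tmp" "$_out"
    done
}

# Constructed sample configuration with several weak settings.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config (not taken from any real server)
Port 22
Protocol 2,1
RhostsRSAAuthentication yes
PermitRootLogin yes
PermitEmptyPasswords no
EOF
}

# Demonstration run in a temporary directory.
demo_dir=$(mktemp -d)
write_sample_config "$demo_dir/sshd_config"
audit_sshd_config "$demo_dir/sshd_config" || echo "$? weak setting(s) in sample"
harden_sshd_config "$demo_dir/sshd_config" "$demo_dir/sshd_config.hardened"
audit_sshd_config "$demo_dir/sshd_config.hardened" && echo "hardened copy passes"
rm -rf "$demo_dir"
```

Run it against a copy of your own /etc/ssh/sshd_config (never edit the live file in place without a backup, and reload sshd afterwards). The audit exits with the number of findings, so it can gate a configuration-management job.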
Once you have the appropriate packages installed, the next step is to create private and public encryption keys. You keep the private key secure on your Linux server. Public encryption keys allow others to scramble the messages that they send to you. Alternatively, messages that you send are encrypted with the private key; they include the public key, which is used to unscramble the message only on the destination computer. These keys are based on random numbers so large (512 bits and more) that it would take a cracker with a personal computer weeks to find them.
Two basic SSH commands allow you to create private and public keys: ssh-keygen -t rsa and ssh-keygen -t dsa. These commands let you create keys based on the RSA algorithm (from RSA Security) or the Digital Signature Algorithm (DSA).
Both commands create the private and public keys, by default, in the .ssh subdirectory of the user's home directory (~/.ssh), as listed in Table 23.5. When prompted, create a passphrase. If you don't set a passphrase, a cracker who steals your SSH private key can use it directly. In some cases, this would allow the cracker to use your digital identity to use your credit cards or sign contracts in your name.
Algorithm | Private | Public |
---|---|---|
DSA | ~/.ssh/id_dsa | ~/.ssh/id_dsa.pub |
RSA | ~/.ssh/id_rsa | ~/.ssh/id_rsa.pub |
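The text above tells you to run ssh-keygen and to set a passphrase, but a careful administrator also verifies the result. The script below is an added example, not from the book: it creates an RSA pair non-interactively with ssh-keygen (the real OpenSSH tool; -t, -b, -N, -f, -y, -P and -l are its documented options), then checks that the private key is unusable without the passphrase, that its file mode is owner-only, and that the .pub file really belongs to the private key by deriving the public half and comparing fingerprints. It assumes ssh-keygen is on PATH; the key directory, passphrase and comment are placeholders chosen for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book): generate an RSA key pair the way the
# section describes, but non-interactively, then verify what a careful admin
# checks afterwards. Assumes OpenSSH's ssh-keygen is on PATH.

# Create $1/id_rsa and $1/id_rsa.pub with passphrase $2 and bit size $3
# (default 2048). Use an empty directory: ssh-keygen prompts on overwrite.
make_keypair() {
    _dir=$1 _pass=$2 _bits=${3:-2048}
    mkdir -p "$_dir" && chmod 700 "$_dir"
    ssh-keygen -q -t rsa -b "$_bits" -N "$_pass" -C "added-example key" \
        -f "$_dir/id_rsa"
}

# Print the fingerprint of a public key file (second field of ssh-keygen -l).
key_fingerprint() {
    ssh-keygen -l -f "$1" | awk '{ print $2 }'
}

# Return 0 when the private key cannot be loaded with an empty passphrase,
# i.e. it is actually passphrase-protected.
key_is_passphrase_protected() {
    ! ssh-keygen -y -P "" -f "$1" >/dev/null 2>&1
}

# Return 0 when the file is readable and writable by its owner only (0600).
key_mode_is_private() {
    _mode=$(ls -l "$1" | cut -c1-10)
    [ "$_mode" = "-rw-------" ]
}

# Return 0 when the public half derived from private key $1 (unlocked with
# passphrase $2) has the same fingerprint as the $1.pub file next to it.
# A mismatch means the .pub file was replaced or the wrong passphrase was used.
keypair_matches() {
    _derived=$(ssh-keygen -y -P "$2" -f "$1" 2>/dev/null) || return 1
    _tmp=$(mktemp)
    printf '%s\n' "$_derived" > "$_tmp"
    _a=$(key_fingerprint "$_tmp")
    _b=$(key_fingerprint "$1.pub")
    rm -f "$_tmp"
    [ -n "$_a" ] && [ "$_a" = "$_b" ]
}

# Demonstration run in a temporary directory (constructed placeholder
# passphrase; skipped when ssh-keygen is not installed).
if command -v ssh-keygen >/dev/null 2>&1; then
    demo_dir=$(mktemp -d)
    make_keypair "$demo_dir" 'placeholder passphrase'
    echo "fingerprint: $(key_fingerprint "$demo_dir/id_rsa.pub")"
    key_is_passphrase_protected "$demo_dir/id_rsa" && echo "passphrase: set"
    key_mode_is_private "$demo_dir/id_rsa" && echo "mode: 0600"
    keypair_matches "$demo_dir/id_rsa" 'placeholder passphrase' && echo "pair: consistent"
    rm -rf "$demo_dir"
fi
```

The same checks apply to a DSA pair created with ssh-keygen -t dsa; only the file names in Table 23.5 change. Keep the fingerprint that key_fingerprint prints: it is what you compare against when a remote server asks you to confirm a key.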
Sample Session
Once you’ve installed the right RPMs on clients and servers and created the appropriate SSH keys, you’re ready to begin using the Secure Shell. If desired, you can check to make sure the SSH server is running by issuing the service sshd status command.
Now you can connect directly to your account on another computer. For example, assume you are a user named tblair and have an account on both computers. Run the ssh sugaree.mommabears.com command to connect to that computer. Be sure to substitute the computer name or IP address of your choice for sugaree.mommabears.com.
The first time you try to connect with ssh (or related commands), you’ll see a message like the following:
The authenticity of host 'sugaree.mommabears.com' can't be established.
RSA key fingerprint is 34:21:d2:3c:34:83:40:23:d2:c2:9f:34:90:e3:a3.
Are you sure you want to continue connecting (yes/no)?
Type yes, and enter your password on the remote computer to complete the connection. You'll be able to work on the remote computer, and messages between your computers will be encrypted. Alternatively, you could log into a different account, say vputin, as follows:
# ssh vputin@sugaree.mommabears.com
Alternatively, you could use the secure FTP service associated with SSH. If user vputin has a group of RPMs on his account and you have his password, you could use the secure FTP service to download files from his home directory on the remote computer. For example, the following commands log into that account and then download the source code for a new GNU C compiler to the local /tmp directory:
# sftp vputin@sugaree.mommabears.com
sftp> get gcc-3.9-8.src.rpm /tmp