
The Secure Shell (ssh)

The Secure Shell (ssh) enables users to securely access a remote system over an insecure network. You use the Secure Shell to do the following:

  • Log in to a remote system (by using ssh).

  • Copy files over the network between hosts (by using scp or sftp).

Before the Secure Shell was available, remote connections were, and still can be, handled via rlogin, rsh, and rcp. These commands send passwords and session data across the network in clear text and grant access on the strength of the calling host's name (the .rhosts mechanism), so they are open to eavesdropping and host spoofing.

With the Secure Shell, you establish secure communication between two hosts on an insecure network. The two hosts are referred to as the client (the host that requests the connection) and the server (the host being connected to). The Secure Shell daemon, sshd, starts up on each host at system boot, provided the svc:/network/ssh:default service has been enabled in SMF. The sshd daemon listens for connections and handles the encrypted key exchange and authentication with the client. When authentication is complete, the user can execute commands and copy files remotely.

On the client side, ssh is controlled by the /etc/ssh/ssh_config file and by ssh command-line options. The ssh_config file controls which authentication methods the client offers, and in which order, along with the ciphers and other options it negotiates; the server still decides which methods it will accept. Optionally, a user can also provide ssh settings in his or her own $HOME/.ssh/config file. For each option the first value found wins: ssh takes the command line first, then $HOME/.ssh/config, then /etc/ssh/ssh_config.

On the server side, sshd is controlled by the /etc/ssh/sshd_config file, which only the system administrator can change. sshd reads the file when it starts, so a change takes effect when the service is restarted.
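As an added illustration, not code from the book, the following Python script reads the global section of an sshd_config and reports the settings from this chapter that weaken authentication: host-based authentication, IgnoreRhosts set to no, direct root logins, the password fallback, and protocol 1. It follows sshd's own parsing rules (keywords are case-insensitive, '#' starts a comment, a keyword and its value are separated by whitespace or a single '=', and when a keyword is repeated the first occurrence wins), and it stops at a Match line because everything after it is conditional. The two configuration texts embedded in it are constructed samples, not taken from any host, and the defaults table holds the documented OpenSSH defaults, assumed here to apply to the Solaris sshd as well.

```python
"""Audit the global section of an sshd_config for the authentication settings
discussed in this chapter (constructed example)."""
import re

# Constructed sample: roughly what the step-by-step leaves on the remote host.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample, not from a real host)
Protocol 2
HostbasedAuthentication yes
IgnoreRhosts no
PubkeyAuthentication yes
PasswordAuthentication yes
PermitRootLogin = no
PermitRootLogin yes      # ignored by sshd: the first occurrence above wins
"""

# Constructed sample: key-only logins and no trusted-host shortcuts.
HARDENED_SSHD_CONFIG = """\
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
"""

# Documented OpenSSH defaults, used when the keyword is absent (assumption:
# the Solaris sshd behaves the same way for these keywords).
DEFAULTS = {
    "hostbasedauthentication": "no",
    "ignorerhosts": "yes",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "permitrootlogin": "yes",
    "protocol": "2",
}

# keyword, then either optional whitespace '=' optional whitespace, or whitespace
_KEYWORD_VALUE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text: str) -> dict:
    """Map lowercase keyword -> value for the global section; first occurrence wins."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # '#' starts a comment
        if not line:
            continue
        m = _KEYWORD_VALUE.match(line)
        if not m:
            continue                              # bare keyword: sshd would reject it
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                                 # conditional section: out of scope
        cfg.setdefault(key, value)                # later duplicates are ignored
    return cfg


def effective(cfg: dict, key: str) -> str:
    """Value in force for a keyword, falling back to the documented default."""
    return cfg.get(key, DEFAULTS.get(key, "")).lower()


def audit(cfg: dict) -> list:
    """Return [(keyword, effective value, why it matters), ...]."""
    findings = []
    if effective(cfg, "hostbasedauthentication") == "yes":
        findings.append(("hostbasedauthentication", "yes",
                         "trusted-host logins enabled; not needed for public-key authentication"))
    if effective(cfg, "ignorerhosts") == "no":
        findings.append(("ignorerhosts", "no",
                         "sshd honours ~/.rhosts and ~/.shosts, so any user can widen trust"))
    if effective(cfg, "pubkeyauthentication") != "yes":
        findings.append(("pubkeyauthentication", effective(cfg, "pubkeyauthentication"),
                         "public-key logins are disabled"))
    if effective(cfg, "passwordauthentication") == "yes":
        findings.append(("passwordauthentication", "yes",
                         "password fallback stays on, so a guessed password still logs in"))
    if effective(cfg, "permitrootlogin") == "yes":
        findings.append(("permitrootlogin", "yes",
                         "root can log in directly over the network"))
    if "1" in effective(cfg, "protocol").replace(" ", "").split(","):
        findings.append(("protocol", effective(cfg, "protocol"),
                         "SSH protocol 1 is enabled"))
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name + ":")
        for keyword, value, why in audit(parse_sshd_config(text)) or [("-", "-", "no findings")]:
            print("  %-24s %-4s %s" % (keyword, value, why))
```

Run against a real /etc/ssh/sshd_config by reading the file into parse_sshd_config; the first-occurrence rule matters in practice, because an administrator who appends "PermitRootLogin no" at the end of a file that already says "PermitRootLogin yes" has changed nothing.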

Normally, each user wanting to use SSH with public-key authentication runs the ssh-keygen command once to create a key pair in $HOME/.ssh: identity for protocol 1, id_dsa for DSA, or id_rsa for RSA. The private key stays on the client, readable only by its owner, and the server is provided with the matching public key, which is all it needs to complete authentication. Public-key authentication is stronger than typical password authentication because the private key never travels over the network; the client proves possession of it by signing data that the server checks with the public key. To create a public/private key pair for public-key authentication, follow Step by Step 4.11.

Step By Step 4.11: Setting Up Public Key Authentication for Solaris Secure Shell

In the following step by step, you'll set up Public Key Authentication so that bcalkins can log in to a remote host using ssh. For this step by step, you'll need two systems. One will be the client, and the other will be the remote host.

1.
Make sure both systems have a user account named bcalkins, a password assigned to the account, and an established home directory named /export/home/bcalkins.

2.
Make sure each account has a .ssh directory in the /export/home/bcalkins home directory. If not, you can create the .ssh directory by running the ssh-keygen command described in step 7.

3.
Host-based authentication (steps 3, 4 and 6) is a separate mechanism from public-key authentication and is not required for the rest of this procedure: with it, sshd trusts a login because it arrives from a trusted host, not because the user has proved possession of a private key. Skip these three settings unless you specifically need trusted-host logins. To enable host-based authentication on the client, as root, add the following line to the /etc/ssh/ssh_config file:

HostbasedAuthentication yes

4.
On the remote host, enable host-based authentication by adding the following line to the /etc/ssh/sshd_config file:

HostbasedAuthentication yes

5.
Start up sshd on the remote host if it is not currently running by typing

svcadm enable svc:/network/ssh:default

If the ssh service is already running, restart it so that it rereads sshd_config (repeat the restart after any later change to the file):

svcadm restart svc:/network/ssh:default

6.
Only if you enabled host-based authentication in step 4: on the remote host, allow sshd to consult the per-user lists of trusted hosts by setting IgnoreRhosts to no in the /etc/ssh/sshd_config file as follows:

IgnoreRhosts no

With this setting sshd honours each user's $HOME/.rhosts and $HOME/.shosts files, so any user can extend trust to another host. Otherwise leave it at its default of yes.

7.
On the client, log in as bcalkins and create the client's public key. To generate the public key on the client, issue the following command:

ssh-keygen -t rsa

Use the -t option to specify the type of algorithm; rsa, dsa, or rsa1. The system responds with

Generating public/private rsa key pair.
Enter file in which to save the key (//.ssh/id_rsa):

When you press Enter, the system responds with

Created directory '/export/home/bcalkins/.ssh'.
Enter passphrase(empty for no passphrase):

The passphrase is used for encrypting the private key on disk, so that a copied id_rsa file is useless without it. A good passphrase is 10 to 30 characters long, mixes alphabetic and numeric characters, and avoids simple English prose and English names. Pressing Enter on its own means that no passphrase is used; such a blank passphrase is strongly discouraged for user accounts, because anyone who can read the file can then use the key. The passphrase is not displayed when you type it in. You are then asked to confirm it:

Enter same passphrase again:

Enter the passphrase again to confirm it. The system responds with

Your identification has been saved in /export/home/bcalkins/.ssh/id_rsa.
Your public key has been saved in /export/home/bcalkins/.ssh/id_rsa.pub.
The key fingerprint is:
c9:8e:d8:f9:69:6e:01:e7:c4:82:05:8a:8e:d3:03:56 root@ultra5

8.
The key fingerprint is displayed as a colon-separated series of two-digit hexadecimal values; note it, because it lets you recognise this key later. Check that the path to the key is correct; in this example it is /export/home/bcalkins/.ssh/id_rsa.pub. At this point, you have created a public/private key pair. Now copy the public key (id_rsa.pub, never id_rsa) to the remote host and append it, as a single line, to the $HOME/.ssh/authorized_keys file in your home directory there. sshd refuses to use the file unless the permissions are tight: your home directory and .ssh must not be writable by group or others, and authorized_keys should be readable only by you (for example, chmod 700 $HOME/.ssh and chmod 600 $HOME/.ssh/authorized_keys).

9.
When the public key has been created on the client and copied to the remote host, you can start using the Secure Shell to log in to the remote system by typing this line, where <hostname> is the name of the remote host that you want to connect to:

ssh <hostname>

The first time you connect to a particular remote host, for example

ssh 192.168.0.252

ssh has no entry for that host in your $HOME/.ssh/known_hosts file, so it displays the host's public key fingerprint and asks you to confirm it:

The authenticity of host '192.168.0.252' can't be established.
RSA key fingerprint in md5 is: 78:28:11:cb:41:81:a2:73:50:5a:d4:49:bb:12:85:03
Are you sure you want to continue connecting(yes/no)? yes

This prompt is normal for an initial connection, but do not answer yes blindly: the fingerprint is your only protection against connecting to an impostor that has inserted itself between you and the remote host. Compare it with the fingerprint of the remote host's own key, obtained out of band (for example, by running ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub on the remote host's console), and answer yes only if the two match. ssh then records the key and responds with

Warning: Permanently added '192.168.0.252' (RSA) to the list of known hosts.
Enter passphrase for key '/export/home/bcalkins/.ssh/id_rsa':

On later connections ssh checks the host's key against the saved entry silently; if the host's key ever changes, ssh warns you instead of asking this question again.

After you enter your passphrase, the system will log you into the remote host.

Last login: Wed Oct 19 20:43:57 2005 from ultra5
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
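The fingerprint check in step 9 is only as good as the comparison you make. As an added example, not code from the book, the Python script below computes the colon-separated MD5 fingerprint that this release's ssh-keygen prints for an OpenSSH public key line, the SHA256 form that current OpenSSH prints, and parses the ssh-rsa blob to confirm that the key really is of the type its first word advertises. Use it, for instance, to compare the fingerprint shown at first connection against a copy of /etc/ssh/ssh_host_rsa_key.pub received out of band, or to check an authorized_keys entry against the fingerprint ssh-keygen printed in step 7. The key embedded in it is constructed from a made-up modulus for demonstration only, and the function names and the bcalkins@client comment are this example's own.

```python
"""Fingerprint and sanity-check an OpenSSH public key line (constructed example)."""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """RFC 4253 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    """RFC 4253 'mpint': two's complement, so a leading 0x00 keeps the number positive."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_public_blob(e: int, n: int) -> bytes:
    """Wire-format ssh-rsa public key: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def _read_string(blob: bytes, off: int):
    """Read one length-prefixed string at 'off'; reject truncated input."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from(">I", blob, off)
    off += 4
    if off + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + length], off + length


def rsa_fields(blob: bytes):
    """Return (e, n) from an ssh-rsa blob, rejecting anything malformed."""
    wire_type, off = _read_string(blob, 0)
    if wire_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % wire_type)
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def parse_public_key_line(line: str):
    """Split 'type base64 [comment]' as found in id_rsa.pub or authorized_keys."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("not a public key line")
    keytype, encoded = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(encoded, validate=True)
    wire_type, _ = _read_string(blob, 0)
    if wire_type.decode("ascii", "replace") != keytype:
        raise ValueError("key type keyword does not match the blob")
    return keytype, blob, comment


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated hex MD5 of the blob: the form this ssh-keygen prints."""
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def sha256_fingerprint(blob: bytes) -> str:
    """'SHA256:' plus unpadded base64 of the SHA-256 digest: the form current OpenSSH prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def looks_like_md5_fingerprint(text: str) -> bool:
    """Sixteen colon-separated two-digit hex groups, as in the first-connection prompt."""
    parts = text.strip().lower().split(":")
    return len(parts) == 16 and all(
        len(p) == 2 and all(c in "0123456789abcdef" for c in p) for p in parts)


def fingerprint_matches(line: str, shown: str) -> bool:
    """True if the key on 'line' has the MD5 fingerprint 'shown' (case-insensitive)."""
    _, blob, _ = parse_public_key_line(line)
    return md5_fingerprint(blob) == shown.strip().lower()


# Constructed sample key: e = 65537, n = a made-up 512-bit odd number with its
# top bit set so the mpint leading-zero rule is exercised.  Not a real key.
SAMPLE_E = 65537
SAMPLE_N = int.from_bytes(bytes(range(0x80, 0xC0)), "big") | 1
SAMPLE_LINE = "ssh-rsa %s bcalkins@client" % base64.b64encode(
    build_rsa_public_blob(SAMPLE_E, SAMPLE_N)).decode()

if __name__ == "__main__":
    keytype, blob, comment = parse_public_key_line(SAMPLE_LINE)
    e, n = rsa_fields(blob)
    print(keytype, comment, "%d-bit modulus, e=%d" % (n.bit_length(), e))
    print(md5_fingerprint(blob))
    print(sha256_fingerprint(blob))
```

Both fingerprints are hashes of the same base64-decoded blob, so the script gives the same MD5 value for a host key file, for a known_hosts entry, and for the prompt at first connection; a mismatch between any two of them means you are not talking to the key you think you are.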


To copy files by using the Secure Shell, you start the secure copy program by typing the scp command, using the following syntax:

scp <sourcefile> <username>@<hostname>:<destinationdir>

Table 4.26 describes the arguments to the scp command.

Table 4.26. scp Command Arguments

Argument            Description
<sourcefile>        The name of the local file that you want to copy
<username>          The username on the remote host to which you want to connect
<hostname>          The name of the remote system to which the file will be copied
<destinationdir>    The directory on the remote host into which the file is copied


If your public key is installed in the remote account's authorized_keys file, you are prompted for your passphrase; if it is not, sshd falls back to asking for the account's login password. Once you are authenticated, the system responds by displaying the following:

  • The filename

  • The percentage of the file transferred as it is being copied

  • The quantity of data transferred as it is being transferred

  • The estimated time of arrival when the entire file will be copied to the remote directory

This example copies the file named file1 to the home directory of bcalkins on the remote host:

scp file1 bcalkins@192.168.0.252:~

Here the remote host prompts for the account's password rather than for the key passphrase, which means public-key authentication was not used for this account (the public key is not in its authorized_keys file, or that file's permissions are wrong):

Password:

After you enter the login password, the file is copied and scp reports its progress:

file1  100%  |*************************************| 12540  0:00

For more information on using the Secure Shell, refer to the ssh, sshd, ssh_config, sshd_config, ssh-keygen, and scp man pages.

