Most network administrators manage their servers remotely: an administrator can control a server without standing beside the actual machine. This connection is of course made over the Internet. In earlier eras there were many applications for this purpose, such as telnet, ftp, and the "r tools" rsh, rlogin and rcp. All of these applications are insecure, because every message, including sensitive data such as usernames and passwords, is transmitted in plain text, with no encryption at all.
The insecurity of telnet and the other old applications forced people to invent a remote connection system with a secure channel. Thus SSH arose.
Secure Shell (SSH) is now the usual way to establish remote connections. SSH sends and receives messages over a cryptographic network protocol for secure data communication, which guarantees a secure channel over an insecure network.
Introduction to OpenSSH, the Free SSH Implementation
OpenSSH, originally developed by the OpenBSD project, has become the popular free implementation of SSH connectivity. It is licensed under the BSD License, which gives everyone the freedom to use it.
The OpenSSH suite has two parts: the client side and the server side. OpenSSH also offers other utilities such as ssh-add, ssh-agent, ssh-keysign, ssh-keyscan and ssh-keygen, and it offers sftp and scp for file transfer.
Most Linux and BSD distributions include OpenSSH. If you want to install from source, go to http://openssh.org/ and download the newest version; the compilation is straightforward and self-explanatory.
On Debian/Ubuntu you can install the server with:
aptitude install openssh-server
SSHD (SSH Daemon / Server)
The SSH server uses the configuration file sshd_config. On Linux it is usually located at /etc/ssh/sshd_config (for example on Slackware64); on BSD (FreeBSD) it is also at /etc/ssh/sshd_config. The file can be used directly without altering anything, but you can also modify it as you wish.
For security reasons it is strongly recommended to make sure a few things are handled. Here we restrict the root account so that it cannot be used for remote login. Make sure the following options are enabled in the configuration file (not commented out with #):
PermitRootLogin no
StrictModes yes
UsePrivilegeSeparation yes
StrictModes makes sshd check the ownership and permissions of the user's home directory and files before accepting a login; a home directory or key file with access mode 777, in other words one that everyone is permitted to read, write and execute, causes the login to be refused. UsePrivilegeSeparation makes sshd fork a separate unprivileged process to handle an incoming connection before it is authenticated; only after the user is authenticated are the login credentials handed back to the main sshd process.
Similar to sshd, the ssh client uses a configuration file that can be used directly. On Linux systems it is usually located at /etc/ssh/ssh_config; on BSD, specifically FreeBSD, it is also at /etc/ssh/ssh_config. As a client, it works by making a connection to an SSH server: it looks up the server, maintains the keys used for communicating with that server, and so on.
For security reasons too, we should consider the following in the SSH client configuration file:
CheckHostIP yes
StrictHostKeyChecking ask
The first directive, CheckHostIP, makes the client also check the server's IP address against known_hosts, so that a host that has changed because of DNS spoofing can be detected. The second directive, StrictHostKeyChecking ask, makes the client ask whether the public key of a remote system should be written to the known_hosts file when the initial connection is established.
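As an added example (not from the original post), a small POSIX shell audit that checks an sshd_config and an ssh_config for the directives recommended in the two sections above; the sample configuration files are constructed, and a real check would point the functions at /etc/ssh/sshd_config and /etc/ssh/ssh_config. It assumes the simple case without Match or Host-specific overrides.

```shell
# Added example, not from the original post: audit sshd_config / ssh_config
# for the directives recommended above. Sample files are constructed; point
# the functions at /etc/ssh/sshd_config or ssh_config to check a real host.

# get_directive FILE KEY: print the effective value of KEY. Keywords are
# case-insensitive, comment lines are skipped, and as in sshd the first
# uncommented occurrence wins.
get_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# check_directive FILE KEY EXPECTED: 0 if the effective value matches,
# 1 (with a warning on stderr) if it is unset or different.
check_directive() {
    actual=$(get_directive "$1" "$2")
    [ "$actual" = "$3" ] && return 0
    printf 'WARN %s: %s is "%s", expected "%s"\n' \
        "$1" "$2" "${actual:-<unset>}" "$3" >&2
    return 1
}

# audit_sshd FILE / audit_ssh FILE: print the number of failing directives.
audit_sshd() {
    n=0
    check_directive "$1" PermitRootLogin no         || n=$((n + 1))
    check_directive "$1" StrictModes yes            || n=$((n + 1))
    check_directive "$1" UsePrivilegeSeparation yes || n=$((n + 1))
    echo "$n"
}
audit_ssh() {
    n=0
    check_directive "$1" CheckHostIP yes           || n=$((n + 1))
    check_directive "$1" StrictHostKeyChecking ask || n=$((n + 1))
    echo "$n"
}

# Constructed samples: a hardened sshd_config, a weak one (recommended line
# left commented out, root login re-enabled, no privilege separation line).
SAMPLE_DIR=$(mktemp -d)
printf 'PermitRootLogin no\nStrictModes yes\nUsePrivilegeSeparation yes\n' \
    > "$SAMPLE_DIR/good_sshd"
printf '#PermitRootLogin no\npermitrootlogin yes\nStrictModes yes\n' \
    > "$SAMPLE_DIR/weak_sshd"
printf 'Host *\n    CheckHostIP yes\n    StrictHostKeyChecking ask\n' \
    > "$SAMPLE_DIR/good_ssh"
echo "good sshd_config: $(audit_sshd "$SAMPLE_DIR/good_sshd") failing"
echo "weak sshd_config: $(audit_sshd "$SAMPLE_DIR/weak_sshd") failing"
```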
Using the Client
To connect to a server using SSH, the connection is set up inside an encrypted channel and uses a valid account on the server side: you are logging in to the remote server using the account on that server. For example, when I have the account xathrya on celestial-being.net, I use:
On the initial connection, you will be asked whether you want to save the host information or not:
The authenticity of host 'hostname (IP)' can't be established.
RSA key fingerprint is <some hexadecimal string>.
Are you sure you want to continue connecting (yes/no)?
If you want to proceed, answer 'yes'. The client will then remember the remote host by its fingerprint, stored in the file known_hosts, usually ~/.ssh/known_hosts. If you have saved the fingerprint and the host later presents a different one, the ssh client will give you a warning and prevent you from proceeding. If you are sure you are connecting to the correct server, remove the associated line from ~/.ssh/known_hosts.
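As an added example (not from the original post), the known_hosts lookup described above written out in POSIX shell against a constructed known_hosts file, giving the three outcomes the client reports (unknown host, matching key, changed key) and also the [host]:port form used for non-default ports. It assumes unhashed host names; with HashKnownHosts enabled the host field is hashed, and ssh-keygen -F host / ssh-keygen -R host are the right tools for a real file.

```shell
# Added example, not from the original post: look a host up in a known_hosts
# file the way the client does on reconnect, and classify the outcome. The
# known_hosts content below is constructed and its key blobs are placeholders.
# Caveat: with HashKnownHosts the host field is hashed and plain-name matching
# will not work; use "ssh-keygen -F host" / "ssh-keygen -R host" on real files.

# known_hosts_key FILE HOST: print "keytype key" recorded for HOST, if any.
# The first field may list several names, e.g. "name,ip" or "[name]:port".
known_hosts_key() {
    awk -v host="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        { n = split($1, names, ",")
          for (i = 1; i <= n; i++)
              if (names[i] == host) { print $2, $3; exit } }
    ' "$1"
}

# verify_host FILE HOST KEYTYPE KEY: prints "ok" (key matches the stored one),
# "unknown" (no entry; the client would ask whether to add it) or "MISMATCH"
# (entry exists with a different key; the client refuses to proceed).
verify_host() {
    stored=$(known_hosts_key "$1" "$2")
    if [ -z "$stored" ]; then echo unknown
    elif [ "$stored" = "$3 $4" ]; then echo ok
    else echo MISMATCH
    fi
}

KH=$(mktemp)
cat > "$KH" <<'EOF'
# constructed known_hosts; keys are placeholders, not real public keys
celestial-being.net,203.0.113.10 ssh-rsa AAAAB3Nza...constructedkey1
[ptolemy.example]:1351 ssh-ed25519 AAAAC3Nza...constructedkey2
EOF
echo "first connect: $(verify_host "$KH" ptolemy.example ssh-ed25519 x)"
echo "reconnect:     $(verify_host "$KH" celestial-being.net ssh-rsa AAAAB3Nza...constructedkey1)"
echo "changed key:   $(verify_host "$KH" celestial-being.net ssh-rsa AAAAnewkey)"
```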
Secure Copy (SCP)
SCP, or secure copy, works like the normal cp (copy) utility but over the network: it copies file(s) between two systems using an SSH connection. In general, the syntax for scp is:
scp [options] [[user@]host1:[path]]file1 ... [[user@]host2:[path]]file2
Each host can be our own machine or a remote machine. SCP copies the file on the first host to the second host, so we can use scp to copy a file from our host to a remote server, from a remote server to our host, or from one remote server to another.
The common options / flags used with scp are:
- -p: preserve modification time, access time and file mode
- -r: recursively copy files; used to copy a whole directory's contents
- -C: enable SSH compression mode
scp xathrya@celestial-being.net:/opt/research/gundam00 /home/xathrya/gundam00
In that example I copy the file gundam00 from the remote host (celestial-being.net), path /opt/research, to my machine as /home/xathrya/gundam00. Note that host1 is now the remote host and host2 is my own host.
Secure File Transfer Protocol (SFTP)
SFTP is another version of FTP that runs over an SSH connection: it is like FTP but provides security. If a server should offer the SFTP service, make sure the following line is active in the sshd_config file:
Subsystem sftp /usr/lib/openssh/sftp-server
Here /usr/lib/openssh/sftp-server is the path to sftp-server on Debian/Ubuntu systems. You should find the correct path to the sftp-server binary if that file does not exist on your system.
Using an SFTP client is like using any FTP client, except that SFTP uses the same port as SSH does; the default SSH port is 22. The following is a sample SFTP session:
xathrya@<local host>:~$ sftp setsuna@celestial-being.net
Connection to celestial-being.net
setsuna@celestial-being.net's password: *******
sftp> put gundam00.pdf
Uploading gundam00.pdf to /home/xathrya/gundam00.pdf
gundam00.pdf                                  100% 1.5MB 129.4KB/s   00:16
sftp>
There are two phases here: login and uploading. User xathrya initiates a connection to celestial-being.net using the account setsuna. After passing authentication I use put to upload a file. You can also use other commands such as ls and cd, which ftp supports (and so does sftp).
If you have changed the SSH port to another number, for example 1351, the SFTP client cannot connect to the remote server with its default settings. You can still make a connection with:
sftp -oPort=1351 <user>@<site domain>