Monday 19 August 2013

How to protect Outgoing Network Connections - ssh

ssh - performs remote logins and remote command execution

scp - copies files between computers

sftp - copies files between computers, with an interactive, ftp-like user interface

sshd - server daemon

ssh-keygen - creates and modifies public and private keys

ssh-agent - caches ssh private keys to avoid typing passphrases

ssh-add - manipulates the key cache of ssh-agent

~/.ssh - directory (per user) for keys and configuration files

/etc/ssh - directory (system wide) for keys and configuration files

~/.ssh/config - client configuration file (per user)

/etc/ssh/sshd_config - sshd server configuration file (system wide)

To invoke a remote command

# ssh -l remoteUser remotehost uptime

Authenticating by public key (OpenSSH)

Problem: you want to set up public-key authentication between an OpenSSH client and an OpenSSH server.


Solution:

Public Key Authentication:-

Public key authentication lets you prove your identity to a remote host using a cryptographic key instead of a login password.


1. Generate a key if necessary:
  # mkdir -p ~/.ssh         ---- if it doesn't already exist
  # chmod 700 ~/.ssh
  # cd ~/.ssh
  # ssh-keygen -t dsa

2. Copy the public key to the remote host:
  # scp -p id_dsa.pub remoteuser@remotehost:
    passwd: ****

3. Log into the remote host and install the public key:
# ssh -l remoteUser remotehost
Password: *****
# mkdir -p ~/.ssh         ---- if it doesn't already exist
# chmod 700 ~/.ssh
# cat id_dsa.pub >> ~/.ssh/authorized_keys   (appending)
# chmod 600 ~/.ssh/authorized_keys
# mv id_dsa.pub ~/.ssh    optional
# logout

4. Log back in via public-key authentication:

# ssh -l remoteUser remotehost
Enter passphrase for key '/home/smith//.ssh/id_dsa': ***
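Step 3 above is the part that most often goes wrong when repeated (keys appended twice, wrong modes, a key type the server no longer accepts). The following is an added example, not code from the original post: a POSIX shell function that does the server-side installation idempotently, setting the 700/600 modes before any key is written and skipping a key that is already present. The home directory argument, the alice@laptop comment and the key data are constructed assumptions (the key data is not a real key). It assumes ed25519 rather than the post's DSA, because sshd has refused ssh-dss keys by default since OpenSSH 7.0; the stock tool ssh-copy-id performs the same installation interactively.

```shell
#!/bin/sh
# Added example (not from the original post). Installs a public key line into
# $home/.ssh/authorized_keys as step 3 does, but safely re-runnable.
# Paths, the key line and its comment are assumptions, not real values.

# Key types sshd accepts by default in current OpenSSH. ssh-dss (DSA) is left
# out on purpose: sshd has rejected DSA keys by default since OpenSSH 7.0.
is_acceptable_key_type() {
    case "$1" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) return 0 ;;
        *) return 1 ;;
    esac
}

# install_authorized_key "<public key line>" [home_dir]
# Returns 0 when the key was added, 2 when it was already present, 1 when rejected.
install_authorized_key() {
    key_line=$1
    home=${2:-$HOME}
    ssh_dir="$home/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # A key line is "<type> <base64 data> [comment]"; compare on the first two
    # fields so a different comment does not get the same key appended twice.
    key_type=$(printf '%s\n' "$key_line" | awk '{ print $1 }')
    key_data=$(printf '%s\n' "$key_line" | awk '{ print $2 }')
    if [ -z "$key_data" ] || ! is_acceptable_key_type "$key_type"; then
        echo "rejected key line (type: ${key_type:-none})" >&2
        return 1
    fi

    # Restrictive modes first: with StrictModes (the default) sshd ignores
    # authorized_keys when it or ~/.ssh is writable by other users.
    old_umask=$(umask)
    umask 077
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"
    umask "$old_umask"

    # Already installed? Match on type and key data only.
    if awk -v t="$key_type" -v d="$key_data" '$1 == t && $2 == d { found = 1 } END { exit !found }' "$auth_file"; then
        return 2
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    return 0
}

# Helpers for verifying the result (GNU stat first, BSD/macOS stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

count_authorized_keys() {
    grep -c -v '^[[:space:]]*$' "${1:-$HOME}/.ssh/authorized_keys"
}
```

Run it on the server as the target user with the public key line as the first argument, for example after the scp in step 2: install_authorized_key "$(cat id_dsa.pub)". The return code tells a provisioning script whether anything changed, which a plain cat >> never does.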

Note: SSH keys are more secure than passwords because the private key is never transmitted over the network, whereas a password is.

An SSH "key" is actually a matched pair of keys stored in two files. The private or secret key remains on the client machine, encrypted with a passphrase. The public key is copied to the remote (server) machine.
When establishing a connection, the SSH client and server perform a negotiation based on the private and public key; if they match, your identity is proven and the connection succeeds.

The SSH server must be configured to permit public-key authentication, which is the default:

/etc/ssh/sshd_config
PubkeyAuthentication yes   ---- if no, change it and restart sshd
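That check can be automated. The following is an added example, not from the original post: a POSIX shell function that reads the global section of an sshd_config the way sshd does (keywords are case-insensitive, the first occurrence of a keyword wins, commented-out lines are ignored) and falls back to the documented default of yes when PubkeyAuthentication is absent. Options after a Match line apply only to matching connections, so the scan stops there; treating everything after Match as out of scope is a simplification. The two sshd_config files it writes are constructed samples, not files from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): read the value sshd would use
# for a keyword from the global section of an sshd_config file.

# sshd_effective_option <config_file> <keyword> <default>
# Prints the effective value. Keyword comparison is case-insensitive, the
# first occurrence wins, "Keyword value" and "Keyword=value" are both accepted,
# and the scan stops at the first Match line (conditional section).
sshd_effective_option() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        tolower($1) == "match"  { exit }         # conditional section starts
        {
            line = $0
            sub(/^[ \t]*/, "", line)
            split(line, parts, /[ \t=]+/)
            if (tolower(parts[1]) == want) { print parts[2]; found = 1; exit }
        }
        END { if (!found) print def }
    ' "$1"
}

# check_pubkey_auth <config_file>: 0 if public-key auth is enabled, 1 if not.
check_pubkey_auth() {
    v=$(sshd_effective_option "$1" PubkeyAuthentication yes)
    case "$(printf '%s' "$v" | tr '[:upper:]' '[:lower:]')" in
        yes) echo "PubkeyAuthentication is enabled ($v)"; return 0 ;;
        *)   echo "PubkeyAuthentication is disabled ($v): edit $1 and restart sshd" >&2; return 1 ;;
    esac
}

# Constructed sample configs (not taken from any real host) showing the cases
# the parser must handle: a commented-out "no", a lowercase keyword, a second
# occurrence that must lose, the "Keyword=value" form and a Match block.
write_sample_configs() {
    cat > "$1/sshd_config.ok" <<'EOF'
# constructed sample: the commented-out line must be ignored
#PubkeyAuthentication no
Port 22
pubkeyauthentication yes
PubkeyAuthentication no
EOF
    cat > "$1/sshd_config.bad" <<'EOF'
# constructed sample: globally disabled, re-enabled only for one user
Port 22
PubkeyAuthentication=no
Match User backup
    PubkeyAuthentication yes
EOF
}
```

On the server itself, sshd -T prints the fully resolved configuration and is the authoritative answer; this parser is for auditing config files collected from many hosts without running sshd on each. Either way, after editing the file restart sshd as the post says.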
