Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
gssapi-with-mic
hostbased
publickey
keyboard-interactive
password
Diffie-Hellman key is used instead of the server key for sharing the
session key in version 2 protocol
attacks)
The client then checks the list of known hosts by searching
'~/.ssh/known_hosts' file. If the public key is listed, it automatically
assumes that the data is valid and the server is trusted. But if the public is
not listed here then the user is displayed with a prompt that asks them to
verify the finger print.
Now both the client and server have enough information needed to create
the master key that will encrypt the session and the communication
starts.
The strategy used for options in the default sshd_config shipped with
OpenSSH is to specify options with their default value where
possible, but leave them commented. Uncommented options change a
default value.
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
Port Change:
Change the Port line in /etc/ssh/sshd_config to mention 435 and remove
the # at the beginning of the line. Check to ensure SSH is running on the
new port:
[root@bigboy root]# netstat -an | grep 435
tcp
0
0
192.168.1.100:435
0.0.0.0:*
[root@bigboy root]#
LISTEN
3) Copy only the public key to the home directory of the account to
which you will be sending the file.
[filecopy@bigboy .ssh]# scp id_dsa.pub filecopy@smallfry:public-key.tmp
[filecopy@smallfry
public-key.tmp
[filecopy@smallfry
[filecopy@smallfry
[filecopy@smallfry
filecopy]# ls
filecopy]# mkdir .ssh
filecopy]# chmod 700 .ssh
filecopy]# cd .ssh
From now on you can use ssh and scp as user filecopy from server bigboy
to smallfry without being prompted for a password.
Finally, restart both sshd and rsyslog to make the changes take effect.
sudo service sshd restart && sudo service rsyslog restart
This is a cool trick. If you open a shell to monitor the log, you can use the
tail command to print messages to the screen as they are written:
tail -f /var/log/sshd.log
SSH Tunnelling
With SSH tunneling the server computer can also receive data from other
computers on the client's network over the very same session. The client
is configured to listen on a specified TCP port and all data received on that
port will be automatically SSH encrypted and relayed to the remote
server. It is for this reason that SSH tunneling is also called SSH port
forwarding.
There are two types of forwarding:
Local Forwarding: Forwards traffic coming to a local port to a specified
remote port. This is also known as outgoing tunneling, as the tunnel is
established to the remote server.
Remote Forwarding: Forwards traffic coming to a remote port to a
specified local port. This is also known as incoming tunneling, as the
tunnel is established from the remote server.
As always it is best to explain these methodologies with some examples.
Introduction
1.
local: -L Specifies that the given port on the local (client) host is to
be forwarded to the given host and port on the remote side.
ssh -L sourcePort:forwardToHost:onPort connectToHost means: connect
with ssh to connectToHost, and forward all connection attempts to
the local sourcePort to port onPort on the machine
called forwardToHost, which can be reached from
the connectToHost machine.
2.
remote: -R Specifies that the given port on the remote (server) host
is to be forwarded to the given host and port on the local side.
ssh -R sourcePort:forwardToHost:onPort connectToHost means: connect
with ssh to connectToHost, and forward all connection attempts to
the remote sourcePort to port onPorton the machine
called forwardToHost, which can be reached from your local machine.
Additional options
-f tells ssh to background itself after it authenticates, so you don't
have to sit around running something on the remote server for the
tunnel to remain alive.
-N says that you want an SSH connection, but you don't actually
want to run any remote commands. If all you're creating is a tunnel,
then including this option saves resources.
The third image represents this tunnel. But the blue computer called
your host represents the computer where someone starts the ssh
tunnel, in this case the firewalled machine.
So, ask someone to start a ssh tunnel connection to your machine. The
command should basically look like
ssh -R 12345:localhost:22 YOURIP
Now the tunnel is opened. You can now connect via ssh to the firewalled
machine through the tunnel with the command
ssh -p 12345 localhost
which will connect to your own localhost (your machine) on port 12345,
but port 12345 is forwarded through the tunnel to port 22 of the localhost
Now
it
is
possible
to
browse
yahoo.com
by
visiting http://localhost:9001 in the web browser at work computer.
The home computer will act as a gateway which would accept requests
from work machine and fetch data and tunnelling it back. So the syntax
of the full command would be as follows.
ssh -L <local-port-to-listen>:<remote-host>:<remote-port>
<gateway>
So here what does localhost refer to? Is it the work since the command
line is executed from work? Turns out that it is not. As explained earlier is
relative to the gateway (home in this case) , not the machine from where
the tunnel is initiated. So this will make a connection to port 5900 of the
home computer where the VNC client would be listening in.
The created tunnel can be used to transfer all kinds of data not limited to
web browsing sessions. We can also tunnel SSH sessions from this as
well. Lets assume there is another computer (banned) to which we need
to SSH from within University but the SSH access is being blocked. It is
possible to tunnel a SSH session to this host using a local port forward.
The setup would look like this.
As can be seen now the transferred data between work and banned are
encrypted end to end. For this we need to create a local port forward as
follows.
ssh -L 9001:banned:22 home
Now we need to create a SSH session to local port 9001 from where the
session
will get tunneled to banned via home computer.
ssh -p 9001 localhost
Remote Forwarding
The syntax for local forwarding relies on the -R SSH command line
qualifier which is configured like this:
-R bind-address:bind-port:remote-server-address:remote-port
The syntax is similar to that of the -L option. The bind-address and bindport are the IP address and TCP port on which the local computer will
listen for connections from its neighbors. If the bind-address isn't listed,
then the server will only accept connections from localhost. The remoteserver-address and remote-port specify the same options for the remote
server and are from the remote server's perspective. If you specify
localhost as the remote-server-address, SSH will be interpret it to mean
the Internet IP address of the remote server.
This can be useful in a number of scenarios. For example, you cannot
connect to your office workstation via VPN due to network maintenance,
but during this time your workstation still has access to the Internet.
Remote forwarding could provide you with access.
Here's another scenario. You are moving into a new Internet data center,
all the network gear has been configured, but the installation of the data
circuits has been delayed. This has caused the configuration of the servers
to be delayed. If one server wired to your network can get access to a
server on the Internet, via a wireless card, or otherwise, then remote
access to the data center could be achieved using remote forwarding.
Example 1: The local computer forwards any connection to localhost on a
specified port to a remote host. Forwarding occurs over a previously
established connection from the remote host. If we revisit our scenario
where VPN access will be down due to maintenance, the first thing to be
done is to configure your workstation at work to establish a remote
forwarding SSH session to your home server.
[root@work-001 ~]# ssh -R localhost:9999:localhost:22 root@home.my-website.org
root@home.my-web-site.org's password:
Last login: Sat Mar 17 21:15:36 2007 from 216.10.135.26
[root@bigboy ~]# ping localhost
PING bigboy (127.0.0.1) 56(84) bytes of data.
64 bytes from bigboy (127.0.0.1): icmp_seq=1 ttl=64 time=0.091 ms
64 bytes from bigboy (127.0.0.1): icmp_seq=2 ttl=64 time=0.082 ms
64 bytes from bigboy (127.0.0.1): icmp_seq=3 ttl=64 time=0.097 ms
64 bytes from bigboy (127.0.0.1): icmp_seq=4 ttl=64 time=0.078 ms
As you can see, remote forwarding can be both useful, convenient and
productivity enhancing.
Example 2: The local computer forwards any connection to it's NIC on a
specified port to a remote host. Forwarding occurs over a previously
established connection from the remote host.
This is more fitting for our limited connectivity data center scenario. In this
case the local computer can be accessed by anyone on the Internet and it
will forward any SSH connections it receives on the specified port to the
server in the data center with the wireless access. Here's how it's done:
The next step is to establish the remote port forwarding session. Set
up a ping if you need constant activity on the link. In this case Internet
server is netserver-001.my-web-site.org.
[root@datacenter-001 ~]# ssh -R netserver-001.my-website.org:9999:localhost:22 root@netserver-001.my-web-site.org
root@netserver-001.my-web-site.org's password:
time=0.091
time=0.082
time=0.097
time=0.078
ms
ms
ms
ms
Now it's time to test it. From our home server bigboy, we can SSH into
server netserver-001 on port 9999 and get access to the data center.
[root@bigboy~]# ssh -p 9999 root@netserver-001.my-web-site.org
root@ netserver-001.my-web-site.org's password:
Last login: Sun Mar 18 15:50:16 2007 from 65.115.71.35
[root@datacenter-001 ~]#
Once executed the SSH client at work will connect to SSH server running
at home creating a SSH channel. Then the server will bind port 9001 on
home machine to listen for incoming requests which would subsequently
be routed through the created SSH channel between home and work.
As nice all of these would be still you need to create another tunnel if you
need to connect to another site in both cases. Wouldnt it be nice if it is
possible to proxy traffic to any site using the SSH channel created? Thats
what dynamic port forwarding is all about.
Dynamic Port Forwarding
Dynamic port forwarding allows to configure one local port for tunnelling
data to all remote destinations. However to utilize this the client
application connecting to local port should send their traffic using
the SOCKS protocol. At the client side of the tunnel a SOCKS proxy would
be created and the application (eg. browser) uses the SOCKS protocol to
specify where the traffic should be sent when it leaves the other end of
the ssh tunnel.
ssh -D 9001 home (Executed from 'work')
Here SSH will create a SOCKS proxy listening in for connections at local
port
9001 and upon receiving a request would route the traffic via SSH channel
created between work and home. For this it is required to configure the
browser to point to the SOCKS proxy at port 9001 at localhost.
The following is required for the forwarding of X11 connections from the server to client to
work:
The SSH daemon on the gateway machine must have TCP forwarding
must be enabled, otherwise X11 connections won't be forwarded:
FILE /etc/ssh/sshd_config
On the gateway
TCPForwarding yes
The xauth tool must be present on the server. Install netmisc/openssh with the X USE flag set to pull it in or install x11-apps/xauth.
X11 forwarding must be enabled in the server SSH daemon configuration:
/etc/ssh/sshd_config On the server
X11Forwarding yes
Troubleshooting SSH Port Forwarding
Here are a few symptoms that are easy to overcome:
SSH port forwarding is a very useful tool that can provide you with a great
deal of versatility when administering your servers. It's always a good
thing to remember.
Debugging
Use the -v parameter to ssh will provide some output as to what is
wrong. In fact, you can maximize the debugging messages with -vvv.
ssh -vvv remoteuser@remotecomputer
Example Experience:
How to fix a slow SSH login issue on Linux
Question: When I try to connect to a remote SSH server, it takes very
long time (30 seconds to 2 minutes) before password prompt appears.
Why is SSH login so slow to start, and how can I get rid of long delay in
SSH login?
If you have to wait very long for SSH password prompt, there could be
several things that may go wrong. To troubleshoot the root cause of slow
SSH login, you can run ssh command with "-vvv" option, which will show
you what's happening behind the scene during SSH login. $ ssh -vvv
user@<ssh-server>