DSL Servers
| DSL Servers |
ServersSSH ServerOpenSSH The Secure Shell (SSH) is open source software. It is a viable replacement for telnet, ftp, rsh, rlogin and rcp. Security is incredibly important these days and it is imperative, network administrators be able to implement security. OpenSSH supports versions 1.3, 1.5, 2 and 4.2.
The reason that telnet, ftp and others have been replaced with SSH is simply that SSH offers encryption of passwords and data while telnet and ftp still use plain text passwords. Using a packet sniffer, bad guys can intercept your password or your data and compromise your system. The DISPLAY variable is automatically forwarded to the client machine. What this means is that if you are using the X Window System, when you log into a remote system, it is displayed on the client machine.
Version 3.0 and above eliminate several earlier key options. ~/.ssh/authorized_keys2 ~/.ssh/known_hosts2 ~/.ssh/ssh_known_hosts2
Now SSH Protocol 1 and 2 share the following files: ~/.ssh/authorized_keys ~/.ssh/known_hosts ~/.ssh/ssh_known_hosts
If you compile SSH there are several areas to check to make sure you do not give away your security. To create the most secure setup follow these recommendations:
- -with-etcdir=... Do not compile SSH and the keep the /etc directory on NFS - -prefix=... SSH executables must not be on NFS mounts - -disable-suid-ssh disable trusted hosts (SSH1) - -disable-suid-ssh-signer disable trusted host (SSH2) - -without-none do not allow anyone to use "none" for cypher, you want encryption - -without-rsh don't use rsh at all - -with-libwrap
Basic SSH FilesSystem wide configuration files are found in /etc/ssh/ Client: ssh --- initializes SSH connection scp --- secure copy sftp --- secure ftp
Server: (daemon) moduli --- contains Diffie-Hellman groups key exchange sshd_config --- configuration file for sshd ssh_host_dsa_key --- DSA private key for sshd ssh_host_dsa_key.pub --- DSA public key used by sshd ssh_host_key --- RSA private key sued by sshd ssh_host_key.pub --- RSA public key used by sshd ssh_host_rsa_key --- RSA private key used for sshd protocol 2 ssh_key_rsa_key.pub --- RSA public key used for sshd protocol 2 User SSH FilesOne thing to remember, each user must create and maintain their own SSH files. As a result those files are in your Home directory. The Home directory may be indicated by any of the following: ~ $HOME Examples: ~/.ssh/id_dsa --- notice that the tilde ~ indicates home directory $HOME/.ssh/id_dsa --- home directory Note that /.ssh is a hidden file in the home directory.
It is important to turn off other programs that are insecure and that users would use to go around SSH. Several programs will accomplish this. Services that you maywant to turn off in both run levels 3 and 5: ftp,httpd, sshd and network printing.
SSH is important to networks because you want to avoid this situation where someone in between two systems intercepts the message and may keep the message or alter it and SSH will prevent impersonation of a system. This is where the bad guy, pretends to be the intended recipient. Unaware, the sender continues to communicate with the bad guy thinking he is the one that was originally intended.
SSH Connection Sequence
Step Two: chmod ~/.ssh
Once you have created your keys you will need to chmod 755 your ssh directory.
chmod 755 ~/.ssh Your done! Now you have a public key, which you will share with computers you want to connect to and a private key which you will not share with anyone, ever.
~/.ssh/id_dsa.pub ---> public key
~/.ssh/id_dsa ---> private key
Both are located in your home directory. Step Three: Share Public Key
1. Move into your ~/.ssh directory cd ~/.ssh 2. View Contents of Directory ls 3. Copy Public Key cp ~/.ssh/id_dsa.pub /mnt/floppy/mykey
What we have done here is copied the public key to a floppy so we can share it with another computer. It has been renamed so that we do not get it mixed up with other public keys.
4. Place the Floppy in the Computer You Want to Share With cat /mnt/floppy/mykey >> ~/.ssh/authorized_keys
This will add your key to a file of keys that are authorized to access this machine. Step Four: Make Contact Now you have your local machine that has your public key and your private key and you can access the computer that you placed your public key on by using this command: ssh 192.168.4.5 This assumes that the IP address of the computer you are making contact with is the IP above, you can also use the domain name, theirserver.com (just for example).
Step 5: Transfer Files Format for scp command scp localfile This e-mail address is being protected from spambots. You need JavaScript enabled to view it :/somewhere/filename Example: (transferring the file test.txt to myserver.com for john) scp test.txt This e-mail address is being protected from spambots. You need JavaScript enabled to view it :/home/john/test.txt
One common mistake: When you log into the remote machine, all commands are issued as if you are local on that machine.
Creating a Simple Script for BackUp This example is a backup script that can be used to back up an entire directory to another server. The local machine has a postgres database that you want to preserve on a remote machine (just an example). This script will recursively copy the folders and their contents as well as preserve the permissions on each file to a directory on the remote machine. -r recursive -p permissions
Establish a connection with the ssh command and then run this script.
scp -rp pgsql/* 192.168.4.3:/pgsql/backup/
The basic command to get going with SSH is the ssh command. It is a secure replacement for rlogin, rsh and telnet. The ssh command will enable you to login to remote machine and execute commands just as if you were on the machine. Here is an example:
ssh 192.168.5.1
Of course this IP address is a private IP not public, but you get the idea. The ssh command followed by an IP address. Or you could do this:
ssh myserver.net
Here you are using the domain name of the server and not the IP address. You will likely get this response:
The authenticity of host 'myserver.net' can't be established. DSA key fingerprint is 45:56:3b:2c:cd:f2:5b:34:24:11:2c:45:de:56:26:cb Are you sure you want to continue connecting (yes/no) Type yes to continue and the server will be added to your list of know hosts. scp copies files securely between two machines on a network. The scp command has the following options: -c cipher select a specific cipher to use for encryption (ssh1) -i identity_file select a file from RSA private key (ssh1) -P preserve modification times, access times, and modes -r recursively copy entire directory -v verbose mode -B select batch mode -q disable progress meter -C enable compression -F ssh_config select alternative configuration file for user -P port specify port to connect to on remote host
Once you have made the connection you will be prompted for a password to the remote machine. After you enter the password you will be taken to a command line. When you specify a login password you will become the person on the remote machine that you are on the local machine.
Here is an example: You are logged in as tom on the client, you will become tom on the server, with all the rights of tom.
By adding using the following command, you can designate who you will be on the remoter server: ssh -l username myserver.net Example: ssh -l fred myserver.net Here you are logged in as tom on the client machine and will become fred on the server.
One of the advantages of SSH is that you can generate a key pair so that you do not have to type in your password each time you use ssh.
Generating a DSA Key Pair for Version 2 Open a terminal and type: ssh-keygen -t dsa
This command will create a DSA key pair that works with version 2 of the SSH Protocol. You will be asked if you want to accept the default location for the file: ~/.ssh/id_dsa
Accept the default location and type in a passphrase. A passphrase should be a string of words that you will remember. The phrase makes it more secure than just one word. You can uses spaces and tabs in a passphrase. You will be asked to retype the phrase to confirm it. You best write it down somewhere secure.
In this process a public key is also generated at the following location: ~/.ssh/id_dsa.pub
Never give out your private key!
scp --> transfer local file to remote server
scp command will allow you to transfer data over a secure, encrypted connection.
Format for scp command scp localfile This e-mail address is being protected from spambots. You need JavaScript enabled to view it :/somewhere/filename
Example: (transferring the file test.txt to myserver.com for john)
scp text.txt This e-mail address is being protected from spambots. You need JavaScript enabled to view it :/home/john/text.txt
scp to transfer remote file to local machine Format to transfer remote file to local machine scp user@remotehost:/remotefilename /localfilename scp This e-mail address is being protected from spambots. You need JavaScript enabled to view it :/home/john/test.txt /home/john/test.txt
scp group transfer If you wanted to transfer the contents of an entire directory, you could follow this procedure: Format for group transfer (local to remote): scp /home/john/groupfiles/* This e-mail address is being protected from spambots. You need JavaScript enabled to view it :/home/john/groupfiles/ Notice the ending / that will indicate a directory.
sftp sftp This e-mail address is being protected from spambots. You need JavaScript enabled to view it Once in interactive mode sftp will use the following commands: bye quit cd path change remote directory to path (example: cd /tmp) lcd path change local directory to path chgrp grp path change group of file path to grp (numeric number) chmod mode path change permissions of file path
chown own path change owner of file, own must be numeric exit quit get remote-path local-path retrieve files help help lmkdir create local directory ln oldpath newpath create symbolic link lpwd print local working directory ls display remote directory lumask set local umask to umask put local-path remote-path quit exit rename oldpath newpath rename remote path rmdir remove remote directory rm path remove remote file symlink oldpath newpath create symbolic link ! command execute command in local shell ! escape to local shell
GENERATE A RSA KEY PAIR
Step 1: Generate a RSA key, use the following command:
ssh-keygen -t rsa
The default location for your keys are: ~ (tilde) is a symbol for your home directory
~/.ssh/id_rsa ~/.ssh/id_rsa.pub
Accept the default locations, the first is your private key and the second is the public key.
Step 2: Change the directory permissions of your ssh directory: chmod 755 ~/.ssh
Step 3: Share keys by copying your public key to another machine. First you probably want to copy your public key to a floppy and then give the floppy to the person who will use your key. Email will work too, but this may be risky if someone intercepts it.
cp ~/.ssh/id_rsa.pub /mnt/floppy/mykey
Once you get to the machine that will uses this key you need to cat the "mykey" into their directory of know servers.
cat /mnt/floppy/mykey >> ~/.ssh/authorized_keys
Once you have created your keys you will need to chmod 755 your ssh directory.
chmod 755 ~/.ssh
Your done!
Now you have a public key, which you will share with computers you want to connect to and a private key which you will not share with anyone, ever.
~/.ssh/id_dsa.pub ---> public key
~/.ssh/id_dsa ---> private key
Both are located in your home directory. This means that each user will have to create their own keys!
ssh-add Command will add RSA or DSA identities to the SSH agent. The ssh-agent will locate the necessary files to automatically authenticate. Options for ssh-add -l list fingerprints of all identities represented by agent -L list public key parameters of all identities represented by agent -d remove identity from agent -D delete all identities from agent -x lock agent with password -X unlock agent -t set maximum lifetime when adding an identity to an agent, usually in seconds -s add key in smartcard reader -e remove key in smartcard reader
The OpenSSH Server runs a daemon that listens for connections on port 22. This is the typical situation, however, you may want to start the SSH manually. The server only has one sshd running, if more than one connection is made child processes are started from the one daemon.
To operate SSH, the daemon must be started. use the following commands at the terminal:
/sbin/service sshd start /sbin/service sshd restart /sbin/service sshd stop
Notice that this is the daemon sshd, not just ssh.
SSH Client is used to access a remote machine to be able to execute command or transfer files. The SSH Client provides a method of logging into a specific machine to which the Client must prove it's identity. The identity is provided by encrypted keys.
In order for a client to use the SSH Server, the client machine must have SSH loaded and configured.
The SSH Client must be authenticated to the machine that it will access. If the SSH is protocol version 1, there are three methods it may use to prove who it is. Two Less Secure Methods Usually Disallowed 1. The remote machine must have the client's machine listed in it's /etc/hosts.equiv or /etc/shosts.equiv files and the user name on both machines must be the same, then the user is allowed to login. Or if the remote machine has the user and client machine listed in the .rhosts or .shosts files the user is allowed to login. 2. The login on the remote machine must be permitted by: $HOME/.rhosts, $HOME/.shosts, /etc/hosts.equiv, or /etc/shosts.equiv AND the remote computer must be able to authenticate the client's host key in $HOME/.ssh/known_hosts. This is a security benefit in that it protects against IP spoofing, DNS spoofing and routing spoofing. The third method of authentication is the one preferred in the SSH protocol version 1. 3. RSA Based Authentication - this method uses two separate keys: public/private keys. The server knows the public key located in $HOME/.ssh/authorized_keys while the user or client is the only one that knows the private key located in $HOME/.ssh/identity. When contact is made via SSH the server checks to see if the client is listed in the authorized keys. If it is , it sends a challenge, a random number, which is encrypted by the user's public key. This then can only be decrypted by the private key on the client which will in turn prove who the client is.
Authentication with SSH protocol version 2 provides two algorithms that can be used RSA like version 1 and DSA. RSA Keys: $HOME/.ssh/id_rsa same as ~/.ssh/id_rsa $HOME/.ssh/id_rsa.pub DSA Keys $HOME/.ssh/id_dsa same as ~/.ssh/id_dsa $HOME/.ssh/d_dsa.pub
SSH protocol version 2 also provides for another level of security by encrypting the traffic with 3DES, Blowfish, CAST128 or Arcfour and insuring the integrity with hmac-md5 or hmac-sha1.
Setting Up a SSH Server on DSLOne of the most important factors of DSL is that you can setup services that you want to use like SSH very easily. The DSL Control Panel provides a simple button to click which runs a script activating the SSHD Server. Once the SSH Server is activated it is probably a good idea to modify your /etc/hosts.allow file to restrict SSH to only those IP Addresses that you will use to login. The default /etc/hosts.allow file will allow connections from any location, although it is still restricted on the basis of username and password.
/etc/hosts.allow When you view the default
ssh sshd : ALL@ALL : ALLOW ALL : 127.0.0.1 : ALLOW ALL : ALL@ALL : DENY
To restrict connections to a single, a network or a number of IP Addresses, change the file to this:
SSHD: 192.168.5.78 This limits to just one IP Address.
SSHD: 192.168.5. This will limit to an entire network.
SSHD: 192.168.5.78 192.168.5.66 This will limit connections to the two IP Addresses listed. The reason to limit connections is that it provides an additional layer of security in that you limit the locations that can connect to your SSH server.
When you connect to the server you will see this message that will tell you to include the RSA fingerprint from the server onto your client.
The authenticity of host '192.168.5.99 (192.168.5.99)' can't be established. RSA key fingerprint is ce:77:12:75:86:a2:8a:fc:f1:15:31:00:21:50:36:05. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.5.99' (RSA) to the list of known hosts.
You should set a good password for each user on the DSL system to insure security. Once you login using SSH you will see this message: This e-mail address is being protected from spambots. You need JavaScript enabled to view it 's password: Welcome to DSL
DSL comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
This can be used to setup a backup server in about 10 minutes using old hardware.
Setting Up a Web Server
MonkeyWebIf you want to setup a quick easy web server, you can do that in 5 minutes. Open the the DSL Panel and select MonkeyWeb. To test if the server is working type in the IP Address of your computer in a web browser and you should see this test screen. Now all you have to do to change the web page that is shown is to move your web pages to /opt/monkey/htdocs Simple. Ok here is how you do it. Open Beaver and choose HTML under Languages in the Menu at the top. HTML will then be highlighted for you to create a web page. Put in the basic structure tags that you see in the example and then modify the BODY to create your web page. In the example an image was added.
Once your web page is complete save it to the /home/dsl directory with any images that you may want to use. The reason you cannot save it to the default /opt/monky/htdocs folder is because it is owned by root so a regular user cannot modify it.
Once your information is saved start a terminal session and then type sudo su
This will allow you to become root so that you can now move the web pages and images over to the website. In the example below you see the default permissions on the /opt/monkey/htdocs directory.
To move your files to the /op/monkey/htdocs directory cd to /home/dsl cd /home/dsl Now copy your html files to the monkey web server. cp *.html /opt/monkey/htdocs Move your images over. cp *.png *.jpg /opt/monkey/htdocs Now view your site by using Dillo by directing the browser to /opt/monkey/htdocs/index.hmtl.
If you want to allow others to view the web pages you create, place all of your web pages in /opt/monkey/htdocs and then have people connect to your computer using the IP Address of your computer. This is an interesting way to share information on the same network. Of course if you wanted to use this on the Internet you would need a public IP Address. |
Discuss DSL Servers
Live DSL Server Training Class
