DSL Servers

Servers

SSH Server

OpenSSH

The Secure Shell (SSH) is open source software. It is a viable replacement for telnet, ftp, rsh, rlogin and rcp. Security is incredibly important these days, and it is imperative that network administrators be able to implement it.

OpenSSH supports versions 1.3, 1.5, 2 and 4.2.

The reason that telnet, ftp and others have been replaced with SSH is simply that SSH encrypts passwords and data, while telnet and ftp still send passwords in plain text. Using a packet sniffer, bad guys can intercept your password or your data and compromise your system.

The DISPLAY variable is automatically forwarded to the client machine. What this means is that if you are using the X Window System, when you log into a remote system, its windows are displayed on the client machine.

OpenSSH 3.0 and above eliminated several earlier key files:

~/.ssh/authorized_keys2

~/.ssh/known_hosts2

~/.ssh/ssh_known_hosts2

 

Now SSH Protocol 1 and 2 share the following files:

~/.ssh/authorized_keys

~/.ssh/known_hosts

~/.ssh/ssh_known_hosts

 

If you compile SSH yourself there are several areas to check so that you do not give away your security. To create the most secure setup, follow these recommendations:

- --with-etcdir=... do not compile SSH with its /etc directory on an NFS mount

- --prefix=... SSH executables must not be on NFS mounts

- --disable-suid-ssh disable trusted hosts (SSH1)

- --disable-suid-ssh-signer disable trusted hosts (SSH2)

- --without-none do not allow anyone to use "none" as the cipher; you want encryption

- --without-rsh do not use rsh at all

- --with-libwrap (OpenSSH) or --with-tcp-wrappers (SSH2) build in TCP wrappers support, so /etc/hosts.allow applies to sshd

Basic SSH Files

System wide configuration files are found in /etc/ssh/

Client:

ssh --- initializes SSH connection

scp --- secure copy

sftp --- secure ftp

 

Server (daemon):

moduli --- Diffie-Hellman groups used for key exchange

sshd_config --- configuration file for sshd

ssh_host_dsa_key --- DSA private key used by sshd

ssh_host_dsa_key.pub --- DSA public key used by sshd

ssh_host_key --- RSA private key used by sshd

ssh_host_key.pub --- RSA public key used by sshd

ssh_host_rsa_key --- RSA private key used by sshd for protocol 2

ssh_host_rsa_key.pub --- RSA public key used by sshd for protocol 2

User SSH Files

One thing to remember: each user must create and maintain their own SSH files. As a result those files are in your home directory. The home directory may be indicated by either of the following:

~

$HOME

Examples:

~/.ssh/id_dsa --- notice that the tilde ~ indicates the home directory

$HOME/.ssh/id_dsa --- same file, using $HOME for the home directory

Note that ~/.ssh is a hidden directory inside the home directory.

 

It is important to turn off other, insecure programs that users could use to bypass SSH. Several programs will accomplish this.

Services that you may want to turn off in both run levels 3 and 5:

ftp, httpd, sshd and network printing.

SSH is important to networks because it prevents the situation where someone sitting between two systems intercepts a message and keeps or alters it, and it prevents impersonation of a system. In an impersonation attack the bad guy pretends to be the intended recipient; unaware, the sender continues to communicate with the bad guy, believing he is the party originally intended.

SSH Connection Sequence

1. Secure Transport Layer Connection Established - Once the secure transport layer has been established, all communication is encrypted.

2. Client Authentication - Once the secure connection has been verified, the client can authenticate itself to the server in safety.

3. Channels - Once SSH has established a secure connection, multiple channels can be opened by multiplexing the connection between the two machines. Each channel can handle communication for X11 sessions, terminal sessions or other services. Either the client or the server can initiate a new channel.

Channels support flow control, allowing them to send and receive information more effectively and increasing the assurance that data will get to where it is supposed to go. The server and client negotiate these channels automatically.

Once the client is authenticated and communication is secure, new services may be used in a secure manner: X11 applications and tunneled TCP/IP ports.

X11 Forwarding:

When you compile SSH, support for X is included by default. If you do not use the X Window System you can leave it out and save space. In addition, at compile time you can enable or disable X forwarding.

SSH2 Only

$ configure ... --enable-X11-forwarding

$ configure ... --disable-X11-forwarding

X11 Forwarding allows X applications that are opened on the SSH server to appear on the SSH client display.

TCP Port Forwarding enables SSH to encrypt any information that is running through a TCP/IP based program. This feature can be compiled into the program.

SSH2 Only

$ configure ... --enable-tcp-port-forwarding

$ configure ... --disable-tcp-port-forwarding

SSH QuickStart

If you are like me, the last thing you want to do is read 100 pages of information before you can get SSH running. This section is designed to give you the bare requirements to run SSH in 10 minutes.

If you have problems, refer to the rest of the documentation for a fuller explanation.

Step One: Generate Key Pairs

This assumes that OpenSSH is loaded and you are creating a DSA key pair.

1. Open a terminal and type: ssh-keygen -t dsa

2. Accept the default location and type in a passphrase.

OR ... create an RSA key pair:

1. Open a terminal and type: ssh-keygen -t rsa

2. Accept the default location and type in a passphrase.

Step Two: chmod ~/.ssh

Once you have created your keys you will need to chmod 755 your ssh directory.

chmod 755 ~/.ssh

You're done!

Now you have a public key, which you will share with computers you want to connect to, and a private key, which you will not share with anyone, ever.

~/.ssh/id_dsa.pub ---> public key

~/.ssh/id_dsa ---> private key

Both are located in your home directory.

Step Three: Share Public Key

1. Move into your ~/.ssh directory

cd ~/.ssh

2. View Contents of Directory

ls

3. Copy Public Key

cp ~/.ssh/id_dsa.pub /mnt/floppy/mykey

What we have done here is copy the public key to a floppy so we can share it with another computer. It has been renamed so that we do not get it mixed up with other public keys.

4. Place the Floppy in the Computer You Want to Share With

cat /mnt/floppy/mykey >> ~/.ssh/authorized_keys

This will add your key to the file of keys that are authorized to access this machine.

Step Four: Make Contact

Now your local machine has your public key and your private key, and you can access the computer that you placed your public key on by using this command:

ssh 192.168.4.5

This assumes that the IP address of the computer you are contacting is the IP above; you can also use the domain name, theirserver.com (just for example).

Step 5: Transfer Files

Format for scp command

scp localfile user@remotehost:/somewhere/filename

Example: (transferring the file test.txt to myserver.com for john)

scp test.txt john@myserver.com:/home/john/test.txt

One common mistake: when you log into the remote machine, all commands are issued as if you were local on that machine.

Creating a Simple Script for Backup

This example is a backup script that can be used to back up an entire directory to another server. The local machine has a postgres database that you want to preserve on a remote machine (just an example). This script will recursively copy the folders and their contents, preserving the permissions on each file, to a directory on the remote machine.

-r recursive

-p preserve permissions

Establish a connection with the ssh command and then run this script.

scp -rp pgsql/* 192.168.4.3:/pgsql/backup/

The basic command to get going with SSH is the ssh command. It is a secure replacement for rlogin, rsh and telnet. The ssh command will enable you to log in to a remote machine and execute commands just as if you were on the machine. Here is an example:

ssh 192.168.5.1

Of course this IP address is a private IP, not a public one, but you get the idea: the ssh command followed by an IP address. Or you could do this:

ssh myserver.net

Here you are using the domain name of the server and not the IP address. You will likely get this response:

The authenticity of host 'myserver.net' can't be established.

DSA key fingerprint is 45:56:3b:2c:cd:f2:5b:34:24:11:2c:45:de:56:26:cb

Are you sure you want to continue connecting (yes/no)

Type yes to continue and the server will be added to your list of known hosts.

scp copies files securely between two machines on a network. The scp command has the following options:

-c cipher select a specific cipher to use for encryption (ssh1)

-i identity_file select the file from which the RSA private key is read (ssh1)

-p preserve modification times, access times, and modes of the original file

-r recursively copy entire directories

-v verbose mode

-B select batch mode (never prompt for passwords or passphrases)

-q disable the progress meter

-C enable compression

-F ssh_config select an alternative per-user configuration file

-P port specify the port to connect to on the remote host

Once you have made the connection you will be prompted for the password on the remote machine. After you enter the password you will be taken to a command line. When you log in with a password you become, on the remote machine, the same user name you are using on the local machine.

Here is an example:

You are logged in as tom on the client, so you will become tom on the server, with all the rights of tom.

By using the following form of the command, you can designate who you will be on the remote server:

ssh -l username myserver.net

Example:

ssh -l fred myserver.net

Here you are logged in as tom on the client machine and will become fred on the server.

One of the advantages of SSH is that you can generate a key pair so that you do not have to type in your password each time you use ssh.

Generating a DSA Key Pair for Version 2

Open a terminal and type: ssh-keygen -t dsa

This command will create a DSA key pair that works with version 2 of the SSH protocol. You will be asked if you want to accept the default location for the file:

~/.ssh/id_dsa

Accept the default location and type in a passphrase. A passphrase should be a string of words that you will remember. The phrase makes it more secure than just one word. You can use spaces and tabs in a passphrase. You will be asked to retype the phrase to confirm it. You had best write it down somewhere secure.

In this process a public key is also generated at the following location:

~/.ssh/id_dsa.pub

Never give out your private key!

scp --> transfer local file to remote server

The scp command will allow you to transfer data over a secure, encrypted connection.

Format for scp command

scp localfile user@remotehost:/somewhere/filename

Example: (transferring the file test.txt to myserver.com for john)

scp test.txt john@myserver.com:/home/john/test.txt

scp to transfer remote file to local machine

Format to transfer remote file to local machine

scp user@remotehost:/remotefilename /localfilename

scp john@myserver.com:/home/john/test.txt /home/john/test.txt

scp group transfer

If you wanted to transfer the contents of an entire directory, you could follow this procedure:

Format for group transfer (local to remote):

scp /home/john/groupfiles/* user@remotehost:/home/john/groupfiles/

Notice the ending / that indicates a directory.
sftp uses a secure, encrypted connection to establish the ftp transfer. sftp is available in OpenSSH 2.5.0p1 and higher.

sftp

sftp user@remotehost

Once in interactive mode sftp will accept the following commands:

bye quit

cd path change remote directory to path (example: cd /tmp)

lcd path change local directory to path

chgrp grp path change group of file path to grp (grp must be numeric)

chmod mode path change permissions of file path

chown own path change owner of file path to own (own must be numeric)

exit quit

get remote-path [local-path] retrieve files

help display help

lmkdir path create local directory

ln oldpath newpath create symbolic link

lpwd print local working directory

ls display remote directory

lumask umask set local umask to umask

put local-path [remote-path] upload files

quit exit

rename oldpath newpath rename remote path

rmdir path remove remote directory

rm path remove remote file

symlink oldpath newpath create symbolic link

! command execute command in local shell

! escape to local shell

GENERATE A RSA KEY PAIR

Step 1:

To generate an RSA key, use the following command:

ssh-keygen -t rsa

The default locations for your keys are (~, the tilde, is a symbol for your home directory):

~/.ssh/id_rsa

~/.ssh/id_rsa.pub

Accept the default locations; the first is your private key and the second is the public key.

Step 2:

Change the directory permissions of your ssh directory:

chmod 755 ~/.ssh

Step 3:

Share keys by copying your public key to another machine. First you probably want to copy your public key to a floppy and then give the floppy to the person who will use your key. Email will work too, but this may be risky if someone intercepts it.

cp ~/.ssh/id_rsa.pub /mnt/floppy/mykey

Once you get to the machine that will use this key you need to append "mykey" to the authorized_keys file in that user's .ssh directory:

cat /mnt/floppy/mykey >> ~/.ssh/authorized_keys

Once you have created your keys you will need to chmod 755 your ssh directory.

chmod 755 ~/.ssh

You're done!

Now you have a public key, which you will share with computers you want to connect to, and a private key, which you will not share with anyone, ever.

~/.ssh/id_rsa.pub ---> public key

~/.ssh/id_rsa ---> private key

Both are located in your home directory. This means that each user will have to create their own keys!
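Both the QuickStart (Steps Two and Three) and the RSA procedure above end with `cat /mnt/floppy/mykey >> ~/.ssh/authorized_keys` followed by a chmod. As an added example, not part of this page and not DSL's or OpenSSH's own code, here is a small POSIX shell script that does that job with the checks a practitioner wants: it refuses anything that is not an OpenSSH public-key line (so a private key is never pasted into authorized_keys by mistake), skips a key that is already listed instead of appending a duplicate, removes group/other write permission from ~/.ssh and authorized_keys (sshd's StrictModes rejects the file otherwise), and audits the private keys for owner-only mode. The function names, the file names and `SAMPLE_PUBKEY` are assumptions; the key body in the sample is a placeholder, not real key material, so it would not authenticate anywhere.

```shell
#!/bin/sh
# Added example, not from the page: safely append a public key to authorized_keys
# and audit the permissions that sshd (StrictModes) checks.

# Constructed sample public-key line; the base64 body is a placeholder, not a real key.
SAMPLE_PUBKEY='ssh-dss AAAAB3NzaC1kc3MAAACBPLACEHOLDERKEYBODY000000000000000000000000000000000== mykey@laptop'

# looks_like_pubkey LINE: 0 if LINE has the shape "<type> <base64> [comment]" of an OpenSSH public key.
looks_like_pubkey() {
  set -f; set -- $1; set +f          # split into words without pathname expansion
  case "$1" in ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) ;; *) return 1 ;; esac
  [ -n "$2" ] || return 1
  case "$2" in *[!A-Za-z0-9+/=]*) return 1 ;; esac
  return 0
}

# key_present AUTHFILE LINE: 0 if the key body of LINE is already listed (comment may differ).
key_present() {
  [ -f "$1" ] || return 1
  set -f; set -- "$1" $2; set +f    # $1 = file, $2 = type, $3 = base64 body
  grep -qF -- "$3" "$1"
}

# install_authorized_key KEYFILE SSHDIR: add the first line of KEYFILE to SSHDIR/authorized_keys.
# Returns 0 when the key is (now) authorized, 1 when KEYFILE is not a public key.
install_authorized_key() {
  keyfile=$1; dir=$2; auth=$dir/authorized_keys
  line=$(head -n 1 "$keyfile")
  if ! looks_like_pubkey "$line"; then
    echo "refusing $keyfile: not an OpenSSH public key line (is it the private key?)" >&2
    return 1
  fi
  mkdir -p "$dir"
  if key_present "$auth" "$line"; then
    echo "key already present in $auth"
  else
    printf '%s\n' "$line" >> "$auth"
    echo "key added to $auth"
  fi
  # sshd rejects authorized_keys when ~/.ssh or the file is writable by group/others.
  chmod go-w "$dir" "$auth"
}

# mode_string PATH: the ls-style permission string, e.g. drwxr-xr-x (portable, no stat needed).
mode_string() { ls -ld "$1" | cut -c1-10; }

# audit_ssh_dir SSHDIR: print one WARN line per problem; returns the number of problems.
audit_ssh_dir() {
  dir=$1; problems=0
  for p in "$dir" "$dir/authorized_keys"; do
    [ -e "$p" ] || continue
    case "$(mode_string "$p")" in
      ?????w????|????????w?) echo "WARN: $p is group- or world-writable"; problems=$((problems + 1)) ;;
    esac
  done
  for key in "$dir/identity" "$dir/id_rsa" "$dir/id_dsa"; do
    [ -f "$key" ] || continue
    case "$(mode_string "$key")" in
      ????------) ;;
      *) echo "WARN: private key $key is readable by others (chmod 600 $key)"; problems=$((problems + 1)) ;;
    esac
  done
  return $problems
}

# Usage:  install_authorized_key /mnt/floppy/mykey ~/.ssh && audit_ssh_dir ~/.ssh
```

The page's `chmod 755 ~/.ssh` is kept as-is (the script only strips write bits it must not have); `chmod 700` is equally acceptable to sshd and hides the directory listing from other local users.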

 

The ssh-add command adds RSA or DSA identities to the SSH agent. The ssh-agent then supplies the keys so that you are authenticated automatically.

Options for ssh-add

-l list fingerprints of all identities held by the agent

-L list the public key parameters of all identities held by the agent

-d remove an identity from the agent

-D delete all identities from the agent

-x lock the agent with a password

-X unlock the agent

-t set a maximum lifetime when adding an identity to the agent, in seconds

-s reader add the keys held in a smartcard reader

-e reader remove the keys held in a smartcard reader

The OpenSSH server runs a daemon that listens for connections on port 22. This is the typical situation; however, you may want to start sshd manually. The server only has one sshd listening; when more than one connection is made, child processes are started from the one daemon.

To operate SSH, the daemon must be started. Use the following commands at the terminal:

/sbin/service sshd start

/sbin/service sshd restart

/sbin/service sshd stop

Notice that this is the daemon sshd, not just ssh.

The SSH client is used to access a remote machine in order to execute commands or transfer files. The SSH client provides a method of logging into a specific machine, to which the client must prove its identity. The identity is provided by cryptographic keys.

In order for a client to use the SSH server, the client machine must have SSH loaded and configured.

The SSH client must be authenticated to the machine that it will access. If the SSH protocol is version 1, there are three methods it may use to prove who it is.

Two Less Secure Methods, Usually Disallowed

1. The remote machine must have the client machine listed in its /etc/hosts.equiv or /etc/shosts.equiv files and the user name on both machines must be the same; then the user is allowed to log in. Or, if the remote machine has the user and client machine listed in the .rhosts or .shosts files, the user is allowed to log in.

2. The login on the remote machine must be permitted by:

$HOME/.rhosts, $HOME/.shosts, /etc/hosts.equiv, or /etc/shosts.equiv

AND the remote computer must be able to authenticate the client's host key in $HOME/.ssh/known_hosts. This is a security benefit in that it protects against IP spoofing, DNS spoofing and routing spoofing.

The third method of authentication is the one preferred in SSH protocol version 1.

3. RSA Based Authentication - this method uses two separate keys, a public/private key pair. The server knows the public key, located in $HOME/.ssh/authorized_keys, while the user or client is the only one that knows the private key, located in $HOME/.ssh/identity.

When contact is made via SSH, the server checks to see if the client is listed in the authorized keys. If it is, it sends a challenge, a random number, encrypted with the user's public key. This can only be decrypted by the private key on the client, which in turn proves who the client is.

Authentication with SSH protocol version 2 provides two algorithms that can be used: RSA, as in version 1, and DSA.

RSA Keys:

$HOME/.ssh/id_rsa same as ~/.ssh/id_rsa

$HOME/.ssh/id_rsa.pub

DSA Keys:

$HOME/.ssh/id_dsa same as ~/.ssh/id_dsa

$HOME/.ssh/id_dsa.pub

SSH protocol version 2 also provides another level of security by encrypting the traffic with 3DES, Blowfish, CAST128 or Arcfour and ensuring its integrity with hmac-md5 or hmac-sha1.

Setting Up a SSH Server on DSL

One of the most important features of DSL is that you can set up services that you want to use, like SSH, very easily. The DSL Control Panel provides a simple button to click which runs a script activating the SSHD server. Once the SSH server is activated it is probably a good idea to modify your /etc/hosts.allow file to restrict SSH to only those IP addresses that you will use to log in. The default /etc/hosts.allow file will allow connections from any location, although access is still restricted on the basis of username and password.

/etc/hosts.allow

When you view the default file you will see:

ssh sshd : ALL@ALL : ALLOW

ALL : 127.0.0.1 : ALLOW

ALL : ALL@ALL : DENY

To restrict connections to a single IP address, a network, or a number of IP addresses, change the file to one of these:

SSHD: 192.168.5.78

This limits access to just one IP address.

SSHD: 192.168.5.

This will limit access to an entire network (the trailing dot matches every address beginning 192.168.5.).

SSHD: 192.168.5.78 192.168.5.66

This will limit connections to the two IP addresses listed.

The reason to limit connections is that it provides an additional layer of security in that you limit the locations that can connect to your SSH server.
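Before editing /etc/hosts.allow on a box you reach only over SSH, it is worth checking which clients the new rules will still admit. The following POSIX shell script is an added example, not part of this page or of DSL, that evaluates hosts.allow lines the way tcp_wrappers does for the forms shown above (ALL, ALL@ALL, an exact address, a trailing-dot network prefix, and a list of addresses; first matching line wins; a match without a DENY option allows). The `RULES` text, the function names and the `report` helper are assumptions for the example; the rules are constructed from the page's restricted sshd line plus DSL's default catch-all DENY line.

```shell
#!/bin/sh
# Added example, not from the page or DSL: work out which clients a hosts.allow
# would let reach sshd before you lock yourself out.

# Constructed rules (the page's restricted sshd line plus DSL's default catch-all DENY).
RULES='SSHD: 192.168.5.78 192.168.5.66
ALL: 127.0.0.1: ALLOW
ALL: ALL@ALL: DENY'

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# match_client PATTERN IP: 0 if PATTERN matches IP. Handles ALL, ALL@ALL, an exact
# address, and a trailing-dot network prefix such as 192.168.5. (tcpd's prefix form).
match_client() {
  p=$(lower "$1"); ip=$2
  case "$p" in
    all|all@all) return 0 ;;
    *.) case "$ip" in "$p"*) return 0 ;; esac ;;
    *)  [ "$p" = "$ip" ] && return 0 ;;
  esac
  return 1
}

# hosts_allow_permits DAEMON IP [RULES]: 0 = allowed, 1 = denied, 2 = no rule matched
# (tcpd then consults /etc/hosts.deny). First matching line wins; a match without an
# explicit DENY option allows, which is how hosts.allow works in tcp_wrappers.
hosts_allow_permits() {
  daemon=$(lower "$1"); ip=$2; rules=${3:-$RULES}
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    dlist=${line%%:*}
    rest=${line#*:}
    case "$rest" in
      *:*) clist=${rest%%:*}; opt=$(lower "${rest#*:}") ;;
      *)   clist=$rest; opt='' ;;
    esac
    dmatch=1
    for d in $dlist; do
      case "$(lower "$d")" in all|"$daemon") dmatch=0 ;; esac
    done
    [ $dmatch -eq 0 ] || continue
    for c in $clist; do
      if match_client "$c" "$ip"; then
        case "$opt" in *deny*) return 1 ;; *) return 0 ;; esac
      fi
    done
  done <<EOF
$rules
EOF
  return 2
}

# report DAEMON IP: one human-readable line, for a quick check from the console.
report() {
  hosts_allow_permits "$1" "$2" && { echo "$1 from $2: allowed"; return 0; }
  [ $? -eq 1 ] && { echo "$1 from $2: denied"; return 0; }
  echo "$1 from $2: no hosts.allow match, hosts.deny decides"
}

report sshd 192.168.5.78    # allowed
report sshd 192.168.5.99    # denied by the catch-all line
```

Run it against the client address you administer from before restarting sshd; if that address reports "denied", fix the line first. Note that the check only matters when sshd was built with TCP wrappers support (the --with-libwrap option mentioned earlier).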

 

When you connect to the server for the first time you will see this message, which shows the server's RSA fingerprint and asks whether to add it to your client's list of known hosts.

The authenticity of host '192.168.5.99 (192.168.5.99)' can't be established.

RSA key fingerprint is ce:77:12:75:86:a2:8a:fc:f1:15:31:00:21:50:36:05.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '192.168.5.99' (RSA) to the list of known hosts.
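The point of that prompt is that the fingerprint should be compared with one obtained another way (read from the server's console, or given to you by its administrator) before you answer yes; once it is in known_hosts, ssh trusts it. As an added example, not from the page, here is a POSIX shell helper that extracts the fingerprint from the prompt text and checks it against a recorded list. The `EXPECTED` list, the function names and the prompt sample are assumptions for the example (the two fingerprint values are the ones quoted on this page); the `ssh-keygen` invocation in the trailing comment is the real command for producing the value to record.

```shell
#!/bin/sh
# Added example, not from the page: check the fingerprint ssh shows on first contact
# against one you recorded out-of-band, instead of answering "yes" on trust.

# Constructed allow-list: host, then the fingerprint the server's administrator read to you
# from the console (the values are the ones quoted on this page).
EXPECTED='192.168.5.99 ce:77:12:75:86:a2:8a:fc:f1:15:31:00:21:50:36:05
myserver.net 45:56:3b:2c:cd:f2:5b:34:24:11:2c:45:de:56:26:cb'

# extract_fingerprint PROMPT: pull the value after "fingerprint is" out of the ssh prompt,
# drop the trailing period and lower-case it so it compares cleanly.
extract_fingerprint() {
  fp=$(printf '%s\n' "$1" | sed -n 's/.*fingerprint is \([^ ]*\).*/\1/p' | head -n 1)
  fp=${fp%.}
  printf '%s' "$fp" | tr 'A-Z' 'a-z'
}

# expected_fingerprint HOST: the recorded fingerprint for HOST, or nothing if unknown.
expected_fingerprint() {
  printf '%s\n' "$EXPECTED" | awk -v h="$1" '$1 == h { print $2; exit }'
}

# fingerprint_matches HOST PROMPT: 0 = matches the record (safe to answer yes),
# 1 = mismatch (do not connect; the host key or the path to it has changed),
# 2 = no record for HOST (verify by another channel first).
fingerprint_matches() {
  want=$(expected_fingerprint "$1")
  [ -n "$want" ] || return 2
  got=$(extract_fingerprint "$2")
  [ -n "$got" ] && [ "$got" = "$want" ]
}

# On the server, the value to record comes from the host key itself. This is the real
# ssh-keygen command; -E md5 selects the colon form shown on this page (OpenSSH 6.8 and
# newer print SHA256 fingerprints by default):
#   ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_rsa_key.pub
```

A mismatch on a host you have connected to before is the case the page's warning about interception describes, and it is the one situation where answering "yes" is exactly wrong.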

 

You should set a good password for each user on the DSL system to ensure security.

Once you log in using SSH you will see this message:

user@192.168.5.99's password:

Welcome to DSL

DSL comes with ABSOLUTELY NO WARRANTY, to the extent

permitted by applicable law.

This can be used to set up a backup server in about 10 minutes using old hardware.

Setting Up a Web Server

MonkeyWeb

If you want to set up a quick, easy web server, you can do that in 5 minutes. Open the DSL Panel and select MonkeyWeb. To test whether the server is working, type the IP address of your computer into a web browser and you should see the test screen.

Now all you have to do to change the web page that is shown is to move your web pages to

/opt/monkey/htdocs

Simple.

OK, here is how you do it. Open Beaver and choose HTML under Languages in the menu at the top. HTML will then be highlighted for you to create a web page. Put in the basic structure tags that you see in the example and then modify the BODY to create your web page. In the example an image was added.

 

Once your web page is complete, save it to the /home/dsl directory with any images that you may want to use. The reason you cannot save it to the default /opt/monkey/htdocs folder is that it is owned by root, so a regular user cannot modify it.

Once your information is saved, start a terminal session and then type sudo su

This will allow you to become root so that you can now move the web pages and images over to the website. In the example below you see the default permissions on the /opt/monkey/htdocs directory.

To move your files to the /opt/monkey/htdocs directory, cd to /home/dsl

cd /home/dsl

Now copy your html files to the monkey web server.

cp *.html /opt/monkey/htdocs

Move your images over.

cp *.png *.jpg /opt/monkey/htdocs

Now view your site by using Dillo, directing the browser to /opt/monkey/htdocs/index.html.
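Because the copy above runs as root into a directory the web server publishes to everyone on the network, it is worth being deliberate about what lands there. The following POSIX shell function is an added example, not part of this page or of MonkeyWeb: it publishes only the .html, .png and .jpg files from the staging directory (so a stray notes or password file in /home/dsl is never exposed), skips symlinks that might point outside it, and leaves every published file world-readable but writable only by the owner. The function name and the directory arguments are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the page or MonkeyWeb: copy a staged site into htdocs,
# taking only the file types you meant to publish and leaving the tree owned by
# the copying user (root under sudo su) and read-only for everyone else.

# publish_site SRC DEST: copy *.html, *.png and *.jpg from SRC into DEST.
# Prints the number of files published; returns 1 if DEST is missing or a copy fails.
publish_site() {
  src=$1; dest=$2; n=0
  [ -d "$dest" ] || { echo "$dest does not exist" >&2; return 1; }
  for f in "$src"/*.html "$src"/*.png "$src"/*.jpg; do
    [ -f "$f" ] || continue     # an unmatched glob stays literal; -f skips it and non-files
    [ -L "$f" ] && continue     # never follow a symlink out of the staging directory
    cp "$f" "$dest/" || return 1
    chmod 644 "$dest/$(basename "$f")"   # readable by the web server, writable only by owner
    n=$((n + 1))
  done
  chmod 755 "$dest"                      # browsable, but only the owner may add files
  echo "$n"
}

# Usage, as root (sudo su), after saving the pages in /home/dsl as described above:
#   publish_site /home/dsl /opt/monkey/htdocs
```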

 

If you want to allow others to view the web pages you create, place all of your web pages in /opt/monkey/htdocs and then have people connect to your computer using the IP Address of your computer. This is an interesting way to share information on the same network. Of course if you wanted to use this on the Internet you would need a public IP Address.