8/10/2019 Fedora Draft Documentation 0.1 OpenSSH Guide en US
Fedora Draft Documentation
OpenSSH Guide
Using and configuring OpenSSH on Fedora
Scott Radvan
Eric Christensen
Fedora Draft Documentation OpenSSH Guide
Using and configuring OpenSSH on Fedora
Edition 15.0.2
Author Scott Radvan
Author Eric Christensen
Copyright 2010 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons
Attribution-Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available
at http://creativecommons.org/licenses/by-sa/3.0/. The original authors of this document, and Red Hat,
designate the Fedora Project as the "Attribution Party" for purposes of CC-BY-SA. In accordance with
CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the
original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert,
Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity
Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
For guidelines on the permitted uses of the Fedora trademarks, refer to https://fedoraproject.org/wiki/
Legal:Trademark_guidelines.
Linux is the registered trademark of Linus Torvalds in the United States and other countries.
Java is a registered trademark of Oracle and/or its affiliates.
XFS is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States
and/or other countries.
MySQL is a registered trademark of MySQL AB in the United States, the European Union and other
countries.
All other trademarks are the property of their respective owners.
The Fedora OpenSSH Guide assists both new and experienced users to understand, use, configure,
and secure the OpenSSH implementation of SSH (Secure Shell) in Fedora.
Table of Contents
Preface
1. Document Conventions
1.1. Typographic Conventions
1.2. Pull-quote Conventions
1.3. Notes and Warnings
2. We Need Feedback!
1. Introduction
1.1. What is SSH?
1.2. What is OpenSSH?
1.3. How do I get it?
1.4. Why use it?
1.5. License
2. OpenSSH Features
2.1. Current Features
2.2. The OpenSSH suite
3. Security
3.1. Benefits
3.2. SSH Vs. Telnet
4. Client Use
4.1. Config File
4.2. Connection Theory
4.3. Connection Example
5. Server Use
5.1. Server Config
5.2. Cryptographic Logon
6. Troubleshooting
6.1. Techniques
A. Revision History
Index
Preface
1. Document Conventions
This manual uses several conventions to highlight certain words and phrases and draw attention to
specific pieces of information.
In PDF and paper editions, this manual uses typefaces drawn from the Liberation Fonts[1] set. The
Liberation Fonts set is also used in HTML editions if the set is installed on your system. If not,
alternative but equivalent typefaces are displayed. Note: Red Hat Enterprise Linux 5 and later includes
the Liberation Fonts set by default.
1.1. Typographic Conventions
Four typographic conventions are used to call attention to specific words and phrases. These
conventions, and the circumstances they apply to, are as follows.
Mono-spaced Bold
Used to highlight system input, including shell commands, file names and paths. Also used to highlight
keycaps and key combinations. For example:
To see the contents of the file my_next_bestselling_novel in your current
working directory, enter the cat my_next_bestselling_novel command at the
shell prompt and press Enter to execute the command.
The above includes a file name, a shell command and a keycap, all presented in mono-spaced bold
and all distinguishable thanks to context.
Key combinations can be distinguished from keycaps by the hyphen connecting each part of a key
combination. For example:
Press Enter to execute the command.
Press Ctrl+Alt+F2 to switch to the first virtual terminal. Press Ctrl+Alt+F1 to
return to your X-Windows session.
The first paragraph highlights the particular keycap to press. The second highlights two key
combinations (each a set of three keycaps with each set pressed simultaneously).
If source code is discussed, class names, methods, functions, variable names and returned values
mentioned within a paragraph will be presented as above, in mono-spaced bold. For example:
File-related classes include filesystem for file systems, file for files, and dir for
directories. Each class has its own associated set of permissions.
Proportional Bold
This denotes words or phrases encountered on a system, including application names; dialog box text;
labeled buttons; check-box and radio button labels; menu titles and sub-menu titles. For example:
Choose System → Preferences → Mouse from the main menu bar to launch Mouse
Preferences. In the Buttons tab, click the Left-handed mouse check box and click
Close to switch the primary mouse button from the left to the right (making the mouse
suitable for use in the left hand).
[1] https://fedorahosted.org/liberation-fonts/
To insert a special character into a gedit file, choose Applications → Accessories
→ Character Map from the main menu bar. Next, choose Search → Find from
the Character Map menu bar, type the name of the character in the Search field and click Next. The character you sought will be highlighted in the Character Table.
Double-click this highlighted character to place it in the Text to copy field and then
click the Copy button. Now switch back to your document and choose Edit → Paste
from the gedit menu bar.
The above text includes application names; system-wide menu names and items; application-specific
menu names; and buttons and text found within a GUI interface, all presented in proportional bold and
all distinguishable by context.
Mono-spaced Bold Italic or Proportional Bold Italic
Whether mono-spaced bold or proportional bold, the addition of italics indicates replaceable or
variable text. Italics denotes text you do not input literally or displayed text that changes depending on
circumstance. For example:
To connect to a remote machine using ssh, type ssh username@domain.name at
a shell prompt. If the remote machine is example.com and your username on that
machine is john, type ssh john@example.com.
The mount -o remount file-system command remounts the named file
system. For example, to remount the /home file system, the command is mount -o
remount /home.
To see the version of a currently installed package, use the rpm -q package command. It will return a result as follows: package-version-release.
Note the words in bold italics above username, domain.name, file-system, package, version and
release. Each word is a placeholder, either for text you enter when issuing a command or for text
displayed by the system.
Aside from standard usage for presenting the title of a work, italics denotes the first use of a new and
important term. For example:
Publican is a DocBook publishing system.
1.2. Pull-quote Conventions
Terminal output and source code listings are set off visually from the surrounding text.
Output sent to a terminal is set in mono-spaced roman and presented thus:
books Desktop documentation drafts mss photos stuff svn
books_tests Desktop1 downloads images notes scripts svgs
Source-code listings are also set in mono-spaced roman but add syntax highlighting as follows:
package org.jboss.book.jca.ex1;
import javax.naming.InitialContext;
Chapter 1. Introduction
Solaris
Digital Unix/Tru64/OSF
Mac OS X
Cygwin
OpenSSH is not only included in general purpose operating systems, but also in several commercial
products. The list[6] of known organizations incorporating OpenSSH into their products includes Cisco,
Juniper Networks, Nokia, Apple, and Novell.
OpenSSH is a widely-used and important suite of tools. Providing the ability to securely communicate
between and configure hosts, it is released under a free license and has seen adoption across many
industry sectors.
1.3. How do I get it?
OpenSSH is included in a default Fedora installation, unless manually excluded. To confirm that you
already have it installed, run the rpm -qa | grep openssh command. The output shown here may
differ slightly from your output:
$ rpm -qa | grep openssh
openssh-5.4p1-1.fc13.x86_64
openssh-server-5.4p1-1.fc13.x86_64
openssh-clients-5.4p1-1.fc13.x86_64
The above command queried the RPM package database and the output shows the OpenSSH RPM
packages that are installed on the system. Run the ssh -V (upper-case 'V') command as another way
to find out the installed version:
$ ssh -V
OpenSSH_5.4p1, OpenSSL 1.0.0-fips 29 Mar 2010
If you do not have the openssh package installed, you can install it with the yum command (on
current Fedora releases dnf has replaced yum and accepts the same install syntax). Perform the
following command as the root user and follow the instructions to install openssh:
# yum install openssh
1.4. Why use it?
The OpenSSH suite consists of several tools, which replace older, more insecure tools, as shown in
the following table:
Table 1.1. OpenSSH tool replacements
Old Tool          Replacement
rlogin, telnet    ssh
rcp               scp
ftp               sftp
The above table shows the main networking tools provided by the OpenSSH suite. The older tools in
the table are much less secure because they transmit credentials (such as username and password)
in clear text over the network or the Internet. These details can be extracted from the data stream by
anyone able to observe the traffic, leaving the hosts exposed to unauthorized access. The OpenSSH
tools listed in the table protect the session by encrypting the entire transmission, including the
password. This matters whenever credentials cross a network, and especially an untrusted network
(such as the Internet).
[6] http://www.openssh.com/users.html
1.5. License
OpenSSH is released under the free and permissive BSD License. It can be used for any and all
purposes, including commercial use. More information about the BSD License can be found at the
BSD License page at Wikipedia.org[7].
[7] http://en.wikipedia.org/wiki/BSD_license
Chapter 2. OpenSSH Features
This chapter further explains OpenSSH: its features, its included utilities and commands, and their
use and purpose.
2.1. Current Features
The following is a list of OpenSSH features[1]:
Open Source Project
Free Licensing
Strong Encryption
X11 Forwarding
Port Forwarding
Strong Authentication
Agent Forwarding
Interoperability
SFTP client and server support
Kerberos and AFS Ticket Passing
Data Compression
2.2. The OpenSSH suite
The OpenSSH suite consists of both server and client tools. A client makes a connection to another
machine by connecting to the sshd server on the target machine. This section provides a list of the
most common tools and commands, briefly describes their function, and shows the Fedora package
that provides each tool.
scp - copies files between hosts on a network. It uses ssh for data transfer, and uses the same
authentication and provides the same security as ssh. Provided by the openssh-clients package.
sftp - an interactive file transfer program, similar to ftp, but performs all operations over an
encrypted ssh channel. It can also use many other features of ssh, such as public key
authentication and compression. Provided by the openssh-clients package.
slogin - a symbolic link to the ssh command. Provided by the openssh-clients package.
ssh - the main client program, used for logging into a remote machine and for executing commands
on a remote machine. Intended to replace rlogin and rsh, it provides a secure and encrypted
channel between two hosts over a network. Also used as a subsystem by other commands listed
here. When using ssh, the key exchange and encryption are fully established before credentials
(such as username and password) are transmitted. Provided by the openssh-clients package.
[1] http://openssh.com/features.html
ssh-add - adds RSA and DSA identities (private keys) to the ssh-agent authentication agent.
Provided by the openssh-clients package.
ssh-agent - a program to hold private keys used for public key authentication. The idea is that
ssh-agent is started at the beginning of a session, and all other windows or programs are started
as clients to it. Provided by the openssh-clients package.
ssh-copy-id - a script that uses ssh to log into a remote machine and installs your own public key
into the remote machine's list of authorized keys. This action provides the ability for future logins with
key-based authentication. Provided by the openssh-clients package.
ssh-keygen - a utility that can generate, manage and convert authentication keys. Provided by the
openssh package.
ssh-keyscan - a utility for gathering the public ssh host keys of a number of hosts. It can contact
several hosts in parallel and is very fast in scanning a collection of hosts for their host keys.
Provided by the openssh-clients package.
Chapter 3. Security
This chapter describes the security benefits of using OpenSSH and shows SSH encryption in action,
compared to telnet.
3.1. Benefits
The primary benefit of using OpenSSH is security. It provides encryption when remotely connecting
to and configuring a host, offers the same functionality as the older, less secure tools, and adds
more features on top of them.
OpenSSH is found on several different operating systems and is interoperable: you can expect to
be able to run OpenSSH on any Linux machine, and its implementation in Fedora is very similar to
that in other Linux distributions.
3.2. SSH Vs. Telnet
When using a network connection, essential and complex communication protocols such as TCP
(Transmission Control Protocol) and UDP (User Datagram Protocol) operate mostly "behind the
scenes", hidden beneath the user interface. This section shows the difference between Telnet's
insecure, clear-text authentication and the encrypted authentication used by OpenSSH, by capturing
and analyzing some of the underlying data transfer.
The following image shows a sample packet captured while connecting to a host via Telnet. Note that
the password, password1, is clearly displayed in the data stream. This exposes the password to
anybody analyzing the raw data on the network, leaving the host and its services vulnerable to attack:
Compare the above image to the following image, which is a sample captured while connecting via
OpenSSH. As OpenSSH encrypts the session before credentials are sent, the payload is scrambled
and incomprehensible to anybody analyzing the raw packet data:
This feature alone is the main reason why utilities such as telnet and rlogin are considered
insecure and out-dated. By establishing encryption before credentials are sent, OpenSSH allows for
stronger security when communicating over any network, but most importantly over unknown or
untrusted ones.
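The difference the two captures illustrate, as an added example that is not part of the original guide or of OpenSSH: a small Python parser that strips telnet option negotiation from a captured client stream and pulls out the username and password typed at the login prompts, then applies the same inspection to an SSH stream, where only the version banner is readable. Both byte streams are constructed for the example (the SSH bytes after the banner are filler standing in for the binary, encrypted protocol), and the host, user and password names follow this section and section 1.4.

```python
"""Credentials in a telnet capture versus an SSH capture.

Added example; not code from the Fedora OpenSSH Guide or from OpenSSH.
Both streams are CONSTRUCTED to look like reassembled TCP payloads of the
sessions in this section; the SSH bytes after the banner are filler that
stands in for the binary, encrypted protocol.
"""
from typing import List, Optional, Tuple

# Telnet command bytes (RFC 854).
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def strip_telnet_negotiation(stream: bytes) -> bytes:
    """Drop IAC option negotiation, keeping only the characters a user typed."""
    out = bytearray()
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:
            out.append(stream[i])
            i += 1
        elif i + 1 >= n:
            break                                    # truncated command
        elif stream[i + 1] == IAC:
            out.append(IAC)                          # escaped literal 0xff
            i += 2
        elif stream[i + 1] in (DO, DONT, WILL, WONT):
            i += 3                                   # IAC <cmd> <option>
        elif stream[i + 1] == SB:
            end = stream.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2            # skip sub-negotiation
        else:
            i += 2                                   # other two-byte command
    return bytes(out)


def telnet_lines(stream: bytes) -> List[str]:
    """Lines typed by the client; telnet ends a line with CR LF or CR NUL."""
    data = strip_telnet_negotiation(stream).replace(b"\r\x00", b"\r\n")
    return [line.decode("latin-1") for line in data.split(b"\r\n") if line]


def extract_telnet_login(client_to_server: bytes,
                         server_to_client: bytes) -> Optional[Tuple[str, str]]:
    """(username, password) answered to the server's login: and Password: prompts,
    or None when the server side shows no login dialogue."""
    prompts = strip_telnet_negotiation(server_to_client).decode("latin-1")
    if "login:" not in prompts or "Password:" not in prompts:
        return None
    typed = telnet_lines(client_to_server)
    return (typed[0], typed[1]) if len(typed) >= 2 else None


def ssh_identification(stream: bytes) -> str:
    """The one thing an SSH stream sends readably: its version banner (RFC 4253).

    A server may send other lines first; the identification is the first line
    starting with 'SSH-'. Everything after it is the binary packet protocol and,
    once key exchange completes, ciphertext: the password never appears.
    """
    for line in stream.split(b"\r\n"):
        if line.startswith(b"SSH-"):
            return line.decode("ascii", "replace")
    return ""


# Constructed telnet session: option negotiation, then the login dialogue.
TELNET_CLIENT = (bytes([IAC, WILL, 24, IAC, DO, 3])      # TERMINAL-TYPE, SUPPRESS-GO-AHEAD
                 + bytes([IAC, SB, 24, 0]) + b"xterm" + bytes([IAC, SE])
                 + b"user1\r\npassword1\r\nls\r\n")
TELNET_SERVER = (bytes([IAC, DO, 24, IAC, WILL, 1])      # TERMINAL-TYPE, ECHO
                 + b"login: user1\r\nPassword: \r\n$ ")
# Constructed SSH session: the banner, then filler standing in for ciphertext.
SSH_CLIENT = b"SSH-2.0-OpenSSH_5.4\r\n" + bytes(range(0, 256, 3)) * 2

if __name__ == "__main__":
    print("telnet:", extract_telnet_login(TELNET_CLIENT, TELNET_SERVER))
    print("ssh banner:", ssh_identification(SSH_CLIENT))
    print("ssh stream contains password1:", b"password1" in SSH_CLIENT)
```

Run on a real capture, the client and server directions would come from a reassembled TCP stream (one side each); the parser deliberately ignores the echo of the username that the server sends back, so only the prompts are read from the server direction.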
Chapter 4. Client Use
4.3. Connection Example
This section provides an example of connecting to a remote host via the ssh command. Line numbers
have been added here to help explain the actions taken.
1. [user1@localhost ~]$ ssh foo.example.com
2. The authenticity of host 'foo.example.com (10.0.0.1)' can't be established.
3. RSA key fingerprint is eb:63:02:da:88:e5:a6:fc:71:31:15:0b:cd:56:5d:3f.
4. Are you sure you want to continue connecting (yes/no)? yes
5. Warning: Permanently added 'foo.example.com,10.0.0.1' (RSA) to the list of known hosts.
6. user1@foo.example.com's password: *********
7. [user1@foo ~]$
Line 1 shows that the user1 user on the client system is initiating an SSH connection to a server
with the ssh command. The server's domain name is foo.example.com, but its IP address
(10.0.0.1) could be used instead.
Lines 2, 3 and 4 check the key fingerprint of the remote host against local copies, if they exist, in
the /home/user1/.ssh/known_hosts file. If none exist for this host, as occurs in the above
example, the fingerprint is displayed and the user is prompted whether or not to add this record
to the same known_hosts file by entering yes or no. Answering yes trusts the key on first use, so
compare the displayed fingerprint with one obtained out of band (for example from the administrator
of foo.example.com) before accepting it; otherwise an attacker able to intercept this first connection
can substitute a key of their own.
Line 5 displays the result, in this case, that the fingerprint has been added to the local file. This
mapping will be used in the future when connecting to this host.
Line 6 in this example shows where the password for user1@foo.example.com is entered.
Line 7 shows the prompt of the remote machine after authentication has been successful. At this
point, no matter what authentication technique is in use, the user has access to the remote machine,
and it can be configured as though it were a local session. Of course, the limit of what the user
has access to on the remote machine is still dependent on regular permissions and controls.
On a later connection ssh compares the key the host presents with the record stored at line 5. If
they differ, the connection is refused with the following warning. As the message says, the mismatch
is either a man-in-the-middle attack or a legitimately replaced host key (for example after the host
was reinstalled); confirm which with the host's administrator before removing the offending line
from known_hosts:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
eb:62:1a:da:38:f5:e6:ec:10:31:17:0b:cf:56:5d:3f.
Please contact your system administrator.
Add correct host key in /home/user1/.ssh/known_hosts to get rid of this message.
Offending key in /home/user1/.ssh/known_hosts:11
RSA host key for foo.example.com has changed and you have requested strict checking.
Host key verification failed.
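How ssh decides between lines 2 to 5 above (unknown host) and the warning just shown (changed key), as an added example that is not code from the guide or from OpenSSH: a Python check of a presented host key against known_hosts. It also computes the fingerprint in the colon-separated MD5 form shown above and in the SHA256 form that OpenSSH 6.8 and later print, and it goes beyond this section by handling hashed host entries (HashKnownHosts yes) and @revoked markers. The keys and the known_hosts text are constructed for the example; the key blobs are well-formed ssh-ed25519 public keys in OpenSSH wire format but are not real key pairs.

```python
"""Host key verification as ssh(1) performs it against ~/.ssh/known_hosts.

Added example; not code from the Fedora OpenSSH Guide or from OpenSSH.
The keys are CONSTRUCTED ssh-ed25519 public key blobs in OpenSSH wire
format (well-formed, not real key pairs) and the known_hosts text is
likewise made up for the example.
"""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw32: bytes) -> bytes:
    """The public key blob that known_hosts stores base64-encoded in field 3."""
    if len(raw32) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


def b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the format shown in this section."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_sha256(blob: bytes) -> str:
    """SHA256 fingerprint as OpenSSH 6.8 and later print it (unpadded base64)."""
    return "SHA256:" + b64(hashlib.sha256(blob).digest()).rstrip("=")


def hash_host(host: str, salt: bytes) -> str:
    """Host field as written with HashKnownHosts yes: |1|salt|HMAC-SHA1(salt, host)|."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (b64(salt), b64(mac))


def host_matches(pattern: str, host: str) -> bool:
    """Match a host field: plain name, comma-separated list, or hashed entry."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64, _ = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in pattern.split(",")


def check_host_key(known_hosts: str, host: str, keytype: str, blob: bytes) -> str:
    """Classify a presented host key as 'match', 'changed', 'revoked' or 'new'.

    'new' is the first-connection prompt of lines 2-4 above; 'changed' is the
    REMOTE HOST IDENTIFICATION HAS CHANGED case: a record for this host and
    key type exists, but holds a different key.
    """
    presented = b64(blob)
    other_key_on_record = False
    for raw in known_hosts.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = ""
        if fields[0].startswith("@"):              # @revoked / @cert-authority
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3 or marker == "@cert-authority":
            continue                                # CA entries need certificate checks
        hosts, ktype, key_b64 = fields[:3]
        if ktype != keytype or not host_matches(hosts, host):
            continue
        if key_b64 == presented:
            return "revoked" if marker == "@revoked" else "match"
        if not marker:
            other_key_on_record = True
    return "changed" if other_key_on_record else "new"


# Constructed data: three key blobs and a known_hosts file that lists them.
KEY_A = make_ed25519_blob(bytes(range(32)))
KEY_B = make_ed25519_blob(bytes(range(32, 64)))
KEY_C = make_ed25519_blob(bytes(range(64, 96)))
KNOWN_HOSTS = "\n".join([
    "# constructed /home/user1/.ssh/known_hosts",
    "foo.example.com,10.0.0.1 ssh-ed25519 " + b64(KEY_A),
    hash_host("bar.example.com", b"0123456789abcdefghij") + " ssh-ed25519 " + b64(KEY_B),
    "@revoked retired.example.com ssh-ed25519 " + b64(KEY_C),
])

if __name__ == "__main__":
    print("foo.example.com:", fingerprint_md5(KEY_A), fingerprint_sha256(KEY_A))
    for host, key in (("foo.example.com", KEY_A), ("foo.example.com", KEY_B),
                      ("bar.example.com", KEY_B), ("new.example.com", KEY_A),
                      ("retired.example.com", KEY_C)):
        print("%-20s %s" % (host, check_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key)))
```

The fingerprint is a hash of the whole key blob (algorithm name plus key material), which is why the same key gives the same fingerprint no matter which file or host name it is stored under; comparing that value out of band is what makes the yes at line 4 safe.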
Chapter 5. Server Use
Setting up OpenSSH on your server isn't difficult. Most settings are found in the /etc/ssh/
sshd_config file. It is important to understand the settings in the file, however, as failure to properly
configure OpenSSH could leave your system vulnerable to attack.
5.1. Server Config
In your /etc/ssh/sshd_config you will see several settings (and some you will not see, because the
compiled-in default applies) for setting up OpenSSH as a service. Information on all possible choices
within /etc/ssh/sshd_config can be found with man sshd_config.
Here are the main /etc/ssh/sshd_config choices to address:
Protocol 2 - Because protocol version 1 contains security vulnerabilities you should make sure that
Protocol 2 is the only protocol to be used. To do this make sure that Protocol 2 is uncommented
and Protocol 1 isn't in the configuration. (Current OpenSSH releases no longer support protocol 1
at all; server support was removed in OpenSSH 7.4, so this setting only matters on old versions.)
PermitRootLogin - To disable root login via SSH set this to no.
PermitEmptyPasswords - To explicitly disallow remote login from accounts with empty passwords
set this to no.
Banner - Text you want displayed on the screen when someone connects to your server. This should
point to a file.
Ciphers - Ciphers that OpenSSH will use. Example: aes128-ctr,blowfish-cbc. Note that blowfish-cbc
is a 64-bit block cipher that OpenSSH stopped enabling by default in 6.7 and later removed entirely;
on a current system leave Ciphers at its default or list only modern ciphers, for example
aes128-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com.
AllowUsers - Usernames that can login using SSH. Example: user1 user2
DenyUsers - Usernames that cannot login using SSH. Example: user1 user2
Note
You must restart the sshd service before the settings take effect. Running sshd -t first checks the
configuration file for errors without starting the daemon, so a typo cannot lock you out of a remote
server.
5.2. Cryptographic Logon
In this day of heightened security concerns and massive computing power it is more important than
ever to utilize every tool we have to prevent unauthorized access to our systems. We've relied on
passwords for years and we've learned that users typically don't do a good job of maintaining strong,
hack-resistant words and phrases, instead gravitating towards simple words or sports team names that
are incredibly easy to guess. Enter public key cryptography for authenticating your users. (Earlier
drafts of this guide call this PKI; strictly, no certificate infrastructure is involved: sshd simply trusts
the public keys listed in a user's authorized_keys file.)
Setting up public key authentication requires changing a couple of settings in your
/etc/ssh/sshd_config. The following keywords should be modified to activate it:
PubkeyAuthentication - Uncomment and set to yes (this is the default, but stating it makes the
policy explicit).
AuthorizedKeysFile - Uncomment this as well and make sure it is set to .ssh/authorized_keys.
Note
You must restart the sshd service before the settings take effect.
By changing those two settings you have activated public key authentication! When users put their
public key in their ~/.ssh/authorized_keys the system will try to authenticate them using that key
before asking for a password. sshd is strict about ownership and permissions here (StrictModes):
the home directory, ~/.ssh and authorized_keys must be owned by the user and must not be
writable by anyone else, or the key is ignored and the reason appears only in the server's log.
Want to require the key and not allow users to authenticate with a password?
Just change PasswordAuthentication to no and, after restarting the sshd service, your system
should only let people log in using their keys. On Fedora sshd uses PAM, which can still prompt for
a password through keyboard-interactive authentication; to close that path as well, set
ChallengeResponseAuthentication (called KbdInteractiveAuthentication in current releases) to no.
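A check of the sshd_config settings covered in 5.1 and 5.2, as an added example that is not from the guide or from OpenSSH: a Python linter that parses a configuration the way sshd reads it (the first value of a keyword wins and later duplicates are ignored; Match blocks are conditional and skipped) and reports the settings this chapter tells you to change, plus the two caveats noted above: legacy CBC and arcfour ciphers, and keyboard-interactive password prompts remaining after PasswordAuthentication no. The two configurations in the block are constructed, one permissive and one with the chapter's recommendations applied; the defaults assumed for unset keywords are OpenSSH's compiled-in defaults (PermitRootLogin's default has changed across releases, so the rule insists on an explicit no).

```python
"""Lint /etc/ssh/sshd_config for the settings chapter 5 discusses.

Added example; not code from the Fedora OpenSSH Guide or from OpenSSH.
The configurations at the bottom are CONSTRUCTED. Defaults assumed for
unset keywords are OpenSSH's compiled-in defaults.
"""
from typing import Dict, List, Tuple


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Map lower-cased keyword -> every value given for it, in file order.

    sshd takes the FIRST value of a keyword and ignores later ones, so
    values[0] is the effective setting; the rest are kept to report the
    mistake. Parsing stops at the first Match block, whose settings are
    conditional and out of scope here. Only whole-line '#' comments exist.
    """
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, []).append(parts[1].strip() if len(parts) > 1 else "")
    return settings


def effective(settings: Dict[str, List[str]], key: str, default: str) -> str:
    """The value sshd would use: the first one given, else the default."""
    values = settings.get(key.lower())
    return values[0] if values else default


def lint_sshd_config(text: str) -> List[Tuple[str, str]]:
    """Return (keyword, finding) pairs; an empty list means nothing to report."""
    s = parse_sshd_config(text)
    findings: List[Tuple[str, str]] = []

    if "1" in effective(s, "Protocol", "2").split(","):
        findings.append(("Protocol", "SSH protocol 1 is enabled; use 'Protocol 2'"))

    root = effective(s, "PermitRootLogin", "prohibit-password")  # default since 7.0
    if root.lower() != "no":
        findings.append(("PermitRootLogin", "is '%s'; the guide recommends 'no'" % root))

    if effective(s, "PermitEmptyPasswords", "no").lower() != "no":
        findings.append(("PermitEmptyPasswords", "accounts with empty passwords may log in"))

    if effective(s, "PubkeyAuthentication", "yes").lower() != "yes":
        findings.append(("PubkeyAuthentication", "key-based logon is disabled"))

    if effective(s, "PasswordAuthentication", "yes").lower() != "no":
        findings.append(("PasswordAuthentication", "password logon is still allowed"))
    else:
        # With UsePAM, a password can still be requested through
        # keyboard-interactive unless that is off too (old and new keyword names).
        kbd = (effective(s, "ChallengeResponseAuthentication", "yes"),
               effective(s, "KbdInteractiveAuthentication", "yes"))
        if not any(v.lower() == "no" for v in kbd):
            findings.append(("KbdInteractiveAuthentication",
                             "PAM keyboard-interactive password prompts are still possible"))

    # CBC-mode and arcfour ciphers were dropped from OpenSSH's defaults in 6.7.
    legacy = [c for c in effective(s, "Ciphers", "").split(",")
              if c and (c.endswith("-cbc") or c.startswith("arcfour"))]
    if legacy:
        findings.append(("Ciphers", "legacy ciphers listed: " + ", ".join(legacy)))

    for key, values in s.items():
        if len(values) > 1:
            findings.append((key, "set %d times; only the first value (%s) takes effect"
                             % (len(values), values[0])))
    return findings


# Constructed: a permissive sshd_config ...
WEAK_CONFIG = """\
Protocol 2,1
PermitRootLogin yes
PermitEmptyPasswords yes
PasswordAuthentication yes
Ciphers aes128-ctr,blowfish-cbc
Banner /etc/issue.net
"""

# ... and the same file with the chapter's recommendations applied.
HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr
Banner /etc/issue.net
AllowUsers user1 user2
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":", lint_sshd_config(cfg) or "no findings")
```

The duplicate-keyword rule is there because the first-value-wins behaviour is a common source of "I set it to no but it still works" surprises: a setting appended at the bottom of the file does nothing if the same keyword already appears above it. For the authoritative effective configuration, including Match blocks, use sshd -T on the server.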
Chapter 6. Troubleshooting
6.1. Techniques
Appendix A. Revision History
Revision 0.2-1 Sun Apr 3 2011 Eric Christensen
Added to the Server Use section.
Added Cryptographic Logon to the Server Use section.
Revision 0.1-1 Wed May 12 2010 Scott Radvan
Initial creation of book by publican
Index
F
feedback
contact information for this manual (Preface, 2. We Need Feedback!)