Fedora Draft Documentation 0.1 OpenSSH Guide en US


8/10/2019 Fedora Draft Documentation 0.1 OpenSSH Guide en US

Fedora Draft Documentation OpenSSH Guide

    Using and configuring OpenSSH on Fedora

    Scott Radvan

    Eric Christensen


    Fedora Draft Documentation OpenSSH Guide

    Using and configuring OpenSSH on Fedora

    Edition 15.0.2

    Author Scott Radvan [email protected]

    Author Eric Christensen [email protected]

    Copyright 2010 Red Hat, Inc.

The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution-Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. The original authors of this document, and Red Hat, designate the Fedora Project as the "Attribution Party" for purposes of CC-BY-SA. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.

For guidelines on the permitted uses of the Fedora trademarks, refer to https://fedoraproject.org/wiki/Legal:Trademark_guidelines.

Linux is the registered trademark of Linus Torvalds in the United States and other countries.

Java is a registered trademark of Oracle and/or its affiliates.

XFS is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.

MySQL is a registered trademark of MySQL AB in the United States, the European Union and other countries.

All other trademarks are the property of their respective owners.

The Fedora OpenSSH Guide assists both new and experienced users to understand, use, configure, and secure the OpenSSH implementation of SSH (Secure Shell) in Fedora.


Preface  v
  1. Document Conventions  v
    1.1. Typographic Conventions  v
    1.2. Pull-quote Conventions  vi
    1.3. Notes and Warnings  vii
  2. We Need Feedback!  vii

1. Introduction  1
  1.1. What is SSH?  1
  1.2. What is OpenSSH?  1
  1.3. How do I get it?  2
  1.4. Why use it?  2
  1.5. License  3

2. OpenSSH Features  5
  2.1. Current Features  5
  2.2. The OpenSSH suite  5

3. Security  7
  3.1. Benefits  7
  3.2. SSH Vs. Telnet  7

4. Client Use  9
  4.1. Config File  9
  4.2. Connection Theory  9
  4.3. Connection Example  10

5. Server Use  11
  5.1. Server Config  11
  5.2. Cryptographic Logon  11

6. Troubleshooting  13
  6.1. Techniques  13

A. Revision History  15

Index  17


    Preface

1. Document Conventions

This manual uses several conventions to highlight certain words and phrases and draw attention to specific pieces of information.

In PDF and paper editions, this manual uses typefaces drawn from the Liberation Fonts set (https://fedorahosted.org/liberation-fonts/). The Liberation Fonts set is also used in HTML editions if the set is installed on your system. If not, alternative but equivalent typefaces are displayed. Note: Red Hat Enterprise Linux 5 and later includes the Liberation Fonts set by default.

1.1. Typographic Conventions

Four typographic conventions are used to call attention to specific words and phrases. These conventions, and the circumstances they apply to, are as follows.

Mono-spaced Bold

Used to highlight system input, including shell commands, file names and paths. Also used to highlight keycaps and key combinations. For example:

To see the contents of the file my_next_bestselling_novel in your current working directory, enter the cat my_next_bestselling_novel command at the shell prompt and press Enter to execute the command.

The above includes a file name, a shell command and a keycap, all presented in mono-spaced bold and all distinguishable thanks to context.

Key combinations can be distinguished from keycaps by the hyphen connecting each part of a key combination. For example:

Press Enter to execute the command.

Press Ctrl+Alt+F2 to switch to the first virtual terminal. Press Ctrl+Alt+F1 to return to your X-Windows session.

The first paragraph highlights the particular keycap to press. The second highlights two key combinations (each a set of three keycaps with each set pressed simultaneously).

If source code is discussed, class names, methods, functions, variable names and returned values mentioned within a paragraph will be presented as above, in mono-spaced bold. For example:

File-related classes include filesystem for file systems, file for files, and dir for directories. Each class has its own associated set of permissions.

Proportional Bold

This denotes words or phrases encountered on a system, including application names; dialog box text; labeled buttons; check-box and radio button labels; menu titles and sub-menu titles. For example:

Choose System → Preferences → Mouse from the main menu bar to launch Mouse Preferences. In the Buttons tab, click the Left-handed mouse check box and click


Close to switch the primary mouse button from the left to the right (making the mouse suitable for use in the left hand).

To insert a special character into a gedit file, choose Applications → Accessories → Character Map from the main menu bar. Next, choose Search → Find from the Character Map menu bar, type the name of the character in the Search field and click Next. The character you sought will be highlighted in the Character Table. Double-click this highlighted character to place it in the Text to copy field and then click the Copy button. Now switch back to your document and choose Edit → Paste from the gedit menu bar.

The above text includes application names; system-wide menu names and items; application-specific menu names; and buttons and text found within a GUI interface, all presented in proportional bold and all distinguishable by context.

Mono-spaced Bold Italic or Proportional Bold Italic

Whether mono-spaced bold or proportional bold, the addition of italics indicates replaceable or variable text. Italics denotes text you do not input literally or displayed text that changes depending on circumstance. For example:

To connect to a remote machine using ssh, type ssh [email protected] at a shell prompt. If the remote machine is example.com and your username on that machine is john, type ssh [email protected].

The mount -o remount file-system command remounts the named file system. For example, to remount the /home file system, the command is mount -o remount /home.

To see the version of a currently installed package, use the rpm -q package command. It will return a result as follows: package-version-release.

Note the words in bold italics above: username, domain.name, file-system, package, version and release. Each word is a placeholder, either for text you enter when issuing a command or for text displayed by the system.

Aside from standard usage for presenting the title of a work, italics denotes the first use of a new and important term. For example:

Publican is a DocBook publishing system.

1.2. Pull-quote Conventions

Terminal output and source code listings are set off visually from the surrounding text.

Output sent to a terminal is set in mono-spaced roman and presented thus:

    books        Desktop   documentation  drafts  mss    photos   stuff  svn
    books_tests  Desktop1  downloads      images  notes  scripts  svgs

Source-code listings are also set in mono-spaced roman but add syntax highlighting as follows:

    package org.jboss.book.jca.ex1;

    import javax.naming.InitialContext;


Chapter 1. Introduction

- Solaris
- Digital Unix/Tru64/OSF
- Mac OS X
- Cygwin

OpenSSH is not only included in general purpose operating systems, but also in several commercial products. The list of known organizations incorporating OpenSSH into their products (http://www.openssh.com/users.html) includes Cisco, Juniper Networks, Nokia, Apple, and Novell.

OpenSSH is a widely-used and important suite of tools. Providing the ability to securely communicate between and configure hosts, it is released under a free license and has seen adoption across many industry sectors.

1.3. How do I get it?

OpenSSH is included in a default Fedora installation, unless manually excluded. To confirm that you already have it installed, run the rpm -qa | grep openssh command. The output shown here may differ slightly from your output:

    $ rpm -qa | grep openssh
    openssh-5.4p1-1.fc13.x86_64
    openssh-server-5.4p1-1.fc13.x86_64
    openssh-clients-5.4p1-1.fc13.x86_64

The above command queried the RPM package database and the output shows the OpenSSH RPM packages that are installed on the system. Run the ssh -V (upper-case 'V') command as another way to find out the installed version:

    $ ssh -V
    OpenSSH_5.4p1, OpenSSL 1.0.0-fips 29 Mar 2010

If you do not have the openssh package installed, you can install it with the yum command. Run the following command as the root user and follow the instructions to install openssh:

    # yum install openssh

1.4. Why use it?

The OpenSSH suite consists of several tools, which replace older, more insecure tools, as shown in the following table:

Table 1.1. OpenSSH tool replacements

    Old Tool         Replacement
    rlogin, telnet   ssh
    rcp              scp
    ftp              sftp

The above table shows the main networking tools provided by the OpenSSH suite. The older tools in the table are much less secure because they transmit credentials (such as username and password) in clear text over the network or the Internet. These details could be extracted from the data stream and leave the hosts exposed to unauthorized access. The OpenSSH tools listed in the table encrypt the entire transmission, including passwords, which protects the credentials and other connection details from anyone observing the network. This is an important attribute when transmitting credentials over a network, and especially over an untrusted network (such as the Internet).

1.5. License

OpenSSH is released under the free and permissive BSD License. It can be used for any and all purposes, including commercial use. More information about the BSD License can be found on the BSD License page at Wikipedia.org: http://en.wikipedia.org/wiki/BSD_license

Chapter 2. OpenSSH Features

This chapter further explains OpenSSH: its features, its included utilities and commands, and their use and purpose.

2.1. Current Features

The following is a list of OpenSSH features (see http://openssh.com/features.html):

- Open Source Project
- Free Licensing
- Strong Encryption
- X11 Forwarding
- Port Forwarding
- Strong Authentication
- Agent Forwarding
- Interoperability
- SFTP client and server support
- Kerberos and AFS Ticket Passing
- Data Compression

2.2. The OpenSSH suite

The OpenSSH suite consists of both server and client tools. A client makes a connection to another machine by connecting to the sshd server on the target machine. This section provides a list of the most common tools and commands, briefly describes their function, and shows the Fedora package that provides each tool.

- scp - copies files between hosts on a network. It uses ssh for data transfer, and uses the same authentication and provides the same security as ssh. Provided by the openssh-clients package.

- sftp - an interactive file transfer program, similar to ftp, but performs all operations over an encrypted ssh channel. It can also use many other features of ssh, such as public key authentication and compression. Provided by the openssh-clients package.

- slogin - a symbolic link to the ssh command. Provided by the openssh-clients package.

- ssh - the main client program, used for logging into a remote machine and for executing commands on a remote machine. Intended to replace rlogin and rsh, it provides a secure and encrypted channel between two hosts over a network. Also used as a subsystem by other commands listed here. When using ssh, the key exchange and encryption are fully established before credentials (such as username and password) are transmitted. Provided by the openssh-clients package.


- ssh-add - adds RSA and DSA (digital signature algorithm) identities to the ssh-agent authentication agent. Provided by the openssh-clients package.

- ssh-agent - a program to hold private keys used for public key authentication. The idea is that ssh-agent is started at the beginning of a session, and all other windows or programs are started as clients to it. Provided by the openssh-clients package.

- ssh-copy-id - a script that uses ssh to log into a remote machine and install your own public key into that machine's list of authorized keys. This allows future logins to use key-based authentication. Provided by the openssh-clients package.

- ssh-keygen - a utility that can generate, manage and convert authentication keys. Provided by the openssh package.

- ssh-keyscan - a utility for gathering the public ssh host keys of a number of hosts. It can contact several hosts in parallel and is very fast at scanning a collection of hosts for their host keys. Provided by the openssh-clients package.


Chapter 3. Security

This chapter describes the security benefits of using OpenSSH, and shows SSH encryption in action compared to telnet.

3.1. Benefits

The primary benefit of using OpenSSH is security. It provides encryption when remotely connecting to and configuring a host, offers the same functionality as the older, less secure tools, and adds more features over them.

OpenSSH is found on several different operating systems, and is interoperable: you can expect to be able to run OpenSSH on any Linux machine, and its implementation in Fedora is very similar to that in other Linux distributions.

3.2. SSH Vs. Telnet

When using a network connection, essential and complex communication protocols such as TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) operate mostly "behind the scenes" and are hidden beneath the user interface. This section shows the difference between Telnet's insecure, clear-text authentication and the encrypted authentication used by OpenSSH, by capturing and analyzing some of the underlying data transfer.

The following image shows a sample packet from connecting to a host via Telnet. Note that the password, password1, is clearly displayed in the data stream. This could easily expose the password to anybody analyzing the raw data on the network, leaving a host and its services vulnerable to attack:

Compare the above image to the following image, which is a sample from connecting via OpenSSH. As OpenSSH uses encryption when providing credentials, the output is scrambled and incomprehensible to anybody analyzing the raw packet data:


This feature alone is the main reason why utilities such as telnet and rlogin are considered insecure and out-dated. By providing encryption before credentials are sent, OpenSSH allows for stronger security when communicating over any network, but most importantly over unknown or untrusted ones.

Chapter 4. Client Use

4.3. Connection Example

This section provides an example of connecting to a remote host via the ssh command. Line numbers have been added here to help explain the actions taken.

    1. [user1@localhost ~]$ ssh foo.example.com
    2. The authenticity of host 'foo.example.com (10.0.0.1)' can't be established.
    3. RSA key fingerprint is eb:63:02:da:88:e5:a6:fc:71:31:15:0b:cd:56:5d:3f.
    4. Are you sure you want to continue connecting (yes/no)? yes
    5. Warning: Permanently added 'foo.example.com,10.0.0.1' (RSA) to the list of known hosts.
    6. [email protected]'s password: *********
    7. [user1@foo ~]$

Line 1 shows that the user1 user on the client system is initiating an SSH connection to a server with the ssh command. The server's domain name is foo.example.com, but its IP address (10.0.0.1) could be used instead.

Lines 2, 3 and 4 check the key fingerprint of the remote host against local copies, if they exist, in the ~/.ssh/known_hosts file (/home/user1/.ssh/known_hosts in this example). If none exists for this host, as occurs in the above example, the fingerprint is displayed and the user is then prompted whether or not to add this record to the same known_hosts file by entering yes or no.

Line 5 displays the result, in this case that the fingerprint has been added to the local file. This mapping will be used in the future when connecting to this host.

Line 6 in this example shows where the password for [email protected] is entered.

Line 7 shows the prompt of the remote machine after authentication has been successful. At this point, no matter what authentication technique is in use, the user has access to the remote machine, and it can be configured as though it were a local connection. Of course, the limit of what the user has access to on the remote machine is still dependent on regular permissions and controls.

The following warning can also appear when connecting, and it is possibly not good (explanation TBD):

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

    @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!

    Someone could be eavesdropping on you right now (man-in-the-middle attack)!

    It is also possible that the RSA host key has just been changed.

    The fingerprint for the RSA key sent by the remote host is

    eb:62:1a:da:38:f5:e6:ec:10:31:17:0b:cf:56:5d:3f.

    Please contact your system administrator.

    Add correct host key in /home/user1/.ssh/known_hosts to get rid of this message.

    Offending key in /home/user/.ssh/known_hosts:11

    RSA host key for foo.example.com has changed and you have requested strict checking.

    Host key verification failed.
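As an added example that is not part of the guide, the Python below reproduces the known_hosts logic behind lines 2 to 5 of the session above and behind the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning: it parses a known_hosts file, derives the colon-separated MD5 fingerprint shown in the prompt (and the SHA256 form that newer OpenSSH releases print), and classifies a presented host key as unknown, matching, or changed. The key blobs and the known_hosts contents are constructed for the demonstration and are not real host keys.

```python
"""Host key verification the way ssh applies known_hosts (added example).

The key blobs and the known_hosts text below are constructed for the demo;
they are not real host keys.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode data as an SSH wire-format string: uint32 length + bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw_public_key: bytes) -> bytes:
    """Public key blob in the layout OpenSSH uses for ssh-ed25519 keys."""
    if len(raw_public_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw_public_key)


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the format shown in the guide's output."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as newer OpenSSH releases print it (base64, unpadded)."""
    raw = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return "SHA256:" + raw.rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map (hostname, key type) -> key blob.  Malformed lines are skipped, not trusted."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        hosts, keytype, b64 = parts[0], parts[1], parts[2]
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        for host in hosts.split(","):   # "foo.example.com,10.0.0.1" names the host twice
            entries[(host, keytype)] = blob
    return entries


def check_host_key(known: dict, host: str, keytype: str, presented: bytes) -> str:
    """'unknown' triggers the yes/no prompt; 'changed' triggers the big warning."""
    stored = known.get((host, keytype))
    if stored is None:
        return "unknown"
    return "match" if stored == presented else "changed"


# Constructed demonstration data (not real keys).
GOOD_KEY = make_ed25519_blob(bytes(range(32)))
ROGUE_KEY = make_ed25519_blob(bytes(range(32, 64)))
KNOWN_HOSTS = (
    "# constructed sample known_hosts\n"
    "foo.example.com,10.0.0.1 ssh-ed25519 "
    + base64.b64encode(GOOD_KEY).decode() + "\n"
    "this line is malformed\n"
)

if __name__ == "__main__":
    known = parse_known_hosts(KNOWN_HOSTS)
    print("fingerprints:", md5_fingerprint(GOOD_KEY), sha256_fingerprint(GOOD_KEY))
    print("first connection:", check_host_key(known, "bar.example.com", "ssh-ed25519", GOOD_KEY))
    print("same key again:  ", check_host_key(known, "foo.example.com", "ssh-ed25519", GOOD_KEY))
    print("different key:   ", check_host_key(known, "foo.example.com", "ssh-ed25519", ROGUE_KEY))
```

The "changed" outcome is the one that matters operationally: it is indistinguishable from a legitimate key rotation by looking at the wire, which is why the warning text tells the user to contact the administrator rather than to edit known_hosts. Verifying the new fingerprint through a separate channel (or distributing host keys with ssh-keyscan from a trusted network, as section 2.2 mentions) is how a defender tells the two cases apart.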

Chapter 5. Server Use

Setting up OpenSSH on your server isn't difficult. Most settings are found in the /etc/ssh/sshd_config file. It is important to understand the settings in the file, however, as failure to properly configure OpenSSH could lead to your system being vulnerable to attack.

5.1. Server Config

In your /etc/ssh/sshd_config you will see several settings (and some you will not see) for setting up OpenSSH as a service. Information on all possible choices within /etc/ssh/sshd_config can be found by running man sshd_config.

Here are the main /etc/ssh/sshd_config choices to address:

- Protocol 2 - Because protocol version 1 contains security vulnerabilities, you should make sure that Protocol 2 is the only protocol to be used. To do this, make sure that Protocol 2 is uncommented and Protocol 1 is not in the configuration.

- PermitRootLogin - To disable root login via SSH, set this to no.

- PermitEmptyPasswords - To explicitly disallow remote login from accounts with empty passwords, set this to no.

- Banner - Text you want displayed on the screen when someone connects to your server. This should point to a file.

- Ciphers - Ciphers that OpenSSH will use. Example: aes128-ctr,blowfish-cbc

- AllowUsers - Usernames that can log in using SSH. Example: user1 user2

- DenyUsers - Usernames that cannot log in using SSH. Example: user1 user2

Note: You must restart the sshd service before the settings take effect.

5.2. Cryptographic Logon

In this day of heightened security concerns and massive computing power it is more important than ever to utilize every tool we have to prevent unauthorized access to our systems. We've relied on passwords for years and we've learned that users typically don't do a good job of maintaining strong, hack-resistant words and phrases, instead gravitating towards simple words or sports team names that are incredibly easy to guess. Enter Public Key Infrastructure (PKI) cryptography for authenticating your users.

Setting up PKI authentication requires changing a couple of settings in your /etc/ssh/sshd_config. The following directives should be modified to activate PKI authentication:

- PubkeyAuthentication - Uncomment and set to yes.

- AuthorizedKeysFile - Uncomment this as well and make sure it is set to .ssh/authorized_keys.

Note: You must restart the sshd service before the settings take effect.

By changing those two settings you have activated PKI authentication! When users put their public key in their ~/.ssh/authorized_keys the system will try to authenticate them using that key before asking for a password. Want to require the key and not allow users to authenticate with a password?

Just change PasswordAuthentication to no and, after restarting the sshd service, your system should only let people log in using their PKI certificates.
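To confirm that the settings from sections 5.1 and 5.2 actually took hold, here is an added Python auditor that is not part of the guide or of OpenSSH. It parses sshd_config the way sshd reads it (keywords are case-insensitive, the first occurrence of a keyword wins, and only the part before any Match line is global) and compares a constructed weak configuration against a hardened one. The recommended values are taken from this chapter; treating PasswordAuthentication no as required and flagging CBC-mode ciphers as weak are this example's own policy assumptions.

```python
"""Audit sshd_config against the Chapter 5 recommendations (added example).

Both configurations below are constructed samples, not files from any host.
"""
import re

# Values this chapter recommends, keyed by lower-cased keyword.
# PasswordAuthentication=no is the chapter's optional last step; requiring it
# here is this example's own policy choice.
EXPECTED = {
    "protocol": "2",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "authorizedkeysfile": ".ssh/authorized_keys",
    "passwordauthentication": "no",
}

# "Keyword value" or "Keyword=value"; the lazy group stops at the separator.
DIRECTIVE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text: str) -> dict:
    """Return {keyword: value} for the global section of an sshd_config.

    Mirrors how sshd reads the file: keywords are case-insensitive, the first
    occurrence of a keyword wins, '#' starts a comment, and everything after
    the first Match line applies only to matching connections.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        keyword, value = (m.group(1), m.group(2).strip()) if m else (line, "")
        keyword = keyword.lower()
        if keyword == "match":
            settings.setdefault("__match__", value)
            break
        settings.setdefault(keyword, value)
    return settings


def audit_sshd_config(text: str) -> list:
    """List of (keyword, status, value); status is ok, bad, unset or info."""
    settings = parse_sshd_config(text)
    findings = []
    for keyword, wanted in EXPECTED.items():
        value = settings.get(keyword)
        if value is None:
            # Absent or commented out: sshd falls back to its compiled-in default.
            findings.append((keyword, "unset", None))
        elif value.lower() == wanted:
            findings.append((keyword, "ok", value))
        else:
            findings.append((keyword, "bad", value))
    ciphers = settings.get("ciphers")
    if ciphers is not None:
        # Assumption for this example: CBC-mode ciphers are treated as weak.
        weak = [c.strip() for c in ciphers.split(",") if c.strip().endswith("-cbc")]
        findings.append(("ciphers", "bad" if weak else "ok", ",".join(weak) or ciphers))
    if "__match__" in settings:
        findings.append(("match", "info",
                         "Match blocks present; only the global section was audited"))
    return findings


WEAK_CONFIG = """\
# constructed sample: before hardening
Protocol 2,1
#PermitRootLogin yes
PermitEmptyPasswords yes
PasswordAuthentication yes
Ciphers aes128-ctr,blowfish-cbc
"""

HARDENED_CONFIG = """\
# constructed sample: after applying sections 5.1 and 5.2
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
Ciphers aes128-ctr,aes256-ctr
Banner /etc/issue.net
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for keyword, status, value in audit_sshd_config(cfg):
            print(f"  {status:5} {keyword} = {value}")
```

An "unset" result is worth acting on even though it is not an outright failure: a directive that is only commented out leaves the behaviour to sshd's built-in default, so the audit cannot tell you whether root login is allowed without knowing that default for the installed version. Setting each of these keywords explicitly, as the chapter recommends, makes the file self-describing. As with every change here, the result only applies once the sshd service has been restarted.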

Chapter 6. Troubleshooting

I am the start of a chapter!

6.1. Techniques

I am a section!


Appendix A. Revision History

Revision 0.2-1  Sun Apr 3 2011  Eric Christensen [email protected]
  Added to the Server Use section.
  Added Cryptographic Logon to the Server Use section.

Revision 0.1-1  Wed May 12 2010  Scott Radvan [email protected]
  Initial creation of book by publican


Index

F
feedback
  contact information for this manual, vii
