Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
Applies to SUSE Linux Enterprise Server 11 SP4

14 SSH: Secure Network Operations

In networked environments, it is often necessary to access hosts from a remote location. If a user sends login and password strings for authentication purposes as plain text, they could be intercepted and misused to gain access to that user account without the authorized user knowing about it. This would open all the user's files to an attacker and the illegal account could be used to obtain administrator or root access, or to penetrate other systems. In the past, remote connections were established with telnet, rsh or rlogin, which offered no guards against eavesdropping in the form of encryption or other security mechanisms. There are other unprotected communication channels, like the traditional FTP protocol and some remote copying programs like rcp.

The SSH suite provides the necessary protection by encrypting the authentication strings (usually a login name and a password) and all the other data exchanged between the hosts. With SSH, the data flow could still be recorded by a third party, but the contents are encrypted and cannot be reverted to plain text unless the encryption key is known. So SSH enables secure communication over insecure networks, such as the Internet. The SSH implementation coming with SUSE Linux Enterprise Server is OpenSSH.

SUSE Linux Enterprise Server installs the OpenSSH package by default providing the commands ssh, scp, and sftp. In the default configuration, remote access of a SUSE Linux Enterprise Server system is only possible with the OpenSSH utilities, and only if the sshd is running and the firewall permits access.

14.1 ssh—Secure Shell

By using the ssh program, it is possible to log in to remote systems and to work interactively. To log in to the host sun as user tux user one of the following commands:

ssh tux@sun
ssh -l tux sun

If the username is the same on both machines, you may omit it: ssh sun. The remote host prompts for the remote user's password. After a successful authentication, you can work on the remote command line or use interactive applications, such as YaST in text mode.

Furthermore, ssh offers the possibility to just run non-interactive commands on remote systems by running ssh HOST COMMAND. COMMAND needs to be properly quoted. Multiple commands can be concatenated as on a regular shell.

ssh root@sun "dmesg | tail -n 25"
ssh root@sun "cat /etc/issue && uptime"

14.1.1 Starting X Applications on a Remote Host

SSH also simplifies the use of remote X applications. If you run ssh with the -X option, the DISPLAY variable is automatically set on the remote machine and all X output is exported to the remote machine over the existing SSH connection. At the same time, X applications started remotely cannot be intercepted by unauthorized individuals.

14.1.2 Agent Forwarding

By adding the -A option, the ssh-agent authentication mechanism is carried over to the next machine. This way, you can work from different machines without having to enter a password, but only if you have distributed your public key to the destination hosts and properly saved it there.

This mechanism is deactivated in the default settings, but can be permanently activated at any time in the systemwide configuration file /etc/ssh/sshd_config by setting AllowAgentForwarding yes.

14.2 scp—Secure Copy

scp copies files to or from a remote machine. If the username on jupiter is different than the username on sun, specify the latter using the username@host format. If the file should be copied into a directory other then the remote user's home directory, specify it as sun:DIRECTORY. The following examples show how to copy a file from a local to a remote machine and vice versa.

# local -> remote
scp ~/MyLetter.tex tux@sun:/tmp
# remote -> local
scp tux@sun:/tmp/MyLetter.tex ~
Tip: The -l Option

With the ssh command, the option -l can be used to specify a remote user (as an alternative to the username@host format). With scp the option -l is used to limit the bandwidth consumed by scp.

After the correct password is entered, scp starts the data transfer. It displays a progress bar and the time remaining for each file that is copied. Suppress all output with the -q option.

scp also provides a recursive copying feature for entire directories. The command

scp -r src/ sun:backup/

copies the entire contents of the directory src including all subdirectories to the ~/backup directory on the host sun. If this subdirectory does not exist it is created automatically.

The -p option tells scp to leave the time stamp of files unchanged. -C compresses the data transfer. This minimizes the data volume to transfer, but creates a heavier burden on the processors of both machines.

14.3 sftp—Secure File Transfer

If you want to copy several files from and/or to different locations, sftp is a convenient alternative to scp. It opens a shell with a set of commands similar to a regular ftp shell. Type help at the sftp-prompt to get a list of available commands. More details are available from the sftp (1) man page.

sftp sun
Enter passphrase for key '/home/tux/.ssh/id_rsa': 
Connected to sun.
sftp> help
Available commands:
bye                                Quit sftp
cd path                            Change remote directory to 'path'

14.4 The SSH Daemon (sshd)

To work with the SSH client programs ssh and scp, a server (the SSH daemon) must be running in the background, listening for connections on TCP/IP port 22. The daemon generates three key pairs when starting for the first time. Each key pair consists of a private and a public key. Therefore, this procedure is referred to as public key-based. To guarantee the security of the communication via SSH, access to the private key files must be restricted to the system administrator. The file permissions are set accordingly by the default installation. The private keys are only required locally by the SSH daemon and must not be given to anyone else. The public key components (recognizable by the name extension .pub) are sent to the client requesting the connection. They are readable for all users.

A connection is initiated by the SSH client. The waiting SSH daemon and the requesting SSH client exchange identification data to compare the protocol and software versions, and to prevent connections through the wrong port. Because a child process of the original SSH daemon replies to the request, several SSH connections can be made simultaneously.

For the communication between SSH server and SSH client, OpenSSH supports versions 1 and 2 of the SSH protocol. Version 2 of the SSH protocol is used by default. Override this to use version 1 of protocol with the -1 option.

When using version 1 of SSH, the server sends its public host key and a server key, which is regenerated by the SSH daemon every hour. Both allow the SSH client to encrypt a freely chosen session key, which is sent to the SSH server. The SSH client also tells the server which encryption method (cipher) to use. Version 2 of the SSH protocol does not require a server key. Both sides use an algorithm according to Diffie-Hellman to exchange their keys.

The private host and server keys are absolutely required to decrypt the session key and cannot be derived from the public parts. Only the contacted SSH daemon can decrypt the session key using its private keys. This initial connection phase can be watched closely by turning on verbose debugging using the -v option of the SSH client.

It is recommended to back up the private and public keys stored in /etc/ssh/ in a secure, external location. In this way, key modifications can be detected or the old ones can be used again after having installed a new system.

Tip: Existing SSH Host Keys

If you install SUSE Linux Enterprise Server on a machine with existing Linux installations, the installation routine automatically imports the SSH host key with the most recent access time from an existing installation.

When establishing a secure connection with a remote host for the first time, the client stores all public host keys in ~/.ssh/known_hosts. This prevents any man-in-the-middle attacks—attempts by foreign SSH servers to use spoofed names and IP addresses. Such attacks are detected either by a host key that is not included in ~/.ssh/known_hosts, or by the server's inability to decrypt the session key in the absence of an appropriate private counterpart.

In case the public keys of a host have really changed (something that needs to be verified before attempting to connect to such a server), the offending keys can be removed with the command ssh-keygen -r HOSTNAME

14.5 SSH Authentication Mechanisms

In it's simplest form, authentication is done by entering the user's password just as if logging in locally. However, having to memorize passwords of several users on remote machines, is inefficient. Whats more, these passwords may change. On the other hand—when granting root access—an administrator needs to be able to quickly revoke such a permission without having to change the root password.

In order to accomplish a login that does not require to enter the remote user's password, SSH uses another key pair, which needs to be generated by the user. It consists of a public (id_rsa.pub or id_dsa.pub) and a private key (id_rsa or id_dsa).

In order to be able to log in without having to specify the remote user's password, the public key of the SSH user must be present in ~/.ssh/authorized_keys. This approach also ensures that the remote user has got full control: adding the key requires the remote user's password and removing the key revokes the permission to log in from remote.

For maximum security such a key should be protected by a passphrase which needs to be entered every time you use ssh, scp, or sftp. Contrary to the simple authentication, this passphrase is independent from the remote user and therefore always the same.

An alternative to the key-based authentication described above, SSH also offers a host-based authentication. With host-based authentication, users on a trusted host can log in to another host on which this feature is enabled using the same username. SUSE Linux Enterprise Server is set up for using key-based authentication, covering setting up host-based authentication on SUSE Linux Enterprise Server is beyond the scope of this manual.

Note: File Permissions for Host-Based Authentication

If the host-based authentication is to be used, the file /usr/lib/ssh/ssh-keysign (32-bit systems) or /usr/lib64/ssh/ssh-keysign (64-bit systems) should have the setuid bit set, which is not the default setting in SUSE Linux Enterprise Server. In such case, set the file permissions manually. You should use /etc/permissions.local for this purpose, to make sure that the setuid bit is preserved after security updates of openssh.

14.5.1 Generating an SSH Key

  1. To generate a key with default parameters (RSA, 2048 bits), enter the command ssh-keygen.

  2. Accept the default location to store the key (~/.ssh/id_rsa) be pressing Enter (strongly recommended) or enter an alternative location.

  3. Enter a passphrase consisting of 10 to 30 characters. The same rules as for creating safe passwords apply. It is strongly advised to refrain from specifying no passphrase.

You should make absolutely sure that the private key is not accessible by anyone other than yourself (always set its permissions to 0600). The private key must never fall into the hands of another person.

In order to change the password of an existing key pair, use the command ssh-keygen -p.

14.5.2 Copying an SSH Key

To copy a public SSH key to ~/.ssh/authorized_keys of a user on a remote machine, use the command ssh-copy-id. In order to copy your personal key stored under ~/.ssh/id_rsa.pub you may use the short form. In order to copy DSA keys or keys of other users, you need to specify the path:

# ~/.ssh/id_rsa.pub
ssh-copy-id -i tux@sun

# ~/.ssh/id_dsa.pub
ssh-copy-id -i ~/.ssh/id_dsa.pub  tux@sun

# ~notme/.ssh/id_rsa.pub
ssh-copy-id -i ~notme/.ssh/id_rsa.pub  tux@sun

In order to successfully copy the key, you need to enter the remote user's password. To remove an existing key, manually edit ~/.ssh/authorized_keys.

14.5.3 Using the ssh-agent

When doing lots of secure shell operations it is cumbersome to type the SSH passphrase for each such operation. Therefore, the SSH package provides another tool, ssh-agent, which retains the private keys for the duration of an X or terminal session. All other windows or programs are started as clients to the ssh-agent. By starting the agent, a set of environment variables is set, which will be used by ssh, scp, or sftp to locate the agent for automatic login. See man 1 ssh-agent for details.

Once the ssh-agent is started, you need to add your keys by using ssh-add. It will prompt for the passphrase. Once entered, you can use the secure shell commands within the running session without having to provide your password. Using ssh-agent in an X Session

On SUSE Linux Enterprise Server the ssh-agent is automatically started by the GNOME or KDE display managers. In order to also invoke ssh-add to add your keys to the agent at the beginning of an X session, do the following:

  1. Log in as the desired user and check whether the file ~/.xinitrc exists.

  2. If it does not exist, use an existing template or copy it from /etc/skel:

    if [ -f ~/.xinitrc.template ]; then mv ~/.xinitrc.template ~/.xinitrc; \
    else cp /etc/skel/.xinitrc.template ~/.xinitrc; fi
  3. If you have copied the template, search for the following lines and uncomment them. If ~/.xinitrc already existed, add the following lines (without comment signs).

    # if test -S "$SSH_AUTH_SOCK" -a -x "$SSH_ASKPASS"; then
    #       ssh-add < /dev/null
    # fi
  4. When starting a new X session, you will be prompted for your SSH passphrase. Using ssh-agent in a Terminal Session

In a terminal session you need to manually start the ssh-agent and then call ssh-add afterwards. There are two ways to start the agent. The first example given below starts a new Bash shell on top of your existing shell. The second example starts the agent in the existing shell and modifies the environment as needed.

ssh-agent -s /bin/bash
eval $(ssh-agent)

After the agent has been started, run ssh-add to provide the agent with your keys.

14.6 Port Forwarding

ssh can also be used to redirect TCP/IP connections. This feature, also called SSH tunneling, redirects TCP connections to a certain port to another machine via an encrypted channel.

With the following command, any connection directed to jupiter port 25 (SMTP) is redirected to the SMTP port on sun. This is especially useful for those using SMTP servers without SMTP-AUTH or POP-before-SMTP features. From any arbitrary location connected to a network, e-mail can be transferred to the home mail server for delivery.

ssh -L 25:sun:25 jupiter

Similarly, all POP3 requests (port 110) on jupiter can be forwarded to the POP3 port of sun with this command:

ssh -L 110:sun:110 jupiter

Both commands must be executed as root, because the connection is made to privileged local ports. E-mail is sent and retrieved by normal users in an existing SSH connection. The SMTP and POP3 host must be set to localhost for this to work. Additional information can be found in the manual pages for each of the programs described above and also in the OpenSSH package documentation under /usr/share/doc/packages/openssh.

14.7 Configuring An SSH Daemon with YaST

To configure an sshd server with YaST run YaST and choose Network Services › SSHD Configuration. Then proceed as follows:

  1. On the General tab, select the ports sshd should listen on in the SSHD TCP Ports table. The default port number is 22. Multiple ports are allowed. To add a new port, click Add, enter the port number and click OK. To delete a port, select it in the table, click Delete and confirm.

  2. Select the features the sshd daemon should support. To disable TCP forwarding, uncheck Allow TCP Forwarding. Disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders. See Section 14.6, “Port Forwarding” for more information about TCP forwarding.

    To disable X forwarding, uncheck Allow X11 Forwarding. If this option is disabled, any X11 forward requests by the client will return an error. However users can always install their own forwarders. See Section 14.1, “ssh—Secure Shell” for more information about X forwarding.

    In Allow Compression determine, whether the connection between the server and clients should be compressed. After setting these options, click Next.

  3. The Login Settings tab contains general login and authentication settings. In Print Message of the Day After Login determine, whether sshd should print message from /etc/motd when a user logs in interactively. If you want to disable connection of a user root, uncheck Permit Root Login.

    In Maximum Authentication Tries enter the maximum allowed number of authentication attempts per connection. RSA Authentication specifies whether pure RSA authentication is allowed. This option applies to SSH protocol version 1 only. Public Key Authentication specifies whether public key authentication is allowed. This option applies to protocol version 2 only.

  4. On the Protocol and Ciphers tab, determine which versions of the SSH protocol should be supported. You can choose to support version 1 only, version 2 only, or to support both SSH version 2 and 1.

    Under Supported Ciphers, all supported ciphers are listed. You can remove a cipher by selecting it in the list and clicking Delete. To add a cipher to the list, select it from the dropdown menu and click Add.

  5. Click Finish to save the configuration.

14.8 For More Information


The home page of OpenSSH


The OpenSSH Wikibook

man sshd

Manpage of the OpenSSH daemon

man ssh_config

Manpage of the OpenSSH SSH client configuration files

man scp, man sftp, man slogin, man ssh, man ssh-add, man ssh-agent, man ssh-copy-id, man ssh-keyconvert, man ssh-keygen, man ssh-keyscan

Manpage of several binary files to copy (scp, sftp), login (slogin, ssh), and manage keys.

Print this page