Secure Shell

RTT - Cursul 2
Razvan Deaconescu, Lucian Cojocar
ROSEdu

19 octombrie 2009

1 Notiuni generale
2 Comenzi de baz
a
3 Notiuni avansate
4 Utilizare SSH n alte aplicat, ii
5 Exemple

1 Notiuni generale
2 Comenzi de baz
a
3 Notiuni avansate
4 Utilizare SSH n alte aplicat, ii
5 Exemple

SSH

protocol de ret, ea (nivel aplicat, ie)

canal securizat de comunicat, ie
comanda de la distant, a, transfer de fis, iere, tunelare
client (ssh), server (sshd, portul 22)
servere pe Unix-uri, Mac OS X, Windows (cygwin)
OpenSSH este practic singura implementare de SSH

Criptare

doua tipuri
chei simetrice - rapida
chei asimetrice - lenta dar potent, ial mai sigura

algoritmi de criptare
alg(mesaj) mesaj criptat
AES (Advanced Encryption Standard), Blowfish
RSA (Rivest, Shamir, Adleman) , DSA (Digital Signature
Algorithm)

Chei publice/private

legatura matematica (ex: RSA se bazeaza pe teorema lui

Euller)
generate n acelas, i timp
pub(priv(M)) = M (semnatura digitala)
priv(pub(M)) = M (criptare)
autentificare (certificate)
criptare folosita n conjunct, ie cu chei simetrice

1 Notiuni generale
2 Comenzi de baz
a
3 Notiuni avansate
4 Utilizare SSH n alte aplicat, ii
5 Exemple

Fisiere utilizate (client)

/.ssh/id rsa cheia privata implicita

/.ssh/id rsa cheia publica implicita
/.ssh/config
/.ssh/authorized keys chei publice pentru care nu se mai cere
parola
/.ssh/known hosts chei publice ale serverlor la care ne-am
conectat
/.shosts autentificare n funct, ie de host

Fisiere utilizate (server)

/etc/ssh/ssh host rsa key cheia privata a serverului

/etc/ssh/ssh host rsa key.pub cheia publica a serverului
/etc/ssh/ssh config
/etc/ssh/ssh rc comenzi executate la conectare

Conectare la distant, a

ssh ana@rosedu.org
ssh -l bogdan rosedu.org
ssh -p 2222 -l corina rosedu.org
ssh -l dan rosedu.org ls /projects
ssh -i .ssh/servers.priv -l root rosedu.org
man ssh

Copiere la/de la distant, a

scp file.txt elena@rosedu.org:

scp file.txt florin@rosedu.org:projects/elena/tmp/
scp -P 2222 file.txt gabi@rosedu.org:
scp horia@rosedu.org:test.txt .
scp -r horia@rosedu.org:docs/ /stuff/
man scp

Generare pereche de chei

ssh-keygen -t rsa
ssh-keygen -t dsa -N My|P422)(
implicit {/.ssh/id dsa, /.ssh/id dsa.pub}
ssh-keygen -t rsa -f my key
{my key, my key.pub}
ssh-keygen -H
man ssh-keygen

Autentificare folosind chei publice

scp /.ssh/id rsa.pub irina@rosedu.org

cat id rsa.pub >> /.ssh/authorized keys

Autentificare folosind chei publice

scp /.ssh/id rsa.pub irina@rosedu.org

cat id rsa.pub >> /.ssh/authorized keys
ssh -l irina rosedu.org
cat /.ssh/id rsa.pub | ssh irina@rosedu.org cat >>
/.ssh/authorized keys

Autentificare folosind chei publice

scp /.ssh/id rsa.pub irina@rosedu.org

cat id rsa.pub >> /.ssh/authorized keys
ssh -l irina rosedu.org
cat /.ssh/id rsa.pub | ssh irina@rosedu.org cat >>
/.ssh/authorized keys
ssh-copy-id -i /.ssh/id rsa.pub irina@rosedu.org

1 Notiuni generale
2 Comenzi de baz
a
3 Notiuni avansate
4 Utilizare SSH n alte aplicat, ii
5 Exemple

Instalare s, i interact, iune server SSH

emerge openssh
apt-get install openssh-server
/etc/init.d/ssh {stop, start, restart,

Instalare s, i interact, iune server SSH

emerge openssh
apt-get install openssh-server
/etc/init.d/ssh {stop, start, restart, reload}

Configurari de baza server SSH

/etc/ssh/sshd config
Port 22
PasswordAuthentication no
X11Forwarding yes
GatewayPorts yes
man sshd config

Folosire ssh-agent

mai multe perechi de chei folosire opt, iune -i la ssh/scp

chei cu passphrase introducerea passphrase-ului la fiecare
conectare
booooring (lene, pierdere de timp, rutina)
ssh-agent bash
ssh-add ; se adauga cheia implicita
ssh-add /.ssh/my key ; se adauga cheia specificata
la autentificare nu se mai cere passphrase; nu mai e nevoie de
-i
pornit automat cu interfat, a grafica

TCP Port Forwarding

ssh -L localhost:8080:rosedu.org:80 rtt@rosedu.org

conexiune pe localhost:8080 sunt dirijate catre rosedu.org:80

ssh -R rosedu.org:8022:localhost:22 rtt@rosedu.org

conexiunile ajung la sistemul care a init, iat reverse port forward

SOCKS proxy

ssh -D 8080 rtt@rosedu.org

asigura un canal criptat pana la server
proxy anonim
tunel local, dinamic

X-Forwarding cu SSH

X11Fowarding on ; /etc/ssh/sshd config

ssh -X -l lucian rosedu.org
xeyes, firefox, gvim etc.
rulare la distant, a, afis, are locala

1 Notiuni generale
2 Comenzi de baz
a
3 Notiuni avansate
4 Utilizare SSH n alte aplicat, ii
5 Exemple

SCM

git clone ssh://rosedu.org/projects/repo.git/

svn checkout svn+ssh//rosedu.org/projects/repo.svn/

rsync

rsync -avz -e ssh monica@rosedu.org:/home/cdl/projects

/rsync/

SSHFS

sistem de fisiere peste ssh

implementat cu FUSE (Filesystem in Userspace)

1 Notiuni generale
2 Comenzi de baz
a
3 Notiuni avansate
4 Utilizare SSH n alte aplicat, ii
5 Exemple

Exemple

tunel invers creat deja de pe o sat, ie din regie (sper sa fi t, inut)

ssh -Nn -R rosedu.org:29000:localhost:22 rtt@rosedu.org
GatewayPorts
tunel direct, tunel invers (ntre rosedu.org, si calculatorul de
acasa)
proxy socks5 (tsock wget whatismyip.org)
montare sistem de fisiere (sshfs)
lansare aplicat, ie X

Bibliografie

SSH: The Secure Shell (The Definitive Guide), OReilly 2005

(2nd Edition)
http://www.linuxjournal.com/article/4412
http://suso.org/docs/shell/ssh.sdf edition)