Thursday, December 11, 2008

SSH

The following are tips for both the Secure Shell daemon (server) and the SSH command line client included with Mac OS X.

SSH daemon (server)

The first time sshd runs, it generates three host key pairs and stores them in the /private/etc/ directory (/etc is a symlink to /private/etc on Mac OS X). The .pub halves are what clients record in their known_hosts files; the private halves are readable by root only and must stay that way.

  • ssh_host_key and ssh_host_key.pub (v1)
  • ssh_host_dsa_key and ssh_host_dsa_key.pub (v2 DSA)
  • ssh_host_rsa_key and ssh_host_rsa_key.pub (v2 RSA)

SSH listens on TCP port 22 by default. The global server configuration file is:
/private/etc/sshd_config
On Mac OS X, launchd starts a fresh sshd process for each incoming connection when Remote Login is enabled, so edits to this file take effect for the next connection. On a system that runs sshd as a persistent daemon, restart it (or send it SIGHUP) after editing.

To deny all remote SSH root logins (generally a good idea), set this value in the sshd_config file:
PermitRootLogin no

To disable the less secure v1 SSH protocol, set this value in the sshd_config file:
Protocol 2

To disable X forwading, set this value in the sshd_config file:
X11Forwarding no

To disable password logins (forcing public/private key authentication), set this value in the sshd_config file:
PasswordAuthentication no
Also set ChallengeResponseAuthentication to no; otherwise sshd can still collect the account password through keyboard-interactive (PAM) authentication. Confirm that a key-based login works from a second window before closing the session you are editing from.
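As an added example (not from the original page), here is a small POSIX shell audit of the four settings above that can be run against /private/etc/sshd_config before and after editing. It mirrors sshd's own rule that the first uncommented occurrence of a keyword wins; the sample configuration it checks in the demo is constructed.

```sh
#!/bin/sh
# Added example (not from the original page): audit an sshd_config file for
# the four hardening settings. The demo file is constructed, not a real one.

# Print the effective value of one keyword, lower-cased. sshd uses the
# first uncommented occurrence, so later duplicates are ignored, and
# keywords are case-insensitive.
sshd_value() {   # $1 = config file, $2 = keyword
  awk -v key="$2" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == tolower(key) { print tolower($2); exit }
  ' "$1"
}

# Compare the file against the hardened values; returns the number of
# settings that are missing or weak (0 means all four are as wanted).
# An unset keyword is reported too, so the value gets set explicitly
# instead of relying on the compiled-in default.
# Caveat: settings inside a "Match" block are not handled.
audit_sshd_config() {   # $1 = config file
  bad=0
  for pair in PermitRootLogin=no Protocol=2 X11Forwarding=no PasswordAuthentication=no; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(sshd_value "$1" "$key")
    if [ "$got" = "$want" ]; then
      echo "ok   $key $got"
    else
      echo "FAIL $key: want '$want', got '${got:-(unset, default applies)}'"
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# Demo on a constructed config that looks like a stock file: most lines are
# still commented out, the protocol line allows v1, passwords are allowed.
sample=$(mktemp /tmp/sshd_config.XXXXXX)
cat > "$sample" <<'EOF'
# constructed sample, not a real system file
#PermitRootLogin yes
Protocol 2,1
#X11Forwarding no
PasswordAuthentication yes
EOF
audit_sshd_config "$sample"
echo "weak settings: $?"
rm -f "$sample"
```

Run it as `audit_sshd_config /private/etc/sshd_config`. On OpenSSH 5.1 and later, `sshd -T` prints the effective configuration after all parsing, which is the authoritative check when Match blocks are in use.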

SSH client

Note: because of their sensitive nature, the $HOME/.ssh/ directory and the private files in it must be accessible to the user only: mode 700 (drwx------) on the directory and 600 (-rw-------) on private keys. Public keys (*.pub) may be world-readable (644). For example, a private key's permissions should look like this:
-rw-------
Otherwise ssh refuses to use the key (it reports an unprotected private key file), and sshd, with its default StrictModes yes, ignores an authorized_keys file, a .ssh directory or a home directory that is writable by group or other. If you copy personal SSH files to a new system and they don't work, check the permissions first.
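An added example (not from the original page) that checks a .ssh directory for exactly this mistake and applies the modes ssh expects. The demo runs on a constructed temporary directory holding empty stand-in files.

```sh
#!/bin/sh
# Added example (not from the original page): find and fix entries in a
# ~/.ssh directory that are readable, writable or executable by group or
# other. The demo directory and its empty files are constructed.

# Mode test that works on both Mac OS X and Linux: columns 5-10 of the
# "ls -ld" output hold the group and other permission bits.
group_other_bits() {   # $1 = path
  ls -ld "$1" | cut -c5-10
}

# List every offending entry (the directory itself included). Public keys
# (*.pub) are exempt because they are meant to be shared. Returns the count.
check_ssh_perms() {   # $1 = .ssh directory
  bad=0
  for f in "$1" "$1"/*; do
    [ -e "$f" ] || continue            # unmatched glob
    case "$f" in *.pub) continue ;; esac
    if [ "$(group_other_bits "$f")" != "------" ]; then
      echo "BAD $(ls -ld "$f" | cut -c1-10) $f"
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# Apply the expected modes: 700 on the directory, 600 on everything else,
# 644 on public keys.
fix_ssh_perms() {   # $1 = .ssh directory
  chmod 700 "$1"
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    case "$f" in
      *.pub) chmod 644 "$f" ;;
      *)     chmod 600 "$f" ;;
    esac
  done
}

# Demo: a freshly copied .ssh directory with the usual wrong modes.
demo=$(mktemp -d /tmp/dotssh.XXXXXX)
: > "$demo/id_rsa"; : > "$demo/id_rsa.pub"; : > "$demo/config"   # empty stand-ins
chmod 755 "$demo"; chmod 644 "$demo/id_rsa" "$demo/id_rsa.pub" "$demo/config"
check_ssh_perms "$demo"
echo "before fix: $? problems"
fix_ssh_perms "$demo"
check_ssh_perms "$demo"
echo "after fix: $? problems"
rm -rf "$demo"
```

On a real account run `check_ssh_perms ~/.ssh || fix_ssh_perms ~/.ssh`. The check deliberately treats authorized_keys and config as private (600); that is stricter than sshd requires but never wrong. It does not look at the home directory itself, which StrictModes also rejects if it is group- or world-writable.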

The default client configuration file is:
/private/etc/ssh_config
Per-user settings in $HOME/.ssh/config take precedence over the default configuration. ssh uses the first value it finds for each option (user file first, then the system file), so host-specific stanzas must come before any general "Host *" stanza.

To connect to an SSH server using a different user ID:
ssh userid@server-name-or-IP

To securely copy local files to a remote server, use scp (add -r for a directory):
scp localfile userid@server-name-or-IP:remotefile

To securely copy remote files to the local machine, use scp:
scp userid@server-name-or-IP:remotefile localfile

Using public/private key encryption for authentication

First, generate a key pair so you can log in without typing the account password (the private key is protected by a passphrase instead):
ssh-keygen -t dsa
DSA keys are limited to 1024 bits; ssh-keygen -t rsa -b 2048 gives a stronger key and works with the same steps below.
ssh-keygen prompts for a passphrase that protects the private key, then writes the pair to $HOME/.ssh/:
id_dsa (v2 private key, mode 600, never leaves this machine)
id_dsa.pub (v2 public key)
Next, append the contents of the public key file (one key per line) to $HOME/.ssh/authorized_keys on each server where you want to log in. The older authorized_keys2 name is still read for compatibility, but authorized_keys is the documented file.
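The append step is where most mistakes happen (duplicate lines, a world-writable file, a missing .ssh directory). The following is an added example, not from the original page, that installs a public key exactly once with the modes sshd accepts; the key line in the demo is constructed and is not a real key, and the remote-push function assumes a Bourne-compatible shell on the server.

```sh
#!/bin/sh
# Added example (not from the original page): install a public key into an
# authorized_keys file exactly once, with the modes StrictModes accepts.
# The key line used in the demo is constructed; it is not a real key.

# Append $2 (one public key line) to $1 (an authorized_keys path) unless
# it is already there. Creates the .ssh directory (700) and file (600).
install_pubkey() {   # $1 = authorized_keys path, $2 = public key line
  dir=$(dirname "$1")
  [ -d "$dir" ] || mkdir -m 700 "$dir"
  [ -f "$1" ] || { : > "$1"; chmod 600 "$1"; }
  if grep -qxF -- "$2" "$1"; then
    echo "already present: ${2##* }"     # trailing comment of the key line
  else
    printf '%s\n' "$2" >> "$1"
    echo "added: ${2##* }"
  fi
}

# The same idempotent append, run on a remote account over ssh. Not executed
# in the demo (it needs a reachable host). Assumes a Bourne-compatible remote
# shell and a key comment without single quotes.
push_pubkey() {   # $1 = userid@host, $2 = local .pub file
  key=$(cat "$2")
  ssh "$1" "umask 077; mkdir -p ~/.ssh; touch ~/.ssh/authorized_keys; \
    grep -qxF -- '$key' ~/.ssh/authorized_keys || printf '%s\n' '$key' >> ~/.ssh/authorized_keys"
}

# Demo on a temporary directory standing in for the server's $HOME.
# A real pair comes from: ssh-keygen -t rsa -b 2048
home=$(mktemp -d /tmp/home.XXXXXX)
key='ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAconstructedKeyMaterialForTheDemo== userid@laptop'
install_pubkey "$home/.ssh/authorized_keys" "$key"    # added
install_pubkey "$home/.ssh/authorized_keys" "$key"    # already present
ls -ld "$home/.ssh" "$home/.ssh/authorized_keys"
wc -l < "$home/.ssh/authorized_keys"                   # 1
rm -rf "$home"
```

Typical use is `push_pubkey userid@server ~/.ssh/id_dsa.pub`, which asks for the account password one last time; after that, `ssh userid@server` should ask only for the key's passphrase.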

To avoid retyping the passphrase every time the private key is used, load the key into ssh-agent once; ssh then asks the agent to sign on its behalf and never sees the unlocked key.

SSH-Agent

To start ssh-agent and load secret keys manually, execute:

  1. eval $(ssh-agent)
     ssh-agent only prints the SSH_AUTH_SOCK and SSH_AGENT_PID settings; eval puts them into the current shell, which is where ssh looks for them. Running ssh-agent on its own starts an agent nothing can find.
  2. ssh-add keyfile (once for each key; each prompts for that key's passphrase)

It is usually more convenient to start ssh-agent and load keys from your bash login script (~/.bash_profile) so that every shell and terminal window inherits the same agent. The keychain script, popular on Linux, automates this and also runs on Mac OS X.
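An added example (not from the original page) of the login-script approach: a ~/.bash_profile fragment that starts one ssh-agent per login session, records its socket in a private file, and lets later shells reuse it instead of starting a new agent each time. The location of that file ($HOME/.ssh/agent.env) is a choice made here, not an OpenSSH default.

```bash
# Added example (not from the original page): ~/.bash_profile fragment that
# starts one ssh-agent per login session and reuses it from later shells.
# $SSH_AGENT_ENV is a path chosen for this example, not an OpenSSH default.
SSH_AGENT_ENV="$HOME/.ssh/agent.env"

# Reuse an agent that is already reachable (inherited from the session, or
# forwarded by ssh -A); otherwise revive the one recorded in $SSH_AGENT_ENV
# if it is still alive; otherwise start a fresh agent and record it.
start_or_reuse_agent() {
  if [ -S "${SSH_AUTH_SOCK:-}" ]; then
    return 0
  fi
  if [ -r "$SSH_AGENT_ENV" ]; then
    . "$SSH_AGENT_ENV" >/dev/null
    if [ -S "${SSH_AUTH_SOCK:-}" ] && [ -n "${SSH_AGENT_PID:-}" ] \
       && kill -0 "$SSH_AGENT_PID" 2>/dev/null; then
      return 0
    fi
  fi
  # The env file names the agent's socket, so keep it private (umask 077 -> 600).
  ( umask 077; ssh-agent -s > "$SSH_AGENT_ENV" )
  . "$SSH_AGENT_ENV" >/dev/null
}

# Only act in interactive shells, so scripts that source this file stay quiet.
case $- in
  *i*)
    start_or_reuse_agent
    # Ask for the passphrase once per session; later shells see the loaded key.
    ssh-add -l >/dev/null 2>&1 || ssh-add "$HOME/.ssh/id_dsa"
    ;;
esac
```

On Mac OS X 10.5, launchd already exports SSH_AUTH_SOCK to GUI sessions, so the first branch usually fires and the login script only needs the ssh-add line; the file-based fallback matters for console and remote logins.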

Port Forwarding

SSH can forward local and remote TCP ports through the encrypted connection. Only root can bind a forwarded port below 1024 (0 to 1023): on the client for -L, on the server for -R.

To forward a local port through the SSH server to a host and port (the destination is resolved by the SSH server, so it may be a machine only the server can reach):
ssh userid@remotehost -L localport:targethost:targetport

To forward a port on the SSH server back to a host and port reachable from the client (the destination is resolved by the client; host may be localhost):
ssh userid@remotehost -R remoteport:host:hostport

Both forwards bind to the loopback address by default, so other machines cannot use them; add -N to set up the forward without opening a shell. For -R, the server binds a non-loopback address only if GatewayPorts is enabled in its sshd_config.
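Both the precedence rule for $HOME/.ssh/config and the two forwarding forms are easier to see in a per-host configuration. The following is an added example, not from the original page; the alias intranet, the hosts gateway.example.com and intranet.example.com, and the port numbers are placeholders.

```text
# $HOME/.ssh/config (added example; alias, host names and ports are placeholders)
# ssh takes the FIRST value it finds for each option, so the host-specific
# stanza must come before the catch-all "Host *" at the bottom.

Host intranet
    HostName gateway.example.com
    User userid
    IdentityFile ~/.ssh/id_dsa
    # Same as: ssh userid@gateway.example.com -L 8080:intranet.example.com:80
    # intranet.example.com is resolved on the gateway, so it may be a host
    # only the gateway can reach. The 127.0.0.1 bind keeps other LAN hosts out.
    LocalForward 127.0.0.1:8080 intranet.example.com:80
    # Same as: ssh userid@gateway.example.com -R 2222:localhost:22
    # localhost here means this Mac: users on the gateway reach its sshd
    # through port 2222 on the gateway's loopback address.
    RemoteForward 2222 localhost:22

Host *
    Protocol 2
    ForwardX11 no
    ForwardAgent no
    HashKnownHosts yes
```

With this in place, `ssh -N intranet` sets up both forwards without opening a shell, and http://localhost:8080/ on the Mac reaches the intranet web server through the gateway.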