HOWTO Setup SSH

From Research
Revision as of 21:21, 26 October 2006 by Gordp (talk | contribs) (→‎Configure)
Jump to navigation Jump to search

Purpose

SSH (The Secure Shell) is arguably the best way to access your data, over a network connection. The communication is encrypted, and a number of other services can run on top of SSH, permitting those other services to benefit from port-standardization, and encryption of the traffic. Linux, IRIX, Mac OS-X and other *NIX flavours generally all come with SSH, or can have SSH compiled from source.

Installation

Under Gentoo:

hostname ~ # emerge -pv net-misc/openssh
[ebuild   R    ] net-misc/openssh-4.3_p2-r5  USE="ipv6 ldap pam tcpd -X -X509 -chroot -hpn -kerberos -libedit (-selinux) -sftplogging -skey -smartcard -static"

Configure

The main configuration file for an SSH server is /etc/ssh/sshd_config. Adding the AllowUsers Directive is nearly a necessity, and implies that all other unspecified users are Denied.

AllowUsers nx gordp mdeepwel

(the user nx allows for the use of NoMachine's NXServer / NXClient remote desktop)

Typically, you will want the SSH daemon to start at boot, and run whenever your computer is turned on. Under Gentoo:

hostname ~ # rc-update add sshd default
* sshd added to runlevel default

You can manually stop, start, or restart the SSH daemon with this syntax (Gentoo):

hostname ~ # /etc/init.d/sshd stop
hostname ~ # /etc/init.d/sshd start
hostname ~ # /etc/init.d/sshd restart  (use this to effect changes; will maintain an existing connection)

Usage

Graphical tools exist for use with just about every OS, making such tasks as drag-and-drop file-transfer both easy and secure! Use this rather than FTP, wherever possible.

Problems

  • By far, the most-common difficulty encountered is that a host's RSA key has changed, and you are denied access. This can be quite opaque when using a GUI client like Fugu. The cure is to edit your ~/.ssh/known_hosts file, and remove the offending key. If this means nothing to you :-) then perhaps it's easiest to entirely delete your ~/.ssh/known_hosts and begin collecting keys all over again.
  • For those who connect to a number of different machines behind the same IP address (this happens with a NAT firewall, and multiple machines behind it), you can hand-edit your ~/.ssh/known_hosts file and add multiple public RSA keys for the same IP address. Here is an example of multiple keys, for different machines behind a single IP-address:
70.70.130.1 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAy9L56BD2+70YA97DzdBY0GGuDMHwPn1BUdByPBmOVLxPTdOtcbXLGHpV2IoYeiej0TAngAtzn4tUv2HZJS4y3OKnVq+nvHU3AtZm26oSaiHEDq6ilLX/AtA7lgi+keZSPASDTYA2M34nv6lsFpT3AFugTreKlkdORXDoamlW8Ds=
70.70.130.1 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAzVZj8PTtTQVAsbPs8s61YHT4CPQj73yiIEhh6FrAJOzRZSexaXGDO9R2cKCNYvIaXUnbI6QXhp2CNAofpKkLkqGOUiMQI2qkf/TdHAi2kgB33m0Tghy/Gf3CCS+YAh0z0oFzLQz93aSCsuKRYgKDAriDpzy9ZAsKpKXzn6VsW2k=
70.70.130.1 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAuxvwzkYpj3U3uNB/ZzTT0fxbzc+1xXApDf67iY0sfqn+pKx+r8mu2bRylflzH7DUDkmJmLoj5vXfgU1wHrfdjLnabMwhJO2B0kWi/kij0NuEp1O2PZgTNTAmsyju+i64ug82Urp9WO882gbLX7GAE9I0D54PfhncyVnhb6rT1mU=

Generally, you copy these entries from the intended target machine, using any number of means to get the key transferred. For example, you can easily set up and accept the key from your first machine, then use that computer to connect to the second machine (all behind your NAT firewall), then easily copy the public RSA key, which then would allow direct-connection to the second box). The file you need to copy is typically /etc/ssh/ssh_host_rsa_key.pub, with a bit of trimming after the = sign.