https://support.suso.com/supki/SSH_Tutorial_for...
Contents
1 What Is SSH?
2 Getting Started
3 Generating a key
3.1 Installing your public key manually
3.2 Installing your public key automatically
4 Using the ssh-agent program
5 X11 Session Forwarding
6 TCP Port Forwarding
7 SOCKS5 proxying
8 Running Commands Over SSH
9 Using SCP
10 Keeping Your SSH Session Alive
11 Ending your SSH session
12 External References
13 Credits
What Is SSH?
There are a couple of ways that you can access a shell (command line) remotely on most Linux/Unix systems. One
of the older ways is to use the telnet program, which is available on most network-capable operating systems.
Accessing a shell account through telnet, though, poses a danger: everything that you send or receive over that
telnet session is visible in plain text on your local network and on the local network of the machine you are
connecting to. So anyone who can "sniff" the connection in between can see your username, password, the email
that you read, and the commands that you run. For these reasons you need a more sophisticated program than
telnet to connect to a remote host.
1 of 9
28/07/16 13:02
Getting Started
This tutorial isn't going to cover how to install SSH, but it will cover how to use it for a variety of tasks. Consult
your Linux distribution's documentation for information on how to set up OpenSSH.
Chances are that if you are using a version of Linux that was released after 2002, you already have OpenSSH
installed. The version of SSH that you will want to use on Linux is called OpenSSH. As of this writing (October
2009), the latest version available is 5.3, but you may encounter versions from 3.6 on up. If you are using anything
lower than version 3.9, I'd strongly advise you to upgrade it.
OpenSSH can be obtained from http://www.openssh.org/
To really make ssh useful, you need a shell account on a remote machine, such as on a Suso account.
The first thing we'll do is simply connect to a remote machine. This is accomplished by running 'ssh hostname' on
your local machine. The hostname that you supply as an argument is the hostname of the remote machine that you
want to connect to. By default ssh will assume that you want to authenticate as the same user you use on your local
machine. To override this and use a different user, simply use remoteusername@hostname as the argument, as in
this example:
ssh username@username.suso.org
The first time around it will ask you if you wish to add the remote host to the list of known_hosts; go ahead and say
yes.
The authenticity of host 'arvo.suso.org (216.9.132.134)' can't be established.
RSA key fingerprint is 53:b4:ad:c8:51:17:99:4b:c9:08:ac:c1:b6:05:71:9b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'arvo.suso.org' (RSA) to the list of known hosts.
It is important to pay attention to this question, however, because this is one of SSH's major features: host
validation. To put it simply, ssh checks that you are connecting to the host that you think you are connecting to.
That way, if someone tries to trick you into logging into their machine instead so that they can sniff your SSH
session, you will get a warning like this:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for arvo.suso.org has changed,
and the key for the according IP address 216.9.137.122 is unchanged.
This could either mean that DNS SPOOFING is happening or the IP address
for the host and its host key have changed at the same time.
Offending key for IP in /home/suso/.ssh/known_hosts:10
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
96:92:62:15:90:ec:40:12:47:08:00:b8:f8:4b:df:5b.
Please contact your system administrator.
Add correct host key in /home/suso/.ssh/known_hosts to get rid of this message.
Offending key in /home/suso/.ssh/known_hosts:53
RSA host key for arvo.suso.org has changed and you have requested strict checking.
Host key verification failed.
If you ever get a warning like this, you should stop and determine whether there is a reason for the remote server's
host key to change (such as SSH or the server itself having been upgraded). If there is no good reason for the
host key to change, then you should not try to connect to that machine until you have contacted its administrator
about the situation. If it is your own machine that you are trying to connect to, you should do some computer
forensics to determine whether the machine was hacked (yes, Linux can be hacked). Or maybe your home computer's
IP address has changed, as can happen if you have a dynamic IP address for DSL. One time I received this message
when trying to connect to my home machine's DSL line. I thought it was odd since I hadn't upgraded SSH or anything
on my home machine, and so I chose not to try to override the cached key. It was a good thing that I didn't try,
because I found out that my dynamic IP address had changed and that, by chance, another Linux machine
running OpenSSH had taken my old IP.
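The host-key decision described above, reproduced in Python as an added example (this is not code from the tutorial or from OpenSSH): it reads plaintext known_hosts lines, produces the colon-separated MD5 fingerprint format the prompts above display, and classifies a presented key the way the "new host" prompt and the two warnings do. The key blobs and the known_hosts contents are constructed toy values, not real keys.

```python
import base64
import hashlib
import struct

def make_blob(key_type: bytes, *numbers: int) -> bytes:
    """Build an OpenSSH public-key blob (type string, then mpints). Used here for toy keys only."""
    def mpint(x: int) -> bytes:
        raw = x.to_bytes((x.bit_length() + 8) // 8, "big")   # spare 0x00 keeps the sign bit clear
        return struct.pack(">I", len(raw)) + raw
    return struct.pack(">I", len(key_type)) + key_type + b"".join(mpint(n) for n in numbers)

def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated MD5 hex, the fingerprint format the prompts above display."""
    hexd = hashlib.md5(blob).hexdigest()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))

def parse_known_hosts(text: str) -> dict:
    """Map each plaintext host name / IP in a known_hosts file to its decoded key blob."""
    keys = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "|1|", "@")):
            continue   # comments, hashed entries and @cert-authority/@revoked lines are skipped here
        for name in parts[0].split(","):
            keys[name] = base64.b64decode(parts[2])
    return keys

def check_host(known: dict, host: str, ip: str, presented: bytes) -> str:
    """Classify a presented host key the way ssh's prompt and warnings above do."""
    host_key, ip_key = known.get(host), known.get(ip)
    if host_key is None:
        return "new-host"                   # confirm the fingerprint out of band, then say yes
    if host_key == presented:
        return "ok" if ip_key in (None, presented) else "ip-key-differs"
    if ip_key == presented:
        return "dns-spoofing-suspected"     # key for the name changed, key for the IP unchanged
    return "host-key-changed"               # strict checking: do not connect, ask the admin

# Constructed sample data: toy "ssh-rsa" blobs (not real keys) and a known_hosts file.
OLD_KEY = make_blob(b"ssh-rsa", 65537, 0xC0FFEE1234567891)
NEW_KEY = make_blob(b"ssh-rsa", 65537, 0xDEADBEEF87654321)
KNOWN_HOSTS = "\n".join([
    "# constructed example known_hosts",
    "arvo.suso.org ssh-rsa " + base64.b64encode(OLD_KEY).decode(),
    "216.9.132.134 ssh-rsa " + base64.b64encode(NEW_KEY).decode(),
])

if __name__ == "__main__":
    known = parse_known_hosts(KNOWN_HOSTS)
    print(fingerprint_md5(NEW_KEY), check_host(known, "arvo.suso.org", "216.9.132.134", NEW_KEY))
```

Run stand-alone it prints the toy key's fingerprint followed by dns-spoofing-suspected, the situation the first warning above describes.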
After saying yes, it will prompt you for your password on the remote system. If the username that you specified
exists and you type in the remote password for it correctly, then the system should let you in. If it doesn't, try again,
and if it still fails, you might check with the administrator that you have an account on that machine and that your
username and password are correct.
Generating a key
Now that you have spent all that time reading and are finally connected, go ahead and log out. ;-) Once you're back
at your local computer's command prompt, enter the command 'ssh-keygen -t dsa'.
ssh-keygen -t dsa
It should begin spitting out the following:
Generating public/private dsa key pair.
Enter file in which to save the key (/home/localuser/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/localuser/.ssh/id_dsa.
Your public key has been saved in /home/localuser/.ssh/id_dsa.pub.
The key fingerprint is:
93:58:20:56:72:d7:bd:14:86:9f:42:aa:82:3d:f8:e5 localuser@mybox.home.com
It will prompt you for the location of the keyfile. Unless you have already created a keyfile in the default location,
you can accept the default by pressing 'enter'.
Next it will ask you for a passphrase and ask you to confirm it. The idea behind what you should use for a
passphrase is different from that of a password. Ideally, you should choose something unique and unguessable, just
like your password, but it should probably be something much longer, like a whole sentence. Here are some
examples of passphrases I've used in the past:
The right thing changes from state to state
the purpose of life is to give it purpose
They're not going to guess this passphrase!
The RIAA can just suck my big ass
It is never a good day at Teletron
Some passphrases that I've used have had as many as 60 characters along with punctuation and numbers. This
makes the passphrase harder to guess. To give you an idea of how much more secure a passphrase is than a
password, consider this. Even if you narrowed down the number of words someone could use in a passphrase to
2000 potential words, if that person used 5 words in a sentence from that 2000 word set, it would mean there are
32,000,000,000,000,000 different combinations. Compare this with 6,095,689,385,410,816, which is the total
number of possible combinations in an 8 character password using upper and lower case characters, numbers and
punctuation (about 94 potential characters). So an 8 character password has 5.25 times fewer combinations than a 5
word passphrase. In actuality, most people choose words from a set of 10,000 or more words, bringing the
complexity of a 5 word passphrase to 16,405 or more times that of an 8 character password. So on
average, the difficulty of cracking a passphrase is much greater than that of any password that could be used.
Interestingly, the potential number of combinations of an 8 word passphrase for someone with an adult vocabulary
(8000 words or more) is almost equal to the number of 8 character password combinations multiplied by itself, or
about 16,777,216,000,000,000,000,000,000,000,000 combinations.
Don't use any famous quotes or phrases for your passphrase; they may be easily guessed by another person or by a
brute force cracking program.
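The comparison above carried through in bits of entropy, as an added worked equation that is not part of the original tutorial. Assuming each word (or character) is chosen uniformly and independently from a list of $N$ candidates, $k$ of them give $N^k$ equally likely values:

$$H = \log_2 N^k = k \log_2 N \ \text{bits}$$

$$8 \text{ characters}, N = 94: \quad 8 \log_2 94 \approx 52.4 \text{ bits} \quad (94^8 = 6{,}095{,}689{,}385{,}410{,}816)$$

$$5 \text{ words}, N = 2000: \quad 5 \log_2 2000 \approx 54.8 \text{ bits} \quad (2000^5 = 3.2 \times 10^{16}), \qquad 2^{54.8 - 52.4} \approx 5.25$$

$$5 \text{ words}, N = 10000: \quad 5 \log_2 10000 \approx 66.4 \text{ bits}, \qquad 2^{66.4 - 52.4} = 2^{14} \approx 16{,}400$$

$$8 \text{ words}, N = 8000: \quad 8 \log_2 8000 \approx 103.7 \text{ bits}, \qquad \text{close to } 2 \times 52.4 = 104.9 \text{ bits}$$

The uniform-choice assumption is exactly what a famous quote breaks: a cracking program working from a list of quotations has far fewer than $N^k$ candidates to try.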
The reason why you would generate a keyfile is so that you can increase the security of your SSH session by not
using your system password. When you generate a key, you are actually generating two key files: one private key
and one public key, which is different from the private key. The private key should always stay on your local
computer, and you should take care not to lose it or let it fall into the wrong hands. Your public key can be put on
the machines you want to connect to, in a file called .ssh/authorized_keys. The public key is safe to be viewed by
anybody and mathematically cannot be used to derive the private key. It's just like if I gave you the number
38,147,918,357 and asked you to find the numbers and operations I used to generate it. There are nearly
infinite possibilities.
Whenever you connect via ssh to a host that has your public key loaded in the authorized_keys file, it will use a
challenge-response type of authentication, which uses your private key and public key to determine if you should be
granted access to that computer. It will ask you for your key passphrase, though. But this is your local ssh process
that is asking for your passphrase, not the ssh server on the remote side. It is asking so that it can authenticate you
using the data in your private key. Using key based authentication instead of system password authentication may
not seem like much of a gain at first, but there are other benefits that will be explained later, such as logging in
automatically from X windows.
Gentoo
SuSE
Ubuntu
Most distributions prior to about 2002 did not start it.
Don't worry if you don't see your distro listed here. You can check whether it is already running by running this
command:
ps auxw
If there is an ssh-agent process listed there, then you can just start using it, otherwise, you should consult your
distribution's documentation on OpenSSH and running the ssh-agent.
Once you've verified that ssh-agent is running, you can add your ssh key to it by running the ssh-add command:
ssh-add
If the program finds the DSA key that you created above, it will prompt you for the passphrase. Once you have
entered it, it should tell you that it has added your identity to the ssh-agent:
Identity added: /home/username/.ssh/id_dsa (/home/username/.ssh/id_dsa)
Now you can try logging into that remote machine again and this time you will notice that it just logs you right in
without prompting you for any password or passphrase.
To make adding your passphrase easier, you can add the ssh-add program to your desktop session's startup
programs, and it will bring up a prompt in X windows to ask for your passphrase every time you log in to your
desktop. You should also have the gtk2-askpass program installed, or x11-askpass. They are the real programs that
actually prompt you for your password; ssh-add just runs them if it's not being run in a terminal. Below is a
screenshot of the Gnome Sessions Configuration dialog with ssh-add added to the startup programs.
For some newer programs and newer versions of X windows, you may need to use the -Y option instead, for trusted
X11 forwarding. Try using this option if your X11 program fails to start with a message like this one, which was
from Gimp:
The program 'gimp-2.2' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadWindow (invalid Window parameter)'.
(Details: serial 154 error_code 3 request_code 38 minor_code 0)
(Note to programmers: normally, X errors are reported asynchronously;
that is, you will receive the error a while after causing it.
To debug your program, run it with the --sync command line option
to change this behavior. You can then get a meaningful backtrace
from your debugger if you break on the gdk_x_error() function.)
SOCKS5 proxying
So that's great and all, but eventually you are going to want to know how you can do tunneling without having to
specify the address that you want to forward to.
This is accomplished through the -D (SOCKS5) option.
ssh -D 9999 username@remotehost.net
Any application that supports the SOCKS5 protocol (and most of the big network programs do) can forward its
network connection over SSH and dynamically forward to any hostname that you specify. So for a web browser, any
URL that you type in the URL field would be sent through the SSH tunnel. Firefox, Xchat, Gaim and many others
all support using SOCKS5. The setting is usually under preferences, in the connection settings.
Remember, in the words of Benjamin "Uncle Ben" Parker, with great power comes great responsibility. Just because
you can get around firewalls and use other hosts for sending network traffic doesn't mean that some system
administrator isn't going to notice you.
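What "dynamically forward to any hostname" means on the wire, as an added example that is not from the tutorial: the two client messages a SOCKS5-aware application sends to the local ssh -D 9999 listener (RFC 1928), with the destination carried as a name so that the remote ssh server resolves it. The proxy address 127.0.0.1:9999 is assumed from the command above.

```python
import socket
import struct

# Added example (not from the tutorial): the messages a SOCKS5-aware application
# exchanges with the local "ssh -D 9999" listener before its traffic goes through
# the tunnel (RFC 1928). The destination is sent by name (ATYP 0x03), which is what
# lets ssh forward "to any hostname you specify": the remote end resolves the name.

SOCKS_VERSION = 5

def greeting() -> bytes:
    """Method selection: offer only 'no authentication' (0x00), which ssh -D accepts."""
    return struct.pack("BBB", SOCKS_VERSION, 1, 0x00)

def connect_request(host: str, port: int) -> bytes:
    """CONNECT request carrying the destination as a domain name, not an IP address."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("SOCKS5 domain names are limited to 255 bytes")
    return struct.pack("BBBBB", SOCKS_VERSION, 0x01, 0x00, 0x03, len(name)) + name + struct.pack(">H", port)

def parse_reply(data: bytes) -> tuple:
    """Return (succeeded, bound_address, bound_port) from the proxy's reply."""
    ver, rep, _rsv, atyp = struct.unpack("BBBB", data[:4])
    if ver != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    if atyp == 0x01:                                   # IPv4
        addr, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == 0x03:                                 # domain name
        n = data[4]
        addr, rest = data[5:5 + n].decode(), data[5 + n:]
    elif atyp == 0x04:                                 # IPv6
        addr, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    else:
        raise ValueError("unknown address type %d" % atyp)
    return rep == 0x00, addr, struct.unpack(">H", rest[:2])[0]

def tunnel(host: str, port: int, proxy=("127.0.0.1", 9999)) -> socket.socket:
    """Open a TCP connection to host:port through the local ssh -D listener."""
    s = socket.create_connection(proxy)
    s.sendall(greeting())
    if s.recv(2) != bytes([SOCKS_VERSION, 0x00]):
        s.close()
        raise ConnectionError("proxy did not accept the no-auth method")
    s.sendall(connect_request(host, port))
    ok, _addr, _port = parse_reply(s.recv(262))        # longest reply: 4 + 1 + 255 + 2 bytes
    if not ok:
        s.close()
        raise ConnectionError("proxy could not reach %s:%d" % (host, port))
    return s
```

tunnel() needs a running ssh -D session to succeed; the message builders and the reply parser work offline.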
Using SCP
SCP is basically a program that uses the SSH protocol to send files between hosts over an encrypted connection.
You can transfer files from your local computer to a remote host or vice versa, or even from a remote host to
another remote host.
Here is a basic command that copies a file called report.doc from the local computer to a file by the same name on
the remote computer:
scp report.doc username@remote.host.net:
Note how the lack of a destination filename just preserves the original name of the file. This is also the case if the
External References
Here are some links where you can find more information about SSH:
Mark's presentation notes from the January 2006 BLUG meeting
OpenSSH Website
The SSH FAQ
Secure Shell article in Wikipedia
The old non-wiki version of this tutorial (last modified 2007-08-04)
The much older version of this tutorial (1999-02-21)
Linked to by digg.com front page (2006-03-03) (823 diggs!)
This tutorial was cited by Patent #WO2009077781 A1
Credits
Original document, graphics and examples by Mark Krenz (mark@suso.org)
Thank you to the following people for sending corrections:
Zake Stahl (Several corrections)
Christopher Mylonas (noticing that MySQL should be 3306, not 3066)
Tehiri Tehiri (Suggesting a clarification in the username and password prompt section)
Behrang Saeedzadeh (Noticing contact typo)
Pratik Mallya (Suggesting I mention ssh-copy-id)
Other people listed on the history page of this document.
Retrieved from "https://support.suso.com/w/index.php?title=SSH_Tutorial_for_Linux&oldid=414"
Category:
Shell
Copyright 2004-2009 Suso Technology Services, Inc.
101 W.Kirkwood Ave Ste 222
Bloomington, Indiana