SSH Configuration, Use of Client puTTY, and Troubleshooting in Debian

PuTTY: A Free Telnet/SSH Client

SSH Configuration and Troubleshooting in Debian

SSH

SSH (Secure SHell) is the secure way to connect over the Internet. A free version of SSH called OpenSSH is available as the ssh package in Debian.

 Basics of SSH

First install the OpenSSH server and client.

# apt-get update

# apt-get install ssh

/etc/ssh/sshd_not_to_be_run must not be present if one wishes to run the OpenSSH server.

SSH has two authentication protocols:

  • SSH protocol version 1:
    • Potato version only supports this protocol.
    • available authentication methods:
      • RSAAuthentication: RSA identity key based user authentication
      • RhostsAuthentication: .rhosts based host authentication (insecure, disabled)
      • RhostsRSAAuthentication: .rhosts authentication combined with RSA host key (disabled)
      • ChallengeResponseAuthentication: RSA challenge-response authentication
      • PasswordAuthentication: password based authentication
  • SSH protocol version 2:
    • post-Woody versions use this as the primary protocol.
    • available authentication methods:
      • PubkeyAuthentication: public key based user authentication
      • HostbasedAuthentication: .rhosts or /etc/hosts.equiv authentication combined with public key client host authentication (disabled)
      • ChallengeResponseAuthentication: challenge-response authentication
      • PasswordAuthentication: password based authentication

Be careful about these differences if you are migrating to Woody or using a non-Debian system.

See /usr/share/doc/ssh/README.Debian.gz, ssh, sshd, ssh-agent, and ssh-keygen for details.

Following are the key configuration files:

  • /etc/ssh/ssh_config: SSH client defaults. See ssh. Notable entries are:
    • Host: Restricts the following declarations (up to the next Host keyword) to be only for those hosts that match one of the patterns given after the keyword.
    • Protocol: Specifies the SSH protocol versions. The default is “2,1”.
    • PreferredAuthentications: Specifies the SSH2 client authentication method. The default is “hostbased,publickey,keyboard-interactive,password”.
    • PasswordAuthentication: If you want to log in with a password, you have to make sure this is not set no.
    • ForwardX11: The default is disabled. This can be overridden by the command-line option “-X”.
  • /etc/ssh/sshd_config: SSH server defaults. See sshd. Notable entries are:
    • ListenAddress: Specifies the local addresses sshd should listen on. Multiple options are permitted.
    • AllowTcpForwarding: The default is disabled.
    • X11Forwarding: The default is disabled.
  • $HOME/.ssh/authorized_keys: the lists of the default public keys that clients use to connect to this account on this host. See ssh-keygen.
  • $HOME/.ssh/identity: See ssh-add and ssh-agent.

The following will start an ssh connection from a client.

$ ssh username@hostname.domain.ext     $ ssh -1 username@hostname.domain.ext # Force SSH version 1     $ ssh -1 -o RSAAuthentication=no -l username test.host         # force password on SSH1     $ ssh -o PreferredAuthentications=password -l username test.host         # force password on SSH2

For the user, ssh functions as a smarter and more secure telnet (will not bomb with ^]).

SSH clients

There are a few free SSH clients available for non-Unix-like platforms.

Windows

puTTY (GPL)

Windows (cygwin)

SSH in cygwin (GPL)

Macintosh Classic

macSSH (GPL) [Note that Mac OS X includes OpenSSH; use ssh in the Terminal application]

Troubleshooting SSH

If you have problems, check the permissions of configuration files and run ssh with the “-v” option.

Use the “-P” option if you are root and have trouble with a firewall; this avoids the use of server ports 1–1023.

If ssh connections to a remote site suddenly stop working, it may be the result of tinkering by the sysadmin, most likely a change in host_key during system maintenance. After making sure this is the case and nobody is trying to fake the remote host by some clever hack, one can regain a connection by removing the host_key entry from $HOME/.ssh/known_hosts on the local machine

 

———————————- SSH Installation —————————————–

Introduction

SSH stands for Secure Shell and is a protocol for secure remote login and other secure network services over an insecure network1. See Wikipedia – Secure Shell for more general information and ssh, lsh-client or dropbear for the SSH software implementations out of which OpenSSH is the most popular and most widely used2. SSH replaces the unencrypted telnet,rlogin and rsh and adds many features.

In this document we’ll be using the OpenSSH command suite, it will also be assumed that the following two variables are defined:

remote_host=<the remote computer>
remote_user=<your user name on $remote_host>

So, if you want to use the recipes below, first set these variables to the remote computer name and the user name on that remote computer. Then cut and paste of the commands below should work. remote_host may also be an IP-address.

Installation

Installation of the client

Normally the client is installed by default. If not it suffices to run as root:

apt-get install openssh-client

Installation of the server

The server allows to connect remotely and gets installed by running as root:

apt-get install openssh-server

Configuration files

The main configuration files are in the directory /etc/ssh :

  • ssh_config : client configuration file

  • sshd_config : server configuration file

In addition this directory contains the private/public key pairs identifying your host :

  • ssh_host_dsa_key
  • ssh_host_dsa_key.pub
  • ssh_host_rsa_key
  • ssh_host_rsa_key.pub

Since OpenSSH 5.73, a new private/public key pair is available:

  • ssh_host_ecdsa_key
  • ssh_host_ecdsa_key.pub

Regenerating host keys

rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server

Remote login

With password

If you want to login to $remote_host as user $remote_user simply type

ssh $remote_user@$remote_host

and then type in your password.

If the usernames on the local and the remote computer are identical, you can drop the $remote_user@-part and simply write

ssh $remote_host

If this is the first time you login to the remote computer, ssh will ask you whether you are sure you want to connect to the remote computer. Answer ‘yes’ after you verified the remote computer’s fingerprint, type in your password, and ssh will connect you to the remote host.

Using shared keys

One of the functions of ssh is using a pair of private/public keys to connect to a remote host. This method allows you to login to a remote host without typing your password every time. To do this you must generate a pair of private/public keys on your local machine and deposit the key on the remote host.

To generate the key, use the program ssh-keygen as follows

ssh-keygen -t rsa

This program generates a pair of private/public keys in the directory ~/.ssh. The program first asks for the destination files for the keys, by default located in ~/.ssh. Afterwards a passphrase is requested.

Note: We recommend not to leave the passphrase empty. An attacker who gets hold of your private key can otherwise connect to the hosts where you deposited you public key since the passphrase is empty. Choose a long and complex passphrase.

You private key is id_rsa (don’t give it to someone else), the public key is id_rsa.pub.

You copy your public key to a remote host with the command ssh-copy-id

ssh-copy-id -i ~/.ssh/id_rsa.pub $remote_user@$remote_host

Now you can connect simply to the remote host and the passphase is asked for. Once done, you get connected to the remote host. In case of a new connection the passphrase does not get asked for again during your entire session.

Securing

By default a SSH server is relatively secure. With the help of some configuration options and external utilities it is possible to make it even harder for crackers.

/!\ Using the latest version of package openssh-server allows to protect against known security holes.

Configuration Options

(!) One should edit the file /etc/ssh/sshd_config to change the parameters and then restart the ssh server with

invoke-rc.d ssh restart
  • Deactivate using passwords for authentication (PasswordAuthentication no).

  • Deactivate using the root account (PermitRootLogin no).

  • Only allow login by certain users or groups (AllowUsers and AllowGroups)

{i} The options AllowUsers and AllowGroups do not improve the security of a SSH server. But in certain cases their use allows to resist a brute force attack a little longer.

External Utilities

  • fail2ban : allows to automatically blacklist IPs attempting to brute force a SSH server with the help of iptables.

  • denyhosts : as fail2ban, denyhosts allows to block IP addresses trying to brute force a connection to ssh. But in contrast to fail2ban it does not use iptables, but the file /etc/hosts.deny.

Additional Functions

Additional Commands

scp

scp is a command line utilty allowing to transfer files between two machines.

  • Sending a file:
scp $source_file $remote_user@$remote_host:$destination_file
  • Copying a file to the local machine:
scp $remote_user@$remote_host:$source_file $destination_file

ssh-agent and ssh-add

ssh-agent is a useful utility to manage private keys and their passphrases. It should be invoked at the beginning of your session like so on a bourne shell:

eval `ssh-agent -s`

or on a C shell:

eval `ssh-agent -c`

When a private key is first needed, you are prompted for its passphrase and ssh-agent remembers the key. Whenever that private key is used later on, the passphrase doesn’t get asked anymore.

ssh-add can be used to manage the remembered keys:

  • Adding a key: ssh-add $private_key

  • List the added keys: ssh-add -l

  • Remove all keys from the knowledge of ssh-agent: ssh-add -D

Remote commands

If you just want to run one command on the remote computer, you don’t need to login. You can tell ssh to run the command without login, for instance,

ssh $remote_user@$remote_host 'ls *.txt'

lists all files with extension .txt on the remote computer. This works with single tick quotes ‘…’ as shown here, with double tick quotes “…”, and without quotes. There may be differences between these three cases, though, not yet documented here.

SSH into Debian from another OS

SSH and security

SSH Server

  • Consider using fail2ban which is a log file monitor that automatically bans an ip address after a predefined number of failed login attempts. Guards against brute force attacks.

  • Use SSH keys rather than password.

SSH Client

Troubleshooting

OpenSSL version mismatch. Built against 1000105f, you have 10001060

If you get an error message like this when starting the ssh daemon, you need to run:

apt-get install openssh-server openssh-client
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s