<html> <head><title>SSH on SDF</title> </head>
<h1>Using SSH for connections/transfer to/from SDF</h1>
<ul>
<li><a href="#sdf">SDF issues</a></li>
<li>ssh and <a href="#port_tunneling">port tunneling</a></li>
<li><a href="#public_key">public key</a> authentication</li>
<li><a href="#socks">socks tunneling</a> from a school/uni network</li>
</ul>
<p>This tutorial discusses some important points concerning the use of
SSH for encrypted traffic to and from SDF. Your first source of
information is the manpages: <code>man ssh</code> - read
them if you want to make good use of <code>ssh</code> and company!</p>
<p><em>Note: this text has been assembled from articles written
by several users; therefore, layout and wording may vary,
and the same topic may be covered in several places.</em></p>
<p>SSH stands for Secure SHell, and is a replacement for telnet, to
permit secure terminal connections. The system mainly consists of the
following programs:</p>
<dl>
<dt><code>ssh</code></dt>
<dd>This is the main program, used for direct terminal connections to a
remote computer. In principle it is used like <code>ssh</code>.</dd>
<dt><code>scp</code></dt>
<dd>This is a replacement for ftp or rcp, and permits secure copying of
files to and from a remote computer. Its basic syntax is
<code>scp localfile</code> to
copy a file <em>to</em> the remote computer, and
<code>scp localfile</code> to
copy a file <em>from</em> the remote computer. Note that you can also
use wildcards in the remote and local file description (which may need
quotes around the remote file name, depending on your shell).</dd>
<dt><code>sftp</code></dt>
<dd>This is a replacement for ftp, permitting listing of a remote file
system and copying to and from it. It has more capabilities than scp,
but needs a remote service running under ssh. In principle it is used
like <code>sftp</code>.</dd>
</dl>
<p>On the client side, a lot of programs are available; you may be best
off using a search engine with the keywords <tt>ssh client</tt> and
the name of your local operating system.</p>
<!-- ------------------------------------------------------------------- -->
<h2 id="sdf">SDF issues</h2>
<p>Here we discuss some peculiarities concerning SDF and SSH.</p>
<h3 id="sdf_permissions">file and directory permissions</h3>
<p><a href="#public_key">Public key authentication</a> will not work
if the home directory (<code>$HOME</code>) or the user's ssh directory
<code>$HOME/.ssh</code> is world writable. Your home directory should
never be world writable, anyway!</p>
<p>To make sure you have the right permissions, execute the following
command in the shell while logged into your account:<br/>
<code>chmod go-w $HOME $HOME/.ssh</code></p>
<p>This also removes group write permission, which sshd rejects as well
when its <code>StrictModes</code> option is on (the default).
You should look up <code>chmod</code> in the manpages if you don't
understand this command.</p>
<h2>special topics</h2>
<!-- ------------------------------------------------------------------- -->
<h3 id="port_tunneling">How to enable Port Tunneling and Why</h3>
<h4>What is port tunneling good for</h4>
<p>Port tunneling is the ability to tunnel from your internet point of presence
back to SDF servers and use the SDF servers like a <a
href="">Socks 4 Proxy</a>. This allows
your connection to be encrypted via SSL between your internet access point and
SDF, which makes your traffic more secure if you are on a public internet
access point.</p>
<h4>What tools are needed</h4>
<UL><LI>A good SSH Client that allows tunneling (<a href="">PuTTY</a> in my examples)</LI>
<LI>Any software package that understands SOCKS 4 (<a href="">Trillian</a> in my example)</LI>
<LI><a href="">MetaARPA</a> membership</LI></UL>
<h4>How to set up PuTTY</h4>
<p>First you need to connect to an SSL enabled SDF server: on port 443.</p>
<img src="tutorials/images/PuTTY1.gif" align="left" alt="putty screenshot 1" width="456" height="435"><br clear="all">
<p>Then you need to configure the port to tunnel on your local machine. Generally Socks proxies
use port 1080, so that is a good port. Click on the Tunnels category and configure the tunnel as
shown below.</p>
<img src="tutorials/images/PuTTY2.gif" align="left" alt="putty screenshot 2" width="456" height="435"><br clear="all">
<p>Click on the "Add" button and you should see the screen as listed below.</p>
<img src="tutorials/images/PuTTY3.gif" align="left" alt="putty screenshot 3" width="456" height="435"><br clear="all">
<p>Then go back to Session,
name and save the session. Click connect and the tunnel should become active.</p>
<h4>How to use the Tunnel you just enabled</h4>
<p>I am now going to configure Trillian (a great multi-IM chat program) to use the tunnel.
It should be obvious how to configure other applications from these screenshots.
First click on the "Trillian Preferences" and select "Advanced Preferences". Select "Proxy".
If you want all your chat services to use the proxy, select the "use one setting for all services" checkbox.
Otherwise configure this on each service you want to encrypt over the tunnel.</p>
<img src="tutorials/images/Trillian.gif" align="left" alt="Trillian screenshot 1" width="730" height="530"><br clear="all">
<p>Click on "Close". Now your service should be able to connect through the tunnel.
Again, this will encrypt all traffic from your Internet access point to SDF.
Once it leaves SDF it will no longer be encrypted (unless you are hitting an HTTPS
page or something already encrypted).
Technically any program that supports a Socks 4 proxy can be used with the tunnel.</p>
<!-- ------------------------------------------------------------------- -->
<h3 id="public_key">SSH Public Key Authentication</h3>
<p>These instructions attempt to explain the basic concepts of SSH Public Key Authentication, what it is, and the steps required to use it.
</p><p><em>Note: Please make sure to have set the
<a href="#sdf_permissions">correct permissions</a> in your SDF account,
before attempting to set up public key authentication!</em> Also note
that there is another way of doing this, explained further down by
another user. Your mileage may vary!
</p><p> Logging in with SSH key authentication means that you do not have to use your SDF account password. Instead, you generate a 'key' -- which is two long strings of characters stored in a pair of files -- and these files are used to verify that you are who you say you are. Since your key can reliably identify you, you can authorize the user of this key (you, hopefully) to log in to your SDF account. You can authorize any key you wish, and adding someone's key would allow them to log in to your SDF account, without even using or knowing your password.
</p><p> This may sound insecure or easily exploitable. In fact though, due to much research and theory, it can be very secure. Notice "can be" in that last sentence. The key files are taking the place of a password in proving to the server that you're really you. Just like you have to keep passwords secret, the strength of this method relies on you following certain guidelines. You will generate a pair of mathematically related keys: one public and the other private. <strong>You should never give out your private key, nor should you make the file that contains it readable by any other user. This would be like storing your password in a world-readable file.</strong> Only your *public* key will be listed on the server. Ensuring that your private key remains private is the most important of the guidelines that I mentioned. On to the instructions:</p>
<h4> Windows instructions: </h4>
<p>You will need an SSH client and a key generator for Windows. These instructions are written for the popular programs PuTTY and PuTTYgen. Both are available at
</p><p>Run PuTTYgen. At the bottom of the window, you can select which type of key you want to generate. You will need to pick between RSA and DSA encryption: go with RSA -- the relevant website is here: . Your choice will have no effect on the rest of the steps here. For current applications, 1024 bits is plenty for a key to have. If you're feeling paranoid, 2048 bits should (barring any revolutions in prime factoring) keep your key secure for a decade or two. (This was written in 2008; 1024-bit RSA is no longer considered adequate, and 2048 bits is now the usual minimum.)
</p><p>Now press Generate and wave your mouse around to seed some randomness in the key generator. Voilà, you have a key.
</p><p>You can then add a passphrase to your key, and use just that one passphrase whenever you log in to an ssh server using your key. Alternately you can use no passphrase. Be aware though that if <em>you</em> don't have to use a password to login from your computer, then <em>neither would anyone else that sits down at your computer</em> or otherwise accesses your local account.
</p><p>The key comment is for your personal convenience; I recommend youruser@yourlocalmachine and maybe the date, but of course it's up to you. Now save both the private and public key file somewhere (My Documents is a good choice, but pick somewhere that only *you* will have read access to).
</p><p>Next, you need to configure PuTTY to use this key. Fire up PuTTY and load your session or create a new one. Then in the Category list on the left, select Connection > SSH > Auth. Browse for your key and load it up. Also, you'll want to allow changes of username if your SDF account name is different from your local one.
</p><p>You're almost done! Now you need to let the server know about your new key. After you do this, the ssh, scp and sftp programs will use the key files automatically. So (optionally, but it is recommended) save your session, and then connect. Now do the following to authorize your key:
</p>
<ol start="0">
<li>Copy the contents in the Key Generator window ("Public key for pasting into OpenSSH authorized_keys file").</li>
<li>Log in as normal and run the following commands.</li>
<li><code>$ mkdir ~/.ssh</code></li>
<li><code>$ cd ~/.ssh/</code></li>
<li><code>$ touch authorized_keys</code></li>
<li>Open the authorized_keys file you just created in a text editor.</li>
<li>Paste the contents of that box into the authorized_keys file. In PuTTY, selecting text copies it and a right click pastes.</li>
<li>Save the authorized_keys file.</li>
</ol>
<p>You should now be able to log in using SSH Key Authentication.</p>
<hr />
<p>I succeeded somewhat differently. In my trial, the public key should
rather be copied not from the saved public key file, but from the <strong>Public key for
pasting into OpenSSH authorized_keys file:</strong> textbox in the PuTTYgen
window. Note that we can also extract it from existing PuTTYgen-type private
keys (just load one into PuTTYgen, and the public key should be there).</p>
<h4> OpenSSH instructions: </h4>
<p>You can get OpenSSH at or through package installers like rpm or apt-get. There are versions for most major non-Windows operating systems (and even one for Cygwin). Once you have the OpenSSH suite set up, the program you will need to run is "ssh-keygen -t". The -t option is required, and specifies the type of encryption algorithm used in generating a key. You should use RSA encryption to generate your key -- the relevant website is here: .
</p><p><code>you@yourcomputer:~ $ ssh-keygen -t rsa</code>
</p><p> You can then add a passphrase to your key, and use this passphrase whenever you log in to an SSH-enabled server. Alternately you can use no passphrase. Be aware though that if <em>you</em> don't have to use a password to login from your user account, then <em>neither would anyone else that sits down at your computer</em> or otherwise accesses your local account.
</p><p> You now have two new files in the ~/.ssh/ directory. These files are your public and private key and will be named and id_rsa respectively. The ssh, scp and sftp programs use these files automatically. To enable the server to recognize your key, follow these steps:
</p>
<ol>
<li>Log in as normal and run the following commands.</li>
<li><code>$ mkdir ~/.ssh</code></li>
<li><code>$ cd ~/.ssh/</code></li>
<li><code>$ touch authorized_keys</code></li>
<li>Open the authorized_keys file you just created in a text editor.</li>
<li>Paste the contents of your file into the authorized_keys file.</li>
<li>Save the authorized_keys file.</li>
</ol>
<p>You should now be able to log in using SSH Key Authentication.</p>
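<p>As an added example (not code from the SDF tutorial), the permission check behind the <a href="#sdf_permissions">chmod go-w</a> advice and the authorized_keys steps above, written as POSIX shell functions that take the home directory as a parameter so they can be tried on a throwaway directory. It goes a little beyond the text by also accepting ed25519, ecdsa and DSA key lines; the key line and the demo directory are constructed.</p>

```sh
#!/bin/sh
# Added example, not part of the SDF tutorial: the permission check behind
# "chmod go-w $HOME $HOME/.ssh" and the authorized_keys steps, as functions.
# Paths are parameters so everything can be tried on a throwaway directory.

# Return 0 if $1 is writable by group or others (sshd then refuses public key
# authentication for $HOME and $HOME/.ssh), 1 otherwise. Reads the ls(1)
# mode column, which has the same layout on GNU and BSD userlands.
writable_by_others() {
    mode=$(ls -ld "$1" | cut -c1-10)      # e.g. drwxrwxr-x
    case "$mode" in
        ?????w????|????????w?) return 0 ;; # char 6: group write, char 9: other write
        *) return 1 ;;
    esac
}

# Strip group/other write bits from the home directory, and make sure
# ~/.ssh exists and is private to the owner.
fix_ssh_perms() {
    home=$1
    chmod go-w "$home" || return 1
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
}

# Append one public key line to ~/.ssh/authorized_keys, idempotently.
# $1: the key line (PuTTYgen's "Public key for pasting..." text, or the
#     contents of the .pub file); $2: the home directory.
# Returns 1 without touching anything if $1 does not look like a key line.
authorize_key() {
    key=$1; home=$2
    akf="$home/.ssh/authorized_keys"
    case "$key" in
        "ssh-rsa AAAA"*|"ssh-dss AAAA"*|"ssh-ed25519 AAAA"*|"ecdsa-sha2-"*) ;;
        *) return 1 ;;
    esac
    fix_ssh_perms "$home" || return 1
    touch "$akf" && chmod 600 "$akf"      # private: nobody else may add keys
    # -x -F: match the whole line literally, so the same key is never added twice
    grep -qxF -- "$key" "$akf" || printf '%s\n' "$key" >> "$akf"
}

# Demo on a temporary directory with a constructed (not real) key line.
demo_home=$(mktemp -d)
chmod 777 "$demo_home"                    # deliberately wrong, like a careless home dir
writable_by_others "$demo_home" && echo "home dir writable by others: fixing"
demo_key="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDemoKeyNotReal you@yourlocalmachine"
authorize_key "$demo_key" "$demo_home"
authorize_key "$demo_key" "$demo_home"    # second call is a no-op
echo "keys authorized: $(grep -c . "$demo_home/.ssh/authorized_keys")"
rm -rf "$demo_home"
```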
<!-- ------------------------------------------------------------------- -->
<!-- socks chapter by user brendan, added by yargo -->
<h3 id="socks">connecting to SDF from a network</h3>
<p><i>... or configuring SSH clients to use a SOCKS proxy server</i></p>
<p>Assuming that you are having trouble connecting to SDF from your college network, you will probably have to configure a connection through a SOCKS proxy. This tutorial gives help on configuring various clients to use a SOCKS proxy.</p>
<p>You will need to know the following information from your system administrator...</p>
<ul>
<li>Proxy hostname i.e. <code></code></li>
<li>SOCKS version (4 or 5)</li>
<li>Port number to connect to (default is 1080)</li>
<li>Your username and password</li>
</ul>
<h4>SSH(C) &ndash; SSH Communications Security Corp</h4>
<p>This client is often supplied by universities to their students.</p>
<ol>
<li>Access the settings dialogue under <code>Edit &rarr; Settings</code></li>
<li>Under the <code>Connection</code> section, make sure that the tickbox marked <code>Connect through firewall</code> is checked <img src="tutorials/images/ssh-connection-setting.png" /></li>
<li>Under the <code>Firewall</code> section (near the bottom of the list) enter your SOCKS proxy settings in the form of <code>socks://[host]:[port]</code>. Illustrated are the settings for TCD. <img src="tutorials/images/ssh-firewall-setting.png" /></li>
<li>Connect as normal!</li>
</ol>
<h4>PuTTY</h4>
<p>A popular free SSH client.</p>
<ol>
<li>Select in the left window <code>Proxy</code> (located under the <code>Connection</code> branch)</li>
<li>Enter in your details. Illustrated are those for TCD. <img src="tutorials/images/ssh-putty-config.png" /></li>
<li>Connect as normal! (You may want to save these details for future use)</li>
</ol>
<h4>Commandline ssh client</h4>
<p>Those using MacOSX, Linux, SunOS or some BSD or other will be used to using the commandline ssh client to connect to SDF. Connecting via SOCKS is slightly more difficult and relies on an external program known as 'connect'.</p>
<p>All the details for using this program are documented on its webpage at <a href=""></a></p>
<p>Good luck!</p>
<p>Alternatively, issue a command from your workstation similar to this one (MetaARPA membership required):</p>
<blockquote><pre>ssh -D 9999 -p 443</pre></blockquote>
<p>Then, configure your browser to use the SOCKS proxy on "localhost" using port 9999 as shown here using Firefox:</p>
<p><img src="tutorials/images/firefox-socks-proxy.png"></p>
<p>For additional security and privacy, configure Firefox to do
remote DNS lookups rather than the default local DNS lookups. In
<em>about:config</em> search for <em>network.proxy.socks_remote_dns</em>
and toggle its value to <em>true</em>.</p>
<!-- ------------------------------------------------------------------- -->
<cite>$Id: SSH-SDF.html,v 1.8 2008/07/12 05:38:37 cowl Exp cowl $</cite>