book

SSH, The Secure Shell: The Definitive Guide, 2nd Edition

by Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes

May 2005

Intermediate to advanced

666 pages

21h 5m

English

O'Reilly Media, Inc.

Read now

Unlock full access

SSH, the Secure Shell, 2nd Edition
Preface
Protect Your Network with SSH
Intended Audience
End-User AudiencePrerequisitesSystem-Administrator AudiencePrerequisites
Reading This Book
Our Approach
Which Chapters Are for You?
Supported Platforms
Disclaimers
Conventions Used in This Book

Comments and Questions
Safari Enabled
Acknowledgments
1. Introduction to SSH
What Is SSH?
What SSH Is Not
The SSH Protocol
1.3.1 Protocols, Products, Clients, and Confusion
Overview of SSH Features
1.4.1 Secure Remote Logins1.4.2 Secure File Transfer1.4.3 Secure Remote Command Execution1.4.4 Keys and Agents1.4.5 Access Control1.4.6 Port Forwarding
History of SSH
Related Technologies
1.6.1 rsh Suite (r-Commands)1.6.2 Pretty Good Privacy (PGP) and GNU Privacy Guard (GnuPG)1.6.3 Kerberos1.6.4 IPSEC and Virtual Private Networks1.6.5 Secure Remote Password (SRP)1.6.6 Secure Socket Layer (SSL) Protocol1.6.7 SSL-Enhanced Telnet and FTP1.6.8 stunnel1.6.9 Firewalls
Summary
2. Basic Client Use
A Running Example
Remote Terminal Sessions with ssh
2.2.1 File Transfer with scp
Adding Complexity to the Example
2.3.1 Known Hosts2.3.2 The Escape Character
Authentication by Cryptographic Key
2.4.1 A Brief Introduction to Keys2.4.2 Generating Key Pairs with ssh-keygen2.4.3 Installing a Public Key on an SSH Server Machine2.4.3.1 Instructions for OpenSSH2.4.3.2 Instructions for Tectia2.4.4 If You Change Your Key
The SSH Agent
2.5.1 Agents and Automation2.5.2 A More Complex Passphrase Problem2.5.3 Agent Forwarding
Connecting Without a Password or Passphrase
Miscellaneous Clients
2.7.1 sftp2.7.2 slogin
Summary
3. Inside SSH
Overview of Features
3.1.1 Privacy (Encryption)3.1.2 Integrity3.1.3 Authentication3.1.4 Authorization3.1.5 Forwarding (Tunneling)
A Cryptography Primer
3.2.1 How Secure Is Secure?3.2.2 Public-and Secret-Key Cryptography3.2.3 Hash Functions
The Architecture of an SSH System
Inside SSH-2
3.4.1 Protocol Summary3.4.2 SSH Transport Layer Protocol (SSH-TRANS)3.4.2.1 Connection3.4.2.2 Protocol version selection3.4.2.3 Parameter negotiation3.4.2.4 Key exchange and server authentication3.4.2.5 Server authentication and antispoofing: some gory details3.4.2.6 Wonder security powers, activate!3.4.3 SSH Authentication Protocol (SSH-AUTH)3.4.3.1 The authentication request3.4.3.2 The authentication response3.4.3.3 Getting started: the “none” request3.4.3.4 Public-key authentication3.4.3.5 Password authentication3.4.3.6 Hostbased authentication3.4.4 SSH Connection Protocol (SSH-CONN)3.4.4.1 Channels3.4.4.2 Requests3.4.4.3 The finish line
Inside SSH-1
Implementation Issues
3.6.1 Host Keys3.6.2 Authorization in Hostbased Authentication3.6.2.1 Hostbased access files3.6.2.2 Control file details3.6.2.3 Netgroups as wildcards3.6.2.4 Summary3.6.3 SSH-1 Backward Compatibility3.6.4 Randomness3.6.5 Privilege Separation in OpenSSH
SSH and File Transfers (scp and sftp)
3.7.1 What’s in a Name?3.7.2 scp Details3.7.3 scp2/sftp Details
Algorithms Used by SSH
3.8.1 Public-Key Algorithms3.8.1.1 Rivest-Shamir-Adleman (RSA)3.8.1.2 Digital Signature Algorithm (DSA)3.8.1.3 Diffie-Hellman key agreement3.8.2 Secret-Key Algorithms3.8.2.1 International Data Encryption Algorithm (IDEA)3.8.2.2 Advanced Encryption Standard (AES)3.8.2.3 Data Encryption Standard (DES)3.8.2.4 Triple-DES3.8.2.5 ARCFOUR (RC4)3.8.2.6 Blowfish3.8.2.7 Twofish3.8.2.8 CAST3.8.3 Hash Functions3.8.3.1 CRC-323.8.3.2 MD53.8.3.3 SHA-13.8.3.4 RIPEMD-1603.8.4 Compression Algorithms: zlib
Threats SSH Can Counter
3.9.1 Eavesdropping3.9.2 Name Service and IP Spoofing3.9.3 Connection Hijacking3.9.4 Man-in-the-Middle Attacks
Threats SSH Doesn’t Prevent
3.10.1 Password Cracking3.10.2 IP and TCP Attacks3.10.3 Traffic Analysis3.10.4 Covert Channels3.10.5 Carelessness
Threats Caused by SSH
Summary
4. Installation and Compile-Time Configuration
Overview
4.1.1 Install the Prerequisites4.1.2 Obtain the Sources4.1.3 Verify the Signature4.1.4 Extract the Source Files4.1.5 Perform Compile-Time Configuration4.1.6 Compile Everything4.1.7 Install the Programs and Configuration Files
Installing OpenSSH
4.2.1 Prerequisites4.2.2 Downloading and Extracting the Files4.2.2.1 Verifying with GnuPG4.2.3 Building and Installing4.2.4 Configuration Options4.2.4.1 File locations4.2.4.2 Random number generation4.2.4.3 Networking4.2.4.4 Authentication4.2.4.5 Access control
Installing Tectia
4.3.1 Prerequisites4.3.2 Obtaining and Extracting the Files4.3.3 Verifying with md5sum4.3.4 Building and Installing4.3.5 Configuration Options4.3.5.1 File locations and permission4.3.5.2 Random number generation4.3.5.3 Networking4.3.5.4 X Window System4.3.5.5 TCP port forwarding4.3.5.6 Encryption4.3.5.7 Authentication4.3.5.8 SOCKS proxies4.3.5.9 Debugging4.3.5.10 SSH-1 protocol compatibility4.3.6 SSH-1 Compatibility Support for Tectia
Software Inventory
Replacing r-Commands with SSH
4.5.1 Concurrent Versions System (CVS)4.5.2 GNU Emacs4.5.3 Pine4.5.4 rsync, rdist
Summary
5. Serverwide Configuration
Running the Server
5.1.1 Running sshd as the Superuser5.1.2 Running sshd as an Ordinary User
Server Configuration: An Overview
5.2.1 Server Configuration Files5.2.2 Checking Configuration Files5.2.2.1 Checking OpenSSH configuration files5.2.2.2 Checking Tectia configuration files5.2.3 Command-Line Options5.2.4 Changing the Configuration5.2.5 A Tricky Reconfiguration Example
Getting Ready: Initial Setup
5.3.1 File Locations5.3.1.1 Host key files5.3.1.2 Random seed file5.3.1.3 Process ID file5.3.1.4 Server configuration file5.3.1.5 User SSH directory5.3.1.6 Per-account authorization files5.3.1.7 utmp file structure5.3.2 File Permissions5.3.2.1 Acceptable permissions for user files5.3.3 TCP/IP Settings5.3.3.1 Port number and network interface5.3.3.2 Invocation by inetd or xinetd5.3.3.3 Restarting the SSH server for each connection5.3.3.4 Keepalive messages5.3.3.5 Idle connections5.3.3.6 Failed logins5.3.3.7 Limiting simultaneous connections5.3.3.8 Reverse IP mappings5.3.3.9 Controlling the Nagle Algorithm5.3.3.10 Discovering other servers5.3.4 Key Regeneration5.3.5 Encryption Algorithms5.3.6 Integrity-Checking (MAC) Algorithms5.3.7 SSH Protocol Settings5.3.7.1 Protocol version string5.3.8 Compression
Authentication: Verifying Identities
5.4.1 Authentication Syntax5.4.2 Password Authentication5.4.2.1 Failed password attempts5.4.2.2 Empty passwords5.4.2.3 Expired passwords5.4.3 Public-Key Authentication5.4.4 Hostbased Authentication5.4.5 Keyboard-Interactive Authentication5.4.5.1 OpenSSH keyboard-interactive authentication5.4.5.2 Tectia’s keyboard-interactive authentication5.4.6 PGP Authentication5.4.7 Kerberos Authentication5.4.7.1 Kerberos and OpenSSH5.4.7.2 Kerberos and Tectia5.4.8 PAM Authentication5.4.9 Privilege Separation5.4.10 Selecting a Login Program
Access Control: Letting People In
5.5.1 Account Access Control5.5.1.1 Restricting all logins5.5.2 Group Access Control5.5.3 Hostname Access Control5.5.4 shosts Access Control5.5.5 Root Access Control5.5.6 External Access Control5.5.7 Restricting Directory Access with chroot5.5.8 Summary of Authentication and Access Control
User Logins and Accounts
5.6.1 Welcome Messages for the User5.6.2 Setting Environment Variables5.6.3 Initialization Scripts
Forwarding
5.7.1 Port Forwarding5.7.2 X Forwarding5.7.3 Agent Forwarding
Subsystems
Logging and Debugging
5.9.1 OpenSSH Logging and Debugging5.9.2 Tectia Logging and Debugging5.9.3 Debugging Under inetd or xinetd
Compatibility Between SSH-1 and SSH-2 Servers
5.10.1 Security Issues with Tectia’s SSH-1 Compatibility Mode
Summary
6. Key Management and Agents
What Is an Identity?
6.1.1 OpenSSH Identities6.1.2 Tectia Identities
Creating an Identity
6.2.1 Generating Keys for OpenSSH6.2.1.1 Creating OpenSSH keys6.2.1.2 Working with OpenSSH keys6.2.2 Generating Keys for Tectia6.2.2.1 Creating Tectia keys6.2.2.2 Working with Tectia keys6.2.3 Selecting a Passphrase6.2.4 Generating New Groups for Diffie-Hellman Key Exchange
SSH Agents
6.3.1 Agents Do Not Expose Keys6.3.2 Starting an Agent6.3.2.1 Single-shell method6.3.2.2 Subshell method6.3.2.3 Format of environment variable commands6.3.3 Loading Keys with ssh-add6.3.3.1 Automatic agent loading (single-shell method)6.3.3.2 Automatic agent loading (subshell method)6.3.3.3 Automatic agent loading (X Window System)6.3.4 Agents and Security6.3.4.1 Access control6.3.4.2 Cracking an agent6.3.5 Agent Forwarding6.3.5.1 A firewall example6.3.5.2 How agent forwarding works6.3.5.3 Enabling agent forwarding6.3.6 Agent CPU Usage6.3.7 Debugging the Agent
Multiple Identities
6.4.1 Switching Identities Manually6.4.2 Switching Identities with an Agent6.4.3 Tailoring Sessions Based on Identity
PGP Authentication in Tectia
Tectia External Keys
Summary
7. Advanced Client Use
How to Configure Clients
7.1.1 Command-Line Options7.1.2 Client Configuration Files7.1.2.1 Keywords versus command-line options7.1.2.2 Global and local files7.1.2.3 Configuration-file sections7.1.2.4 Multiple matches7.1.2.5 Making nicknames for hosts7.1.2.6 Comments, indenting, and style7.1.3 Environment Variables
Precedence
Introduction to Verbose Mode
Client Configuration in Depth
7.4.1 Remote Account Name7.4.1.1 Tricks with remote account names7.4.2 User Identity7.4.2.1 Using identities7.4.3 Host Keys and Known-Hosts Databases7.4.3.1 Strict host-key checking7.4.3.2 Verifying host keys by DNS7.4.3.3 Host key aliasing7.4.3.4 Ignoring host keys for localhost7.4.3.5 Moving the known hosts files7.4.4 SSH Protocol Settings7.4.4.1 Choosing a protocol version7.4.4.2 Connection sharing7.4.4.3 Setting environment variables in the server7.4.5 TCP/IP Settings7.4.5.1 Selecting a remote port7.4.5.2 Connecting via a given network interface7.4.5.3 Forcing a nonprivileged local port7.4.5.4 Keepalive messages7.4.5.5 Controlling TCP_NODELAY7.4.5.6 Requiring IPv4 and IPv67.4.6 Making Connections7.4.6.1 Number of connection attempts7.4.6.2 Password prompting in OpenSSH7.4.6.3 Password prompting in Tectia7.4.6.4 Batch mode: suppressing prompts7.4.6.5 Pseudo-terminal allocation (TTY/PTY/PTTY)7.4.6.6 Backgrounding a remote command7.4.6.7 Backgrounding a remote command, take two7.4.6.8 Escaping7.4.7 Proxies and SOCKS7.4.7.1 SOCKS in OpenSSH: using DynamicForward7.4.7.2 SOCKS in Tectia7.4.8 Forwarding7.4.9 Encryption Algorithms7.4.10 Integrity-Checking (MAC) Algorithms7.4.11 Host Key Types7.4.12 Session Rekeying7.4.13 Authentication7.4.13.1 Requesting an authentication technique7.4.13.2 The server is the boss7.4.13.3 Detecting successful authentication7.4.13.4 Using ssh-keysign for hostbased authentication7.4.14 Data Compression7.4.15 Program Locations7.4.16 Subsystems7.4.17 Logging and Debugging7.4.18 Random Seeds
Secure Copy with scp
7.5.1 Full Syntax of scp7.5.2 Handling of Wildcards7.5.3 Recursive Copy of Directories7.5.4 Preserving Permissions7.5.5 Automatic Removal of Original File7.5.6 Safety Features7.5.6.1 Directory confirmation7.5.6.2 No-execute mode7.5.6.3 Overwriting existing files7.5.7 Batch Mode7.5.8 User Identity7.5.9 SSH Protocol Settings7.5.10 TCP/IP Settings7.5.11 Encryption Algorithms7.5.12 Controlling Bandwidth7.5.13 Data Compression7.5.14 File Conversion7.5.15 Optimizations7.5.16 Statistics Display7.5.17 Locating the ssh Executable7.5.18 Getting Help7.5.19 For Internal Use Only7.5.20 Further Configuration
Secure, Interactive Copy with sftp
7.6.1 Interactive Commands7.6.2 Command-Line Options
Summary
8. Per-Account Server Configuration
Limits of This Technique
8.1.1 Overriding Serverwide Settings8.1.2 Authentication Issues
Public-Key-Based Configuration
8.2.1 OpenSSH Authorization Files8.2.2 Tectia Authorization Files8.2.2.1 Tectia PGP key authentication8.2.3 Forced Commands8.2.3.1 Security issues8.2.3.2 Rejecting connections with a custom message8.2.3.3 Displaying a command menu8.2.3.4 Examining the client’s original command8.2.3.5 Restricting a client’s original command8.2.3.6 Logging a client’s original command8.2.3.7 Forced commands and secure copy (scp)8.2.4 Restricting Access by Host or Domain8.2.4.1 OpenSSH host access control8.2.4.2 Tectia host access control8.2.5 Setting Environment Variables8.2.5.1 Example: CVS and $LOGNAME8.2.6 Setting Idle Timeout8.2.7 Disabling or Limiting Forwarding8.2.8 Disabling TTY Allocation
Hostbased Access Control
The User rc File
Summary
9. Port Forwarding and X Forwarding
What Is Forwarding?
Port Forwarding
9.2.1 Local Forwarding9.2.1.1 Local forwarding and GatewayPorts9.2.1.2 Remote forwarding9.2.2 Trouble with Multiple Connections9.2.3 Comparing Local and Remote Port Forwarding9.2.3.1 Common elements9.2.3.2 Local versus remote forwarding: the distinction9.2.4 Forwarding Off-Host9.2.4.1 Privacy9.2.4.2 Access control and the loopback address9.2.4.3 Listening on (“binding”) an interface9.2.5 Bypassing a Firewall9.2.6 Port Forwarding Without a Remote Login9.2.6.1 One-shot forwarding9.2.7 The Listening Port Number9.2.8 Choosing the Target Forwarding Address9.2.9 Termination9.2.9.1 The TIME_WAIT problem9.2.10 Configuring Port Forwarding in the Server9.2.10.1 Compile-time configuration9.2.10.2 Serverwide configuration9.2.10.3 Per-account configuration9.2.11 Protocol-Specific Forwarding: FTP
Dynamic Port Forwarding
9.3.1. SOCKS v4, SOCKS v5, and Names9.3.2 Other Uses of Dynamic Forwarding
X Forwarding
9.4.1 The X Window System9.4.2 How X Forwarding Works9.4.3 Enabling X Forwarding9.4.4 Configuring X Forwarding9.4.4.1 Compile-time configuration9.4.4.2 Serverwide configuration9.4.4.3 Per-account configuration9.4.5 X Authentication9.4.5.1 How X authentication works9.4.5.2 xauth and the SSH rc files9.4.5.3 Trusted X forwarding9.4.5.4 Problems with X authentication9.4.5.5 SSH and authentication spoofing9.4.5.6 Improving authentication spoofing9.4.5.7 Nonstandard X clients9.4.6 Further Issues9.4.6.1 X server configuration9.4.6.2 Setting your DISPLAY environment variable9.4.6.3 Shared accounts9.4.6.4 Location of the xauth program9.4.6.5 X forwarding and the GatewayPorts feature
Forwarding Security: TCP-Wrappers and libwrap
9.5.1 TCP-Wrappers Configuration9.5.2 Notes About TCP-Wrappers
Summary
10. A Recommended Setup
The Basics
Compile-Time Configuration
Serverwide Configuration
10.3.1 Disable Other Means of Access10.3.2 sshd_config for OpenSSH10.3.2.1 Choice of protocol10.3.2.2 Important files10.3.2.3 File and directory permissions10.3.2.4 TCP/IP settings10.3.2.5 Login time10.3.2.6 Authentication10.3.2.7 Access control10.3.2.8 Forwarding10.3.2.9 SFTP10.3.3 sshd2_config for Tectia10.3.3.1 Choice of protocol10.3.3.2 Important files10.3.3.3 File and directory permissions10.3.3.4 TCP/IP settings10.3.3.5 Login time10.3.3.6 Authentication10.3.3.7 Access control10.3.3.8 Forwarding10.3.3.9 Encryption10.3.3.10 SFTP
Per-Account Configuration
Key Management
Client Configuration
Remote Home Directories (NFS, AFS)
10.7.1 NFS Security Risks10.7.2 NFS Access Problems10.7.3 AFS Access Problems
Summary
11. Case Studies
Unattended SSH: Batch or cron Jobs
11.1.1 Password Authentication11.1.2 Public-Key Authentication11.1.2.1 Storing the passphrase in the filesystem11.1.2.2 Using a plaintext key11.1.2.3 Using an agent11.1.3 Hostbased Authentication11.1.4 Kerberos11.1.5 General Precautions for Batch Jobs11.1.5.1 Least-privilege accounts11.1.5.2 Separate, locked-down automation accounts11.1.5.3 Restricted-use keys11.1.5.4 Useful ssh options11.1.6 Recommendations
FTP and SSH
11.2.1 FTP-Specific Tools for SSH11.2.1.1 VanDyke’s SecureFX11.2.1.2 Tectia client11.2.2 Static Port Forwarding and FTP: A Study in Pain11.2.3 The FTP Protocol11.2.4 Forwarding the Control Connection11.2.4.1 Choosing the forwarding target11.2.4.2 Using passive mode11.2.4.3 The “PASV port theft” problem11.2.5 FTP, Firewalls, and Passive Mode11.2.6 FTP and Network Address Translation (NAT)11.2.6.1 Server-side NAT issues11.2.7 All About Data Connections11.2.7.1 The usual method of file transfer11.2.7.2 Passive mode in depth11.2.7.3 FTP with the default data ports11.2.8 Forwarding the Data Connection
Pine, IMAP, and SSH
11.3.1 Securing IMAP Authentication11.3.1.1 Pine and preauthenticated IMAP11.3.1.2 Making Pine use SSH11.3.2 Mail Relaying and News Access11.3.3 Using a Connection Script
Connecting Through a Gateway Host
11.4.1 Making Transparent SSH Connections11.4.2 Using SCP Through a Gateway11.4.3 Another Approach: SSH-in-SSH (Port Forwarding)11.4.4 SSH-in-SSH with a Proxy Command (OpenSSH)11.4.5 Comparing the Techniques11.4.5.1 Smoothness11.4.5.2 Security
Scalable Authentication for SSH
11.5.1 Tectia with X.509 Certificates11.5.1.1 What’s a PKI?11.5.1.2 Using certificates with Tectia host keys11.5.1.3 A simple configuration11.5.1.4 Getting a certificate11.5.1.5 Hostkey verification: configuring the server11.5.1.6 Hostkey verification: configuring the Client11.5.1.7 User authentication: configuring the client11.5.1.8 User authentication: configuring the server11.5.2 OpenSSH and Tectia with Kerberos11.5.2.1 How Kerberos works11.5.2.2 Kerberos support in SSH11.5.2.3 Kerberos interoperability with OpenSSH and Tectia
Tectia Extensions to Server Configuration Files
11.6.1 Metaconfiguration11.6.2 Subconfiguration Files11.6.3 Quoted Values
Tectia Plugins
11.7.1 A Plugin for Changing Expired Passwords11.7.1.1 The ssh-passwd-plugin program11.7.1.2 A Perl package implementing the Tectia plugin protocol11.7.1.3 Creating a customized password-change plugin11.7.2 A Plugin for Keyboard-Interactive Authentication11.7.3 A Plugin for External Authorization
12. Troubleshooting and FAQ
Debug Messages: Your First Line of Defense
12.1.1 Client Debugging12.1.2 Server DebuggingThe Top 10 SSH Questions
Problems and Solutions
12.2.1 General Problems12.2.2 Authentication Problems12.2.2.1 General authentication problems12.2.2.2 Password authentication12.2.2.3 Hostbased authentication12.2.2.4 Public-key authentication12.2.2.5 PGP key authentication12.2.3 Key and Agent Problems12.2.3.1 ssh-keygen12.2.3.2 ssh-agent and ssh-add12.2.3.3 Per-account authorization files12.2.4 Server Problems12.2.4.1 sshd_config, sshd2_config12.2.5 Client Problems12.2.5.1 General client problems12.2.5.2 Client configuration file12.2.5.3 ssh12.2.5.4 scp12.2.5.5 sftp12.2.5.6 Port forwarding
Other SSH Resources
12.3.1 Web Sites12.3.2 Usenet Newsgroups
13. Overview of Other Implementations
Common Features
Covered Products
Other SSH Products
13.3.1 BeOS13.3.2 Commodore Amiga13.3.3 GNU Emacs13.3.4 Java13.3.5 Macintosh OS 913.3.6 Macintosh OS X13.3.7 Microsoft Windows13.3.8 Microsoft Windows CE (PocketPC)13.3.9 OS/213.3.10 Palm OS13.3.11 Perl13.3.12 Unix Variants (Linux, OpenBSD, etc.)13.3.13 VMS
14. OpenSSH for Windows
Installation
Using the SSH Clients
Setting Up the SSH Server
14.3.1 Opening Remote Windows on the Desktop
Public-Key Authentication
14.4.1 Running an Agent
Troubleshooting
Summary
15. OpenSSH for Macintosh
Using the SSH Clients
Using the OpenSSH Server
15.2.1 Enabling the Server15.2.2 Opening the Firewall15.2.3 Control by xinetd15.2.4 Server Configuration Details15.2.5 Kerberos Support
16. Tectia for Windows
Obtaining and Installing
Basic Client Use
Key Management
Accession Lite
Advanced Client Use
Port Forwarding
Connector
16.7.1 General Settings16.7.2 Servers for Outgoing SSH Connections16.7.3 Filter Rules for Dynamic Port Forwarding16.7.4 Configuration File
File Transfers
Command-Line Programs
Troubleshooting
Server
16.11.1 Server Operation16.11.2 Server Configuration16.11.3 Commands and Interactive Sessions16.11.4 Authentication16.11.5 Access Control16.11.6 Forwarding16.11.7 SFTP Server16.11.8 Logging and Debugging
17. SecureCRT and SecureFX for Windows
Obtaining and Installing
Basic Client Use
Key Management
17.3.1 Key Generation Wizard17.3.1.1 Automatic installation of keys17.3.1.2 Manual installation of keys17.3.2 Using Multiple Identities17.3.3 The SSH Agent
Advanced Client Use
17.4.1 Mandatory Fields17.4.2 Data Compression17.4.3 Firewall Use
Forwarding
17.5.1 Port Forwarding17.5.2 X Forwarding
Command-Line Client Programs
File Transfer
17.7.1 The vcp and vsftp Commands17.7.2 Zmodem File Transfer17.7.3 SecureFX
Troubleshooting
17.8.1 Authentication17.8.2 Forwarding
VShell
Summary
18. PuTTY for Windows
Obtaining and Installing
Basic Client Use
18.2.1 Plink, a Console Client18.2.2 Running Remote Commands
File Transfer
18.3.1 File Transfer with PSCP18.3.2 File Transfer with PSFTP
Key Management
18.4.1 Choosing a Key18.4.2 Pageant, an SSH Agent
Advanced Client Use
18.5.1 Saved Sessions18.5.2 Host Keys18.5.3 Choosing a Protocol Version18.5.4 TCP/IP Settings18.5.4.1 Selecting a remote port18.5.4.2 Keepalive messages18.5.4.3 The Nagle Algorithm18.5.5 Pseudo-Terminal Allocation18.5.6 Proxies and SOCKS18.5.7 Encryption Algorithms18.5.8 Authentication18.5.9 Compression18.5.10 Logging and Debugging18.5.11 Batch Jobs
Forwarding
18.6.1 Forwarding with PuTTY18.6.2 Forwarding with Plink
Summary
A. OpenSSH 4.0 New Features
Server Features: sshd
Logging of Access Control ViolationsAddressFamily KeywordPassword and Account Expiration Warnings
Client Features: ssh, scp, and sftp
KbdInteractiveDevices KeywordMore Control for Connection SharingHashing of HostnamesPort Forwardingsftp Command-Line Features
ssh-keygen
Hashing Your Known Hosts FileManaging Hosts
B. Tectia Manpage for sshregex
Regex Syntax: Egrep Patterns
Escaped Tokens for Regex Syntax Egrep
Regex Syntax: ZSH_FILEGLOB (or Traditional) Patterns
Character Sets for Egrep and ZSH_FILEGLOB
Example
Regex Syntax: SSH Patterns
Escaped Tokens for Regex Syntax SSHCharacter Sets for Regex Syntax SSHExample
Authors
See Also
C. Tectia Module Names for Debugging
D. SSH-1 Features of OpenSSH and Tectia
OpenSSH Features
Serverwide ConfigurationClient ConfigurationFiles
Tectia Features
Serverwide ConfigurationClient ConfigurationFile TransfersKey ManagementAuthentication Agent
E. SSH Quick Reference
Legend
sshd Options
sshd Keywords
ssh Options
scp Options
ssh and scp Keywords
ssh-keygen Options
ssh-agent Options
ssh-add Options
Identity and Authorization Files, OpenSSH
Identity and Authorization Files, Tectia
Environment Variables
Index
About the Authors
Colophon
Copyright

Content preview from SSH, The Secure Shell: The Definitive Guide, 2nd Edition

Creating an Identity

Most SSH implementations include a program for creating key pairs. We cover ssh-keygen from OpenSSH and Tectia.

6.2.1 Generating Keys for OpenSSH

OpenSSH uses the program ssh-keygen to create key pairs. [2.4.2] Let’s go into more detail about this program for creating new keys or modifying existing keys.

6.2.1.1 Creating OpenSSH keys

When creating a new key, you must indicate the key type (DSA or RSA) using the -t flag:

    $ ssh-keygen -t dsa

You may also specify these options for creating keys:

The number of bits in the key, using -b; the default is 1024 bits:
```
    $ ssh-keygen -t dsa -b 2048
```
The name of the private-key file to be generated, using -f. The name is relative to your current directory. Recall that the public-key file is named after the private one with .pub appended.
```
    $ ssh-keygen -t dsa -f mykey         Creates mykey and mykey.pub
```
If you omit the -f option, you are prompted for the information:
```
    $ ssh-keygen -t dsa
    ...
    Enter file in which to save the key (/home/barrett/.ssh/id_dsa): mykey
```
The default filename for DSA keys is ~/.ssh/id_dsa, and for RSA keys it’s ~/.ssh/id_rsa.

The passphrase to decode the key, using -N:

    $ ssh-keygen -t dsa -N secretword

If you omit this option, you’ll be prompted for the information:

    $ ssh-keygen -t dsa
    ...
    Enter passphrase: [nothing is echoed]
    Enter the same passphrase again: [nothing is echoed]

A textual comment associated with the key, using -C. If you omit this option, the comment is username@host, where username is your username and ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Mastering Linux Security and Hardening - Second Edition

Publisher Resources

ISBN: 0596008953Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills