[deployment-guide/comm-rel: 57/74] Changed the DocBook formatting.

dsilas dsilas at fedoraproject.org
Tue Jul 6 21:14:11 UTC 2010


commit 02f9fbe8918f2ee5c0cb108676d6af0758580c11
Author: Jaromir Hradilek <jhradile at redhat.com>
Date:   Mon Jun 28 16:49:24 2010 +0200

    Changed the DocBook formatting.
    
    This is basically to make it easier for me to navigate through the
    document, and to ensure a consistent output.

 en-US/OpenSSH.xml |  928 ++++++++++++++++++++++++++++++-----------------------
 1 files changed, 518 insertions(+), 410 deletions(-)
---
diff --git a/en-US/OpenSSH.xml b/en-US/OpenSSH.xml
index 71312ac..e9a489e 100644
--- a/en-US/OpenSSH.xml
+++ b/en-US/OpenSSH.xml
@@ -1,85 +1,100 @@
 <?xml version='1.0'?>
 <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
 ]>
-<chapter
-  id="ch-OpenSSH">
+<chapter id="ch-OpenSSH">
   <title>OpenSSH</title>
-  <indexterm
-    significance="normal">
+  <indexterm>
     <primary>OpenSSH</primary>
   </indexterm>
   <para>
-    <trademark
-      class="trade">SSH</trademark> (or <emphasis>S</emphasis>ecure <emphasis>SH</emphasis>ell) is a protocol which facilitates secure communications between two systems using a client/server architecture and allows users to log into server host systems remotely. Unlike other remote communication protocols, such as FTP or Telnet, SSH encrypts the login session, rendering the connection difficult for intruders to collect unencrypted passwords.</para>
-  <para>SSH is designed to replace older, less secure terminal applications used to log into remote hosts, such as <command>telnet</command> or <command>rsh</command>. A related program called <command>scp</command> replaces older programs designed to copy files between hosts, such as <command>rcp</command>. Because these older applications do not encrypt passwords transmitted between the client and the server, avoid them whenever possible. Using secure methods to log into remote systems decreases the risks for both the client system and the remote host.</para>
-  <section
-    id="s1-ssh-intro">
+    <trademark class="trade">SSH</trademark> (or <emphasis>S</emphasis>ecure <emphasis>SH</emphasis>ell) is a protocol which facilitates secure communications between two systems using a client/server architecture and allows users to log into server host systems remotely. Unlike other remote communication protocols, such as FTP or Telnet, SSH encrypts the login session, rendering the connection difficult for intruders to collect unencrypted passwords.
+  </para>
+  <para>
+    SSH is designed to replace older, less secure terminal applications used to log into remote hosts, such as <command>telnet</command> or <command>rsh</command>. A related program called <command>scp</command> replaces older programs designed to copy files between hosts, such as <command>rcp</command>. Because these older applications do not encrypt passwords transmitted between the client and the server, avoid them whenever possible. Using secure methods to log into remote systems decreases the risks for both the client system and the remote host.
+  </para>
+  <section id="s1-ssh-intro">
     <title>Features of SSH</title>
-    <indexterm
-      significance="normal">
+    <indexterm>
       <primary>SSH protocol</primary>
       <secondary>features of</secondary>
     </indexterm>
-    <indexterm
-      significance="normal">
+    <indexterm>
       <primary>OpenSSH</primary>
       <seealso>SSH</seealso>
     </indexterm>
-    <para>The SSH protocol provides the following safeguards:</para>
+    <para>
+      The SSH protocol provides the following safeguards:
+    </para>
     <itemizedlist>
       <listitem>
-        <para>After an initial connection, the client can verify that it is connecting to the same server it had connected to previously.</para>
+        <para>
+          After an initial connection, the client can verify that it is connecting to the same server it had connected to previously.
+        </para>
       </listitem>
       <listitem>
-        <para>The client transmits its authentication information to the server using strong, 128-bit encryption.</para>
+        <para>
+          The client transmits its authentication information to the server using strong, 128-bit encryption.
+        </para>
       </listitem>
       <listitem>
-        <para>All data sent and received during a session is transferred using 128-bit encryption, making intercepted transmissions extremely difficult to decrypt and read.</para>
+        <para>
+          All data sent and received during a session is transferred using 128-bit encryption, making intercepted transmissions extremely difficult to decrypt and read.
+        </para>
       </listitem>
       <listitem>
-        <para>The client can forward X11<footnote>
-					<para>X11 refers to the X11R7 windowing display system, traditionally referred to as the X Window System or X. &MAJOROS; includes X11R7, an open source X Window System.</para>
-          </footnote> applications from the server. This technique, called <firstterm>X11 forwarding</firstterm>, provides a secure means to use graphical applications over a network.</para>
+        <para>
+          The client can forward X11<footnote><para>X11 refers to the X11R7 windowing display system, traditionally referred to as the X Window System or X. &MAJOROS; includes X11R7, an open source X Window System.</para></footnote> applications from the server. This technique, called <firstterm>X11 forwarding</firstterm>, provides a secure means to use graphical applications over a network.
+        </para>
       </listitem>
     </itemizedlist>
-    <para>Because the SSH protocol encrypts everything it sends and receives, it can be used to secure otherwise insecure protocols. Using a technique called <firstterm>port forwarding</firstterm>, an SSH server can become a conduit to securing otherwise insecure protocols, like POP, and increasing overall system and data security.</para>
-    <para>The OpenSSH server and client can also be configured to create a tunnel similar to a virtual private network for traffic between server and client machines.</para>
-    <para
-      lang="en-US,as-IN,bn-IN,gu-IN,hi-IN,kn-IN,ml-IN,mr-IN,or-IN,pa-IN,si-LK,ta-IN,te-IN,pt-BR">
-			Finally, OpenSSH servers and clients can be configured to authenticate using the GSSAPI implementation of the Kerberos network authentication protocol. For more information on configuring Kerberos authentication services, refer to <!-- TBD6: <xref
-    linkend="ch-kerberos"/> -->.</para>
-    <para>&MAJOROS; includes the general OpenSSH package (<filename>openssh</filename>) as well as the OpenSSH server (<filename>openssh-server</filename>) and client (<filename>openssh-clients</filename>) packages. Note, the OpenSSH packages require the OpenSSL package (<filename>openssl</filename>) which installs several important cryptographic libraries, enabling OpenSSH to provide encrypted communications.</para>
-    <section
-      id="s2-ssh-intro-why">
+    <para>
+      Because the SSH protocol encrypts everything it sends and receives, it can be used to secure otherwise insecure protocols. Using a technique called <firstterm>port forwarding</firstterm>, an SSH server can become a conduit to securing otherwise insecure protocols, like POP, and increasing overall system and data security.
+    </para>
+    <para>
+      The OpenSSH server and client can also be configured to create a tunnel similar to a virtual private network for traffic between server and client machines.
+    </para>
+    <para lang="en-US,as-IN,bn-IN,gu-IN,hi-IN,kn-IN,ml-IN,mr-IN,or-IN,pa-IN,si-LK,ta-IN,te-IN,pt-BR">
+      Finally, OpenSSH servers and clients can be configured to authenticate using the GSSAPI implementation of the Kerberos network authentication protocol. For more information on configuring Kerberos authentication services, refer to <!-- TBD6: <xref linkend="ch-kerberos" /> -->.
+    </para>
+    <para>
+      &MAJOROS; includes the general OpenSSH package (<filename>openssh</filename>) as well as the OpenSSH server (<filename>openssh-server</filename>) and client (<filename>openssh-clients</filename>) packages. Note, the OpenSSH packages require the OpenSSL package (<filename>openssl</filename>) which installs several important cryptographic libraries, enabling OpenSSH to provide encrypted communications.
+    </para>
+    <section id="s2-ssh-intro-why">
       <title>Why Use SSH?</title>
-      <indexterm
-        significance="normal">
+      <indexterm>
         <primary>SSH protocol</primary>
         <secondary>security risks</secondary>
       </indexterm>
-      <para>Nefarious computer users have a variety of tools at their disposal enabling them to disrupt, intercept, and re-route network traffic in an effort to gain access to a system. In general terms, these threats can be categorized as follows:</para>
+      <para>
+        Nefarious computer users have a variety of tools at their disposal enabling them to disrupt, intercept, and re-route network traffic in an effort to gain access to a system. In general terms, these threats can be categorized as follows:
+      </para>
       <itemizedlist>
         <listitem>
           <para>
-            <emphasis>Interception of communication between two systems</emphasis> — In this scenario, the attacker can be somewhere on the network between the communicating parties, copying any information passed between them. The attacker may intercept and keep the information, or alter the information and send it on to the intended recipient.</para>
-          <para>This attack can be mounted through the use of a packet sniffer — a common network utility.</para>
+            <emphasis>Interception of communication between two systems</emphasis> — In this scenario, the attacker can be somewhere on the network between the communicating parties, copying any information passed between them. The attacker may intercept and keep the information, or alter the information and send it on to the intended recipient.
+          </para>
+          <para>
+            This attack can be mounted through the use of a packet sniffer — a common network utility.
+          </para>
         </listitem>
         <listitem>
           <para>
-            <emphasis>Impersonation of a particular host</emphasis> — Using this strategy, an attacker's system is configured to pose as the intended recipient of a transmission. If this strategy works, the user's system remains unaware that it is communicating with the wrong host.</para>
-          <para>This attack can be mounted through techniques known as DNS poisoning<footnote>
-						<para>DNS poisoning occurs when an intruder cracks a DNS server, pointing client systems to a maliciously duplicated host.</para>
-            </footnote> or IP spoofing<footnote>
-						<para>IP spoofing occurs when an intruder sends network packets which falsely appear to be from a trusted host on the network.</para>
-            </footnote>.</para>
+            <emphasis>Impersonation of a particular host</emphasis> — Using this strategy, an attacker's system is configured to pose as the intended recipient of a transmission. If this strategy works, the user's system remains unaware that it is communicating with the wrong host.
+          </para>
+          <para>
+            This attack can be mounted through techniques known as DNS poisoning<footnote><para>DNS poisoning occurs when an intruder cracks a DNS server, pointing client systems to a maliciously duplicated host.</para></footnote> or IP spoofing<footnote><para>IP spoofing occurs when an intruder sends network packets which falsely appear to be from a trusted host on the network.</para></footnote>.
+          </para>
         </listitem>
       </itemizedlist>
-      <para>Both techniques intercept potentially sensitive information and, if the interception is made for hostile reasons, the results can be disastrous.</para>
-      <para>If SSH is used for remote shell login and file copying, these security threats can be greatly diminished. This is because the SSH client and server use digital signatures to verify their identity. Additionally, all communication between the client and server systems is encrypted. Attempts to spoof the identity of either side of a communication does not work, since each packet is encrypted using a key known only by the local and remote systems.</para>
+      <para>
+        Both techniques intercept potentially sensitive information and, if the interception is made for hostile reasons, the results can be disastrous.
+      </para>
+      <para>
+        If SSH is used for remote shell login and file copying, these security threats can be greatly diminished. This is because the SSH client and server use digital signatures to verify their identity. Additionally, all communication between the client and server systems is encrypted. Attempts to spoof the identity of either side of a communication does not work, since each packet is encrypted using a key known only by the local and remote systems.
+      </para>
     </section>
   </section>
-  <section
-    id="s1-ssh-version">
+  <section id="s1-ssh-version">
     <title>SSH Protocol Versions</title>
     <indexterm
       significance="normal">
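Review bot: the trailing context of this hunk still shows the s1-ssh-version <indexterm with significance="normal"> on its own line, so after this change the chapter carries both styles side by side; convert that element as well, or state in the commit message that the pass is partial. Separately, the rewrapped Kerberos paragraph keeps its xref inside a comment (<!-- TBD6: ... -->), so the sentence renders as "refer to ." and would be better dropped or reworded until the target chapter exists.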
@@ -101,100 +116,134 @@
   <section
     id="s1-ssh-conn">
     <title>Event Sequence of an SSH Connection</title>
-    <indexterm
-      significance="normal">
+    <indexterm>
       <primary>SSH protocol</primary>
       <secondary>connection sequence</secondary>
     </indexterm>
-    <para>The following series of events help protect the integrity of SSH communication between two hosts.</para>
+    <para>
+      The following series of events help protect the integrity of SSH communication between two hosts.
+     </para>
     <orderedlist>
       <listitem>
-        <para>A cryptographic handshake is made so that the client can verify that it is communicating with the correct server.</para>
+        <para>
+          A cryptographic handshake is made so that the client can verify that it is communicating with the correct server.
+        </para>
       </listitem>
       <listitem>
-        <para>The transport layer of the connection between the client and remote host is encrypted using a symmetric cipher.</para>
+        <para>
+          The transport layer of the connection between the client and remote host is encrypted using a symmetric cipher.
+        </para>
       </listitem>
       <listitem>
-        <para>The client authenticates itself to the server.</para>
+        <para>
+          The client authenticates itself to the server.
+        </para>
       </listitem>
       <listitem>
-        <para>The remote client interacts with the remote host over the encrypted connection.</para>
+        <para>
+          The remote client interacts with the remote host over the encrypted connection.
+        </para>
       </listitem>
     </orderedlist>
-    <section
-      id="s2-ssh-protocol-conn-transport">
+    <section id="s2-ssh-protocol-conn-transport">
       <title>Transport Layer</title>
-      <indexterm
-        significance="normal">
+      <indexterm>
         <primary>SSH protocol</primary>
         <secondary>layers of</secondary>
         <tertiary>transport layer</tertiary>
       </indexterm>
-      <para>The primary role of the transport layer is to facilitate safe and secure communication between the two hosts at the time of authentication and during subsequent communication. The transport layer accomplishes this by handling the encryption and decryption of data, and by providing integrity protection of data packets as they are sent and received. The transport layer also provides compression, speeding the transfer of information.</para>
-      <para>Once an SSH client contacts a server, key information is exchanged so that the two systems can correctly construct the transport layer. The following steps occur during this exchange:</para>
+      <para>
+        The primary role of the transport layer is to facilitate safe and secure communication between the two hosts at the time of authentication and during subsequent communication. The transport layer accomplishes this by handling the encryption and decryption of data, and by providing integrity protection of data packets as they are sent and received. The transport layer also provides compression, speeding the transfer of information.
+      </para>
+      <para>
+        Once an SSH client contacts a server, key information is exchanged so that the two systems can correctly construct the transport layer. The following steps occur during this exchange:
+      </para>
       <itemizedlist>
         <listitem>
-          <para>Keys are exchanged</para>
+          <para>
+            Keys are exchanged
+          </para>
         </listitem>
         <listitem>
-          <para>The public key encryption algorithm is determined</para>
+          <para>
+            The public key encryption algorithm is determined
+          </para>
         </listitem>
         <listitem>
-          <para>The symmetric encryption algorithm is determined</para>
+          <para>
+            The symmetric encryption algorithm is determined
+          </para>
         </listitem>
         <listitem>
-          <para>The message authentication algorithm is determined</para>
+          <para>
+            The message authentication algorithm is determined
+          </para>
         </listitem>
         <listitem>
-          <para>The hash algorithm is determined</para>
+          <para>
+            The hash algorithm is determined
+          </para>
         </listitem>
       </itemizedlist>
-      <para>During the key exchange, the server identifies itself to the client with a unique <firstterm>host key</firstterm>. If the client has never communicated with this particular server before, the server's host key is unknown to the client and it does not connect. OpenSSH gets around this problem by accepting the server's host key. This is done after the user is notified and has both accepted and verified the new host key. In subsequent connections, the server's host key is checked against the saved version on the client, providing confidence that the client is indeed communicating with the intended server. If, in the future, the host key no longer matches, the user must remove the client's saved version before a connection can occur.</para>
+      <para>
+        During the key exchange, the server identifies itself to the client with a unique <firstterm>host key</firstterm>. If the client has never communicated with this particular server before, the server's host key is unknown to the client and it does not connect. OpenSSH gets around this problem by accepting the server's host key. This is done after the user is notified and has both accepted and verified the new host key. In subsequent connections, the server's host key is checked against the saved version on the client, providing confidence that the client is indeed communicating with the intended server. If, in the future, the host key no longer matches, the user must remove the client's saved version before a connection can occur.
+      </para>
       <warning>
         <title>Caution</title>
-        <para>It is possible for an attacker to masquerade as an SSH server during the initial contact since the local system does not know the difference between the intended server and a false one set up by an attacker. To help prevent this, verify the integrity of a new SSH server by contacting the server administrator before connecting for the first time or in the event of a host key mismatch.</para>
+        <para>
+          It is possible for an attacker to masquerade as an SSH server during the initial contact since the local system does not know the difference between the intended server and a false one set up by an attacker. To help prevent this, verify the integrity of a new SSH server by contacting the server administrator before connecting for the first time or in the event of a host key mismatch.
+        </para>
       </warning>
-      <para>SSH is designed to work with almost any kind of public key algorithm or encoding format. After an initial key exchange creates a hash value used for exchanges and a shared secret value, the two systems immediately begin calculating new keys and algorithms to protect authentication and future data sent over the connection.</para>
-      <para>After a certain amount of data has been transmitted using a given key and algorithm (the exact amount depends on the SSH implementation), another key exchange occurs, generating another set of hash values and a new shared secret value. Even if an attacker is able to determine the hash and shared secret value, this information is only useful for a limited period of time.</para>
+      <para>
+        SSH is designed to work with almost any kind of public key algorithm or encoding format. After an initial key exchange creates a hash value used for exchanges and a shared secret value, the two systems immediately begin calculating new keys and algorithms to protect authentication and future data sent over the connection.
+      </para>
+      <para>
+        After a certain amount of data has been transmitted using a given key and algorithm (the exact amount depends on the SSH implementation), another key exchange occurs, generating another set of hash values and a new shared secret value. Even if an attacker is able to determine the hash and shared secret value, this information is only useful for a limited period of time.
+      </para>
     </section>
-    <section
-      id="s2-ssh-protocol-authentication">
+    <section id="s2-ssh-protocol-authentication">
       <title>Authentication</title>
-      <indexterm
-        significance="normal">
+      <indexterm>
         <primary>SSH protocol</primary>
         <secondary>authentication</secondary>
       </indexterm>
-      <para>Once the transport layer has constructed a secure tunnel to pass information between the two systems, the server tells the client the different authentication methods supported, such as using a private key-encoded signature or typing a password. The client then tries to authenticate itself to the server using one of these supported methods.</para>
-      <para>SSH servers and clients can be configured to allow different types of authentication, which gives each side the optimal amount of control. The server can decide which encryption methods it supports based on its security model, and the client can choose the order of authentication methods to attempt from the available options.</para>
+      <para>
+        Once the transport layer has constructed a secure tunnel to pass information between the two systems, the server tells the client the different authentication methods supported, such as using a private key-encoded signature or typing a password. The client then tries to authenticate itself to the server using one of these supported methods.
+      </para>
+      <para>
+        SSH servers and clients can be configured to allow different types of authentication, which gives each side the optimal amount of control. The server can decide which encryption methods it supports based on its security model, and the client can choose the order of authentication methods to attempt from the available options.
+      </para>
     </section>
-    <section
-      id="s2-ssh-protocol-connection">
+    <section id="s2-ssh-protocol-connection">
       <title>Channels</title>
-      <indexterm
-        significance="normal">
+      <indexterm>
         <primary>SSH protocol</primary>
         <secondary>layers of</secondary>
         <tertiary>channels</tertiary>
       </indexterm>
-      <para>After a successful authentication over the SSH transport layer, multiple channels are opened via a technique called <firstterm>multiplexing</firstterm>
-        <footnote>
-          <para>A multiplexed connection consists of several signals being sent over a shared, common medium. With SSH, different channels are sent over a common secure connection.</para>
-        </footnote>. Each of these channels handles communication for different terminal sessions and for forwarded X11 sessions.</para>
-      <para>Both clients and servers can create a new channel. Each channel is then assigned a different number on each end of the connection. When the client attempts to open a new channel, the clients sends the channel number along with the request. This information is stored by the server and is used to direct communication to that channel. This is done so that different types of sessions do not affect one another and so that when a given session ends, its channel can be closed without disrupting the primary SSH connection.</para>
-      <para>Channels also support <firstterm>flow-control</firstterm>, which allows them to send and receive data in an orderly fashion. In this way, data is not sent over the channel until the client receives a message that the channel is open.</para>
-      <para>The client and server negotiate the characteristics of each channel automatically, depending on the type of service the client requests and the way the user is connected to the network. This allows great flexibility in handling different types of remote connections without having to change the basic infrastructure of the protocol.</para>
+      <para>
+        After a successful authentication over the SSH transport layer, multiple channels are opened via a technique called <firstterm>multiplexing</firstterm><footnote><para>A multiplexed connection consists of several signals being sent over a shared, common medium. With SSH, different channels are sent over a common secure connection.</para></footnote>. Each of these channels handles communication for different terminal sessions and for forwarded X11 sessions.
+      </para>
+      <para>
+        Both clients and servers can create a new channel. Each channel is then assigned a different number on each end of the connection. When the client attempts to open a new channel, the clients sends the channel number along with the request. This information is stored by the server and is used to direct communication to that channel. This is done so that different types of sessions do not affect one another and so that when a given session ends, its channel can be closed without disrupting the primary SSH connection.
+      </para>
+      <para>
+        Channels also support <firstterm>flow-control</firstterm>, which allows them to send and receive data in an orderly fashion. In this way, data is not sent over the channel until the client receives a message that the channel is open.
+      </para>
+      <para>
+        The client and server negotiate the characteristics of each channel automatically, depending on the type of service the client requests and the way the user is connected to the network. This allows great flexibility in handling different types of remote connections without having to change the basic infrastructure of the protocol.
+      </para>
     </section>
   </section>
-  <section
-    id="s1-openssh-server-config">
+  <section id="s1-openssh-server-config">
     <title>Configuring an OpenSSH Server</title>
-    <indexterm
-      significance="normal">
+    <indexterm>
       <primary>OpenSSH</primary>
       <secondary>server</secondary>
     </indexterm>
-    <para>To run an OpenSSH server, you must first make sure that you have the proper RPM packages installed. The <filename>openssh-server</filename> package is required and is dependent on the <filename>openssh</filename> package.</para>
+    <para>
+      To run an OpenSSH server, you must first make sure that you have the proper RPM packages installed. The <filename>openssh-server</filename> package is required and is dependent on the <filename>openssh</filename> package.
+    </para>
     <indexterm
       significance="normal">
       <primary>OpenSSH</primary>
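Review bot: the closing tag of the first paragraph under s1-ssh-conn ("+     </para>") is indented five spaces while its opening <para> uses four; align it with the other paragraphs in the hunk. The <section / id="s1-ssh-conn"> pair at the top of the hunk and the <indexterm / significance="normal"> pair at the bottom are left in the old split form, which works against the consistent output the commit message aims for. As a follow-up outside this formatting-only commit, the rewrapped text still carries "the clients sends" in the Channels section and "The server can decide which encryption methods it supports" in a paragraph that is otherwise about authentication methods.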
@@ -210,35 +259,37 @@
       <secondary>server</secondary>
       <tertiary>starting and stopping</tertiary>
     </indexterm>
-    <para
-      lang="en-US,as-IN,bn-IN,gu-IN,hi-IN,kn-IN,ml-IN,mr-IN,or-IN,pa-IN,si-LK,ta-IN,te-IN">
-			To start the OpenSSH service, use the command <command>/sbin/service sshd start</command>. To stop the OpenSSH server, use the command <command>/sbin/service sshd stop</command>. If you want the daemon to start automatically at boot time, refer to <xref
-        linkend="ch-Controlling_Access_to_Services"/> for information on how to manage services.</para>
-    <para>If you reinstall, the reinstalled system creates a new set of identification keys. Any clients who had connected to the system with any of the OpenSSH tools before the reinstall will see the following message:</para>
-    <screen>
-@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+    <para lang="en-US,as-IN,bn-IN,gu-IN,hi-IN,kn-IN,ml-IN,mr-IN,or-IN,pa-IN,si-LK,ta-IN,te-IN">
+      To start the OpenSSH service, use the command <command>/sbin/service sshd start</command>. To stop the OpenSSH server, use the command <command>/sbin/service sshd stop</command>. If you want the daemon to start automatically at boot time, refer to <xref linkend="ch-Controlling_Access_to_Services" /> for information on how to manage services.
+    </para>
+    <para>
+      If you reinstall, the reinstalled system creates a new set of identification keys. Any clients who had connected to the system with any of the OpenSSH tools before the reinstall will see the following message:
+    </para>
+    <screen>@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
 Someone could be eavesdropping on you right now (man-in-the-middle attack)!
-It is also possible that the RSA host key has just been changed.
-</screen>
-    <para>If you want to keep the host keys generated for the system, backup the <filename>/etc/ssh/ssh_host*key*</filename> files and restore them after the reinstall. This process retains the system's identity, and when clients try to connect to the system after the reinstall, they will not receive the warning message.</para>
-    <section
-      id="s2-ssh-requiring">
+It is also possible that the RSA host key has just been changed.</screen>
+    <para>
+      If you want to keep the host keys generated for the system, backup the <filename>/etc/ssh/ssh_host*key*</filename> files and restore them after the reinstall. This process retains the system's identity, and when clients try to connect to the system after the reinstall, they will not receive the warning message.
+    </para>
+    <section id="s2-ssh-requiring">
       <title>Requiring SSH for Remote Connections</title>
-      <indexterm
-        significance="normal">
+      <indexterm>
         <primary>SSH protocol</primary>
         <secondary>insecure protocols and</secondary>
       </indexterm>
-      <indexterm
-        significance="normal">
+      <indexterm>
         <primary>SSH protocol</primary>
         <secondary>requiring for remote login</secondary>
       </indexterm>
-      <para>For SSH to be truly effective, using insecure connection protocols, such as Telnet and FTP, should be prohibited. Otherwise, a user's password may be protected using SSH for one session, only to be captured later while logging in using Telnet.</para>
-      <para>Some services to disable include:</para>
+      <para>
+        For SSH to be truly effective, using insecure connection protocols, such as Telnet and FTP, should be prohibited. Otherwise, a user's password may be protected using SSH for one session, only to be captured later while logging in using Telnet.
+      </para>
+      <para>
+        Some services to disable include:
+      </para>
       <itemizedlist>
         <listitem>
           <para>
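Review bot: The rewrapped host-key paragraph ("If you want to keep the host keys generated for the system, backup the <filename>/etc/ssh/ssh_host*key*</filename> files and restore them after the reinstall.") is carried over word for word and still does not say that this glob matches the private host keys as well as the .pub files. A follow-up should tell the reader to keep the backup copy readable by root only and to restore the files with their original ownership and permissions, since anyone who obtains the copy can impersonate the server to clients that already trust it. While the line is being touched, "backup" is used as a verb and should read "back up". The removal of significance="normal" from the two <indexterm> elements in this section is a markup change rather than whitespace, so the commit message should mention it.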
@@ -262,594 +313,651 @@ It is also possible that the RSA host key has just been changed.
         </listitem>
       </itemizedlist>
       <para>To disable insecure connection methods to the system, use the command line program <command>chkconfig</command>, the ncurses-based program <application>/usr/sbin/ntsysv</application>, or the <application>Services Configuration Tool</application> (<command>system-config-services</command>) graphical application. All of these tools require root level access.</para>
-      <para
-        lang="en-US,as-IN,bn-IN,gu-IN,hi-IN,kn-IN,ml-IN,mr-IN,or-IN,pa-IN,si-LK,ta-IN,te-IN">
-				For more information on runlevels and configuring services with <command>chkconfig</command>, <application>/usr/sbin/ntsysv</application>, and the <application>Services Configuration Tool</application>, refer to <xref
-          linkend="ch-Controlling_Access_to_Services"/>.</para>
+      <para lang="en-US,as-IN,bn-IN,gu-IN,hi-IN,kn-IN,ml-IN,mr-IN,or-IN,pa-IN,si-LK,ta-IN,te-IN">
+        For more information on runlevels and configuring services with <command>chkconfig</command>, <application>/usr/sbin/ntsysv</application>, and the <application>Services Configuration Tool</application>, refer to <xref linkend="ch-Controlling_Access_to_Services" />.
+      </para>
     </section>
   </section>
-  <section
-    id="s1-ssh-configfiles">
+  <section id="s1-ssh-configfiles">
     <title>OpenSSH Configuration Files</title>
-    <indexterm
-      significance="normal">
+    <indexterm>
       <primary>SSH protocol</primary>
       <secondary>configuration files</secondary>
     </indexterm>
-    <indexterm
-      significance="normal">
+    <indexterm>
       <primary>OpenSSH</primary>
       <secondary>configuration files for</secondary>
     </indexterm>
-    <para>OpenSSH has two different sets of configuration files: one for client programs (<command>ssh</command>, <command>scp</command>, and <command>sftp</command>) and one for the server daemon (<command>sshd</command>).</para>
-    <para>System-wide SSH configuration information is stored in the <filename>/etc/ssh/</filename> directory:</para>
+    <para>
+      OpenSSH has two different sets of configuration files: one for client programs (<command>ssh</command>, <command>scp</command>, and <command>sftp</command>) and one for the server daemon (<command>sshd</command>).
+    </para>
+    <para>
+      System-wide SSH configuration information is stored in the <filename>/etc/ssh/</filename> directory:
+    </para>
     <itemizedlist>
       <listitem>
         <para>
-          <filename>moduli</filename> — Contains Diffie-Hellman groups used for the Diffie-Hellman key exchange which is critical for constructing a secure transport layer. When keys are exchanged at the beginning of an SSH session, a shared, secret value is created which cannot be determined by either party alone. This value is then used to provide host authentication.</para>
+          <filename>moduli</filename> — Contains Diffie-Hellman groups used for the Diffie-Hellman key exchange which is critical for constructing a secure transport layer. When keys are exchanged at the beginning of an SSH session, a shared, secret value is created which cannot be determined by either party alone. This value is then used to provide host authentication.
+        </para>
       </listitem>
       <listitem>
         <para>
-          <filename>ssh_config</filename> — The system-wide default SSH client configuration file. It is overridden if one is also present in the user's home directory (<filename>~/.ssh/config</filename>).</para>
+          <filename>ssh_config</filename> — The system-wide default SSH client configuration file. It is overridden if one is also present in the user's home directory (<filename>~/.ssh/config</filename>).
+        </para>
       </listitem>
       <listitem>
         <para>
-          <filename>sshd_config</filename> — The configuration file for the <command>sshd</command> daemon.</para>
+          <filename>sshd_config</filename> — The configuration file for the <command>sshd</command> daemon.
+        </para>
       </listitem>
       <listitem>
         <para>
-          <filename>ssh_host_dsa_key</filename> — The DSA private key used by the <command>sshd</command> daemon.</para>
+          <filename>ssh_host_dsa_key</filename> — The DSA private key used by the <command>sshd</command> daemon.
+        </para>
       </listitem>
       <listitem>
         <para>
-          <filename>ssh_host_dsa_key.pub</filename> — The DSA public key used by the <command>sshd</command> daemon.</para>
+          <filename>ssh_host_dsa_key.pub</filename> — The DSA public key used by the <command>sshd</command> daemon.
+        </para>
       </listitem>
       <listitem>
         <para>
-          <filename>ssh_host_key</filename> — The RSA private key used by the <command>sshd</command> daemon for version 1 of the SSH protocol.</para>
+          <filename>ssh_host_key</filename> — The RSA private key used by the <command>sshd</command> daemon for version 1 of the SSH protocol.
+        </para>
       </listitem>
       <listitem>
         <para>
-          <filename>ssh_host_key.pub</filename> — The RSA public key used by the <command>sshd</command> daemon for version 1 of the SSH protocol.</para>
+          <filename>ssh_host_key.pub</filename> — The RSA public key used by the <command>sshd</command> daemon for version 1 of the SSH protocol.
+        </para>
       </listitem>
       <listitem>
         <para>
-          <filename>ssh_host_rsa_key</filename> — The RSA private key used by the <command>sshd</command> daemon for version 2 of the SSH protocol.</para>
+          <filename>ssh_host_rsa_key</filename> — The RSA private key used by the <command>sshd</command> daemon for version 2 of the SSH protocol.
+        </para>
       </listitem>
       <listitem>
         <para>
-          <filename>ssh_host_rsa_key.pub</filename> — The RSA public key used by the <command>sshd</command> for version 2 of the SSH protocol.</para>
+          <filename>ssh_host_rsa_key.pub</filename> — The RSA public key used by the <command>sshd</command> for version 2 of the SSH protocol.
+        </para>
       </listitem>
     </itemizedlist>
-    <para>User-specific SSH configuration information is stored in the user's home directory within the <filename>~/.ssh/</filename> directory:</para>
+    <para>
+      User-specific SSH configuration information is stored in the user's home directory within the <filename>~/.ssh/</filename> directory:
+    </para>
     <itemizedlist>
       <listitem>
         <para>
-          <filename>authorized_keys</filename> — This file holds a list of authorized public keys for servers. When the client connects to a server, the server authenticates the client by checking its signed public key stored within this file.</para>
+          <filename>authorized_keys</filename> — This file holds a list of authorized public keys for servers. When the client connects to a server, the server authenticates the client by checking its signed public key stored within this file.
+        </para>
       </listitem>
       <listitem>
         <para>
-          <filename>id_dsa</filename> — Contains the DSA private key of the user.</para>
+          <filename>id_dsa</filename> — Contains the DSA private key of the user.
+        </para>
       </listitem>
       <listitem>
         <para>
-          <filename>id_dsa.pub</filename> — The DSA public key of the user.</para>
+          <filename>id_dsa.pub</filename> — The DSA public key of the user.
+        </para>
       </listitem>
       <listitem>
         <para>
-          <filename>id_rsa</filename> — The RSA private key used by <command>ssh</command> for version 2 of the SSH protocol.</para>
+          <filename>id_rsa</filename> — The RSA private key used by <command>ssh</command> for version 2 of the SSH protocol.
+        </para>
       </listitem>
       <listitem>
         <para>
-          <filename>id_rsa.pub</filename> — The RSA public key used by <command>ssh</command> for version 2 of the SSH protocol</para>
+          <filename>id_rsa.pub</filename> — The RSA public key used by <command>ssh</command> for version 2 of the SSH protocol
+        </para>
       </listitem>
       <listitem>
         <para>
-          <filename>identity</filename> — The RSA private key used by <command>ssh</command> for version 1 of the SSH protocol.</para>
+          <filename>identity</filename> — The RSA private key used by <command>ssh</command> for version 1 of the SSH protocol.
+        </para>
       </listitem>
       <listitem>
         <para>
-          <filename>identity.pub</filename> — The RSA public key used by <command>ssh</command> for version 1 of the SSH protocol.</para>
+          <filename>identity.pub</filename> — The RSA public key used by <command>ssh</command> for version 1 of the SSH protocol.
+        </para>
       </listitem>
       <listitem>
         <para>
-          <filename>known_hosts</filename> — This file contains DSA host keys of SSH servers accessed by the user. This file is very important for ensuring that the SSH client is connecting the correct SSH server.</para>
+          <filename>known_hosts</filename> — This file contains DSA host keys of SSH servers accessed by the user. This file is very important for ensuring that the SSH client is connecting the correct SSH server.
+        </para>
         <important>
           <title>Important</title>
-          <para>If an SSH server's host key has changed, the client notifies the user that the connection cannot proceed until the server's host key is deleted from the <filename>known_hosts</filename> file using a text editor. Before doing this, however, contact the system administrator of the SSH server to verify the server is not compromised.</para>
+          <para>
+            If an SSH server's host key has changed, the client notifies the user that the connection cannot proceed until the server's host key is deleted from the <filename>known_hosts</filename> file using a text editor. Before doing this, however, contact the system administrator of the SSH server to verify the server is not compromised.
+          </para>
         </important>
       </listitem>
     </itemizedlist>
-    <para>Refer to the <command>ssh_config</command> and <command>sshd_config</command> man pages for information concerning the various directives available in the SSH configuration files.</para>
+    <para>
+      Refer to the <command>ssh_config</command> and <command>sshd_config</command> man pages for information concerning the various directives available in the SSH configuration files.
+    </para>
   </section>
-  <section
-    id="s1-openssh-client-config">
+  <section id="s1-openssh-client-config">
     <title>Configuring an OpenSSH Client</title>
-    <indexterm
-      significance="normal">
+    <indexterm>
       <primary>OpenSSH</primary>
       <secondary>client</secondary>
     </indexterm>
-    <para>To connect to an OpenSSH server from a client machine, you must have the <filename>openssh-clients</filename> and <filename>openssh</filename> packages installed on the client machine.</para>
-    <section
-      id="s2-openssh-using-ssh">
+    <para>
+      To connect to an OpenSSH server from a client machine, you must have the <filename>openssh-clients</filename> and <filename>openssh</filename> packages installed on the client machine.
+    </para>
+    <section id="s2-openssh-using-ssh">
       <title>Using the <command>ssh</command> Command</title>
-      <indexterm
-        significance="normal">
+      <indexterm>
         <primary>
           <command>ssh</command>
         </primary>
         <see>OpenSSH</see>
       </indexterm>
-      <indexterm
-        significance="normal">
+      <indexterm>
         <primary>OpenSSH</primary>
         <secondary>client</secondary>
         <tertiary>
           <command>ssh</command>
         </tertiary>
       </indexterm>
-      <para>The <command>ssh</command> command is a secure replacement for the <command>rlogin</command>, <command>rsh</command>, and <command>telnet</command> commands. It allows you to log in to a remote machine as well as execute commands on a remote machine.</para>
-      <para>Logging in to a remote machine with <command>ssh</command> is similar to using <command>telnet</command>. To log in to a remote machine named penguin.example.net, type the following command at a shell prompt:</para>
-      <screen>
-ssh penguin.example.net
-</screen>
-      <para>The first time you <command>ssh</command> to a remote machine, you will see a message similar to the following:</para>
-      <screen>
-The authenticity of host 'penguin.example.net' can't be established.
+      <para>
+        The <command>ssh</command> command is a secure replacement for the <command>rlogin</command>, <command>rsh</command>, and <command>telnet</command> commands. It allows you to log in to a remote machine as well as execute commands on a remote machine.
+      </para>
+      <para>
+        Logging in to a remote machine with <command>ssh</command> is similar to using <command>telnet</command>. To log in to a remote machine named penguin.example.net, type the following command at a shell prompt:
+      </para>
+      <screen>ssh penguin.example.net</screen>
+      <para>
+        The first time you <command>ssh</command> to a remote machine, you will see a message similar to the following:
+      </para>
+      <screen>The authenticity of host 'penguin.example.net' can't be established.
 DSA key fingerprint is 94:68:3a:3a:bc:f3:9a:9b:01:5d:b3:07:38:e2:11:0c.
-Are you sure you want to continue connecting (yes/no)?
-</screen>
-      <para>Type <userinput>yes</userinput> to continue. This will add the server to your list of known hosts (<filename>~/.ssh/known_hosts</filename>) as seen in the following message:</para>
-      <screen>
-Warning: Permanently added 'penguin.example.net' (RSA) to the list of known hosts.
-</screen>
-      <para>Next, you will see a prompt asking for your password for the remote machine. After entering your password, you will be at a shell prompt for the remote machine. If you do not specify a username the username that you are logged in as on the local client machine is passed to the remote machine. If you want to specify a different username, use the following command:</para>
-      <screen>
-ssh <replaceable>username</replaceable>@penguin.example.net
-</screen>
-      <para>You can also use the syntax <command>ssh -l <replaceable>username</replaceable> penguin.example.net</command>.</para>
-      <para>The <command>ssh</command> command can be used to execute a command on the remote machine without logging in to a shell prompt. The syntax is <command> ssh <replaceable>hostname</replaceable>
-          <replaceable>command</replaceable>
-        </command>. For example, if you want to execute the command <command>ls /usr/share/doc</command> on the remote machine penguin.example.net, type the following command at a shell prompt:</para>
-      <screen>
-ssh penguin.example.net ls /usr/share/doc
-</screen>
-      <para>After you enter the correct password, the contents of the remote directory <filename>/usr/share/doc</filename> will be displayed, and you will return to your local shell prompt.</para>
+Are you sure you want to continue connecting (yes/no)?</screen>
+      <para>
+        Type <userinput>yes</userinput> to continue. This will add the server to your list of known hosts (<filename>~/.ssh/known_hosts</filename>) as seen in the following message:
+      </para>
+      <screen>Warning: Permanently added 'penguin.example.net' (RSA) to the list of known hosts.</screen>
+      <para>
+        Next, you will see a prompt asking for your password for the remote machine. After entering your password, you will be at a shell prompt for the remote machine. If you do not specify a username the username that you are logged in as on the local client machine is passed to the remote machine. If you want to specify a different username, use the following command:
+      </para>
+      <screen>ssh <replaceable>username</replaceable>@penguin.example.net</screen>
+      <para>
+        You can also use the syntax <command>ssh -l <replaceable>username</replaceable> penguin.example.net</command>.
+      </para>
+      <para>
+        The <command>ssh</command> command can be used to execute a command on the remote machine without logging in to a shell prompt. The syntax is <command> ssh <replaceable>hostname</replaceable> <replaceable>command</replaceable></command>. For example, if you want to execute the command <command>ls /usr/share/doc</command> on the remote machine penguin.example.net, type the following command at a shell prompt:
+      </para>
+      <screen>ssh penguin.example.net ls /usr/share/doc</screen>
+      <para>
+        After you enter the correct password, the contents of the remote directory <filename>/usr/share/doc</filename> will be displayed, and you will return to your local shell prompt.
+      </para>
     </section>
-    <section
-      id="s2-openssh-using-scp">
+    <section id="s2-openssh-using-scp">
       <title>Using the <command>scp</command> Command</title>
-      <indexterm
-        significance="normal">
+      <indexterm>
         <primary>
           <command>scp</command>
         </primary>
         <see>OpenSSH</see>
       </indexterm>
-      <indexterm
-        significance="normal">
+      <indexterm>
         <primary>OpenSSH</primary>
         <secondary>client</secondary>
         <tertiary>
           <command>scp</command>
         </tertiary>
       </indexterm>
-      <indexterm
-        significance="normal">
+      <indexterm>
         <primary>
           <command>rcp</command>
         </primary>
       </indexterm>
-      <para>The <command>scp</command> command can be used to transfer files between machines over a secure, encrypted connection. It is similar to <command>rcp</command>.</para>
-      <para>The general syntax to transfer a local file to a remote system is as follows:</para>
-      <screen>
-scp <replaceable>&lt;localfile&gt;</replaceable>
-        <replaceable>username at tohostname:&lt;remotefile&gt;</replaceable>
-      </screen>
-      <para>The <replaceable>&lt;localfile&gt;</replaceable> specifies the source including path to the file, such as <filename>/var/log/maillog</filename>. The <replaceable>&lt;remotefile&gt;</replaceable> specifies the destination, which can be a new filename such as <filename>/tmp/hostname-maillog</filename>. For the remote system, if you do not have a preceding <command>/</command>, the path will be relative to the home directory of <replaceable>username</replaceable>, typically <filename>/home/username/</filename>.</para>
-      <para>To transfer the local file <filename>shadowman</filename> to the home directory of your account on penguin.example.net, type the following at a shell prompt (replace <replaceable>username</replaceable> with your username):</para>
-      <screen>
-scp shadowman <replaceable>username</replaceable>@penguin.example.net:shadowman
-</screen>
-      <para>This will transfer the local file <filename>shadowman</filename> to <filename>/home/<replaceable>username</replaceable>/shadowman</filename> on penguin.example.net. Alternately, you can leave off the final <computeroutput>shadowman</computeroutput> in the <command>scp</command> command.</para>
-      <para>The general syntax to transfer a remote file to the local system is as follows:</para>
-      <screen>
-scp <replaceable>username at tohostname:&lt;remotefile&gt;</replaceable>
-        <replaceable>&lt;newlocalfile&gt;</replaceable>
-      </screen>
-      <para>The <replaceable>&lt;remotefile&gt;</replaceable> specifies the source including path, and <replaceable>&lt;newlocalfile&gt;</replaceable> specifies the destination including path.</para>
-      <para>Multiple files can be specified as the source files. For example, to transfer the contents of the directory <filename>downloads/</filename> to an existing directory called <filename>uploads/</filename> on the remote machine penguin.example.net, type the following at a shell prompt:</para>
-      <screen>
-scp downloads/* <replaceable>username</replaceable>@penguin.example.net:uploads/
-</screen>
+      <para>
+        The <command>scp</command> command can be used to transfer files between machines over a secure, encrypted connection. It is similar to <command>rcp</command>.
+      </para>
+      <para>
+        The general syntax to transfer a local file to a remote system is as follows:
+      </para>
+      <screen>scp <replaceable>&lt;localfile&gt;</replaceable> <replaceable>username at tohostname:&lt;remotefile&gt;</replaceable></screen>
+      <para>
+        The <replaceable>&lt;localfile&gt;</replaceable> specifies the source including path to the file, such as <filename>/var/log/maillog</filename>. The <replaceable>&lt;remotefile&gt;</replaceable> specifies the destination, which can be a new filename such as <filename>/tmp/hostname-maillog</filename>. For the remote system, if you do not have a preceding <command>/</command>, the path will be relative to the home directory of <replaceable>username</replaceable>, typically <filename>/home/username/</filename>.
+      </para>
+      <para>
+        To transfer the local file <filename>shadowman</filename> to the home directory of your account on penguin.example.net, type the following at a shell prompt (replace <replaceable>username</replaceable> with your username):
+      </para>
+      <screen>scp shadowman <replaceable>username</replaceable>@penguin.example.net:shadowman</screen>
+      <para>
+        This will transfer the local file <filename>shadowman</filename> to <filename>/home/<replaceable>username</replaceable>/shadowman</filename> on penguin.example.net. Alternately, you can leave off the final <computeroutput>shadowman</computeroutput> in the <command>scp</command> command.
+      </para>
+      <para>
+        The general syntax to transfer a remote file to the local system is as follows:
+      </para>
+      <screen>scp <replaceable>username at tohostname:&lt;remotefile&gt;</replaceable> <replaceable>&lt;newlocalfile&gt;</replaceable></screen>
+      <para>
+        The <replaceable>&lt;remotefile&gt;</replaceable> specifies the source including path, and <replaceable>&lt;newlocalfile&gt;</replaceable> specifies the destination including path.
+      </para>
+      <para>
+        Multiple files can be specified as the source files. For example, to transfer the contents of the directory <filename>downloads/</filename> to an existing directory called <filename>uploads/</filename> on the remote machine penguin.example.net, type the following at a shell prompt:
+       </para>
+      <screen>scp downloads/* <replaceable>username</replaceable>@penguin.example.net:uploads/</screen>
     </section>
-    <section
-      id="s2-openssh-using-sftp">
+    <section id="s2-openssh-using-sftp">
       <title>Using the <command>sftp</command> Command</title>
-      <indexterm
-        significance="normal">
+      <indexterm>
         <primary>
           <command>sftp</command>
         </primary>
         <see>OpenSSH</see>
       </indexterm>
-      <indexterm
-        significance="normal">
+      <indexterm>
         <primary>OpenSSH</primary>
         <secondary>client</secondary>
         <tertiary>
           <command>sftp</command>
         </tertiary>
       </indexterm>
-      <para>The <command>sftp</command> utility can be used to open a secure, interactive FTP session. It is similar to <command>ftp</command> except that it uses a secure, encrypted connection. The general syntax is <command>sftp<replaceable> username at hostname.com</replaceable>
-        </command>. Once authenticated, you can use a set of commands similar to those used by FTP. Refer to the <command>sftp</command> man page for a list of these commands. To read the man page, execute the command <command>man sftp</command> at a shell prompt. The <command>sftp</command> utility is only available in OpenSSH version 2.5.0p1 and higher.</para>
+      <para>
+        The <command>sftp</command> utility can be used to open a secure, interactive FTP session. It is similar to <command>ftp</command> except that it uses a secure, encrypted connection. The general syntax is <command>sftp<replaceable> username at hostname.com</replaceable></command>. Once authenticated, you can use a set of commands similar to those used by FTP. Refer to the <command>sftp</command> man page for a list of these commands. To read the man page, execute the command <command>man sftp</command> at a shell prompt. The <command>sftp</command> utility is only available in OpenSSH version 2.5.0p1 and higher.
+      </para>
     </section>
   </section>
-  <section
-    id="s1-ssh-beyondshell">
+  <section id="s1-ssh-beyondshell">
     <title>More Than a Secure Shell</title>
-    <para>A secure command line interface is just the beginning of the many ways SSH can be used. Given the proper amount of bandwidth, X11 sessions can be directed over an SSH channel. Or, by using TCP/IP forwarding, previously insecure port connections between systems can be mapped to specific SSH channels.</para>
-    <section
-      id="s2-ssh-beyondshell-x11">
+    <para>
+      A secure command line interface is just the beginning of the many ways SSH can be used. Given the proper amount of bandwidth, X11 sessions can be directed over an SSH channel. Or, by using TCP/IP forwarding, previously insecure port connections between systems can be mapped to specific SSH channels.
+    </para>
+    <section id="s2-ssh-beyondshell-x11">
       <title>X11 Forwarding</title>
-      <indexterm
-        significance="normal">
+      <indexterm>
         <primary>SSH protocol</primary>
         <secondary>X11 forwarding</secondary>
       </indexterm>
-      <para>Opening an X11 session over an SSH connection is as easy as connecting to the SSH server using the <option>-Y</option> option and running an X program on a local machine.</para>
-      <screen>
-ssh -Y &lt;user&gt;@example.com
-</screen>
-      <para>When an X program is run from the secure shell prompt, the SSH client and server create a new secure channel, and the X program data is sent over that channel to the client machine transparently.</para>
-      <para>X11 forwarding can be very useful. For example, X11 forwarding can be used to create a secure, interactive session of the <application>Printer Configuration Tool</application>. To do this, connect to the server using <application>ssh</application> and type:</para>
-      <screen>
-system-config-printer &amp;
-</screen>
-      <para>After supplying the root password for the server, the <application>Printer Configuration Tool</application> appears and allows the remote user to safely configure printing on the remote system.</para>
+      <para>
+        Opening an X11 session over an SSH connection is as easy as connecting to the SSH server using the <option>-Y</option> option and running an X program on a local machine.
+      </para>
+      <screen>ssh -Y &lt;user&gt;@example.com</screen>
+      <para>
+        When an X program is run from the secure shell prompt, the SSH client and server create a new secure channel, and the X program data is sent over that channel to the client machine transparently.
+      </para>
+      <para>
+        X11 forwarding can be very useful. For example, X11 forwarding can be used to create a secure, interactive session of the <application>Printer Configuration Tool</application>. To do this, connect to the server using <application>ssh</application> and type:
+      </para>
+      <screen>system-config-printer &amp;</screen>
+      <para>
+        After supplying the root password for the server, the <application>Printer Configuration Tool</application> appears and allows the remote user to safely configure printing on the remote system.
+      </para>
     </section>
-    <section
-      id="s2-ssh-beyondshell-tcpip">
+    <section id="s2-ssh-beyondshell-tcpip">
       <title>Port Forwarding</title>
-      <indexterm
-        significance="normal">
+      <indexterm>
         <primary>SSH protocol</primary>
         <secondary>port forwarding</secondary>
       </indexterm>
-      <para>SSH can secure otherwise insecure TCP/IP protocols via port forwarding. When using this technique, the SSH server becomes an encrypted conduit to the SSH client.</para>
-      <para>Port forwarding works by mapping a local port on the client to a remote port on the server. SSH can map any port from the server to any port on the client; port numbers do not need to match for this technique to work.</para>
-      <para>To create a TCP/IP port forwarding channel which listens for connections on the localhost, use the following command:</para>
-      <screen>
-ssh -L <replaceable>local-port</replaceable>:<replaceable>remote-hostname</replaceable>:<replaceable>remote-port</replaceable>
-        <replaceable>username</replaceable>@<replaceable>hostname</replaceable>
-      </screen>
+      <para>
+        SSH can secure otherwise insecure TCP/IP protocols via port forwarding. When using this technique, the SSH server becomes an encrypted conduit to the SSH client.
+      </para>
+      <para>
+        Port forwarding works by mapping a local port on the client to a remote port on the server. SSH can map any port from the server to any port on the client; port numbers do not need to match for this technique to work.
+      </para>
+      <para>
+        To create a TCP/IP port forwarding channel which listens for connections on the localhost, use the following command:
+      </para>
+      <screen>ssh -L <replaceable>local-port</replaceable>:<replaceable>remote-hostname</replaceable>:<replaceable>remote-port</replaceable> <replaceable>username</replaceable>@<replaceable>hostname</replaceable></screen>
       <note>
         <title>Note</title>
-        <para>Setting up port forwarding to listen on ports below 1024 requires root level access.</para>
+        <para>
+          Setting up port forwarding to listen on ports below 1024 requires root level access.
+        </para>
       </note>
-      <para>To check email on a server called <command>mail.example.com</command> using POP3 through an encrypted connection, use the following command:</para>
-      <screen>
-ssh -L 1100:mail.example.com:110 mail.example.com
-</screen>
-      <para>Once the port forwarding channel is in place between the client machine and the mail server, direct a POP3 mail client to use port 1100 on the localhost to check for new mail. Any requests sent to port 1100 on the client system are directed securely to the <command>mail.example.com</command> server.</para>
-      <para>If <command>mail.example.com</command> is not running an SSH server, but another machine on the same network is, SSH can still be used to secure part of the connection. However, a slightly different command is necessary:</para>
-      <screen>
-ssh -L 1100:mail.example.com:110 other.example.com
-</screen>
-      <para>In this example, POP3 requests from port 1100 on the client machine are forwarded through the SSH connection on port 22 to the SSH server, <command>other.example.com</command>. Then, <command>other.example.com</command> connects to port 110 on <command>mail.example.com</command> to check for new mail. Note, when using this technique only the connection between the client system and <command>other.example.com</command> SSH server is secure.</para>
-      <para>Port forwarding can also be used to get information securely through network firewalls. If the firewall is configured to allow SSH traffic via its standard port (22) but blocks access to other ports, a connection between two hosts using the blocked ports is still possible by redirecting their communication over an established SSH connection.</para>
+      <para>
+        To check email on a server called <command>mail.example.com</command> using POP3 through an encrypted connection, use the following command:
+      </para>
+      <screen>ssh -L 1100:mail.example.com:110 mail.example.com</screen>
+      <para>
+        Once the port forwarding channel is in place between the client machine and the mail server, direct a POP3 mail client to use port 1100 on the localhost to check for new mail. Any requests sent to port 1100 on the client system are directed securely to the <command>mail.example.com</command> server.
+      </para>
+      <para>
+        If <command>mail.example.com</command> is not running an SSH server, but another machine on the same network is, SSH can still be used to secure part of the connection. However, a slightly different command is necessary:
+      </para>
+      <screen>ssh -L 1100:mail.example.com:110 other.example.com</screen>
+      <para>
+        In this example, POP3 requests from port 1100 on the client machine are forwarded through the SSH connection on port 22 to the SSH server, <command>other.example.com</command>. Then, <command>other.example.com</command> connects to port 110 on <command>mail.example.com</command> to check for new mail. Note, when using this technique only the connection between the client system and <command>other.example.com</command> SSH server is secure.
+      </para>
+      <para>
+        Port forwarding can also be used to get information securely through network firewalls. If the firewall is configured to allow SSH traffic via its standard port (22) but blocks access to other ports, a connection between two hosts using the blocked ports is still possible by redirecting their communication over an established SSH connection.
+      </para>
       <note>
         <title>Note</title>
-        <para>Using port forwarding to forward connections in this manner allows any user on the client system to connect to that service. If the client system becomes compromised, the attacker also has access to forwarded services.</para>
-        <para>System administrators concerned about port forwarding can disable this functionality on the server by specifying a <command>No</command> parameter for the <command>AllowTcpForwarding</command> line in <filename>/etc/ssh/sshd_config</filename> and restarting the <command>sshd</command> service.</para>
+        <para>
+          Using port forwarding to forward connections in this manner allows any user on the client system to connect to that service. If the client system becomes compromised, the attacker also has access to forwarded services.
+        </para>
+        <para>
+          System administrators concerned about port forwarding can disable this functionality on the server by specifying a <command>No</command> parameter for the <command>AllowTcpForwarding</command> line in <filename>/etc/ssh/sshd_config</filename> and restarting the <command>sshd</command> service.
+        </para>
       </note>
     </section>
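Review bot: The closing note of this section still marks up a directive and its value as commands in the re-wrapped paragraph (`<command>No</command>`, `<command>AllowTcpForwarding</command>`), and the host names `mail.example.com` and `other.example.com` are wrapped in `<command>` throughout. Since the commit message gives consistent output as the goal, `<option>` or `<literal>` for the directive and value and `<systemitem>` for the hosts would describe them correctly. The value is also capitalized as `No`, while sshd_config(5) writes it `no`; matching the man page means readers copy the documented form.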
-    <section
-      id="s2-openssh-generate-keypairs">
+    <section id="s2-openssh-generate-keypairs">
       <title>Generating Key Pairs</title>
-      <indexterm
-        significance="normal">
+      <indexterm>
         <primary>OpenSSH</primary>
         <secondary>generating key pairs</secondary>
       </indexterm>
-      <para>If you do not want to enter your password every time you use <command>ssh</command>, <command>scp</command>, or <command>sftp</command> to connect to a remote machine, you can generate an authorization key pair.</para>
-      <para>Keys must be generated for each user. To generate keys for a user, use the following steps as the user who wants to connect to remote machines. If you complete the steps as root, only root will be able to use the keys.</para>
-      <para>Starting with OpenSSH version 3.0, <filename>~/.ssh/authorized_keys2</filename>, <filename>~/.ssh/known_hosts2</filename>, and <filename>/etc/ssh_known_hosts2</filename> are obsolete. SSH Protocol 1 and 2 share the <filename>~/.ssh/authorized_keys</filename>, <filename>~/.ssh/known_hosts</filename>, and <filename>/etc/ssh/ssh_known_hosts</filename> files.</para>
-      <para>&MAJOROSVER; uses SSH Protocol 2 and RSA keys by default.</para>
+      <para>
+        If you do not want to enter your password every time you use <command>ssh</command>, <command>scp</command>, or <command>sftp</command> to connect to a remote machine, you can generate an authorization key pair.
+      </para>
+      <para>
+        Keys must be generated for each user. To generate keys for a user, use the following steps as the user who wants to connect to remote machines. If you complete the steps as root, only root will be able to use the keys.
+      </para>
+      <para>
+        Starting with OpenSSH version 3.0, <filename>~/.ssh/authorized_keys2</filename>, <filename>~/.ssh/known_hosts2</filename>, and <filename>/etc/ssh_known_hosts2</filename> are obsolete. SSH Protocol 1 and 2 share the <filename>~/.ssh/authorized_keys</filename>, <filename>~/.ssh/known_hosts</filename>, and <filename>/etc/ssh/ssh_known_hosts</filename> files.
+      </para>
+      <para>
+        &MAJOROSVER; uses SSH Protocol 2 and RSA keys by default.
+      </para>
       <note>
         <title>Tip</title>
-        <para>If you reinstall and want to save your generated key pair, backup the <filename>.ssh</filename> directory in your home directory. After reinstalling, copy this directory back to your home directory. This process can be done for all users on your system, including root.</para>
+        <para>
+          If you reinstall and want to save your generated key pair, backup the <filename>.ssh</filename> directory in your home directory. After reinstalling, copy this directory back to your home directory. This process can be done for all users on your system, including root.
+        </para>
       </note>
-      <section
-        id="s3-openssh-rsa-keys-v2">
+      <section id="s3-openssh-rsa-keys-v2">
         <title>Generating an RSA Key Pair for Version 2</title>
-        <indexterm
-          significance="normal">
+        <indexterm>
           <primary>RSA keys</primary>
           <secondary>generating</secondary>
         </indexterm>
-        <indexterm
-          significance="normal">
+        <indexterm>
           <primary>OpenSSH</primary>
           <secondary>RSA keys</secondary>
           <tertiary>generating</tertiary>
         </indexterm>
-        <para>Use the following steps to generate an RSA key pair for version 2 of the SSH protocol. This is the default starting with OpenSSH 2.9.</para>
-        <indexterm
-          significance="normal">
+        <para>
+          Use the following steps to generate an RSA key pair for version 2 of the SSH protocol. This is the default starting with OpenSSH 2.9.
+        </para>
+        <indexterm>
           <primary>OpenSSH</primary>
           <secondary>ssh-keygen</secondary>
           <tertiary>RSA</tertiary>
         </indexterm>
-        <orderedlist
-          continuation="restarts"
-          inheritnum="ignore">
+        <orderedlist continuation="restarts" inheritnum="ignore">
           <listitem>
-            <para>To generate an RSA key pair to work with version 2 of the protocol, type the following command at a shell prompt:</para>
-            <screen>
-ssh-keygen -t rsa
-</screen>
-            <para>Accept the default file location of <filename>~/.ssh/id_rsa</filename>. Enter a passphrase different from your account password and confirm it by entering it again.</para>
-            <para>The public key is written to <filename>~/.ssh/id_rsa.pub</filename>. The private key is written to <filename>~/.ssh/id_rsa</filename>. Never distribute your private key to anyone.</para>
+            <para>
+              To generate an RSA key pair to work with version 2 of the protocol, type the following command at a shell prompt:
+            </para>
+            <screen>ssh-keygen -t rsa</screen>
+            <para>
+              Accept the default file location of <filename>~/.ssh/id_rsa</filename>. Enter a passphrase different from your account password and confirm it by entering it again.
+            </para>
+            <para>
+              The public key is written to <filename>~/.ssh/id_rsa.pub</filename>. The private key is written to <filename>~/.ssh/id_rsa</filename>. Never distribute your private key to anyone.
+            </para>
           </listitem>
           <listitem>
-            <para>Change the permissions of the <filename>.ssh</filename> directory using the following command:</para>
-            <screen>
-chmod 755 ~/.ssh
-</screen>
+            <para>
+              Change the permissions of the <filename>.ssh</filename> directory using the following command:
+            </para>
+            <screen>chmod 755 ~/.ssh</screen>
           </listitem>
           <listitem>
-            <para>Copy the contents of <filename>~/.ssh/id_rsa.pub</filename> into the file <filename>~/.ssh/authorized_keys</filename> on the machine to which you want to connect. If the file <filename>~/.ssh/authorized_keys</filename> exist, append the contents of the file <filename>~/.ssh/id_rsa.pub</filename> to the file <filename>~/.ssh/authorized_keys</filename> on the other machine.</para>
+            <para>
+              Copy the contents of <filename>~/.ssh/id_rsa.pub</filename> into the file <filename>~/.ssh/authorized_keys</filename> on the machine to which you want to connect. If the file <filename>~/.ssh/authorized_keys</filename> exist, append the contents of the file <filename>~/.ssh/id_rsa.pub</filename> to the file <filename>~/.ssh/authorized_keys</filename> on the other machine.
+            </para>
           </listitem>
           <listitem>
-            <para>Change the permissions of the <filename>authorized_keys</filename> file using the following command:</para>
-            <screen>
-chmod 644 ~/.ssh/authorized_keys
-</screen>
+            <para>
+              Change the permissions of the <filename>authorized_keys</filename> file using the following command:
+            </para>
+            <screen>chmod 644 ~/.ssh/authorized_keys</screen>
           </listitem>
           <listitem>
-            <para>If you are running GNOME or are running in a graphical desktop with GTK2+ libraries installed, skip to <xref
-                linkend="s3-openssh-ssh-agent-with-gnome"/>. If you are not running the X Window System, skip to <xref
-                linkend="s3-openssh-config-ssh-agent"/>.</para>
+            <para>
+              If you are running GNOME or are running in a graphical desktop with GTK2+ libraries installed, skip to <xref linkend="s3-openssh-ssh-agent-with-gnome" />. If you are not running the X Window System, skip to <xref linkend="s3-openssh-config-ssh-agent" />.
+            </para>
           </listitem>
         </orderedlist>
       </section>
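Review bot: The second and fourth steps of this list carry `chmod 755 ~/.ssh` and `chmod 644 ~/.ssh/authorized_keys` over unchanged, which leaves the directory and the list of authorized keys readable by every local account. The procedure only needs owner access, so a follow-up should change these to 700 and 600 here and in the DSA and RSA version 1 lists that repeat them. In the third step, "If the file ~/.ssh/authorized_keys exist" should read "exists", and the sentence largely repeats the one before it, so the two could be merged into one instruction to append the public key.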
-      <section
-        id="s3-openssh-dsa-key">
+      <section id="s3-openssh-dsa-key">
         <title>Generating a DSA Key Pair for Version 2</title>
-        <indexterm
-          significance="normal">
+        <indexterm>
           <primary>DSA keys</primary>
           <secondary>generating</secondary>
         </indexterm>
-        <indexterm
-          significance="normal">
+        <indexterm>
           <primary>OpenSSH</primary>
           <secondary>DSA keys</secondary>
           <tertiary>generating</tertiary>
         </indexterm>
-        <para>Use the following steps to generate a DSA key pair for version 2 of the SSH Protocol.</para>
-        <indexterm
-          significance="normal">
+        <para>
+          Use the following steps to generate a DSA key pair for version 2 of the SSH Protocol.
+        </para>
+        <indexterm>
           <primary>OpenSSH</primary>
           <secondary>ssh-keygen</secondary>
           <tertiary>DSA</tertiary>
         </indexterm>
-        <orderedlist
-          continuation="restarts"
-          inheritnum="ignore">
+        <orderedlist continuation="restarts" inheritnum="ignore">
           <listitem>
-            <para>To generate a DSA key pair to work with version 2 of the protocol, type the following command at a shell prompt:</para>
-            <screen>
-ssh-keygen -t dsa
-</screen>
-            <para>Accept the default file location of <filename>~/.ssh/id_dsa</filename>. Enter a passphrase different from your account password and confirm it by entering it again.</para>
+            <para>
+              To generate a DSA key pair to work with version 2 of the protocol, type the following command at a shell prompt:
+            </para>
+            <screen>ssh-keygen -t dsa</screen>
+            <para>
+              Accept the default file location of <filename>~/.ssh/id_dsa</filename>. Enter a passphrase different from your account password and confirm it by entering it again.
+            </para>
             <note>
               <title>Tip</title>
-              <para>A passphrase is a string of words and characters used to authenticate a user. Passphrases differ from passwords in that you can use spaces or tabs in the passphrase. Passphrases are generally longer than passwords because they are usually phrases instead of a single word.</para>
+              <para>
+                A passphrase is a string of words and characters used to authenticate a user. Passphrases differ from passwords in that you can use spaces or tabs in the passphrase. Passphrases are generally longer than passwords because they are usually phrases instead of a single word.
+              </para>
             </note>
-            <para>The public key is written to <filename>~/.ssh/id_dsa.pub</filename>. The private key is written to <filename>~/.ssh/id_dsa</filename>. It is important never to give anyone the private key.</para>
+            <para>
+              The public key is written to <filename>~/.ssh/id_dsa.pub</filename>. The private key is written to <filename>~/.ssh/id_dsa</filename>. It is important never to give anyone the private key.
+            </para>
           </listitem>
           <listitem>
-            <para>Change the permissions of the <filename>.ssh</filename> directory with the following command:</para>
-            <screen>
-chmod 755 ~/.ssh
-</screen>
+            <para>
+              Change the permissions of the <filename>.ssh</filename> directory with the following command:
+            </para>
+            <screen>chmod 755 ~/.ssh</screen>
           </listitem>
           <listitem>
-            <para>Copy the contents of <filename>~/.ssh/id_dsa.pub</filename> into the file <filename>~/.ssh/authorized_keys</filename> on the machine to which you want to connect. If the file <filename>~/.ssh/authorized_keys</filename> exist, append the contents of the file <filename>~/.ssh/id_dsa.pub</filename> to the file <filename>~/.ssh/authorized_keys</filename> on the other machine.</para>
+            <para>
+              Copy the contents of <filename>~/.ssh/id_dsa.pub</filename> into the file <filename>~/.ssh/authorized_keys</filename> on the machine to which you want to connect. If the file <filename>~/.ssh/authorized_keys</filename> exist, append the contents of the file <filename>~/.ssh/id_dsa.pub</filename> to the file <filename>~/.ssh/authorized_keys</filename> on the other machine.
+            </para>
           </listitem>
           <listitem>
-            <para>Change the permissions of the <filename>authorized_keys</filename> file using the following command:</para>
-            <screen>
-chmod 644 ~/.ssh/authorized_keys
-</screen>
+            <para>
+              Change the permissions of the <filename>authorized_keys</filename> file using the following command:
+            </para>
+            <screen>chmod 644 ~/.ssh/authorized_keys</screen>
           </listitem>
           <listitem>
-            <para>If you are running GNOME or a graphical desktop environment with the GTK2+ libraries installed, skip to <xref
-                linkend="s3-openssh-ssh-agent-with-gnome"/>. If you are not running the X Window System, skip to <xref
-                linkend="s3-openssh-config-ssh-agent"/>.</para>
+            <para>
+              If you are running GNOME or a graphical desktop environment with the GTK2+ libraries installed, skip to <xref linkend="s3-openssh-ssh-agent-with-gnome" />. If you are not running the X Window System, skip to <xref linkend="s3-openssh-config-ssh-agent" />.
+            </para>
           </listitem>
         </orderedlist>
       </section>
-      <section
-        id="s3-openssh-rsa-keys-v1">
+      <section id="s3-openssh-rsa-keys-v1">
         <title>Generating an RSA Key Pair for Version 1.3 and 1.5</title>
-        <indexterm
-          significance="normal">
+        <indexterm>
           <primary>RSA Version 1 keys</primary>
           <secondary>generating</secondary>
         </indexterm>
-        <indexterm
-          significance="normal">
+        <indexterm>
           <primary>OpenSSH</primary>
           <secondary>RSA Version 1 keys</secondary>
           <tertiary>generating</tertiary>
         </indexterm>
-        <para>Use the following steps to generate an RSA key pair, which is used by version 1 of the SSH Protocol. If you are only connecting between systems that use DSA, you do not need an RSA version 1.3 or RSA version 1.5 key pair.</para>
-        <indexterm
-          significance="normal">
+        <para>
+          Use the following steps to generate an RSA key pair, which is used by version 1 of the SSH Protocol. If you are only connecting between systems that use DSA, you do not need an RSA version 1.3 or RSA version 1.5 key pair.
+        </para>
+        <indexterm>
           <primary>OpenSSH</primary>
           <secondary>ssh-keygen</secondary>
           <tertiary>RSA Version 1</tertiary>
         </indexterm>
-        <orderedlist
-          continuation="restarts"
-          inheritnum="ignore">
+        <orderedlist continuation="restarts" inheritnum="ignore">
           <listitem>
-            <para>To generate an RSA (for version 1.3 and 1.5 protocol) key pair, type the following command at a shell prompt:</para>
-            <screen>
-ssh-keygen -t rsa1
-</screen>
-            <para>Accept the default file location (<filename>~/.ssh/identity</filename>). Enter a passphrase different from your account password. Confirm the passphrase by entering it again.</para>
-            <para>The public key is written to <filename>~/.ssh/identity.pub</filename>. The private key is written to <filename>~/.ssh/identity</filename>. Do not give anyone the private key.</para>
+            <para>
+              To generate an RSA (for version 1.3 and 1.5 protocol) key pair, type the following command at a shell prompt:
+            </para>
+            <screen>ssh-keygen -t rsa1</screen>
+            <para>
+              Accept the default file location (<filename>~/.ssh/identity</filename>). Enter a passphrase different from your account password. Confirm the passphrase by entering it again.
+            </para>
+            <para>
+              The public key is written to <filename>~/.ssh/identity.pub</filename>. The private key is written to <filename>~/.ssh/identity</filename>. Do not give anyone the private key.
+            </para>
           </listitem>
           <listitem>
-            <para>Change the permissions of your <filename>.ssh</filename> directory and your key with the commands <command>chmod 755 ~/.ssh</command> and <command>chmod 644 ~/.ssh/identity.pub</command>.</para>
+            <para>
+              Change the permissions of your <filename>.ssh</filename> directory and your key with the commands <command>chmod 755 ~/.ssh</command> and <command>chmod 644 ~/.ssh/identity.pub</command>.
+            </para>
           </listitem>
           <listitem>
-            <para>Copy the contents of <filename>~/.ssh/identity.pub</filename> into the file <filename>~/.ssh/authorized_keys</filename> on the machine to which you wish to connect. If the file <filename>~/.ssh/authorized_keys</filename> does not exist, you can copy the file <filename>~/.ssh/identity.pub</filename> to the file <filename>~/.ssh/authorized_keys</filename> on the remote machine.</para>
+            <para>
+              Copy the contents of <filename>~/.ssh/identity.pub</filename> into the file <filename>~/.ssh/authorized_keys</filename> on the machine to which you wish to connect. If the file <filename>~/.ssh/authorized_keys</filename> does not exist, you can copy the file <filename>~/.ssh/identity.pub</filename> to the file <filename>~/.ssh/authorized_keys</filename> on the remote machine.
+            </para>
           </listitem>
           <listitem>
-            <para>If you are running GNOME, skip to <xref
-                linkend="s3-openssh-ssh-agent-with-gnome"/>. If you are not running GNOME, skip to <xref
-                linkend="s3-openssh-config-ssh-agent"/>.</para>
+            <para>
+              If you are running GNOME, skip to <xref linkend="s3-openssh-ssh-agent-with-gnome" />. If you are not running GNOME, skip to <xref linkend="s3-openssh-config-ssh-agent" />.
+            </para>
           </listitem>
         </orderedlist>
       </section>
-      <section
-        id="s3-openssh-ssh-agent-with-gnome">
+      <section id="s3-openssh-ssh-agent-with-gnome">
         <title>Configuring <command>ssh-agent</command> with a GUI</title>
-        <indexterm
-          significance="normal">
+        <indexterm>
           <primary>OpenSSH</primary>
           <secondary>
             <command>ssh-agent</command>
           </secondary>
           <tertiary>with GNOME</tertiary>
         </indexterm>
-        <indexterm
-          significance="normal">
+        <indexterm>
           <primary>
             <command>ssh-agent</command>
           </primary>
           <secondary>with GNOME</secondary>
         </indexterm>
-        <para>The <command>ssh-agent</command> utility can be used to save your passphrase so that you do not have to enter it each time you initiate an <command>ssh</command> or <command>scp</command> connection. If you are using GNOME, the <command>gnome-ssh-askpass</command> package contains the application used to prompt you for your passphrase when you log in to GNOME and save it until you log out of GNOME. You will not have to enter your password or passphrase for any <command>ssh</command> or <command>scp</command> connection made during that GNOME session. If you are not using GNOME, refer to <xref
-            linkend="s3-openssh-config-ssh-agent"/>.</para>
-        <para>To save your passphrase during your GNOME session, follow the following steps:</para>
-        <orderedlist
-          continuation="restarts"
-          inheritnum="ignore">
+        <para>
+          The <command>ssh-agent</command> utility can be used to save your passphrase so that you do not have to enter it each time you initiate an <command>ssh</command> or <command>scp</command> connection. If you are using GNOME, the <command>gnome-ssh-askpass</command> package contains the application used to prompt you for your passphrase when you log in to GNOME and save it until you log out of GNOME. You will not have to enter your password or passphrase for any <command>ssh</command> or <command>scp</command> connection made during that GNOME session. If you are not using GNOME, refer to <xref linkend="s3-openssh-config-ssh-agent" />.
+        </para>
+        <para>
+          To save your passphrase during your GNOME session, follow the following steps:
+        </para>
+        <orderedlist continuation="restarts" inheritnum="ignore">
           <listitem>
-            <para>You will need to have the package <filename>gnome-ssh-askpass</filename> installed; you can use the command <command>rpm -q openssh-askpass</command> to determine if it is installed or not. If it is not installed, install it from your &MAJOROS; CD-ROM set, from a Red Hat FTP mirror site, or using Red Hat Network.</para>
+            <para>
+              You will need to have the package <filename>gnome-ssh-askpass</filename> installed; you can use the command <command>rpm -q openssh-askpass</command> to determine if it is installed or not. If it is not installed, install it from your &MAJOROS; CD-ROM set, from a Red Hat FTP mirror site, or using Red Hat Network.
+            </para>
           </listitem>
           <listitem>
-            <para>Select <guimenu>Main Menu Button</guimenu> (on the Panel) &gt; <guimenuitem>Preferences</guimenuitem> &gt; <guimenuitem>More Preferences</guimenuitem> &gt; <guilabel>Sessions</guilabel>, and click on the <guilabel>Startup Programs</guilabel> tab. Click <guibutton>Add</guibutton> and enter <userinput>/usr/bin/ssh-add</userinput> in the <guilabel>Startup Command</guilabel> text area. Set it a priority to a number higher than any existing commands to ensure that it is executed last. A good priority number for <command>ssh-add</command> is 70 or higher. The higher the priority number, the lower the priority. If you have other programs listed, this one should have the lowest priority. Click <guibutton>Close</guibutton> to exit the program.</para>
+            <para>
+              Select <guimenu>Main Menu Button</guimenu> (on the Panel) &gt; <guimenuitem>Preferences</guimenuitem> &gt; <guimenuitem>More Preferences</guimenuitem> &gt; <guilabel>Sessions</guilabel>, and click on the <guilabel>Startup Programs</guilabel> tab. Click <guibutton>Add</guibutton> and enter <userinput>/usr/bin/ssh-add</userinput> in the <guilabel>Startup Command</guilabel> text area. Set it a priority to a number higher than any existing commands to ensure that it is executed last. A good priority number for <command>ssh-add</command> is 70 or higher. The higher the priority number, the lower the priority. If you have other programs listed, this one should have the lowest priority. Click <guibutton>Close</guibutton> to exit the program.
+            </para>
           </listitem>
           <listitem>
-            <para>Log out and then log back into GNOME; in other words, restart X. After GNOME is started, a dialog box will appear prompting you for your passphrase(s). Enter the passphrase requested. If you have both DSA and RSA key pairs configured, you will be prompted for both. From this point on, you should not be prompted for a password by <command>ssh</command>, <command>scp</command>, or <command>sftp</command>.</para>
+            <para>
+              Log out and then log back into GNOME; in other words, restart X. After GNOME is started, a dialog box will appear prompting you for your passphrase(s). Enter the passphrase requested. If you have both DSA and RSA key pairs configured, you will be prompted for both. From this point on, you should not be prompted for a password by <command>ssh</command>, <command>scp</command>, or <command>sftp</command>.
+            </para>
           </listitem>
         </orderedlist>
       </section>
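Review bot: The first step of this list names the required package as `gnome-ssh-askpass` but tells the reader to check for it with `rpm -q openssh-askpass`; the two names need to agree, otherwise the query reports on a different package than the one the text asks for. The package name is also tagged `<filename>`, where `<package>` is the matching DocBook element. In the second step, "Set it a priority to a number higher than" should read "Set its priority to a number higher than".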
-      <section
-        id="s3-openssh-config-ssh-agent">
-        <title>Configuring <command>ssh-agent</command>
-        </title>
-        <indexterm
-          significance="normal">
+      <section id="s3-openssh-config-ssh-agent">
+        <title>Configuring <command>ssh-agent</command></title>
+        <indexterm>
           <primary>OpenSSH</primary>
           <secondary>
             <command>ssh-agent</command>
           </secondary>
         </indexterm>
-        <indexterm
-          significance="normal">
+        <indexterm>
           <primary>
             <command>ssh-agent</command>
           </primary>
         </indexterm>
-        <para>The <command>ssh-agent</command> can be used to store your passphrase so that you do not have to enter it each time you make a <command>ssh</command> or <command>scp</command> connection. If you are not running the X Window System, follow these steps from a shell prompt. If you are running GNOME but you do not want to configure it to prompt you for your passphrase when you log in (refer to <xref
-            linkend="s3-openssh-ssh-agent-with-gnome"/>), this procedure will work in a terminal window, such as an XTerm. If you are running X but not GNOME, this procedure will work in a terminal window. However, your passphrase will only be remembered for that terminal window; it is not a global setting.</para>
-        <indexterm
-          significance="normal">
+        <para>
+          The <command>ssh-agent</command> can be used to store your passphrase so that you do not have to enter it each time you make a <command>ssh</command> or <command>scp</command> connection. If you are not running the X Window System, follow these steps from a shell prompt. If you are running GNOME but you do not want to configure it to prompt you for your passphrase when you log in (refer to <xref linkend="s3-openssh-ssh-agent-with-gnome" />), this procedure will work in a terminal window, such as an XTerm. If you are running X but not GNOME, this procedure will work in a terminal window. However, your passphrase will only be remembered for that terminal window; it is not a global setting.
+        </para>
+        <indexterm>
           <primary>OpenSSH</primary>
           <secondary>
             <command>ssh-add</command>
           </secondary>
         </indexterm>
-        <indexterm
-          significance="normal">
+        <indexterm>
           <primary>
             <command>ssh-add</command>
           </primary>
         </indexterm>
-        <orderedlist
-          continuation="restarts"
-          inheritnum="ignore">
-          <listitem
-            id="nox">
-            <para>At a shell prompt, type the following command:</para>
-            <screen>
-exec /usr/bin/ssh-agent $SHELL
-</screen>
+        <orderedlist continuation="restarts" inheritnum="ignore">
+          <listitem id="nox">
+            <para>
+              At a shell prompt, type the following command:
+            </para>
+            <screen>exec /usr/bin/ssh-agent $SHELL</screen>
           </listitem>
           <listitem>
-            <para>Then type the command:</para>
-            <screen>
-ssh-add
-</screen>
-            <para>and enter your passphrase(s). If you have more than one key pair configured, you will be prompted for each one.</para>
+            <para>
+              Then type the command:
+            </para>
+            <screen>ssh-add</screen>
+            <para>
+              and enter your passphrase(s). If you have more than one key pair configured, you will be prompted for each one.
+            </para>
           </listitem>
           <listitem>
-            <para>When you log out, your passphrase(s) will be forgotten. You must execute these two commands each time you log in to a virtual console or open a terminal window.</para>
+            <para>
+              When you log out, your passphrase(s) will be forgotten. You must execute these two commands each time you log in to a virtual console or open a terminal window.
+            </para>
           </listitem>
         </orderedlist>
       </section>
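Review bot: In the second step of this list the sentence is split around the screen: "Then type the command:", `<screen>ssh-add</screen>`, then a separate `<para>` that opens in lower case with "and enter your passphrase(s)". With each paragraph now on its own lines this renders as a paragraph starting mid-sentence, so the trailing paragraph should be rewritten as a full sentence, for example "Enter your passphrase(s) when prompted." The third `<listitem>` is not an action but a caveat about the passphrase being forgotten at logout; it would read better as a `<para>` or `<note>` after the `<orderedlist>`.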
     </section>
   </section>
-  <section
-    id="s1-openssh-additional-resources">
+  <section id="s1-openssh-additional-resources">
     <title>Additional Resources</title>
-    <indexterm
-      significance="normal">
+    <indexterm>
       <primary>OpenSSH</primary>
       <secondary>additional resources</secondary>
     </indexterm>
-    <indexterm
-      significance="normal">
+    <indexterm>
       <primary>OpenSSL</primary>
       <secondary>additional resources</secondary>
     </indexterm>
-    <para>The OpenSSH and OpenSSL projects are in constant development, and the most up-to-date information for them is available from their websites. The man pages for OpenSSH and OpenSSL tools are also good sources of detailed information.</para>
-    <section
-      id="s2-openssh-installed-docs">
+    <para>
+      The OpenSSH and OpenSSL projects are in constant development, and the most up-to-date information for them is available from their websites. The man pages for OpenSSH and OpenSSL tools are also good sources of detailed information.
+    </para>
+    <section id="s2-openssh-installed-docs">
       <title>Installed Documentation</title>
       <itemizedlist>
         <listitem>
-          <para>The <command>ssh</command>, <command>scp</command>, <command>sftp</command>, <command>sshd</command>, and <command>ssh-keygen</command> man pages — These man pages include information on how to use these commands as well as all the parameters that can be used with them.</para>
+          <para>
+            The <command>ssh</command>, <command>scp</command>, <command>sftp</command>, <command>sshd</command>, and <command>ssh-keygen</command> man pages — These man pages include information on how to use these commands as well as all the parameters that can be used with them.
+          </para>
         </listitem>
       </itemizedlist>
     </section>
-    <section
-      id="s2-openssh-useful-websites">
+    <section id="s2-openssh-useful-websites">
       <title>Useful Websites</title>
       <itemizedlist>
         <listitem>
           <para>
-            <ulink
-              url="http://www.openssh.com/">http://www.openssh.com/</ulink> — The OpenSSH FAQ page, bug reports, mailing lists, project goals, and a more technical explanation of the security features.</para>
+            <ulink url="http://www.openssh.com/">http://www.openssh.com/</ulink> — The OpenSSH FAQ page, bug reports, mailing lists, project goals, and a more technical explanation of the security features.
+          </para>
         </listitem>
         <listitem>
           <para>
-            <ulink
-              url="http://www.openssl.org/">http://www.openssl.org/</ulink> — The OpenSSL FAQ page, mailing lists, and a description of the project goal.</para>
+            <ulink url="http://www.openssl.org/">http://www.openssl.org/</ulink> — The OpenSSL FAQ page, mailing lists, and a description of the project goal.
+          </para>
         </listitem>
         <listitem>
           <para>
-            <ulink
-              url="http://www.freessh.org/">http://www.freesshd.com/</ulink> — SSH client software for other platforms.</para>
+            <ulink url="http://www.freessh.org/">http://www.freesshd.com/</ulink> — SSH client software for other platforms.
+          </para>
         </listitem>
       </itemizedlist>
     </section>
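Review bot: In the last item of the Useful Websites list, the reformatted ulink still carries url="http://www.freessh.org/" while its visible text reads http://www.freesshd.com/, so a reader sees one host and is sent to another. Carrying the mismatch over is consistent with a formatting-only commit, but since the line is being rewritten anyway, make the attribute and the link text agree, here or in a follow-up, after confirming which site the "SSH client software for other platforms" description is meant to point to.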

