SSH, the Secure Shell
The Definitive Guide
Daniel J. Barrett and Richard E. Silverman
Beijing• Cambridge• Farnham• Köln• Paris• Sebastopol• Taipei• Tokyo
SSH, the Secure Shell: The Definitive Guide
by Daniel J. Barrett and Richard E. Silverman
Copyright © 2001 O’Reilly & Associates, Inc. All rights reserved.
Printed in the United States of America.
Published by O’Reilly & Associates, Inc., 101 Morris Street, Sebastopol, CA 95472.
Editor: Mike Loukides
Production Editor: Mary Anne Weeks Mayo
Cover Designer: Ellie Volckhausen
Printing History:
February 2001: First Edition.
Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly & Associates, Inc. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly & Associates, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps. The association between the image of a land snail and the topic of SSH is a trademark of O’Reilly & Associates, Inc.
While every precaution has been taken in the preparation of this book, the publisher assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
ISBN: 0-596-00011-1 [3/01]
Table of Contents
Preface ..................................................................................................................... ix
1. Introduction to SSH .................................................................................. 1
1.1. What Is SSH? ............................................................................................. 2
1.2. What SSH Is Not ....................................................................................... 2
1.3. The SSH Protocol ..................................................................................... 4
1.4. Overview of SSH Features ....................................................................... 5
1.5. History of SSH ........................................................................................ 10
1.6. Related Technologies ............................................................................. 12
1.7. Summary ................................................................................................. 18
2. Basic Client Use ....................................................................................... 19
2.1. A Running Example ............................................................................... 19
2.2. Remote Terminal Sessions with ssh ...................................................... 20
2.3. Adding Complexity to the Example ...................................................... 22
2.4. Authentication by Cryptographic Key ................................................... 26
2.5. The SSH Agent ....................................................................................... 32
2.6. Connecting Without a Password or Passphrase ................................... 37
2.7. Miscellaneous Clients ............................................................................. 38
2.8. Summary ................................................................................................. 40
3. Inside SSH .................................................................................................. 41
3.1. Overview of Features ............................................................................. 42
3.2. A Cryptography Primer .......................................................................... 45
3.3. The Architecture of an SSH System ....................................................... 49
3.4. Inside SSH-1 ........................................................................................... 52
3.5. Inside SSH-2 ........................................................................................... 72
3.6. As-User Access (userfile) ....................................................................... 85
3.7. Randomness ............................................................................................ 86
3.8. SSH and File Transfers (scp and sftp) ................................................... 88
3.9. Algorithms Used by SSH ........................................................................ 91
3.10. Threats SSH Can Counter ................................................................... 100
3.11. Threats SSH Doesn’t Prevent ............................................................. 103
3.12. Summary ............................................................................................. 107
4. Installation and Compile-Time Configuration ......................... 108
4.1. SSH1 and SSH2 ..................................................................................... 108
4.2. F-Secure SSH Server ............................................................................. 129
4.3. OpenSSH ............................................................................................... 130
4.4. Software Inventory ............................................................................... 134
4.5. Replacing R-Commands with SSH ....................................................... 135
4.6. Summary ............................................................................................... 138
5. Serverwide Configuration ................................................................. 139
5.1. The Name of the Server ....................................................................... 140
5.2. Running the Server ............................................................................... 141
5.3. Server Configuration: An Overview .................................................... 143
5.4. Getting Ready: Initial Setup ................................................................. 148
5.5. Letting People in: Authentication and Access Control ....................... 166
5.6. User Logins and Accounts ................................................................... 187
5.7. Subsystems ............................................................................................ 190
5.8. History, Logging, and Debugging ....................................................... 192
5.9. Compatibility Between SSH-1 and SSH-2 Servers .............................. 201
5.10. Summary ............................................................................................. 203
6. Key Management and Agents .......................................................... 204
6.1. What Is an Identity? .............................................................................. 205
6.2. Creating an Identity .............................................................................. 209
6.3. SSH Agents ........................................................................................... 216
6.4. Multiple Identities ................................................................................. 235
6.5. Summary ............................................................................................... 238
7. Advanced Client Use ............................................................................ 240
7.1. How to Configure Clients .................................................................... 240
7.2. Precedence ........................................................................................... 250
7.3. Introduction to Verbose Mode ............................................................ 251
7.4. Client Configuration in Depth ............................................................. 252
7.5. Secure Copy with scp .......................................................................... 284
7.6. Summary ............................................................................................... 292
8. Per-Account Server Configuration .................................................. 293
8.1. Limits of This Technique ..................................................................... 294
8.2. Public Key-Based Configuration .......................................................... 295
8.3. Trusted-Host Access Control ............................................................... 313
8.4. The User rc File .................................................................................... 315
8.5. Summary ............................................................................................... 315
9. Port Forwarding and X Forwarding ............................................. 316
9.1. What Is Forwarding? ............................................................................ 317
9.2. Port Forwarding .................................................................................... 318
9.3. X Forwarding ........................................................................................ 340
9.4. Forwarding Security: TCP-wrappers and libwrap .............................. 353
9.5. Summary ............................................................................................... 359
10. A Recommended Setup ....................................................................... 360
10.1. The Basics ........................................................................................... 360
10.2. Compile-Time Configuration ............................................................. 361
10.3. Serverwide Configuration .................................................................. 362
10.4. Per-Account Configuration ................................................................. 366
10.5. Key Management ................................................................................ 367
10.6. Client Configuration ........................................................................... 367
10.7. Remote Home Directories (NFS, AFS) ............................................... 368
10.8. Summary ............................................................................................. 371
11. Case Studies ............................................................................................ 372
11.1. Unattended SSH: Batch or cron Jobs ................................................ 372
11.2. FTP Forwarding .................................................................................. 379
11.3. Pine, IMAP, and SSH .......................................................................... 400
11.4. Kerberos and SSH .............................................................................. 408
11.5. Connecting Through a GatewayHost ................................................ 428
12. Troubleshooting and FAQ .................................................................. 437
12.1. Debug Messages: Your First Line of Defense ................................... 437
12.2. Problems and Solutions ..................................................................... 440
12.3. Other SSH Resources ......................................................................... 459
12.4. Reporting Bugs ................................................................................... 460
13. Overview of Other Implementations ............................................ 461
13.1. Common Features .............................................................................. 461
13.2. Covered Products ............................................................................... 462
13.3. Table of Products ............................................................................... 462
13.4. Other SSH-Related Products .............................................................. 470
14. SSH1 Port by Sergey Okhapkin (Windows) ................................ 471
14.1. Obtaining and Installing Clients ........................................................ 471
14.2. Client Use ............................................................................................ 475
14.3. Obtaining and Installing the Server ................................................... 476
14.4. Troubleshooting ................................................................................. 478
14.5. Summary ............................................................................................. 479
15. SecureCRT (Windows) ......................................................................... 480
15.1. Obtaining and Installing .................................................................... 480
15.2. Basic Client Use .................................................................................. 481
15.3. Key Management ................................................................................ 482
15.4. Advanced Client Use .......................................................................... 483
15.5. Forwarding .......................................................................................... 484
15.6. Troubleshooting ................................................................................. 486
15.7. Summary ............................................................................................. 487
16. F-Secure SSH Client (Windows, Macintosh) ................................ 488
16.1. Obtaining and Installing .................................................................... 488
16.2. Basic Client Use .................................................................................. 489
16.3. Key Management ................................................................................ 490
16.4. Advanced Client Use .......................................................................... 491
16.5. Forwarding .......................................................................................... 493
16.6. Troubleshooting ................................................................................. 495
16.7. Summary ............................................................................................. 497
17. NiftyTelnet SSH (Macintosh) ............................................................ 498
17.1. Obtaining and Installing .................................................................... 498
17.2. Basic Client Use .................................................................................. 499
17.3. Troubleshooting ................................................................................. 501
17.4. Summary ............................................................................................. 502
A. SSH2 Manpage for sshregex .............................................................. 503
B. SSH Quick Reference ............................................................................ 506
Index .................................................................................................................... 521
Preface
Privacy is a basic human right, but on today’s computer networks, privacy isn’t guaranteed. Much of the data that travels on the Internet or local networks is transmitted as plain text, and may be captured and viewed by anybody with a little technical know-how. The email you send, the files you transmit between computers, even the passwords you type may be readable by others. Imagine the damage that can be done if an untrusted third party—a competitor, the CIA, your in-laws—intercepted your most sensitive communications in transit.
Network security is big business as companies scramble to protect their information assets behind firewalls, establish virtual private networks (VPNs), and encrypt files and transmissions. But hidden away from all the bustle, there is a small, unassuming, yet robust solution many big companies have missed. It’s reliable, reasonably easy to use, cheap, and available for most of today’s operating systems.
It’s SSH, the Secure Shell.
Protect Your Network with SSH
SSH is a low-cost, software-based solution for keeping prying eyes away from the data on a network. It doesn’t solve every privacy and security problem, but it eliminates several of them effectively. Its major features are:
• A secure, client/server protocol for encrypting and transmitting data over a network
• Authentication (recognition) of users by password, host, or public key, plus optional integration with other popular authentication systems, including Kerberos, SecurID, PGP, TIS Gauntlet, and PAM
• The ability to add security to insecure network applications such as Telnet, FTP, and many other TCP/IP-based programs and protocols
• Almost complete transparency to the end user
• Implementations for most operating systems
Intended Audience
We’ve written this book for system administrators and technically minded users. Some chapters are suitable for a wide audience, while others are thoroughly technical and intended for computer and networking professionals.
End-User Audience
Do you have two or more computer accounts on different machines? SSH lets you connect one to another with a high degree of security. You can copy files between accounts, remotely log into one account from the other, or execute remote commands, all with the confidence that nobody can intercept your username, password, or data in transit.
Do you connect from a personal computer to an Internet service provider (ISP)? In particular, do you connect to a Unix shell account at your ISP? If so, SSH can make this connection significantly more secure. An increasing number of ISPs are running SSH servers for their users. In case your ISP doesn’t, we’ll show you how to run a server yourself.
Do you develop software? Are you creating distributed applications that must communicate over a network securely? Then don’t reinvent the wheel: use SSH to encrypt the connections. It’s a solid technology that may reduce your development time.
Even if you have only a single computer account, as long as it’s connected to a network, SSH can still be useful. For example, if you’ve ever wanted to let other people use your account, such as family members or employees, but didn’t want to give them unlimited use, SSH can provide a carefully controlled, limited access channel into your account.
Prerequisites
We assume you are familiar with computers and networking as found in any modern business office or home system with an Internet connection. Ideally, you are familiar with the Telnet and FTP applications. If you are a Unix user, you should be familiar with the programs rsh, rlogin, and rcp, and with the basics of writing shell scripts.