
Using Secure Shell on Linux: What Everyone Should Know


Secure Shell, or SSH, is a network protocol that allows data to be exchanged over a secure channel. SSH is much more than just data being passed over the wire. SSH can be used to tunnel traffic and specific ports or applications across multiple servers. SSH is a must for anyone using Linux. If you haven't used SSH, then you have not used Linux!

This session is designed for all technical staff or decision makers curious about great Linux tools and making access to Windows services, remote desktops and remote servers easier and less complicated. During this session, we will demonstrate techniques to tunnel RDP sessions, SOAP sessions and HTTP sessions between remote systems.



  1. Using SSH on Linux: Everyone Should Know This
     Jared Jennings, Senior Consultant, Data Technique, Inc.
     Aaron Burgemeister, Technical Support Engineer, Novell, Inc.
  2. What is SSH?
     • SSH is a network protocol
       – NAT friendly
       – Secure
     • Cross-platform support
     © Novell, Inc. All rights reserved.
  3. SSH Experience?
     • Heard of it?
     • Used it?
     • Tunneled?
     • Forwarded GUI?
     • Remote commands?
     • File copies (scp or rsync over ssh)?
     • Authentication other than passwords (keys, GSSAPI)?
     • Came here just to find presenter inaccuracies?
  4. Why Use SSH?
     • Accessibility
     • Fast
     • Allows data to be exchanged securely
       – Port forwarding
       – GUI forwarding
  5. SSH Commands on Linux and Mac
     • ssh
     • scp
     • SSH is standard on Linux, Unix and Mac
  6. Available SSH Tools on Windows
     • PuTTY
       – plink (great for scripting uses)
       – Pageant (key material management)
       – pscp (file management)
  7. Available SSH Tools on Windows
     • WinSCP
     • Xming
     • Cygwin
  8. SSH Server (Daemons)
     • The SSH daemon is supported by all OSes
       – Linux/Unix/Mac OS X
       – Windows must use third-party software to run the daemon
       – NetWare 6.5 SP3 or greater
     • Multiple authentication back-ends
       – Using PAM authentication
         > Novell eDirectory, files, OpenLDAP
     • Multiple authentication methods
       – Password; public key
       – Challenge/response
       – Kerberos
       – Host-based
  9. How Can SSH Be Used?
  10. Basic SSH Connection
     • Access files
     • Control remote system
       > ssh -l ab   #explicit
       > ssh         #simple
  11. Tunneling with SSH
     • SSH can tunnel just about any TCP traffic (IPv4 or IPv6)
     • Local forwarding / remote forwarding
       – Local forwarding involves forwarding a socket from the client to the server
       – Remote forwarding involves forwarding a socket from the server to the client
  12. Tunneling with SSH: Purposes/Security Benefits of Tunneling
     • The connection from client to server is secure
       – Regular connections from client to server may not otherwise be secure (rsync, http, etc.)
     • Access an otherwise-inaccessible network
       – Similar to a VPN, but without as much setup
       – Access a single system with access to secure apps
  13. Tunneling with SSH: Details
     • One side opens an address/port on the specified listening side
       – See the (by default) localhost-listening socket with netstat
     • SSH takes all TCP data arriving at that address/port and sends it through the already-established SSH connection (which may be carrying other traffic at the same time)
     • The opposite side sends the TCP data to the destination address/port specified during connection setup
     • The TCP client whose traffic is tunneled thinks it is talking to the SSH machine on the listening side of the tunnel
     • The TCP server whose traffic is tunneled thinks the SSH machine at the far end of the tunnel is the TCP client
     • Everything outside of the SSH participants and the TCP client and server just sees a single SSH connection sending data from time to time
  14. HTTP (Web Server) Forwarding
     [diagram: client in "insecure land" → SSH server → firewall → web server]
     ssh -L 1080:http_server:80
  15. HTTP: Making a Connection
     • Making the SSH connection: ssh -L 1080:http_server:80
     • Pointing the web browser to the site: http://localhost:1080/rest/of/the/url.html
  16. Novell GroupWise
     ssh -L 1677:groupWise_server:1677
  17. Novell GroupWise: Making a Connection
     • Making the SSH connection: ssh -L 1677:groupWise_server:1677
     • Starting the Novell GroupWise client: grpwise.exe -ipa=localhost -ipp=1677
  18. Remote Desktop (RDP): Making a Connection
     • Making the SSH connection: ssh -L 13389:WindowsServer:3389
     • Starting the Linux RDP client: rdesktop localhost:13389
  19. Multiple Connections: single tunnel point, multiple destinations, multiple ports
     ssh -L 1080:http_server:80 -L 3389:broken_windows:3389 -L 19001:groupwise_server:1677
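The mechanics of slides 13 to 19 (a localhost listener on the near side, a relay to the real destination on the far side, and a TCP client that believes it is talking to localhost), as an added example that is not part of the presentation. It is a toy model in Python: the SSH transport itself (encryption, authentication, the ssh server) is not implemented, so both ends of the "tunnel" run inside one process, and a constructed echo server stands in for http_server, the GroupWise server or the RDP host. parse_forward_spec, start_forwarder and tunneled_client are names chosen here, not OpenSSH APIs, and port 0 is used only so the OS picks a free port for the demo.

```python
# Added example (not from the presentation): toy model of `ssh -L lport:host:rport`.
# Reproduces the listening socket, the per-connection relay and the "who thinks
# it is talking to whom" behaviour of slide 13.  No encryption or SSH protocol:
# the relay runs in-process, and the echo server is a constructed stand-in.
import contextlib
import socket
import threading


def parse_forward_spec(spec):
    """Parse an `-L` argument of the form lport:host:rport into its parts."""
    parts = spec.split(":")
    if len(parts) != 3:
        raise ValueError(f"bad forward spec {spec!r}; expected lport:host:rport")
    lport, host, rport = parts
    return int(lport), host, int(rport)


def _pump(src, dst):
    """Copy bytes from src to dst until EOF, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        with contextlib.suppress(OSError):
            dst.shutdown(socket.SHUT_WR)


def _relay(client, host, rport):
    """Far end of the tunnel: connect to the real destination and relay both ways."""
    try:
        remote = socket.create_connection((host, rport))
    except OSError:
        client.close()          # destination unreachable: drop the tunneled client
        return
    back = threading.Thread(target=_pump, args=(remote, client), daemon=True)
    back.start()
    _pump(client, remote)
    back.join()
    remote.close()
    client.close()


def start_forwarder(spec, bind_addr="127.0.0.1"):
    """Near end of the tunnel: the localhost listener netstat would show.
    Returns (listening socket, bound port); lport 0 lets the OS pick a port."""
    lport, host, rport = parse_forward_spec(spec)
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_addr, lport))   # loopback only, like ssh -L by default
    listener.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return          # listener closed: tunnel torn down
            threading.Thread(target=_relay, args=(client, host, rport),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener, listener.getsockname()[1]


def start_echo_server():
    """Constructed stand-in for the tunneled TCP server; echoes what it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            # the server only ever sees the relay's address, never the client's
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def tunneled_client(lport, payload):
    """The tunneled TCP client: it only ever talks to localhost:lport."""
    with socket.create_connection(("127.0.0.1", lport)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        return c.makefile("rb").read()   # everything the far side sent back


if __name__ == "__main__":
    srv, dest_port = start_echo_server()
    # the demo's equivalent of `ssh -L 1080:http_server:80 ssh_host`
    listener, lport = start_forwarder(f"0:127.0.0.1:{dest_port}")
    print(tunneled_client(lport, b"GET / HTTP/1.0\r\n\r\n"))
```

While the script is running, netstat or ss shows the 127.0.0.1 listener, which is exactly the socket slide 13 tells you to look for. Because the forwarder binds loopback by default, other machines cannot reach the tunnel, which is also the default for ssh -L unless a bind address is given.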
  20. Redirecting X (GUI)
  21. Redirecting the “GUI”
     • Redirecting the graphical screens of the remote computer (installation, application) to the local computer
     • Very simple
     • Redirect Skype
     • Redirect the GroupWise installer
  22. From Linux/Mac to Linux
     • Very simple
     • Native support
     • Redirect
       – YaST (SUSE Linux setup tool)
       – Skype (VoIP application)
       – Installs, anything else
     ssh -X
  23. From Windows to Linux
     • Not as simple
     • No native support
     • Still works: enable X redirection and use one of the following X servers:
       – Xming
       – XwinLogon
       – LabF's WinaXe
  24. Copying Files with SSH
  25. Simple File Copy with SSH
     • Very simple
     • Fairly fast
     • Secure
     • Supports entire directory structures
     • Same syntax as cp (copy) except with a host
       – Can actually function as a local cp command
     cp ./file    #here to there
     scp ./       #there to here
  26. rsync over SSH
     • Very simple
     • Requires the rsync client
     • Synchronizes whole folder structures
     rsync -avz -e ssh source_dir
  27. Running Remote Commands with SSH
  28. Commands Run Remotely
     • Output is returned to the client machine that sent the command
     • Makes the connection, runs the command, and exits
     • Useful for monitoring/configuring/patching remote machines
     ssh ab@ssh_svr 'ps aux'
     ssh -t ab@ssh_svr 'top -d1 -n1'
  29. Key Material Management and Usage
  30. Key Material
     • Makes the authentication MORE secure
       – Disable passwords to prevent successful brute-forcing
     • Allows for un-prompted authentication
       – Immediate access to the system; automated scripting possible
       – Provides access to the system without ever giving out the password; can also change identities or use multiple keys
     Steps involved:
       1. Generate the client keys
       2. Copy the public key to the remote machine
       3. Log in as usual
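Step 2 of slide 30, copying the public key to the remote machine, as an added example that is not taken from the presentation. On Linux ssh-copy-id does this for you; the Python below shows what doing it correctly involves: a sanity check of the key line, a ~/.ssh directory and authorized_keys file with the modes sshd's StrictModes requires, and no duplicate entries. The key line is constructed (the ed25519 wire layout around placeholder bytes, not a real key pair), parse_pubkey_line, install_authorized_key and demo are names chosen here, and demo() writes into a temporary directory rather than a real home.

```python
# Added example (not from the presentation): the "copy the public key to the
# remote machine" step done the way ssh-copy-id does it.  The sample key is
# constructed (ed25519 wire layout, placeholder bytes, not a usable key pair)
# and demo() works in a temporary directory, never in a real home.
import base64
import os
import stat
import struct
import tempfile

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def parse_pubkey_line(line):
    """Check a 'type base64-blob [comment]' line; return (type, blob, comment).

    The blob's first length-prefixed string must repeat the declared type,
    which catches a key pasted under the wrong type or truncated in transit."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("public key line needs a type and a base64 blob")
    ktype, blob_b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    if ktype not in KEY_TYPES:
        raise ValueError(f"unsupported key type {ktype!r}")
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError as exc:            # binascii.Error is a ValueError
        raise ValueError("key blob is not valid base64") from exc
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != ktype.encode("ascii"):
        raise ValueError("blob does not match the declared key type")
    return ktype, blob_b64, comment


def install_authorized_key(home, pubkey_line):
    """Append the key to <home>/.ssh/authorized_keys; True if added, False if present."""
    ktype, blob, comment = parse_pubkey_line(pubkey_line)
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)    # sshd ignores the file if the dir is group/world writable
    path = os.path.join(ssh_dir, "authorized_keys")
    present = set()
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            for entry in fh:
                parts = entry.split()
                # plain "type blob ..." lines; entries that start with options
                # such as command="..." are not deduplicated by this simple check
                if len(parts) >= 2:
                    present.add((parts[0], parts[1]))
    if (ktype, blob) in present:
        return False
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(f"{ktype} {blob} {comment}".rstrip() + "\n")
    os.chmod(path, 0o600)       # owner read/write only, as StrictModes expects
    return True


def make_sample_pubkey():
    """Constructed ed25519-shaped public key line (NOT a usable key)."""
    wire = (struct.pack(">I", len(b"ssh-ed25519")) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(wire).decode("ascii") + " demo@client"


def demo():
    """Install the sample key twice into a temp home; return what a check would see."""
    home = tempfile.mkdtemp(prefix="sshdemo-")
    first = install_authorized_key(home, make_sample_pubkey())
    second = install_authorized_key(home, make_sample_pubkey())
    path = os.path.join(home, ".ssh", "authorized_keys")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    return first, second, mode, len(lines)


if __name__ == "__main__":
    print(demo())   # (True, False, 0o600, 1)
```

Step 1 is ssh-keygen on the client and step 3 is the ordinary ssh login. The "disable passwords" bullet corresponds to PasswordAuthentication no in sshd_config; apply it only after the key login has been confirmed from a second session, or the lockout is yours.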
  31. SSH Proxy Server
  32. SSH to Proxy Traffic
     • Uses:
       – Lets you access content despite your client-side filters
       – Lets you access proxy-enabled services securely
       – Does NOT proxy DNS requests unless the DNS-using application knows to send DNS via the same connection
     #connect and use 5555 as the SOCKS port locally
     #then forward all proxy-able data through
     ssh -D 5555
  33. SSH to Proxy Traffic: Browser
     • Configure your browser's proxy to point to … (or whichever socket is configured to listen on the client side)
     • Do not configure other fields to use this!!
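Slide 32's caveat that -D does not proxy DNS unless the application sends the name through the same connection, shown on the wire as an added example (not from the presentation). A browser pointed at the ssh -D SOCKS port sends SOCKS5 CONNECT requests (RFC 1928); parse_socks5_connect decodes one and reports whether it carries a host name, which the far SSH end resolves, or an IP address, which means the client already did the lookup outside the tunnel. The requests come from build_connect_request with constructed values; nothing is sent over the network, no ssh is needed, and all function names are chosen here.

```python
# Added example (not from the presentation): what the `ssh -D 5555` listener
# receives from a browser configured to use it, and whether the DNS lookup
# happened through the tunnel (domain-name request) or locally (IP request).
# Requests are constructed in-process; no network traffic is generated.
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def parse_socks5_connect(req):
    """Return (host, port, dns_via_tunnel) for one SOCKS5 CONNECT request.

    Layout (RFC 1928): VER CMD RSV ATYP DST.ADDR DST.PORT.  ATYP 3 carries a
    name that the proxy side resolves; ATYP 1/4 carry an address the client
    resolved itself, i.e. the DNS query already left the client unproxied."""
    if len(req) < 4 or req[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    if req[1] != CMD_CONNECT:
        raise ValueError("only CONNECT is handled here")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        host, end, via_tunnel = str(ipaddress.IPv4Address(req[4:8])), 8, False
    elif atyp == ATYP_IPV6:
        host, end, via_tunnel = str(ipaddress.IPv6Address(req[4:20])), 20, False
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, end, via_tunnel = req[5:5 + n].decode("ascii"), 5 + n, True
    else:
        raise ValueError(f"unknown address type {atyp}")
    if len(req) < end + 2:
        raise ValueError("truncated request")
    (port,) = struct.unpack(">H", req[end:end + 2])
    return host, port, via_tunnel


def build_connect_request(host, port):
    """Constructed client side: IP literals go as ATYP 1/4, names as ATYP 3."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("ascii")
        return (bytes([SOCKS_VERSION, CMD_CONNECT, 0, ATYP_DOMAIN, len(name)])
                + name + struct.pack(">H", port))
    atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0, atyp])
            + ip.packed + struct.pack(">H", port))


def describe(req):
    """One-line verdict for a request, as a troubleshooting aid."""
    host, port, via_tunnel = parse_socks5_connect(req)
    where = ("resolved by the far SSH side" if via_tunnel
             else "resolved locally (DNS not proxied)")
    return f"CONNECT {host}:{port} ({where})"


if __name__ == "__main__":
    for target in (("intranet.example", 80), ("10.0.0.5", 443)):
        print(describe(build_connect_request(*target)))
```

Firefox exposes the difference as the "Proxy DNS when using SOCKS v5" checkbox: with it off, the browser resolves names itself and only the TCP data goes through the tunnel, which is the situation the slide warns about.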
  34. SSH Troubleshooting
  35. SSH Troubleshooting
     • Understand the technology and the feature
       – TCP-based
       – Tunneling/proxying opens sockets
       – X-forwarding requires X libraries on the forwarding side and an X server on the forwarded side
       – Authentication can happen in multiple ways
     • Test another system
       – Maybe the client or server is a lemon, e.g. running Windows :-)
     • Use the -v[v[v]] options from the command line
       – More 'v's mean more verbose... lots of good data in here
       – Get a baseline BEFORE it breaks
  36. Demo
     • Novell Remote
       – Give access to specific services in a restricted environment
       – Useful for support to access environments behind a firewall
       – Share access to a VM environment (NAT, host-only)
     • Audience demo
       – Requirement: network access; account preferably
  37. Unpublished Work of Novell, Inc. All Rights Reserved.
     This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
     General Disclaimer: This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.