Using SSH: Everyone Should Know This
Aaron Burgemeister, FOSS Bigot, Novell, Inc. [email protected]
© Novell Inc. All rights reserved
What is SSH?
• SSH is a network protocol
  – NAT friendly
  – Secure
• Allows data to be exchanged securely
  – Port forwarding
  – GUI forwarding
• Multiple OS support
  – NetWare
  – Windows (not natively)
  – Linux
  – Mac
SSH Experience
• Heard of it?
• Used it?
• Tunneled?
• Forwarded GUI?
• Remote commands?
• Copied a file?
Why SSH?????
• It's already there (cross-plat)
• It's secure (SSHv2 (good) vs. SSHv1 (old/bad))
• It's fast (no graphical overhead, doesn't send tons of data to maintain connections, command-line based)
Available SSH Tools on Linux and Mac
• SSH is standard on Linux, Mac and NetWare, and can be added to any OS, as the source code is freely available
  – ssh
  – scp
• PuTTY is even available for Linux – http://www.chiark.greenend.org.uk/~sgtatham/putty/
Available SSH Tools on Windows
• PuTTY (and the related applications below) – http://www.chiark.greenend.org.uk/~sgtatham/putty/
  – plink (great for scripting uses)
  – Pageant (key material management)
Available SSH Tools on Windows
• WinSCP – http://winscp.net/eng/index.php
• Xming – http://sourceforge.net/projects/xming
• Cygwin – http://www.cygwin.com/
SSH Server (Daemons)
• The SSH daemon is supported by all OSs
  – Windows must use Cygwin or OpenSSH to run the daemon
  – NetWare 6.5 SP3 or greater
• Multiple authentication back-ends
  – Using PAM authentication
    > /etc/passwd
    > eDirectory/LDAP
    > Active Directory
  – Centrify (www.centrify.com)
How Can SSH Be Used?
Basic SSH Connection
Access Files
Launch Scripts
Launch Programs
Install Linux Remotely
ssh root@ssh_server
Basic SSH Connection
SSH is a Shell Connection
Full Access to the Remote Computer
Redirect Sound
Restart Services
Install Software
Tunneling with SSH
SSH Can Tunnel any TCP Traffic
Local Forwarding / Remote Forwarding
Local Forwarding
● Involves forwarding a socket from the client to the server
Remote Forwarding
● Involves forwarding a socket from the server to the client
Gateway Port and Security Note
Tunneling with SSH - Security
Security Benefits of Tunneling
From the SSH client to the SSH server the connection is secure
From the SSH server to the remote service the connection may not be secure (for example HTTP, telnet, etc.)
May provide a way to easily secure an insecure application
Access to otherwise inaccessible (more secure) applications via a single locked-down server
Preventing it from happening (for admins)?
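For the "preventing it (for admins)" question, an added example that is not part of the presentation: a small shell audit of the sshd_config options that decide whether users can tunnel through a server and whether passwords are accepted. The config contents, the function names and the "support" scenario are constructed for this example; the option names and first-value-wins semantics are standard OpenSSH sshd behaviour.

```shell
# Added example, not from the presentation: report the sshd_config values that
# govern tunneling and password logins. sshd keeps the FIRST value it reads for
# an option, matches keywords case-insensitively, and ignores text after '#'.

# Constructed sample: a permissive configuration (weak settings).
WEAK_CONFIG=$(mktemp)
cat >"$WEAK_CONFIG" <<'EOF'
Port 22
PasswordAuthentication yes
GatewayPorts yes          # remote-forwarded ports listen on all interfaces
allowtcpforwarding yes
PermitRootLogin yes
PermitRootLogin no        # ignored: sshd already took the first value
EOF

# Constructed sample: the corrected counterpart (keys only, no tunnels).
HARDENED_CONFIG=$(mktemp)
cat >"$HARDENED_CONFIG" <<'EOF'
PasswordAuthentication no
AllowTcpForwarding no
GatewayPorts no
PermitRootLogin no
EOF
trap 'rm -f "$WEAK_CONFIG" "$HARDENED_CONFIG"' EXIT

# effective_option FILE KEYWORD DEFAULT -> prints the value sshd would use
effective_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        { sub(/#.*/, "") }                                  # drop comments
        NF >= 2 && tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# audit_tunnel_settings FILE -> one "Option=value ok|WEAK" line per setting;
# exit status is the number of weak settings. Defaults used when an option is
# absent are the OpenSSH compiled-in defaults (PermitRootLogin: prohibit-password).
audit_tunnel_settings() {
    weak=0
    for spec in PasswordAuthentication:yes:no AllowTcpForwarding:yes:no \
                GatewayPorts:no:no PermitRootLogin:prohibit-password:no; do
        opt=${spec%%:*}; rest=${spec#*:}; def=${rest%%:*}; want=${rest#*:}
        val=$(effective_option "$1" "$opt" "$def")
        if [ "$val" = "$want" ]; then flag=ok; else flag=WEAK; weak=$((weak + 1)); fi
        printf '%s=%s %s\n' "$opt" "$val" "$flag"
    done
    return "$weak"
}
audit_tunnel_settings "$WEAK_CONFIG" || echo "$? weak setting(s) in sample config"
```

Turning AllowTcpForwarding off only stops tunnels for users who have no other way to relay traffic; anyone with a shell on the server can still run their own forwarder, so a locked-down box should also limit what shells those users get.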
ssh username@ssh_server -L 993:imap_server:993
E-Mail – Making a Connection
Making the SSH connection:
ssh username@ssh_server -L 1993:imap_server:993
The e-mail client can then simply be pointed to the local computer on port '1993' to connect to the remote, otherwise inaccessible IMAP server.
The "pointing" could be done via client connection parameters, a modified 'hosts' file, DNS, etc.
Remote Desktop – Making a Connection
Making the SSH connection:
ssh username@ssh_server -L 3389:win_server:3389
Starting the Linux RDP client:
rdesktop localhost:3389
Multiple Connections
Single tunnel point
Multiple destinations
Multiple ports
Whole command as one single line:
ssh username@ssh_server -L 1993:imap_server:993 -L 3389:win_server:3389 -L 1025:smtp_server:25
Redirecting X (GUI)
Redirecting the “GUI”
Redirecting the graphical screens of the remote computer (installations, applications) to the local computer
Very Simple
Redirect an Oracle Installer
Redirect Skype
From Linux to Linux
Very Simple
Native Support
ssh username@ssh_server -X
From Windows to Linux
Not as Simple
No Native Support
• Enable X redirection and use one of the following X servers
  – Xming – http://sourceforge.net/projects/xming
  – XwinLogon – http://www.calcmaster.net/visual-c++/xwinlogon/
  – LabF's WinaXe – http://www.labf.com/winaxeplus/index.html
From Mac to Linux
Very Simple
Native Support
ssh username@ssh_server -X
• Redirect
  – YaST
  – Skype
  – Installs
Copying Files with SSH
Simple File Copy with SSH
Very Simple
Fairly Fast
Secure
Copying a local file to the remote host:
scp localfile.txt username@ssh_server:/remote/destination/path/
Copying a remote file to the local host:
scp username@ssh_server:/remote/destination/path/file.txt /local/destination/path/
RSYNC Over SSH
Very Simple
Requires the rsync client
Synchronizes whole folder structures
rsync -avz -e ssh /source_dir/ username@ssh_server:/dest_dir/
Running Remote Commands with SSH
Remote Commands
Output returned to the client machine sending the command
Makes the connection, runs, and exits
Useful for monitoring remote machines
– Mentioned in the Nagios session an hour ago
ssh username@ssh_server 'ps aux'
ssh username@ssh_server 'top -d1 -n1'
Key Material Management and Usage
Key Material
• Makes the connection more secure (passwords can be disabled to prevent the feasibility of brute-force attacks)
• Allows for unprompted authentication
  – Immediate access to the system
  – Provide access to the system without ever giving out the password, even as identities other than the user's own
• Steps involved:
  – Generating a client key
  – Copying the keys to the remote destination's store
  – 'ssh-agent' used to store keys for you
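For the "copying the keys to the remote destination's store" step and the restricted-environment scenario in the demo, an added example that is not part of the presentation: shell functions that write an authorized_keys entry limiting what a shared key may do (a fixed command, no tunnels, no terminal, only from given addresses) and that list the keys in an existing store which still allow port forwarding. The key bodies, the 192.0.2.0/24 source network and /usr/local/bin/support-shell are constructed placeholders; the option names are standard OpenSSH authorized_keys options.

```shell
# Added example, not from the presentation. Standard OpenSSH authorized_keys
# options used: from="..." (accepted source addresses), command="..." (the only
# command this key may run), no-port-forwarding, no-pty, no-agent-forwarding,
# no-X11-forwarding. Option values here are assumed to contain no spaces.

# restrict_key "TYPE BASE64 COMMENT" "SOURCE" "COMMAND" -> prints a restricted entry
restrict_key() {
    ktype=$(printf '%s\n' "$1" | awk '{print $1}')
    body=$(printf '%s\n' "$1" | awk '{print $2}')
    note=$(printf '%s\n' "$1" | awk '{print $3}')
    case "$ktype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: $ktype" >&2; return 1 ;;
    esac
    # the key body must be base64; anything else is a pasted-in mistake
    printf '%s\n' "$body" | grep -Eq '^[A-Za-z0-9+/]+=*$' || { echo "bad key body" >&2; return 1; }
    printf 'from="%s",command="%s",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding %s %s %s\n' \
        "$2" "$3" "$ktype" "$body" "$note"
}

# unrestricted_keys FILE -> prints the comment of every key that may still open tunnels
unrestricted_keys() {
    awk '/^[[:space:]]*(#|$)/ { next }                       # blank lines, comments
         $1 ~ /^(ssh-|ecdsa-)/ { print $NF; next }            # entry carries no options
         index($1, "no-port-forwarding") == 0 &&
         index("," $1 ",", ",restrict,") == 0 { print $NF }' "$1"
}

# Constructed sample store (placeholder key bodies, not real keys).
KEYS_FILE=$(mktemp); trap 'rm -f "$KEYS_FILE"' EXIT
{
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderOne admin@desk'
    restrict_key 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderTwo support@laptop' \
                 '192.0.2.0/24' '/usr/local/bin/support-shell'
    echo 'no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPlaceholderThree backup@nas'
} >"$KEYS_FILE"
echo "keys that can still forward ports:"; unrestricted_keys "$KEYS_FILE"
```

With the sample store only admin@desk and backup@nas are reported: no-pty alone does not stop a key from being used for -L/-R tunnels, which is why the support entry carries no-port-forwarding and a fixed command as well.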
Demo
• Novell® Remote
  – Give access to specific services in a restricted environment
  – Useful for support to access environments behind a firewall
  – Share access to a VM environment (NAT, host-only)
• Audience demo
  – Requirement: network access; support.novell.com account preferably