Wednesday, March 19, 2014

Administration with the Secure Shell

Secure Shell Session

The Secure Shell daemon (sshd) is normally started at boot from the /etc/init.d/sshd script. The daemon listens for connections from clients. A Secure Shell session begins when the user runs the ssh, scp, or sftp command. Secure Shell is secure because it encrypts all traffic: listeners on the network cannot read the messages exchanged between SSH clients and servers. The client and server must authenticate themselves to each other. After successful authentication, the user can execute commands remotely and copy data between hosts.

Regular SSH: ssh username@server.example.com  or  ssh -l username servername

Graphical SSH: ssh -X username@server.example.com  -> The -X option turns on X11 forwarding, so graphical programs started on the remote server are displayed on your local desktop, while the session otherwise works like a regular terminal ssh login. By default both ssh and X11 forwarding (-X) are enabled on the server.


Authentication 
You can watch the authentication process in verbose mode: # ssh -vvv servername
The steps in the authentication process for Secure Shell are as follows:

  1. The user runs the ssh, scp, or sftp command.
  2. The client and server agree on a shared session key.
    In v1, the remote host sends its host (RSA) key and a server (RSA) key to the client. Note that the server key is typically regenerated every hour and stored in memory only. The client checks that the remote host key is stored in the $HOME/.ssh/known_hosts file on the local host. The client then generates a 256-bit random number and encrypts it with the remote host's host key and server key. The encrypted random number is used as the session key to encrypt all further communications in the session.
  3. The local and remote hosts authenticate each other.
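As an added example (not code from the original post), the following shell script reads settings from an sshd_config-style file the way sshd resolves them (the first occurrence of a keyword wins, keywords are case-insensitive, lines starting with # are comments) and flags the settings discussed above: whether protocol version 1, the exchange described in step 2, is still accepted (it has long been considered insecure and current OpenSSH no longer supports it), whether X11 forwarding (ssh -X) is on, and whether root may log in. The configuration it writes is a constructed sample; on a real host point it at /etc/ssh/sshd_config instead.

```shell
#!/bin/sh
# Added example, not code from the original post. Reads sshd settings from an
# sshd_config-style file the way sshd itself resolves them (first occurrence of
# a keyword wins, keywords are case-insensitive, lines starting with '#' are
# comments) and flags protocol 1 support, X11 forwarding and root login.
# Assumes the "Keyword value" syntax of /etc/ssh/sshd_config; the sample
# config below is constructed, not a real host's file.

# sshd_get_option FILE KEYWORD -> prints the effective value, nothing if unset
sshd_get_option() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/    { next }           # comment line
        NF == 0             { next }           # blank line
        tolower($1) == want { print $2; exit } # first match wins, like sshd
    ' "$1"
}

# sshd_audit FILE -> one finding per line; returns 1 if anything is flagged
sshd_audit() {
    rc=0
    proto=$(sshd_get_option "$1" Protocol)
    # unset means "2"; "1" or "2,1" re-enables the v1 exchange described above
    case "${proto:-2}" in
        *1*) echo "FLAG: Protocol $proto accepts SSH protocol version 1"; rc=1 ;;
        *)   echo "ok:   Protocol ${proto:-2 (default)}" ;;
    esac
    x11=$(printf '%s' "$(sshd_get_option "$1" X11Forwarding)" | tr 'A-Z' 'a-z')
    # sshd's own default is "no"; distribution configs often set "yes"
    case "${x11:-no}" in
        yes) echo "FLAG: X11Forwarding yes (ssh -X sessions are allowed)"; rc=1 ;;
        *)   echo "ok:   X11Forwarding ${x11:-no (default)}" ;;
    esac
    root=$(printf '%s' "$(sshd_get_option "$1" PermitRootLogin)" | tr 'A-Z' 'a-z')
    # unset meant "yes" in OpenSSH releases of this post's era (newer releases
    # default to prohibit-password), so treat unset as "yes" here
    case "${root:-yes}" in
        yes) echo "FLAG: PermitRootLogin yes (root may log in with a password)"; rc=1 ;;
        *)   echo "ok:   PermitRootLogin ${root:-yes (default)}" ;;
    esac
    return $rc
}

# write_sample_sshd_config FILE -> constructed config for a stand-alone run
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Port 22
Protocol 2,1
X11Forwarding yes
# the next line is ignored: sshd keeps the first X11Forwarding it saw
x11forwarding no
PermitRootLogin no
EOF
}

# Stand-alone run: audit the constructed sample (on a real host, pass
# /etc/ssh/sshd_config instead)
tmp=$(mktemp)
write_sample_sshd_config "$tmp"
sshd_audit "$tmp" || echo "audit flagged one or more settings"
rm -f "$tmp"
```

The script only reads the file, so it is safe to run against a live configuration; Match blocks are not evaluated, so a setting overridden inside a Match block is reported as the global value.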

The following table summarizes the major Secure Shell commands.

Command   Description

ssh
A program for logging in to a remote machine and for executing commands on a remote machine. The command is intended to replace rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel.
sshd
The Secure Shell daemon. It listens for connections from clients and provides secure encrypted communications between two untrusted hosts over an insecure network.
ssh-keygen
Generates and manages authentication keys for ssh.
ssh-agent
A program that holds private keys that are used for public key authentication. ssh-agent is started at the beginning of an X session or a login session, and all other windows or programs are started as clients of the ssh-agent program. Through the use of environment variables, the agent can be located and automatically used for authentication when users log in to other machines while using ssh.
ssh-add
Adds RSA or DSA identities (keys) to the authentication agent, ssh-agent.
scp
Securely copies files between hosts on a network by using ssh for data transfer. Unlike rcp, scp asks for passwords or passphrases (if they are needed for authentication).
sftp
An interactive file transfer program, similar to ftp, that performs all operations over an encrypted ssh transport. sftp connects and logs in to the specified host name and then enters an interactive command mode.

Secure Shell Files

The following table shows the important Secure Shell files and the suggested UNIX permissions.

File Name   Description   Suggested Permissions and Owner

/etc/ssh/sshd_config
Contains configuration data for sshd, the Secure Shell daemon. -rw-r--r-- root
/etc/ssh/ssh_host_key
Contains the host private key. -rw------- root
/etc/ssh_host_key.pub
Contains the host public key. Used to copy the host key to the local known_hosts file. -rw-r--r-- root
/var/run/sshd.pid
Contains the process ID of the Secure Shell daemon, sshd, which listens for connections (if there are multiple daemons, the file contains the PID of the last daemon that was started). -rw-r--r-- root
$HOME/.ssh/authorized_keys
Lists the RSA keys that can be used with v1 to log in to the user's account, or the DSA and RSA keys that can be used with v2. -rw-rw-r-- johndoe
/etc/ssh/ssh_known_hosts
Contains the host public keys for all hosts with which the client may communicate securely. The file should be prepared by the administrator. -rw-r--r-- root
$HOME/.ssh/known_hosts
Contains the host public keys for all hosts with which the client may communicate securely. The file is maintained automatically: whenever the user connects to an unknown host, the remote host key is added to the file. -rw-r--r-- johndoe
/etc/nologin
If this file exists, sshd refuses to let anyone except root log in. The contents are displayed to users who attempt to log in. -rw-r--r-- root
$HOME/.rhosts
Contains the host-user name pairs that specify the hosts to which the user can log in without a password. The file is used by Secure Shell as well as by the rlogind and rshd daemons. -rw-r--r-- johndoe
$HOME/.shosts
Contains the host-user name pairs that specify the hosts to which the user can log in without a password using Secure Shell only. -rw-r--r-- johndoe
/etc/hosts.equiv
Contains the hosts that are used in .rhosts authentication and Secure Shell authentication. -rw-r--r-- root
/etc/ssh/shosts.equiv
Contains the hosts that are used in Secure Shell authentication. -rw-r--r-- root
$HOME/.ssh/environment
Used for initialization to make assignments at login. -rw------- johndoe
$HOME/.ssh/rc
Runs initialization routines before the user shell starts. -rw------- johndoe
/etc/ssh/sshrc
Runs host-specific initialization routines that are specified by an administrator for all users. -rw-r--r-- root
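As an added example (not code from the original post), the shell checker below compares each file's mode and owner with the suggestions in the table using GNU stat. One caveat worth knowing when reading the table: sshd's StrictModes option, which is on by default, refuses to use an authorized_keys file that group or others can write, so the table's -rw-rw-r-- for authorized_keys is reported here as a warning rather than accepted silently; -rw------- or -rw-r--r-- is the usual choice. The file list restates the table under a ROOT directory (with /etc/ssh mapped to ROOT/etc/ssh and $HOME to ROOT/home) so that the stand-alone run can work on a constructed tree instead of a live /etc/ssh; the host public key is placed beside the private key in /etc/ssh for that purpose.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks the mode and owner of
# the Secure Shell files against the table above and warns about any file that
# group or others can write. Uses GNU stat (-c). The list below restates the
# table's suggestions under a ROOT directory, with /etc/ssh and $HOME mapped to
# ROOT/etc/ssh and ROOT/home, so a stand-alone run can use a constructed tree.

# ssh_file_table -> "relative-path suggested-octal-mode" pairs from the table above
ssh_file_table() {
    cat <<'EOF'
etc/ssh/sshd_config 644
etc/ssh/ssh_host_key 600
etc/ssh/ssh_host_key.pub 644
etc/ssh/ssh_known_hosts 644
etc/ssh/sshrc 644
home/.ssh/authorized_keys 664
home/.ssh/known_hosts 644
home/.ssh/environment 600
home/.ssh/rc 600
EOF
}

# check_ssh_perms ROOT -> one line per file; returns 1 if a mode differs from
# the table. Files that match the table but are writable by group or others get
# a WARN: sshd with StrictModes (its default) refuses such an authorized_keys.
check_ssh_perms() {
    root="$1"; rc=0
    while read -r rel want; do
        f="$root/$rel"
        if [ ! -e "$f" ]; then echo "skip: $rel (absent)"; continue; fi
        have=$(stat -c '%a' "$f")    # octal mode, e.g. 644
        owner=$(stat -c '%U' "$f")   # owner name
        if [ "$have" != "$want" ]; then
            echo "FLAG: $rel mode $have, table suggests $want (owner $owner)"
            rc=1
        elif [ $(( 0$have & 022 )) -ne 0 ]; then
            echo "WARN: $rel mode $have is group- or world-writable (owner $owner)"
        else
            echo "ok:   $rel mode $have (owner $owner)"
        fi
    done <<EOF
$(ssh_file_table)
EOF
    return $rc
}

# make_sample_tree ROOT -> constructed stand-in for /etc/ssh and $HOME/.ssh,
# every file created with the table's suggested mode
make_sample_tree() {
    mkdir -p "$1/etc/ssh" "$1/home/.ssh"
    ssh_file_table | while read -r rel want; do
        : > "$1/$rel"
        chmod "$want" "$1/$rel"
    done
}

# Stand-alone run: build the sample tree, then loosen the host private key to
# show a FLAG alongside the WARN for the group-writable authorized_keys
tmp=$(mktemp -d)
make_sample_tree "$tmp"
chmod 644 "$tmp/etc/ssh/ssh_host_key"
check_ssh_perms "$tmp" || echo "one or more files deviate from the table"
rm -rf "$tmp"
```

The here-document feeding the while loop keeps the loop in the current shell, so the rc variable survives the loop; a pipe into the loop would run it in a subshell and lose the result in most shells.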

2 comments:

  1. Please read about SSH on your own (Chapter 2, RHCSA Book) and comment below with your findings and extra related information.

  2. Lab work. Generating an SSH key pair between 2 machines.

    # To generate the SSH key pair, the syntax is

    #ssh-keygen
    [root@server1 ~]# ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    44:be:65:70:9e:a6:c1:19:20:aa:3d:6e:ed:24:65:b2 root@server1.kt.com
    The key's randomart image is:
    +--[ RSA 2048]----+
    | . ..+ . |
    | . . + * . |
    | . * * |
    | o . B |
    |. + o S |
    | . B |
    | E o |
    | . + |
    | . |
    +-----------------+
    [root@server1 ~]#
    # The id_rsa is a private key and id_rsa.pub is the public key which will be used later to make password less login.
    Copying the public key to the client system
    To copy the server’s public key to the client system, the command is
    # ssh-copy-id -i
    # ssh-copy-id -i /root/.ssh/id_rsa.pub 192.168.1.203
    [root@server1 ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub 192.168.1.203
    root@192.168.1.203's password:
    Now try logging into the machine, with "ssh '192.168.1.203'", and check in:
    .ssh/authorized_keys
    to make sure we haven't added extra keys that you weren't expecting.
    [root@server1 ~]#

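The ssh-copy-id output in the lab comment ends by asking you to check .ssh/authorized_keys for keys you were not expecting. As an added example (not part of the lab comment or of ssh-copy-id), the shell function below inventories an authorized_keys file: for each entry it prints the key type, the comment, any options prefix such as command="...", and marks a key blob that appears more than once, which is what running ssh-copy-id twice produces. The sample file it writes is constructed and its base64 blobs are placeholders, not real public keys.

```shell
#!/bin/sh
# Added example, not code from the lab comment above. Lists what an
# authorized_keys file grants so the "check .ssh/authorized_keys for keys you
# weren't expecting" step printed by ssh-copy-id has something concrete to look
# at: key type, comment, any options prefix, and repeated key blobs (the result
# of running ssh-copy-id twice). The sample file is constructed; its key blobs
# are placeholders, not real public keys.

# authorized_keys_list FILE -> one line per entry:
#   "<type> <comment or -> <options or -> [DUPLICATE]"
authorized_keys_list() {
    awk '
        /^[[:space:]]*#/ { next }       # comment line
        NF == 0          { next }       # blank line
        {
            # entry layout: [options] keytype base64 [comment]; locate the key
            # type field so an options prefix containing quoted spaces works too
            k = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) { k = i; break }
            if (k == 0 || k == NF) { printf "MALFORMED line %d\n", NR; next }
            opts = "-"
            if (k > 1) { opts = $1; for (i = 2; i < k; i++) opts = opts " " $i }
            type = $k; blob = $(k + 1)
            comment = "-"
            if (NF > k + 1) {
                comment = $(k + 2)
                for (i = k + 3; i <= NF; i++) comment = comment " " $i
            }
            seen[blob]++
            printf "%s %s %s%s\n", type, comment, opts, (seen[blob] > 1 ? " DUPLICATE" : "")
        }' "$1"
}

# authorized_keys_count FILE -> number of well-formed entries
authorized_keys_count() {
    authorized_keys_list "$1" | awk '!/^MALFORMED/ { n++ } END { print n + 0 }'
}

# write_sample_authorized_keys FILE -> constructed sample with a repeated key
write_sample_authorized_keys() {
    cat > "$1" <<'EOF'
# constructed sample; the base64 blobs are placeholders, not real keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholder1 root@server1.kt.com
command="/usr/bin/rsync --server" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIplaceholder2 backup@server1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholder1 root@server1.kt.com
EOF
}

# Stand-alone run (on a real host, pass ~/.ssh/authorized_keys instead)
tmp=$(mktemp)
write_sample_authorized_keys "$tmp"
authorized_keys_list "$tmp"
echo "entries: $(authorized_keys_count "$tmp")"
rm -f "$tmp"
```

Duplicates are detected on the key blob alone, so two copies of the same key with different comments are still reported as one key granted twice; the comment column is what lets you match each entry to the host and user that was supposed to get access.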