home | O'Reilly's CD bookshelfs | FreeBSD | Linux | Cisco | Cisco Exam  


Previous SectionNext Section

12.3 The Secure Shell

The Secure Shell (SSH) lets you connect to a system from another system via TCP/IP and obtain a shell prompt, from which you can issue commands and view output in a secure fashion. SSH works similarly to Telnet, but differs in that conversations between SSH and its clients are sent in encrypted form so hackers cannot easily discover private information, including user account names and passwords.

12.3.1 Installing SSH

The installation procedure automatically installs an SSH client and server and associates the sshd service with runlevels 3-5. You can start, stop, and restart the sshd service and changes its associations with runlevels by using the Service Configuration Tool. The service must be running in order to respond to clients.

The SSH service has several configuration files, residing in /etc/ssh. You don't have to modify them to get SSH running. If you're curious about them, view the sshd manpage.

12.3.2 Using SSH

To verify that the SSH server is properly running, you can access it via a client on the local system by issuing the following command:

$ ssh localhost

The client will attempt to log you on to the local system using your current user account and will prompt you for your password. If you supply the correct password, you should see a shell prompt, indicating that the client and server are functioning correctly. Type exit and press Enter to exit SSH.

To log on to a remote system, simply specify the hostname or IP address of the remote system in place of localhost. If you want to log in to a user account other than one named identically to the account you're using on the local system, issue the command:

$ ssh  userid@host 

where host is the hostname or IP address of the remote host and userid is the name of the user account you want to use. For example:

$ ssh billmccarty@gonzo.apu.edu

You can use the SSH client's scp command to transfer files to or from a remote system running an SSH server. To transfer a file to a remote system, issue a command such as this one:

$ scp  file userid@host:destination 

where file is the path of the file to be transferred, host is the hostname or IP address of the remote host, destination is the directory to which the file should be transferred, and userid is your user account on the remote system. If given as a relative path, the destination path is understood as being relative to the home directory of the specified user. For example:

$ scp rhbook_rev.txt billmccarty@gonzo.apu.edu: files

To transfer files to your home directory on the remote system, omit the path argument; however, retain the colon or the command will be misinterpreted.

You can specify multiple files to be transferred if you like. You can use shell metacharacters to specify a set of files to be transferred. You can also specify the -r flag, which specifies that scp should recursively copy a directory. For example, the following command copies an entire directory to the remote system:

$ scp -r Desktop billmccarty@gonzo.apu.edu: files

To transfer files from a remote system, issue a command based on this pattern:

$ scp  userid@host:file path 

where host is the hostname or IP address of the remote system, file is the path of the file to be transferred, path is the destination path of the file, and userid is your user account on the remote system. For example:

$ scp billmccarty@author.ora.com:/out/ch12.doc files

This command would log in the user billmccarty to author.ora.com/out, retrieve the ch12.doc file, and place it in his files directory.

SSH also provides the sftp command, which lets you transfer files in much the same way the ftp command does. The command has the following form:

$ sftp  user@host 

The command will prompt for the password associated with the specified user account. For example, to transfer files to and from the host author.ora.com, you could issue the following command:

$ sftp billmccarty@author.ora.com

After establishing a connection to the specified host, the sftp command presents a prompt that lets you enter commands similar to those supported by the ftp command. Use the help command to learn more about the supported commands.

12.3.3 Using a Windows SSH Client

To log on to your Linux system from a remote system via SSH, you must install an SSH client on the remote system. A suitable client for Windows is Simon Tatham's PuTTY, available at http://www.chiark.greenend.org.uk/~sgtatham/putty. Simply download PuTTY to any convenient directory (the windows directory is a good choice). The program doesn't have a setup script; you can run it by selecting Start Run and typing putty; if the directory in which PuTTY resides is not on the execution path, you must type the drive, path, and filename. Alternatively, you can create a shortcut that spares you the trouble. Figure 12-6 shows PuTTY's main screen.

Figure 12-6. PuTTY's screen
figs/rh3_1206.gif

To use PuTTY to connect to a host, specify the following information:

Hostname

The hostname or IP address of the SSH server.

Protocol

You should select SSH. This causes PuTTY to automatically select port 22, the default SSH port. If the SSH server listens on a different port, specify the nonstandard port by using the Port text box.

Click Open to make the connection to the specified host.

The left pane of PuTTY's screen provides access to several configuration options, such as:

  • Key mappings

  • Character translations

  • Selection, copy, and paste options

  • Screen colors

Like most Telnet or FTP clients, PuTTY lets you save configurations so you can quickly connect to often-used hosts. Use the Load, Save, and Delete buttons to manage your list of hosts and associated configurations.

For best results when using PuTTY to view screens that include color, enable the option Use background color to erase screen, found in the Terminal settings.

Another useful Windows SSH tool is WinSCP, which provides a user interface resembling that of a graphical FTP client. Figure 12-7 shows a WinSCP session. To learn more about WinSCP or obtain the program, visit http://winscp.vse.cz/eng/.

Figure 12-7. The WinSCP SSH client
figs/rh3_1207.gif

12.3.4 Protocol Tunneling

SSH lets you establish a network connection that you can use as a Virtual Private Network (VPN), so called because traffic flowing over the connection is encrypted and therefore secure from eavesdroppers. This facility is known as protocol tunneling because the data that flows via the connection need not use the standard TCP/IP protocol; for example, the data might be encoded using Novell's IPX protocol.

Configuring and troubleshooting a VPN is not a task for a Linux newbie. However, if your Linux skills are growing and you desire a challenge, see The Official Red Hat Linux Security Guide, available at http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/security-guide/. Also see Virtual Private Networks, by Charlie Scott, Paul Wolfe, and Mike Erwin (O'Reilly & Associates, Inc.).

    Previous SectionNext Section