Five steps to a secure login using
SSH
Version 1.0
March 21, 2005
By A Guest Contributor
Takeaway
One of the best ways to ensure all of your network's communication links are secure is to implement system-wide
encryption. This download shows you how to setup of a Secure Shell (SSH) that will encrypt all the traffic on a
network.
Table of Contents
OPENSSH..................................................................................................................................................................................2
DEFINITIONS ............................................................................................................................................................................2
PROCESS .................................................................................................................................................................................2
1. Get the source code .....................................................................................................................................................2
2. Compile and install the software, and generate a host key....................................................................................2
3. Generate a user key.....................................................................................................................................................2
4. Configure authentication..............................................................................................................................................3
5. Start SSH and log in.....................................................................................................................................................3
ADDITIONAL NOTES .................................................................................................................................................................3
TECHREPUBLIC ......................................................................................................................................................................4
Additional resources .........................................................................................................................................................4
Version history...................................................................................................................................................................4
Tell us what you think .......................................................................................................................................................4
Page 1
Copyright ©2005 CNET Networks, Inc. All rights reserved.
To see more downloads and get your free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html.
Five steps to a secure login using SSH
OpenSSH
In this age of hacker attacks and electronic identity theft, prevention really is the only cure. And one of the most
important things you can do to protect yourself is to ensure that all of your network's communication links are
secure. This means encrypting all the data flowing in and out of your system, so as to prevent cyber-sniffers from
reading it and using it to gain unauthorized access to your data.
This is much easier than it sounds, thanks to a variety of freely-available tools designed specifically to improve
network security. And one of the most effective is the Secure Shell (SSH) program, which ensures that only
trusted users can log in to a system.
This tutorial shows you how to set up OpenSSH on a *NIX system, in five easy steps.
Definitions
Local host: The host from which you will be logging in (in this example, local.site.com)
Remote host: The host to which you will be logging in (in this example, faraway.site.com)
Local user account: A user account on the local host (in this example, rufus@local.site.com)
Remote user account: A user account on the remote host (in this example,
webmaster@faraway.site.com)
Process
1. Get the source code
Begin by downloading the source for OpenSSH. The program is available for a variety of different UNIX operating
systems, so you should have no trouble finding a version for yours. Once the file has downloaded to the local
host, log in as root, copy it to the system's temporary directory and uncompress it using the tar program.
root@local.site.com $ tar -xzvf openssh-4.0p1.tar.gz
Repeat this step for the remote host.
2. Compile and install the software, and generate a host key
Compile and install the software on the local host using the traditional configure-make-install process:
root@local.site.com $ ./configure
root@local.site.com $ make
root@local.site.com $ make install
Repeat this step for the remote host.
The compilation process could take between five and twenty minutes depending on the system configuration. By
default, the software will be installed to the /usr/local/ directory tree once compilation is complete.
Once the software has installed, it will automatically generate a host key for the system on which is has been
installed. This host key is a pair of cryptographic signatures that uniquely identifies the system, and it is used for
host-based authentication and identity verification.
3. Generate a user key
Log in to the local user account and generate a user key by running the ssh-keygen command.
rufus@local.site.com $ ssh-keygen -t dsa
This command generates a key pair that uniquely identifies the combination of user and host. The key pair
consists of two keys, a public key (id_dsa.pub) and a private key (id_dsa), both stored in the user's ~/.ssh
directory.
During the key generation phase, you will be asked for a passphrase. Enter a hard-to-guess passphrase and also
commit it to memory. This passphrase will be used to verify the user's identity at a later stage. Note that the public
key may be widely distributed, but the private key and passphrase should be accessible and known only to the
user.
Page 2
Copyright ©2005 CNET Networks, Inc. All rights reserved.
To see more downloads and get your free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html.
Five steps to a secure login using SSH
On successful completion, you will see a message like this:
Your identification has been saved in /home/rufus/.ssh/id_dsa.
Your public key has been saved in /home/rufus/.ssh/id_dsa.pub.
The key fingerprint is:
f9:c2:d4:73:bf:54:d4:4a:14:6f:ea:0d:f1:23:eb:00 rufus@local.site.com
Here's an example of the public key generated by this step:
ssh-dss
AAAAB3NzaC1kc3MAAACBAK/OZUL/HrUFbjSHEf8FyV2TQciMJTHtLt813Og8vifngpGFZEtvjtgn29rU2DI
rVYesf01QrtOtyOVubN6dpWdLVgICL++4s6UsAjynf9h8PO0oguZKHyilLsNKjSwymR+Uv+Mi++doi6xHn+
5BQdrizndwzva1L4QdIND5QcVJGLAAAAFQCLXzRJjPhW/31F5qPM/N1l/9S87wAAAIByEvyWZt0dUA3yllZ
T9adcoIQxLU6FtPbhNXmp+K0W7uypWIB8q6lYQSlahWZBC8ecG63m6CknsTxTmu3xvz+4+0VeJdMBeSveE9
OeY8Hk3v4Xep2VuDaKLZtJaUXs1874UUVV8NsRFs/t2IrEGSkUJzKNaMGaYlHasVJJY2R+bClgo1wAAAIA2
MOpeX75UiJ2+asMZ9sGi1cRFb+ADXt3jcmvzo3jxw8jcjBW1rHa9iExE2OPi0v/ThJvnTZdVXYy7XL/Gq6Z
96pxzbsL0cJNRh4lAFMGwCj03wvA6TC5eVehYI5pJoIfKLagrgQAdKEBeh5UmQ4axsjtRSLVhcW/wle2Ez3
2QAA== rufus@local.site.com
4. Configure authentication
Use FTP or telnet to log in to the remote user account. On the remote host, create a ~/.ssh directory in the remote
user's home directory and upload the public key file (id_dsa.pub) generated in the previous step. Then, create a
file named authorized_keys in the ~/.ssh directory. Copy the contents of the public key file to the authorized_keys
file, as shown below:
webmaster@faraway.site.com $ mkdir .ssh
webmaster@faraway.site.com $ cat id_dsa.pub >> .ssh/authorized_keys
5. Start SSH and log in
On both remote and local hosts, start SSH with the sshd command:
root@local.site.com $ /usr/local/sbin/sshd
root@faraway.site.com $ /usr/local/sbin/sshd
Then, on the local host, use the ssh command to log in to the remote user account:
rufus@local.site.com $ ssh -l webmaster faraway.site.com
Notice that the ssh command includes both the name of the remote user and remote host.
You will be asked for the passphrase to the private key, as entered in step 3. Enter this, and you will be logged in
to the remote user account. All communication between the two hosts will now be encrypted, foiling any attempt
to electronically eavesdrop on the connection. You're done!
Additional Notes
Disabling telnet
The normal telnet command sends passwords and other data in clear text over the network link. Hence,
once you have an encrypted SSH connection configured and working, it's a good idea to disable the
normal telnet command. To do this, look in your system's /etc/xinetd.d/telnet file and ensure it contains
the line disable = yes. Then, restart the xinetd service with the command /etc/rc.d/init.d/xinetd restart.
Automatically loading SSH at startup
You can have SSH automatically start at system boot-up, by adding the command /usr/sbin/sshd to your
system's start-up file, for example /etc/rc.local.
Page 3
Copyright ©2005 CNET Networks, Inc. All rights reserved.
To see more downloads and get your free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html.
Five steps to a secure login using SSH
TechRepublic
Additional resources
•
Use SSH tunneling for secure B2B networking (Article)
•
SSH and Intrusion Detection (White paper)
•
Monitor and manage logs in Linux/UNIX (Download)
Version history
Version: 1.0
Published: March 22, 2005
Tell us what you think
TechRepublic downloads are designed to help you get your job done as painlessly and effectively as possible.
Because we're continually looking for ways to improve the usefulness of these tools, we need your feedback.
Please take a minute to drop us a line and tell us how well this download worked for you and offer your suggestions
for improvement.
Thanks!
—The TechRepublic Downloads Team
Page 4
Copyright ©2005 CNET Networks, Inc. All rights reserved.
To see more downloads and get your free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html.
0
