NOTE: CentOS Enterprise Linux 5 is built from the Red Hat Enterprise Linux source code. Other than logo and name changes CentOS Enterprise Linux 5 is compatible with the equivalent Red Hat version. This document applies equally to both Red Hat and CentOS Enterprise Linux 5.
A secure command line interface is just the beginning of the
many ways SSH can be used. Given the proper amount of
bandwidth, X11 sessions can be directed over an SSH
channel. Or, by using TCP/IP forwarding, previously insecure
port connections between systems can be mapped to specific SSH
channels.
17.7.1. X11 Forwarding
Opening an X11 session over an SSH connection is as easy as
connecting to the SSH server using the -Y
option and running an X program on a local machine.
ssh -Y <user>@example.com
When an X program is run from the secure shell prompt, the
SSH client and server create a new secure channel, and the X
program data is sent over that channel to the client machine
transparently.
X11 forwarding can be very useful. For example, X11
forwarding can be used to create a secure, interactive
session of the
Printer Configuration Tool. To do this,
connect to the server using ssh and type:
system-config-printer &
After supplying the root password for the server, the
Printer Configuration Tool
appears and allows the remote user to safely configure
printing on the remote system.
17.7.2. Port Forwarding
SSH can secure otherwise insecure TCP/IP protocols via port
forwarding. When using this technique, the SSH server
becomes an encrypted conduit to the SSH client.
Port forwarding works by mapping a local port on the client
to a remote port on the server. SSH can map any port from
the server to any port on the client; port numbers do not
need to match for this technique to work.
To create a TCP/IP port forwarding channel which listens for
connections on the localhost, use the following command:
Setting up port forwarding to listen on ports below 1024
requires root level access.
To check email on a server called mail.example.com using POP3 through
an encrypted connection, use the following command:
ssh -L 1100:mail.example.com:110 mail.example.com
Once the port forwarding channel is in place between the
client machine and the mail server, direct a POP3 mail client
to use port 1100 on the localhost to check for new mail. Any
requests sent to port 1100 on the client system are directed
securely to the mail.example.com server.
If mail.example.com is not
running an SSH server, but another machine on the same
network is, SSH can still be used to secure part of the
connection. However, a slightly different command is
necessary:
In this example, POP3 requests from port 1100 on the client
machine are forwarded through the SSH connection on port 22
to the SSH server, other.example.com. Then, other.example.com connects to port
110 on mail.example.com to
check for new mail. Note, when using this technique only the
connection between the client system and other.example.com SSH server is
secure.
Port forwarding can also be used to get information securely
through network firewalls. If the firewall is configured to
allow SSH traffic via its standard port (22) but blocks
access to other ports, a connection between two hosts using
the blocked ports is still possible by redirecting their
communication over an established SSH connection.
Note
Using port forwarding to forward connections in this manner
allows any user on the client system to connect to that
service. If the client system becomes compromised, the
attacker also has access to forwarded services.
System administrators concerned about port forwarding can
disable this functionality on the server by specifying a
No parameter for the
AllowTcpForwarding line
in /etc/ssh/sshd_config and
restarting the sshd
service.
17.7.3. Generating Key Pairs
If you do not want to enter your password every time you use
ssh, scp, or sftp to connect to a remote machine,
you can generate an authorization key pair.
Keys must be generated for each user. To generate keys for a
user, use the following steps as the user who wants to connect
to remote machines. If you complete the steps as root, only
root will be able to use the keys.
Starting with OpenSSH version 3.0, ~/.ssh/authorized_keys2, ~/.ssh/known_hosts2, and /etc/ssh_known_hosts2 are
obsolete. SSH Protocol 1 and 2 share the ~/.ssh/authorized_keys, ~/.ssh/known_hosts, and /etc/ssh/ssh_known_hosts files.
Red Hat Enterprise Linux 5 uses SSH Protocol 2 and RSA keys by default.
Tip
If you reinstall and want to save your generated key pair,
backup the .ssh directory
in your home directory. After reinstalling, copy this
directory back to your home directory. This process can be
done for all users on your system, including root.
17.7.3.1. Generating an RSA Key Pair for Version 2
Use the following steps to generate an RSA key pair for
version 2 of the SSH protocol. This is the default starting
with OpenSSH 2.9.
To generate an RSA key pair to work with version 2 of
the protocol, type the following command at a shell
prompt:
ssh-keygen -t rsa
Accept the default file location of ~/.ssh/id_rsa. Enter a
passphrase different from your account password and confirm
it by entering it again.
The public key is written to ~/.ssh/id_rsa.pub. The private
key is written to ~/.ssh/id_rsa. Never distribute
your private key to anyone.
Change the permissions of the .ssh directory using the
following command:
chmod 755 ~/.ssh
Copy the contents of ~/.ssh/id_rsa.pub into the
file ~/.ssh/authorized_keys on the
machine to which you want to connect. If the file
~/.ssh/authorized_keys exist,
append the contents of the file ~/.ssh/id_rsa.pub to the file
~/.ssh/authorized_keys on the
other machine.
Change the permissions of the authorized_keys file using
the following command:
Use the following steps to generate a DSA key pair for
version 2 of the SSH Protocol.
To generate a DSA key pair to work with version 2 of the
protocol, type the following command at a shell prompt:
ssh-keygen -t dsa
Accept the default file location of ~/.ssh/id_dsa. Enter a
passphrase different from your account password and
confirm it by entering it again.
Tip
A passphrase is a string of words and characters used to
authenticate a user. Passphrases differ from passwords
in that you can use spaces or tabs in the
passphrase. Passphrases are generally longer than
passwords because they are usually phrases instead of a
single word.
The public key is written to ~/.ssh/id_dsa.pub. The
private key is written to ~/.ssh/id_dsa. It is
important never to give anyone the private key.
Change the permissions of the .ssh directory with the
following command:
chmod 755 ~/.ssh
Copy the contents of ~/.ssh/id_dsa.pub into the
file ~/.ssh/authorized_keys on the
machine to which you want to connect. If the file
~/.ssh/authorized_keys exist,
append the contents of the file ~/.ssh/id_dsa.pub to the file
~/.ssh/authorized_keys on the
other machine.
Change the permissions of the authorized_keys file using
the following command:
17.7.3.3. Generating an RSA Key Pair for Version 1.3 and 1.5
Use the following steps to generate an RSA key pair, which
is used by version 1 of the SSH Protocol. If you are only
connecting between systems that use DSA, you do not need an
RSA version 1.3 or RSA version 1.5 key pair.
To generate an RSA (for version 1.3 and 1.5 protocol)
key pair, type the following command at a shell prompt:
ssh-keygen -t rsa1
Accept the default file location (~/.ssh/identity). Enter a
passphrase different from your account
password. Confirm the passphrase by entering it again.
The public key is written to ~/.ssh/identity.pub. The
private key is written to ~/.ssh/identity. Do not give
anyone the private key.
Change the permissions of your .ssh directory and your key
with the commands chmod 755
~/.ssh and chmod 644
~/.ssh/identity.pub.
Copy the contents of ~/.ssh/identity.pub into the
file ~/.ssh/authorized_keys on the
machine to which you wish to connect. If the file
~/.ssh/authorized_keys does
not exist, you can copy the file ~/.ssh/identity.pub to the
file ~/.ssh/authorized_keys on the
remote machine.
The ssh-agent utility can
be used to save your passphrase so that you do not have to
enter it each time you initiate an ssh or scp connection. If you are using
GNOME, the gnome-ssh-askpass package
contains the application used to prompt you for your
passphrase when you log in to GNOME and save it until you
log out of GNOME. You will not have to enter your password
or passphrase for any ssh
or scp connection made
during that GNOME session. If you are not using GNOME, refer
to Section 17.7.3.5, “Configuring ssh-agent”.
To save your passphrase during your GNOME session, follow
the following steps:
You will need to have the package gnome-ssh-askpass
installed; you can use the command rpm -q openssh-askpass
to determine if it is installed or not. If it is not
installed, install it from your Red Hat Enterprise Linux
CD-ROM set, from a Red Hat FTP mirror site, or using Red
Hat Network.
Select Main Menu
Button (on the Panel) => Preferences =>
More
Preferences => Sessions, and click on the
Startup Programs
tab. Click Add
and enter /usr/bin/ssh-add in the
Startup Command
text area. Set it a priority to a number higher than any
existing commands to ensure that it is executed last. A
good priority number for ssh-add is 70 or higher. The
higher the priority number, the lower the priority. If
you have other programs listed, this one should have the
lowest priority. Click Close to exit the program.
Log out and then log back into GNOME; in other words,
restart X. After GNOME is started, a dialog box will
appear prompting you for your passphrase(s). Enter the
passphrase requested. If you have both DSA and RSA key
pairs configured, you will be prompted for both. From
this point on, you should not be prompted for a password
by ssh, scp, or sftp.
17.7.3.5. Configuring ssh-agent
The ssh-agent can be used
to store your passphrase so that you do not have to enter it
each time you make a ssh
or scp connection. If you
are not running the X Window System, follow these steps from
a shell prompt. If you are running GNOME but you do not want
to configure it to prompt you for your passphrase when you
log in (refer to Section 17.7.3.4, “Configuring ssh-agent with a GUI”), this procedure
will work in a terminal window, such as an XTerm. If you are
running X but not GNOME, this procedure will work in a
terminal window. However, your passphrase will only be
remembered for that terminal window; it is not a global
setting.
At a shell prompt, type the following command:
exec /usr/bin/ssh-agent $SHELL
Then type the command:
ssh-add
and enter your passphrase(s). If you have more than one
key pair configured, you will be prompted for each one.
When you log out, your passphrase(s) will be
forgotten. You must execute these two commands each time
you log in to a virtual console or open a terminal
window.