NOTE: CentOS Enterprise Linux is built from the Red Hat Enterprise Linux source code. Other than logo and name changes, CentOS Enterprise Linux is compatible with the equivalent Red Hat version. This document applies equally to both Red Hat and CentOS Enterprise Linux.
To connect to an OpenSSH server from a client machine, you must
have the openssh-clients and openssh packages installed on the client
machine.
The ssh command is a secure replacement for the rlogin, rsh, and telnet commands, which send your password and the whole session in clear text. ssh authenticates the remote machine and encrypts everything that passes between the two hosts. It allows you to log in to a remote machine as well as execute commands on a remote machine.
Logging in to a remote machine with ssh is similar to using telnet. To log in to a remote machine named penguin.example.net, type the following command at a shell prompt:
ssh penguin.example.net
The first time you ssh to a remote machine, you will see a message similar to the following:
The authenticity of host 'penguin.example.net' can't be established.
RSA key fingerprint is 94:68:3a:3a:bc:f3:9a:9b:01:5d:b3:07:38:e2:11:0c.
Are you sure you want to continue connecting (yes/no)?
Before typing yes, compare the fingerprint shown with one you obtained out of band, for example from the server's administrator or by running ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub at the server's console. ssh has no way to verify a host it has never seen before, and if you accept an unknown key blindly, a machine impersonating penguin.example.net receives your password. Type yes to continue. This adds the server's key to your list of known hosts (the file ~/.ssh/known_hosts), as seen in the following message:
Warning: Permanently added 'penguin.example.net' (RSA) to the list of known hosts.
On later connections ssh compares the key the server presents with the stored one and refuses to connect if it has changed.
Next, you will see a prompt asking for your password for the
remote machine. After entering your password, you will be at a
shell prompt for the remote machine. If you do not specify a
username the username that you are logged in as on the local client
machine is passed to the remote machine. If you want to specify a
different username, use the following command:
ssh username@penguin.example.net
You can also use the syntax ssh -l
username
penguin.example.net.
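As an added example (not part of the original guide), the following shell script performs that out-of-band comparison against the entry ssh stored: it looks the host up in a known_hosts file, recomputes the MD5 fingerprint of the stored key and checks it against the fingerprint you were given. The known_hosts contents are constructed for the demonstration, with placeholder key blobs rather than real keys, and the script assumes the coreutils base64 and md5sum commands rather than an OpenSSH installation; known_hosts_entry, md5_fingerprint and verify_host_key are the example's own names.

```shell
#!/bin/sh
# Added example, not part of the original guide: verify the host key that ssh
# stored in known_hosts against a fingerprint obtained out of band.
# Assumes base64, md5sum, awk and sed from GNU or busybox coreutils; host
# names in the file are assumed to be unhashed (HashKnownHosts no).

# Print "keytype blob" for HOST from a known_hosts FILE. The first field may
# list several names separated by commas; @-marker lines and comments are skipped.
known_hosts_entry() {  # known_hosts_entry FILE HOST
    awk -v host="$2" '
        $1 !~ /^[#@]/ && NF >= 3 {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == host) { print $2, $3; exit }
        }' "$1"
}

# MD5 fingerprint of a base64 key blob, colon separated: the format printed by
# the OpenSSH of the RHEL 4 era (and by "ssh-keygen -l -E md5" today).
md5_fingerprint() {  # md5_fingerprint BASE64_BLOB
    printf '%s' "$1" | base64 -d | md5sum | cut -c1-32 | sed 's/../&:/g; s/:$//'
}

# Exit status 0: the stored key for HOST matches EXPECTED; 1: it does not;
# 2: no entry yet (the "continue connecting" prompt has not been answered).
verify_host_key() {  # verify_host_key FILE HOST EXPECTED_MD5
    entry=$(known_hosts_entry "$1" "$2")
    [ -n "$entry" ] || return 2
    [ "$(md5_fingerprint "${entry#* }")" = "$3" ]
}

# Constructed sample file: the blobs are placeholders (base64 of short
# strings), not real keys, so the expected value is just the MD5 of known
# bytes and the check runs without an OpenSSH installation.
SAMPLE_KNOWN_HOSTS=$(mktemp)
trap 'rm -f "$SAMPLE_KNOWN_HOSTS"' EXIT
printf '%s\n' \
    'penguin.example.net,192.0.2.10 ssh-rsa aGVsbG8=' \
    'other.example.net ssh-rsa d29ybGQ=' > "$SAMPLE_KNOWN_HOSTS"

# Fingerprint the administrator gave us for penguin.example.net (constructed).
EXPECTED=5d:41:40:2a:bc:4b:2a:76:b9:71:9d:91:10:17:c5:92
verify_host_key "$SAMPLE_KNOWN_HOSTS" penguin.example.net "$EXPECTED"; rc=$?
case $rc in
    0) echo "penguin.example.net: stored host key matches $EXPECTED" ;;
    1) echo "penguin.example.net: stored host key DOES NOT match, do not connect" ;;
    2) echo "penguin.example.net: no entry in known_hosts yet" ;;
esac
```

On a system with OpenSSH installed the same check is one command, ssh-keygen -l -F penguin.example.net; recent versions print SHA256 fingerprints by default and need -E md5 to show the colon-separated form above. The script returns 2 rather than 1 when the host is absent so a caller can tell "not yet trusted" from "key changed", which is the case that should stop you.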
The ssh command can be used to execute
a command on the remote machine without logging in to a shell
prompt. The syntax is ssh hostname command. For example, if you want to
execute the command ls /usr/share/doc on
the remote machine penguin.example.net, type the following command
at a shell prompt:
ssh penguin.example.net ls /usr/share/doc
After you enter the correct password, the contents of the remote
directory /usr/share/doc will be
displayed, and you will return to your local shell prompt.
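One detail of the ssh hostname command form deserves an example. ssh joins everything after the host name with spaces and passes the result to your login shell on the remote machine, which parses it again; an argument containing a space, a semicolon or a glob pattern is therefore re-interpreted on the remote side. The following helper, added here and not part of the original guide, quotes each argument for the remote shell before calling ssh. The names shquote, build_remote_cmd and run_remote are the example's own, and the directory name used in the demonstration is constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide. "ssh host command arg ..."
# does not pass the arguments to the remote program one by one: ssh joins
# them with spaces into a single string and the login shell on the remote
# side parses that string again. Spaces and shell metacharacters in an
# argument therefore change the command that actually runs over there.
# Plain POSIX sh; nothing beyond sed is assumed.

# Quote STRING so a POSIX shell reads it back as exactly one word: wrap it
# in single quotes, turning each embedded ' into '\'' (close the quotes,
# add an escaped quote, reopen).
shquote() {  # shquote STRING
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the one string that ssh will hand to the remote shell, with every
# local argument quoted individually.
build_remote_cmd() {  # build_remote_cmd COMMAND [ARG...]
    out=""
    for word in "$@"; do
        out="$out${out:+ }$(shquote "$word")"
    done
    printf '%s' "$out"
}

# Run COMMAND on HOST with the arguments preserved exactly as given locally.
run_remote() {  # run_remote HOST COMMAND [ARG...]
    host=$1; shift
    ssh "$host" "$(build_remote_cmd "$@")"
}

# Demonstration on a constructed path; no connection is made. The naive form
# turns one directory name into two remote commands, the second being "rm".
dir='/tmp/reports 2005; rm -rf *'
echo "what ssh host ls \"\$dir\" sends:  ls $dir"
echo "what run_remote sends:           $(build_remote_cmd ls "$dir")"
```

The same applies to the remote path given to scp, which the classic scp protocol passes through the remote shell, so a remote filename with spaces has to be quoted once for your shell and once for the remote one.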
The scp command can be used to transfer
files between machines over a secure, encrypted connection. It is
similar to rcp.
The general syntax to transfer a local file to a remote system
is as follows:
scp <localfile> username@tohostname:<remotefile>
The <localfile> specifies
the source including path to the file, such as /var/log/maillog. The <remotefile> specifies the destination,
which can be a new filename such as /tmp/hostname-maillog. For the remote system, if
you do not have a preceding /, the path
will be relative to the home directory of username, typically /home/username/.
To transfer the local file shadowman
to the home directory of your account on penguin.example.net, type
the following at a shell prompt (replace username with your username):
scp shadowman username@penguin.example.net:shadowman
This will transfer the local file shadowman to /home/username/shadowman on penguin.example.net.
Alternately, you can leave off the final shadowman in the scp command.
The general syntax to transfer a remote file to the local system
is as follows:
scp username@tohostname:<remotefile> <newlocalfile>
The <remotefile> specifies
the source including path, and <newlocalfile> specifies the destination
including path.
Multiple files can be specified as the source files. For
example, to transfer the contents of the directory downloads/ to an existing directory called
uploads/ on the remote machine
penguin.example.net, type the following at a shell prompt:
scp downloads/* username@penguin.example.net:uploads/
The sftp utility can be used to open a secure, interactive FTP-style session. It is similar to ftp except that it runs inside an SSH connection, so commands, credentials and file contents are all encrypted. The general syntax is sftp username@hostname. Once authenticated, you can use a set of commands similar to those used by FTP. Refer to the sftp man page for a list of these commands. To read the man page, execute the command man sftp at a shell prompt. The sftp utility is only available in OpenSSH version 2.5.0p1 and higher.
If you do not want to enter your password every time you use ssh, scp, or sftp to connect to a remote machine, you can generate an authentication key pair and use public-key authentication instead. The client then proves possession of the private key, which never leaves the client machine, and the server checks it against the public key stored in your authorized_keys file.
Keys must be generated for each user. To generate keys for a
user, use the following steps as the user who wants to connect to
remote machines. If you complete the steps as root, only root will
be able to use the keys.
Starting with OpenSSH version 3.0, ~/.ssh/authorized_keys2, ~/.ssh/known_hosts2, and /etc/ssh_known_hosts2 are obsolete. SSH Protocol 1
and 2 share the ~/.ssh/authorized_keys,
~/.ssh/known_hosts, and /etc/ssh/ssh_known_hosts files.
Red Hat Enterprise Linux 4 uses SSH Protocol 2 and RSA keys by
default.
Tip:
If you reinstall and want to save your generated key pair,
backup the .ssh directory in your home
directory. After reinstalling, copy this directory back to your
home directory. This process can be done for all users on your
system, including root.
Use the following steps to generate an RSA key pair for version
2 of the SSH protocol. This is the default starting with OpenSSH
2.9.
-
To generate an RSA key pair to work with version 2 of the protocol, type the following command at a shell prompt:
ssh-keygen -t rsa
Accept the default file location of ~/.ssh/id_rsa. Enter a passphrase different from your account password and confirm it by entering it again. The passphrase encrypts the private key on disk, so a copy of the file alone (from a backup or a stolen laptop) is not enough to log in with it.
The public key is written to ~/.ssh/id_rsa.pub. The private key is written to ~/.ssh/id_rsa, readable only by you (mode 600). Never distribute your private key to anyone.
-
Change the permissions of the .ssh directory using the following command:
chmod 755 ~/.ssh
sshd only requires that the directory not be writable by group or others; chmod 700 ~/.ssh is stricter and works just as well.
-
Copy the contents of ~/.ssh/id_rsa.pub into the file ~/.ssh/authorized_keys on the machine to which you want to connect. If the file ~/.ssh/authorized_keys already exists, append the contents of ~/.ssh/id_rsa.pub to it rather than overwriting it, since the file may hold other authorized keys. Only the public key is copied; the private key stays on the client.
-
Change the permissions of the authorized_keys file using the following command:
chmod 644 ~/.ssh/authorized_keys
A mode of 600 is equally acceptable and tighter. What matters is that neither the file nor the .ssh directory is writable by anyone but you; sshd refuses to use an authorized_keys file that is.
-
If you are running GNOME, skip to Section
21.3.4.4 Configuring ssh-agent with
GNOME. If you are not running the X Window System, skip to
Section
21.3.4.5 Configuring ssh-agent.
Use the following steps to generate a DSA key pair for version 2 of the SSH Protocol. DSA keys are fixed at 1024 bits and the ssh-dss algorithm is disabled by default in OpenSSH 7.0 and later, so prefer an RSA key unless a server you must reach accepts nothing else.
-
To generate a DSA key pair to work with version 2 of the protocol, type the following command at a shell prompt:
ssh-keygen -t dsa
Accept the default file location of ~/.ssh/id_dsa. Enter a passphrase different from your account password and confirm it by entering it again.
Tip:
A passphrase is a string of words and characters used to
authenticate a user. Passphrases differ from passwords in that you
can use spaces or tabs in the passphrase. Passphrases are generally
longer than passwords because they are usually phrases instead of a
single word.
The public key is written to ~/.ssh/id_dsa.pub. The private key is written to
~/.ssh/id_dsa. It is important never to
give anyone the private key.
-
Change the permissions of the .ssh directory with the following command:
chmod 755 ~/.ssh
-
Copy the contents of ~/.ssh/id_dsa.pub into the file ~/.ssh/authorized_keys on the machine to which you want to connect. If the file ~/.ssh/authorized_keys already exists, append the contents of ~/.ssh/id_dsa.pub to it rather than overwriting it.
-
Change the permissions of the authorized_keys file using the following command:
chmod 644 ~/.ssh/authorized_keys
As with the RSA key, 600 is also acceptable; the file must not be writable by group or others.
-
If you are running GNOME, skip to Section
21.3.4.4 Configuring ssh-agent with
GNOME. If you are not running the X Window System, skip to
Section
21.3.4.5 Configuring ssh-agent.
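The copy-and-chmod steps of the RSA and DSA procedures above are the part that most often goes wrong, usually by pasting the key twice or leaving authorized_keys writable by others. The following script, added here and not part of the original guide, does those steps idempotently and audits the result: install_pubkey appends a public key only if that line is not already present, and check_ssh_perms reports every mode that sshd's StrictModes option would reject. It assumes a Linux system with the coreutils stat -c option; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide: the "install the public key
# and fix the permissions" half of the RSA and DSA procedures, written so it
# can be re-run safely, plus a check of the modes that sshd's StrictModes
# setting enforces. Assumes a Linux host with GNU or busybox "stat -c %a".

# Exit 0 when MODE (as printed by stat -c %a, no leading zero, e.g. 755 or
# 2775) has the write bit set for group or others, 1 otherwise.
writable_by_others() {  # writable_by_others MODE
    g=$(( ($1 / 10) % 10 )); o=$(( $1 % 10 ))
    [ $(( g & 2 )) -ne 0 ] || [ $(( o & 2 )) -ne 0 ]
}

# Append the one-line public key in PUBKEY_FILE to AUTH_FILE unless that exact
# line is already there, creating .ssh and the file with tight modes on first
# use. Re-running it is harmless, which a bare "cat >>" is not.
install_pubkey() {  # install_pubkey PUBKEY_FILE AUTH_FILE
    dir=$(dirname "$2")
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$2" ] || { : > "$2" && chmod 600 "$2"; }
    key=$(cat "$1")
    grep -qxF -- "$key" "$2" || printf '%s\n' "$key" >> "$2"
}

# Print one line per file sshd would reject and return the number of problems:
# home, .ssh and authorized_keys must not be writable by group or others, and
# private keys must be 600 (or 400).
check_ssh_perms() {  # check_ssh_perms HOME_DIR
    home=$1; problems=0
    for d in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$d" ] || continue
        mode=$(stat -c %a "$d")
        if writable_by_others "$mode"; then
            echo "$d: mode $mode is writable by group or others"
            problems=$((problems + 1))
        fi
    done
    for f in "$home/.ssh/id_rsa" "$home/.ssh/id_dsa" "$home/.ssh/identity"; do
        [ -f "$f" ] || continue
        mode=$(stat -c %a "$f")
        if [ "$mode" != 600 ] && [ "$mode" != 400 ]; then
            echo "$f: private key mode $mode, must be 600"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Stand-alone use: "sh keys.sh" audits $HOME; "sh keys.sh install FILE.pub"
# appends that key to your own authorized_keys (run on the remote machine
# after copying the .pub file there).
if [ "${1:-}" = install ]; then
    install_pubkey "$2" "${3:-$HOME/.ssh/authorized_keys}"
else
    check_ssh_perms "$HOME" || echo "$? problem(s) found"
fi
```

sshd with StrictModes yes (the default) silently refuses public-key logins when the home directory, .ssh or authorized_keys is writable by group or others; the symptom is a password prompt where none was expected, and the reason is logged on the server in /var/log/secure. Running the audit on the remote account is the first thing to check when a freshly installed key is not accepted.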
Use the following steps to generate an RSA key pair for version 1 of the SSH Protocol (protocol versions 1.3 and 1.5). Protocol 1 is obsolete and has known cryptographic weaknesses; generate such a key only if you must reach a legacy server that speaks nothing else, and never enable protocol 1 on a server you administer. If you are only connecting between systems that use protocol 2 (RSA or DSA keys), you do not need a version 1 key pair.
-
To generate an RSA key pair for protocol 1.3 and 1.5, type the following command at a shell prompt:
ssh-keygen -t rsa1
Accept the default file location (~/.ssh/identity). Enter a passphrase different from your account password. Confirm the passphrase by entering it again.
The public key is written to ~/.ssh/identity.pub. The private key is written to ~/.ssh/identity. Do not give anyone the private key.
-
Change the permissions of your .ssh
directory and your key with the commands chmod
755 ~/.ssh and chmod 644
~/.ssh/identity.pub.
-
Copy the contents of ~/.ssh/identity.pub into the file ~/.ssh/authorized_keys on the machine to which you
wish to connect. If the file ~/.ssh/authorized_keys does not exist, you can copy
the file ~/.ssh/identity.pub to the file
~/.ssh/authorized_keys on the remote
machine.
-
If you are running GNOME, skip to Section
21.3.4.4 Configuring ssh-agent with
GNOME. If you are not running GNOME, skip to Section
21.3.4.5 Configuring ssh-agent.
The ssh-agent utility holds your decrypted private key in memory so that you do not have to enter the passphrase each time you initiate an ssh or scp connection. If you are using GNOME, the openssh-askpass-gnome package contains the application used to prompt you for your passphrase when you log in to GNOME; the agent keeps the key until you log out of GNOME, and you will not have to enter your password or passphrase for any ssh or scp connection made during that session to a host where your public key is installed. While a key is loaded, any process running under your account (and root) can authenticate with it through the agent, so only load keys on machines you trust. If you are not using GNOME, refer to Section 21.3.4.5 Configuring ssh-agent.
To save your passphrase during your GNOME session, follow these steps:
-
You will need to have the package openssh-askpass-gnome installed; you can use the
command rpm -q openssh-askpass-gnome to
determine if it is installed or not. If it is not installed,
install it from your Red Hat Enterprise Linux CD-ROM set, from a
Red Hat FTP mirror site, or using Red Hat Network.
-
Open the Sessions preference tool from the Panel menu and click on the Startup Programs tab. Click Add and enter /usr/bin/ssh-add in the Startup Command text area. Set its priority to a number higher than any existing commands to ensure that it is executed last; 70 or higher is a good value for ssh-add, since the higher the priority number, the lower the priority. If you have other programs listed, this one should have the lowest priority. Click Close to exit the program.
-
Log out and then log back into GNOME; in other words, restart X. After GNOME starts, a dialog box appears prompting you for your passphrase(s). Enter the passphrase requested. If you have both DSA and RSA key pairs configured, you will be prompted for both. From this point on, ssh, scp, and sftp should not prompt you for a passphrase when connecting to hosts where your public key is installed.
The ssh-agent utility can be used to store your passphrase so that you do not have to enter it each time you make an ssh or scp connection. If you are not running the X Window System, follow these steps from a shell prompt. If you are running GNOME but do not want it to prompt you for your passphrase when you log in (refer to Section 21.3.4.4 Configuring ssh-agent with GNOME), this procedure works in a terminal window, such as an XTerm. If you are running X but not GNOME, this procedure also works in a terminal window. In either case the passphrase is only remembered by the agent started for that terminal window; it is not a global setting.
-
At a shell prompt, type the following command:
exec /usr/bin/ssh-agent $SHELL
-
Then type the command:
ssh-add
and enter your passphrase(s). If you have more than one key pair configured, you will be prompted for each one.
-
When you log out, your passphrase(s) will be forgotten. You must
execute these two commands each time you log in to a virtual
console or open a terminal window.
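As an added alternative to exec /usr/bin/ssh-agent $SHELL, not part of the original guide: the script below starts an agent for a single command, loads the key with a lifetime (ssh-add -t) and kills the agent when the command finishes, so the decrypted key is never left behind in a forgotten terminal. with_agent and agent_var are the example's own names, and the sample agent output is constructed so the parser can be checked without ssh-agent installed.

```shell
#!/bin/sh
# Added example, not part of the original guide: keep a key in an agent only
# for the duration of one command, with a time limit, instead of for a whole
# login session. Assumes OpenSSH's ssh-agent and ssh-add when run for real;
# the output parsing is exercised on a constructed sample.

# "ssh-agent -s" prints Bourne-shell assignments such as
#   SSH_AUTH_SOCK=/tmp/ssh-XXXXab12/agent.4242; export SSH_AUTH_SOCK;
#   SSH_AGENT_PID=4243; export SSH_AGENT_PID;
# Extract one value by name rather than eval'ing the whole text.
agent_var() {  # agent_var "<ssh-agent -s output>" VARNAME
    printf '%s\n' "$1" | sed -n "s/^$2=\([^;]*\);.*/\1/p"
}

# with_agent KEYFILE SECONDS COMMAND [ARG...]
# Start a private agent, load KEYFILE into it for at most SECONDS (ssh-add -t),
# run COMMAND with that agent, and kill the agent when the script ends, even on
# error or Ctrl-C. The passphrase is asked for once, on the terminal.
with_agent() {
    key=$1; seconds=$2; shift 2
    out=$(ssh-agent -s) || return 1
    SSH_AUTH_SOCK=$(agent_var "$out" SSH_AUTH_SOCK); export SSH_AUTH_SOCK
    SSH_AGENT_PID=$(agent_var "$out" SSH_AGENT_PID); export SSH_AGENT_PID
    trap 'kill "$SSH_AGENT_PID" 2>/dev/null' EXIT INT TERM
    ssh-add -t "$seconds" "$key" || return 1
    "$@"
}

# Constructed sample of "ssh-agent -s" output for the parser.
SAMPLE_AGENT_OUTPUT='SSH_AUTH_SOCK=/tmp/ssh-XXXXab12/agent.4242; export SSH_AUTH_SOCK;
SSH_AGENT_PID=4243; export SSH_AGENT_PID;
echo Agent pid 4243;'

# Stand-alone use, e.g. copy a file with the key loaded for ten minutes:
#   sh agent.sh ~/.ssh/id_rsa 600 scp report.txt username@penguin.example.net:
if [ $# -ge 3 ]; then
    with_agent "$@"
else
    echo "parsed sample: sock=$(agent_var "$SAMPLE_AGENT_OUTPUT" SSH_AUTH_SOCK) pid=$(agent_var "$SAMPLE_AGENT_OUTPUT" SSH_AGENT_PID)"
fi
```

ssh-add -t sets a lifetime in seconds after which the agent forgets the key, and ssh-add -D removes all loaded keys immediately, which is worth running before leaving a terminal unattended. Do not combine a loaded agent with ssh -A (agent forwarding) to hosts you do not fully trust: root on such a host can use the forwarded socket to authenticate as you for as long as your session lasts.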