Using Solaris Secure Shell
Solaris Secure Shell provides secure access between a local shell and a
remote shell. For more information, see the ssh_config(4) and ssh(1) man pages.
How to Generate a Public/Private Key Pair for Use With Solaris Secure Shell
Users must generate a public/private key pair when their site implements host-based authentication
or user public-key authentication. For additional options, see the ssh-keygen(1) man page.
Before You Begin
Determine from your system administrator if host-based authentication is configured.
- Start the key generation program.
myLocalHost% ssh-keygen -t rsa
Generating public/private rsa key pair.
…
where -t is the type of algorithm, one of rsa, dsa, or rsa1.
- Specify the path to the file that will hold the key.
By default, the file name id_rsa, which represents an RSA v2 key, appears in
parentheses. You can select this file by pressing the Return key. Or,
you can type an alternative file name.
Enter file in which to save the key (/home/jdoe/.ssh/id_rsa):<Press Return>
The file name of the public key is created automatically by appending the
string .pub to the name of the private key file.
- Type a passphrase for using your key.
This passphrase is used for encrypting your private key. A null entry is
strongly discouraged. Note that the passphrase is not displayed when you type it in.
Enter passphrase (empty for no passphrase): <Type passphrase>
- Retype the passphrase to confirm it.
Enter same passphrase again: <Type passphrase>
Your identification has been saved in /home/jdoe/.ssh/id_rsa.
Your public key has been saved in /home/jdoe/.ssh/id_rsa.pub.
The key fingerprint is:
0e:fb:3d:57:71:73:bf:58:b8:eb:f3:a3:aa:df:e0:d1 jdoe@myLocalHost
- Check the results.
Check that the path to the key file is correct.
% ls ~/.ssh
id_rsa
id_rsa.pub
At this point, you have created a public/private key pair.
- Choose the appropriate option:
- (Optional) Reduce the prompting for passphrases.
For a procedure, see How to Reduce Password Prompts in Solaris Secure Shell. For more information, see the ssh-agent(1) and
ssh-add(1) man pages.
Example 19-2 Establishing a v1 RSA Key for a User
In the following example, the user can contact hosts that run v1 of
the Solaris Secure Shell protocol. To be authenticated by v1 hosts, the user
creates a v1 key, then copies the public key portion to the remote
host.
myLocalHost% ssh-keygen -t rsa1 -f /home/jdoe/.ssh/identity
Generating public/private rsa key pair.
…
Enter passphrase (empty for no passphrase): <Type passphrase>
Enter same passphrase again: <Type passphrase>
Your identification has been saved in /home/jdoe/.ssh/identity.
Your public key has been saved in /home/jdoe/.ssh/identity.pub.
The key fingerprint is:
…
myLocalHost% ls ~/.ssh
id_rsa
id_rsa.pub
identity
identity.pub
myLocalHost% cat $HOME/.ssh/identity.pub | ssh myRemoteHost \
'cat >> .ssh/authorized_keys && echo "Key copied"'
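The last command above appends the public key blindly. The following is an added example, not code from the Solaris documentation: a local, idempotent form of that step that creates .ssh and authorized_keys with owner-only modes and adds a key only once, for both v1 (identity.pub) and v2 (id_rsa.pub, id_dsa.pub) key lines. The function name, the WORK scratch directory and the key data are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the Solaris docs): idempotent authorized_keys install.
# Usage: install_authorized_key /path/to/key.pub /path/to/.ssh
install_authorized_key() {
  pub=$1; sshdir=$2; ak=$sshdir/authorized_keys
  read -r line < "$pub"                   # first line of the .pub file
  [ -n "$line" ] || { echo "empty key file: $pub" >&2; return 2; }
  set -- $line
  [ $# -ge 2 ] || { echo "not a public key line: $pub" >&2; return 2; }
  # The comment field is free text; identify the key by the fields before it.
  case $1 in
    [0-9]*) kid="$1 $2 $3" ;;             # v1 identity.pub: bits exponent modulus [comment]
    *)      kid="$1 $2" ;;                # v2 id_rsa.pub / id_dsa.pub: type base64 [comment]
  esac
  old_umask=$(umask); umask 077           # anything created below is owner-only
  mkdir -p "$sshdir" && chmod 700 "$sshdir"
  [ -f "$ak" ] || : > "$ak"
  chmod 600 "$ak"                         # sshd ignores a group/world-writable file
  umask "$old_umask"
  # Already present? Match the key fields exactly, followed by a space or end of line.
  if awk -v kid="$kid" 'index($0, kid) == 1 &&
        (length($0) == length(kid) || substr($0, length(kid) + 1, 1) == " ") { f = 1 }
      END { exit !f }' "$ak"; then
    return 0
  fi
  printf '%s\n' "$line" >> "$ak"
}

# Constructed sample keys in a scratch directory (the key data is made up).
WORK=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0madeUpKeyData jdoe@myLocalHost\n' > "$WORK/id_rsa.pub"
printf '1024 35 1234567890123456789 jdoe@myLocalHost\n' > "$WORK/identity.pub"
install_authorized_key "$WORK/id_rsa.pub"   "$WORK/.ssh"
install_authorized_key "$WORK/identity.pub" "$WORK/.ssh"
install_authorized_key "$WORK/id_rsa.pub"   "$WORK/.ssh"   # repeat: nothing is added
cat "$WORK/.ssh/authorized_keys"
```

On a real host, run it against a .pub file copied from the client; it returns 0 whether the key was added or was already present.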
How to Change the Passphrase for a Solaris Secure Shell Private Key
The following procedure does not change the private key. The procedure changes the
authentication mechanism for the private key, the passphrase. For more information, see the
ssh-keygen(1) man page.
- Change your passphrase.
Type the ssh-keygen command with the -p option, and answer the prompts.
myLocalHost% ssh-keygen -p
Enter file which contains the private key (/home/jdoe/.ssh/id_rsa):<Press Return>
Enter passphrase (empty for no passphrase): <Type passphrase>
Enter same passphrase again: <Type passphrase>
where -p requests changing the passphrase of a private key file.
How to Log In to a Remote Host With Solaris Secure Shell
- Start a Solaris Secure Shell session.
Type the ssh command, and specify the name of the remote host.
myLocalHost% ssh myRemoteHost
A prompt questions the authenticity of the remote host:
The authenticity of host 'myRemoteHost' can't be established.
RSA key fingerprint in md5 is: 04:9f:bd:fc:3d:3e:d2:e7:49:fd:6e:18:4f:9c:26
Are you sure you want to continue connecting(yes/no)?
This prompt is normal for initial connections to remote hosts.
- If prompted, verify the authenticity of the remote host key.
- If you cannot confirm the authenticity of the remote host, type no
and contact your system administrator.
Are you sure you want to continue connecting(yes/no)? no
The administrator is responsible for updating the global /etc/ssh/ssh_known_hosts file. An updated
ssh_known_hosts file prevents this prompt from appearing.
- If you confirm the authenticity of the remote host, answer the prompt and
continue to the next step.
Are you sure you want to continue connecting(yes/no)? yes
- Authenticate yourself to Solaris Secure Shell.
- When prompted, type your passphrase.
Enter passphrase for key '/home/jdoe/.ssh/id_rsa': <Type passphrase>
- When prompted, type your account password.
jdoe@myRemoteHost's password: <Type password>
Last login: Fri Jul 20 14:24:10 2001 from myLocalHost
myRemoteHost%
- Conduct transactions on the remote host.
The commands that you send are encrypted. Any responses that you receive are
encrypted.
- Close the Solaris Secure Shell connection.
When you are finished, type exit or use your usual method for exiting
your shell.
myRemoteHost% exit
myRemoteHost% logout
Connection to myRemoteHost closed
myLocalHost%
How to Reduce Password Prompts in Solaris Secure Shell
If you do not want to type your passphrase and your password
to use Solaris Secure Shell, you can use the agent daemon. Start the
daemon at the beginning of the session. Then, store your private keys with
the agent daemon by using the ssh-add command. If you have different
accounts on different hosts, add the keys that you need for the session.
You can start the agent daemon manually when needed, as described in the
following procedure. Or, you can set the agent daemon to run automatically at
the start of every session as described in How to Set Up the ssh-agent Command to Run Automatically in CDE.
- Start the agent daemon.
myLocalHost% ssh-agent
- Verify that the agent daemon has been started.
myLocalHost% eval `ssh-agent`
Agent pid 9892
- Add your private key to the agent daemon.
Type the ssh-add command.
myLocalHost% ssh-add
Enter passphrase for /home/jdoe/.ssh/id_rsa: <Type passphrase>
Identity added: /home/jdoe/.ssh/id_rsa(/home/jdoe/.ssh/id_rsa)
myLocalHost%
- Start a Solaris Secure Shell session.
myLocalHost% ssh myRemoteHost
You are not prompted for a passphrase.
Example 19-3 Using ssh-add Options
In this example, jdoe adds two keys to the agent daemon. The -l
option is used to list all keys that are stored in the daemon.
At the end of the session, the -D option is used to remove
all the keys from the agent daemon.
myLocalHost% ssh-agent
myLocalHost% ssh-add
Enter passphrase for /home/jdoe/.ssh/id_rsa: <Type passphrase>
Identity added: /home/jdoe/.ssh/id_rsa(/home/jdoe/.ssh/id_rsa)
myLocalHost% ssh-add /home/jdoe/.ssh/id_dsa
Enter passphrase for /home/jdoe/.ssh/id_dsa: <Type passphrase>
Identity added: /home/jdoe/.ssh/id_dsa(/home/jdoe/.ssh/id_dsa)
myLocalHost% ssh-add -l
md5 1024 0e:fb:3d:53:71:77:bf:57:b8:eb:f7:a7:aa:df:e0:d1 /home/jdoe/.ssh/id_rsa(RSA)
md5 1024 c1:d3:21:5e:40:60:c5:73:d8:87:09:3a:fa:5f:32:53 /home/jdoe/.ssh/id_dsa(DSA)
User conducts Solaris Secure Shell transactions
myLocalHost% ssh-add -D
Identity removed: /home/jdoe/.ssh/id_rsa(/home/jdoe/.ssh/id_rsa.pub)
/home/jdoe/.ssh/id_dsa(DSA)
How to Set Up the ssh-agent Command to Run Automatically in CDE
If you use CDE, you can avoid providing your passphrase and password whenever
you use Solaris Secure Shell by automatically starting an agent daemon, ssh-agent.
You can start the agent daemon from the .dtprofile script. To add your
passphrase and password to the agent daemon, see Example 19-3.
Caution - If you use the Sun Java Desktop System (Java DS), do not set
up the ssh-agent command to run automatically. Because the killing of the ssh-agent
process is controlled by a CDE interface, when you exit the Java DS,
the daemon continues to run. For example, if you start the daemon in
a CDE session, move to a Java DS session, and then log out,
the daemon continues to run.
A running daemon uses system resources. Although no known issues are associated with
leaving the ssh-agent daemon running, the daemon contains a password, which could create a
security risk.
- Start the agent daemon automatically in a user startup script.
Add the following lines to the end of the $HOME/.dtprofile script:
if [ "$SSH_AUTH_SOCK" = "" -a -x /usr/bin/ssh-agent ]; then
eval `/usr/bin/ssh-agent`
fi
- Terminate the agent daemon when you exit the CDE session.
Add the following lines to the $HOME/.dt/sessions/sessionexit script:
if [ "$SSH_AGENT_PID" != "" -a -x /usr/bin/ssh-agent ]; then
/usr/bin/ssh-agent -k
fi
This entry ensures that no one can use the Solaris Secure Shell
agent after a CDE session is terminated. Because the script uses a CDE-specific
interface, sessionexit, this procedure does not terminate the agent daemon in a
Sun Java Desktop System session.
How to Use Port Forwarding in Solaris Secure Shell
You can specify that a local port be forwarded to a remote
host. Effectively, a socket is allocated to listen to the port on the
local side. The connection from this port is made over a secure channel
to the remote host. For example, you might specify port 143 to obtain
email remotely with IMAP4. Similarly, a port can be specified on the remote
side.
Before You Begin
To use port forwarding, the administrator must have enabled port forwarding on the
remote Solaris Secure Shell server. For details, see How to Configure Port Forwarding in Solaris Secure Shell.
- To use secure port forwarding, choose one of the following options:
- To set a local port to receive secure communication from a remote port,
specify both ports.
Specify the local port that listens for remote communication. Also, specify the remote
host and the remote port that forward the communication.
myLocalHost% ssh -L localPort:remoteHost:remotePort
- To set a remote port to receive a secure connection from a
local port, specify both ports.
Specify the remote port that listens for remote communication. Also, specify the local
host and the local port that forward the communication.
myLocalHost% ssh -R remotePort:localhost:localPort
Example 19-4 Using Local Port Forwarding to Receive Mail
The following example demonstrates how you can use local port forwarding to receive
mail securely from a remote server.
myLocalHost% ssh -L 9143:myRemoteHost:143 myRemoteHost
This command forwards connections from port 9143 on myLocalHost to port 143.
Port 143 is the IMAP v2 server port on myRemoteHost. When the user launches
a mail application, the user needs to specify the local port number, as
shown in the following dialog box.
Do not confuse localhost in the dialog box with myLocalHost. myLocalHost is
a hypothetical host name. localhost is a keyword that identifies your local system.
Example 19-5 Using Remote Port Forwarding to Communicate Outside of a Firewall
This example demonstrates how a user in an enterprise environment can forward connections
from a host on an external network to a host inside a corporate
firewall.
myLocalHost% ssh -R 9022:myLocalHost:22 myOutsideHost
This command forwards connections from port 9022 on myOutsideHost to port 22,
the sshd server, on the local host.
myOutsideHost% ssh -p 9022 localhost
myLocalHost%
How to Copy Files With Solaris Secure Shell
The following procedure shows how to use the scp command to copy encrypted
files between hosts. You can copy encrypted files either between a local host
and a remote host, or between two remote hosts. The command operates similarly
to the rcp command, except that the scp command prompts for authentication.
For more information, see the scp(1) man page.
You can also use the sftp command, a more secure form of the ftp
command. For more information, see the sftp(1) man page. For an example, see
Example 19-6.
- Start the secure copy program.
Specify the source file, the user name at the remote destination, and the
destination directory.
myLocalHost% scp myfile.1 jdoe@myRemoteHost:~
- Supply your passphrase when prompted.
Enter passphrase for key '/home/jdoe/.ssh/id_rsa': <Type passphrase>
myfile.1 25% |******* | 640 KB 0:20 ETA
myfile.1
After you type the passphrase, a progress meter is displayed. See the second
line in the preceding output. The progress meter displays:
- The file name
- The percentage of the file that has been transferred
- A series of asterisks that indicate the percentage of the file that has been transferred
- The quantity of data transferred
- The estimated time of arrival, or ETA, of the complete file (that is, the remaining amount of time)
Example 19-6 Specifying a Port When Using the sftp Command
In this example, the user wants the sftp command to use a specific
port. The user uses the -o option to specify the port.
% sftp -o port=2222 guest@RemoteFileServer
How to Set Up Default Connections to Hosts Outside a Firewall
You can use Solaris Secure Shell to make a connection from a
host inside a firewall to a host outside the firewall. This task is
done by specifying a proxy command for ssh either in a configuration file
or as an option on the command line. For the command-line option, see
Example 19-7.
In general, you can customize your ssh interactions through a configuration file:
either your own personal file, ~/.ssh/config, or the administrative
configuration file, /etc/ssh/ssh_config.
The files can be customized with two types of proxy commands. One
proxy command is for HTTP connections. The other proxy command is for SOCKS5
connections. For more information, see the ssh_config(4) man page.
- Specify the proxy commands and hosts in a configuration file.
Use the following syntax to add as many lines as you need:
[Host outside-host]
ProxyCommand proxy-command [-h proxy-server] \
[-p proxy-port] outside-host|%h outside-port|%p
- Host outside-host
Limits the proxy command specification to instances when a remote host name is specified on the command line. If you use a wildcard for outside-host, you apply the proxy command specification to a set of hosts.
- proxy-command
Specifies the proxy command. The command can be either of the following:
- /usr/lib/ssh/ssh-http-proxy-connect, for HTTP connections
- /usr/lib/ssh/ssh-socks5-proxy-connect, for SOCKS5 connections
- -h proxy-server and -p proxy-port
These options specify a proxy server and a proxy port, respectively. If present, the proxies override any environment variables that specify proxy servers and proxy ports, such as HTTPPROXY, HTTPPROXYPORT, SOCKS5_PORT, SOCKS5_SERVER, and http_proxy. The http_proxy variable specifies a URL. If the options are not used, then the relevant environment variables must be set. For more information, see the ssh-socks5-proxy-connect(1) and ssh-http-proxy-connect(1) man pages.
- outside-host
Designates a specific host to connect to. Use the %h substitution argument to specify the host on the command line.
- outside-port
Designates a specific port to connect to. Use the %p substitution argument to specify the port on the command line. By specifying %h and %p without using the Host outside-host option, the proxy command is applied to the host argument whenever the ssh command is invoked.
- Run Solaris Secure Shell, specifying the outside host.
For example, type the following:
myLocalHost% ssh myOutsideHost
This command looks for a proxy command specification for myOutsideHost in your
personal configuration file. If the specification is not found, then the command looks
in the system-wide configuration file, /etc/ssh/ssh_config. The proxy command is substituted for
the ssh command.
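To show how the lookup in this procedure works, here is an added example (not Solaris code): a shell function that reads ssh_config-style Host blocks, personal file first and then the system-wide file, and prints the ProxyCommand that applies to a host with %h and %p substituted. The function name, the USER_CFG and SYS_CFG files and their contents are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the Solaris docs): emulate how ssh picks a ProxyCommand.
# Print the substituted ProxyCommand for host $1 and port $2, searching the
# config files given as $3, $4, ... in order; print nothing if none applies.
resolve_proxy_command() (
  set -f                          # Host patterns are globs, not file names: no pathname expansion
  host=$1; port=$2; shift 2
  for cfg in "$@"; do
    [ -r "$cfg" ] || continue
    active=1                      # keywords before the first Host line apply to every host
    while read -r key rest; do
      case $key in
        ''|'#'*) ;;               # blank line or comment
        [Hh]ost)
          active=0                # a new block applies only if one of its patterns matches
          for pat in $rest; do
            case $host in $pat) active=1 ;; esac   # unquoted on purpose: * and ? are wildcards
          done ;;
        [Pp]roxy[Cc]ommand)
          if [ "$active" = 1 ]; then
            # ssh keeps the first value it finds for a keyword, so stop at the first hit
            printf '%s\n' "$rest" | sed -e "s|%h|$host|g" -e "s|%p|$port|g"
            return 0
          fi ;;
      esac
    done < "$cfg"
  done
  return 1
)

# Constructed sample configuration files
USER_CFG=$(mktemp); SYS_CFG=$(mktemp)
cat > "$USER_CFG" <<'EOF'
Host myOutsideHost
  ProxyCommand /usr/lib/ssh/ssh-http-proxy-connect -h myProxyServer -p 8080 %h %p
EOF
cat > "$SYS_CFG" <<'EOF'
# system-wide default: SOCKS5 for every host in the partner domain
Host *.partner.example
  ProxyCommand /usr/lib/ssh/ssh-socks5-proxy-connect -h socksProxy -p 1080 %h %p
EOF
resolve_proxy_command myOutsideHost 22 "$USER_CFG" "$SYS_CFG"
resolve_proxy_command db.partner.example 2222 "$USER_CFG" "$SYS_CFG"
```

The first call resolves from the personal file, the second from the system-wide file; a host that matches neither produces no output and a non-zero exit status.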
Example 19-7 Connecting to Hosts Outside a Firewall From the Command Line
How to Set Up Default Connections to Hosts Outside a Firewall explains how to specify a proxy command in a configuration file. In
this example, a proxy command is specified on the ssh command line.
% ssh -o'Proxycommand=/usr/lib/ssh/ssh-http-proxy-connect \
-h myProxyServer -p 8080 myOutsideHost 22' myOutsideHost
The -o option to the ssh command provides a command-line method of specifying
a proxy command. This example command does the following:
- Substitutes the HTTP proxy command for ssh
- Uses port 8080 and myProxyServer as the proxy server
- Connects to port 22 on myOutsideHost