The ssh command is a secure replacement for the
rlogin, rsh, and
telnet commands. It allows you to log in to
a remote machine as well as execute commands on a remote machine.
Logging in to a remote machine with ssh is similar
to using telnet. To log in to a remote machine
named penguin.example.net, type the following command at a shell
prompt:
ssh penguin.example.net
The first time you ssh to a remote machine, you
will see a message similar to the following:
The authenticity of host 'penguin.example.net' can't be established.
DSA key fingerprint is 94:68:3a:3a:bc:f3:9a:9b:01:5d:b3:07:38:e2:11:0c.
Are you sure you want to continue connecting (yes/no)?
Type yes to continue. This will add the server
to your list of known hosts (~/.ssh/known_hosts)
as seen in the following message:
Warning: Permanently added 'penguin.example.net' (RSA) to the list of known hosts.
Next, you will see a prompt asking for your password for the remote
machine. After entering your password, you will be at a shell prompt
for the remote machine. If you do not specify a username
the username that you are logged in as on the
local client machine is passed to the remote machine. If you want to
specify a different username, use the following command:
ssh username@penguin.example.net
You can also use the syntax ssh -l
username penguin.example.net.
The ssh command can be used to execute a command on
the remote machine without logging in to a shell prompt. The syntax
is ssh hostname command. For example, if you
want to execute the command ls /usr/share/doc on
the remote machine penguin.example.net, type the following command at a
shell prompt:
ssh penguin.example.net ls /usr/share/doc
After you enter the correct password, the contents of the remote directory
/usr/share/doc will be displayed, and you will
return to your local shell prompt.
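The first-connection prompt shown above is the only point at which ssh asks you to judge the server's identity; after you answer yes, the entry written to ~/.ssh/known_hosts is what every later connection is checked against. As an added example (not part of the guide), the following POSIX shell functions read a known_hosts file in the plain format of this OpenSSH era and classify a presented host key as matching, changed, or unknown. The sample file contents and the key strings are constructed placeholders, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not the guide's own code: look up a host in a known_hosts
# file written in the plain (unhashed) format,
#   host[,host2,...] keytype base64-key [comment]
# and classify a presented host key as match / changed / unknown.
# The sample file and key strings below are constructed placeholders.
KNOWN_HOSTS_SAMPLE=$(mktemp)
trap 'rm -f "$KNOWN_HOSTS_SAMPLE"' EXIT
cat > "$KNOWN_HOSTS_SAMPLE" <<'EOF'
# constructed sample, not real keys
penguin.example.net,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAplaceholderKEY1==
files.example.net ssh-dss AAAAB3NzaC1kc3MAAACBplaceholderKEY2==
EOF

# known_host_key FILE HOST: print "keytype key" for HOST; exit 1 if absent.
# The first field may list several names/addresses separated by commas.
known_host_key() {
    while read -r hosts keytype key rest; do
        case $hosts in '#'*|'') continue ;; esac   # skip comments and blank lines
        case ",$hosts," in
            *",$2,"*) printf '%s %s\n' "$keytype" "$key"; return 0 ;;
        esac
    done < "$1"
    return 1
}

# host_key_status FILE HOST KEYTYPE KEY: prints one of
#   match    - stored entry equals the presented key
#   changed  - stored entry differs (ssh reports this as REMOTE HOST
#              IDENTIFICATION HAS CHANGED; confirm out of band before trusting)
#   unknown  - no entry yet (first connection; confirm the fingerprint)
host_key_status() {
    stored=$(known_host_key "$1" "$2") || { echo unknown; return 0; }
    if [ "$stored" = "$3 $4" ]; then echo match; else echo changed; fi
}

# Stand-alone demonstration against the constructed sample.
host_key_status "$KNOWN_HOSTS_SAMPLE" penguin.example.net ssh-rsa \
    AAAAB3NzaC1yc2EAAAABIwAAAQEAplaceholderKEY1==
```

The "changed" case is the one that matters for security: the correct response is to confirm the new fingerprint with the server's administrator through another channel, not to delete the known_hosts line so the warning goes away. Later OpenSSH releases can hash host names in this file (HashKnownHosts), which this plain-text lookup does not decode.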
The scp command can be used to transfer files
between machines over a secure, encrypted connection. It is similar
to rcp.
The general syntax to transfer a local file to a remote system is as
follows:
scp <localfile> username@tohostname:<remotefile>
The <localfile> specifies the source
including path to the file, such as
/var/log/maillog. The
<remotefile> specifies the
destination, which can be a new filename such as
/tmp/hostname-maillog. For the remote system, if
you do not have a preceding /, the path will be
relative to the home directory of username,
typically /home/username/.
To transfer the local file shadowman to the home
directory of your account on penguin.example.net, type the following
at a shell prompt (replace username with
your username):
scp shadowman username@penguin.example.net:shadowman
This will transfer the local file shadowman to
/home/username/shadowman
on penguin.example.net. Alternately, you can leave off the final
shadowman in the
scp command.
The general syntax to transfer a remote file to the local system is as
follows:
scp username@tohostname:<remotefile> <newlocalfile>
The <remotefile> specifies the source
including path, and <newlocalfile>
specifies the destination including path.
Multiple files can be specified as the source files. For example, to
transfer the contents of the directory downloads/
to an existing directory called uploads/ on the
remote machine penguin.example.net, type the following at a shell
prompt:
scp downloads/* username@penguin.example.net:uploads/
The sftp utility can be used to open a secure,
interactive FTP session. It is similar to ftp
except that it uses a secure, encrypted connection. The general syntax
is sftp username@hostname. Once authenticated, you
can use a set of commands similar to those used by FTP. Refer to the
sftp man page for a list of these commands. To
read the man page, execute the command man sftp
at a shell prompt. The sftp utility is only
available in OpenSSH version 2.5.0p1 and higher.
If you do not want to enter your password every time you use
ssh, scp, or
sftp to connect to a remote machine,
you can generate an authorization key pair.
Keys must be generated for each user. To generate keys for a
user, use the following steps as the user who wants to connect
to remote machines. If you complete the steps as root,
only root will be able to use the keys.
Starting with OpenSSH version 3.0,
~/.ssh/authorized_keys2,
~/.ssh/known_hosts2, and
/etc/ssh_known_hosts2 are obsolete. SSH
Protocol 1 and 2 share the
~/.ssh/authorized_keys,
~/.ssh/known_hosts, and
/etc/ssh/ssh_known_hosts files.
Red Hat Enterprise Linux 4 uses SSH Protocol 2 and RSA keys by default.
Tip
If you reinstall and want to save your generated key pair,
back up the .ssh directory in your home
directory. After reinstalling, copy this directory back to your home
directory. This process can be done for all users on your system,
including root.
Use the following steps to generate an RSA key pair for version 2
of the SSH protocol. This is the default starting with OpenSSH 2.9.
To generate an RSA key pair to work with version 2 of the
protocol, type the following command at a shell prompt:
ssh-keygen -t rsa
Accept the default file location of
~/.ssh/id_rsa. Enter a passphrase
different from your account password and confirm it by entering
it again.
The public key is written to
~/.ssh/id_rsa.pub. The private key is
written to ~/.ssh/id_rsa. Never distribute
your private key to anyone.
Change the permissions of the .ssh directory
using the following command:
chmod 755 ~/.ssh
Copy the contents of ~/.ssh/id_rsa.pub
into the file ~/.ssh/authorized_keys on the
machine to which you want to connect. If the file
~/.ssh/authorized_keys exists, append the
contents of the file ~/.ssh/id_rsa.pub to
the file ~/.ssh/authorized_keys on the
other machine.
Change the permissions of the authorized_keys file
using the following command:
chmod 644 ~/.ssh/authorized_keys
Use the following steps to generate a DSA key pair for version 2 of
the SSH Protocol.
To generate a DSA key pair to work with version 2 of the
protocol, type the following command at a shell prompt:
ssh-keygen -t dsa
Accept the default file location of
~/.ssh/id_dsa. Enter a passphrase
different from your account password and confirm it by
entering it again.
Tip
A passphrase is a string of words and characters used to
authenticate a user. Passphrases differ from passwords in
that you can use spaces or tabs in the
passphrase. Passphrases are generally longer than passwords
because they are usually phrases instead of a single word.
The public key is written to
~/.ssh/id_dsa.pub. The private key is
written to ~/.ssh/id_dsa. It is important
never to give anyone the private key.
Change the permissions of the .ssh
directory with the following command:
chmod 755 ~/.ssh
Copy the contents of ~/.ssh/id_dsa.pub
into the file ~/.ssh/authorized_keys on the
machine to which you want to connect. If the file
~/.ssh/authorized_keys exists, append the
contents of the file ~/.ssh/id_dsa.pub to
the file ~/.ssh/authorized_keys on the
other machine.
Change the permissions of the authorized_keys file
using the following command:
chmod 644 ~/.ssh/authorized_keys
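The RSA and DSA procedures above end with the same two steps on the remote side: add the public key to ~/.ssh/authorized_keys and fix the permissions. The following POSIX shell functions are an added example, not the guide's own code, that perform those steps so that running them twice adds the key only once, and add a check the guide states only in prose: the private key must stay unreadable by group and others. All paths and the public-key contents are parameters or constructed placeholders, so the script works in a temporary directory rather than touching the real ~/.ssh; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not the guide's own code: the shared final steps of the
# RSA and DSA procedures (append the public key to authorized_keys, set
# permissions) done idempotently, plus a private-key permission check.
# Every path is a parameter; nothing here modifies the real ~/.ssh.

# install_pubkey PUBKEY_FILE SSH_DIR: append the single-line key in
# PUBKEY_FILE to SSH_DIR/authorized_keys unless that exact line is already
# present, then set the permissions the guide prescribes
# (755 on the directory, 644 on authorized_keys).
install_pubkey() {
    pub=$1 dir=$2 auth=$2/authorized_keys
    mkdir -p "$dir"
    key=$(cat "$pub")
    touch "$auth"
    # -x matches the whole line; -F takes the key literally (it contains '+' and '/')
    if ! grep -qxF -- "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
    chmod 755 "$dir"
    chmod 644 "$auth"
}

# authorized_key_count SSH_DIR: number of non-empty lines in authorized_keys.
authorized_key_count() {
    grep -c . "$1/authorized_keys"
}

# private_key_is_private KEYFILE: succeed only when group and others have no
# permission bits at all (ls -l columns 5-10 all '-'); ssh refuses to use a
# private key that is more open than that.
private_key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Demonstration on a temporary directory with a constructed public key:
# installing the same key twice must leave exactly one line. Prints 1.
demo_install_twice() {
    d=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAplaceholderKEY== user@client\n' > "$d/id_rsa.pub"
    install_pubkey "$d/id_rsa.pub" "$d/.ssh"
    install_pubkey "$d/id_rsa.pub" "$d/.ssh"
    n=$(authorized_key_count "$d/.ssh")
    rm -rf "$d"
    echo "$n"
}
demo_install_twice
```

On a real system the install step runs on the machine you connect to, with the public key carried over by scp as the guide describes; the private-key check belongs on the client, next to ~/.ssh/id_rsa or ~/.ssh/id_dsa.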
Use the following steps to generate an RSA key pair, which is used
by version 1 of the SSH Protocol. If you are only connecting
between systems that use DSA, you do not need an RSA version 1.3
or RSA version 1.5 key pair.
To generate an RSA (for version 1.3 and 1.5 protocol) key pair,
type the following command at a shell prompt:
ssh-keygen -t rsa1
Accept the default file location
(~/.ssh/identity). Enter a passphrase
different from your account password. Confirm the passphrase
by entering it again.
The public key is written to
~/.ssh/identity.pub. The private key is
written to ~/.ssh/identity. Do not give
anyone the private key.
Change the permissions of your .ssh
directory and your key with the commands chmod 755
~/.ssh and chmod 644
~/.ssh/identity.pub.
Copy the contents of ~/.ssh/identity.pub
into the file ~/.ssh/authorized_keys on the
machine to which you wish to connect. If the file
~/.ssh/authorized_keys does not exist, you
can copy the file ~/.ssh/identity.pub to
the file ~/.ssh/authorized_keys on the
remote machine.
The ssh-agent utility can be used to save your
passphrase so that you do not have to enter it each time you
initiate an ssh or scp
connection. If you are using GNOME, the
openssh-askpass-gnome package contains the
application used to prompt you for your passphrase when you log in
to GNOME and save it until you log out of GNOME. You will not have
to enter your password or passphrase for any ssh
or scp connection made during that GNOME
session. If you are not using GNOME, refer to Section 21.3.4.5 Configuring ssh-agent.
To save your passphrase during your GNOME session, follow these
steps:
You will need to have the package
openssh-askpass-gnome installed; you can
use the command rpm -q
openssh-askpass-gnome to determine if it is
installed or not. If it is not installed, install it from
your Red Hat Enterprise Linux CD-ROM set, from a Red Hat FTP mirror site, or using
Red Hat Network.
Select Main Menu Button (on the Panel) =>
Preferences =>
More Preferences =>
Sessions,
and click on the
Startup Programs tab. Click
Add and enter
/usr/bin/ssh-add in the Startup
Command text area. Set its priority to a number
higher than any existing commands to ensure that it is executed
last. A good priority number for ssh-add is
70 or higher. The higher the priority number, the lower the
priority. If you have other programs listed, this one should
have the lowest priority. Click Close to exit
the program.
Log out and then log back into GNOME; in other words, restart
X. After GNOME is started, a dialog box will appear prompting
you for your passphrase(s). Enter the passphrase requested.
If you have both DSA and RSA key pairs configured, you will be
prompted for both. From this point on, you should not be
prompted for a password by ssh,
scp, or sftp.
The ssh-agent can be used to store your
passphrase so that you do not have to enter it each time you make a
ssh or scp connection. If you
are not running the X Window System, follow these steps from a shell
prompt. If you are running GNOME but you do not want to configure it
to prompt you for your passphrase when you log in (refer to Section 21.3.4.4 Configuring ssh-agent with GNOME), this procedure will work in a
terminal window, such as an XTerm. If you are running X but not
GNOME, this procedure will work in a terminal window.
However, your passphrase will only be remembered for that
terminal window; it is not a global setting.
At a shell prompt, type the following command:
exec /usr/bin/ssh-agent $SHELL
Then type the command:
ssh-add
and enter your passphrase(s). If you have more than one
key pair configured, you will be prompted for each one.
When you log out, your passphrase(s) will be forgotten. You must
execute these two commands each time you log in to a virtual
console or open a terminal window.
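The exec form above starts a separate agent for every terminal, each holding its own copy of the decrypted keys. As an added example (not from the guide), the following POSIX shell snippet suits a login profile: it reuses an agent that is already reachable through SSH_AUTH_SOCK, starts one with eval of ssh-agent -s only when none is, and classifies ssh-add -l by its exit status so a script can tell "no agent" from "agent with no keys". The function names are the example's own.

```shell
#!/bin/sh
# Added example, not the guide's own code: reuse an existing ssh-agent
# rather than starting one per terminal, and report what it holds.

# agent_reachable: succeed if SSH_AUTH_SOCK names an existing UNIX socket.
# An empty or stale value (socket of an agent that has exited) fails.
agent_reachable() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# ensure_agent: start ssh-agent only when none is reachable. 'ssh-agent -s'
# prints Bourne-shell export lines; eval puts them in this shell, which is
# why this must be sourced from a profile rather than run as a subprocess.
ensure_agent() {
    if agent_reachable; then
        echo "reusing agent at $SSH_AUTH_SOCK"
    elif command -v ssh-agent >/dev/null 2>&1; then
        eval "$(ssh-agent -s)" >/dev/null
        echo "started agent at $SSH_AUTH_SOCK"
    else
        echo "ssh-agent not installed" >&2
        return 1
    fi
}

# agent_key_state: classify 'ssh-add -l' by exit status
#   0 -> loaded (identities listed)   1 -> empty (agent has no identities)
#   2 -> no-agent (cannot connect)    ssh-add missing -> unavailable
agent_key_state() {
    command -v ssh-add >/dev/null 2>&1 || { echo unavailable; return 0; }
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo no-agent ;;
    esac
}

# Stand-alone demonstration: report the current state without starting
# anything. In a profile you would call ensure_agent, then ssh-add when
# agent_key_state prints "empty".
if agent_reachable; then echo "agent socket: $SSH_AUTH_SOCK"; else echo "no agent socket"; fi
echo "key state: $(agent_key_state)"
```

Because ssh-add prompts for the passphrase only when agent_key_state reports "empty", a profile built on these functions asks once per login rather than once per terminal, and a second terminal simply inherits SSH_AUTH_SOCK from the session environment.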