pam_apparmor
In networked environments, it is often necessary to access hosts from a
remote location. If a user sends login and password strings for
authentication purposes as plain text, they could be intercepted and
misused to gain access to that user account without the authorized user
knowing about it. This would open all the user's files to an attacker
and the illegal account could be used to obtain administrator or
root
access, or to penetrate
other systems. In the past, remote connections were established with
telnet
, rsh
or
rlogin
, which offered no guards against eavesdropping
in the form of encryption or other security mechanisms. There are other
unprotected communication channels, like the traditional FTP protocol
and some remote copying programs like rcp
.
The SSH suite provides the necessary protection by encrypting the authentication strings (usually a login name and a password) and all the other data exchanged between the hosts. With SSH, the data flow could still be recorded by a third party, but the contents are encrypted and cannot be reverted to plain text unless the encryption key is known. So SSH enables secure communication over insecure networks, such as the Internet. The SSH implementation coming with openSUSE Leap is OpenSSH.
openSUSE Leap installs the OpenSSH package by default providing the
commands ssh
, scp
, and
sftp
. In the default configuration, remote access of a
openSUSE Leap system is only possible with the OpenSSH utilities, and
only if the sshd
is running and
the firewall permits access.
SSH on openSUSE Leap uses cryptographic hardware acceleration if available. As a result, the transfer of large quantities of data through an SSH connection is considerably faster than without cryptographic hardware. As an additional benefit, the CPU will see a significant reduction in load.
ssh
—Secure Shell #
With ssh
it is possible to log in to remote
systems and to work interactively. To log in to the host
sun
as user tux
enter one of
the following commands:
ssh tux@sun ssh -l tux sun
If the user name is the same on both machines, you can omit it. Using
ssh sun
is sufficient. The remote host
prompts for the remote user's password. After a successful
authentication, you can work on the remote command line or use
interactive applications, such as YaST in text mode.
Furthermore, ssh
offers the possibility to run
non-interactive commands on remote systems using ssh
HOST COMMAND.
COMMAND needs to be properly quoted. Multiple
commands can be concatenated as on a local shell.
ssh root@sun "dmesg -T | tail -n 25" ssh root@sun "cat /etc/issue && uptime"
SSH also simplifies the use of remote X applications. If you run
ssh
with the -X
option, the
DISPLAY
variable is automatically set on the remote
machine and all X output is exported to the local machine over the
existing SSH connection. At the same time, X applications started
remotely cannot be intercepted by unauthorized individuals.
By adding the -A
option, the ssh-agent authentication
mechanism is carried over to the next machine. This way, you can work
from different machines without having to enter a password, but only if
you have distributed your public key to the destination hosts and
properly saved it there. Refer to
Section 14.5.2, “Copying an SSH Key” for details.
This mechanism is deactivated in the default settings, but can be
permanently activated at any time in the systemwide configuration file
/etc/ssh/sshd_config
by setting
AllowAgentForwarding yes
.
scp
—Secure Copy #
scp
copies files to or from a remote machine. If
the user name on jupiter is different than the user name on
sun, specify the latter using the
USER_NAME@host
format. If
the file should be copied into a directory other than the remote
user's home directory, specify it as
sun:DIRECTORY. The following
examples show how to copy a file from a local to a remote machine and
vice versa.
# local -> remote scp ~/MyLetter.tex tux@sun:/tmp # remote -> local scp tux@sun:/tmp/MyLetter.tex ~
-l
Option
With the ssh
command, the option
-l
can be used to specify a remote user (as an
alternative to the
USER_NAME@host
format). With scp
the option -l
is used to limit the bandwidth consumed by scp
.
After the correct password is entered, scp
starts the
data transfer. It displays a progress bar and the time remaining for each
file that is copied. Suppress all output with the -q
option.
scp
also provides a recursive copying feature for
entire directories. The command
scp -r src/ sun:backup/
copies the entire contents of the directory src
including all subdirectories to the ~/backup
directory on the host sun. If this subdirectory does not
exist, it is created automatically.
The -p
option tells scp
to leave the
time stamp of files unchanged. -C
compresses the data
transfer. This minimizes the data volume to transfer, but creates a
heavier burden on the processors of both machines.
sftp
—Secure File Transfer #sftp
#
If you want to copy several files from or to different locations,
sftp
is a convenient alternative to
scp
. It opens a shell with a set of commands similar
to a regular FTP shell. Type help
at the sftp-prompt
to get a list of available commands. More details are available from the
sftp
man page.
sftp sun Enter passphrase for key '/home/tux/.ssh/id_rsa': Connected to sun. sftp> help Available commands: bye Quit sftp cd path Change remote directory to 'path' [...]
As with a regular FTP server, a user cannot only download,
but also upload files to a remote machine running an SFTP server
by using the put
command. By default the
files will be uploaded to the remote host with the same
permissions as on the local host. There are two options to
automatically alter these permissions:
A umask works as a filter against the permissions of the original file on the local host. It can only withdraw permissions:
permissions original |
umask |
permissions uploaded |
---|---|---|
0666 |
0002 |
0664 |
0600 |
0002 |
0600 |
0775 |
0025 |
0750 |
To apply a umask on an SFTP server, edit the file
/etc/ssh/sshd_configuration
. Search for the line
beginning with Subsystem sftp
and add the
-u
parameter with the desired setting, for example:
Subsystem sftp /usr/lib/ssh/sftp-server -u 0002
Explicitly setting the permissions sets the same permissions for all
files uploaded via SFTP. Specify a three-digit pattern such as
600
, 644
, or
755
with -u
. When both
-m
and -u
are specified,
-u
is ignored.
To apply explicit permissions for uploaded files on an SFTP server,
edit the file /etc/ssh/sshd_configuration
.
Search for the line beginning with Subsystem sftp
and add the -m
parameter with the desired setting,
for example:
Subsystem sftp /usr/lib/ssh/sftp-server -m 600
sshd
) #
To work with the SSH client programs ssh
and
scp
, a server (the SSH daemon) must be running in the
background, listening for connections on TCP/IP port
22
. The daemon generates three key pairs when starting for the
first time. Each key pair consists of a private and a public key.
Therefore, this procedure is called public key-based. To
guarantee the security of the communication via SSH, access to the
private key files must be restricted to the system administrator. The
file permissions are set accordingly by the default installation. The
private keys are only required locally by the SSH daemon and must not be
given to anyone else. The public key components (recognizable by the name
extension .pub
) are sent to the client requesting
the connection. They are readable for all users.
A connection is initiated by the SSH client. The waiting SSH daemon and the requesting SSH client exchange identification data to compare the protocol and software versions, and to prevent connections through the wrong port. Because a child process of the original SSH daemon replies to the request, several SSH connections can be made simultaneously.
For the communication between SSH server and SSH client, OpenSSH supports
versions 1 and 2 of the SSH protocol. Version 2 of the
SSH protocol is used by default. Override this to use version 1
of protocol with the -1
option.
When using version 1 of SSH, the server sends its public host key and a server key, which is regenerated by the SSH daemon every hour. Both allow the SSH client to encrypt a freely chosen session key, which is sent to the SSH server. The SSH client also tells the server which encryption method (cipher) to use. Version 2 of the SSH protocol does not require a server key. Both sides use an algorithm according to Diffie-Hellman to exchange their keys.
The private host and server keys are absolutely required to decrypt the
session key and cannot be derived from the public parts. Only the
contacted SSH daemon can decrypt the session key using its private keys.
This initial connection phase can be watched closely by turning on
verbose debugging using the -v
option of the SSH client.
To watch the log entries from the sshd
use the following command:
tux >
sudo journalctl -u sshd
It is recommended to back up the private and public keys stored in
/etc/ssh/
in a secure, external location. In this
way, key modifications can be detected or the old ones can be used again
after having installed a new system.
If you install openSUSE Leap on a machine with existing Linux installations, the installation routine automatically imports the SSH host key with the most recent access time from an existing installation.
When establishing a secure connection with a remote host for the first
time, the client stores all public host keys in
~/.ssh/known_hosts
. This prevents any
man-in-the-middle attacks—attempts by foreign SSH servers to use
spoofed names and IP addresses. Such attacks are detected either by a
host key that is not included in ~/.ssh/known_hosts
,
or by the server's inability to decrypt the session key in the absence of
an appropriate private counterpart.
If the public keys of a host have changed (that needs to be verified
before connecting to such a server), the offending keys can be
removed with ssh-keygen -r
HOSTNAME
.
As of version 6.8, OpenSSH comes with a protocol extension that supports host key rotation. It makes sense to replace keys, if you are still using weak keys such as 1024-bit RSA keys. It is strongly recommended to replace such a key and go for 2048-bit DSA keys or something even better. The client will then use the “best” host key.
After installing new host keys on the server, restart sshd.
This protocol extension can
inform a client of all the new host keys on the server, if the user
initiates a connection with ssh
. Then, the
software on the client updates
~/.ssh/known_hosts
, and the user is not
required to accept new keys of previously known and trusted hosts
manually. The local known_hosts
file will
contain all the host keys of the remote hosts, in addition to the
one that authenticated the host during this session.
Once the administrator of the server knows that all the clients have
fetched the new keys, they can remove the old keys. The protocol
extension ensures that the obsolete keys will be removed from the
client's configuration, too. The key removal occurs while initiating
an ssh
session.
For more information, see:
http://blog.djm.net.au/2015/02/key-rotation-in-openssh-68.html
http://heise.de/-2540907 (“Endlich neue Schlüssel für SSH-Server”, German only)
In its simplest form, authentication is done by entering the user's
password just as if logging in locally. However, having to memorize
passwords of several users on remote machines is inefficient. What is
more, these passwords may change. On the other hand—when
granting root
access—an administrator needs to be able
to quickly revoke such a permission without having to change the
root
password.
To accomplish a login that does not require to enter the remote
user's password, SSH uses another key pair, which needs to be generated
by the user. It consists of a public (id_rsa.pub
or
id_dsa.pub
) and a private key
(id_rsa
or id_dsa
).
To be able to log in without having to specify the remote user's
password, the public key of the “SSH user” must be
in ~/.ssh/authorized_keys
. This approach also
ensures that the remote user has got full control: adding the key
requires the remote user's password and removing the key revokes the
permission to log in from remote.
For maximum security such a key should be protected by a passphrase which
needs to be entered every time you use ssh
,
scp
, or sftp
. Contrary to the
simple authentication, this passphrase is independent from the remote
user and therefore always the same.
An alternative to the key-based authentication described above, SSH also offers a host-based authentication. With host-based authentication, users on a trusted host can log in to another host on which this feature is enabled using the same user name. openSUSE Leap is set up for using key-based authentication, covering setting up host-based authentication on openSUSE Leap is beyond the scope of this manual.
If the host-based authentication is to be used, the file
/usr/lib/ssh/ssh-keysign
(32-bit systems) or
/usr/lib64/ssh/ssh-keysign
(64-bit systems) should
have the setuid bit set, which is not the default setting in
openSUSE Leap. In such case, set the file permissions manually. You
should use /etc/permissions.local
for this purpose,
to make sure that the setuid bit is preserved after security updates of
openssh.
To generate a key with default parameters (RSA, 2048 bits), enter the
command ssh-keygen
.
Accept the default location to store the key
(~/.ssh/id_rsa
) by pressing
Enter (strongly recommended) or enter an
alternative location.
Enter a passphrase consisting of 10 to 30 characters. The same rules as for creating safe passwords apply. It is strongly advised to refrain from specifying no passphrase.
You should make absolutely sure that the private key is not accessible
by anyone other than yourself (always set its permissions to
0600
). The private key must never fall into the hands
of another person.
To change the password of an existing key pair, use the command
ssh-keygen -p
.
To copy a public SSH key to ~/.ssh/authorized_keys
of a user on a remote machine, use the command
ssh-copy-id
. To copy your personal key
stored under ~/.ssh/id_rsa.pub
you may use the
short form. To copy DSA keys or keys of other users, you need
to specify the path:
# ~/.ssh/id_rsa.pub
ssh-copy-id -i tux@sun# ~/.ssh/id_dsa.pub
ssh-copy-id -i ~/.ssh/id_dsa.pub tux@sun# ~notme/.ssh/id_rsa.pub
ssh-copy-id -i ~notme/.ssh/id_rsa.pub tux@sun
To successfully copy the key, you need to enter the remote
user's password. To remove an existing key, manually edit
~/.ssh/authorized_keys
.
ssh-agent
#
When doing lots of secure shell operations it is cumbersome to type the
SSH passphrase for each such operation. Therefore, the SSH package
provides another tool, ssh-agent
, which retains the
private keys for the duration of an X or terminal session. All other
windows or programs are started as clients to the
ssh-agent
. By starting the agent, a set of
environment variables is set, which will be used by
ssh
, scp
, or
sftp
to locate the agent for automatic login. See
the ssh-agent
man page for details.
After the ssh-agent
is started, you need to add your
keys by using ssh-add
. It will prompt for the
passphrase. After the password has been provided once, you can use the
secure shell commands within the running session without having to
authenticate again.
ssh-agent
in an X Session #
On openSUSE Leap, the ssh-agent
is automatically
started by the GNOME display manager. To also invoke
ssh-add
to add your keys to the agent at the
beginning of an X session, do the following:
Log in as the desired user and check whether the file
~/.xinitrc
exists.
If it does not exist, use an existing template or copy it from
/etc/skel
:
if [ -f ~/.xinitrc.template ]; then mv ~/.xinitrc.template ~/.xinitrc; \ else cp /etc/skel/.xinitrc.template ~/.xinitrc; fi
If you have copied the template, search for the following lines and
uncomment them. If ~/.xinitrc
already existed,
add the following lines (without comment signs).
# if test -S "$SSH_AUTH_SOCK" -a -x "$SSH_ASKPASS"; then # ssh-add < /dev/null # fi
When starting a new X session, you will be prompted for your SSH passphrase.
ssh-agent
in a Terminal Session #
In a terminal session you need to manually start the
ssh-agent
and then call ssh-add
afterward. There are two ways to start the agent. The first example
given below starts a new Bash shell on top of your existing shell. The
second example starts the agent in the existing shell and modifies the
environment as needed.
ssh-agent -s /bin/bash eval $(ssh-agent)
After the agent has been started, run ssh-add
to
provide the agent with your keys.
ssh
can also be used to redirect TCP/IP connections.
This feature, also called SSH tunneling
, redirects TCP
connections to a certain port to another machine via an encrypted
channel.
With the following command, any connection directed to jupiter port 25 (SMTP) is redirected to the SMTP port on sun. This is especially useful for those using SMTP servers without SMTP-AUTH or POP-before-SMTP features. From any arbitrary location connected to a network, e-mail can be transferred to the “home” mail server for delivery.
ssh -L 25:sun:25 jupiter
Similarly, all POP3 requests (port 110) on jupiter can be forwarded to the POP3 port of sun with this command:
ssh -L 110:sun:110 jupiter
Both commands must be executed as root
, because the connection
is made to privileged local ports. E-mail is sent and retrieved by
normal users in an existing SSH connection. The SMTP and POP3 host
must be set to localhost
for this to
work. Additional information can be found in the manual pages for
each of the programs described above and in the OpenSSH package
documentation under
/usr/share/doc/packages/openssh
.
The home page of OpenSSH
The OpenSSH Wikibook
man sshd
The man page of the OpenSSH daemon
man ssh_config
The man page of the OpenSSH SSH client configuration files
man scp
, man sftp
, man slogin
, man ssh
, man ssh-add
, man ssh-agent
, man ssh-copy-id
, man ssh-keyconvert
, man ssh-keygen
, man ssh-keyscan
Man pages of several binary files to securely copy files
(scp
, sftp
), to log in
(slogin
, ssh
), and to manage
keys.
/usr/share/doc/packages/openssh/README.SUSE
,
/usr/share/doc/packages/openssh/README.FIPS
SUSE package specific documentation; changes in defaults with respect to upstream, notes on FIPS mode etc.