[clug] Cool when you're new to *nix - ssh

Hal Ashburner hal.ashburner at gmail.com
Sun Jun 21 10:29:32 GMT 2009


...and still very cool some years later: ssh and gnu screen.

This is just a quick overview of something cool that anyone new to the 
whole linux thing might not be aware of. I'm trying for the "this is 
what you want to be able to do, this is how to do it." vibe. Tell me if 
it sucks. If the approach is any good, maybe someone else might like to 
do something similar with different software in a week's time or so. But 
do wait the week - this is probably info freako overload as it is.

Log in to your home computer from work.
Being able to login to your computer over the interwebs from anywhere in 
the world is just awesomely massively cool. And it's not just being able 
to log in, you can also copy stuff to and from the machine with a cool 
little command called 'scp'

If you're doing this from a windows machine you probably want something 
like putty to login and maybe winscp to be able to copy to and from the box.

So what about gnu screen then? Well this is a terminal multiplexer. So 
instead of having, say, 3 connections to your home server to get 3 
terminal windows so you can do 3 things, you just make one connection, 
then start screen. ctrl+a c will give you a new terminal (ctrl+a means 
"this is going to be a screen command", c is for create). ctrl+a n will 
switch to the next terminal, ctrl+a p will switch to the previous 
terminal.

So that's all good, pretty useful but not really earth shattering yet. 
The bit that rocked my world is that if you close the connection the 
screen session stays alive. so you can log back in from anywhere at any 
time and tell screen to reconnect.

bash$ screen -rd
-r reattaches to the session, -d first detaches it from any other 
terminal it is still attached to (the one at work you forgot to close, 
say), so the session follows you rather than staying held open there.

Ok so your connection drops out or you just want to close the terminal: 
the command you were running doesn't get killed, it just keeps running 
until it finishes, whether you're watching or not. Some people use this to 
have a permanent irc client that stays in their favourite channel 
logging away.

But wait, all this talk on the mailing list about people trying to hack 
into ssh servers? Won't running one mean I'm exposed to nasty 
hacker-crackers? Maybe a little but it's ok if you don't need military 
grade security and you follow some basic precautions.

check the default options your distribution has in /etc/ssh/sshd_config
(note the d on the sshd_config - means this is a daemon or server).

PermitRootLogin no
 #there is no reason to login over ssh as root, ever.  Many of the 
brute-force password guessing scripts use root as the user, as this user 
will exist. Force them to guess your user name as well as your password.

AllowUsers your_user_name_here
 #so only your account is available to log in to.

If on top of this you install Fail2Ban on your machine - a script that 
watches the ssh log and blocks an ip from making ssh login requests for 
10 minutes after 3 failures (its defaults, both adjustable). That doesn't 
prevent brute force attacks outright, but it slows a guesser down from 
thousands of tries an hour to a couple of dozen per address, and with a 
good password that is more than enough.
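To make the Fail2Ban behaviour concrete, here is an added example (mine, not from the post and not fail2ban's own code) of the detection half of what it does: count failed ssh logins per source address in auth.log lines and list the addresses that have reached a maxretry threshold. The log lines are constructed samples in OpenSSH's log format using documentation address ranges, the user name "hal" is a placeholder, and the threshold of 3 mirrors the post. Real fail2ban also only counts failures inside a findtime window and lifts bans after bantime; this leaves both out.

```shell
#!/bin/sh
# Added example (not from the post or the fail2ban project): the detection
# half of what fail2ban does with /var/log/auth.log. Constructed sample lines
# in OpenSSH's log format; the addresses are from documentation ranges.
SAMPLE_AUTH_LOG='Jun 21 10:29:32 home sshd[1234]: Failed password for root from 203.0.113.5 port 40231 ssh2
Jun 21 10:29:35 home sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 40232 ssh2
Jun 21 10:29:38 home sshd[1236]: Failed password for invalid user oracle from 203.0.113.5 port 40233 ssh2
Jun 21 10:30:01 home sshd[1240]: Failed password for hal from 198.51.100.7 port 51022 ssh2
Jun 21 10:30:10 home sshd[1240]: Accepted publickey for hal from 198.51.100.7 port 51022 ssh2
Jun 21 10:31:00 home sshd[1250]: Invalid user test from 203.0.113.9'

# failed_logins_per_ip < log  ->  "count ip" per source address, most failures first.
# Matches the two lines sshd writes for a bad guess: "Failed password for ..."
# and "Invalid user ..." (a guessed username that does not exist at all).
failed_logins_per_ip() {
    awk '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# ban_candidates MAXRETRY < log  ->  addresses with at least MAXRETRY failures
ban_candidates() {
    failed_logins_per_ip | awk -v max="$1" '$1 >= max { print $2 }'
}

# ban_rules MAXRETRY < log  ->  prints (does not apply) a DROP rule per offender,
# the sort of rule fail2ban's iptables action inserts for the ban period
ban_rules() {
    ban_candidates "$1" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$ip"
    done
}

# Demo: with maxretry 3 only 203.0.113.5 gets banned; hal's single typo does not.
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_per_ip
printf '%s\n' "$SAMPLE_AUTH_LOG" | ban_rules 3
```

Run it against a real log with `ban_candidates 3 < /var/log/auth.log` and you will see why the post says the scripts go for root first: the offending address racks up a different guessed username on every line.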

As long as you have a good password that much will probably make you 
close-enough-for-country-dancing to being secure - assuming you're not 
ASIO or whatever.

What's a good password? One that's long, not a dictionary word and has 
symbols and numbers in it. So how do you make one that's memorable? One 
trick is to use a phrase and run it all together or take the first 
letter of each word.
nky-wydat    =>   nobody knows you - when you're down and out.
ija^tt<tastt>  =>   it's just a jump to the left and  then a step to the 
right.
You'll think of better ones that mean more to you than Jimmy Witherspoon 
and Rocky Horror lyrics. :)

How do you find your machine? Something like dyndns.org - free dynamic 
dns. You can go there, get a (pretty silly) domain name and make either 
your server or your adsl modem/router update the ip address for that 
domain name each time it changes. If you want you can buy a domain name 
that's more to your taste and specifically yours and use something like 
zoneedit.com to keep it pointing at whatever your home ip address is.

But you still can't safely log in or copy files from a machine you don't 
trust. You pretty much have to assume every net cafe machine is full of 
nasties, including keystroke loggers, so if you login from one of those, 
baddies have your password. bad.

Using keys instead of passwords is better still for ssh. ssh-keygen is the 
command to explore: it generates a key pair, and you give the private 
half a passphrase that's needed before it can be used. The keys will be 
in /home/you/.ssh/ - id_rsa is the private key, which stays on the 
machine you connect from and is never given to anyone, and id_rsa.pub is 
the public key, which goes into /home/you/.ssh/authorized_keys on the 
machine you wish to log in to. Once id_rsa.pub has been copied over to 
that machine,
cat /home/you/.ssh/id_rsa.pub >>/home/you/.ssh/authorized_keys
will append your public key to the authorized_keys file. Make sure 
~/.ssh and authorized_keys there aren't writable by anyone but you 
(chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys does it), or sshd 
will ignore the file. Then take your .ssh directory with you on your 
travels to "the outside world" - bearing in mind that a keylogged net 
cafe machine can capture the passphrase and copy the key file just as 
easily as it captured a password, so the key only buys you something on 
machines you have some reason to trust.
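Here is an added example (mine, not from the post) of installing the public key the way the `cat >>` line above does, but without creating duplicates when run twice and with the permissions sshd insists on: with StrictModes (the default) sshd ignores authorized_keys if ~/.ssh or the file is writable by anyone else, and the client refuses a private key that other users can read. The key line is a constructed placeholder, not a real key, and the home directory is a temporary one. Generate the real pair first with `ssh-keygen -t ed25519` (or `ssh-keygen -t rsa` for the id_rsa names the post uses) and answer the passphrase prompt.

```shell
#!/bin/sh
# Added example (not from the post): install a public key into
# ~/.ssh/authorized_keys idempotently and with the permissions sshd insists on.
# The key below is a constructed placeholder, not a real key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderNotARealKeyPlaceholderNotAReal you@laptop'

# file_mode PATH -> the ls-style mode string, e.g. -rw-------
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# install_pubkey PUBKEY_LINE HOMEDIR -> prints "installed" or "already present";
# returns non-zero if the line does not look like an OpenSSH public key
install_pubkey() {
    key=$1 sshdir=$2/.ssh
    auth=$sshdir/authorized_keys
    case $key in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "not an OpenSSH public key line: $key" >&2; return 1 ;;
    esac
    # 700 on the directory and 600 on the file: sshd's StrictModes check
    # refuses anything group- or world-writable, and nobody else needs to read it.
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"
    # Compare key type and base64 blob only, so the same key with a different
    # trailing comment is still recognised and not appended a second time.
    blob=$(printf '%s\n' "$key" | awk '{ print $1, $2 }')
    if awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$auth"; then
        echo "already present"
    else
        printf '%s\n' "$key" >> "$auth"
        echo "installed"
    fi
}

# Demo in a throwaway home directory; the second call is a no-op.
demo_home=$(mktemp -d)
trap 'rm -rf "$demo_home"' EXIT
install_pubkey "$SAMPLE_PUBKEY" "$demo_home"
install_pubkey "$SAMPLE_PUBKEY" "$demo_home"
echo "authorized_keys mode: $(file_mode "$demo_home/.ssh/authorized_keys")"
```

On a box where you still have password login, `ssh-copy-id you@yourhost` does the same job over the network in one step, permissions included; the function above is what to reach for when you are carrying the public key over by hand.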

If you do this you can change your /etc/ssh/sshd_config to read
PasswordAuthentication no
which makes things a good deal more secure: password guessing is 
pointless when no password is accepted at all. Restart sshd after 
editing, and test a fresh key login in a second window before closing 
the one you have, so a typo in the config can't lock you out.
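Since the three sshd_config settings above (PermitRootLogin, AllowUsers and PasswordAuthentication) are easy to get wrong in ways that look right, here is an added example (mine, not from the post or from OpenSSH) that reads a config file and reports which of them is not in the safe state. It encodes two sshd_config(5) rules that trip people up: for these directives the first occurrence wins, so a "PermitRootLogin no" appended at the bottom does nothing if a "yes" sits higher up, and anything below a "Match" line applies only to the matched connections. The two config files are constructed samples written to temporary files, and the user name is the post's placeholder.

```shell
#!/bin/sh
# Added example (not from the post): check an sshd_config for the three
# settings discussed above, honouring sshd's "first occurrence wins" rule
# and stopping at the first Match block, below which everything is conditional.
# Keywords are case-insensitive and "Keyword=value" is accepted as well.

# sshd_effective FILE KEYWORD -> the globally effective value, or nothing if unset
sshd_effective() {
    awk -v key="$2" '
        { gsub(/=/, " ") }                         # accept Keyword=value
        /^[ \t]*#/ || NF < 2 { next }              # comments and blank lines
        tolower($1) == "match" { exit }            # below here is conditional
        tolower($1) == tolower(key) {
            v = $2; for (i = 3; i <= NF; i++) v = v " " $i
            print v; exit                          # first occurrence wins
        }
    ' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# audit_sshd_config FILE USER -> prints one line per problem; returns 0 only if clean
audit_sshd_config() {
    file=$1 user=$2 problems=0
    root=$(sshd_effective "$file" PermitRootLogin)
    pw=$(sshd_effective "$file" PasswordAuthentication)
    allow=$(sshd_effective "$file" AllowUsers)

    if [ "$(lower "$root")" != no ]; then
        echo "PermitRootLogin is '${root:-unset}': set it to no"
        problems=$((problems + 1))
    fi
    # PasswordAuthentication defaults to yes when the directive is absent
    if [ "$(lower "${pw:-yes}")" != no ]; then
        echo "PasswordAuthentication is '${pw:-unset}': set it to no once key login works"
        problems=$((problems + 1))
    fi
    if [ -z "$allow" ]; then
        echo "AllowUsers is unset: every account on the box can be tried"
        problems=$((problems + 1))
    else
        case " $allow " in
            *" $user "*) ;;
            *) echo "AllowUsers ($allow) does not include $user"
               problems=$((problems + 1)) ;;
        esac
    fi
    [ "$problems" -eq 0 ]
}

# Constructed samples. In "weak" the hardened line was appended below a
# permissive one; in "hardened" the password allowance sits under a Match
# block, so it only applies to the LAN and the global setting stays "no".
weak=$(mktemp) hardened=$(mktemp)
trap 'rm -f "$weak" "$hardened"' EXIT
cat > "$weak" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF
cat > "$hardened" <<'EOF'
Port 22
PermitRootLogin no
AllowUsers your_user_name_here
PasswordAuthentication=no
Match Address 192.168.1.0/24
    PasswordAuthentication yes
EOF

for f in "$weak" "$hardened"; do
    echo "== $f"
    if audit_sshd_config "$f" your_user_name_here; then echo "ok"; fi
done
```

Point it at the real file with `audit_sshd_config /etc/ssh/sshd_config $USER` after editing; `sshd -T` prints the values sshd itself resolved and is the authoritative cross-check where you have it.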

CLUG gurus have mentioned "port knocking" and running ssh on a port that 
isn't the default (ie not port 22). You can look into these additional 
measures as well if you care to. I haven't cared to myself yet. Opinions 
will differ and mine may not be the best informed on the CLUG list.

You could get hacked with a setup like this. And you have to decide 
whether the risk is worth it. For me it is, the convenience is just 
fantastic. If I forget to take things with me to work/on 
holiday/whatever I can just copy them.

If what you're dealing with is anything like source code, revision 
control works great over ssh. CVS, SVN, HG, GIT all. Revision control is 
just wonderful stuff and can be used for source code, documents, even 
photographs but it's a topic for another time.

Finally if you're not confident about what you've done and want to 
switch off the ssh server.

#/etc/init.d/ssh stop
will switch it off until the next reboot (the # is the root prompt, not 
part of the command). You'll need to find out how your distribution lets 
you make sure it doesn't come on every time you reboot. Many have 
graphical programs that you can use to do this. google something like 
"disable ssh service fedora" or "disable ssh server ubuntu" or similar.

As ever all the gory details are there in
 man 1 ssh
 man 1 ssh-keygen
 man 1 screen
 man 5 sshd_config
 http://www.fail2ban.org/wiki/index.php/Main_Page
 dyndns.com
 netregistry.com.au - to buy your own domain, other people will sell you 
one as well.
 zoneedit.com
 winscp.net
 http://chiark.greenend.org.uk/~sgtatham/putty/download.html - putty. 
ssh client for windows.
Further problems, questions you can't find answers to, worries: the CLUG 
list will help you out.


--

If anything in the above gives you pause, do please let me know. Of 
particular interest would be the reaction of someone who doesn't know 
all about ssh, screen and dynamic dns already.
"I now know what it is and what it does and why I do/don't want it."
Or
"WTF? That's all greek - your writing is rubbish." or anything in 
between. Cheers.

"Obviously this is not really what we have in mind for CLUG" - also 
useful feedback.
