[clug] Cool when you're new to *nix - ssh
Hal Ashburner
hal.ashburner at gmail.com
Sun Jun 21 10:29:32 GMT 2009
...and still very cool some years later - is ssh and gnu screen.
This is just a quick overview of something cool that anyone new to the
whole linux thing might not be aware of. I'm trying for the "this is
what you want to be able to do, this is how to do it." vibe. Tell me if
it sucks. If the approach is any good, maybe someone else might like to
do something similar with different software in a week's time or so. But
do wait the week - this is probably info freako overload as it is.
Log in to your home computer from work.
Being able to log in to your computer over the interwebs from anywhere in
the world is just awesomely massively cool. And it's not just being able
to log in, you can also copy stuff to and from the machine with a cool
little command called 'scp'.
If you're doing this from a windows machine you probably want something
like putty to log in and maybe winscp to be able to copy to and from the box.
So what about gnu screen then? Well, this is a terminal multiplexer. So
instead of having, say, 3 connections to your home server to get 3
terminal windows so you can do 3 things, you just get one connection,
then start screen. ctrl+a c will give you a new terminal (ctrl+a is
"this is going to be a screen command", c is for create). ctrl+a n will
switch to the next terminal, ctrl+a p will switch to the previous
terminal.
So that's all good, pretty useful but not really earth shattering yet.
The bit that rocked my world is that if you close the connection the
screen session stays alive, so you can log back in from anywhere at any
time and tell screen to reconnect.
bash$ screen -rd
-r is reconnect, -d is disconnect any other connections I might have to
this screen session first.
Ok so your connection drops out or you just want to close the terminal:
the command you were running does not close, it just keeps running until
it finishes, whether you're watching or not. Some people use this to
have a permanent irc client that stays in their favourite channel
logging away.
But wait, all this talk on the mailing list about people trying to hack
into ssh servers? Won't running one mean I'm exposed to nasty
hacker-crackers? Maybe a little, but it's ok if you don't need military
grade security and you follow some basic precautions.
Check the default options your distribution has in /etc/ssh/sshd_config
(note the d in sshd_config - it means this is the daemon, or server, side).
PermitRootLogin no
#there is no reason to login over ssh as root, ever. Many of the
brute-force password guessing scripts use root as the user, as this user
will exist. Force them to guess your user name as well as your password.
AllowUsers your_user_name_here
#so only your account is available to log in to.
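An added example (not from the original post) that checks those settings the way sshd actually reads the file: the first value given for a keyword wins, keywords are case-insensitive, and lines under a Match block are conditional, so a hardening line pasted at the bottom of a distro-supplied config can be silently ignored. The sample config is constructed, and the check also covers the PasswordAuthentication setting mentioned further down.

```shell
#!/bin/sh
# Effective value of one sshd_config keyword, resolved the way sshd does it:
# first occurrence wins, keywords are case-insensitive, '#' starts a comment,
# and anything below a Match line only applies conditionally, so stop there.
# Prints nothing if unset (sshd's compiled-in default then applies).
# Only the "Keyword value" form is parsed; the first value word is printed.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                 # drop comments
        NF == 0 { next }                   # skip blank lines
        tolower($1) == "match" { exit }    # conditional section: stop
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Check the settings from the post; returns 1 if any of them is not right.
audit_sshd() {
    cfg=$1; status=0
    for pair in PermitRootLogin:no PasswordAuthentication:no; do
        key=${pair%%:*}; want=${pair##*:}
        got=$(sshd_effective "$cfg" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok   $key $got"
        else
            echo "FAIL $key is '${got:-<unset, sshd default>}', want $want"
            status=1
        fi
    done
    if [ -n "$(sshd_effective "$cfg" AllowUsers)" ]; then
        echo "ok   AllowUsers $(sshd_effective "$cfg" AllowUsers)"
    else
        echo "FAIL AllowUsers not set: every account can log in"; status=1
    fi
    return $status
}

# Constructed sample config (not a real server's file). The hardening
# line was added at the bottom, below a distro default, so it is ignored.
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
Port 22
PermitRootLogin yes
#PermitRootLogin no
AllowUsers hal
PermitRootLogin no
Match User backup
    PasswordAuthentication no
EOF
audit_sshd "$SAMPLE_CFG" || echo "fix the FAIL lines before exposing sshd to the net"
```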
If on top of this you install Fail2Ban on your machine - a script that
blocks an IP from making ssh login requests for 10 minutes if there are
3 failures - that will also prevent brute force attacks.
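An added example (not from the original post) of the counting that fail2ban's ssh jail does, run over constructed auth.log lines (addresses are from the documentation ranges), so you can see which source gets banned at 3 failures and why a single mistyped password from home does not.

```shell
#!/bin/sh
# Constructed sample of sshd lines as they appear in /var/log/auth.log
# (made up for this example; 203.0.113.x and 198.51.100.x are documentation
# ranges, not real hosts).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Jun 21 10:01:02 home sshd[2201]: Failed password for root from 203.0.113.7 port 4021 ssh2
Jun 21 10:01:05 home sshd[2202]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
Jun 21 10:01:09 home sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 4023 ssh2
Jun 21 10:02:11 home sshd[2210]: Accepted publickey for hal from 198.51.100.4 port 51022 ssh2
Jun 21 10:03:00 home sshd[2215]: Failed password for hal from 198.51.100.4 port 51030 ssh2
Jun 21 10:03:20 home sshd[2216]: Accepted password for hal from 198.51.100.4 port 51031 ssh2
EOF

# Count sshd password failures per source address and print every address
# at or over the retry limit ($2, default 3): the set fail2ban would ban.
# Successful logins are not counted, so one typo from home is harmless.
ban_candidates() {
    awk -v max="${2:-3}" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip }
    ' "$1" | sort
}

# Per-address failure summary, highest first, for eyeballing a log by hand.
failure_counts() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
             for (i = 1; i <= NF; i++) if ($i == "from") c[$(i + 1)]++ }
         END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

failure_counts "$SAMPLE_LOG"
for ip in $(ban_candidates "$SAMPLE_LOG" 3); do
    # fail2ban's action inserts a firewall rule of this kind for the ban
    # period (shown here, not run).
    echo "would run: iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP"
done
```

fail2ban additionally only counts failures that fall within a time window, and, like this script, it cannot tell apart machines sharing one NAT address, so a ban can lock out everyone behind that router.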
As long as you have a good password that much will probably make you
close-enough-for-country-dancing to being secure - assuming you're not
ASIO or whatever.
What's a good password? One that's long, not a dictionary word and has
symbols and numbers in it. So how do you make one that's memorable? One
trick is to use a phrase and run it all together or take the first
letter of each word.
nky-wydat => nobody knows you - when you're down and out.
ija^tt<tastt> => it's just a jump to the left and then a step to the
right.
You'll think of better ones that mean more to you than Jimmy Witherspoon
and Rocky Horror lyrics. :)
How do you find your machine? Something like dyndns.org - free dynamic
dns. You can go there, get a (pretty silly) domain name and make either
your server or your adsl modem/router update the ip address for that
domain name each time it changes. If you want you can buy a domain name
that's more to your taste and specifically yours and use something like
zoneedit.com to keep it pointing at whatever your home ip address is.
But you still can't log in or copy files from an insecure machine. You
pretty much have to assume every net cafe machine is full of nasties,
including keystroke loggers, so if you log in from one of those, baddies
have your password. Bad.
Not using passwords at all is better still for ssh. ssh-keygen is the
command to explore to generate an ssh key pair, with a passphrase
protecting the private key. The keys will be in /home/you/.ssh/.
You need to copy id_rsa.pub to /home/you/.ssh/authorized_keys on the
machine you wish to log in to and have id_rsa on the local machine you're
using to make the connection. On the remote machine,
cat /home/you/.ssh/id_rsa.pub >>/home/you/.ssh/authorized_keys
will append your public key to the authorized_keys file.
Then take your .ssh directory with you on your travels to "the outside
world"
If you do this you can change your /etc/ssh/sshd_config to read
PasswordAuthentication no
Which makes things a bit more secure.
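An added example (not from the original post) that does the authorized_keys step above with the checks people usually miss: it refuses to install anything that is not a public key (so you cannot paste id_rsa by mistake), does not duplicate a key that is already there, and sets the permissions sshd's StrictModes default requires. Without the right modes sshd silently ignores the file and falls back to a password prompt. The key text and home directory are constructed dummies.

```shell
#!/bin/sh
# Append a public key to authorized_keys the safe way. The post's
# "cat >> authorized_keys" works, but running it twice duplicates the key,
# and sshd (StrictModes, the default) ignores authorized_keys when ~/.ssh
# or the file is group/world-writable, which looks like "my key is broken".
install_pubkey() {
    pub=$1; home=${2:-$HOME}
    dir=$home/.ssh; auth=$dir/authorized_keys
    key=$(cat "$pub") || return 1
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;       # looks like a .pub
        *) echo "refusing: $pub does not look like a public key" >&2; return 1 ;;
    esac
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"
    if grep -qxF -- "$key" "$auth"; then
        echo "already present: $pub"
    else
        printf '%s\n' "$key" >>"$auth" && echo "installed: $pub"
    fi
}

# True when the modes are ones sshd accepts (0700 directory, 0600 file).
key_perms_ok() {
    dir=${1:-$HOME}/.ssh
    [ -n "$(find "$dir" -prune -perm 700)" ] &&
    [ -n "$(find "$dir/authorized_keys" -prune -perm 600)" ]
}

# Constructed demo in a temp dir; the key blob is dummy text, not a real key.
DEMO_HOME=$(mktemp -d)
printf 'ssh-rsa AAAAconstructedDummyKeyNotReal hal@laptop\n' >"$DEMO_HOME/id_rsa.pub"
install_pubkey "$DEMO_HOME/id_rsa.pub" "$DEMO_HOME"   # installed
install_pubkey "$DEMO_HOME/id_rsa.pub" "$DEMO_HOME"   # already present
key_perms_ok "$DEMO_HOME" && echo "permissions ok"
```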
CLUG gurus have mentioned "port knocking" and running ssh on a port that
isn't the default (ie not port 22). You can look into these additional
measures as well if you care to. I haven't cared to myself yet. Opinions
will differ and mine may not be the best informed on the CLUG list.
You could get hacked with a setup like this. And you have to decide
whether the risk is worth it. For me it is, the convenience is just
fantastic. If I forget to take things with me to work/on
holiday/whatever I can just copy them.
If what you're dealing with is anything like source code, revision
control works great over ssh: CVS, SVN, HG, GIT all do. Revision control is
just wonderful stuff and can be used for source code, documents, even
photographs but it's a topic for another time.
Finally, if you're not confident about what you've done and want to
switch off the ssh server, then (as root)
#/etc/init.d/ssh stop
will switch it off temporarily. You'll need to find out how your
distribution lets you make sure it doesn't come on every time you
reboot. Many have graphical programs that you can use to do this. Google
something like "disable ssh service fedora" or "disable ssh server
ubuntu" or similar.
As ever all the gory details are there in
man 1 ssh
man 1 ssh-keygen
man 1 screen
man 5 sshd_config
http://www.fail2ban.org/wiki/index.php/Main_Page
dyndns.com
netregistry.com.au - to buy your own domain, other people will sell you
one as well.
zoneedit.com
winscp.net
http://chiark.greenend.org.uk/~sgtatham/putty/download.html - putty,
ssh client for windows.
Further problems, questions you can't find answers to, worries: the CLUG
list will help you out.
--
If anything in the above gives you pause, do please let me know. Of
particular interest would be the reaction of someone who doesn't know
all about ssh, screen and dynamic dns already.
"I now know what it is and what it does and why I do/don't want it."
Or
"WTF? That's all greek - your writing is rubbish." or anything in
between. Cheers.
"Obviously this is not really what we have in mind for CLUG" - also
useful feedback.