[clug] Cool when you're new to *nix - ssh

Tim Jones tim.jones at anu.edu.au
Sun Jun 21 12:42:01 GMT 2009


> This is just a quick overview of something cool that anyone new to the whole
> linux thing might not be aware of. I'm trying for the "this is what you want
> to be able to do, this is how to do it." vibe. Tell me if it sucks. If the
> approach is any good, maybe someone else might like to do something similar
> with different software in a week's time or so. But do wait the week - this
> is probably info freako overload as it is.

Thanks Hal! I really like this idea, and would be totally in favour of
more overviews of cool things/tools/whatever. Picking up knowledge
like this is the primary reason I lurk on this list.

Tim

2009/6/21 Hal Ashburner <hal.ashburner at gmail.com>:
> ...and still very cool some years later.
> is ssh and gnu screen.
>
> This is just a quick overview of something cool that anyone new to the whole
> linux thing might not be aware of. I'm trying for the "this is what you want
> to be able to do, this is how to do it." vibe. Tell me if it sucks. If the
> approach is any good, maybe someone else might like to do something similar
> with different software in a week's time or so. But do wait the week - this
> is probably info freako overload as it is.
>
> Log in to your home computer from work.
> Being able to login to your computer over the interwebs from anywhere in the
> world is just awesomely massively cool. And it's not just being able to log
> in, you can also copy stuff to and from the machine with a cool little
> command called 'scp'
>
> If you're doing this from a windows machine you probably want something like
> putty to login and maybe winscp to be able to copy to and from the box.
>
> So what about gnu screen then? Well this is a terminal multiplexer. So
> instead of having, say 3 connections to your home server to get 3 terminal
> windows so you can do 3 things, you just get one connection, then start
> screen. ctrl+a c  will give you a new terminal (ctrl+a is "this is going to
> be a screen command, c for create). ctrl+a n will switch to the n next
> terminal, ctrl+a p will switch to the p previous terminal.
>
> So that's all good, pretty useful but not really earth shattering yet. The
> bit that rocked my world is that if you close the connection the screen
> session stays alive. So you can log back in from anywhere at any time and
> tell screen to reconnect.
>
> bash$ screen -rd
> -r is reconnect, -d is disconnect any other connections I might have to this
> screen session.
>
> Ok so your connection drops out or you just want to close the terminal, the
> command you were running does not close it just keeps running until it
> finishes, whether you're watching or not. Some people use this to have a
> permanent irc client that stays in their favourite channel logging away.
>
> But wait, all this talk on the mailing list about people trying to hack into
> ssh servers? Won't running one mean I'm exposed to nasty hacker-crackers?
> Maybe a little but it's ok if you don't need military grade security and you
> follow some basic precautions.
>
> check the default options your distribution has in /etc/ssh/sshd_config
> (note the d on the sshd_config - means this is a daemon or server).
>
> PermitRootLogin no
> #there is no reason to login over ssh as root, ever.  Many of the
> brute-force password guessing scripts use root as the user, as this user
> will exist. Force them to guess your user name as well as your password.
>
> AllowUsers your_user_name_here
> #so only your account is available to log in to.
>
> If on top of this you install Fail2Ban on your machine - a script that
> blocks an ip from making ssh login requests for 10 minutes if there are 3
> failures - this will also prevent brute force attacks.
>
> As long as you have a good password that much will probably make you
> close-enough-for-country-dancing to being secure - assuming you're not ASIO
> or whatever.
>
> What's a good password? One that's long, not a dictionary word and has
> symbols and numbers in it. So how do you make one that's memorable? One
> trick is to use a phrase and run it all together or take the first letter of
> each word.
> nky-wydat    =>   nobody knows you - when you're down and out.
> ija^tt<tastt>  =>   it's just a jump to the left and  then a step to the
> right.
> You'll think of better ones that mean more to you than Jimmy Witherspoon and
> Rocky Horror lyrics. :)
>
> How do you find your machine? Something like dyndns.org - free dynamic dns.
> You can go there, get a (pretty silly) domain name and make either your
> server or your adsl modem/router update the ip address for that domain name
> each time it changes. If you want you can buy a domain name that's more to
> your taste and specifically yours and use something like zoneedit.com to
> keep it pointing at whatever your home ip address is.
>
> But you still can't log in or copy files from an insecure machine. You
> pretty much have to assume every net cafe machine is full of nasties,
> including keystroke loggers so if you login from one of those, baddies have
> your password. Bad.
>
> Not using passwords at all is better still for ssh. ssh-keygen is the
> command to explore to generate an ssh key with a password associated with
> the key.  The keys will be in /home/you/.ssh/
> you need to copy id_rsa.pub to /home/you/.ssh/authorized_keys on the machine
> you wish to log in to and have id_rsa on the local machine you're using to make
> the connection.
> cat /home/you/.ssh/id_rsa.pub >>/home/you/.ssh/authorized_keys
> will append your public key to the authorized_keys file.
> Then take your .ssh directory with you on your travels to "the outside
> world"
>
> If you do this you can change your /etc/ssh/sshd_config to read
> PasswordAuthentication no
> Which makes things a bit more secure.
>
> CLUG gurus have mentioned "port knocking" and running ssh on a port that
> isn't the default (ie not port 22). You can look into these additional
> measures as well if you care to. I haven't cared to myself yet. Opinions
> will differ and mine may not be the best informed on the CLUG list.
>
> You could get hacked with a setup like this. And you have to decide whether
> the risk is worth it. For me it is, the convenience is just fantastic. If I
> forget to take things with me to work/on holiday/whatever I can just copy
> them.
>
> If what you're dealing with is anything like source code, revision control
> works great over ssh. CVS, SVN, HG, GIT all. Revision control is just
> wonderful stuff and can be used for source code, documents, even photographs
> but it's a topic for another time.
>
> Finally if you're not confident about what you've done and want to switch
> off the ssh server.
>
> #/etc/init.d/ssh stop
> will switch it off temporarily. You'll need to find out how your
> distribution lets you make sure it doesn't come on every time you reboot.
> Many have graphical programs that you can use to do this. google something
> like "disable ssh service fedora"  or "disable ssh server ubuntu" or
> similar.
>
> As ever all the gory details are there in
> man 1 ssh
> man 2 ssh-keygen
> man 1 screen
> man 5 sshd_config
> http://www.fail2ban.org/wiki/index.php/Main_Page
> dyndns.com
> netregistry.com.au - to buy your own domain, other people will sell you one
> as well.
> zoneedit.com
> winscp.net
> http://chiark.greenend.org.uk/~sgtatham/putty/download.html - putty. ssh
> client for windows.
> Further problems, questions you can't find answers to, worries. The CLUG list
> will help you out.
>
>
> --
>
> If anything in the above gives you pause, do please let me know. Of
> particular interest would be the reaction of someone who doesn't know all
> about ssh, screen and dynamic dns already.
> "I know know what it is and what it does and why I do/don't want it."
> Or
> "WTF? That's all greek - you're writing is rubbish." or anything in between.
> Cheers.
>
> "Obviously this is not really what we have in mind for CLUG" - also useful
> feedback.
>
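A check for the sshd_config advice in the quoted post (PermitRootLogin, AllowUsers, PasswordAuthentication), written as an added example for this page rather than taken from the post. The function names are this example's own, and it also applies two sshd rules the post does not mention: the first occurrence of a keyword wins, and settings after a Match line are conditional, not global.

```shell
#!/bin/sh
# Added example (not from the post): report which of the three sshd_config
# settings discussed above differ from the advice. sshd honours the FIRST
# occurrence of a keyword, keywords are case-insensitive, and lines after a
# "Match" are conditional; the parser mirrors that. "Keyword=value" is not handled.

# sshd_option FILE KEYWORD -> prints the effective global value, nothing if unset
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # comments and blank lines
        { k = tolower($1) }
        k == "match" { exit }                  # rest of file is conditional
        k == key { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE -> one "WEAK: ..." line per setting that differs from the advice
audit_sshd_config() {
    v=$(sshd_option "$1" PermitRootLogin)
    [ "$v" = "no" ] || echo "WEAK: PermitRootLogin is '${v:-unset}', want 'no'"
    v=$(sshd_option "$1" PasswordAuthentication)
    [ "$v" = "no" ] || echo "WEAK: PasswordAuthentication is '${v:-unset, default yes}', want 'no' once keys work"
    v=$(sshd_option "$1" AllowUsers)
    [ -n "$v" ] || echo "WEAK: no AllowUsers line, so every local account may log in"
}

# count_weak FILE -> number of WEAK findings (awk always exits 0, so safe under set -e)
count_weak() { audit_sshd_config "$1" | awk '/^WEAK/ { n++ } END { print n + 0 }'; }

# Constructed sample configs for the demo; not copied from any real host.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat >"$WEAK_CFG" <<'EOF'
Port 22
permitrootlogin yes
PermitRootLogin no
#PasswordAuthentication no
EOF
cat >"$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowUsers alice
Match User backup
    PasswordAuthentication yes
EOF
echo "== weak sample: $(count_weak "$WEAK_CFG") finding(s)"; audit_sshd_config "$WEAK_CFG"
echo "== hardened sample: $(count_weak "$HARD_CFG") finding(s)"; audit_sshd_config "$HARD_CFG"
```

Run it against /etc/ssh/sshd_config to see which of the post's three settings your distribution's defaults leave open.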

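The post's `cat id_rsa.pub >> authorized_keys` step, done in a way that survives being run twice and leaves the permissions sshd's default StrictModes expects. This is an added example for this page, not the post's own text; the helper name add_authorized_key and the key material in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the post): append a public key to authorized_keys
# without creating duplicate lines, and set the permissions sshd's default
# StrictModes requires (~/.ssh 700, authorized_keys 600).

# add_authorized_key PUBKEY_FILE AUTH_FILE -> prints "added" or "already present"
add_authorized_key() {
    pub=$1; auth=$2
    # A public key line is "<type> <base64> [comment]"; match on type+key only,
    # so the same key with a different comment is still treated as present.
    keyline=$(awk 'NF >= 2 { print; exit }' "$pub")
    [ -n "$keyline" ] || { echo "no key found in $pub" >&2; return 1; }
    keyid=$(printf '%s\n' "$keyline" | awk '{ print $1, $2 }')
    mkdir -p "$(dirname "$auth")"
    chmod 700 "$(dirname "$auth")"
    touch "$auth"; chmod 600 "$auth"
    if awk -v id="$keyid" 'NF >= 2 && ($1 " " $2) == id { found = 1 } END { exit !found }' "$auth"; then
        echo "already present"
    else
        printf '%s\n' "$keyline" >>"$auth"; echo "added"
    fi
}

# count_keys AUTH_FILE -> number of key lines (comments and blanks ignored)
count_keys() { awk '!/^[ \t]*(#|$)/ && NF >= 2 { n++ } END { print n + 0 }' "$1"; }

# Constructed demo in a temp directory; the base64 below is NOT a real key.
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
printf 'ssh-rsa AAAAB3NzaC1yc2EFAKEKEYFORDEMOONLY you@laptop\n' >"$DEMO/id_rsa.pub"
AUTH="$DEMO/.ssh/authorized_keys"
add_authorized_key "$DEMO/id_rsa.pub" "$AUTH"   # first run: added
add_authorized_key "$DEMO/id_rsa.pub" "$AUTH"   # second run: already present
echo "$(count_keys "$AUTH") key(s) in $AUTH"
```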