OpenSSH is a free software suite that implements secure, remote login and file transfer capabilities using the SSH protocol. It provides a secure replacement for older protocols like telnet, FTP, and rlogin. OpenSSH allows for remote login, file transfer, port forwarding, X11 forwarding, and more. It offers strong security features like public-key authentication and encrypted connections.

1. OpenSSH
tomas.corej@websupport.sk
@tomas_corej

2. OpenSSH
● nastroj pre bezpecne, vzdialene
prihlasovanie
● prepisana verzia originalneho SSH
nastroja
● priklad flexibilneho nastroja pouzitelneho
na ovela viac nez len vzdialene
prihlasovanie
● nahrada za telnet, ftp, rlogin
●

3. Od zaciatku
pesnik:~$ ssh testor
alebo
pesnik:~$ ln -s /usr/bin/ssh-argv0 $HOME/bin/testor
pesnik:~$ testor

4. Od zaciatku
pesnik:~$ ssh testor
user@testor password: ^C
pesnik:~$ ssh-keygen
pesnik:~$ ssh-copy-id testor
Now try logging into the machine, with "ssh 'testor'", and check in:
~/.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.

5. Od zaciatku
pesnik:~$ ssh testor
Warning: the RSA host key for 'testor' differs from the key for the IP
address '37.9.170.2'
Offending key for IP in /home/tomas.corej/.ssh/known_hosts:57
Matching host key in /home/tomas.corej/.ssh/known_hosts:875
You have mail.
Last login: Thu Jul 11 00:12:57 2012 from services
testor:~$ ^D
pesnik: ~$ ssh-keygen -R 37.9.170.2

6. Od zaciatku
pesnik:~$ ssh testor
You have mail.
Last login: Thu Jul 11 00:12:57 2012 from pesnik
testor:~$

7. Od zaciatku
pesnik:~$ ssh testor
You have mail.
Last login: Thu Jul 11 00:12:57 2012 from services
testor:~$
testor:~$ ~?
Supported escape sequences:
~. - terminate connection (and any multiplexed sessions)
~B - send a BREAK to the remote system
~C - open a command line
~R - Request rekey (SSH protocol 2 only)
~^Z - suspend ssh
~# - list forwarded connections
~& - background ssh (when waiting for connections to terminate)
~? - this message
~~ - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)

8. Pouzitelne v skriptoch
pesnik:~$ ssh testor /bin/true && echo ok
ok
if ssh testor prikaz; then
...
fi

9. Nechce sa mi pouzit scp
pesnik:~$ dllllhyyy prikaz | ssh testor "cat >
remotefile"
pesnik:~$ mysqldump -uroot -p db | ssh testor "gzip -
> db.gz"
pesnik:~$ mysqldump -uroot -p db |gzip - | ssh testor
"cat > db.gz"
pesnik:~$ cat zoznam | ssh testor "while read input;
do prikaz $input $USER;done"

10. X11 jednoducho
pesnik:~$ ssh -X testor firefox
pesnik:~$ ssh -X testor.vpn gnome-terminal
pesnik:~$ ssh -X testor.vpn xeyes

11. Agent forwarding
tomas.corej@pesnik:~$ ssh-add -l
2048 f8:c6:6a:f4:ca:ee:0e:57:86:ed:f1:4b:ec:d3:84:ba /home/tomas.corej/.ssh/id_rsa (RSA)
tomas.corej@pesnik:~$ ssh -A testor
tomas.corej@testor:~$ ssh-add -l
2048 f8:c6:6a:f4:ca:ee:0e:57:86:ed:f1:4b:ec:d3:84:ba /home/tomas.corej/.ssh/id_rsa (RSA)
tomas.corej@pesnik:~$ ssh -A testor2
mozne bezpecnostne riziko
adresar s unixovym socketom pristupny v /tmp
moze viest k chybam hlavne pri spustani cron skriptov

12. SOCKS proxy a tunelovanie
pesnikl:~$ ssh -D 3128 testor
-L[bind_address:]port:host:hostport Request local forward
-R[bind_address:]port:host:hostport Request remote forward
-D[bind_address:]port Request dynamic forward
1.

13. Host *
User root
ForwardAgent yes
ForwardX11 yes
ConnectTimeout=20
PreferredAuthentications=publickey,password,keyboard-
interactive
StrictHostKeyChecking=no
ControlMaster auto
ControlPath ~/.ssh/sockets/%r@%h:%p
SendEnv BASH_ENV
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/customers_vps
Compression yes
Host abcd
IdentityFile ~/.ssh/abcd.pub
Ulozme si to vsetko do $HOME/.ssh/config

14. level++

15. ProxyCommand
● moze to byt cokolvek, dolezite je, aby to
spracovavalo STDIN a STDOUT
ssh -o ProxyCommand="$HOME/.ssh/gateway.sh %h %p" testor
● Nahradzuje %h, %p a %r
● pristup cez prostrednika
ssh -o ProxyCommand="ssh user@testor nc %h %p" user@192.
168.1.2 "uname -a"
● parameter -W
● riziko DOS

16. Multiplexovanie SSH spojeni
● pri castom generovani SSH spojeni a vo
velkom mnozstve
● skracuje cas a znizuje overhead (0.2s vs
0.014s)
● config
ControlMaster auto
ControlPath ~/.ssh/sockets/%r@%h:%p
● ovladanie cez -O check,forward,stop,exit

17. Multiplexovanie SSH spojeni
pesnik:~$ ssh testor
You have mail.
Last login: Thu Jul 11 00:12:57 2012 from pesnik
testor:~$
testor:~$ ~^Z
pesnik:~$ cd ~/.ssh/sockets
pesnik:~$ ~/.ssh/sockets$ ls
user@testor:22
pesnik:~$ ssh -O check user@testor
Master running (pid=22797)
pesnik:~$ fg
testor:~$

18. Subsystemy
● ina forma spustania remotnych prikazov
● SFTP je subsystem
● moze ist aj o internu funkcionalitu (sftp a
chroot)
● server sshd_config
Subsystem backup /root/bin/backupcmd
● ssh klient
ssh -s backup root@testor

19. DNS SSHFP
● rozsireny sposob verifikacie odtlackov
● fingerprinty SSHD je mozne ulozit aj do
DNS zaznamov
● VerifyHostKeyDNS yes|ask|no

20. Sukromne kluce
● sukromne kluce sa nachadzaju v
$HOME/id_rsa (defaulne)
● Kluce je mozne dodatocne specifikovat
no-port-forwarding,no-user-rc,no-X11-forwarding,no-pty,
command="/bin/nc $SSH_ORIGINAL_COMMAND" ssh-rsa
AAAAB3NzMMAND" ssh-rsa AAAAB3Nza....
● $SSH_ORIGINAL_COMMAND obsahuje
text prikazu
ssh root@testor prikaz

21. OpenSSH-lpk
● OpenSSH-lpk patch
○ sposobuje dotazovanie sa na verejne kluce na
LDAP server

23. factotum
● prispevok zo sveta operacneho systemu
Plan9