Free Electrons - Arlotto.univ-tln.fr

Transcription

SSH
Thomas Petazzoni, Free Electrons

Free Electrons. Kernel, drivers and embedded Linux development, consulting, training and support. http://free-electrons.com

Rights to copy

Copyright 2008-2009, Free Electrons
feedback@free-electrons.com
Document sources, updates and translations: http://free-electrons.com/docs/ssh
Corrections, suggestions, contributions and translations are welcome!
Latest update: Jan 29, 2009

Attribution – ShareAlike 3.0
You are free
- to copy, distribute, display, and perform the work
- to make derivative works
- to make commercial use of the work
Under the following conditions
- Attribution. You must give the original author credit.
- Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a license identical to this one.
- For any reuse or distribution, you must make clear to others the license terms of this work.
- Any of these conditions can be waived if you get permission from the copyright holder.
Your fair use and other rights are in no way affected by the above.
License text: http://creativecommons.org/licenses/by-sa/3.0/legalcode

Introduction

SSH stands for Secure SHell.

SSH is a secure communication protocol that allows remote login, file transfer and port tunneling, standardized in RFC 4251, 4252, 4253 and 4254.

It is a replacement for telnet, rlogin, rsh, etc., which send passwords and data in clear text.

On Linux, the main implementation is OpenSSH, with both the server and client programs. A smaller implementation for embedded systems, called Dropbear, is also available.

On Windows, PuTTY is one of the free SSH clients available.

Installation and basic usage

OpenSSH is available as a package in all GNU/Linux distributions. On Ubuntu, two packages are available:
- openssh-client, the client programs
- openssh-server, the server program

Connecting to an SSH server is as simple as:

    ssh username@hostname

ssh will prompt for the user password and log in to the remote system. On the first connection it also shows the server's host key fingerprint and asks you to confirm it; the key is then recorded in ~/.ssh/known_hosts and later connections warn if it changes.

File transfer and X forwarding

Files can be transferred using the scp client program:

    scp myfile1 myfile2 username@hostname:/dest/directory/
    scp -r mydirectory user@host:/dest/

With the ssh -X option, one can tell ssh to enable X11 forwarding:
- It allows graphical applications run on the remote host to be displayed on the local screen.
- On the server, X11Forwarding must be enabled in the configuration file /etc/ssh/sshd_config.
- Forwarding gives programs on the remote host access to your local X display, so only enable it towards hosts you trust.

Remote execution

ssh not only allows connecting to a remote host, but also remote execution of commands:

    ssh user@host ls

This is very useful in shell scripts, for example.

ssh is also used by other programs as a transport layer:
- rsync, the synchronisation tool, can work over ssh:

    rsync -a -e ssh /work user@workhost:/work

- CVS, Subversion and most version control tools can work over SSH.

Skipping the password with keys

An interesting feature of SSH is that you can bypass the password step by using cryptographic keys.

First, generate a private and public SSH key pair using:

    ssh-keygen -t dsa

(DSA keys have been disabled by default since OpenSSH 7.0; on a current system use ssh-keygen -t ed25519 instead.)

It will prompt you for a passphrase, which will be required to "unlock" your private key every time you use it.

The keys have been generated in:
- ~/.ssh/id_dsa, the private key, that no one else should have access to
- ~/.ssh/id_dsa.pub, the public key, that you can transfer publicly to everybody

Skipping the password with keys (2)

Now, you need to transfer the public key to the hosts you want to connect to:

    ssh-copy-id user@host

The public key has been transferred to the remote host, and you should see it in ~/.ssh/authorized_keys on the remote host.

Trying to log in to the remote host should now ask you for the passphrase of the private key, not for the account password.

This replaces our dozens of different passwords with a single passphrase, which is easier to remember. (Once key authentication works everywhere you need it, PasswordAuthentication can be switched off in sshd_config so the account password is no longer exposed to guessing.)

Skipping the password with keys (3)

ssh-agent allows you to avoid giving the passphrase at every login. It keeps the decrypted private key in memory, either forever or for a limited time (ssh-add -t seconds).

Run the agent:

    eval $(ssh-agent)

- This runs the ssh-agent program
- and sets a few environment variables (SSH_AUTH_SOCK, SSH_AGENT_PID) so that the other ssh programs can connect to the agent.

Give the passphrase to the agent:

    ssh-add

The other ssh programs can now log in to remote hosts that know about your public key without entering the passphrase.
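The remote-side half of the procedure above (what ssh-copy-id does on the target host), written out by hand as an added example. This is not code from the slides nor the ssh-copy-id source; it uses a constructed, non-functional public-key line and a temporary directory standing in for the remote user's ~/.ssh, and it makes the permission rules explicit that ssh-copy-id silently applies.

```shell
#!/bin/sh
# Added example, not from the slides and not the ssh-copy-id source: the
# remote-side work that ssh-copy-id does, written out so the permission
# rules are visible. sshd (StrictModes yes, the default) ignores
# authorized_keys when the file or ~/.ssh is writable by others, and the
# ssh client refuses a private key file that other users can read.

# install_pubkey DIR PUBKEY_LINE
# Appends PUBKEY_LINE to DIR/authorized_keys exactly once, creating DIR
# and the file with safe modes. Prints the number of authorized keys.
install_pubkey() {
    ipk_dir=$1
    ipk_key=$2
    # umask in a subshell so new files never exist with loose modes, even briefly
    ( umask 077; mkdir -p "$ipk_dir"; touch "$ipk_dir/authorized_keys" )
    chmod 700 "$ipk_dir"
    chmod 600 "$ipk_dir/authorized_keys"
    # Idempotent: running ssh-copy-id twice must not duplicate the key.
    if ! grep -qxF -- "$ipk_key" "$ipk_dir/authorized_keys"; then
        printf '%s\n' "$ipk_key" >> "$ipk_dir/authorized_keys"
    fi
    wc -l < "$ipk_dir/authorized_keys" | tr -d ' '
}

# check_key_modes DIR
# Prints "ok" when DIR, authorized_keys and every private key in DIR have
# the modes ssh/sshd insist on; otherwise lists what is wrong.
check_key_modes() {
    ckm_dir=$1
    ckm_problems=""
    [ -n "$(find "$ckm_dir" -maxdepth 0 -perm 700)" ] \
        || ckm_problems="$ckm_problems dir-not-0700"
    [ -n "$(find "$ckm_dir/authorized_keys" -maxdepth 0 -perm 600)" ] \
        || ckm_problems="$ckm_problems authorized_keys-not-0600"
    for ckm_priv in "$ckm_dir"/id_*; do
        case $ckm_priv in *.pub) continue ;; esac
        [ -e "$ckm_priv" ] || continue
        [ -n "$(find "$ckm_priv" -maxdepth 0 -perm 600)" ] \
            || ckm_problems="$ckm_problems $(basename "$ckm_priv")-not-0600"
    done
    if [ -z "$ckm_problems" ]; then echo ok; else echo "$ckm_problems"; fi
}

# Demo with a constructed public-key line (not a real key) and a temporary
# directory standing in for the remote user's ~/.ssh.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedNotARealKeyxxxxxxxxxxxxxxxxxxx tom@laptop'
demo_dir=$(mktemp -d)/.ssh
install_pubkey "$demo_dir" "$SAMPLE_KEY"     # 1
install_pubkey "$demo_dir" "$SAMPLE_KEY"     # still 1: no duplicate
check_key_modes "$demo_dir"                   # ok
chmod 644 "$demo_dir/authorized_keys"         # loosen it, as a careless edit might
check_key_modes "$demo_dir"                   # authorized_keys-not-0600
```

The check function is the one worth keeping around: a "Permissions ... are too open" refusal on the client, or a key that is silently ignored by sshd, is almost always one of these three modes.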

Skipping the password with keys (4)

The environment variables set by ssh-agent disappear when you exit the current shell.

The best solution is to start ssh-agent before starting the X server, so that all your applications will have access to these environment variables.

This is usually done by default on most distributions, including Ubuntu:
- the file /etc/X11/Xsession.options sets the use-ssh-agent option;
- a script in /etc/X11/Xsession.d/ starts the agent if the use-ssh-agent option is set.

Skipping the password with keys (5)

The process of telling the agent your passphrase can be further improved by:
- installing a graphical ssh-add program: ssh-askpass-gnome for Gnome or ksshaskpass for KDE (only available in the next Ubuntu version);
- running ssh-add automatically when the graphical environment starts. The exact configuration depends on your window manager.

Port tunneling

SSH can also be used to tunnel ports.

Create a local port that connects to a remote host through an SSH connection to another host:

    ssh -L 12345:localhost:25 user@host

Any connection to the local port 12345 is carried through the encrypted tunnel to host, which then connects to port 25 of the destination given in the middle field. That destination is resolved on host, so "localhost" here means host's own port 25.

Create a remote port that connects to a host through an SSH connection to localhost:

    ssh -R 4242:kernel.org:80 user@host

Any connection to port 4242 on the remote host is carried back through the encrypted tunnel to the local machine, which then connects to port 80 of kernel.org. Only the SSH leg is encrypted; the hop from the tunnel endpoint to the final destination uses whatever the destination protocol is (plain HTTP here).

In both cases the listening port binds to the loopback interface only, unless ssh -g (for -L) or GatewayPorts in sshd_config (for -R) says otherwise. Add -N when you only want the tunnel and no remote shell.

Configuration file

SSH reads a per-user configuration file in ~/.ssh/config. It can be used to set global options, but also per-host options, like:

    Host openmoko
        HostName 192.168.0.202
        User root

Using these options, running "ssh openmoko" will connect automatically to IP 192.168.0.202 with the root login.
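As an added example (not code from the slides or from OpenSSH), a small resolver that reads a client configuration file the way ssh does, to show the rule the slide leaves implicit: for each keyword the first value found wins, and several Host blocks can match the same alias, so generic "Host *" defaults must come last or they override every per-host setting. The configuration file used is constructed for the example; only Host, HostName, User and Port are handled, not Match blocks, negated "!pattern" entries or the "Keyword=value" form.

```shell
#!/bin/sh
# Added example, not from the slides and not OpenSSH code: resolve a host
# alias against an ssh_config-style file with ssh's first-match semantics.
# Real ssh applies the command line first, then ~/.ssh/config, then
# /etc/ssh/ssh_config; this script handles one file only.

# resolve_host CONFIG_FILE ALIAS -> prints "hostname user port"
# ("-" when no User is configured, 22 when no Port is configured)
resolve_host() {
    awk -v alias="$2" '
        # Turn an ssh Host pattern (* and ? wildcards) into an anchored ERE.
        function glob2re(p) {
            gsub(/[].^$+(){}|\\]/, "\\\\&", p)   # escape regex metacharacters
            gsub(/\*/, ".*", p)
            gsub(/\?/, ".", p)
            return "^" p "$"
        }
        BEGIN { active = 1 }              # options before any Host line apply everywhere
        /^[ \t]*(#|$)/ { next }           # comments and blank lines
        {
            key = tolower($1)             # keywords are case-insensitive
            if (key == "host") {          # a Host line may carry several patterns
                active = 0
                for (i = 2; i <= NF; i++)
                    if (alias ~ glob2re($i)) active = 1
                next
            }
            # First value seen for a keyword wins; later blocks cannot override it.
            if (active && !(key in opt)) opt[key] = $2
        }
        END {
            hn = ("hostname" in opt) ? opt["hostname"] : alias
            us = ("user" in opt) ? opt["user"] : "-"
            pt = ("port" in opt) ? opt["port"] : 22
            print hn, us, pt
        }' "$1"
}

# Demo on a constructed config file: the slide's openmoko entry, a wildcard
# block for build machines, and a "Host *" default placed correctly at the end.
DEMO_CFG=$(mktemp)
cat > "$DEMO_CFG" <<'EOF'
Host openmoko
    HostName 192.168.0.202
    User root

Host build-*
    User builder
    Port 2222

Host *
    User tom
EOF
resolve_host "$DEMO_CFG" openmoko      # 192.168.0.202 root 22
resolve_host "$DEMO_CFG" build-box     # build-box builder 2222
resolve_host "$DEMO_CFG" other.host    # other.host tom 22

# The classic mistake: "Host *" at the top. Its User is seen first, so the
# openmoko block's "User root" is never applied.
BAD_CFG=$(mktemp)
cat > "$BAD_CFG" <<'EOF'
Host *
    User tom
Host openmoko
    HostName 192.168.0.202
    User root
EOF
resolve_host "$BAD_CFG" openmoko       # 192.168.0.202 tom 22
```

On a real system, "ssh -G alias" (OpenSSH 6.8 and later) prints the fully resolved configuration and is the quickest way to confirm which block actually won.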

Practical lab – Using SSH

Time to start the lab!
- Ask your neighbor to create an account for you
- Log in to your neighbor's system using ssh
- Set up the keys to log in without entering any password

Thanks

To people who sent corrections, suggestions or improvements:
- Guillaume Lelarge

Related documents

All the technical presentations and training materials created and used by Free Electrons, available under a free documentation license (more than 1500 pages!).

http://free-electrons.com/training
- Linux USB drivers
- Introduction to Unix and GNU/Linux
- Real time in embedded Linux systems
- Embedded Linux kernel and driver development
- Introduction to uClinux
- Free Software tools for embedded Linux systems
- Linux on TI OMAP processors
- Audio in embedded Linux systems
- Free Software development tools
- Multimedia in embedded Linux systems
- Java in embedded Linux systems

http://free-electrons.com/articles
- Introduction to GNU/Linux and Free Software
- Linux and ecology
- Advantages of Free Software in embedded systems
- What's new in Linux 2.6?
- Embedded Linux optimizations
- How to port Linux on a new PDA
- Embedded Linux from Scratch... in 40 min!

How to help

If you support this work, you can help:
- by sending corrections, suggestions, contributions and translations;
- by asking your organization to order training sessions performed by the author of these documents (see http://free-electrons.com/training);
- by speaking about it to your friends, colleagues and local Free Software community;
- by adding links to our on-line materials on your website, to increase their visibility in search engine results.

Free Electrons services
http://free-electrons.com

Embedded Linux Training
- Unix and GNU/Linux basics
- Linux kernel and drivers development
- Real time Linux
- uClinux
- Development and profiling tools
- Lightweight tools for embedded systems
- Root filesystem creation
- Audio and multimedia
- System optimization

Consulting
- Help in decision making
- System architecture
- Identification of suitable technologies
- Managing licensing requirements
- System design and performance review

Custom Development
- System integration
- Embedded Linux demos and prototypes
- System optimization
- Linux kernel drivers
- Application and interface development

Technical Support
- Development tool and application support
- Issue investigation and solution follow-up with mainstream developers
- Help getting started
