On a Linux or Unix system, ssh is used to make a secure connection to a remote machine. This connection can be used as a communications transport for other programs. In this article I describe how to setup an encrypted ssh connection between two machines. This connection can be used to log in to the remote machine, synchronize files between the machines, or display locally the GUI of a program running on a remote machine.
For the purposes of this article, alfa and beta are the peer machines we wish to configure. Both have a user account named bill.
The first step is to install openssh on machine alfa:
bill@alfa: sudo apt-get install openssh-server openssh-client bill@alfa: sudo apt-get install rssh molly-guard openssh-blacklist openssh-blacklist-extra
We install both the ssh client and server portion as we will both be ssh'ing from and to these machines. The packages on the second line are optional, but a good idea. Refer to the man pages for more information.
At this point, we could use ssh to access a remote machine (running a ssh server) and be prompted for a password to validate access. Password login validation for ssh is a bad idea because it opens a security hole. Instead we follow the steps below to exchange security keys with the target machine and eliminate the ability to ssh using a password.
Create the encryption key on alfa:
bill@alfa: ssh-keygen -t rsa -C "user bill on alfa"
Enter a filename, for example: bill_on_alfa. If the generated files are not created in ~/.ssh, move them there. The -C comment at the end of the command is optional, but a good idea as it help human readers identify the key. The public portion of the key and the comment ends up as part of the identity string in alfa's authentication agent, and in beta's authorized_keys file.
Now add the RSA identity to alfa's authentication agent. On alfa, type:
bill@alfa: ssh-add bill_on_alfa
Listing the RSA identities in alfa's authentication agent is done by:
bill@alfa: ssh-add -L
You should see the public key parameter of the just generated key as well as the "user bill on alfa" comment.
Since the identity is registered in alfa's authentication agent, we can use the 'short form' of ssh-copy-id to propagate the public key to beta's authorized_keys file.
This command behaves nicely, creating the authorized_keys file if none exists, or appending the key if the file already exists.
Test the configuration by ssh to beta. No password should be required if things are configured correctly:
bill@alfa: ssh beta.local bill@beta:
To test this further, rename beta's authorized_keys to another filename. A ssh from alfa to beta should again require a password. Restore beta's authorized_keys to restore the ssh key configuration.
ssh Password SecurityThe best password security for ssh is removing the ability to ssh using a password!
Since a key has been installed for authentication, we no longer need a password to log in. Let's change the ssh server settings on beta to only authenticate using a key. First, make a write protected backup of the original sshd_config file:
bill@beta: sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak bill@beta: sudo chmod a-w /etc/ssh/sshd_config.bak
The sshd_config file contains password authentication settings. To remove the possibility to log in with a password, we find the line:
And replace it with a line that looks like this:
What editor will you use to make the change? If you answered Emacs, then no further hoops need jumping through as Emacs can run from the command line. Alternatively, gedit can be run with a little ssh magic: X11 forwarding.
From alfa, start gedit on beta, but have the GUI displayed on alfa:
bill@alfa: ssh -X beta.local bill@beta: sudo gedit /etc/ssh/sshd_config
For the password authentication setting to take effect we need to restart the ssh server on beta.
bill@beta: sudo /etc/init.d/ssh restart
That's it. Now (only) alfa can ssh to beta. Invert the instructions above for the secure ssh connection from beta to alfa.
ExtrasWe have already seen X11 forwarding with gedit over X. Another powerful tool is the use of rsync over ssh. I use this to keep my files synchronized between my machines. I gain the ability to work on local files on my machines, with the bonus side effect of having each machine function as file backup repository.
bill@alfa: rsync --progress -avz -e ssh email@example.com:~/Desktop/bu/ ~/Desktop/bu
It is a good idea to experiment first with an additional parameter, -n, so that a 'dry run' is done with no changes.
- As with all information found on the internet, especially information which could affect the security on your computer, don't rely on this as an oracle of correct information. Please read the man pages and do web searches on all information presented here.
- Please contact me if you do see any errors here.
- If you have trouble making ssh contact with a computer using a wireless network, ensure that wireless connection is configured so that it starts without anyone logging in. Under Ubuntu: right click on the connection icon, select 'Edit Connections', click on the Wireless tab, double-click on the active wireless connection and mark both 'Connect automatically' (at the top) and 'Available to all users' (at the bottom), then press 'Apply'.
Finally, it pays to be security conscious. After making these ssh changes to your computers, run:
bill@alfa: nmap 192.168.1.0-255
Change '192.168' if your internal network uses a different configuration. Ensure that you know what all the open ports in the resulting report are doing.