Differences

This shows you the differences between two versions of the page.

--- ops102:ssh [2024/01/15 12:52] – created chris
+++ ops102:ssh [2024/04/16 18:10] (current) – external edit 127.0.0.1
@@ Line 20: / Line 20: @@
 The most basic use of SSH is for a text-based connection used to enter commands and view command output, or execute a text-based application such a menu-driven system.
-Some SSH clients have a graphical interface. For those used from the command line, the most basic form of invocation is:
+Some SSH clients have a graphical interface. For OpenSSH and others used from the command line, the most basic form of invocation is:
 <code>
@@ Line 47: / Line 47: @@
   * Run ''df -h'' on the remote system, and display the graphics on the local computer: ''ssh -XC kim@winter firefox''
-======  Using SSH for a Graphical Application (X11 Tunnelling)  ======
+=====  Simplified SSH Access  =====
-SSH is capable of carrying graphical traffic using the X Window System (X11) protocol. This means that if your client system is running the X Window System (most Unix/Linux systems, and any Mac or Windows system on which an X Server has been started), you can run remote graphical programs and display the output (windows) locally.
+If you're using OpenSSH (the ssh client used on most Linux systems and other platforms), you can simplify ssh command lines by placing host connection details in the file ''~/.ssh/config'' (or on Windows, ''%HOME%\.ssh\config''), like this:
-To enable this, add the ''-X'' or ''-Y'' options to your command line. The difference between -X and -Y is that (ideally) the -X option will prevent certain advanced types of access which are not required by most graphical programs and which may present a security vulnerability, such as taking a screenshot of your desktop.
-=====  Example  =====
-  *  Run Firefox on the remote system, and display the graphics on the local computer: ''ssh -XC kim@winter firefox''
-======  Using SSH with Tunnelling  ======
-In addition to X11 tunnelling, SSH permits you to set up your own tunnels to carry arbitrary network traffic either from the client system to the server, or from the server to your client. This allows you to encrypt the traffic for security/privacy, and to circumvent firewalls.
-For local, forward (client to server) tunnels, the syntax is:
 <code>
- ssh -L //listenport//://destinationhost//://destinationport// [[//OPTIONS//]] [//user//@]//host// [[//command//]]</code>
+ Host "matrix"
+         hostname "matrix.senecapolytechnic.ca"
-Where:
+         user "YourUserID"</code>
-  *  //listenport// is the port on the client machine which will accept connections
-  *  //destinationhost// is the remote computer hostname or IP address to which connections will be directed. This is usually ''localhost'', which denotes the SSH server, but it can also be the name of a system which the server can directly reach. Note that communication between the server and the //destinationhost// is **not** encrypted.
-  *  //destinationport// is the port on the //destinationhost// to which the connection will be directed
-For reverse (server to client) tunnels, the syntax is:
+Once you have added these lines (inserting your user ID where appropriate) and set the permission on that file (on Linux, ''chmod 0600 ~/.ssh/config'') you can use this simplified command to access the server:
 <code>
- ssh -R //listenport//://destinationhost//://destinationport// [[//OPTIONS//]] [//user//@]//host// [[//command//]]</code>
+ ssh matrix</code>
-The arguments have the same meaning, but are executed one the opposite hosts, so the tunnel listens on the server and communicates to the destination through the client system.
-=====  Examples  =====
-  *  To connect port 8080 on the local computer to port 80 on the server //winter//, using the account //sam//: ''ssh -L 8080:localhost:80 sam@winter''
-    *  After the tunnel above was put in place, you could access ''http:<nowiki>//</nowiki>localhost:8080/'' and be connected to the webserver (port 80) on the host //winter//
-  *  To connect port 2000 on the local computer to port 1234 on the host //spring//, which is on the same LAN as the SSH server //winter//: ''ssh -R 2000:spring:1234 sam@winter''
-  *  To connect port 3000 on the server //winter// to port 5900 on the local computer: ''ssh -L 3000:localhost:5900 sam@winter''
+You can similarly configure simplified access in most other SSH client programs.
 ======  Using SSH for File Transfer  ======
 SSH provides two mechanisms for file transfer: //scp// and //sftp//. You can use these from the command line using the OpenSSH software (installed by default in most MacOS, Windows, and Linux systems) or you can use a graphical tool that uses these protocols.
-The following instructions are for using the OpenSSH version of scp/sftp from the command line:
 =====  scp - Secure Copy  =====
-The //scp// command functions like the normal Unix/Linux copy (cp) command, but accepts a hostname (and optional user ID) prepended to a filename for copying to/from remote systems:
+The ''scp'' command, which is included as part of the OpenSSH software, functions like the normal Unix/Linux copy (cp) command, but accepts a hostname (and optional user ID) prepended to a filename for copying to/from remote systems:
 <code>
- scp [[//user//@]]//host//://sourcefilename// [[//user//@]]//host//://destinationfilename//</code>
+  scp user@host:sourcefilename destinationfilename</code>
-The options are the same as for the ssh command, except that to specify a port number, use <code>-P</code (capital) instead of <code>-p</code> (lowercase).
+or
-For example:
+<code>
+  scp sourcefilename user@host:destinationfilename</code>
 ====  Examples  ====
@@ Line 110: / Line 84: @@
   * Copy the file ''test.tar'' from the home directory of the user //chris// on the computer //ireland// to the current directory: ''scp chris@ireland:~/test.tar .''
+=====  Graphical File Management over SSH  =====
-=====  sftp - Secure FTP  =====
+Many graphical file managers, such as the GNOME //Nautilus// and KDE //Konqueror// programs (both on Linux) or graphical file managers (on many operating system platforms), know how to manage files remotely using the ssh/scp/sftp protocols.
-//sftp// provides an encrypted version of FTP. The command usage is:
+For example, on GNOME, you can select the menu option Places>Connect to Server, enter the connection details, and view a file management window on a remote server. You can then rename, copy, move, and delete files using drag-and-drop operations (for example, you can copy a file by dragging it from your desktop to the remote window). You can also create bookmarks for rapid access to remote filesystems at a later date.
-<code>
- sftp [[//user//@]]//host//</code>
-At which point you can use any standard FTP command.
-====  Example  ====
-  *  Open a secure FTP connection to the account //john.doe// on the server //matrix.senecac.on.ca//: ''sftp john.doe@matrix.senecac.on.ca''
-=====  Graphical File Management over SSH  =====
-Many Linux graphical file managers, such as the GNOME //Nautilus// and KDE //Konqueror// programs, know how to manage files remotely using the ssh/scp/sftp protocols. For example, on GNOME, you can select the menu option Places>Connect to Server, enter the connection details, and view a file management window on a remote server. You can then rename, copy, move, and delete files using drag-and-drop operations (for example, you can copy a file by dragging it from your desktop to the remote window). You can also create bookmarks for rapid access to remote filesystems at a later date.
 ======  Using SSH with Public-Key Authentication  ======
 Although SSH can be used with passwords, a sysadmin may need to initiate hundreds of SSH connections a day, and typing passwords that often is tedious. SSH therefore permits authentication using public and private keys.
 =====  Background: Public Key Cryptography  =====
 See [[Public Key Cryptography]] for an overview of how this technology works.
 =====  Using Public Keys with SSH  =====
 ====  Creating a Public/Private Key Pair  ====
@@ Line 150: / Line 107: @@
     *  Answer the questions asked by ssh-keygen. Use default values for most questions. The use of a passphrase is **strongly** recommended. Avoid changing the filename from the default (unless there is a really good reason), because the location, name, and permission of keys is critical.
     *  ssh-keygen will produce two files:
-  - <nowiki>**</nowiki> ''~/.ssh/id_ed25519'' - your private key
+      - ''~/.ssh/id_ed25519'' - your private key
-  - <nowiki>**</nowiki> ''~/.ssh/id_ed25519.pub'' - your public key
+      - ''~/.ssh/id_ed25519.pub'' - your public key
 A note on key type and length: ssh-keygen can generate multiple types of keys, including rsa, dsa, ecdsa, and ed25519. Any of these types serves the same purpose, and rsa/dsa can be generated with varying key lengths. The longer the key, the more difficult it is to break the key by guessing it (trying successive values until the right key is found) - each bit added to the key doubles the number of possible key values. Key lengths of 1024-4096 bits are considered reasonably secure; as computers become faster, key lengths should be increased. Better yet, use the ed25519 eliptic curve option, which is considered the most secure format supported by the current OpenSSH implementation (8.4 as of the time of writing).