Tuesday, December 24, 2024


Connect to Remote Hosts with Secure Shell

Securing network operations with OpenSSH

OpenSSH is a program that creates a secure connection between two computers. It is often used for tasks such as remotely administering a computer, transferring files, or tunneling insecure protocols. SSH encrypts all traffic between the two computers, which makes it much harder for someone to eavesdrop on the conversation or hijack the connection. This chapter covers the basics of using OpenSSH, as well as how to rotate host keys and how to use certificate authentication. The latter two topics are especially useful when managing a large number of SSH connections.

OpenSSH overview

SSH is a network protocol that provides end-to-end protection for communications between the computers on your network, or between your computers and systems outside your network. You can open an SSH session to any computer for which you have a login and the correct authentication method.

SSH is a client-server protocol. Any host running the sshd daemon can accept SSH connections from other hosts. Each host running sshd can have its own configuration, for example limiting who is allowed to log in and which authentication methods are accepted.

SSH relies on encryption key pairs. Each pair consists of a public key and a private key: what is encrypted with the public key can only be decrypted with the matching private key. Public keys may be freely shared, but private keys must be protected and never shared, because anyone who obtains a private key can pose as its owner.

In SSH, client and server authenticate each other. The server first presents its public host key to the client, which compares it against its list of known host keys. If it finds a match, the server is authenticated and the client proceeds. If the server cannot be authenticated, the client disconnects immediately. If the client has no host key for the server at all, it asks whether the server should be trusted:

The authenticity of host '192.168.22.219 (192.168.22.219)' can't be established.
ECDSA key fingerprint is SHA256:yXf6pjV26N0fegvEYIt3HgG95s3Q1X6WYRhtHLF99pUo.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

The user has the option to type “yes,” “no,” or paste their copy of the host key fingerprint for comparison.

Note: Matching host key fingerprints

If you give your users copies of your host key fingerprints, they can verify that they are getting the right host keys: they paste their copy of the fingerprint at the prompt, and ssh compares the two. If the fingerprints match, the host key is correct. This is more reliable than comparing the fingerprints by eye.

You cannot assume that every user will verify correctly. Even if the fingerprints do not match, a user can still type “yes”, or copy the fingerprint out of the message itself, and finish connecting.

If a host’s public key has changed since it was recorded, the connection is refused with a scary warning:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:keNu/rJFWmpQu9B0SjIuo8NLjbeDY/x3Tktpl7oDJqo.
Please contact your system administrator.
Add correct host key in /home/geeko/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/geeko/.ssh/known_hosts:210
You can use following command to remove the offending key:
ssh-keygen -R 192.168.121.219 -f /home/geeko/.ssh/known_hosts
ECDSA host key for 192.168.121.219 has changed and you have requested strict
checking.
Host key verification failed.

To clear the warning, first confirm, as the message suggests, with the system administrator that the host key really was changed legitimately. Then remove the old key from ~/.ssh/known_hosts using the ssh-keygen -R command shown in the message, connect again, and accept the new host key.
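The three outcomes of the host key check described above (known key, changed key, unknown host) as an added Python example; this is not code from the original article or from OpenSSH. It reimplements the known_hosts lookup and the SHA256 fingerprint format shown in the prompts, using constructed ssh-ed25519 key blobs (not real keys), a constructed known_hosts file with one plain and one hashed entry, the page’s 192.168.22.219 address and a made-up bastion.example host name.

```python
import base64
import hashlib
import hmac
import struct

def ssh_fingerprint(key_b64: str) -> str:
    """OpenSSH SHA256 fingerprint: base64(sha256(decoded key blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(pattern: str, host: str) -> bool:
    """known_hosts host field: comma-separated names, or the hashed '|1|salt|hmac' form."""
    if pattern.startswith("|1|"):
        _, _, salt, mac = pattern.split("|")
        calc = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(calc, base64.b64decode(mac))
    return host in pattern.split(",")

def check_host_key(known_hosts: str, host: str, keytype: str, key_b64: str) -> str:
    """Classify a presented host key as ssh does: KNOWN, CHANGED (warning) or UNKNOWN (prompt)."""
    presented = ssh_fingerprint(key_b64)
    for lineno, line in enumerate(known_hosts.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):  # skip comments, CA/revoked markers
            continue
        if fields[1] == keytype and host_matches(fields[0], host):
            if hmac.compare_digest(ssh_fingerprint(fields[2]), presented):
                return "KNOWN"
            return f"CHANGED: offending {keytype} key in known_hosts:{lineno}"
    return "UNKNOWN"

def make_ed25519_blob(label: bytes) -> str:
    """Constructed ssh-ed25519 wire-format blob (32 placeholder bytes, not a real key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + hashlib.sha256(label).digest()
    return base64.b64encode(blob).decode()

# Constructed known_hosts: one plain entry and one hashed entry (as written with HashKnownHosts yes)
GOOD_KEY = make_ed25519_blob(b"constructed host key A")
OTHER_KEY = make_ed25519_blob(b"constructed host key B")
SALT = b"0123456789abcdef0123"
HASHED = "|1|%s|%s" % (base64.b64encode(SALT).decode(),
                       base64.b64encode(hmac.new(SALT, b"bastion.example", hashlib.sha1).digest()).decode())
KNOWN_HOSTS = "192.168.22.219 ssh-ed25519 %s\n%s ssh-ed25519 %s\n" % (GOOD_KEY, HASHED, GOOD_KEY)

if __name__ == "__main__":
    print(check_host_key(KNOWN_HOSTS, "192.168.22.219", "ssh-ed25519", GOOD_KEY))   # KNOWN
    print(check_host_key(KNOWN_HOSTS, "192.168.22.219", "ssh-ed25519", OTHER_KEY))  # CHANGED: ... known_hosts:1
    print(check_host_key(KNOWN_HOSTS, "bastion.example", "ssh-ed25519", GOOD_KEY))  # KNOWN (hashed entry)
```

A CHANGED result is exactly the situation behind the warning above, and the line number it reports is the one ssh prints as “Offending ECDSA key in … known_hosts:N”.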

The openssh package installs the server, client, and file transfer commands, as well as some utilities.

OpenSSH supports several different types of authentication:

Password authentication
Logging in with a user name and password from any system is the simplest and most flexible type of authentication. It is also the least secure, because it is vulnerable to password cracking and keystroke logging.
Public key authentication
This authentication method uses your personal SSH keys instead of a login and password. This is less flexible than password authentication because you can only open SSH sessions from a machine that has your private identity key. However, it is much stronger because it is not vulnerable to password cracking or keystroke logging. An attacker would need to have your private key and know the passphrase in order to gain access.

To learn how to use gnome-keyring for automated public key authentication in GNOME sessions, see Section 22.8.1, “Automatic public key logins in GNOME with gnome-keyring.”

To learn how to use ssh-agent for automated public key authentication in console sessions, see Section 22.8.2, “Automated public key logins in the console with ssh-agent.”

Passphrase-less public key authentication
Public key authentication with a private key that has no passphrase. This is useful for automated services such as scripts and cron jobs. Protect such private keys carefully: anyone who obtains one can easily impersonate the key’s owner.
Certificate authentication
OpenSSH also supports authentication with certificates rather than bare keys. Certificates simplify key management, provide stronger authentication, and suit large-scale SSH deployments.

SUSE Linux Enterprise Server installs the OpenSSH package by default, providing the following commands:

ssh
The SSH client command helps you to connect to a remote host.
scp
Secure file copy from or to a remote host.
sftp
Secure file transfer between a client and a server using the SFTP protocol.
ssh-add
Add private key identities to the authentication agent, ssh-agent.
ssh-agent
The ssh-agent program manages a user’s private identity keys and their associated passphrases. It stores the passphrases in memory and applies them as needed so that the user does not have to re-type them every time they want to authenticate using their public key.
ssh-copy-id
Securely copies a public key to a remote host in order to set up public key authentication.

We previously learned about the terminal and how to run commands on Unix or Linux, and listed a few essential commands to commit to memory. Now let’s move on and introduce the concept of “piping”.

Man(ual) pages

Although there are those who have memorized the entire Unix manual, it is not necessary to do so. This tutorial will show you how to find the specific information you need in the manual, so that you can use commands effectively.

The shell’s manual browser is opened with “$ man <enter>” followed by a utility name or other query. If you type only man, with no argument, you receive the prompt “What manual page do you want?”, as follows:

~ $ man
What manual page do you want?

Every program has a manual page that you can view with the man command. To view the manual page for the grep utility, for example, type man grep in your terminal.

You specify one or more options by typing a hyphen followed by letters. Most programs have an option that displays help text. For example, while viewing a man page you can type ‘h’ at any time to see the help text. This matters because it tells you how to exit the program (quit at any time by typing ‘q’).

- Instead of using a mouse to navigate around your screen, you will mostly be using keystrokes.
- We will explore this concept further with the Vim text editor.
- For now, just notice that you can use the arrow keys to go up or down by line, and the spacebar will ‘page’ you down a screen at a time.
- To quit, type ‘q’ and you will be brought back to your terminal prompt.
- Just like the up and down arrow keys, the ‘j’ and ‘k’ keys move you up and down by line.

The man page for grep tells us how to print a brief help message:

~ $ grep --help

To find this in the manual, run $ man grep and look under DESCRIPTION for the --help option. Most options take a single hyphen, but grep’s man page tells us that its help text requires two, because the single-hyphen ‘-h’ option is reserved for something else. This is worth noting because in most programs the help text needs only one hyphen: ‘-h’. Whenever your intuition fails you, consult the man page of the program you are using for the correct syntax. Browsing a program’s options can also be a source of inspiration for scripting and constructing command-line statements.

**********

The echo command displays text in the terminal. You can use it to create a new file containing text by piping (redirecting) its output into the file with >. Anything after a hash sign (#) is a comment, which the shell ignores.

**********

Plumb your output with pipes

When programming in Unix, it is common to use pipes to connect multiple programs together. This allows you to chain together multiple programs so that the output of one program becomes the input of the next program. This can be done for as many programs as you want, and can create very long chains of programs.

For example, you can use cat to print a file to the screen and pipe its output to wc to get line, word and character counts.

In other words, the output of one task becomes the input of the next, forming a chain of tasks. There are also redirection operators that replace a file with a program’s output or append the output to an existing file. Together these features let you build content in a code-driven way.

So let’s begin, starting very simply. Basic pipe syntax:

cmd1 | cmd2
cmd > file.txt
cmd >> file.txt

The first form pipes the output of cmd1 into cmd2. The cmd > file.txt form replaces the contents of file.txt with the output of cmd. The cmd >> file.txt form appends the output of cmd to the end of file.txt.

As an exercise, create a text file named testwc.txt containing the phrase “follow the white rabbit”, use the wc command to count the number of words in that file, and then delete the file.

Public HTML

The ‘public_html’ directory is designed to be accessible from the internet, which means that it can be reached by anyone using your GoDaddy hosting account domain name. The settings for web servers determine how this is set up. We will discuss this in more detail later on, and perhaps create our own web server settings in a future installment covering VPS deployment.

We are going to create some HTML files that you can access from anywhere. The server will also save any logs written to: ~/access-logs/domain.tld, and they will be compressed monthly and saved to ~/logs. Let’s create a couple of files, write a redirect, and check the logs to see how many times the files are accessed.

Change directory to the web folder and create two files using echo and redirection (echo prints its arguments, so put the text in quotes when it is more than one word). The ‘&&’ between the commands chains them, so that the second runs only if the first succeeds, letting us issue more than one command in a single statement:

$ cd ~/public_html
$ echo file1 > file1.html && echo file2 > file2.html

This changes your directory to the public_html folder and creates two files, file1.html and file2.html, containing the text “file1” and “file2” respectively.

First, browse to http://godaddy-domain-or-ip/file1.html; this creates a log entry. The page should display just the text “file1”, which echo wrote there by redirecting its output to replace (in this case, create) the file contents. Next, create a redirect to file2.html using a command-line text editor called Vim. Vim is very confounding at first, but it is essential for editing web server settings. If you follow along closely, you will learn the basics and open up a whole new world of possibilities.

What’s up next?

After this fairly intense piece, we will relax and write some basic HTML pages. This will include the most important SEO components so you can see how a technical SEO professional does it. You will know how to write webpage code from scratch before we begin programming pages dynamically using more powerful code.
