
 

Chapter 14

Secure Remote Logins And File Copying

 

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

In This Chapter

Chapter 14

Secure Remote Logins And File Copying

Using Secure Shell As A Replacement For Telnet

Testing To See If SSH Is Running

The /etc/ssh/sshd_config File

Using SSH To Login To A Remote Machine

What You Should Expect To See When You Log In

Deactivating Telnet once SSH is installed

Using SCP as a more secure replacement for FTP

 

 

© Peter Harrison, www.linuxhomenetworking.com

 

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Here is some information on how to both remotely log in and copy files using a secure encrypted connection with Secure Shell (SSH) and Secure Copy (SCP). Similar programs such as Telnet and FTP are security hazards because they do not encrypt their passwords, or anything else they send. SSH and SCP could be the right choice for you.

Using Secure Shell As A Replacement For Telnet

When you use Telnet to remotely log into a Linux box you run the risk of people being able to eavesdrop on your network wire to see your username and password as unencrypted text. None of the data flow in Telnet is encrypted, so all your activities can be monitored. 


RedHat Linux comes standard with Secure Shell (SSH) installed. This provides an encrypted data stream for you to use when you log in from one machine to another. When logging in from another Linux/UNIX machine you use the "ssh" command. There are GUI-based SSH clients available for Windows; see the references in the bibliography.

·    You can get SSH configured to start at boot by using the chkconfig command.

 

[root@bigboy tmp]# chkconfig --level 35 sshd on

 

·    You can also start/stop/restart SSH after booting by running the sshd initialization script.

 

[root@bigboy tmp]# /etc/init.d/sshd start

[root@bigboy tmp]# /etc/init.d/sshd stop

[root@bigboy tmp]# /etc/init.d/sshd restart

 

Remember to restart the SSH process every time you make a change to the configuration files for the changes to take effect on the running process.

Testing To See If SSH Is Running

You can test whether the SSH process is running with the following command. You should get back the process ID number(s) of the running sshd daemon, and nothing at all if it is not running:

 

[root@bigboy tmp]# pgrep sshd

The /etc/ssh/sshd_config File

The SSH configuration file is called /etc/ssh/sshd_config. By default SSH listens on all your NICs and uses TCP port 22. See the configuration snippet below:

 

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

 

If you are afraid of people trying to hack in on a well known TCP port, then you can change port 22 to something else that won't interfere with other applications on your system, such as port 435. Bear in mind that this only hides sshd from casual scans of the default port; it does not replace good passwords and an up-to-date sshd.

 

·    First make sure your system isn't already listening on port 435, using the "netstat" command and "grep" to filter out every line that doesn't contain the string "435".

 

[root@bigboy root]# netstat -an | grep 435
[root@bigboy root]#

 

·    No response, OK. Change the Port line in /etc/ssh/sshd_config to mention 435 and remove the "#" at the beginning of the line. If port 435 is being used, pick another port and try again.

 

Port 435

 

·    Restart SSH

 

[root@bigboy tmp]# /etc/init.d/sshd restart

 

·    Check to ensure SSH is running on the new port

 

[root@bigboy root]# netstat -an | grep 435
tcp    0    0    192.168.1.100:435    0.0.0.0:*    LISTEN
[root@bigboy root]#
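The port-change steps above, written as an added example (not code from the book): the functions operate on whatever sshd_config path you pass in, so you can try them on a copy before editing the live /etc/ssh/sshd_config. The restart step is still done by hand.

```shell
#!/bin/sh
# Added example, not from the book: change sshd's listening port as the steps
# above describe, against a config file path you pass in (dry-run on a copy first).

# Return 0 if a TCP listener already owns port $1 (ss on current systems,
# netstat on the older RedHat releases this chapter covers).
port_in_use() {
    { ss -lnt 2>/dev/null || netstat -ant 2>/dev/null | grep LISTEN; } \
        | grep -Eq "[:.]$1[[:space:]]"
}

# Rewrite the Port directive in sshd_config $1 to port $2. Handles both the
# commented default ("#Port 22") and an already active "Port N" line, and
# appends a new line if the file has neither. Written via a temp file, no sed -i.
set_sshd_port() {
    cfg="$1"; port="$2"
    if grep -Eq '^#?Port[[:space:]]+[0-9]+' "$cfg"; then
        sed -E "s/^#?Port[[:space:]]+[0-9]+.*/Port ${port}/" "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    else
        printf 'Port %s\n' "$port" >> "$cfg"
    fi
}

# Print the port(s) an sshd reading config $1 will bind (22 if none is active).
sshd_ports() {
    awk '/^Port[[:space:]]+[0-9]+/ { print $2; found = 1 } END { if (!found) print 22 }' "$1"
}

# Demo on a constructed copy of the default snippet shown in the chapter.
demo_cfg=$(mktemp)
printf '#Port 22\n#Protocol 2,1\n#ListenAddress 0.0.0.0\n#ListenAddress ::\n' > "$demo_cfg"
if port_in_use 435; then
    echo "port 435 is already taken on this host; pick another" >&2
else
    set_sshd_port "$demo_cfg" 435
    echo "config now binds port(s): $(sshd_ports "$demo_cfg")"
    echo "apply this to the live file, then /etc/init.d/sshd restart and re-run: netstat -an | grep 435"
fi
rm -f "$demo_cfg"
```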

 

Using SSH To Login To A Remote Machine

Using SSH is similar to Telnet. To login from another Linux box use the "ssh" command with a "-l" to specify the username you wish to login as. If you leave out the "-l", ssh logs in with the same username you are using on the local machine. Here are some examples for a server named “smallfry” in your /etc/hosts file.

User “root” Logs In To smallfry As User “root” 

[root@bigboy tmp]# ssh smallfry

 

User “root” Logs In To smallfry As User “peter” 

The examples below assume that you have created a user called “peter” on smallfry.

Using default port 22

[root@bigboy tmp]# ssh -l peter smallfry

Using port 435

[root@bigboy tmp]# ssh -l peter -p 435 smallfry

 


 

What You Should Expect To See When You Log In

The first time you log in, you will get a warning message saying that the remote host doesn't know about your machine. Something like this:

 

[root@bigboy tmp]# ssh smallfry
Host key not found from the list of known hosts.
!! If host key is new or changed, ssh1 protocol is vulnerable to an
!! attack known as false-split, which makes it relativily easy to
!! hijack the connection without the attack being detected. It is
!! highly advisable to turn StrictHostKeyChecking to "yes" and
!! manually copy host keys to known_hosts.
Are you sure you want to continue connecting (yes/no)? yes
Host 'smallfry' added to the list of known hosts.
root@smallfry's password:
Last login: Thu Nov 14 10:18:45 2002 from 192.168.1.98
No mail.

[root@smallfry tmp]#
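The warning above recommends turning StrictHostKeyChecking on and copying host keys into known_hosts by hand. The following is an added example (not from the book) of doing that in plain shell: it records a host key obtained over a trusted channel (for instance /etc/ssh/ssh_host_rsa_key.pub read off the server's console) and refuses to silently replace a key that is already on record, which is exactly the changed-key case the warning is about. The key data in the demo is constructed, not a real key; the functions handle plain, unhashed known_hosts entries.

```shell
#!/bin/sh
# Added example, not from the book: seed known_hosts yourself from a host key
# obtained over a trusted channel, so the first ssh login verifies the server
# instead of trusting whatever answers. Plain (unhashed) known_hosts entries only.

# Print the known_hosts line(s) in file $1 whose host field names host $2.
# The host field is a comma-separated list, so match its members exactly.
known_host_entry() {
    awk -v h="$2" '{ n = split($1, names, ","); for (i = 1; i <= n; i++)
                     if (names[i] == h) { print; break } }' "$1"
}

# Add "$2 <keytype> <base64>" to known_hosts $1 from the .pub file contents in $3.
# Returns 0 if added or already identical, 2 if a different key is on record
# (a changed key must be investigated, not overwritten).
add_known_host() {
    kh="$1"; host="$2"
    keytype=$(printf '%s\n' "$3" | awk '{ print $1 }')
    keydata=$(printf '%s\n' "$3" | awk '{ print $2 }')
    existing=$(known_host_entry "$kh" "$host")
    if [ -z "$existing" ]; then
        printf '%s %s %s\n' "$host" "$keytype" "$keydata" >> "$kh"
        return 0
    fi
    if [ "$(printf '%s\n' "$existing" | awk '{ print $2, $3 }')" = "$keytype $keydata" ]; then
        return 0
    fi
    echo "host key on record for $host differs from the one supplied" >&2
    return 2
}

# Demo with a constructed (not real) key against a temporary known_hosts file.
demo_kh=$(mktemp)
add_known_host "$demo_kh" smallfry "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDEXAMPLE"
echo "recorded: $(known_host_entry "$demo_kh" smallfry)"
# With the entry in place, ssh can be told to refuse anything that does not match it:
echo "ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$demo_kh smallfry"
rm -f "$demo_kh"
```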

 

Deactivating Telnet once SSH is installed

Now you need to switch off Telnet. The Telnet server is not a standalone daemon; it is started on demand by xinetd, the network super-server. Xinetd is installed by default in RedHat 7.3 and newer. The configuration file for each of the network programs it controls is located in the /etc/xinetd.d directory. Edit the file /etc/xinetd.d/telnet and set the disable parameter to "yes".

 

# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = yes
}

 


 

Now restart xinetd.

 

[root@bigboy tmp]# /etc/init.d/xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
[root@bigboy tmp]# 

Using SCP as a more secure replacement for FTP

From a networking perspective, FTP isn't very secure as usernames, passwords and data are sent across the network unencrypted. More secure forms such as SFTP (Secure FTP) and SCP (Secure Copy) are available as a part of the Secure Shell package that is normally installed by default on RedHat. There is a Windows SCP client called WinSCP which can be downloaded at:

 

http://winscp.vse.cz/eng/

Secure Copy (SCP) is installed together with SSH and runs over the SSH connection rather than as a separate daemon, so it is always available on whichever TCP port sshd is listening on. SCP doesn't support anonymous downloads the way FTP does.

 

Copying Files To The Local Linux Box

Command Format:

 

scp username@address:remotefile localdir

 

Examples:

 

o       Copy file /tmp/software.rpm on the remote machine to the local directory /usr/rpm

 

[root@bigboy tmp]# scp root@smallfry:/tmp/software.rpm /usr/rpm

 

o       Copy file /tmp/software.rpm on the remote machine to the local directory /usr/rpm using TCP port 435

 

[root@bigboy tmp]# scp -P 435 root@smallfry:/tmp/software.rpm /usr/rpm

 


 

Copying Files To The Remote Linux Box

Command Format:

 

scp filename username@address:remotedir

 

Examples:

 

o       Copy file /etc/hosts on the local machine to directory /tmp on the remote server.

 

[root@bigboy tmp]# scp /etc/hosts root@192.168.1.103:/tmp

 

o       Copy file /etc/hosts on the local machine to directory /tmp on the remote server using TCP port 435

 

[root@bigboy tmp]# scp -P 435 /etc/hosts root@192.168.1.103:/tmp