The Secure Shell (ssh)
The Secure Shell (ssh) enables users to securely access a remote system over an insecure network. You use the Secure Shell to do the following:
Before the Secure Shell was available, remote connections were, and still can be, handled via rlogin, rsh, and rcp. These commands send everything, passwords included, across the network in clear text and identify the remote host by nothing more than its name or address, so they are open to eavesdropping and spoofing.
With the Secure Shell, you establish secure communication between two hosts on an insecure network. The two hosts are referred to as the client (the host that requests the connection) and the server (the host being connected to). The Secure Shell daemon, sshd, is started at system boot by SMF on every host where the svc:/network/ssh:default service is enabled. The sshd daemon listens for connections and handles the encrypted authentication exchange between the hosts. When authentication is complete, the user can execute commands and copy files remotely.
The ssh on the client side is controlled by the /etc/ssh/ssh_config file and by ssh command line options. The ssh_config file controls which types of authentication the client offers to the server, and in what order; whether the server accepts them is decided on the server side. Optionally, a user can also provide ssh settings in his or her own $HOME/.ssh/config file. A setting there overrides the same setting in /etc/ssh/ssh_config, and a command line option overrides both.
The sshd on the server side is controlled by the /etc/ssh/sshd_config file, which is maintained by the system administrator.
Normally, each user wanting to use SSH with public-key authentication runs the ssh-keygen command once to create the key pair in $HOME/.ssh/identity (protocol 1), $HOME/.ssh/id_dsa, or $HOME/.ssh/id_rsa (protocol 2). The client keeps the private key, which must be readable only by its owner, and the server is given the matching public key, which is all it needs to complete authentication. Public-key authentication is stronger than typical password authentication because the private key never travels over the network: the server only ever sees a signature made with it, and a rogue or compromised server learns nothing it could replay elsewhere. To create a public/private key pair for public-key authentication, follow Step by Step 4.11.
In the following step by step, you'll set up Public Key Authentication so that bcalkins can log in to a remote host using ssh. For this step by step, you'll need two systems. One will be the client, and the other will be the remote host.
Make sure both systems have a user account named bcalkins, a password assigned to the account, and an established home directory named /export/home/bcalkins.
Make sure each account has a .ssh directory in the /export/home/bcalkins home directory, owned by bcalkins and not writable by anyone else (with its default StrictModes setting, sshd refuses to use keys from a .ssh directory or authorized_keys file that other users can write to). If not, you can create the .ssh directory by running the ssh-keygen command described in step 7.
As root, enable host-based authentication on the client by adding the following line to the /etc/ssh/ssh_config file. (Host-based authentication is a separate mechanism from the user public-key authentication this procedure ends with: it lets the server trust the client machine as a whole, based on the client's host key, rather than an individual user's key pair. The public-key login in the later steps does not need it, so you can skip this step and the next one unless you also want host-based logins.)
On the remote host, enable host-based authentication by adding the following line to the /etc/ssh/sshd_config file
Start up sshd on the remote host if it is not currently running by enabling the svc:/network/ssh:default service. If the ssh service is already running, restart it so that sshd rereads the changed /etc/ssh/sshd_config.
On the remote host, ensure that the sshd daemon can access the list of trusted hosts by setting IgnoreRhosts in the /etc/ssh/sshd_config file. This matters only for host-based authentication, and turning IgnoreRhosts off makes sshd honour users' ~/.rhosts and ~/.shosts files too, so leave it at its default of yes on a server that should accept only user public keys. The setting is as follows
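The three server-side settings above are easy to get wrong, so here is a small audit of the kind a reviewer would run over the finished /etc/ssh/sshd_config. This is an added example, not code from the original text or from Solaris. The two configuration texts are constructed for the example: WEAK_CONFIG is what a server looks like after the host-based steps, HARDENED_CONFIG is a public-key-only server. The parser follows two real sshd_config rules, keywords are case-insensitive and the first occurrence of a keyword wins; the decision to stop at a Match line is an assumption made to keep the example to the global section.

```python
"""Audit an sshd_config for the settings the step-by-step touches (added example)."""
import re

WEAK_CONFIG = """\
# constructed: sshd_config after the host-based steps
Protocol 2,1
HostbasedAuthentication yes
IgnoreRhosts no
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed: public-key-only server
Protocol 2
HostbasedAuthentication no
IgnoreRhosts yes
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

_KEYWORD = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")


def parse_sshd_config(text):
    """Return {keyword_lower: effective_value} for the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # only whole-line comments exist
            continue
        m = _KEYWORD.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break          # assumption: audit the global section only, not Match blocks
        settings.setdefault(key, value)     # first occurrence wins, as in sshd
    return settings


# keyword, predicate over the lowercased value, what to report when it holds
RULES = [
    ("protocol", lambda v: "1" in v.split(","),
     "protocol 1 is offered; only rsa1 keys need it"),
    ("ignorerhosts", lambda v: v == "no",
     "IgnoreRhosts no makes sshd honour ~/.rhosts and ~/.shosts"),
    ("hostbasedauthentication", lambda v: v == "yes",
     "host-based authentication is on; user public keys do not need it"),
    ("permitrootlogin", lambda v: v == "yes",
     "root may log in directly"),
    ("passwordauthentication", lambda v: v != "no",
     "passwords are still accepted alongside keys"),
    ("pubkeyauthentication", lambda v: v == "no",
     "public-key authentication is disabled"),
]


def audit_sshd_config(text):
    """Return [(keyword, finding)]. Keywords that are absent are reported as well,
    because the effective value is then sshd's compiled-in default rather than
    something the file documents."""
    settings = parse_sshd_config(text)
    findings = []
    for key, is_weak, message in RULES:
        value = settings.get(key)
        if value is None:
            findings.append((key, "not set explicitly; effective value is sshd's default"))
        elif is_weak(value.lower()):
            findings.append((key, message))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(text) or "no findings")
```

Run it against the real file with audit_sshd_config(open("/etc/ssh/sshd_config").read()); anything reported as "not set explicitly" should be pinned in the file so the next administrator can see what the server accepts without consulting the daemon's defaults.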
On the client, log in as bcalkins and create the client's key pair. To generate the keys on the client, issue the following ssh-keygen command:
Use the -t option to specify the type of key: rsa or dsa for protocol 2, or rsa1 for protocol 1 (rsa1 keys work only with the older protocol 1, so use rsa unless you have a specific reason not to). The system responds with
Generating public/private rsa key pair.
Enter file in which to save the key (//.ssh/id_rsa):
When you press Enter to accept the default location, the system responds with
Created directory '/export/home/bcalkins/.ssh'.
Enter passphrase (empty for no passphrase):
The passphrase is used to encrypt the private key on disk. A good passphrase is 10 to 30 characters long, mixes alphabetic and numeric characters, and avoids simple English prose and English names. Pressing Enter alone means that no passphrase is used; a blank passphrase is strongly discouraged for user accounts, because anyone who obtains a copy of the id_rsa file can then log in as you with nothing further. The passphrase is not displayed when you type it in, as shown here:
Enter same passphrase again:
Enter the passphrase again to confirm it. The system responds with
Your identification has been saved in /export/home/bcalkins/.ssh
Your public key has been saved in /export/home/bcalkins/.ssh
The key fingerprint is:
The key fingerprint is displayed as a colon-separated series of 16 two-digit hexadecimal values, an MD5 hash of the public key. You should check to make sure the path to the key is correct. In this example, the path is /export/home/bcalkins/.ssh/id_rsa.pub. At this point, you have created a public/private key pair. Now copy the public key (id_rsa.pub, never the private id_rsa) to the remote host and append it, as a single line, to the $HOME/.ssh/authorized_keys file in your home directory there. That file must not be writable by anyone but you, or sshd will refuse to use it.
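What ssh-keygen wrote to id_rsa.pub, what the fingerprint is a hash of, and what "append it to authorized_keys" has to get right are easier to see in code. The following is an added example, not code from the original text or from Solaris. DEMO_E and DEMO_N are a constructed, far-too-small modulus used only to exercise the encoding; the blob layout (string "ssh-rsa", then mpint e, then mpint n) is the real OpenSSH format, so a genuine id_rsa.pub line parses the same way. install_authorized_key takes the home directory as a parameter so the whole thing can be tried in a temporary directory, which is what demo() does.

```python
"""Public-key lines, fingerprints and authorized_keys installation (added example)."""
import base64
import hashlib
import os
import struct
import tempfile

DEMO_E = 65537                  # constructed values, not a usable key
DEMO_N = 0xC0FFEE0BADC0DE71     # top bit set, so the mpint needs a 0x00 pad


def _ssh_string(b):
    """RFC 4251 'string': uint32 length prefix + bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n):
    """RFC 4251 'mpint': big-endian two's complement; a leading 0x00 keeps a
    value whose top bit is set positive."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)


def rsa_public_key_line(e, n, comment):
    """Encode (e, n) as the one-line form ssh-keygen writes to id_rsa.pub."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def parse_public_key_line(line):
    """Return (keytype, blob, comment); ValueError on anything malformed, which
    is the check you want before appending a line someone sent you."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, comment = parts[0], parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    tlen = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + tlen] != keytype.encode("ascii"):
        raise ValueError("key type inside the blob does not match the text field")
    return keytype, blob, comment


def rsa_components(blob):
    """Decode e and n back out of an ssh-rsa blob."""
    fields, pos = [], 0
    while pos + 4 <= len(blob):
        flen = struct.unpack(">I", blob[pos:pos + 4])[0]
        fields.append(blob[pos + 4:pos + 4 + flen])
        pos += 4 + flen
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def md5_fingerprint(blob):
    """The 16 colon-separated hex pairs ssh-keygen prints in this version."""
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def sha256_fingerprint(blob):
    """The SHA256:<unpadded base64> form newer OpenSSH prints instead."""
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii")
    return "SHA256:" + digest.rstrip("=")


def install_authorized_key(home, line):
    """Append a validated key to $HOME/.ssh/authorized_keys exactly once and set
    the modes sshd's StrictModes check expects (0700 directory, 0600 file).
    Returns the number of parseable keys in the file afterwards."""
    keytype, blob, comment = parse_public_key_line(line)
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)            # makedirs honours umask; be explicit
    path = os.path.join(ssh_dir, "authorized_keys")
    present = set()
    if os.path.exists(path):
        with open(path) as f:
            for existing in f:
                try:
                    t, b, _ = parse_public_key_line(existing)
                    present.add((t, b))
                except ValueError:
                    continue            # leave lines we cannot parse alone
    if (keytype, blob) not in present:  # same key with another comment is a duplicate
        with open(path, "a") as f:
            f.write(("%s %s %s" % (keytype, parts_b64(blob), comment)).rstrip() + "\n")
        present.add((keytype, blob))
    os.chmod(path, 0o600)
    return len(present)


def parts_b64(blob):
    return base64.b64encode(blob).decode("ascii")


def demo(home=None):
    """Build the constructed key, install it twice, report what to check."""
    home = home or tempfile.mkdtemp(prefix="ssh-demo-")
    line = rsa_public_key_line(DEMO_E, DEMO_N, "bcalkins@client")
    _, blob, _ = parse_public_key_line(line)
    ssh_dir = os.path.join(home, ".ssh")
    return {
        "roundtrip_ok": rsa_components(blob) == (DEMO_E, DEMO_N),
        "md5": md5_fingerprint(blob),
        "sha256": sha256_fingerprint(blob),
        "keys_after_first": install_authorized_key(home, line),
        "keys_after_second": install_authorized_key(home, line),
        "dir_mode": oct(os.stat(ssh_dir).st_mode & 0o777),
        "file_mode": oct(os.stat(os.path.join(ssh_dir, "authorized_keys")).st_mode & 0o777),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The md5 value demo() returns is exactly what ssh-keygen prints as "The key fingerprint is" for that public key, so the same function can be pointed at a real id_rsa.pub line to confirm that the line you pasted into authorized_keys on the server is the one you generated.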
Once the public key has been created on the client and copied to the remote host, you can start using the Secure Shell to log in to the remote system by typing this line, where <hostname> is the name of the remote host that you want to connect to:
The first time you run ssh to a particular host, you're prompted with questions regarding the authenticity of the remote host as follows:
The authenticity of host '192.168.0.252' can't be established.
RSA key fingerprint in md5 is: \
Are you sure you want to continue connecting(yes/no)? yes
This is a normal message for the first connection to a host the client has never seen. Before you answer yes, compare the displayed fingerprint with the server's real host key fingerprint obtained some other way (read from the server's console, for example): at this point the client has no other means of telling the genuine server from a machine sitting between the two hosts, and once the key is saved it is that saved entry that produces a warning if the host key ever changes. If you enter yes, the system responds with
Permanently added '192.168.0.252' (RSA) to the list of known hosts.
Enter passphrase for key '/export/home/bcalkins/.ssh/id_rsa':
When you enter your passphrase, the system logs you in to the remote host:
Last login: Wed Oct 19 20:43:57 2005 from ultra5
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
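The yes/no prompt above is a trust-on-first-use decision, and it helps to see the four outcomes the client can reach side by side. The following is an added example, not code from the original text or from Solaris. The host key blobs and the known_hosts text are constructed stand-ins; the fingerprint is the MD5-of-blob that the prompt prints, and check_host_key takes the fingerprint you obtained out of band (read off the server's console, for instance) so a verified first contact can be compared with an unverified one.

```python
"""The trust-on-first-use decision behind the "authenticity of host" prompt (added example)."""
import base64
import hashlib

# constructed: stand-ins for a server's host key blob and for an impostor's key
SERVER_BLOB = b"\x00\x00\x00\x07ssh-rsa" + b"constructed-host-key-1"
ROGUE_BLOB = b"\x00\x00\x00\x07ssh-rsa" + b"constructed-host-key-2"


def md5_fingerprint(blob):
    """Colon-separated MD5 of the key blob, the form the prompt above prints."""
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def parse_known_hosts(text):
    """{(host, keytype): blob} from plain (unhashed) known_hosts lines. One line
    may name several hosts separated by commas, e.g. 'ultra5,192.168.0.252'."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        hosts, keytype, b64 = line.split()[:3]
        for host in hosts.split(","):
            entries[(host, keytype)] = base64.b64decode(b64)
    return entries


def known_hosts_line(host, keytype, blob):
    """The line ssh appends when it reports 'Permanently added ... to the list of known hosts'."""
    return "%s %s %s" % (host, keytype, base64.b64encode(blob).decode("ascii"))


def check_host_key(known, host, keytype, blob, trusted_fingerprint=None):
    """Decide what the client should do with the key the server just presented.

    match           host known and key unchanged: connect silently
    MISMATCH        host known but a different key: refuse (rekeyed host, or a MITM)
    new-verified    unknown host, fingerprint equals the out-of-band one: record and connect
    new-unverified  unknown host and nothing to compare against: answering yes is a guess
    """
    saved = known.get((host, keytype))
    if saved is not None:
        return "match" if saved == blob else "MISMATCH"
    if trusted_fingerprint and trusted_fingerprint.lower() == md5_fingerprint(blob):
        known[(host, keytype)] = blob      # the 'Permanently added' step
        return "new-verified"
    return "new-unverified"


def demo():
    """Walk one host through first contact, a repeat login, and a changed key."""
    known = parse_known_hosts("# constructed: empty known_hosts\n")
    host, keytype = "192.168.0.252", "ssh-rsa"
    out = {}
    out["first_no_oob"] = check_host_key(known, host, keytype, SERVER_BLOB)
    console_fp = md5_fingerprint(SERVER_BLOB)   # what ssh-keygen -l shows on the server itself
    out["first_with_oob"] = check_host_key(known, host, keytype, SERVER_BLOB, console_fp)
    out["second"] = check_host_key(known, host, keytype, SERVER_BLOB)
    out["changed"] = check_host_key(known, host, keytype, ROGUE_BLOB)
    out["saved_line"] = known_hosts_line(host, keytype, SERVER_BLOB)
    out["reparsed_matches"] = parse_known_hosts(out["saved_line"])[(host, keytype)] == SERVER_BLOB
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The "changed" outcome is the one to take seriously in practice: a host that has legitimately been reinstalled will produce it, but so will a machine impersonating the server, and the client cannot tell the two apart without again checking the fingerprint out of band.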
To copy files by using the Secure Shell, you start the secure copy program by typing the scp command, using the following syntax:
scp <sourcefile> <username>@<hostname>:<destinationdir>
Table 4.26 describes the arguments to the scp command.
Table 4.26. scp Command Arguments
<sourcefile>       The name of the local file that you want to copy
<username>         The username on the remote host to which you want to connect
<hostname>         The name of the remote system to which the file will be copied
<destinationdir>   The name of the directory on the remote host to which you will copy the file
Type the passphrase of your key when prompted. The system responds by displaying the following:
The percentage of the file transferred as it is being copied
The quantity of data transferred as it is being transferred
The estimated time remaining until the entire file has been copied to the remote directory
This example copies the file named file1 to the home directory of bcalkins on the remote host:
scp file1 bcalkins@<hostname>:~
After you enter your key's passphrase (or the account password, if no key is installed for bcalkins on the remote host), scp copies the file and displays its progress:
file1 100% |*************************************| 12540 0:00
For more information on using the Secure Shell, refer to the ssh and sshd man pages.