SSH, The Secure Shell: The Definitive Guide, 2nd Edition

Book description

Are you serious about network security? Then check out SSH, the Secure Shell, which provides key-based authentication and transparent encryption for your network connections. It's reliable, robust, and reasonably easy to use, and both free and commercial implementations are widely available for most operating systems. While it doesn't solve every privacy and security problem, SSH eliminates several of them very effectively.Everything you want to know about SSH is in our second edition of SSH, The Secure Shell: The Definitive Guide. This updated book thoroughly covers the latest SSH-2 protocol for system administrators and end users interested in using this increasingly popular TCP/IP-based solution.How does it work? Whenever data is sent to the network, SSH automatically encrypts it. When data reaches its intended recipient, SSH decrypts it. The result is "transparent" encryption-users can work normally, unaware that their communications are already encrypted. SSH supports secure file transfer between computers, secure remote logins, and a unique "tunneling" capability that adds encryption to otherwise insecure network applications. With SSH, users can freely navigate the Internet, and system administrators can secure their networks or perform remote administration.Written for a wide, technical audience, SSH, The Secure Shell: The Definitive Guide covers several implementations of SSH for different operating systems and computing environments. Whether you're an individual running Linux machines at home, a corporate network administrator with thousands of users, or a PC/Mac owner who just wants a secure way to telnet or transfer files between machines, our indispensable guide has you covered. It starts with simple installation and use of SSH, and works its way to in-depth case studies on large, sensitive computer networks.No matter where or how you're shipping information, SSH, The Secure Shell: The Definitive Guide will show you how to do it securely.

Publisher resources

View/Submit Errata

Table of contents

  1. SSH, the Secure Shell, 2nd Edition
  2. Preface
    1. Protect Your Network with SSH
    2. Intended Audience
      1. End-User Audience
        1. Prerequisites
      2. System-Administrator Audience
        1. Prerequisites
    3. Reading This Book
    4. Our Approach
    5. Which Chapters Are for You?
    6. Supported Platforms
    7. Disclaimers
    8. Conventions Used in This Book
    9. Comments and Questions
    10. Safari Enabled
    11. Acknowledgments
  3. 1. Introduction to SSH
    1. What Is SSH?
    2. What SSH Is Not
    3. The SSH Protocol
      1. 1.3.1 Protocols, Products, Clients, and Confusion
    4. Overview of SSH Features
      1. 1.4.1 Secure Remote Logins
      2. 1.4.2 Secure File Transfer
      3. 1.4.3 Secure Remote Command Execution
      4. 1.4.4 Keys and Agents
      5. 1.4.5 Access Control
      6. 1.4.6 Port Forwarding
    5. History of SSH
    6. Related Technologies
      1. 1.6.1 rsh Suite (r-Commands)
      2. 1.6.2 Pretty Good Privacy (PGP) and GNU Privacy Guard (GnuPG)
      3. 1.6.3 Kerberos
      4. 1.6.4 IPSEC and Virtual Private Networks
      5. 1.6.5 Secure Remote Password (SRP)
      6. 1.6.6 Secure Socket Layer (SSL) Protocol
      7. 1.6.7 SSL-Enhanced Telnet and FTP
      8. 1.6.8 stunnel
      9. 1.6.9 Firewalls
    7. Summary
  4. 2. Basic Client Use
    1. A Running Example
    2. Remote Terminal Sessions with ssh
      1. 2.2.1 File Transfer with scp
    3. Adding Complexity to the Example
      1. 2.3.1 Known Hosts
      2. 2.3.2 The Escape Character
    4. Authentication by Cryptographic Key
      1. 2.4.1 A Brief Introduction to Keys
      2. 2.4.2 Generating Key Pairs with ssh-keygen
      3. 2.4.3 Installing a Public Key on an SSH Server Machine
        1. 2.4.3.1 Instructions for OpenSSH
        2. 2.4.3.2 Instructions for Tectia
      4. 2.4.4 If You Change Your Key
    5. The SSH Agent
      1. 2.5.1 Agents and Automation
      2. 2.5.2 A More Complex Passphrase Problem
      3. 2.5.3 Agent Forwarding
    6. Connecting Without a Password or Passphrase
    7. Miscellaneous Clients
      1. 2.7.1 sftp
      2. 2.7.2 slogin
    8. Summary
  5. 3. Inside SSH
    1. Overview of Features
      1. 3.1.1 Privacy (Encryption)
      2. 3.1.2 Integrity
      3. 3.1.3 Authentication
      4. 3.1.4 Authorization
      5. 3.1.5 Forwarding (Tunneling)
    2. A Cryptography Primer
      1. 3.2.1 How Secure Is Secure?
      2. 3.2.2 Public-and Secret-Key Cryptography
      3. 3.2.3 Hash Functions
    3. The Architecture of an SSH System
    4. Inside SSH-2
      1. 3.4.1 Protocol Summary
      2. 3.4.2 SSH Transport Layer Protocol (SSH-TRANS)
        1. 3.4.2.1 Connection
        2. 3.4.2.2 Protocol version selection
        3. 3.4.2.3 Parameter negotiation
        4. 3.4.2.4 Key exchange and server authentication
        5. 3.4.2.5 Server authentication and antispoofing: some gory details
        6. 3.4.2.6 Wonder security powers, activate!
      3. 3.4.3 SSH Authentication Protocol (SSH-AUTH)
        1. 3.4.3.1 The authentication request
        2. 3.4.3.2 The authentication response
        3. 3.4.3.3 Getting started: the “none” request
        4. 3.4.3.4 Public-key authentication
        5. 3.4.3.5 Password authentication
        6. 3.4.3.6 Hostbased authentication
      4. 3.4.4 SSH Connection Protocol (SSH-CONN)
        1. 3.4.4.1 Channels
        2. 3.4.4.2 Requests
        3. 3.4.4.3 The finish line
    5. Inside SSH-1
    6. Implementation Issues
      1. 3.6.1 Host Keys
      2. 3.6.2 Authorization in Hostbased Authentication
        1. 3.6.2.1 Hostbased access files
        2. 3.6.2.2 Control file details
        3. 3.6.2.3 Netgroups as wildcards
        4. 3.6.2.4 Summary
      3. 3.6.3 SSH-1 Backward Compatibility
      4. 3.6.4 Randomness
      5. 3.6.5 Privilege Separation in OpenSSH
    7. SSH and File Transfers (scp and sftp)
      1. 3.7.1 What’s in a Name?
      2. 3.7.2 scp Details
      3. 3.7.3 scp2/sftp Details
    8. Algorithms Used by SSH
      1. 3.8.1 Public-Key Algorithms
        1. 3.8.1.1 Rivest-Shamir-Adleman (RSA)
        2. 3.8.1.2 Digital Signature Algorithm (DSA)
        3. 3.8.1.3 Diffie-Hellman key agreement
      2. 3.8.2 Secret-Key Algorithms
        1. 3.8.2.1 International Data Encryption Algorithm (IDEA)
        2. 3.8.2.2 Advanced Encryption Standard (AES)
        3. 3.8.2.3 Data Encryption Standard (DES)
        4. 3.8.2.4 Triple-DES
        5. 3.8.2.5 ARCFOUR (RC4)
        6. 3.8.2.6 Blowfish
        7. 3.8.2.7 Twofish
        8. 3.8.2.8 CAST
      3. 3.8.3 Hash Functions
        1. 3.8.3.1 CRC-32
        2. 3.8.3.2 MD5
        3. 3.8.3.3 SHA-1
        4. 3.8.3.4 RIPEMD-160
      4. 3.8.4 Compression Algorithms: zlib
    9. Threats SSH Can Counter
      1. 3.9.1 Eavesdropping
      2. 3.9.2 Name Service and IP Spoofing
      3. 3.9.3 Connection Hijacking
      4. 3.9.4 Man-in-the-Middle Attacks
    10. Threats SSH Doesn’t Prevent
      1. 3.10.1 Password Cracking
      2. 3.10.2 IP and TCP Attacks
      3. 3.10.3 Traffic Analysis
      4. 3.10.4 Covert Channels
      5. 3.10.5 Carelessness
    11. Threats Caused by SSH
    12. Summary
  6. 4. Installation and Compile-Time Configuration
    1. Overview
      1. 4.1.1 Install the Prerequisites
      2. 4.1.2 Obtain the Sources
      3. 4.1.3 Verify the Signature
      4. 4.1.4 Extract the Source Files
      5. 4.1.5 Perform Compile-Time Configuration
      6. 4.1.6 Compile Everything
      7. 4.1.7 Install the Programs and Configuration Files
    2. Installing OpenSSH
      1. 4.2.1 Prerequisites
      2. 4.2.2 Downloading and Extracting the Files
        1. 4.2.2.1 Verifying with GnuPG
      3. 4.2.3 Building and Installing
      4. 4.2.4 Configuration Options
        1. 4.2.4.1 File locations
        2. 4.2.4.2 Random number generation
        3. 4.2.4.3 Networking
        4. 4.2.4.4 Authentication
        5. 4.2.4.5 Access control
    3. Installing Tectia
      1. 4.3.1 Prerequisites
      2. 4.3.2 Obtaining and Extracting the Files
      3. 4.3.3 Verifying with md5sum
      4. 4.3.4 Building and Installing
      5. 4.3.5 Configuration Options
        1. 4.3.5.1 File locations and permission
        2. 4.3.5.2 Random number generation
        3. 4.3.5.3 Networking
        4. 4.3.5.4 X Window System
        5. 4.3.5.5 TCP port forwarding
        6. 4.3.5.6 Encryption
        7. 4.3.5.7 Authentication
        8. 4.3.5.8 SOCKS proxies
        9. 4.3.5.9 Debugging
        10. 4.3.5.10 SSH-1 protocol compatibility
      6. 4.3.6 SSH-1 Compatibility Support for Tectia
    4. Software Inventory
    5. Replacing r-Commands with SSH
      1. 4.5.1 Concurrent Versions System (CVS)
      2. 4.5.2 GNU Emacs
      3. 4.5.3 Pine
      4. 4.5.4 rsync, rdist
    6. Summary
  7. 5. Serverwide Configuration
    1. Running the Server
      1. 5.1.1 Running sshd as the Superuser
      2. 5.1.2 Running sshd as an Ordinary User
    2. Server Configuration: An Overview
      1. 5.2.1 Server Configuration Files
      2. 5.2.2 Checking Configuration Files
        1. 5.2.2.1 Checking OpenSSH configuration files
        2. 5.2.2.2 Checking Tectia configuration files
      3. 5.2.3 Command-Line Options
      4. 5.2.4 Changing the Configuration
      5. 5.2.5 A Tricky Reconfiguration Example
    3. Getting Ready: Initial Setup
      1. 5.3.1 File Locations
        1. 5.3.1.1 Host key files
        2. 5.3.1.2 Random seed file
        3. 5.3.1.3 Process ID file
        4. 5.3.1.4 Server configuration file
        5. 5.3.1.5 User SSH directory
        6. 5.3.1.6 Per-account authorization files
        7. 5.3.1.7 utmp file structure
      2. 5.3.2 File Permissions
        1. 5.3.2.1 Acceptable permissions for user files
      3. 5.3.3 TCP/IP Settings
        1. 5.3.3.1 Port number and network interface
        2. 5.3.3.2 Invocation by inetd or xinetd
        3. 5.3.3.3 Restarting the SSH server for each connection
        4. 5.3.3.4 Keepalive messages
        5. 5.3.3.5 Idle connections
        6. 5.3.3.6 Failed logins
        7. 5.3.3.7 Limiting simultaneous connections
        8. 5.3.3.8 Reverse IP mappings
        9. 5.3.3.9 Controlling the Nagle Algorithm
        10. 5.3.3.10 Discovering other servers
      4. 5.3.4 Key Regeneration
      5. 5.3.5 Encryption Algorithms
      6. 5.3.6 Integrity-Checking (MAC) Algorithms
      7. 5.3.7 SSH Protocol Settings
        1. 5.3.7.1 Protocol version string
      8. 5.3.8 Compression
    4. Authentication: Verifying Identities
      1. 5.4.1 Authentication Syntax
      2. 5.4.2 Password Authentication
        1. 5.4.2.1 Failed password attempts
        2. 5.4.2.2 Empty passwords
        3. 5.4.2.3 Expired passwords
      3. 5.4.3 Public-Key Authentication
      4. 5.4.4 Hostbased Authentication
      5. 5.4.5 Keyboard-Interactive Authentication
        1. 5.4.5.1 OpenSSH keyboard-interactive authentication
        2. 5.4.5.2 Tectia’s keyboard-interactive authentication
      6. 5.4.6 PGP Authentication
      7. 5.4.7 Kerberos Authentication
        1. 5.4.7.1 Kerberos and OpenSSH
        2. 5.4.7.2 Kerberos and Tectia
      8. 5.4.8 PAM Authentication
      9. 5.4.9 Privilege Separation
      10. 5.4.10 Selecting a Login Program
    5. Access Control: Letting People In
      1. 5.5.1 Account Access Control
        1. 5.5.1.1 Restricting all logins
      2. 5.5.2 Group Access Control
      3. 5.5.3 Hostname Access Control
      4. 5.5.4 shosts Access Control
      5. 5.5.5 Root Access Control
      6. 5.5.6 External Access Control
      7. 5.5.7 Restricting Directory Access with chroot
      8. 5.5.8 Summary of Authentication and Access Control
    6. User Logins and Accounts
      1. 5.6.1 Welcome Messages for the User
      2. 5.6.2 Setting Environment Variables
      3. 5.6.3 Initialization Scripts
    7. Forwarding
      1. 5.7.1 Port Forwarding
      2. 5.7.2 X Forwarding
      3. 5.7.3 Agent Forwarding
    8. Subsystems
    9. Logging and Debugging
      1. 5.9.1 OpenSSH Logging and Debugging
      2. 5.9.2 Tectia Logging and Debugging
      3. 5.9.3 Debugging Under inetd or xinetd
    10. Compatibility Between SSH-1 and SSH-2 Servers
      1. 5.10.1 Security Issues with Tectia’s SSH-1 Compatibility Mode
    11. Summary
  8. 6. Key Management and Agents
    1. What Is an Identity?
      1. 6.1.1 OpenSSH Identities
      2. 6.1.2 Tectia Identities
    2. Creating an Identity
      1. 6.2.1 Generating Keys for OpenSSH
        1. 6.2.1.1 Creating OpenSSH keys
        2. 6.2.1.2 Working with OpenSSH keys
      2. 6.2.2 Generating Keys for Tectia
        1. 6.2.2.1 Creating Tectia keys
        2. 6.2.2.2 Working with Tectia keys
      3. 6.2.3 Selecting a Passphrase
      4. 6.2.4 Generating New Groups for Diffie-Hellman Key Exchange
    3. SSH Agents
      1. 6.3.1 Agents Do Not Expose Keys
      2. 6.3.2 Starting an Agent
        1. 6.3.2.1 Single-shell method
        2. 6.3.2.2 Subshell method
        3. 6.3.2.3 Format of environment variable commands
      3. 6.3.3 Loading Keys with ssh-add
        1. 6.3.3.1 Automatic agent loading (single-shell method)
        2. 6.3.3.2 Automatic agent loading (subshell method)
        3. 6.3.3.3 Automatic agent loading (X Window System)
      4. 6.3.4 Agents and Security
        1. 6.3.4.1 Access control
        2. 6.3.4.2 Cracking an agent
      5. 6.3.5 Agent Forwarding
        1. 6.3.5.1 A firewall example
        2. 6.3.5.2 How agent forwarding works
        3. 6.3.5.3 Enabling agent forwarding
      6. 6.3.6 Agent CPU Usage
      7. 6.3.7 Debugging the Agent
    4. Multiple Identities
      1. 6.4.1 Switching Identities Manually
      2. 6.4.2 Switching Identities with an Agent
      3. 6.4.3 Tailoring Sessions Based on Identity
    5. PGP Authentication in Tectia
    6. Tectia External Keys
    7. Summary
  9. 7. Advanced Client Use
    1. How to Configure Clients
      1. 7.1.1 Command-Line Options
      2. 7.1.2 Client Configuration Files
        1. 7.1.2.1 Keywords versus command-line options
        2. 7.1.2.2 Global and local files
        3. 7.1.2.3 Configuration-file sections
        4. 7.1.2.4 Multiple matches
        5. 7.1.2.5 Making nicknames for hosts
        6. 7.1.2.6 Comments, indenting, and style
      3. 7.1.3 Environment Variables
    2. Precedence
    3. Introduction to Verbose Mode
    4. Client Configuration in Depth
      1. 7.4.1 Remote Account Name
        1. 7.4.1.1 Tricks with remote account names
      2. 7.4.2 User Identity
        1. 7.4.2.1 Using identities
      3. 7.4.3 Host Keys and Known-Hosts Databases
        1. 7.4.3.1 Strict host-key checking
        2. 7.4.3.2 Verifying host keys by DNS
        3. 7.4.3.3 Host key aliasing
        4. 7.4.3.4 Ignoring host keys for localhost
        5. 7.4.3.5 Moving the known hosts files
      4. 7.4.4 SSH Protocol Settings
        1. 7.4.4.1 Choosing a protocol version
        2. 7.4.4.2 Connection sharing
        3. 7.4.4.3 Setting environment variables in the server
      5. 7.4.5 TCP/IP Settings
        1. 7.4.5.1 Selecting a remote port
        2. 7.4.5.2 Connecting via a given network interface
        3. 7.4.5.3 Forcing a nonprivileged local port
        4. 7.4.5.4 Keepalive messages
        5. 7.4.5.5 Controlling TCP_NODELAY
        6. 7.4.5.6 Requiring IPv4 and IPv6
      6. 7.4.6 Making Connections
        1. 7.4.6.1 Number of connection attempts
        2. 7.4.6.2 Password prompting in OpenSSH
        3. 7.4.6.3 Password prompting in Tectia
        4. 7.4.6.4 Batch mode: suppressing prompts
        5. 7.4.6.5 Pseudo-terminal allocation (TTY/PTY/PTTY)
        6. 7.4.6.6 Backgrounding a remote command
        7. 7.4.6.7 Backgrounding a remote command, take two
        8. 7.4.6.8 Escaping
      7. 7.4.7 Proxies and SOCKS
        1. 7.4.7.1 SOCKS in OpenSSH: using DynamicForward
        2. 7.4.7.2 SOCKS in Tectia
      8. 7.4.8 Forwarding
      9. 7.4.9 Encryption Algorithms
      10. 7.4.10 Integrity-Checking (MAC) Algorithms
      11. 7.4.11 Host Key Types
      12. 7.4.12 Session Rekeying
      13. 7.4.13 Authentication
        1. 7.4.13.1 Requesting an authentication technique
        2. 7.4.13.2 The server is the boss
        3. 7.4.13.3 Detecting successful authentication
        4. 7.4.13.4 Using ssh-keysign for hostbased authentication
      14. 7.4.14 Data Compression
      15. 7.4.15 Program Locations
      16. 7.4.16 Subsystems
      17. 7.4.17 Logging and Debugging
      18. 7.4.18 Random Seeds
    5. Secure Copy with scp
      1. 7.5.1 Full Syntax of scp
      2. 7.5.2 Handling of Wildcards
      3. 7.5.3 Recursive Copy of Directories
      4. 7.5.4 Preserving Permissions
      5. 7.5.5 Automatic Removal of Original File
      6. 7.5.6 Safety Features
        1. 7.5.6.1 Directory confirmation
        2. 7.5.6.2 No-execute mode
        3. 7.5.6.3 Overwriting existing files
      7. 7.5.7 Batch Mode
      8. 7.5.8 User Identity
      9. 7.5.9 SSH Protocol Settings
      10. 7.5.10 TCP/IP Settings
      11. 7.5.11 Encryption Algorithms
      12. 7.5.12 Controlling Bandwidth
      13. 7.5.13 Data Compression
      14. 7.5.14 File Conversion
      15. 7.5.15 Optimizations
      16. 7.5.16 Statistics Display
      17. 7.5.17 Locating the ssh Executable
      18. 7.5.18 Getting Help
      19. 7.5.19 For Internal Use Only
      20. 7.5.20 Further Configuration
    6. Secure, Interactive Copy with sftp
      1. 7.6.1 Interactive Commands
      2. 7.6.2 Command-Line Options
    7. Summary
  10. 8. Per-Account Server Configuration
    1. Limits of This Technique
      1. 8.1.1 Overriding Serverwide Settings
      2. 8.1.2 Authentication Issues
    2. Public-Key-Based Configuration
      1. 8.2.1 OpenSSH Authorization Files
      2. 8.2.2 Tectia Authorization Files
        1. 8.2.2.1 Tectia PGP key authentication
      3. 8.2.3 Forced Commands
        1. 8.2.3.1 Security issues
        2. 8.2.3.2 Rejecting connections with a custom message
        3. 8.2.3.3 Displaying a command menu
        4. 8.2.3.4 Examining the client’s original command
        5. 8.2.3.5 Restricting a client’s original command
        6. 8.2.3.6 Logging a client’s original command
        7. 8.2.3.7 Forced commands and secure copy (scp)
      4. 8.2.4 Restricting Access by Host or Domain
        1. 8.2.4.1 OpenSSH host access control
        2. 8.2.4.2 Tectia host access control
      5. 8.2.5 Setting Environment Variables
        1. 8.2.5.1 Example: CVS and $LOGNAME
      6. 8.2.6 Setting Idle Timeout
      7. 8.2.7 Disabling or Limiting Forwarding
      8. 8.2.8 Disabling TTY Allocation
    3. Hostbased Access Control
    4. The User rc File
    5. Summary
  11. 9. Port Forwarding and X Forwarding
    1. What Is Forwarding?
    2. Port Forwarding
      1. 9.2.1 Local Forwarding
        1. 9.2.1.1 Local forwarding and GatewayPorts
        2. 9.2.1.2 Remote forwarding
      2. 9.2.2 Trouble with Multiple Connections
      3. 9.2.3 Comparing Local and Remote Port Forwarding
        1. 9.2.3.1 Common elements
        2. 9.2.3.2 Local versus remote forwarding: the distinction
      4. 9.2.4 Forwarding Off-Host
        1. 9.2.4.1 Privacy
        2. 9.2.4.2 Access control and the loopback address
        3. 9.2.4.3 Listening on (“binding”) an interface
      5. 9.2.5 Bypassing a Firewall
      6. 9.2.6 Port Forwarding Without a Remote Login
        1. 9.2.6.1 One-shot forwarding
      7. 9.2.7 The Listening Port Number
      8. 9.2.8 Choosing the Target Forwarding Address
      9. 9.2.9 Termination
        1. 9.2.9.1 The TIME_WAIT problem
      10. 9.2.10 Configuring Port Forwarding in the Server
        1. 9.2.10.1 Compile-time configuration
        2. 9.2.10.2 Serverwide configuration
        3. 9.2.10.3 Per-account configuration
      11. 9.2.11 Protocol-Specific Forwarding: FTP
    3. Dynamic Port Forwarding
      1. 9.3.1. SOCKS v4, SOCKS v5, and Names
      2. 9.3.2 Other Uses of Dynamic Forwarding
    4. X Forwarding
      1. 9.4.1 The X Window System
      2. 9.4.2 How X Forwarding Works
      3. 9.4.3 Enabling X Forwarding
      4. 9.4.4 Configuring X Forwarding
        1. 9.4.4.1 Compile-time configuration
        2. 9.4.4.2 Serverwide configuration
        3. 9.4.4.3 Per-account configuration
      5. 9.4.5 X Authentication
        1. 9.4.5.1 How X authentication works
        2. 9.4.5.2 xauth and the SSH rc files
        3. 9.4.5.3 Trusted X forwarding
        4. 9.4.5.4 Problems with X authentication
        5. 9.4.5.5 SSH and authentication spoofing
        6. 9.4.5.6 Improving authentication spoofing
        7. 9.4.5.7 Nonstandard X clients
      6. 9.4.6 Further Issues
        1. 9.4.6.1 X server configuration
        2. 9.4.6.2 Setting your DISPLAY environment variable
        3. 9.4.6.3 Shared accounts
        4. 9.4.6.4 Location of the xauth program
        5. 9.4.6.5 X forwarding and the GatewayPorts feature
    5. Forwarding Security: TCP-Wrappers and libwrap
      1. 9.5.1 TCP-Wrappers Configuration
      2. 9.5.2 Notes About TCP-Wrappers
    6. Summary
  12. 10. A Recommended Setup
    1. The Basics
    2. Compile-Time Configuration
    3. Serverwide Configuration
      1. 10.3.1 Disable Other Means of Access
      2. 10.3.2 sshd_config for OpenSSH
        1. 10.3.2.1 Choice of protocol
        2. 10.3.2.2 Important files
        3. 10.3.2.3 File and directory permissions
        4. 10.3.2.4 TCP/IP settings
        5. 10.3.2.5 Login time
        6. 10.3.2.6 Authentication
        7. 10.3.2.7 Access control
        8. 10.3.2.8 Forwarding
        9. 10.3.2.9 SFTP
      3. 10.3.3 sshd2_config for Tectia
        1. 10.3.3.1 Choice of protocol
        2. 10.3.3.2 Important files
        3. 10.3.3.3 File and directory permissions
        4. 10.3.3.4 TCP/IP settings
        5. 10.3.3.5 Login time
        6. 10.3.3.6 Authentication
        7. 10.3.3.7 Access control
        8. 10.3.3.8 Forwarding
        9. 10.3.3.9 Encryption
        10. 10.3.3.10 SFTP
    4. Per-Account Configuration
    5. Key Management
    6. Client Configuration
    7. Remote Home Directories (NFS, AFS)
      1. 10.7.1 NFS Security Risks
      2. 10.7.2 NFS Access Problems
      3. 10.7.3 AFS Access Problems
    8. Summary
  13. 11. Case Studies
    1. Unattended SSH: Batch or cron Jobs
      1. 11.1.1 Password Authentication
      2. 11.1.2 Public-Key Authentication
        1. 11.1.2.1 Storing the passphrase in the filesystem
        2. 11.1.2.2 Using a plaintext key
        3. 11.1.2.3 Using an agent
      3. 11.1.3 Hostbased Authentication
      4. 11.1.4 Kerberos
      5. 11.1.5 General Precautions for Batch Jobs
        1. 11.1.5.1 Least-privilege accounts
        2. 11.1.5.2 Separate, locked-down automation accounts
        3. 11.1.5.3 Restricted-use keys
        4. 11.1.5.4 Useful ssh options
      6. 11.1.6 Recommendations
    2. FTP and SSH
      1. 11.2.1 FTP-Specific Tools for SSH
        1. 11.2.1.1 VanDyke’s SecureFX
        2. 11.2.1.2 Tectia client
      2. 11.2.2 Static Port Forwarding and FTP: A Study in Pain
      3. 11.2.3 The FTP Protocol
      4. 11.2.4 Forwarding the Control Connection
        1. 11.2.4.1 Choosing the forwarding target
        2. 11.2.4.2 Using passive mode
        3. 11.2.4.3 The “PASV port theft” problem
      5. 11.2.5 FTP, Firewalls, and Passive Mode
      6. 11.2.6 FTP and Network Address Translation (NAT)
        1. 11.2.6.1 Server-side NAT issues
      7. 11.2.7 All About Data Connections
        1. 11.2.7.1 The usual method of file transfer
        2. 11.2.7.2 Passive mode in depth
        3. 11.2.7.3 FTP with the default data ports
      8. 11.2.8 Forwarding the Data Connection
    3. Pine, IMAP, and SSH
      1. 11.3.1 Securing IMAP Authentication
        1. 11.3.1.1 Pine and preauthenticated IMAP
        2. 11.3.1.2 Making Pine use SSH
      2. 11.3.2 Mail Relaying and News Access
      3. 11.3.3 Using a Connection Script
    4. Connecting Through a Gateway Host
      1. 11.4.1 Making Transparent SSH Connections
      2. 11.4.2 Using SCP Through a Gateway
      3. 11.4.3 Another Approach: SSH-in-SSH (Port Forwarding)
      4. 11.4.4 SSH-in-SSH with a Proxy Command (OpenSSH)
      5. 11.4.5 Comparing the Techniques
        1. 11.4.5.1 Smoothness
        2. 11.4.5.2 Security
    5. Scalable Authentication for SSH
      1. 11.5.1 Tectia with X.509 Certificates
        1. 11.5.1.1 What’s a PKI?
        2. 11.5.1.2 Using certificates with Tectia host keys
        3. 11.5.1.3 A simple configuration
        4. 11.5.1.4 Getting a certificate
        5. 11.5.1.5 Hostkey verification: configuring the server
        6. 11.5.1.6 Hostkey verification: configuring the Client
        7. 11.5.1.7 User authentication: configuring the client
        8. 11.5.1.8 User authentication: configuring the server
      2. 11.5.2 OpenSSH and Tectia with Kerberos
        1. 11.5.2.1 How Kerberos works
        2. 11.5.2.2 Kerberos support in SSH
        3. 11.5.2.3 Kerberos interoperability with OpenSSH and Tectia
    6. Tectia Extensions to Server Configuration Files
      1. 11.6.1 Metaconfiguration
      2. 11.6.2 Subconfiguration Files
      3. 11.6.3 Quoted Values
    7. Tectia Plugins
      1. 11.7.1 A Plugin for Changing Expired Passwords
        1. 11.7.1.1 The ssh-passwd-plugin program
        2. 11.7.1.2 A Perl package implementing the Tectia plugin protocol
        3. 11.7.1.3 Creating a customized password-change plugin
      2. 11.7.2 A Plugin for Keyboard-Interactive Authentication
      3. 11.7.3 A Plugin for External Authorization
  14. 12. Troubleshooting and FAQ
    1. Debug Messages: Your First Line of Defense
      1. 12.1.1 Client Debugging
      2. 12.1.2 Server Debugging
        1. The Top 10 SSH Questions
    2. Problems and Solutions
      1. 12.2.1 General Problems
      2. 12.2.2 Authentication Problems
        1. 12.2.2.1 General authentication problems
        2. 12.2.2.2 Password authentication
        3. 12.2.2.3 Hostbased authentication
        4. 12.2.2.4 Public-key authentication
        5. 12.2.2.5 PGP key authentication
      3. 12.2.3 Key and Agent Problems
        1. 12.2.3.1 ssh-keygen
        2. 12.2.3.2 ssh-agent and ssh-add
        3. 12.2.3.3 Per-account authorization files
      4. 12.2.4 Server Problems
        1. 12.2.4.1 sshd_config, sshd2_config
      5. 12.2.5 Client Problems
        1. 12.2.5.1 General client problems
        2. 12.2.5.2 Client configuration file
        3. 12.2.5.3 ssh
        4. 12.2.5.4 scp
        5. 12.2.5.5 sftp
        6. 12.2.5.6 Port forwarding
    3. Other SSH Resources
      1. 12.3.1 Web Sites
      2. 12.3.2 Usenet Newsgroups
  15. 13. Overview of Other Implementations
    1. Common Features
    2. Covered Products
    3. Other SSH Products
      1. 13.3.1 BeOS
      2. 13.3.2 Commodore Amiga
      3. 13.3.3 GNU Emacs
      4. 13.3.4 Java
      5. 13.3.5 Macintosh OS 9
      6. 13.3.6 Macintosh OS X
      7. 13.3.7 Microsoft Windows
      8. 13.3.8 Microsoft Windows CE (PocketPC)
      9. 13.3.9 OS/2
      10. 13.3.10 Palm OS
      11. 13.3.11 Perl
      12. 13.3.12 Unix Variants (Linux, OpenBSD, etc.)
      13. 13.3.13 VMS
  16. 14. OpenSSH for Windows
    1. Installation
    2. Using the SSH Clients
    3. Setting Up the SSH Server
      1. 14.3.1 Opening Remote Windows on the Desktop
    4. Public-Key Authentication
      1. 14.4.1 Running an Agent
    5. Troubleshooting
    6. Summary
  17. 15. OpenSSH for Macintosh
    1. Using the SSH Clients
    2. Using the OpenSSH Server
      1. 15.2.1 Enabling the Server
      2. 15.2.2 Opening the Firewall
      3. 15.2.3 Control by xinetd
      4. 15.2.4 Server Configuration Details
      5. 15.2.5 Kerberos Support
  18. 16. Tectia for Windows
    1. Obtaining and Installing
    2. Basic Client Use
    3. Key Management
    4. Accession Lite
    5. Advanced Client Use
    6. Port Forwarding
    7. Connector
      1. 16.7.1 General Settings
      2. 16.7.2 Servers for Outgoing SSH Connections
      3. 16.7.3 Filter Rules for Dynamic Port Forwarding
      4. 16.7.4 Configuration File
    8. File Transfers
    9. Command-Line Programs
    10. Troubleshooting
    11. Server
      1. 16.11.1 Server Operation
      2. 16.11.2 Server Configuration
      3. 16.11.3 Commands and Interactive Sessions
      4. 16.11.4 Authentication
      5. 16.11.5 Access Control
      6. 16.11.6 Forwarding
      7. 16.11.7 SFTP Server
      8. 16.11.8 Logging and Debugging
  19. 17. SecureCRT and SecureFX for Windows
    1. Obtaining and Installing
    2. Basic Client Use
    3. Key Management
      1. 17.3.1 Key Generation Wizard
        1. 17.3.1.1 Automatic installation of keys
        2. 17.3.1.2 Manual installation of keys
      2. 17.3.2 Using Multiple Identities
      3. 17.3.3 The SSH Agent
    4. Advanced Client Use
      1. 17.4.1 Mandatory Fields
      2. 17.4.2 Data Compression
      3. 17.4.3 Firewall Use
    5. Forwarding
      1. 17.5.1 Port Forwarding
      2. 17.5.2 X Forwarding
    6. Command-Line Client Programs
    7. File Transfer
      1. 17.7.1 The vcp and vsftp Commands
      2. 17.7.2 Zmodem File Transfer
      3. 17.7.3 SecureFX
    8. Troubleshooting
      1. 17.8.1 Authentication
      2. 17.8.2 Forwarding
    9. VShell
    10. Summary
  20. 18. PuTTY for Windows
    1. Obtaining and Installing
    2. Basic Client Use
      1. 18.2.1 Plink, a Console Client
      2. 18.2.2 Running Remote Commands
    3. File Transfer
      1. 18.3.1 File Transfer with PSCP
      2. 18.3.2 File Transfer with PSFTP
    4. Key Management
      1. 18.4.1 Choosing a Key
      2. 18.4.2 Pageant, an SSH Agent
    5. Advanced Client Use
      1. 18.5.1 Saved Sessions
      2. 18.5.2 Host Keys
      3. 18.5.3 Choosing a Protocol Version
      4. 18.5.4 TCP/IP Settings
        1. 18.5.4.1 Selecting a remote port
        2. 18.5.4.2 Keepalive messages
        3. 18.5.4.3 The Nagle Algorithm
      5. 18.5.5 Pseudo-Terminal Allocation
      6. 18.5.6 Proxies and SOCKS
      7. 18.5.7 Encryption Algorithms
      8. 18.5.8 Authentication
      9. 18.5.9 Compression
      10. 18.5.10 Logging and Debugging
      11. 18.5.11 Batch Jobs
    6. Forwarding
      1. 18.6.1 Forwarding with PuTTY
      2. 18.6.2 Forwarding with Plink
    7. Summary
  21. A. OpenSSH 4.0 New Features
    1. Server Features: sshd
      1. Logging of Access Control Violations
      2. AddressFamily Keyword
      3. Password and Account Expiration Warnings
    2. Client Features: ssh, scp, and sftp
      1. KbdInteractiveDevices Keyword
      2. More Control for Connection Sharing
      3. Hashing of Hostnames
      4. Port Forwarding
      5. sftp Command-Line Features
    3. ssh-keygen
      1. Hashing Your Known Hosts File
      2. Managing Hosts
  22. B. Tectia Manpage for sshregex
    1. Regex Syntax: Egrep Patterns
      1. Escaped Tokens for Regex Syntax Egrep
    2. Regex Syntax: ZSH_FILEGLOB (or Traditional) Patterns
    3. Character Sets for Egrep and ZSH_FILEGLOB
        1. Example
    4. Regex Syntax: SSH Patterns
      1. Escaped Tokens for Regex Syntax SSH
      2. Character Sets for Regex Syntax SSH
        1. Example
    5. Authors
    6. See Also
  23. C. Tectia Module Names for Debugging
  24. D. SSH-1 Features of OpenSSH and Tectia
    1. OpenSSH Features
      1. Serverwide Configuration
      2. Client Configuration
      3. Files
    2. Tectia Features
      1. Serverwide Configuration
      2. Client Configuration
      3. File Transfers
      4. Key Management
      5. Authentication Agent
  25. E. SSH Quick Reference
    1. Legend
    2. sshd Options
    3. sshd Keywords
    4. ssh Options
    5. scp Options
    6. ssh and scp Keywords
    7. ssh-keygen Options
    8. ssh-agent Options
    9. ssh-add Options
    10. Identity and Authorization Files, OpenSSH
    11. Identity and Authorization Files, Tectia
    12. Environment Variables
  26. Index
  27. About the Authors
  28. Colophon
  29. Copyright

Product information

  • Title: SSH, The Secure Shell: The Definitive Guide, 2nd Edition
  • Author(s): Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes
  • Release date: May 2005
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: 9780596008956