Secure Shell, or SSH, is a network protocol that allows data to be exchanged over a secure channel. SSH is much more than just data being passed over the wire. SSH can be used to tunnel traffic and specific ports or applications across multiple servers. SSH is a must for anyone using Linux. If you haven't used SSH, then you have not used Linux! This session is designed for all technical staff or decision makers curious about great Linux tools and making access to Windows services, remote desktops and remote servers easier and less complicated. During this session, we will demonstrate techniques to tunnel RDP sessions, SOAP sessions and HTTP sessions between remote systems.
Using SSH on Linux: Everyone Should Know This
Jared Jennings, Senior Consultant, Data Technique, [email protected]
Aaron Burgemeister, Technical Support Engineer, Novell, [email protected]
© Novell, Inc. All rights reserved.
What is SSH?
SSH is a Network Protocol
– NAT Friendly
– Secure
Cross-platform Support
SSH Experience?
• Heard of it?
• Used it?
• Tunneled?
• Forwarded GUI?
• Remote commands?
• File copies (scp or rsync over ssh)?
• Authentication other than passwords (keys, GSSAPI)?
• Came here just to find presenter inaccuracies?
Why Use SSH?
Accessibility
Fast
Allows data to be exchanged securely
– Port forwarding
– GUI forwarding
SSH Commands: On Linux and Mac
SSH is standard on Linux, Unix and Mac
• ssh
• scp
Available SSH Tools on Windows
• PuTTY – http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
• http://www.chiark.greenend.org.uk/~sgtatham/putty
– PLINK (great for scripting uses)
– Pageant (key material management)
– pscp (file management)
Available SSH Tools on Windows
WinSCP – http://winscp.net/eng/index.php
XMING – http://sourceforge.net/projects/xming
Cygwin – http://www.cygwin.com/
SSH Server (Daemons)
• The SSH daemon is supported by all OS's
– Linux/Unix/Mac OS X
– Windows must use third-party software to run the daemon
– NetWare® 6.5 sp3 or greater
• Multiple authentication back-ends
– Using PAM authentication
> Novell® eDirectory™, files, OpenLDAP
• Multiple authentication methods
– Password; Public Key
– Challenge/Response
– Kerberos
– Host-based
How Can SSH Be Used?
Basic SSH Connection
• Access files
• Control remote system
ssh sshsvr.com -l ab #explicit
ssh [email protected] #simple
Tunneling with SSH
SSH can tunnel just about any TCP traffic (IPv4 or IPv6)
Local forwarding/remote forwarding
Local forwarding
– Involves forwarding a socket from the client to the server
Remote forwarding
– Involves forwarding a socket from the server to the client
Tunneling with SSH: Purposes/Security
Benefits of tunneling
Connection from client to server is secure
– Regular connections from client to server may not otherwise be secure – rsync, http, etc.
Access an otherwise-inaccessible network
– Similar to a VPN, but without as much setup
– Access a single system with access to secure apps
Tunneling with SSH: Details
One side opens an address/port on the specified listening side
See the (by default) localhost-listening socket with netstat
SSH takes all TCP data from that address/port and sends it through the SSH connection that is already established (and may be carrying other traffic at the same time).
The opposite side sends the TCP data to the destination address/port as specified during the connection setup.
The TCP client, whose traffic is tunneled, thinks it is talking to the SSH machine on the listening side of the tunnel.
The TCP server, whose traffic is tunneled, thinks the SSH machine at the end of the tunnel is the TCP client.
Everything outside of the SSH participants and the TCP client and server just sees a single SSH connection sending data from time to time
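Added example, not from the slides: a plaintext Python model of the client-side half of `-L` (the same pattern the HTTP, GroupWise and RDP slides below use), so the socket plumbing described above can be watched on one machine. A constructed loopback echo server stands in for the remote service; real ssh would encrypt the hop to the SSH server and make the final connect from there.

```python
import socket
import threading

def _pump(src, dst):
    """Copy bytes src -> dst until src closes, then half-close dst so EOF propagates."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def start_local_forward(listen_port, dest_host, dest_port):
    """Model of `-L listen_port:dest_host:dest_port`: a localhost-only listener (ssh's
    default) whose accepted connections are relayed to dest. Returns (bound port, socket)."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", listen_port))      # this is the socket netstat shows
    lsock.listen(5)
    def accept_loop():
        while True:
            try:
                client, _ = lsock.accept()
            except OSError:                      # listener shut down: tunnel torn down
                return
            upstream = socket.create_connection((dest_host, dest_port))  # ssh does this at the far end
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()[1], lsock

def demo():
    """Constructed echo server plays the remote service; returns (reply, peer it saw)."""
    srv, seen = socket.socket(), []
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, peer = srv.accept()
        seen.append(peer[0])                     # the forwarder, not the real client
        conn.sendall(conn.recv(4096))
        conn.close()
    threading.Thread(target=serve, daemon=True).start()
    fwd_port, lsock = start_local_forward(0, "127.0.0.1", srv.getsockname()[1])
    with socket.create_connection(("127.0.0.1", fwd_port)) as c:
        c.sendall(b"GET / HTTP/1.0\r\n\r\n")     # client thinks it talks to localhost
        reply = c.recv(4096)
    try:
        lsock.shutdown(socket.SHUT_RDWR)         # wakes the blocked accept()
    except OSError:
        pass
    lsock.close()
    return reply, seen[0]
```

Pointing a browser at the bound port is the same thing the HTTP slide does with port 1080; the echo server's recorded peer shows why the far-end service only ever sees the tunnel endpoint as its client.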
HTTP (Web Server)
Diagram: Client in Insecure Land → Firewall Forwarding SSH → SSH Server → WebServer
ssh [email protected] -L 1080:http_server:80
HTTP: Making a Connection
Making the SSH connection
ssh sshsvr.com -L 1080:http_server:80
Pointing the web browser to the site
http://localhost:1080/rest/of/the/url.html
Novell® GroupWise®
ssh [email protected] -L 1677:groupWise_server:1677
Novell® GroupWise®: Making a Connection
Making the SSH connection
ssh [email protected] -L 1677:groupWise_server:1677
Starting the Novell GroupWise client
grpwise.exe -ipa=localhost -ipp=1677
Remote Desktop (RDP): Making a Connection
Making the SSH connection
ssh [email protected] -L 13389:WindowsServer:3389
Starting the Linux RDP client
rdesktop localhost:13389
Multiple Connections
ssh [email protected] -L 1080:http_server:80 -L 3389:broken_windows:3389 -L 19001:groupwise_server:1677
Single tunnel point
Multiple destinations
Multiple ports
Redirecting X (GUI)
Redirecting the “GUI”
Redirecting the graphical screens of the remote computer (an installer, an application) to the local computer
Very simple: redirect Skype
Redirect the GroupWise® Installer
From Linux/Mac to Linux
• Very simple
• Native support
• Redirect
– YaST – SUSE® Linux setup tool
– Skype – VoIP application
– Installs – anything else
ssh [email protected] -X
From Windows to Linux
• Not as simple
• No native support
• Still works
Enable X redirection and use one of the following X servers:
– xming
> http://sourceforge.net/projects/xming
– XwinLogon
> http://www.calcmaster.net/visual-c++/xwinlogon/
– LabF's WinaXe
> http://www.labf.com/winaxeplus/index.html
Copying Files with SSH
Simple File Copy with SSH
• Very simple
• Fairly fast
• Secure
• Supports entire directory structures
• Same syntax as cp (copy) except with a host
– Can actually function as a local cp command
scp ./file [email protected]:/home/ab/ #here to there
scp [email protected]:/home/ab/file ./ #there to here
RSYNC Over SSH
• Very simple
• Requires RSYNC client
• Synchronizes whole folder structures
rsync -avz -e ssh source_dir [email protected]:/dest_path
Running Remote Commands with SSH
Commands Run Remotely
• Output returned to client machine sending command
• Makes connection, runs, and exits
• Useful for monitoring/configuring/patching remote machines
ssh ab@ssh_svr 'ps aux'
ssh -t ab@ssh_svr 'top -d1 -n1'
Key Material Management and Usage
Key Material
• Makes the authentication MORE secure
– Disable passwords to prevent successful brute-forcing
• Allows for un-prompted authentication
– Immediate access to the system; automated scripting possible
– Provide access to the system without ever giving out the password; can also change identities or use multiple keys
Steps Involved:
1. Generate the client keys
2. Copy the public key to the remote machine
3. Log in as usual
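Added example, not from the slides: Python that carries out step 2 by hand the way ssh-copy-id does. It checks that a pasted OpenSSH public-key line is well-formed (the base64 blob must repeat the key type), appends it to ~/.ssh/authorized_keys only once, and sets the 700/600 modes that sshd's StrictModes check accepts, which is the usual reason step 3 still prompts for a password. The sample key is constructed (all-zero key material) and the code assumes POSIX file modes.

```python
import base64
import os
import struct
import tempfile

def _ssh_string(b):
    """Length-prefixed string as used inside OpenSSH key blobs."""
    return struct.pack("!I", len(b)) + b

def parse_pubkey_line(line):
    """Split an OpenSSH public-key line into (keytype, blob, comment); the blob's first
    field must repeat the key type, which catches truncated or mis-pasted keys."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    comment = parts[2].strip() if len(parts) == 3 else ""
    n = struct.unpack("!I", blob[:4])[0] if len(blob) >= 4 else -1
    if n < 0 or blob[4:4 + n] != keytype.encode():
        raise ValueError("key type inside blob does not match the line")
    return keytype, blob, comment

def install_pubkey(home, line):
    """Slide step 2: append the key to ~/.ssh/authorized_keys idempotently, with the
    700/600 modes sshd's StrictModes check accepts. Returns True if the key was added."""
    keytype, blob, comment = parse_pubkey_line(line)
    sshdir = os.path.join(home, ".ssh")
    os.makedirs(sshdir, mode=0o700, exist_ok=True)
    os.chmod(sshdir, 0o700)                      # makedirs mode is subject to umask
    path = os.path.join(sshdir, "authorized_keys")
    ident = [keytype, base64.b64encode(blob).decode()]
    existing = open(path).read().splitlines() if os.path.exists(path) else []
    if any(e.split(None, 2)[:2] == ident for e in existing if e.strip()):
        return False                             # already authorized; don't duplicate
    with open(path, "a") as f:
        f.write(" ".join(ident + ([comment] if comment else [])) + "\n")
    os.chmod(path, 0o600)
    return True

# Constructed ed25519-shaped public key (all-zero key material), NOT a real key.
SAMPLE_PUBKEY = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))).decode() + " ab@client"

def demo():
    """Install the sample key twice into a scratch home; return (added, added_again, mode)."""
    with tempfile.TemporaryDirectory() as home:
        first = install_pubkey(home, SAMPLE_PUBKEY)
        second = install_pubkey(home, SAMPLE_PUBKEY)
        mode = os.stat(os.path.join(home, ".ssh", "authorized_keys")).st_mode & 0o777
    return first, second, mode
```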
SSH Proxy Server
SSH to Proxy Traffic
• Uses:
– Lets you access content despite your client-side filters
– Lets you access proxy-enabled services securely
– Does NOT proxy DNS requests unless the DNS-using application knows to send DNS via the same connection
#connect and use 5555 as the SOCKS port locally
#then forward all proxy-able data through ssh_svr.com
ssh ab@ssh_svr.com -D 5555
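Added example, not from the slides: Python that builds and decodes the SOCKS5 CONNECT request an application sends to the `-D` listener, to make the DNS point above concrete. Only when the application sends the hostname itself (address type 0x03) is the name resolved at the far end of the tunnel; if it resolves first and sends an IP literal (0x01/0x04), that lookup already went out locally. Assumes SOCKS5 as in RFC 1928; the host names used are constructed examples.

```python
import ipaddress
import struct

def socks5_connect_request(host, port):
    """Return the CONNECT request bytes: VER=5, CMD=1, RSV=0, ATYP, address, port.
    A hostname goes out as ATYP 0x03 so the SSH server resolves it at the far end;
    an IP literal (ATYP 0x01/0x04) means resolution already happened on the client."""
    if not 0 < port <= 0xFFFF:
        raise ValueError("port out of range")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                      # not an IP literal: send the name itself
        name = host.encode("idna")
        if not 0 < len(name) <= 255:
            raise ValueError("hostname length must be 1..255 bytes")
        addr = bytes([0x03, len(name)]) + name
    else:
        addr = bytes([0x01 if ip.version == 4 else 0x04]) + ip.packed
    return bytes([5, 1, 0]) + addr + struct.pack("!H", port)

def parse_socks5_connect(req):
    """Decode a CONNECT request into (where_resolved, host, port): what the -D
    listener, or a monitor on the client side, would see for each connection."""
    if len(req) < 7 or req[0] != 5 or req[1] != 1:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == 0x03:
        n = req[4]
        host, rest, where = req[5:5 + n].decode("idna"), req[5 + n:], "remote"
    elif atyp in (0x01, 0x04):
        n = 4 if atyp == 0x01 else 16
        host, rest, where = str(ipaddress.ip_address(req[4:4 + n])), req[4 + n:], "local"
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("bad request length")
    return where, host, struct.unpack("!H", rest)[0]
```

A "local" result for a name the user typed means the application resolved it outside the tunnel, which is the leak the slide warns about; browsers have a setting to send names through SOCKS5 instead.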
SSH to Proxy Traffic - Browser
• Configure your browser's proxy to point to
– 127.0.0.1:5555
– (or whichever socket is configured to listen on the client side)
Do not configure other fields to use this!!
SSH Troubleshooting
SSH Troubleshooting
• Understand the technology and feature
– TCP-based
– Tunneling/proxying opens sockets
– X-forwarding requires X libraries on the forwarding side, X-server on the forwarded side
– Authentication can happen in multiple ways
• Test another system
– Maybe client or server is a lemon, e.g. running Windows :-)
• Use the -v[v[v]] options from the command line
– More 'v's mean more verbose... lots of good data in here
– Get a baseline BEFORE it breaks
Demo
• Novell® Remote
– Give access to specific services in a restricted environment
– Useful for support to access environments behind firewall
– Share access to a VM environment (NAT, Host-only)
• Audience Demo
– Requirement: Network Access; support.novell.com account preferably
Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.