| |
@@ -4,6 +4,8 @@
|
| |
|
| |
[[ch-OpenSSH]]
|
| |
= OpenSSH
|
| |
+ :toc:
|
| |
+
|
| |
indexterm:[OpenSSH]
|
| |
`SSH` (Secure Shell) is a protocol which facilitates secure communications between two systems using a client-server architecture and allows users to log into server host systems remotely. Unlike other remote communication protocols, such as `FTP`, `Telnet`, or [command]#rlogin#, SSH encrypts the login session, rendering the connection difficult for intruders to collect unencrypted passwords.
|
| |
|
| |
@@ -132,7 +134,7 @@
|
| |
indexterm:[SSH protocol,configuration files]
|
| |
There are two different sets of configuration files: those for client programs (that is, [command]#ssh#, [command]#scp#, and [command]#sftp#), and those for the server (the [command]#sshd# daemon).
|
| |
indexterm:[SSH protocol,configuration files,system-wide configuration files]indexterm:[SSH protocol,configuration files,user-specific configuration files]
|
| |
- System-wide SSH configuration information is stored in the `/etc/ssh/` directory as described in xref:OpenSSH.adoc#table-ssh-configuration-configs-system[System-wide configuration files]. User-specific SSH configuration information is stored in `~/.ssh/` within the user's home directory as described in xref:OpenSSH.adoc#table-ssh-configuration-configs-user[User-specific configuration files].
|
| |
+ System-wide SSH configuration information is stored in the `/etc/ssh/` directory as described in xref:table-ssh-configuration-configs-system[System-wide configuration files]. User-specific SSH configuration information is stored in `~/.ssh/` within the user's home directory as described in xref:table-ssh-configuration-configs-user[User-specific configuration files].
|
| |
|
| |
[[table-ssh-configuration-configs-system]]
|
| |
.System-wide configuration files
|
| |
@@ -219,7 +221,7 @@
|
| |
It is also possible that the RSA host key has just been changed.
|
| |
----
|
| |
|
| |
- To prevent this, you can backup the relevant files from the `/etc/ssh/` directory (see xref:OpenSSH.adoc#table-ssh-configuration-configs-system[System-wide configuration files] for a complete list), and restore them whenever you reinstall the system.
|
| |
+ To prevent this, you can backup the relevant files from the `/etc/ssh/` directory (see xref:table-ssh-configuration-configs-system[System-wide configuration files] for a complete list), and restore them whenever you reinstall the system.
|
| |
|
| |
[[s2-ssh-configuration-requiring]]
|
| |
=== Requiring SSH for Remote Connections
|
| |
@@ -262,7 +264,7 @@
|
| |
|
| |
To be able to use [command]#ssh#, [command]#scp#, or [command]#sftp# to connect to the server from a client machine, generate an authorization key pair by following the steps below. Note that keys must be generated for each user separately.
|
| |
|
| |
- {MAJOROSVER} uses SSH Protocol 2 and RSA keys by default (see xref:OpenSSH.adoc#s2-ssh-versions[Protocol Versions] for more information).
|
| |
+ {MAJOROSVER} uses SSH Protocol 2 and RSA keys by default (see xref:s2-ssh-versions[Protocol Versions] for more information).
|
| |
|
| |
.Do not generate key pairs as root
|
| |
[IMPORTANT]
|
| |
@@ -405,7 +407,7 @@
|
| |
+
|
| |
This will copy the content of `~/.ssh/id_ecdsa.pub` into the `~/.ssh/authorized_keys` on the machine to which you want to connect. If the file already exists, the keys are appended to its end.
|
| |
|
| |
- See xref:OpenSSH.adoc#s3-ssh-configuration-keypairs-agent[Configuring ssh-agent] for information on how to set up your system to remember the passphrase.
|
| |
+ See xref:s3-ssh-configuration-keypairs-agent[Configuring ssh-agent] for information on how to set up your system to remember the passphrase.
|
| |
|
| |
.Never share your private key
|
| |
[IMPORTANT]
|
| |
@@ -750,7 +752,7 @@
|
| |
|
| |
. On user's systems. remove keys belonging to hosts from the `~/.ssh/known_hosts` file if the user has previously logged into the host configured above. When a user logs into the host they should no longer be presented with the warning about the hosts authenticity.
|
| |
|
| |
- To test the host certificate, on a client system, ensure the client has set up the global `/etc/ssh/known_hosts` file, as described in xref:OpenSSH.adoc#proc-Trusting_the_Host_Signing_Key[Trusting the Host Signing Key], and that the server's public key is not in the `~/.ssh/known_hosts` file. Then attempt to log into the server over SSH as a remote user. You should not see a warning about the authenticity of the host. If required, add the [option]`-v` option to the SSH command to see logging information.
|
| |
+ To test the host certificate, on a client system, ensure the client has set up the global `/etc/ssh/known_hosts` file, as described in xref:proc-Trusting_the_Host_Signing_Key[Trusting the Host Signing Key], and that the server's public key is not in the `~/.ssh/known_hosts` file. Then attempt to log into the server over SSH as a remote user. You should not see a warning about the authenticity of the host. If required, add the [option]`-v` option to the SSH command to see logging information.
|
| |
|
| |
[[sec-Creating_SSH_Certificates_for_Authenticating_Users]]
|
| |
==== Creating SSH Certificates for Authenticating Users
|
| |
@@ -833,7 +835,7 @@
|
| |
-rw-r--r--. 1 user1 user1 421 May 7 12:37 id_rsa.pub
|
| |
----
|
| |
+
|
| |
- See xref:OpenSSH.adoc#s2-ssh-configuration-keypairs[Using Key-based Authentication] for more examples of key generation and for instructions on setting the correct directory permissions.
|
| |
+ See xref:s2-ssh-configuration-keypairs[Using Key-based Authentication] for more examples of key generation and for instructions on setting the correct directory permissions.
|
| |
|
| |
. The chosen public key must be copied to the server designated as the CA, in order to be signed. The secure copy command can be used to do this, the command has the following format:
|
| |
+
|
| |
@@ -852,7 +854,7 @@
|
| |
id_rsa.pub 100% 421 0.4KB/s 00:00
|
| |
----
|
| |
+
|
| |
- If you have configured the client system to trust the host signing key as described in xref:OpenSSH.adoc#proc-Trusting_the_Host_Signing_Key[Trusting the Host Signing Key] then you should not see a warning about the authenticity of the remote host.
|
| |
+ If you have configured the client system to trust the host signing key as described in xref:proc-Trusting_the_Host_Signing_Key[Trusting the Host Signing Key] then you should not see a warning about the authenticity of the remote host.
|
| |
|
| |
. On the CA server, sign the user's public key. For example, as `root`:
|
| |
+
|
| |
