ssh configuration.

Post by ink3 » 19. Feb 2012, 10:20

Maybe somebody could make a how-to on configuring & using ssh?
client----server.
ink3
 
Posts: 80
Joined: 9. Apr 2011, 14:16

Re: ssh configuration.

Post by Shador » 19. Feb 2012, 11:52

For your local network or the public internet?

If you want ssh on your local network, just fire up the ssh(d) daemon on the server (make it autostart too if you want). The default config works. Then run 'ssh server' on the client, or if your user name differs or you want to log in as a different user, run 'ssh user@server'. There's also 'scp file user@server:dest' to copy a file. Again, user can be omitted; then the user you're logged in as is used. And much more, like sshfs, ...
Couldn't be more straightforward. :)

That's not to be used if publicly accessible on the internet, as the default setup is, especially because of password-based authentication, not safe for the public internet. But it's easy to use and convenient for local, trusted networks.
Shador
Salix Warrior
 
Posts: 1295
Joined: 11. Jun 2009, 14:04
Location: Bavaria

Re: ssh configuration.

Post by JRD » 20. Feb 2012, 14:33

To add some information to Shador:
To enable ssh on the server:
Code:
chmod +x /etc/rc.d/rc.sshd && service start sshd

To connect to it on the client, just use "ssh" or "scp" command, or you could also use "remmina" to graphically connect to it and transfer files.
JRD
Salix Warrior
 
Posts: 952
Joined: 7. Jun 2009, 22:52
Location: Lyon, France

Re: ssh configuration.

Post by djemos » 20. Feb 2012, 15:35

For large files you can use rsync with ssh, so file transfers can be interrupted and resumed later.
rsync -avP -e ssh file user@server:dest
djemos
Salix Warrior
 
Posts: 422
Joined: 29. Dec 2009, 13:45
Location: Greece

Re: ssh configuration.

Post by Shador » 20. Feb 2012, 15:43

JRD wrote: To add some information to Shador:
To enable ssh on the server:
Code:
chmod +x /etc/rc.d/rc.sshd && service start sshd

To connect to it on the client, just use "ssh" or "scp" command, or you could also use "remmina" to graphically connect to it and transfer files.

Actually the chmod +x command is not needed. service start sshd already does this implicitly. And the graphical frontend available under System Tools is even easier for enabling/starting or disabling/stopping a service.
Shador
Salix Warrior
 
Posts: 1295
Joined: 11. Jun 2009, 14:04
Location: Bavaria

Re: ssh configuration.

Post by ink3 » 20. Feb 2012, 17:02

Ok.

1. I generated keys on "local" and "remote" host (local network 192 ... )

Code:
$ ssh-keygen -t rsa


2. Copy key to remote host

Code:
scp /home/local/.ssh/id_rsa.pub remote@192...:~/id_rsa.pub


3. Connect to remote host

Code:
$ ssh remote@192...


4. And add my public key (I want to log in to remote without a password).

Code:
$ cat id_rsa.pub >> .ssh/authorized_keys


What about security? Privileges (.ssh and the files in it)?
hosts.deny and hosts.allow ?
What else?
ink3
 
Posts: 80
Joined: 9. Apr 2011, 14:16

Re: ssh configuration.

Post by Shador » 20. Feb 2012, 17:23

This is not exactly secure, as anybody getting access to a machine with the private key on it or access to that private key, gets access to all other machines. So permissions of the private key file should be at least so that nobody except that one user can read that file (600). But that's forced by ssh anyway I think.
Still I recommend to put a key on the file and to use ssh-agent to store the password for your session so you only have to enter it once per session. This is quite comfortable and much more secure. Although for use on a local, trusted and firewalled network it shouldn't matter. On Xfce ssh-agent is started with your session automatically so all it needs to store the key is:
Code:
ssh-add

I have for example an autostart like this that prompts me for the password once I log in:
Code:
terminator -x ssh-add


On other DEs that don't start ssh-agent, e.g. openbox, you might need to add this to some startup file like .xinitrc:
Code:
SSHAGENT=/usr/bin/ssh-agent
SSHAGENTARGS="-s"
if [ -z "$SSH_AUTH_SOCK" -a -x "$SSHAGENT" ]; then
   eval `$SSHAGENT $SSHAGENTARGS`
   trap "kill $SSH_AGENT_PID" 0
fi


If you make the ssh service publicly available on the internet, e.g. by opening ports on your router, you should at least do this:
Code:
PermitRootLogin no
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no

So only key-based authentication for non-root users is allowed and login to root is disabled. Because once somebody gets access to that account, you've got a very big problem. If he gets access to another account, you've got a problem too, but then he still has your root password to crack to get you into really big trouble.
Shador
Salix Warrior
 
Posts: 1295
Joined: 11. Jun 2009, 14:04
Location: Bavaria
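
Added example, not part of Shador's post or of Salix itself: a shell audit of the two things asked about above, the permissions on .ssh and its files, and whether an sshd_config pins the values from the list in the post. The function names (check_perms, check_sshd_config, demo) and the sample files are made up for this example; it assumes GNU stat and a POSIX awk.

```shell
#!/bin/sh
# Added example; assumes GNU stat (coreutils) and POSIX awk.

mode_of() { stat -c '%a' "$1" 2>/dev/null; }   # octal mode, e.g. 600

# Check an ~/.ssh-style directory; prints findings, returns 1 if any.
check_perms() {
    dir=$1; rc=0
    [ "$(mode_of "$dir")" = 700 ] || { echo "LOOSE $dir (want 700)"; rc=1; }
    for f in "$dir"/id_* "$dir"/authorized_keys; do
        [ -f "$f" ] || continue
        case $f in
            *.pub) continue ;;                        # public keys may be readable
            */authorized_keys) ok='?[0145][0145]' ;;  # no group/other write bit
            *) ok='?00' ;;                            # private key: owner only
        esac
        case $(mode_of "$f") in
            $ok) ;;
            *) echo "LOOSE $f (mode $(mode_of "$f"))"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Check that a config file explicitly sets the values listed in the post.
# RhostsRSAAuthentication is skipped: it only applied to SSH protocol 1.
check_sshd_config() {
    cfg=$1; rc=0
    for want in "PermitRootLogin no" "IgnoreRhosts yes" "HostbasedAuthentication no" \
                "PermitEmptyPasswords no" "ChallengeResponseAuthentication no" \
                "PasswordAuthentication no"; do
        key=${want% *}; val=${want#* }
        # sshd keeps the first value it reads; keywords are case-insensitive.
        got=$(awk -v k="$key" 'tolower($1)==tolower(k) {print tolower($2); exit}' "$cfg")
        [ "$got" = "$val" ] || { echo "CHECK $key: '${got:-unset}' (want $val)"; rc=1; }
    done
    return "$rc"
}

# Constructed demo: a private key left at 644 and a config with one line set.
demo() {
    d=$(mktemp -d); mkdir "$d/.ssh"; chmod 700 "$d/.ssh"
    : > "$d/.ssh/id_rsa"; chmod 644 "$d/.ssh/id_rsa"
    printf '%s\n' 'PermitRootLogin no' '#PasswordAuthentication no' > "$d/sshd_config"
    check_perms "$d/.ssh"; check_sshd_config "$d/sshd_config"
    rm -rf "$d"
}
demo
```

On a real host, point check_perms at ~/.ssh and check_sshd_config at /etc/ssh/sshd_config. An "unset" finding means the effective value is whatever the installed sshd defaults to; Match and Include blocks are not evaluated here.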

Re: ssh configuration.

Post by ink3 » 20. Feb 2012, 18:59

ok. thanks to all :)
ink3
 
Posts: 80
Joined: 9. Apr 2011, 14:16
