OpenSSH
How to use SSH to make secure connections across your network infrastructure, from installing the daemon on the server through to a number of connection and usage examples.
Start by installing the ssh daemon on the server:
apt-get install ssh
Next, on the client, create a public/private key pair for the user who must connect to the service:
ssh-keygen -t dsa
At some point you are prompted to enter a pass-phrase. You may want to use a very long sentence: the pass-phrase is simply a text string that is used to encrypt the private key, so this further increases security.
After running the above command, a key pair consisting of two files, id_dsa and id_dsa.pub, has been created in the directory ~/.ssh/.
The file id_dsa contains the private key created for the user and must be preserved with great care, so it is recommended to set its permissions to 600 (readable and writable only by the user who owns the file).
The file id_dsa.pub contains the public key, which must be stored on the server so that it can be used for user authentication.
We must then add our public key to those authorized for the corresponding user on the server by executing the following commands:
scp ~/.ssh/id_dsa.pub user@remoteserver:
ssh user@remoteserver "cat id_dsa.pub >> .ssh/authorized_keys && rm id_dsa.pub"
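A more defensive, server-side version of the append step above, as an added example that is not part of the original page: it creates ~/.ssh with the modes sshd expects, refuses a private key file, and skips a key that is already listed. The function name install_pubkey, its arguments and the sample key line are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original page. install_pubkey is a
# hypothetical helper; run it on the server as the target user.
# Usage: install_pubkey PUBKEY_FILE [HOME_DIR]
# Returns 0 = key added, 1 = key already present, 2 = error.
install_pubkey() {
    pub=$1
    ssh_dir=${2:-$HOME}/.ssh
    auth=$ssh_dir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 2; }
    # Never let a private key end up in authorized_keys by mistake.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub looks like a private key, refusing" >&2
        return 2
    fi
    # A public key is a single line: "type base64 [comment]".
    key=$(grep -v '^[[:space:]]*$' "$pub" | head -n 1)
    [ -n "$key" ] || { echo "$pub is empty" >&2; return 2; }

    # With StrictModes (the sshd default) the keys are refused when
    # ~/.ssh or authorized_keys is writable by group or others.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 2
    touch "$auth" && chmod 600 "$auth" || return 2

    # -x whole line, -F fixed string: do not append a duplicate entry.
    if grep -qxF -e "$key" "$auth"; then
        return 1
    fi
    printf '%s\n' "$key" >> "$auth"
}

# Demo on a throwaway directory with a constructed (not real) key line.
demo_dir=$(mktemp -d)
echo 'ssh-dss AAAAB3NzaC1kc3MAConstructedSampleNotARealKey user@client' \
    > "$demo_dir/id_dsa.pub"
for run in first second; do
    rc=0; install_pubkey "$demo_dir/id_dsa.pub" "$demo_dir/home" || rc=$?
    echo "$run run: exit status $rc"
done
ls -ld "$demo_dir/home/.ssh" "$demo_dir/home/.ssh/authorized_keys"
rm -rf "$demo_dir"
```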
Once the steps above are complete, the server behaves as follows as soon as it receives an access request from a specific user:
- it verifies that the key submitted during the connection is authorized for the corresponding local user
- the user is asked for the pass-phrase chosen earlier
- if all checks succeed, the server allows access without asking for further authentication
Keep in mind that if you reinstall the server, and consequently a new key pair is generated, you will receive the following message when connecting:
warning: remote host identification has changed!
This should put us on alert, and we should be concerned about whether the connection is secure: the message confirms that the key pair on the server has changed, and the check exists to rule out a possible man-in-the-middle attack.
To access the service from a remote computer:
ssh user@remoteserver
You can avoid typing the pass-phrase every time by using "ssh-agent", a program that manages pass-phrases securely.
Connection examples:
run the command...
ssh user@server command
copy files...
scp filename user@remoteserver:/path_destination_file/
The server running the sshd daemon can also provide a file transfer service, regardless of whether an FTP service is present and without any further change to the sshd configuration.
Examples:
sftp user@remoteserver
get filename
ls
cd
mkdir dirname
put filename
rm filename
Simply add the character "l" before a command to run it locally.
You can also redirect the display of X11 applications. This requires setting X11Forwarding yes in the configuration file /etc/ssh/sshd_config.
The use of the information shown here is at your risk.
Cyber Methexis disclaims any liability for malfunction and/or loss of data.

