Secure Remote Access to Your Server through SSH
A 'How To' Guide for the Nanopublisher
When setting up your server, the first thing you want to do is secure it from attack with a firewall. For most home or small enterprise servers this is done with a gateway router, which sits between your cable or DSL modem and your network. You need one that provides a firewall and is sophisticated enough to let you configure it. I use the Netgear FR114P, but most gateway routers (also sold as firewall routers or cable/DSL routers) will work. By default most firewalls let you reach the internet from your network but allow nothing from the internet into your network. So if you want to host a website on your server, or let it receive email, you must configure the firewall to pass the traffic for those services to your server. You do so by adding rules for incoming services. For a website you add a rule that forwards traffic on the HTTP port (port 80) to your server; for email the rule is for the SMTP port (port 25).
With this your network is relatively safe from intruders. But what if you need access to your server from outside your home? You are locked out as well. You could open more ports so that you can download email from your server, transfer files, log in and so on, but each one reduces the security of your network. I use Apache for serving web pages and Postfix for receiving email, both of which are robust and secure. Finding equally secure programs for the other services is harder, particularly because most of those services are inherently insecure: POP, IMAP and FTP require you to provide your password, and they send it in clear text (unencrypted). If your password is intercepted, it can be used with these services to attack you. A better approach is to use SSH for remote access; it was designed for exactly this and is very secure.
With SSH you connect to your server through an encrypted channel, so any passwords you send cannot be observed on the wire. Once connected you have a shell and can execute commands on your server. Most SSH clients also come with SFTP, a secure file transfer program for moving files to and from your server. Beyond that, you can route other services such as POP and IMAP through the same SSH channel so that they become secure too. This document describes how to use PuTTY, a popular SSH client for Windows, to provide this level of remote access to your server.
This document assumes you are running a Linux server on which an SSH server, such as OpenSSH, is installed and working; that is the default on most Linux distributions. You may also need to tell the SSH server which accounts are allowed to log in: add an "AllowUsers username" directive (the keyword is AllowUsers, plural, and it takes a space-separated list of accounts) to the server configuration file, /etc/ssh/sshd_config on SuSE Linux and on most other distributions, then restart or reload sshd so that the change takes effect. Once AllowUsers is present every account not listed is refused, so list every account you log in with.
Now add an incoming rule to your firewall that forwards SSH traffic (TCP port 22) to your server. From this point sshd is reachable from the whole internet and will see automated password-guessing attempts; the key-based login set up below, combined with PasswordAuthentication no in sshd_config, is what makes those attempts harmless.
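Before forwarding port 22 from the firewall it is worth checking what sshd will actually enforce. The following is an added example of mine, not part of the original guide: a small audit of an sshd_config for the directives this guide depends on. It implements the sshd rules that catch people out: for each keyword the first value in the file wins (so a hardened line appended at the end is ignored if the keyword already appeared), keywords are case-insensitive, and anything after a Match line applies only to matching connections. The two sample configuration files, the account name alice and the LAN range 192.168.0.0/24 are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original guide: audit the sshd settings this
# guide relies on before port 22 is forwarded from the firewall.

sshd_effective_value() {
    # $1: config file, $2: keyword. Prints the value sshd uses in the global
    # section (empty if unset): first match wins, case-insensitive keyword,
    # '#' comments ignored, nothing inside a Match block counts.
    # The "Keyword=value" spelling is not handled here.
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        NF == 0                { next }
        tolower($1) == "match" { inmatch = 1; next }
        inmatch                { next }
        tolower($1) == key     { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

expect_directive() {
    # $1: config file, $2: keyword, $3: required value (case-insensitive),
    # $4: optional compiled-in default that applies when the keyword is absent.
    _got=$(sshd_effective_value "$1" "$2" | tr 'A-Z' 'a-z')
    _got=${_got:-$4}
    if [ "$_got" != "$3" ]; then
        echo "$2: effective value '${_got:-<unset>}', want '$3'" >&2
        return 1
    fi
}

check_sshd_config() {
    # $1: config file. Returns 0 if every directive the guide depends on is
    # hardened, 1 otherwise; each finding is written to stderr.
    _rc=0
    expect_directive "$1" PubkeyAuthentication   yes yes || _rc=1  # key login (default yes)
    expect_directive "$1" PasswordAuthentication no  yes || _rc=1  # internet-facing: no guessing
    expect_directive "$1" PermitRootLogin        no      || _rc=1  # log in as yourself, then su
    if [ -z "$(sshd_effective_value "$1" AllowUsers)" ]; then
        echo "AllowUsers: not set (every account with a shell may log in)" >&2
        _rc=1
    fi
    return $_rc
}

# Constructed sample files. WEAK_CONFIG shows the classic mistake: a
# "PasswordAuthentication no" appended after the distribution's default line.
WEAK_CONFIG='Port 22
PasswordAuthentication yes
PermitRootLogin yes
Subsystem sftp /usr/lib/openssh/sftp-server
# added later in a hurry; sshd ignores it because the first value above wins
PasswordAuthentication no
'
HARDENED_CONFIG='Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
# the account you log in with from PuTTY
AllowUsers alice
# needed on the server side for the X11 forwarding described later
X11Forwarding yes
Subsystem sftp /usr/lib/openssh/sftp-server
# Relaxations for the LAN only: they live in a Match block and do not
# change the global values checked above.
Match Address 192.168.0.0/24
    PasswordAuthentication yes
'

# Stand-alone demo: write both samples to temporary files and audit them.
_demo=$(mktemp -d)
printf '%s' "$WEAK_CONFIG" > "$_demo/sshd_config.weak"
printf '%s' "$HARDENED_CONFIG" > "$_demo/sshd_config.hardened"
for _f in "$_demo"/sshd_config.*; do
    if check_sshd_config "$_f"; then echo "OK:   $_f"; else echo "WEAK: $_f"; fi
done
rm -rf "$_demo"
```

Run it against /etc/ssh/sshd_config on the server after editing; the weak sample fails three ways (password logins still on, root login allowed, no AllowUsers) even though the file ends with the "right" line, while the hardened sample passes despite the Match block that re-enables passwords for the LAN.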
If you do not have PuTTY, download it from www.chiark.greenend.org.uk/~sgtatham/putty/ and install it. For the best security, make sure you have the latest version.
PuTTY is an SSH client used to establish a secure connection to another machine, and the PuTTY package includes several other useful utilities. For interactive use there is PuTTY itself, a remote interactive shell, and PSFTP, a secure interactive FTP-style client. For non-interactive or scripting use there is PSCP, a remote copy command, and Plink, a remote shell command. All of these can use Pageant, an agent that holds your private keys in memory so that you do not have to type your passphrase or password each time a connection to the server is made; the keys themselves are generated with PuTTYgen. Pageant is optional with the interactive tools, PuTTY and PSFTP, since with those you can simply type your password, but Plink and PSCP cannot prompt usefully from inside a script, so for them you need a key loaded into Pageant.
If you do not already have a key pair, generate one with PuTTYgen. Protect the private key with a passphrase when you generate it, then save it to a file. The public key must be added to ~/.ssh/authorized_keys on your server (the remote host). With StrictModes, the OpenSSH default, sshd refuses to use that file if ~/.ssh or authorized_keys is writable by anyone but you, so make the directory mode 700 and the file mode 600. When the PuTTY client connects, the server uses the public key stored there and the client uses the private key held in Pageant to prove, without any secret crossing the wire, that you are permitted to log in.
PuTTYgen offers SSH1 (RSA), SSH2-RSA and SSH2-DSA keys (newer releases add ECDSA and Ed25519). Use SSH2-RSA, or Ed25519 where available: the SSH1 protocol has known weaknesses and current OpenSSH servers no longer accept it at all, and SSH2-DSA is limited to 1024-bit keys and is disabled by default in recent OpenSSH. The one inconvenience is that PuTTYgen's "Save public key" writes the key in a format that OpenSSH, the SSH server used on most Linux machines, does not read directly in authorized_keys. The easy way round this is to copy the single line from PuTTYgen's "Public key for pasting into OpenSSH authorized_keys file" box; otherwise the saved file must be edited as shown below. PuTTYgen saves the public key in the following form ...
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20040723"
AAAAB3NzaC1yc2EAAAABJQAAAQEAldBY9+Z55RcsYkRJfJswMZyRUaG5gv+HraIT
kcE89uH2wq9GWY8vPIAa1QfKUAH2iEGG6lvN1Jpot9mabSuzqGYljASmrSibeDx9
KKTYUu94YV9sSNcpP09hU8yo/mznWqmvHYxqo4ZMEdhzEr6zIBDS4caNlJwgXvtB
kdEy70003H0YYxarL/eIU8mT+eyQ8Mk47nKvvOzYq5tlOz7QFzlJBayCLWcBeXwp
2q0J0kQehD4Eep+jtqhlLRB+BSyeIQZXQ6fhIrLOBXph3/5TdwScJZKHjAT95BD6
nUNFe7MtOl+uIfRXgz3/bZMSwjho6lLoVJ/6MeYsPOmCp/Y87w==
---- END SSH2 PUBLIC KEY ----
The file must be edited to conform to the following form
# public ssh2 rsa key: "rsa-key-20040723"
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAldBY9+Z55RcsYkRJfJswMZyRUaG5gv+HraITkcE89uH2wq9GWY8vPIAa1QfKUAH2iEGG6lvN1Jpot9mabSuzqGYljASmrSibeDx9KKTYUu94YV9sSNcpP09hU8yo/mznWqmvHYxqo4ZMEdhzEr6zIBDS4caNlJwgXvtBkdEy70003H0YYxarL/eIU8mT+eyQ8Mk47nKvvOzYq5tlOz7QFzlJBayCLWcBeXwp2q0J0kQehD4Eep+jtqhlLRB+BSyeIQZXQ6fhIrLOBXph3/5TdwScJZKHjAT95BD6nUNFe7MtOl+uIfRXgz3/bZMSwjho6lLoVJ/6MeYsPOmCp/Y87w==
Notice that the comment style was changed, the prefix "ssh-rsa" was added to the beginning of the key, and the newlines within the key body were removed: the key type, the key body and any comment must all sit on a single line. (OpenSSH also accepts the comment at the end of that same line, after the key body, which is how PuTTYgen's paste box presents it.)
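The edit just described, and the permissions noted above for ~/.ssh, are easy to get subtly wrong by hand, so here is an added example (mine, not the guide's own procedure) that does both on the server: it joins the wrapped key body, reads the key type out of the decoded blob instead of assuming ssh-rsa, carries the Comment over, and appends the result to authorized_keys with mode 700 on the directory and 600 on the file. The sample key is the one shown in the guide; the scratch home directory and the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the original guide: convert a PuTTYgen-saved public
# key (RFC 4716 "---- BEGIN SSH2 PUBLIC KEY ----" format) into the one-line
# form OpenSSH's authorized_keys needs, and install it with the permissions
# sshd insists on. Needs only awk, base64, od, head and tail.

blob_key_type() {
    # $1: base64 key blob. The decoded blob starts with a 4-byte big-endian
    # length followed by the algorithm name ("ssh-rsa", "ssh-ed25519", ...).
    # Only the first 80 base64 characters (60 bytes) are decoded for that.
    _len=$(printf '%s' "$1" | head -c 80 | base64 -d 2>/dev/null | od -An -tu1 -N4 |
           awk '{ print $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 }')
    if [ -z "$_len" ] || [ "$_len" -lt 7 ] || [ "$_len" -gt 56 ]; then
        echo "not an SSH public key blob" >&2
        return 1
    fi
    printf '%s' "$1" | head -c 80 | base64 -d 2>/dev/null | tail -c +5 | head -c "$_len"
}

rfc4716_to_openssh() {
    # $1: public key file saved by PuTTYgen. Prints "<type> <blob> <comment>".
    # Header continuation lines (trailing backslash) are not handled; PuTTYgen
    # never writes them.
    _body=$(awk '
        /^---- BEGIN SSH2 PUBLIC KEY ----/ { inkey = 1; next }
        /^---- END SSH2 PUBLIC KEY ----/   { inkey = 0; next }
        !inkey                             { next }
        /^[A-Za-z-]+:/                     { next }   # Comment:, Subject:, x-... headers
        { gsub(/[ \t\r]/, ""); printf "%s", $0 }    # join the wrapped base64 lines
    ' "$1")
    _comment=$(awk '
        /^Comment:/ { sub(/\r$/, ""); sub(/^Comment:[ \t]*/, ""); gsub(/^"|"$/, ""); print; exit }
    ' "$1")
    if [ -z "$_body" ]; then
        echo "$1: no key body between the BEGIN/END markers" >&2
        return 1
    fi
    _type=$(blob_key_type "$_body") || return 1
    printf '%s %s%s\n' "$_type" "$_body" "${_comment:+ $_comment}"
}

install_authorized_key() {
    # $1: authorized_keys line, $2: home directory (default: $HOME).
    # With StrictModes (the default) sshd refuses the key if ~/.ssh or
    # authorized_keys is writable by anyone else, so set 700/600 explicitly.
    # The line is appended only once, so re-running is harmless.
    _home=${2:-$HOME}
    (
        umask 077
        mkdir -p "$_home/.ssh" && chmod 700 "$_home/.ssh"
        touch "$_home/.ssh/authorized_keys" && chmod 600 "$_home/.ssh/authorized_keys"
        grep -qxF -- "$1" "$_home/.ssh/authorized_keys" ||
            printf '%s\n' "$1" >> "$_home/.ssh/authorized_keys"
    )
}

# The public key shown in this guide, exactly as PuTTYgen saves it.
SAMPLE_PUBKEY='---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20040723"
AAAAB3NzaC1yc2EAAAABJQAAAQEAldBY9+Z55RcsYkRJfJswMZyRUaG5gv+HraIT
kcE89uH2wq9GWY8vPIAa1QfKUAH2iEGG6lvN1Jpot9mabSuzqGYljASmrSibeDx9
KKTYUu94YV9sSNcpP09hU8yo/mznWqmvHYxqo4ZMEdhzEr6zIBDS4caNlJwgXvtB
kdEy70003H0YYxarL/eIU8mT+eyQ8Mk47nKvvOzYq5tlOz7QFzlJBayCLWcBeXwp
2q0J0kQehD4Eep+jtqhlLRB+BSyeIQZXQ6fhIrLOBXph3/5TdwScJZKHjAT95BD6
nUNFe7MtOl+uIfRXgz3/bZMSwjho6lLoVJ/6MeYsPOmCp/Y87w==
---- END SSH2 PUBLIC KEY ----'

# Stand-alone demo: convert the sample and install it into a scratch "home".
_demo=$(mktemp -d)
printf '%s\n' "$SAMPLE_PUBKEY" > "$_demo/key.pub"
_line=$(rfc4716_to_openssh "$_demo/key.pub")
install_authorized_key "$_line" "$_demo"
cat "$_demo/.ssh/authorized_keys"
rm -rf "$_demo"
```

On a real server you would copy the .pub file over with PSFTP and run rfc4716_to_openssh followed by install_authorized_key with no second argument, so that the key lands in your own ~/.ssh. Reading the type from the blob matters once you generate Ed25519 or ECDSA keys: a line that says ssh-rsa in front of an ssh-ed25519 blob is silently ignored by sshd.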
Once started, Pageant holds the keys the PuTTY clients use to authenticate their connections. Used properly, it lets you log in to remote systems without typing a username or password. When you run Pageant it puts an icon in your system tray that looks like a computer wearing a hat. To add keys, right-click the icon and select "Add Key", then give it the path to your private key file. It asks for your passphrase to confirm you are entitled to use the private key; once that is accepted the decrypted key sits in Pageant's memory and is available to PuTTY, Plink, PSCP and PSFTP. Bear in mind that anyone who can reach your desktop while Pageant is loaded can use that key without knowing the passphrase, so lock your screen when you step away.
If you do not want to start Pageant by hand and browse to the key file each time, create a shortcut to Pageant that passes the path to the key file as an argument. For example
"C:\Program Files\PuTTY\pageant.exe" "c:\My Documents\Keys\private key.ppk"
If you put this shortcut in your Startup folder, Pageant starts automatically when you log in to Windows. Of course, you will be asked for your passphrase at that point.
Starting PuTTY brings up the “PuTTY Configuration” window. From here you set the parameters of the connection. Here are some recommendations:
Then give your connection a name and save it. Finally, click on Open to connect. If you have done everything correctly, it should connect and login without requiring you to provide your username or password.
You can create a Windows shortcut to PuTTY in such a way that it immediately brings up a particular configuration. To do so, go to “c:\Program Files\PuTTY”, right click on “putty.exe” and select Create Shortcut. Then right click on the newly created “Shortcut to putty.exe” and add “ -load "<configuration>"” to the end of the target, where <configuration> is the name of the configuration to use.
PuTTY can connect a port on your local machine to a port reachable from the remote host (a local port forward). In this way normally insecure services such as POP run through the encrypted channel. By default the forwarded local port listens only on 127.0.0.1, so other machines on your network cannot ride your tunnel; leave the "Local ports accept connections from other hosts" option off unless you really want that.
If you have an X server running locally (I have had great success using the Cygwin X server on my Windows laptop), it is simply a matter of typing an X command into PuTTY and the resulting window pops up on your local machine. This assumes you enabled X11 forwarding in the PuTTY configuration (Connection->SSH->X11) and that the server's sshd_config contains X11Forwarding yes, which is not the OpenSSH default.
POP (post-office protocol) lets email clients download email from a server. Running POP through SSH is a good idea because it hides your password, which would otherwise be sent in clear text. POP traditionally uses port 110, and although it is not necessary, that port will be used at both ends of our SSH tunnel. To wire the POP server on the remote machine to respond to requests on port 110 on the local machine, bring up the PuTTY Configuration window and go to the Connection->SSH->Tunnels pane. At the bottom of the Port Forwarding section, make sure the Local radio button is selected. Then, under "Add new forwarded port", type the local (source) port number, here 110, and the destination, here localhost:110. PuTTY shows this tunnel as "L110 localhost:110", where L110 is the source of the tunnel and localhost:110 its destination. The first part of the destination could be any hostname on the remote network, but here we want the POP server on the same host SSH is connected to, so localhost is used. It is important to recognise that in this case localhost refers to the remote server, because the destination is interpreted by the server (the far end of the tunnel). The trailing part of the destination is the port on which the desired service listens on the remote machine, 110 for POP. Once this is done, reconfigure your mail application so that it uses port 110 on the local host rather than on the remote host: replace remote-host-name with localhost. Here the host name is relative to the machine where the mail tool is running, so this time localhost refers to the client machine and not the server. Note that the POP server on your machine can still be reached in clear text on the LAN unless you bind it to 127.0.0.1 or block it at the firewall; the tunnel protects only the traffic that goes through it.
IMAP is like POP in that it is a protocol for delivering mail from the server to a client machine. Whether you use POP or IMAP is a matter of personal choice. With POP the mail is downloaded to the client machine, which works best if that machine is the only place you read your mail. IMAP keeps the mail on the server, which is problematic if you often read your mail over a slow internet connection but is preferable when you read mail from more than one machine. Configure SSH to support IMAP in the same way as POP, except use port 143.
POP is used to pick up incoming mail from a POP server. SMTP (simple mail transfer protocol) is used when sending mail, and it uses port 25. If you wish to send outgoing mail to the remote machine through SSH, wire port 25 on the local host to port 25 on the remote host (L25 localhost:25). Mail submitted this way arrives at Postfix from the server's own loopback address, which Postfix trusts for relaying by default (its mynetworks setting); this is exactly why the local end of the forward should keep listening on 127.0.0.1 only.
VNC lets you start a desktop session on the server and display and interact with it from your local machine. Before you can do this, a VNC server must be started on the server; it creates the desktop you later connect to. The desktop persists after you disconnect, so you can reconnect later and find everything as you left it.
If the VNC server is not yet running, start it from your PuTTY session. The first time, create a password for your VNC sessions with vncpasswd. Then start the server with something like
vncserver -geometry 1014x700 -depth 24 :0
This creates a desktop of the given size using 24-bit colour. The display number, here 0, can be any display number not already in use (on a server that also runs a local X session :0 is usually taken, so :1 is the common choice). By default the VNC server accepts connections on all interfaces; if your vncserver supports the -localhost option, add it so that the desktop can only be reached through the SSH tunnel described next.
To create an SSH tunnel for VNC, forward local port 590n to port 590n on the server (L590n localhost:590n), where n is the VNC display number: 5900 for display :0, 5901 for :1, and so on. Once the SSH session is up, start the VNC viewer locally and give it localhost:n (or localhost:590n) as the name of the VNC server. VNC's own password authentication is weak, so never forward 590n through the firewall; the SSH tunnel should be the only path to it.
WinCVS is a GUI-based Windows application that lets you check out and manage files from a CVS repository; here the repository is assumed to reside on your server. WinCVS uses Plink as its remote shell command to connect to the server, so a key must be loaded in Pageant. If you do not have WinCVS, download it from www.wincvs.org and install it.
To configure SSH, use Admin > Login and press the '...' button in the lower right. Select ssh as the protocol, your username as the username, your domain name (yourSite.com) as the hostname, and the path to your private key as the PrivateKey.
To check out the files associated with a module, use Remote->Check Out Module. You will be asked to provide, or confirm, the module name and the local path where the files are to be placed. You might also be asked for the location of your home directory; this is where WinCVS places various dot files.
Other things you might want to do with WinCVS ...
To navigate to a new directory use View > Browse Location.
Use Modify > Update Selection to update the files in your local directory from the latest in the repository.
Use Modify > Commit to deposit your latest version in the repository.
Use Query > Diff Selection to determine what is different between your local file and the one in the repository.
Use Query > Graph to show version tree.
To import a module (initial upload of files to CVS) use Remote->Import Module. Then you must check out the module.
FTP is more complex than the other services because it opens a second connection for each data transfer, so forwarding the control port alone is not enough. It is still possible to protect an FTP link with SSH if FTP is restricted to passive transfers routed through SSH; to see how it is done, go here. The simpler alternative is to use the SFTP client that comes with PuTTY (PSFTP), or WinSCP, both of which run entirely inside the SSH connection.
A graphical file transfer tool similar to WinFTP called WinSCP is available from here. It works through SSH and is compatible with the PuTTY keys.
Rsync is a file-copy utility like rcp, except that it transfers only the files (and parts of files) that have changed, so rsync brings a large collection of files up to date far faster than rcp or scp.
To use rsync through SSH in the way shown here, forward port 873 (L873 localhost:873), the port of the rsync daemon. This assumes an rsync daemon (rsync --daemon) is running on the server with a module named user whose path is /home/user; the double-colon syntax always refers to a daemon module, not to a directory, and without such a module the commands below fail with "unknown module". Then "localhost::user" stands for /home/user on your server. (Recent rsync versions can also run directly over an SSH command with -e, which needs neither the daemon nor the forward, but the daemon form is what this guide uses.) So
rsync localhost::user
lists the contents of /home/user on your server,
rsync -a dir localhost::user
copies the directory dir and its contents to /home/user on your server (the -a option matters: without -r or -a, rsync skips directories entirely), and
rsync -a localhost::user/dir .
copies the directory /home/user/dir and its contents to the local machine.
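The daemon side that makes "localhost::user" valid is not shown in the guide, so here is an added example of an rsyncd.conf written for this setup (my example, not the guide's own file; the module name user, the path /home/user, the account name and the secrets file location are assumptions). The two settings that matter for security are address, which keeps the daemon off the network so it is reachable only through the tunnel, and hosts allow, which rejects anything that did not arrive via loopback even if the daemon is ever bound more widely:

```ini
# /etc/rsyncd.conf (assumed example for the tunnel described above)
# Global section: listen on loopback only, so the daemon can be reached
# solely through the SSH forward (L873 localhost:873), never from the LAN.
address = 127.0.0.1
pid file = /var/run/rsyncd.pid
log file = /var/log/rsyncd.log

# The module referred to by "localhost::user".
[user]
    path = /home/user
    comment = home directory, via SSH tunnel only
    read only = no
    uid = user
    gid = users
    # belt and braces: refuse anything that did not come in over loopback
    hosts allow = 127.0.0.1
    hosts deny = *
    # the daemon has its own login, separate from the Unix account;
    # the secrets file holds "user:password" and must be mode 600, owned by root
    auth users = user
    secrets file = /etc/rsyncd.secrets
```

Start the daemon on the server with rsync --daemon; the auth users password is prompted for by rsync and, because it only ever crosses the SSH tunnel, is never exposed on the network.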
It is tricky to use SSH to share files and printers, but it is possible. I personally have not had experience doing this, but you can find instructions here.
Any questions or comments on these notes can be directed to theNurds@nurdletech.com.