SSH? What's it used for.



firebyrd10
02-25-2004, 02:22 AM
OK, I've seen many posts and stuff on SSH, and I want to know what it's used for. I figured it encrypts, but does it encrypt everything, like VNC, or just the data it sends? Also, is it a terminal? Does it only send commands to the other computer or can it send data also? I'm at a loss here. Can someone please FULLY explain this? Also, where would I go to connect to a computer that had an SSH server running (assuming I figured it out)?


Many Thanks

arkaine23
02-25-2004, 02:49 AM
SSH lets you connect securely to another computer running sshd. Once connected you can pass commands across the network or internet as if you were on the other computer. scp is a variation on ssh used for transferring files.

SSH is how I can sit at home and administrate a small corporate linux network.

firebyrd10
02-25-2004, 04:16 AM
So SSH is like a secure telnet or command-line VNC. Is there a GUI SSH out there (wait, that would just be a regular VNC + security now, wouldn't it)?

And you can transfer files over the network through it using scp.
I'm guessing this
dd if=/dev/hda | ssh user@remotehost /bin/dd of=/tmp/mypc_hda.img is using scp-type commands?

do you need a special server to transfer files?

Thank you, this has been bugging me for ever.

aay
02-25-2004, 06:55 AM
Well, I wouldn't use dd to transfer files through ssh. Personally I don't care much for scp. If I want to transfer files over ssh I either use fish in konq or, more commonly, make a shell link using mc.

If you want to try out ssh just make sure it's started on the server box like this:
/etc/init.d/sshd start

As root of course.

If you want to transfer files you can either learn scp, or try using fish in konqueror. After you open konq, just type the following in the address bar
fish://user@ipaddress.

Again, you can do the same thing by creating an ssh link in midnight commander (mc), highlighting the file you want to copy, and pressing F5 to copy the file to the other directory.

Hope this helps.

Adam

johnb
02-25-2004, 08:11 AM
I would say that being able to ssh into another box remotely and control it, whether you are sitting next to it or halfway around the world, needs mention. If you have 2 machines and CDs you can play with this yourself.

Open a root shell and set a new password:


passwd

Set a static ip address.


netcardconfig

No DHCP

Accept defaults. This machine is now known as 192.168.0.1
Set up the other machine the same, except its ip address will be 192.168.0.10
Typing from machine 192.168.0.1

ssh 192.168.0.10
you will be asked if you want to continue, type yes
type in the password for machine 192.168.0.10
If all has gone well you are now working on machine 192.168.0.10 even though you are still sitting in front of machine 192.168.0.1. Machine 192.168.0.10 can be in the basement with just an ethernet cable to access it. It does this all encrypted. Check the man page. You can get secure access to your computer (if it has internet access) from anywhere in the world.

johnb

gowator
02-25-2004, 11:45 AM
ssh is a network protocol, designed to replace older 'insecure' protocols which passed plain text authentication.

What this means in practice is that, since a shell also passes lots of other stuff, you can make a connection with ssh and then use whatever you want over a secure connection.

Technically johnb's access isn't available to the world because it's a non-routable RFC IP address. To access this from anywhere you would need to use the external address, not the internal one....

However, say you are connected internally from .1 to .10
If you type anything you are typing it ON that computer.

Let's say you're on .10 and ssh'd into .1
If you export the display variable for X from the ssh session
export DISPLAY=192.168.0.10:0.0
then start an X application, it will start on your screen because it will run on YOUR X server.

Even better, if you use gdm as a login manager (technically you can do it with any, but gdm is the easiest setup) you can actually start a whole X session on the remote computer but display it on your screen.

You can do the same with telnet or the insecure protocols too.

At home on an internal network there is little advantage to using ssh over telnet or rsh because the requests cannot be passed outside the internal network. However, it is good practice to get used to using it by default!

johnb
02-26-2004, 06:01 AM
thanks for the correction
johnb

rickenbacherus
02-26-2004, 06:28 AM
The company I work for allows http, ftp, cvs, and ssh through the firewall. All of my home boxes (2 desktops & Linux router) run sshd. I can and do use my own network all day from work. Just try putting a windows pc that is unpatched, missing virus definitions or is running some default windows services (rpc) *cough* and your box will be banned from the network. Connect to home with your Linux box through ssh and security couldn't care less. ;)

At work I have a Linux box and a windows box. On windows use Putty or Cygwin to ssh into your Linux boxen.

There is AFAIK no free ssh server for wimpdows. :(

There is a GUI for ssh:

apt-get install secpanel
Generate ssh hostkeys:

ssh-keygen -b 1024 -t rsa1 -f /etc/ssh/ssh_host_key -N ""
ssh-keygen -b 1024 -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -b 1024 -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""
Make sshd start on boot:

update-rc.d ssh defaults
Nifty:

alias home="ssh -l <username on remote box> 12.345.67.89"

(you can add that to /etc/profile to make it stick across reboot)

gowator
02-26-2004, 12:56 PM
thanks for the correction
johnb
It wasn't really a correction. Your explanation was fine; it's just that if someone tried it from an external address it wouldn't work.

If you had tried explaining it in terms of internal/external it would have been a lot less clear. I thought about it, then thought better of it!

firebyrd10
02-27-2004, 12:33 AM
wow I wasn't expecting all these replies. Thank you for clearing this up.

firebyrd10
02-27-2004, 03:26 AM
OK, I've been trying to export the display from my remote pc to my local computer but I can't seem to get it working. :cry:

Can someone please give me a mini tutorial on how to do it? I'd really appreciate it. I'm not (too) afraid of using the command line.

Thanks!

Stephen
02-27-2004, 05:31 AM
OK, I've been trying to export the display from my remote pc to my local computer but I can't seem to get it working. :cry:

Can someone please give me a mini tutorial on how to do it? I'd really appreciate it. I'm not (too) afraid of using the command line.

Thanks!


On the remote machine edit the file /etc/ssh/sshd_config and change this line.


X11Forwarding no

to say yes, save the file, and then run /etc/init.d/ssh restart to restart the daemon on the remote machine with the new configuration. Then, when you log in to the machine again, use ssh -X user@192.168.0.1 and you should now be able to start an X application remotely and have the output displayed on the local machine.
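As an added example (not code from this thread or from OpenSSH), a small POSIX shell helper that does what Stephen describes, reading and changing keywords in sshd_config, on a constructed copy of the file; the function names sshd_opt, sshd_set and sshd_report are mine, and the sample config is modelled on the Knoppix one quoted later in the thread.

```shell
#!/bin/sh
# Added example: inspect and edit sshd_config keywords on a constructed copy.
# sshd uses the FIRST active occurrence of a keyword, and keywords are
# case-insensitive, so the helpers below follow the same rules.

CFG="${TMPDIR:-/tmp}/sshd_config.example.$$"
trap 'rm -f "$CFG"' EXIT

# Constructed sample, modelled on the sshd_config quoted in the thread.
cat > "$CFG" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin no
X11Forwarding no
X11DisplayOffset 10
#X11Forwarding yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/sftp-server
EOF

# sshd_opt FILE KEYWORD: print the effective value (first uncommented match).
sshd_opt() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blanks
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# sshd_set FILE KEYWORD VALUE: rewrite the first active KEYWORD line, or append
# one if the keyword is not set at all. Writes a temp copy, then renames it.
sshd_set() {
    tmp="$1.tmp.$$"
    awk -v key="$2" -v val="$3" '
        !done && !/^[ \t]*#/ && tolower($1) == tolower(key) {
            print key " " val; done = 1; next
        }
        { print }
        END { if (!done) print key " " val }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# sshd_report FILE: the settings worth checking before exposing sshd beyond
# the LAN (root login, password auth) plus the one this thread is about.
sshd_report() {
    for k in X11Forwarding PermitRootLogin PasswordAuthentication; do
        printf '%s=%s\n' "$k" "$(sshd_opt "$1" "$k")"
    done
}

sshd_set "$CFG" X11Forwarding yes      # the change Stephen describes
sshd_report "$CFG"
# On a real box: edit /etc/ssh/sshd_config, then /etc/init.d/ssh restart
```

Run against a copy of your own sshd_config to compare it with the one Stephen posted, as he suggests.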

firebyrd10
02-28-2004, 12:15 AM
No good. Could you give a step by step from the beginning? I really appreciate your help.

Stephen
02-28-2004, 01:24 AM
No good. Could you give a step by step from the beginning? I really appreciate your help.

I already have for a working ssh on the remote machine. You need to provide more information than "No good" for anyone to be able to help you with the problem; the error messages would be a good start, along with all the steps you have taken so far. A link below to help you in the effort.

http://www.catb.org/~esr/faqs/smart-questions.html

firebyrd10
02-28-2004, 02:53 AM
Well, first, when I followed your advice to change the X11 forward, it was already yes. So then I type ssh -X knoppix@192.168.1.106 into the local and I get something along the lines of it can't validate the key and it's using fake X11 info. Once I do connect I get a regular terminal screen. When I type in export Display=192.168.1.102:0.0 nothing happens, not even an error.

This is really bugging me.

I hope that's enough info.

Stephen
02-28-2004, 03:33 AM
Well, first, when I followed your advice to change the X11 forward, it was already yes. So then I type ssh -X knoppix@192.168.1.106 into the local and I get something along the lines of it can't validate the key and it's using fake X11 info. Once I do connect I get a regular terminal screen. When I type in export Display=192.168.1.102:0.0 nothing happens, not even an error.

This is really bugging me.

I hope that's enough info.

You do not need the export step; the -X in the connection command line is enough. Have you tried to run an X application remotely, say gvim, by just typing its name in the console window and seeing if it displays on your screen? That is better, but seeing the exact output is of more help than you paraphrasing it. Here is what the output of a typical command looks like, the version I am running, and the config file it used when I connected. It looks like yours should be working, but I do not get the "using fake info" message, so you may want to compare the two files and look for differences.



>$ ssh -X stephen@192.168.0.2
stephen@192.168.0.2's password:
Welcome to Knoppix (Kernel 2.4.22-xfs)

stephen@DocTux:~$ gvim
-bash: gvim: command not found
stephen@DocTux:~$ xinvaders
X connection to localhost:10.0 broken (explicit kill or server shutdown).
stephen@DocTux:~$ apt-cache policy ssh
ssh:
Installed: 1:3.6.1p2-12
Candidate: 1:3.6.1p2-12
Version Table:
*** 1:3.6.1p2-12 0
990 http://ftp.de.debian.org testing/main Packages
500 http://ftp.de.debian.org unstable/main Packages
100 /var/lib/dpkg/status
1:3.4p1-1.woody.3 0
500 http://security.debian.org stable/updates/main Packages
500 http://ftp.de.debian.org stable/main Packages
stephen@DocTux:~$ cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.38 2001/04/15 21:41:29 deraadt Exp $

# This sshd was compiled with PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin

# This is the sshd server system-wide configuration file. See sshd(8)
# for more information.

Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog no
KeepAlive yes

# Logging
SyslogFacility AUTH
LogLevel INFO
#obsoletes QuietMode and FascistLogging

RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
#
RSAAuthentication yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no

# Uncomment to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

# To change Kerberos options
# NB: Debian's ssh ships without Kerberos Support
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

#CheckMail yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes

Subsystem sftp /usr/lib/sftp-server

firebyrd10
02-28-2004, 05:07 AM
I've got the error that I'm getting when I try to connect.

No xauth data; using fake authentication data for X11 forwarding.

Although everything seems to be working fine now. Though konqueror does give me this error when starting up

Xlib: extension "XFree86-DRI" missing on display ":0.0".
libGL error: failed to open DRM: Operation not permitted
libGL error: reverting to (slow) indirect rendering
_KDE_IceTransmkdir: Owner of /tmp/.ICE-unix should be set to root
QPixmap: Cannot create a QPixmap when no GUI is being used
QPixmap: Cannot create a QPixmap when no GUI is being used
Xlib: extension "XFree86-DRI" missing on display ":0.0".
libGL error: failed to open DRM: Operation not permitted
libGL error: reverting to (slow) indirect rendering
QPixmap: Cannot create a QPixmap when no GUI is being used
QPixmap: Cannot create a QPixmap when no GUI is being used

though it seems to work without any problems.

Also, is there any way to transfer sound, or is that something I can't have?

Everything seems to be working just fine when I call it up; the only problem is even if I use -x it will still be called up. Oh well, I'll worry about that problem when it matters. Thank you Stephen for your help.

Stephen
02-28-2004, 05:43 AM
Also, is there any way to transfer sound, or is that something I can't have?

Everything seems to be working just fine when I call it up; the only problem is even if I use -x it will still be called up. Oh well, I'll worry about that problem when it matters. Thank you Stephen for your help.

You're welcome, and good to hear you got it going. I get close to the same thing here when I start konqueror and it works as you say; only worry about things when they cause you problems. There are always little warnings or output like that, and they do not seem to matter most of the time. For the sound, that is something I have never tried, although I would imagine there is some kind of network sound server out there somewhere; a quick search here comes up with rplay-server, which may be what you are looking for.



>$ apt-cache search network sound
librplay3 - Shared libraries for the rplay network audio system.
librplay3-dev - Development libraries for the rplay network audio system.
liby2 - Y Sound Server Library
linuxcookbook - Tips and techniques to help the busy modern computer user
npadmin - Query information from SNMP featured printer
quadra - multiplayer puzzle game
rplay - A fake transitional package.
rplay-client - The basic rplay clients.
rplay-contrib - Contributed binaries for the rplay network audio system.
rplay-perl - Perl modules for the rplay network audio system.
rplay-server - The rplay network audio system server.
lxdoom - Linux port of boom, an enhanced version of DOOM
speak-freely - Voice Communication Over Data Networks
ant-phone - An interactive ISDN telephone application
armagetron - 3D Tron-like high speed game
audiooss - transparent OSS emulation over NAS
freecraft - Realtime fantasy strategy game for Unix and X
gnome-audio - Audio files for Gnome
imaze-sounds - Multiplayer network maze game like MidiMaze
koules - Space action game for X11
lg-issue47 - Issue 47 of the Linux Gazette.
libmas-dev - Media Application Server development libraries
libmas0 - Media Application Server runtime libraries
libwine-nas - Windows Emulator (NAS Sound Module)
liby-dev - Y Sound Server Library Header Files
liby2-14 - Y Sound Server Library
mas-server - Media Application Server daemon
mas-utils - Media Application Server utilities
python1.5 - An interactive object-oriented scripting language (version 1.5)
sfront - MPEG 4 Structured Audio decoder.
xpilot-client-nas - Client (with nas sound support) for XPilot
yiff-server - Y Sound Server
asterisk - Open Source Private Branch Exchange (PBX)
fceu-doc - Documentation for FCE Ultra - a nintendo (8-bit) emulator
fceu-sdl - SDL version of FCE Ultra - a nintendo (8-bit) emulator
fceu-svga - Linux SVGALIB version of FCE Ultra - a nintendo (8-bit) emulator
gnome-applets - Various applets for GNOME 2 panel
python - An interactive high-level object-oriented language (default version)
python2.1 - An interactive high-level object-oriented language (version 2.1)
python2.2 - An interactive high-level object-oriented language (version 2.2)
python2.3 - An interactive high-level object-oriented language (version 2.3)
vlc-plugin-alsa - ALSA audio output plugin for VLC
vlc-plugin-arts - aRts audio output plugin for VLC
vlc-plugin-esd - Esound audio output plugin for VLC
realplayer - Real Player (installer)



>$ apt-cache show rplay-server
Package: rplay-server
Priority: optional
Section: sound
Installed-Size: 272
Maintainer: lantz moore <lmoore@debian.org>
Architecture: i386
Source: rplay
Version: 3.3.2-8
Replaces: rplay (<< 3.3.2-2)
Depends: libc6 (>= 2.2.4-4), libgsm1 (>= 1.0.10-11), librplay3 (>= 3.3.2-2)
Suggests: mpg123, vorbis-tools
Conflicts: rplay (<< 3.3.2-2)
Filename: pool/main/r/rplay/rplay-server_3.3.2-8_i386.deb
Size: 67028
MD5sum: 86e70d70d8fff1efeeeca5838f723ec9
Description: The rplay network audio system server.
This package contains the rplay server. The rplay server allows sounds
to be played on the system.
.
RPlay allows sounds to be played to and from local and remote Unix
systems. Sounds can be played with or without sending audio data over
the network using either UDP or TCP/IP. RPlay audio servers can be
configured to share sound files with each other.
.
Support for RPlay is included in several applications. These include
xpilot, xlockmore, xboing, fvwm, and ctwm.


>$ apt-cache policy rplay-server
rplay-server:
Installed: (none)
Candidate: 3.3.2-8
Version Table:
3.3.2-8 0
500 http://ftp2.de.debian.org stable/main Packages
990 http://ftp2.de.debian.org testing/main Packages
600 http://ftp2.de.debian.org unstable/main Packages