Linux and Secure Communications

Purpose


      The purpose of this page is threefold:


Secure Shell (SSH)


      Probably the most common encryption protocol (and the one we employ) is called secure shell, or ssh. It's most used as a substitute for telnet when the network it's being used over is connected to the "outside" world. The problem with telnet is that it transmits both username and password in plaintext. That is, it's possible to "listen in" on the communication and find out both the username and password, which can then be used to break in to a computer.

      What secure shell does is encrypts the entire communication, so that only the proper machine can decrypt the message to find out what it says. To everyone else, it's meaningless. This means that it is a safe way to send your username and password to the computer you want to connect to. There are different ways that secure shell encrypts the communication session. The most secure way uses a unique key pair for each person that you generate and then encode with a passphrase. The "public key" is placed on any remote computers that you wish to communicate with, and the "private key" is kept on your own computer. Even if you don't generate a key pair (or if you are using a computer different than the one with your private key is on) you can still use secure shell to safely connect to a remote computer; in this case the program asks for and then sends your password over the encrypted session. We'll see examples of this later.

      There are several different versions of secure shell for different operating systems. The Minnesota Supercomputing Institute has a nice webpage that has links to different download sites for versions of secure shell for unix, linux, windows, etc, as well as an explanation of why it's important to use. I would recommend putty for windows, since it's really easy to use. Just make sure you select "SSH", not "TELNET" on the first window it pops up (now the default, I think).

      For linux OpenSSH is available and most likely installed by default with all newer distributions.


Using SSH on Linux


      To generate your own unique key pair, execute the command ssh-keygen on your computer. Here's the output for when I tried this:

        [john@martin john]$ ssh-keygen
        Generating RSA keys: ............ooooooO.......ooooooO
        Key generation complete.

Just hit "return" here:

        Enter file in which to save the key (/home/john/.ssh/identity):

Now enter your secret passphrase, twice:

        Enter passphrase (empty for no passphrase):
        Enter same passphrase again:
        Your identification has been saved in /home/john/.ssh/identity.
        Your public key has been saved in /home/john/.ssh/identity.pub.

Notice the last line, the location of the public key. We'll need this later to put on remote computers we want to connect to.

      Once we have our key generated, the correct way to use it is to put your public key on a computer you want to be able to connect to. To do this from your linux computer, first connect the computer:

        [john@martin john]$ ssh gibbs
        john@martin.chem.umn.edu's password:

Notice that it asked me for my password, not passphrase- that's because I haven't put my key on the remote computer yet. Now that we're logged in, make a directory in your home directory called .ssh:

        [john@gibbs john]$ mkdir ~/.ssh
        [john@gibbs john]$ chmod 700 .ssh

Notice the period before the directory's name- that means it's "hidden" form normal sight (since you don't normally care about its existance. To see the difference, try these two commands:

        ls -l ~/
        ls -la ~/

Hidden directories hold important user information, but not things you want to be bothered with).

The chmod command is necessary to make the directory only readable to you, and no one else with an account on the computer. This is an added security precaution. Now go into that directory and put your public key there in a file called authorized_keys:

        [john@gibbs john]$ cd .ssh
        [john@gibbs .ssh]$ vi authorized_keys


Now paste in your public key from the computer you generated your key pair on. You could also use emacs or pico or whatever to edit the file and add your key. Once you're done, make sure to issue the following command:

        [john@gibbs .ssh]$ chmod 600 authorized_keys

This is for the same reason as before- secure shell won't recognize it as an acceptable key until it's unreadable by other users with the chmod command. Now logout, and try to log in again. If you did it correctly, you should see the following:

        [john@gibbs .ssh]$ logout
        Connection to gibbs.chem.umn.edu closed.

        [john@martin john]$ ssh gibbs
        Enter passphrase for RSA key 'john@martin.chem.umn.edu':

        [john@gibbs john]$

If you instead get asked for your password again, log in and make sure the directory .ssh and the file authorized_keys are correctly in place with the appropriate chmod executed on them. If your username is different on the machine you want to connect to, you must specify it with the "-l [username]" option:

        [john@martin john]$ ssh -l john gibbs

In this case it is not necessary since my username is the same, but it shows how to use the "-l" option. More information can be obtained from the manual page by typing

        [john@martin john]$ man ssh


Securely copying files with Linux


      Now we can log in safely, but what about transferring files? The more familiar program, ftp suffers from the same problems as telnet, that is, unsecurely sending username and password.

      There are several solutions to this problem, but the two that we use are scp and sftp. scp is nice in that it is "built-in" to secure shell- it is usually in the software package with secure shell. Note that this is not the case with the windows secure shell programs, but fortunately versions of both are available, pscp.exe from the same website as putty, and sftp for windows.

      Both scp and sftp are installed on all of our lab's computers, but only scp will be on other computers that you may use, and you will have to install sftp yourself in order to use it. The benefit to sftp is that it provides the sames features as ftp such as directory listings (ls) but over a safe connection. However, first we'll look at how to use the default, scp. The basic syntax for using scp is:

        scp [files to copy from] [files to copy to]

Whichever one of the objects (from or to) is on the remote computer has to have the additional information of your login name and the computer name. Thus, to put the file "test.f" from my current computer to my home directory on gibbs, I would type:

        [john@martin john]$ scp test.f john@gibbs:/home/john

this can even be simplified to:

        [john@martin john]$ scp test.f john@gibbs:

To get a file called "test_b.f" from my home directory in gibbs, I would type:

        [john@martin john]$ scp john@gibbs:test_b.f ./

Where the "./" signifies the directory I'm currently in as the place to put the file "test_b.f".

      To install sftp on a computer that doesn't have it, you need to get the source code from the developer's website, here.

The use of sftp is very similar to ssh (in fact it uses ssh to function). For example, to open a connection to gibbs, I would do the following:

        [john@martin john]$ sftp -l john gibbs
        Enter passphrase for RSA key 'john@martin.chem.umn.edu':

        sftp> help

will print out a list of commands and their usage. The "-l [username]" is used exactly the same as above. To put our file "test.f" onto gibbs, we would type:

        sftp> put test.f

To get our file "test_b.f" from gibbs, we would type:

        sftp> get test_b.f

As always, more information on use can be found in the manual page by typing

        [john@martin john]$ man sftp

Since there are alot of reasons why something might not work, one good thing to do is trial and error with variants on the commands found in the manual page. This usually works.


Links of Interest


Linux Security


Pretty Good Privacy Encryption