Document: Chapter 24, Basic network access: clients (from The Complete FreeBSD)


DOCUMENT INFORMATION

Basic information

Title: Basic network access: clients
Type: Chapter
Year of publication: 2003
Pages: 29
Size: 321.31 KB


Contents



Basic network access: clients

Finally we have set up the network connections, and everything is working. What can we do with the network? In this part of the book, we'll take a look at some of the more important services that make up the application layer.

The Internet protocols perform most services with a pair of processes: a client at one end of the link that actively asks for services, and a server at the other end of the link that responds to requests and performs the requested activity. These terms are also used to describe computer systems, but here we're talking about processes, not systems. In this chapter, we'll look at the client side of things, and in Chapter 25, Basic network access: servers, we'll look at the corresponding servers.

Probably the single most important network service is the Hypertext Transfer Protocol or HTTP, the service that web browsers use to access the Web. We'll look at web browsers in the next section.

The next most important service is probably the Simple Mail Transfer Protocol or SMTP, the primary service for sending mail round the Internet. There's also the Post Office Protocol or POP, used by machines that don't run an SMTP server of their own to fetch their mail from a mailbox on one that does. This topic is so important that we'll devote Chapters 26 and 27 to it.

The Complete FreeBSD, page 416

To use a remote machine effectively, you need better access than such specialized servers can give you. The most powerful access is obviously when you can execute a shell on the remote machine; that gives you effectively the same control over the machine as you have over your local machine. A number of services are available to do this. In the olden days, you would use telnet or rlogin to log into another machine. These programs are still with us, but they send everything, including your password, across the network in the clear, which makes them effectively useless outside a trusted local network. We'll look at them briefly on page 428.

The preferred replacement is ssh, which stands for secure shell. In fact, it's not a shell at all, it's a service to communicate with a remote shell. It encrypts the data sent over the network, thus making it more difficult for crackers to abuse. We'll look at it in detail on page 417.

Another important service is the ability to move data from one system to another. There are a number of ways of doing this. The oldest programs are rcp and ftp. These programs have the same security concerns as telnet and rlogin, though ftp still has some uses. More modern copying programs use scp, which is based on ssh. We'll look at file copy programs on page 429. In addition, rsync is a useful program for maintaining identical copies of files on different systems. We'll look at it on page 435.

A somewhat different approach is the Network File System or NFS, which mounts file systems from another machine as if they were local. We'll look at NFS clients on page 438.

The World Wide Web

For the vast majority of the public, the Internet and the World Wide Web are the same thing. FreeBSD is an important contender in this area. Some of the world's largest web sites, including Yahoo! (http://www.yahoo.com/), run FreeBSD. Even Microsoft runs FreeBSD on its Hotmail service (http://www.hotmail.com/), though they have frequently denied it, and for image reasons they are moving to their own software.

Web browsers

A web browser is a program that retrieves documents from the Web and displays them.

The base FreeBSD system does not include a web browser, but a large number are available in the Ports Collection. All web browsers seem to have one thing in common: they are buggy. They frequently crash when presented with web pages designed for Microsoft, and in other cases they don't display the page correctly. In many cases this is due to poorly designed web pages, of course.

Currently, the most important web browsers are:

• netscape was once the only game in town, but it's now showing its age. In addition, many web sites only test their software with Microsoft, and their bugs cause problems with netscape.

• mozilla is derived from the same sources as netscape, but comes in source form. It has now reached the stage where it is less buggy than netscape. A number of other browsers, such as galeon and skipstone, are based on mozilla. They're all available in the Ports Collection. galeon is included in the instant-workstation port described in Chapter 6.

• konqueror is included with the KDE port.

• Opera is a new browser that some people like. The version in the Ports Collection is free, but it makes up for it by giving you even more advertisements than the web pages give you anyway. You can buy a version that doesn't display the advertisements.

• lynx is a web browser for people who don't use X. It displays text only.

You may note two omissions from this list. Microsoft's Internet Explorer is not available for FreeBSD. Not many people have missed it. Also, mosaic, the original web browser, is now completely obsolete, and it has been removed from the Ports Collection.

In addition to these browsers, StarOffice and OpenOffice include integrated browsers. You may find you prefer them.

This book does not deal with how to use a web browser: just about everybody knows how to use one. You can also get help from just about any browser; just click on the text or icon marked Help or ?.

ssh

ssh is a secure shell, a means of executing programs remotely using encrypted data transfers. There are a number of different implementations of ssh: there are two different protocols, and the implementations are complicated both by bugs and license conditions. FreeBSD comes with an implementation of ssh called OpenSSH, originally developed as part of the OpenBSD project.

Of the two protocols, only Version 2 matters today: Version 1 has known cryptographic weaknesses, and current OpenSSH releases no longer support it at all. Treat what this chapter says about protocol 1 and RSA1 keys as historical background.

Using ssh is simple:

$ ssh freebie
The authenticity of host 'freebie.example.org (223.147.37.1)' can't be established.
DSA key fingerprint is 08:f7:c4:14:48:0b:14:06:0e:2c:93:4b:1f:f6:ce:b5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'freebie.example.org' (DSA) to the list of known hosts.
grog@freebie.example.org's password:   (as usual, doesn't echo)
Last login: Mon May 13 14:21:11 2002
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.

FreeBSD 5.0-RELEASE (FREEBIE) #3: Sun Jan  5 13:25:02 CST 2003

It's worth looking in more detail at how the connection is established:

• The first line (The authenticity...) appears once ssh has established preliminary contact with the remote system. It indicates that you're connected, but that the local system has no information about the remote system. Theoretically you could be connected to a different machine masquerading as the machine you want to connect to. The only defence at this point is to compare the fingerprint shown with one you obtained some other way, for example from the machine's administrator, or by running ssh-keygen -l on its host key file while logged in at its console, before you answer yes. Once you accept it, ssh saves the host key in ~/.ssh/known_hosts and checks it every time you connect to that machine thereafter.

• The reference to DSA keys indicates that ssh is using the ssh Version 2 protocol. We'll look at the differences between the protocols below.

• The password prompt is for the same password as you would see locally. The slightly different format is to clarify exactly which password you should enter. Again, a number of exploits are possible where you might find yourself giving away a password to an intruder, so this caution is justified.

When you log in via ssh, there's a chance that your TERM environment variable is set incorrectly. See table 7-3 on page 130 for more details. Remember that TERM describes the display at your end of the link. There is no display at the other end, but the other end needs to know the termcap parameters for your display. If you're running an xterm, this shouldn't be a problem: the name xterm propagates to the other end. If you're using a character-oriented display (/dev/ttyvx), however, your TERM variable is probably set to cons25, which many systems don't know. If you have problems where systems refuse to start full-screen modes when you connect from a virtual terminal, try setting the TERM variable to ansi.

To exit ssh, just log out. If you run into problems, however, like a hung network, you can also type the escape sequence Enter ~ . (a tilde followed by a period at the start of a line), which always drops the connection. Enter ~ ? lists the other escape commands ssh understands.

Access without a password

Sending passwords across the Net, even over an encrypted connection, is not a complete guarantee that nobody else can get in: a password can be guessed or brute-forced, and a machine masquerading as the one you wanted to talk to can simply collect it. To address this issue, ssh has an access method that doesn't require passwords: instead it uses a technique called public key cryptography. You have two keys, one of which you can give away freely (the public key), and the other of which you guard carefully (the private key). With RSA you can encrypt or decrypt with either key: data encrypted with the public key can be decrypted with the private key, and data encrypted with the private key can be decrypted with the public key. More generally, whatever the algorithm, only the holder of the private key can produce a signature that the public key verifies.

Once you have these keys in place, ssh uses them to prove your identity. To initiate an ssh connection, ssh sends your public key to the sshd process on the remote system. The remote system must already have a copy of this key. With protocol Version 1 it uses the key to encrypt a random number, a challenge, which it sends back to your system; the ssh process on your system decrypts it with your private key, which is not stored anywhere else, and sends proof of the decrypted value back to the remote sshd. With protocol Version 2 the roles are reversed: your ssh signs a value bound to this particular session with the private key, and sshd verifies the signature with the public key. Either way, only your system can answer correctly, so this is evidence to the remote sshd that it's really you, and your private key never leaves your machine.

By default, the private key for Version 1 of the protocol is stored in the file ~/.ssh/identity, and the public key is stored in the file ~/.ssh/identity.pub. For Version 2, you have a choice of two different schemes, DSA and RSA. The corresponding private and public keys are stored in the files ~/.ssh/id_dsa, ~/.ssh/id_dsa.pub, ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub respectively. At the time of writing, DSA keys were considered somewhat more secure, and the advice was to prefer them while keeping an RSA key pair for systems that didn't support DSA. That advice has since reversed: ssh DSA keys are fixed at 1024 bits, and OpenSSH has disabled them by default since release 7.0 (2015). Today you should generate an RSA key of at least 2048 bits (ssh-keygen -t rsa -b 2048) or an Ed25519 key (ssh-keygen -t ed25519), and leave DSA alone.

There's still an issue of unauthorized local access, of course. To ensure that somebody doesn't compromise one system and then use it to compromise others, you need a kind of password for your private keys. To avoid confusion, ssh refers to it as a passphrase. If ssh finds keys in the ~/.ssh directory, it attempts to use them:

$ ssh hub

Enter passphrase for key '/home/grog/.ssh/id_rsa': (no echo)

Last login: Sat Jul 13 17:27:33 2002 from wantadilla.lemis

Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994

        The Regents of the University of California.  All rights reserved.

FreeBSD 5.0-STABLE (HUB) #7: Thu Jun 26 12:44:34 PDT 2003

(etc)

Creating and distributing keys

You create keys with the program ssh-keygen. Here's an example of generating all three keys:

$ ssh-keygen -t rsa1

Generating public/private rsa1 key pair.

Enter file in which to save the key (/home/grog/.ssh/identity): (ENTER pressed)

Enter passphrase (empty for no passphrase): (no echo)

Enter same passphrase again: (no echo)

Your identification has been saved in /home/grog/.ssh/identity.

Your public key has been saved in /home/grog/.ssh/identity.pub.

The key fingerprint is:

02:20:1d:50:78:c5:7c:56:7b:1d:e3:54:02:2c:99:76 grog@bumble.example.org

$ ssh-keygen -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/home/grog/.ssh/id_rsa): (ENTER pressed)

Enter passphrase (empty for no passphrase): (no echo)

Enter same passphrase again: (no echo)

Your identification has been saved in /home/grog/.ssh/id_rsa.

Your public key has been saved in /home/grog/.ssh/id_rsa.pub.

The key fingerprint is:

95:d5:01:ca:90:04:7d:84:f6:00:32:7a:ea:a6:57:2d grog@bumble.example.org

$ ssh-keygen -t dsa

Generating public/private dsa key pair.

Enter file in which to save the key (/home/grog/.ssh/id_dsa): (ENTER pressed)

Enter passphrase (empty for no passphrase): (no echo)

Enter same passphrase again: (no echo)

Your identification has been saved in /home/grog/.ssh/id_dsa.

Your public key has been saved in /home/grog/.ssh/id_dsa.pub.

The key fingerprint is:

53:53:af:22:87:07:10:e4:5a:2c:21:31:ec:29:1c:5f grog@bumble.example.org

netclient.mm,v v4.12 (2003/04/02 03:42:50)

Before you can use these keys, you need to get the public keys on the remote site in the file ~/.ssh/authorized_keys. Older versions of ssh used a second file, ~/.ssh/authorized_keys2, for protocol Version 2, but modern versions store all the keys in the one file ~/.ssh/authorized_keys. There are a number of ways to get the keys in these files. If you already have access to the machine (via password-based authentication, for example), you can put them there yourself. Typically, though, you'll have to get somebody else involved. To make it easier, the public keys are in ASCII, so you can send them by mail. The three public keys generated above look like this:

1024 35 110124284274274803345449823866822541230657845052040622116567329320646019955675122355303533111871087331545657731342576330585478662959267146045449332197956451897683927631476817528590966739503979593649232357835172621038275643667609041147564331721692291413130012157442638303275673247163400686283060339457790686649 grog@bumble.example.org

ssh-dss AAAAB3NzaC1kc3MAAACBAIltWeRXnqD9HqOLn5kugPSWHicJiu1r0I9dHg8F5m2PpmupyRYSmDzscAcsxifo50+1yXk3Vf4P1+EDsAwkyqFlujuMVeKoTYcOi1yrnLDWIDiAeIzt1BQ6ONwbXqxwWKCq1eo1tXxOrTxw84VboHUuq4XFdt+yPJs8QdxLhj+jAAAAFQC1JL+tU19+UR+c45JGom6ae29d7wAAAIAvNgdN6rTitMjDCglN7Rq3/8WgI1kzh20XURbCe1n2yYsFifcImKb0sUYD2qsB5++gogzsse2IxyIECRCuyCOOFXIQ7WqkvjTp/T+fuwGPIlho8eeNDRKKABUhHjkuApnoYLIC1O5uyciJ+dIbGaRtGFJr0da7KlkjOLkiv3sR1gAAAIAwgKfWsRSQJyRZTkKGIHxn3EWTvSicnIRYza+HTaMuMFHMTkNMZBjhei6EoCFpV9B1QB9MlIZgf6WXM2DlmtdUbpm7KFA669/LZT2LvxbtGP/B++7s0PMs0AgKrKgUxnhVweufMZlPvPPPOz4QS1ZZ5kYhN+lu0S8yuioXYNlDtA== grog@bumble.example.org

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA1/W3oa1ZEs58KRWMzsrZWMXzPfwoqQ+Z59p6SJlzhevsXG1PAVWra2wcRz1utKFBjkDpJfEe+09L7h8VAx1aYCHji50tKI8F8YT8OuWGH+UqF/37Wl292SsXsb8g80yyymSfxgOM/HegvOuHQu46MfaPj9ddfcgY06z3ufcmXts= grog@bumble.example.org

Each key occupies a single line, however long. A key that a mail program has folded across several lines will not be recognized, so rejoin it before installing it.

Obviously you don't want anybody messing with your authorized_keys files, so sshd (with its default StrictModes setting) refuses to use them unless the file, the ~/.ssh directory and your home directory belong to you and are writable only by you. These files typically contain multiple keys; to add a new one, just append it to the end of the file. Do check first that the key really comes from its owner, for example by comparing its fingerprint (ssh-keygen -l -f newkey) with one the sender gives you by some other route: whoever holds the private half of any key in this file can log in as you. For example, if you receive a new key and store it in the file newkey, copy it like this:

$ cat newkey >> ~/.ssh/authorized_keys
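The bare cat above neither checks what it appends nor notices that the key is already there, and it leaves the file modes alone. The following is an added example, not code from the book: a small sh replacement that validates each line as an OpenSSH public key, skips duplicates (comparing key type and key material, not the comment), and sets the modes that sshd's StrictModes and ssh's own private-key check insist on. The function names, the KEY_TYPES list and the sample key file are my own; the key material in the sample is truncated from the chapter's keys and is not a real key. The check_ssh_perms function also covers the permission rules summarized later in this chapter.

```shell
# Added example, not from the book: a safer replacement for
#   cat newkey >> ~/.ssh/authorized_keys
# It rejects lines that are not public keys, refuses to add a key that is
# already present (ignoring the trailing comment), and leaves ~/.ssh and
# authorized_keys with modes sshd's StrictModes accepts.
# Assumption: only the two protocol 2 formats shown in the chapter,
# ssh-rsa and ssh-dss, are accepted; extend KEY_TYPES for others.
KEY_TYPES='ssh-rsa|ssh-dss'

# valid_pubkey LINE -> 0 if LINE looks like "<type> <base64> [comment]"
valid_pubkey() {
    printf '%s\n' "$1" | grep -Eq "^($KEY_TYPES) [A-Za-z0-9+/]+={0,2}( .*)?$"
}

# install_pubkeys SSHDIR KEYFILE -> appends every new, well-formed key in
# KEYFILE to SSHDIR/authorized_keys and prints how many were added.
install_pubkeys() {
    dir=$1 keyfile=$2
    auth=$dir/authorized_keys
    added=0
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth"
    while IFS= read -r line || [ -n "$line" ]; do
        if ! valid_pubkey "$line"; then
            printf 'skipping malformed line: %s\n' "$line" >&2
            continue
        fi
        # type and key material identify a key; the comment is free text
        keybody=$(printf '%s\n' "$line" | cut -d' ' -f1,2)
        if cut -d' ' -f1,2 "$auth" | grep -Fxq "$keybody"; then
            printf 'already present: %s\n' "${line##* }" >&2
            continue
        fi
        printf '%s\n' "$line" >> "$auth"
        added=$((added + 1))
    done < "$keyfile"
    echo "$added"
}

# check_ssh_perms SSHDIR -> 0 if the modes are ones ssh and sshd accept.
# Private keys must be unreadable by anyone else; the directory and
# authorized_keys must not be group- or world-writable. (sshd also checks
# the home directory itself, which this function does not look at.)
check_ssh_perms() {
    dir=$1 rc=0
    for f in "$dir" "$dir"/authorized_keys "$dir"/identity "$dir"/id_rsa "$dir"/id_dsa; do
        [ -e "$f" ] || continue
        mode=$(ls -ld "$f" | cut -c2-10)      # rwxrwxrwx string, type char dropped
        case "$f" in
        */identity|*/id_rsa|*/id_dsa)
            case "$mode" in
            ???------) ;;
            *) echo "$f: mode $mode, private keys should be 0600" >&2; rc=1 ;;
            esac ;;
        *)
            case "$mode" in
            ????-??-?) ;;
            *) echo "$f: mode $mode, must not be group/world writable" >&2; rc=1 ;;
            esac ;;
        esac
    done
    return $rc
}

# Constructed demo data: truncated key material, not real keys.
DEMO=$(mktemp -d)
cat > "$DEMO/newkeys" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA1/W3oa1ZEs58KRWMzsrZWMXzPfwoqQ+Z59p6SJlz grog@bumble.example.org
this line arrived mangled by a mail client
ssh-dss AAAAB3NzaC1kc3MAAACBAIltWeRXnqD9HqOLn5kugPSWHicJiu1r0I9dHg8F5m2Ppmu grog@bumble.example.org
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA1/W3oa1ZEs58KRWMzsrZWMXzPfwoqQ+Z59p6SJlz same-key-other-comment
EOF
install_pubkeys "$DEMO/.ssh" "$DEMO/newkeys"     # prints 2
check_ssh_perms "$DEMO/.ssh" && echo "permissions OK"
```

Run it as is to see the two good keys installed and the mangled and duplicate lines reported on stderr; to use it for real, point install_pubkeys at ~/.ssh and the file you received.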

Authenticating automatically

Having to supply the passphrase can become a nuisance and even a serious problem. If you want to run ssh from scripts, it may not even be possible to supply the passphrase. ssh has another feature available here: it has an authentication agent that keeps track of the keys.

The authentication agent is called ssh-agent, and you add keys with ssh-add. ssh and ssh-add find the agent through the environment variables SSH_AUTH_SOCK and SSH_AGENT_PID, which ssh-agent prints as shell commands when it starts. If you simply run it, those commands are printed but never executed, so the shell you are running, and the ssh-add command, never learn where the agent is, and you see error messages like this:

$ ssh-agent

SSH_AUTH_SOCK=/tmp/ssh-cwT9aBbV/agent.42902; export SSH_AUTH_SOCK;

SSH_AGENT_PID=42903; export SSH_AGENT_PID;

echo Agent pid 42903;

$ ssh-add

Could not open a connection to your authentication agent.

To solve this problem, execute the agent in your current environment with eval, then run ssh-add:

$ eval `ssh-agent`
$ ssh-add
Enter passphrase for /home/grog/.ssh/id_rsa: (enter the passphrase)

Identity added: /home/grog/.ssh/id_rsa (/home/grog/.ssh/id_rsa)

Identity added: /home/grog/.ssh/id_dsa (/home/grog/.ssh/id_dsa)

Identity added: /home/grog/.ssh/identity (grog@zaphod.example.org)

You can use ssh-add's -l flag to list which keys the authentication agent currently knows about:

$ ssh-add -l

1024 02:20:1d:50:78:c5:7c:56:7b:1d:e3:54:02:2c:99:76 grog@zaphod.example.org (RSA1)

1024 95:d5:01:ca:90:04:7d:84:f6:00:32:7a:ea:a6:57:2d /home/grog/.ssh/id_rsa (RSA)

1024 53:53:af:22:87:07:10:e4:5a:2c:21:31:ec:29:1c:5f /home/grog/.ssh/id_dsa (DSA)

If you're using a Bourne-style shell such as bash, you can automate a lot of this by putting the following commands in your .bashrc or .profile file:

This first uses the tty command to check whether this is an interactive shell, then checks whether you already have an authentication agent. If it doesn't find one, it starts one. Don't start a new authentication agent if you already have one: you'd lose any keys that the agent already knows. This script doesn't add keys, because this requires your intervention and could be annoying if you had to do it every time you start a shell.

Setting up X to use ssh

If you work with X, you have the opportunity to start a large number of concurrent ssh sessions. It would be annoying to have to enter passphrases for each session, so there's an alternative method: start X with an ssh-agent, and it will pass the information on to any xterms that it starts. Add the following commands to your .xinitrc:

eval `ssh-agent`
ssh-add < /dev/null

When you run ssh-add in this manner, without an input file, it runs a program to prompt for the passphrase. By default it's /usr/X11R6/bin/ssh-askpass, but you can change it by setting the SSH_ASKPASS environment variable. /usr/X11R6/bin/ssh-askpass opens a window and prompts for a passphrase. From then on, anything started under the X session will automatically inherit the keys.


ssh tunnels

Tunneling is a technique for encapsulating an IP connection inside another IP connection. Why would you want to do that? One reason is to add encryption to an otherwise unencrypted connection, such as telnet or POP. Another is to get access to a service on a system that does not generally supply this service to the Internet.

Let's consider using http first. Assume you are travelling, and you want to access your private web server back home. Normally a connection to the http port of presto.example.org might have the following parameters:

[Figure: direct connection. Your machine, port 9132, to presto, IP 223.147.37.2, port 80 (http).]

But what if the server is firewalled from the global Internet, so you can't access it directly? That's when you need the ssh tunnel. The ssh tunnel creates a local connection at each end and a separate secure connection across the Internet:

[Figure: tunnelled connection. On your machine (150.101.248.57) a local connection to 127.1 port 4096, an ssh connection across the Internet to port 22 (ssh) on presto, and on presto a local connection from sshd to 127.1 port 80 (http).]

The ssh connection across the Internet looks just like any other ssh connection. The difference is the local connections at each end: instead of talking to presto port 80 (http), you talk to port 4096 on your local machine. Why 4096? It's your choice; you can use any port above 1024 that nothing else is using (ports below 1024 need root). By default the listening end is bound to the loopback address only, so other machines on your network cannot use your tunnel unless you ask for that explicitly with the GatewayPorts option. If you're on andante, you can set up this tunnel with the command:

$ ssh -L 4096:presto.example.org:80 presto.example.org

To do the same thing from the presto end, you'd set up a reverse tunnel with the -R option:

$ ssh -R 4096:presto.example.org:80 andante.example.org

These commands both set up a tunnel from port 4096 on andante to port 80 on the host presto.example.org. You still need to supply the name of the system to connect to; it doesn't have to be the same. For example, you might not be able to log in to the web server, but you could access your machine back home, and it has access to the web server. In this case, you could connect to your machine at home:

$ ssh -L 4096:presto.example.org:80 freebie.example.org

Note that in this case only the leg across the Internet is encrypted: the connection from freebie to presto is ordinary unencrypted http on your home network.

In addition to setting up the tunnel, ssh creates a normal interactive session. If you don't want this, you can use the -f option to tell ssh to go into the background after authentication. You also need a command to execute; in case of doubt, use sleep, which simply sleeps for a specified time. If this is what you want to do, you could enter a command like:

$ ssh -L 4096:presto.example.org:80 presto.example.org -f sleep 3600

The command sleep 3600 suspends execution for an hour (3600 seconds) and then exits. At this point, your tunnel also shuts down, so you should choose the time to be long enough. Alternatively, the -N option tells ssh not to run any remote command at all, so ssh -f -N -L 4096:presto.example.org:80 presto.example.org keeps the tunnel up until you kill that ssh process.

Tunneling X

Running X clients on the remote machine is special enough that ssh provides a special form of tunneling to deal with it. To use it, you must tell ssh the location of an .Xauthority file. Do this by adding the following line to the file ~/.ssh/environment:

XAUTHORITY=/home/yourname/.Xauthority

The name must be in fully qualified form: ssh does not understand the shortcut ~/ to represent your home directory. You don't need to create ~/.Xauthority, though: ssh can do that for you. Current versions of sshd ignore ~/.ssh/environment unless the server's sshd_config contains PermitUserEnvironment yes; with them you normally don't need the file at all, because sshd sets up the xauth data for the forwarded display itself.

Once you have this in place, you can set up X tunneling in two different ways. To start it from the command line, enter something like:

$ ssh -X -f website xterm

As before, the -f option tells ssh to go into the background. The -X option specifies X tunneling, and ssh runs an xterm on the remote machine website, whose window appears on your local display. On the remote side, the DISPLAY environment variable points to a proxy display on the remote machine's loopback interface, which sshd forwards back through the secure channel:

$ echo $DISPLAY
localhost:13.1

Be aware that X forwarding gives the X clients on the remote machine, and anybody who has compromised that machine, access to your display. OpenSSH versions from 3.8 on therefore treat -X forwarding as untrusted by default (some vendors change that default), and only -Y, or ForwardX11Trusted yes, grants full access.

Other uses of tunnels

Tunneling has many other uses. Another interesting one is bridging networks. For example, http://unix.za.net/gateway/documentation/networking/vpn/fbsd.html describes how to set up a VPN (Virtual Private Network) using User PPP and an ssh tunnel.

Configuring ssh

It can be a bit of a nuisance to have to supply all these parameters to ssh, but you don't have to: you can supply information for frequently accessed hosts in a configuration file.

On startup, ssh checks for configuration information in a number of places. It checks first the command-line options, then your configuration file ~/.ssh/config, and finally the system-wide configuration file /etc/ssh/ssh_config. The way it treats duplicate information is pretty much the opposite of what you'd expect: unlike most other programs, options found in a configuration file read in later do not replace the options found in an earlier file. The first value obtained for an option is the one used, so within ~/.ssh/config the host-specific entries must come before any general ones. Options on the command line replace those given in configuration files.

In practice, such conflicts happen less often than you might expect. The file /etc/ssh/ssh_config, the main configuration file for the system, normally contains only comments, and by default you don't even get a local ~/.ssh/config.

ssh_config can contain a large number of options. They're all described in the man page ssh_config(5), but it's worth looking at some of the more common ones. In this section we'll look at some of the more common configuration options.

• The entry Host is special: the options that follow, up to the end of the file or the next following Host entry, relate only to hosts that match the arguments on the Host line.

• Optionally, ssh can compress the data streams. This can save a lot of traffic, but it can also increase CPU usage, so by default it is disabled. You can enable it by passing the -C flag to ssh, but you can also do so by setting Compression yes in the configuration file.

• You can escape out of an ssh session to issue commands to ssh with the EscapeChar. By default it's the tilde character, ~. Other programs, notably rlogin, use this character as well, so you may want to change it. You can set this value from the ssh command line with the -e option.

• To forward an X11 connection, as shown above, you can also set the ForwardX11 variable to yes. This may be useful if you frequently access a remote machine and require X forwarding. This also sets the DISPLAY environment variable correctly to go over the secure channel.

• By default, ssh sends regular messages to the remote sshd server to check if the remote system has gone down. This can cause connections to be dropped on a flaky connection. Set the KeepAlive option to no to disable this behaviour. (Newer OpenSSH versions spell this option TCPKeepAlive; the separate ServerAliveInterval option does the same job inside the encrypted channel.)

• Use the LocalForward parameter to set up a tunnel. The syntax is similar to that of the -L option above: on andante, instead of the command line:

$ ssh -L 4096:presto.example.org:80 presto.example.org

you would put the following in your ~/.ssh/config:

host presto.example.org
LocalForward 4096 presto.example.org:80


• Similarly, you can set up a reverse tunnel with the RemoteForward parameter. On presto, instead of the command line:

$ ssh -R 4096:presto.example.org:80 andante.example.org

you would put the following in your ~/.ssh/config:

host andante.example.org
RemoteForward 4096 presto.example.org:80

• By default, ssh uses password authentication if it can't negotiate a key pair. Set PasswordAuthentication to no if you don't want this. For hosts you only ever reach with keys this is a worthwhile precaution: a server impersonating them can then not trick you into typing your password.

• Normally ssh connects to the server on port 22 (ssh). If the remote server uses a different port, specify it with the Port keyword. You can also use the -p option on the ssh command line.

• By default, ssh attempts to connect using protocol 2, and if that doesn't work, it tries to connect using protocol 1. You can override this default with the Protocol keyword. For example, to reverse the default and try first protocol 1, then protocol 2, you would write:

Protocol 1,2

Don't do this: protocol 1 is the weaker of the two, and a hostile network can make the protocol 2 attempt fail on purpose. Protocol 2 is also the only protocol current OpenSSH clients still support, so on an old system the only sensible setting is Protocol 2.

• By default, ssh refuses to connect to a known host if its key fingerprint changes, and prints a warning like this:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the DSA host key has just been changed.
The fingerprint for the DSA key sent by the remote host is
95:80:4c:fb:cc:96:1b:36:c5:c9:2b:cb:d1:d4:16:68.
Please contact your system administrator.
Add correct host key in /home/grog/.ssh/known_hosts2 to get rid of this message.
Offending key in /home/grog/.ssh/known_hosts2:39

Instead, you must manually remove the entry for the system from the ~/.ssh/known_hosts or ~/.ssh/known_hosts2 file. This can indicate that somebody is faking the remote machine, but more often it's because the remote machine has really changed its host key, which some badly set up systems do at every reboot. If this gets on your nerves, you can add this line to your configuration file:

StrictHostKeyChecking no

Think twice before doing so: it disables the only check that protects you against a man-in-the-middle attack, and is only defensible for a host whose key genuinely changes at every boot and to which you never send anything valuable.

• ssh assumes that your user name on the remote system is the same as the name on the local system. If that's not the case, you can use the User keyword to specify the remote user name. Alternatively, you can use the format:

$ ssh newuser@remotehost.org
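The "first value obtained wins" rule above is the one that catches people out: a Host * block placed before a host-specific block silently overrides it. The following is an added example, not code from the book or from OpenSSH: a small sh/awk resolver that answers "which value of this keyword will ssh use for this host?" from an ssh_config-style file, applying exactly that rule. The function name ssh_option and the sample configuration are my own constructions, and only the Host keyword with * wildcards is understood (no ? patterns, negation or Match blocks).

```shell
# Added example, not from the book: resolve an ssh_config option for a host
# the way ssh does: the first obtained value wins, so host-specific blocks
# must come before the catch-all "Host *". Assumptions: only "Host" with '*'
# wildcards is handled; the configuration below is constructed for the demo.

SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
# Host-specific blocks first: ssh keeps the first value it finds.
Host presto.example.org
    LocalForward 4096 presto.example.org:80
    ForwardX11 no

host andante.example.org
    RemoteForward 4096 presto.example.org:80

# Catch-all last: anything here only applies if no earlier block set it.
Host *
    ForwardX11 yes
    Compression yes
    StrictHostKeyChecking ask
EOF

# ssh_option CONFIG HOST KEYWORD -> prints the effective value, or nothing
ssh_option() {
    awk -v host="$2" -v want="$3" '
        # turn an ssh host pattern into an anchored regular expression
        function matches(pat,    re) {
            re = pat
            gsub(/\./, "\\\\.", re)
            gsub(/\*/, ".*", re)
            return host ~ ("^" re "$")
        }
        BEGIN { active = 1 }                 # options before any Host line are global
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        tolower($1) == "host" {              # new block: active if any pattern matches
            active = 0
            for (i = 2; i <= NF; i++) if (matches($i)) active = 1
            next
        }
        active && !found && tolower($1) == tolower(want) {
            found = 1                        # first obtained value wins
            $1 = ""
            sub(/^[ \t]+/, "")
            print
        }
    ' "$1"
}

ssh_option "$SAMPLE_CONFIG" presto.example.org ForwardX11   # no, from its own block
ssh_option "$SAMPLE_CONFIG" hub.example.org ForwardX11      # yes, from Host *
```

Swap the order of the two blocks in the sample and presto.example.org gets ForwardX11 yes: that is the behaviour the text warns about, and the reason to keep Host * at the end of ~/.ssh/config.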

Summary of files in ~/.ssh

In addition to the files we have discussed, you will find two other files in the ~/.ssh directory:

• known_hosts contains the public host keys (from which the fingerprints are computed) of all hosts to which you have connected. The example on page 417 shows how ssh adds a key.

• random_seed is a seed used to generate the keys. Only older ssh implementations create it; OpenSSH takes its randomness from the system instead.

In summary, then, you can expect the following files in your ~/.ssh:

-rw-r--r--  1 grog  grog  1705 Oct 26  1999 authorized_keys      keys
-rw-r--r--  1 grog  grog   844 Jan 27 22:18 authorized_keys2     keys, Version 2 only
-rw-r--r--  1 grog  grog    25 Oct 20 01:35 environment          environment for sshd
-rw-------  1 grog  grog   736 Jul 19 15:40 id_dsa               DSA private key
-rw-r--r--  1 grog  grog   611 Jul 19 15:40 id_dsa.pub           DSA public key
-rw-------  1 grog  grog   951 Jul 19 15:40 id_rsa               RSA private key
-rw-r--r--  1 grog  grog   231 Jul 19 15:40 id_rsa.pub           RSA public key
-rw-------  1 grog  grog   536 Jul 19 15:39 identity             RSA1 private key
-rw-r--r--  1 grog  grog   340 Jul 19 15:39 identity.pub         RSA1 public key
-rw-------  1 grog  grog  1000 Jul 25  1999 known_hosts          list of known hosts
-rw-------  1 grog  grog   512 Jul 25  1999 random_seed          for key generation

Note particularly the permissions and the ownership of the files. The private keys must be readable by you alone (mode 0600): ssh refuses to use a private key that other users can read. The ~/.ssh directory (mode 0700) and authorized_keys must not be writable by anybody else, or sshd at the other end ignores your keys. If they are wrong, ssh won't work, and it won't tell you why not, so check them first whenever key authentication unexpectedly falls back to a password prompt.

Troubleshooting ssh connections

A surprising number of things can go wrong with setting up ssh connections. Here are some of the more common ones:

• After some delay, you get the message:

ssh: connect to address 223.147.37.76 port 22: Operation timed out

This probably means that the remote host is down, that you can't reach it due to network problems, or that a firewall in between silently drops packets to port 22.

• You get the message:

ssh: connect to address 223.147.37.65 port 22: Connection refused

This means that the remote host is up, but nothing is listening on port 22: sshd isn't running, or it listens on another port (try -p), or a firewall is actively rejecting the connection.

• You have set up keys, but you still get a message asking for a password.

This can mean a number of things: your ssh-agent isn't running, you haven't added the keys, the other end can't find them, or the security on the keys at the other end is incorrect. You can check the first two like this:

$ ssh-add -l
Could not open a connection to your authentication agent.

This means that you haven't run ssh-agent. Do it like this:

$ eval `ssh-agent`
$ ssh-add
Enter passphrase for /home/grog/.ssh/id_rsa: (no echo)
Identity added: /home/grog/.ssh/id_rsa (/home/grog/.ssh/id_rsa)
Identity added: /home/grog/.ssh/id_dsa (/home/grog/.ssh/id_dsa)
Identity added: /home/grog/.ssh/identity (grog@freebie.lemis.com)
$ ssh-add -l
1024 02:20:1d:50:78:c5:7c:56:7b:1d:e3:54:02:2c:99:76 grog@zaphod.example.org (RSA1)
1024 95:d5:01:ca:90:04:7d:84:f6:00:32:7a:ea:a6:57:2d /home/grog/.ssh/id_rsa (RSA)
1024 53:53:af:22:87:07:10:e4:5a:2c:21:31:ec:29:1c:5f /home/grog/.ssh/id_dsa (DSA)

This shows that all three keys are set correctly. If you have, say, only an RSA1 (protocol Version 1) key, and the other end doesn't support protocol Version 1, you'll get this kind of message. If the agent and keys are fine, run ssh with -v: it reports each key it offers and whether the server accepted it, which narrows the fault down to the remote side, where a wrong mode on ~/.ssh or authorized_keys is the usual culprit.

• You get a message like this:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the DSA host key has just been changed.
The fingerprint for the DSA key sent by the remote host is
95:80:4c:fb:cc:96:1b:36:c5:c9:2b:cb:d1:d4:16:68.
Please contact your system administrator.
Add correct host key in /home/grog/.ssh/known_hosts2 to get rid of this message.
Offending key in /home/grog/.ssh/known_hosts2:39

There are two possible reasons for this message. As the message states, one is that somebody is trying to intercept the connection, and the other one is that the remote system has changed its host key. The latter is by far the more common, but don't assume it: before you go on, find out from the machine's administrator, or by some route that doesn't pass through the network you're on, whether the key really changed, and compare the fingerprint in the message with the one they give you. If it really did change, you have two choices:

1. Edit your ~/.ssh/known_hosts2 file and remove references to the remote system. The message suggests changing line 39, but you might have more than one key for this system in this file. If one is wrong, there's a good chance that any others will be too, so you should remove all references. Newer OpenSSH versions do this for you with ssh-keygen -R hostname.

2. Add the following line to your ~/.ssh/config file:

StrictHostKeyChecking no

This won't remove the warning, but at least you don't have to attend to it immediately. It also means ssh goes ahead and connects through a possible man-in-the-middle; as a precaution it then disables password authentication, agent forwarding and port forwarding for that connection, so this choice buys you little. Removing the stale key is the better answer.
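Editing known_hosts by hand, as in choice 1, is error-prone when a host has several entries. The following is an added example, not code from the book: a sh/awk function that removes every entry for one host from a known_hosts file (matching each name in the comma-separated first field, including the [host]:port form) and reports how many lines went, so that the next connection prompts for the fresh key exactly as on first contact. The function name and the sample file are mine; the key material in the sample is truncated and not real. Hashed entries (lines starting with |1|, written when HashKnownHosts is on in later OpenSSH releases) cannot be matched by name this way; use ssh-keygen -R for those.

```shell
# Added example, not from the book: forget a host's entries in known_hosts
# instead of editing line 39 by hand or switching StrictHostKeyChecking off.
# Plain and "[host]:port" names are matched; hashed "|1|..." entries are not
# (use ssh-keygen -R for those). Sample data below is constructed.

# forget_host_key FILE HOST -> rewrites FILE without HOST's entries and
# prints how many lines were removed
forget_host_key() {
    kh=$1 host=$2
    tmp=$kh.tmp.$$
    removed=$(awk -v host="$host" -v out="$tmp" '
        {
            n = split($1, names, ",")
            keep = 1
            for (i = 1; i <= n; i++) {
                name = names[i]
                sub(/^\[/, "", name); sub(/\]:[0-9]+$/, "", name)   # [host]:port form
                if (name == host) keep = 0
            }
            if (keep) { print > out } else { removed++ }
        }
        END { print removed + 0 }
    ' "$kh") || return 1
    [ -e "$tmp" ] || : > "$tmp"        # every line removed: awk never opened out
    chmod 600 "$tmp" && mv "$tmp" "$kh"
    echo "$removed"
}

# Constructed known_hosts: two entries for freebie (as the text warns can
# happen), one for hub. Key material is truncated, not real.
DEMO_KH=$(mktemp)
cat > "$DEMO_KH" <<'EOF'
freebie.example.org,223.147.37.1 ssh-dss AAAAB3NzaC1kc3MAAACBAIltWeRXnqD9HqOLn5kugPSW
hub.example.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA1/W3oa1ZEs58KRWMzsrZWMXzPfwoqQ
[freebie.example.org]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA1/W3oa1ZEs58KRWMzsrZ
EOF
forget_host_key "$DEMO_KH" freebie.example.org     # prints 2; only hub remains
```

After running it against your real ~/.ssh/known_hosts (and known_hosts2, if you still have one), reconnect and compare the fingerprint ssh shows with the one the administrator gave you before answering yes.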

ssh includes debugging options that may help debug problems setting up connections. Use the -v option, up to three times, to get ssh to display largely undocumented information about what is going on. The output is pretty verbose; with three -v options you get nearly 200 lines of information.

telnet

As mentioned above, telnet is an older, unencrypted program that connects to a shell on a remote system. You might find it of use when connecting to a system that doesn't have ssh. Be very careful not to use valuable passwords, since they are transmitted in the clear, along with everything else you type and see during the session. Apart from that, you use it pretty much in the same way as ssh:

Password: (no echo)

FreeBSD/i386 (wantadilla.example.org) (ttypj)

Last login: Mon Oct 14 17:51:57 from sydney.example.org

Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994

        The Regents of the University of California.  All rights reserved.

FreeBSD 5.0-RELEASE (FREEBIE) #0: Tue Dec 31 19:08:24 CST 2002

You have new mail.

If I have seen farther than others, it is because I was standing on the

shoulders of giants.

Isaac Newton

In the sciences, we are now uniquely privileged to sit side by side

with the giants on whose shoulders we stand.

It's worth looking in more detail at how the connection is established:

• The first line (Trying...) appears as soon as telnet has resolved the IP address.

• The next three lines appear as soon as it has a reply from the other end. At this point, there can be a marked delay before telnet continues: the telnetd at the other end performs a reverse DNS lookup to find the name of your system. If you get a delay here, it could be an indication that your reverse lookup is not working correctly. After DNS times out, it will continue normally, but the delay is a nuisance.

Posted: 11/12/2013, 00:15
