24.5 Using the OpenSSH Utilities

24.5.1 Using ssh to Connect to Another System
24.5.2 Using scp and sftp to Copy Files Between Systems
24.5.3 Using ssh-keygen to Generate Pairs of Authentication Keys
24.5.4 Enabling Remote System Access Without Requiring a Password

By default, each time you use the OpenSSH utilities to connect to a remote system, you must provide your user name and password to the remote system. When you connect to an OpenSSH server for the first time, the OpenSSH client prompts you to confirm that you are connected to the correct system. In the following example, the ssh command is used to connect to the remote host host04:

$ ssh host04
The authenticity of host ‘host04 (192.0.2.104)’ can’t be
established.
RSA key fingerprint is 65:ad:38:b2:8a:6c:69:f4:83:dd:3f:8f:ba:b4:85:c7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘host04,192.0.2.104’ (RSA) to the
list of known hosts.

When you enter yes to accept the connection to the server, the client adds the server’s public host key to your ~/.ssh/known_hosts file. When you next connect to the remote server, the client compares the key in this file to the one that the server supplies. If the keys do not match, you see a warning such as the following:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for host has changed,
and the key for the according IP address IP_address
is unchanged. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
Offending key for IP in /home/user/.ssh/known_hosts:10
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is fingerprint
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending key in /home/user/.ssh/known_hosts:53
RSA host key for host has changed and you have requested strict checking.
Host key verification failed.

Unless there is a reason for the remote server’s host key to have changed, such as an upgrade of either the SSH software or the server, you should not try to connect to that machine until you have contacted its administrator about the situation.
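The two warnings above come from comparing the key the server presents against the known_hosts entries for the hostname and for the IP address separately. The following added example (not part of this guide, and not OpenSSH's own code) reproduces that check in Python over a constructed known_hosts file: it parses plain entries of the form shown above, prints the colon-separated MD5 fingerprint the client displays, and reports the known_hosts line of any offending key. The key blobs are placeholders, not real RSA keys, and hashed hostnames and @marker lines are skipped.

```python
import base64
import hashlib

def md5_fingerprint(blob_b64):
    """Colon-separated MD5 fingerprint, the format the client prints for a host key."""
    digest = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_known_hosts(text):
    """Yield (line_no, hostnames, keytype, blob) for each plain known_hosts entry."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|1|")):
            continue  # comments, @marker lines and hashed hostnames are not handled
        yield line_no, fields[0].split(","), fields[1], fields[2]

def check_host_key(text, name, keytype, blob):
    """Return ('match'|'changed'|'new', known_hosts line or None) for one name or IP."""
    for line_no, names, ktype, known_blob in parse_known_hosts(text):
        if name in names and ktype == keytype:
            return ("match" if known_blob == blob else "changed"), line_no
    return "new", None

def classify_server_key(text, host, ip, keytype, blob):
    """Mirror the client's two warnings by checking the hostname and the IP separately."""
    host_status, host_line = check_host_key(text, host, keytype, blob)
    ip_status, ip_line = check_host_key(text, ip, keytype, blob)
    if host_status == "changed" and ip_status == "match":
        verdict = "POSSIBLE DNS SPOOFING"   # the name now resolves to a host known under another name
    elif "changed" in (host_status, ip_status):
        verdict = "REMOTE HOST IDENTIFICATION HAS CHANGED"
    elif host_status == "new" and ip_status == "new":
        verdict = "UNKNOWN HOST"            # first contact: confirm the fingerprint out of band
    else:
        verdict = "OK"
    return verdict, md5_fingerprint(blob), host_line, ip_line

# Constructed sample data: the blobs are placeholders, not real RSA keys.
KEY_A = base64.b64encode(b"placeholder key blob A").decode()
KEY_B = base64.b64encode(b"placeholder key blob B").decode()
KEY_C = base64.b64encode(b"placeholder key blob C").decode()
KNOWN_HOSTS = (f"host04,192.0.2.104 ssh-rsa {KEY_A}\n"
               f"host05 ssh-rsa {KEY_B}\n"
               f"192.0.2.105 ssh-rsa {KEY_C}\n")

if __name__ == "__main__":
    for host, ip, blob in (("host04", "192.0.2.104", KEY_A), ("host04", "192.0.2.104", KEY_B),
                           ("host05", "192.0.2.105", KEY_C), ("host06", "192.0.2.106", KEY_A)):
        print(host, ip, classify_server_key(KNOWN_HOSTS, host, ip, "ssh-rsa", blob))
```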

24.5.1 Using ssh to Connect to Another System

The ssh command allows you to log in to a remote system, or to execute a command on a remote system:

$ ssh [options] [user@]host [command]

host is the name of the remote OpenSSH server to which you want to connect.

For example, to log in to host04 with the same user name as on the local system, enter:

$ ssh host04

The remote system prompts you for your password on that system.

To connect as a different user, specify the user name and @ symbol before the remote host name, for example:

$ ssh joe@host04

To execute a command on the remote system, specify the command as an argument, for example:

$ ssh joe@host04 ls ~/.ssh

ssh logs you in, executes the command, and then closes the connection.

For more information, see the ssh(1) manual page.

24.5.2 Using scp and sftp to Copy Files Between Systems

The scp command allows you to copy files or directories between systems. scp establishes a connection, copies the files, and then closes the connection.

To upload a local file to a remote system:

$ scp [options] local_file [user@]host[:remote_file]

For example, copy testfile to your home directory on host04:

$ scp testfile host04

Copy testfile to the same directory but change its name to new_testfile:

$ scp testfile host04:new_testfile

To download a file from a remote system to the local system:

$ scp [options] [user@]host[:remote_file] local_file

The -r option allows you to recursively copy the contents of directories. For example, copy the directory remdir and its contents from your home directory on remote host04 to your local home directory:

$ scp -r host04:~/remdir ~

The sftp command is a secure alternative to ftp for file transfer between systems. Unlike scp, sftp allows you to browse the file system on the remote server before you copy any files.

To open an sftp session with a remote system over SSH:

$ sftp [options] [user@]host

For example:

$ sftp host04
Connecting to host04...
guest@host04’s password: password
sftp>

Enter sftp commands at the sftp> prompt. For example, use put to upload the file newfile from the local system to the remote system and ls to list it:

sftp> put newfile
Uploading newfile to /home/guest/newfile
newfile                                       100% 1198     1.2KB/s   00:01
sftp> ls newfile
newfile

Enter help or ? to display a list of available commands. Enter bye, exit, or quit to close the connection and exit sftp.

For more information, see the ssh(1) and sftp(1) manual pages.

24.5.3 Using ssh-keygen to Generate Pairs of Authentication Keys

The ssh-keygen command generates a public and private authentication key pair. Such authentication keys allow you to connect to a remote system without needing to supply a password each time that you connect. Each user must generate their own pair of keys. If root generates key pairs, only root can use those keys.

To create a public and private SSH2 RSA key pair:

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/guest/.ssh/id_rsa): <Enter>
Created directory '/home/guest/.ssh'.
Enter passphrase (empty for no passphrase): password
Enter same passphrase again: password
Your identification has been saved in /home/guest/.ssh/id_rsa.
Your public key has been saved in /home/guest/.ssh/id_rsa.pub.
The key fingerprint is:
5e:d2:66:f4:2c:c5:cc:07:92:97:c9:30:0b:11:90:59 guest@host01
The key's randomart image is:
+--[ RSA 2048]----+
|      .=Eo++.o   |
|      o  ..B=.   |
|          o.= .  |
|         o + .   |
|        S * o    |
|       . = .     |
|        .        |
|       .         |
|                 |
+-----------------+

To generate an SSH1 RSA or SSH2 DSA key pair, specify the -t rsa1 or -t dsa options.

For security, in case an attacker gains access to your private key, you can specify a passphrase to encrypt your private key. If you encrypt your private key, you must enter this passphrase each time that you use the key. If you do not specify a passphrase, you are not prompted.

ssh-keygen generates a private key file and a public key file in ~/.ssh (unless you specify an alternate directory for the private key file):

$ ls -l ~/.ssh
total 8
-rw-------. 1 guest guest 1743 Apr 13 12:07 id_rsa
-rw-r--r--. 1 guest guest  397 Apr 13 12:07 id_rsa.pub

For more information, see the ssh-keygen(1) manual page.

24.5.4 Enabling Remote System Access Without Requiring a Password

To be able to use the OpenSSH utilities to access a remote system without supplying a password each time that you connect:

  1. Use ssh-keygen to generate a public and private key pair, for example:

    $ ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/user/.ssh/id_rsa): <Enter>
    Created directory '/home/user/.ssh'.
    Enter passphrase (empty for no passphrase): <Enter>
    Enter same passphrase again: <Enter>
    ...

    Press Enter each time that the command prompts you to enter a passphrase.

  2. Use the ssh-copy-id script to append the public key in the local ~/.ssh/id_rsa.pub file to the ~/.ssh/authorized_keys file on the remote system, for example:

    $ ssh-copy-id remote_user@host
    remote_user@host's password: remote_password
    Now try logging into the machine, with "ssh 'remote_user@host'", and check in:
    
      .ssh/authorized_keys
    
    to make sure we haven't added extra keys that you weren't expecting.

    When prompted, enter your password for the remote system.

    The script also changes the permissions of ~/.ssh and ~/.ssh/authorized_keys on the remote system to disallow access by your group.

    You can now use the OpenSSH utilities to access the remote system without supplying a password. As the script suggests, you should use ssh to log into the remote system to verify that the ~/.ssh/authorized_keys file contains only the keys for the systems from which you expect to connect. For example:

    $ ssh remote_user@host
    Last login: Thu Jun 13 08:33:58 2013 from local_host
    host$ cat .ssh/authorized_keys
    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6OabJhWABsZ4F3mcjEPT3sxnXx1OoUcvuCiM6fg5s/ER
    ... FF488hBOk2ebpo38fHPPK1/rsOEKX9Kp9QWH+IfASI8q09xQ== local_user@local_host
    host$ logout
    Connection to host closed.
    $

  3. Verify that the permissions on the remote ~/.ssh directory and ~/.ssh/authorized_keys file allow access only by you:

    $ ssh remote_user@host ls -al .ssh
    total 4
    drwx------+ 2 remote_user group   5 Jun 12 08:33 .
    drwxr-xr-x+ 3 remote_user group   9 Jun 12 08:32 ..
    -rw-------+ 1 remote_user group 397 Jun 12 08:33 authorized_keys
    $ ssh remote_user@host getfacl .ssh
    # file: .ssh
    # owner: remote_user
    # group: group
    user::rwx
    group::---
    mask::rwx
    other::---
    
    $ ssh remote_user@host getfacl .ssh/authorized_keys
    # file: .ssh/authorized_keys
    # owner: remote_user
    # group: group
    user::rw-
    group::---
    mask::rwx
    other::---

    If necessary, correct the permissions:

    $ ssh remote_user@host 'umask 077; /sbin/restorecon .ssh'
    $ ssh remote_user@host 'umask 077; /sbin/restorecon .ssh/authorized_keys'

    Note

    If your user names are the same on the client and the server systems, you do not need to specify your remote user name and the @ symbol.

  4. If your user names are different on the client and the server systems, create a ~/.ssh/config file with permissions 600 on the remote system that defines your local user name, for example:

    $ ssh remote_user@host echo -e "Host *\\\nUser local_user" '>>' .ssh/config
    $ ssh remote_user@host cat .ssh/config
    Host *
    User local_user
    $ ssh remote_user@host 'umask 077; /sbin/restorecon .ssh/config'

    You should now be able to access the remote system without needing to specify your remote user name, for example:

    $ ssh host ls -l .ssh/config
    -rw-------+ 1 remote_user group 37 Jun 12 08:34 .ssh/config
    $ ssh host getfacl .ssh/config
    # file: .ssh/config
    # owner: remote_user
    # group: group
    user::rw-
    group::---
    mask::rwx
    other::---
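Steps 2 through 4 all come down to one property: ~/.ssh must be 0700 and the files in it (authorized_keys, config, private keys) 0600, so that only you can read them. The following added example (not part of this guide) automates that verification in Python and, with fix=True, applies the chmod needed; it is a complement to the restorecon commands above, which reset SELinux contexts rather than mode bits. The sample directory it audits is constructed in a temporary location with one deliberately group-readable file; the POSIX ACLs that getfacl shows are not inspected.

```python
import os
import stat
import tempfile

def audit_ssh_dir(ssh_dir, fix=False):
    """Report entries in a .ssh directory that other users could read or modify:
    the directory must be 0700 and each file 0600, except *.pub keys, which may be
    0644. POSIX ACLs (the '+' in the ls output above) are not inspected here.
    Returns a list of findings; with fix=True the offending modes are also chmod'ed."""
    findings = []
    owner = os.stat(ssh_dir).st_uid
    checks = [(ssh_dir, 0o700)]
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if os.path.islink(path) or os.path.isdir(path):
            findings.append(f"{path}: unexpected symlink or directory inside .ssh")
            continue
        checks.append((path, 0o644 if name.endswith(".pub") else 0o600))
    for path, want in checks:
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != owner:
            findings.append(f"{path}: owned by uid {st.st_uid}, not by uid {owner}")
        if mode & ~want:  # any bit set that the expected mode does not allow
            findings.append(f"{path}: mode {mode:04o}, expected {want:04o}")
            if fix:
                os.chmod(path, want)
    return findings

def make_sample_ssh_dir():
    """Constructed sample: a temporary .ssh in which authorized_keys was left group-readable."""
    d = tempfile.mkdtemp(prefix="ssh-audit-")
    os.chmod(d, 0o700)
    for name, mode in (("authorized_keys", 0o640), ("config", 0o600), ("id_rsa.pub", 0o644)):
        with open(os.path.join(d, name), "w") as f:
            f.write("# constructed sample content, not a real key or config\n")
        os.chmod(os.path.join(d, name), mode)
    return d

if __name__ == "__main__":
    sample = make_sample_ssh_dir()
    print("before:", audit_ssh_dir(sample, fix=True))
    print("after: ", audit_ssh_dir(sample))
```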

For more information, see the ssh-copy-id(1), ssh-keygen(1), and ssh_config(5) manual pages.