System Administration Guide: Security Services

Using Solaris Secure Shell

How to Create a Public/Private Key Pair

The standard procedure for creating a Solaris Secure Shell public/private key pair follows. For additional options, see the ssh-keygen(1) man page.

  1. Start the key generation program.


    myLocalHost% ssh-keygen
    Generating public/private rsa key pair.
    …
  2. Enter the path to the file that will hold the key.

    By default, the file name id_rsa, which represents an RSA v2 key, appears in parentheses. You can select this file by pressing the Return key. Or, you can type an alternative filename.


    Enter file in which to save the key (/home/johndoe/.ssh/id_rsa): <Return>
    

    The public key name is created automatically. The string .pub is appended to the private key name.

  3. Enter a passphrase for using your key.

    This passphrase is used for encrypting your private key. A good passphrase is 10-30 characters long, mixes alphabetic and numeric characters, and avoids simple English prose and English names. A null entry means no passphrase is used. A null entry is strongly discouraged for user accounts. Note that the passphrase is not displayed when you type it in.


    Enter passphrase (empty for no passphrase): <Type the passphrase>
    
  4. Re-enter the passphrase to confirm it.


    Enter same passphrase again: <Type the passphrase>
    Your identification has been saved in /home/johndoe/.ssh/id_rsa.
    Your public key has been saved in /home/johndoe/.ssh/id_rsa.pub.
    The key fingerprint is:
    0e:fb:3d:57:71:73:bf:58:b8:eb:f3:a3:aa:df:e0:d1 johndoe@myLocalHost
  5. Check the results.

    The key fingerprint, which is a colon-separated series of 2-digit hexadecimal values, is displayed. Check that the path to the key is correct. In the example, the path is /home/johndoe/.ssh/id_rsa.pub. At this point, you have created a public/private key pair.

  6. Set up the authorized_keys file on the destination host.

    1. Copy the id_rsa.pub file to the destination host. Type the command on one line with no backslash.


      myLocalHost% cat $HOME/.ssh/id_rsa.pub | ssh myRemoteHost \
       'cat >> .ssh/authorized_keys && echo "Key uploaded successfully."'
      
    2. When you are prompted, supply your login password.

      When the file is copied, the phrase “Key uploaded successfully.” is displayed.

How to Log In to Another Host With Solaris Secure Shell

  1. Use the ssh command, specifying the name of the remote host.


    myLocalHost% ssh myRemoteHost
    
    The first time that you run the ssh command, a prompt questions the authenticity of the remote host:


    The authenticity of host 'myRemoteHost' can't be established.
    RSA key fingerprint in md5 is: 04:9f:bd:fc:3d:3e:d2:e7:49:fd:6e:18:4f:9c:26
    Are you sure you want to continue connecting (yes/no)?

    This prompt is normal. You should type yes and continue. If you have used ssh in the past on this remote host, then the prompt is not normal. You should check for a breach in your security.

  2. Enter the Solaris Secure Shell passphrase and the account password when you are prompted for them.


    Enter passphrase for key '/home/johndoe/.ssh/id_rsa': <Return> 
    johndoe@myRemoteHost's password: <Return>
    Last login: Fri Jul 20 14:24:10 2001 from myLocalHost
    myRemoteHost%

    Conduct transactions on the remote host. The commands that you send are encrypted. Any responses that you receive are encrypted.


    Note –

    If you want to subsequently change your passphrase, use the ssh-keygen command with the -p option.


  3. When you are finished with your remote session, type exit or use your usual method for exiting your shell.


    myRemoteHost% exit
    myRemoteHost% logout
    Connection to myRemoteHost closed
    myLocalHost%
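Step 1 says a repeat of the authenticity prompt for a host you have used before is not normal. The check a practitioner makes before typing yes can be scripted; the following is an added example, not part of the Sun guide: a shell function (assumed name known_host_status) that looks a host up in an OpenSSH-style known_hosts file and reports whether the host is new, matches the stored key, or presents a changed key. The known_hosts file and the key strings in it are constructed placeholders, and only plain (unhashed) entries are handled.

```shell
#!/bin/sh
# Added example (not from the Sun guide): before answering "yes" to the
# authenticity prompt, check whether the host already has a known_hosts
# entry. A first contact is normal; a stored key that differs from the one
# now presented is the "not normal" case the guide says to investigate.
# Assumes plain (unhashed) OpenSSH-style entries: "host[,host...] type base64".
# Usage: known_host_status known_hosts_file hostname "keytype base64key"
# Prints new | match | CHANGED; the exit status is 1 only for CHANGED.
known_host_status() {
    _stored=$(awk -v h="$2" '
        $1 !~ /^#/ && NF >= 3 {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == h) { print $2 " " $3; break }
        }' "$1")
    if [ -z "$_stored" ]; then
        echo new            # never connected before: the prompt is expected
        return 0
    fi
    if printf '%s\n' "$_stored" | grep -Fxq -e "$3"; then
        echo match          # stored key agrees with the presented one
        return 0
    fi
    echo CHANGED            # known host, different key: do not type yes
    return 1
}

# Constructed sample known_hosts; the key material is a placeholder, not a real key.
SAMPLE_KNOWN_HOSTS=$(mktemp)
trap 'rm -f "$SAMPLE_KNOWN_HOSTS"' EXIT
cat > "$SAMPLE_KNOWN_HOSTS" <<'EOF'
# hosts previously accepted from myLocalHost (constructed)
myRemoteHost,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTEDKEYONE==
otherHost ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTEDKEYTWO==
EOF

known_host_status "$SAMPLE_KNOWN_HOSTS" myRemoteHost \
    "ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTEDKEYONE=="     # match
known_host_status "$SAMPLE_KNOWN_HOSTS" newHost \
    "ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTEDKEYONE=="     # new
known_host_status "$SAMPLE_KNOWN_HOSTS" myRemoteHost \
    "ssh-rsa AAAAB3NzaC1yc2EAAAADIFFERENTKEY==" || :     # CHANGED
```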

How to Log In With No Password With the ssh-agent Command

If you want to omit passphrase and password entry when you are using Solaris Secure Shell, you can use the agent daemon. Use the ssh-agent command at the beginning of the session. Then, store your private keys with the agent by using the ssh-add command. If you have different accounts on different hosts, add those keys that you intend to use in the session.

You can start the agent manually when needed as described in the following procedure. Or, you can set the agent to run automatically at the start of every session as described in How to Set Up the ssh-agent Command to Run Automatically.

  1. Start the agent daemon.

    The ssh-agent command starts the agent daemon and displays its process ID.


    myLocalHost% eval `ssh-agent`
    Agent pid 9892
    myLocalHost% 
  2. Add your private key to the agent daemon.

    The ssh-add command adds your private key to the agent daemon so that subsequent Secure Shell activity does not prompt you for the passphrase.


    myLocalHost% ssh-add
    Enter passphrase for /home/johndoe/.ssh/id_rsa:
    Identity added: /home/johndoe/.ssh/id_rsa(/home/johndoe/.ssh/id_rsa)
    myLocalHost%
  3. Start a Solaris Secure Shell session.


    myLocalHost% ssh myRemoteHost
    

Example—Using ssh-add Options

You can use ssh-add to add other keys to the daemon as well. For example, you might concurrently have DSA v2, RSA v2, and RSA v1 keys. To list all keys that are stored in the daemon, use the -l option. To delete a single key from the daemon, use the -d option. To delete all keys, use the -D option.


myLocalHost% eval `ssh-agent`
Agent pid 3347
myLocalHost% ssh-add
Enter passphrase for /home/johndoe/.ssh/id_rsa:
Identity added: /home/johndoe/.ssh/id_rsa(/home/johndoe/.ssh/id_rsa)
myLocalHost% ssh-add /home/johndoe/.ssh/id_dsa
Enter passphrase for /home/johndoe/.ssh/id_dsa: <type passphrase>
Identity added:
/home/johndoe/.ssh/id_dsa(/home/johndoe/.ssh/id_dsa)
myLocalHost% ssh-add -l
md5 1024 0e:fb:3d:53:71:77:bf:57:b8:eb:f7:a7:aa:df:e0:d1
/home/johndoe/.ssh/id_rsa(RSA)
md5 1024 c1:d3:21:5e:40:60:c5:73:d8:87:09:3a:fa:5f:32:53
/home/johndoe/.ssh/id_dsa(DSA)
myLocalHost% ssh-add -d
Identity removed:
/home/johndoe/.ssh/id_rsa(/home/johndoe/.ssh/id_rsa.pub)
/home/johndoe/.ssh/id_dsa(DSA)

How to Set Up the ssh-agent Command to Run Automatically

You can avoid providing your passphrase and password whenever you use Secure Shell by starting an agent daemon, ssh-agent. You can start the agent daemon from the .dtprofile script.

  1. To start the agent daemon automatically, add the following lines to the end of the $HOME/.dtprofile script:


    if [ "$SSH_AUTH_SOCK" = "" -a -x /usr/bin/ssh-agent ]; then
        eval `/usr/bin/ssh-agent`
    fi
  2. To terminate the Secure Shell agent daemon when you exit the CDE session, add the following to the $HOME/.dt/sessions/sessionexit script:


    if [ "$SSH_AGENT_PID" != "" -a -x /usr/bin/ssh-agent ]; then
        /usr/bin/ssh-agent -k
    fi

    This entry ensures that no one can use the Secure Shell agent after the CDE session is terminated.

  3. Start a Solaris Secure Shell session.


    myLocalHost% ssh myRemoteHost
    

    There is no prompt for a passphrase.

How to Use Solaris Secure Shell Port Forwarding

You can specify that a local port be forwarded to a remote host. Effectively, a socket is allocated to listen to the port on the local side. The connection from this port is made over a secure channel to the remote host. For example, you might specify port 143 to obtain email remotely with IMAP4. Similarly, a port can be specified on the remote side.


Note –

Secure Shell port forwarding must use TCP connections. Secure Shell does not support UDP connections.


    • To set a local port to be forwarded, specify two ports. Specify the local port to listen to, and specify the remote host and port to forward to.

    myLocalHost% ssh -L localPort:remoteHost:remotePort

    • To set a remote port to receive a secure connection, specify two ports. Specify the remote port to listen to, and specify the local host and port to forward to.

    myLocalHost% ssh -R remotePort:localHost:localPort

Example—Using Local Port Forwarding to Receive Mail

The following example demonstrates how you can use local port forwarding to receive mail securely from a remote server.


myLocalHost% ssh -L 9143:myRemoteHost:143 myRemoteHost 

This command forwards connections to port 9143 on myLocalHost to port 143, which is the IMAP v2 server port on myRemoteHost. When the user launches a mail application, the user needs to specify the local port number. An example that uses the dtmail command is shown in Figure 11–1.

Note that the term localhost in this case and in Example—Using Remote Port Forwarding to Communicate Outside of a Firewall refers to the keyword that designates the user's local host. The localhost keyword should not be confused with myLocalHost. The myLocalHost variable is the hypothetical host name that identifies a local host in the examples in this chapter.

Figure 11–1 Specifying Port Forwarding for Email

Dialog box titled Mailer - Login. The IMAP Server field shows the server name followed by a colon and the port number.

Example—Using Remote Port Forwarding to Communicate Outside of a Firewall

This example demonstrates how a user in an enterprise environment can forward connections from a host on an external network to a host inside a corporate firewall.


myLocalHost% ssh -R 9022:myLocalHost:22 myOutsideHost

This command forwards connections to port 9022 on myOutsideHost to port 22, the sshd server, on the local host.


myOutsideHost% ssh -p 9022 localhost
myLocalHost%

This command demonstrates how after the remote forwarding connection has been established, the user can use the ssh command to connect securely from the remote host.

How to Copy Files With Solaris Secure Shell

Use the scp command to copy encrypted files between hosts. You can copy encrypted files between either a local and remote host, or between two remote hosts. The command operates similarly to the rcp command except that the scp command prompts for passwords. See scp(1) for more information.

  1. Start the secure copy program.

    Specify the source file, user name at remote destination, and destination directory.


    myLocalHost% scp myfile.1 johndoe@myRemoteHost:~
    
  2. Type the Solaris Secure Shell passphrase when prompted.


    Enter passphrase for key '/home/johndoe/.ssh/id_rsa': <Return>
    myfile.1       25% |*******                      |    640 KB  0:20 ETA 
    myfile.1 

    After you type the passphrase, the progress meter is displayed. See the second line in the preceding output. The progress meter displays:

    • The file name

    • The percentage of the file that has been transferred at this point

    • A series of asterisks that are analogous to the percentage transferred

    • The quantity of data transferred

    • The estimated time of arrival, or ETA, of the complete file (that is, the remaining amount of time)

How to Transfer Files Remotely With the sftp Command

The sftp command works similarly to ftp, but uses a different set of subcommands. The following table lists some representative subcommands.

Table 11–3 Interactive sftp Subcommands

Category             Subcommands                     Description
Navigation           cd path                         Changes the remote directory to path
                     lcd path                        Changes the local directory to path
Ownership            chgrp group file                Changes the group for file to group, a numeric GID
                     chmod mode file                 Changes the permissions of file
File copying         get remote_file [local-path]    Retrieves a remote file and stores the file on the local host
                     put local_file [remote_path]    Stores a local file on the remote host
                     rename old_file new_file        Renames a local file
Directory listing    ls [path]                       Lists the contents of the remote directory
Directory creation   mkdir path                      Creates a remote directory
Miscellaneous        exit, quit                      Quits the sftp command

How to Set Up Default Connections to Hosts Outside a Firewall

You can use Solaris Secure Shell to make a connection from a host inside a firewall to a host on the other side of the firewall. This task is done by specifying a proxy command for ssh either in a configuration file or as an option on the command line. For more information, see Example—Connecting to Hosts Outside a Firewall From the Command Line.

In general, you can customize your ssh interactions through a configuration file, either your own personal file $HOME/.ssh/config or an administrative configuration file in /etc/ssh/ssh_config. See ssh_config(4). There are two types of proxy commands. One proxy command is for HTTP connections. The other proxy command is for SOCKS5 connections.

  1. Specify the proxy commands and hosts in a configuration file.

    Use the following syntax to add as many lines as you need:


    [Host outside_host]
    ProxyCommand proxy_command [-h proxy_server] \
    [-p proxy_port] outside_host|%h outside_port|%p

    where

    Host outside_host

    Limits the proxy command specification to instances when a remote host name is specified on the command line. If you use a wildcard for outside_host, you apply the specification to a set of hosts.

    proxy_command

    Specifies the proxy command. The command can be either of the following:

    • /usr/lib/ssh/ssh-http-proxy-connect for HTTP connections

    • /usr/lib/ssh/ssh-socks5-proxy-connect for SOCKS5 connections

    -h proxy_server and -p proxy_port

    These options specify a proxy server and a proxy port, respectively. If present, the proxies override any environment variables that specify proxy servers and proxy ports, such as HTTPPROXY, HTTPPROXYPORT, SOCKS5_PORT, SOCKS5_SERVER, and http_proxy. The http_proxy variable specifies a URL. If the options are not used, then the relevant environment variables must be set. See the ssh-socks5-proxy-connect(1) and ssh-http-proxy-connect(1) man pages.

    outside_host

    Designates a specific host to connect to. You can use %h to specify the host on the command line.

    outside_port

    Designates a specific port to connect to. You can use %p to specify the port on the command line. By specifying %h and %p without using the Host outside_host option, the proxy command is applied to the host argument whenever the ssh command is invoked.

  2. Run Solaris Secure Shell, specifying the outside host.

    For example, type the following:


    myLocalHost% ssh myOutsideHost
    

    This command looks for a proxy command specification for myOutsideHost in your personal configuration file. If the specification is not found, then the command looks in the system-wide configuration file, ssh_config. The proxy command is substituted for ssh.

Example—Connecting to Hosts Outside a Firewall From the Command Line

The -o option to the ssh command lets you type any line that is permitted in an ssh configuration file. In this case, the proxy command specification from the previous task is used.

  1. Specify the proxy commands and hosts in a configuration file.

  2. Run the ssh command. Include a proxy command specification as an argument to the -o option. For example, type the following:


    % ssh -o'Proxycommand=/usr/lib/ssh/ssh-http-proxy-connect \
    -h myProxyServer -p 8080 myOutsideHost 22' myOutsideHost
    

    This command substitutes the HTTP proxy command for ssh, uses port 8080 and myProxyServer as the proxy server, and connects to port 22 on myOutsideHost.
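The Host matching and %h/%p substitution described in step 1 of the preceding task, and the same specification as passed here with -o, can be worked through with the following added example, which is not from the Sun guide: a shell function (assumed name resolve_proxy_command) that reads a constructed configuration file and prints the proxy command ssh would run for a given host and port. It assumes the first applicable ProxyCommand wins, as ssh does, that Host patterns use * and ? globs, and that the proxy server names and ports in the sample file are placeholders.

```shell
#!/bin/sh
# Added example (not part of the Sun guide): show which ProxyCommand a given
# ssh_config would hand to ssh for a host, applying the Host matching and the
# %h/%p substitution described in the guide. Assumes the first ProxyCommand
# that applies wins (ssh keeps the first value it obtains), Host patterns use
# '*' and '?' globs, and a ProxyCommand before any Host line applies to all.
# Usage: resolve_proxy_command config_file host port   (exit 1 if none applies)
resolve_proxy_command() {
    awk -v host="$2" -v port="$3" '
        function glob_match(p, s) {        # turn a Host glob into an anchored ERE
            gsub(/[.]/, "\\\\.", p); gsub(/\*/, ".*", p); gsub(/\?/, ".", p)
            return s ~ ("^" p "$")
        }
        BEGIN { active = 1 }               # no Host seen yet: lines apply to all hosts
        /^[ \t]*#/ || NF == 0 { next }     # comments and blank lines
        tolower($1) == "host" {            # a Host line opens a new block
            active = 0
            for (i = 2; i <= NF; i++) if (glob_match($i, host)) active = 1
            next
        }
        active && !found && tolower($1) == "proxycommand" {
            $1 = ""; cmd = substr($0, 2)   # drop the keyword, keep the command
            gsub(/%h/, host, cmd); gsub(/%p/, port, cmd); gsub(/%%/, "%", cmd)
            print cmd; found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample configuration; proxy server names and ports are placeholders.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
# constructed personal ssh configuration file
Host myOutsideHost
ProxyCommand /usr/lib/ssh/ssh-http-proxy-connect -h myProxyServer -p 8080 %h %p
Host *.partner.example
ProxyCommand /usr/lib/ssh/ssh-socks5-proxy-connect -h mySocksServer -p 1080 %h %p
EOF

resolve_proxy_command "$SAMPLE_CONFIG" myOutsideHost 22
resolve_proxy_command "$SAMPLE_CONFIG" build.partner.example 2222
resolve_proxy_command "$SAMPLE_CONFIG" myInsideHost 22 || echo "no proxy: direct connection"
```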