Add information about using ssh tunnelling. Reword a couple of things
while I'm here.

Submitted by:	Chern Lee <chern.lee@windriver.com>
This commit is contained in:
Murray Stokely 2001-06-01 07:22:39 +00:00
parent f18c320aaf
commit 6cf4457d9f
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=9517
2 changed files with 214 additions and 102 deletions
en_US.ISO8859-1/books/handbook/security
en_US.ISO_8859-1/books/handbook/security


@ -1,7 +1,7 @@
<!--
The FreeBSD Documentation Project
$FreeBSD: doc/en_US.ISO_8859-1/books/handbook/security/chapter.sgml,v 1.43 2001/05/08 17:53:31 murray Exp $
$FreeBSD: doc/en_US.ISO_8859-1/books/handbook/security/chapter.sgml,v 1.44 2001/05/14 03:08:01 murray Exp $
-->
<chapter id="security">
@ -2683,41 +2683,29 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
2001.</emphasis>
</para>
<para>Secure shell is a secure set of programs used to access a remote
machine. It can be used as a secure medium in place of rlogin, rsh,
rcp, etc. X11 connections, as well as other TCP/IP connections can
be tunnelled/forwarded securely through OpenSSH. Utilizing, RSA
public key cryptography, OpenSSH is a powerful secure alternative
over traditional utilities.
</para>
<para>Secure shell is a set of network connectivity tools used to
access remote machines securely. It can be used as a direct
replacement for <command>rlogin</command>,
<command>rsh</command>, <command>rcp</command>, and
<command>telnet</command>. Additionaly, any other TCP/IP
connections can be tunnelled/forwarded securely through ssh.
ssh encrypts all traffic to effectively eliminate eavesdropping,
connection hijacking, and other network-level attacks.</para>
<para>The package provides secure alternatives to many <command>r*
*nix</command> commands. Namely, <command>rlogin, rcp, and
rsh</command>.
</para>
<para>OpenSSH is maintained by the OpenBSD project, and is based upon
SSH v1.2.12 with all the recent bug fixes and updates.
</para>
<para>The OpenSSH client is compatible with both SSH protocols 1 and
2.
</para>
<para>OpenSSH is maintained by the OpenBSD project, and is based
upon SSH v1.2.12 with all the recent bug fixes and updates. It
is compatible with both SSH protocols 1 and 2. OpenSSH has been
in the base system since FreeBSD 4.0.</para>
<sect2>
<title>Advantages of using OpenSSH</title>
<para>Normally, when using <command>telnet</command> or <command>
rlogin</command>, data is sent over the network in an clear,
un-encrypted form. Network sniffers on either side, the server
or the client, or any route in between, can steal your
user/password information, and data transferred in your session.
Attackers can even hijack an existing TCP/IP connection and gain
control of your login session.
</para>
<para>With the SSH protocol, all this data is sent encrypted,
making the above impossible.
</para>
<para>Normally, when using &man.telnet.1; or &man.rlogin.1;,
data is sent over the network in an clear, un-encrypted form.
Network sniffers anywhere in between the client and server can
steal your user/password information or data transferred in
your session. OpenSSH offers a variety of authentication and
encryption methods to prevent this from happening.</para>
</sect2>
<sect2>
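Review bot: two typos in the added intro and Advantages paragraphs: "Additionaly, any other TCP/IP connections" should read "Additionally", and "sent over the network in an clear, un-encrypted form" (carried over from the old wording) should be "in clear, unencrypted form". The new Advantages paragraph also drops the old text's point that an attacker can hijack an existing TCP/IP connection, while the rewritten intro still says ssh eliminates "connection hijacking"; keeping one sentence on hijacking here would make the two paragraphs agree on what the protocol protects against.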
@ -2726,17 +2714,18 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
<filename>rc.conf</filename> file:
</para>
<screen>sshd_enable="YES"</screen>
<para>This will load the ssh daemon the next time your system inits.
</para>
<para>This will load the ssh daemon the next time your system
inializes. Alternatively, you can simply run the
<command>sshd</command> daemon.</para>
</sect2>
<sect2>
<title>SSH client</title>
<para>The <command>ssh</command> utility works similarly to
<command>rlogin</command>.
<para>The &man.ssh.1; utility works similarly to
&man.rlogin.1;.
</para>
<screen>&prompt.root <userinput>ssh user@foobardomain.com</userinput>
<screen>&prompt.root <userinput>ssh <replaceable>user@foobardomain.com</replaceable></userinput>
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)? <userinput>yes</userinput>
Host 'foobardomain.com' added to the list of known hosts.
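Review bot: "the next time your system inializes" should be "initializes". In the rewritten ssh example, `&prompt.root <userinput>ssh ...` still leaves the entity reference without its terminating `;`; the new Tunneling section in this same patch writes `&prompt.user;`, so make this `&prompt.root;` for consistency with the rest of the document.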
@ -2758,9 +2747,9 @@ user@foobardomain.com's password: <userinput>*******</userinput>
<sect2>
<title>Secure copy</title>
<para>The <command>scp</command> command works similarly to rcp; it copies a
file off a remote machine, except in a secure fashion.</para>
file to or from a remote machine, except in a secure fashion.</para>
<screen>&prompt.root <userinput> scp user@foobardomain.com:/COPYRIGHT COPYRIGHT</userinput>
<screen>&prompt.root <userinput> scp <replaceable>user@foobardomain.com:/COPYRIGHT COPYRIGHT</replaceable></userinput>
user@foobardomain.com's password:
COPYRIGHT 100% |*****************************| 4735
00:00
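Review bot: the scp screen keeps the leading space inside the `<userinput>` element (`<userinput> scp <replaceable>...`), so the rendered command line shows a stray space after the prompt, and `&prompt.root` is again missing its `;`. Move the space outside the element: `&prompt.root; <userinput>scp ...`.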
@ -2787,11 +2776,11 @@ COPYRIGHT 100% |*****************************| 4735
<sect2>
<title>ssh-keygen</title>
<para>Instead of using passwords, <command>ssh-keygen</command> can
<para>Instead of using passwords, &man.ssh-keygen.1; can
be used to generate RSA keys to authenticate a user.
</para>
<screen>&prompt.user<userinput> ssh-keygen</userinput>
<screen>&prompt.user <userinput>ssh-keygen</userinput>
Initializing random number generator...
Generating p: .++ (distance 66)
Generating q: ..............................++ (distance 498)
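Review bot: `&prompt.user <userinput>ssh-keygen</userinput>` fixes the space placement but still leaves the `&prompt.user` reference without its `;`, unlike the `&prompt.user;` used in the new Tunneling section below.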
@ -2804,7 +2793,7 @@ Your identification has been saved in /home/user/.ssh/identity.
...
</screen>
<para><command>ssh-keygen</command> will create a public and private
<para>&man.ssh-keygen.1; will create a public and private
key pair for use in authentication. The private key is stored in
<filename>~/.ssh/identity</filename>, whereas the public key is
stored in <filename>~/.ssh/identity.pub</filename>. The public
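Review bot: this paragraph says ssh-keygen produces an RSA key pair stored in ~/.ssh/identity and ~/.ssh/identity.pub, which is the protocol-1 identity. The Tunneling section added later in this patch forces protocol 2 with `-2` and then recommends keys in place of passwords, but a protocol-2 session will not use ~/.ssh/identity. Either mention how to generate a protocol-2 key (ssh-keygen's -t option, on OpenSSH versions that have it) or drop `-2` from the tunnel examples, so the two sections work together as written.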
@ -2813,25 +2802,92 @@ Your identification has been saved in /home/user/.ssh/identity.
</para>
<para>This will allow connection to the remote machine based upon
RSA authentication, not password.
</para>
RSA authentication instead of passwords.</para>
<para>If a passphrase is used in <command>ssh-keygen</command>, the user
<para>If a passphrase is used in &man.ssh-keygen.1;, the user
will be prompted for a password each time in order to use the private
key.
</para>
key.</para>
<para><command>ssh-agent</command> and <command>ssh-add</command> are
<para>&man.ssh-agent.1; and &man.ssh-add.1; are
utilities used in managing multiple passworded private keys.
</para>
</sect2>
<sect2>
<title>SSH Tunneling</title>
<para>OpenSSH has the ability to create a tunnel to encapsulate
another protocol in an encrypted session.</para>
<para>The following command tells &man.ssh.1; to create a tunnel
for telnet.</para>
<screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5023:localhost:23 user@foo.bar.com</replaceable></userinput>
&prompt.user;
</screen>
<itemizedlist>
<listitem>
<para><emphasis>-2</emphasis> this forces &man.ssh.1 to use version
2 of the protocol. (Do not use if you are working with older ssh
servers)</para>
</listitem>
<listitem>
<para><emphasis>-N</emphasis> indicates no command, or tunnel only.
If ommitted, &man.ssh.1; would initiate a normal session.</para>
</listitem>
<listitem><para><emphasis>-f</emphasis> forces &man.ssh.1; to run
in the background.</para>
</listitem>
<listitem>
<para><emphasis>-L</emphasis> indicates a local tunnel in
<replaceable>localport:localhost:remoteport</replaceable> fashion.
</para>
</listitem>
<listitem>
<para><replaceable>foo.bar.com</replaceable> is the remote/target
SSH server.
</para>
</listitem>
</itemizedlist>
<para>An SSH tunnel works by creating a listen socket on the specified
local host and port. It then forwards any connection to the local
host/port via the SSH connection to the remote machine on the
specified remote port.
</para>
<para>In the example, port <replaceable>5023</replaceable> on localhost
is being forwarded to port <replaceable>23</replaceable> on the remote
machine. Since <replaceable>23</replaceable> is telnet, this would
create a secure telnet session through an SSH tunnel.
</para>
<para>This can be used to wrap any number of insecure TCP protocols
such as smtp, pop3, ftp, etc.
</para>
<para>A typical SSH Tunnel</para>
<screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5025:localhost:25 user@mailserver.foobar.com</replaceable></userinput>
user@mailserver.foobar.com's password: <userinput>*****</userinput>
&prompt.user; <userinput>telnet localhost 5025</userinput>
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mailserver.foobar.com ESMTP
</screen>
<para>This can be used in conjunction with an &man.ssh-keygen.1;
and additional user accounts to create a more seamless/hassle-free
SSH tunneling environment. Keys can be used in place of typing
a password, and the tunnels can be run as a seperate user.
</para>
</sect2>
<sect2>
<title>Further Reading</title>
<para><ulink url="http://www.openssh.com">OpenSSH</ulink></para>
<para>&man.ssh.1 &man.scp.1 &man.ssh-keygen.1
&man.ssh-agent.1 &man.ssh-add.1</para>
<para>&man.sshd.8 &man.sftp-server.8</para>
<para>&man.ssh.1; &man.scp.1; &man.ssh-keygen.1;
&man.ssh-agent.1; &man.ssh-add.1;</para>
<para>&man.sshd.8; &man.sftp-server.8;</para>
</sect2>
</sect1>
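Review bot: several points in the new Tunneling section. Entity references: `&man.ssh.1 to use version 2` lacks its `;`, even though the Further Reading part of this same hunk fixes exactly that pattern. Typos: "ommitted" and "seperate". The -L description gives the form `localport:localhost:remoteport`, but the middle field is a host name resolved by the SSH server, not by the client; document it as `localport:remotehost:remoteport` and state that `localhost` in the examples therefore means the SSH server itself. That matters for the claim that this "can be used to wrap any number of insecure TCP protocols": the tunnel encrypts only the client-to-SSH-server leg, so if the middle field names a third host, the final hop from the SSH server to that host is still plaintext; one sentence on this keeps readers from assuming end-to-end protection. It is also worth noting that the forwarded port (5023, 5025) is bound to the loopback interface only unless the user asks otherwise, so other hosts cannot reach it. Finally, "A typical SSH Tunnel" is a para that reads like a heading; end it with a colon.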
