Pro OpenSSH, part 10 (docx)


APPENDIX A ■ SSH CLIENT ALTERNATIVES

After configuring the connection, click the network icon to select your connection. FileZilla provides messages and log information at the top, remote file listing on the right, and local file listing on the left. The bottom of the window is the transfer queue. Files are transferred via double-click or drag and drop. A connection screen via FileZilla is shown in Figure A-21.

Figure A-20. A Site Manager window in FileZilla configured for a remote SFTP connection

Figure A-21. An established SFTP connection via FileZilla

SSH Tectia Client

The SSH Tectia Client from SSH Communications Security is a commercial SSH client that has some nice features. As with the rest of the clients mentioned in this appendix, the Tectia Client can be used in conjunction with both OpenSSH and commercial SSH implementations.

Installing the Tectia Client is a straightforward process. Run the TectiaClient-4.x.x.xx.msi file where the x characters are replaced with the version of the client you are running. An installation wizard will begin. After accepting the license agreement, clicking Next and accepting the defaults will complete the installation. The SSH Tectia Client is shown in Figure A-22.

Connections can be saved in profiles inside of the client. Additionally, ad hoc connection setups can be created using the Quick Connect button. Once a connection is established to a remote system via the Quick Connect option, it can be saved into a profile. By default, the SSH Tectia Client will warn the user if it is making an SSH Protocol 1 connection.

After establishing a connection, the SSH Tectia Client has several very nice options.
If you find the need to have more than one connection open to a system, perhaps to edit source in one window and compile/run the source in another, the SSH Tectia Client has the ability to simply open new terminal connections without additional authentication. This is similar to the functionality of ControlMaster and ControlPath with the command-line OpenSSH ssh client. If you are connected to a system and need to transfer files to it, you can click the New File Transfer Window icon to create a new window with drag-and-drop file transfers, very similar to WinSCP or FileZilla.

Session options similar to those found in the ssh_config can be made for the entire SSH Tectia Client by clicking Edit ➤ Settings. Settings can also be made per connection profile, similar to a $HOME/.ssh/config file using the edit profiles option shown in Figure A-23. Most often, editing the Tunneling tab is enough to make this connectivity client very usable. Check the box for X11 forwarding if that is desired. Figure A-24 shows a configuration with a tunnel already created for Telnet to my remote system www via a localhost connection on port 12345.

Figure A-22. The SSH Tectia Client window

Figure A-23. Editing Profiles setting in the SSH Tectia Client

Figure A-24. Creating and removing tunnels is easy via the SSH Tectia Client.

Public key authentication is also very easy to set up, if you are using the SSH Tectia Server with the Tectia Client. Edit your settings once again, and generate a key. Then create a connection to a system running SSH Tectia Server. Once connected, click Settings ➤ Global Setting ➤ User Authentication ➤ Keys. Then click the Upload button. This will automatically upload your key, as shown in Figure A-25, and place it in the .ssh2 directory with proper permissions.
The next time a connection is attempted to the remote system, you should be prompted for a passphrase and connect via public key authentication. If you are utilizing OpenSSH private keys, the key can be converted to the SecSH format by using the OpenSSH utility ssh-keygen as in this example, run from a command line:

stahnma@rack:~> ssh-keygen -i -f .ssh2/SecSH_rsa

Figure A-25. Configuring the public key to be uploaded

The SSH Tectia Client can be a very useful utility, although your personal choice will ultimately come down to personal preference and price. I like certain features of PuTTY more than the SSH Tectia Client, such as the ability to create a full-screen session, and I like some features of the SSH Tectia Client more, such as multiple connections at the click of a button and the ease of tunneling. In the end, the choice for connectivity tools is yours.

■Tip The SSH Tectia Client also installs binaries for clients that can be used from the Windows command line. The connectivity binary is called ssh2.

Summary

There are several other options available, both freely and for purchase; however, the software packages introduced in this chapter seem to be the most popular. Improvements will be made on all of these clients over time, and new clients may be developed that leave these looking like legacy connectivity options. Connection tool choices are up to you. Remember that if you are using SSH, regardless of the connectivity tools, you are more secure than when you started.

APPENDIX B ■ OpenSSH on Windows

Information technology architects, integrators, and system administrators often require a multiplatform environment in order to most effectively do their jobs.
However, in today's computing world, many home networks and data centers alike rely on a blend of Microsoft Windows and UNIX/Linux platforms. As you learned in Appendix A, OpenSSH clients are available for the Windows operating system, making cross-platform communications a trivial matter. Sometimes, however, running an OpenSSH server on Windows can be quite convenient.

While other cross-platform communication solutions are available—Samba (http://www.samba.org), for instance—my experience has shown that such solutions require a UNIX administrator to have a wealth of Windows knowledge to make them work efficiently and securely. Thankfully, the SSH protocol works in the same manner regardless of what platform hosts the SSH daemon. This makes working with SSH on Windows systems easier because of the previous understanding of SSH that has been developed on UNIX systems.

OpenSSH via Cygwin

The official OpenSSH website does not offer an OpenSSH binary for Microsoft Windows. It does, however, provide a Cygwin (http://www.cygwin.com) implementation. There have been other attempts at porting OpenSSH to Windows, most of which are no longer maintained, but they relied on Cygwin in some respect.

Introduction to Cygwin

Cygwin provides a UNIX/Linux-type environment inside of a Windows system. It allows for installation of many common UNIX/Linux utilities, including OpenSSH, rsync, perl, bash, vi, and many more. The core of Cygwin is implemented as a Windows DLL file with other files included for support. Programs can then be compiled against the Cygwin DLL and libraries to work in a Cygwin environment. Traditional UNIX/Linux binaries will not run on Cygwin without recompiling them from their source inside the Cygwin environment.

Downloading and Installing Cygwin

The first step to installing Cygwin is of course to download it. The Cygwin package is a network-based installer that is only 280K. The installer has hundreds of packages that can be selected for installation.
To download the installer, click on a link to the Cygwin setup.exe file found throughout the Cygwin home page.

Figure B-1. Cygwin installation via a direct Internet connection

To install Cygwin, run the downloaded setup.exe file by double-clicking on it. The installer will ask if you would like to install from the Internet, download without installing the files, or install from local files. The default Install from Internet option, shown in Figure B-1, is fine for most situations.

Once the package metadata information has been downloaded, you will be presented with a screen that allows for package selection. There are hundreds of packages to choose from. If you are particularly fond of a package, feel free to install it, as it should not conflict with OpenSSH. OpenSSH is not installed by default. To install it, click the View button. The package selection view will then change to a full package listing. From there, navigate down to openssh under the Package heading, as shown in Figure B-2. The installation value will toggle if the Skip icon is clicked. Click it, and the OpenSSH version will appear. The dependencies for OpenSSH, such as zlib and OpenSSL, will automatically be selected.

Figure B-2. Cygwin package selection

Figure B-3. A bash shell launched from Cygwin

Click Next, and the package download will begin. This may require a considerable amount of time depending on network speed and the number of packages you selected.

■Tip The vi editor is not installed by default, and I find that to accomplish almost anything in a UNIX-type environment, an editor is required. You might want to install the editor of your choosing.

Once installed, click the Cygwin icon that has been placed on your Desktop or in the Start Menu. It will launch a bash shell session, as shown in Figure B-3.
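
Returning to the key conversion in the SSH Tectia Client section of Appendix A: ssh-keygen's -e option writes an OpenSSH key out in the SECSH public key format (RFC 4716), and -i reads a key in that format and prints the OpenSSH form. The Python below is an added illustration, not code from the book or from OpenSSH; it re-implements both directions for public keys only so the two layouts can be compared, and the sample key is constructed filler bytes, not a real key.

```python
import base64
import struct

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def ssh_string(data):
    # SSH wire encoding: 4-byte big-endian length, then the bytes
    return struct.pack(">I", len(data)) + data

# Constructed sample: a well-formed ssh-ed25519 blob over 32 filler bytes, not a real key
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_OPENSSH = "ssh-ed25519 %s stahnma@rack" % base64.b64encode(SAMPLE_BLOB).decode()

def key_type(blob):
    # The first field inside the key blob names the algorithm
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")

def openssh_to_secsh(line):
    # Export direction: "type base64 [comment]" one-liner -> RFC 4716 block
    algo, b64, *rest = line.split(None, 2)
    blob = base64.b64decode(b64, validate=True)
    if key_type(blob) != algo:
        raise ValueError("declared key type does not match the key blob")
    body = base64.b64encode(blob).decode()
    out = [BEGIN] + (['Comment: "%s"' % rest[0].strip()] if rest else [])
    out += [body[i:i + 70] for i in range(0, len(body), 70)]  # RFC 4716 caps lines at 72 bytes
    return "\n".join(out + [END]) + "\n"

def secsh_to_openssh(text):
    # Import direction: RFC 4716 block -> OpenSSH one-liner
    lines = [l.strip() for l in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing SSH2 public key markers")
    comment, body, i = "", [], 1
    while i < len(lines) - 1:
        line = lines[i]
        # Header lines contain ':'; a trailing backslash continues the header
        while ":" in line and line.endswith("\\") and i < len(lines) - 2:
            i += 1
            line = line[:-1] + lines[i]
        if ":" in line:
            tag, value = line.split(":", 1)
            if tag.lower() == "comment":
                comment = value.strip().strip('"')
        else:
            body.append(line)
        i += 1
    blob = base64.b64decode("".join(body), validate=True)
    return ("%s %s %s" % (key_type(blob), base64.b64encode(blob).decode(), comment)).strip()
```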

Date posted: 14/08/2014, 18:21

Table of contents

  • Pro OpenSSH

    • PART 4 Administration with OpenSSH

      • Appendix B

      • Index
