Configuring an OpenSSH Client

To connect to an OpenSSH server from a client machine, you must have the openssh-clients and openssh packages installed on the client machine.

Using the ssh Command

The ssh command is a secure replacement for the rlogin, rsh, and telnet commands. It allows you to log in to and execute commands on a remote machine.

Logging in to a remote machine with ssh is similar to using telnet. To log in to a remote machine named penguin.example.net, type the following command at a shell prompt:
ssh penguin.example.net
The first time you ssh to a remote machine, you will see a message similar to the following:
The authenticity of host 'penguin.example.net' can't be established.
DSA key fingerprint is 94:68:3a:3a:bc:f3:9a:9b:01:5d:b3:07:38:e2:11:0c.
Are you sure you want to continue connecting (yes/no)? 
Type yes to continue. This will add the server to your list of known hosts as seen in the following message:
Warning: Permanently added 'penguin.example.net' (DSA) to the list of known hosts.
Next, you'll see a prompt asking for your password for the remote machine. After entering your password, you will be at a shell prompt for the remote machine. If you use ssh without any command line options, the username that you are logged in as on the local client machine is passed to the remote machine. If you want to specify a different username, use the following command:
ssh -l username penguin.example.net
You can also use the syntax ssh username@penguin.example.net.

The ssh command can be used to execute a command on the remote machine without logging in to a shell prompt. The syntax is ssh hostname command. For example, if you want to execute the command ls /usr/share/doc on the remote machine penguin.example.net, type the following command at a shell prompt:
ssh penguin.example.net ls /usr/share/doc
After you enter the correct password, the contents of /usr/share/doc will be displayed, and you will return to your shell prompt.
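The "Are you sure you want to continue connecting" prompt shown above is the only point at which the client checks who it is talking to, so the fingerprint it prints should be compared with one obtained out of band (from the server administrator, not from the connection itself) before answering yes. The following shell functions are an added example, not part of the original guide: they compute the MD5 fingerprint in the form the prompt shows from a known_hosts entry and compare it with an expected value. They assume unhashed protocol 2 known_hosts lines (host[,host...] keytype base64) and GNU coreutils base64 and md5sum; the known_hosts content is a constructed sample, not a real key.

```shell
#!/bin/sh
# Added example, not from the original guide. Compares the MD5 fingerprint of a
# host key recorded in known_hosts with a value obtained out of band.
# Assumptions: unhashed protocol 2 known_hosts lines ("host[,host...] keytype base64"),
# GNU coreutils base64 and md5sum. The sample known_hosts below is constructed.

# md5_fingerprint BASE64BLOB: print the colon-separated MD5 fingerprint of a key
# blob, in the same form the "DSA key fingerprint is ..." prompt shows.
md5_fingerprint() {
    printf '%s' "$1" | base64 -d | md5sum | cut -d' ' -f1 | sed 's/../&:/g; s/:$//'
}

# known_host_key FILE HOST: print the base64 key blob recorded for HOST in FILE
# (first match only), or nothing if HOST has no entry.
known_host_key() {
    awk -v host="$2" '
        /^[[:space:]]*$/ { next }              # blank lines
        /^[[:space:]]*#/ { next }              # comments
        substr($1, 1, 3) == "|1|" { next }     # hashed entries cannot be matched by name
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == host) { print $3; exit }
        }' "$1"
}

# verify_known_host FILE HOST EXPECTED: succeed only if HOST is recorded in FILE
# and its fingerprint equals EXPECTED (the value you were given out of band).
verify_known_host() {
    key=$(known_host_key "$1" "$2")
    [ -n "$key" ] || { echo "no known_hosts entry for $2" >&2; return 1; }
    actual=$(md5_fingerprint "$key")
    if [ "$actual" = "$3" ]; then
        echo "OK: $2 $actual"
        return 0
    fi
    echo "MISMATCH for $2: expected $3, got $actual" >&2
    return 1
}

# Constructed sample: the "key" is merely base64("abc"), whose MD5 is the
# RFC 1321 test vector 900150983cd24fb0d6963f7d28e17f72.
SAMPLE_KNOWN_HOSTS=$(mktemp)
trap 'rm -f "$SAMPLE_KNOWN_HOSTS"' EXIT
cat > "$SAMPLE_KNOWN_HOSTS" <<'EOF'
# constructed sample, not a real host key
penguin.example.net,192.0.2.10 ssh-dss YWJj
|1|saltsalt=|hashhash= ssh-rsa YWJj
EOF
```

In practice the file to check is ~/.ssh/known_hosts after the first connection; a mismatch against the out-of-band value means the entry should be removed and the server contacted before connecting again.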

Using the scp Command

The scp command can be used to transfer files between machines over a secure, encrypted connection. It is similar to rcp.

The general syntax to transfer a local file to a remote system is scp localfile username@tohostname:/newfilename. The localfile specifies the source, and username@tohostname:/newfilename specifies the destination.

To transfer the local file shadowman to your account on penguin.example.net, type the following at a shell prompt (replace username with your username):
scp shadowman username@penguin.example.net:/home/username
This will transfer the local file shadowman to /home/username/shadowman on penguin.example.net.

The general syntax to transfer a remote file to the local system is scp username@tohostname:/remotefile /newlocalfile. The remotefile specifies the source, and newlocalfile specifies the destination.

Multiple files can be specified as the source files. For example, to transfer the contents of the directory /downloads to an existing directory called uploads on the remote machine penguin.example.net, type the following at a shell prompt:
scp /downloads/* username@penguin.example.net:/uploads/

Using the sftp Command

The sftp utility can be used to open a secure, interactive FTP session. It is similar to ftp except that it uses a secure, encrypted connection. The general syntax is sftp username@hostname.com. Once authenticated, you can use a set of commands similar to using FTP. Refer to the sftp manual page for a list of these commands. To read the manual page, execute the command man sftp at a shell prompt. The sftp utility is only available in OpenSSH version 2.5.0p1 and higher.

Generating Key Pairs

If you do not want to enter your password every time you ssh, scp, or sftp to a remote machine, you can generate an authorization key pair.

Note: Separate Authorization Key Pairs

You must have separate authorization key pairs for SSH Protocol 1 (RSA) and SSH Protocol 2 (DSA).

Warning: Each User Needs Their Own Key Pair

Keys must be generated for each user. To generate keys for a user, follow these steps as the user who wants to connect to remote machines. If you complete them as root, only root will be able to use the keys.

Generating a DSA Key Pair

Use the following steps to generate a DSA key pair. DSA is used by SSH Protocol 2.

  1. To generate a DSA key pair to work with version 2 of the protocol, type the following command at a shell prompt:

    ssh-keygen -t dsa

    Accept the default file location of ~/.ssh/id_dsa. Enter a passphrase different from your account password and confirm it by entering it again. [1]

    Tip: What is a Passphrase?

    A passphrase is a string of words and characters used to authenticate a user. Passphrases differ from passwords in that you can use spaces or tabs in the passphrase. Passphrases are generally longer than passwords because they are usually phrases instead of just a word.

  2. Change the permissions of your .ssh directory using the command chmod 755 ~/.ssh.

  3. Copy the contents of ~/.ssh/id_dsa.pub to ~/.ssh/authorized_keys2 on the machine to which you want to connect. If the file ~/.ssh/authorized_keys2 doesn't exist, you can copy the file ~/.ssh/id_dsa.pub to the file ~/.ssh/authorized_keys2 on the other machine.[1]

  4. If you are running GNOME, skip to the section called Configuring ssh-agent with GNOME. If you are not running the X Window System, skip to the section called Configuring ssh-agent.

Generating an RSA Key Pair for Version 2

Use the following steps to generate an RSA key pair for version 2 of the SSH protocol. This is the default starting with OpenSSH 2.9.

  1. To generate an RSA key pair to work with version 2 of the protocol, type the following command at a shell prompt:

    ssh-keygen -t rsa

    Accept the default file location of ~/.ssh/id_rsa. Enter a passphrase different from your account password and confirm it by entering it again. [1]

  2. Change the permissions of your .ssh directory using the command chmod 755 ~/.ssh.

  3. Copy the contents of ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys2 on the machine to which you want to connect. If the file ~/.ssh/authorized_keys2 doesn't exist, you can copy the file ~/.ssh/id_rsa.pub to the file ~/.ssh/authorized_keys2 on the other machine.[1]

  4. If you are running GNOME, skip to the section called Configuring ssh-agent with GNOME. If you are not running the X Window System, skip to the section called Configuring ssh-agent.

Generating an RSA Key Pair for Version 1.3 and 1.5

Use the following steps to generate an RSA key pair, which is used by version 1 of the SSH Protocol. If you are only connecting between Red Hat Linux 7.2 systems, you do not need an RSA key pair.

  1. To generate an RSA (for version 1.3 and 1.5 protocol) key pair, type the following command at a shell prompt:

    ssh-keygen

    Accept the default file location (~/.ssh/identity). Enter a passphrase different from your account password. Confirm the passphrase by entering it again.

  2. Change the permissions of your .ssh directory and your keys with the commands chmod 755 ~/.ssh and chmod 644 ~/.ssh/identity.pub.

  3. Copy the contents of ~/.ssh/identity.pub to the file ~/.ssh/authorized_keys on the machine to which you wish to connect. If the file ~/.ssh/authorized_keys doesn't exist, you can copy the file ~/.ssh/identity.pub to the file ~/.ssh/authorized_keys on the remote machine. [1]

  4. If you are running GNOME, skip to the section called Configuring ssh-agent with GNOME. If you are not running GNOME, skip to the section called Configuring ssh-agent.
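Step 3 of each of the three procedures above amounts to appending one public-key line to the authorized_keys file on the remote machine, and step 2 sets the directory permissions sshd will accept. The following shell function is an added example, not part of the original guide: it performs that installation idempotently, refuses anything that is not a single public-key line (so a private key cannot be copied by mistake), and sets 700/600 permissions, which are stricter than the chmod 755 in step 2 but equally satisfy sshd's StrictModes check. It assumes the target file name is passed in (authorized_keys2 for the protocol 2 keys, authorized_keys for protocol 1); the sample key in the comments is constructed.

```shell
#!/bin/sh
# Added example, not from the original guide. Installs a public key into the
# authorized_keys file the way step 3 of the procedures above describes, but
# idempotently and with permissions sshd's StrictModes accepts. Assumptions:
# the file name is passed in (authorized_keys2 for the protocol 2 keys above,
# authorized_keys for protocol 1); 700/600 are stricter than the 755 in step 2,
# and both pass the StrictModes check. Sample keys used with it are constructed.

# install_pubkey PUBKEY_FILE HOME_DIR AUTH_FILE_NAME
# Prints "added" or "already present"; fails on anything that is not a single
# public-key line.
install_pubkey() {
    pub=$1
    sshdir=$2/.ssh
    auth=$sshdir/$3
    [ -r "$pub" ] || { echo "$pub: not readable" >&2; return 1; }
    # never let private-key material into authorized_keys
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub: looks like a private key, refusing" >&2
        return 1
    fi
    # a .pub file holds exactly one line: "keytype base64 [comment]"
    # (or "bits exponent modulus [comment]" for a protocol 1 identity.pub)
    [ "$(wc -l < "$pub")" -le 1 ] || { echo "$pub: expected a single key line" >&2; return 1; }
    key=$(head -n 1 "$pub")
    set -- $key
    [ $# -ge 2 ] || { echo "$pub: malformed key line" >&2; return 1; }
    # StrictModes rejects a group- or world-writable .ssh or authorized_keys
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"
    # exact whole-line match, so a key is never appended twice
    if grep -qxF -- "$key" "$auth"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$key" >> "$auth"
    echo "added"
}
```

Run on the remote machine as the user who will log in, with the .pub file copied over by scp as described above; the home directory argument is normally $HOME.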

Configuring ssh-agent with GNOME

The ssh-agent utility can be used to save your passphrase so that you do not have to enter it each time you initiate an ssh or scp connection. If you are using GNOME, the openssh-askpass-gnome utility can be used to prompt you for your passphrase when you log in to GNOME and save it until you log out of GNOME. You will not have to enter your password or passphrase for any ssh or scp connection made during that GNOME session. If you are not using GNOME, refer to the section called Configuring ssh-agent.

To save your passphrase during your GNOME session, follow these steps:

  1. You'll need to have the package openssh-askpass-gnome installed; you can use the command rpm -q openssh-askpass-gnome to determine if it is installed or not. If it is not installed, install it from your Red Hat CD-ROM set, from a Red Hat FTP mirror site, or using Red Hat Network.

  2. If you do not have an ~/.Xclients file, you can run switchdesk to create it. In your ~/.Xclients file, edit the following line:
    exec $HOME/.Xclients-default
    Change the line so that it instead reads:
    exec /usr/bin/ssh-agent $HOME/.Xclients-default

  3. Open the GNOME Control Center (GNOME Main Menu Button => Programs => Settings => GNOME Control Center) and go to Session => Startup Programs. Click Add and enter /usr/bin/ssh-add in the Startup Command text area. Set its priority to a number higher than that of any existing command to ensure that it is executed last. A good priority number for ssh-add is 70 or higher. The higher the priority number, the lower the priority. If you have other programs listed, this one should have the lowest priority. Click OK to save your settings, and exit the GNOME Control Center.

  4. Log out and then log back into GNOME; in other words, restart X. After GNOME is started, a dialog box will appear prompting you for your passphrase(s). Enter the passphrase requested. If you have both DSA and RSA key pairs configured, you will be prompted for both. From this point on, you should not be prompted for a password by ssh, scp, or sftp.

Configuring ssh-agent

The ssh-agent can be used to store your passphrase so that you do not have to enter it each time you make an ssh or scp connection. If you are not running the X Window System, follow these steps from a shell prompt. If you are running GNOME but do not want to configure it to prompt you for your passphrase when you log in (see the section called Configuring ssh-agent with GNOME), or if you are running X but not GNOME, this procedure will work in a terminal window, such as an xterm. However, your passphrase will only be remembered for that terminal window; it is not a global setting.

  1. At a shell prompt, type the following command:
    exec /usr/bin/ssh-agent $SHELL
    Then type the command
    ssh-add
    and enter your passphrase(s). If you have both DSA and RSA key pairs configured, you will be prompted for both.

  2. When you log out, your passphrase will be forgotten. You must execute these two commands each time you log in to a virtual console or open a terminal window.
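Because exec ssh-agent $SHELL starts a separate agent for every terminal window, the passphrase has to be entered again in each one, as step 2 notes. The following login-profile fragment is an added example, not part of the original guide: it starts one agent per login, caches the agent's environment in a file readable only by the user, and has later terminals reuse that agent if its socket is still alive. It assumes ssh-agent and ssh-add are in PATH; the cache file path ~/.ssh/agent.env is my choice, not something the guide specifies.

```shell
#!/bin/sh
# Added example, not from the original guide. A login-profile fragment that starts
# one ssh-agent per login and reuses it from later terminals by caching the
# agent's environment, instead of exec'ing a fresh agent in every window as
# step 1 above does. Assumptions: ssh-agent and ssh-add are in PATH; the cache
# file path (~/.ssh/agent.env) is my choice, not something the guide specifies.

AGENT_ENV=${AGENT_ENV:-$HOME/.ssh/agent.env}

# agent_alive: succeed if SSH_AUTH_SOCK points at a live unix socket
agent_alive() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# load_agent_env FILE: source a cached "ssh-agent -s" environment and succeed
# only if it still refers to a live agent socket (stale files are harmless)
load_agent_env() {
    [ -r "$1" ] || return 1
    . "$1" >/dev/null
    agent_alive
}

# ensure_agent: reuse a live agent if one is reachable, otherwise start one,
# cache its environment with private permissions, and load the keys once.
# Call this from ~/.bash_profile (or ~/.profile) instead of step 1 above.
ensure_agent() {
    agent_alive && return 0
    load_agent_env "$AGENT_ENV" && return 0
    command -v ssh-agent >/dev/null 2>&1 || { echo "ssh-agent not found" >&2; return 1; }
    mkdir -p "$(dirname "$AGENT_ENV")"
    # umask in a subshell so only this file gets mode 600 and the shell's umask is untouched
    (umask 077; ssh-agent -s > "$AGENT_ENV")
    . "$AGENT_ENV" >/dev/null
    ssh-add
}
```

The agent still dies when the login session ends, so the passphrase is requested once per login rather than once per window; nothing here makes it survive a logout.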

Notes

[1]

The ~ stands for the home directory of the currently logged in user. See the Official Red Hat Linux Getting Started Guide for more details.