Using Secure Shell (Tasks)

Secure Shell provides secure access between a local shell and a remote shell. For more information, see the ssh_config(4) and ssh(1) man pages.

Using Secure Shell (Task Map)

The following task map points to user procedures for using Secure Shell.

Task	Description	For Instructions
Create a public/private key pair.	Enables access to Secure Shell for sites that require public-key authentication.	How to Generate a Public/Private Key Pair for Use With Secure Shell
Change your passphrase.	Changes the phrase that authenticates your private key.	How to Change the Passphrase for a Secure Shell Private Key
Log in with Secure Shell.	Provides encrypted Secure Shell communication when logging in remotely.	How to Log In to a Remote Host With Secure Shell
Log in to Secure Shell without being prompted for a password.	Enables login by using an agent which provides your password to Secure Shell.	How to Reduce Password Prompts in Secure Shell
Log in to Secure Shell as `root`.	Enables login as `root` for ZFS `send` and `receive` commands.	How to Remotely Administer ZFS With Secure Shell
Use port forwarding in Secure Shell.	Specifies a local port or a remote port to be used in a Secure Shell connection over TCP.	How to Use Port Forwarding in Secure Shell
Copy files with Secure Shell.	Securely copies files between hosts.	How to Copy Files With Secure Shell
Securely connect from a host inside a firewall to a host outside the firewall.	Uses Secure Shell commands that are compatible with HTTP or SOCKS5 to connect hosts that are separated by a firewall.	How to Set Up Default Secure Shell Connections to Hosts Outside a Firewall

How to Generate a Public/Private Key Pair for Use With Secure Shell

Users must generate a public/private key pair when their site implements host-based authentication or user public-key authentication. For additional options, see the ssh-keygen(1) man page.

Before You Begin

Determine from your system administrator if host-based authentication is configured.

Start the key generation program.
```
myLocalHost% ssh-keygen -t rsa
Generating public/private rsa key pair.
…
```
where -t is the type of algorithm, one of rsa, dsa, or rsa1.
Specify the path to the file that will hold the key.
By default, the file name id_rsa, which represents an RSA v2 key, appears in parentheses. You can select this file by pressing the Return key. Or, you can type an alternative file name.
```
Enter file in which to save the key (/home/jdoe/.ssh/id_rsa):<Press Return>
```
The file name of the public key is created automatically by appending the string .pub to the name of the private key file.
Type a passphrase for using your key.
This passphrase is used for encrypting your private key. A null entry is strongly discouraged. Note that the passphrase is not displayed when you type it in.
```
Enter passphrase (empty for no passphrase): <Type passphrase>
```

Retype the passphrase to confirm it.

Enter same passphrase again: <Type passphrase>
Your identification has been saved in /home/jdoe/.ssh/id_rsa.
Your public key has been saved in /home/jdoe/.ssh/id_rsa.pub.
The key fingerprint is:
0e:fb:3d:57:71:73:bf:58:b8:eb:f3:a3:aa:df:e0:d1 jdoe@myLocalHost

Check the results.
Check that the path to the key file is correct.
```
% ls ~/.ssh
id_rsa
id_rsa.pub
```
At this point, you have created a public/private key pair.
Choose the appropriate option:
- If your administrator has configured host-based authentication, you might need to copy the local host's public key to the remote host.
  You can now log in to the remote host. For details, see How to Log In to a Remote Host With Secure Shell.
  1. Type the command on one line with no backslash.
```
% cat /etc/ssh/ssh_host_dsa_key.pub | ssh RemoteHost \
'cat >> ~./ssh/known_hosts && echo "Host key copied"'
```
  2. When you are prompted, supply your login password.
```
Enter password: <Type password>
Host key copied
%
```
- If your site uses user authentication with public keys, populate your authorized_keys file on the remote host.
  1. Copy your public key to the remote host.
    Type the command on one line with no backslash.
```
myLocalHost% cat $HOME/.ssh/id_rsa.pub | ssh myRemoteHost \
'cat >> .ssh/authorized_keys && echo "Key copied"'
```
  2. When you are prompted, supply your login password.
    When the file is copied, the message “Key copied” is displayed.
```
Enter password: Type login password
Key copied
myLocalHost%
```
(Optional) Reduce the prompting for passphrases.
For a procedure, see How to Reduce Password Prompts in Secure Shell. For more information, see the ssh-agent(1) and ssh-add(1) man pages.

How to Change the Passphrase for a Secure Shell Private Key

The following procedure does not change the private key. The procedure changes the authentication mechanism for the private key, the passphrase. For more information, see the ssh-keygen(1) man page.

Change your passphrase.

Type the ssh-keygen command with the -p option, and answer the prompts.

myLocalHost% ssh-keygen -p
Enter file which contains the private key (/home/jdoe/.ssh/id_rsa):<Press Return>
Enter passphrase (empty for no passphrase): <Type passphrase>
Enter same passphrase again:   <Type passphrase>

where -p requests changing the passphrase of a private key file.

How to Log In to a Remote Host With Secure Shell

Start a Secure Shell session.

Type the ssh command, and specify the name of the remote host and your login.

myLocalHost% ssh myRemoteHost -l username

A prompt questions the authenticity of the remote host:

The authenticity of host 'myRemoteHost' can't be established.
RSA key fingerprint in md5 is: 04:9f:bd:fc:3d:3e:d2:e7:49:fd:6e:18:4f:9c:26
Are you sure you want to continue connecting(yes/no)?

This prompt is normal for initial connections to remote hosts.

If prompted, verify the authenticity of the remote host key.
- If you cannot confirm the authenticity of the remote host, type no and contact your system administrator.
```
Are you sure you want to continue connecting(yes/no)? no
```
  The administrator is responsible for updating the global /etc/ssh/ssh_known_hosts file. An updated ssh_known_hosts file prevents this prompt from appearing.
- If you confirm the authenticity of the remote host, answer the prompt and continue to the next step.
```
Are you sure you want to continue connecting(yes/no)? yes
```

Authenticate yourself to Secure Shell.

When prompted, type your passphrase.

Enter passphrase for key '/home/jdoe/.ssh/id_rsa': <Type passphrase>

When prompted, type your account password.

jdoe@myRemoteHost's password: <Type password>
Last login: Wed Sep  7 09:07:49 2011 from myLocalHost
Oracle Corporation      SunOS 5.11       September 2011
myRemoteHost%

Conduct transactions on the remote host.
The commands that you send are encrypted. Any responses that you receive are encrypted.
Close the Secure Shell connection.
When you are finished, type exit or use your usual method for exiting your shell.
```
myRemoteHost% exit
myRemoteHost% logout
Connection to myRemoteHost closed
myLocalHost%
```

Example 15-2 Displaying a Remote GUI in Secure Shell

In this example, jdoe is the initial user on both systems, so is assigned the Software Installation rights profile. jdoe wants to use the Package Manager GUI on the remote system. The default value of the X11Forwarding keyword is still yes, and the xauth package is installed on the remote system.

% ssh -l jdoe -X myRemoteHost
jdoe@myRemoteHost's password: <Type password>
Last login: Wed Sep  7 09:07:49 2011 from myLocalHost
Oracle Corporation      SunOS 5.11       September 2011
myRemoteHost% packagemanager &

How to Reduce Password Prompts in Secure Shell

If you do not want to type your passphrase and your password to use Secure Shell, you can use the agent daemon. Start the daemon at the beginning of the session. Then, store your private keys with the agent daemon by using the ssh-add command. If you have different accounts on different hosts, add the keys that you need for the session.

You can start the agent daemon manually when needed, as described in the following procedure.

Start the agent daemon.

myLocalHost% eval `ssh-agent`
Agent pid 9892

Verify that the agent daemon has been started.
```
myLocalHost% pgrep ssh-agent
9892
```

Add your private key to the agent daemon.

Type the ssh-add command.

myLocalHost% ssh-add
Enter passphrase for /home/jdoe/.ssh/id_rsa: <Type passphrase>
Identity added: /home/jdoe/.ssh/id_rsa(/home/jdoe/.ssh/id_rsa)
myLocalHost%

Start a Secure Shell session.
```
myLocalHost% ssh myRemoteHost -l jdoe
```
You are not prompted for a passphrase.

Example 15-3 Using ssh-add Options

In this example, jdoe adds two keys to the agent daemon. The -l option is used to list all keys that are stored in the daemon. At the end of the session, the -D option is used to remove all the keys from the agent daemon.

myLocalHost% ssh-agent
myLocalHost% ssh-add
Enter passphrase for /home/jdoe/.ssh/id_rsa: <Type passphrase>
Identity added: /home/jdoe/.ssh/id_rsa(/home/jdoe/.ssh/id_rsa)
myLocalHost% ssh-add /home/jdoe/.ssh/id_dsa
Enter passphrase for /home/jdoe/.ssh/id_dsa: <Type passphrase>
Identity added:
/home/jdoe/.ssh/id_dsa(/home/jdoe/.ssh/id_dsa)

myLocalHost% ssh-add -l
md5 1024 0e:fb:3d:53:71:77:bf:57:b8:eb:f7:a7:aa:df:e0:d1
/home/jdoe/.ssh/id_rsa(RSA)
md5 1024 c1:d3:21:5e:40:60:c5:73:d8:87:09:3a:fa:5f:32:53
/home/jdoe/.ssh/id_dsa(DSA)

User conducts Oracle Solaris Secure Shell transactions

myLocalHost% ssh-add -D
Identity removed:
/home/jdoe/.ssh/id_rsa(/home/jdoe/.ssh/id_rsa.pub)
/home/jdoe/.ssh/id_dsa(DSA)

How to Remotely Administer ZFS With Secure Shell

By default, the root role cannot log in remotely with Secure Shell. Historically, root has used Secure Shell for important tasks, such as sending ZFS pool data to storage on a remote system. In this procedure, the root role creates a user who can act as a remote ZFS administrator.

Before You Begin

You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights.

Create the user on the both systems.

For example, create the zfsroot user and provide a password.

source # useradd -c "Remote ZFS Administrator" -u 1201 -d /home/zfsroot zfsroot
source # passwd zfsroot
Enter password:
Retype password:
#

dest # useradd -c "Remote ZFS Administrator" -u 1201 -d /home/zfsroot zfsroot
dest # passwd zfsroot
...

The zfsroot user must be identically defined on both systems.

Create the user's key pair for Secure Shell authentication.

The key pair is created on the source system. Then, the public key is copied to the zfsroot user on the destination system.

Generate the key pair and put it in the file id_migrate.

# ssh-keygen -t rsa -P "" -f ~/id_migrate
Generating public/private rsa key pair.
Your identification has been saved in /root/id_migrate.
Your public key has been saved in /root/id_migrate.pub.
The key fingerprint is:
3c:7f:40:ef:ec:63:95:b9:23:a2:72:d5:ea:d1:61:f0 root@source

Send the public part of the key pair to the destination system.

# scp ~/id_migrate.pub zfsroot@dest:
The authenticity of host 'dest (10.134.76.126)' can't be established.
RSA key fingerprint is 44:37:ab:4e:b7:2f:2f:b8:5f:98:9d:e9:ed:6d:46:80.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'dest,10.134.76.126' (RSA) to the list of known hosts.
Password:
id_migrate.pub 100% |*****************************| 399 00:00

On both systems, assign the ZFS File Management rights profile to zfsroot.

source # usermod -P +'ZFS File System Management' -S files zfsroot
dest # usermod -P +'ZFS File System Management' -S files zfsroot

Verify that the destination system is assigned the rights profile.

dest # profiles zfsroot
zfsroot:
ZFS File System Management
Basic Solaris User
All

On the destination system, move the public part of the key pair to the private /home/zfsroot/.ssh directory.

root@dest # su - zfsroot
Oracle Corporation      SunOS 5.11      11.1    May 2012
zfsroot@dest $ mkdir -m 700 .ssh
zfsroot@dest $ cat id_migrate.pub >> .ssh/authorized_keys

Verify that the configuration works.

root@source# ssh -l zfsroot -i ~/id_migrate dest \
pfexec /usr/sbin/zfs snapshot zones@test
root@source# ssh -l zfsroot -i ~/id_migrate dest \
pfexec /usr/sbin/zfs destroy zones@test

(Optional) Verify that you can create a snapshot and replicate the data.

root@source# zfs snapshot -r rpool/zones@migrate-all
root@source#  zfs send -rc rpool/zones@migrate-all | \
ssh -l zfsroot -i ~/id_migrate dest pfexec /usr/sbin/zfs recv -F zones

(Optional) Remove the ability to use the zfsroot account for ZFS administration.

root@dest# usermod -P -'ZFS File System Management' zfsroot
root@dest#  su - zfsroot
zfsroot@dest#  cp .ssh/authorized_keys .ssh/authorized_keys.bak
zfsroot@dest#  grep -v root@source .ssh/authorized_keys.bak> .ssh/authorized_keys

How to Use Port Forwarding in Secure Shell

You can specify that a local port be forwarded to a remote host. Effectively, a socket is allocated to listen to the port on the local side. The connection from this port is made over a secure channel to the remote host. For example, you might specify port 143 to obtain email remotely with IMAP4. Similarly, a port can be specified on the remote side.

Before You Begin

To use port forwarding, the administrator must have enabled port forwarding on the remote Secure Shell server. For details, see How to Configure Port Forwarding in Secure Shell.

To use secure port forwarding, choose one of the following options:
- To set a local port to receive secure communication from a remote port, specify both ports.
  Specify the local port that listens for remote communication. Also, specify the remote host and the remote port that forward the communication.
```
myLocalHost% ssh -L localPort:remoteHost:remotePort 
```
- To set a remote port to receive a secure connection from a local port, specify both ports.
  Specify the remote port that listens for remote communication. Also, specify the local host and the local port that forward the communication.
```
myLocalHost% ssh -R remotePort:localhost:localPort
```

Example 15-4 Using Local Port Forwarding to Receive Mail

The following example demonstrates how you can use local port forwarding to receive mail securely from a remote server.

myLocalHost% ssh -L 9143:myRemoteHost:143 myRemoteHost

This command forwards connections from port 9143 on myLocalHost to port 143. Port 143 is the IMAP v2 server port on myRemoteHost. When the user launches a mail application, the user specifies the local port number for the IMAP server, as in localhost:9143.

Do not confuse localhost with myLocalHost. myLocalHost is a hypothetical host name. localhost is a keyword that identifies your local system.

Example 15-5 Using Remote Port Forwarding to Communicate Outside of a Firewall

This example demonstrates how a user in an enterprise environment can forward connections from a host on an external network to a host inside a corporate firewall.

myLocalHost% ssh -R 9022:myLocalHost:22 myOutsideHost

This command forwards connections from port 9022 on myOutsideHost to port 22, the sshd server, on the local host.

myOutsideHost% ssh -p 9022 localhost
myLocalHost%

How to Copy Files With Secure Shell

The following procedure shows how to use the scp command to copy encrypted files between hosts. You can copy encrypted files either between a local host and a remote host, or between two remote hosts. The scp command prompts for authentication. For more information, see the scp(1) man page.

You can also use the sftp secure file transfer program. For more information, see the sftp(1) man page. For an example, see Example 15-6.

Note - The audit service can audit sftp transactions through the ft audit class. For scp, the audit service can audit access and exit for the ssh session.

Start the secure copy program.
Specify the source file, the user name at the remote destination, and the destination directory.
```
myLocalHost% scp myfile.1 jdoe@myRemoteHost:~
```
Supply your passphrase when prompted.
```
Enter passphrase for key '/home/jdoe/.ssh/id_rsa': <Type passphrase>
myfile.1       25% |*******                      |    640 KB  0:20 ETA 
myfile.1 
```
After you type the passphrase, a progress meter is displayed. See the second line in the preceding output. The progress meter displays:
- The file name
- The percentage of the file that has been transferred
- A series of asterisks that indicate the percentage of the file that has been transferred
- The quantity of data transferred
- The estimated time of arrival, or ETA, of the complete file (that is, the remaining amount of time)

Example 15-6 Specifying a Port When Using the sftp Command

In this example, the user wants the sftp command to use a specific port. The user uses the -o option to specify the port.

% sftp -o port=2222 guest@RemoteFileServer

How to Set Up Default Secure Shell Connections to Hosts Outside a Firewall

You can use Secure Shell to make a connection from a host inside a firewall to a host outside the firewall. This task is done by specifying a proxy command for ssh either in a configuration file or as an option on the command line. For the command-line option, see Example 15-7.

In general, you can customize your ssh interactions through a configuration file.

You can customize either your own personal file in ~/.ssh/config.
Or, you can use the settings in the administrative configuration file, /etc/ssh/ssh_config.

The files can be customized with two types of proxy commands. One proxy command is for HTTP connections. The other proxy command is for SOCKS5 connections. For more information, see the ssh_config(4) man page.

Specify the proxy commands and hosts in a configuration file.
Use the following syntax to add as many lines as you need:
```
[Host outside-host]
ProxyCommand proxy-command [-h proxy-server] \
[-p proxy-port] outside-host|%h outside-port|%p
```
Host outside-host

Limits the proxy command specification to instances when a remote host name is specified on the command line. If you use a wildcard for outside-host, you apply the proxy command specification to a set of hosts.

proxy-command
Specifies the proxy command.

The command can be either of the following:
- /usr/lib/ssh/ssh-http-proxy-connect for HTTP connections
- /usr/lib/ssh/ssh-socks5-proxy-connect for SOCKS5 connections
-h proxy-server and -p proxy-port

These options specify a proxy server and a proxy port, respectively. If present, the proxies override any environment variables that specify proxy servers and proxy ports, such as HTTPPROXY, HTTPPROXYPORT, SOCKS5_PORT, SOCKS5_SERVER, and http_proxy. The http_proxy variable specifies a URL. If the options are not used, then the relevant environment variables must be set. For more information, see the ssh-socks5-proxy-connect(1) and ssh-http-proxy-connect(1) man pages.

outside-host

Designates a specific host to connect to. Use the %h substitution argument to specify the host on the command line.

outside-port

Designates a specific port to connect to. Use the %p substitution argument to specify the port on the command line. By specifying %h and %p without using the Host outside-host option, the proxy command is applied to the host argument whenever the ssh command is invoked.
Run Secure Shell, specifying the outside host.
For example, type the following:
```
myLocalHost% ssh myOutsideHost
```
This command looks for a proxy command specification for myOutsideHost in your personal configuration file. If the specification is not found, then the command looks in the system-wide configuration file, /etc/ssh/ssh_config. The proxy command is substituted for the ssh command.

Example 15-7 Connecting to Hosts Outside a Firewall From the Secure Shell Command Line

How to Set Up Default Secure Shell Connections to Hosts Outside a Firewall explains how to specify a proxy command in a configuration file. In this example, a proxy command is specified on the ssh command line.

% ssh -o'Proxycommand=/usr/lib/ssh/ssh-http-proxy-connect \
-h myProxyServer -p 8080 myOutsideHost 22' myOutsideHost

The -o option to the ssh command provides a command-line method of specifying a proxy command. This example command does the following:

Substitutes the HTTP proxy command for ssh
Uses port 8080 and myProxyServer as the proxy server
Connects to port 22 on myOutsideHost

Skip Navigation Links
Exit Print View
	Oracle Solaris 11.1 Administration: Security Services Oracle Solaris 11.1 Information Library