Fedora Linux

Last login: Tue Oct 25 23:13:40 2005 from london-office
$

The question about the authenticity of the remote host will be asked only the first time you connect. The fingerprint value displayed can be used to verify the identify of the remote host and ensure that you're not being conned by a computer located between you and the computer you're trying to connect to; if you're really paranoid, you can check this value, but for most normal applications this isn't necessary. The fingerprint is cached, though, so if it changes in the future you will be warned. It's necessary to type in yes to confirm that you want to continue connecting; y won't suffice.

Once you are connected to the remote machine, you can use the shell as you normally would.

4.10.1.1. Reducing the use of passwords

It's possible to configure ssh to enable you to connect from your account on one machine to your account on another machine using public-key cryptography instead of a password. Unfortunately, this means that if your account on one machine is compromised, your account on the other machine will be compromised, too; to prevent this, you can use a passphrase , a master password that you enter once per session that permits you to connect multiple times to remote systems without entering a password each time.

To set this up, enter these commands on the client machine (i.e., the machine from which you will be connecting to the remote host):

$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/chris/.ssh/id_dsa):
Enter
Enter passphrase (empty for no passphrase):
BigSecret
Enter same passphrase again:
BigSecret
Your identification has been saved in /home/chris/.ssh/id_dsa.
Your public key has been saved in /home/chris/.ssh/id_dsa.pub.
The key fingerprint is:
3a:f7:e8:88:59:fb:56:f7:0f:55:6b:fe:f6:ec:e2:2c chris@super
$ ssh jon@remoteMachine 'cat > ~/.ssh/authorized_keys' <~/.ssh/id_dsa.pub
jon@remoteMachine's password:
AnotherSecret

The entire SSH security model revolves around the fact that the private key is private. If you permit access to your private key, the security is completely compromised.

This generates a public key and installs it on the remote system. If you will be connecting to multiple host systems, distribute your key to all of the systems by repeating the previous ssh command for each host.

Once the public key is installed on the remote host, you can use the ssh-add command to enter your passphrase:

$ ssh-add
Enter passphrase for /home/jon/.ssh/id_dsa:
BigSecret
Identity added: /home/jon/.ssh/id_dsa (/home/jon/.ssh/id_dsa)

If you're not logged in to your Fedora system through the GUI, you will need to enter this command before using ssh-add:

$ eval $(ssh-agent)
Agent pid 15431

When you log in using the GUI, Fedora starts the ssh-agent program automatically. 

You can now connect to remote hosts without logging in:

$ ssh jon@remoteMachine
Last login: Wed Oct 26 00:20:29 2005 from toronto-office

If you wish to run just a single command, you can enter it on the ssh command line instead of logging in:

$ ssh jon@remoteMachine cal 3 1967
March 1967
Su Mo Tu We Th Fr Sa
          1  2  3  4
 5  6  7  8  9 10 11
12 13 14 15 16 17 18
19 20 21 22 23 24 25
26 27 28 29 30 31

4.10.1.2. Using graphical applications remotely

The -X option (uppercase) causes ssh to set up an encrypted tunnel for graphical X connections alongside the shell connection. This permits you to start graphical apps on the remote machine and display the output on the local machine (assuming that you're connecting from a graphical session):

$ ssh -C -X [email protected]
Last login: Wed Oct 26 00:31:42 2005 from parisoffice
$
oowriter

In order for this to work, the remote host must have X11Forwarding set to yes in its /etc/ssh/sshd_config file.

The -X option may cause remote X clients to be counted as untrusted from the point of view of the X server. This is perfect for most purposes, but if you want the remote client to be able to do screen captures (for example, if the remote application is the GIMP and you want to acquire a screenshot), substitute -Y for -X to configure the remote client as trusted.