SSH

Last modified by Yunhao Wu on 2024/04/18 13:40

SSH Access


0. Fingerprints

A key fingerprint for SSH is a hash of the host's public key and is used to verify and identify the server. This can be used, for example, to check whether a host has changed (e.g. if the DNS server has been hacked and lxhalle.in.tum.de would suddenly point to a malicious server).

The ECDSA keys have been deactivated for security reasons.

lxhalle.in.tum.de

The following table lists the fingerprints for lxhalle.in.tum.de.

lxhalle        MD5-Fingerprint                                      SHA256-Fingerprint
Ed25519        MD5:f8:73:a4:f9:47:8e:a2:ba:11:59:19:35:bf:d6:c7:c4  SHA256:dSj0mkyuOXEdpKGGJmXkvhDnvbjGmGCYQXA0pV8Pe4s
RSA            MD5:4b:84:7e:c4:cf:b7:ff:fb:eb:d0:0c:7b:c3:97:05:54  SHA256:xJrFkhNs9pwibJFZZB5LvcrltWxfAIovk/UjKAXkIW4

These fingerprints were last verified on 04.04.2019.

ssh.ma.tum.de

The following table lists the fingerprints for ssh.ma.tum.de.

ssh.ma.tum.de  MD5-Fingerprint                                      SHA256-Fingerprint
Ed25519        MD5:70:5d:b8:5f:51:69:60:07:22:a4:45:65:7b:c5:99:b9  SHA256:EbNhVTkW+74PX0tQNb9bai0HXAVcQLC9lOeS+BgatPM
RSA            MD5:f0:07:65:2b:45:83:19:15:d9:fa:96:e4:5e:bc:8c:43  SHA256:4J5P9HV9KrmMS6aKWYukNjVpaSFBrea2iQvXZOCQ7sQ

1. OpenSSH

SSH (Secure Shell) is a tool for secure system administration, file transfer and other communication via the Internet or another untrusted network. It encrypts identities, passwords and transmitted data so that they cannot be intercepted and stolen. OpenSSH is an open source implementation of the SSH protocol.

OpenSSH comes with the following tools:

  • SSH (Secure Shell Client, login on a remote system, setting up tunnels)
  • SCP (Secure Copy Protocol, cp over an SSH tunnel)
  • SFTP (Secure File Transfer Protocol, ftp over an SSH tunnel)
  • ssh-add, ssh-keysign, ssh-keyscan, ssh-keygen and ssh-agent (key management)
  • sshd (SSH Server)
  • sftp-server (SFTP Server)

On Linux and macOS, OpenSSH is usually preinstalled, and there is also an implementation for Windows, which has shipped with Windows 10 since the “Windows 10 Fall Creators Update”.

Since then it can be enabled under Programs and Features, and since about April 2018 it should be enabled by default if the system is fully up to date.

1.1. SSH connection with password

Open a terminal (macOS / Linux) or PowerShell (Windows). There you can use

$> ssh CIT-username@hostname

to establish an SSH connection.

In our case, for example:

$> ssh musterma@lxhalle.in.tum.de

$> ssh musterma@ssh.ma.tum.de

If the server is unknown, i.e. the connection is being established for the first time or the known_hosts file has been deleted, confirmation of the server's public key fingerprint is required.

> The authenticity of host '<server> (<serverip>)' can't be established.
> ECDSA key fingerprint is <server fingerprint>
> Are you sure you want to continue connecting (yes/no)?

If the fingerprint matches the one published for the server (see section 0), the query can be confirmed. You will then be asked for your password and should be logged in to the server.
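How the fingerprints from section 0 are derived and compared, as an added example that is not part of the original page: both notations are hashes of the base64-decoded key blob in a `host keytype base64` line. The sample key is constructed (it is not the real lxhalle key); the pinned values are the lxhalle.in.tum.de SHA256 fingerprints published above, and all function names are assumptions of this example.

```python
import base64
import hashlib
import struct

# SHA256 fingerprints published for lxhalle.in.tum.de in section 0 of this page.
PINNED = {
    "ssh-ed25519": "SHA256:dSj0mkyuOXEdpKGGJmXkvhDnvbjGmGCYQXA0pV8Pe4s",
    "ssh-rsa": "SHA256:xJrFkhNs9pwibJFZZB5LvcrltWxfAIovk/UjKAXkIW4",
}

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed byte string as used inside SSH key blobs."""
    return struct.pack(">I", len(data)) + data

# Constructed sample (NOT the real server key): an Ed25519 blob of 32 fixed bytes.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "lxhalle.in.tum.de ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()

def parse_line(line: str):
    """Split a 'host keytype base64' line and check the blob names the same type."""
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type field does not match key blob")
    return host, keytype, blob

def fingerprints(blob: bytes):
    """Return (SHA256, MD5) fingerprints in the notation OpenSSH prints."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return "SHA256:" + sha, "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2))

def verify(line: str, pinned: dict) -> bool:
    """True only if the offered key hashes to the fingerprint pinned for its type."""
    _, keytype, blob = parse_line(line)
    expected = pinned.get(keytype)  # unlisted types (e.g. ECDSA) are never accepted
    return expected is not None and fingerprints(blob)[0] == expected

if __name__ == "__main__":
    sha, md5 = fingerprints(parse_line(SAMPLE_LINE)[2])
    print(sha, md5)
    print("matches published fingerprint:", verify(SAMPLE_LINE, PINNED))
```

Lines printed by ssh-keyscan carry the same host, key type and base64 fields that parse_line expects.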

1.2. SSH connection without password (OpenSSH configuration)

The OpenSSH configuration files can be used to create aliases for SSH hosts and set options, among other things. More information can be found at https://www.ssh.com/ssh/config/

If the OpenSSH configuration file does not exist yet, you can create it with

touch ~/.ssh/config

Then open the configuration file (config) with a text editor, e.g. vi or vim in the terminal.

vim ~/.ssh/config

An example host entry looks like this:

[Image: 1677665498294-467.png]

To establish an SSH connection to the lxhalle without a password, you need a configuration file like the one below

[Image: 1677665518714-502.png]
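A host entry for key-based login to the lxhalle, as an added example that is not taken from the original page. The alias lxhalle and the key path ~/.ssh/id_rsa_lxhalle are assumptions; musterma is the sample user name used above.

```sshconfig
# ~/.ssh/config (added example; alias and key path are assumptions)
Host lxhalle
    HostName lxhalle.in.tum.de
    User musterma
    # Private key whose public half is installed on the server (section 1.3.2)
    IdentityFile ~/.ssh/id_rsa_lxhalle
    # Offer only this key instead of every key loaded in ssh-agent
    IdentitiesOnly yes
    # ECDSA host keys are deactivated on the server: accept Ed25519 or RSA only
    HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
```

With this entry, ssh lxhalle connects using the key; the host key fingerprint shown on first connection still has to be compared with the table in section 0.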

1.3. SSH Key

1.3.1. Generate key pair (private and public)

To generate an SSH key, execute the following command.

ssh-keygen -t rsa -b 4096

-b sets the number of bits, which determines the length of the key.

-t sets the type of key.

When you run this command, you will be asked for a path where the generated key should be stored.

$> ssh-keygen -t rsa -b 4096
> Generating public/private rsa key pair.
> Enter file in which to save the key (/home/"$USER"/.ssh/id_rsa): <path_to_directory_to_store_key>
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Your identification has been saved in <path>
> Your public key has been saved in <path>
> The key fingerprint is:
> SHA256:LtcxHv0vIgzbV/udUgBLQQ8ayBl10DzwLP0LtUC97mQ <username>@<hostname>
> The key's randomart image is:
> +---[RSA 2048]----+
> | ..==**o |
> | + O*o. |
> | o.=+o. |
> | .o+o. |
> | S +.oo. |
> | ..o +.Eo. |
> | . o=o +oo. |
> | o. + ooo.o|
> | o ..++|
> +----[SHA256]-----+

1.3.2. Transfer public key to server

The public key must be transferred to the server. This can usually be done simply via ssh-copy-id.

$> ssh-copy-id ITO-username@hostname
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: <path_to_directory_where_key_is_stored>
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@hostname password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'username@hostname'"
and check to make sure that only the key(s) you wanted were added.

The key should now be installed on the server as an authorized key, and a login with the following command (PfadZumKeyfile stands for the path to your private key file)

ssh -i PfadZumKeyfile username@hostname

should be possible. Alternatively, you can enter the identity file as specified above in the SSH configuration and connect with ssh alias.

1.3.3. SSH-Keygen Manpages

If you execute the following command in the terminal, you can find out more about SSH-Keygen

$> ssh-keygen man

usage: ssh-keygen [-q] [-b bits] [-C comment] [-f output_keyfile] [-m format]
                  [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]
                  [-N new_passphrase] [-O option] [-w provider]
       ssh-keygen -p [-f keyfile] [-m format] [-N new_passphrase]
                   [-P old_passphrase]
       ssh-keygen -i [-f input_keyfile] [-m key_format]
       ssh-keygen -e [-f input_keyfile] [-m key_format]
       ssh-keygen -y [-f input_keyfile]
       ssh-keygen -c [-C comment] [-f keyfile] [-P passphrase]
       ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]
       ssh-keygen -B [-f input_keyfile]
       ssh-keygen -D pkcs11
       ssh-keygen -F hostname [-lv] [-f known_hosts_file]
       ssh-keygen -H [-f known_hosts_file]
       ssh-keygen -K [-w provider]
       ssh-keygen -R hostname [-f known_hosts_file]
       ssh-keygen -r hostname [-g] [-f input_keyfile]
       ssh-keygen -M generate [-O option] output_file
       ssh-keygen -M screen [-f input_file] [-O option] output_file
       ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider]
                  [-n principals] [-O option] [-V validity_interval]
                  [-z serial_number] file ...
       ssh-keygen -L [-f input_keyfile]
       ssh-keygen -A [-f prefix_path]
       ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]
                  file ...
       ssh-keygen -Q -f krl_file file ...
       ssh-keygen -Y find-principals -s signature_file -f allowed_signers_file
       ssh-keygen -Y check-novalidate -n namespace -s signature_file
       ssh-keygen -Y sign -f key_file -n namespace file ...
       ssh-keygen -Y verify -f allowed_signers_file -I signer_identity
             -n namespace -s signature_file [-r revocation_file]

1.4. File transfer with SFTP

The Secure File Transfer Protocol (SFTP) can be used to transfer data to or from a remote system.

$> sftp
usage: sftp [-46aCfpqrv] [-B buffer_size] [-b batchfile] [-c cipher]
          [-D sftp_server_path] [-F ssh_config] [-i identity_file]
          [-J destination] [-l limit] [-o ssh_option] [-P port]
          [-R num_requests] [-S program] [-s subsystem | sftp_server]
          destination

You can simply use the sftp tool supplied with the OpenSSH implementation. Simply enter sftp in the terminal/powershell. The parameters are analogous to the ssh command, except that some flags are missing, such as X11 forwarding. You can also use the hosts defined in the SSH-Config.

For example:

 $> sftp CIT-username@lxhalle.in.tum.de 

You can now use interactive commands (e.g. ls, cd) to navigate to the desired files or location in the file system, and get/put to download or upload files or folders (specify the -r flag so that a folder is transferred recursively).

More about the SFTP tool of the OpenSSH implementation can be found in the Manual.


1.5. X11 Forwarding

On most Linux systems, the X Window System is used to display a graphical user interface. The current version is X version 11, or X11 for short. With X11 Forwarding, you can start an application on a remote system and have its graphical display shown on a local X11 server.

To be able to use X11 Forwarding, you only need to set the X11 Forwarding flag in the ssh command (i.e. simply add an -X). Alternatively, you can also activate X11 forwarding in the SSH config.

On most Linux systems with a graphical user interface, an X11 server should be supplied by default, otherwise you will have to install it from the package sources (e.g. pacman -S xorg or apt install xorg).

Since Mac OS X 10.5 you need additional libraries. More details on the Apple page: Information about X11 for Mac.

An X11 server is also required under Windows. Under Windows 10, the Linux subsystem for Windows can be used for this (see below for setup). Inside this Linux environment it works just as on native Linux: simply install the corresponding xorg package and start the xorg server.

2. Remote Desktop

[Image: Screenshot (28)ed.png]

Enter lxhalle.in.tum.de as the server name for the computer and click Connect.

[Image: Screenshot (29)ed.png]

Click Yes.

[Image: 30ed.png]

Enter CIT ID and password, click OK.

[Image: Screenshot (31)ed.png]

3. Linux Subsystem for Windows 10

You can also install a Linux subsystem on Windows 10 that integrates into the Windows kernel and the Windows file system. It is a complete Linux that runs in the Windows kernel.

3.1. Install

Open the Quick Link menu with the Windows logo key + X or by right-clicking the Windows logo, and open Windows PowerShell (Administrator):

[Image: linux00.png]

User Account Control will now ask for administrator permissions:

[Image: linux01.png]

Enter the following command and run it:

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux

If the feature is not found, the system is probably not up to date and should be updated.

[Image: linux02.png]

[Image: linux03.png]

After completing the feature activation, restart the computer.

[Image: linux04.png]

After restarting the computer, open the Microsoft Store (e.g.: open the Start menu and search for Microsoft Store).

[Image: linux05.png]

Now search for Ubuntu in the Microsoft Store. Alternatively, there are OpenSUSE Leap, SUSE Linux Enterprise Server, Debian and Kali subsystems for Windows, which can also be used and installed via the Microsoft Store.

[Image: linux06.png]

Then click Download to install the selected subsystem.

[Image: linux07.png]

After completing the installation, start the subsystem (this can also be done via the Start menu, e.g. simply search for Ubuntu).

[Image: linux08.png]

The subsystem is now set up at the first start. This will take some time.

[Image: linux09.png]

To complete the setup, you will be asked for a user name and password for the Linux subsystem. You can choose freely here and should choose a secure password.

[Image: linux10.png]

3.2. Configuration

OpenSSH can now be used as under Linux.

[Image: linux11.png]

[Image: linux12.png]

[Image: linux13.png]