CMPT 214 Programming Principles and Practice Lecture 18 PDF


University of Saskatchewan

2024

Noah Orensa

Tags

OpenSSH computer networking programming security

Summary

This document is a lecture on computer networking, covering the OpenSSH utilities and their configuration files. The lecture is part of a programming course offered at the University of Saskatchewan in Fall 2024. Topics include security and practical aspects of networking.

Full Transcript


Slide 1: CMPT 214 Programming Principles and Practice
Lecture 18: The OpenSSH utilities (and rsync) / BASH scripting (cont.)
Reading: Sobell: Chapter 16, 17
Original Slides: Noah Orensa. Modified by Jon Lovering/Lauresa Stilling/Alexander Dumais/Dwight Makaroff. CMPT 214 2024 Fall.

Slide 2: OpenSSH
- OpenSSH is a suite of secure network connectivity tools
- It replaces a number of older utilities (telnet, rcp, rsh, rlogin, and ftp)
- Unlike the tools they replace, OpenSSH tools encrypt all traffic, including passwords. In this way they can thwart attackers who attempt to eavesdrop, hijack connections, and steal passwords.

Slide 3: OpenSSH
- So far, you have used the ssh utility and others to log in on a remote system over a network
- The OpenSSH suite can be used to do a number of other interesting things:
  - forward a graphical user interface (GUI)
  - tunnel network ports
  - copy files
  - ...

Slide 4: OpenSSH: security
- The client contacts the OpenSSH server; first it establishes an encrypted connection and then authenticates the user
- When these two tasks are complete, OpenSSH allows the two systems to send information back and forth
- The first time an OpenSSH client connects with an OpenSSH server, OpenSSH asks you to verify that the client is connected to the correct server:

    The authenticity of host 'plum (192.168.206.181)' can't be established.
    ECDSA key fingerprint is af:18:e5:75:ea:97:f9:49:2b:9e:08:9d:01:f3:7b:d9.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'plum,192.168.206.181' (ECDSA) to the list of known hosts.
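The prompt above appears because ssh found no entry for the host in ~/.ssh/known_hosts; the next slide explains the man-in-the-middle risk that check guards against. The following added shell example (not from the lecture) emulates that lookup against a constructed known_hosts file and separates the three outcomes: a matching key, an unknown host, and a changed key, which is the case that should stop you. The key blobs, the host pear, and the function names are made up.

```shell
#!/bin/sh
# Added example (not from the lecture slides): emulate the lookup ssh performs in
# ~/.ssh/known_hosts before deciding whether to show the "authenticity of host ...
# can't be established" prompt. Key blobs here are CONSTRUCTED placeholders, not real keys.

# Constructed known_hosts content: "host[,host...] keytype base64-key" per line.
# (Hashed entries from HashKnownHosts and @cert-authority lines are not handled.)
KNOWN_HOSTS_SAMPLE='plum,192.168.206.181 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFakeKeyForPlum=
# comment and blank lines are ignored

tuxworld.usask.ca ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyForTuxworld'

# Write the sample to the path in $1 so it can be read like a real known_hosts file.
write_sample_known_hosts() { printf '%s\n' "$KNOWN_HOSTS_SAMPLE" > "$1"; }

# check_host_key FILE HOST KEYTYPE KEY
#   returns 0: HOST listed with this exact key      -> connect silently
#           1: HOST (or this key type) not listed  -> ssh shows the fingerprint prompt
#           2: HOST listed with a DIFFERENT key    -> possible MITM (or a rekeyed server)
check_host_key() {
    file=$1; host=$2; keytype=$3; key=$4; found=1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        set -- $line                      # $1=host list, $2=key type, $3=key blob
        case ",$1," in *",$host,"*) ;; *) continue ;; esac
        [ "$2" = "$keytype" ] || continue # another key type is not a conflict
        [ "$3" = "$key" ] && return 0
        found=2                           # same type, different key: the key changed
    done < "$file"
    return $found
}

# Demo: the three outcomes against the constructed file.
main() {
    tmp=$(mktemp); write_sample_known_hosts "$tmp"
    for q in \
        'plum ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFakeKeyForPlum=' \
        'pear ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFakeKeyForPlum=' \
        'plum ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBChangedKey='; do
        set -- $q; rc=0; check_host_key "$tmp" "$1" "$2" "$3" || rc=$?
        case $rc in
            0) echo "$1: known host, key matches" ;;
            1) echo "$1: unknown host, ssh would show the fingerprint prompt" ;;
            2) echo "$1: HOST KEY CHANGED ($2), verify out of band before continuing" ;;
        esac
    done
    rm -f "$tmp"
}
main "$@"
```

Return code 2 is the situation the slide warns about: the host is already known but presents a different key, so either the server was legitimately rekeyed or someone is sitting between you and it.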
Slide 5: OpenSSH: security
- This verification helps prevent an MITM (man-in-the-middle) attack
- If an attacker is able to impersonate some server (e.g., alter the IP address that a domain name like usask.ca resolves to), they will forward all traffic to the real server while eavesdropping on (and recording) the data being transmitted.
- However, that attacker will have a different IP (and fingerprint) than the real server, and you get the warning above.
- You also get this warning the first time you connect to a server. Before you respond to the preceding query, make sure you are logging in on the correct system and not on an imposter.

Slide 6: The OpenSSH suite
- ssh: Runs a command on or logs in on a remote system
- scp: Copies files to and from a remote system
- sftp: Copies files to and from a remote system (a secure replacement for ftp)
- sshd: The OpenSSH daemon (runs on the server)
- ssh-agent: Holds your private keys
- ssh-add: Adds a passphrase for a private key for use by ssh-agent
- ssh-copy-id: Appends your public key to ~/.ssh/authorized_keys on a remote system so you do not need a password to log in
- ssh-keygen: Creates, manages, and converts authentication keys

Slide 7: OpenSSH: an overview of configuration files
- OpenSSH clients and servers rely on many configuration files.
- Global configuration files are kept in /etc/ssh
- User configuration files are kept in ~/.ssh
- The following is an overview of the client and server configurations
  - both have global configurations and user configurations
  - no need to memorize the exact details

Slide 8: OpenSSH: server configuration files
- /etc/ssh/sshd_config: The main configuration file for the sshd server
- ~/.ssh/authorized_keys: Holds user public keys and enables a user to log in on or copy files to and from another system without supplying a user login password.
- ~/.ssh/environment: Contains assignment statements that define environment variables on a server when a user logs in using ssh.
- /etc/ssh/moduli: Contains key exchange information that OpenSSH uses to establish a secure connection. Do not modify this file.

Slide 9: OpenSSH: server configuration files
- /etc/ssh/ssh_host_xxx_key and /etc/ssh/ssh_host_xxx_key.pub: Hold the xxx host key pair, where xxx is dsa for DSA keys, ecdsa for ECDSA (elliptic curve digital signature algorithm) keys, ed25519 for ed25519 (a variant of ECDSA) keys, or rsa for RSA keys. Both files should be owned by root.
  - The ssh_host_xxx_key.pub public file should be readable by anyone but writable only by its owner (644 permissions).
  - The ssh_host_xxx_key private file should not be readable or writable by anyone except its owner (600 permissions).

Slide 10: OpenSSH: client configuration files
- /etc/ssh/ssh_config: The global OpenSSH client configuration file, set by the administrator
- ~/.ssh/config: A user's private OpenSSH configuration file. Entries here override those in /etc/ssh/ssh_config
- ~/.ssh/id_xxx and ~/.ssh/id_xxx.pub: Hold the user authentication keys generated by ssh-keygen
- /etc/ssh/moduli: Contains key exchange information that OpenSSH uses to establish a secure connection. Do not modify this file.

Slide 11: OpenSSH: client configuration files
- /etc/ssh/ssh_known_hosts: Holds the public keys of known hosts that users on the local system can connect to safely. This file contains information similar to that found in ~/.ssh/known_hosts but is set up by the administrator and is available to all users. This file should be owned by root and should be readable by anyone but writable only by its owner (644 permissions).
- ~/.ssh/known_hosts: Contains public keys of hosts the user has connected to. OpenSSH automatically adds entries each time the user connects to a new server.

Slide 12: The ssh (secure shell) utility
    ssh [options] [user@]host [command]
- The host can be a local system name, the name of a system on the Internet, or an IP address; it is the only required argument.
- With the command ssh host, you log in on the remote system host with the same username you are using on the local system
  - to specify a different username, use user@host
- When you include command, ssh logs in on host, executes command, closes the connection to host, and returns control to the local system.

Slide 13: The ssh utility: port forwarding
- You can forward arbitrary ports using the -L and -R options
- The -L option forwards a local port to a remote system, so a program that tries to connect to the forwarded port on the local system transparently connects to the remote system.
- The -R option does the reverse: it forwards remote ports to the local system.
- Generally, the -N option, which prevents ssh from executing remote commands, is used with -L and -R.
- An ssh command line using the -L or -R option has the format
    ssh -N -L|-R local-port:remote-host:remote-port target
  e.g., ssh -N -L 1550:pophost:110 pophost

Slide 14: The ssh utility: X11 forwarding
- When you turn on trusted X11 forwarding on an ssh client, you can run a graphical program over an ssh connection to a server that has X11 forwarding enabled.
- Run ssh (using either the -X or -Y option) from a terminal emulator and give an X11 command such as gnome-calculator; the graphical output appears on the local display
- Note: this doesn't work with the Windows ssh client
- Permits running something remotely. DON'T DO THIS ON TUXWORLD

Slide 15: The scp utility
- The scp (secure copy) utility copies ordinary and directory files from one system to another
  - both systems can be remote
- This utility uses ssh to transfer files and employs the same authentication mechanism as ssh
  - thus, it provides the same security as ssh

Slide 16: The scp utility
    scp [[user@]from-host:]source-file [[user@]to-host:][destination-file]
- from-host is the name of the system you are copying files from; to-host is the system you are copying to
- The from-host and to-host arguments can be local system names, remote systems on the Internet, or IP addresses.
- When you do not specify a host, scp assumes the local system.
- The user on either system defaults to the user on the local system who is giving the command
  - you can use user to specify a different user.
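To see how scp splits each argument into user, host and path under the syntax line above, and to run the permission checks the slides ask for before a copy, here is an added shell example (not part of the lecture); parse_spec, preflight and the host name plum are my own names and constructed values. It also handles the edge case the syntax implies: a local file whose name contains a colon is parsed as a remote host unless it is written with a leading ./ or /.

```shell
#!/bin/sh
# Added example (not from the lecture slides): parse a "[[user@]host:]path" argument the
# way the scp syntax line describes it, then run the local preflight the slides ask for
# (read permission on the source, write permission on the destination directory).
# Host names are made up; no network access is needed.

# parse_spec SPEC -> prints "user|host|path"; empty user/host means the local system.
# Rule used by scp: the argument is remote only if its first ':' comes before any '/'
# and is not the first character (so ./odd:name.txt is a local file).
parse_spec() {
    spec=$1 user='' host='' path=$1
    case $spec in *:*)
        prefix=${spec%%:*}
        case $prefix in ''|*/*) ;;            # leading ':' or a '/' before ':' -> local
            *) host=$prefix; path=${spec#*:}
               case $host in *@*) user=${host%%@*}; host=${host#*@} ;; esac ;;
        esac ;;
    esac
    printf '%s|%s|%s\n' "$user" "$host" "$path"
}

# preflight SOURCE DEST -> 0 when the local-side checks pass, 1 otherwise (reasons printed).
preflight() {
    src=$(parse_spec "$1"); dst=$(parse_spec "$2"); ok=0
    shost=${src#*|}; shost=${shost%%|*}; spath=${src##*|}
    dhost=${dst#*|}; dhost=${dhost%%|*}; dpath=${dst##*|}
    if [ -n "$shost" ] && [ -e "$1" ]; then
        echo "warning: '$1' exists locally but is parsed as remote host '$shost'; use ./$1"
    fi
    if [ -z "$shost" ] && [ ! -r "$spath" ]; then
        echo "no read permission (or no such file): $spath"; ok=1
    fi
    if [ -z "$dhost" ]; then                   # local destination: its directory must be writable
        dir=$dpath; [ -d "$dir" ] || dir=$(dirname "$dpath")
        [ -w "$dir" ] || { echo "no write permission on directory: $dir"; ok=1; }
    fi
    return $ok
}

# Demo on a constructed local file being sent to a made-up remote host.
demo=$(mktemp); preflight "$demo" 'alice@plum:backup/' && echo "ok: $demo -> alice@plum:backup/"; rm -f "$demo"
```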
Slide 17: The scp utility
- The source-file is the file you are copying, and the destination-file is the resulting copy.
- Make sure you have read permission for the file you are copying and write permission for the directory you are copying it into.
- You can specify plain or directory files as relative or absolute pathnames.
  - a relative pathname is relative to the specified directory or to the implicit user's home directory
- When the source-file is a directory, you must use the -r option to copy its contents.
- When the destination-file is a directory, each of the source files maintains its simple filename.
- When the destination-file is missing, scp assumes the user's home directory.

Slide 18: OpenSSH: man pages
ssh, scp, sftp, ssh-copy-id, ssh-keygen, ssh-agent, ssh-add, ssh_config, sshd, sshd_config

Slide 19: Tmux
- tmux, or "terminal multiplexer", is a tool that creates a terminal you can connect to and disconnect from
- This differs from ssh because the terminal is persistent and the programs it runs will stay alive
  - ensure that you don't leave these alive indefinitely

Slide 20: Tmux
- You can list running tmux sessions with tmux ls
- You can attach to a running session with tmux at -t followed by the session number
- You can detach from a session in tmux with d
- Lots more features: man tmux

Slide 21: The rsync utility
- The rsync (remote synchronization) utility copies an ordinary file or directory hierarchy locally or from the local system to or from another system on a network
- By default, rsync uses OpenSSH to transfer files and the same authentication mechanism as OpenSSH; it therefore provides the same security as OpenSSH

Slide 22: The rsync utility
    rsync [options] [[user@]from-host:]source-file [[user@]to-host:][destination-file]
- The syntax for rsync is similar to scp
- However, rsync is more powerful and flexible than scp
  - This is owed to the vast collection of options that can be used
- For example, the --delete option causes rsync to delete from destination-file files that are not in source-file
  - i.e., "synchronizing" the two directories

Slide 23: The rsync utility
- You can also use options to update only the files with newer timestamps
- The --dry-run and --verbose options report on what an rsync command would do, without rsync taking any action
- As usual, what is presented here is only a very brief introduction to the tool; full details can be found by using man rsync

Slide 24: Next
File I/O, system calls, and C library overview
Reading: Kochan: Chapter 15
