Showing posts with label linux. Show all posts

Monday, September 12, 2011

Using openSSH

Ssh/scp is more secure than telnet/rsh/rcp due to encryption and server verification through certificates. In this post we will discuss three issues: how to verify that you are connecting to the genuine server, how to create new keys in case your keys have been compromised, and a handy method to use ssh/scp without a password.

1. How to verify a server connection
The first time you connect to a server using ssh, you will be asked to verify the public key of the server:
> ssh auser@aserver
The authenticity of host 'aserver (ip address)' can't be established.
RSA key fingerprint is bla:16:ee:ec:0b:19:5e:0b:33:c7:9f:ef:bla:bla:bla
Are you sure you want to continue connecting (yes/no)?

Once you say yes, the public key will be saved in your ~/.ssh/known_hosts file. Bear in mind the man-in-the-middle attack: how can you be sure that you are communicating with the genuine server? One way to check is to compare the fingerprint of the server's public key with the fingerprint shown above. The server's public key is located in the /etc/ssh/ssh_host_algorithm_key.pub file on the server. Having this file (perhaps mailed by the admin of the server), you can generate the fingerprint using 'ssh-keygen -l -f public_key_file' and compare the value with the fingerprint above.
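What 'ssh-keygen -l' computes, as an added Python example that is not from the original post: the fingerprint is a hash of the decoded key blob, shown as colon-separated MD5 hex (the style in the prompt above) or as SHA256 base64 in newer OpenSSH releases. The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed field, the building block of an SSH key blob."""
    return struct.pack(">I", len(data)) + data

def parse_public_key(line: str) -> tuple[str, bytes]:
    """Split '<type> <base64> [comment]' into (key type, decoded key blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob repeats the key type as its first field; both must agree.
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return key_type, blob

def fingerprints(line: str) -> dict[str, str]:
    """Both fingerprint styles ssh may display: legacy MD5 hex and SHA256."""
    _, blob = parse_public_key(line)
    md5 = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}

def matches_prompt(line: str, shown: str) -> bool:
    """True only if the fingerprint ssh displayed belongs to the key in line."""
    fps = fingerprints(line)
    shown = shown.strip()
    if shown.startswith("SHA256:"):
        expected = fps["sha256"]  # base64 is case-sensitive, compare as-is
    else:
        expected = fps["md5"]
        shown = shown.lower().removeprefix("md5:")
    return hmac.compare_digest(shown.encode(), expected.encode())

# Constructed sample key with toy values, not a real host key.
SAMPLE_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
               + ssh_string(b"\x00" + b"\xc3" * 16))
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " root@aserver"

if __name__ == "__main__":
    shown = fingerprints(SAMPLE_LINE)["md5"]  # stands in for the ssh prompt
    print(shown, matches_prompt(SAMPLE_LINE, shown))
```

If the function returns False for the key file the admin gave you, answer "no" at the prompt.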

2. How to create new keys
If you're in a situation where your server keys have been compromised, you can generate a new pair of ssh public and private keys on the server, using ssh-keygen or openssl, for example: 'ssh-keygen -t algorithmname', substituting RSA or DSA for algorithmname. Use 'HostKey keyfilename' in the sshd configuration file (sshd_config) to assign this key as the new ssh host key. It's a good habit to renew your keys regularly, just in case the current key has been compromised.

3. Ssh/scp without password (authentication via PKI / X.509 certificate)
It is handy to avoid being asked to type a password every time you use scp/ssh. Here are the steps to accomplish this: generate client keys using 'ssh-keygen -t algorithmname' in the ~/.ssh directory, substituting RSA or DSA for algorithmname. Then copy the public key to ~/.ssh/authorized_keys on the server.



Source: Steve's blog http://soa-java.blogspot.com

References:
Foundations of CentOS Linux by Chivas Sicam and Ryan Baclit
Man-in-the-middle attack http://en.wikipedia.org/wiki/Man-in-the-middle_attack
Convert keys between OpenSSH and OpenSSL http://www.sysmic.org/dotclear/index.php?post/2010/03/24/Convert-keys-betweens-GnuPG%2C-OpenSsh-and-OpenSSL

Friday, April 15, 2011

Using unix scripts or tools (e.g. sed , awk, find) in Windows

Suppose you work on Windows but miss the power of sed, awk, find, grep, or other handy Unix tools, or you want to reuse your Linux scripts. Just install cygwin; it's a kind of Linux terminal for Windows (a simplified explanation).

In cygwin, your Windows drives are located under /cygdrive. For example, if you want to delete all ".svn" directories in D:/My Workspace/, in cygwin you can type:
cd /cygdrive/d/My\ Workspace
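# -prune keeps find out of directories it is about to delete; -exec ... {} + passes each path intact, even with spaces
find . -type d -name .svn -prune -exec rm -rf {} +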