Colorado BSD Users Group

What is OpenSSH?

“A cryptographic network protocol for secure data communication, remote command-line login, remote command execution, and other secure network services between two networked computers.” -Wikipedia

###Why would I want to use ssh?

Because it’s awesome!


About SSH


Getting started with OpenSSH in OpenBSD

To check to make sure that the OpenSSH server (the ssh daemon, or sshd) is running, log into the system and do something like the following:

pgrep -lf sshd

And you should see soemthing like this:

7656 sshd

If you do, sshd is running.


The first SSH

If you have an OpenBSD box with a user account, you can ssh into it.

ssh yourUser@theBoxYouWantToSshInto 

Enter your password and that’s it!


Managing sshd

To stop the daemon (must command as root):

/etc/rc.d/sshd stop
/etc/rc.d/sshd start

There is also restart, reload, and check.

If a user is already ssh’d in the box, stopping the daemon will not stop active connections. It only stops new connections from initiating!

If you want to stop all ssh activity, you must also kill active ssh sessions in addition to stopping the daemon. “pgrep -lf sshd” will show active ssh connections.


Locking down SSH

In the ssh_config file there are many options available to tighten security. For example, you could do something like this:

Ciphers 3des
PasswordAuthentication no
Protocol 2 
AllowUsers zamicol kur0
PermitRootLogin no
Port 7070

Some of these settings may not be a good idea, but it might help keep the baddies away.

You must restart sshd for these changes to take effect.

/etc/rc.d/sshd restart

Passwords are lame. Save us ssh-keygen!

Passwords are lame. That is why there is ssh-keygen, enabling passwordless logins.


Passwords are lame continued


Secret tunnels

Secret Tunnel

Is your work place blocking that sweet, sweet ASCII porn? Use a ssh tunnel!


Secret tunnels: Port Forwarding

Here’s an example of port forwarding.

ssh -L localPort:hostYouAreRoutingThrough:hostPort destinationHost

So if your workplace was blocking reddit, this is how you get around that:

ssh -L 7070:reddit.com:80 homeIpAddress

Now in your browser, use the following URL to browse!

http://localhost:7070

There’s Reddit! Weeeee!


Moar tunnels!

What if you want to send all web browser traffic over a proxy?

ssh -D 7070 user@host 

Then configure your browser to use the proxy on the local port 7070. Now you can browse anywhere over the proxy!

-D still does not tunnel DNS lookups. If you need all traffic to go through a tunnel, you can use vpn or ssh vpn!


###More Resources OpenBSD man page

RFC 4253

VPN’s on OpenBSD