Changes between Version 3 and Version 4 of Remote Access to Workstations


Timestamp:
03/31/06 13:57:23 (20 years ago)
Author:
cdelarcuz
Comment:

--

  • Remote Access to Workstations

    v3 v4  
    22
    33To access a remote site with [wiki:"ssh public key authentication"]
    4 We highly recommend that for users logging into their Cambridge account from a remote site they use ssh, rather than telnet. As a result of telnet's vulnerability we have we have disabled telnet access from outside Cambridge to any machine in the IoA Science Cluster. Most of the Sun workstations do not accept incoming ssh protocol 1 connections, only ssh protocol 2 connections.
     4We highly recommend that for users logging into their CAL account from a remote site
     5that they use ssh. Please note that both the Linux and Sun workstations do not accept
     6incoming ssh protocol 1 connections, only ssh protocol 2 connections.
    57
    6 
    7 Telnet will send your password in clear text across the Internet, and hence is vulnerable to any network sniffers installed by a hacker on a network through which your telnet connection passes. It is quite certain that this already happened to a number of local users when logging in from Chile or Hawaii. With the sniffed password, the hacker was able to log into our site and place network sniffer on the local network and begin capturing many more passwords.
    88A remote host running ssh can be accessed with:
    99
    1010  ssh remote_host
    1111
    12 where remote_host is the fully qualified host name (e.g. for host mraos this is mraos.ra.phy.cam.ac.uk), or its IP number. This command assumes that you have the same username on both systems, but in the case where this is not so:
     12where remote_host is the fully qualified host name (e.g. for host jewels this is jewels.phys.columbia.edu),
     13or its IP number. This command assumes that you have the same username on both systems,
     14but in the case where this is not so:
    1315
    1416  ssh -l remote_username remote_host
    1517
    1618where remote_username is obviously your username on the remote host.
    17 Note, if this is your first access to the remote host, then you're unlikely to have its public key, and hence ssh will inform you of this e.g.
     19Note, if this is your first access to the remote host, then you're unlikely
     20to have its public key, and hence ssh will inform you of this e.g.
    1821The authenticity of host 'mraos.ra.phy.cam.ac.uk (131.111.48.8)' can't be
    1922established.
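Review bot: the replacement paragraph drops the entire rationale for preferring ssh: the removed text explained that telnet sends the password in clear text and that sniffed passwords had already been used to break into local accounts, while the new text only says "We highly recommend ... that they use ssh" without saying why, or whether telnet is still reachable from outside. Keep at least one sentence on the cleartext-password risk and state explicitly whether telnet access from outside is disabled at the new site, since that was the point of the old paragraph. Also, the example host was changed to jewels.phys.columbia.edu, but the sample ssh output that follows still names 'mraos.ra.phy.cam.ac.uk (131.111.48.8)', so the example command and its quoted output no longer match.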
     
    2225Warning: Permanently added 'mraos.ra.phy.cam.ac.uk,131.111.48.8' (RSA) to the
    2326list of known hosts.
    24 The public key of the remote host has been added to the file ~/.ssh/known_hosts in your account. As a result this message will not be displayed in future ssh connections to this host.
    25 As shown in a section above, you can generate your own public key(s) between your different accounts using ssh-keygen, and overcome the problem regarding the lack of the public key of the remote host. Copy the newly generated public key from the account on one system to the ~/.ssh/authorized_keys file on the other. Transfering public keys between accounts can simply be done via email, as the public key (e.g. ~/.ssh/identity.pub for ssh 1 protocol) is just a long line of text, which can then be extracted from the mail message (make sure to preserve its line length) and added to the appropriate file.
     27The public key of the remote host has been added to the file ~/.ssh/known_hosts in your account.
     28As a result this message will not be displayed in future ssh connections to this host.
     29As shown in a section above, you can generate your own public key(s)
     30between your different accounts using ssh-keygen, and overcome the problem
     31regarding the lack of the public key of the remote host. Copy the newly generated
     32public key from the account on one system to the ~/.ssh/authorized_keys file on the other.
     33Transfering public keys between accounts can simply be done via email, as the public key
     34(e.g. ~/.ssh/identity.pub for ssh 1 protocol) is just a long line of text, which
     35can then be extracted from the mail message (make sure to preserve its line length)
     36and added to the appropriate file.
    2637
    27 Using sftp
     38== Using sftp ==
    2839sftp, and scp (discussed below) both come into their own for file transfers between user accounts at different institutions.
    2940sftp (Secure File Transfer) is a ftp-like client that runs over an ssh tunnel, and that can be used in file transfer over the network. It does not use the FTP daemon (ftpd or wu-ftpd) for connections, allowing a significant improvement in the system security. sftp does not support anonymous logins. A user account is required on the remote end. sftp and scp do not require any dedicated daemon since the two programs connect to sshd servers.
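Review bot: the reflowed key-setup paragraph still cites "~/.ssh/identity.pub for ssh 1 protocol", which contradicts the earlier change in this same revision stating that the workstations accept only protocol 2 connections; the example should name a protocol 2 key file (for OpenSSH, ~/.ssh/id_rsa.pub or ~/.ssh/id_dsa.pub). The same paragraph also says that installing your own public key in the remote ~/.ssh/authorized_keys will "overcome the problem regarding the lack of the public key of the remote host", but those are two different keys: authorized_keys governs user authentication, while the unknown-host prompt is resolved only by the entry ssh adds to ~/.ssh/known_hosts, as the paragraph itself says two sentences earlier. Rewording this as avoiding the password prompt, not the host-key prompt, would remove the confusion. The change of the heading to "== Using sftp ==" is fine; the remaining plain-text headings on the page should get the same markup for consistency.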
     
    4455Same as ls, but operates on the local files.
    4556get [ file ... ]
    46 Transfers the specified files from the remote end to the local end. Directories are recursively copied with their contents.
     57Transfers the specified files from the remote end to the local end.
     58Directories are recursively copied with their contents.
    4759put [ file ... ]
    48 Transfers the specified files from the local end to the remote end. Directories are recursively copied with their contents.
     60Transfers the specified files from the local end to the remote end.
     61Directories are recursively copied with their contents.
    4962mkdir dir (rmdir dir)
    5063Tries to create (destroy) the directory specified in dir.
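Review bot: the get/put descriptions are only rewrapped, but the unqualified statement "Directories are recursively copied with their contents" is client-specific, and this page later distinguishes Sun's SSH from the OpenSSH client (openssh or opensftp); say which sftp client the recursive behaviour refers to, or users of the other client may find the command does not behave as described on a directory.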
     
    8295message. Agent forwarding is disabled to avoid attacks by corrupted servers.
    8396X11 forwarding is disabled to avoid attacks by corrupted servers.
    84 This indicates that the host public key that your client believes is valid for the server you're trying to connect to doesn't match the host key that the server is using.
    85 As the message indicates, it either means someone is trying to subvert your connection, or that a system administrator has for some reason changed the host key for the server.
    86 You should at this point contact the administrator of the server in question to find out what is happening.
    87 server key not yet known
    88 If you see something like
    89 Host key not found from the list of known hosts.
    90 Are you sure you want to continue connecting (yes/no)?
    91 this just means that your client doesn't yet know a host key for the server you're connecting to. If you believe it is unlikely that anyone is going to choose precisely this time to attempt to intercept and spoof your attempt to connect to the server in question, then saying yes at this point will result in the server host public key being added to your (but not the client machine's) list of known hosts.
     97This indicates that the host public key that your client believes is valid
     98for the server you're trying to connect to doesn't match the host key that
     99the server is using. As the message indicates, it either means someone is
     100trying to subvert your connection, or that a system administrator has for
     101some reason changed the host key for the server. You should at this point contact
     102the administrator of the server in question to find out what is happening.
     103server key not yet known If you see something like Host key not found
     104from the list of known hosts. Are you sure you want to continue connecting (yes/no)?
     105this just means that your client doesn't yet know a host key for the server
     106you're connecting to. If you believe it is unlikely that anyone is going to choose
     107precisely this time to attempt to intercept and spoof your attempt to connect to the
     108server in question, then saying yes at this point will result in the server host public
     109key being added to your (but not the client machine's) list of known hosts.
    92110ssh or sftp connection is closed by remote site after 30-60 minutes
    93 Some sites run a version of ssh that periodically forces another run of the key-exchange phase, and this attempt to rekey kills the connection from Sun's SSH. You may get a message such as:
     111Some sites run a version of ssh that periodically forces another run of the
     112key-exchange phase, and this attempt to rekey kills the connection from Sun's SSH.
     113You may get a message such as:
    94114dispatch protocol error: type 20 plen 140
    95 If you run into this problem, which may prevent you from transferring large files, try using the OpenSSH client (openssh or opensftp), as the rekeying message is not sent to OpenSSH clients.
    96 anything else
    97 If you find any other misfeatures in the installed ssh programs please contact helpdesk, giving as much detail as possible.
     115If you run into this problem, which may prevent you from transferring large files,
     116try using the OpenSSH client (openssh or opensftp), as the
     117rekeying message is not sent to OpenSSH clients.
     118anything else If you find any other misfeatures in the installed
     119ssh programs please contact helpdesk, giving as much detail as possible.
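Review bot: the reflow folds two subheadings into running text, giving "server key not yet known If you see something like Host key not found from the list of known hosts. Are you sure you want to continue connecting (yes/no)?" and "anything else If you find any other misfeatures", so the reader can no longer tell where one problem ends and the next begins, and the quoted ssh prompt is no longer distinguishable from the explanation. Give "server key not yet known", "ssh or sftp connection is closed by remote site after 30-60 minutes" and "anything else" the same "== ... ==" markup this change applies to "Using sftp", and set the quoted prompt and the "dispatch protocol error: type 20 plen 140" line as preformatted text. On the advice itself: telling users to answer yes if they "believe it is unlikely that anyone is going to choose precisely this time" to intercept the connection is weaker than the guidance given a few sentences earlier for the mismatch case; recommend confirming the host key with the server's administrator before answering yes, since an attacker able to intercept the first connection is exactly the case the known_hosts check exists to catch.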