Sunday, October 02, 2005

Using ssh in place of rsh.

Before we could start on this first take a look how authentication is worked in ssh . Authentication varies depending upon the version of protocol.

SSH protocol version 1
The first authentication method is the rhosts or hosts.equiv method combined with RSA-based host authentication. If the machine the user logs in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote machine, and the user names are the same on both sides, or if the files ~/.rhosts or ~/.shosts exist in the user's home directory on the remote machine and contain a line containing the name of the client machine and the name of the user on that machine, the user is considered for log in. Additionally, if the server can verify the client's host key (see /etc/ssh_known_hosts and ~/.ssh/known_hosts in the FILES section), only then is login permitted. This authentication method closes security holes due to IP spoofing, DNS spoofing and routing spoofing. [Note to the administrator: /etc/hosts.equiv, ~/.rhosts, and the rlogin/rsh protocol in general, are inherently insecure and should be disabled if security is desired.] I am call this mechanishm as server authentication mechanism.

As a second authentication method, ssh supports RSA based authenticationThe scheme is based on public-key cryptography: there are cryptosystems.

SSH protocol version 2
When a user connects using protocol version 2, similar authenticationmethods are available. Using the default values for PreferredAuthentications, the client will try to authenticate first using the hostbased method; if this method fails, public key authentication is attempted, and finally if this method fails, keyboard-interactive and password authentication are tried.

The public key method is similar to RSA authentication described in the previous section and allows the RSA or DSA algorithm to be used: The client uses his private key ~/.ssh/id_dsa or ~/.ssh/id_rsa, to sign the session identifier and sends the result to the server. The server checks whether the matching public key is listed in ~/.ssh/authorized_keys and grants access if both the key is found and the signature is correct. The session identifier is derived from a shared Diffie-Hellman value and is only known to the client and the server.

If public key authentication fails or is not available, a password can be sent encrypted to the remote host to prove the user's identity.

Lets go little bit more depth on Server authentication because I am using this.

ssh automatically maintains and checks a database containing identifications for all hosts it has ever been used with. Host keys are stored in ~/.ssh/known_hosts in the user's home directory. Additionally, the file /etc/ssh_known_hosts is automatically checked for known hosts. Any new hosts are automatically added to the user's file. If a host's identification ever changes, ssh warns about this and disables password authentication to prevent a trojan horse from getting the user's password. Another purpose of this mechanism is to prevent man-in-the-middle attacks which could otherwise be used to circumvent the encryption.The StrictHostKeyChecking option can be used to prevent logins to machines whose host key is not known or has changed.

So once every thing is set use following command.

# ssh -t \server\ \command
Ex.
# ssh -t server2.keekar.com ls -ltr

Output will come on the calling screen not on remote screen. Also their is no login shell is allocated means once the command finished it itself colsed.

8 comments:

Anonymous said...

Bloggers beware
Heather Armstrong and daughter, Leta, 14 months, pose for a self portrait. Armstrong was fired for blogging about work.
Find out how you can buy and sell anything, like things related to music on interest free credit and pay back whenever you want! Exchange FREE ads on any topic, like music!

Anonymous said...

Corporate Blogging On the Nigh
Well, that's cause many people got into blogging for the wrong reasons. They got in cause it was hot PR wise.
Find out how you can buy and sell anything, like things related to music on interest free credit and pay back whenever you want! Exchange FREE ads on any topic, like music!

Anonymous said...

On Google Search Tabs
When running a Google web search from the Google home page or the Google Personalized home page, you can quickly rerun your search in another Google database by simply clicking one or more of the tabs labeled .
Hey, you have a very informative blog here! Great job. I have a free hearing aids site. It pretty much
covers free hearing aids related stuff.

Come and check it out when you get time :-)

Anonymous said...

Collected from around the Network, this is the Best of Weblogs, Inc.
The Weblogs, Inc. network features over 100 independent, unfiltered bloggers producing over 1,000 blog posts a week across over 75 industry-leading blogs.
Find out how to buy and sell anything, like things related to music on interest free credit and pay back whenever you want! Exchange FREE ads on any topic, like music!

Anonymous said...

Scobleizing Microsoft's corporate culture
Microsoft's chief blogger Robert Scoble goes directly to the top. Corporate bloggers take note.
Find out how you can buy and sell anything, like things related to music on interest free credit and pay back whenever you want! Exchange FREE ads on any topic, like music!

Anonymous said...

Nice Blog!!!   I thought I'd tell you about a site that will let give you places where
you can make extra cash! I made over $800 last month. Not bad for not doing much. Just put in your
zip code and up will pop up a list of places that are available. I live in a small area and found quite
a few. MAKE MONEY NOW

Anonymous said...

Hi, I was just blog surfing and found you! If you are interested, go see my work from home related site. It isnt anything special but you may still find something of interest.

Anonymous said...

09003d86910cbd79 event