Chapter 6. Protecting Outgoing Network Connections

In Chapter 3, we discussed how to protect your computer from unwanted incoming network connections. Now we'll turn our attention to outgoing connections: how to contact remote machines securely on a network. If you naively telnet, ftp, rlogin, rsh, rcp, or cvs to another machine, your password is transmitted unencrypted over the network, readable by any snooper along the path. [Recipe 9.19] Clearly a better alternative is needed.

Our recipes will primarily use SSH, the Secure Shell, a protocol for secure authentication and encryption of network connections. It's an appropriate technology for many secure networking tasks. OpenSSH, a free implementation of the SSH protocol, is included in most Linux distributions, so our recipes are tailored to work with it. Its important programs and files are listed in Table 6-1.

Table 6-1. Important OpenSSH programs and files for this chapter

Client programs
    ssh                   Performs remote logins and remote command execution
    scp                   Copies files between computers
    sftp                  Copies files between computers with an interactive, FTP-like user interface

Server programs
    sshd                  Server daemon

Programs for creating and using cryptographic keys
    ssh-keygen            Creates and modifies public and private keys
    ssh-agent             Caches SSH private keys to avoid typing passphrases
    ssh-add               Manipulates the key cache of ssh-agent

Important files and directories
    ~/.ssh                Directory (per user) for keys and configuration files
    /etc/ssh              Directory (systemwide) for keys and configuration files
    ~/.ssh/config         Client configuration file (per user)
    /etc/ssh/ssh_config   Client configuration file (systemwide)

For outgoing connections, the client program ssh initiates remote logins and invokes remote commands:

Do a remote login:
$ ssh -l remoteuser remotehost

Invoke a remote command:
$ ssh -l remoteuser remotehost uptime

and the client scp securely copies files between computers:

Copy local file to remote machine:
$ scp myfile remotehost:remotefile

Copy remote file to local machine:
$ scp remotehost:remotefile myfile
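The -l remoteuser and remotehost arguments shown above can also be recorded per host in the client configuration file listed in Table 6-1, so that a short alias such as "ssh dev" expands to the full login. What follows is an added example, not from the book or from OpenSSH: a constructed ~/.ssh/config fragment (the host names dev.example.net, bastion.example.net and the user names remoteuser, ops, localuser are made up) together with a small POSIX shell and awk resolver that mimics the client's lookup rule, namely that Host blocks are scanned top to bottom and, for each option, the first value found wins. The point it demonstrates is why a catch-all "Host *" must sit at the end of the file: placed first, it would silently override the per-host User entries below it.

```shell
#!/bin/sh
# Added example, not from the book or from OpenSSH itself.
# SAMPLE_CONFIG is a constructed ~/.ssh/config; the host and user names
# are made up. resolve_option mimics the client's lookup rule: Host blocks
# are scanned top to bottom and, for each option, the first value found wins.
# (Match blocks, Include directives and %-expansion tokens are not modelled.)

SAMPLE_CONFIG='# "ssh dev" becomes "ssh -l remoteuser dev.example.net"
Host dev
    HostName dev.example.net
    User remoteuser

# any other host in the domain, except the bastion, logs in as ops
Host *.example.net !bastion.example.net
    User ops

# catch-all defaults go LAST, otherwise they would shadow the entries above
Host *
    User localuser
'

# resolve_option HOST OPTION -> prints the value ssh would use for HOST,
# or nothing if the option is not set for that host.
resolve_option() {
    printf '%s\n' "$SAMPLE_CONFIG" | awk -v h="$1" -v opt="$2" '
    # translate an ssh glob pattern (* and ?) into an anchored regex
    function matches(pattern, name,    re) {
        gsub(/\./, "\\\\.", pattern)
        gsub(/\*/, ".*", pattern)
        gsub(/\?/, ".", pattern)
        re = "^" pattern "$"
        return name ~ re
    }
    BEGIN { active = 0; found = "" }
    {
        sub(/^[ \t]+/, "")                       # drop indentation
        if ($0 == "" || $0 ~ /^#/) next          # skip blanks and comments
        split($0, parts, /[ \t=]+/)              # "Key value" or "Key=value"
        key = tolower(parts[1])
        if (key == "host") {
            # a Host line matches when some pattern matches and no !pattern does
            positive = 0; negated = 0
            for (i = 2; i <= NF; i++) {
                p = $i
                if (substr(p, 1, 1) == "!") { if (matches(substr(p, 2), h)) negated = 1 }
                else if (matches(p, h)) positive = 1
            }
            active = (positive && !negated)
            next
        }
        if (active && found == "" && key == tolower(opt)) {
            val = $0
            sub(/^[^ \t=]+[ \t=]+/, "", val)     # keep only the value
            found = val
        }
    }
    END { print found }'
}

# Show what "ssh dev", "ssh build.example.net", "ssh bastion.example.net"
# and "ssh somewhere-else" would resolve to under this configuration.
for host in dev build.example.net bastion.example.net somewhere-else; do
    printf '%-22s User=%-12s HostName=%s\n' "$host" \
        "$(resolve_option "$host" User)" "$(resolve_option "$host" HostName)"
done
```

Running the script prints one line per alias; dev logs in as remoteuser on dev.example.net, build.example.net falls through to ops, the excluded bastion.example.net and any unknown host get the localuser default. The real client can be asked the same question with "ssh -G host", which prints the effective options without connecting; comparing its output with what you expected is a quick check that a newly added Host block is not being shadowed.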

Some of our recipes might work for other implementations of SSH, such as the original SSH Secure Shell from SSH Communications Security (http://www.ssh.com). For a broader discussion, see the book SSH, The Secure Shell: The Definitive Guide (O'Reilly).
