Linux System Administration

Public key authentication allows you to log in to a remote host over the SSH protocol without a password and is more secure than password-based authentication. Try creating a passwordless connection from linuxconfig.local to linuxconfig.org using public-key authentication.

Create key

Press ENTER at every prompt.

linuxconfig.local$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
b2:ad:a0:80:85:ad:6c:16:bd:1c:e7:63:4f:a0:00:15 user@host
The key's randomart image is:
+--[ RSA 2048]----+
| E. |
| . |
|. |
|.o. |
|.ooo o. S |
|oo+ * .+ |
|++ +.+... |
|o. ...+. |
| . .. |
+-----------------+
linuxconfig.local$

SSH port forwarding lets us create a very simple "VPN" that secures insecure protocols such as telnet or ftp. To create an encrypted ssh connection, a client connects to an ssh server on a remote host, establishing an ssh tunnel through which the otherwise insecure traffic travels. In this scenario we are going to use ssh port forwarding to create an encrypted tunnel for a telnet connection.

Enable telnet server on remote host

Let us first confirm that the telnet server is running on the remote host (the pattern 23 also matches other ports and addresses that contain 23, so look for a LISTEN line whose local address ends in :23):

$ netstat -ant | grep 23 

[Screenshot: remote server port 23]

Create ssh tunnel to remote host

In this example you will open port 4500 on your local host and tunnel it to port 23 on the remote host. You do not have to do this as root: since we are using a port higher than 1024, an ordinary user can create this port forward. Keep in mind that the tunnel exists only while the ssh connection is running.

# ssh -L 4500:127.0.0.1:23 linuxconfig.org 

[Screenshot: create tunnel]
At this point, every connection made to port 4500 on localhost will be forwarded to port 23 on the remote host.

Telnet to remote host via ssh port forwarding

Before we attempt to telnet to the remote host through the tunnel, we need to confirm that the tunnel is still up:

# netstat -ant | grep 4500 

[Screenshot: ssh port forwarding]
Once we know that the tunnel is still up, we can telnet to local port 4500:

# telnet localhost 4500 

[Screenshot: telnet to remote host via ssh port forwarding]
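The check above, netstat -ant | grep 4500, matches any line that merely contains 4500 and says nothing about which address the forwarded port is bound to. The following added example (not part of the original article) reads netstat -ant output and reports whether the listener for a given port exists and is bound to loopback only; the netstat sample is constructed, and port 4501 in it stands for a forward created with ssh -g, which binds all interfaces.

```shell
#!/bin/sh
# Added example: verify an ssh -L tunnel's listening socket from `netstat -ant`
# text on stdin, so it can be run against a captured sample offline.

# Constructed sample of `netstat -ant` output (not real hosts).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:4500          0.0.0.0:*               LISTEN
tcp6       0      0 ::1:4500                :::*                    LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:14500      0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:45000      10.0.0.5:443            ESTABLISHED
tcp        0      0 0.0.0.0:4501            0.0.0.0:*               LISTEN'

# tunnel_state PORT   (netstat -ant text on stdin)
# Prints one of: loopback | exposed | missing   (exit 0 | 1 | 2)
tunnel_state() {
    port=$1
    # Keep only LISTEN rows whose local address ends in ":PORT" exactly,
    # so port 4500 does not match 14500 or 45000 the way `grep 4500` does.
    addrs=$(awk -v p="$port" '$6 == "LISTEN" && $4 ~ (":" p "$") { print $4 }')
    if [ -z "$addrs" ]; then
        echo missing
        return 2
    fi
    # A listener on 0.0.0.0, :: or a real interface address means the
    # forwarded port is reachable from other hosts; plain `ssh -L` binds
    # only to loopback unless -g or an explicit bind address is used.
    for a in $addrs; do
        case $a in
            127.*|::1:*) ;;
            *) echo exposed; return 1 ;;
        esac
    done
    echo loopback
    return 0
}

# Demonstration against the constructed sample.
for p in 4500 4501 4502; do
    printf 'port %s: ' "$p"
    echo "$SAMPLE_NETSTAT" | tunnel_state "$p" || :
done
```

On a live host replace the sample with the real command, e.g. netstat -ant | tunnel_state 4500.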

If you have tried everything to stop this error message from appearing on your terminal, look into the /etc/hosts.deny file on the destination sshd server to make sure that your external IP address is not blacklisted there, denying you ssh access. You can only do this by using an ssh client on a different server that has an external IP address different from your own, so ssh somewhere else and from there to your desired destination (this is a temporary workaround for the problem). First find your external IP address. If you have access to a browser, navigate to ipchicken.com, or use the following bash script:

#!/bin/bash

# NOTE: this script only works if your external IP address
# is listed on the 35th line of the page that ipchicken.com returns.

# Fetch the page quietly; wget saves it as index.html in the current directory.
wget -q http://ipchicken.com
# Print the first field of line 35, which is where the address appears.
echo "My external IP address is: $(sed -n '35p' index.html | awk '{ print $1 }')"
# Remove the downloaded page.
rm -f index.html

Make the get-external-ip.sh script executable and run it:

chmod +x get-external-ip.sh
./get-external-ip.sh
My external IP address is: 113.194.30.111

Log in to the destination server and execute the following command:

$ grep -F 113.194.30.111 /etc/hosts.deny

The output will look the same as or similar to the one below:

# DenyHosts: Fri Sep 24 14:58:17 2010 | sshd: 113.194.30.111
sshd: 113.194.30.111

Remove both lines from the /etc/hosts.deny file and you are ready to go. If you do not have write access to this file, ask someone who has it to do it for you. Your IP address can end up in /etc/hosts.deny because of strict TCP_WRAPPERS settings (for example after repeated failed authentication attempts, which is what the DenyHosts entry above records), or a system administrator can add it deliberately.
