SSH, The Secure Shell
author | Daniel J. Barrett, Richard E. Silverman
pages | 540
publisher | O'Reilly & Associates
rating | 8
reviewer | Danny Yee
ISBN | 0-596-00011-1
summary | Comprehensive look at the ubiquitous SSH protocol, from installation to advanced uses.
A comprehensive study of what is now a key part of many network systems, SSH, The Secure Shell is a valuable resource for system administrators and users. Its explanations are clear and thorough: I'm not sure about the "definitive" claim, but Barrett and Silverman do go into considerable detail, often to the limits of "if you want to play with this you really ought to look at the source code." Perhaps most importantly, The Secure Shell is organised so one can easily skip unwanted detail and find just those portions that are relevant. As a result, it can be used in different ways -- read through to learn about ssh and what it can be used for, or just consulted as necessary to answer particular questions or solve particular problems.
Chapter one puts ssh in context, looking at its history and related technologies, and chapter two introduces basic client operation. Anyone who uses ssh and scp as simple telnet and ftp replacements and isn't curious about how they work can stop reading here -- and doesn't really need their own copy of The Secure Shell. Chapter three is an "under the covers" look at ssh. After a three-page introduction to cryptography (not really suitable for the reader with absolutely no background), it explains the ssh1 protocol and then how ssh2 differs from that and the extra features it offers. There is also a brief overview of the cryptographic algorithms commonly used in ssh implementations, and an explanation of what ssh secures and what it doesn't.
The rest of the book is more implementation-specific: the primary implementations covered are SSH1, SSH2, and OpenSSH. Being a lazy user of packages, I skipped chapter four, on installation and compile-time configuration. Chapter five is a guide to server configuration, working systematically through the sshd configuration file options.
The next four chapters are aimed at power users, covering client use in much greater depth. Chapter six explains key management: what identities are, how to create them, how to manage them with ssh agents, and how they can be used (to automate logons, most obviously, but fancy things can be done with multiple identities). Chapter seven goes through client configuration in detail, working through the configuration file options, chapter eight covers account configuration on the server-side (including forced commands), and chapter nine looks at port and X11 forwarding.
For those overwhelmed by all of this, chapter ten describes a sample "recommended setup" for everything from compilation to client configuration. Chapter eleven covers some special topics -- unattended SSH, FTP forwarding, mail over SSH, Kerberos, using SSH through a gateway host -- and chapter twelve is a troubleshooting FAQ.
Chapter thirteen is an overview of other implementations, with a table of products, and four short chapters then cover specific Windows and Mac clients. Of the three Windows clients covered here, two are proprietary and the third is only distributed as a bzipped tar file: it would have been good to have a chapter on one of the free and more user-friendly Windows clients, perhaps PuTTY or TTSSH, both of which get a "recommended" tag in the table of products.
PuTTY (Score:5, Informative)
Re:PuTTY (Score:2)
Five Putty Sessions, or just 1 Putty Session with 1 instance of Screen?
Re:Get a real app! Re:PuTTY (Score:2)
Huh? 99.9% of the time all you see is characters in a window. Can't complain about a terminal doing that.
No it's not. Except for hobbyist and educational use.
Re:PuTTY (Score:2)
The nice thing about mindterm was that it didn't require Java 2 so you could even launch it from a crappy box with only netscape 4 on it. However, with netscape 4 (nearly) buried and MS no longer shipping a jvm, the days of jdk 1.1 seem numbered and it is entirely understandable that people adopt the much better 1.3+ generation of JVMs.
BTW. a google search for mindterm applet still reveals some sites offering old applet versions of mindterm
Re:PuTTY (Score:2)
I just add this line to my
rxvt -bg black -fg grey -cr white +ls -sr -sl 10000 -e /bin/bash
An essential tome in any sysadmin's library (Score:4, Informative)
I'd also check out the following books for great sysadmin knowledge:
"The Practice of System and Network Administration", Limoncelli & Hogan
"UNIX System Administration Handbook", Nemeth, Snyder, Seebass, & Hein
"Programming Perl", Wall, Christiansen, and Orwant
"Essential System Administration", Frisch
Umm...no (Score:2, Informative)
Re:Umm...no (Score:1)
Rule #1...check your references.
Rule #2...double check them.
Darn it...February 2001, 1st ed. My bad. Guess it just seems like longer.
Re:Umm...no (Score:1)
The biggest problem is that ssh has changed rapidly enough that this book is fairly outdated. It is good if you are a sysadmin with no ssh experience, but don't expect it to cover the latest and greatest.
Posting a review now seems untimely as this book should be in a revision cycle.
And this book provides what extra value? (Score:3, Interesting)
Re:And this book provides what extra value? (Score:2, Interesting)
For the most part I agree with you, it's not necessary for most Unix admins in order to get up and running with SSH. The man page and readme work just fine for that.
For those who want to do more esoteric things (or are interested in learning HOW it works), it provides good, clear explanations of what is done or what CAN be done and how to do it.
While it's probably not the first O'Reilly book I'd recommend, it's still quite useful.
Re:And this book provides what extra value? (Score:5, Informative)
People might find the default installation to be fine for basic use, but installation is only the first step of a journey. If all you want is "ssh -l user host" and "scp myfile foo@example.com:", that's great, but SSH has many other interesting uses and subtle behaviors.
Re:And this book provides what extra value? (Score:2)
I'm probably an average admin. (Possibly below-average--I only admin a couple boxes at work and about five at home.) I found the book to be quite interesting. I learned far more about the underlying SSH protocol than I had known previously, as well as numerous other things like all of the possibilities available with RSA keys. (I've subsequently used RSA-key-based forced commands for a couple things at work.) Since reading the book through, I've referred back to it a number of times. I find it to be a handier reference than the man pages sometimes and the constant comparisons of OpenSSH, SSH1, and SSH2 are nice--most of the computers I deal with are OpenSSH, but there are a couple running SSH2.
--Phil (Very satisfied ssh user.)
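The forced commands that chapter eight covers and that Phil mentions using live in the options field at the front of an authorized_keys entry. The parser below is an added example for this page, not code from the book, from the commenters or from OpenSSH; it follows the entry format sshd documents (optional comma-separated options, then key type, base64 key and comment) but recognises only a fixed list of key types, and the sample entries, paths, addresses and key blobs are constructed placeholders.

```python
"""Parse authorized_keys entries, including forced commands and other options.

Added example for this thread, not code from the book, from the commenters
or from OpenSSH. The sample entries are constructed; the key blobs are
syntactically valid placeholders, not real keys.
"""
import base64
import struct

# Simplification: sshd decides where the options end by trying to parse a
# key; this example recognises a fixed set of key-type names instead.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256")


def placeholder_key(keytype, payload):
    """A base64 blob with a valid SSH-wire prefix, for the constructed samples."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(s(keytype.encode()) + s(payload)).decode("ascii")


def _split_options(text):
    """Split the option field on commas, but not inside double quotes, and
    honour backslash escapes inside quotes (command= values may contain
    commas and quotes)."""
    opts, cur, quoted, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if quoted and c == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if quoted:
        raise ValueError("unterminated quote in options: %r" % text)
    if cur:
        opts.append("".join(cur))
    return opts


def parse_authorized_key(line):
    """Return {'options', 'type', 'key', 'comment'}; {} for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return {}
    options_text, rest = "", line
    if line.split(None, 1)[0] not in KEY_TYPES:
        # Options come first: find the first space outside double quotes.
        quoted, idx = False, 0
        while idx < len(line):
            c = line[idx]
            if quoted and c == "\\":
                idx += 2
                continue
            if c == '"':
                quoted = not quoted
            elif c == " " and not quoted:
                break
            idx += 1
        options_text, rest = line[:idx], line[idx:].strip()
    fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("no key found in entry: %r" % line)
    options = {}
    for opt in _split_options(options_text):
        if "=" in opt:
            name, value = opt.split("=", 1)
            options[name] = value
        elif opt:
            options[opt] = True
    return {"options": options, "type": fields[0], "key": fields[1],
            "comment": fields[2] if len(fields) > 2 else ""}


BACKUP_KEY = placeholder_key("ssh-ed25519", b"\x01" * 32)  # constructed, not a real key
SAMPLE_ENTRIES = [
    "# backup puller: rsync only, no shell, no forwarding, two source hosts",
    'command="/usr/local/bin/rsync-only.sh",no-pty,no-port-forwarding,'
    'no-agent-forwarding,from="192.0.2.10,192.0.2.11" ssh-ed25519 '
    + BACKUP_KEY + " backup@host",
    "ssh-ed25519 " + BACKUP_KEY + " unrestricted@laptop",
]


def unrestricted_entries(entries):
    """Entries with no forced command: the ones that give a full login shell
    and therefore deserve a second look in a key audit."""
    found = []
    for entry in entries:
        parsed = parse_authorized_key(entry)
        if parsed and "command" not in parsed["options"]:
            found.append(parsed["comment"] or parsed["key"][:16])
    return found


if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(parse_authorized_key(entry))
    print("unrestricted:", unrestricted_entries(SAMPLE_ENTRIES))
```

The point of the quote handling is the second sample entry: the from= value legitimately contains a comma, and a naive split on commas would turn it into two bogus options. The same care applies when writing entries by hand: a forced command with spaces or commas must be double-quoted, and the key is restricted only to that command, not to the shell the comment might suggest.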
PuTTY rules (Score:5, Informative)
the free and more user-friendly Windows clients, perhaps PuTTY or TTSSH,
I have to second that opinion of PuTTY. Every time I am forced to use a windoze boxen to log into my server, I always use putty. It is very small (less than floppy size), is a standalone executable so it doesn't touch your registry, and it handles YAST just fine. You can get it from versiontracker. I highly recommend it.
Re:PuTTY rules (Score:4, Informative)
Assuming Windows 2000, check HKCU\Software\Simon Tatham
Since it is a single file, where do you think it stores the session information? However, Putty is a wonderful program and is my Windows SSH client to home.
Re:PuTTY rules (Score:4, Insightful)
It is very small (less than floppy size), is a standalone executable so it doesn't touch your registry, and it handles YAST just fine.
As was mentioned by someone else, it does touch your registry, but only if it can. What I like about it most is I can put it in my network drive at school and use it from all the computer labs without installing anything. Before I found putty I had to resort to a slow, ugly, broken java applet.
Just remember, unless you memorize the fingerprint, ssh doesn't protect against man-in-the-middle attacks when you switch client computers.
Fingerprints (Score:2)
Get in the habit of remembering just the first few bits of the fingerprint for frequently-accessed sites - it just takes a second or two and *greatly* increases your security. (I have a little mnemonic I use for my home server, the IP of which frequently changes...)
But then again, I'm paranoid and only use SSH to connect two machines, both of which are on my desk...)
Cheers,
Jim in Tokyo
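The fingerprint the two posts above tell you to memorise is a hash of the server's public key blob, the same blob stored in known_hosts. The code below is an added example for this page, not from the book, the commenters or OpenSSH: it derives both the SHA256 form current OpenSSH prints and the colon-separated MD5 form that clients of the book's era printed (and that ssh-keygen -l -E md5 still prints), so a known_hosts line copied from a trusted machine can be checked on a new client. The host names, the address 203.0.113.7 and the ed25519 key material are constructed placeholders.

```python
"""Derive SSH host-key fingerprints from a known_hosts line.

Added example for this thread, not code from the book or from OpenSSH.
The key below is constructed (32 bytes 0x01..0x20 wrapped as an
ssh-ed25519 blob), so its fingerprints are not those of any real host.
"""
import base64
import hashlib
import struct


def ssh_string(data):
    """Encode bytes as an SSH wire 'string' (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def parse_known_hosts_line(line):
    """Return (hostnames, keytype, key_blob) from one known_hosts line.

    Format: '<host[,host...]> <keytype> <base64 blob> [comment]'.
    Hashed hostnames (|1|...) are kept verbatim; only the blob matters here.
    """
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("not a known_hosts entry: %r" % line)
    hosts, keytype, b64 = fields[0], fields[1], fields[2]
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with its own key-type string; it must match the text.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen].decode("ascii") != keytype:
        raise ValueError("key type in blob does not match %s" % keytype)
    return hosts.split(","), keytype, blob


def fingerprint_md5(blob):
    """Legacy fingerprint: MD5 of the blob as colon-separated hex pairs."""
    digest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob):
    """Current OpenSSH fingerprint: SHA256 of the blob, base64 without '='."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def make_ed25519_line(host, raw_key, comment=""):
    """Build a known_hosts line for a constructed ed25519 public key."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    line = "%s ssh-ed25519 %s" % (host, base64.b64encode(blob).decode("ascii"))
    return line + (" " + comment if comment else "")


# Constructed sample entry: NOT a real host key.
SAMPLE_LINE = make_ed25519_line("home.example.org,203.0.113.7",
                                bytes(range(1, 33)), "demo")


def fingerprints_for_line(line):
    """Both fingerprint forms for one known_hosts entry."""
    hosts, keytype, blob = parse_known_hosts_line(line)
    return {"hosts": hosts, "type": keytype,
            "md5": fingerprint_md5(blob), "sha256": fingerprint_sha256(blob)}


if __name__ == "__main__":
    for name, value in fingerprints_for_line(SAMPLE_LINE).items():
        print("%-7s %s" % (name, value))
```

Run it against a real line from a known_hosts file you trust and compare with what the new client shows on first connection; the comment field and the hostname list do not enter the hash, only the key blob does, so the same key gives the same fingerprint whichever host alias it is stored under.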
Re:PuTTY rules (Score:2)
I threw it up on my webserver. I can punch the URL into IE on a random public system, tell it to run instead of save, and it'll fire right up. It's never failed to run on any public system I've run across. (You'd think they'd set up some sort of security to keep people from running downloaded EXEs, but I haven't seen it happen yet.)
Re:PuTTY rules (Score:1)
I threw it up on my webserver. I can punch the URL into IE on a random public system, tell it to run instead of save, and it'll fire right up.
You're using https, I hope.
Re:PuTTY rules (Score:2)
Why? All my webserver is doing is sending a file, which is the same thing that it does if you visit my website. PuTTY doesn't exactly run too well under Linux, so the worst that can happen is that a bunch of people access it at once and use up all my outbound bandwidth. That could happen with anything else on the server (as happened with this slashdotting [slashdot.org]). The systems that ought to be secured are other people's publicly-accessible Windows boxen on which I run PuTTY to access my Linux server at home. Someone else could easily come along and download & run some particularly nasty malware that could do substantial damage. That those systems aren't secured is a common occurrence that works to my advantage.
(Actually, since most of my website is made up of server-parsed HTML, there's a bit more processing going on to send out this [dyndns.org] than is involved in sending out this [dyndns.org].)
Re:PuTTY rules (Score:2)
So you're sure that the program your client receives is the same as the program your server sends, not a trojaned version which turns off encryption, for example.
Re:PuTTY rules (Score:2)
So you're sure that the program your client receives is the same as the program your server sends, not a trojaned version which turns off encryption, for example.
(Now that I've thought about it a bit, though, I suppose an end-run around such an attack would be to use the IP address instead of the name. It's easy enough to remember. Someone who's determined could crack these guys [cox.com] and reassign my IP address to another system...but then that basically knocks my machine off the net (so no harm will come to it), and (again) who would care enough to want to bother doing that?)
FWIW, the PuTTY download page [greenend.org.uk] isn't running on a secure server. It supplies various checksums for the files which you can use for verification, but (as Simon Tatham points out) the programs that do that verification aren't themselves verifiable. There is a point beyond which an eye for security turns into paranoia...nothing is ever 100% secure. At some point, you need to weigh the odds of something bad happening against the measures needed to protect against that something.
One final note: Keeping a copy of PuTTY on a secure site would entail getting a certificate from someone like Verisign, and they don't exactly have the best reputation [slashdot.org] in the world.
Re:PuTTY rules (Score:2)
But Internet Explorer doesn't check that the domain named by a certificate is the domain name that it used to contact the host. So anyone with a certificate from one of the 'trusted' CAs can use it for a hijacked domain name, and IE users won't know any better.
If PuTTY itself was signed with MS SignCode, that might help a bit, as IE will show you the name on the certificate, but I dare say it would be possible for the wrong people to get a certificate with the same name as that on the certificate used for the real PuTTY - which is what happened to Microsoft last year.
Re:PuTTY rules (Score:2)
http://www.proweb.co.uk/~matt/putty.exe
Re:PuTTY rules (Score:2)
got to be a pretty good job to pre-emptively dns hijack *before* i got me client from my own web server
Re:PuTTY rules (Score:2)
My point was that the guy kept a copy of putty on a share on his LAN. My contention is that I keep a copy of putty on a known url so wherever I am I can get to it if I need to.
I've also written a little script that will determine my DHCP ISP assigned IP from behind my firewall and post it to my co-lo so if my IP changes I can find out.
PuTTY rules (Score:4, Informative)
The forcible-keying and cipher selection options in 0.52 play nicely with OpenSSH 3.0+, which in my opinion elevates PuTTY above ttssh. The only competition is the Mac version, 'Nifty Telnet-SSH'.
Of course, nothing is as convenient as my ssh-agent process that spawns my X sessions at home. Since all my machines are RSA-keyed, and most are ONLY RSA-key accessible, access is transparent for me and damn near impossible for Bad Guys. (I allow an internally-usable backdoor for staff at the office without using RSA keys, but only on a couple machines necessary for their work... it's funny that now, if I screw up an OpenBSD upgrade, I get complaints about mutt not working. Everyone assumes Outlook is a POS, but they know I'm responsible if they can't use Mutt from a PuTTY session at some Kinko's or DoD machine!)
Re:PuTTY rules (Score:1)
AFAICT, NiftyTelnet [lysator.liu.se] only does SSH1. Which sucks, because MacSSH [macssh.com] (fc2 anyway; I just found out fc3 was out!) hasn't been real reliable on my Quadra 840AV. And it only does SSH2.
Get a new version (Score:4, Informative)
Putty feels nice, but putty is ssh v1 only
Either you are using an old version, or you haven't figured out how to use a "menu system". Let me refer you to the developers' FAQ page:
A.1.1 Does PuTTY support SSH v2? [greenend.org.uk]
I hope that clears that up
Re:PuTTY rules (Score:4, Insightful)
I beg to differ. It saves its information in HKEY_CURRENT_USER\SimonTatham\PuTTY (at least it does on my Win2000 Pro box).
And yes, PuTTY does rock. At any given time I have about half a dozen PuTTY sessions open on my desktop, with various connections to my development servers and home box. Not quite as good as having a Linux box to work on, unfortunately, but about as close as you can reasonably get. Like the man says, it's called PuTTY because it makes Windows usable.
export registry branch to file (Score:1)
transfer all your configuration details just export the entire PuTTY registry branch into a file. I had to help another developer set up an ssh session with a bunch of tunnels set up and it was easiest for me to just export the branch (in this case, just for the particular session) for them to import into their own registry.
Woohoo! (Score:4, Funny)
A snail for my O'Reilly zoo! Let's hope he can get along with all the other animals... or maybe he'll get eaten. Ah, who knows!
Re:Woohoo! (Score:2)
Damn Mandrake [mandrakelinux.com] users!
Cheers,
Jim in Tokyo
Re:Woohoo! (Score:2)
http://oracle.oreilly.com/news/oraclebest_0301.
If so, then those aren't ants
Top Gun SSH (Score:2, Funny)
Admittedly using vi with Graffiti is a bit of a challenge...
Re:Top Gun SSH (Score:2)
Try ed with TGSSH, much easier.
My favourite OpenSSH feature (Score:5, Informative)
My *own* favourite OpenSSH feature (Score:3, Informative)
X connections over ssh are braindead easy, secure and quite simply kick ass.
Cheers,
Jim in Tokyo
Re:My *own* favourite OpenSSH feature (Score:2)
VNC works pretty well over SSH as well. I can log into my home server, power up my home workstation from the server, wait a couple of minutes for it to start up, and use VNC-over-SSH to access my Win2K box at home from anything that can run a VNC client. I have VNCviewer and the Cygwin port of OpenSSH on an 8MB DiskOnKey with room to spare. (You don't need the complete Cygwin environment...put ssh.exe and cygwin1.dll in the same directory (maybe some more files that I don't recall offhand), open a command window, and then run SSH in the usual manner.)
Re:My favourite OpenSSH feature (Score:2)
ALLOW FROM TO port 2222
FORWARD from port 2222 TO port 22
DENY FROM ALL port 2222
And voila, only connections from your work IP are allowed in. Of course, you may have to go through more rigorous methods if your work has masquerading going, and you don't trust your work-mates to not try to hax0r your system
Re:My favourite OpenSSH feature (Score:2)
ALLOW FROM <work ip> TO port 2222
FORWARD from <external ip> port 2222 TO <home internal workstation ip> port 22
DENY FROM ALL port 2222
Next time I'll check the preview properly
Hee (Score:1)
What, RTFS? Or was a full too long and they decided to remove all the whitespace? </sarcasm>
Oh well... it might be interesting. Though, I'm not averse to reading C either. :-)
Buy it cheaper at half.com or bookpool.com (Score:5, Interesting)
half.com - $23.00 ... $31.96
bookpool.com - $24.50
Barnes and Noble
Sig: What Happened To The Censorware Project (censorware.org) [sethf.com]
Not necessarily (Score:2)
Most online sites I know make up for low prices by nailing you with high shipping and handling charges (per item) when you check out.
A better price comparison would take this into account too.
Re:Not necessarily (Score:2)
I happily recommend them for buying books, etc, when you don't care that the author receives a cut on a used book (when you do, find the publisher and order there).
Re:Buy it cheaper at half.com or bookpool.com (Score:1)
The Tattered Cover - $39.95 [tatteredcover.com]
-Steve
Re:Buy it cheaper at half.com or bookpool.com (Score:1)
The shipping is timely and at a good rate.
Got the book.... (Score:5, Informative)
I've found the book to be extremely useful, but then I'm working on a multiplatform GUI SSH2 client myself so my opinion may be a bit skewed.
And next from O'Reilly (Score:5, Funny)
The ifconfig bible
/etc/aliases in a nutshell
The System Administrator's guide to "ls"
find - the command that finds things
Plus, for Windows users:
Notepad for power-users
The DOS "cd" command - navigating directories from the command line
format - making unformatted discs usable for the storage of files.
Start->Shut Down - Switching off your computer for dummies.
ssh.com's SSH Secure Shell for Windows (Score:3, Interesting)
I am quite pleased with the latest version for workstations (3.1) in that they have finally implemented somewhat-intelligent URL handling (i.e. clicking on a URL brings up the link in a new window in your default browser) and the look of the app can match the XP look with the click o' a checkbox, for those who care about such things.
Additionally, the Explorer-like secure file transfer window is a godsend for folks like me who:
are too paranoid to have an ftpd running on their servers, and
appreciate how it Just Works.
If you, say, use your Windows gaming machine to occasionally ssh in and mutt or pine through your mail on your *nix server, I'd recommend checking it out. (No, I have no affiliation with ssh.com, I just like the product.)
Glazes over the topic (Score:1, Insightful)
Read the O'Reilly book if you want to know how to set up specific SSH implementations.
Re:Glazes over the topic (Score:1)
Our book's stated goal about protocol information is "to teach you enough about SSH to make an intelligent, technically sound decision about using it." [41]
We heartily welcome any specific criticisms of our explanation of SSH internals, so we can update the book as needed. Our email addresses are dbarrett@oreilly.com and res@oreilly.com, as given on the last page of the book under "About The Authors."
A great use for ORA's safari (Score:3, Informative)
It's really easy to use basic SSH, but managing keys and using the more advanced forms of authentication is more of a hassle. You can read the docs, search the web for tutorials, or you can spend a safari point (a couple of bucks) to get full access to the book online.
I haven't read the book, but I imagine that it would be helpful for people who want to do things like run automatic backups over the network through a SSH tunnel.
False sense of security... (Score:1, Interesting)
http://ettercap.sourceforge.net/
If you build it they will crack it.
I didn't like it. (Score:2)
What really irritated me was the authors' handling of timeouts and keepalives. It's quite common to be stuck behind a firewall that closes all idle TCP connections. The ssh keepalive functionality does not address this - it's for disconnecting dead sessions, not keeping sessions alive. You need to send some "filler" packets through the TCP connection when it's idle.
This is a frequently asked question. The answer of this book is that you shouldn't send keepalive packets because if "the sysadmin" configured a firewall to kill idle connections, you should just accept this restriction. I hope I don't have to explain how completely wrong this is. Increasingly big organizations have a firewall configured by people who are totally unresponsive.
Anyway, I solved the problem by applying this patch [ex-parrot.com].
One of the book's authors responds to this question on Usenet with the same unhelpful answer found in the book.
Re:I didn't like it. (Score:2)
You cite volume of sales as a figure of merit. So which do you believe is typical of a person who purchased the book?
Certainly that's a good idea, and you've been helpful in another sense - merely having the patience to answer this type of question repeatedly. However, what I meant by "unhelpful" is not helping the querent reach his goal. Browsing again through your posts on the topic, I realize that most of them may have been made before any keepalive[1] patch was available - so you were probably correct in writing "There is no good way around this at the moment."
However there are good ways around this today, and I think they should be the first answer to someone experiencing mysterious connection failures. There is an accelerating assumption that "the internet" == "the web" and this affects how businesses adopt firewalls. Microsoft is both reacting to and strengthening this mindset with SOAP, which uses pseudo-web traffic. I think ssh clients should be distributed with keepalives enabled. They do no harm when there is no firewall/NAT involved, and they circumvent an increasingly frequent problem. I find the "NAT shortage" theory fairly removed from current reality, given that ssh users are generally a tiny minority. I realize that you may have seen environments where it applies.
Anyhow, my reaction to the book was highly colored by this issue.
[1] The useful kind, that actually keeps the connection alive.
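For readers coming to this thread later: the behaviour argued for above was added to OpenSSH after this review as the ServerAliveInterval client option, with ClientAliveInterval as the server-side counterpart. Unlike the KeepAlive option discussed above (since renamed TCPKeepAlive), which asks the kernel to send empty TCP probes that are spoofable and that a firewall can filter, these send a request inside the encrypted session, so a stateful firewall or NAT sees real traffic before its idle timer expires. The fragment below is an added illustration for this page, not from the book, the thread or the poster's patch; the 60-second interval is a placeholder to be tuned below the firewall's idle timeout.

```sshconfig
# ~/.ssh/config (client side): send an encrypted "are you there" request
# every 60 seconds; give up on the session after 3 unanswered requests.
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3

# /etc/ssh/sshd_config (server side): the same thing for clients that
# have not configured it themselves.
ClientAliveInterval 60
ClientAliveCountMax 3
```

With ServerAliveCountMax set, the session is also torn down promptly when the network really is gone, which is the only thing the old keepalive option ever did.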
SSH = VPN on the cheap! OR cheat the firewall... (Score:2)
Everyone else was struggling with the VPN and were having trouble getting stuff working.
I started screwing around with port forwarding and now I work from home a lot.
I am in charge of the Unix/Windows systems. TightVNC [tightvnc.org] and rdesktop [rdesktop.org] are my friends...
Here are a few examples for people confused by SSH port forwarding:
TightVNC
ssh -l username -C -L 7777:internal.vnc.box:5900 ssh.gateway.box
vncviewer -compresslevel 7 -quality 1 -depth 8 127.0.0.1:7777
(On Windows the VNC port starts at 5900 on Unix it is 5901 or 5902 or whatever your desktop says it was set to for vncserver...)
Rdesktop
ssh -l username -C -L 3389:nt.termserver.box:3389 ssh.gateway.box
rdesktop localhost
To forward X from a remote host
ssh -l username -C -L 8811:internal.unix.box:22 ssh.gateway.com
ssh -l username -p 8811 127.0.0.1
To punch a hole in a restrictive firewall (i.e. don't allow ssh gateways...)
From your workstation that you want to reach from the internet:
ssh -C -l root -R 22111:your.work.station:22 your.fire.wall
From your firewall: (Make sure you open the port on the firewall...)
ssh -p 22111 localhost
You can run the command every 15 min from cron or whatever on your workstation at work, or put a sleep statement in,
so you can access it from home.
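What the -L examples above set up is a relay: the client listens on the local port, and for each connection the server end opens a connection to the destination and copies bytes in both directions through the ssh session (-R is the same with the roles swapped, and by default the listening side of -R binds only to loopback on the remote host unless GatewayPorts allows otherwise, which is why the poster then connects to localhost:22111 from the firewall). The code below is an added model of that relay for this page, not code from the book, from the poster or from OpenSSH: it omits the encrypted ssh session entirely, so both halves run in one process on loopback and in the clear, and the destination is a constructed echo server standing in for the VNC or RDP host.

```python
"""Model of the relay that `ssh -L local_port:dest_host:dest_port` sets up.

Added example for this thread, not code from the book, from the poster or
from OpenSSH. The encrypted ssh session between the two halves is omitted:
everything runs on loopback in the clear, and the destination is a
constructed echo server standing in for the VNC/RDP host of the examples.
"""
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listen(bind_addr, port):
    s = socket.socket()
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((bind_addr, port))
    s.listen(8)
    return s


class LocalForward:
    """Equivalent of -L [bind_addr:]local_port:dest_host:dest_port.

    bind_addr defaults to loopback, as it does in ssh: the forwarded port is
    reachable only from the client machine unless you bind a wildcard
    address (or set GatewayPorts), which exposes the tunnel to the LAN.
    """

    def __init__(self, local_port, dest_host, dest_port, bind_addr="127.0.0.1"):
        self.dest = (dest_host, dest_port)
        self.listener = _listen(bind_addr, local_port)
        self.port = self.listener.getsockname()[1]  # real port when 0 was asked
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:
                return  # listener closed
            try:
                upstream = socket.create_connection(self.dest, timeout=5)
            except OSError:
                client.close()  # ssh reports "connect failed" on the channel
                continue
            for a, b in ((client, upstream), (upstream, client)):
                threading.Thread(target=_pump, args=(a, b), daemon=True).start()

    def close(self):
        self.listener.close()


class EchoServer:
    """Constructed stand-in for the internal service (VNC on 5900, say)."""

    def __init__(self):
        self.sock = _listen("127.0.0.1", 0)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    def close(self):
        self.sock.close()


def roundtrip_through_forward(payload):
    """Bring up echo server and forward, send payload through the forward,
    return what came back (the same bytes if the relay is correct)."""
    echo = EchoServer()
    fwd = LocalForward(0, "127.0.0.1", echo.port)
    try:
        with socket.create_connection(("127.0.0.1", fwd.port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            chunks = []
            while True:
                d = c.recv(4096)
                if not d:
                    break
                chunks.append(d)
        return b"".join(chunks)
    finally:
        fwd.close()
        echo.close()


if __name__ == "__main__":
    print(roundtrip_through_forward(b"RFB 003.008\n"))
```

The loopback default is the security-relevant detail: with the real `ssh -L 7777:internal.vnc.box:5900 ssh.gateway.box`, anyone who can reach port 7777 on your workstation reaches the internal VNC server with your credentials, so leave the bind address at loopback unless you mean to share the tunnel. The cron-driven -R variant in the post has the same shape in reverse, plus the extra exposure of an unattended root login to the firewall; a dedicated low-privilege account whose authorized_keys entry carries no-pty and no forced shell is the usual fix.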
Re:feh (Score:2, Interesting)
Timely or not, I appreciate most of the book reviews here because I don't have time to read each and every one of the books that come out, nor could I afford all of them that I would like to read.
Being a teacher who is multi-tasked into system administration by the powers-that-be, I have enough on my plate already, and if a review is strikingly important to what I already do, and can shed some light on the topic, then I make an effort to get acquainted with that book and use its insight.
Late for some is more than timely for others.
--Huck
nice skillz captain optimist (Score:1, Funny)
8)
Re:feh (Score:1)
See, this is where that little place in town called a library comes into play. You don't have to pay for the books, just return them on time.