
ssh-server (introduction)

If you did the ssh-client exercise, you have already installed an ssh server as well, and tested it, perhaps even had a classmate test it. On this page we use the ssh service to take a closer look at how Linux services work in general.
 
We cover installation, versions, executables, configuration files and service management.
 
In the Linux introduction we mostly use Linux Mint and Ubuntu Server. Linux Mint is a distro derived from Ubuntu, and Ubuntu is itself Debian-based. In Linux Advanced we also use Red Hat based distros such as CentOS. Those differ from Ubuntu to a limited degree, mainly in software (package) administration.

  1. finding the ssh-server package
     
    How do we find out which package we have to install?
    With aptitude search we can search by keyword:
    user@mint18-srv ~ $ aptitude search gdisk
    i   gdisk                           - GPT fdisk text-mode partitioning tool  
    p   gdisk:i386                      - GPT fdisk text-mode partitioning tool  

    But searching for just ssh returns far too much. To search on two terms at once we put both in one quoted pattern; aptitude then only lists packages whose name matches both terms. The match is a plain substring match, which is why aolserver4-nssha1 (ssh inside nssha1, server inside aolserver) shows up as well:

    user@mint18-srv ~ $ aptitude search "ssh server"
     
    p   aolserver4-nssha1               - AOLserver4 module: performs SHA1 hashes Pr
    p   aolserver4-nssha1:i386          - AOLserver4 module: performs SHA1 hashes Pr
    p   openssh-server                  - secure shell (SSH) server, for secure acce
    p   openssh-server:i386             - secure shell (SSH) server, for secure acce
    p   openssh-sftp-server             - secure shell (SSH) sftp server module, for
    p   openssh-sftp-server:i386        - secure shell (SSH) sftp server module, for
    v   ssh-server                      -                                           
    v   ssh-server:i386 
    • p at the start of a result means the package is not installed
    • i means installed
    • v means virtual package
      A virtual package is a generic name that applies to any one of a group of packages, all of which provide similar basic functionality. For example, both the konqueror and firefox-esr programs are web browsers, and should therefore satisfy any dependency of a program that requires a web browser on a system, in order to work or to be useful. They are therefore both said to provide the "virtual package" called www-browser.
       
  2. installing ssh-server
     
    Now that we know we need openssh-server, we install it as follows:
    $ sudo apt-get install openssh-server
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    The following additional packages will be installed:
    openssh-sftp-server
    Suggested packages:
    rssh molly-guard monkeysphere
    Recommended packages:
    ncurses-term ssh-import-id
    The following NEW packages will be installed:
    openssh-server openssh-sftp-server
    0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
    Need to get 376 kB of archives.
    After this operation, 1.021 kB of additional disk space will be used.
    Do you want to continue? [Y/n] y
    Get:1 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 openssh-sftp-server amd64 1:7.2p2-4ubuntu2.2 [38,7 kB]
    Get:2 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 openssh-server amd64 1:7.2p2-4ubuntu2.2 [338 kB]
    Fetched 376 kB in 0s (1.969 kB/s)   
    Preconfiguring packages ...
    Selecting previously unselected package openssh-sftp-server.
    (Reading database ... 225998 files and directories currently installed.)
    Preparing to unpack .../openssh-sftp-server_1%3a7.2p2-4ubuntu2.2_amd64.deb ...
    Unpacking openssh-sftp-server (1:7.2p2-4ubuntu2.2) ...
    Selecting previously unselected package openssh-server.
    Preparing to unpack .../openssh-server_1%3a7.2p2-4ubuntu2.2_amd64.deb ...
    Unpacking openssh-server (1:7.2p2-4ubuntu2.2) ...
    Processing triggers for man-db (2.7.5-1) ...
    Processing triggers for ufw (0.35-0ubuntu2) ...
    Processing triggers for systemd (229-4ubuntu17) ...
    Processing triggers for ureadahead (0.100.0-19) ...
    Setting up openssh-sftp-server (1:7.2p2-4ubuntu2.2) ...
    Setting up openssh-server (1:7.2p2-4ubuntu2.2) ...
    Creating SSH2 RSA key; this may take some time ...
    2048 SHA256:Ryo0GopuAf8pOEFJstkkEW5TeBNbiyjhYH1P8NtcoUo root@mint18-srv (RSA)
    Creating SSH2 DSA key; this may take some time ...
    1024 SHA256:F56CpIaNaELDaLSIKQQrzZnd+LCDWlD8UF2mk5ZWniI root@mint18-srv (DSA)
    Creating SSH2 ECDSA key; this may take some time ...
    256 SHA256:6f+dLmtd7PpJhmDs38FRYfFY/ELXjsYhYED5d/wD/EM root@mint18-srv (ECDSA)
    Creating SSH2 ED25519 key; this may take some time ...
    256 SHA256:gFpJg/mAqM3lCN/xcd93OOeCfWFYSNP7twFyRqXVzPc root@mint18-srv (ED25519)
    Processing triggers for systemd (229-4ubuntu17) ...
    Processing triggers for ureadahead (0.100.0-19) ...
    Processing triggers for ufw (0.35-0ubuntu2) ...

    Note that the package also generated a DSA host key. OpenSSH has disabled ssh-dss host and user keys by default on the client side since version 7.0, so current clients never use that key; the RSA, ECDSA and ED25519 keys are the ones that matter.

    We can test the ssh server with the command
    $ ssh localhost
     
    On the first connection ssh does not know the server yet: it shows the server's host key fingerprint and asks whether you want to continue. That fingerprint is one of the values printed during the installation above; compare them before you answer yes. This first confirmation is the trust-on-first-use moment: afterwards the key is stored in ~/.ssh/known_hosts and a different key from the same host triggers a warning. Don't forget to type exit when you are done.
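How the fingerprints in the installation output are computed, as an added example (this is not code from the page or from OpenSSH): a public key line in /etc/ssh/*.pub is `<type> <base64 blob> [comment]`, the blob is a sequence of length-prefixed fields, and the fingerprint that ssh-keygen -l prints is the SHA-256 of the whole blob, base64-encoded with the padding stripped. The key bytes in the block are a constructed pattern, not a real key, and the function names are this example's own.

```python
"""Recompute an OpenSSH key fingerprint from a public key line.

Added example for the ssh-server page; not code from the page or from OpenSSH.
The values printed while the package generated its host keys, such as
"256 SHA256:gFpJ... root@mint18-srv (ED25519)", are fingerprints of the
public keys in /etc/ssh/*.pub, and the same value is what a client shows on
its first connection. This script shows how that value is derived.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (RFC 4251): uint32 length, payload."""
    return struct.pack(">I", len(data)) + data


def parse_ssh_strings(blob: bytes) -> list:
    """Split a public key blob into its length-prefixed fields; reject truncation."""
    fields, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        if offset + length > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[offset:offset + length])
        offset += length
    return fields


def parse_pubkey_line(line: str):
    """Parse one line of a .pub or authorized_keys file.

    Returns (key_type, blob, comment). The type named in the text must equal
    the type stored as the first field of the blob; a mismatch is what a
    hand-edited or tampered key line looks like.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, encoded = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(encoded, validate=True)
    fields = parse_ssh_strings(blob)
    if not fields or fields[0] != key_type.encode("ascii"):
        raise ValueError("declared key type does not match the blob")
    return key_type, blob, comment


def check_pubkey_line(line: str) -> bool:
    """True when the line parses and its declared type matches the blob."""
    try:
        parse_pubkey_line(line)
        return True
    except ValueError:          # binascii.Error (bad base64) is a ValueError too
        return False


def sha256_fingerprint(blob: bytes) -> str:
    """Fingerprint as ssh-keygen -l prints it: base64(SHA-256(blob)) without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy colon-separated form (ssh-keygen -l -E md5), still seen in old docs."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_of_line(line: str) -> str:
    """Fingerprint of a whole public key line."""
    return sha256_fingerprint(parse_pubkey_line(line)[1])


# Constructed sample: NOT a real key. The 32 public-key bytes are a fixed
# pattern, but the framing is exactly what ssh-keygen writes for ed25519
# (string "ssh-ed25519", string <32 bytes>), so the fingerprint arithmetic is the same.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_PUBKEY_LINE = "ssh-ed25519 %s root@mint18-srv" % base64.b64encode(SAMPLE_BLOB).decode("ascii")


if __name__ == "__main__":
    key_type, blob, comment = parse_pubkey_line(SAMPLE_PUBKEY_LINE)
    print(key_type, sha256_fingerprint(blob), comment)
    print(md5_fingerprint(blob))
```

On a real server the same value comes from `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` (add `-E md5` for the old colon form); read it on the console or over a channel you already trust, and compare it with what the client prints before you type yes.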
     

  3. version of openssh-server
     
    type the following:
     
    $ dpkg -l | grep openssh
    ii  openssh-client                              1:7.2p2-4ubuntu2.2                         amd64        secure shell (SSH) client, for secure access to remote machines
    ii  openssh-server                              1:7.2p2-4ubuntu2.2                         amd64        secure shell (SSH) server, for secure access from remote machines
    ii  openssh-sftp-server                         1:7.2p2-4ubuntu2.2                         amd64        secure shell (SSH) sftp server module, for SFTP access from remote machines
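Knowing the version is only useful if you can compare it with the version that carries a fix, and "1:7.2p2-4ubuntu2.2" is not something you can compare as a plain string. The following added example (not part of dpkg or the page) implements the Debian version ordering that `dpkg --compare-versions` uses, parses the `dpkg -l` lines above, and reports packages below a minimum. The minimum versions in REQUIRED are made-up policy values for the demonstration, not fixed versions for any particular vulnerability, and the extra 'rc' line in the sample is constructed to show why the status column matters.

```python
"""Compare Debian package versions the way dpkg does.

Added example for the ssh-server page; not part of dpkg or the page. The
version column of `dpkg -l` has the form [epoch:]upstream[-revision]; the
ordering below follows Debian Policy 5.6.12, the rules behind
`dpkg --compare-versions`.
"""


def _order(c: str) -> int:
    """Sort weight of one non-numeric character: '~' before everything (even the
    end of the string), then letters, then other characters."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments (upstream or revision); <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit run: character by character with the modified ordering
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # digit run: numeric comparison, leading zeros ignored
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1            # a has more digits, so its number is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str):
    """Split [epoch:]upstream[-revision]; a missing revision counts as '0'."""
    epoch = 0
    if ":" in version:
        epoch_text, version = version.split(":", 1)
        epoch = int(epoch_text)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, "0"
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as a is older than, equal to or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


def installed_packages(dpkg_l_output: str) -> dict:
    """Map package name -> version for `dpkg -l` lines with status 'ii'
    (installed and configured). 'rc' lines are removed packages whose config
    files remain; a plain `grep` on the name would count them as present."""
    packages = {}
    for line in dpkg_l_output.splitlines():
        parts = line.split(None, 4)
        if len(parts) >= 3 and parts[0] == "ii":
            packages[parts[1]] = parts[2]
    return packages


def below_minimum(installed: dict, required: dict) -> list:
    """(name, installed, required) for packages older than the required version."""
    return [(name, installed[name], minimum)
            for name, minimum in required.items()
            if name in installed and compare_versions(installed[name], minimum) < 0]


# The three lines from the `dpkg -l | grep openssh` output above, plus one
# constructed 'rc' line to show why the status column matters.
SAMPLE_DPKG_L = """\
ii  openssh-client                              1:7.2p2-4ubuntu2.2                         amd64        secure shell (SSH) client, for secure access to remote machines
ii  openssh-server                              1:7.2p2-4ubuntu2.2                         amd64        secure shell (SSH) server, for secure access from remote machines
ii  openssh-sftp-server                         1:7.2p2-4ubuntu2.2                         amd64        secure shell (SSH) sftp server module, for SFTP access from remote machines
rc  openssh-blacklist                           0.4.1+nmu1                                 all          list of default blacklisted OpenSSH RSA and DSA keys
"""

# Hypothetical minimum versions for this demonstration only; a real policy
# would take them from your distribution's security tracker.
REQUIRED = {
    "openssh-server": "1:7.2p2-4ubuntu2.1",   # satisfied by the installed 2.2
    "openssh-client": "1:7.4p1-1",            # not satisfied
}


if __name__ == "__main__":
    for finding in below_minimum(installed_packages(SAMPLE_DPKG_L), REQUIRED):
        print("%s: installed %s is older than required %s" % finding)
```

The shell equivalent for a single pair is `dpkg --compare-versions "1:7.2p2-4ubuntu2.2" ge "1:7.4p1-1"; echo $?` (0 means true); the Python version is handy when you want to check a whole `dpkg -l` listing against a list of minimums.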

     

  4. contents of the openssh-server package
     
    With dpkg -L we can list all files of a package:
     
    user@mint18-srv ~ $ dpkg -L openssh-server
    /lib
    /lib/systemd
    /lib/systemd/system
    /lib/systemd/system/ssh.service
    /lib/systemd/system/ssh@.service
    /lib/systemd/system/ssh.socket
    /etc
    /etc/ufw
    /etc/ufw/applications.d
    /etc/ufw/applications.d/openssh-server
    /etc/default
    /etc/default/ssh
    /etc/network
    /etc/network/if-up.d
    /etc/network/if-up.d/openssh-server
    /etc/init.d
    /etc/init.d/ssh
    /etc/init
    /etc/init/ssh.conf
    /etc/pam.d
    /etc/pam.d/sshd
    /usr
    /usr/lib
    /usr/lib/tmpfiles.d
    /usr/lib/tmpfiles.d/sshd.conf
    /usr/sbin
    /usr/sbin/sshd
    /usr/share
    /usr/share/lintian
    /usr/share/lintian/overrides
    /usr/share/lintian/overrides/openssh-server
    /usr/share/apport
    /usr/share/apport/package-hooks
    /usr/share/apport/package-hooks/openssh-server.py
    /usr/share/doc
    /usr/share/doc/openssh-client
    /usr/share/doc/openssh-client/examples
    /usr/share/doc/openssh-client/examples/sshd_config
    /usr/share/man
    /usr/share/man/man5
    /usr/share/man/man5/sshd_config.5.gz
    /usr/share/man/man8
    /usr/share/man/man8/sshd.8.gz
    /usr/share/doc/openssh-server
    /usr/share/man/man5/authorized_keys.5.gz
    • libraries are in /lib and/or /usr/lib
    • system binaries are in /sbin or /usr/sbin (daemons normally live in /usr/sbin)
    • /usr/share holds docs, man pages, icons and the like
    • /etc holds config files
       
      a) For openssh-server the daemon binary is /usr/sbin/sshd
      wikipedia: In multitasking computer operating systems, a daemon (/ˈdiːmən/ or /ˈdeɪmən/) is a computer program that runs as a background process, rather than being under the direct control of an interactive user. Traditionally, the process names of a daemon end with the letter d, for clarification that the process is, in fact, a daemon, and for differentiation between a daemon and a normal computer program. For example, syslogd is the daemon that implements the system logging facility, and sshd is a daemon that serves incoming SSH connections.
       
      b) The config file of openssh-server is /etc/ssh/sshd_config. It does not appear in the dpkg -L listing above because the package does not ship it as a file: the package's installation scripts write it at install time, which is what the "Package generated configuration file" comment at the top of the file refers to.
       
      c) exercises:
       
      • use aptitude search to find all packages with vim in their name
      • use aptitude search to find the package vim nox (two terms)
      • check with dpkg -l and grep whether the package mc (Midnight Commander) is installed (look at the status column, not only at whether the name appears); if not, install it
      • examine the package mc and its dependency mc-data with dpkg -L
      • what is a dependency
         
  5. daemon administration: systemctl
     
    Red Hat (since RHEL 7), Debian (since 8), Ubuntu (since 15.04) and Linux Mint (since 18, in 2016) all use systemd for service management.
    An extensive explanation can be found here: digital ocean systemd.
     
    We briefly show the most important functions:
     
    a) show the status of openssh: [systemctl status name.service]
     
    user@mint18-srv ~ $ sudo systemctl status ssh.service

    ● ssh.service - OpenBSD Secure Shell server
    Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enab
    Active: active (running) since Wed 2017-05-31 15:19:38 CEST; 1h 8min ago
    Main PID: 2620 (sshd)
    CGroup: /system.slice/ssh.service
           └─2620 /usr/sbin/sshd -D
     
    May 31 15:19:38 mint18-srv systemd[1]: Starting OpenBSD Secure Shell server...
    May 31 15:19:38 mint18-srv sshd[2620]: Server listening on 0.0.0.0 port 22.
    May 31 15:19:38 mint18-srv sshd[2620]: Server listening on :: port 22.
    May 31 15:19:38 mint18-srv systemd[1]: Started OpenBSD Secure Shell server.
    May 31 15:55:57 mint18-srv sshd[2924]: Accepted password for bert from 127.0.0.1
    May 31 15:55:57 mint18-srv sshd[2924]: pam_unix(sshd:session): session opened ..

     
    b) stop the ssh daemon: [systemctl stop name.service]
     
    user@mint18-srv ~ $ sudo systemctl stop ssh.service
    (the command prints nothing on success; we have to query the status to see the effect ...)
    user@mint18-srv ~ $ systemctl status ssh.service

    ● ssh.service - OpenBSD Secure Shell server
    Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enab
    Active: inactive (dead) since Wed 2017-05-31 16:31:10 CEST; 4s ago
    Main PID: 2620 (code=exited, status=0/SUCCESS)
    ...
    May 31 16:31:10 mint18-srv systemd[1]: Stopping OpenBSD Secure Shell server...
    May 31 16:31:10 mint18-srv systemd[1]: Stopped OpenBSD Secure Shell server.

     
    c) start the ssh daemon: [systemctl start name.service]
     
    user@mint18-srv ~ $ sudo systemctl start ssh.service
    user@mint18-srv ~ $ systemctl status ssh.service

    ● ssh.service - OpenBSD Secure Shell server
    Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
    Active: active (running) since Wed 2017-05-31 16:36:19 CEST; 5s ago
    Main PID: 3046 (sshd)
    CGroup: /system.slice/ssh.service
           └─3046 /usr/sbin/sshd -D
    May 31 16:36:19 mint18-srv systemd[1]: Starting OpenBSD Secure Shell server...
    May 31 16:36:19 mint18-srv sshd[3046]: Server listening on 0.0.0.0 port 22.
    May 31 16:36:19 mint18-srv sshd[3046]: Server listening on :: port 22.
    May 31 16:36:19 mint18-srv systemd[1]: Started OpenBSD Secure Shell server.

     
    d) restart the ssh daemon: [systemctl restart name.service]
     
    a restart is a stop followed by a start
     
    user@mint18-srv ~ $ sudo systemctl restart ssh.service
    user@mint18-srv ~ $ systemctl status ssh.service

    ● ssh.service - OpenBSD Secure Shell server
    Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
    Active: active (running) since Wed 2017-05-31 16:40:56 CEST; 1s ago
    Main PID: 3055 (sshd)
    CGroup: /system.slice/ssh.service
           └─3055 /usr/sbin/sshd -D
    May 31 16:40:56 mint18-srv systemd[1]: Starting OpenBSD Secure Shell server...
    May 31 16:40:56 mint18-srv sshd[3055]: Server listening on 0.0.0.0 port 22.
    May 31 16:40:56 mint18-srv sshd[3055]: Server listening on :: port 22.
    May 31 16:40:56 mint18-srv systemd[1]: Started OpenBSD Secure Shell server.

    Note that the PID changed from 3046 to 3055: the restart replaced the sshd process with a new one.
     
    e) reload the ssh daemon: [systemctl reload name.service]
     
    a reload makes the running daemon re-read its config file (usually after changes). Only do this after checking the new file with sshd's -t (test) option: sshd handles the reload by re-executing itself, and if it cannot parse the configuration the new sshd exits and nothing listens on port 22 any more, while the session you are working in stays open. Keep that session open until you have logged in again from a second terminal.
     
    user@mint18-srv ~ $ sudo systemctl reload ssh.service
    user@mint18-srv ~ $ systemctl status ssh.service

    ● ssh.service - OpenBSD Secure Shell server
    Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
    Active: active (running) since Wed 2017-05-31 16:40:56 CEST; 4min 21s ago
    Process: 3064 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
    Main PID: 3055 (sshd)
    CGroup: /system.slice/ssh.service
           └─3055 /usr/sbin/sshd -D
    May 31 16:40:56 mint18-srv systemd[1]: Starting OpenBSD Secure Shell server...
    May 31 16:40:56 mint18-srv sshd[3055]: Server listening on 0.0.0.0 port 22.
    May 31 16:40:56 mint18-srv sshd[3055]: Server listening on :: port 22.
    May 31 16:40:56 mint18-srv systemd[1]: Started OpenBSD Secure Shell server.
    May 31 16:45:16 mint18-srv systemd[1]: Reloading OpenBSD Secure Shell server.
    May 31 16:45:16 mint18-srv sshd[3055]: Received SIGHUP; restarting.
    May 31 16:45:16 mint18-srv systemd[1]: Reloaded OpenBSD Secure Shell server.
    May 31 16:45:16 mint18-srv sshd[3055]: Server listening on 0.0.0.0 port 22.

    The PID has stayed the same: on SIGHUP sshd re-executes itself with the same arguments and re-reads sshd_config, so the existing process carries on with the new configuration. Sessions that were already open are not affected.
     
    f) disable the ssh daemon: [systemctl disable name.service]
     
    disable means the service is no longer started automatically when your server boots
     
    user@mint18-srv ~ $ sudo systemctl disable ssh.service

    Synchronizing state of ssh.service with SysV init with /lib/systemd/systemd-sysv-install...
    Executing /lib/systemd/systemd-sysv-install disable ssh
    insserv: warning: current start runlevel(s) (empty) of script `ssh' overrides LSB defaults (2 3 4 5).
    insserv: warning: current stop runlevel(s) (2 3 4 5) of script `ssh' overrides LSB defaults (empty).
    Removed symlink /etc/systemd/system/sshd.service.

    user@mint18-srv ~ $ systemctl status ssh.service

    ● ssh.service - OpenBSD Secure Shell server
    Loaded: loaded (/lib/systemd/system/ssh.service; disabled; vendor preset: enabled)
    Active: active (running) since di 2017-06-06 12:32:52 CEST; 6h ago

    Although the service will no longer start automatically at the next system boot, it is left alone for now and ssh.service keeps running. Enabled/disabled and active/inactive are independent states: the status output shows both, and you need to read both.
     
    We reboot the machine:
    user@mint18-srv ~ $ sudo init 6
    Connection to 192.168.5.240 closed by remote host. Connection to 192.168.5.240 closed.
     
    ... and afterwards try to log in again:
    frank@system3 ~ $ ssh user@192.168.5.240
    ssh: connect to host 192.168.5.240 port 22: Connection refused
     
    g) enable the ssh daemon: [systemctl enable name.service]

    enable means the service is started automatically at every boot of your server.
    When a service is installed with apt it is normally enabled automatically. Note that enable does not start the service now; that still takes systemctl start.
     
    user@mint18-srv ~ $ sudo systemctl enable ssh.service

    Synchronizing state of ssh.service with SysV init with /lib/systemd/systemd-sysv-install...
    Executing /lib/systemd/systemd-sysv-install enable ssh
    insserv: warning: current start runlevel(s) (empty) of script `ssh' overrides LSB defaults (2 3 4 5).
    insserv: warning: current stop runlevel(s) (2 3 4 5) of script `ssh' overrides LSB defaults (empty).
    Created symlink from /etc/systemd/system/sshd.service to /lib/systemd/system/ssh.service.

     
    h) exercise: try the examples above with systemctl on your own Mint system and/or on your Ubuntu server
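The two things you end up checking after every systemctl command above are whether the service is running now and whether it will come back after a reboot, plus, after a reload, which addresses and ports the new configuration actually listens on. The following added example (not part of systemd, OpenSSH or the page) does both from the key=value output of `systemctl show ssh.service` and from the journal lines that `systemctl status` prints. Both samples in the block are constructed in the formats shown above so that the script runs offline; in practice you feed it the real command output.

```python
"""Check that ssh.service runs now AND will come back after a reboot.

Added example for the ssh-server page; not part of systemd, OpenSSH or the page.
It works on the key=value output of `systemctl show ssh.service` and on the
journal lines that `systemctl status` prints.
"""
import re

LISTEN_RE = re.compile(r"sshd\[(\d+)\]: Server listening on (\S+) port (\d+)\.")
RELOAD_RE = re.compile(r"sshd\[(\d+)\]: Received SIGHUP; restarting\.")


def parse_show(text: str) -> dict:
    """Parse `systemctl show <unit>` output, one Property=Value per line."""
    props = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def boot_persistence(props: dict) -> str:
    """Combine the two independent states: active (running now) and enabled
    (started at boot). 'running-now-but-not-after-reboot' is the situation
    on the page right after `systemctl disable`."""
    active = props.get("ActiveState") == "active"
    enabled = props.get("UnitFileState") == "enabled"
    if active and enabled:
        return "ok"
    if active:
        return "running-now-but-not-after-reboot"
    if enabled:
        return "enabled-but-down"
    return "down-and-disabled"


def current_listeners(journal_lines) -> set:
    """(address, port) pairs announced by the sshd process that is alive now.

    A restart gives a new PID; a reload keeps the PID but logs 'Received
    SIGHUP; restarting.' before announcing its listeners again. In both cases
    the earlier announcements belong to a configuration that is gone.
    """
    listeners, pid = set(), None
    for line in journal_lines:
        if RELOAD_RE.search(line):
            listeners.clear()
            continue
        m = LISTEN_RE.search(line)
        if not m:
            continue
        if int(m.group(1)) != pid:
            listeners.clear()
            pid = int(m.group(1))
        listeners.add((m.group(2), int(m.group(3))))
    return listeners


def report(show_text: str, journal_lines) -> dict:
    """One dict with everything worth checking after a systemctl command."""
    props = parse_show(show_text)
    return {
        "unit": props.get("Id"),
        "main_pid": int(props.get("MainPID", "0")),
        "persistence": boot_persistence(props),
        "listeners": sorted(current_listeners(journal_lines)),
    }


# Constructed `systemctl show` output (only the properties used here) for the
# state on the page after `systemctl disable ssh.service`: running, not enabled.
SAMPLE_SHOW = """\
Id=ssh.service
LoadState=loaded
ActiveState=active
SubState=running
UnitFileState=disabled
MainPID=3055
"""

# Constructed journal in the page's format: a restart (PID 3046 -> 3055), then
# a reload after a second "Port 10022" line was added to sshd_config.
SAMPLE_JOURNAL = """\
May 31 16:36:19 mint18-srv sshd[3046]: Server listening on 0.0.0.0 port 22.
May 31 16:36:19 mint18-srv sshd[3046]: Server listening on :: port 22.
May 31 16:40:56 mint18-srv systemd[1]: Starting OpenBSD Secure Shell server...
May 31 16:40:56 mint18-srv sshd[3055]: Server listening on 0.0.0.0 port 22.
May 31 16:40:56 mint18-srv sshd[3055]: Server listening on :: port 22.
May 31 16:45:16 mint18-srv systemd[1]: Reloading OpenBSD Secure Shell server.
May 31 16:45:16 mint18-srv sshd[3055]: Received SIGHUP; restarting.
May 31 16:45:16 mint18-srv sshd[3055]: Server listening on 0.0.0.0 port 22.
May 31 16:45:16 mint18-srv sshd[3055]: Server listening on 0.0.0.0 port 10022.
May 31 16:45:16 mint18-srv sshd[3055]: Server listening on :: port 22.
May 31 16:45:16 mint18-srv sshd[3055]: Server listening on :: port 10022.
""".splitlines()


if __name__ == "__main__":
    for key, value in report(SAMPLE_SHOW, SAMPLE_JOURNAL).items():
        print("%-12s %s" % (key, value))
```

With real data: `systemctl show ssh.service` gives the properties and `journalctl -u ssh.service` the lines; a result of running-now-but-not-after-reboot is exactly the trap in f) above, where ssh still answers until the next reboot and then is gone.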
     

  6. configuration file
     
    Let's look at the config file:
    $ cat /etc/ssh/sshd_config
    # Package generated configuration file
    # See the sshd_config(5) manpage for details
    #
    # What ports, IPs and protocols we listen for
    Port 22
    # Use these options to restrict which interfaces/protocols sshd will bind to
    #ListenAddress ::
    #ListenAddress 0.0.0.0
    Protocol 2
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key
    #Privilege Separation is turned on for security
    UsePrivilegeSeparation yes
    #
    # Lifetime and size of ephemeral version 1 server key
    KeyRegenerationInterval 3600
    ServerKeyBits 1024
    #
    # Logging
    SyslogFacility AUTH
    LogLevel INFO
    #
    # Authentication:
    LoginGraceTime 120
    PermitRootLogin prohibit-password
    StrictModes yes
    #
    RSAAuthentication yes
    PubkeyAuthentication yes
    #AuthorizedKeysFile %h/.ssh/authorized_keys
    #
    # Don't read the user's ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes
    # For this to work you will also need host keys in /etc/ssh_known_hosts
    RhostsRSAAuthentication no
    # similar for protocol version 2
    HostbasedAuthentication no
    # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
    #IgnoreUserKnownHosts yes
    #
    # To enable empty passwords, change to yes (NOT RECOMMENDED)
    PermitEmptyPasswords no
    #
    # Change to yes to enable challenge-response passwords (beware issues with
    # some PAM modules and threads)
    ChallengeResponseAuthentication no
    #
    # Change to no to disable tunnelled clear text passwords
    #PasswordAuthentication yes
    #
    # Kerberos options
    #KerberosAuthentication no
    #KerberosGetAFSToken no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #
    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes
    #
    X11Forwarding yes
    X11DisplayOffset 10
    PrintMotd no
    PrintLastLog yes
    TCPKeepAlive yes
    #UseLogin no
    #
    #MaxStartups 10:30:60
    #Banner /etc/issue.net
    #
    # Allow client to pass locale environment variables
    AcceptEnv LANG LC_*
    #
    Subsystem sftp /usr/lib/openssh/sftp-server
    #
    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes

    Port lets the ssh service listen on a port number other than the default TCP port 22. The keyword may be given more than once; sshd then listens on all of the ports listed.
     
    PermitRootLogin should be set to no or to prohibit-password (the older spelling without-password, used in the comment block at the end of the file, means the same). With prohibit-password root can only log in with a key pair set up beforehand, never with a password.
     
    X11Forwarding (enabled in the file above) is for those who want to bring graphical programs over to a local desktop, with the command ssh -X -f. Turn it off on a server that never needs it.
     
    Two more things to keep in mind: for most keywords sshd uses the first value it finds, so a second PasswordAuthentication line added at the bottom of the file changes nothing, and PasswordAuthentication defaults to yes when the line is commented out, as it is here.
     
    Want to know more? Consult the man page of sshd_config.
     
    $ man sshd_config

    SSHD_CONFIG(5)                 BSD File Formats Manual                 SSHD_CONFIG(5)
    NAME
     sshd_config — OpenSSH SSH daemon configuration file
    SYNOPSIS
     /etc/ssh/sshd_config
    DESCRIPTION
     sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file speci‐
     fied with -f on the command line).  The file contains keyword-argument pairs,
     one per line.  Lines starting with ‘#’ and empty lines are interpreted as com‐
     ments.  Arguments may optionally be enclosed in double quotes (") in order to
     represent arguments containing spaces.
    ...

     
    exercise:

    • can you reach your Mint ssh server via sftp with FileZilla (put it in bridged network mode if needed)
    • can you change the port number to 10022
      (test whether it works with ssh -p 10022 localhost)
    • can you make both port 22 and 10022 work
      does FileZilla now also work on port 10022
    • can you change the port number on your Ubuntu server to 22 and 20022
      can you also reach it with FileZilla (the Ubuntu server should already be bridged)
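Before reloading ssh with a changed sshd_config, as in the exercise above, it pays to read the file the way sshd does and to list what is weak in it. The following added example (not part of OpenSSH or the page) applies two parsing rules from sshd_config(5) that matter for this: for a single-valued keyword the first value in the file wins, and everything after a Match line only applies to connections that match. The checks and both sample configs are this example's own choices: an abridged copy of the package-generated file shown above, and a hardened variant for the two-port exercise whose Match block assumes your LAN is 192.168.5.0/24.

```python
"""Audit an sshd_config before reloading the service.

Added example for the ssh-server page; not part of OpenSSH or the page.
"""
import re

LINE_RE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*?)\s*$")   # sshd also accepts Keyword=value
MULTI_VALUED = {"port", "hostkey", "listenaddress", "acceptenv"}   # these accumulate


def parse_sshd_config(text: str):
    """Return (global_settings, match_blocks). Keys are lower-cased, values kept
    as written; match_blocks is a list of (criteria, settings)."""
    settings, match_blocks = {}, []
    current = settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("cannot parse line: %r" % raw)
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            current = {}
            match_blocks.append((value, current))
        elif key in MULTI_VALUED:
            current.setdefault(key, []).append(value)
        else:
            current.setdefault(key, value)      # first value wins, as in sshd
    return settings, match_blocks


def ports(settings: dict) -> list:
    """All ports sshd will listen on; 22 when no Port line is present."""
    return [int(p) for p in settings.get("port", ["22"])]


def audit(settings: dict) -> list:
    """(severity, keyword, message) findings for the global section."""
    findings = []

    def value(key, default):
        return settings.get(key, default).lower()

    if value("permitrootlogin", "unset") not in ("no", "prohibit-password", "without-password"):
        findings.append(("high", "PermitRootLogin", "set it to 'no' or 'prohibit-password'"))
    if value("passwordauthentication", "yes") == "yes":
        findings.append(("medium", "PasswordAuthentication",
                         "enabled (the default when the line is absent); set 'no' once keys are deployed"))
    if value("permitemptypasswords", "no") == "yes":
        findings.append(("high", "PermitEmptyPasswords", "accounts without a password can log in"))
    if "1" in value("protocol", "2").split(","):
        findings.append(("high", "Protocol", "protocol 1 is enabled"))
    for path in settings.get("hostkey", []):
        if "dsa" in path.lower():
            findings.append(("medium", "HostKey",
                             "%s: ssh-dss is disabled by default in OpenSSH clients since 7.0; drop the line" % path))
    if value("x11forwarding", "no") == "yes":
        findings.append(("info", "X11Forwarding",
                         "enabled: programs on the server get access to the connecting client's X display"))
    if value("loglevel", "info") != "verbose":
        findings.append(("info", "LogLevel", "VERBOSE also logs the fingerprint of the key that authenticated"))
    return findings


# Abridged copy of the package-generated file shown above (only lines the audit reads).
PAGE_CONFIG = """\
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
LogLevel INFO
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
#PasswordAuthentication yes
X11Forwarding yes
UsePAM yes
"""

# Hardened variant for the exercise: ports 22 and 10022, keys only, no DSA key.
# The Match block (assumed LAN 192.168.5.0/24) is the one place passwords stay allowed.
HARDENED_CONFIG = """\
Port 22
Port 10022
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
LogLevel VERBOSE
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding no
UsePAM yes
# Appending a duplicate at the bottom does not override the earlier line:
PasswordAuthentication yes
Match Address 192.168.5.0/24
    PasswordAuthentication yes
"""


if __name__ == "__main__":
    for name, text in (("page config", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        global_settings, match_blocks = parse_sshd_config(text)
        print("%s: ports %s, %d Match block(s)" % (name, ports(global_settings), len(match_blocks)))
        for finding in audit(global_settings):
            print("  [%s] %s: %s" % finding)
```

To apply a changed file safely: write it to a temporary path and run `sudo sshd -t -f /path/to/sshd_config.new` first; with -t sshd only checks the configuration and exits, so a typo is caught before it can take the listener down. Then install the file, run `sudo systemctl reload ssh.service`, and log in on the new port from a second terminal before closing the session you are working in. If ufw is active, the OpenSSH application profile the package installs (/etc/ufw/applications.d/openssh-server in the file list above) only covers port 22, so the extra port has to be allowed separately.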