Difference between revisions of "SSH"

From Cncz
m ([en]SSH tips and settings[/en][nl]SSH Instellingen en tips[/nl])
 
(26 intermediate revisions by 7 users not shown)
Line 1: Line 1:
 +
== SSH Secure Shell ==
 +
[nl]
 +
SSH wordt gebruikt om een beveiligde (niet-afluisterbare) terminal-verbinding te maken met een server. Alle C&CZ [https://wiki.science.ru.nl/cncz/Hardware_servers#Linux_.5Bloginservers.5D.5Blogin_servers.5D Linux loginservers] zijn via SSH te benaderen op de standaard poort 22, maar ook op poorten 80 en 443.
 +
[/nl]
 +
[en]
 +
SSH is used to get a secure terminal-connection to a login server. All [https://wiki.science.ru.nl/cncz/Hardware_servers#Linux_.5Bloginservers.5D.5Blogin_servers.5D Linux loginservers] can be reached with SSH client software, not only on the standard port 22, but also on ports 80 and 443.
 +
[/en]
  
  
== SSH Secure Shell ==
+
=== [en]Recommended ssh client software[/en][nl]Aangeraden SSH client software[/nl] ===
 +
[en]
 +
* Windows:
 +
** [http://mobaxterm.mobatek.net/ MobaXterm]. From the MobaXterm website: "MobaXterm is an enhanced terminal for Windows with an X11 server, a tabbed SSH client and several other network tools for remote computing (VNC, RDP, telnet, rlogin). MobaXterm brings all the essential Unix commands to Windows desktop, in a single portable exe file which works out of the box." The support of OpenGL could also be a reason to start using MobaXterm. If you use it professionally, you should consider subscribing to [http://mobaxterm.mobatek.net/download.html MobaXterm Professional Edition]. MobaXterm is available on the [[S-schijf|S-disc]].
 +
** [https://mosh.org/ Mosh] (mobile Shell) when roaming and intermittent connections.
 +
** [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html PuTTY].
 +
** The OpenSSH client provided by [https://www.cygwin.com/ Cygwin].
 +
* Linux: Your computer should have ssh installed by default. Otherwise, install the openssh-client package. Install [https://mosh.org/ Mosh] (mobile Shell) when roaming or having intermittent connections.
 +
* OS X: the ssh client should be available on your Mac. For graphical/X11 functionality one can install [http://xquartz.macosforge.org XQuartz]. Install [https://mosh.org/ Mosh] (mobile Shell) when roaming or having intermittent connections.
 +
* Android: [https://juicessh.com/ JuiceSSH] or [https://connectbot.org/ ConnectBot]. Install [https://mosh.org/ Mosh] (mobile Shell) when roaming or having intermittent connections.
 +
[/en]
 +
[nl]
 +
* Windows:
 +
** [http://mobaxterm.mobatek.net/ MobaXterm]. Uit de MobaXterm website: "MobaXterm is een verbeterde terminal voor Windows met een X11 server, een SSH client met tabbladen en bevat een aantal andere netwerktools voor remote computing (VNC, RDP, telnet, rlogin). MobaXterm brengt alle essentiële Unix-commando's naar het Windows bureaublad, in een enkele exe-bestand die werkt uit de doos." Ook de OpenGL-ondersteuning kan een reden zijn om MobaXterm te gaan gebruiken. Bij professioneel gebruik dient men een [http://mobaxterm.mobatek.net/download.html licentie voor de Professional Edition] te overwegen. MobaXterm is ook beschikbaar op de [[S-schijf]].
 +
** [https://mosh.org/ Mosh] (mobile Shell) , speciaal bij roaming en niet-stabiele verbindingen.
 +
** [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html PuTTY].
 +
** De OpenSSH client van [https://www.cygwin.com/ Cygwin].
 +
* Linux: ssh is standaard geïnstalleerd. Als dat niet zo is, installeer dan het pakket openssh-client. Installeer [https://mosh.org/ Mosh] (mobile Shell) bij niet-stabiele verbindingen.
 +
* OS X: ssh is standaard geïnstalleerd op de Mac. Voor grafische/X11-functionaliteit kan men [http://xquartz.macosforge.org XQuartz] installeren. Installeer [https://mosh.org/ Mosh] (mobile Shell) bij niet-stabiele verbindingen.
 +
* Android: [https://juicessh.com/ JuiceSSH] of [https://connectbot.org/ ConnectBot]. Installeer [https://mosh.org/ Mosh] (mobile Shell) bij niet-stabiele verbindingen.
 +
[/nl]
 +
=== [en]Recommended file transfer clients[/en][nl]Aangeraden software voor bestandsoverdracht[/nl] ===
 +
[en]
 +
* Windows: [http://mobaxterm.mobatek.net/ MobaXterm] or [https://winscp.net WinSCP]
 +
* Linux: scp
 +
* OS X and Windows: [https://cyberduck.io/ Cyberduck]
 +
[/en]
 +
[nl]
 +
* Windows: [http://mobaxterm.mobatek.net/ MobaXterm] of [https://winscp.net WinSCP]
 +
* Linux: scp
 +
* OS X en Windows: [https://cyberduck.io/ Cyberduck]
 +
[/nl]
 +
 
 +
 
 +
=== [en]SSH tips and settings[/en][nl]SSH Instellingen en tips[/nl] ===
 +
 
 +
[nl]
 +
Om waarschuwingen te voorkomen over mogelijk veranderde ssh keys en ook meldingen als 'unknown host' als je een ssh-verbinding met een host
 +
in het science.ru.nl domein maakt, hebben we de publieke sleutel van al onze servers getekend.
 +
Als je de volgende regels toevoegt aan het bestand 'config' in de .ssh directory in je (lokale) home directory
 +
(het kan zijn dat dit file nog niet bestaat)
 +
[/nl]
 +
[en]
 +
To avoid warnings about possibly changed ssh keys and prevent messages with 'unkown host' the first time you connect to a
 +
host in the science.ru.nl domain, we have signed the public keys of all our  servers.
 +
If you add the following lines to the file 'config' in the .ssh directory in your (local) home directory
 +
(maybe this file has to be created)
 +
[/en]
 +
  CanonicalDomains science.ru.nl
 +
  CanonicalizeFallbackLocal no
 +
  CanonicalizeHostname yes
 +
 
 +
[nl]
 +
en de volgende regel aan .ssh/known_hosts
 +
[/nl]
 +
[en]
 +
and the following line to .ssh/known_hosts
 +
[/en]
 +
  @cert-authority *.science.ru.nl ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAHpJveyOrLKFRDsbiW/29OadbCbkmUaIXnWbhVwtytbpftAc7Stj2RYa8yBmgfdm82T/UBVu1tLbeeCYQI8UlCvbAALMx+I60ux+iEGVdDBgIOjeu6LuY12pksVlXy/nKc59+m3AdMXfGHA8cI/O8eFosQLJ+dck7SBcvTT4lPhEcSQxg==
 +
 
 +
[nl]
 +
dan zullen door C&CZ getekende ssh keys van science.ru.nl hosts automatisch geaccepteerd worden. De wijziging van het 'config' bestand zorgt ervoor dat
 +
[/nl]
 +
[en]
 +
then C&CZ signed ssh keys of science.ru.nl hosts will be automatically accepted. The change to the 'config' file ensures that
 +
[/en]
 +
  ssh lilo5
 +
[nl]
 +
automatisch overeenkomt met lilo5.science.ru.nl (dus korte hostnaam volstaat) en de regel in known_hosts zorgt ervoor dat
 +
ssh alleen voor hostnamen die overeenkomen met *.science.ru.nl zal controleren of de publieke sleutel van de host getekend is door C&CZ
 +
en als dat inderdaad het geval is de sleutel zonder meer accepteren. Als je het config bestand niet wilt wijzigen, dan moet je altijd de
 +
volledige hostnaam gebruiken lilo5.science.ru.nl want anders komt de regel in known_hosts niet overeen.
 +
[/nl]
 +
[en]
 +
will match with lilo5.science.ru.nl and the line in known_hosts ensures that only for hostnames matching with *.science.ru.nl
 +
ssh will check whether the public key of the host is signed by C&CZ and if that is indeed the case will accept the host key.
 +
If you do not want to change the config file then you will always have to use the fully qualified hostname lilo5.science.ru.nl.
 +
[/en]
  
 
[nl]
 
[nl]
SSH wordt gebruikt om een beveiligde (niet-afluisterbare) terminal-verbinding te maken met een server. Alle C&amp;CZ Unix loginservers gebruiken de gratis SSH-server software van [http://www.openssh.org/ OpenSSH] of een versie die meekomt met het OS. Als gratis SSH software voor de werkplek raadt C&amp;CZ [http://www.chiark.greenend.org.uk/~sgtatham/putty <tt>PuTTY</tt>] en [http://winscp.sourceforge.net <tt>WinSCP</tt>] aan. Er staan versies van deze programma's op de Install-schijf, ook zijn ze beschikbaar op de door C&amp;CZ [[windows beheerde werkplek_|beheerde werkplek PC's]] (op de <tt>S:</tt> schijf, onder Unix te vinden als <tt>/vol/winxp-software/PuTTY</tt>).
+
Ssh kan gebruikt worden voor
 +
* port forwarding op een andere host
 +
* proxying van bv web verkeer
 +
* bijna volledige VPN functionaleit
 +
 
 +
Zie [http://blogs.perl.org/users/smylers/2011/08/ssh-productivity-tips.html dit artikel] voor enkele geweldige tips hoe je de ssh client kunt gebruiken en instellen.
 
[/nl]
 
[/nl]
 
[en]
 
[en]
SSH is used to get a secure terminal-connection to a login server. All C&amp;CZ Unix loginservers use SSH-server software of [http://www.openssh.org/ OpenSSH] or a version that comes with the OS. For the desktop C&amp;CZ advises to use the free SSH client software [http://www.chiark.greenend.org.uk/~sgtatham/putty <tt>PuTTY</tt>] and [http://winscp.sourceforge.net <tt>WinSCP</tt>] aan. Versions of this software can be found on the Install-disk. Of course they are also available on the C&amp;CZ managed [[windows beheerde werkplek|beheerde werkplek PC's]] (on the <tt>S:</tt> disk. On Unix this disk can be found as <tt>/vol/winxp-software/PuTTY</tt>).
+
Ssh can be used for:
 +
* port forwarding on another host
 +
* proxying for example web traffic
 +
* almost complete vpn functionality
 +
 
 +
Please consult [http://blogs.perl.org/users/smylers/2011/08/ssh-productivity-tips.html this article] for some excellent tips on how to use and configure your ssh client.
 
[/en]
 
[/en]
  
 +
=== [en]Preventing disconnects[/en] [nl]Verbindingsproblemen voorkomen[/nl] ===
 +
[en]
 +
In case you experience connectivity issues using ssh, use the following settings for your ssh-client. This can be done by adding the following lines to the config file .ssh/config (or /etc/ssh/ssh_config):
 +
[/en]
 +
[nl]
 +
Als je ervaart dat de ssh-verbinding zo nu en dan niet meer reageert, gebruik dan de volgende ssh-client instellingen. Zet onderstaande regels in het configuratiebestand .ssh/config (of /etc/ssh/ssh_config):
 +
[/nl]
 +
<nowiki>
 +
TCPKeepAlive no
 +
ServerAliveInterval 60
 +
ServerAliveCountMax 10</nowiki>
  
 
[[Category:Software]]
 
[[Category:Software]]
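
Review bot: In the added "SSH tips and settings" text, `CanonicalizeFallbackLocal no` is presented without its side effect: when canonicalization is enabled, ssh stops with an error for any short host name it cannot find in science.ru.nl instead of falling back to the local resolver, so the instructions should say this or say where in the config file the three lines belong. The added English paragraph also misspells 'unknown host' as 'unkown host'.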

Latest revision as of 13:54, 20 April 2021

SSH Secure Shell

SSH is used to get a secure terminal connection to a login server. All Linux login servers can be reached with SSH client software, not only on the standard port 22, but also on ports 80 and 443.


Recommended ssh client software

  • Windows:
    • MobaXterm. From the MobaXterm website: "MobaXterm is an enhanced terminal for Windows with an X11 server, a tabbed SSH client and several other network tools for remote computing (VNC, RDP, telnet, rlogin). MobaXterm brings all the essential Unix commands to Windows desktop, in a single portable exe file which works out of the box." The support of OpenGL could also be a reason to start using MobaXterm. If you use it professionally, you should consider subscribing to MobaXterm Professional Edition. MobaXterm is available on the S-disc.
    • Mosh (mobile shell), for roaming and intermittent connections.
    • PuTTY.
    • The OpenSSH client provided by Cygwin.
  • Linux: Your computer should have ssh installed by default. Otherwise, install the openssh-client package. Install Mosh (mobile Shell) when roaming or having intermittent connections.
  • OS X: the ssh client should be available on your Mac. For graphical/X11 functionality one can install XQuartz. Install Mosh (mobile Shell) when roaming or having intermittent connections.
  • Android: JuiceSSH or ConnectBot. Install Mosh (mobile Shell) when roaming or having intermittent connections.

Recommended file transfer clients

  • Windows: MobaXterm or WinSCP
  • Linux: scp
  • OS X and Windows: Cyberduck

SSH tips and settings

To avoid warnings about possibly changed SSH host keys, and to prevent 'unknown host' messages the first time you connect to a host in the science.ru.nl domain, we have signed the public keys of all our servers. If you add the following lines to the file 'config' in the .ssh directory in your (local) home directory (you may have to create this file)

  CanonicalDomains science.ru.nl
  CanonicalizeFallbackLocal no
  CanonicalizeHostname yes

and the following line to .ssh/known_hosts

  @cert-authority *.science.ru.nl ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAHpJveyOrLKFRDsbiW/29OadbCbkmUaIXnWbhVwtytbpftAc7Stj2RYa8yBmgfdm82T/UBVu1tLbeeCYQI8UlCvbAALMx+I60ux+iEGVdDBgIOjeu6LuY12pksVlXy/nKc59+m3AdMXfGHA8cI/O8eFosQLJ+dck7SBcvTT4lPhEcSQxg==

then host keys of science.ru.nl hosts that are signed by C&CZ will be accepted automatically. The change to the 'config' file ensures that

  ssh lilo5

will match lilo5.science.ru.nl, so the short hostname is enough. The line in known_hosts ensures that, only for hostnames matching *.science.ru.nl, ssh checks whether the public key of the host is signed by C&CZ and, if so, accepts the host key. If you do not want to change the config file, you will always have to use the fully qualified hostname lilo5.science.ru.nl, because otherwise the line in known_hosts does not match.
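
The interaction between canonicalization and the @cert-authority pattern described above, as an added example that is not part of the original page or C&CZ's own tooling. It decodes the published CA line and uses a simplified model of ssh's behaviour; the function names and the `resolvable` set standing in for DNS are assumptions made for illustration.

```python
import base64, fnmatch, hashlib, struct

# The CA line exactly as published on this page.
CA_LINE = ("@cert-authority *.science.ru.nl ecdsa-sha2-nistp521 "
           "AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAHpJvey"
           "OrLKFRDsbiW/29OadbCbkmUaIXnWbhVwtytbpftAc7Stj2RYa8yBmgfdm82T"
           "/UBVu1tLbeeCYQI8UlCvbAALMx+I60ux+iEGVdDBgIOjeu6LuY12pksVlXy/"
           "nKc59+m3AdMXfGHA8cI/O8eFosQLJ+dck7SBcvTT4lPhEcSQxg==")

def parse_ca_line(line):
    """Return (host patterns, key type, decoded key blob) of a @cert-authority line."""
    marker, patterns, keytype, b64 = line.split()[:4]
    if marker != "@cert-authority":
        raise ValueError("not a @cert-authority line")
    return patterns.split(","), keytype, base64.b64decode(b64, validate=True)

def read_strings(blob):
    """Decode SSH wire format: consecutive uint32-length-prefixed byte strings."""
    fields, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[pos:pos + length])
        pos += length
    return fields

def fingerprint(blob):
    """SHA256 fingerprint in the format printed by ssh-keygen -l."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def canonicalize(host, resolvable, domain="science.ru.nl", max_dots=1):
    """Model of CanonicalizeHostname yes with CanonicalizeFallbackLocal no.
    `resolvable` is constructed data standing in for DNS (no network access)."""
    if host.count(".") > max_dots:
        return host                      # qualified enough, left untouched
    candidate = f"{host}.{domain}"
    if candidate in resolvable:
        return candidate
    raise LookupError(f"could not resolve {host!r} in {domain}")

def ca_applies(host, patterns):
    """True if the CA line's host patterns cover this (already canonicalized) name."""
    return any(fnmatch.fnmatchcase(host.lower(), p.lower()) for p in patterns)

if __name__ == "__main__":
    patterns, keytype, blob = parse_ca_line(CA_LINE)
    print(keytype, [f.decode() for f in read_strings(blob)[:2]], fingerprint(blob))
    print("lilo5 ->", canonicalize("lilo5", {"lilo5.science.ru.nl"}))
```

The short name `lilo5` does not match `*.science.ru.nl` on its own; only the canonicalized name does, which is why the page requires either the config change or the fully qualified hostname.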

Ssh can be used for:

  • port forwarding on another host
  • proxying, for example of web traffic
  • almost complete VPN functionality

Please consult this article (http://blogs.perl.org/users/smylers/2011/08/ssh-productivity-tips.html) for some excellent tips on how to use and configure your ssh client.

Preventing disconnects

In case you experience connectivity issues using ssh, use the following settings for your ssh-client. This can be done by adding the following lines to the config file .ssh/config (or /etc/ssh/ssh_config):

  TCPKeepAlive no
  ServerAliveInterval 60
  ServerAliveCountMax 10