Security

Using SSH to connect to another lan computer 🔼

workflow description/semantics 🔼

We want to connect to another computer in our lan (local area network).

history 🔼

ssh is a most secured version or oldest rlogin. Both allow a user to log in on a remote computer but ssh does it more securely (among other ways by encrypting tha data transfered).

history / rlogin (1982) 🔼

rlogin (remote-login) is part of the so called Berkeley r-commands (@w) and according to wikipedia they were first released in 1982 along the BSD v4.1a @ which was a beta edition incorporating among other facilities an implementation of TCP/IP by Bill Joy which was an optimized version (a rewrite ?) of a BBN preliminary TCPIP implementation created by Rob Gurwitz and Jack Haverty . The latest had created more older TCP/IP implementations for Unix version 6 ( @) . ( @),( @) ( @). BBN was from the initial small group of companies that were contracted by ARPA to develop TCP/IP implementations on TENEX/PDP-10 and also a company that first implementanted ARPANET's packet switching routers (IMP).

history / telnet (1969) 🔼

deb package name: inetutils-telnet
devuan package (binary) : @
debian tracker @ (source package)

telnet( w)(rfc15) is even older than rlogin' and also offered similar funtionality or remote login.

Telnet is one of the oldest internet application (1969) and can still be used for some very interesting workflows like accessing still existing BBSs or accessing NASA's JPL on-line ephemeris Horizon for finding data on devuan release names used like Daedalus,Excalibur and other:

$ telnet horizons.jpl.nasa.gov 6775
Horizons> NAME= Daedalus
JPL/HORIZONS               1864 Daedalus (1971 FA)         2024-Dec-24 07:35:17
Horizons> name=excalibur
*******************************************************************************
JPL/HORIZONS              9499 Excalibur (1269 T-2)        2024-Dec-24 07:41:27

devuan packages 🔼

  • package name : ssh
  • pkginfo.devuan ( @ )
$ apt-cache show  ssh
Package: ssh
...
Depends: openssh-client , openssh-server 
Description-en: secure shell client and server (metapackage)
 This metapackage is a convenient way to install both the OpenSSH client
 and the OpenSSH server. It provides nothing in and of itself, so you
 may remove it if nothing depends on it.

install ssh (clien and server) 🔼

Deadalus 🔼

Before installing we can query the Devun repo (which repo? the one that is set by default or the admin has setup and it in /etc/apt/sources.list) with :

$ sudo apt-cache show ssh

$ sudo apt-get install ssh
   ...openssh-client openssh-server openssh-sftp-server...

configure sshd (ssh server) 🔼

# cd /etc/ssh
# cp sshd_config sshd_config_initial
# nano sshd_config

checking and validate sshd's configuration 🔼

WARNING! If you changed the sshd server config file, test the OpenSSH server for errors. Otherwise you may be locked out of the system by tying the following command:

   $ sudo sshd -T   / Extended test mode.   Check the validity of the
                    / configuration file, output the effective configuration to
                    / stdout and then exit

   $ sudo sshd -t   / Test mode.   Only check the validity of the
                    / configuration file and sanity of the keys.   / This
                    / is useful for updating sshd reliably as
                    / configuration options may change.

configuration options to check first 🔼

PermitRootLogin

Specifies whether root can log in using ssh(1). The argument must be yes, prohibit-password,

             forced-commands-only, or no.   The default is prohibit-password.

control sshd service 🔼

with runit control interface 🔼

$ sudo sv status ssh
$ sudo sv restart ssh
ok: run: ssh: (pid 10426) 0s

example of changing sshd configuration. 🔼

WARNING: This examples are meant for learning purposes and by no mean recommendationsfor work enviroments.

$ sudo sshd -T | grep root
permitrootlogin yes

connect to a sshd server 🔼

pre:

  • home lan
  • known static ip of the 'server'
  • sshd installed in the server (deb package ssh)

with password 🔼

pre:

  • sshd configured to accept password login
$ ssh root@<SERVER IP>
The authenticity of host '192.168.1.76 (192.168.1.76)' can't be established.
ED25519 key fingerprint is SHA256:GfclluVRVjhpu75N6v24IVkbyjIsQS141cqH9mtjROw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?  &nbsp;yes
Warning: Permanently added '192.168.1.76' (ED25519) to the list of known hosts.

After accepting the remote host as trustworthy we see that locally ~/.ssh is created

:~/.ssh$ ls
known_hosts  known_hosts.old