SSH! 8/8/2014 Keep it secret. Keep it safe Why use SSH?

8/8/2014
SSH!
Keep it secret. Keep it safe
Using Secure Shell to Help Manage Multiple Servers
Don Prezioso
Ashland University
Why use SSH?
•
•
•
•
•
Proliferation of servers
Physical servers now Virtual / Hosted
System management without console
Inter-server processes and file transfers
Less worry about passwords
What is SSH?
•
•
•
•
•
Secure Shell (encrypted connections)
Replaces telnet (ssh)
Secure copy (scp)
Secure file transfers (sftp)
Public/Private key pairs for encryption
– No passwords needed!
1
8/8/2014
Server Software for Linux
OpenSSH
Free ssh for unix based systems
Red Hat Packages:
openssh-4.3p2-82.el5 - Core SSH components used by both client and server
openssh-askpass-4.3p2-82.el5 - Passphrase dialog for X11
openssh-clients-4.3p2-82.el5 - SSH Client components (ssh, scp, sftp, etc...)
openssh-server-4.3p2-82.el5 - SSH Server components (sshd)
/etc/ssh/sshd_config:
UsePAM yes
Subsystem
sftp
/usr/libexec/openssh/sftp-server
AllowGroups sys adm ftpusers staff
Server Software for Windows
freeSSHd
See www.freeSSHd.com to download installation package
Edit C:\Program Files\freeSSHd\FreeSSHDService.ini:
[SSH server]
SSHPublickeyPath=C:\Program Files\freeSSHd\Authorized_Keys
[Users]
UserCount=2
[User0]
Name=datatel
Auth=2
Password=000000000000000000000000000000000000000000
Domain=
Shell=1
SFTP=1
Tunnel=0
[User1]
Name=dprez
Auth=0
Password=000000000000000000000000000000000000000000
Domain=AD
Shell=0
SFTP=1
Tunnel=0
Clients for Linux
• Included in OpenSSH:
– ssh – Secure Shell client
• telnet replacement
• remote command execution
– scp – Secure Copy – Copy files between systems
– sftp – Secure FTP client
• /etc/ssh/ssh_config changes:
Host *
ConnectTimeout 120
StrictHostKeyChecking no
2
8/8/2014
rsync!
• Not part of OpenSSH
• Does not require ssh, but will use it
• Synchronize entire directory trees between
multiple servers
• Delta-transfer algorithm dramatically reduces
the data sent over the network
• Not just a client...
Clients for Windows
http://www.chiark.greenend.org.uk/~sgtatham/putty/
• PuTTY – Terminal emulation
– Saved profiles
– Command line options for shortcuts
• PuTTYgen – Utility to create key pairs
• Plink – Remote command execution (CGI)
• PSCP and PSFTP – Command mode file transfer
Clients for Windows
http://winscp.net
• WinSCP – Graphical file transfer utility
– ‘Live’ editing of remote files!
3
8/8/2014
Public / Private Key Pairs
• Generated automatically if needed
– Password needed for authentication
– Some clients will allow saving passwords (not secure!)
• May be created and exchanged ahead of time
– No password needed
• Public key
– Not secret (May be e-mailed or published)
• Private Key
– Keep it secret – Keep it safe!
Generating Keys on unix
• ssh-keygen (OpenSSH) command:
ssh-keygen -C datatel@datatel.ashland.edu
– Defaults:
• 2048 bit RSA type keys
• ~/.ssh/id_rsa (private key)
• ~/.ssh/id_rsa.pub (public key)
– I don’t use passphrase normally
– Comment – just for your identification
– .ssh directory is private – don’t change
Generating Keys on Windows
• PuTTYgen
– Click ‘Generate’
– Move mouse
– Save private key
– Copy public key and paste
in authorized_keys file
– Load private key file to
see public key
4
8/8/2014
Where to put Public Keys
• On the system you will connect to
– Unix:
~/.ssh/authorized_keys
– Windows:
C:\Program Files\freeSSHd\Authorized_Keys\username
– Each key is one (long) line of text:
ssh‐rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuMqLt5t+lF1W3oz7WtSBQX8zaBFHrD0vG
4B4yyHBC9gLid44Mr3CFwiDAK8YZTtLzqWHHZdjMv90kZ3AKC8O6m+VQbS42Q6jCPN18
kHPKPLt+cJ1rHWYY1IwbEnHTAnIxUW3AMw6FgpjYJgcipJjIBzauk1S5IHUl5agG+AJv
MHa6wsePKJn3jkl3py1kPLz67DitboXvErCVtxBEwFeGzYFTP23MXE6Uwj7I5m0OH5m9
o9TeTFuEF9OvwFMr/qsksaHoGQ3Gjo9mVUumpdTLZzKjVhTdsQ3XelWALj/onFlneHZP
ej0TK0JevJ3Ms3c2xl9BmluP5aS72sw7jk4Rw== datatel@datatel.ashland.edu
– Paste key using any text editor
Using the Private Key
• Unix – Automatic!
• PuTTY
– Command line (-i path)
– Saved Session
• Connection>SSH>Auth
Using the Private Key
• WinSCP
– Command Line (/privatekey path)
– Advanced Site Settings
• SSH>Authentication
5
8/8/2014
Logging in as root!
• No need to give out root password
• Each user generates their own key pair
• If they leave – just remove their public key
(don’t need to change the password!)
• Treat other servers as additional ‘users’
Importing Bookstore Charges (GLIM)
#
RemoteHost="TAO700673@taonlinesys.mbsbooks.com"
RemotePath="FromMBS"
#
ImportPath="/datatel/coll18/production/apphome/DATA/DATA_G/GL.INTERFACES"
DropPath="/home/mbsftp"
DropFile="bks*.TXT"
#
# Get files from the remote server
#
/usr/bin/scp $RemoteHost:$RemotePath/$DropFile "$DropPath/" >> $logfile 2>&1
#
# Now that we have them local, delete them from the remote server
#
for filepath in $DropPath/$DropFile ; do
filename=$(basename $filepath)
RemoteCommand="rm -f $RemotePath/$filename"
ssh $RemoteHost "$RemoteCommand" >> $logfile 2>&1
done
#
Restarting Tomcat (WebAdvisor)
#!/bin/bash
if [[ $( /bin/hostname ) = "datatel.ashland.edu" ]] ; then
/usr/bin/ssh root@webadvisor.ashland.edu service tomcat restart
fi
• Part of Colleague system boot process
• Run as ‘root’ so no need to default key pair is
used
• No password in script
6
8/8/2014
Locking UI
• Users start UI with:
https://ui.ashland.edu
– Normal web.config file redirects to:
https://ui.ashland.edu:8183/Colleague/launch.htm
– Script gets a copy of web.config file using sftp
– Script creates a new web.config that redirects to:
http://ui.ashland.edu/OOS.htm
– Script transfers new web.config to the web server using
sftp
• Users who know the real URL can still use UI
• Unlock just does the reverse
Locking WebAdvisor
• Similar to locking UI
– No files are transferred between systems
– Script uses ssh to copy files on the web server
• Users who know the whole URL can still run
• Doesn’t lock portal access to WebAdvisor • Works in combination with stopping listener
– Better message ☺
File Transfers in UniData
• X.SFTP.SEND
– UniBasic program any user can run
– Builds a temporary script for input to sftp
– Copies ‘datatel’ private key and sets permissions
– Runs sftp with –b option to process the temporary
script and use private key copy
– Deletes copy of private key
X.SFTP.SEND _HOLD_ XEI_Datatel_Membership_S.csv Ashland_XEI fts.angellearning.com
7
8/8/2014
File Transfers in Envision Basic (Studio)
• S.EXECUTE.SFTP (Ellucian provided)
SFTP.GET.FILE:
* Get path to _HOLD_
X.HOLD.PATH = "_HOLD_"
X.PATH.ERROR = ""
X.PATH.MSG = ""
CALL S.GET.ABS.PATH(X.HOLD.PATH, X.PATH.ERROR, X.PATH.MSG)
*
* Call SFTP to transfer the file
X.SCH.IMPORTS.FILE.NAME = "export.csv“
X.SFTP.ERROR = ""
XL.SFTP.RESULT = ""
X.SFTP.CONFIG = "SCHI"
X.SFTP.ACTION = "get"
CALL S.EXECUTE.SFTP(X.SFTP.ERROR, XL.SFTP.RESULT, X.SFTP.CONFIG,
X.SFTP.ACTION, X.SCH.IMPORTS.FILE.NAME, X.HOLD.PATH)
RETURN
Envision SFTP Configuration
• SFTP screen:
Conclusion
• Easy connection to multiple servers
• Automation of system management tasks
• Fewer passwords
• Questions?
Don Prezioso
dprez@ashland.edu
419-289-5077
8