SSH
Latest revision as of 22:08, 1 December 2011
SSH (Secure SHell) is a network protocol that gives you a shell on a remote machine over an encrypted and authenticated connection. The following use-cases are common:
- Administering remote computers such as servers from the device over a secure connection instead of a plain-text one.
- When performing console operations on the device one may run into limits such as text input, battery life, raw horsepower or available software; doing the work on a remote machine sidesteps them.
- Some applications require a better network connection than the device provides. E.g. a colocated 100 Mbit server running 24/7 is usually both faster and more reliable than a device on WiFi or 3G.
- Combined with a terminal multiplexer that supports detaching, such as screen or dtach, an application on the server keeps running after the network connection is gone or the device is powered off.
- The SSH protocol can also be used for remote X11, port forwarding, tunneling, VPN and as an alternative to port knocking. These are intermediate to advanced topics requiring sufficient background knowledge.
Flavours to install on your device
OpenSSH
OpenSSH is the most common client and server package. It is available in Extras. You can install only the client, only the server, or both, depending on your particular use-case. Be aware that the installation may take a while and appear frozen, as the SSH host keys have to be generated during the install.
The server install also asks you to set a new root password. Pick a strong one: until you switch to key-based authentication (see below) it is all that stands between a root shell on the device and anyone who can reach it over the network.
Dropbear
Dropbear is an alternative ssh client/server package which uses less disk and memory.
If you need SFTP server functionality with Dropbear, a little manual work is needed: Dropbear does not ship an SFTP server, so the sftp-server binary from the OpenSSH package is used. The two packages conflict and cannot be installed side by side, which is why the binary is extracted by hand rather than through the package manager.
Find the latest openssh-server armel package (Fremantle for the N900) at http://maemo.org/packages/view/openssh-server, then fire up Terminal (the root command is provided by the rootsh package):
$ root
# wget http://repository.maemo.org/pool/maemo5.0/free/o/openssh/openssh-server_<latest-version-here>_armel.deb
# dpkg-deb --extract openssh-server_<latest-version-here>_armel.deb ./openssh-server
# cp -av ./openssh-server/usr/lib /usr
# rm -rf ./openssh-server
Two caveats: files copied this way are not tracked by dpkg, so they are not updated when openssh-server is, and you have to repeat the steps after a security update; and the path at which Dropbear looks for sftp-server is compiled in, so check that the copied binary ends up where your Dropbear build expects it.
On-device Usage
Client
This is the direction in which your tablet/phone connects to other machines. You can connect to a remote machine from the tablet by running
ssh user@server-ip
which gives you a remote shell on the server machine. On the first connection you are shown the server's host key fingerprint; accept it only if it matches what the server's administrator reports. It is then stored in ~/.ssh/known_hosts and checked on every later connection.
Server
This is the direction in which other machines connect to your tablet/phone. If you wish to access a shell on the tablet from a remote machine (to edit a local file with a real keyboard, perhaps), make sure the OpenSSH (or Dropbear) server is installed on the tablet and run, on the remote machine:
ssh root@tablet-ip
The first connection prints the tablet's host key fingerprint and asks you to confirm it. Before answering yes, compare it with the fingerprint the device itself reports: ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub for OpenSSH, or dropbearkey -y -f /etc/dropbear/dropbear_rsa_host_key (the usual key path) for Dropbear. An unverified first connection is the one point at which someone else on the same WiFi could impersonate the device.
Note that an N900 announces itself to the DHCP server as "Nokia-N900-41-10" (see this bug), so that is the name it appears under in a router's client list and, if the router serves DNS for its DHCP clients, the name you can connect to.
Wi-Fi power management causes annoying input lag in interactive sessions, and it can only be turned off from a rather long dialog in the Settings connection applet. There is a dirty workaround (forum thread).
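A matching client-side entry, as an added example that is not part of the original page: a stanza in ~/.ssh/config on the desktop or laptop that fixes the tablet's address, user and key so that the connection is just `ssh tablet` and a changed host key is refused rather than merely warned about. The alias "tablet", the address 192.168.1.50 and the key file name id_rsa_tablet are assumptions.

```sshconfig
# ~/.ssh/config on the machine that connects TO the tablet.
# Added example; "tablet", 192.168.1.50 and id_rsa_tablet are assumed names.
Host tablet
    HostName 192.168.1.50            # or the DHCP name, e.g. Nokia-N900-41-10, if your router resolves it
    User root
    IdentityFile ~/.ssh/id_rsa_tablet
    IdentitiesOnly yes               # offer this key only, not every key loaded in ssh-agent
    StrictHostKeyChecking yes        # refuse to connect if the host key is unknown or has changed
    ServerAliveInterval 30           # keepalive over a flaky WiFi link
```

With StrictHostKeyChecking set to yes the tablet's host key must already be in known_hosts before the first connection. Fetch it once with `ssh-keyscan -t rsa 192.168.1.50 > tablet_hostkey`, compare `ssh-keygen -lf tablet_hostkey` against the fingerprint printed on the device, and only then append the file to ~/.ssh/known_hosts.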
SCP
To copy a file from one host to another over an SSH connection, use scp. This fetches /home/user/file from the server into the device's home directory:
scp user@server-ip:/home/user/file /home/user/
To copy in the other direction, swap the two arguments (local path first, user@server-ip:remote-path second).
PuTTY
PuTTY is a client for the SSH and Telnet protocols. It is the most popular client on Microsoft Windows and also runs on Unix-like operating systems, with ports for Symbian phones, Windows Mobile and even the internet tablet itself. It can be used to connect to a tablet running OpenSSH or Dropbear to get a remote shell. (Use its Telnet mode only for legacy equipment: Telnet sends everything, password included, in plain text.)
Usage
- Load up PuTTY on the machine you want to connect to the tablet from. You should see the window titled "PuTTY Configuration" with the "Session" category selected.
- Ensure "SSH" is selected as the "Connection type:" and enter the tablet's IP address in the "Host Name (or IP address)" field.
- If you need to change any other settings, out of necessity or personal preference, change them as required.
- If you want to save these settings so you can connect to the tablet quickly in future, enter a name under "Saved Sessions" and press Save.
- Press Open and enter the name of the user you wish to connect as when prompted (root is commonly used). On the first connection PuTTY shows a "Security Alert" with the tablet's host key fingerprint; compare it with the fingerprint reported on the device before accepting. PuTTY then caches the key and warns if it ever changes.
PuTTY may be downloaded from http://www.chiark.greenend.org.uk/~sgtatham/putty/.
Extra security AND convenience
It is fairly easy to generate a key pair for key-based authentication to the device. Provided you keep the private key secure, this is more secure than using a UNIX password (PAM), and more convenient, since the device's password is no longer typed at all.
First, make sure you have a shell on the remote *NIX computer (the one that will connect to the device) and that a password login from it to the device already works.
On the device, create a .ssh directory in the home directory of the user you will log in as (/home/user for user; root's home is /root, not /home/user):
cd
mkdir .ssh
chmod 700 .ssh
Back on the remote *NIX computer run:
ssh-keygen -t rsa -b 4096
You'll then find two files in your home directory, .ssh/id_rsa.pub and .ssh/id_rsa. The .pub one is allowed out in public; you give it to other machines. The other one must be kept private.
If your private key is stolen (e.g. the machine it lives on is stolen), the perpetrator has access to the device without needing a password. It is therefore recommended to enter a passphrase when ssh-keygen asks for one. This passphrase should not be the same as your UNIX password. ssh-agent can hold the decrypted key so you type the passphrase once per login session rather than on every connection.
Then copy the public key to the device. With OpenSSH on the device:
scp .ssh/id_rsa.pub <user>@<hostname_or_ip_address>:/home/user/.ssh/authorized_keys
(OpenSSH also still reads the legacy file name authorized_keys2.) Note that scp overwrites the destination, so any keys already in the file are lost. ssh-copy-id appends instead and also makes sure all permissions are correct on the receiving end, so prefer it where available:
ssh-copy-id -i .ssh/id_rsa.pub <user>@<hostname_or_ip_address>
For Dropbear the same scp or ssh-copy-id command works, but the file must be named authorized_keys; Dropbear does not read authorized_keys2. Dropbear, like OpenSSH with StrictModes, also ignores the file if the home directory, .ssh or authorized_keys is writable by group or others, so keep the modes at 700 and 600.
Either way this will ask for your UNIX password to copy across the key.
Now try:
ssh <user>@<hostname_or_ip_address>
and you should get a shell login, asked at most for the key's passphrase rather than the device's password. If usernames on local and remote machine match you can omit the user@ part. Once key login is confirmed working, consider disabling password logins on the device's server altogether, so that a weak or leaked root password cannot be used from the WiFi.
A more detailed step-by-step howto is here: http://talk.maemo.org/showthread.php?t=41547
VPN, tunneling
Please see the howto Tunneling out of corporate networks (Part 1). Alternatively, reverse ssh may be useful when the device sits behind NAT or a firewall and cannot be reached directly: the device opens the connection outwards and the shell comes back through it.
WinSCP
WinSCP is an open source SCP, SFTP and FTP client for Windows. Its main function is secure file transfer between a local and a remote computer. It uses Secure Shell (SSH) and supports both SFTP and the legacy SCP protocol; its plain FTP mode is not protected by SSH.
WinSCP simplifies file transfer between your desktop and N900 by providing a graphical frontend similar to many FTP programs. Login via SSH, including the host key check, works exactly as in PuTTY. With Dropbear on the device, SFTP mode needs the sftp-server binary described above; SCP mode works without it.
WinSCP may be downloaded from http://sourceforge.net/projects/winscp/.