Solaris Secure Shell enables a user to securely access a remote host over an unsecured network. The shell provides commands for remote login and remote file transfer. The following is a list of topics in this chapter.Solaris Secure Shell (Overview) Solaris Secure Shell Enhancements in the Solaris 10 Release Configuring Solaris Secure Shell (Task Map) Using Solaris Secure Shell (Task Map) For reference information, see Chapter 20, Solaris Secure Shell (Reference). encryptingnetwork traffic between hosts accesssecurityremote systemsSolaris Secure ShelldescriptionIn Solaris Secure Shell, authentication is provided by the use of passwords, public keys, or both. All network traffic is encrypted. Thus, Solaris Secure Shell prevents a would-be intruder from being able to read an intercepted communication. Solaris Secure Shell also prevents an adversary from spoofing the system.Solaris Secure Shell can also be used as an on-demand virtual private network (VPN). A VPN can forward X Window system traffic or can connect individual port numbers between the local machines and remote machines over an encrypted network link.With Solaris Secure Shell, you can perform these actions:Log in to another host securely over an unsecured network. Copy files securely between the two hosts. Run commands securely on the remote host. Solaris Secure Shellprotocol versionsv1 protocolSolaris Secure Shellv2 protocolSolaris Secure ShellSolaris Secure Shell supports two versions of the Secure Shell protocol. Version 1 is the original version of the protocol. Version 2 is more secure, and it amends some of the basic security design flaws of version 1. Version 1 is provided only to assist users who are migrating to version 2. Users are strongly discouraged from using version 1.Hereafter in this text, v1 is used to represent version 1, and v2 is used to represent version 2. Solaris Secure Shellauthenticationrequirements for authenticationSolaris Secure Shellmethods Solaris Secure Shellauthentication methods authentication methodsSolaris Secure Shell Solaris Secure Shell provides public key and password methods for authenticating the connection to the remote host. Public key authentication is a stronger authentication mechanism than password authentication, because the private key never travels over the network.The authentication methods are tried in the following order. When the configuration does not satisfy an authentication method, the next method is tried.public key authenticationSolaris Secure ShellGSS-APIauthentication in Solaris Secure ShellSolaris Secure Shellpublic key authenticationGSS-API – Uses credentials for GSS-API mechanisms such as mech_krb5 (Kerberos V) and mech_dh (AUTH_DH) to authenticate clients and servers. For more information on GSS-API, see Introduction to GSS-API in Solaris Security for Developers Guide. host-based authenticationdescriptionHost-based authentication – Uses host keys and rhosts files. Uses the client's RSA and DSA public/private host keys to authenticate the client. Uses the rhosts files to authorize clients to users. Public key authentication – Authenticates users with their RSA and DSA public/private keys. passwordsauthentication in Solaris Secure Shellpassword authenticationSolaris Secure ShellPassword authentication – Uses PAM to authenticate users. Keyboard authentication method in v2 allows for arbitrary prompting by PAM. For more information, see the SECURITY section in the sshd1M man page. hostsSolaris Secure Shell hostsThe following table shows the requirements for authenticating a user who is trying to log into a remote host. The user is on the local host, the client. The remote host, the server, is running the sshd daemon. The table shows the Solaris Secure Shell authentication methods, the compatible protocol versions, and the host requirements.Authentication Method (Protocol Version) Local Host (Client) Requirements Remote Host (Server) Requirements authentication methodsGSS-API credentials in Solaris Secure ShellGSS-API (v2) Initiator credentials for the GSS mechanism. Acceptor credentials for the GSS mechanism. For more information, see Acquiring GSS Credentials in Solaris Secure Shell. authentication methodshost-based in Solaris Secure ShellHost-based (v2) User accountLocal host private key in /etc/ssh/ssh_host_rsa_key or /etc/ssh/ssh_host_dsa_keyHostbasedAuthentication yes in /etc/ssh/ssh_config User accountLocal host public key in /etc/ssh/known_hosts or ~/.ssh/known_hostsHostbasedAuthentication yes in /etc/ssh/sshd_configIgnoreRhosts no in /etc/ssh/sshd_configLocal host entry in /etc/ssh/shosts.equiv, /etc/hosts.equiv, ~/.rhosts, or ~/.shosts authentication methodspublic keys in Solaris Secure ShellRSA or DSA public key (v2) User accountPrivate key in ~/.ssh/id_rsa or ~/.ssh/id_dsaUser's public key in ~/.ssh/id_rsa.pub or ~/.ssh/id_dsa.pub User accountUser's public key in ~/.ssh/authorized_keys RSA public key (v1) User accountPrivate key in ~/.ssh/identityUser's public key in ~/.ssh/identity.pub User accountUser's public key in ~/.ssh/authorized_keys authentication methodskeyboard-interactive in Solaris Secure ShellKeyboard-interactive (v2) User account User accountSupports PAM, including arbitrary prompting and password changing when password aging is triggered. authentication methodspassword in Solaris Secure ShellPassword-based (v1 or v2) User account User accountSupports PAM. .rhosts only (v1) User account User accountIgnoreRhosts no in /etc/ssh/sshd_configLocal host entry in /etc/ssh/shosts.equiv, /etc/hosts.equiv, ~/.shosts, or ~/.rhosts .rhosts with RSA (v1) on server only User accountLocal host public key in /etc/ssh/ssh_host_rsa1_key User accountLocal host public key in /etc/ssh/ssh_known_hosts or ~/.ssh/known_hostsIgnoreRhosts no in /etc/ssh/sshd_configLocal host entry in /etc/ssh/shosts.equiv, /etc/hosts.equiv, ~/.shosts, or ~/.rhosts For a comprehensive discussion of Secure Shell on a Solaris system, see Secure Shell in the Enterprise, by Jason Reid, ISBN 0-13-142900-0, June 2003. The book is part of the Sun BluePrints Series, which is published by Sun Microsystems Press.For online information, navigate to Sun's BigAdmin System Administration Portal web site, http://www.sun.com/bigadmin. Click Docs, then Sun BluePrints under Misc./Comprehensive. Click Sun BluePrints OnLine, then Archives by Subject, then Security. The archives include the following articles:Role Based Access Control and Secure Shell – A Closer Look At Two Solaris Operating Environment Security Features Integrating the Secure Shell Software Configuring the Secure Shell Software new featuresSolaris Secure Shell enhancements OpenSSHSolaris Secure Shell Solaris Secure Shellchanges in current release Solaris Secure Shellbasis from OpenSSH Since the Solaris 9 release, the following changes have been introduced to Solaris Secure Shell:Solaris Secure Shell is based on OpenSSH 3.5p1. The Solaris implementation also includes features and bug fixes from versions up to OpenSSH 3.8p1. The default value of X11Forwarding is yes in the /etc/ssh/sshd_config file. The following keywords have been introduced:GSSAPIAuthentication GSSAPIKeyExchange GSSAPIDelegateCredentials GSSAPIStoreDelegatedCredentials KbdInteractiveAuthentication The GSSAPI keywords enable Solaris Secure Shell to use GSS credentials for authentication. The KbdInteractiveAuthentication keyword supports arbitrary prompting and password changing in PAM. For a complete list of keywords and their default values, see Keywords in Solaris Secure Shell. The ARCFOUR and AES128-CTR ciphers are now available. ARCFOUR is also known as RC4. The AES cipher is AES in counter mode. The sshd daemon uses the variables in /etc/default/login and the login command. The /etc/default/login variables can be overridden by values in the sshd_config file. For more information, see Solaris Secure Shell and Login Environment Variables and the sshd_config4 man page. task mapsSolaris Secure Shell Solaris Secure Shelladministrator task map configuringSolaris Secure Shell The following task map points to task maps for configuring Solaris Secure Shell and for using Solaris Secure Shell.Task Description For Instructions Configure Solaris Secure Shell Guides administrators in configuring Solaris Secure Shell for users. Configuring Solaris Secure Shell (Task Map) Use Solaris Secure Shell Guides users in using Solaris Secure Shell. Using Solaris Secure Shell (Task Map) task mapsconfiguring Solaris Secure Shell Solaris Secure Shelladministrator task map administeringSolaris Secure Shelltask map configuringSolaris Secure Shell task map The following task map points to procedures for configuring Solaris Secure Shell.Task Description For Instructions Configure host-based authentication Configures host-based authentication on the client and server. How to Set Up Host-Based Authentication for Solaris Secure Shell Configure a host to use v1 and v2 Creates public key files for hosts that use v1 and v2 protocols. How to Enable Solaris Secure Shell v1 Configure port forwarding Enables users to use port forwarding. How to Configure Port Forwarding in Solaris Secure Shell By default, host-based authentication and the use of both protocols are not enabled in Solaris Secure Shell. Changing these defaults requires administrative intervention. Also, for port forwarding to work requires administrative intervention.configuringhost-based authentication for Solaris Secure Shell authentication methodshost-based in Solaris Secure Shell host-based authenticationconfiguring in Solaris Secure Shell The following procedure sets up a public key system where the client's public key is used for authentication on the server. The user must also create a public/private key pair.In the procedure, the terms client and local host refer to the machine where a user types the ssh command. The terms server and remote host refer to the machine that the client is trying to reach. &rolePAstep;On the client, enable host-based authentication.In the client configuration file, /etc/ssh/ssh_config, type the following entry:HostbasedAuthentication yes On the server, enable host-based authentication.In the server configuration file, /etc/ssh/sshd_config, type the same entry:HostbasedAuthentication yes On the server, configure a file that enables the client to be recognized as a trusted host.For more information, see the FILES section of the sshd1M man page.Add the client as an entry to the server's /etc/ssh/shosts.equiv file.client-host Or, you can instruct users to add an entry for the client to their ~/.shosts file on the server.client-host On the server, ensure that the sshd daemon can access the list of trusted hosts.Set IgnoreRhosts to no in the /etc/ssh/sshd_config file.# sshd_config IgnoreRhosts no Ensure that users of Solaris Secure Shell at your site have accounts on both hosts. Do one of the following to put the client's public key on the server.Modify the sshd_config file on the server, then instruct your users to add the client's public host keys to their ~/.ssh/known_hosts file.# sshd_config IgnoreUserKnownHosts noFor user instructions, see How to Generate a Public/Private Key Pair for Use With Solaris Secure Shell. Copy the client's public key to the server.The host keys are stored in the /etc/ssh directory. The keys are typically generated by the sshd daemon on first boot.Add the key to the /etc/ssh/ssh_known_hosts file on the server.On the client, type the command on one line with no backslash.# cat /etc/ssh/ssh_host_dsa_key.pub | ssh RemoteHost \ 'cat >> /etc/ssh/ssh_known_hosts && echo "Host key copied"' When you are prompted, supply your login password.When the file is copied, the message “Host key copied” is displayed.Each line in the /etc/ssh/ssh_known_hosts file consists of fields that are separated by spaces:hostnames algorithm-name publickey comment Edit the /etc/ssh/ssh_known_hosts file and add RemoteHost as the first field in the copied entry.## /etc/ssh/ssh_known_hosts File RemoteHost <copied entry> In the following example, each host is configured as a server and as a client. A user on either host can initiate an ssh connection to the other host. The following configuration makes each host a server and a client:On each host, the Solaris Secure Shell configuration files contain the following entries:# /etc/ssh/ssh_config HostBasedAuthentication yes # # /etc/ssh/sshd_config HostBasedAuthentication yes IgnoreRhosts no On each host, the shosts.equiv file contains an entry for the other host:# /etc/ssh/shosts.equiv on machine2 machine1# /etc/ssh/shosts.equiv on machine1 machine2 The public key for each host is in the /etc/ssh/ssh_known_hosts file on the other host:# /etc/ssh/ssh_known_hosts on machine2 … machine1# /etc/ssh/ssh_known_hosts on machine1 … machine2 Users have an account on both hosts:# /etc/passwd on machine1 jdoe:x:3111:10:J Doe:/home/jdoe:/bin/sh# /etc/passwd on machine2 jdoe:x:3111:10:J Doe:/home/jdoe:/bin/sh This procedure is useful when a host interoperates with hosts that run v1 and v2. &rolePAstep;Configure the host to use both Solaris Secure Shell protocols.Edit the /etc/ssh/sshd_config file.# Protocol 2 Protocol 2,1 Provide a separate file for the host key for v1.Add a HostKey entry to the /etc/ssh/sshd_config file.HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key HostKey /etc/ssh/ssh_host_rsa1_key Generate a host key for v1.# ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_rsa1_key -N ''t rsa1Indicates the RSA algorithm for v1. fIndicates the file that holds the host key. N ''Indicates that no passphrase is required. Restart the sshd daemon.# svcadm restart network/ssh:defaultYou can also reboot the system. configuringport forwarding in Solaris Secure Shell port forwardingconfiguring in Solaris Secure Shell Solaris Secure Shellconfiguring port forwarding Port forwarding enables a local port be forwarded to a remote host. Effectively, a socket is allocated to listen to the port on the local side. Similarly, a port can be specified on the remote side.Solaris Secure ShellTCP andUDPSolaris Secure Shell andUDPport forwarding andTCPSolaris Secure Shell andSolaris Secure Shell port forwarding must use TCP connections. Solaris Secure Shell does not support UDP connections for port forwarding. &rolePAstep;Configure a Solaris Secure Shell setting on the remote server to allow port forwarding.AllowTcpForwarding keywordchangingChange the value of AllowTcpForwarding to yes in the /etc/ssh/sshd_config file.# Port forwarding AllowTcpForwarding yes restartingssh servicerestartingsshd daemonsvcadm commandrestarting Solaris Secure Shellservice management facilityrestarting Solaris Secure ShellRestart the Solaris Secure Shell service.remoteHost# svcadm restart network/ssh:defaultFor information on managing persistent services, see Chapter 15, Managing Services (Overview), in System Administration Guide: Basic Administration and the svcadm1M man page. Verify that port forwarding can be used.remoteHost# /usr/bin/pgrep -lf sshd 1296 ssh -L 2001:remoteHost:23 remoteHost task mapsusing Solaris Secure Shell usingSolaris Secure Shell task map user proceduresusing Solaris Secure Shell Solaris Secure Shelluser procedures The following task map points to user procedures for using Solaris Secure Shell.Task Description For Instructions Create a public/private key pair Enables access to Solaris Secure Shell for sites that require public-key authentication. How to Generate a Public/Private Key Pair for Use With Solaris Secure Shell Change your passphrase Changes the phrase that authenticates your private key. How to Change the Passphrase for a Solaris Secure Shell Private Key Log in with Solaris Secure Shell Provides encrypted Solaris Secure Shell communication when logging in remotely. The process is similar to using the rsh command. How to Log In to a Remote Host With Solaris Secure Shell Log in to Solaris Secure Shell without being prompted for a password Enables login by using an agent which provides your password to Solaris Secure Shell. How to Reduce Password Prompts in Solaris Secure Shell How to Set Up the ssh-agent Command to Run Automatically in CDE Use port forwarding in Solaris Secure Shell Specifies a local port or a remote port to be used in a Solaris Secure Shell connection over TCP. How to Use Port Forwarding in Solaris Secure Shell Copy files with Solaris Secure Shell Securely copies files between hosts. How to Copy Files With Solaris Secure Shell Securely connect from a host inside a firewall to a host outside the firewall Uses Solaris Secure Shell commands that are compatible with HTTP or SOCKS5 to connect hosts that are separated by a firewall. How to Set Up Default Connections to Hosts Outside a Firewall Solaris Secure Shell provides secure access between a local shell and a remote shell. For more information, see the ssh_config4 and ssh1 man pages.generatingkeys for Solaris Secure Shell Solaris Secure Shellgenerating keys public keysgenerating public-private key pair keysgenerating for Solaris Secure Shell Solaris Secure Shellcreating keys creatingSolaris Secure Shell keys generatingSolaris Secure Shell keys keyscreating for Solaris Secure Shell ssh-keygen commandusing administeringremote logins with Solaris Secure Shell Users must generate a public/private key pair when their site implements host-based authentication or user public-key authentication. For additional options, see the ssh-keygen1 man page. Determine from your system administrator if host-based authentication is configured. Start the key generation program.myLocalHost% ssh-keygen -t rsa Generating public/private rsa key pair. …where t is the type of algorithm, one of rsa, dsa, or rsa1. Specify the path to the file that will hold the key.By default, the file name id_rsa, which represents an RSA v2 key, appears in parentheses. You can select this file by pressing the Return key. Or, you can type an alternative file name.Enter file in which to save the key (/home/jdoe/.ssh/id_rsa):<Press Return>The file name of the public key is created automatically by appending the string .pub to the name of the private key file. Type a passphrase for using your key.This passphrase is used for encrypting your private key. A null entry is strongly discouraged. Note that the passphrase is not displayed when you type it in.Enter passphrase (empty for no passphrase): <Type passphrase> Retype the passphrase to confirm it.Enter same passphrase again: <Type passphrase> Your identification has been saved in /home/jdoe/.ssh/id_rsa. Your public key has been saved in /home/jdoe/.ssh/id_rsa.pub. The key fingerprint is: 0e:fb:3d:57:71:73:bf:58:b8:eb:f3:a3:aa:df:e0:d1 jdoe@myLocalHost Check the results.Check that the path to the key file is correct.% ls ~/.ssh id_rsa id_rsa.pubAt this point, you have created a public/private key pair. Choose the appropriate option:If your administrator has configured host-based authentication, you might need to copy the local host's public key to the remote host.You can now log in to the remote host. For details, see How to Log In to a Remote Host With Solaris Secure Shell.Type the command on one line with no backslash.% cat /etc/ssh/ssh_host_dsa_key.pub | ssh RemoteHost \ 'cat >> ~./ssh/known_hosts && echo "Host key copied"' When you are prompted, supply your login password.Enter password: <Type password> Host key copied % If your site uses user authentication with public keys, populate your authorized_keys file on the remote host.Copy your public key to the remote host.Type the command on one line with no backslash.myLocalHost% cat $HOME/.ssh/id_rsa.pub | ssh myRemoteHost \ 'cat >> .ssh/authorized_keys && echo "Key copied"' When you are prompted, supply your login password.When the file is copied, the message “Key copied” is displayed.Enter password: Type login password Key copied myLocalHost% Reduce the prompting for passphrases.For a procedure, see How to Reduce Password Prompts in Solaris Secure Shell. For more information, see the ssh-agent1 and ssh-add1 man pages. passphrasesusing in Solaris Secure ShellIn the following example, the user can contact hosts that run v1 of the Solaris Secure Shell protocol. To be authenticated by v1 hosts, the user creates a v1 key, then copies the public key portion to the remote host.myLocalHost% ssh-keygen -t rsa1 -f /home/jdoe/.ssh/identity Generating public/private rsa key pair. … Enter passphrase (empty for no passphrase): <Type passphrase> Enter same passphrase again: <Type passphrase> Your identification has been saved in /home/jdoe/.ssh/identity. Your public key has been saved in /home/jdoe/.ssh/identity.pub. The key fingerprint is: … myLocalHost% ls ~/.ssh id_rsa id_rsa.pub identity identity.pub myLocalHost% cat $HOME/.ssh/identity.pub | ssh myRemoteHost \ 'cat >> .ssh/authorized_keys && echo "Key copied"' changingpassphrase for Solaris Secure Shell Solaris Secure Shellchanging passphrase public keyschanging passphrase passphraseschanging for Solaris Secure Shell The following procedure does not change the private key. The procedure changes the authentication mechanism for the private key, the passphrase. For more information, see the ssh-keygen1 man page. Change your passphrase.Type the ssh-keygen command with the p option, and answer the prompts.myLocalHost% ssh-keygen -p Enter file which contains the private key (/home/jdoe/.ssh/id_rsa):<Press Return> Enter passphrase (empty for no passphrase): <Type passphrase> Enter same passphrase again: <Type passphrase>where p requests changing the passphrase of a private key file. logging inwith Solaris Secure Shell Solaris Secure Shelllogging in to remote host secure connectionlogging in ssh commandusing Start a Solaris Secure Shell session.Type the ssh command, and specify the name of the remote host.myLocalHost% ssh myRemoteHostA prompt questions the authenticity of the remote host:The authenticity of host 'myRemoteHost' can't be established. RSA key fingerprint in md5 is: 04:9f:bd:fc:3d:3e:d2:e7:49:fd:6e:18:4f:9c:26 Are you sure you want to continue connecting(yes/no)? This prompt is normal for initial connections to remote hosts. If prompted, verify the authenticity of the remote host key.If you cannot confirm the authenticity of the remote host, type no and contact your system administrator.Are you sure you want to continue connecting(yes/no)? noThe administrator is responsible for updating the global /etc/ssh/ssh_known_hosts file. An updated ssh_known_hosts file prevents this prompt from appearing. If you confirm the authenticity of the remote host, answer the prompt and continue to the next step.Are you sure you want to continue connecting(yes/no)? yes passphrasesexampleAuthenticate yourself to Solaris Secure Shell.When prompted, type your passphrase.Enter passphrase for key '/home/jdoe/.ssh/id_rsa': <Type passphrase> When prompted, type your account password.jdoe@myRemoteHost's password: <Type password> Last login: Fri Jul 20 14:24:10 2001 from myLocalHost myRemoteHost% encryptingcommunications between hostsConduct transactions on the remote host.The commands that you send are encrypted. Any responses that you receive are encrypted. Close the Solaris Secure Shell connection.When you are finished, type exit or use your usual method for exiting your shell.myRemoteHost% exit myRemoteHost% logout Connection to myRemoteHost closed myLocalHost% usingssh-agent daemon daemonsssh-agent Solaris Secure Shelllogging in fewer prompts ssh-add commandstoring private keys passphrasesusing in Solaris Secure Shell usingssh-add command Solaris Secure Shellusing without password ssh-agent commandfrom command line passwordseliminating in Solaris Secure Shell ssh-add commandexample agent daemonSolaris Secure Shell accesslogin authentication with Solaris Secure Shell accesssecuritylogin authentication If you do not want to type your passphrase and your password to use Solaris Secure Shell, you can use the agent daemon. Start the daemon at the beginning of the session. Then, store your private keys with the agent daemon by using the ssh-add command. If you have different accounts on different hosts, add the keys that you need for the session.You can start the agent daemon manually when needed, as described in the following procedure. Or, you can set the agent daemon to run automatically at the start of every session as described in How to Set Up the ssh-agent Command to Run Automatically in CDE. Start the agent daemon.myLocalHost% ssh-agent Verify that the agent daemon has been started.myLocalHost% eval `ssh-agent` Agent pid 9892 Add your private key to the agent daemon.Type the ssh-add command.myLocalHost% ssh-add Enter passphrase for /home/jdoe/.ssh/id_rsa: <Type passphrase> Identity added: /home/jdoe/.ssh/id_rsa(/home/jdoe/.ssh/id_rsa) myLocalHost% Start a Solaris Secure Shell session.myLocalHost% ssh myRemoteHostYou are not prompted for a passphrase. ssh-add commandexample In this example, jdoe adds two keys to the agent daemon. The l option is used to list all keys that are stored in the daemon. At the end of the session, the D option is used to remove all the keys from the agent daemon.myLocalHost% ssh-agent myLocalHost% ssh-add Enter passphrase for /home/jdoe/.ssh/id_rsa: <Type passphrase> Identity added: /home/jdoe/.ssh/id_rsa(/home/jdoe/.ssh/id_rsa) myLocalHost% ssh-add /home/jdoe/.ssh/id_dsa Enter passphrase for /home/jdoe/.ssh/id_dsa: <Type passphrase> Identity added: /home/jdoe/.ssh/id_dsa(/home/jdoe/.ssh/id_dsa) myLocalHost% ssh-add -l md5 1024 0e:fb:3d:53:71:77:bf:57:b8:eb:f7:a7:aa:df:e0:d1 /home/jdoe/.ssh/id_rsa(RSA) md5 1024 c1:d3:21:5e:40:60:c5:73:d8:87:09:3a:fa:5f:32:53 /home/jdoe/.ssh/id_dsa(DSA) User conducts Solaris Secure Shell transactionsmyLocalHost% ssh-add -D Identity removed: /home/jdoe/.ssh/id_rsa(/home/jdoe/.ssh/id_rsa.pub) /home/jdoe/.ssh/id_dsa(DSA) configuringssh-agent daemon ssh-agent commandconfiguring for CDE user scriptsconfiguring for ssh-agent daemon in CDE ssh-agent commandin scripts passwordseliminating in Solaris Secure Shell in CDE .dtprofile scriptuse in Solaris Secure Shell If you use CDE, you can avoid providing your passphrase and password whenever you use Solaris Secure Shell by automatically starting an agent daemon, ssh-agent. You can start the agent daemon from the .dtprofile script. To add your passphrase and password to the agent daemon, see Example 19–3.If you use the Sun Java Desktop System (Java DS), do not set up the ssh-agent command to run automatically. Because the killing of the ssh-agent process is controlled by a CDE interface, when you exit the Java DS, the daemon continues to run. For example, if you start the daemon in a CDE session, move to a Java DS session, and then log out, the daemon continues to run.A running daemon uses system resources. Although no known issues are associated with leaving the ssh-agent daemon running, the daemon contains a password, which could create a security risk. Start the agent daemon automatically in a user startup script.Add the following lines to the end of the $HOME/.dtprofile script:if [ "$SSH_AUTH_SOCK" = "" -a -x /usr/bin/ssh-agent ]; then eval `/usr/bin/ssh-agent` fi Terminate the agent daemon when you exit the CDE session.Add the following lines to the $HOME/.dt/sessions/sessionexit script:if [ "$SSH_AGENT_PID" != "" -a -x /usr/bin/ssh-agent ]; then /usr/bin/ssh-agent -k fiThis entry ensures that no one can use the Solaris Secure Shell agent after a CDE session is terminated. Because the script uses a CDE-specific interface, sessionexit, this procedure does not terminate the agent daemon in a Sun Java Desktop System session. Solaris Secure Shellusing port forwarding L optionssh command R optionssh command ssh commandport forwarding options You can specify that a local port be forwarded to a remote host. Effectively, a socket is allocated to listen to the port on the local side. The connection from this port is made over a secure channel to the remote host. For example, you might specify port 143 to obtain email remotely with IMAP4. Similarly, a port can be specified on the remote side. To use port forwarding, the administrator must have enabled port forwarding on the remote Solaris Secure Shell server. For details, see How to Configure Port Forwarding in Solaris Secure Shell. To use secure port forwarding, choose one of the following options:To set a local port to receive secure communication from a remote port, specify both ports.Specify the local port that listens for remote communication. Also, specify the remote host and the remote port that forward the communication.myLocalHost% ssh -L localPort:remoteHost:remotePort To set a remote port to receive a secure connection from a local port, specify both ports.Specify the remote port that listens for remote communication. Also, specify the local host and the local port that forward the communication.myLocalHost% ssh -R remotePort:localhost:localPort mailusing with Solaris Secure Shell Solaris Secure Shelllocal port forwarding Solaris Secure Shellforwarding mail port forwardingSolaris Secure Shell The following example demonstrates how you can use local port forwarding to receive mail securely from a remote server.myLocalHost% ssh -L 9143:myRemoteHost:143 myRemoteHost This command forwards connections from port 9143 on myLocalHost to port 143. Port 143 is the IMAP v2 server port on myRemoteHost. When the user launches a mail application, the user needs to specify the local port number, as shown in the following dialog box. Dialog box titled Mailer - Login. The IMAP Server field shows the server name followed by a colon and the port number. Do not confuse localhost in the dialog box with myLocalHost. myLocalHost is a hypothetical host name. localhost is a keyword that identifies your local system. Solaris Secure Shellremote port forwarding port forwardingSolaris Secure Shell Solaris Secure Shelllocal port forwarding This example demonstrates how a user in an enterprise environment can forward connections from a host on an external network to a host inside a corporate firewall.myLocalHost% ssh -R 9022:myLocalHost:22 myOutsideHostThis command forwards connections from port 9022 on myOutsideHost to port 22, the sshd server, on the local host.myOutsideHost% ssh -p 9022 localhost myLocalHost% copyingfiles using Solaris Secure Shell filescopying with Solaris Secure Shell scp commandcopying files with Solaris Secure Shellscp command Solaris Secure Shellcopying files The following procedure shows how to use the scp command to copy encrypted files between hosts. You can copy encrypted files either between a local host and a remote host, or between two remote hosts. The command operates similarly to the rcp command, except that the scp command prompts for authentication. For more information, see the scp1 man page.You can also use the sftp, a more secure form of the ftp command. For more information, see the sftp1 man page. For an example, see Example 19–6. Start the secure copy program.Specify the source file, the user name at the remote destination, and the destination directory.myLocalHost% scp myfile.1 jdoe@myRemoteHost:~ Supply your passphrase when prompted.Enter passphrase for key '/home/jdoe/.ssh/id_rsa': <Type passphrase> myfile.1 25% |******* | 640 KB 0:20 ETA myfile.1 After you type the passphrase, a progress meter is displayed. See the second line in the preceding output. The progress meter displays:The file name The percentage of the file that has been transferred A series of asterisks that indicate the percentage of the file that has been transferred The quantity of data transferred The estimated time of arrival, or ETA, of the complete file (that is, the remaining amount of time) sftp commandcopying files with In this example, the user wants the sftp command to use a specific port. The user uses the o option to specify the port.% sftp -o port=2222 guest@RemoteFileServer Solaris Secure Shellconnecting outside firewallfrom configuration file firewall systemsoutside connections with Solaris Secure Shellfrom configuration file firewall systemssecure host connectionssecure connectionacross a firewallsecurityacross insecure networkSolaris Secure Shellconnecting across a firewallYou can use Solaris Secure Shell to make a connection from a host inside a firewall to a host outside the firewall. This task is done by specifying a proxy command for ssh either in a configuration file or as an option on the command line. For the command-line option, see Example 19–7.In general, you can customize your ssh interactions through a configuration file.You can customize either your own personal file in ~/.ssh/config. Or, you can use the settings in the administrative configuration file, /etc/ssh/ssh_config. The files can be customized with two types of proxy commands. One proxy command is for HTTP connections. The other proxy command is for SOCKS5 connections. For more information, see the ssh_config4 man page. Specify the proxy commands and hosts in a configuration file.Use the following syntax to add as many lines as you need:[Host outside-host] ProxyCommand proxy-command [h proxy-server] \ [p proxy-port] outside-host|%h outside-port|%pHost outside-hostwildcard charactersfor hosts in Solaris Secure ShellLimits the proxy command specification to instances when a remote host name is specified on the command line. If you use a wildcard for outside-host, you apply the proxy command specification to a set of hosts. proxy-commandSpecifies the proxy command.The command can be either of the following:/usr/lib/ssh/ssh-http-proxy-connect for HTTP connections /usr/lib/ssh/ssh-socks5-proxy-connect for SOCKS5 connections h proxy-server and p proxy-portenvironment variablesoverriding proxy servers and portsvariablesfor proxy servers and portsThese options specify a proxy server and a proxy port, respectively. If present, the proxies override any environment variables that specify proxy servers and proxy ports, such as HTTPPROXY, HTTPPROXYPORT, SOCKS5_PORT, SOCKS5_SERVER, and http_proxy. The http_proxy variable specifies a URL. If the options are not used, then the relevant environment variables must be set. For more information, see the ssh-socks5-proxy-connect1 and ssh-http-proxy-connect1 man pages. outside-hostDesignates a specific host to connect to. Use the %h substitution argument to specify the host on the command line. outside-portDesignates a specific port to connect to. Use the %p substitution argument to specify the port on the command line. By specifying %h and %p without using the Host outside-host option, the proxy command is applied to the host argument whenever the ssh command is invoked. Run Solaris Secure Shell, specifying the outside host.For example, type the following:myLocalHost% ssh myOutsideHostThis command looks for a proxy command specification for myOutsideHost in your personal configuration file. If the specification is not found, then the command looks in the system-wide configuration file, /etc/ssh/ssh_config. The proxy command is substituted for the ssh command. Solaris Secure Shellconnecting outside firewallfrom command line ssh commandusing a proxy command firewall systemsoutside connections with Solaris Secure Shellfrom command line firewall systemsconnecting from outside How to Set Up Default Connections to Hosts Outside a Firewall explains how to specify a proxy command in a configuration file. In this example, a proxy command is specified on the ssh command line.% ssh -o'Proxycommand=/usr/lib/ssh/ssh-http-proxy-connect \ -h myProxyServer -p 8080 myOutsideHost 22' myOutsideHostThe o option to the ssh command provides a command-line method of specifying a proxy command. This example command does the following:Substitutes the HTTP proxy command for ssh Uses port 8080 and myProxyServer as the proxy server Connects to port 22 on myOutsideHost