OpenSSH Is a Suite of Secure Network Tools

OpenSSH is a suite of secure network tools including scp, sftp, ssh, and sshd. scp copies files between systems, sftp provides secure file transfer like ftp, ssh runs commands on or logs in to remote systems, and sshd is the OpenSSH daemon that runs on servers. These tools use port 22 by default and require the remote system to be running sshd for secure connections and file transfers between systems.

Uploaded by

Colton Hutchins

OpenSSH is a suite of secure network tools:

scp         Copies files to and from a remote system
sftp        Copies files to and from a remote system (a secure replacement for ftp; secure file transfer protocol)
ssh         Runs a command on or logs in on a remote system (secure shell)
sshd        The OpenSSH daemon (runs on the server)
ssh-keygen  Creates, manages and converts RSA or DSA host/user authentication keys

ssh, scp, sftp: port 22
(Highlight, p. 676)

To securely copy a file to or from a remote system, the following criteria must be met: the remote system must be running the OpenSSH daemon (sshd), you must have an account on the remote system, and the server must positively identify itself to the client.

ssh
The following example shows Zach using ssh to log in on the remote host named plum, running who, and finally giving an exit command to return to the shell on the local system. The who utility displays the IP address of the system Zach logged in from.

$ ssh zach@plum
zach@plum's password:
[zach@plum ~]$ who am i
zach     pts/2        2010-12-03 11:43 (172.16.192.150)
[zach@plum ~]$ exit
logout
Connection to plum closed.

You can omit user@ (zach@ in the preceding example) from the command line if you want to log in as yourself and you have the same username on both systems. The first time you connect to a remote OpenSSH server, ssh or scp asks you to confirm that you are connected to the right system. Refer to First-time authentication on page 679.

scp
The following example uses scp to copy ty1 from the working directory on the local system to Zach's home directory on plum:

$ scp ty1 zach@plum:
zach@plum's password:
ty1                        100%  162     0.2KB/s   00:00

sshd_config declarations

AllowUsers userlist
The userlist is a SPACE-separated list of usernames that specifies which users are allowed to log in using sshd. This list can include * and ? wildcards. You can specify a user as user or user@host. If you use the second format, make sure you specify the host as returned by hostname. Without this declaration, any user who can log in locally can log in using an OpenSSH client. Does not work with numeric user IDs.

ClientAliveCountMax n
The n specifies the number of client-alive messages that can be sent without receiving a response before sshd disconnects from the client. See ClientAliveInterval. Default is 3.

ClientAliveInterval n
Sends a message through the encrypted channel after n seconds of not receiving a message from the client. See ClientAliveCountMax. The default is 0, meaning that no messages are sent. This declaration passes messages over the encrypted channel (application layer; page 371) and is not susceptible to IP spoofing (page 1171). It differs from TCPKeepAlive, which uses the TCP keepalive option (transport layer; page 371) and is susceptible to IP spoofing.

DenyUsers userlist
The userlist is a SPACE-separated list of usernames that specifies users who are not allowed to log in using sshd. This list can include * and ? wildcards. You can specify a user as user or user@host. If you use the second format, make sure you specify the host as returned by hostname. Does not work with numeric user IDs.

ForceCommand command
Executes command, ignoring commands specified by the client and commands in the optional ~/.ssh/rc file.

HostbasedAuthentication yes | no
Tries rhosts and /etc/hosts.equiv authentication when set to yes. For a more secure system, set this declaration to no. Default is no.

IgnoreRhosts yes | no
Ignores .rhosts and .shosts files for authentication. Does not affect the use of /etc/hosts.equiv and /etc/ssh/shosts.equiv files for authentication. For a more secure system, set this declaration to yes. Default is yes.

LoginGraceTime n
Waits n seconds for a user to log in on the server before disconnecting. A value of 0 means there is no time limit. Default is 120 seconds.

LogLevel val
Specifies how detailed the log messages are. Choose val from QUIET, FATAL, ERROR, INFO, and VERBOSE. Default is INFO.

PasswordAuthentication yes | no
Permits a user to use a password for authentication. For a more secure system, set up automatic login (page 689) and set this declaration to no. Default is yes.

PermitRootLogin yes | without-password | forced-commands-only | no
Permits root to log in using an OpenSSH client. Default is yes. Setting this declaration to yes allows a user to log in as a privileged user by supplying the root password. This setup allows the root password to be sent over the network, although it is encrypted, so it is not a big security risk. It also requires all users connecting as a privileged user to know the root password.
Setting this declaration to no does not allow root to authenticate directly; privilege must come from sudo or su after a user has logged in. Given the number of brute-force attacks on a typical system connected to the Internet, this is a good choice. Setting this declaration to without-password means the only way for a user to authenticate as root is by using an authorized key (page 689). This choice eliminates the need for a group of people to know the root password. However, one user must be able to run with root privileges so new keys can be added as needed. Setting this declaration to forced-commands-only works with an authorized key but forces a specific command after authentication instead of starting an interactive shell. The command is specified by ForceCommand (page 693).

PermitUserEnvironment yes | no
Permits a user to modify the environment he logs in to on the remote system. Default is no. See environment on page 676.

Port num
Specifies that the sshd server listen on port num. It might improve security to change num to a nonstandard port. Default is 22.

StrictModes yes | no
Checks modes and ownership of the user's home directory and files. Login fails for users other than the owner if the directories and/or files can be written to by anyone other than the owner. For a more secure system, set this declaration to yes. Default is yes.

SyslogFacility val
Specifies the facility name (page 624) sshd uses when logging messages. Set val to daemon, user, auth, authpriv, local0, local1, local2, local3, local4, local5, local6, or local7. Default is auth.

TCPKeepAlive yes | no
Periodically checks whether a connection is alive when set to yes. Checking causes the ssh or scp connection to be dropped when the client crashes or the connection dies for another reason, even if it is only temporary. Setting this parameter to no causes the server not to check whether the connection is alive. Default is yes.

X11Forwarding yes | no
Allows X11 forwarding when set to yes. For trusted X11 forwarding to work, the ForwardX11 or the ForwardX11Trusted declaration must also be set to yes in either the ~/.ssh/config or /etc/ssh/ssh_config client configuration file (page 686).
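An added example, not from the book or this page: a POSIX shell audit that reads an sshd_config and reports the weak settings the declarations above warn about, using the defaults the text gives for absent keywords. The two sample config files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the page): audit an sshd_config for the weak
# settings discussed above. sshd honours the first uncommented occurrence
# of a keyword; absent keywords fall back to the defaults the text gives.
ssh_opt() {  # $1 = config file, $2 = keyword, $3 = default when absent
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# Prints one finding per line and nothing for a hardened file.
# (Run "sshd -t -f FILE" first for a syntax check; omitted here.)
audit_sshd_config() {
    f=$1
    [ "$(ssh_opt "$f" PermitRootLogin yes)" != yes ] ||
        echo "PermitRootLogin yes: root can authenticate with a password"
    [ "$(ssh_opt "$f" PasswordAuthentication yes)" = no ] ||
        echo "PasswordAuthentication yes: prefer authorized keys"
    [ "$(ssh_opt "$f" HostbasedAuthentication no)" = no ] ||
        echo "HostbasedAuthentication yes: rhosts/hosts.equiv trust enabled"
    [ "$(ssh_opt "$f" IgnoreRhosts yes)" = yes ] ||
        echo "IgnoreRhosts no: ~/.rhosts and ~/.shosts are honoured"
    [ "$(ssh_opt "$f" StrictModes yes)" = yes ] ||
        echo "StrictModes no: writable home/.ssh files are not rejected"
    [ "$(ssh_opt "$f" ClientAliveInterval 0)" -gt 0 ] 2>/dev/null ||
        echo "ClientAliveInterval 0: idle/dead sessions are never reaped"
    [ -n "$(ssh_opt "$f" AllowUsers '')" ] ||
        echo "AllowUsers missing: every local account may log in via ssh"
}

# Constructed sample files: the first leaves the page's defaults in
# place (a commented AllowUsers line is ignored), the second applies
# the hardening advice from the declarations above.
WEAK=$(mktemp); cat > "$WEAK" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#AllowUsers zach sam
EOF
HARD=$(mktemp); cat > "$HARD" <<'EOF'
AllowUsers zach sam@plum
PermitRootLogin without-password
PasswordAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
StrictModes yes
ClientAliveInterval 300
EOF
echo "== weak ==";     audit_sshd_config "$WEAK"
echo "== hardened =="; audit_sshd_config "$HARD"
```

Point the function at /etc/ssh/sshd_config to audit a real server; only the first uncommented line for each keyword counts, exactly as sshd reads it.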

# grep sshd /var/log/secure | tail -6
guava sshd[10244]: Server listening on :: port 22.
guava sshd[10248]: User sam from 172.16.192.150 not allowed because not listed in AllowUsers
guava sshd[10249]: input_userauth_request: invalid user sam
guava sshd[10248]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.192.150 user=sam
guava sshd[10248]: Failed password for invalid user sam from 172.16.192.150 port 59088 ssh2
guava sshd[10249]: Connection closed by 172.16.192.150
Check the configuration file / Debug the client
You can use the sshd -t option to check the syntax of the server configuration file. If entries in these files do not help solve the problem, try connecting with the -v option (either ssh or scp; the results should be the same). OpenSSH displays a lot of debugging messages, one of which might help you figure out what the problem is. You can use a maximum of three -v options to increase the number of messages that OpenSSH displays.

$ ssh -v plum
OpenSSH_5.6p1, OpenSSL 1.0.0d-fips 8 Feb 2011
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to plum [172.16.192.151] port 22.
debug1: Connection established.
debug1: identity file /home/sam/.ssh/id_rsa type 1
debug1: identity file /home/sam/.ssh/id_rsa-cert type -1
...
debug1: Host plum is known and matches the RSA host key.
debug1: Found key in /home/sam/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
...
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
...
debug1: Next authentication method: publickey
debug1: Offering public key: /home/sam/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/sam/.ssh/id_dsa
debug1: Next authentication method: password
sam@plum's password:

Debug the server
You can debug from the server side by running sshd with the -de options. The server will run in the foreground, and its display might help you solve the problem.

IPP: Internet Printing Protocol
