Monday, July 26, 2004

SSH Compression

This next section covers when to use compression, and when not to, with SSH connections.

The two biggest reasons to use compression are when you are connecting over a slow link, such as dial-up, or when you have to move a large amount of data from one machine to another and the compression will make the transfer go faster.

There are also reasons not to use compression. Any time one of the systems has a slow processor you want to avoid compression, because of the time spent compressing and uncompressing the data. Also, if the data is already compressed, using compression will only add the time to compress and uncompress it to the process.

SSH uses GNU zlib (LZ77) for compression. By default compression is turned off in the /etc/ssh/ssh_config file, but it can be turned on at the command line with the command ssh -C username@hostname. Additionally the user can request a compression level anywhere from 1 to 9, with 1 being the fastest and 6 the default.

Two good sites for SSH compression are the ssh.com site and the University of Cambridge site.
I know this is a short piece this time, but this pretty much covers the compression discussion. Remember to look at your environment and what is actually happening before you enable compression, because it doesn't save time all the time.


SSH Configuration Files

Continuing on the SSH topics, the next topic is the configuration files for the SSH program. The global settings for the program can be found in the /etc/ssh directory. The two main files for global settings are /etc/ssh/ssh_config and /etc/ssh/sshd_config.

The ssh_config file allows you to set options that modify the client programs. Some of the more important settings are as follows:

  • ForwardAgent specifies whether the connection to the authentication agent, if any, should be forwarded. The default is no, though there are some instances where this should be yes.
  • ForwardX11 automatically redirects X11 sessions to the remote machine. Since this should be a server set-up, this should be left at the default of no.
  • PasswordAuthentication specifies whether to use password authentication. For strong security this should be set to yes.
  • BatchMode is used when scripts are involved and you don't want to be supplying a password through the script.
  • Compression controls whether compression is used or not. The default is NO.

The next file is the sshd_config file, which allows you to set options that modify the behaviour of the SSH daemon.

  • PermitRootLogin specifies whether root can log in through SSH. This option should always be set to NO.
  • StrictModes specifies whether SSH should check the user's permissions on their home directory and rhosts files before accepting logins. This option should always be set to YES.
  • X11Forwarding specifies whether X11 forwarding should be allowed on the remote machine. Since this is a server, this option should be set to NO.
  • PasswordAuthentication specifies whether password authentication should be used. This should be set to YES.
  • PermitEmptyPasswords specifies whether the server will allow logging in with null passwords. If you will be using the SCP utility this option must be set to YES.
  • AllowUsers specifies which users are allowed to use SSH services. Multiple users can be specified.

If you are interested in some of the other features that can be adjusted, you can check the man pages referenced earlier in this post.
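The three daemon settings above that should "always" have a fixed value (PermitRootLogin, StrictModes, X11Forwarding) are easy to audit from a script. The checker below is an added example, not part of the original post or of OpenSSH: it reads a sshd_config, uses the first uncommented occurrence of each directive (which is the one sshd honours), and counts mismatches. It ignores Match blocks, and the two sample configs are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the three daemon settings the
# tutorial says should never be left open. sshd uses the FIRST uncommented
# occurrence of a directive, so that is the value checked; a directive that
# is absent is reported as a mismatch because the compiled-in default then
# applies. Match blocks are ignored (an assumption to keep the parser short).
# Returns the number of mismatches, so 0 means the file passes.

check_sshd_config() {
    cfg=$1
    bad=0
    for pair in PermitRootLogin=no StrictModes=yes X11Forwarding=no; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(awk -v k="$key" '$1 !~ /^#/ && tolower($1) == tolower(k) { print tolower($2); exit }' "$cfg")
        if [ "$have" = "$want" ]; then
            echo "ok       $key $have"
        else
            echo "MISMATCH $key is '${have:-unset}', want '$want'"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample configs, not copied from any real host.
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# weak: root may log in directly, X11 is forwarded, StrictModes left to default
PermitRootLogin yes
X11Forwarding yes
PasswordAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
# hardened, as the tutorial recommends
PermitRootLogin no
StrictModes yes
X11Forwarding no
#X11Forwarding yes   <- commented out, so ignored
EOF

check_sshd_config "$WEAK_CFG"; echo "weak config: $? mismatch(es)"
check_sshd_config "$HARD_CFG"; echo "hardened config: $? mismatch(es)"
```

Point it at /etc/ssh/sshd_config on a server and the exit status doubles as a pass/fail for a cron job or a build check.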


Sunday, July 25, 2004

SSH Public Keys

Continuing on the SSH topics, the next topic is the use of public/private keys to enable passwordless logins.

One of the benefits of SSH is the ability to do passwordless logins. This is done through public key exchange. The ssh-keygen program can be used to generate either an RSA or a DSA key. The -t option selects the key type, RSA or DSA. The -b option selects the number of bits in the key to create; the default is 1024. The default location for the files created is the ~/.ssh directory. Stick with the default directory, because other SSH tools will look for keys in this same directory.

After typing in the command ssh-keygen -t rsa (or ssh-keygen -t dsa) you'll be given the option to set a password. The reason to use a password is to protect your key from theft by someone outside your network. If your system is in a protected environment, using a password can be tedious.

After the ssh-keygen program generates your key it will ask you where to store it; the default is the ~/.ssh/ directory. Then it will ask you for a passphrase; remember what kind of environment your system is in. Leaving the passphrase blank leaves the private key unencrypted, so you have to secure the file from unauthorized access: on your local machine its permissions should be 0600. SSH is very strict about the file permissions used on your system and on the remote system.

When the ssh-keygen program completes, two new files will have been created: ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub (or id_dsa and id_dsa.pub). The exact file names depend on whether you selected rsa or dsa.

The final step is to get the public key onto the remote system. First, log back into the remote system, create a .ssh directory in your home directory and verify that its permissions are set up properly; the command ssh user@hostname "mkdir .ssh; chmod 0700 .ssh" does this. Next, copy the file ~/.ssh/id_rsa.pub (or id_dsa.pub) to the remote system; the command scp .ssh/id_rsa.pub hostname:.ssh/authorized_keys2 does this.

The next time you want to log into the remote system, all that is needed is the command ssh hostname. This also works for the scp command.

If there are any problems, check the file permissions on both ~/.ssh/* locally and ~/.ssh/* on the remote host. The id_rsa (or id_dsa) file should be 0600 and exist only on your local machine, and everything else should be 0655 or better.
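The install-and-check steps above can be wrapped in a script so that the permissions are right the first time. The script below is an added example, not from the original post or from OpenSSH: it creates .ssh with mode 0700 and puts the public key into .ssh/authorized_keys2 as the tutorial does, but appends rather than overwrites (so an existing key on the remote account is kept), and then checks the modes that StrictModes cares about. It assumes GNU stat (Linux); the public and private key texts are constructed placeholders, not real keys, and the "remote" home is a temporary directory.

```shell
#!/bin/sh
# Added example: install a public key on the "remote" side the way the
# tutorial does (mkdir .ssh; chmod 0700; key goes in .ssh/authorized_keys2),
# but appending to the file instead of overwriting it, then check the
# permissions sshd's StrictModes insists on. Assumes GNU stat (Linux);
# the key text below is a constructed placeholder, not a real key.

install_pubkey() {
    pub=$1                    # local id_rsa.pub or id_dsa.pub
    home=$2                   # target account's home directory
    keyfile=$home/.ssh/authorized_keys2
    mkdir -p "$home/.ssh"
    chmod 0700 "$home/.ssh"
    touch "$keyfile"
    chmod 0600 "$keyfile"
    # append only when this exact key line is not already present
    grep -qxF -- "$(cat "$pub")" "$keyfile" || cat "$pub" >> "$keyfile"
}

# no_group_other_write PATH: true when neither the group nor the other
# digit of the octal mode has the write bit (2) set.
no_group_other_write() {
    mode=$(stat -c %a "$1")
    g=$(( (mode / 10) % 10 ))
    o=$(( mode % 10 ))
    [ $((g & 2)) -eq 0 ] && [ $((o & 2)) -eq 0 ]
}

# check_key_perms HOME: home, .ssh and authorized_keys2 must not be
# group/world writable; a private key must be readable by the owner only.
check_key_perms() {
    home=$1
    rc=0
    for d in "$home" "$home/.ssh" "$home/.ssh/authorized_keys2"; do
        [ -e "$d" ] || continue
        no_group_other_write "$d" || { echo "BAD: $d is group/world writable"; rc=1; }
    done
    for k in "$home/.ssh/id_rsa" "$home/.ssh/id_dsa"; do
        [ -e "$k" ] || continue
        mode=$(stat -c %a "$k")
        [ $((mode % 100)) -eq 0 ] || { echo "BAD: $k is mode $mode, private key must be 0600"; rc=1; }
    done
    return $rc
}

# Demo on a constructed "remote" home directory.
DEMO_HOME=$(mktemp -d)
DEMO_PUB=$DEMO_HOME/id_rsa.pub
printf 'ssh-rsa AAAACONSTRUCTEDPLACEHOLDERKEYNOTREAL user@example.test\n' > "$DEMO_PUB"
install_pubkey "$DEMO_PUB" "$DEMO_HOME"
install_pubkey "$DEMO_PUB" "$DEMO_HOME"      # second run must not duplicate the key
printf -- '-----CONSTRUCTED PLACEHOLDER, NOT A KEY-----\n' > "$DEMO_HOME/.ssh/id_rsa"
chmod 0644 "$DEMO_HOME/.ssh/id_rsa"          # deliberately wrong, as a sloppy copy leaves it
check_key_perms "$DEMO_HOME" || echo "fix with: chmod 0600 ~/.ssh/id_rsa"
chmod 0600 "$DEMO_HOME/.ssh/id_rsa"
check_key_perms "$DEMO_HOME" && echo "permissions ok"
```

Running check_key_perms on both the local and the remote home is the quickest way to find the permission problem that makes ssh silently fall back to asking for a password.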

Kimmo Suominen has a good overview of the SSH process. Also, Deadman.org has a decent overview of the SSH agent.
