Shell / Set Up Secure Shell (OpenSSH)
Subtitles of the Movie
Exam objective 1.113.7 has a weight of 4, and verifies that candidates are able to obtain and configure OpenSSH. This includes OpenSSH installation and troubleshooting, and configuring the server to start at boot. OpenSSH encrypts all traffic, including passwords, to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.
OpenSSH consists of several programs. sshd is a program run as a server. It listens for connection requests coming in from clients and authenticates or denies them. ssh is a client program, which works like rlogin and telnet and is used to log in to a machine running sshd. This program is also called slogin. scp copies files from one computer to another. ssh-keygen is used to generate encryption keys. ssh-agent is an authentication agent. It holds the RSA keys. ssh-add puts the keys in the authentication agent. sftp-server is the server for secure handling of file transfer protocol. sftp is the file transfer protocol program for secure file transfers. ssh-keyscan and ssh-keysign are helper programs for gathering keys and authentication.
There are two distributions of OpenSSH. It originated with BSD, so there is one distribution named OpenBSD. But that's not the one you want. For Linux, you want to get the one named Portable, and at this Web site, you can get a list of download sites for both FTP and HTTP. You will also find installation instructions, an FAQ and some other information. If you have a problem, you can report that and maybe get some help at this Web site.
The default configuration should be instantly usable, but you will want to review the configuration to make sure it fits your needs. The configuration files will be stored in this directory unless you specified another location during installation. In this directory, you should create the RSA and DSA host keys. You can do that with commands like these using ssh-keygen.
There are some other configuration files you need to know about. ssh, the client program, obtains configuration information first from the config file in the .ssh subdirectory of the home directory, and then from the ssh_config file in the /etc/ssh directory, which contains defaults for values not defined in that user's file. The files contain lines which consist of keywords followed by values, and they have lots of possible entries. sshd, the daemon process, obtains its configuration at startup from the sshd_config file.
These two files can be used to deny or to grant access by remote hosts. If a host's name is in the allow file, it is granted access. Otherwise, if a host's name is in the deny file, it is denied access. Otherwise, access is granted. If the file nologin exists, only root can log in. This file contains a message that is displayed to the users attempting to log in. If the rc file in the .ssh directory of a user exists, it is executed when the user logs in. It can be used to specify machine-specific settings. This is the global rc file that works like a local rc file, and will be executed if the rc file in the home directory does not exist. Of course, this file may not exist either.
When you first make a connection to a secured host, you'll be asked to accept its key, and that key is stored in the known_hosts file. If it's already in the file, it's used for verification and no question will be asked. Also, it could be stored in the global known_hosts file, and if so, the one there will be used for verification, so no question will be asked. This is what the ssh-keyscan program is for: to gather keys and store them in this global file.
You will need some background before you can understand the workings of SSH. RSA and DSA are different encryption key algorithms and they can be used for different purposes. You need to have a general knowledge of what they are and how they work. The Internet has lots of information on both. Every program, and most of the files, have a man page that installs when you install OpenSSH. This is a large software system, but you need to understand how it works. You can get a good sense of how it all works by reading through these man pages.
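
Added example, not part of the video or its transcript: the allow/deny decision order described above, implemented over constructed file contents so the default-grant outcome can be compared with a deny-everything policy. It assumes the two files are the TCP Wrappers files hosts.allow and hosts.deny (the transcript does not name them) and handles only three client pattern forms: exact name or address, leading-dot domain suffix, and trailing-dot address prefix.

```python
import re

# Constructed sample contents (assumption: TCP Wrappers "daemon : clients" syntax).
HOSTS_ALLOW = "# constructed sample\nsshd : admin.example.org, 192.0.2.\n"
HOSTS_DENY = "sshd : .example.org\n"   # permissive: unknown hosts still get in
HOSTS_DENY_ALL = "ALL : ALL\n"         # hardened: anything not allowed is denied


def parse_rules(text):
    """Return a list of (daemons, clients) token lists, one per rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        fields = line.split(":")  # an optional third field (a command) is ignored
        daemons = re.split(r"[,\s]+", fields[0].strip())
        clients = re.split(r"[,\s]+", fields[1].strip())
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, name, addr):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):        # domain suffix, e.g. .example.org
        return name.lower().endswith(pattern.lower())
    if pattern.endswith("."):          # address prefix, e.g. 192.0.2.
        return addr.startswith(pattern)
    return pattern.lower() == name.lower() or pattern == addr


def any_rule_matches(rules, daemon, name, addr):
    return any(
        (daemon in daemons or "ALL" in daemons)
        and any(client_matches(p, name, addr) for p in clients)
        for daemons, clients in rules
    )


def access_granted(allow_text, deny_text, daemon, name, addr):
    """Allow file first, then deny file, otherwise access is granted."""
    if any_rule_matches(parse_rules(allow_text), daemon, name, addr):
        return True
    if any_rule_matches(parse_rules(deny_text), daemon, name, addr):
        return False
    return True  # listed in neither file: granted by default


if __name__ == "__main__":
    for deny in (HOSTS_DENY, HOSTS_DENY_ALL):
        for name, addr in [("admin.example.org", "198.51.100.7"),
                           ("web.example.org", "198.51.100.8"),
                           ("host.example.net", "203.0.113.9")]:
            print(deny.strip(), "|", name, access_granted(HOSTS_ALLOW, deny, "sshd", name, addr))
```

Upstream OpenSSH removed TCP Wrappers (libwrap) support in release 6.7, so an sshd built without it does not consult these two files.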
Tutorial Information
| Course: | Linux Professional Institute: Level 2 |
| Author: | Arthur Griffith |
| SKU: | 33894 |
| ISBN: | 1-934743-79-8 |
| Release Date: | 2008-07-21 |
| Duration: | 7.5 hrs / 113 lessons |
| Captions: | Available on CD and Online University |
| Compatibility: | Vista/XP/2000, OS X, Linux QuickTime 7, Flash 8 |