ssh and scp

From: Garrett Gaston 
------------------------------------------------------

I'm trying to move files from my Ubuntu laptop to my Fedora desktop and this is the first time I have ever tried to use ssh. When I try to use ssh garrett@FedoraDesktop I get "name or service unknown". I finally got in with just ssh ipaddress. But why did I get this strange message?

developer@garrett-laptop:~$ ssh 192.168.1.5
The authenticity of host '192.168.1.5 (192.168.1.5)' can't be established.
RSA key fingerprint is e7:b2:05:39:9d:e5:84:14:d0:99:ee:8d:55:85:73:d6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.5' (RSA) to the list of known hosts.

What's all that about?
I was unable to log in because I kept getting the password wrong, I finally got in with "garrett@192.168.1.5" and was logged in successfully.

Now that I'm connected I don't really know what to do. I know the command I need is scp but that's about it. If I'm on one computer but logged onto another, how do I point the file to the right location since, according to the prompt, everything I'm actually doing is on another computer? Does anyone know a good website that will educate me on how to use ssh? The few I found did a pretty lousy job. Thanks.

===============================================================
From: wes
------------------------------------------------------

"man scp" will get you a heck of a long way in the right direction. even just putting scp into google will get you started.

you should read these and then come back to us if you have any more specific questions.

-wes

===============================================================
From: Ralph Edge
------------------------------------------------------

"name or service unknown"

Your Ubuntu laptop doesn't know what computer 'FedoraDesktop' is.

Create a file ~/.ssh/config and put this in it:

Host FedoraDesktop
    User garrett
    Hostname 192.168.1.5
    ServerAliveInterval 60

and you should be able to use 'ssh FedoraDesktop' to get in.

The authenticity/RSA key fingerprint stuff will always show up the first time you ssh to a new machine. It will also show up if the key on the machine is changed, or if another machine is trying to impersonate that machine.

As far as scp goes... once you have the ssh config set up, you should be able to do this from the Ubuntu laptop:

scp /path/to/file FedoraDesktop:/path/to/destination

-Ralph

===============================================================
From: Dan Lyke
------------------------------------------------------

On Tue, 5 Jun 2012 17:40:03 -0500 Garrett Gaston wrote:

In order to protect against Man-In-The-Middle attacks, you have to have some assurance that the server you're connecting to is the server you *think* you're connecting to. Otherwise someone could spoof 192.168.1.5, pass traffic through to the real FedoraDesktop machine, and log all the keystrokes in the middle.

So SSH keeps around a list of servers it's connected to previously, and their server IDs. If one of those IDs ever changes, you'll get a message that, among other things, warns you that someone is doing something nasty (you can see this message by re-using an IP address, you might run into this if someone is re-using DHCP addresses on an intranet).

However, the first time SSH connects to a server, all it knows is that you're connecting to the server at 192.168.1.5, and so it says "I've exchanged keys with the remote server, and it has told me that the fingerprint of its key (which can be verified by asking it to do some funky math questions) is e7:b2:..., does this match what you think it should be?"

If you were really security conscious, you'd go check that machine through a secure connection (which could be walking over to the other machine and typing "ssh-keygen -l -f /etc/ssh/ssh
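Added example, not part of any post in this thread: the lookup ssh does against its list of known hosts, and how the colon-separated fingerprint shown in the prompt is derived from the server's public key, sketched in Python. The key material and the known_hosts entry are constructed sample data, the function names are this example's own, and only plain (unhashed) host entries are handled.

```python
import base64
import hashlib
import struct


def md5_fingerprint(key_b64: str) -> str:
    """Colon-separated MD5 of the raw key blob (the e7:b2:... style in the prompt)."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(key_b64: str) -> str:
    """SHA256 form printed by current OpenSSH releases (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host(known_hosts_text: str, host: str, key_type: str, key_b64: str) -> str:
    """Return 'match', 'changed' or 'unknown' for the key a server offers."""
    seen = False
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|")):
            continue  # comments, marker lines and hashed names are skipped
        names, ktype, blob = fields[0].split(","), fields[1], fields[2]
        if host in names and ktype == key_type:
            if blob == key_b64:
                return "match"
            seen = True  # same host and key type, different key
    return "changed" if seen else "unknown"


def constructed_key(fill: int) -> str:
    """Build a well-formed ssh-ed25519 public key blob from filler bytes."""
    name, raw = b"ssh-ed25519", bytes([fill]) * 32
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw)) + raw
    return base64.b64encode(blob).decode()


# Constructed sample data, not real host keys.
SERVER_KEY = constructed_key(0x11)
OTHER_KEY = constructed_key(0x22)
KNOWN_HOSTS = f"192.168.1.5,fedoradesktop ssh-ed25519 {SERVER_KEY}\n"

if __name__ == "__main__":
    print(md5_fingerprint(SERVER_KEY), sha256_fingerprint(SERVER_KEY))
    for key in (SERVER_KEY, OTHER_KEY):
        print(check_host(KNOWN_HOSTS, "192.168.1.5", "ssh-ed25519", key))
    print(check_host(KNOWN_HOSTS, "192.168.1.9", "ssh-ed25519", SERVER_KEY))
```

"unknown" corresponds to the first-connection prompt in the original question, and "changed" to the warning about a different key for a host that was seen before.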

===============================================================
From: Dave Brockman
------------------------------------------------------

Or

sudo vi /etc/hosts

add fedoradesktop and its IP address there:

192.168.1.5 fedoradesktop

Then every service on the machine should be able to find FedoraDesktop, not just SSH.

Regards,

dtb

--
"Some things in life can never be fully appreciated nor understood unless experienced firsthand. Some things in networking can never be fully understood by someone who neither builds commercial networking equipment nor runs an operational network." RFC1925

===============================================================
From: Dave Brockman
------------------------------------------------------

assuming you have the same username/password on both machines, otherwise you will need something along the lines of:

scp /path/to/local/file remoteuser@FedoraDesktop:/path/to/destination

which will prompt you for remoteuser@FedoraDesktop's password.

Regards,

dtb

===============================================================
From: cynicalgeek@gmail.com
------------------------------------------------------

You could install FileZilla for the client side.

===============================================================
From: Dave Brockman
------------------------------------------------------

===============================================================
From: Sean Brewer
------------------------------------------------------

And more convenient, especially if you have several different accounts on several different servers you need access to at any given time.

===============================================================
From: Mike Harrison
------------------------------------------------------

Or both. Problem with certs only is if a trusted machine gets nailed, they all do.

===============================================================
From: Dave Brockman
------------------------------------------------------

Don't give your accounts any sudo love. Make yourself use su to gain root access and don't let your regular accounts do maintenance.

Oops, I just pissed off the entire *buntu admin philosophy.....

Regards,

dtb

===============================================================
From: wes
------------------------------------------------------

you can easily tell sudo to require root's password instead of the user's. I think this is a much better plan than using su.

-wes

===============================================================
From: Lynn Dixon
------------------------------------------------------

Only switch to root in the most dire of situations. As Wes pointed out, setting up sudo properly is the safest way of doing things. I don't know how many people take advantage of it, but you can get super granular with what a user can/can't do with the sudoer file.

Besides when you work in a large environment, you WANT to be able to check logs to see which account sudo'd what command from where that caused a machine to blow up.

===============================================================
From: Ralph Edge
------------------------------------------------------

I've been meaning to set up the granular sudo control on my work servers for a while, just never get around to it...

-Ralph

===============================================================
From: Dave Brockman
------------------------------------------------------

Su requires root pwd on my box?

===============================================================
From: Stephen Haywood
------------------------------------------------------

Read this: http://www.linuxquestions.org/linux/answers/Networking/Public

===============================================================
From: Dave Brockman
------------------------------------------------------

I actually have to expand and clarify for the record, not all of you know when I'm being a smart-ass, and this did start off with someone asking for help furthering their knowledge.

With that being said, I learned Unix on machines that did not have sudo, that was BSD land, if it was in ATT SYSV/MP-RAS, it wasn't loaded on what went out to customer sites that I supported. Can't say I remember it in OSF or RH3 either. So, you won't actually find me sitting in the "OMG don't ever use REWT!" crowd. There will come a time when something you want to do won't work right with sudo, or you don't want to spend the half-hour debugging shell escaping, etc., just to run this one command that you will never run again and need to run to fix whatever. Treat a root shell like the very powerful *tool* it is, and respect your tool.

Now, what I actually recommend you do is:

1) Only use ssh with a dummy account that can login, issue "su realusername", prompt for realusername password and that's about it. No sudo love.

2) As mentioned, you can do a *lot* of creative things with your sudoers. Do so with your real user account, but as suggested, have it prompt for root's password.

I do the same thing for clients basically. The VPN account I use has no privileges other than the VPN, because the accounts I use to access the Windows servers *are* privileged. It's all about layers, there is no magic perfect setup. Quite honestly, in this day and age, you're first just trying to make yourself more difficult than the guy a few numbers up in the subnet range from you. That's the easy stuff :)

Do not allow root to SSH directly, I think most distros set this by default now, but it's worth verifying.

Your logs should capture what root did as well, and since it's a large environment, you are using a remote syslog server that requires different credentials to access to prevent tampering, yes?

Regards,

dtb
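Added example, not part of the thread: one way to verify the "do not allow root to SSH directly" advice above by reading an sshd_config, sketched in Python. The sample configuration is constructed, the function name is this example's own, and Include files are not followed.

```python
import re


def audit_root_login(config_text: str) -> dict:
    """Report the global PermitRootLogin value and Match blocks that loosen it.

    sshd keeps the first value it reads for a keyword, so a later duplicate in
    the same section is ignored; a Match block overrides the global value for
    the connections it matches.
    """
    global_value = None
    overrides = []            # (match criteria, value) pairs other than "no"
    criteria = None           # None while still in the global section
    seen_in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.*)", line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if keyword == "match":
            criteria, seen_in_block = value, False
        elif keyword == "permitrootlogin":
            if criteria is None:
                if global_value is None:          # first value wins
                    global_value = value.lower()
            elif not seen_in_block:
                seen_in_block = True
                if value.lower() != "no":
                    overrides.append((criteria, value.lower()))
    return {
        "global": global_value,   # None means the compiled-in default applies
        "match_overrides": overrides,
        "root_ssh_disabled": global_value == "no" and not overrides,
    }


# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
Port 22
PermitRootLogin no
PermitRootLogin yes
Match Address 192.168.1.0/24
    PermitRootLogin prohibit-password
"""

if __name__ == "__main__":
    print(audit_root_login(SAMPLE))
```

On a live system, `sshd -T` prints the effective configuration with defaults applied, which also covers the case where the keyword is not set in the file at all.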

===============================================================
From: Ralph Edge
------------------------------------------------------

Thanks for the tips Dave

-Ralph

===============================================================
From: "Alex Smith (K4RNT)"
------------------------------------------------------

For when I *have* to use sudo, I've discovered the -i flag, depending on your access will spawn a shell and allow you the same advantages people like using sudo for.

I started on Linux in 1999 and Solaris in 2001. I also played a little bit with Digital UNIX when I was in junior high and high school. I've used both sudo and su, and I prefer su most of the time, but since sudo is creeping up and cutting off access to su, I just run 'sudo -i' to get the equivalent functionality.

===============================================================
From: Dan Lyke
------------------------------------------------------

On Wed, 6 Jun 2012 11:36:19 -0500 Garrett Gaston wrote:

If you run ssh-keygen, you end up with two files in your ~/.ssh, either id

===============================================================
From: Dave Brockman
------------------------------------------------------

===============================================================
From: Dan Lyke
------------------------------------------------------

On Wed, 06 Jun 2012 22:25:42 -0400 Dave Brockman wrote:

You win the "good idea of the day!" award.