
2 April 2003, 17:00:47 The Complete FreeBSD (netclient.mm), page 415
24 Basic network access: clients
In this chapter:
• The World Wide Web
• Web browsers
• ssh
• Access without a password
• ssh tunnels
• Configuring ssh
• Troubleshooting ssh connections
• telnet
• Copying files
• scp
• ftp
• sftp
• rsync
• Using an rsync server
• The Network File System
• NFS client
• NFS strangenesses

the primary service for sending mail round the Internet. There's also the Post Office Protocol or POP, which is used by systems unable to run SMTP. This topic is so important that we'll devote Chapters 26 and 27 to it.
To use a remote machine effectively, you need better access than such specialized servers can give you. The most powerful access is obviously when you can execute a shell on the remote machine; that gives you effectively the same control over the machine as you have over your local machine. A number of services are available to do this. In the olden days, you would use telnet or rlogin to log into another machine. These programs are
netclient.mm,v v4.12 (2003/04/02 03:42:50) 415
still with us, but security concerns make them effectively useless outside a trusted local network. We'll look at them briefly on page 428.
The preferred replacement is ssh, which stands for secure shell. In fact, it's not a shell at all, it's a service to communicate with a remote shell. It encrypts the data sent over the network, thus making it more difficult for crackers to abuse. We'll look at it in detail on page 417.
Another important service is the ability to move data from one system to another. There are a number of ways of doing this. The oldest programs are rcp and ftp. These programs have the same security concerns as telnet and rlogin, though ftp still has some uses. More modern copying programs use scp, which is based on ssh. We'll look at file copy programs on page 429. In addition, rsync is a useful program for maintaining identical copies of files on different systems. We'll look at it on page 435.
A somewhat different approach is the Network File System or NFS, which mounts file systems from another machine as if they were local. We'll look at NFS clients on page 438.
The World Wide Web
For the vast majority of the public, the Internet and the World Wide Web are the same thing. FreeBSD is an important contender in this area. Some of the world's largest web sites, including Yahoo! (http://www.yahoo.com/) run FreeBSD. Even Microsoft runs

In addition to these browsers, StarOffice and OpenOffice include integrated browsers. You may find you prefer them.
This book does not deal with how to use a web browser: just about everybody knows how to use one. You can also get help from just about any browser; just click on the text or icon marked Help or ?.
ssh
ssh is a secure shell, a means of executing programs remotely using encrypted data transfers. There are a number of different implementations of ssh: there are two different protocols, and the implementations are complicated both by bugs and license conditions. FreeBSD comes with an implementation of ssh called OpenSSH, originally developed as part of the OpenBSD project.
Using ssh is simple:
$ ssh freebie
The authenticity of host ’freebie.example.org (223.147.37.1)’ can’t be established.
DSA key fingerprint is 08:f7:c4:14:48:0b:14:06:0e:2c:93:4b:1f:f6:ce:b5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ’freebie.example.org’ (DSA) to the list of known hosts.
[email protected]'s password: as usual, doesn't echo
Last login: Mon May 13 14:21:11 2002
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 5.0-RELEASE (FREEBIE) #3: Sun Jan 5 13:25:02 CST 2003
Welcome to FreeBSD!
$ tty
/dev/ttyp3
$
Once you get this far, you are connected to the machine in almost the same manner as if you were directly connected. This is particularly true if you are running X. As the output of the tty command shows, your "terminal" is a pseudo-tty or pty (pronounced "pity"). This is the same interface that you have with an xterm.

password. To address this issue, ssh has an access method that doesn't require passwords: instead it uses a technique called public key cryptography. You have two keys, one of which you can give away freely, and the other of which you guard carefully. You can encrypt or decrypt with either key: data encrypted with the public key can be decrypted with the private key, and data encrypted with the private key can be decrypted with the public key.
Once you have these keys in place, you can use the challenge-response method for authentication. To initiate an ssh connection, ssh sends your public key to the sshd process on the remote system. The remote system must already have a copy of this key. It uses it to encrypt a random text, a challenge, which it sends back to your system. The ssh process on your system decrypts it with your private key, which is not stored anywhere else, and sends the decrypted challenge back to the remote sshd. Only your system can decode the challenge, so this is evidence to the remote sshd that it's really you.
By default, the private key for Version 1 of the protocol is stored in the file ~/.ssh/identity, and the public key is stored in the file ~/.ssh/identity.pub. For Version 2, you have a choice of two different encryption schemes, DSA and RSA. The corresponding private and public keys are stored in the files ~/.ssh/id_dsa, ~/.ssh/id_dsa.pub, ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub respectively. If you have the choice between DSA keys and RSA keys for protocol Version 2, use DSA keys, which are considered somewhat more secure. You still should have an RSA key pair in case you want to connect to a system that doesn't support DSA keys.
There's still an issue of unauthorized local access, of course. To ensure that somebody doesn't compromise one system and then use it to compromise others, you need a kind of password for your private keys. To avoid confusion, ssh refers to it as a passphrase. If ssh finds keys in the ~/.ssh directory, it attempts to use them:
$ ssh hub
Enter passphrase for key ’/home/grog/.ssh/id_rsa’: (no echo)

Enter same passphrase again: (no echo)
Your identification has been saved in /home/grog/.ssh/id_dsa.
Your public key has been saved in /home/grog/.ssh/id_dsa.pub.
The key fingerprint is:
53:53:af:22:87:07:10:e4:5a:2c:21:31:ec:29:1c:5f [email protected]
Before you can use these keys, you need to get the public keys on the remote site in the file ~/.ssh/authorized_keys. Older versions of ssh used a second file, ~/.ssh/authorized_keys2, for protocol Version 2, but modern versions store all the keys in the one file
~/.ssh/authorized_keys. There are a number of ways to get the keys in these files. If you already have access to the machine (via password-based authentication, for example), you can put them there yourself. Typically, though, you'll have to get somebody else involved. To make it easier, the public keys are in ASCII, so you can send them by mail. The three public keys generated above look like this:
1024 35 1101242842742748033454498238668225412306578450520406221165673293206460199556
751223553035331118710873315456577313425763305854786629592671460454493321979564518976
839276314768175285909667395039795936492323578351726210382756436676090411475643317216
92291413130012157442638303275673247163400686283060339457790686649 [email protected]
e.org
ssh-dss AAAAB3NzaC1kc3MAAACBAIltWeRXnqD9HqOLn5kugPSWHicJiu1r0I9dHg8F5m2PpmupyRYSmDzs
cAcsxifo50+1yXk3Vf4P1+EDsAwkyqFlujuMVeKoTYcOi1yrnLDWIDiAeIzt1BQ6ONwbXqxwWKCq1eo1tXxO
rTxw84VboHUuq4XFdt+yPJs8QdxLhj+jAAAAFQC1JL+tU19+UR+c45JGom6ae29d7wAAAIAvNgdN6rTitMjD
CglN7Rq3/8WgI1kzh20XURbCe1n2yYsFifcImKb0sUYD2qsB5++gogzsse2IxyIECRCuyCOOFXIQ7WqkvjTp
/T+fuwGPIlho8eeNDRKKABUhHjkuApnoYLIC1O5uyciJ+dIbGaRtGFJr0da7KlkjOLkiv3sR1gAAAIAwgKfW
sRSQJyRZTkKGIHxn3EWTvSicnIRYza+HTaMuMFHMTkNMZBjhei6EoCFpV9B1QB9MlIZgf6WXM2DlmtdUbpm7
KFA669/LZT2LvxbtGP/B++7s0PMs0AgKrKgUxnhVweufMZlPvPPPOz4QS1ZZ5kYhN+lu0S8yuioXYNlDtA==
[email protected]
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA1/W3oa1ZEs58KRWMzsrZWMXzPfwoqQ+Z59p6SJlzhevsXG1P

Identity added: /home/grog/.ssh/id_rsa (/home/grog/.ssh/id_rsa)
Identity added: /home/grog/.ssh/id_dsa (/home/grog/.ssh/id_dsa)
Identity added: /home/grog/.ssh/identity ([email protected])
You can use ssh-add's -l flag to list which keys the authentication agent currently knows about:
$ ssh-add -l
1024 02:20:1d:50:78:c5:7c:56:7b:1d:e3:54:02:2c:99:76 [email protected] (RSA1)
1024 95:d5:01:ca:90:04:7d:84:f6:00:32:7a:ea:a6:57:2d /home/grog/.ssh/id_rsa (RSA)
1024 53:53:af:22:87:07:10:e4:5a:2c:21:31:ec:29:1c:5f /home/grog/.ssh/id_dsa (DSA)
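The authorized_keys lines shown above and the fingerprints in the ssh-add -l listing share one encoding, so here is an added example (not code from the book or from OpenSSH) that parses one entry of either form, checks that the type named at the start of a protocol-2 line matches the type embedded in its base64 blob, and computes the colon-separated MD5 fingerprint that ssh-add -l prints. The key values it builds are constructed, undersized samples, not real keys:

```python
import base64
import hashlib

def _mpint(n):
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")   # extra byte keeps the sign bit clear
    return len(raw).to_bytes(4, "big") + raw             # SSH mpint: length prefix, then magnitude

def build_blob(key_type, numbers):
    # Binary key blob that ssh-rsa / ssh-dss lines carry in base64: type string, then mpints
    return len(key_type).to_bytes(4, "big") + key_type.encode() + b"".join(_mpint(n) for n in numbers)

def make_line(key_type, numbers, comment):
    # Protocol-2 authorized_keys line "type base64 comment" (used here for constructed samples)
    return "%s %s %s" % (key_type, base64.b64encode(build_blob(key_type, numbers)).decode(), comment)

def fingerprint(data):
    # MD5 fingerprint in the colon-separated form that ssh-add -l and ssh-keygen print
    return ":".join("%02x" % b for b in hashlib.md5(data).digest())

def _unpack(blob):
    # Walk the blob: every item is a 4-byte big-endian length followed by that many bytes
    items, pos = [], 0
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        if len(blob[pos:pos + 4]) < 4 or pos + 4 + n > len(blob):
            raise ValueError("truncated key blob")
        items.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return items

def parse_authorized_key(line):
    """Return type, size, comment and fingerprint of one entry; reject inconsistent ones."""
    fields = line.split(None, 2)
    if len(fields) > 2 and fields[0].isdigit():      # protocol 1: "bits exponent modulus [comment]"
        bits, e, n, comment = (line.split(None, 3) + [""])[:4]
        n, e = int(n), int(e)                        # OpenSSH hashes the raw modulus, then the raw exponent
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes((e.bit_length() + 7) // 8, "big")
        return {"type": "RSA1", "bits": int(bits), "comment": comment, "fingerprint": fingerprint(raw)}
    if len(fields) < 2:
        raise ValueError("not an authorized_keys entry")
    key_type, comment = fields[0], (fields[2] if len(fields) > 2 else "")
    blob = base64.b64decode(fields[1], validate=True)
    items = _unpack(blob)
    if not items or items[0] != key_type.encode():   # declared type must match the embedded one
        raise ValueError("declared type %r does not match the key blob" % key_type)
    numbers = [int.from_bytes(x, "big") for x in items[1:]]
    if key_type not in ("ssh-rsa", "ssh-dss") or len(numbers) < (2 if key_type == "ssh-rsa" else 4):
        raise ValueError("unsupported or incomplete %s key" % key_type)
    size = numbers[1] if key_type == "ssh-rsa" else numbers[0]   # ssh-rsa: (e, n); ssh-dss: (p, q, g, y)
    return {"type": key_type, "bits": size.bit_length(), "comment": comment, "fingerprint": fingerprint(blob)}
```

A line whose declared type and blob disagree, or whose blob is cut short, is rejected rather than silently accepted, which is the check worth running before pasting mailed keys into ~/.ssh/authorized_keys.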
If you're using a Bourne-style shell such as bash, you can automate a lot of this by putting the following commands in your .bashrc or .profile file:
if tty >/dev/null; then            # only for interactive shells
  ssh-add -l >/dev/null             # exit 2: no agent reachable; exit 1: agent reachable but holds no keys
  if [ $? -ne 0 ]; then
    eval `ssh-agent`                # start an agent and import its environment variables
  fi
fi
This first uses the tty command to check if this is an interactive shell, then checks if you already have an authentication agent. If you don't, it starts one. Don't start a new authentication agent if you already have one: you'd lose any keys that the agent already knows. This script doesn't add keys, because this requires your intervention and could be annoying if you had to do it every time you start a shell.
Setting up X to use ssh
If you work with X, you have the opportunity to start a large number of concurrent ssh sessions. It would be annoying to have to enter keys for each session, so there's an alternative method: start X with an ssh-agent, and it will pass the information on to any xterms that it starts. Add the following commands to your .xinitrc:
eval `ssh-agent`
ssh-add < /dev/null
When you run ssh-add in this manner, without an input file, it runs a program to prompt

[Figure: the ssh tunnel between andante and presto; the only labels recovered from the diagram are 150.101.248.57, 22, 127.1 and 80]
The ssh connection is shown in fixed italic font. It looks just like any other ssh connection. The differences are the local connections at each end: instead of talking to presto port 80 (http), you talk to port 4096 on your local machine. Why 4096? It's your choice; you can use any port above 1024. If you're on andante, you can set up this tunnel with the command:
$ ssh -L 4096:presto.example.org:80 presto.example.org
To do the same thing from the presto end, you'd set up a reverse tunnel with the -R option:
$ ssh -R 4096:presto.example.org:80 andante.example.org
These commands both set up a tunnel from port 4096 on andante to port 80 on the host presto.example.org. You still need to supply the name of the system to connect to; it doesn't have to be the same. For example, you might not be able to log in to the web server, but you could access your machine back home, and it has access to the web server. In this case, you could connect to your machine at home:
$ ssh -L 4096:presto.example.org:80 freebie.example.org
In addition to setting up the tunnel, ssh creates a normal interactive session. If you don't want this, you can use the -f option to tell ssh to go into the background after authentication. You also need a command to execute; in case of doubt, use sleep, which
simply sleeps for a specified time. If this is what you want to do, you could enter a
command like:
$ ssh -L 4096:presto.example.org:80 presto.example.org -f sleep 3600
The command sleep 3600 suspends execution for an hour (3600 seconds) and then
exits. At this point, your tunnel also shuts down, so you should choose the time to be

programs, options found in a configuration file read in later do not replace the options found in an earlier file. Options on the command line replace those given in configuration files.
In practice, such conflicts happen less often than you might expect. The file /etc/ssh/ssh_config, the main configuration file for the system, normally contains only comments, and by default you don't even get a local ~/.ssh/config.
ssh_config can contain a large number of options. They're all described in the man page ssh_config(8), but it's worth looking at some of the more common ones here.
• The entry Host is special: the options that follow, up to the end of the file or the next following Host argument, relate only to hosts that match the arguments on the Host line.
• Optionally, ssh can compress the data streams. This can save a lot of traffic, but it can also increase CPU usage, so by default it is disabled. You can do this by passing the -C flag to ssh, but you can also do so by setting Compression yes in the configuration file.
• You can escape out of an ssh session to issue commands to ssh with the EscapeChar. By default it's the tilde character, ~. Other programs, notably rlogin, use this character as well, so you may want to change it. You can set this value from the ssh command line with the -e option.
• To forward an X11 connection, as shown above, you can also set the ForwardX11 variable to yes. This may be useful if you frequently access a remote machine and require X forwarding. This also sets the DISPLAY environment variable correctly to go over the secure channel.
• By default, ssh sends regular messages to the remote sshd server to check if the remote system has gone down. This can cause connections to be dropped on a flaky connection. Set the KeepAlive option to no to disable this behaviour.
• Use the LocalForward parameter to set up a tunnel. The syntax is similar to that of the -L option above: on andante, instead of the command line:

you can add this line to your configuration file:
StrictHostKeyChecking no
This doesn't stop the warnings, but ssh continues:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the DSA host key has just been changed.
The fingerprint for the DSA key sent by the remote host is
95:80:4c:fb:cc:96:1b:36:c5:c9:2b:cb:d1:d4:16:68.
Please contact your system administrator.
Add correct host key in /home/grog/.ssh/known_hosts2 to get rid of this message.
Offending key in /home/grog/.ssh/known_hosts2:39
• ssh assumes that your user name on the remote system is the same as the name on the local system. If that's not the case, you can use the User keyword to specify the remote user name. Alternatively, you can use the format:
$ ssh [email protected]
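As an added illustration (not from the book), the following ~/.ssh/config collects the options above into one file, with the tunnel from the ssh tunnels section expressed as a LocalForward entry and the most specific Host blocks placed first because, as explained above, the first value found for an option wins. The host names are the chapter's own; scratch.example.org is a hypothetical lab machine:

```sshconfig
# ~/.ssh/config: per-user ssh client settings. Entries are matched in order and the
# first value found for an option wins, so specific Host blocks go before "Host *".

# presto: the web server behind the tunnel. Port 4096 on this machine reaches
# port 80 on presto through the ssh session, as "ssh -L 4096:presto.example.org:80" does.
Host presto presto.example.org
    HostName presto.example.org
    LocalForward 4096 presto.example.org:80
    Compression yes

# hub: the remote account name differs from the local one, and X is used there
Host hub
    User grog
    ForwardX11 yes

# scratch (hypothetical): a lab box that is reinstalled often, so its host key changes.
# Only here is a changed key accepted without asking; no other host inherits this.
Host scratch.example.org
    StrictHostKeyChecking no

# Everything else: keep the host-key check (the default, "ask") and keepalives.
# Set KeepAlive no on a flaky link that drops idle connections, as described above.
Host *
    StrictHostKeyChecking ask
    KeepAlive yes
```

Scoping StrictHostKeyChecking no to one reinstalled lab host keeps the changed-host-key warning meaningful everywhere else; for any other host, confirm the new fingerprint out of band before replacing the known_hosts entry.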