lsh.texinfo 54.8 KB
Newer Older
Niels Möller's avatar
Niels Möller committed
1 2 3 4 5 6 7
\input texinfo          @c -*-texinfo-*-

@c %**start of header
@setfilename lsh.info
@settitle lsh
@c %**end of header

8 9 10 11 12
@dircategory GNU Packages
@direntry
* LSH: (lsh).           Secure Shell and related utilities.
@end direntry

13
@set UPDATED-FOR 1.4
14

15 16 17 18
@c Latin-1 doesn't work with tex output.
@c Also lookout for é characters.

@set AUTHOR Niels Möller
Niels Möller's avatar
Niels Möller committed
19
@ifinfo
20 21
Draft manual for LSH. This manual corresponds to @command{lsh} version
@value{UPDATED-FOR}. 
Niels Möller's avatar
Niels Möller committed
22

23
Copyright 2000 @value{AUTHOR}
Niels Möller's avatar
Niels Möller committed
24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55

Permission is granted to make and distribute verbatim
copies of this manual provided the copyright notice and
this permission notice are preserved on all copies.

@ignore
Permission is granted to process this file through TeX
and print the results, provided the printed document
carries a copying permission notice identical to this
one except for the removal of this paragraph (this
paragraph not being relevant to the printed manual).

@end ignore
Permission is granted to copy and distribute modified
versions of this manual under the conditions for
verbatim copying, provided also that the sections
entitled ``Copying'' and ``GNU General Public License''
are included exactly as in the original, and provided
that the entire resulting derived work is distributed
under the terms of a permission notice identical to this
one.

Permission is granted to copy and distribute
translations of this manual into another language,
under the above conditions for modified versions,
except that this permission notice may be stated in a
translation approved by the Free Software Foundation.

@end ifinfo

@titlepage
@sp 10
56 57 58 59
@c @center @titlefont{LSH Manual}

@title LSH Manual
@subtitle For @command{lsh} version @value{UPDATED-FOR}
Niels Möller's avatar
Niels Möller committed
60

61
@author @value{AUTHOR}
Niels Möller's avatar
Niels Möller committed
62 63 64 65

@c The following two commands start the copyright page.
@page
@vskip 0pt plus 1filll
66
Copyright @copyright{} 2000 @value{AUTHOR}
Niels Möller's avatar
Niels Möller committed
67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88

Permission is granted to make and distribute verbatim
copies of this manual provided the copyright notice and
this permission notice are preserved on all copies.

Permission is granted to copy and distribute modified
versions of this manual under the conditions for
verbatim copying, provided also that the sections
entitled ``Copying'' and ``GNU General Public License''
are included exactly as in the original, and provided
that the entire resulting derived work is distributed
under the terms of a permission notice identical to this
one.

Permission is granted to copy and distribute
translations of this manual into another language,
under the above conditions for modified versions,
except that this permission notice may be stated in a
translation approved by the Free Software Foundation.

@end titlepage

89 90
@contents

91
@ifnottex
92
@node     Top, Introduction, (dir), (dir)
Niels Möller's avatar
Niels Möller committed
93
@comment  node-name,  next,  previous,  up
94
@ifinfo
95
@top
96
@end ifinfo
97

98 99 100 101 102
This document describes @command{lsh} and related programs. The
@command{lsh} suite of programs is intended as a free replacement for
the @command{ssh} suite of programs. In turn, @command{ssh} was intended
as a secure replacement for the @command{rsh} and @command{rlogin}
programs for remote login over the Internet.
Niels Möller's avatar
Niels Möller committed
103

104
@command{lsh} is a component of the @acronym{GNU} system.
105

106 107
This manual explains how to use and hack @command{lsh}; it corresponds to
@command{lsh} version @value{UPDATED-FOR}.
Niels Möller's avatar
Niels Möller committed
108

109 110
@menu
* Introduction::                
111 112 113 114
* Installation::                
* Getting started::             
* Invoking lsh::                
* Invoking lshd::               
115
* Files and environment variables::  
116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134
* Terminology::                 
* Concept Index::               

@detailmenu
 --- The Detailed Node Listing ---

Introduction

* Threats::                     
* Features::                    
* Related techniques::          

Related programs and techniques

* ssh1::                        SSH version 1
* ssh2::                        SSH version 2
* Kerberos::                    Kerberos
* ipsec::                       IP Sec

135 136
Getting started

Niels Möller's avatar
Niels Möller committed
137
* lsh-make-seed ::              
138 139 140 141 142
* lsh basics::                  Connection with lsh
* tcpip forwarding::            Forwarding @acronym{TCP/IP} ports
* lshd basics::                 Starting the lshd deamon
* public-key::                  Using public-keys
* srp::                         Using SRP authentication
Niels Möller's avatar
Niels Möller committed
143
* sexp::                        Examining keys and other S-exp files
144
* Converting keys::             
145 146

Invoking @command{lsh}
147

148 149 150 151 152
* Algorithms: Algorithm options.  Selecting algorithms.
* Hostauth options::            
* Userauth options::            
* Actions: Action options.      What to do after login.
* Messages: Verbosity options.  Tuning the amount of messages.
153

154 155 156
@end detailmenu
@end menu

157 158
@end ifnottex

159
@node Introduction, Installation, Top, Top
Niels Möller's avatar
Niels Möller committed
160 161 162 163
@comment  node-name,  next,  previous,  up
@chapter Introduction

What is this thing called computer security anyway? Why would you want
164
to use a program like @command{lsh}?
Niels Möller's avatar
Niels Möller committed
165

166
This chapter explains the threats @command{lsh} tries to protect you from,
Niels Möller's avatar
Niels Möller committed
167
and some of the threats that remain. It also describes some of the
168
technologies used in @command{lsh}.
Niels Möller's avatar
Niels Möller committed
169 170 171 172 173 174

From time to time in this manual, I will speak about the @dfn{enemy}.
This means anybody who is trying to eavesdrop or disturb your private
communication. This usage is technical, and it does not imply that the
enemy is somehow morally inferior to you: The enemy may be some awful
criminals trying to eavesdrop on you, or it may be the police trying to
175
eavesdrop on the same criminals.
Niels Möller's avatar
Niels Möller committed
176 177 178

The enemy can be a criminal, or a competitor, or your boss who's trying
to find out how much you tell collegues at competing firms. It may be
179
your own or somebody else's national security officials. Or your
Niels Möller's avatar
Niels Möller committed
180 181 182
ex-boyfriend who happens to be too curious.

So what can the enemy do to your communications and your privacy?
183
Remember that just because you're paranoid that doesn't mean that nobody
184
is trying to get you@dots{}
Niels Möller's avatar
Niels Möller committed
185 186


187 188 189 190 191 192 193
@menu
* Threats::                     
* Features::                    
* Related techniques::          
@end menu

@node Threats, Features, Introduction, Introduction
Niels Möller's avatar
Niels Möller committed
194 195 196
@comment  node-name,  next,  previous,  up
@section Threats

197 198
When logging in to some other machine via the Internet, either in the
same building or a few continents away, there are several things that
Niels Möller's avatar
Niels Möller committed
199 200
may be under enemy attack.

201 202
@table @dfn
@item Local attacks
203
The enemy controls your local environment. He or she may be looking over
Niels Möller's avatar
Niels Möller committed
204 205 206 207 208 209
your shoulder. Your local machine might be cracked. Or there may be some
device planted inside your keyboard transmitting everything you type to
the attacker. About the same problems occur if the attacker has taken
control over your target machine, i.e. the remote machine you have
logged in to.

210
@item Denial-of-service attacks
Niels Möller's avatar
Niels Möller committed
211 212 213
The enemy has cut your network cable, effectively stopping your
communication. Even without doing physical damage, the enemy may be able
to flood and overload computers or network equipment. Or disrupt network
214
traffic by sending fake packets to hangup your @acronym{TCP/IP}
Niels Möller's avatar
Niels Möller committed
215 216
connections.

217
@item Passive eavesdropping
Niels Möller's avatar
Niels Möller committed
218
The enemy may be able to listen to your communication somewhere along
219
its path. With the global Internet, it's difficult to predict who might
Niels Möller's avatar
Niels Möller committed
220 221 222 223 224 225 226 227 228
be able to listen. Internet traffic between buildings just a few hundred
meters apart have been observed temporarily being routed through half a
dozen countries, perhaps a few thousand kilometers.

And even without routing anomalies, it is possible that the enemy has
been able to take control of some nearby machine, and can listen in from
there. Of course, passive eavesdropping is most dangerous if you
transmit cleartext passwords. This is the main reason not to use vanilla
telnet to login to remote systems. Use a telnet with support for
229 230
@acronym{SSL} or Kerberos, or use a program like @command{lsh} or
@command{ssh}. 
Niels Möller's avatar
Niels Möller committed
231 232 233 234 235 236 237 238 239 240 241 242 243

A passive eavesdropper is assumed not to do anything nasty with your
packets beyond listening to them.

@item Name resolution attacks
The translation from symbolic @acronym{DNS} names to numeric
ip-addresses may be controlled by the attacker. In this case, you may
think that you are connecting to a friendly machine, when in fact you
are connecting somewhere else.

@item Fake packets
It is fairly easy to fake the source address of an @acronym{IP}-packet,
although it is more difficult to get hold on the replies to the faked
244
packets. But even without any replies, this can cause serious
Niels Möller's avatar
Niels Möller committed
245 246
problems. 

247
@item Man-in-the-middle attack
Niels Möller's avatar
Niels Möller committed
248 249 250 251 252 253 254 255 256 257 258
In this attack, the enemy sits between you and the target. When
communicating with you, he pretends to be the target. When communicating
with the target, he pretends to be you. He also passes all information
on more or less unmodified, so that he is invisible to you and the
target. To mount this attack, the enemy either needs physical access to
some network equipment on the path between you and the target, or he has
been able to fool you to connect to him rather than to the target, for
example by manipulating the @acronym{DNS}-system.

@end table

259
@command{lsh} makes no attempt to protect you from local attacks. You have
Niels Möller's avatar
Niels Möller committed
260 261 262
to trust the endpoint machines. It seems really difficult to uphold any
security if the local machine is compromised. This is important to keep
in mind in the ``visitor''-scenario, where you visit a friend or perhaps an
263
Internet café and want to connect to some of the machines at home or at
Niels Möller's avatar
Niels Möller committed
264 265 266
work. If the enemy has been able to compromize your friend's or the
café's equipment, you may well be in trouble.

267 268
Protection from denial-of-service attacks is also a very difficult
problem, and @command{lsh} makes no attempt to protect you from that.
Niels Möller's avatar
Niels Möller committed
269

270
Instead, the aim of @command{lsh}, and most serious tools for cryptographic
271
protection of communications across the net, is to isolate the
Niels Möller's avatar
Niels Möller committed
272
vulnerabilities to the communication endpoints. If you know that the
273
endpoints are safe, the enemy should not be able to compromize your
274
privacy or communications. Except for denial-of-service attacks (which
Niels Möller's avatar
Niels Möller committed
275 276
at least can't be performed without you noticing it).

277
First of all, @command{lsh} provides protection against passive
Niels Möller's avatar
Niels Möller committed
278
eavesdropping. In addition, if you take the appropriate steps to make
279
sure that hostkeys are properly authenticated, @command{lsh} also protects
Niels Möller's avatar
Niels Möller committed
280 281 282 283
against man-in-the-middle attacks and in particular against attacks on
the name resolution. In short, you need only trust the security at the
end points: Even if the enemy controls all other network equipment, name
resolution and routing infrastructure, etc, he can't do anything beyond
284
the denial-of-service attack.
Niels Möller's avatar
Niels Möller committed
285 286 287 288 289 290 291

And at last, remember that there is no such thing as absolute security.
You have to estimate the value of that which you are protecting, and
adjust the security measures so that your enemies will not find it worth
the effort to break them.


292
@node Features, Related techniques, Threats, Introduction
Niels Möller's avatar
Niels Möller committed
293
@comment  node-name,  next,  previous,  up
294
@section Features
Niels Möller's avatar
Niels Möller committed
295

296
@command{lsh} does not only provide more secure replacements for
297 298 299 300 301 302
@command{telnet}, @command{rsh} and @command{rlogin}, it also provides
some other features to make it convenient to communicate securely. This
section is expected to grow with time, as more features from the
wish-list are added to lsh. One goal for @command{lsh} is to make it
reasonable easy to extend it, without messing with the core security
functionality.
Niels Möller's avatar
Niels Möller committed
303

304
@command{lsh} can be configured to allow login based on a personal key-pair
Niels Möller's avatar
Niels Möller committed
305
consisting of a private and a public key, so that you can execute remote
306
commands without typing your password every time. You can also use
307
Thomas Wu's Secure Remote Password Protocol (@acronym{SRP}). Kerberos support is
308
on the wish list but not yet supported (@pxref{Kerberos}).
Niels Möller's avatar
Niels Möller committed
309

310
The public-key authentication methods should also be extended to support
311
Simple Public Key Infrastructure (@acronym{SPKI}) certificates, including some
Niels Möller's avatar
Niels Möller committed
312 313
mechanism to delegate restricted logins.

314 315 316
Forwarding of arbitrary @acronym{TCP/IP} connections is provided. This
is useful for tunneling otherwise insecure protocols, like telnet and
pop, through an encrypted @command{lsh} connection.
Niels Möller's avatar
Niels Möller committed
317

318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333
Convenient tunneling of @acronym{X} was one of the most impressive
features of the original @command{ssh} programs. The current version of
@command{lsh} implements @acronym{X}-forwarding, although the
@command{lshd} server doesn't provide that service yet.

Whan @acronym{X} forwarding is in effect, the remote process is started
in an environment where the @env{DISPLAY} variable in the environment
points to a fake @acronym{X} server, connection to which are forwarded
to the @acronym{X} server in your local environment. @command{lsh} also
creates a new ``fake'' @samp{MIT-MAGIC-COOKIE-1} for controlling access
control. Your real @acronym{X} authentication data is never sent to the
remote machine.

Other kinds of tunneling that may turn out to be useful include
authentication (i.e. @command{ssh-agent}), general forwarding of
@acronym{UDP}, and why not also general @acronym{IP}-tunneling.
Niels Möller's avatar
Niels Möller committed
334 335


336
@node Related techniques,  , Features, Introduction
Niels Möller's avatar
Niels Möller committed
337 338 339 340
@comment  node-name,  next,  previous,  up
@section Related programs and techniques

This sections describes some other programs and techniques related to
341 342
@command{lsh}. The ssh family of programs use mostly the same kind of
security as @command{lsh}. Kerberos and @acronym{IPSEC} operate quite
Niels Möller's avatar
Niels Möller committed
343
differently, in particular when it comes to protection against
344
man-in-the-middle attacks.
Niels Möller's avatar
Niels Möller committed
345

346 347 348 349 350 351 352 353
@menu
* ssh1::                        SSH version 1
* ssh2::                        SSH version 2
* Kerberos::                    Kerberos
* ipsec::                       IP Sec
@end menu

@node ssh1, ssh2, Related techniques, Related techniques
Niels Möller's avatar
Niels Möller committed
354
@comment  node-name,  next,  previous,  up
355
@subsection @code{ssh-1.x}
Niels Möller's avatar
Niels Möller committed
356

357
The first of the Secure shell programs was Tatu Ylönen's @command{ssh}.
Niels Möller's avatar
Niels Möller committed
358 359
The latest of the version 1 series is @code{ssh-1.33} which speaks
version 1.5 of the protocol. The ``free'' version of @code{ssh-1.33}
360
does not allow commercial use without additional licensing, which makes
Niels Möller's avatar
Niels Möller committed
361
@code{ssh-1.33} non-free software according to Debian's Free Software
362
Guidelines and the Open Source Definition.
Niels Möller's avatar
Niels Möller committed
363 364 365 366 367

The version 1 protocol has some minor weaknesses, in particular, all
support for using stream ciphers was disabled by default a few versions
back, for security reasons.

368 369
There also exists free implementations of @code{ssh-1}, for both Unix
and Windows. @command{ossh} and later OpenSSH are derived from earlier
370
version av Tatu Ylönen's @command{ssh}, and are free software.
Niels Möller's avatar
Niels Möller committed
371

372
@node ssh2, Kerberos, ssh1, Related techniques
Niels Möller's avatar
Niels Möller committed
373
@comment  node-name,  next,  previous,  up
374
@subsection @code{ssh-2.x}
Niels Möller's avatar
Niels Möller committed
375

376
@command{ssh2} implements the next generation of the Secure Shell
Niels Möller's avatar
Niels Möller committed
377
protocol, the development of which is supervised by the @acronym{IETF}
378 379
secsh Working Group. @command{lsh} implements the required subset of
this protocol. It is intended to be compatible with the @command{ssh2}
380
series of programs distributed by F-Secure Corporation.
Niels Möller's avatar
Niels Möller committed
381

382
However, the existing versions of @command{ssh2} gets some details of the
Niels Möller's avatar
Niels Möller committed
383 384 385
protocol wrong (probably because it predates the protocol
specification), so there is some amount of bug-compatibility required.

386 387
Interoperability between independently developed implementations is one
necessary condition for the @code{ssh-2} protocol to become a Proposed
Niels Möller's avatar
Niels Möller committed
388 389
Standard.

390
The license for F-Secure's @command{ssh2} programs is similar to that
391
for recent versions of @command{ssh1}, but with a narrower definition of
Niels Möller's avatar
Niels Möller committed
392 393
``non-commercial use''.

394
Besides @command{lsh} there are few free implementations of the
395
@code{ssh-2} protocols. Since May 2000 it is supported also by
396 397 398
OpenSSH.


399
@node Kerberos, ipsec, ssh2, Related techniques
Niels Möller's avatar
Niels Möller committed
400 401 402 403 404 405 406 407 408 409 410 411 412 413
@comment  node-name,  next,  previous,  up
@subsection Kerberos

Kerberos is a key distribution system originally developed in the late
1980:s as a part of Project Athena at @acronym{MIT}. Recent development
have been done at The Royal Institute of Technology, Stockholm
(@acronym{KTH}).

Kerberos uses a central trusted ticket-granting server, and requires
less trust on the local machines in the system. It does not use
public-key technology.

Usually, Kerberos support is compiled into applications such as telnet,
ftp and X-clients. The ssh family of programs, on the other hand, tries
414
to do all needed magic, for instance to forward @acronym{X} securely, and then
415
provides general @acronym{TCP/IP} forwarding as a kitchen sink.
Niels Möller's avatar
Niels Möller committed
416

417 418
I believe Kerberos' and lsh's protection against passive eavesdropping
are mostly equivalent. The difference is in the set of machines and
419 420
assumptions you have to trust in order to be safe from a
man-in-the-middle attack.
Niels Möller's avatar
Niels Möller committed
421

422
I think the main advantage of @command{lsh} over Kerberos is that it is
Niels Möller's avatar
Niels Möller committed
423 424 425
easier to install and use for on ordinary mortal user. In order to set
up key exchange between two different Kerberos systems (or @dfn{Kerberos
realms}), the respective system operators need to exchange keys. In the
426
case of two random users at two random sites, setting up @command{lsh} or
427
some other program in the ssh family is likely easier than to get the
428 429
operators to spend time and attention. So @command{lsh} should be easier to
use in an anarchistic grass-roots environment.
Niels Möller's avatar
Niels Möller committed
430

431
Another perspective is to combine ssh features like @acronym{X} and
432 433 434
@acronym{TCP/IP} forwarding with authentication based on Kerberos. Such
an arrangement may provide the best of two worlds for those who happen
to have an account at a suitable ticket-granting server.
Niels Möller's avatar
Niels Möller committed
435

436
@node ipsec,  , Kerberos, Related techniques
Niels Möller's avatar
Niels Möller committed
437 438 439
@comment  node-name,  next,  previous,  up
@subsection @acronym{IPSEC}

440 441 442
@acronym{IPSEC} is a set of protocols for protecting general
@acronym{IP} traffic. It is developed by another @acronym{IETF} working
group, and is also a required part of @acronym{IP} version 6.
Niels Möller's avatar
Niels Möller committed
443

444
Again, the main difference between @acronym{IPSEC} and Kerberos and ssh
Niels Möller's avatar
Niels Möller committed
445
is the set of machines that have to be secure and the keys that have to
446
be exchanged in order to avoid man-in-the-middle attacks.
Niels Möller's avatar
Niels Möller committed
447 448 449 450 451 452 453 454 455 456 457 458 459 460

Current protocols and implementations of @acronym{IPSEC} only provide
authentication of machines; there's nothing analogous to the user
authentication in ssh or Kerberos.

On the other hand, @acronym{IPSEC} provides one distinct advantage over
application level encryption. Because @acronym{IP} and @acronym{TCP}
headers are authenticated, it provides protection against some
denial-of-service attacks. In particular, it makes attacks that cause
hangup of a @acronym{TCP} connection considerably more difficult.

So it makes sense to use both @acronym{IPSEC} and some application
level cryptographic protocol.

461 462 463 464 465
Also note that it is possible to use the @dfn{Point-to-Point Protocol}
(@acronym{PPP}) to tunnel arbitrary @acronym{IP} traffic accross an ssh
connection. This arrangement provides some of the functionality of
@acronym{IPSEC}, and is sometimes referred to as ``a poor man's Virtual
Private Network''.
Niels Möller's avatar
Niels Möller committed
466

467 468 469 470
@node Installation, Getting started, Introduction, Top
@comment  node-name,  next,  previous,  up
@chapter Installation

471
You install @command{lsh} with the usual @code{./configure && make &&
472
make install}. For a full listing of the options you can give to
473
@command{configure}, use @code{./configure --help}. For example, use
474 475 476 477
@option{--without-pty} to disable pty-support.

The most commonly used option is @option{--prefix}, which tells
configure where lsh should be installed. Default prefix is
478
@file{/usr/local}. The @command{lshd} server is installed in
479 480 481
@file{$prefix/sbin}, all other programs and scripts are installed in
@file{$prefix/bin}. 

482
The configure script tries to figure out if the linker needs any special
483 484
flags specifying where to find dynamically linked libraries at run time
(one case where this matters is if you have a dynamic libz.so installed
Niels Möller's avatar
Niels Möller committed
485
in a non-standard place). Usually, you can use
486

487 488 489
@example
./configure --with-lib-path=/opt/lib:/other/place
@end example
490

491
@noindent
492 493
to specify extra library directories, and the configure script should do
the right thing. If it doesn't work, or you believe that you know your
494
system better than @command{./configure}, just set LDFLAGS and/or
495
LD_LIBRARY_PATH to the right values instead.
496 497 498 499


@node Getting started, Invoking lsh, Installation, Top
@comment  node-name,  next,  previous,  up
500 501
@chapter Getting started
This section tells you how to perform some common tasks using the
502
@command{lsh} suite of programs, without covering all options and
503 504 505
possibilities.

@menu
Niels Möller's avatar
Niels Möller committed
506
* lsh-make-seed ::              
507 508 509 510 511
* lsh basics::                  Connection with lsh
* tcpip forwarding::            Forwarding @acronym{TCP/IP} ports
* lshd basics::                 Starting the lshd deamon
* public-key::                  Using public-keys
* srp::                         Using SRP authentication
Niels Möller's avatar
Niels Möller committed
512
* sexp::                        Examining keys and other S-exp files
513
* Converting keys::             
514 515
@end menu

Niels Möller's avatar
Niels Möller committed
516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539
@node lsh-make-seed , lsh basics, Getting started, Getting started
@comment  node-name,  next,  previous,  up
@section Initializing the randomness generator

Several of the lsh programs requires a good pseudorandomness generator
for secure operation. The first thing you need to do is to create a
seed file for the generator. To create a personal seed file, stored as
@file{~/.lsh/yarrow-seed-file}, run

@example
lsh-make-seed
@end example

To create a seed file for use by @command{lshd}, run

@example
lsh-make-seed --server
@end example

as root. The seed file is stored as
@file{/var/spool/lsh/yarrow-seed-file}.


@node lsh basics, tcpip forwarding, lsh-make-seed , Getting started
540 541 542 543 544 545
@comment  node-name,  next,  previous,  up
@section @command{lsh} basics

@command{lsh} is the program you use for connection to a remote machine. A
few examples are:

546 547 548
@example
lsh sara.lysator.liu.se
@end example
549

550
@noindent
551 552 553 554 555 556
Connects to @samp{sara.lysator.liu.se} and starts an interactive shell.
In this example, and in the rest of the examples in this section, lsh
will ask for your password, unless you have public-key user
authentication set up.

The first time you try to connect between two machines, @command{lsh}
557 558
typically complains about an ``unknown host key''. This is because it
has no reason to believe that it was the right machine that answered,
559 560
and not a machine controlled by the enemy (@pxref{Threats}). The default
behaviour is to never ever accept a server that is not properly
561
authenticated. A machine is considered authentic if it follows the
562 563 564 565
protocol and has its public hostkey listed in @file{~/.lsh/known_hosts}.

To make lsh less paranoid, use

566 567 568
@example
lsh --sloppy-host-authentication sara.lysator.liu.se
@end example
569

570
@noindent
571 572 573 574 575 576 577 578
Then @command{lsh} will display a @dfn{fingerprint} of the host key of the
remote machine, and ask you if it is correct. If so, the machine is
considered authentic and its key is appended to the file
@file{~/.lsh/captured_keys}. You can copy keys you have verified to
@file{~/.lsh/known_hosts}.

You can even use

579 580 581
@example
lsh --sloppy-host-authentication --capture-to ~/.lsh/known_hosts
@end example
582

583
@noindent
584 585 586 587 588
to get @command{lsh} to behave more like the traditional @command{ssh} program.

You can create fingerprints for the hostkeys you need regularly, and
keep with you (@pxref{sexp}).

589 590 591
@example
lsh -l omar sara.lysator.liu.se
@end example
592

593
@noindent
594 595
Connects, like above, but tries to log in as the user ``omar''.

596 597 598
@example
lsh sara.lysator.liu.se tar cf - some/dir | (cd /target/dir && tar -xf -)
@end example
599 600 601 602

Copies a directory from the remote machine, by executing one remote and
one local @command{tar} process and piping them together.

603
@example
604
CVS_RSH=lsh cvs -d cvs.lysator.liu.se:/cvsroot/lsh co lsh
605
@end example
606

607 608 609
@noindent
Checks out the @command{lsh} source code from the @acronym{CVS}
repository.
610 611 612 613 614 615 616 617 618 619 620 621


@node  tcpip forwarding, lshd basics, lsh basics, Getting started
@comment  node-name,  next,  previous,  up
@section Port forwarding

One useful feature of @command{lsh} and other ssh-like programs is the
ability to forward arbitrary connections inside the encrypted
connection. There are two flavors: ``local'' and ``remote'' forwarding.

An example of local forwarding is

622 623 624
@example
lsh -L 4000:kom.lysator.liu.se:4894 sara.lysator.liu.se
@end example
625

626
@noindent
627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657
This makes @command{lsh} listen on port 4000 on the @emph{local} machine. When
someone connects, @command{lsh} asks the server to open a connection from
the @emph{remote} machine (i.e. @samp{sara}) to port 4894 on another machine
(i.e. @samp{kom}). The two connections are piped together using an
encrypted channel.

There are a few things that should be noted here:

@itemize @bullet
@item
By default, @command{lsh} only listens on the loopback interface, so only
clients on the same machine can use the tunnel. To listen on all
interfaces, use the @option{-g} flag.

@item
A connection through the tunnel consists of three parts:

@enumerate
@item
From a client socket to the local port (4000 in this example) that
@command{lsh} listens on.

@item
The tunnel itself, from the local machine to the tunnel endpoint,
which is @samp{sara} in this example.

@item
The connection from the tunnel endpoint to the ultimate target, in this
example from @samp{sara} to @samp{kom}.

@end enumerate
658

659 660 661 662 663 664
Only the middle part is protected by @command{lsh}: all data flowing
through the tunnel is sent across the first and last part @emph{in the
clear}. So forwarding doesn't offer much protection unless the tunnel
endpoint and the ultimate target machine are close to eachother. They
should usually be either the same machine, or two machines connected by
a local network that is trusted.
665 666 667 668 669 670 671 672

@item
Port forwarding is very useful for traversing firewalls. Of course, you
don't need to use lsh-style forwarding just to get out, there are other
tools like HTTPTunnel for that. But @command{lsh} helps you get out through
the firewall in a secure way.

@item
673 674
Port forwarding is done in addition to anything else @command{lsh} is
doing. In the example above, a tunnel is set up, but @command{lsh} will
675 676 677
also start an interactive shell for you. Just as if the @option{-L}
option was not present. If this is not what you want, the @option{-N} or
@option{-B} option is for you (@pxref{Invoking lsh})
678 679 680 681 682
@end itemize

Remote forwarding is similar, but asks the @emph{remote} machine to
listen on a port. An example of remote forwarding is

683 684 685
@example
lsh -g -R 8080:localhost:80 sara.lysator.liu.se
@end example
686

687
@noindent
688
This asks the remote machine to listen on port 8080 (note that you are
689 690 691 692 693 694 695 696 697 698 699 700 701 702 703
probably not authorized to listen on port 80). Whenever someone
connects, the connection is tunnelled to your local machine, and
directed to port 80 on the same machine. Note the use of @option{-g};
the effect is to allow anybody in the world to use the tunnel to connect
to your local webserver.

The same considerations that apply to forwarded local ports apply also to
forwarded remote ports.

At last, you can use any number of @option{-L} and @option{-R} options
on the same command line.


@node lshd basics, public-key, tcpip forwarding, Getting started
@comment  node-name,  next,  previous,  up
704
@section @command{lshd} basics
705
There are no global configuration files for @command{lshd}; all
706
configuration is done with command line options (@pxref{Invoking lshd}).
707

708
To run @command{lshd}, you must first create a hostkey, usually stored in
709 710
@file{/etc/lsh_host_key}. To do this, run

711
@example
712
lsh-keygen --server | lsh-writekey --server
713
@end example
714

715
@noindent
716
This will also create a file @file{/etc/lsh_host_key.pub},
717
containing the corresponding public key. 
718 719 720

A typical command line for starting lshd in daemon mode is simply

721 722 723
@example
lshd --daemonic
@end example
724

725 726 727 728
You can find init script for @command{lshd} tailored for Debian's and
RedHat's GNU/Linux systems in the @file{contrib} directory. 

It is also possible to let @command{init} start @command{lshd}, by adding it in
729 730
@file{/etc/inittab}.

731 732 733 734 735 736 737 738 739 740 741 742

@node public-key, srp, lshd basics, Getting started
@comment  node-name,  next,  previous,  up
@section Using public-key user authentication

Public-key user authentication is a way to authenticate for login,
without having to type any passwords. There are two steps: Creating a
key pair, and authorizing the public key to the systems where you want
to log in.

To create a keypair, run

743
@example
744
lsh-keygen | lsh-writekey
745
@end example
746

747
@noindent
748 749 750 751 752 753
This can take some time, but in the end it creates two files
@file{~/.lsh/identity} and @file{~/.lsh/identity.pub}.

If you want to use the key to login to some other machine, say
@samp{sara}, you can do that by first copying the key,

754 755 756
@example
lsh sara.lysator.liu.se '>my-key.pub' <~/.lsh/identity.pub
@end example
757

758
@noindent
759 760
then authorizing it by executing, on @samp{sara},

761 762 763
@example
lsh-authorize my-key.pub
@end example
764 765 766 767 768 769

For security reasons, you should keep the private key
@file{~/.lsh/identity} secret. Anybody who can read that file will be
able to login in your name to any machine where the corresponding public
key is registered as an authorized key.

770
Naturally, you should also make sure not to authorize any keys but your
771 772 773 774 775 776
own. For instance, it is inappropriate to use an insecure mechanism such
as unauthenticated email, @code{ftp} or @code{http} to transfer your
public key to the machines where you want to authorize it.

If you have accounts on several systems, you usually create a single
keypair on each of the systems, and on each system you authorize some or
777
all of your other public keys for login.
778

779 780 781 782 783
Note that @command{lsh-writekey} does @emph{not} currently encrypt your
private key in any way. That means that you can lose it if a backup tape
gets into the wrong hands, and if you use NFS it will likely be sent in
the clear across your local network. To encrypt the key using a pass
phrase, give the @option{-c 3des} option to @command{lsh-writekey}.
784 785 786 787


@node srp, sexp, public-key, Getting started
@comment  node-name,  next,  previous,  up
788
@section Using @acronym{SRP} authentication
789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804

The Secure Remote Password protocol is a fairly new protocol that
provides mutual authentication based on a password. To use it, you must
first choose a secret password. Next, you create a @dfn{password
verifier} that is derived from the password. The verifier is stored on
the target machine (i.e. the machine you want to log in to).

To create a verifier, you run the @command{srp-gen} program and type
your new password. You have to do it on either the target machine,
redirecting the output to ~/.lsh/srp-verifier, or you can generate it on
some other machine and copy it to the target.

The main advantage of using @acronym{SRP} is that you use the password
not only to get access to the remote machine, but you also use it to
authenticate the remote machine. I.e. you can use it to connect
securely, @emph{without} having to know any hostkeys or fingerprints
805
beforehand!
806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840

For instance, you could connect using @acronym{SRP} to fetch the hostkey
fingerprint for the remote machine, as a kind of bootstrapping
procedure, and then use traditional authentication methods for further
connections.

For this to work, the verifier @emph{must} be kept @emph{secret}. If the
enemy gets your verifier, he can mount some attacks:

@itemize @bullet
@item
He can mount a @dfn{dictionary attack} on your password, i.e. generate a large
list of likely password and check if any of them matches yours.

@item
He can impersonate the server. That means that if you try to connect to
the remote machine using @acronym{SRP}, and the attacker can intercept
your connection (e.g. by attacking the name resolution or routing
system) he can successfully pretend to be the real server.
@end itemize

If you use @acronym{SRP} to get the hostkey or fingerprint for the
remote machine, as outlined above, the impersonation attack destroys
security, you could just as well connect the hostkey presented by the
remote server without verifying it at all.

If you use @acronym{SRP} exclusively, the situation seems somewhat
different. As far as I can see, an attacker knowing your verifier can
not mount a traditional man-in-the-middle-attack: He can play the
server's part when talking to you, but in order to play your part when
talking to the real server, he needs to know your password as well.

@acronym{SRP} support is disabled by default, but can be enabled by the
@option{--srp-keyexchange} option to @command{lshd} and @command{lsh}
(naturally, it won't be used unless enabled on both sides). At the time
841 842 843
of this writing, @acronym{SRP} is too new to be trusted by conservative
cryptographers (and remember that conservatism is a virtue when it comes
to security).
844 845

And even if @acronym{SRP} in itself is secure, the way @command{lsh}
846
integrates it into the @code{ssh} protocol has not had much peer review.
847 848 849
The bottom line of this disclaimer is that the @acronym{SRP} support in
@command{lsh} should be considered experimental.

850 851 852 853 854
As far as I know, using @acronym{SRP} as a host authentication mechanism
is not supported by any other @code{ssh} implementation. The protocol
@command{lsh} uses is described in the @file{doc/srp-spec.txt}.
Implementations that use @acronym{SRP} only as a user authentication
mechanism are not compatible with @command{lsh}.
855

856
@node sexp, Converting keys, srp, Getting started
857
@comment  node-name,  next,  previous,  up
858
@section Examining keys and other sexp files
859 860

Keys and most other objects @command{lsh} needs to store on disk are
861
represented as so called S-expressions or @dfn{sexps} for short.
862
S-expressions have their roots in the Lisp world, and a variant of them
863
in used in the Simple Public Key Infrastructure (@acronym{SPKI}).
864 865 866
Currently, @command{lsh}'s support for @acronym{SPKI} is quite limited,
but it uses @acronym{SPKI}'s formats for keys and Access Control Lists
(@acronym{ACL}:s).
867 868 869 870 871 872 873 874 875 876 877 878 879 880 881

There are several flavours of the sexp syntax:

@itemize @bullet
@item
The canonical syntax is somewhere between a text and a binary format,
and is extremely easy for programs to read and write.

@item
The transport syntax, which is suitable when embedding sexps in text
files. It is essentially the canonical representation, encoded using
base64.

@item
The advanced syntax, which is intended for humans to read and write, and
882
bears some resemblance to Lisp expressions.
883 884 885 886
@end itemize

To see what your @file{~/.lsh/known_hosts} file really contains, try

887 888 889
@example
sexp-conv -i advanced < ~/.lsh/known_hosts
@end example
890 891 892 893 894

The @command{sexp-conv} program can also be used to computes
fingerprints. The fingerprint of a key (or any sexp, for that matter) is
simply the hash of its canonical representation. For example,

895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913
@example
sexp-conv --raw-hash </etc/lsh_host_key.pub
@end example


@node  Converting keys,  , sexp, Getting started
@comment  node-name,  next,  previous,  up
@section Converting keys from @command{ssh2} and OpenSSH

If you are already using @command{ssh2} or OpenSSH, and have creating
one or more personal keypairs, you need to convert the public keys to
@command{lsh}'s format before you can authorize them. Use the supplied
@command{ssh-conv} script,

@example
ssh-conv <openssh-key.pub >new-key.pub
@end example

You can then use the usual @command{lsh-authorize} on the converted
914
keys. @command{ssh-conv} supports both @acronym{DSA} and @command{RSA} keys.
915

Niels Möller's avatar
Niels Möller committed
916 917 918 919 920
Conversion of keys the other way is also possible, by using the
@command{lsh-export-key} program. It reads a public key in
@command{lsh}'s @acronym{SPKI} format on stdin, and writes the key in
@command{ssh2}/OpenSSH format on stdout.

921
There are currently no tools for converting private keys.
922 923


924 925
@node Invoking lsh, Invoking lshd, Getting started, Top
@comment  node-name,  next,  previous,  up
926
@chapter Invoking @command{lsh}
927
@anchor{lsh-usage}
928

929
You use @command{lsh} to login to a remote machine. Basic usage is
930 931 932 933

@samp{lsh [-p @var{port number}] sara.lysator.liu.se}

which attempts to connect, login, and start an interactive shell on the
934
remote machine. Default @var{port number} is whatever your system's
935
@file{/etc/services} lists for @command{ssh}. Usually, that is port 22.
936

937
There is a plethora of options to @command{lsh}, to let you configure where
938
and how to connect, how to authenticate, and what you want to do once
939 940 941
properly logged in to the remote host. Many options have both long and
short forms. This manual does not list all variants; for a full listing
of supported options, use @samp{lsh --help}.
942

943 944 945
Note that for many of the options to @command{lsh}, the ordering of the
options on the command line is important.

946
@c FIXME: Say something about the escape char mechanism here
947
@menu
948 949 950 951 952
* Algorithms: Algorithm options.  Selecting algorithms.
* Hostauth options::            
* Userauth options::            
* Actions: Action options.      What to do after login.
* Messages: Verbosity options.  Tuning the amount of messages.
953 954 955 956 957 958
@end menu

@node Algorithm options, Hostauth options, Invoking lsh, Invoking lsh
@comment  node-name,  next,  previous,  up
@section Algorithm options

959
Before a packet is sent, each packet can be compressed, encrypted
960 961 962 963 964 965 966 967
and authenticated, in that order. When the packet is received, it is
first decrypted, next it is checked that it is authenticated properly,
and finally it is decompressed. The algorithms used for this are
negotiated with the peer at the other end of the connection, as a part
of the initial handshake and key exchange.

Each party provides a list of supported algorithms, and the first
algorithm listed by the client, which is also found on the server's
968 969 970 971 972 973 974 975 976 977 978
list, is selected. Note that this implies that order in which algorithms
are listed on the server's list doesn't matter: if several algorithms
are present on both the server's and the client's lists, it's the
client's order that determines which algorithm is selected.

Algorithms of different types, e.g. data compression and message
authentication, are negotiated independently. Furthermore, algorithms
used for transmission from the client to the server are independent of
the algorithms used for transmission from the server to the client.
There are therefore no less than six different lists that could be
configured at each end.
979 980 981 982 983

The command line options for lsh and lshd don't let you specify
arbitrary lists. For instance, you can't specify different preferences
for sending and receiving.

984
There is a set of default algorithm preferences. When you use a command
985 986 987 988 989 990
line option to say that you want to use @var{algorithm} for one of the
algorithms, the default list is replaced with a list containing the
single element @var{algorithm}. For example, if you use @option{-c
arcfour} to say that you want to use @code{arcfour} as the encryption
algorithm, the connection will either end up using @code{arcfour}, or
algorithm negotiation will fail because the peer doesn't support
991
@code{arcfour}.
992

993
@multitable @columnfractions 0.1 0.2 0.2 0.5
994 995 996 997
@item Option
  @tab Algorithm type @tab Default @tab
@item @option{-z} @tab Data compression
  @tab @code{none}, @code{zlib}
998

999 1000
  @tab The default preference list supports zlib compression, but
prefers not to use it. 
1001

1002
@item @option{-c} @tab Encryption
1003
  @tab @code{aes256-cbs}, @code{3dec-cbc}, @code{blowfish-cbc}, @code{arcfour}
1004

1005
  @tab The default encryption algorithm is aes256. The default list
1006 1007 1008
includes only quite old and well studied algorithms. There is a special
algorithm name @code{all} to enable all supported encryption algorithms
(except @code{none}).
1009

1010 1011
@item @option{-m} @tab Message Authentication
  @tab @code{hmac-sha1}, @code{hmac-md5}
1012

1013
  @tab Both supported message authentication algorithms are of the
1014
@acronym{HMAC} family.
1015 1016
@end multitable

1017 1018
As a special case, @option{-z} with no argument changes the compression
algorithm list to @code{zlib}, @code{none}, which means that you want to
1019 1020 1021
use @code{zlib} if the other end supports it. This is different from
@option{-zzlib} which causes the negotiation to fail if the other end
doesn't support @code{zlib}. A somewhat unobvious consequence of
1022
@option{-z} having an @emph{optional} argument is that if you provide an
1023 1024
argument, it must follow directly after the option letter, no spaces
allowed. 
1025 1026


1027 1028 1029 1030
@node Hostauth options, Userauth options, Algorithm options, Invoking lsh
@comment  node-name,  next,  previous,  up
@section Host authentication options

1031
As described earlier (@pxref{Threats}), proper authentication of the
Niels Möller's avatar
Niels Möller committed
1032
remote host is crucial to protect the connection against
1033
man-in-the-middle attacks. By default, @command{lsh} verifies the server's
1034
claimed host key against the @dfn{Access Control Lists} in
Niels Möller's avatar
Niels Möller committed
1035 1036 1037 1038 1039 1040 1041 1042 1043 1044
@file{~/.lsh/known_hosts}. If the remote host cannot be authenticated,
the connection is dropped.

The options that change this behaviour are

@table @option
@item --host-db
Specifies the location of the @acronym{ACL} file.

@item --sloppy-host-authentication
1045
Tell @command{lsh} not to drop the connection if the server's key can not
1046 1047
be authenticated. Instead, it displays the fingerprint of the key, and
asks if it is trusted. The received key is also appended to the file
1048
@file{~/.lsh/captured_keys}. If run in quiet mode, @samp{lsh -q
1049
--sloppy-host-authentication}, @command{lsh} connects to any host, no
1050 1051
questions asked.

Niels Möller's avatar
Niels Möller committed
1052
@item --strict-host-authentication
1053 1054
Disable sloppy operation (this is the default behaviour).

Niels Möller's avatar
Niels Möller committed
1055
@item --capture-to
1056
Use some other file than @file{~/.lsh/captured_keys}. For example,
1057 1058 1059 1060 1061 1062

@example
lsh --sloppy-host-authentication --capture-to ~/.lsh/known_hosts
@end example

@noindent
1063
makes @command{lsh} behave more like the @command{ssh} program.
Niels Möller's avatar
Niels Möller committed
1064

1065 1066 1067
@item --srp-keyexchange
Try using @acronym{SRP} for keyexchange and mutual authentication.

Niels Möller's avatar
Niels Möller committed
1068 1069
@end table

1070 1071 1072 1073
@node Userauth options, Action options, Hostauth options, Invoking lsh
@comment  node-name,  next,  previous,  up
@section User authentication options

1074 1075 1076 1077
@table @option

@item -l
Provide a name to use when logging in. By default, the value of the
1078
@env{LOGNAME} environment variable is used.
1079 1080

@item -i
1081
Try the keys from this file to log in. By default, @command{lsh} uses
1082 1083 1084 1085 1086 1087 1088 1089 1090
@file{~/.lsh/identity}, if it exists. It ought to be possible to use
several @option{-i} options to use more than one file, but that is
currently not implemented.

@item --no-publickey
Don't attempt to log in using public key authentication.

@end table

1091 1092 1093 1094
@node Action options, Verbosity options, Userauth options, Invoking lsh
@comment  node-name,  next,  previous,  up
@section Action options

1095
There are many things @command{lsh} can do once you are logged in. There
1096 1097 1098 1099 1100
are two types of options that control this: @dfn{actions} and
@dfn{action modifiers}. For short options, actions use uppercase letters
and modifiers use lowercase.

For each modifier @option{--foo} there's also a negated form
1101
@option{--no-foo}. Options can also be negated by preceding it with the
1102
special option @option{-n}. This is mainly useful for negating short
1103
options. For instance, use @option{-nt} to tell @command{lsh} not to
1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115
request a remote pseudo terminal. Each modifier and its negation can be
used several times on the command line. For each action, the latest
previous modifier of each pair apply.

First, the actions:

@table @option

@item -L
Requests forwarding of a local port. This option takes mandatory
argument of the form
@var{listen-port}:@var{target-host}:@var{target-port}. This option tells
1116 1117
@command{lsh} to listen on @var{listen-port} on the local machine. When
someone conects to that port, @command{lsh} asks the remote server to open
1118 1119
a connection to @var{target-port} on @var{target-host}, and if it
succeeds, the two connections are joined together through an the
1120
@command{lsh} connection. Both port numbers should be given in decimal.
1121 1122 1123

@item -R
Requests forwarding of a remote port. It takes one mandatory argument,
1124
just like @option{-L}. But in this case @command{lsh} asks the
1125 1126
@emph{remote} server to listen on @var{listen-port}. When someone
connects to the remote hosts, the server will inform the local
1127
@command{lsh}. The local @command{lsh} then connects to @var{target-port} on
1128 1129 1130
@var{target-host}.

@item -E
1131 1132
This option takes one mandatory argument, which is a command line to be
executed on the remote machine.
1133 1134

@item -S
1135
Start an interactive shell on the remote machine. 
1136 1137 1138 1139

@item -G
Open a gateway on the local machine. A gateway is a local socket,
located under /tmp, that can be used for controlling and using the ssh
1140
connection. It is protected using the ordinary file permissions.
1141 1142 1143 1144

@item -N
This is a no-operation action. It inhibits the default action, which is
to start an interactive shell on the remote machine. It is useful if you
1145
want to set up a few forwarded tunnels or a gateway, and nothing more.
1146

Niels Möller's avatar
Niels Möller committed
1147
@item -B
1148 1149
Put the client into the background after key exchange and
user authentication. Implies @option{-N}
1150 1151 1152 1153
@end table

If there are trailing arguments after the name of the remote system,
this is equivalent to a @option{-E} option, with a command string
1154 1155 1156 1157
constructed by catenating all the remaining arguments, separated by
spaces. This implies that the arguments are usually expanded first by
the local shell, and then the resulting command string is interpreted
again by the remote system.
1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168

If there are no trailing arguments after the name of the remote system,
and the @option{-N} option is not given, the default action is to start
a shell on the remote machine. I.e. this is equivalent to the
@option{-S} option.

There are a few supported modifiers:

@table @option

@item -t