Document: Chapter-24-Basic network access-clients docx


2 April 2003, 17:00:47 The Complete FreeBSD (netclient.mm), page 415

24 Basic network access: clients

In this chapter:
• The World Wide Web
• Web browsers
• ssh
• Access without a password
• ssh tunnels
• Configuring ssh
• Troubleshooting ssh connections
• telnet
• Copying files
• scp
• ftp
• sftp
• rsync
• Using an rsync server
• The Network File System
• NFS client
• NFS strangenesses

Finally we have set up the network connections, and everything is working. What can we do with the network? In this part of the book, we’ll take a look at some of the more important services that make up the application layer.

The Internet protocols perform most services with a pair of processes: a client at one end of the link that actively asks for services, and a server at the other end of the link that responds to requests and performs the requested activity. These terms are also used to describe computer systems, but here we’re talking about processes, not systems. In this chapter, we’ll look at the client side of things, and in Chapter 25, Basic network access: servers we’ll look at the corresponding servers.

Probably the single most important network service is the Hypertext Transfer Protocol or HTTP, the service that web browsers use to access the Web. We’ll look at web browsers in the next section. The next most important service is probably the Simple Mail Transfer Protocol or SMTP, the primary service for sending mail round the Internet. There’s also the Post Office Protocol or POP, which is used by systems unable to run SMTP. This topic is so important that we’ll devote Chapters 26 and 27 to it.

To use a remote machine effectively, you need better access than such specialized servers can give you. The most powerful access is obviously when you can execute a shell on the remote machine; that gives you effectively the same control over the machine as you have over your local machine. A number of services are available to do this. In the olden days, you would use telnet or rlogin to log into another machine. These programs are still with us, but security concerns make them effectively useless outside a trusted local network. We’ll look at them briefly on page 428.

netclient.mm,v v4.12 (2003/04/02 03:42:50)

The preferred replacement is ssh, which stands for secure shell. In fact, it’s not a shell at all, it’s a service to communicate with a remote shell. It encrypts the data sent over the network, thus making it more difficult for crackers to abuse. We’ll look at it in detail on page 417.

Another important service is the ability to move data from one system to another. There are a number of ways of doing this. The oldest programs are rcp and ftp. These programs have the same security concerns as telnet and rlogin, though ftp still has some uses. More modern copying programs use scp, which is based on ssh. We’ll look at file copy programs on page 429.

In addition, rsync is a useful program for maintaining identical copies of files on different systems. We’ll look at it on page 435. A somewhat different approach is the Network File System or NFS, which mounts file systems from another machine as if they were local. We’ll look at NFS clients on page 438.

The World Wide Web

For the vast majority of the public, the Internet and the World Wide Web are the same thing. FreeBSD is an important contender in this area. Some of the world’s largest web sites, including Yahoo! (http://www.yahoo.com/) run FreeBSD.
Even Microsoft runs FreeBSD on its Hotmail service (http://www.hotmail.com/), though they have frequently denied it, and for image reasons they are moving to their own software.

Web browsers

A web browser is a program that retrieves documents from the Web and displays them. The base FreeBSD system does not include a web browser, but a large number are available in the Ports Collection. All web browsers seem to have one thing in common: they are buggy. They frequently crash when presented with web pages designed for Microsoft, and in other cases they don’t display the page correctly. In many cases this is due to poorly designed web pages, of course. Currently, the most important web browsers are:
• netscape was once the only game in town, but it’s now showing its age. In addition, many web sites only test their software with Microsoft, and their bugs cause problems with netscape.
• mozilla is derived from the same sources as netscape, but comes in source form. It has now reached the stage where it is less buggy than netscape. A number of other browsers, such as galeon and skipstone, are based on mozilla. They’re all available in the Ports Collection. galeon is included in the instant-workstation port described in Chapter 6.
• konqueror is included with the KDE port.
• Opera is a new browser that some people like. The version in the Ports Collection is free, but it makes up for it by giving you even more advertisements than the web pages give you anyway. You can buy a version that doesn’t display the advertisements.
• lynx is a web browser for people who don’t use X. It displays text only.

You may note two omissions from this list. Microsoft’s Internet Explorer is not available for FreeBSD. Not many people have missed it. Also, mosaic, the original web browser, is now completely obsolete, and it has been removed from the Ports Collection.

In addition to these browsers, StarOffice and OpenOffice include integrated browsers. You may find you prefer them.

This book does not deal with how to use a web browser: just about everybody knows how to use one. You can also get help from just about any browser; just click on the text or icon marked Help or ?.

ssh

ssh is a secure shell, a means of executing programs remotely using encrypted data transfers. There are a number of different implementations of ssh: there are two different protocols, and the implementations are complicated both by bugs and license conditions. FreeBSD comes with an implementation of ssh called OpenSSH, originally developed as part of the OpenBSD project.

Using ssh is simple:

    $ ssh freebie
    The authenticity of host 'freebie.example.org (223.147.37.1)' can't be established.
    DSA key fingerprint is 08:f7:c4:14:48:0b:14:06:0e:2c:93:4b:1f:f6:ce:b5.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'freebie.example.org' (DSA) to the list of known hosts.
    grog@freebie.example.org's password:        as usual, doesn't echo
    Last login: Mon May 13 14:21:11 2002
    Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
    The Regents of the University of California. All rights reserved.
    FreeBSD 5.0-RELEASE (FREEBIE) #3: Sun Jan  5 13:25:02 CST 2003
    Welcome to FreeBSD!
    $ tty
    /dev/ttyp3
    $

Once you get this far, you are connected to the machine in almost the same manner as if you were directly connected. This is particularly true if you are running X. As the output of the tty command shows, your “terminal” is a pseudo-tty or pty (pronounced “pity”). This is the same interface that you have with an xterm.

It’s worth looking in more detail at how the connection is established:
• The first line (The authenticity ...) appears once ssh has established preliminary contact with the remote system.
  It indicates that you’re connected, but that the local system has no information about the remote system. Theoretically you could be connected to a different machine masquerading as the machine you want to connect to. ssh saves the fingerprint in ~/.ssh/known_hosts and checks it every time you connect to that machine thereafter.
• The reference to DSA keys indicates that ssh is using the ssh Version 2 protocol. We’ll look at the differences between the protocols below.
• The password prompt is for the same password as you would see locally. The slightly different format is to clarify exactly which password you should enter. Again, a number of exploits are possible where you might find yourself giving away a password to an intruder, so this caution is justified.

When you log in via ssh, there’s a chance that your TERM environment variable is set incorrectly. See table 7-3 on page 130 for more details. Remember that TERM describes the display at your end of the link. There is no display at the other end, but the other end needs to know the termcap parameters for your display. If you’re running an xterm, this shouldn’t be a problem: the name xterm propagates to the other end. If you’re using a character-oriented display (/dev/ttyvx), however, your TERM variable is probably set to cons25, which many systems don’t know. If you have problems where systems refuse to start full-screen modes when you connect from a virtual terminal, try setting the TERM variable to ansi.

To exit ssh, just log out. If you run into problems, however, like a hung network, you can also hit the combination Enter ~. Enter, which always drops the connection.

Access without a password

Sending passwords across the Net, even if they’re encrypted, is not a complete guarantee that nobody else can get in: there are a number of brute-force ways to crack an encrypted password.
To address this issue, ssh has an access method that doesn’t require passwords: instead it uses a technique called public key cryptography. You have two keys, one of which you can give away freely, and the other of which you guard carefully. You can encrypt or decrypt with either key: data encrypted with the public key can be decrypted with the private key, and data encrypted with the private key can be decrypted with the public key.

Once you have these keys in place, you can use the challenge-response method for authentication. To initiate an ssh connection, ssh sends your public key to the sshd process on the remote system. The remote system must already have a copy of this key. It uses it to encrypt a random text, a challenge, which it sends back to your system. The ssh process on your system decrypts it with your private key, which is not stored anywhere else, and sends the decrypted key back to the remote sshd. Only your system can decode the challenge, so this is evidence to the remote sshd that it’s really you.

By default, the private key for Version 1 of the protocol is stored in the file ~/.ssh/identity, and the public key is stored in the file ~/.ssh/identity.pub. For Version 2, you have a choice of two different encryption schemes, DSA and RSA. The corresponding private and public keys are stored in the files ~/.ssh/id_dsa, ~/.ssh/id_dsa.pub, ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub respectively. If you have the choice between DSA keys and RSA keys for protocol Version 2, use DSA keys, which are considered somewhat more secure. You still should have an RSA key pair in case you want to connect to a system that doesn’t support DSA keys.

There’s still an issue of unauthorized local access, of course.
To ensure that somebody doesn’t compromise one system and then use it to compromise others, you need a kind of password for your private keys. To avoid confusion, ssh refers to it as a passphrase. If ssh finds keys in the ~/.ssh directory, it attempts to use them:

    $ ssh hub
    Enter passphrase for key '/home/grog/.ssh/id_rsa':    (no echo)
    Last login: Sat Jul 13 17:27:33 2002 from wantadilla.lemis
    Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
    The Regents of the University of California. All rights reserved.
    FreeBSD 5.0-STABLE (HUB) #7: Thu Jun 26 12:44:34 PDT 2003
    (etc)

Creating and distributing keys

You create keys with the program ssh-keygen. Here’s an example of generating all three keys:

    $ ssh-keygen -t rsa1
    Generating public/private rsa1 key pair.
    Enter file in which to save the key (/home/grog/.ssh/identity):    (ENTER pressed)
    Enter passphrase (empty for no passphrase):    (no echo)
    Enter same passphrase again:    (no echo)
    Your identification has been saved in /home/grog/.ssh/identity.
    Your public key has been saved in /home/grog/.ssh/identity.pub.
    The key fingerprint is:
    02:20:1d:50:78:c5:7c:56:7b:1d:e3:54:02:2c:99:76 grog@bumble.example.org
    $ ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/grog/.ssh/id_rsa):    (ENTER pressed)
    Enter passphrase (empty for no passphrase):    (no echo)
    Enter same passphrase again:    (no echo)
    Your identification has been saved in /home/grog/.ssh/id_rsa.
    Your public key has been saved in /home/grog/.ssh/id_rsa.pub.
    The key fingerprint is:
    95:d5:01:ca:90:04:7d:84:f6:00:32:7a:ea:a6:57:2d grog@bumble.example.org
    $ ssh-keygen -t dsa
    Generating public/private dsa key pair.
    Enter file in which to save the key (/home/grog/.ssh/id_dsa):    (ENTER pressed)
    Enter passphrase (empty for no passphrase):    (no echo)
    Enter same passphrase again:    (no echo)
    Your identification has been saved in /home/grog/.ssh/id_dsa.
    Your public key has been saved in /home/grog/.ssh/id_dsa.pub.
    The key fingerprint is:
    53:53:af:22:87:07:10:e4:5a:2c:21:31:ec:29:1c:5f grog@bumble.example.org

Before you can use these keys, you need to get the public keys on the remote site in the file ~/.ssh/authorized_keys. Older versions of ssh used a second file, ~/.ssh/authorized_keys2, for protocol Version 2, but modern versions store all the keys in the one file ~/.ssh/authorized_keys. There are a number of ways to get the keys in these files. If you already have access to the machine (via password-based authentication, for example), you can put them there yourself. Typically, though, you’ll have to get somebody else involved. To make it easier, the public keys are in ASCII, so you can send them by mail. The three public keys generated above look like this:

    1024 35 1101242842742748033454498238668225412306578450520406221165673293206460199556
    751223553035331118710873315456577313425763305854786629592671460454493321979564518976
    839276314768175285909667395039795936492323578351726210382756436676090411475643317216
    92291413130012157442638303275673247163400686283060339457790686649 grog@bumble.exampl
    e.org
    ssh-dss AAAAB3NzaC1kc3MAAACBAIltWeRXnqD9HqOLn5kugPSWHicJiu1r0I9dHg8F5m2PpmupyRYSmDzs
    cAcsxifo50+1yXk3Vf4P1+EDsAwkyqFlujuMVeKoTYcOi1yrnLDWIDiAeIzt1BQ6ONwbXqxwWKCq1eo1tXxO
    rTxw84VboHUuq4XFdt+yPJs8QdxLhj+jAAAAFQC1JL+tU19+UR+c45JGom6ae29d7wAAAIAvNgdN6rTitMjD
    CglN7Rq3/8WgI1kzh20XURbCe1n2yYsFifcImKb0sUYD2qsB5++gogzsse2IxyIECRCuyCOOFXIQ7WqkvjTp
    /T+fuwGPIlho8eeNDRKKABUhHjkuApnoYLIC1O5uyciJ+dIbGaRtGFJr0da7KlkjOLkiv3sR1gAAAIAwgKfW
    sRSQJyRZTkKGIHxn3EWTvSicnIRYza+HTaMuMFHMTkNMZBjhei6EoCFpV9B1QB9MlIZgf6WXM2DlmtdUbpm7
    KFA669/LZT2LvxbtGP/B++7s0PMs0AgKrKgUxnhVweufMZlPvPPPOz4QS1ZZ5kYhN+lu0S8yuioXYNlDtA==
    grog@bumble.example.org
    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA1/W3oa1ZEs58KRWMzsrZWMXzPfwoqQ+Z59p6SJlzhevsXG1P
    AVWra2wcRz1utKFBjkDpJfEe+09L7h8VAx1aYCHji50tKI8F8YT8OuWGH+UqF/37Wl292SsXsb8g80yyymSf
    xgOM/HegvOuHQu46MfaPj9ddfcgY06z3ufcmXts= grog@bumble.example.org

In the original, each key is on a single line.

Obviously you don’t want anybody messing with your authorized_keys files, so ssh requires that the files belong to you and are only writeable by you. These two files typically contain multiple keys; to add a new one, just append it to the end of the file. For example, if you receive a new key and store it in the file newkey, copy it like this:

    $ cat newkey >> ~/.ssh/authorized_keys

Authenticating automatically

Having to supply the passphrase can become a nuisance and even a serious problem. If you want to run ssh from scripts, it may not even be possible to supply the passphrase. ssh has another feature available here: it has an authentication agent that keeps track of the keys. The authentication agent is called ssh-agent, and you add keys with ssh-add. Due to the manner in which it is started, ssh-agent needs to be the ancestor of the shell you are running, and of the ssh-add command. Otherwise you see error messages like this:

    $ ssh-agent
    SSH_AUTH_SOCK=/tmp/ssh-cwT9aBbV/agent.42902; export SSH_AUTH_SOCK;
    SSH_AGENT_PID=42903; export SSH_AGENT_PID;
    echo Agent pid 42903;
    $ ssh-add
    Could not open a connection to your authentication agent.

To solve this problem, execute the agent in your current environment with eval, then run ssh-add:

    $ eval `ssh-agent`
    $ ssh-add
    Enter passphrase for /home/grog/.ssh/id_rsa:    (enter the passphrase)
    Identity added: /home/grog/.ssh/id_rsa (/home/grog/.ssh/id_rsa)
    Identity added: /home/grog/.ssh/id_dsa (/home/grog/.ssh/id_dsa)
    Identity added: /home/grog/.ssh/identity (grog@zaphod.example.org)

You can use ssh-add’s -l flag to list which keys the authentication agent currently knows about:

    $ ssh-add -l
    1024 02:20:1d:50:78:c5:7c:56:7b:1d:e3:54:02:2c:99:76 grog@zaphod.example.org (RSA1)
    1024 95:d5:01:ca:90:04:7d:84:f6:00:32:7a:ea:a6:57:2d /home/grog/.ssh/id_rsa (RSA)
    1024 53:53:af:22:87:07:10:e4:5a:2c:21:31:ec:29:1c:5f /home/grog/.ssh/id_dsa (DSA)

If you’re using a Bourne-style shell such as bash, you can automate a lot of this by putting the following commands in your .bashrc or .profile file:

    # Only for interactive shells: tty succeeds when stdin is a terminal.
    if tty > /dev/null; then
        # ssh-add -l exits with status 2 when it cannot contact an agent;
        # status 1 only means that the agent holds no keys yet.
        ssh-add -l > /dev/null
        if [ $? -eq 2 ]; then
            eval `ssh-agent`
        fi
    fi

This first uses the tty command to check if this is an interactive shell, then checks if you already have an authentication agent. If it doesn’t, it starts one. Don’t start a new authentication agent if you already have one: you’d lose any keys that the agent already knows. This script doesn’t add keys, because this requires your intervention and could be annoying if you had to do it every time you start a shell.

Setting up X to use ssh

If you work with X, you have the opportunity to start a large number of concurrent ssh sessions. It would be annoying to have to enter keys for each session, so there’s an alternative method: start X with an ssh-agent, and it will pass the information on to any xterms that it starts.
Add the following commands to your .xinitrc:

    eval `ssh-agent`
    ssh-add < /dev/null

When you run ssh-add in this manner, without an input file, it runs a program to prompt for the passphrase. By default it’s /usr/X11R6/bin/ssh-askpass, but you can change it by setting the SSH_ASKPASS environment variable. /usr/X11R6/bin/ssh-askpass opens a window and prompts for a passphrase. From then on, anything started under the X session will automatically inherit the keys.

ssh tunnels

Tunneling is a technique for encapsulating an IP connection inside another IP connection. Why would you want to do that? One reason is to add encryption to an otherwise unencrypted connection, such as telnet or POP. Another is to get access to a service on a system that does not generally supply this service to the Internet.

Let’s consider using http first. Assume you are travelling, and you want to access your private web server back home. Normally a connection to the http port of presto.example.com might have the following parameters:

    andante                        presto
    IP 192.1.7.245  Port 9132      IP 223.147.37.2  Port 80

But what if the server is firewalled from the global Internet, so you can’t access it directly? That’s when you need the ssh tunnel. The ssh tunnel creates a local connection at each end and a separate secure connection across the Internet:

    andante        Tunnel A             Tunnel B              presto
    127.1  4096    192.1.7.245  3312    150.101.248.57  22    127.1  80

The ssh connection is shown in fixed italic font. It looks just like any other ssh connection. The differences are the local connections at each end: instead of talking to presto port 80 (http), you talk to port 4096 on your local machine. Why 4096? It’s your choice; you can use any port above 1024.

If you’re on andante, you can set up this tunnel with the command:

    $ ssh -L 4096:presto.example.org:80 presto.example.org

To do the same thing from the presto end, you’d set up a reverse tunnel with the -R option:

    $ ssh -R 4096:presto.example.org:80 andante.example.org

These commands both set up a tunnel from port 4096 on andante to port 80 on the host presto.example.org. You still need to supply the name of the system to connect to; it doesn’t have to be the same. For example, you might not be able to log in to the web server, but you could access your machine back home, and it has access to the web server. In this case, you could connect to your machine at home:

    $ ssh -L 4096:presto.example.org:80 freebie.example.org

In addition to setting up the tunnel, ssh creates a normal interactive session. If you don’t want this, you can use the -f option to tell ssh to go into the background after authentication. You also need a command to execute; in case of doubt, use sleep, which simply sleeps for a specified time. If this is what you want to do, you could enter a command like:

    $ ssh -L 4096:presto.example.org:80 presto.example.org -f sleep 3600

The command sleep 3600 suspends execution for an hour (3600 seconds) and then exits. At this point, your tunnel also shuts down, so you should choose the time to be long enough.

Tunneling X

Running X clients on the remote machine is special enough that ssh provides a special form of tunneling to deal with it. To use it, you must tell ssh the location of an .Xauthority file. Do this by adding the following line to the file ~/.ssh/environment:

    XAUTHORITY=/home/yourname/.Xauthority

The name must be in fully qualified form: ssh does not understand the shortcut ~/ to represent your home directory. You don’t need to create ~/.Xauthority, though: ssh can do that for you.

Once you have this in place, you can set up X tunneling in two different ways. To start it from the command line, enter something like:

    $ ssh -X -f website xterm

As before, the -f option tells ssh to go into the background. The -X option specifies X tunneling, and ssh runs an xterm on the local machine. The DISPLAY environment variable points to the (remote) local host:

    $ echo $DISPLAY
    localhost:13.1

Other uses of tunnels

Tunneling has many other uses. Another interesting one is bridging networks. For example, http://unix.za.net/gateway/documentation/networking/vpn/fbsd.html describes how to set up a VPN (Virtual Private Network) using User PPP and an ssh tunnel.

Configuring ssh

It can be a bit of a nuisance to have to supply all these parameters to ssh, but you don’t have to: you can supply information for frequently accessed hosts in a configuration file. On startup, ssh checks for configuration information in a number of places. It checks for them first in the command-line options, then in your configuration file ~/.ssh/config, and finally in the system-wide configuration file /etc/ssh/ssh_config. The way it treats duplicate information is pretty much the opposite of what you’d expect: unlike most other programs, options found in a configuration file read in later do not replace the options found in an earlier file. Options on the command line replace those given in configuration files.

In practice, such conflicts happen less often than you might expect. The file /etc/ssh/ssh_config, the main configuration file for the system, normally contains only comments, and by default you don’t even get a local ~/.ssh/config.

ssh_config can contain a large number of options. They’re all described in the man page ssh_config(8), but it’s worth looking at some of the more common ones. In this section we’ll look at some of the more common configuration options.
• The entry Host is special: the options that follow, up to the end of the file or the next following Host argument, relate only to hosts that match the arguments on the Host line.
• Optionally, ssh can compress the data streams. This can save a lot of traffic, but it can also increase CPU usage, so by default it is disabled. You can do this by passing the -C flag to ssh, but you can also do so by setting Compression yes in the configuration file.
• You can escape out of an ssh session to issue commands to ssh with the EscapeChar. By default it’s the tilde character, ~. Other programs, notably rlogin, use this character as well, so you may want to change it. You can set this value from the ssh command line with the -e option.
• To forward an X11 connection, as shown above, you can also set the ForwardX11 variable to yes. This may be useful if you frequently access a remote machine and require X forwarding. This also sets the DISPLAY environment variable correctly to go over the secure channel.
• By default, ssh sends regular messages to the remote sshd server to check if the remote system has gone down. This can cause connections to be dropped on a flaky connection. Set the KeepAlive option to no to disable this behaviour.
• Use the LocalForward parameter to set up a tunnel. The syntax is similar to that of the -L option above: on andante, instead of the command line:

      $ ssh -L 4096:presto.example.org:80 presto.example.org

  you would put the following in your ~/.ssh/config:

      host presto.example.org
      LocalForward 4096 presto.example.org:80

  Note that the first port is separated from the other two parameters by a space, not a colon.

[...]

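
The lookup order and Host matching described under "Configuring ssh", as an added example that is not from the book or from OpenSSH: the script reads constructed stand-ins for ~/.ssh/config and /etc/ssh/ssh_config and reports which file supplies each option. It goes one step beyond the text by applying the same first-value-wins rule inside a single file, as ssh_config documents; the function names and sample files are assumptions.

```shell
#!/bin/sh
# Added example, not from the book or from OpenSSH. It resolves the value ssh
# would use for one option: files are consulted in the order given, and the
# first value that applies to the host wins. It understands "Keyword value"
# lines and the * and ? wildcards on Host lines only.

# host_matches HOST PATTERN...: succeed if HOST matches any pattern.
host_matches() {
    hm_host=$1
    shift
    for hm_pat in "$@"; do
        case $hm_host in
            $hm_pat) return 0 ;;    # unquoted, so * and ? act as wildcards
        esac
    done
    return 1
}

# effective_option HOST OPTION FILE...
# Prints "FILE: VALUE" for the first applicable setting, or returns 1.
effective_option() {
    eo_host=$1
    eo_want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    shift 2
    for eo_file in "$@"; do
        [ -r "$eo_file" ] || continue   # e.g. no ~/.ssh/config exists yet
        eo_active=1                     # lines before the first Host apply to all hosts
        while read -r eo_key eo_val || [ -n "$eo_key" ]; do
            case $eo_key in
                '' | '#'*) continue ;;  # blank line or comment
            esac
            eo_key=$(printf '%s' "$eo_key" | tr '[:upper:]' '[:lower:]')
            if [ "$eo_key" = host ]; then
                set -f                  # stop * in a pattern from expanding to file names
                if host_matches "$eo_host" $eo_val; then eo_active=1; else eo_active=0; fi
                set +f
            elif [ "$eo_active" -eq 1 ] && [ "$eo_key" = "$eo_want" ]; then
                printf '%s: %s\n' "$eo_file" "$eo_val"
                return 0                # first obtained value wins
            fi
        done < "$eo_file"
    done
    return 1
}

# write_sample_configs DIR: constructed stand-ins for ~/.ssh/config and
# /etc/ssh/ssh_config, using the host names from the text.
write_sample_configs() {
    cat > "$1/user_config" <<'EOF'
# constructed sample: host-specific entry first, general defaults last
host presto.example.org
    LocalForward 4096 presto.example.org:80
    Compression yes

Host *.example.org
    Compression no
    ForwardX11 no
EOF
    cat > "$1/system_config" <<'EOF'
# constructed sample
Host *
    ForwardX11 yes
    KeepAlive no
EOF
}

# Demonstration: the user file is read before the system file, as ssh does.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for demo_opt in Compression ForwardX11 KeepAlive LocalForward; do
    for demo_host in presto.example.org freebie.example.org; do
        printf '%-20s %-13s ' "$demo_host" "$demo_opt"
        effective_option "$demo_host" "$demo_opt" \
            "$demo_dir/user_config" "$demo_dir/system_config" || echo "(not set)"
    done
done
rm -rf "$demo_dir"
```

Because the first value wins, a Host * block placed at the top of a file hides every more specific setting for the same option further down, so general defaults belong at the end.
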
AOSS-programme-orig.html AOSS-programme.html BSDCon-2002.html etc

The Network File System

The Network File System, or NFS, is the standard way to share UNIX files across a network. We’ve already seen that UNIX file systems are accessible in a single tree by mounting them on a specific directory. NFS continues this illusion across the network. From a user point of view, there is little difference: you use...

common ones:
• After some delay, you get the message:

      ssh: connect to address 223.147.37.76 port 22: Operation timed out

  This probably means that the remote host is down, or that you can’t reach it due to network problems.
• You get the message:

      ssh: connect to address 223.147.37.65 port 22: Connection refused

  This means that the remote host is up, but no sshd is running.
• You have set up keys, but you still...

    ssh-add -l
    Could not open a connection to your authentication agent.

This means that you haven’t run ssh-agent. Do it like this:

    $ eval `ssh-agent`
    Agent pid 95180
    $ ssh-add -l
    The agent has no identities.
    $ ssh-add
    Enter passphrase for /home/grog/.ssh/id_rsa:...

times out, it will continue normally, but the delay is a nuisance.

• Logging in is almost exactly the same as logging in locally. Normally you won’t be able to log in directly as root, unless you have set /dev/ptyx as secure in your /etc/ttys (see...

systems don’t know. If the remote system refuses to start programs in full-screen modes, try setting the TERM variable to ansi.

To exit telnet, you just log off. If you run into problems, however, like a hung network, you can also hit Ctrl-] to enter telnet command mode, and from there enter quit:

    $ ^]
    telnet> quit
    $

If you hit Ctrl-] by accident, just hit Enter to return to the telnet session.

Secure telnet...

you may find that scp or NFS are better alternatives in these areas.

One serious drawback in duplicating files across the net is that you need to have permission to access the remote system. Traditionally, you need a user ID to access a system. Of course,...

    -rw-rw-r 1 117 1001   76271 Nov 27 16:48
    -rw-rw-r 1 117 1001    8047 Dec  3 09:22...
    -rw-rw-r 1 117 1001 5994481 Nov 27
    -rw-rw-r 1 117 1001   10753 Dec 12
    -rw-rw-r 1 117 1001   14726 Jan 24
    -rw-rw-r 1 117 1001 5955006 Dec 22
    -rw-rw-r 1 117 1001 5997896 Jan 24
    226 Transfer complete
    ftp>

    successful
    150 Opening BINARY mode data connection for gcc-2.5.2-2.5.3.diff.gz (78731 bytes)
    226 Transfer complete
    78731 bytes received in 33 seconds (2.835 Kbytes/s)
    etc

prompt

Using mget saves a lot of network bandwidth and copies the files faster, but it has one disadvantage: ftp prompts you for each file name, so you have to wait around to answer the prompts. If you don’t, ftp disconnects after 15 minutes...

login attempt failed. To complete the login, use the user command:

    ftp> user ftp
    331 Guest login ok, send ident as password
    Password:    username does not echo
    230 Guest login ok, access restrictions apply

sftp

sftp is yet another ssh-based program...

there are only small changes in large files, this can be relatively inefficient. You can perform this task more efficiently with rsync, which is designed to keep identical copies of files on and to optimize network bandwidth while doing so. It’s in the Ports Collection. Install in the normal manner:

    # cd /usr/ports/net/rsync
    # make install

By default, rsync uses ssh to perform the transfer, so you need to have...

Date posted: 11/12/2013, 00:15
