Table of Contents
After establishing network connectivity (see Chapter 5, Network setup), you can run various network applications.
There are many web browser packages to access remote contents with Hypertext Transfer Protocol (HTTP).
Table 6.1. List of web browsers
package | popcon | size | type | description of web browser |
---|---|---|---|---|
iceweasel
*
|
V:33, I:54 | 3736 | X | unbranded Mozilla Firefox |
iceape-browser
*
|
V:2, I:3 | 35288 | , , | unbrandedMozilla, removed due to security concerns bug#505565 |
epiphany-browser
*
|
V:6, I:39 | 32 | , , | GNOME, HIG compliant, Epiphany |
galeon
*
|
V:1.2, I:1.9 | 1748 | , , | GNOME, Galeon, superseded by Epiphany |
konqueror
*
|
V:11, I:19 | 3496 | , , | KDE, Konqueror |
w3m
*
|
V:23, I:84 | 1964 | text | w3m |
lynx
*
|
V:1.9, I:25 | 48 | , , | XXX FIXME XXX |
elinks
*
|
V:2, I:6 | 1444 | , , | XXX FIXME XXX |
links
*
|
V:3, I:9 | 1372 | , , | XXX FIXME XXX |
links2
*
|
V:1.0, I:4 | 3280 | , , | XXX FIXME XXX |
You may be able to use following special URL strings for some browsers to confirm their settings.
about:
"
about:config
"
about:plugins
"
Debian offers many free browser plugin packages in the main component which can handle not only Java (software platform) and Flash but also MPEG, MPEG2, MPEG4, DivX, Windows Media Video (.wmv), QuickTime (.mov), MP3 (.mp3), Ogg/Vorbis files, DVDs, VCDs, etc. Debian also offers helper programs to install non-free browser plugin packages as contrib or non-free components.
Table 6.2. List of browser plugin packages
package | popcon | size | component | description |
---|---|---|---|---|
icedtea-gcjwebplugin
*
|
V:0.5, I:0.7 | 204 | main | Java plugin using Hotspot JIT |
sun-java6-plugin
*
|
I:9 | 52 | non-free | Java plugin for Sun's Java SE 6 (i386 only) |
swfdec-mozilla
*
|
V:11, I:24 | 244 | main | Flash plugin based on libswfdec |
mozilla-plugin-gnash
*
|
V:0.5, I:1.8 | 108 | main | Flash plugin based on Gnash |
flashplugin-nonfree
*
|
V:1.2, I:11 | 128 | contrib | Flash plugin helper to install Adobe Flash Player (i386, amd64 only) |
mozilla-bonobo
*
|
V:0.17, I:0.4 | 168 | main | Mozilla plugin support for GNOME Bonobo components |
mozilla-plugin-vlc
*
|
V:3, I:5 | 140 | main | Multimedia plugin based on VLC media player |
totem-mozilla
*
|
V:22, I:39 | 268 | main | Multimedia plugin based on GNOME's Totem media player |
gecko-mediaplayer
*
|
V:0.2, I:0.3 | 708 | main | Multimedia plugin based on (GNOME) MPlayer |
nspluginwrapper
*
|
V:1.4, I:2 | 472 | contrib | A wrapper to run i386 Netscape plugins on amd64 architecture |
Tip | |
---|---|
Although use of above Debian packages are much easier, browser plugins can be still manually enabled by installing "*.so" into plugin directories (e.g., " |
Some web sites refuse to be connected based on the user-agent string of your browser. You can work around this situation by spoofing the user-agent string. For example, you can do this by adding following line into user configuration files such as "~/.gnome2/epiphany/mozilla/epiphany/user.js
" or "~/.mozilla/firefox/*.default/user.js
".
user_pref{"general.useragent.override","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"};
Alternatively, you can add and reset this variable by typing "about:config
" into URL and right clicking its display contents.
Caution | |
---|---|
Spoofed user-agent string may cause bad side effects with Java. |
Caution | |
---|---|
If you are to set up the mail server to exchange mail directly with the Internet, you should be better than reading this elementary document. |
In order to contain spam (unwanted and unsolicited e-mail) problems, many ISPs which provide consumer grade Internet connection are implementing counter measures.
When configuring your mail system or resolving mail delivery problems, you must consider these new limitations.
In light of these hostile Internet situation and limitations, some independent Internet mail ISPs such as Yahoo.com and Gmail.com offer the secure mail service which can be connected from anywhere on the Internet using Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL).
Caution | |
---|---|
It is not realistic to run SMTP server on consumer grade network to send mail directly to the remote host reliably. They are very likely to be rejected. You must use some smarthost services offered by your connection ISP or independent mail ISPs. For the simplicity, I assume that the smarthost is located at " |
The most simple mail configuration is that the mail is sent to the ISP's smarthost and received from ISP's POP3 server by the MUA (see Section 6.4, “Mail user agent (MUA)”) itself. This type of configuration is popular with full featured GUI based MUA such as icedove
(1), evolution
(1), etc. If you need to filter mail by their types, you use MUA's filtering function. For this case, the local MTA (see Section 6.3, “Mail transport agent (MTA)”) need to do local delivery only.
The alternative mail configuration is that the mail is sent via local MTA to the ISP's smarthost and received from ISP's POP3 by the mail retriever (see Section 6.5, “The remote mail retrieval and forward utility”) to the local mailbox. If you need to filter mail by their types, you use MDA with filter (see Section 6.6, “Mail delivery agent (MDA) with filter”) to filter mail into separate mailboxes. This type of configuration is popular with simple console based MUA such as mutt
(1), gnus
(1), etc., although this is possible with any MUAs (see Section 6.4, “Mail user agent (MUA)”). For this case, the local MTA (see Section 6.3, “Mail transport agent (MTA)”) need to do both smarthost delivery and local delivery.
For normal workstation, the popular choice for Mail transport agent (MTA) is either exim4-*
or postfix
packages. It is really up to you.
Table 6.3. List of basic mail transport agent related packages for workstation
package | popcon | size | description |
---|---|---|---|
exim4-daemon-light
*
|
V:60, I:66 | 924 | Exim4 mail transport agent (MTA: Debian default) |
exim4-base
*
|
V:62, I:68 | 1660 | Exim4 documentation (text) and common files |
exim4-doc-html
*
|
I:0.8 | 5756 | Exim4 documentation (html) |
exim4-doc-info
*
|
I:0.4 | 596 | Exim4 documentation (info) |
postfix
*
|
V:17, I:19 | 3436 | Postfix mail transport agent (MTA: alternative) |
postfix-doc
*
|
I:2 | 3332 | Postfix documentation (html+text) |
sasl2-bin
*
|
V:2, I:6 | 448 | Cyrus SASL API implementation (supplement postfix for SMTP AUTH) |
cyrus-sasl2-doc
*
|
I:3 | 284 | Cyrus SASL - documentation |
Although the popcon vote count of exim4-*
looks several times popular than that of postfix
, this does not mean postfix
is not popular with Debian developers. The Debian server system uses both exim4
and postfix
. The mail header analysis of mailing list postings from prominent Debian developers also indicate both of these MTAs are as popular.
The exim4-*
packages are known to have very small memory consumption and very flexible for its configuration. The postfix
package is known to be compact, fast, simple, and secure. Both come with ample documentation and are as good in quality and license.
There are many choices for mail transport agent (MTA) packages with different capability and focus in Debian archive.
Table 6.4. List of choices for mail transport agent (MTA) packages in Debian archive
package | popcon | size | capability and focus |
---|---|---|---|
exim4-daemon-light
*
|
V:60, I:66 | 924 | full |
postfix
*
|
V:17, I:19 | 3436 | full (security) |
exim4-daemon-heavy
*
|
V:1.8, I:2 | 1036 | full (flexible) |
sendmail-bin
*
|
V:2, I:2 | 2080 | full (only if you are already familiar) |
nullmailer
*
|
V:0.6, I:0.8 | 452 | strip down, no local mail |
ssmtp
*
|
V:0.9, I:1.5 | 8 | strip down, no local mail |
nbsmtp
*
|
V:0.2, I:0.2 | 120 | ? |
courier-mta
*
|
V:0.2, I:0.2 | 4000 | very full (web interface etc.) |
xmail
*
|
V:0.18, I:0.2 | 824 | light |
masqmail
*
|
V:0.05, I:0.07 | 556 | light |
esmtp
*
|
V:0.11, I:0.2 | 156 | light |
esmtp-run
*
|
V:0.08, I:0.13 | 8 |
light (sendmail compatibility extension to esmtp )
|
msmtp
*
|
V:0.2, I:0.6 | 316 | light |
msmtp-mta
*
|
V:0.09, I:0.12 | 32 |
light (sendmail compatibility extension to msmtp )
|
For the Internet mail via smarthost, you (re)configure exim4-*
packages as the following.
$ sudo /etc/init.d/exim4 stop $ sudo dpkg-reconfigure exim4-conf
Chose "mail sent by smarthost; received via SMTP or fetchmail".
Set "IP address or host name of the outgoing smarthost:" to "smtp.hostname.dom:587".
Reply to "Keep number of DNS-queries minimal (Dial-on-Demand)?" as one of the following.
Create password entries for the smarthost by editing " /etc/exim4/passwd.client
"
$ sudo vim /etc/exim4/passwd.client ... $ cat /etc/exim4/passwd.client ^smtp.*\.hostname\.dom:username@hostname.dom:password
Start exim4
by the following.
$ sudo /etc/init.d/exim4 start
The host name in "/etc/exim4/passwd.client
" should not be the alias. You check the real host name with the following.
$ host smtp.hostname.dom smtp.hostname.dom is an alias for smtp99.hostname.dom. smtp99.hostname.dom has address 123.234.123.89
I use regex in "/etc/exim4/passwd.client
" to work around the alias issue. SMTP AUTH probably works even if the ISP moves host pointed by the alias.
Caution | |
---|---|
You must execute |
Caution | |
---|---|
Starting |
Note | |
---|---|
Please read the official guide at: " |
Tip | |
---|---|
Local customization file " |
For the Internet mail via smarthost, you should first read postfix documentation and key manual pages.
Table 6.5. List of important postfix manual pages
command | function |
---|---|
postfix (1)
|
Postfix control program |
postconf (1)
|
Postfix configuration utility |
postconf (5)
|
Postfix configuration parameters |
postmap (1)
|
Postfix lookup table maintenance |
postalias (1)
|
Postfix alias database maintenance |
You (re)configure postfix
and sasl2-bin
packages as follows.
$ sudo /etc/init.d/postfix stop $ sudo dpkg-reconfigure postfix
Chose "Internet with smarthost".
Set "SMTP relay host (blank for none):" to "[smtp.hostname.dom]:587
" and configure it by the following.
$ sudo postconf -e 'smtp_sender_dependent_authentication = yes' $ sudo postconf -e 'smtp_sasl_auth_enable = yes' $ sudo postconf -e 'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd' $ sudo postconf -e 'smtp_sasl_type = cyrus' $ sudo vim /etc/postfix/sasl_passwd
Create password entries for the smarthost.
$ cat /etc/postfix/sasl_passwd [smtp.hostname.dom]:587 username:password $ sudo postmap hush:/etc/postfix/sasl_passwd
Start the postfix
by the following.
$ sudo /etc/init.d/postfix start
Here the use of "[
" and "]
" in the dpkg-reconfigure
dialog and "/etc/postfix/sasl_passwd
" ensures not to check MX record but directly use exact hostname specified. See "Enabling SASL authentication in the Postfix SMTP client" in "usr/share/doc/postfix/html/SASL_README.html
".
There are a few mail address configuration files for mail transport, delivery and user agents.
Table 6.6. List of mail address related configuration files
file | function | application |
---|---|---|
/etc/mailname
|
default host name for (outgoing) mail |
Debian specific, mailname (5)
|
/etc/email-addresses
|
host name spoofing for outgoing mail |
exim (8) specific, exim4-config_files (5)
|
/etc/postfix/generic
|
host name spoofing for outgoing mail |
postfix (1) specific, activated after postmap (1) command execution.
|
/etc/aliases
|
account name alias for incoming mail |
general, activated after newaliases (1) command execution.
|
The mailname in the "/etc/mailname
" file is usually a fully qualified domain name (FQDN) that resolves to one of the host's IP addresses. For the mobile workstation which does not have a hostname with resolvable IP address, set this mailname to the value of "hostname -f
". (This is safe choice and works for both exim4-*
and postfix
.)
Tip | |
---|---|
The contents of " |
When setting the mailname to "hostname -f
", the spoofing of the source mail address via MTA can be realized by the following.
/etc/email-addresses
" file for exim4
(8) as explained in the exim4-config_files
(5)
/etc/postfix/generic
" file for postfix
(1) as explained in the generic
(5)
For postfix
, the following extra steps are needed.
# postmap hash:/etc/postfix/generic # postconf -e 'smtp_generic_maps = hash:/etc/postfix/generic' # postfix reload
You check filters using the following.
exim
(8) with -brw, -bf, -bF, -bV, …
options
postmap
(1) with -q
option.
Tip | |
---|---|
Exim comes with several utility programs such as |
There are several basic MTA operations. Some may be performed via sendmail
(1) compatibility interface.
Table 6.7. List of basic MTA operation
exim command | postfix command | description |
---|---|---|
sendmail
|
sendmail
|
read mails from standard input and arrange for delivery (-bm )
|
mailq
|
mailq
|
list the mail queue with status and queue ID (-bp )
|
newaliases
|
newaliases
|
initialize alias database (-I )
|
exim4 -q
|
postqueue -f
|
flush waiting mails (-q )
|
exim4 -qf
|
postsuper -r ALL deferred; postqueue -f
|
flush all mails |
exim4 -qff
|
postsuper -r ALL; postqueue -f
|
flush even frozen mails |
exim4 -Mg queue_id
|
postsuper -h queue_id
|
freeze one message by its queue ID |
exim4 -Mrm queue_id
|
postsuper -d queue_id
|
remove one message by its queue ID |
N/A |
postsuper -d ALL
|
remove all messages |
Tip | |
---|---|
It may be a good idea to flush all mails by a script in " |
If you subscribe to Debian related mailing list, it may be a good idea to use such MUA as mutt
and gnus
which are the de facto standard for the participant and known to behave as expected.
Table 6.8. List of mail user agent (MUA)
package | popcon | size | type |
---|---|---|---|
iceweasel
*
|
V:33, I:54 | 3736 | X GUI program (unbranded Mozilla Firefox) |
evolution
*
|
V:22, I:39 | 10264 | X GUI program (part of a groupware suite) |
icedove
*
|
V:10, I:14 | 38040 | X GUI program (unbranded Mozilla Thunderbird) |
mutt
*
|
V:23, I:83 | 5996 |
character terminal program probably used with vim
|
gnus
*
|
V:0.06, I:0.5 | 6272 |
character terminal program under (x)emacs
|
Customize "~/.muttrc
" as the following to use mutt
as the mail user agent (MUA) in combination with vim
.
# use visual mode and "gq" to reformat quotes set editor="vim -c 'set tw=72 et ft=mail'" # # header weeding taken from the manual (Sven's Draconian header weeding) # ignore * unignore from: date subject to cc unignore user-agent x-mailer hdr_order from subject to cc date user-agent x-mailer set hostname=spoof.example.org set from="First Last <username@example.org>" ....
Add the following to "/etc/mailcap
" or "~/.mailcap
" to display HTML mail and MS Word attachments inline.
text/html; lynx -force_html %s; needsterminal; application/msword; /usr/bin/antiword '%s'; copiousoutput; description="Microsoft Word Text"; nametemplate=%s.doc
Although fetchmail
(1) has been de facto standard for the remote mail retrieval on GNU/Linux, the author likes getmail
(1) now. If you want to reject mail before downloading to save bandwidth, mailfilter
or mpop
may be useful. Whichever mail retriever utilities are used, it is good idea to configure system to deliver retrieved mails to MDA, such as maildrop
, via pipe.
Table 6.9. List of remote mail retrieval and forward utilities
package | popcon | size | description |
---|---|---|---|
fetchmail
*
|
V:2, I:6 | 1816 | mail retriever (POP3, APOP, IMAP) (old) |
getmail4
*
|
V:0.3, I:0.7 | 632 | mail retriever (POP3, IMAP4, and SDPS) (simple, secure, and reliable) |
mailfilter
*
|
V:0.02, I:0.07 | 332 | mail retriever (POP3) with with regex filtering capability |
mpop
*
|
V:0.01, I:0.06 | 328 | mail retriever (POP3) and MDA with filtering capability |
getmail
(1) configuration is described in getmail documentation. Here is my set up to access multiple POP3 accounts as user.
Create "/usr/local/bin/getmails
" as the following.
#!/bin/sh set -e rcfiles="/usr/bin/getmail" for file in $HOME/.getmail/config/* ; do rcfiles="$rcfiles --rcfile $file" done exec $rcfiles $@
Configure it as the following.
$ sudo chmod 755 /usr/local/bin/getmails $ mkdir -m 0700 $HOME/.getmail $ mkdir -m 0700 $HOME/.getmail/config $ mkdir -m 0700 $HOME/.getmail/log
Create configuration files "$HOME/.getmail/config/pop3_name
" for each POP3 accounts as the following.
[retriever] type = SimplePOP3SSLRetriever server = pop.example.com username = pop3_name@example.com password = secret [destination] type = MDA_external path = /usr/bin/maildrop unixfrom = True [options] verbose = 0 delete = True delivered_to = False message_log = ~/.getmail/log/pop3_name.log
Configure it as the following.
$ chmod 0600 $HOME/.getmail/config/*
Schedule "/usr/local/bin/getmails
" to run every 15 minutes with cron
(8) by executing "sudo crontab -e -u <user_name>
" and adding following to user's cron entry.
5,20,35,50 * * * * /usr/local/bin/getmails --quiet
Tip | |
---|---|
Problems of POP3 access may not come from |
Most MTA programs, such as postfix
and exim4
, function as MDA (mail delivery agent). There are specialized MDA with filtering capabilities.
Although procmail
(1) has been de facto standard for MDA with filter on GNU/Linux, author likes maildrop
(1) now. Whichever filtering utilities are used, it is good idea to configure system to deliver filtered mails to a qmail-style Maildir.
Table 6.10. List of MDA with filter
package | popcon | size | description |
---|---|---|---|
procmail
*
|
V:18, I:86 | 360 | MDA with filter (old) |
mailagent
*
|
V:0.5, I:6 | 1688 | MDA with Perl filter |
maildrop
*
|
V:0.4, I:0.8 | 1040 | MDA with structured filtering language |
maildrop
(1) configuration is described in maildropfilter documentation. Here is a configuration example for "$HOME/.mailfilter
".
logfile $HOME/.maildroplog # clearly bad looking mails: drop them into X-trash and exit if ( /^X-Advertisement/ ||\ /^Subject:.*BUSINESS PROPOSAL/ ||\ /^Subject:.*URGENT.*ASISSTANCE/ ||\ /^Subject: *I NEED YOUR ASSISTANCE/ ) to "$HOME/Maildir/X-trash/" # Delivering mailinglist messages if ( /^Precedence:.*list/ ||\ /^Precedence:.*bulk/ ||\ /^List-/ ||\ /^X-Distribution:.*bulk/ ) { if ( /^Resent-Sender.*debian-user-request@lists.debian.org/) to "$HOME/Maildir/debian-user/" if ( /^Resent-Sender.*debian-devel-request@lists.debian.org/) to "$HOME/Maildir/debian-devel/" if ( /^Resent-Sender.*debian-announce-request@lists.debian.org/) to "$HOME/Maildir/debian-announce/" to "$HOME/Maildir/mailing-list/" } to "$HOME/Maildir/Inbox/" exit
Warning | |
---|---|
Unlike |
Here is an equivalent configuration with "$HOME/.procmailrc
" for procmail
(1).
MAILDIR=$HOME/Maildir DEFAULT=$MAILDIR/Inbox/ LOGFILE=$MAILDIR/Maillog # clearly bad looking mails: drop them into X-trash and exit :0 * 1^0 ^X-Advertisement * 1^0 ^Subject:.*BUSINESS PROPOSAL * 1^0 ^Subject:.*URGENT.*ASISSTANCE * 1^0 ^Subject: *I NEED YOUR ASSISTANCE X-trash/ # Delivering mailinglist messages :0 * 1^0 ^Precedence:.*list * 1^0 ^Precedence:.*bulk * 1^0 ^List- * 1^0 ^X-Distribution:.*bulk { :0 * 1^0 ^Return-path:.*debian-devel-admin@debian.or.jp jp-debian-devel/ :0 * ^Resent-Sender.*debian-user-request@lists.debian.org debian-user/ :0 * ^Resent-Sender.*debian-devel-request@lists.debian.org debian-devel/ :0 * ^Resent-Sender.*debian-announce-request@lists.debian.org debian-announce :0 mailing-list/ } :0 Inbox/
You need to manually deliver mails to the sorted mailboxes in your home directory from "/var/mail/<username>
" if your home directory became full and procmail
(1) failed. After making disk space in the home directory, run the following.
# /etc/init.d/${MAILDAEMON} stop # formail -s procmail </var/mail/<username> # /etc/init.d/${MAILDAEMON} start
If you are to run a private server on LAN, you may consider to run POP3 / IMAP4 server for delivering mail to LAN clients.
Table 6.11. List of POP3/IMAP4 servers
package | popcon | size | type | description |
---|---|---|---|---|
qpopper
*
|
V:1.3, I:5 | 644 | POP3 | Qualcomm enhanced BSD POP3 server |
courier-pop
*
|
V:1.5, I:2 | 232 | POP3 | Courier mail server - POP3 server (maildir format only) |
ipopd
*
|
V:0.13, I:0.2 | 204 | POP3 | The University of Washington POP2 and POP3 server |
cyrus-pop3d-2.2
*
|
V:0.18, I:0.3 | 852 | POP3 | Cyrus mail system (POP3 support) |
xmail
*
|
V:0.18, I:0.2 | 824 | POP3 | ESMTP/POP3 mail server |
courier-imap
*
|
V:3, I:4 | 1604 | IMAP | Courier mail server - IMAP server (maildir format only) |
uw-imapd
*
|
V:1.0, I:5 | 272 | IMAP | The University of Washington IMAP server |
cyrus-imapd-2.2
*
|
V:0.5, I:0.7 | 2632 | IMAP | Cyrus mail system (IMAP support) |
In the old Unix-like system, the BSD Line printer daemon was the standard. Since the standard print out format of the free software is PostScript on the Unix like system, some filter system was used along with Ghostscript to enable printing to the non-PostScript printer.
Recently, Common UNIX Printing System (CUPS) is the new de facto standard. The CUPS uses Internet Printing Protocol (IPP). The IPP is now supported by other OSs such as Windows XP and Mac OS X and has became new cross-platform de facto standard for remote printing with bi-directional communication capability.
The standard printable data format for the application on the Debian system is the PostScript (PS) which is a page description language. The data in PS format is fed into the Ghostscript PostScript interpreter to produce the printable data specific to the printer. See Section 11.3.1, “Ghostscript”.
Thanks to the file format dependent auto-conversion feature of the CUPS system, simply feeding any data to the lpr
command should generate the expected print output. (In CUPS, lpr
can be enabled by installing the cups-bsd
package.)
The Debian system has some notable packages for the print servers and utilities.
Table 6.12. List of print servers and utilities
package | popcon | size | port | description |
---|---|---|---|---|
lpr
*
|
V:3, I:3 | 440 | printer (515) | BSD lpr/lpd (Line printer daemon) |
lprng
*
|
V:0.8, I:1.1 | 3020 | , , | , , (Enhanced) |
cups
*
|
V:31, I:41 | 11176 | IPP (631) | Internet Printing CUPS server |
cups-client
*
|
V:10, I:42 | 440 | , , |
System V printer commands for CUPS: lp (1), lpstat (1), lpoptions (1), cancel (1), lpmove (8), lpinfo (8), lpadmin (8), …
|
cups-bsd
*
|
V:7, I:38 | 180 | , , |
BSD printer commands for CUPS: lpr (1), lpq (1), lprm (1), lpc (8)
|
cups-driver-gutenprint
*
|
V:8, I:34 | 1292 | Not applicable | printer drivers for CUPS |
Tip | |
---|---|
You can configure CUPS system by pointing your web browser to "http://localhost:631/" . |
The Secure SHell (SSH) is the secure way to connect over the Internet. A free version of SSH called OpenSSH is available as openssh-client
and openssh-server
packages in Debian.
Table 6.13. List of remote access server and utilities
package | popcon | size | tool | description |
---|---|---|---|---|
openssh-client
*
|
V:53, I:98 | 2076 |
ssh (1)
|
Secure shell client |
openssh-server
*
|
V:65, I:78 | 808 |
sshd (8)
|
Secure shell server |
ssh-askpass-fullscreen
*
|
V:0.12, I:0.5 | 92 |
ssh-askpass-fullscreen (1)
|
asks user for a pass phrase for ssh-add (GNOME2) |
ssh-askpass
*
|
V:0.7, I:4 | 156 |
ssh-askpass (1)
|
asks user for a pass phrase for ssh-add (plain X) |
Caution | |
---|---|
See Section 4.7.3, “Extra security measures for the Internet” if your SSH is accessible from the Internet. |
Tip | |
---|---|
Please use the |
Warning | |
---|---|
" |
SSH has two authentication protocols.
Table 6.14. List of SSH authentication protocols and methods
SSH protocol | SSH method | description |
---|---|---|
SSH-1 |
"RSAAuthentication "
|
RSA identity key based user authentication |
, , |
"RhostsAuthentication "
|
".rhosts " based host authentication (insecure, disabled)
|
, , |
"RhostsRSAAuthentication "
|
".rhosts " based host authentication combined with RSA host key (disabled)
|
, , |
"ChallengeResponseAuthentication "
|
RSA challenge-response authentication |
, , |
"PasswordAuthentication "
|
password based authentication |
SSH-2 |
"PubkeyAuthentication "
|
public key based user authentication |
, , |
"HostbasedAuthentication "
|
"~/.rhosts " or "/etc/hosts.equiv " based host authentication combined with public key client host authentication (disabled)
|
, , |
"ChallengeResponseAuthentication "
|
challenge-response authentication |
, , |
"PasswordAuthentication "
|
password based authentication |
Caution | |
---|---|
Be careful about these differences if you are using a non-Debian system. |
See "/usr/share/doc/ssh/README.Debian.gz
", ssh
(1), sshd
(8), ssh-agent
(1), and ssh-keygen
(1) for details.
Following are the key configuration files.
Table 6.15. List of SSH configuration files
configuration file | description of configuration file |
---|---|
/etc/ssh/ssh_config
|
SSH client defaults, see ssh_config (5)
|
/etc/ssh/sshd_config
|
SSH server defaults, see sshd_config (5)
|
~/.ssh/authorized_keys
|
default public SSH keys that clients use to connect to this account on this SSH server |
~/.ssh/identity
|
secret SSH-1 RSA key of the user |
~/.ssh/id_rsa
|
secret SSH-2 RSA key of the user |
~/.ssh/id_dsa
|
secret SSH-2 DSA key of the user |
Tip | |
---|---|
See |
Tip | |
---|---|
Make sure to verify settings by testing the connection. In case of any problem, use " |
Tip | |
---|---|
You can change the pass phrase to encrypt local secret SSH keys later with " |
Tip | |
---|---|
You can add options to the entries in " |
The following starts an ssh
(1) connection from a client.
Table 6.16. List of SSH client startup examples
command | description |
---|---|
ssh username@hostname.domain.ext
|
connect with default mode |
ssh -v username@hostname.domain.ext
|
connect with default mode with debugging messages |
ssh -1 username@hostname.domain.ext
|
force to connect with SSH version 1 |
ssh -1 -o RSAAuthentication=no -l username hostname.domain.ext
|
force to use password with SSH version 1 |
ssh -o PreferredAuthentications=password -l username hostname.domain.ext
|
force to use password with SSH version 2 |
If you use the same user name on the local and the remote host, you can eliminate typing "username@
". Even if you use different user name on the local and the remote host, you can eliminate it using "~/.ssh/config
". For Debian Alioth service with account name "foo-guest
", you set "~/.ssh/config
" to contain the following.
Host alioth.debian.org svn.debian.org git.debian.org User foo-guest
For the user, ssh
(1) functions as a smarter and more secure telnet
(1). Unlike telnet
command, ssh
command does not bomb on the telnet
escape character (initial default CTRL-]).
To establish a pipe to connect to port 25 of remote-server
from port 4025 of localhost
, and to port 110 of remote-server
from port 4110 of localhost
through ssh
, execute on the local host as the following.
# ssh -q -L 4025:remote-server:25 4110:remote-server:110 username@remote-server
This is a secure way to make connections to SMTP/POP3 servers over the Internet. Set the "AllowTcpForwarding
" entry to "yes
" in "/etc/ssh/sshd_config
" of the remote host.
One can avoid having to remember passwords for remote systems by using "RSAAuthentication
" (SSH-1 protocol) or "PubkeyAuthentication
" (SSH-2 protocol).
On the remote system, set the respective entries, "RSAAuthentication yes
" or "PubkeyAuthentication yes
", in "/etc/ssh/sshd_config
".
Generate authentication keys locally and install the public key on the remote system by the following.
RSAAuthentication
": RSA key for SSH-1 (deprecated because it is superseded.)
$ ssh-keygen $ cat .ssh/identity.pub | ssh user1@remote "cat - >>.ssh/authorized_keys"
PubkeyAuthentication
": RSA key for SSH-2
$ ssh-keygen -t rsa $ cat .ssh/id_rsa.pub | ssh user1@remote "cat - >>.ssh/authorized_keys"
PubkeyAuthentication
": DSA key for SSH-2 (deprecated because it is slow.)
$ ssh-keygen -t dsa $ cat .ssh/id_dsa.pub | ssh user1@remote "cat - >>.ssh/authorized_keys"
Tip | |
---|---|
Use of DSA key for SSH-2 is deprecated because key is smaller and slow. There are no more reasons to work around RSA patent using DSA since it has been expired. DSA stands for Digital Signature Algorithm and slow. Also see DSA-1571-1. |
Note | |
---|---|
For " |
There are some free SSH clients available for other platforms.
Table 6.17. List of free SSH clients for other platforms
environment | free SSH program |
---|---|
Windows | puTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/) (GPL) |
Windows (cygwin) | SSH in cygwin (http://www.cygwin.com/) (GPL) |
Macintosh Classic | macSSH (http://www.macssh.com/) (GPL) |
Mac OS X |
OpenSSH; use ssh in the Terminal application (GPL)
|
It is safer to protect your SSH authentication secret keys with a pass phrase. If a pass phrase was not set, use "ssh-keygen -p
" to set it.
Place your public SSH key (e.g. "~/.ssh/id_rsa.pub
") into "~/.ssh/authorized_keys
" on a remote host using a password-based connection to the remote host as described above.
$ ssh-agent bash $ ssh-add ~/.ssh/id_rsa Enter passphrase for /home/<username>/.ssh/id_rsa: Identity added: /home/<username>/.ssh/id_rsa (/home/<username>/.ssh/id_rsa)
No remote password needed from here on for the next command.
$ scp foo <username>@remote.host:foo
Press ^D to terminating ssh-agent session.
For the X server, the normal Debian startup script executes ssh-agent
as the parent process. So you only need to execute ssh-add
once. For more, read ssh-agent
(1)and ssh-add
(1).
You need to protect the process doing "shutdown -h now
" (see Section 1.1.8, “How to shutdown the system”) from the termination of SSH using the at
(1) command (see Section 9.5.13, “Scheduling tasks once”) by the following.
# echo "shutdown -h now" | at now
Running "shutdown -h now
" in screen
(1) (see Section 9.1, “The screen program”) session is another way to do the same.
If you have problems, check the permissions of configuration files and run ssh
with the "-v
" option.
Use the "-P
" option if you are root and have trouble with a firewall; this avoids the use of server ports 1 — 1023.
If ssh
connections to a remote site suddenly stop working, it may be the result of tinkering by the sysadmin, most likely a change in "host_key
" during system maintenance. After making sure this is the case and nobody is trying to fake the remote host by some clever hack, one can regain a connection by removing the "host_key
" entry from "~/.ssh/known_hosts
" on the local host.
Here are other network application servers.
Table 6.18. List of other network application servers
package | popcon | size | protocol | description |
---|---|---|---|---|
telnetd
*
|
V:0.5, I:1.3 | 156 | TELNET | TELNET server |
telnetd-ssl
*
|
V:0.16, I:0.4 | 152 | , , | , , (SSL support) |
nfs-kernel-server
*
|
V:13, I:23 | 408 | NFS | Unix file sharing |
samba
*
|
V:21, I:34 | 16696 | SMB | Windows file and printer sharing |
netatalk
*
|
V:5, I:10 | 2448 | ATP | Apple/Mac file and printer sharing (AppleTalk) |
proftpd-basic
*
|
V:4, I:5 | 2148 | FTP | General file download |
wu-ftpd
*
|
V:0.5, I:0.7 | 820 | , , | , , |
apache2-mpm-prefork
*
|
V:37, I:42 | 72 | HTTP | General web server |
apache2-mpm-worker
*
|
V:6, I:7 | 72 | , , | , , |
squid
*
|
V:6, I:7 | 1800 | , , | General web proxy server |
squid3
*
|
V:1.1, I:1.4 | 2356 | , , | , , |
slpd
*
|
V:0.2, I:0.3 | 228 | SLP | OpenSLP Server as LDAP server |
bind9
*
|
V:10, I:18 | 860 | DNS | IP address for other hosts |
dhcp3-server
*
|
V:5, I:9 | 800 | DHCP | IP address of client itself |
Common Internet File System Protocol (CIFS) is the same protocol as Server Message Block (SMB) and is used widely by Microsoft Windows.
Tip | |
---|---|
Use of proxy server such as |
Here are other network application clients.
Table 6.19. List of network application clients
package | popcon | size | protocol | description |
---|---|---|---|---|
netcat
*
|
V:2, I:52 | 36 | TCP/IP | TCP/IP swiss army knife |
stunnel4
*
|
V:0.5, I:1.7 | 508 | SSL | universal SSL Wrapper |
telnet
*
|
V:15, I:90 | 200 | TELNET | TELNET client |
telnet-ssl
*
|
V:0.3, I:1.3 | 208 | , , | , , (SSL support) |
nfs-common
*
|
V:51, I:81 | 596 | NFS | Unix file sharing |
smbclient
*
|
V:7, I:41 | 33472 | SMB | MS Windows file and printer sharing client |
smbfs
*
|
V:5, I:26 | 5268 | , , | mount and umount commands for remote MS Windows file |
ftp
*
|
V:10, I:86 | 160 | FTP | FTP client |
lftp
*
|
V:1.4, I:6 | 1716 | , , | , , |
ncftp
*
|
V:1.7, I:8 | 1212 | , , | full screen FTP client |
wget
*
|
V:28, I:99 | 1968 | HTTP and FTP | web downloader |
curl
*
|
V:5, I:20 | 304 | , , | , , |
bind9-host
*
|
V:44, I:90 | 176 | DNS |
host (1) from bind9, "Priority: standard "
|
dnsutils
*
|
V:12, I:91 | 392 | , , |
dig (1) from bind, "Priority: standard "
|
dhcp3-client
*
|
V:47, I:93 | 604 | DHCP | obtain IP address |
ldap-utils
*
|
V:1.4, I:7 | 696 | LDAP | obtain data from LDAP server |
The telnet
program enables manual connection to the system daemons and its diagnosis.
For example, try the following
$ telnet mail.ispname.net pop3
The following RFCs provide required knowledge to each system daemon.
The port usage is described in "/etc/services
".