Understanding SSH

SSH lets you send secure, encrypted commands to a computer remotely, as if you were sitting at the computer. You use the ssh tool in Terminal to open a command-line connection to a remote computer. While the connection is open, commands you enter are performed on the remote computer.

Note: If the SSH service ( sshd daemon ) is enabled you can use any application that supports SSH to connect to a computer running Mac OS X or Mac OS X Server.

How SSH Works

SSH works by setting up encrypted tunnels using public and private keys. Here is a description of an SSH session:

  1. The local and remote computers exchange public keys. If the local computer has never encountered a given public key, SSH and your web browser prompt you whether to accept the unknown key.
  2. The two computers use the public keys to negotiate a session key used to encrypt subsequent session data.
  3. The remote computer attempts to authenticate the local computer using RSA or DSA certificates. If this is not possible, the local computer is prompted for a standard user-name/password combination.
  4. After successful authentication, the session begins and remote shell, a secure file transfer, a remote command, or other action is begun through the encrypted tunnel.

The following are SSH tools:

  • sshd—Daemon that acts as a server to all other commands
  • ssh—Primary user tool that includes a remote shell, remote command, and port-
  • forwarding sessions
  • scp—Secure copy, a tool for automated file transfers
  • sftp—Secure FTP, a replacement for FTP

Generating Key Pairs for Key-Based SSH Connections

By default, SSH supports the use of password, key, and Kerberos authentication. The standard method of SSH authentication is to supply login credentials in the form of a user name and password. Identity key pair authentication enables you to log in to the server without supplying a password.

Key-based authentication is more secure than password authentication because it requires that you have the private key file and know the password that lets you access that key file. Password authentication can be compromised without a private key file.

This process works as follows:

  1. A private and a public key are generated, each associated with a user name to establish that user’s authenticity.
  2. When you attempt to log in as that user, the user name is sent to the remote computer.
  3. The remote computer looks in the user’s .ssh/ folder for the user’s public key. This folder is created after using SSH the first time.
  4. A challenge is sent to the user based on his or her public key.
  5. The user verifies his or her identity by using the private portion of the key pair to decode the challenge.
  6. After the key is decoded, the user is logged in without the need for a password. This is especially useful when automating remote scripts.

Note: If the server uses FileVault to encrypt the home folder of the user you want to use SSH to connect as, you must be logged in on the server to use SSH. Alternatively, you can store the keys for the user in a location that is not protected by FileVault, but this is not secure.

To generate the identity key pair:

  1. Enter the following command on the local computer: $ ssh-keygen -t dsa
  2. When prompted, enter a filename in the user’s folder to save the keys in; then enter a password followed by password verification (empty for no password).For example:
    Generating public/private dsa key pair. Enter file in which to save the key (/Users/anne/.ssh/id_dsa): frog Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in frog. Your public key has been saved in frog.pub. The key fingerprint is: 4a:5c:6e:9f:3e:35:8b:e5:c9:5a:ac:00:e6:b8:d7:96 annejohnson1@mac.com

    This creates two files. Your identification or private key is saved in one file (frog in our example) and your public key is saved in the other (frog.pub in our example).

    The key fingerprint, which is derived cryptographically from the public key value, also appears. This secures the public key, making it computationally infeasible for duplication.

  3. Copy the resulting public file, which contains the local computer’s public key, to the .ssh/authorized_keys file in the user’s home folder on the remote computer (~/.ssh/ authorized_keys).
  4. The next time you log in to the remote computer from the local computer you won’t need to enter a password.

Note: If you are using an Open Directory user account and have logged in using the account, you do not need to supply a password for SSH login. On Mac OS X Server computers, SSH uses Kerberos for single sign-on authentication with any user account that has an Open Directory password. (Kerberos must be running on the Open Directory server.) For more information, see Open Directory Administration.

Updating SSH Key Fingerprints

The first time you connect to a remote computer using SSH, the local computer prompts for permission to add the remote computer’s fingerprint (or encrypted public key) to a list of known remote computers. You might see a message like this:

The authenticity of host "server1.example.com" can’t be established. RSA key fingerprint is a8:0d:27:63:74:f1:ad:bd:6a:e4:0d:a3:47:a8:f7. Are you sure you want to continue connecting (yes/no)?

The first time you connect, you have no way of knowing whether this is the correct host key. Most people respond “yes.” The host key is then inserted into the ~/.ssh/ known_hosts file so it can be verified in later sessions.

Be sure this is the correct key before accepting it. If possible, provide users with the encryption key through FTP, mail, or a download from the web, so they can be sure of the identity of the server.

If you later see a warning message about a man-in-the-middle attack (see below) when you try to connect, it might be because the key on the remote computer no longer matches the key stored on the local computer. This can happen if you:

Change your SSH configuration on the local or remote computer.

Perform a clean installation of the server software on the computer you are attempting to log in to using SSH.

StartupfromaMacOSXServerCDonthecomputeryouareattemptingtologinto using SSH.

AttempttouseSSHtoaccessacomputerthathasthesameIPaddressasacomputer that you used SSH with on another network.

To connect again, delete the entries corresponding to the remote computer (which can be stored by name and IP address) in the file ~/.ssh/known_hosts.

An SSH Man-in-the-Middle Attack

Sometimes an attacker can access your network and compromise routing information, so that packets intended for a remote computer are routed to the attacker, who then impersonates the remote computer to the local computer and the local computer to the remote computer.

Here’s a typical scenario: A user connects to the remote computer using SSH. By means of spoofing techniques, the attacker poses as the remote computer and receives information from the local computer. The attacker then relays the information to the intended remote computer, receives a response, and then relays the remote computer’s response to the local computer.

Throughout the process, the attacker is privy to all information that goes back and forth, and can modify it.

A sign that can indicate a man-in-the-middle attack is the following message that appears when connecting to the remote computer using SSH.

@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @

Protect for this type of attack by verifying that the host key sent back is the correct host key for the computer you are trying to reach. Be watchful for the warning message, and alert your users to its meaning.

Important: Removing an entry from the known_hosts file bypasses a security mechanism that would help you avoid imposters and man-in-the-middle attacks. Before you delete its entry from the known_hosts file, be sure you understand why the key on the remote computer has changed.

Connecting to a remote computer using SSH

Use the ssh tool to create a secure shell connection to a remote computer. To access a remote computer using ssh:

  1. Open Terminal.
  2. Log in to the remote computer by entering the following command:
    $ ssh -l username server Replace username with the name of an administrator user on the remote computer.
    Replace server with the name or IP address of the remote computer. For example:
    $ ssh -l anne 10.0.1.2
    If this is the first time you’ve connected to the remote computer, you’re prompted to continue connecting after the remote computer’s RSA fingerprint appears.
  3. Enter yes.
  4. When prompted, enter the user’s password for the remote computer.
    The command prompt changes to show that you’re connected to the remote computer. In the case of the previous example, the prompt might look like this:
    10.0.1.2:~ anne$
  5. To send a command to the remote computer, enter the command.
  6. To close a remote connection, enter logout.
    You can authenticate and send a command using a single line by appending the command to execute to the basic ssh tool. For example, to delete a file you could use:
    $ ssh -l anne server1.example.com rm /Users/anne/Documents/report
    or
    $ ssh -l anne@server1.example.com “rm /Users/anne/Documents/report”
    You’re prompted for the user’s password.

Reference:
Mac OS X Server (v10.3 or Later): CommandLine Administration (Manual) manuals.info.apple.com p. 31 – 35

Test the SMTP Service

To test the SMTP service, follow these steps:
1. Type Telnet at a command prompt (Terminal) , and then press ENTER.
2. At the telnet prompt, type set LocalEcho, press ENTER, and then type open 25, and then press ENTER.
3. Type helo me, and then press ENTER.
The output resembles the following:
250 OK
4. Type mail from:email@domain.com, and then press ENTER.
The output resembles the following:
250 OK – mail from
5. Type rcpt to:youremail@yourdomain.com, and then press ENTER.
The output resembles the following:
250 OK – Recipient
6. Type Data, and then press ENTER.
The output resembles the following:
354 Send data. End with CRLF.CRLF
7. Type Subject:This is a test, and then press ENTER two times.
8. Type Testing, and then press ENTER.
9. Press ENTER, type a period (.), and then press ENTER.
The output resembles the following:
250 OK
10. Type quit, and then press ENTER.
The output resembles the following:
221 Closing Port / Mail queued for delivery

Dr. Wongs Secret of Immortality

Sauce for rice, vegetables and/or fish.

Prepare a mix of two or three tablespoons of miso with enough water to give it a smooth, even consistency. Squeeze in one or two lemons. Grate a bit of fresh ginger, and add two tablespoons of cold-pressed extra virgin olive oil. Mix it all together. Use this sauce over your vegetables and rice. It is also delicious on fish. And kids love it.

Reference:
The Way of Qigong: The Art and Science of Chinese Energy Healing
Ken Cohen
ISBN  0345421094

Watsu – Water Shiatsu

Origins of Watsu

Watsu® (Water Shiatsu) began in 1980 in the warm pool at Harbin Hot Springs when Harold Dull started floating people while applying the stretches and principles of the Zen Shiatsu he had studied in Japan. In the Orient, stretching as a way to open channels through which our Chi energy flows is even older than acupuncture. Stretching strengthens muscle and increases flexibility. Warm water, which many associate with the body’s deepest states of waking relaxation, is the ideal medium. The support of water takes weight off the vertebrae and allows the spine to be moved in ways impossible on land. Gentle, gradual twists and pulls relieve the pressure a rigid spine places on nerves and helps undo any dysfunctioning this pressure can cause to the organs serviced by those nerves. The Watsu receiver experiences greater flexibility and freedom. During Watsu a range of emotions can come up and be released into the process of continuous flow. This reprograms receivers to face life out of the water with greater equanimity and flexibility.

Another principle of Zen Shiatsu, that of connecting with the breath, takes on a new dimension in Watsu. On land, the breathing is coordinated with leaning into points. In water, our most basic move is the Water Breath Dance, in which we float someone in our arms and let them sink a little as they breathe out and let the water lift us as we both breathe in. Repeated over and over at the beginning of a Watsu, this creates a connection that can be carried into all the stretches and moves. This Water Breath Dance, and its stillness, is returned to throughout the session.

Experiencing both giving and receiving this most nurturing form of bodywork can help heal whatever wounds of separation we carry and renew in us our sense of connection and oneness with others. For this reason Watsu is Rebonding Therapy. Watsu is used around the world by professional bodyworkers, physical therapists, psychologists, as well as the general public.

Watsu, and the way it is taught, has evolved over the years. In the beginning the focus was primarily on stretching. With the Waterbreath Dance and the greater connection of moves to the breath, a more meditative stillness entered in. The use of flotation devices on legs that would otherwise sink has widened the possibilities and the ease of a Watsu.

Once a practitioner has reached the level of presence and connection that the carefully evolved Watsu Forms instill, they are taught and encouraged to explore the creative potential in Watsu Free Flow.

Reference: www.watsu.com

Der blinde Knabe

An allen Türen blieb der blinde Knabe,
auf den der Mutter bleiche Schönheit schien,
und sang das Lied, das ihm sein Leid verliehn:
“Oh hab mich lieb, weil ich den Himmel habe.”
Und alle weinten über ihn.

An allen Türen blieb der blinde Knabe.

Die Mutter aber zog ihn leise mit;
weil sie die andern alle weinen schaute.
Er aber, der nicht wußte, wie sie litt,
und nur noch tiefer seinem Dunkel traute,
sang: “Alles Leben ist in meiner Laute.”

Die Mutter aber zog ihn leise mit.

So trug er seine Lieder durch das Land.
Und als ein Greis ihn fragte, was sie deuten,
da schwieg er, und auf seiner Stirne stand:
Es sind die Funken, die die Stürme streuten,
doch einmal werd ich breit sein wie ein Brand.

So trug er seine Lieder durch das Land.

Und allen Kindern kam ein Traurigsein.
Sie mußten immer an den Blinden denken
und wollten etwas seiner Armut weihn;
er nahm sie lächelnd an den Handgelenken
und sang: “Ich selbst bin kommen euch beschenken.”

Und allen Kindern kam ein Traurigsein.

Und alle Mädchen wurden blaß und bang.
Und waren wie die Mutter dieses Knaben,
der immer noch in ihren Nächten sang.
Und fürchteten: wir werden Kinder haben, –
und alle Mütter waren krank..

Da wurden ihre Wünsche wie ein Wort
und flatterten wie Schwalben um die Eine,
die mit dem Blinden zog von Ort zu Ort:
“Maria, du Reine,
sieh, wie ich weine.
Und es ist seine
Schuld. In die Haine
führ ihn fort!”

Bei allen Bäumen blieb der blinde Knabe,
auf den der Mutter müde Schönheit schien,
und sang das Lied, das ihm sein Leid verliehn:
“Oh hab mich lieb, weil ich den Himmel habe -”
Und alle blühten über ihm.

Links:
Rainer Marie Rilke wikipedia.org