Chapter 7. Network applications

Table of Contents

7.1. Web browsers
7.1.1. Browser configuration
7.2. The mail system
7.2.1. Modern mail service basics
7.2.2. Basic mail software choice
7.2.3. The mail configuration strategy for workstation
7.2.3.1. The configuration of exim4
7.2.3.2. The configuration of postfix with SASL
7.2.3.3. The mail address configuration
7.2.4. Tips for managing the mail
7.2.4.1. Basic MTA operations
7.2.4.2. Basic MUA -- Mutt
7.2.4.3. Redeliver mbox contents
7.2.5. Choices of software for the mail
7.2.5.1. MTA
7.2.5.2. MUA
7.2.5.3. The remote mail retrieval and forward utility
7.2.5.4. MDA
7.2.5.5. POP3/IMAP4 server
7.3. The print server and utility
7.4. The remote access server and utility (SSH)
7.4.1. Basics of SSH
7.4.2. Port forwarding for SMTP/POP3 tunneling
7.4.3. Connecting with fewer passwords -- RSA
7.4.4. Dealing with alien SSH clients
7.4.5. Setting up ssh-agent
7.4.6. Troubleshooting SSH
7.5. Other network application servers
7.6. Other network application clients
7.7. The diagnosis of the system daemons

7.1. Web browsers

There are many web browser packages for accessing remote content with the Hypertext Transfer Protocol (HTTP).

Table 7.1.  List of web browsers.

package           popcon       size   description
----------------  -----------  -----  ---------------------------------------------
iceweasel         V:31, I:59   3960   Web browser (X) (unbranded Firefox)
iceape-browser    V:3, I:6     35436  Web browser (X) (unbranded Mozilla browser)
epiphany-browser  V:11, I:45   32     Web browser (X) (Gnome HIG compliant browser)
galeon            V:1.2, I:2   1732   Web browser (X) (Gnome browser)
konqueror         V:11, I:21   6056   Web browser (X) (KDE browser)
w3m               V:20, I:85   1968   Web browser (text)
lynx              V:4, I:25    44     Web browser (text)
elinks            V:2, I:6     1444   Web browser (text)
links             V:2, I:9     1372   Web browser (text)
links2            V:1.0, I:4   3280   Web browser (text)


7.1.1. Browser configuration

You may be able to use the following special URL strings in some browsers to confirm their settings.

  • "about:"

  • "about:config"

  • "about:plugins"

Debian offers many free browser plugin packages in the main component which can handle not only Java (software platform) and Flash but also MPEG, MPEG2, MPEG4, DivX, Windows Media Video (.wmv), QuickTime (.mov), MP3 (.mp3), Ogg/Vorbis files, DVDs, VCDs, etc. Debian also offers helper programs to install non-free browser plugin packages as contrib or non-free components.

Table 7.2.  List of browser plugin packages.

package                 popcon          size       component  description
----------------------  --------------  ---------  ---------  --------------------------------------------------------------------
icedtea-gcjwebplugin    V:0.6, I:0.8    204        main       Java plugin using Hotspot JIT
java-gcj-compat-plugin  V:0.6, I:1.8    104        main       Java plugin using the gij runtime
sun-java5-plugin        I:4             NOT_FOUND  non-free   Java plugin for Sun's Java SE 5.0 (i386 only)
sun-java6-plugin        I:6             NOT_FOUND  non-free   Java plugin for Sun's Java SE 6 (i386 only)
swfdec-mozilla          V:5, I:9        244        main       Flash plugin based on libswfdec
mozilla-plugin-gnash    V:0.6, I:1.7    180        main       Flash plugin based on Gnash
flashplugin-nonfree     V:1.5, I:9      128        contrib    Flash plugin helper to install Adobe Flash Player (i386, amd64 only)
mozilla-bonobo          V:0.19, I:0.4   168        main       Mozilla plugin support for Gnome Bonobo components
mozilla-plugin-vlc      V:2, I:5        160        main       Multimedia plugin based on VLC media player
totem-mozilla           V:13, I:45      241        main       Multimedia plugin based on Gnome's Totem media player
gecko-mediaplayer       V:0.10, I:0.16  688        main       Multimedia plugin based on (GNOME) MPlayer
nspluginwrapper         V:2, I:3        372        contrib    A wrapper to run i386 Netscape plugins on amd64 architecture


[Tip] Tip

Although using the above Debian packages is much easier, browser plugins can still be enabled manually by installing "*.so" files into plugin directories (e.g., /usr/lib/iceweasel/plugins/) and restarting the browser.

Some web sites refuse connections based on the user-agent string of your browser. You can work around this situation by spoofing the user-agent string. For example, you can do this by adding:

user_pref("general.useragent.override", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)");

to user configuration files such as ~/.gnome2/epiphany/mozilla/epiphany/user.js or ~/.mozilla/firefox/*.default/user.js. Alternatively, you can add and reset this variable by typing "about:config" into the URL bar and right-clicking the displayed contents.

[Caution] Caution

Spoofed user-agent string may cause bad side effects with Java.

7.2. The mail system

[Caution] Caution

If you intend to set up a mail server that exchanges mail directly with the Internet, you should already know more than this elementary document covers.

7.2.1. Modern mail service basics

In order to contain spam (unwanted and unsolicited e-mail) problems, many ISPs which provide consumer grade Internet connections are implementing countermeasures:

  • The smarthost service for their customers to send messages uses the message submission port (587) specified in rfc4409 with a password (SMTP AUTH service) as specified in rfc4954.

  • SMTP port (25) connections from their internal network hosts (except the ISP's own outgoing mail server) to the Internet are blocked.

  • SMTP port (25) connections to the ISP's incoming mail server from some suspicious external network hosts are blocked. (Connections from hosts in the dynamic IP address ranges used by dial-up and other consumer grade Internet connections are the first ones to be blocked.)

When configuring your mail system or resolving mail delivery problems, you must consider these new limitations.

In light of this hostile Internet situation and these limitations, some independent Internet mail ISPs such as Yahoo.com and Gmail.com offer a secure mail service which can be connected to from anywhere on the Internet using Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL):

  • The smarthost service for their customers to send messages uses the SMTP/SSL port (465) or the message submission port (587) with a password (SMTP AUTH service).

  • The incoming mail is accessible at the TLS/POP3 port (995) with POP3.

[Caution] Caution

It is not realistic to run an SMTP server on a consumer grade network and deliver mail directly to remote hosts reliably; such connections are very likely to be rejected. You must use a smarthost service offered by your connection ISP or by an independent mail ISP. For simplicity, I will assume in the following text that the smarthost is located at "smtp.hostname.dom", requires SMTP AUTH, and uses the message submission port 587.

7.2.2. Basic mail software choice

Table 7.3.  List of popular mail system for workstation.

package             popcon      size  function
------------------  ----------  ----  ------------------------------------------------------------------
exim4-daemon-light  V:57, I:67  928   Exim4 mail transport agent (MTA: Debian etch default)
exim4-base          V:59, I:70  1656  Exim4 documentation (text) and common files
exim4-doc-html      I:0.9       5756  Exim4 documentation (html)
exim4-doc-info      I:0.5       596   Exim4 documentation (info)
postfix             V:15, I:17  3196  Postfix mail transport agent (MTA: alternative)
postfix-doc         I:2         3124  Postfix documentation (html+text)
sasl2-bin           V:2, I:5    444   Cyrus SASL API implementation (supplement postfix for SMTP-AUTH)
cyrus-sasl2-doc     I:4         288   Cyrus SASL - documentation
fetchmail           V:3, I:7    1812  Remote mail retrieval and forwarding utility
procmail            V:16, I:87  360   Mail filter utility
mutt                V:21, I:84  5396  Mail user agent (MUA) to read/write the mail usually used with vim


The choice between exim4-* and postfix packages is really up to you.

Although the popcon vote count of exim4 looks several times higher than that of postfix, this does not mean postfix is unpopular with Debian developers. The Debian server system uses both exim4 and postfix. Mail header analysis of mailing list postings from prominent Debian developers also indicates that both of these MTAs are about equally popular.

The exim4-* packages are known for very small memory consumption and very flexible configuration. Postfix is known to be compact, fast, simple, and secure. Both come with ample documentation and are comparable in quality and license.

7.2.3. The mail configuration strategy for workstation

The simplest mail configuration is that mail is sent to the ISP's smarthost and received from the ISP's POP3 server by the MUA itself. This type of configuration is popular with full featured GUI based mail user agents (MUAs) such as icedove, evolution, etc. If you need to filter mail by type, you use the MUA's filtering function. In this case, the local mail transport agent (MTA) needs to do local delivery only.

The alternative mail configuration is that mail is sent via the local MTA to the ISP's smarthost and received from the ISP's POP3 server by fetchmail(1) into the local mailbox. If you need to filter mail by type, you use procmail(1) to filter mail into separate mailboxes. This type of configuration is popular with simple console based MUAs such as mutt, gnus, etc., although it is possible with any MUA. In this case, the local MTA needs to do both smarthost delivery and local delivery.

7.2.3.1. The configuration of exim4

For Internet via smarthost, you (re)configure the exim4-* packages as follows:

$ sudo /etc/init.d/exim4 stop
$ sudo dpkg-reconfigure exim4-config

  • Choose "mail sent by smarthost; received via SMTP or fetchmail".

  • Set "IP address or host name of the outgoing smarthost:" to "smtp.hostname.dom:587".

$ sudo vim /etc/exim4/passwd.client

  • Create password entries for the smarthost.

$ cat /etc/exim4/passwd.client
^smtp.*\.hostname\.dom:username@hostname.dom:password
$ sudo /etc/init.d/exim4 start

The host name in /etc/exim4/passwd.client should not be an alias. You can check the real host name with:

$ host smtp.hostname.dom
smtp.hostname.dom is an alias for smtp99.hostname.dom.
smtp99.hostname.dom has address 123.234.123.89

I use a regex in /etc/exim4/passwd.client to work around the alias issue, so that even if the ISP moves the host pointed to by the alias, SMTP AUTH will likely keep working.
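As an added example (not part of the Debian Reference), the following Python script emulates the lookup that Debian's exim4 configuration performs against passwd.client (an exim "nwildlsearch": keys starting with "^" are regular expressions, keys starting with "*" match a suffix, anything else is a literal host name), so you can confirm before restarting exim that the canonical smarthost name behind the alias, not the alias itself, yields credentials. The file contents and the "host" output are constructed samples mirroring the text above.

```python
import re
from typing import Iterator, Optional, Tuple

# Constructed sample of /etc/exim4/passwd.client (not a real credential file).
# Format per line: host-key:login:password
SAMPLE_PASSWD_CLIENT = """\
# exim4 passwd.client -- constructed example
^smtp.*\\.hostname\\.dom:username@hostname.dom:password
*.example.net:user@example.net:secret
mail.literal.test:lit:pw
"""

# Constructed output of "host smtp.hostname.dom", as shown in the text above.
SAMPLE_HOST_OUTPUT = """\
smtp.hostname.dom is an alias for smtp99.hostname.dom.
smtp99.hostname.dom has address 123.234.123.89
"""


def canonical_name(host_output: str, name: str) -> str:
    """Follow "X is an alias for Y." lines until the canonical host name is
    reached; exim authenticates against that name, not against the alias."""
    aliases = {}
    for line in host_output.splitlines():
        m = re.match(r"^(\S+) is an alias for (\S+?)\.?$", line)
        if m:
            aliases[m.group(1)] = m.group(2)
    seen = set()
    while name in aliases and name not in seen:
        seen.add(name)
        name = aliases[name]
    return name


def parse_passwd_client(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, login, password) triples; '#' lines and blanks are skipped.
    The password may itself contain ':', so split at most twice."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2]


def key_matches(key: str, host: str) -> bool:
    """nwildlsearch key semantics: '^' regex, '*' suffix, else literal.
    Matching is case-insensitive, as exim's lsearch family is."""
    if key.startswith("^"):
        return re.match(key, host, re.IGNORECASE) is not None
    if key.startswith("*"):
        return host.lower().endswith(key[1:].lower())
    return key.lower() == host.lower()


def lookup_credentials(text: str, host: str) -> Optional[Tuple[str, str]]:
    """Return (login, password) for the first line whose key matches host."""
    for key, login, password in parse_passwd_client(text):
        if key_matches(key, host):
            return login, password
    return None


def check_smarthost(text: str, host_output: str, smarthost: str) -> str:
    """Report whether passwd.client yields credentials for the host name exim
    actually connects to. The password itself is never printed."""
    canon = canonical_name(host_output, smarthost)
    creds = lookup_credentials(text, canon)
    if creds is None:
        return f"NO MATCH: {canon} (canonical name of {smarthost}) has no entry"
    return f"OK: {canon} -> login {creds[0]} (password not shown)"


if __name__ == "__main__":
    print(check_smarthost(SAMPLE_PASSWD_CLIENT, SAMPLE_HOST_OUTPUT, "smtp.hostname.dom"))
```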

[Tip] Tip

Local customization file /etc/exim4/exim4.conf.localmacros may be created to set MACROs. For example, Yahoo's mail service is said to require "MAIN_TLS_ENABLE = true" and "AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS=yes" in it.

[Note] Note

Please read the official guide at: /usr/share/doc/exim4-base/README.Debian.gz and update-exim4.conf(8).

[Caution] Caution

You should execute update-exim4.conf(8) after updating exim4 configuration files in /etc/exim4.

7.2.3.2. The configuration of postfix with SASL

For Internet via smarthost, you should first read postfix documentation and key manual pages:

Table 7.4.  List of important postfix manual pages

command       function
------------  ----------------------------------
postfix(1)    Postfix control program
postconf(1)   Postfix configuration utility
postconf(5)   Postfix configuration parameters
postmap(1)    Postfix lookup table maintenance
postalias(1)  Postfix alias database maintenance


You (re)configure the postfix and sasl2-bin packages as follows:

$ sudo /etc/init.d/postfix stop
$ sudo dpkg-reconfigure postfix

  • Choose "Internet with smarthost".

  • Set "SMTP relay host (blank for none):" to "[smtp.hostname.dom]:587".

$ sudo postconf -e 'smtp_sender_dependent_authentication = yes'
$ sudo postconf -e 'smtp_sasl_auth_enable = yes'
$ sudo postconf -e 'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd'
$ sudo postconf -e 'smtp_sasl_type = cyrus'
$ sudo vim /etc/postfix/sasl_passwd

  • Create password entries for the smarthost.

$ cat /etc/postfix/sasl_passwd
[smtp.hostname.dom]:587     username:password
$ sudo postmap hash:/etc/postfix/sasl_passwd
$ sudo /etc/init.d/postfix start

Here the use of [ ] in the dpkg-reconfigure dialogue and in /etc/postfix/sasl_passwd ensures that the MX record is not looked up and the exact host name specified is used directly. Read more under "Enabling SASL authentication in the Postfix SMTP client" in /usr/share/doc/postfix/html/SASL_README.html.

7.2.3.3. The mail address configuration

There are a few mail address configuration files for mail transport, delivery and user agents.

Table 7.5.  List of mail address related configuration files.

file                  function                               application
--------------------  -------------------------------------  ----------------------------------------------------------------
/etc/mailname         default host name for (outgoing) mail  Debian specific, mailname(5)
/etc/email-addresses  host name spoofing for outgoing mail   exim(8) specific, exim4-config_files(5)
/etc/postfix/generic  host name spoofing for outgoing mail   postfix(1) specific, activated after postmap(1) command execution
/etc/aliases          account name alias for incoming mail   general, activated after newaliases(1) command execution


The mailname in the /etc/mailname file is usually a fully qualified domain name (FQDN) that resolves to one of the host's IP addresses. For a mobile workstation which does not have a host name with a resolvable IP address, set this mailname to the value of "hostname -f". (This is a safe choice and works for both exim4-* and postfix.)

[Tip] Tip

The contents of /etc/mailname are used by many non-MTA programs for their default behavior. For mutt, set the "hostname" and "from" variables in the ~/.muttrc file to override the mailname value. For devscripts package programs such as bts and dch, export the environment variables "DEBFULLNAME" and "DEBEMAIL" to override it.

When setting the mailname to "hostname -f", spoofing of the source mail address via the MTA can be realized by:

  • /etc/email-addresses file for exim4(8) as explained in the exim4-config_files(5), and

  • /etc/postfix/generic file for postfix(1) as explained in the generic(5).

For postfix, the following extra steps are needed:

# postmap hash:/etc/postfix/generic
# postconf -e 'smtp_generic_maps = hash:/etc/postfix/generic'
# postfix reload

You can check the resulting address rewriting using:

  • exim(8) with -brw, -bf, -bF, -bV, ... options.

  • postmap(1) with -q option.

[Tip] Tip

Exim comes with several utility programs such as exiqgrep(8) and exipick(8). See "dpkg -L exim4-base|grep man8/" for available commands.

7.2.4. Tips for managing the mail

7.2.4.1. Basic MTA operations

There are several basic MTA operations. Some may be performed via sendmail(1) compatibility interface.

Table 7.6.  List of basic MTA operation.

exim command         postfix command                          description
-------------------  ---------------------------------------  --------------------------------------------------------------
sendmail             sendmail                                 Read mail from standard input and arrange for delivery. (-bm)
mailq                mailq                                    List the mail queue with status and queue ID. (-bp)
newaliases           newaliases                               Initialize alias database. (-I)
exim4 -q             postqueue -f                             flush waiting mail (-q)
exim4 -qf            postsuper -r ALL deferred; postqueue -f  flush all mail
exim4 -qff           postsuper -r ALL; postqueue -f           flush even frozen mail
exim4 -Mg queue_id   postsuper -h queue_id                    freeze one message by its queue ID
exim4 -Mrm queue_id  postsuper -d queue_id                    remove one message by its queue ID
---                  postsuper -d ALL                         remove all messages


For the scripts in /etc/ppp/ip-up.d/*, "flush all mail" may be a good idea.

7.2.4.2. Basic MUA -- Mutt

Use mutt as the mail user agent (MUA) in combination with vim. Customize with ~/.muttrc; for example:

# use visual mode and "gq" to reformat quotes
set editor="vim -c 'set tw=72 et ft=mail'"
#
# header weeding taken from the manual (Sven's Draconian header weeding)
#
ignore *
unignore from: date subject to cc
unignore user-agent x-mailer
hdr_order from subject to cc date user-agent x-mailer
set hostname=spoof.example.org
set from="First Last <username@example.org>"
....

Add the following to /etc/mailcap or $HOME/.mailcap to display HTML mail and MS Word attachments inline:

text/html; lynx -force_html %s; needsterminal;
application/msword; /usr/bin/antiword '%s'; copiousoutput; description="Microsoft Word Text"; nametemplate=%s.doc

7.2.4.3. Redeliver mbox contents

You need to deliver mail manually from /var/mail/<username> to the sorted mailboxes in your home directory if your home directory became full and procmail failed. After freeing disk space in the home directory, run:

# /etc/init.d/${MAILDAEMON} stop
# formail -s procmail </var/mail/<username>
# /etc/init.d/${MAILDAEMON} start

7.2.5. Choices of software for the mail

For mail system programs, there are many alternatives developed with different priorities. Here is an overview.

7.2.5.1. MTA

Table 7.7.  List of MTA.

package             popcon          size  capability
------------------  --------------  ----  ---------------------------------------------------
exim4-daemon-light  V:57, I:67      928   full
postfix             V:15, I:17      3196  full (security)
exim4-daemon-heavy  V:1.8, I:2      1040  full (flexible)
sendmail-bin        V:2, I:2        2080  full (only if you are already familiar)
nullmailer          V:0.6, I:0.8    452   stripped down, no local mail
ssmtp               V:0.8, I:1.2    8     stripped down, no local mail
nbsmtp              V:0.3, I:0.4    120   ?
courier-mta         V:0.2, I:0.2    4004  very full (web interface etc.)
xmail               V:0.15, I:0.19  824   light
masqmail            V:0.05, I:0.07  568   light
esmtp               V:0.08, I:0.2   156   light
esmtp-run           V:0.06, I:0.09  8     light (sendmail compatibility extension to esmtp)
msmtp               V:0.2, I:0.6    336   light
msmtp-mta           V:0.06, I:0.10  52    light (sendmail compatibility extension to msmtp)


7.2.5.2. MUA

If you subscribe to Debian related mailing lists, it may be a good idea to use an MUA such as mutt or gnus, which are the de facto standard among participants and known to behave as expected.

Table 7.8.  List of MUA.

package    popcon         size   type
---------  -------------  -----  ------------------------------------
iceweasel  V:31, I:59     3960   X GUI (unbranded Firefox)
evolution  V:17, I:45     9324   X GUI (part of a groupware suite)
icedove    V:9, I:14      38108  X GUI (unbranded Thunderbird)
mutt       V:21, I:84     5396   character terminal probably with vim
gnus       V:0.04, I:0.7  6272   character terminal under (x)emacs


7.2.5.3. The remote mail retrieval and forward utility

Table 7.9.  List of remote mail retrieval and forward utilities.

package     popcon          size  capability
----------  --------------  ----  -------------------------------------------------------
fetchmail   V:3, I:7        1812  mail retriever (POP3, APOP, IMAP) (de facto)
getmail4    V:0.2, I:0.6    632   mail retriever (POP3, IMAP4, and SDPS)
mailfilter  V:0.02, I:0.08  352   mail retriever (POP3) with regex filtering capability
mpop        V:0.02, I:0.06  360   mail retriever (POP3) and MDA with filtering capability


fetchmail is the current de facto standard remote mail retrieval utility. The SysV init script /etc/init.d/fetchmail starts a fetchmail daemon running as the user fetchmail to fetch mail from multiple POP3 accounts on multiple ISPs, if the configuration file /etc/fetchmailrc is present on the system. If the configuration file is not present, nothing is started.

[Note] Note

If your email headers are contaminated by ^M due to your ISP's mailer, add "stripcr" to your options in $HOME/.fetchmailrc:

options fetchall no keep stripcr

7.2.5.4. MDA

Table 7.10.  List of MDA.

package    popcon        size  description
---------  ------------  ----  --------------------------------------
procmail   V:16, I:87    360   MDA with filter (de facto)
mailagent  V:0.4, I:6    1688  MDA with perl filter
maildrop   V:0.4, I:0.8  1040  MDA with structured filtering language


The procmail is the current de facto standard for the mail filter utility. One needs to create $HOME/.procmailrc for each account that uses it. For example:

# All delivery to Qmail style Maildir.  i.e. followed by /
# No lock needed
MAILDIR=$HOME/Mail
DEFAULT=$MAILDIR/Inbox/
LOGFILE=$MAILDIR/Maillog

:0
* ^Resent-Sender.*debian-devel-request@lists.debian.org
debian-devel/

:0
Inbox/

7.2.5.5. POP3/IMAP4 server

If you are going to run a private server on a LAN, you may consider running a POP3 / IMAP4 server for delivering mail to LAN clients.

Table 7.11.  List of POP3/IMAP4 servers.

package          popcon          size  type  description
---------------  --------------  ----  ----  ----------------------------------------------------------
qpopper          V:1.2, I:5      644   POP3  Qualcomm enhanced version
courier-pop      V:1.0, I:2      232   POP3  support only the maildir format
ipopd            V:0.15, I:0.2   204   POP3  formerly part of the University of Washington IMAP package
cyrus-pop3d-2.2  V:0.16, I:0.3   856   POP3  part of the Cyrus IMAPd suite
xmail            V:0.15, I:0.19  824   POP3  ESMTP/POP3 mail server
courier-imap     V:3, I:4        1604  IMAP  This provides access to email stored in Maildirs
uw-imapd         V:1.0, I:5      272   IMAP  the University of Washington IMAP
cyrus-imapd-2.2  V:0.5, I:0.7    2636  IMAP  part of the Cyrus IMAPd suite


7.3. The print server and utility

In old Unix-like systems, the BSD Line printer daemon was the standard. Since the standard print output format of free software on Unix-like systems is PostScript, a filter system was used along with Ghostscript to enable printing to non-PostScript printers.

Recently, the Common UNIX Printing System (CUPS) has become the new de facto standard. CUPS uses the Internet Printing Protocol (IPP). IPP is now supported by other OSs such as Windows XP and Mac OS X and has become the new cross-platform de facto standard for remote printing with bi-directional communication capability.

The standard printable data format for applications on the Debian system is PostScript (PS), which is a page description language. Data in PS format is fed into the Ghostscript PostScript interpreter to produce printable data specific to the printer. See: Section 12.3.1, “The Ghostscript”.

Thanks to the file format dependent auto-conversion feature of the CUPS system, simply feeding any data to the lpr command should generate the expected print output. (In CUPS, lpr can be enabled by installing the cups-bsd package.)

The Debian system has a few notable packages for print servers and utilities:

Table 7.12.  List of print servers and utilities.

package                 popcon        size   function                                                                                                      port
----------------------  ------------  -----  ------------------------------------------------------------------------------------------------------------  --------------
lpr                     V:3, I:4      440    BSD lpr/lpd (Line printer daemon)                                                                             printer (515)
lprng                   V:1.2, I:1.4  3016   BSD lpr/lpd (Line printer daemon) (Enhanced)                                                                  printer (515)
cups                    V:18, I:23    10556  Internet Printing CUPS server                                                                                 IPP (631)
cups-client             V:7, I:24     412    System V printer commands for CUPS: lp(1), lpstat(1), lpoptions(1), cancel(1), lpmove(8), lpinfo(8), lpadmin(8), ...  IPP (631)
cups-bsd                V:5, I:21     176    BSD printer commands for CUPS: lpr(1), lpq(1), lprm(1), lpc(8)                                               IPP (631)
cups-driver-gutenprint  V:4, I:15     1348   printer drivers for CUPS                                                                                      Not applicable


[Tip] Tip

You can configure CUPS system by pointing your web browser to "http://localhost:631/" .

7.4. The remote access server and utility (SSH)

The Secure SHell (SSH) is the secure way to connect over the Internet. A free version of SSH called OpenSSH is available as the ssh package in Debian.

Table 7.13.  List of remote access server and utilities.

package                 popcon         size  tool                    comment
----------------------  -------------  ----  ----------------------  ------------------------------------------------
openssh-client          V:54, I:98     2080  ssh                     Secure shell client
openssh-server          V:60, I:72     812   sshd                    Secure shell server
ssh-askpass-fullscreen  V:0.11, I:0.5  92    ssh-askpass-fullscreen  asks user for a pass phrase for ssh-add (GNOME2)
ssh-askpass             V:0.6, I:4     156   ssh-askpass             asks user for a pass phrase for ssh-add (plain X)


[Tip] Tip

Please use the screen(1) program to enable a remote shell process to survive an interrupted connection (see Section 10.1, “The screen program”).

[Caution] Caution

See Section 5.7.3, “Extra security measures for the Internet” if your SSH server is accessible from the Internet.

7.4.1. Basics of SSH

/etc/ssh/sshd_not_to_be_run must not be present if one wishes to run the OpenSSH server.

SSH has two authentication protocols:

Table 7.14.  List of SSH authentication protocols and methods.

SSH protocol  SSH method                       description
------------  -------------------------------  -------------------------------------------------------------------------------------------------------
SSH-1         RSAAuthentication                RSA identity key based user authentication
SSH-1         RhostsAuthentication             .rhosts based host authentication (insecure, disabled)
SSH-1         RhostsRSAAuthentication          .rhosts authentication combined with RSA host key (disabled)
SSH-1         ChallengeResponseAuthentication  RSA challenge-response authentication
SSH-1         PasswordAuthentication           password based authentication
SSH-2         PubkeyAuthentication             public key based user authentication
SSH-2         HostbasedAuthentication          .rhosts or /etc/hosts.equiv authentication combined with public key client host authentication (disabled)
SSH-2         ChallengeResponseAuthentication  challenge-response authentication
SSH-2         PasswordAuthentication           password based authentication


Be careful about these differences if you are using a non-Debian system.

See /usr/share/doc/ssh/README.Debian.gz, ssh(1), sshd(8), ssh-agent(1), and ssh-keygen(1) for details.

Following are the key configuration files:

Table 7.15.  List of SSH configuration files.

configuration file          function
--------------------------  ------------------------------------------------------------------------------------------
/etc/ssh/ssh_config         SSH client defaults. See ssh_config(5).
/etc/ssh/sshd_config        SSH server defaults. See sshd_config(5).
$HOME/.ssh/authorized_keys  the list of the default public SSH keys that clients use to connect to this account on this host
$HOME/.ssh/identity         secret SSH-1 RSA key of the user
$HOME/.ssh/id_rsa           secret SSH-2 RSA key of the user
$HOME/.ssh/id_dsa           secret SSH-2 DSA key of the user


[Tip] Tip

See ssh-keygen(1), ssh-add(1) and ssh-agent(1) for how to use public and secret SSH keys.

The following will start an ssh(1) connection from a client.

Table 7.16.  List of SSH client startup examples.

command                                                                   description
------------------------------------------------------------------------  -------------------------------------------------
ssh username@hostname.domain.ext                                          connect with default mode
ssh -v username@hostname.domain.ext                                       connect with default mode with debugging messages
ssh -1 username@hostname.domain.ext                                       force to connect with SSH version 1
ssh -1 -o RSAAuthentication=no -l username hostname.domain.ext            force to use password with SSH version 1
ssh -o PreferredAuthentications=password -l username hostname.domain.ext  force to use password with SSH version 2


If you use the same user name on the local and the remote host, you can eliminate typing "username@". Even if you use a different user name on the local and the remote host, you can eliminate it using "~/.ssh/config". For the Debian Alioth service with account name "foo-guest", you set "~/.ssh/config" to contain:

Host alioth.debian.org svn.debian.org git.debian.org
    User foo-guest

For the user, ssh(1) functions as a smarter and more secure telnet(1). Unlike telnet command, ssh command does not bomb on the telnet escape character (initial default CTRL-]).

7.4.2. Port forwarding for SMTP/POP3 tunneling

To establish a pipe from port 4025 of localhost to port 25 of remote-server, and from port 4110 of localhost to port 110 of remote-server through ssh, execute on the local machine:

# ssh -q -L 4025:remote-server:25 -L 4110:remote-server:110 username@remote-server

This is a secure way to make connections to SMTP/POP3 servers over the Internet. Set the AllowTcpForwarding entry to yes in /etc/ssh/sshd_config of the remote host.

7.4.3. Connecting with fewer passwords -- RSA

One can avoid having to remember a password for each remote system by using RSAAuthentication (SSH-1 protocol) or PubkeyAuthentication (SSH-2 protocol).

On the remote system, set the respective entries, "RSAAuthentication yes" or "PubkeyAuthentication yes", in /etc/ssh/sshd_config.

Then generate authentication keys locally and install the public key on the remote system:

  • RSAAuthentication: RSA1 key for SSH-1 (deprecated because superseded)

$ ssh-keygen
$ cat .ssh/identity.pub | ssh user1@remote "cat - >>.ssh/authorized_keys"

  • PubkeyAuthentication: RSA key for SSH-2

$ ssh-keygen -t rsa
$ cat .ssh/id_rsa.pub | ssh user1@remote "cat - >>.ssh/authorized_keys"

  • PubkeyAuthentication: DSA key for SSH-2 (deprecated because the key is smaller and slow; also see DSA-1571-1)

$ ssh-keygen -t dsa
$ cat .ssh/id_dsa.pub | ssh user1@remote "cat - >>.ssh/authorized_keys"

[Note] Note

There is no longer any reason to work around the RSA patent by using DSA, since the patent has expired. DSA stands for Digital Signature Algorithm and is slow.

One can change the pass phrase later with "ssh-keygen -p". Make sure to verify settings by testing the connection. In case of any problem, use "ssh -v".

You can add options to the entries in authorized_keys to limit hosts and to run specific commands. See sshd(8) for details.

Note that SSH-2 has HostbasedAuthentication. For this to work, you must adjust the settings of HostbasedAuthentication to yes in both /etc/ssh/sshd_config on the server machine and /etc/ssh/ssh_config or $HOME/.ssh/config on the client machine.

7.4.4. Dealing with alien SSH clients

There are a few free SSH clients available for other platforms.

Table 7.17.  List of free SSH clients for other platforms.

environment        free SSH program
-----------------  -----------------------------------------------------------------
Windows            puTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/) (GPL)
Windows (cygwin)   SSH in cygwin (http://www.cygwin.com/) (GPL)
Macintosh Classic  macSSH (http://www.macssh.com/) (GPL)
Mac OS X           OpenSSH; use ssh in the Terminal application (GPL)


7.4.5. Setting up ssh-agent

It is safer to protect your SSH authentication key with a pass phrase. If it was not set, use ssh-keygen -p to set it.

Place your public key (e.g. ~/.ssh/id_rsa.pub) into ~/.ssh/authorized_keys on a remote host using a password-based connection to the remote host as described above.

$ ssh-agent bash
$ ssh-add ~/.ssh/id_rsa
Enter passphrase for /home/osamu/.ssh/id_rsa:
Identity added: /home/osamu/.ssh/id_rsa (/home/osamu/.ssh/id_rsa)

  • No passphrase is needed from here on, e.g.:

$ scp foo user@remote.host:foo

  • No password is requested.

  • Press ^D to terminate the ssh-agent session.

For the X server, the normal Debian startup script executes ssh-agent as the parent process, so you only need to execute ssh-add once. For more, read ssh-agent(1) and ssh-add(1).

7.4.6. Troubleshooting SSH

If you have problems, check the permissions of configuration files and run ssh with the "-v" option.

Use the "-P" option if you are root and have trouble with a firewall; this avoids the use of server ports 1--1023.

If ssh connections to a remote site suddenly stop working, it may be the result of tinkering by the sysadmin, most likely a change of the host key during system maintenance. After making sure this is the case and nobody is trying to fake the remote host by some clever hack, one can regain a connection by removing the host key entry from $HOME/.ssh/known_hosts on the local machine.
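Before deleting a known_hosts entry, compare the stored host key with the key the server presents now (from "ssh-keyscan -t <type> host", or a key line the remote administrator published through another channel). The following added example, which is not part of the Debian Reference, does that fingerprint comparison offline on constructed entries, including the hashed-hostname form written when HashKnownHosts is yes (the Debian /etc/ssh/ssh_config default); the key blobs are made-up bytes, not real keys.

```python
import base64
import hashlib
import hmac
from typing import List, Tuple

# Constructed known_hosts material. Fingerprinting only needs the raw blob
# bytes, so these blobs do not have to be (and are not) real public keys.
SALT = b"constructed-20B-salt"  # 20 bytes; OpenSSH uses a random salt
BLOB_A = base64.b64encode(b"constructed host key blob A (not a key)").decode()
BLOB_B = base64.b64encode(b"constructed host key blob B (not a key)").decode()


def hashed_hostname(host: str, salt: bytes) -> str:
    """The "|1|salt|hmac" host field OpenSSH writes: HMAC-SHA1 keyed by the
    salt over the host name, both base64 encoded."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def build_sample_known_hosts() -> str:
    """One plain entry (name plus address) and one hashed entry."""
    return (f"remote.example,192.0.2.10 ssh-rsa {BLOB_A}\n"
            f"{hashed_hostname('hashed.example', SALT)} ssh-ed25519 {BLOB_B}\n")


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_field_matches(field: str, host: str) -> bool:
    """A host field is a comma-separated list of names/addresses, or a hashed
    "|1|salt|hmac" value that we recompute for the host being checked."""
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|", 3)
        recomputed = hashed_hostname(host, base64.b64decode(salt_b64))
        return hmac.compare_digest(recomputed, field)
    return host in field.split(",")


def known_keys(known_hosts: str, host: str) -> List[Tuple[str, str]]:
    """(keytype, fingerprint) for every line that covers host. Comment lines
    and @cert-authority / @revoked marker lines are skipped; the latter need
    certificate semantics this checker does not model."""
    found = []
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue
        if host_field_matches(parts[0], host):
            found.append((parts[1], fingerprint(parts[2])))
    return found


def compare_with_observed(known_hosts: str, host: str, observed_line: str) -> str:
    """observed_line is 'host keytype blob' as ssh-keyscan prints it.
    MATCH: stored key is current, leave it. CHANGED: the stored key differs;
    confirm the change out of band before removing the entry.
    UNKNOWN: nothing stored for this host and key type."""
    _, keytype, blob = observed_line.split()[:3]
    stored = [fp for kt, fp in known_keys(known_hosts, host) if kt == keytype]
    if not stored:
        return "UNKNOWN"
    return "MATCH" if fingerprint(blob) in stored else "CHANGED"


if __name__ == "__main__":
    kh = build_sample_known_hosts()
    print(compare_with_observed(kh, "remote.example", f"remote.example ssh-rsa {BLOB_A}"))
    print(compare_with_observed(kh, "remote.example", f"remote.example ssh-rsa {BLOB_B}"))
```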

7.5. Other network application servers

Table 7.18.  List of other network application servers.

package              popcon         size   protocol  focus
-------------------  -------------  -----  --------  ----------------------------------------------
telnetd              V:0.5, I:1.4   156    TELNET    TELNET server
telnetd-ssl          V:0.19, I:0.5  204    TELNET    TELNET server (SSL support)
nfs-kernel-server    V:13, I:23     396    NFS       Unix file sharing
nfs-user-server      V:0.6, I:1.0   292    NFS       Unix file sharing
samba                V:19, I:34     12380  SMB       windows file and printer sharing
netatalk             V:5, I:11      2304   ATP       apple/mac file and printer sharing (AppleTalk)
proftpd              V:5, I:9       196    FTP       general file download
wu-ftpd              V:0.6, I:0.8   820    FTP       general file download
apache2-mpm-prefork  V:34, I:40     572    HTTP      general web server
apache2-mpm-worker   V:5, I:6       580    HTTP      general web server
squid                V:5, I:6       1816   HTTP      general web proxy server
squid3               V:0.8, I:1.0   2444   HTTP      general web proxy server
slpd                 V:0.2, I:0.4   228    SLP       OpenSLP Server as LDAP server
bind9                V:10, I:17     768    DNS       IP address for other hosts
dhcp3-server         V:4, I:8       804    DHCP      IP address of client itself


Common Internet File System Protocol (CIFS) is the same protocol as Server Message Block (SMB).

[Tip] Tip

Use of a proxy server such as squid is much more efficient for saving bandwidth than use of a local mirror server with the full Debian archive contents.

7.6. Other network application clients

Table 7.19.  List of network application clients.

package       popcon         size   protocol      focus
------------  -------------  -----  ------------  ----------------------------------------------------
netcat        V:4, I:83      36     TCP/IP        TCP/IP swiss army knife
stunnel4      V:0.5, I:1.6   504    SSL           Universal SSL Wrapper
telnet        V:13, I:90     200    TELNET        TELNET client
telnet-ssl    V:0.3, I:1.3   244    TELNET        TELNET client (SSL support)
nfs-common    V:50, I:82     564    NFS           Unix file sharing
smbclient     V:5, I:40      18876  SMB           MS windows file and printer sharing client
smbfs         V:4, I:27      4168   SMB           Mount and umount commands for remote MS windows file
ftp           V:10, I:87     160    FTP           FTP client
lftp          V:1.3, I:6     1712   FTP           FTP client
ncftp         V:1.7, I:8     1164   FTP           Full screen FTP client
wget          V:28, I:99     1944   HTTP and FTP  Web downloader
curl          V:4, I:18      320    HTTP and FTP  Web downloader
dog           V:0.08, I:0.3  76     HTTP          Web uploader (cat with URL support)
bind9-host    V:42, I:90     172    DNS           The host command from bind9, priority standard
dnsutils      V:12, I:91     388    DNS           The dig command from bind, priority standard
host          V:1.3, I:3     180    DNS           The host command from dnsutils, priority extra
dhcp3-client  V:48, I:92     608    DHCP          Obtain IP address
ldap-utils    V:1.5, I:7     588    LDAP          Obtain data from LDAP server


7.7. The diagnosis of the system daemons

The telnet program enables manual connection to and diagnosis of the system daemons. E.g.:

$ telnet mail.ispname.net pop3

The following RFCs provide the knowledge required to test each system daemon.

Table 7.20.  List of popular RFCs.

RFC                  description
-------------------  --------------------------------------------
rfc1939 and rfc2449  POP3 service
rfc3501              IMAP4 service
rfc2821 (rfc821)     SMTP service
rfc2822 (rfc822)     Mail file format
rfc2045              Multipurpose Internet Mail Extensions (MIME)
rfc819               DNS service
rfc2616              HTTP service
rfc2396              URI definition


The port usage is described in /etc/services.

[Note] Note

For testing TLS/SSL services such as HTTPS, you need a TLS/SSL-enabled telnet program.
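The manual "telnet mail.ispname.net pop3" dialogue above, done programmatically, as an added example that is not part of the Debian Reference: talk() reads the greeting, sends POP3 commands and collects their status lines, and with use_tls=True does the same over a certificate-verified TLS connection, which covers the TLS/POP3 port 995 case the Note leaves to a TLS-enabled telnet. The POP3 server included here is a constructed stub so the script runs offline; point talk() at a real host and port to diagnose one.

```python
import socket
import socketserver
import ssl
import threading
from typing import List, Set

# POP3 commands whose "+OK" status is followed by a multi-line body that
# ends with a line holding a single "." (RFC 1939).
POP3_MULTILINE: Set[str] = {"CAPA", "LIST", "UIDL", "RETR", "TOP"}


def _readline(rd) -> str:
    return rd.readline().decode("ascii", "replace").rstrip("\r\n")


def talk(host: str, port: int, commands: List[str], use_tls: bool = False,
         timeout: float = 5.0, multiline: Set[str] = POP3_MULTILINE) -> List[str]:
    """Connect, read the greeting, send each command with CRLF and collect its
    status line. Returns [greeting, status1, status2, ...]."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        # The default context verifies the certificate chain and host name;
        # a diagnosis that skipped verification could be talking to a MITM.
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    transcript = []
    with sock, sock.makefile("rb") as rd:
        transcript.append(_readline(rd))  # server greeting
        for cmd in commands:
            sock.sendall(cmd.encode("ascii") + b"\r\n")
            status = _readline(rd)
            transcript.append(status)
            if status.startswith("+OK") and cmd.split()[0].upper() in multiline:
                while True:  # drain the body so the next status line is read cleanly
                    body = _readline(rd)
                    if body in (".", ""):
                        break
    return transcript


class FakePop3Handler(socketserver.StreamRequestHandler):
    """Constructed minimal POP3 responder, used only to exercise talk() offline."""

    def handle(self):
        self.wfile.write(b"+OK constructed POP3 server ready\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            words = line.decode("ascii", "replace").split()
            verb = words[0].upper() if words else ""
            if verb == "CAPA":
                self.wfile.write(b"+OK Capability list follows\r\nUSER\r\nSTLS\r\n.\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"+OK bye\r\n")
                return
            else:
                self.wfile.write(b"-ERR unknown command\r\n")


def start_fake_pop3():
    """Bind the constructed server on an ephemeral loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakePop3Handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_fake_pop3()
    try:
        for reply in talk("127.0.0.1", port, ["CAPA", "NOOP", "QUIT"]):
            print(reply)
    finally:
        srv.shutdown()
        srv.server_close()
```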