Introduction to SSH

What is ssh? How to compile and install ssh? ssh configuration. Securely execute commands on remote system. Transfer files securely. Use ssh tunnel to securely login into work system through firewall. Goals of the presentation

The Secure Shell It is a protocol not a product Software based approach to network security Encrypts the data sent between the computers Client/Server architecture Comes with all Linux distribution, Mac OS X, AIX, Sun Solaris, OpenBSD and other Unix variants Ported to other operating systems, such as Windows, Palm OS, Amiga, etc. Other clients, such as, scp, sftp, etc. are also available Replacement for telnet, rlogin, rsh, rcp, ftp, etc. What is SSH?

It is not a true shell like csh, ksh, sh, etc. It is not a command interpreter It creates secure channel for running commands on remote computer It is not a complete security solution It will not protect against trojans, viruses, etc. What SSH is NOT

In 1995, Tatu Ylönen, a researcher at Helsinki University designed the first version of the protocol (now called SSH-1) In July of 1995, he released SSH1 as free software In December of 1995 he formed SSH Communication Security to market and develop SSH In 1996 SSH-2 was developed, it was incompatible with SSH-1 SCS released SSH-2 in 1998 and had more restrictive license IETF formed group called SECSH to standardize the protocol OpenSSH, free implementation of SSH-2 protocol was released from OpenBSD project. In 2006 IETF SECSH group released SSH-2 as internet standard (RFC 4251) History

SSH - Generic term used for SSH protocols ssh - Client command for running remote command sshd - Server program SSH-1 - Version 1 of the protocol SSH-2 - Version 2 of the protocol OpenSSH - Product from open BSD project Terminology

SSH Architecture The brown fox jumped over the cow The brown fox jumped over the cow Anw@dc%9r&6cbditop*dekisn@h Network ??? ssh client ssh server Authentication

SSH Layers Ethernet Network Access Layer IP Internet Layer TCP Transport Layer ssh-transport Initial key exchange and server authentication, setup encryption ssh-userauth User authentication using public key, password, host based, etc. ssh-connection Session multiplexing, X11 and port forwarding, remote command execution, SOCKS proxy, etc. Application Layer

A cryptographic handshake is made with the server The connection between client and remote server is encrypted using symmetric cipher Client authenticates itself Client can now interact safely with remote server over encrypted connection SSH Connection Sequence

Strong encryption Strong authentication Authorization Integrity of communication Forwarding or tunneling SSH Features

Eavesdropping of data transmitted over the network Manipulation of data at intermediate elements in the network (e.g. routers) IP address spoofing where an attack hosts pretends to be a trusted host by sending packets with the source address of the trusted host DNS spoofing of trusted host names/IP addresses IP source routing SSH will protect against

Incorrect configuration or usage A compromised root account If you login from a host to a server and an attacker has control of root on either side, he/she can listen to your session by reading from the pseudo-terminal device, even though SSH is encrypted on the network, SSH must communicate in clear text with the terminal device Insecure home directories: if an attacker can modify files in your home directory (e.g. via NFS) he may be able to fool SSH SSH will not protect against

You may download the source from http://www.openssh.com/ Read installation instructions to check if you have pre-requisite packages and libraries. Downloading Source Code

gtar -xzf openssh-4.5p1.tar.gz cd openssh-4.5p1 ./configure make make install Building and installing OpenSSH

SSH has two different sets of configuration files System wide configuration files User specific configuration files SSH Configuration Files

The system wide configuration are stored in /etc/ssh directory ssh_config - Client configuration file. It is overridden by configuration file in user's home directory sshd_config - Configuration file for sshd server daemon ssh_host_dsa_key - The DSA private key used by the sshd daemon ssh_host_dsa_key.pub - The DSA public key used by the sshd daemon ssh_host_rsa_key - The RSA private key used by the sshd daemon for version 2 of the SSH protocol ssh_host_rsa_key.pub - The RSA public key used by the sshd for version 2 of the SSH protocol System wide configuration files

sshd.pid - Server's PID is stored in this file System wide configuration files

The user specific configuration files are stored in ~UserName/.ssh directory authorized_keys2 - This file holds a list of authorized public keys for users. When the client connects to a server, the server authenticates the client by checking its signed public key stored within this file id_dsa - Contains the DSA private key of the user id_dsa.pub - The DSA public key of the user id_rsa - The RSA private key of the user id_rsa.pub - The RSA public key of the user known_hosts - This file contains DSA host keys of SSH servers accessed by the user. This file is very important for ensuring that the SSH client is connecting the correct SSH server User specific configuration files

config - Client configuration file User specific configuration files

Specify authentication methods supported Specify SSH protocols supported Need to make trade-offs between security and easy-of use Behavior of the server can be controlled in following order: Compiling time configuration Configuration file Command line options Configuration files

IMPORTANT The ~/.ssh directory and the files in it must be owned by user and must be unreadable by anybody else. The ssh server will simply ignore the files with incorrect permissions. chmod -R og= ~/.ssh Configuration Permissions

ssh authenticates users using key pairs private key public key Key pairs

ssh-keygen - Create key pairs ssh-agent - Holds private key in memory ssh-add - Adds key to the key agent Key management commands

shahhe@kubuntu1:~$ ssh-keygen -t dsa Generating public/private dsa key pair. Enter file in which to save the key (/home/shahhe/.ssh/id_dsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/shahhe/.ssh/id_dsa. Your public key has been saved in /home/shahhe/.ssh/id_dsa.pub. The key fingerprint is: 99:51:ac:02:10:0c:d4:55:09:cc:86:36:cf:59:d0:33 Generating key pairs

shahhe@kubuntu1:~$ cat ~/.ssh/id_dsa -----BEGIN DSA PRIVATE KEY----- MIIBuwIBAAKBgQDPmC7jSBnJMoQ8o6/cF4GUDP/gsCqonA0UGs2g/92N8qVTxxZg U3MgZAQ96FAsaGKFDfsxoqbp1eXX7IXUS+erPOMQnDtbooLgZN3VpvStvV/hulnn HoFJoDmoE5MnrY0Su93jZe2mPp4hOrYYQu0/8r3YRFtAzz6TCauHFxO4DQIVAJYo apGVvbg8J1rAefSBReOef/iXAoGBAJUXbyDtR0wpyz5UKT11FmVS/a34ST9Lfzld OjR38c9sRCf8klRZ6IuqoLUZZ3jSo56+SRsraFQReCB5GLWPx5qKzHz9xi9XFseT aCb3Qh70EbiP3uAFqnTvk2K8voKC4dNIEXZ7SZXZUsWBImLaYXf/scvL7fMlMy9d fCMf8By2AoGAGEdK17lrlD7zfWUVyJm+26ZaQ/QU4Yhff6Cfoe1lnq/1UmT6SEVf SZWsj9n8fj7Ez8l03gU/g+otZXDcsS6OmNMooWkADIbkHfQ6oeoK1h/3z0hV8TY4 HnOtMZuHJMf1LPFNvINbenLS+qldGvi19aTxZUkcQJiHdpr6GR3jn9cCFE9xHd8q Y8klJEyIPYK+KQ4UrbhZ -----END DSA PRIVATE KEY----- Generating key pairs

shahhe@kubuntu1:~$ cat ~/.ssh/id_dsa.pub ssh–dss AAAAB3NzaC1kc3MAAACBAM+YLuNIGckyhDyjr9wXgZQM/+CwKqicDRQazaD/3Y3ypVPHFmBTcyBkBD3oUCxoYoUN+zGipunV5dfshdRL56s84xCcO1uiguBk3dWm9K29X+G6WecegUmgOagTkyetjRK73eNl7aY+niE6thhC7T/yvdhEW0DPPpMJq4cXE7gNAAAAFQCWKGqRlb24PCdawHn0gUXjnn/4lwAAAIEAlRdvIO1HTCnLPlQpPXUWZVL9rfhJP0t/OV06NHfxz2xEJ/ySVFnoi6qgtRlneNKjnr5JGytoVBF4IHkYtY/HmorMfP3GL1cWx5NoJvdCHvQRuI/e4AWqdO+TYry+goLh00gRdntJldlSxYEiYtphd/+xy8vt8yUzL118Ix/wHLYAAACAGEdK17lrlD7zfWUVyJm+26ZaQ/QU4Yhff6Cfoe1lnq/1UmT6SEVfSZWsj9n8fj7Ez8l03gU/g+otZXDcsS6OmNMooWkADIbkHfQ6oeoK1h/3z0hV8TY4HnOtMZuHJMf1LPFNvINbenLS+qldGvi19aTxZUkcQJiHdpr6GR3jn9c= shahhe@kubuntu1 Generating key pairs

shahhe@kubuntu1:~$ ssh [email_address] Last login: Mon Jun 18 21:26:33 2007 from d47-69-253-190. * Problems? Questions? Email: [email_address] * Type "whatsup" to see information posted to our "What's Up?" page. You have mail. You have 17 read messages. You have no new mail. /home/customer/shah {shah@typhoon} 1> Logging into remote system

shahhe@kubuntu1:~$ scp .profile shah@xnet.com:tmp/profile.kubuntu .profile 100% 566 0.6KB/s 00:00 shahhe@kubuntu1:~$ scp shah@xnet.com:tmp/profile.kubuntu tmp/. profile.kubuntu 100% 566 0.6KB/s 00:00 Copying file to remote system

shahhe@kubuntu1:~$ ssh shah@xnet.com ls Mail News bin mail public_html tmp Executing commands on remote system

shahhe@kubuntu1:~$ ssh -Y shah@xnet.com /opt/sfw/bin/xterm Executing commands on remote system

To force an execution of a command use command keyword in authorized_key2 file. command="~/bin/DumpEmpNames",no-port-forwarding ssh-dss AAAAB3NzaC1kc3MAAACBAIB8B1MvYlWnVeyPE6bMwrTr1OM8O2HXiQQKq9801qfmOf9x3QYZzXVFegdNYDtN4o1sr6T7bmCNvOTC7sZoglaFIbfQoHfmIexabVyzxin/2d2Juof7YU53Zrx1BjHKzqQpCj6jx7FxjPqlLD0BvL9R3qoPIpJ6Jt0YvYAe4Zj9AAAAFQDoejxCMgfZ0O/Zxwxn3mFidTpogQAAAIBDQvrhRsDFhA1UUkBO203pVujfnNYF7X58mD/WPGZ+Z4aR8dGuD21X7hC6M8ko9a9wLLYigELSkUiWpsVZ/NJyBxhrCCD3YCNXeltJ7L0KaWGP96H2KkDtYsP7RMhAmztVpmlOrPzXbIpU3jpq8dRJqUksG8mq2dbXPBWgh9xHyQAAAIBG9iwGfjPLDTH1niXk5tbZQUuEGkGZzCaBw8jJlKPXMWeE7rVmBXV5sC/zhcX3OAXUNj8OUpafxFZxbxtmnzIgnehWduWTWmiQPOi2f8oV9fCulpFnYWGNn4V4hmqDlScWNoIe3ObV05WTerdyJAY8bv2Zfh9EJGEJvFFerdur/g== Key for Dumping active user names. Force execution of command

Execute command as follows: ssh -i ~/keys/DumpEmpNames.dsa user@remotehost Force execution of command

Options for authorized_keys2 file Disable X11 forwarding no-x11-forwarding Do not allocate TTY no-pty Disable port forwarding no-port-forwarding Disable forwarding agent no-agent-forwarding Limit incoming hosts from="host or ip address" Set environment variable environment="variable=value" Specify a force command command="command name" Meaning Option

Port forwarding Insecure Client App Server App ssh client ssh server Secure

Create SSH tunnel ssh -f -N -L10112:localhost:80 www.example.com Add to ~/.ssh/config file and run ssh command Host webtunnel User shahhe Hostname www.example.com LocalForward 10112 www.example.com:80 ssh -f -N webtunnel Port forwarding

Start application using port on localhost firefox http://localhost:10112 Port forwarding

You want to login to the computer at work from your home computer or from from hotel while traveling. The computer at work is behind the firewall so you cannot connect to it directly. You are allowed to connect to a bastion host, but are not allowed to store private keys on it. What can you do? Agent forwarding

Agent Forwarding ssh ssh sshd (proxy agent) sshd ssh Login ssh Work Bastion Home

The configuration is stored in /etc/ssh/sshd_config file. Port 46464 Protocol 2 PasswordAuthentication no ForwardX11 yes ForwardAgent yes Compression no sshd configuration on bastion host

The configuration is stored in ~/.ssh/tunnel.cfg file. Host * ForwardX11 yes ForwardAgent yes NoHostAuthenticationForLocalhost yes User RemoteUser IdentityFile /home/LocalUser/.ssh/work_dsa Host bastionhost HostName 69.2.50.60 Port 46464 LocalForward 10001 10.60.80.101:22 ssh tunnel configuration on home system

The configuration is stored in ~/.ssh/config file. Host * ForwardX11 yes ForwardAgent yes NoHostAuthenticationForLocalhost yes IdentityFile /home/LocalUser/.ssh/work_dsa Host portmap HostName localhost port 10001 LocalForward 18080 10.60.80.101:22 LocalForward 18081 10.60.80.102:22 Host host1 User RemoteUser HostName localhost Port 18080 Host host2 User RemoteUser HostName localhost Port 18081 ssh client configuration on home system

Generate key with password Store private key on Home system Store public key on Bastion host Store public key on Work system Setting Key Pair

Do the following on the HOME system: Start ssh-agent and add the key ssh-add ~/.ssh/work_dsa Create tunnel to bastion host ssh -f -N -F ~/.ssh/tunnel.cfg bastionhost ssh -f -N UserName @portmap Login in to work systems ssh host1 ssh host2 Login into work systems

Environment variables /dev/pts/48 Name of TTY SSH_TTY 10.90.10.107 45756 22 Client socket information SSH_CLIENT /tmp/ssh-FcRCI22249/agent.22249 Path to socket SSH_AUTH_SOCK 10.90.10.107 45756 10.90.10.182 22 Client and server socket information SSH_CONNECTION Example Meaning Variable

sshfs - ssh based file system client http://fuse.sourceforge.net/sshfs.html sftp - secure file transfer. Part of OpenSSH http://www.openssh.com/ Other ssh based applications

PuTTY TTSSH Cygwin MSSH WinSCP FileZilla OpenSSH alternatives for windows

Proven technology Strong encryption Both free and commercial versions exist Runs on many platforms Tunneling of ports works well and can be used for simple VPNs Many authentication methods supported Can be SOCKS5 proxy aware Use it instead of VPN Advantages

Port ranges & dynamic ports can't be forwarded SSH server daemon: Cannot restrict what ports may or may not be forwarded, per user When a user is authenticated by password, the client's RSA identity is not verified (against ssh_known_hosts). The verification only takes place when .[sr]hosts trust is used Port forwarding can also introduce security problems. The SSH server doesn't allow detailed configuration of what forwarding is allowed from what client to what server etc. A client on the Internet that uses SSH to access the Intranet, can expose the Intranet by port forwarding Disadvantages

http://www.openssh.com/ http://fuse.sourceforge.net/sshfs.html Barrett, D., Silverman, R., & Byrnes, R. (2005). SSH The Definitive Guide, Second Edition. O'Reilly Media, Inc. SSH FAQ http://www.employees.org/~satch/ssh/faq/ssh-faq.html Excellent agent forwarding tutorial http://unixwiz.net/techtips/ssh-agent-forwarding.html Turotial on building OpenSSH http://unixwiz.net/techtips/openssh.html Resources

Introduction to SSH

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Introduction to SSH (20)

Introduction to SSH

Editor's Notes