Under construction, version 0.1, last update 2003/01/20
Secure Shell (SSH)
What is Secure Shell?
SSH (Secure Shell) is a low-cost, software-based solution to network security. It solves
some of the privacy and security problems that arise when data (files, commands, etc.) is
transferred over a network.
It can also be seen as a secure replacement for telnet, ftp and the r-commands (rsh, rlogin, rcp),
services that are often used for remote administration of active network components (routers,
switches, firewalls, etc.) and servers, and that send passwords and data over the network in clear text.
The main features of SSH are:
- A secure client-server protocol that encrypts data before transmitting it over a network.
- Authentication of users by password, host or public key, with optional integration
with other popular authentication systems such as Kerberos.
- Integrity protection: the SSH protocol guarantees that data travelling over the network arrives
unaltered; a modified packet is detected and the connection is dropped.
- Tunneling of most other popular TCP/IP-based services that are insecure on their own. This is called
port forwarding.
There are two SSH protocol versions in use, namely SSH protocol version 1 and version 2.
Version 2 is a redesign with stronger cryptography (version 1 has known weaknesses in its
integrity check), so use SSH version 2 whenever possible.
Basic Client Usage
For Windows there are graphical clients. Under Linux you will normally work in a shell and
start the SSH connection from there. To connect to a server via SSH, type:
ssh -l <username> <server name or IP address>
(the form ssh <username>@<server name or IP address> is equivalent).
Example 1 shows a successful connection and login to linuxsecure.de.
| Example 1: Using ssh |
$ ssh -l nikolei linuxsecure.de
nikolei@linuxsecure.de's password:
Last login: Mon Jan 20 12:39:01 2003 from 168.1.1.10
[nikolei@linuxsecure nikolei]$
|
If you have not set up a public key on the server (see Public-Key Authentication below), you will be
asked for a password. After a successful login you get a shell on the server.
On the first connection to a server, ssh also shows the server's host key fingerprint and asks you to
confirm it. Compare it with a fingerprint you obtained through another channel (the administrator,
a console login); accepting an unknown host key blindly is exactly what a man-in-the-middle attacker
counts on.
It is also possible to use ssh as a secure replacement for ftp.
Under Windows you get a graphical, Explorer-like interface with drag and drop.
Under Linux you can use the command line program scp, which offers more flexibility.
To use scp under Linux, type:
scp [options] <source> <destination>
where each of the two arguments is either a local path or a remote one written as
<user>@<server name or IP address>:<path>.
Example 2 shows how to copy the file foo from the current directory on your machine (the machine
you are logged in on) to the server linuxsecure.de, into the directory bar in your home directory.
| Example 2: Using scp |
$ scp foo nikolei@linuxsecure.de:/home/nikolei/bar
nikolei@linuxsecure.de's password:
foo 100% |*****************************| 100 00:01
$
|
You will be prompted for a password. If the password is correct, the file is copied to the server.
With wildcards or the option -r you can copy several files at once or whole directories recursively.
The option -C enables compression, and -P <port> connects to a server on a non-standard port
(note the capital P; scp uses lower-case -p to preserve modification times and modes).
If you want to use ssh in the same way as the command line ftp for file transfer, then sftp
may be of interest to you.
Like ftp it is interactive: you log in to a remote machine and, after a successful login, a command
line accepts commands for file transfer. For example:
sftp <user>@<host>
The username is optional. If no username is given (then you also have to drop the @ sign),
your username on the machine you are working on is assumed. Example 3 logs into the machine
linuxsecure.de with username nikolei.
| Example 3: Using sftp |
$ sftp nikolei@linuxsecure.de
Connecting to linuxsecure.de...
nikolei@linuxsecure.de's password:
sftp>
|
Then you can use the well-known commands get and put for file transfer (ls, cd, lcd and
others work as in ftp; help lists them all).
These are the basics you need to work with ssh. There are many more options, but I will
only present those I find most useful.
Public-Key Authentication
Instead of password authentication you can use public-key authentication, which is more secure and,
combined with an SSH agent, also more comfortable if you have to manage a lot of servers via SSH. The idea is
to generate two cryptographic keys, a public one and a private one. The public key is stored on the SSH servers,
the private one is held by the user and never leaves the user's machine. If you use public-key authentication,
it is best to disable all other authentication mechanisms on the server, so that a guessed or stolen password
is no longer enough to get in. The key pair should be long enough and the private key stored in a way that
nobody else can read it; otherwise the authentication mechanism cannot be called secure any more.
So what we need first is an sshd configuration that allows only public-key authentication. In the following
example I am using a configuration file for OpenSSH:
| Example 4: OpenSSH Config |
Port 61524
Protocol 2
ListenAddress 126.15.160.52
AllowUsers nikolei
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys2
# override default of no subsystems
Subsystem sftp /usr/lib/misc/sftp-server
|
To explain the configuration line by line:
- Port 61524: The SSH server listens on port 61524 instead of the default port 22. This keeps the log free of the automated scans and password-guessing attempts aimed at port 22, but it is not a security measure in itself: a port scanner that sweeps all ports finds the service, and its banner identifies it as SSH.
- Protocol 2: Only the more secure version 2 of the SSH protocol is offered.
- ListenAddress 126.15.160.52: The IP address the server listens on (relevant if more than one interface exists).
- AllowUsers nikolei: Only the user nikolei may log in.
- PermitRootLogin no: root is not allowed to log in directly; log in as an ordinary user and use su or sudo.
- PasswordAuthentication no and ChallengeResponseAuthentication no: Turn off both forms of password login, so that the public key is the only way in. Without these two lines sshd still falls back to asking for a password when no key matches, and the server is not "public-key only" as intended.
- RSAAuthentication yes: Use of RSA keys for protocol version 1. With Protocol 2 this line has no effect and can be left out; it is only shown here because many installed sshd_config files contain it.
- PubkeyAuthentication yes: Public-key authentication for protocol version 2.
- AuthorizedKeysFile .ssh/authorized_keys2: Location of the file containing the public keys (relative to the home directory of each user). Newer OpenSSH versions default to .ssh/authorized_keys; whatever name you configure here is the file you have to put the keys into.
- Subsystem sftp /usr/lib/misc/sftp-server: Our nice sftp facility (the path depends on the distribution).
Restart or reload sshd after editing the file, and keep your current session open while you test the new configuration from a second terminal, so that a mistake does not lock you out.
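The following POSIX shell script is an added example (not part of the original page) that checks an sshd_config for the settings the "public-key only" setup above depends on. It encodes one detail that bites in practice: sshd uses the first value it finds for a keyword, so a hardening line appended at the end of the file loses against an earlier, weaker one. The two configuration files it audits are constructed samples, not the real server's configuration.

```shell
#!/bin/sh
# Added example (not from the original page): check an sshd_config for the
# settings that the public-key-only setup depends on.
# sshd takes the FIRST value it finds for each keyword, so a hardening line
# appended at the end of the file loses against an earlier, weaker line.
# Match blocks (a later OpenSSH feature) are not handled.

# sshd_effective FILE KEYWORD
#   prints the first value set for KEYWORD (keyword and value compared
#   case-insensitively, like sshd), or nothing if the keyword is absent.
sshd_effective() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/  { next }                      # comment line
        NF < 2            { next }                      # blank or incomplete line
        tolower($1) == kw { print tolower($2); exit }   # first match wins
    ' "$1"
}

# audit_sshd_config FILE
#   prints one line per finding; returns 0 only if there are no findings.
#   An absent keyword is a finding: its default differs between OpenSSH
#   versions, so a hardened configuration states it explicitly.
audit_sshd_config() {
    findings=0
    for pair in Protocol:2 PubkeyAuthentication:yes PasswordAuthentication:no \
                ChallengeResponseAuthentication:no PermitRootLogin:no
    do
        kw=${pair%%:*}
        want=${pair#*:}
        got=$(sshd_effective "$1" "$kw")
        if [ -z "$got" ]; then
            echo "$kw: not set (version-dependent default), expected $want"
            findings=$((findings + 1))
        elif [ "$got" != "$want" ]; then
            echo "$kw: is $got, expected $want"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# --- demo on two constructed configuration files (sample data) ---
weak=$(mktemp)
hardened=$(mktemp)
trap 'rm -f "$weak" "$hardened"' EXIT

cat > "$weak" <<'EOF'
Port 22
Protocol 2,1
PasswordAuthentication yes
PermitRootLogin yes
# appended later by a well-meaning admin: has no effect, the first value wins
PasswordAuthentication no
EOF

cat > "$hardened" <<'EOF'
Port 61524
Protocol 2
AllowUsers nikolei
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys2
EOF

echo "== weak config =="
audit_sshd_config "$weak" || echo "-> not public-key only"
echo "== hardened config =="
audit_sshd_config "$hardened" && echo "-> ok"
```

Run it against /etc/ssh/sshd_config (audit_sshd_config /etc/ssh/sshd_config) after every change; the weak sample shows why "I added PasswordAuthentication no at the bottom" is not enough.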
The next thing we have to do is to generate our RSA keys (2048-bit keys in this example):
| Example 5: Generating RSA-Keys |
$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/nikolei/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /nikolei/.ssh/id_rsa.
Your public key has been saved in /nikolei/.ssh/id_rsa.pub.
The key fingerprint is:
8e:c6:3f:de:b7:5e:9a:4c:6d:b9:6b:9d:c7:a8:6f:27 nikolei@linux
$
|
The private key is stored in id_rsa and the public one in id_rsa.pub.
The last thing left is to append the contents of the public key file
(~/.ssh/id_rsa.pub) to the file ~/.ssh/authorized_keys2 on the server you want to log in to
(the file name must match the AuthorizedKeysFile setting above; append, do not overwrite,
or you remove keys that are already there). On the server, the directory ~/.ssh must be
accessible only by you (mode 700) and the authorized keys file readable only by you (mode 600);
sshd refuses public-key logins when these permissions are too loose.
Because you have used a port other than the standard SSH port, you have to tell your ssh client
to use the non-standard port (option -p for ssh and sftp, -P for scp, or a Host entry in ~/.ssh/config).
Keep the password session open until a key-based login from a second terminal works.
If you have provided a passphrase during key generation (this passphrase should be different from your
system password!), then your private key is encrypted on disk, but you are asked for the passphrase when
using ssh; an SSH agent (ssh-agent and ssh-add) can hold the decrypted key for the session.
And don't forget to make your private key readable only by you using chmod 600!
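Here is the server-side part of that procedure as an added POSIX shell example (not from the original page): a function that installs a public key into the authorized keys file without clobbering existing keys or leaving the permissions in a state that sshd rejects, plus a helper that prints the matching client-side ~/.ssh/config entry for the non-standard port. The key lines and the throw-away directory standing in for the server's home are constructed sample data, not real keys.

```shell
#!/bin/sh
# Added example (not from the original page): put a public key into a user's
# authorized keys file the way sshd expects it. sshd (StrictModes, on by
# default) silently ignores the file when ~/.ssh or the key file is writable
# or readable by others, so the permissions are part of the procedure.
# The key lines below are constructed sample data, not real keys.

# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS_FILE
#   appends the key if it is not already present (other keys are kept),
#   fixes the permissions, returns 0 on success.
install_pubkey() {
    pub=$1
    auth=$2
    dir=$(dirname "$auth")
    [ -f "$pub" ] || { echo "no such public key file: $pub" >&2; return 1; }
    # a public key file holds exactly one line: "type base64 [comment]"
    [ "$(awk 'END { print NR }' "$pub")" -eq 1 ] ||
        { echo "$pub must contain exactly one key" >&2; return 1; }
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$auth"
    chmod 600 "$auth"
    # compare type and key material only, so that a changed comment does
    # not produce a second entry for the same key
    keymat=$(awk '{ print $1, $2 }' "$pub")
    if awk '{ print $1, $2 }' "$auth" | grep -qxF "$keymat"; then
        echo "key already present in $auth"
    else
        awk 1 "$pub" >> "$auth"     # awk 1 guarantees a trailing newline
        echo "key added to $auth"
    fi
}

# count_keys AUTHORIZED_KEYS_FILE -> number of key lines (comments/blanks skipped)
count_keys() {
    awk '!/^[[:space:]]*(#|$)/ { n++ } END { print n + 0 }' "$1"
}

# client_config_entry ALIAS HOST USER PORT KEYFILE
#   prints a ~/.ssh/config block so that "ssh ALIAS" uses the non-standard
#   port and the right key without typing -p / -i / -l every time.
client_config_entry() {
    printf 'Host %s\n    HostName %s\n    User %s\n    Port %s\n    IdentityFile %s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# --- demo in a throw-away directory standing in for the server's home ---
home=$(mktemp -d)
trap 'rm -rf "$home"' EXIT
auth="$home/.ssh/authorized_keys2"    # must match AuthorizedKeysFile in sshd_config
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsampleKeyMaterial nikolei@linux\n' \
    > "$home/id_rsa.pub"
install_pubkey "$home/id_rsa.pub" "$auth"   # key added
install_pubkey "$home/id_rsa.pub" "$auth"   # key already present, no duplicate
echo "keys in $auth: $(count_keys "$auth")"
ls -ld "$home/.ssh" "$auth"
client_config_entry linuxsecure linuxsecure.de nikolei 61524 '~/.ssh/id_rsa'
```

On a real server you would call install_pubkey with the id_rsa.pub you copied over and with ~/.ssh/authorized_keys2 (or whatever AuthorizedKeysFile names), and put the printed Host block into ~/.ssh/config on the client, after which "ssh linuxsecure" does the right thing.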
Port Forwarding
One of SSH's major benefits is transparency. A terminal session secured by SSH behaves like
an ordinary, insecure one once it has been established. Behind the scenes, SSH keeps the session secure
by strong authentication, encryption and integrity checking.
If you use SSH port forwarding to secure another application, SSH intercepts
the service request from this application, sends it across the encrypted connection and delivers it
to the intended recipient on the other side. The application itself needs no changes; it only has to be
pointed at the local port on which ssh listens instead of at the remote server directly.
To be continued ...