IT Services Security. The Dark Arts Of SSH. Author: John Curran Version: 0.1

Transcription

1 IT Services Security The Dark Arts Of SSH Author: John Curran Version: 0.1

2 STATUS\ REVISION HISTORY Date Version Description Review preparation 1.0 Presented to business & retained by Information security. Table of Contents 1. INTRODUCTION Purpose of document Installation 3 2. TECHNICAL CONFIGURATION SSH using public key cryptography Key generation and use: Authorized_keys file Key agents Using SCP and SFTP SCP and SFTP setup Using SCP Using PSFTP 8

3 1. Introduction SSH was originally developed as a secure alternative to insecure remote shell and file transfer applications such as Telnet and FTP. It has evolved to become a general purpose network encryption utility which facilitates not only these, but a variety of other uses. 1.1 Purpose of document. This document provides guidance on the use of SSH as a replacement for FTP file transfer scripts, as a tunnelling mechanism, and the use of key based authentication. The document provides a basis and steps for doing the activities described. It is not a recipe book, and your mileage may vary etc. etc. 1.2 Installation This document assumes that OpenSSH\Putty is in use and has been installed

4 2. Technical configuration 2.1 SSH using public key cryptography. Public key cryptography works by using a pair of keys to encrypt data in an asymettrical manner- i.e. one key to encrypt, and a different key to decrypt. One of these keys is designated as a public key, and one private. The process is reversible so that material encrypted using the private key may be decrypted using the public key. Now, if a host issues a public key upon connection and you accept it once, subsequent connections which provide an encrypted message which can be decrypted with this public key can be acknowledged as being from the server authorised previously (known server.) This is why, for first time connections, SSH servers offer a public key. The SSH host private key resides on the server, in an area accessible only by root. Client side private keys are used to encrypt all connections and are used for authentication. The passcode associated with the key is used to decrypt the key locally and is UNRELATED to the user s password on the system. The user s public key is stored (per user) on the server and is used to authenticate the user. In this manner we have established a mutually authenticated connection server to client and client to server. We now explain how this is achieved, and then used in scripts for SCP and SFTP. Final note: Public Key cryptography is NOT the same thing as PKI! It is certainly possible to integrate SSH with a PKI, but it s not for the fainthearted, and it s not what we re doing here. 2.2 Key generation and use: All keys must use passcodes, even for scripted uses. OpenSSH keys must be converted for use with PuTTY and vice versa. It is recommended that all keys for use are generated on the server and imported for use by the client. Use ssh-keygen for key generation bit DSA keys are fine. Name the identity file for the user or remote host which will use it, as it is useful to retain the public keys on the server, other than in the authorized_keys file. The manpage for ssh-keygen gives options for key conversion. For use with putty, generate as normal, transfer and convert using PuttyGEN Example $ ssh-keygen -t dsa -f username -C username@host -N depassphrase Generating public/private dsa key pair. Your identification has been saved in username. Your public key has been saved in username.pub. The key fingerprint is: c9:38:08:8b:71:31:de:bb:e2:43:44:e4:f4:6b:3b:a3 username@host $ more username.pub

5 ssh-dss AAAAB3Nza C6KMOzEw= 2.3 Authorized_keys file The authorized_keys file resides on the server, in the $HOME/.ssh directory per user. It contains a number of formatted lines, each of which is formatted as below. It is important to note that there may be several lines, each of which is a valid key. This is useful in so far that different keys may be used for different users of the same userid; and keys may be aged appropriately by replacing them over time. For Vodafone Ireland: Each host must have a different identity key for use as each user i.e. mediation server a and b must use different keys for the same userid on system billing a. For a key generated identity and identity.pub, copy identity.pub to authorized_preamble and edit to prepend the following: from= x.y, no-pty, no-port-forwarding ssh-dss AAA username@sourcehost.vodafone.ie This file is now a single line to be added to the authorized_keys file. Naturally, the usual levels of caution and backup are advised when making changes. Commands may be added as required, but port forwarding and shell allocation are not to be used for scripted file transfers. As a final note: The SSH daemon runs with Strictmodes in operation, this means that authorized_keys must be owned by the user and permissions set to rw Manpage description of file from="pattern-list" Specifies that in addition to public key authentication, the canonical name of the remote host must be present in the comma-separated list of patterns (`*' and `?' serve as wildcards). The list may also contain patterns negated by prefixing them with `!'; if the canonical host name matches a negated pattern, the key is not accepted. The purpose of this option is to optionally increase security: public key authentication by itself does not trust the network or name servers or anything (but the key); however, if somebody somehow steals the key, the key permits an intruder to log in from anywhere in the world. This additional option makes using a stolen key more difficult (name servers and/or routers would have to be compromised in addition to just the key). command="command" Specifies that the command is executed whenever this key is used for authentication. The command supplied by the user (if any) is ignored. The command is run on a pty if the client requests a pty; otherwise it is run without a tty. If an 8-bit clean channel is required, one must not request a pty or should specify no-pty. A quote may be included in the command by quoting it with a backslash. This option might be useful to restrict certain public keys to perform just a specific operation. An example might

6 be a key that permits remote backups but nothing else. Note that the client may specify TCP/IP and/or X11 forwarding unless they are explicitly prohibited. Note that this option applies to shell, command or subsystem execution. environment="name=value" Specifies that the string is to be added to the environment when logging in using this key. Environment variables set this way override other default environment values. Multiple options ofthis type are permitted. Environment processing is disabled bydefault and is controlled via the PermitUserEnvironment option. This option is automatically disabled if UseLogin is enabled. no-port-forwarding Forbids TCP/IP forwarding when this key is used for authentication. Any port forward requests by the client will return an error. This might be used, e.g., in connection with the command option. no-x11-forwarding Forbids X11 forwarding when this key is used for authentication. Any X11 forward requests by the client will return an error. no-agent-forwarding Forbids authentication agent forwarding when this key is used for authentication. no-pty Prevents tty allocation (a request to allocate a pty will fail). permitopen="host:port" Limit local ``ssh -L'' port forwarding such that it may only connect to the specified host and port. IPv6 addresses can be specified with an alternative syntax: host/port. Multiple permitopen options may be applied separated by commas. No pattern matching is performed on the specified hostnames, they must be literal domains or addresses. 2.4 Key agents For Interactive use only. The PuTTY series of applications for Windows contain an application called Pageant. This can be used and associated with a key file at start-up to ensure that a key resides in system memory and need not be explicitly called with a passcode at each use. This mechanism can only be used in line-interactive mode and is useful only for workstations. Similarly ssh-agent is only useful for interactive use. Ignore all other temptations. Unless you are familiar with expect, you will not get it to work automatically! 2.5 Using SCP and SFTP. SFTP and SCP are command line utilities which can be used for file transfer purposes. SFTP is supported only in SSH2 servers, and can be used in a manner very similar to FTP, with similar command support. For large file transfers it is recommended that the blowfish cipher is specified for data as it minimises the overhead associated with encryption.

7 SCP is commonly used as a single command line utility for transfer of single files or directories. The relevant manpages detail the exact syntax of the commands and this is not repeated here. For Windows hosts, SCPO and SFTP versions are available from the PuTTY website at: SCP and SFTP setup Before explaining how to use SCP or SFTP in scripts, it s important that the computer you are connecting from has loaded its private key into pageant. Making Pageant automatically load keys on startup Pageant can automatically load private keys when it starts up; you need to provide them on the Pageant command line and the location to your private key. Your command line might then look like: C:\Path to pageant\pageant.exe d:\privatekey.ppk If the keys are stored encrypted, Pageant will request the passphrases on startup. Making Pageant run another program You can arrange for Pageant to start another program once it has initialised itself and loaded any keys specified on its command line. You do this by specifying the `-c' option followed by the command, like this: C:\path to pageant\pageant.exe d:\privatekey.ppk -c C:\pscp.exe 2.7 Using SCP Download the Putty SCP command line utility pscp.exe from Copy the file to the C:\ on your computer Change directory to C: Run the command by typing pscp Sample PSCP commands copying a file to a remote system that can be used in a script: The password for user1 is password The file to be copied is called textfile The user on the remote system is specified as user1. The remote systems host name is server1. If the host name cannot be resolved you can specify the IP address here.

8 The file name when copied to the remote system is named textfile. The file is copied to the user1 home directory. This is the default but can be changed by specifying the absolute path before the file name. pscp textfile.txt List of options that can be used with PSCP Usage: pscp [options] target pscp [options] source [source...] pscp [options] -ls Options: -p preserve file attributes -q quiet, don't show statistics -r copy directories recursively -v show verbose messages -load sessname Load settings from saved session -P port connect to specified port -l user connect with specified username -pw passw login with specified password -1-2 force use of particular SSH protocol version -C enable compression -i key private key file for authentication -batch disable all interactive prompts -unsafe allow server-side wildcards (DANGEROUS) 2.8 Using PSFTP Download the Putty PSFTP command line utility PSFTP.exe from Copy the file to the C:\ on your computer Change directory to C: Run the command by typing psftp Sample PSFTP commands which achieves the following: Downloads a file called textfile.txt The file is stored in /export/home/user1 The remote system is called server1 The file downloaded is stored in c:/temp on the local computer psftp b batchfile.bat user1@server1

9 Writing the batch file Open note pad Type in the following text cd /export/home/user1 lcd c:/temp get textfile exit save the file as batchfile.bat in C:\ Note: When you log in to the remote system your path will be your home directory. If the file you are downloading is in a different located that you will need to change this by typing cd followed by the absolute path in the batch file. For instance to change directory to tmp you would type cd \tmp Files downloaded will be saved your current directory. If you wish to change this location use the lcd command. For instance to ensure all files downloaded are stored in a directory on your C: drive named user1 you would type lcd C:\user1 List of options that can be used with PSFTP! run a local command bye finish your SFTP session cd change your remote working directory chmod change file permissions and modes del delete a file dir list contents of a remote directory exit finish your SFTP session get download a file from the server to your help give help lcd change local working directory lpwd print local working directory ls list contents of a remote directory mkdir create a directory on the remote server mv move or rename a file on the remote serv open connect to a host put upload a file from your local machine to pwd print your remote working directory quit finish your SFTP session reget continue downloading a file ren move or rename a file on the remote serv reput continue uploading a file rm delete a file rmdir remove a directory on the remote server