An Overview of SSH. Presentation to Linux Users of Victoria. Melbourne, August 26, 2017

http://levlafayette.com

Utilisation and Rationale

The most common use of SSH (secure shell) is remote login access to a computer system. However, any network service can use SSH (e.g., file transfers, remote mounts, proxy server tunnelling, etc.). It is built on a small mountain of RFCs (4250-56, 4419, 4432, 6668, etc.). The original reason for SSH was to provide a replacement for insecure remote access applications such as telnet, rlogin, ftp, etc. All of these send information (e.g., passwords) in plain text.

Practical task: use a network analyser (e.g., https://www.wireshark.org/) to capture such sessions and passwords. A short example is available on YouTube: https://www.youtube.com/watch?v=xshwyuq-uhk. Example session: accessing (for example) telnet rainmaker.wunderground.com

A High Level Architecture

SSH is based around public-key cryptography. This key-pair system requires a public key, which is distributed so that others can send messages, and a private key, so that the authenticated recipient can read them. On UNIX-like systems, a list of authorised public keys is usually kept in the ~/.ssh/authorized_keys file.

SSH is built with a client-server architecture. An SSH client is an application that is used to connect via SSH to a remote system. An SSH server is an application which accepts connections from remote systems. The most popular client and server is OpenSSH. If you are insane, use a proprietary implementation. PuTTY is a useful GUI SSH client which can also be used on MS-Windows. The client is already installed on most systems; unless you want to log in to your system remotely you don't need the server.

Installation and Management of OpenSSH Server

OpenSSH is commonly installed via package management (e.g., `sudo apt-get install openssh-server openssh-client`). This will install the OpenSSH server and start the daemon on port 22 by default. MS-Windows has never had an SSH server. In 2015 Microsoft announced (for the third time) that it would soon offer OpenSSH. It is currently (as of last night) at v0.0.19.0 (pre-release, not production ready).

The configuration file is usually located at /etc/ssh/sshd_config. Common options to change: the port number for SSH, and whether to allow root logins. Use the usual service method to stop/start/restart (e.g., `/etc/init.d/ssh [stop|start|restart]`, `service ssh [stop|start|restart]`, or `systemctl [stop|start|restart] sshd.service`).

Creating and Tracking Keys

SSH keys should be generated on the computer you wish to log in from, with the key generator `ssh-keygen`. Common options include -t (type, usually rsa), -b (size in bits; 4096 is a good choice), -f (filename, for multiple keys) and -C (a comment to describe the key), e.g., `ssh-keygen -t rsa -b 4096`. Follow the prompts and choose a secure passphrase. After this the `~/.ssh/` directory will have an `id_rsa` file (private key, don't share) and an `id_rsa.pub` key which can be shared. If the key of a remote system has changed, use `ssh-keygen -R remote` to remove the old entry.

Keeping track of passphrases can be a pain; `ssh-agent` handles these in the background. `ssh-add` adds a key to the list maintained by `ssh-agent`. The process is to initiate the agent with `eval $(ssh-agent)`, then run `ssh-add`, entering the private key passphrase. Kill the process prior to logging out, for example by adding `kill $SSH_AGENT_PID` to `.bash_logout`.

Client Use of SSH

A user connects to a remote system by invoking their SSH client with a variety of options, plus the username and address of the remote system. The typical options that are passed include -p (port, if non-standard), -i (to specify a particular identity file), and -X or -Y (to enable X-Windows forwarding in normal or trusted mode). For example: `ssh -Y lev@spartan.hpc.unimelb.edu.au`

File Transfers and Directory Mounts

Using SSH to copy files between systems (scp) is one of the most common uses of the protocol. It uses the same sort of command options as the cp command (e.g., -r for directories), and follows the source-destination convention, e.g., `scp testfile spartan:files/`. Synchronisation applications like rsync also run over SSH. Another common use is the remote mounting of files using SSHFS (SSH filesystem). The client interacts with the remote system via the SSH File Transfer Protocol (SFTP), which carries out FTP-like operations within an SSH channel.

Passwordless SSH

Remote logins with an SSH client provide encryption, but by themselves use password authentication. However, it is common to use public-private key authentication to allow passwordless SSH connections. This is simply a matter of copying the public key to your account on the remote system and appending it to the SSH authorized_keys file. For example: `ssh-copy-id -i .ssh/id_rsa.pub user@remote`

SSH Client Configuration Files

If you have a range of hosts to connect to, with different ports, multiple identity keys, etc., keeping track of these can be onerous. One method would be to add them all as aliases in a login file (e.g., `alias spartan='ssh lev@spartan.hpc.unimelb.edu.au'`). A more elegant method, however, is to use an SSH config file, which provides all the alias features plus client-side configuration features (such as keepalives). The ssh config file is kept in `~/.ssh/config`, or `/etc/ssh/ssh_config` for global settings. Config directives can still be overridden by options given on the command line. SSH config files combined with passwordless SSH are very useful tools that will free up your memory for more important tasks.
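To show how the client picks options from a config file like the one above, here is an added Python model of the lookup (not OpenSSH's own parser, and not part of the talk). It reproduces the rule that trips people up: ssh keeps the first value it obtains for each keyword, so a `Host *` defaults block must come last. The spartan entry follows the talk's example host; ninjadan.example.org and the key paths are made up.

```python
import fnmatch
import shlex

# Constructed sample ~/.ssh/config (ninjadan.example.org and key paths are made up).
SAMPLE_CONFIG = """
Host spartan
    HostName spartan.hpc.unimelb.edu.au
    User lev
    IdentityFile ~/.ssh/id_rsa_spartan
Host ninjadan
    HostName ninjadan.example.org
    Port 2222
    ForwardAgent yes
# Defaults last: ssh keeps the FIRST value obtained per keyword, so a
# `Host *` block placed first would override every specific entry below it.
Host *
    User nobody
    ServerAliveInterval 60
    ForwardAgent no
"""


def parse_blocks(text):
    """Split config text into (host patterns, {keyword: value}) blocks."""
    blocks, patterns, options = [], ["*"], {}  # lines before any Host apply to all
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        key, values = parts[0].lower(), parts[1:]  # keywords are case-insensitive
        if key == "host":
            blocks.append((patterns, options))
            patterns, options = values, {}
        else:
            options.setdefault(key, " ".join(values))
    blocks.append((patterns, options))
    return blocks


def resolve(alias, text=SAMPLE_CONFIG):
    """Effective options for `alias`: glob-match each Host block, first value wins.
    Negated patterns (`!pattern`) and Match blocks are not modelled here."""
    effective = {}
    for patterns, options in parse_blocks(text):
        if any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            for key, value in options.items():
                effective.setdefault(key, value)
    effective.setdefault("hostname", alias)  # ssh falls back to the alias itself
    return effective
```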

SSH Agent Authentication and Commands

Authentication agent connections can be forwarded with the -A option. Note that the intermediate host could hijack the session (not the keys); nevertheless this is obviously better than storing one's private key on remote servers in order to reach even more remote servers. Example: `ssh -A ninjadan`, then from there `ssh spartan-m`.

SSH can be used to run a single command or a set of commands on remote systems. For example, `ssh spartan ls > dirlist.txt` will execute `ls` remotely and save the results locally, whereas `ssh spartan "$(cat commands.txt)"` will execute the contents of commands.txt on the remote system.

SSH and GNU Screen

SSH works very well with GNU Screen, a terminal multiplexer which allows a user to access multiple separate login sessions inside a single terminal window. A screen session can be started up (`ssh -t spartan /usr/bin/screen -xRR`), a second window started (Ctrl+a c), detached (Ctrl+a d), then switched between (Ctrl+a n), then detached again. Another alternative is to start it once connected (`ssh spartan`, then `screen -S test`, then detach), and later reattach to it remotely with `ssh -t spartan screen -r test`.

SSH Port Forwarding

Port forwarding with SSH creates a secure relay connection between systems. It is very useful for tunnelling unencrypted protocols (e.g., IRC, VNC). The most common form is local port forwarding, where the SSH client connects to an SSH server and then on to the destination system. There is also remote port forwarding (server to client, then destination) and dynamic forwarding (multiple programs via client to server and then to several destinations). Encrypted web browsing can be had by pointing the web browser at a SOCKS proxy (for example on port 8080) created with `ssh -D 8080 -C -N username@remotesite` (bind to port, compress data, no remote command). In a local forward, one port is allocated by the user (local) and the other depends on the destination service (usually a well-known port number), e.g., forwarding a VNC desktop (to itself!): `ssh -L 5900:localhost:5900 <host>`.

SSH Verification

When setting up an initial connection, the possibility is raised that you might be facing a man-in-the-middle attack (short example: https://www.youtube.com/watch?v=4abglcndbcy). However, this can be countered, because when new key pairs are created they also come with a unique fingerprint and ASCII-art (randomart) image. When generating a key for a new server (e.g., `ssh-keygen -t rsa -C newserver -f .ssh/newserverkey`), save the key fingerprint and randomart image. Then you can fetch a key's fingerprint and randomart image at any time to compare and make sure they have not changed (`ssh-keygen -lvf newserverkey`, or for all known hosts, `ssh-keygen -lvf ~/.ssh/known_hosts`). A modification of the ssh_config on the local computer (set `VisualHostKey yes` in `/etc/ssh/ssh_config`), followed by a login to remote systems, lets you compare the fingerprint (a key snippet) and the randomart image.
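The fingerprint comparison above can be scripted. This added Python example (not from the talk, and not OpenSSH code) computes the same SHA256 fingerprint that `ssh-keygen -lf` prints, namely SHA256 over the raw key blob, base64-encoded without '=' padding, for every entry in a known_hosts file, and reports any host whose key no longer matches a fingerprint you recorded earlier. The host keys in the sample are constructed, as is the ninjadan host; only the spartan name comes from the talk.

```python
import base64
import hashlib
import struct


def ssh_string(data):
    """One SSH wire-format string: big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def fingerprint(blob):
    """SHA256 fingerprint as `ssh-keygen -lf` prints it (base64, no '=' padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text):
    """Map each host token of a known_hosts file to (key type, fingerprint)."""
    result = {}
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3 or line.lstrip().startswith("#"):
            continue
        hosts, keytype, b64 = fields[:3]
        fp = fingerprint(base64.b64decode(b64))   # the hash covers the raw key blob
        for host in hosts.split(","):             # "name,ip" entries share one key
            result[host] = (keytype, fp)
    return result


def changed_keys(known_hosts_text, recorded):
    """Hosts whose current fingerprint differs from a previously saved one."""
    current = parse_known_hosts(known_hosts_text)
    return [h for h, (_, fp) in current.items() if h in recorded and recorded[h] != fp]


def fake_ed25519(fill):
    """Constructed ed25519 key blob: type string plus a 32-byte 'point' of one value."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([fill]) * 32)
    return base64.b64encode(blob).decode()

# Constructed known_hosts: the keys are fabricated (real keys would be real
# curve points; the fingerprint computation is identical either way).
KNOWN_HOSTS = (
    f"spartan.hpc.unimelb.edu.au ssh-ed25519 {fake_ed25519(1)}\n"
    f"ninjadan,192.0.2.10 ssh-ed25519 {fake_ed25519(2)}\n"
)
```

Run it against your real `~/.ssh/known_hosts` and a file of fingerprints saved when each server was set up; any host listed by `changed_keys` warrants a check out of band before you type a password or forward an agent to it.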

SSH History and Security

Tatu Ylönen, a researcher at Helsinki University of Technology, first developed SSH in 1995 after a password-sniffing attack. It was later commoditised, and in 1999 the older 1.2.12 version, the last released under an open-source licence, was forked. For a while there were two SSHs in common circulation (OpenSSH and OSSH). A major security flaw was discovered in the proprietary version in 1998, and soon OpenSSH became the single most popular implementation. There were some inherent design flaws in SSH-1, and in 2006 it was replaced by SSH-2, which includes more sophisticated key exchange technology and message authentication codes. Some SSH implementations only support SSH-2 as a result. In 2008 a security flaw was discovered which allowed the plain-text recovery of 32 bits from a block of encrypted text; this was easily circumvented by using a different default encryption mode. In 2017 it was revealed via WikiLeaks that the CIA was using methods to hijack user credentials from active SSH sessions.

Future Developments

There have been several developments in parallel SSH which presumably will become part of the mainstream in the future. The core idea is to read a host file and launch a command which is executed on each remote system in the host file. Technically these could be implemented as a loop, but if the tasks take an extended period of time... There are four main implementations: Parallel SSH, Cluster SSH, ClusterIT, and Distributed Shell. Parallel SSH has a parallel shell, parallel scp, parallel rsync, and parallel kill. ClusterSSH creates an xterm session on each system subject to the multiple commands, and has one controller terminal as well. Distributed Shell (dsh) is the most popular; it also works on a machine list (e.g., `/usr/local/etc/machines.list`) and passwordless SSH, and can return results to the local terminal. Why aren't we using SSH for everything?
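To make concrete why a plain loop falls short, here is an added Python sketch of the dsh/pssh idea (my example, not code from any of those tools or from the talk): it reads a machine list, runs one command on every host concurrently, and gives a stalled or unreachable host a result of its own instead of blocking the rest. The real runner shells out to ssh with `BatchMode=yes`, so it never prompts for a password and refuses unknown or changed host keys rather than asking; the test uses an injected stand-in runner so it runs offline. Host names other than spartan are constructed.

```python
import subprocess
from concurrent.futures import ThreadPoolExecutor


def read_machine_list(text):
    """Parse a dsh-style machine list: one host per line, '#' starts a comment."""
    hosts = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            hosts.append(line)
    return hosts


def ssh_runner(host, command, timeout):
    """Default runner: (exit status, stdout) of `command` run on `host` via ssh.
    BatchMode=yes never prompts: it fails instead of asking for a password and
    refuses unknown or changed host keys, which is what an unattended loop wants."""
    proc = subprocess.run(
        ["ssh", "-o", "BatchMode=yes", "-o", f"ConnectTimeout={int(timeout)}",
         "--", host, command],  # '--' stops a host name being parsed as an option
        capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout


def run_everywhere(machine_list, command, run=ssh_runner, workers=8, timeout=30.0):
    """Run `command` on every host concurrently; returns {host: (status, output)}.
    A host that times out or cannot be reached gets status None rather than
    stalling the whole run, which is where a sequential shell loop falls short."""
    def one(host):
        try:
            return host, run(host, command, timeout)
        except (subprocess.TimeoutExpired, OSError) as exc:
            return host, (None, str(exc))

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(one, read_machine_list(machine_list)))


# Constructed machine list in the /usr/local/etc/machines.list style.
MACHINES = "spartan\nninjadan   # constructed neighbour\n\nnode03\n"


def fake_runner(host, command, timeout):
    """Offline stand-in for ssh_runner: node03 is pretend-unreachable."""
    if host == "node03":
        raise OSError("connect to node03: no route to host")
    return 0, f"{host}: ran {command}\n"
```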