Linux Network Administration


Secure Remote Connections with OpenSSH
NETW 111 - SSH, 17 January 2005

Objective
At the conclusion of this module, the student will be able to:
- Configure the ssh daemon
- Start, stop, and restart sshd

Remote Connections
- Often we need to make a remote connection to a system on which we have access privileges
- telnet consists of a client and a server that permit this connection
- Once a connection is established, we are operating at a CLI and can do anything we would be permitted to do if we were connected by a console device
- Although the connection requires a login and password, these are sent as plain text and could be captured by unauthorized users
- This lack of a secure connection has caused many organizations to implement Secure Shell client/server environments

Secure Shell
- Secure shells like OpenSSH, a FREE version of the SSH suite of network connectivity tools, are replacing telnet in environments where security is paramount
  - Networks connected to a public network like the Internet
- ssh connections encrypt all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks

What is SSH
- SSH (or Secure SHell) is designed to replace older, less secure terminal applications used to log into remote hosts, such as telnet or rsh
  - Allows users to log into host systems remotely
- Unlike FTP or Telnet, SSH encrypts the login session
  - Makes it impossible for intruders to collect unencrypted passwords
- A related program called scp replaces older programs designed to copy files between hosts, such as rcp
- Using secure methods to log into remote systems decreases the risks for both the client system and the remote host

Features of SSH
- SSH is a protocol which facilitates secure communications between two systems using a client/server architecture. The SSH protocol provides the following safeguards:
  - After an initial connection, the client can verify that it is connecting to the same server it connected to previously
  - The client transmits its authentication information to the server using strong, 128-bit encryption
  - All data sent and received during a session is transferred using 128-bit encryption
    - Makes intercepted transmissions extremely difficult to decrypt and read
  - The client can forward X11 applications from the server using X11 forwarding
    - This provides a secure means to use graphical applications over a network
  - Using a technique called port forwarding, an SSH server can become a conduit to make insecure protocols like POP secure

OpenSSH
- Red Hat Linux includes the general OpenSSH package
  - openssh-server - the OpenSSH server
  - openssh-clients - the OpenSSH client
- Originally created for BSD and now ported to most other UNIX/Linux distros
- The OpenSSL package from http://www.openssh.org/ installs several important cryptographic libraries
  - This enables OpenSSH to provide encrypted communications
- Windows-based SCP clients
  - WinSCP is a graphical SCP client for Windows
  - PuTTY is a text-based SCP client for Windows

Why Use SSH
Secure Shell protects against:
- IP spoofing - a remote host sends out packets which pretend to come from another, trusted host
- IP source routing - a host can pretend that an IP packet comes from another, trusted host
- DNS spoofing - an attacker forges name server records
- Interception of cleartext passwords and other data by intermediate hosts
- Manipulation of data by people in control of intermediate hosts
- Attacks based on listening to X authentication data and spoofed connections to the X11 server

SSH Minimizes Communications Threats
- Interception of communication between two systems
  - The attacker can be somewhere on the network between the two communicating entities, copying any information passed between them
  - The attacker may intercept and keep the information, or alter the information and send it on to the intended recipient
  - This attack can be mounted with a packet sniffer, a common network utility
- Impersonation of a particular host
  - An attacker's system is configured to pose as the intended recipient of a transmission
  - The user's system remains unaware that it is communicating with the wrong host
  - This attack can be mounted through techniques known as DNS poisoning or IP spoofing
    - DNS poisoning occurs when an intruder cracks a DNS server, pointing client systems to a maliciously duplicated host
    - IP spoofing occurs when an intruder sends network packets that falsely appear to be from a trusted host on the network

Sequence of Events for an SSH Connection
1. A cryptographic handshake is made so that the client can verify that it is communicating with the correct server
2. The transport layer of the connection between client and remote host is encrypted using a symmetric cipher
3. The client authenticates itself to the server
4. The remote client can now interact safely with the remote host over the encrypted connection

Role of the Transport Layer
- The primary role of the transport layer is to facilitate safe and secure communication between the two hosts at the time of and after authentication
- The transport layer accomplishes this by
  - Handling the encryption and decryption of data
  - Providing integrity protection of data packets as they are sent and received
- The transport layer also provides compression, speeding the transfer of information

OpenSSH Key Exchange
- Once an SSH client contacts a server, key information is exchanged so that the two systems can correctly construct the transport layer. The following steps occur during this exchange:
  - Keys are exchanged
  - The public key encryption algorithm is determined
  - The symmetric encryption algorithm is determined
  - The message authentication algorithm is determined
  - The hash algorithm to be used is determined
- During the key exchange, the server identifies itself to the client with a unique host key
  - If the client has never communicated with this particular server before, the server's key will be unknown to the client and it will not connect
  - OpenSSH gets around this problem by accepting the server's host key after the user is notified and confirms acceptance of the new host key
- In subsequent connections, the server's host key is checked against the saved version on the client, providing confidence that the client is communicating with the intended server
  - If the host key no longer matches, the user must remove the client's saved version before a connection can occur

OpenSSH Security
- After a certain amount of data has been transmitted using a given key and algorithm (the exact amount depends on the SSH implementation), another key exchange occurs
  - This generates another set of hash values and a new shared secret value
  - If an attacker were able to determine the hash and shared secret value, this information would be useful only for a limited period

Authentication
- Once the transport layer has constructed a secure tunnel to pass information between the two systems, the server tells the client the different authentication methods it supports
  - May be a private key-encoded signature or a password
- The client then tries to authenticate itself to the server using one of these supported methods
- SSH servers and clients can be configured to allow different types of authentication
  - The server can decide which encryption methods it will support based on its security model, and the client can choose the order of authentication methods to attempt from among the available options
  - This gives each side the optimal amount of control

OpenSSH Configuration Files
- moduli - Contains the Diffie-Hellman groups used for the Diffie-Hellman key exchange, which is critical for constructing a secure transport layer
- ssh_config - The system-wide default SSH client configuration file; overridden if one is also present in the user's home directory (~/.ssh/config)
- sshd_config - The configuration file for the sshd daemon
- ssh_host_dsa_key - The DSA private key used by the sshd daemon
- ssh_host_dsa_key.pub - The DSA public key used by the sshd daemon

OpenSSH Configuration Files (Cont'd)
- ssh_host_key - The RSA private key used by the sshd daemon for version 1 of the SSH protocol
- ssh_host_key.pub - The RSA public key used by the sshd daemon for version 1 of the SSH protocol
- ssh_host_rsa_key - The RSA private key used by the sshd daemon for version 2 of the SSH protocol
- ssh_host_rsa_key.pub - The RSA public key used by the sshd daemon for version 2 of the SSH protocol

Contents of a User's ~/.ssh/ Directory
- authorized_keys - Holds a list of authorized public keys for servers. When the client connects to a server, the server authenticates the client by checking its stored signed public key
- id_dsa - Contains the DSA private key of the user
- id_dsa.pub - The DSA public key of the user
- id_rsa - The RSA private key used by ssh for version 2 of the SSH protocol
- id_rsa.pub - The RSA public key used by ssh for version 2 of the SSH protocol
- identity - The RSA private key used by ssh for version 1 of the SSH protocol
- identity.pub - The RSA public key used by ssh for version 1 of the SSH protocol
- known_hosts - Contains the DSA host keys of SSH servers accessed by the user. Very important for ensuring that the SSH client is connecting to the correct SSH server

Starting OpenSSH
- OpenSSH is installed by default during Linux installations
  - Both SSH and SCP share the same configuration file and are governed by the same /etc/init.d/sshd startup script
- Configure SSH to start at boot using chkconfig:
    chkconfig sshd on
- You can also start/stop/restart SSH after script changes:
    service sshd start
    service sshd stop
    service sshd restart
- You must restart the SSH process every time you make a change to the configuration files

/etc/ssh/sshd_config
- /etc/ssh/ssh_config is the SSH client configuration file
- /etc/ssh/sshd_config is the SSH server configuration file
- By default SSH listens on all your NICs and uses TCP port 22

Warning Received When Key Changes
    ssh 172.16.11.2
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that the RSA host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is
    5d:d2:f5:21:fa:07:64:0d:63:1b:3b:ee:a6:58:58:bb.
    Please contact your system administrator.
    Add correct host key in /root/.ssh/known_hosts to get rid of this message.
    Offending key in /root/.ssh/known_hosts:2
    RSA host key for 172.16.11.2 has changed and you have requested strict checking.
    Host key verification failed.
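As an added example that is not part of the original slides, the following Python reproduces the known_hosts check behind this warning and behind the host-key step of the key-exchange slide: it looks a host up (plain or HashKnownHosts-hashed entry), compares the key the server presented with the stored one, reports the "Offending key" line number on a mismatch, and prints both the colon-hex MD5 fingerprint format shown above and the SHA256 form that current OpenSSH prints. The hostnames, key blobs and salt are constructed sample data, not real keys.

```python
import base64
import hashlib
import hmac

def fingerprint(key_b64, algo="md5"):
    """Fingerprint of a base64 key blob: colon-hex MD5 (the slide's 2005-era
    format) or the 'SHA256:<unpadded base64>' form current OpenSSH prints."""
    blob = base64.b64decode(key_b64)
    if algo == "md5":
        return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hashed_hostname(host, salt):
    """HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return f"|1|{base64.b64encode(salt).decode()}|{base64.b64encode(mac).decode()}"

def name_matches(name_field, host):
    """Does the first known_hosts field (comma-separated names, or one
    hashed name) cover this host?"""
    if name_field.startswith("|1|"):
        salt = base64.b64decode(name_field.split("|")[2])
        return hmac.compare_digest(hashed_hostname(host, salt), name_field)
    return host in name_field.split(",")

def check_host_key(known_hosts_text, host, key_type, key_b64):
    """Classify the key a server presented the way strict checking does:
    ('match', line), ('changed', offending_line) or ('unknown', None).
    @cert-authority / @revoked marker lines are not handled here."""
    for lineno, line in enumerate(known_hosts_text.splitlines(), start=1):
        fields = line.split()
        if line.startswith("#") or len(fields) < 3:
            continue
        if fields[1] != key_type or not name_matches(fields[0], host):
            continue
        if hmac.compare_digest(fields[2], key_b64):
            return "match", lineno
        return "changed", lineno  # -> "Offending key in known_hosts:<lineno>"
    return "unknown", None

# Constructed sample data (not real keys): fingerprinting just hashes the blob,
# so any bytes demonstrate it. Line 2 is a hashed entry for the slide's host.
TRUSTED_KEY = base64.b64encode(b"constructed host key blob of 172.16.11.2").decode()
ROGUE_KEY = base64.b64encode(b"constructed blob presented by some other host").decode()
KNOWN_HOSTS = "\n".join([
    "gateway.example.internal,10.0.0.1 ssh-rsa " + TRUSTED_KEY,
    hashed_hostname("172.16.11.2", b"constructed-salt-20b") + " ssh-rsa " + TRUSTED_KEY,
])

if __name__ == "__main__":
    for presented in (TRUSTED_KEY, ROGUE_KEY):
        status, line = check_host_key(KNOWN_HOSTS, "172.16.11.2", "ssh-rsa", presented)
        print(status, line, fingerprint(presented), fingerprint(presented, "sha256"))
```

The second iteration reports "changed" on line 2, which is exactly the situation the slide's warning describes; the fix is to confirm the new fingerprint with the server's administrator out of band before replacing the saved entry.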