SSH – Secure Shell

Presentation transcript:

SSH

2 SSH – Secure Shell
SSH is a cryptographic protocol
– Implemented in software originally for remote login applications
– One of the most popular programs implementing SSH is PuTTY
– Download and test for free
– ad.html
– You need a login account on a server (usually Linux) supporting logins through SSH
Servers usually operate SSH at TCP port 22
– What is a TCP port?

3 SSH Protocol Basics
Host authentication (to the user)
– Known hosts
  Server on the list of trusted hosts on client machine
  Danger of spoofing
User authentication (to the server)
– Password based
  User enters a username and password
  Sent encrypted with Server’s public key
– RSA/DSA
  Server maintains copy of user’s public key
  Method 1: signed session id: The client signs a session id. The server verifies it with the corresponding public key
  Method 2: challenge-response: Server encrypts a random number with the user’s public key; Client proves identity by decrypting it.
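The known-hosts check from slide 3, as an added example that is not part of the original slides: it classifies the key a server presents against an OpenSSH-style known_hosts file, including hashed host entries. The key blobs, the salt and the address 192.0.2.10 are constructed placeholders; wildcard patterns and marker lines are assumed out of scope and skipped.

```python
import base64
import hashlib
import hmac

def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()

def hashed_entry(host: str, salt: bytes) -> str:
    """Build a hashed host field: |1|salt|HMAC-SHA1(salt, host)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return f"|1|{_b64(salt)}|{_b64(mac)}"

def host_matches(field: str, host: str) -> bool:
    """Match a known_hosts host field, hashed or a comma-separated list."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(mac_b64))
    return host in field.split(",")

def check_host_key(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """Classify the key a server presents: trusted, changed or unknown."""
    host_seen = False
    for line in known_hosts.splitlines():
        fields = line.split()
        # Skip blanks, comments and marker lines (@revoked, @cert-authority).
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        if host_matches(fields[0], host) and fields[1] == key_type:
            if fields[2] == key_b64:
                return "trusted"
            host_seen = True  # same host and key type, different key
    return "changed" if host_seen else "unknown"

# Constructed sample data: the key blobs are placeholders, not real keys.
KEY_A = _b64(b"constructed host key A")
KEY_B = _b64(b"constructed host key B")
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts file",
    f"thoth.dsunix.net,192.0.2.10 ssh-ed25519 {KEY_A}",
    f"{hashed_entry('sshserver.company.com', b'constructed-salt')} ssh-ed25519 {KEY_B}",
])

if __name__ == "__main__":
    for host, key in [("thoth.dsunix.net", KEY_A), ("sshserver.company.com", KEY_A),
                      ("other.example.org", KEY_A)]:
        print(host, check_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key))
```

A "changed" result is the spoofing warning case: the host is on the trusted list but the presented key differs, so the connection should stop until the new key is verified out of band.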

4 Uses and Advantages of SSH
SSH overcomes the limitation of Telnet
– Of transmitting passwords in clear on networks on the way to the server
Originally designed for remote login
– But can also be used for encrypted file transfer
Increasingly used to transport other applications
– This is called SSH port forwarding or tunnelling

5 SSH-Architecture
Client-Server architecture
An SSH server program listens on a computer’s TCP port 22
An SSH Client program (e.g. PuTTY) requests connection to the server
Disconnects when finished
Or when server announces time out
[Diagram labels: SSH Server, SSH Client, port 22, On Desktop, e.g. on thoth.dsunix.net]

6 SSH - Software
Several implementations for both SSH Client and Servers exist
– PuTTY is just one of them (and the most popular)
Linux:
– Client: OpenSSH Client (most popular)
  Run at the command line with the command “ssh”
– Server: OpenSSH Server (most popular)
  Either starts automatically at startup or by typing command “sshd” (stands for ssh daemon)
Windows:
– Client: PuTTY (most popular) - Has a GUI
– Server: SSH Server by OpenSSH
  Uncommon but not impossible to have SSH Server on Desktop machine

7 User Agent Role
S/MIME uses Public-Key Certificates - X.509 version 3 signed by Certification Authority
Functions:
– Key Generation - Diffie-Hellman, DSS, and RSA key-pairs.
– Registration - Public keys must be registered with X.509 CA.
– Certificate Storage - Local (as in browser application) for different services.
– Signed and Enveloped Data - Various orderings for encrypting and signing.

8 SSH Software usage
SSH provides a virtual terminal
– User almost feels as if she is using the remote system
– In reality, she is only connected to the remote system
Same in Telnet too, but there the transmitted data is unencrypted
– In SSH, all data is encrypted
SSH can also be used for remote command execution
– Syntax: ssh -l username hostname command
– E.g. ssh -l malladis thoth.dsunix.net 'rm index.html'

9 User Agent Role
Example: Verisign
– Class-1: Buyer’s e-mail address confirmed by e-mailing vital info.
– Class-2: Postal address is confirmed as well, and data checked against directories.
– Class-3: Buyer must appear in person, or send notarized documents.

10 File transfer with SSH
FTP transfers files in the clear
– SSH can be used to do encrypted file transfer
– Also termed SCP (Secure Copy)
WinSCP is software that implements SCP
– Available for free download
– Has a GUI
Command line SCP tools require the command
– pscp

11 Port Forwarding in SSH
Use of SSH from a different port
Enables the use of SSH for insecure TCP/IP applications (such as e-mail, web browsing etc.)
Also to bypass firewalls
– How?
Port forwarding can solve problems
– See next slide

12 SSH Port forwarding NOTE: Same host need not host SSH, Mail, Database and VNC (as in this picture).

13 A Problem
Consider the situation
– Say an employee at a company is away from office
– Wants to access her IMAP by connecting to an internal host in the corporate network, remotely
– But the IMAP port (143) is blocked by the corporate firewall
Normally this would mean she can’t read her

14 A Problem (continued)
But say the SSH port (22) is open on the firewall
And she has an account on an internal machine that runs an SSH server
She can then set up an “SSH tunnel” from a local port on her client PC, through the SSH server and on to the desired application (in this case, the mail server on port 143).
Next she can connect her mail client to the local port (from which she set up an SSH tunnel to port 22)
– The connection is forwarded to the desired application (the mail server)

15 Secure Tunnel
Set up command (also possible in PuTTY):
ssh -l loginname -L 1143:mailserver:143 sshserver.company.com
(user is prompted for password)
[Diagram labels: Company Network, Firewall, Port 1143, Port 22, Port 143, Internet, Secure SSH Tunnel]

16 To use it:
In the client settings, incoming mail server has to be set to and port number for IMAP to 1143:
– Note that host name localhost or IP address refer to the local machine

17 Port forwarding – more examples
Say your academic institution subscribes to journals and articles from various websites
– Where authentication is based on the institution’s IP address range
– Meaning that only people within the institution (physically) can get access
But if you can forward a local port to the Web Proxy via an SSH server accessible from outside, you can appear to websites as though you are accessing from within your institution

18 Security of port forwarding
Good aspects of port forwarding
– Secure access to insecure services
  Can transport any kind of application – e-mail, web browsing, file transfer etc.
– Bypassing firewalls
  Forces users to only access internal services securely
Bad aspects
– Gives users (and consequently attackers) the means to access arbitrary internal services
– Since only password authentication is used, all an attacker needs is the password of any one user on the SSH server
  And then, for example, browse the company’s intranet
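A server-side check for the two "bad aspects" on slide 18, as an added example that is not part of the original slides: it reads an OpenSSH sshd_config and reports when forwarding can reach arbitrary internal services or is reachable with a password alone. AllowTcpForwarding, PermitOpen and PasswordAuthentication are OpenSSH keywords; the two sample configurations are constructed, and Match blocks are assumed out of scope.

```python
# OpenSSH's documented defaults for the three keywords this check reads.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "permitopen": "any",
    "passwordauthentication": "yes",
}

def effective_settings(config_text: str) -> dict:
    """Global sshd_config values; the first occurrence of a keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":  # assumption: conditional blocks are not evaluated
            break
        if len(parts) == 2:
            seen.setdefault(keyword, " ".join(parts[1].lower().split()))
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}

def forwarding_findings(config_text: str) -> list:
    """List the slide's two risks that the configuration leaves open."""
    s = effective_settings(config_text)
    findings = []
    local_forwarding = s["allowtcpforwarding"] in ("yes", "all", "local")
    if local_forwarding and s["permitopen"] == "any":
        findings.append("forwarding may target any internal host and port")
    if local_forwarding and s["passwordauthentication"] == "yes":
        findings.append("one user's password is enough to open a tunnel")
    return findings

# Constructed sample: the only forwarding line is commented out, so defaults apply.
WEAK = """
Port 22
#AllowTcpForwarding no
"""

# Constructed sample: key-based login only, forwarding limited to the mail server.
HARDENED = """
PasswordAuthentication no
AllowTcpForwarding local
PermitOpen mailserver:143
"""

if __name__ == "__main__":
    print("weak:", forwarding_findings(WEAK))
    print("hardened:", forwarding_findings(HARDENED))
```

The hardened sample still allows the IMAP tunnel from slide 15, but nothing else on the internal network.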