Security with SSH Unix System Administration Workshop AfNOG 2007 Hervey Allen.

Slides:



Advertisements
Similar presentations
Sonny J Zambrana University of Pennsylvania ISC-SEO November 2008.
Advertisements

1 Automated SFTP Windows and SUN Linux and SUN. 2 Vocabulary  Client = local=the machine generating the SFTP request  Server = remote = the machine.
NSRC Workshop Some fundamental security concerns... Confidentiality - could someone else read my data? Integrity - has my data been changed? Authentication.
Telnet/SSH Tim Jansen, Mike Stanislawski. TELNET is short for Terminal Network Enables the establishment of a connection to a remote system, so that the.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
Guide To UNIX Using Linux Third Edition
Remote access and file transfer Getting files on and off Bio-Linux.
Firewalls, Perimeter Protection, and VPNs - SANS © SSH Operation The Swiss Army Knife of encryption tools…
Ssh: secure shell. overview Purpose Protocol specifics Configuration Security considerations Other uses.
4-1 PSe_4Konf.503 EAGLE Getting Started and Configuration.
OpenSSH: A Telnet Replacement Presented by Aaron Grothe Heimdall Linux, Inc.
Security & Cryptographic Methods Unix System Administration May 28, 2008 Rabat, Morocco Hervey Allen.
SUSE Linux Enterprise Desktop Administration Chapter 5 Manage the Network Configuration.
SSH. Review 1-minute exercise: Find the open ports on you own VM [Good] nmap [Better] netstat -lpunt.
SUSE Linux Enterprise Server Administration (Course 3037) Chapter 10 Manage Remote Access.
Security & Cryptographic Methods PacNOG 6 Hervey Allen PacNOG 6 Hervey Allen.
The Saigon CTT Chapter 16 Remote Connectivity. The Saigon CTT  Objectives  Explain : telnet rsh ssh  Configure FTP.
Andreas Steffen, , 11-SSH.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen M. Liebi Institute for Internet Technologies and Applications.
| nectar.org.au NECTAR TRAINING Module 5 The Research Cloud Lifecycle.
We will now practice the following concepts: - The use of known_hosts files - SSH connection with password authentication - RSA version 2 protocol key.
AE6382 Secure Shell Usually referred to as ssh, the name refers to both a program and a protocol. The program ssh is one of the most useful networking.
1 Securing Data and Communication. 2 Module - Securing Data and Communication ♦ Overview Data and communication over public networks like Internet can.
CSCE 815 Network Security Lecture 26 SSH and SSH Implementation April 24, 2003.
The Secure Shell Copyright © Software Carpentry 2011 This work is licensed under the Creative Commons Attribution License See
Application Services COM211 Communications and Networks CDA College Theodoros Christophides
Computer Networking From LANs to WANs: Hardware, Software, and Security Chapter 13 FTP and Telnet.
Secure Shell (SSH) Presented By Scott Duckworth April 19, 2007.
SSH Operation The Swiss Army Knife of encryption tools…
Networking in Linux. ♦ Introduction A computer network is defined as a number of systems that are connected to each other and exchange information across.
ORAFACT The Secure Shell. ORAFACT Secure Shell Replaces unencrypted utilities rlogin and telnet rsh rcp Automates X11 authentication Supports tunneling.
SSH Tricks Slide 1 SSH Tricks Matthew G. Marsh. SSH Tricks Slide 2 Overview  SSH –What is it –How does it work  Discussion of Network Topology –Tricks.
Phil Hurvitz Securing UNIX Servers with the Secure.
SSH Tricks for CSF Slide 1 NEbraskaCERT SSH Tricks Matthew G. Marsh 05/21/03.
Team 6 Decrypting Encryption Jeffrey Vordick, Charles Sheefel, and Shyam Rasaily.
| nectar.org.au NECTAR TRAINING Module 5 The Research Cloud Lifecycle.
CPS Computer Security Tutorial on Creating Certificates SSH Kerberos CPS 290Page 1.
PGP Key Management Basic Principals AfNOG 2007 April 26, 2007 Abuja, Nigeria Hervey Allen.
SSH. 2 SSH – Secure Shell SSH is a cryptographic protocol – Implemented in software originally for remote login applications – One most popular software.
1 Example security systems n Kerberos n Secure shell.
Chapter 7: Using Network Clients The Complete Guide To Linux System Administration.
Remote access methods ● SSH ● VPNs ● VNC ● Screen - by Alex Harris.
Security with SSH ccTLD Workshop Samoa Hervey Allen.
1 Free Electrons. Kernel, drivers and embedded Linux development, consulting, training and support. http//free-electrons.com SSH Thomas Petazzoni Free.
OpenSSH – Public Key Authentication ● Jonathan Schipp ● Dubois County Linux User Group ● Nov 7 th 2010 ● jonschipp (at) gmail.com.
Security with SSH ISP Services Workshop SANOG 9 Hervey Allen.
SSH - Lab We will now practice the following concepts: - The use of known_hosts files - SSH connection with password authentication - RSA version 2.
Secure services Unit-IV CHAP-1
Ssh: secure shell.
Programming Tools Most of the programming assignments will require using the C language. We will use a current version of the GCC C compiler. What’s GCC?
PGP Key Management Basic Principals
NTP, Syslog & Secure Shell
Apache Security with SSL Using FreeBSD
cctld Workshop Georgetown, Guyana Hervey Allen
SECURE SHELL MONIKA GUPTA COT 4810.
AFNOG 5 Workshop Hervey Allen
XWN740 X-Windows Configuring and Using Remote Access
Getting SSH to Work Between Computers
PGP Key Management Basic Principals
SSSD and OpenSSH Integration
Lab 7 - Topics Establishing SSH Connection Install SSH Configure SSH
CGS 3175: Internet Applications Fall 2009
SSH Foo KW-LUG Presentation Epoch jasoneckert.net.
PGP Key Management Basic Principles
Preventing Privilege Escalation
Presentation transcript:

Security with SSH Unix System Administration Workshop AfNOG 2007 Hervey Allen

Topics ● Where to get SSH (Secure SHell) ● How to enable and configure SSH ● Where to get SSH clients for Windows ● Authentication of the server to the client (host keys) ● Issues to do with changing of the host key ● Password authentication of the client to the server ● Cryptographic authentication of the client to the server (rsa/dsa keys) ● hostkey exchange, scp, and sftp labs

Main Security Concerns SSH applies directly to dealing with these two areas of security: ● Confidentiality ● Keeping our data safe from prying eyes ● Authentication and Authorization ● Is this person who they claim to be?

Where to Get SSH First see if SSH is installed on your system and what version. Easiest way is: ssh -V If you want or need an updated version of OpenSSH (current version is 4.2) you can go to the following places: /usr/ports/security/openssh-portable/ We recommend using OpenSSH for FreeBSD. Default version installed in FreeBSD 6.1 is OpenSSH Portable version 4.2p1

Enable and Configure OpenSSH On our machines this is already done, but if you did somehing like: /usr/ports/security/openssh-portable/make install ● You should make sure that /etc/rc.conf is set: sshd_enable=”YES” ● Take a look at /etc/ssh/ssh_config and /etc/sshd_config. In sshd_config you might be interested in: PermitRootLogin yes/no (you generally want “no”) We'll be allowing root login, but only with keys in our exercises. There are many options in ssh_config and sshd_config. You should read through these files to verify they meet your expecations.

Where to Get SSH Clients for Windows There are several free, shareware, and commercial ssh clients for Windows: See for a list. A few that support protocol version 2 include: ● Putty: ● OpenSSH for Windows (using Cygwin): ● Secure Shell from ssh.com (free for personal use): m m And WRQ at is a nice product if you are willing to pay.

● If you want a great SSH RSA/DSA key overview Daniel Robbins ex-CEO of gentoo.org has written a 3-part series hosted on the IBM Developer Works pages. ● The three papers and URL's are: OpenSSH Key Management, Part 1 OpenSSH Key Management, Part 2 OpenSSH Key Management, Part 3 Some Useful SSH References

For a comparison of SSH Version 1 and 2 see: An excellent book on SSH is: SSH, The Secure Shell The Definitive Guide, Second Edition. By Daniel J. Barrett, Richard Silverman, & Robert G. Byrnes May 2005 ISBN: More SSH References

SSH Connection Methods Several things can happen when using SSH to connect from your machine (client) to another machine (server): ● Server's public host key is passed back to the client and verified against known_hosts ● Password prompt is used if public key is accepted, or already on client, or ● RSA/DSA key exchange takes place and you must enter in your private key passphrase to authenticate (assuming you have one).

SSH Quick Tips You have a choice of authentication keys - RSA is the default (dsa is fine as well). The files you care about are: /etc/ssh/ssh_config /etc/ssh/sshd_config ~/.ssh/id_dsa and id_dsa.pub ~/.ssh/id_rsa and id_rsa.pub ~/.ssh/known_hosts ~/.ssh/authorized_keys And, note the rsa/dsa host-wide key files in /etc/ssh Be sure that you do “man ssh” and “man sshd” and read the entire descriptions for both the ssh client and ssh server (sshd).

SSH Authentication Private key can be protected by a passphrase So you have to give it each time you log in Or use "ssh-agent" which holds a copy of your passphrase in RAM No need to change passwords across dozens of machines Disable passwords entirely! /etc/ssh/ssh_config # PasswordAuthentication yes

Man in the Middle Attacks The first time you connect to a remote host, remember its public key Stored in ~/.ssh/known_hosts The next time you connect, if the remote key is different, then maybe an attacker is intercepting the connection! Or maybe the remote host has just got a new key, e.g. after a reinstall. But it's up to you to resolve the problem You will be warned if the key changes.

Exchanging Host Keys First time connecting with ssh: ssh The authenticity of host 'pc1.cctld.pacnog2.dnsdojo.net ( )' can't be established. DSA key fingerprint is 91:ba:bf:e4:36:cd:e3:9e:8e:92:26:e4:57:c4:cb:da. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'pc1.cctld.pacnog2.dnsdojo.net, ' (DSA) to the list of known hosts. password: At this point the client has in the file ~/.ssh/known_hosts the contents of pc1.cctld.pacnog2.dnsdojo.net's /etc/ssh/ssh_host_dsa_key.pub. Next connection: ssh password: Now trusted - Not necessarily a good thing...

Exchanging Host Keys Cont. CommandKey Type GeneratedPublic File ssh-keygen -t rsaRSA (SSH protocol 2)id_rsa.pub ssh-keygen -t dsaDSA (SSH protocol 2)id_dsa.pub - Default key size is 1024 bits - Public files are text - Private files are encrypted if you use a passphrase (still text) Corresponding file on the host for host key exchange is “known_hosts”.

Exchanging Host Keys Cont. How does SSH decide what files to compare? Look in /etc/ssh/sshd_config. For OpenSSH version 3 the server defaults to protocol 2. By default OpenSSH version 2 client connects in this order: RSA version 2 key DSA version 2 key Password based authentication (even if RSA version 1 key is present) Pay attention to the “HostKeyAlgorithms” setting in /etc/ssh/ssh_config to help determine this order - or use ssh command line switches to override these settings.

Basic concept to understand how an SSH connection is made using RSA/DSA key combination: – Client X contacts server Y via port 22. – Y generates a random number and encrypts this using X's public key. X's public key must reside on Y. You can use scp to copy this over. – Encrypted random number is sent back to X. – X decrypts the random number using it's private key and sends it back to Y. – If the decrypted number matches the original encrypted number, then a connection is made. – The originally encrypted random number sent from Y to X is the “Magic Phrase” We'll try drawing this as well... SSH - “Magic Phrase”

Now I'll ask you to do the following ● Create public/private keys and copy them between neighbor machines ● Copy your public key to /root/.ssh on neighbor's machine ● Coordinate with your neighbor to update /etc/ssh/sshd_config ● Consider the power of scp -r Exercises

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.