Ssh: secure shell.

Slides:



Advertisements
Similar presentations
Network Security.
Advertisements

SSH SSH is “Secure SHell” Secure, compressed, widely supported, fast Allows both users to get jobs done, and also allows system administrators to sleep.
SSH Operation and Techniques - © William Stearns 1 SSH Operation and Techniques The Swiss Army Knife of encryption tools…
Telnet/SSH Tim Jansen, Mike Stanislawski. TELNET is short for Terminal Network Enables the establishment of a connection to a remote system, so that the.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
TCP/IP - Security Perspective Upper Layers CS-431 Dick Steflik.
Remote access and file transfer Getting files on and off Bio-Linux.
Firewalls, Perimeter Protection, and VPNs - SANS © SSH Operation The Swiss Army Knife of encryption tools…
Ssh: secure shell. overview Purpose Protocol specifics Configuration Security considerations Other uses.
Telnet/SSH: Connecting to Hosts Internet Technology1.
Course 201 – Administration, Content Inspection and SSL VPN
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
SUSE Linux Enterprise Server Administration (Course 3037) Chapter 10 Manage Remote Access.
Network Security SSH Tunneling David Funk Matt McLaughlin Systems Administrators Computer Systems Support COE, University of Iowa.
Secure Shell for Computer Science Nick Czebiniak Sung-Ho Maeung.
Andreas Steffen, , 11-SSH.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen M. Liebi Institute for Internet Technologies and Applications.
AE6382 Secure Shell Usually referred to as ssh, the name refers to both a program and a protocol. The program ssh is one of the most useful networking.
1 Securing Data and Communication. 2 Module - Securing Data and Communication ♦ Overview Data and communication over public networks like Internet can.
CSCE 815 Network Security Lecture 26 SSH and SSH Implementation April 24, 2003.
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
Application Services COM211 Communications and Networks CDA College Theodoros Christophides
Computer Networking From LANs to WANs: Hardware, Software, and Security Chapter 13 FTP and Telnet.
Secure Shell (SSH) Presented By Scott Duckworth April 19, 2007.
CHAPTER 9 Sniffing.
SSH Operation The Swiss Army Knife of encryption tools…
Linux Security. Module 13 – Linux Security ♦ Overview Linux is more prone today to security loopholes and attacks, both inside and outside the network.
1 Linux Security. 2 Linux is not secure No computer system can ever be "completely secure". –make it increasingly difficult for someone to compromise.
Networking in Linux. ♦ Introduction A computer network is defined as a number of systems that are connected to each other and exchange information across.
ORAFACT The Secure Shell. ORAFACT Secure Shell Replaces unencrypted utilities rlogin and telnet rsh rcp Automates X11 authentication Supports tunneling.
FTP File Transfer Protocol Graeme Strachan. Agenda  An Overview  A Demonstration  An Activity.
Phil Hurvitz Securing UNIX Servers with the Secure.
SSH Tricks for CSF Slide 1 NEbraskaCERT SSH Tricks Matthew G. Marsh 05/21/03.
Server Hardening Moses Ike and Paul Murley TexSAW 2015 Credit to Daniel Waymel and Corrin Thompson.
Linux Services Configuration
XWN740 X-Windows Configuring and Using Remote Access (Chapter 13: Pages )‏
Database Security David Nguyen. Dangers of Internet  Web based applications open up new threats to a corporation security  Protection of information.
SSH. 2 SSH – Secure Shell SSH is a cryptographic protocol – Implemented in software originally for remote login applications – One most popular software.
1 Example security systems n Kerberos n Secure shell.
Chapter 7: Using Network Clients The Complete Guide To Linux System Administration.
Secure Communications ● Cleartext vs. encryption and encapsulation ● Protocols not to use ● SSH – scp/ftp – SSH tunnelling ● VPN.
Remote access methods ● SSH ● VPNs ● VNC ● Screen - by Alex Harris.
1 Free Electrons. Kernel, drivers and embedded Linux development, consulting, training and support. http//free-electrons.com SSH Thomas Petazzoni Free.
OpenSSH – Public Key Authentication ● Jonathan Schipp ● Dubois County Linux User Group ● Nov 7 th 2010 ● jonschipp (at) gmail.com.
Security with SSH Unix System Administration Workshop AfNOG 2007 Hervey Allen.
Security with SSH ISP Services Workshop SANOG 9 Hervey Allen.
Secure services Unit-IV CHAP-1
Working at a Small-to-Medium Business or ISP – Chapter 8
NTP, Syslog & Secure Shell
FTP Lecture supp.
Configuring and Troubleshooting Routing and Remote Access
Radius, LDAP, Radius used in Authenticating Users
Firewall – Survey Purpose of a Firewall Characteristic of a firewall
Managing Software.
XWN740 X-Windows Configuring and Using Remote Access
Fundamental Concepts in Security and its Application Cloud Computing
Getting SSH to Work Between Computers
SSSD and OpenSSH Integration
IS3440 Linux Security Unit 6 Using Layered Security for Access Control
VPN-Implementation Using UBUNTU OS and OpenVPN and Hamachi in client-server environment. By Ruphin Byamungu, Kusinza United States International University-Nairobi.
Telnet/SSH Connecting to Hosts Internet Technology.
SSH SSH is “Secure SHell” Secure, compressed, widely supported, fast
Lab 7 - Topics Establishing SSH Connection Install SSH Configure SSH
– Chapter 3 – Device Security (B)
SSH – the practical solution
Secure Shell & Denial of Service Attacks
Chapter 7 Network Applications
Test 3 review FTP & Cybersecurity
MESSAGE ACCESS AGENT: POP AND IMAP
Presentation transcript:

ssh: secure shell

Poll: You need a password to ssh to another computer True False

overview Purpose Protocol specifics Configuration Security considerations Other uses

ssh purpose A network protocol Uses public-key cryptography to establish a secure connection between hosts Original intention to replace the clear-text telnet protocol Client-server model Requester is the client Target is server Commonly used to connect to a shell remotely Also supports Secure copying Port forwarding Tunneling …

Important Note Two programs needed to make a secure connection SSH client Typically ssh Typically comes enabled on most systems SSH server Typically sshd Typically needs to be installed Configured Running as a service Allows a "one-way" secure connection from client to server If a connection is required in the other direction another client and server pair is required

protocol 2 versions (SSH-1, SSH-2) Version 1 is deprecated Did not use Diffie-Hellman key exchange Server listens on TCP port 22 (default) Authentication based on: Passwords RSA/DSA key pairs Other keys are allowed DSA and RSA are the most widely used algorithms GSSAPI (Kerberos, NTLM)

diffie-hellman

keys For public cryptography each party has 2 keys: Stored on client 1 public, 1 private Keeps private, distributes public For each ID or client Stored on client Server public key(s): ~/.ssh/known_hosts One key for each server you want to go to Client private key: ~/.ssh/id_rsa Stored on server Server private key: /etc/ssh/ssh_host_rsa_key Client public key(s): ~/.ssh/authorized_keys One for each person allowed Note: this is for one-way authentication Another key pair is needed if want to connect the other direction

Sample keys: Public Key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8VXxhszucLV0jOu8GlNt6T/eJYW5VICh1GomcsGfhDRS0nNKMHy9IJvCrT9toj+06pdFt4ODVEcqp40IClZnPxq1duFu/6TrExkDO+LsaZ4M+GWB1sUGIDiPtkafLieN9trUT417RND9/y1nVZ8AutLx3rT15fpi5rN/TJC6A6BIRNeOn/ETTkGB3NT3cytULBh2fWkaBuzZMpUNXgWxgsxMDOpc2NTZQGd59Kn/qUlB94lmB1UCytpkINTn9b9H1bM9kIxfMiuomV1QMJ5A15qMeZiOgTl5qLi63Kotb7WYW7nt6BKTbBVMc9w1kdLNCcRPrYXaMFYCz3+K2ZN1GPAvGdccNeQy9z925UgYnuPbvpj1cMNSEgylZlPXNRjpQKwz6/JcUDTD9brB+eOf7uM1MwSOSLim2baZ+e3bfu/VfmBEnSPAl15Ba9CyOByMDuHlAOsflmeOfmxMM86Jz03xUy+DDmBCBfSztwOaxJSTJMDhq6hY6AUytRzLErOeMFGM0+yTTux3dJX4i2xe4ieZWAlsqCR0yjGTaINAY2iY6IKo8NFjKTLWn8TxgIdCxRKMBbrFOJq7zfomLbZwDcWXl4Wo+7s1mov+SmtwiWuGxLkLMPGDci/W1CGhbcwwLMIYGGHzUQ6wevcwb7GClIlAbnf5dAJi3feTzZGDsIQ== tkombol@tkombol-Latitude-E6320 -----BEGIN RSA PRIVATE KEY-----MIIJKQIBAAKCAgEAvFV8YbM7nC1dIzrvBpTbek/3iWFuVSAodRqJnLBn4Q0UtJzSjB8vSCbwq0/baI/tOqXRbeDg1RHKqeNCApWZz8atXbhbv+k6xMZAzvi7GmeDPhlgdbFBiA4j7ZGny4njfba1E+Ne0TQ/f8tZ1WfALrS8d609eX6Yuazf0yQugOgSETXjp/xE05BgdzU93MrVCwYdn1pGgbs2TKVDV4FsYLMTAzqXNjU2UBnefSp/6lIQfeJZgdVAsraZCDU5/W/R9WzPZCMXzIrqJldUDCeQNeajHmYjoE5eai4utyqLW+1mFu57egSk2wVTHPcNZHSzQnET62F2jBWAs9/itmTdRjwLxnXHDXkMvc/duVIGJ7j276Y9XDDUhIMpWZT1zUYxkCsM+vyXFA0w/W6wfnjn+7jNTMEjki4ptm2mfnt237v1X5gRJ0jwJdeQWvQsjgcjA7h5QDrH5Znjn5sTDPOic9N8VMvgw5gQgX0s7cDmsSUkyTA4auoWOgFMrUcyxKznjBRjNPsk07sd3SV+ItsXuInmVgJbKgkdMoxk2iDQGNomOiCqPDRYyky1p/E8YCHQsUSjAW6xTiau836Ji22cA3Fl5eFqPu7NZqL/kprcIlrhsS5CzDxg3Iv1tQhoW3MMCzCGBhh81EOsHr3MG+xgpSJQG53+XQCYt33k82Rg7CECAwEAAQKCAgEAqQRTBt8yLPvtLRPTtWVb/s3LSchdmxmsFUQGoc8Sur7hiSGANu45oZgIvsWBE7qu3MY5SFHblHxOE972u5kEm5oitgwgkv89laCSQuyoBY9GEjH2BklYlUCTb74bBygtOAIDSeDwk/E+13JooYNlzsS2qvSXSfSaHXAOws8iyN78b+Ob9oMIRZG5cOIgLYj+XtFTPlJnGkAn/+sEn4BwAexTsL8hOy3QG1zL9ipw95pEYKUFTOZUFM6YUexqqY5zr7zB9o0j65Xzgws2S14qJqVgWISzjkcmpkXh+NG+lXZc+1F1ENEgHcsOht0UcMXmpkcS6Ffkat1VTpgrPyMQDFDqgHRJHkrNcW8donE9NE3cmI1vcMgyFo2QSnNS9qFcnINocr1tvR5N1mxxUGeOL9aMURB/Q2A5MP/oZNE7t6OS6ZPL2yBxFP3s6FILUIDxOwTTuO01BHX4urpDrJRmYHQIpir3IkdU9crfg4c7gcXeh0WuW3rmRtVIkTC/hNTA0hYKqCz+aAMnmWofZfETHetOiSYuJYa1FRcIoRsCrJYJhqQs/ktk+k/JAzZXVe2XM/VJVj8/954bdvP1Fn2Pclt4cu8WNUFrjwzjUa6yuBQmF7wr0GO5befYG/LJd5W8JowLwMRW3Yei4Bj9yzr6kop8dzzAzVC7mhw15c1Hlm0CxxEBAN6PlRh2Co6vd7ARQbgUJAIwokF6wuCmdYGaSQ3Y24/VXFtlXD+ugzd46d/g314N2aAW43MddJmT9B+hBt0PuDS4vdXrJaMORo1nqTHRYgw/S3KPygYaF79CB3AA29MOW5WMiauUanUR6ovCLDE9U9p5TzBEmKMgcWbN5z3bll2Hp0AFvENTAD8mVsAmLF7QEF/bWBg/cnbxei42exbDifGK33FH/VI4b8h6GhfpAg4L7Io8zKVAPevJJDMjTdIYxLGJqp79C88m6vkmK1qz7DeA7DuoIdEXL/SZRB2f8x+P31qR4vyVppQTX49PKv2Sz9wPp0Xll2Osy9vbaEKfYdMCggEBANihbHKz6ejzbhH6knq5uVKmx1zmOoO0+U9LDN+NaF0YaSO2g54BzeXQtYkTTR1tH8pxXyEPTfQUSf0pKzJnM+16Tbtr+JEtCk+hcsbfFItawXhOzznhbGTxp1ZSR912C3X41lyq/IPZI5g9LY4vliPHG0A2QUFOnP8UE1IH35mplsZAKy+nW4KekVpHsCUXk+e93rUVTpK2U4Vyi8BEwKFGg591hpdZ8cwwXQ3swMceQ89Mnn4JJjXlavFaGoOEUy5aSCvhGrus8Lif81F2Hae8hfbFhykSbqS3BBElJtpbWMjWfx1QnOFieHya7gfWPXjIDICg1/T9HBL/KZNYTbsCggEAfA+lmMEUGX2ORkMYUzhG6kGZ8M4xm3Cux9PtLR7ZJVBV70yNI6Jv2pg4Jmf/mzo1OZwIpb6hpIpo5sioPsnocNsaVwiBLmdixKgoFHEXKqSNtgqZHtWkryRraO/RmdDDFJYGl/JfdWrLR6SxZbE98Ob2UX2raCNJk3jrkfu50eEwRevsicrWtFz2tp2Q1jk9J3HppXqYn9zzspcD/ih52H8FFux+NTrodOQ7b2CfmJzk+hnyKZup6Kly2F6xno/X9O88gOuljY+wI7o3KJRq9HWVOZv7XcaDIOHeqnTi3ZEhfCceVJZHCPvTpNsIp9kSrSS8paXZweIssR2Y/KpDqQKCAQEApY0Xd8EOrTv7jjnT3343pnZWPSSk6ypOrM5KFD3Y1+xjzSsaApKWa17InOznLenLNcbWUEmF5VXsBVCE9ovwHzgsV2L4Htow2xIiyOCKrsS4vdxceXtQfwQ+QbW3vgMMVyfHiiIRwCEdFqcKPXMYZlcu+C9+Rw5w5G7PJQ1nT+NOmktHta9MO9I6eqf2cSJHof50SCb0WSKFSaJ0ModYPufIhwAlz1ypcMY1FwMrgAAdCjsflGohjWa6B6A4SvHBL9dG+GGbMHnFrRJvvH1rxFhKeIAT/stbSv2iWgfuXUkZ3MIvepO0kHnUYkV0SwDrEXawN0y0PUGBRvNBLp15KQKCAQA6hhbTIQ8vRsM8ZkzkuJs5HiFLIAAKsqs0fanIDjjhxvvjSd+DZajqcNniCj4yQMGYOcTj4jFBVJQhdLkwZ6h+o1OhbSaecdWuk8y3B02AKRbzlsSTWRwsOVYQkCEXuYWp+g/CKFCWgXwsI7KDwcCAny1hpvCWBxk0JsYBtwbbk2yb4TB0hCekzfP2aSu0LQoKm1VGGeENQVpnB6rcdVHeuMUmPfOci8XTSKhOzm54sXm/sx/44eF4wfmd35QhChVay9U23BCb3czoncOhWZ2nk1gP4OvNbTA50XhfYl0VKOcnwQIqrIjHXUmq6zf34/n6O6YSXr5gBHTCupvtVR/3-----END RSA PRIVATE KEY-----

configurationclient Example: open-ssh Install the openssh package Create keys ssh-keygen -t rsa -b 4096 Creates id_rsa and id_rsa.pub keys in ~/.ssh/ Give your public key to the ssh server in ~/.ssh/authorized_keys Your private key will be used from ~/.ssh/id_rsa Most systems come with ssh (client) installed

configurationserver Install the openssh-server package Configuration file is located in /etc/ssh/sshd_conf listening port protocol (1 or 2) authentication specifics Most systems do not come with sshd (server) installed Security concern

configurationserver Show config files on ajklinux2 /etc/ssh

Three common ways to authenticate Userid/password Must have a valid userid and pw on the target Can be disabled on the target Keypair Must have the proper key data on the client and target Identifies valid clients Identifies valid targets No need for a password if the keys are set up properly If Userid/password is disabled on the server, then only users from specific clients can access that Keypair and PW For the really paranoid Must have the keys set up properly Must supply another password for the pair Different than the normal UID/PW

Use example scp: Users can transfer files from client to server Generic source/destination syntax:     user@computer:/path/to/file   So, to copy a file (/home/johnny/file.txt) from Debian to CentOS (/home/alice/file.txt) what are the values for the command? scp username@<source_comp>:/path/to/file username@<dest_comp>:/path/to/file Note: this can copy from any computer to any computer (remote or local that has an appropriate key pair for each user on the computers

security considerations ssh is often a target of (automated) attacks as outside parties try to gain access to a system Brute-force attacks target port 22 (default) try to login using common usernames and passwords (only effective against password-based authentication) Prevention: use key-based authentication (with >2048 bit length) change the port sshd listens on use tools to block access after n failed login attempts (denyhosts, fail2ban)

Tool: denyhosts One of many utilities to detect and block brute-force attacks against secure shell IPS Blocks attacker IP addresses using TCP wrappers Capable of downloading and sharing attacker information with other users Default configuration usually acceptable

tcp wrapper Host-based Network ACL Filters network access to network services Services must be compiled against it Most are these days Files /etc/hosts.allow /etc/hosts.deny

other uses X11 forwarding SOCKS Proxy ssh -X user@host SOCKS Proxy ssh -ND 9999 user@host File transfers (SSH FTP, Secure Copy) sftp user@host (put/get/ls, etc.) scp srcFile user@host:dir/destFile

Hak5 SSH assignment: Video: fair game for the test Watch Hak5 video: https://www.youtube.com/watch?v=S-G9yaxw0rc 1st segment SSH starts 2:15 in (18:01) Ad 13:30-14:00 2nd segment continues to 5:15 (19:21) At 7:00 continues with Windows and PuTTY example to 18:30 3rd segment (22:11) Linux example Configuring SSH server Done at 16:45 (ads and wrap-up) Show notes: http://hak5.org/episodes/hak5-1109 Video: fair game for the test

A PW is not required for ssh if: Using scp A key pair for a valid user has been setup on the client and server TCP is used A PW is always required to be typed in on the client

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.