Secure Connections to NERSC Systems Using the Secure Shell (SSH)
Jed Donnelley
6/21/1999
June 2000 Secure Connections to NERSC Systems Using the Secure Shell (SSH)

Using SSH to connect to Unix

  Use                From Unix      From PC/Mac (DataFellows)
  Secure “Telnet”    ssh, slogin
  X Windows          automatic      manually specified
  Data Transfer      scp, ftp       ftp
  Authentication     ssh-keygen     Key generation Wizard
Basic Facilities Offered by SSH

1. An encrypted channel for control (e.g. “Telnet”) communication.
2. Plumbing (aka forwarding, tunneling): multiplexing of forwarded IP communication across the encrypted channel (e.g. for X Windows, FTP, POP, etc.).
3. Authentication: public key authentication for users and servers. Allows use of a single passphrase rather than multiple passwords.

[Diagram: Local Host (SSH Client) -- Secure Channel -- Remote Host (SSH Daemon)]
Simplest form - a secure “Telnet” (“normal” case)

  mordor 1: ssh mcurie
  Host 'mcurie' added to the list of known hosts.
  Password:
  * * * W A R N I N G   W A R N I N G * * *
  U.S. GOVERNMENT COMPUTER
  If not authorized to access this system, disconnect NOW.
  YOU SHOULD HAVE NO EXPECTATION OF PRIVACY.
  By continuing, you consent to your keystrokes and data content being monitored.
  …
  Your terminal type is vt100.
  Your current working directory is /u/mpccc/jed.
  %
Simplest form - a secure “Telnet” (first time connecting to this host)

  mordor 6: ssh
  Host key not found from the list of known hosts.
  Are you sure you want to continue connecting (yes/no)? yes
  Host ’ added to the list of known hosts.
  Creating random seed file ~/.ssh/random_seed.  This may take a while.
  Password:
  Last login: Wed Mar 10 11:07: from gondor.nersc.gov
  No mail.
  Sun Microsystems Inc.   SunOS 5.6   Generic August 1997
  *****************************************************
  Welcome to the primary NERSC Web server.
  Please report any problems or concerns to or x8600
  ******************************************************
  gondor.nersc.gov%
SSH “Telnet” - a PC/Mac Example

[Screenshot of the PC/Mac SSH client connection settings; callout: “Generally recommended”]
PC SSH - the Resulting Connection

[Screenshot of the resulting terminal session]

Note: If you set $DISPLAY you will break X forwarding. You can, however, specify a -display option to xclock.
Example: SSH from Unix

  % ssh killeen
  password:
  …
  Your current working directory is /u/ccc/jed.
  % printenv DISPLAY
  killeen:36.0
  % xclock &
  [1]
  %
Advanced Facilities

1. An encrypted channel for control (e.g. “Telnet”) communication.
2. Plumbing (aka forwarding, tunneling): multiplexing of forwarded IP communications across the encrypted channel (e.g. for X Windows, FTP, POP, etc.).
3. Authentication: public key authentication for users and servers. Allows use of a single passphrase rather than multiple passwords.

[Diagram: Local Host (SSH Client) -- Secure Channel -- Remote Host (SSH Daemon)]
SSH Plumbing: IP Forwarding (Tunneling)

[Diagram: Local Host (SSH Client, User Terminal Input, User Shell, IP Fwd Client, e.g. X, FTP) -- Secure Channel -- Remote Host (SSH Daemon, IP Fwd Server); a non-secure data channel runs alongside, and the forwarded connection and the data channel can run in different directions]

Note: Firewalls may affect this.
SSH Port Forwarding: FTP example

[Diagram: Local (SSH Client, User Terminal Input/output, User Shell, Port Fwd Client, FTP client, S. port) -- Secure Channel -- Remote (SSH Daemon, Port Fwd Server, FTP daemon, D. port); the FTP data connection runs outside the secure channel: not secured]
X Windows Forwarding - Automatic

[Screenshot of the X forwarding setting in the PC client; callout: “Not defaulted on PC”]
Configuration for Forwarded FTP

[Screenshot]
FTP Data Transfer Configuration

PC example: WS_FTP
[Screenshot; callout: “Note: Important for data connections”]
When the Data Connection is Established

[Screenshot]
When the Data Connection Fails

[Screenshot; callout: “Active/Passive mode failure indication”]
Very Similar on a Macintosh

Mac example: “Fetch”
[Screenshots: connection dialog; remote system file list]
FTP Tunneling under Unix

Requires two windows on your local workstation.

In window 1, set up the forwarded port while making a “regular” ssh terminal connection:

  ssh -L forwarded_port:forwarded_host:host_port host

E.g.

  % ssh -L 2000:killeen.nersc.gov:21 killeen.nersc.gov

SSH on your workstation listens for any outgoing connections using port 2000, and forwards them to port 21 on killeen; this is the FTP server port.

In window 2, connect to the forwarded port (any one of):

  % ftp localhost 2000
  % ftp myworkstation.lbl.gov 2000
  % ftp

When prompted to log in, supply the password for the remote system, e.g. killeen. The connection to your workstation on the forwarded port gets sent to port 21 on killeen, where it’s received by the FTP server.

Only the CONTROL CONNECTION (user name and password) is protected by encryption.
Secure Copy (scp) Client on Unix

Syntax:

  scp [-aAqQprvBCL] [-S path-to-ssh] [-o ssh-options] [-P port] [-c cipher] [-i identity] [[user@]host1:]file1 [[user@]host2:]file2

Example:

  % scp test.file killeen.nersc.gov:new.file
  password:
  test.file                 |   0 KB |   0.0 kB/s | ETA: 00:00:00 |  99%
  %

The entire session is protected by encryption.
The Fly in the Ointment

- The fundamental operation of SSH is the terminal connection.
- FTP tunneling requires it, so any system that doesn’t allow a shell won’t allow tunneling (e.g. HPSS).
- scp seems to have a similar limitation, since it doesn’t work to HPSS either.
- Connecting to HPSS securely is something we’re working on. Right now it requires a two-step process to do it securely, using an intermediate machine within NERSC, with the assumption that unsecured transfers between it and HPSS are safe.
Firewalls

There are many ways to set up firewalls, but they can be lumped into two categories:

- “stateful” - connections are remembered and this knowledge may be used in other connections; these are the easiest for users to deal with
- “stateless” - connections have no knowledge of other connections
SSH Port Forwarding: FTP Example

[Diagram repeated from the earlier “SSH Port Forwarding: FTP example” slide: Local (SSH Client, User Terminal Input/output, User Shell, Port Fwd Client, FTP Client, S. port) -- Secure Channel -- Remote (SSH Daemon, Port Fwd Server, FTP Server, D. port); FTP Data Connection: not secured]
FTP - “Active” (Default) Mode

[Diagram: Local Host (FTP Client) and Remote Host (FTP Server), with a Control Connection and a Data Connection]

  Control connection:  client connects to the server, which listens on port 21
  Client:              listens on a data port and sends “PORT” (its address and port)
  Client:              “STOR filename”
  Data connection:     the SERVER connects to the client’s data port
  “filename”’s data ---->
FTP - “Passive” Mode

[Diagram: Local Host (FTP Client) and Remote Host (FTP Server), with a Control Connection and a Data Connection]

  Control connection:  client connects to the server, which listens on port 21
  Client:              “PASV”
  Server:              listens on a data port and replies with its address and port
  Client:              “STOR filename”
  Data connection:     the CLIENT connects to the server’s data port
  “filename”’s data ---->
Firewall Consequences, Active Mode

[Diagram: Local SSH Client (User Terminal Input/output, User Shell, FTP Client, S. port) -- Secure Channel, port 22 -- Remote SSH Daemon (Dest. port, FTP Server, Data port)]

  Outgoing connection (port 22):            OK
  FTP client data port:                     listen
  Server connects back to the client:       incoming connection - blocked!  Never arrives.

Fails.
Firewall Consequences, Passive Mode

[Diagram: Local SSH Client (User Terminal Input/output, User Shell, FTP Client, S. port) -- Secure Channel, port 22 -- Remote SSH Daemon (Dest. port, FTP Server, Data port: listen)]

  Outgoing connection (port 22):            OK
  Client sends “PASV”; client data:         connect
  Client connects out to the server:        outgoing connection - OK!

Succeeds.
“Local” Connections, Local Host

What is a “local” connection?

  or mystation.lbl.gov
  or ?
… as “Local Host” (“Active” mode): fails

[Diagram: Local SSH Client (User Terminal Input/output, User Shell, FTP Client, S. port) -- Secure Channel, port 22 -- Remote SSH Daemon (Dest. port, FTP Server, Data port)]

  FTP client data port:                     listen
  Server sends to the advertised data port: outgoing connection - nobody home?
  Client data:                              never arrives

Fails.
… as “Local Host” (“Active” mode): succeeds

[Diagram: Local SSH Client (User Terminal Input/output, User Shell, FTP Client, S. port) -- Secure Channel, port 22 -- Remote SSH Daemon (Dest. port, FTP Server, Data port)]

  FTP client data port:                     listen - OK
  Server sends to the advertised data port: FTP data connection to the workstation - OK

Succeeds.
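The tunneled-FTP procedure and the active/passive, firewall and “local host” cases above, as an added Python model (not from the slides): it encodes and parses the address field that PORT and PASV carry and predicts whether the data connection comes up. The IP addresses and data port numbers are constructed placeholders standing in for myworkstation.lbl.gov and killeen.

```python
import ipaddress

# Constructed placeholder addresses for this example (not from the slides):
# the user's workstation (myworkstation.lbl.gov) and the FTP server (killeen).
WORKSTATION = "128.3.0.10"
FTP_SERVER = "128.55.0.20"
LOOPBACK = "127.0.0.1"          # what "localhost" resolves to


def encode_hostport(host, port):
    """Encode an IPv4 address and port as FTP's h1,h2,h3,h4,p1,p2 field (RFC 959)."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    octets = str(ipaddress.IPv4Address(host)).split(".")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def decode_hostport(field):
    """Decode h1,h2,h3,h4,p1,p2 back to (host, port); rejects malformed fields."""
    parts = [int(x) for x in field.strip().split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed host/port field: %r" % field)
    return ".".join(str(p) for p in parts[:4]), (parts[4] << 8) | parts[5]


def parse_pasv_reply(reply):
    """Extract (host, port) from a '227 Entering Passive Mode (h1,...,p2)' reply."""
    if not reply.startswith("227") or "(" not in reply or ")" not in reply:
        raise ValueError("not a PASV reply: %r" % reply)
    return decode_hostport(reply[reply.index("(") + 1:reply.index(")")])


def data_connection_outcome(mode, control_host, incoming_blocked):
    """Predict the data connection when the control connection rides the tunnel
    (ftp <control_host> 2000). mode is "active" or "passive"; in active mode
    the client advertises control_host, its own local address, in PORT;
    incoming_blocked means a firewall drops connections arriving at the
    workstation. Returns (succeeds, reason). The data connection never uses
    the SSH tunnel, so even when it succeeds it is unencrypted."""
    if mode == "passive":
        # Server answers PASV with its own listening address; the client then
        # connects outward, which firewalls generally allow.
        reply = "227 Entering Passive Mode (%s)" % encode_hostport(FTP_SERVER, 2001)
        host, port = parse_pasv_reply(reply)
        return True, "client connects out to %s:%d" % (host, port)
    if mode != "active":
        raise ValueError("mode must be 'active' or 'passive'")
    # Active: client listens on a data port and tells the server where via PORT.
    host, port = decode_hostport(encode_hostport(control_host, 2002))
    if host == LOOPBACK:
        return False, "PORT advertises 127.0.0.1; server connects to itself: nobody home"
    if incoming_blocked:
        return False, "incoming connection to %s:%d blocked by firewall" % (host, port)
    return True, "server connects back to %s:%d" % (host, port)
```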
SSH2

The SSH2 protocol is being standardized by the IETF and will shortly become an official standard. The upcoming Internet standard is called SECSH. The SECSH working group at the IETF is defining the SSH 2.x protocol. The goal of the working group is to define an IETF standards-track protocol that will be used by future versions of SSH.
F-Secure SSH Terminal

F-Secure SSH Terminal provides the user with secure login connections over untrusted networks. F-Secure SSH Terminal acts as a replacement for the telnet protocol. The Terminal uses the cryptographic authentication, automatic session encryption, and integrity protection methods that are defined by the SSH protocol. F-Secure SSH Terminal fully supports VT100 terminal emulation.
F-Secure SSH Tunnel

F-Secure SSH Tunnel can be used to create local proxy servers for remote TCP/IP services. The service can be one of the Internet protocols: pop, smtp (used by mail software), http (used by Web browsers), etc., or almost any other TCP/IP based service (e.g. a TCP/IP connection to an RDBMS server). The local proxy server created by F-Secure SSH Tunnel listens on a socket on the desired port, forwards the request and data over the secure channel, and instructs the F-Secure SSH Server to make the connection to the specified service on the remote machine.
SSH2 Protocol Considerations

- The SSH2 server can be configured to spawn an SSH1 protocol handler.
- The SSH2 protocol is safer and the SSH2 client has more capability (sftp).
- Why not support SSH2?
  - Cost? ~2 person months (est. from Systems Group)
  - Performance for SSH1 support? Only a possible problem for very interactive applications.
SSH1/SSH2 Compatibility - PCs

[Compatibility table]

Font/color codes:
  !              - Works
  !!             - Works, server fork
  !!!            - Works, compatibility
  O              - Fails
  ?              - We don’t know
  small italics  - untested
Last Advanced Facility

1. An encrypted channel for control (e.g. “Telnet”) communication.
2. Plumbing: multiplexing of forwarded IP communication across the encrypted channel (e.g. for X Windows, FTP, POP, etc.).
3. Authentication: public key authentication for users and servers. Allows use of a single passphrase rather than multiple passwords.

[Diagram: SSH client -- Secure Channel -- SSH Daemon]
Background: Single Key Encryption

Single Key (traditional) Encryption

  Clear Text (“WE hold these Truths to be self-evident, that all Men are created equal, …”)
     ---- Encrypt using the Shared Secret Key (oijh238ysoid93ww8u38) ---->  Cipher Text
  Cipher Text
     ---- Decrypt using the Shared Secret Key (oijh238ysoid93ww8u38) ---->  Clear Text

The same key is used in both directions. Examples include DES, triple DES, IDEA, Blowfish.
Public Key Encryption

Public Key (dual key) Encryption

  Clear Text (“WE hold these Truths to be self-evident, that all Men are created equal, …”)
     ---- Encrypt using the Public Key ---->  Cipher Text
  Cipher Text
     ---- Decrypt using the Private Key ---->  Clear Text

Some public key schemes have the useful feature:

  Pvt(Pub(Data)) = Pub(Pvt(Data)) = Data   (e.g. RSA)
RSA Public Key Generation

Pick two prime numbers, p and q, and compute n = pq. Next, choose d < n such that d is relatively prime to p-1 and q-1. Now, find e such that d*e - 1 is divisible by (p-1)(q-1). The number n is called the modulus and the key pairs are (d, n) and (e, n).

For example, if you pick p = 23 and q = 29, then n = 667. Choose d = 53, giving e = 93. The key pairs are then (53, 667) and (93, 667).
RSA Public Key Encryption

The "public key" is the pair (p*q, e).
The “private key” is the pair (p*q, d).

Plain text T must be a number between 0 and n-1 = p*q-1.

The encryption function is  encrypt(T) = (T^e) mod p*q = C
The decryption function is  decrypt(C) = (C^d) mod p*q

  decrypt(encrypt(T)) = encrypt(decrypt(T)) = T
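The two RSA slides carried through in Python, as an added example that is not from the slides: key generation follows the recipe above (pick d, then find e) with the slide's own values p = 23, q = 29, d = 53, the encrypt/decrypt identities are checked, and, going beyond the text, a simplified challenge-response shows how a server can verify that a user holds the private key matching an authorized public key (the idea behind the later “Client Authentication Using RSA” slide; the real protocol hashes the challenge before replying).

```python
from math import gcd
import secrets


def mod_inverse(a, m):
    """Return x in 1..m-1 with a*x % m == 1 (extended Euclid); ValueError if none."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("%d has no inverse modulo %d" % (a, m))
    return old_s % m


def rsa_keygen(p, q, d):
    """The slide's recipe: n = p*q; d < n relatively prime to p-1 and q-1;
    e such that d*e - 1 is divisible by (p-1)(q-1).
    Returns ((n, e), (n, d)), i.e. (public key, private key)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < d < n or gcd(d, p - 1) != 1 or gcd(d, q - 1) != 1:
        raise ValueError("d must be < n and relatively prime to p-1 and q-1")
    e = mod_inverse(d, phi)
    assert (d * e - 1) % phi == 0        # the slide's defining condition for e
    return (n, e), (n, d)


def rsa_apply(key, value):
    """encrypt(T) = T^e mod n and decrypt(C) = C^d mod n are one operation with
    different exponents; value must lie between 0 and n-1."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be between 0 and n-1")
    return pow(value, exponent, n)


def rsa_challenge_response(client_public, client_private):
    """Simplified sketch of public-key user authentication: the server encrypts
    a random challenge under the user's public key and accepts only if the
    reply equals the challenge, which requires the matching private key.
    (Real SSH keys use a modulus of about a thousand bits or more; n = 667
    here is a teaching value that anyone could factor by hand.)"""
    n, _ = client_public
    challenge = secrets.randbelow(n)                      # server picks
    encrypted = rsa_apply(client_public, challenge)       # server sends this
    answer = rsa_apply(client_private, encrypted)         # client decrypts
    return answer == challenge                            # server compares


# With the slide's values: p = 23, q = 29 -> n = 667, d = 53 -> e = 93.
PUBLIC, PRIVATE = rsa_keygen(23, 29, 53)
```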
Server Key Discussion

[Diagram: SSH client (User Terminal Input, User Shell, IP Fwd Client, e.g. X, FTP) -- Secure Channel -- SSH Daemon (IP Fwd Server); Server: Private Key, Public Key]
Example Output for a New Host

  % ssh killeen
  Host key not found from the list of known hosts.
  Are you sure you want to continue connecting (yes/no)? yes
  Host 'killeen' added to the list of known hosts.
  password:
  …
  Your current working directory is /u/ccc/jed.
  %
~/.ssh/known_hosts

Example entry in ~jed/.ssh/known_hosts:

  killeen
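The decision behind the “Host key not found … continue connecting (yes/no)?” prompt and the known_hosts file, as an added Python example that is not from the slides. It assumes SSH1's line format “hostname bits exponent modulus”; the sample entries and key numbers are constructed, not killeen's or mcurie's real keys.

```python
# Constructed ~/.ssh/known_hosts contents in SSH1's "hostname bits exponent modulus"
# format. The numbers are made up for this example.
SAMPLE_KNOWN_HOSTS = """\
# hosts whose keys have already been accepted
killeen 1024 35 981273645098127364509812736450981273
mcurie 1024 35 564738291056473829105647382910564738
"""


def parse_known_hosts(text):
    """Parse known_hosts lines into {hostname: (bits, exponent, modulus)}."""
    hosts = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4 or not all(f.isdigit() for f in fields[1:]):
            raise ValueError("malformed known_hosts line %d: %r" % (lineno, line))
        hosts[fields[0]] = tuple(int(f) for f in fields[1:])
    return hosts


def format_known_hosts(hosts):
    """Serialize the mapping back into known_hosts lines."""
    return "".join("%s %d %d %d\n" % ((h,) + k) for h, k in sorted(hosts.items()))


def check_host_key(hosts, host, offered, accept_unknown):
    """Decide what the client does with the key the server just offered.

    Returns "known" (matches the stored key), "added" (first contact and the
    user answered yes, so the key is recorded), "declined" (first contact,
    user answered no) or "mismatch" (the stored key differs: either the
    server was re-keyed or something between you and it is impersonating
    the server). Only "known" and "added" let the login proceed; after
    "added", every later connection's protection rests on that first
    connection having reached the genuine host.
    """
    stored = hosts.get(host)
    if stored is None:
        if not accept_unknown:
            return "declined"
        hosts[host] = offered
        return "added"
    return "known" if stored == offered else "mismatch"
```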
User (Client) Key Discussion

[Diagram: SSH client (User Terminal Input, User Shell, IP Fwd Client, e.g. X, FTP) -- Secure Channel -- SSH Daemon (IP Fwd Server); Server: Private Key, Public Key; Client: Private Key, Public Key]
Example Key Generation, Unix

  gondor.nersc.gov% ssh-keygen
  Initializing random number generator...
  Generating p:  (distance 524)
  Generating q:  (distance 280)
  Computing the keys...
  Testing the keys...
  Key generation complete.
  Enter file in which to save the key (/u/ccc/jed/.ssh/identity):
  Enter passphrase:
  Enter the same passphrase again:
  Your identification has been saved in /u/ccc/jed/.ssh/identity.
  Your public key is:
  Your public key has been saved in /u/ccc/jed/.ssh/identity.pub
  gondor.nersc.gov%
~/.ssh/authorized_keys

Copied from :~/.ssh/identity.pub

Example entry in :~jed/.ssh/authorized_keys:
Client Authentication Using RSA

[Diagram]
For Unix: ssh-agent, ssh-add

  gondor.nersc.gov% ssh-agent csh
  gondor.nersc.gov% ssh-add
  Need passphrase for /u/ccc/jed/.ssh/identity
  Enter passphrase:
  Identity added: /u/ccc/jed/.ssh/identity
  gondor.nersc.gov% ssh mcurie
  * * * W A R N I N G   W A R N I N G * * *
  …
  gondor.nersc.gov% scp test.file mcurie:ssh.file
  gondor.nersc.gov% printenv
  SSH_AUTH_SOCK=/tmp/ssh-jed/agent-socket
  SSH_AGENT_PID=19175
  gondor.nersc.gov%