SSH Security vs. Automation

Presentation on theme: "SSH Security vs. Automation"— Presentation transcript:

1 SSH Security vs. Automation
Berlin | | System Engineer. Welcome; introduce. Who is not using SSH for remote access and administration? What are they using instead? License:

2 Do what?!
ssh devwoi01
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is 0e:04:22:52:b1:64:bd:5f:4f:30:88:06:13:cf:3d:e8.
Please contact your system administrator.
Add correct host key in ~/.ssh/known_hosts to get rid of this message.
Offending RSA key in ~/.ssh/known_hosts:180
remove with: ssh-keygen -f "~/.ssh/known_hosts" -R devwoi01
RSA host key for devwoi01 has changed and you have requested strict checking.
Host key verification failed.
What do you do? A permanent problem in dynamically virtualised environments.

3 Basics

4 Authentication
Password; key-based; passphrase vs. password.

5 Communication Human2Machine

6 Communication Machine2Machine Ask on first connect.

7 Ancestors

8 Telnet

9 Rlogin
Host auth: source port only. No encryption for password auth. Versions with Kerberos exist. OpenSSH_ project goals: „Since telnet and rlogin are insecure ...“

10 RSH
Host auth: IP address, source port. Usually available with Kerberos.

11 SSH
Password auth: local db. Host auth: cert based, ask on first connect.

12 Approaches

13 Maintain ssh_known_hosts
man ssh(1): „This file should be prepared by the system administrator to contain the public host keys of all machines in the organization.“ Maintain a global ssh_known_hosts and deploy it with the configuration (i.e. YADT/stand). Permanent changes.

14 Deploy Private Key
Deploy the host key at (re)installation. Reduces changes in known_hosts to adding/removing only. But: private keys shouldn't leave the system; a single point holds all private keys; injection? Access to the repo → free access → only DNS security, as with RSH.

15 SSHFP Resource Record
Something more centralised: fingerprint via DNS. Sounds great (no questions on first connect), but: insecure without DNSSEC. Without it, ssh still asks on first connect (asks but doesn't add). How to add entries? (Suggestion by Jan-Piet Mens: reverse lookup on connect.)
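The three slides above (the changed-key warning, a centrally maintained ssh_known_hosts, and SSHFP records) all revolve around the same object: the host's public key blob and the hashes derived from it. The following Python is an added example, not code from the talk or from OpenSSH. It builds a constructed (far too small) ssh-rsa key blob, computes the MD5 colon fingerprint shown in the warning and the SHA256 form newer OpenSSH prints, emits the SSHFP record content that ssh-keygen -r would produce (RFC 4255/6594), and checks a presented key against a known_hosts file, including HashKnownHosts-style hashed entries and @revoked lines. The host name devwoi01 is taken from the slide; every key value is made up. Wildcards, [host]:port patterns and @cert-authority lines are deliberately not modelled.

```python
import base64
import hashlib
import hmac
import os
import struct

# --- SSH wire-format helpers (RFC 4251) and a constructed sample key --------
def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n: int) -> bytes:
    # big-endian, with a leading 0x00 byte if the top bit would be set
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def make_rsa_blob(e: int, n: int) -> bytes:
    """Public key blob as it appears base64-encoded in known_hosts: "ssh-rsa", e, n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

# Constructed toy moduli (no security value); OLD_KEY is what the admin deployed,
# NEW_KEY is what the reinstalled VM presents.
OLD_KEY = make_rsa_blob(65537, int("c0ffee" * 20, 16))
NEW_KEY = make_rsa_blob(65537, int("decade" * 20, 16))

def b64(b: bytes) -> str:
    return base64.b64encode(b).decode()

# --- Fingerprints: the two formats ssh prints --------------------------------
def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated hex form, like 0e:04:22:... in the slide's warning."""
    return ":".join(f"{x:02x}" for x in hashlib.md5(blob).digest())

def fingerprint_sha256(blob: bytes) -> str:
    """SHA256:<base64 without padding>, the form newer OpenSSH releases print."""
    return "SHA256:" + b64(hashlib.sha256(blob).digest()).rstrip("=")

# --- SSHFP records (RFC 4255 / RFC 6594) -------------------------------------
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}

def sshfp_records(host: str, keytype: str, blob: bytes) -> list:
    """Same content ssh-keygen -r emits: fingerprint type 1 = SHA-1, 2 = SHA-256."""
    algo = SSHFP_ALGO[keytype]
    return [f"{host} IN SSHFP {algo} 1 {hashlib.sha1(blob).hexdigest()}",
            f"{host} IN SSHFP {algo} 2 {hashlib.sha256(blob).hexdigest()}"]

# --- known_hosts entries, plain and hashed -----------------------------------
def plain_entry(host: str, keytype: str, blob: bytes) -> str:
    return f"{host} {keytype} {b64(blob)}"

def hashed_entry(host: str, keytype: str, blob: bytes, salt: bytes = None) -> str:
    """HashKnownHosts / ssh-keygen -H form: |1|<salt>|<HMAC-SHA1(salt, host)>."""
    salt = salt if salt is not None else os.urandom(20)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return f"|1|{b64(salt)}|{b64(mac)} {keytype} {b64(blob)}"

def host_matches(field: str, host: str) -> bool:
    for pat in field.split(","):
        if pat.startswith("|1|"):
            _, _, salt_b64, mac_b64 = pat.split("|")
            mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(mac, base64.b64decode(mac_b64)):
                return True
        elif pat == host:  # wildcards, negation and [host]:port are not modelled
            return True
    return False

def check_host_key(known_hosts: str, host: str, keytype: str, blob: bytes) -> str:
    """Return 'match', 'changed', 'revoked' or 'unknown' for the key a server presented."""
    seen = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) < 3 or marker == "@cert-authority":
            continue  # CA lines validate host certificates, not raw keys; not modelled
        hosts, ktype, stored = fields[0], fields[1], base64.b64decode(fields[2])
        if not host_matches(hosts, host) or ktype != keytype:
            continue
        if marker == "@revoked":
            if stored == blob:
                return "revoked"
            continue
        seen = True
        if stored == blob:
            return "match"
    return "changed" if seen else "unknown"  # 'changed' is the slide-2 situation

def rotate_entry(known_hosts: str, host: str, keytype: str, new_blob: bytes) -> str:
    """Controlled rollout instead of hand-editing: drop the superseded key, add the new one."""
    kept = []
    for line in known_hosts.splitlines():
        fields = line.split()
        if (len(fields) >= 3 and not fields[0].startswith("@")
                and host_matches(fields[0], host) and fields[1] == keytype):
            continue
        kept.append(line)
    kept.append(plain_entry(host, keytype, new_blob))
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    kh = "# global ssh_known_hosts, deployed with the configuration\n"
    kh += plain_entry("devwoi01", "ssh-rsa", OLD_KEY) + "\n"
    print("old key presented:", check_host_key(kh, "devwoi01", "ssh-rsa", OLD_KEY))
    print("new key presented:", check_host_key(kh, "devwoi01", "ssh-rsa", NEW_KEY),
          fingerprint_md5(NEW_KEY), fingerprint_sha256(NEW_KEY))
    kh = rotate_entry(kh, "devwoi01", "ssh-rsa", NEW_KEY)
    print("after rollout:", check_host_key(kh, "devwoi01", "ssh-rsa", NEW_KEY))
    print("\n".join(sshfp_records("devwoi01", "ssh-rsa", NEW_KEY)))
```

The point of rotate_entry is the one the slide makes: when a VM is reinstalled, the new host key should reach the global file through the same deployment channel as the rest of the configuration, so that users never see the "REMOTE HOST IDENTIFICATION HAS CHANGED" banner for a legitimate rebuild and therefore keep treating it as a real alarm. The SSHFP output is what would go into the zone; the slide's caveat stands, since without DNSSEC a spoofed answer would carry an attacker's fingerprint just as easily.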

16 SSH + Kerberos
Host key problem: asks at first connect. StrictHostKeyChecking no|yes|ask

17 SSH + PKI
5.4: first PKI, 5.6: host certs
ssh-dss

18 RSH + Kerberos
RSH with Kerberos prevents the man-in-the-middle attack.

19 Graphics Licences Tango Desktop Project: Public Domain
GNOME Disks: LGPL v2+ NetworkManager project: GPL v2 openclipart/jean_victor_balin: Public Domain openclipart/olo: Public Domain OpenBSD/Theo de Raadt/OpenBSD group: „it is our intent that anyone be able to use these images to represent OpenBSD in a positive light. So enjoy them and let the world see them, if that is your wish.“

20 Thank you very much!
Please contact me for further questions and discussions. Contact: Immobilien Scout GmbH, Andreasstraße 10, 10243 Berlin. Fon: URL:

