Presentation is loading. Please wait.

Presentation is loading. Please wait.

OpenSSH (SSH - Secure SHell) Silvio C. Sampaio Doctoral Programme in Informatics Engineering PRODEI011 - Computer Systems Security –

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "OpenSSH (SSH - Secure SHell) Silvio C. Sampaio Doctoral Programme in Informatics Engineering PRODEI011 - Computer Systems Security –"— Presentation transcript:

1 OpenSSH (SSH - Secure SHell) Silvio C. Sampaio silviocs@fe.up.pt Doctoral Programme in Informatics Engineering PRODEI011 - Computer Systems Security – 2009/10

2 Silvio C. Sampaio 2 Outline Overview Protocol details Experiments References

3 PRODEI011 - Computer Systems Security – 2009/10 Silvio C. Sampaio 3 Overview: What is OpenSSH? “OpenSSH is a FREE version of the SSH connectivity tools that technical users of the Internet rely on”. (SOURCE: http://www.openssh.com/) SSH is a set of standards and associated protocols to establish a secure channel between two computers.  Covers authentication, encryption, and data integrity.  Originally, a replacement of insecure applications like telnet and some others “r-commands”

4 PRODEI011 - Computer Systems Security – 2009/10 Silvio C. Sampaio 4 Overview: History and Development In 1995, Tatu Ylönen, a researcher at Helsinki University of Technology, Finland, designed the first version of the protocol (now called SSH-1) "Secsh" was the official Internet Engineering Task Force's (IETF) name for the IETF working group responsible for version 2 of the SSH protocol.  In 1996, a revised version of the protocol, SSH-2, was adopted as a standard.  This version is incompatible with SSH-1. A complete description about the history and development of the SSH can be found at [1].

5 PRODEI011 - Computer Systems Security – 2009/10 Silvio C. Sampaio 5 Overview: SSH Features Secure Remote Logins Secure File Transfer and Backup Secure Remote Command Execution Keys and Agents Access Control Port Forwarding and Tunneling

6 PRODEI011 - Computer Systems Security – 2009/10 Silvio C. Sampaio 6 Overview: Some SSH Implementations Source: Daniel J. Barrett, Richard E. Silverman, and Robert G. Byrnes – SSH: The Secure Shell (The Definitive Guide), O'Reilly 2005 (2nd edition).

7 PRODEI011 - Computer Systems Security – 2009/10 Silvio C. Sampaio 7 Protocol details: Introduction The SSH protocol ensures that all communication over the network is secure through the following safeguards:  Encryption of data during transmission to protect privacy  Prevention of data corruption, whether deliberate or otherwise, through integrity checking  Authentication of users and hosts to prevent unauthorized logins/connections  Authorization or controlling access and privileges  Protection of other TCP/IP sessions through tunneling or forwarding

8 PRODEI011 - Computer Systems Security – 2009/10 Silvio C. Sampaio 8 Protocol details: Authentication Methods Different methods can be used to authenticate users and servers in SSH Secure Shell.  These authentication methods can be combined or used separately, depending on the level of functionality and security you want. Methods:  For Server authentication: Public-Key Authentication Certificate Authentication  For Users authentication: Password Authentication Public-Key Authentication Host-Based Authentication Certificate Authentication Kerberos Authentication Pluggable Authentication Module (PAM) SecurID

9 PRODEI011 - Computer Systems Security – 2009/10 Silvio C. Sampaio 9 Protocol details: Architecture The Architecture of an general SSH System Source: Daniel J. Barrett, Richard E. Silverman, and Robert G. Byrnes – SSH: The Secure Shell (The Definitive Guide), O'Reilly 2005 (2nd edition).

10 PRODEI011 - Computer Systems Security – 2009/10 Silvio C. Sampaio 10 Protocol details: Architecture of SSH1 The Architecture of an SSH1 System Source: Daniel J. Barrett, Richard E. Silverman, and Robert G. Byrnes – SSH: The Secure Shell (The Definitive Guide), O'Reilly 2005 (2nd edition).

11 PRODEI011 - Computer Systems Security – 2009/10 Silvio C. Sampaio 11 Protocol details: Architecture of SSH2 The Architecture of an SSH2 System Source: Daniel J. Barrett, Richard E. Silverman, and Robert G. Byrnes – SSH: The Secure Shell (The Definitive Guide), O'Reilly 2005 (2nd edition).

12 PRODEI011 - Computer Systems Security – 2009/10 Silvio C. Sampaio 12 Protocol details: SSH1 x SSH2 SSH1 is older, slower protocol with significant security problems SSH2 is the newest, most efficient protocol  Resolves all known weaknesses in SSH1 security  IETF standard SSH1 “hardcodes” most of it’s cryptography SSH2 negotiates cryptographic algorithms at runtime  Makes it easier to use internationally A good summary of the difference between versions 1 and 2 of the SSH protocol can be found at: http://www.snailbook.com/faq/ssh-1-vs-2.auto.html http://www.snailbook.com/faq/ssh-1-vs-2.auto.html

13 PRODEI011 - Computer Systems Security – 2009/10 Silvio C. Sampaio 13 Protocol details: SSH1 x SSH2 The major differences between SSH-1 and SSH-2 are, namely [1]:  Expanded algorithm negotiation between client and server  Multiple methods for key-exchange  Certificates for public keys  More flexibility with authentication, including partial authentication  Stronger integrity checking through cryptography  Periodic replacement of the session key (“rekeying”)

14 PRODEI011 - Computer Systems Security – 2009/10 Silvio C. Sampaio 14 Protocol details: Algorithms Used SSH-1 Ciphers 3DESIDEARC4DES(Blowfish) SSH1xxoox OpenSSHx---x SSH-2 Ciphers 3DESBlowfishTwofishCAST-128IDEARC4 SSH2xxx--x F-Secure SSH2 xxxx-x OpenSSH xx-x-x x : The implementation supports the algorithm and is included in the default build. o : The implementation supports the algorithm, but it isn't included in the default build (it must be specifically enabled when compiling). - : The implementation doesn't support the algorithm.

15 PRODEI011 - Computer Systems Security – 2009/10 Silvio C. Sampaio 15 Exp #1: Secure Remote Login (1) Remote Login  Command line ssh user@servidor ssh –l user servidor  Using some ssh client  At the first connection Cliente(known_hosts) += Server(ssh_host_rsa_key.pub)

16 PRODEI011 - Computer Systems Security – 2009/10 Silvio C. Sampaio 16 Exp #1: Secure Remote Login (2) X11 Forwarding  Automatic on Linux/Unix client ssh –X user@servidor  Windows client: XServer is needed (e.g. Xming) Some applications (e.g. PuTTy) has especific configurations (but you can always use the comand export DISPLAY=Client_IP)

17 PRODEI011 - Computer Systems Security – 2009/10 Silvio C. Sampaio 17 Exp #2: Secure File Copy Secure copy Copies files between host machines Authenticates user and host Encrypts copied data during transmission If keys are set up correctly for the user, no password entry will be required for access to remote machine. Ex: scp [[user@]host1:]file1 […] [[user@]host2:]file2  scp ssampaio@192.168.0.11:/tmp/test.txt.  scp -r ~/simulations/* ssampaio@192.168.0.11:/tmp/.

18 PRODEI011 - Computer Systems Security – 2009/10 Silvio C. Sampaio 18 Exp #3: Secure Remote Command Execution Executes command(s) on a remote machine from a local machine Authenticates user and host Encrypts transmitted data between machines If keys are set up correctly for the user, no password entry will be required for access to remote machine. Ex: ssh [user@]machine command  ssh ssampaio@192.168.0.11 ls -la

19 PRODEI011 - Computer Systems Security – 2009/10 Silvio C. Sampaio 19 Exp #4: Port Forwarding and Tunneling Experiment assumptions: Servidor POP3: pop3.server.com, porta 110 Servidor SMTP: smtp.server.com, porta 25 Seu “username” em server.com: user ssh -L7110:pop3.servidor.com:110 - L7025:smtp.server.com:25 user@server.com  Sintaxe: -L localport:server:remoteport In the webmail client:  Replace the POP3 pop3.servidor.com by localhost and the port 110 by 7110  Replace the POP3 smtp.servidor.com by localhost and the port 25 by 7025

20 PRODEI011 - Computer Systems Security – 2009/10 Silvio C. Sampaio 20 Exp #5: Automatic Authentication Key creation  ssh-keygen -t rsa  ssh-keygen -b 1024 -t rsa Enter file in which to save the key (/home/ac/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Just to make sure!!!: chmod 0600 ~/.ssh/id_rsa Copying the key to remote servers  scp ~/.ssh/id_rsa.pub remote_user@remote_host:rsa.pub_imported  ssh remote_user@remote_host  cat rsa.pub_imported >>.ssh/authorized_keys Testing  ssh remote_user@remote_host (and i hope it works!!!)

21 PRODEI011 - Computer Systems Security – 2009/10 Silvio C. Sampaio 21 Exp #6: File Transfer SFTP  SFTP stands for ‘Secure File Transfer Protocol’. It provides secure file transfer functionality over any reliable data stream. It uses SSH.  SFTP protocol runs on secure channel.  Encrypts all traffic (including passwords) to effectively.  Provides variety of authentication methods.  It can be automated by public and private key authentication. sftp ssampaio@192.168.0.11 Once you are connected:  sftp> lcd /files [change local directory to /files]  sftp> cd /tmp [change remote directory to /etc]  sftp> get test.txt [download /tmp/test.txt to /files/test.txt]  sftp> ? [view summary help]  sftp> bye [terminate connection]

22 PRODEI011 - Computer Systems Security – 2009/10 Silvio C. Sampaio 22 References 1.Daniel J. Barrett, Richard E. Silverman, and Robert G. Byrnes – SSH: The Secure Shell (The Definitive Guide), O'Reilly 2005 (2nd edition). 2.http://www.snailbook.com/faq/ssh-1-vs-2.auto.htmlhttp://www.snailbook.com/faq/ssh-1-vs-2.auto.html 3.http://en.wikipedia.org/wiki/Secure_Shellhttp://en.wikipedia.org/wiki/Secure_Shell 4.http://www.openssh.orghttp://www.openssh.org

23 PRODEI011 - Computer Systems Security – 2009/10 Silvio C. Sampaio 23 Thank you! Silvio C. Sampaio silviocs@fe.up.pt Any Questions?

Download ppt "OpenSSH (SSH - Secure SHell) Silvio C. Sampaio Doctoral Programme in Informatics Engineering PRODEI011 - Computer Systems Security –"

Similar presentations

Sonny J Zambrana University of Pennsylvania ISC-SEO November 2008.

Sonny J Zambrana University of Pennsylvania ISC-SEO November 2008.
SSH Operation and Techniques - © 2001-2006 William Stearns 1 SSH Operation and Techniques The Swiss Army Knife of encryption tools…

SSH Operation and Techniques - © William Stearns 1 SSH Operation and Techniques The Swiss Army Knife of encryption tools…
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
SSH: An Internet Protocol By Anja Kastl IS 373 - World Wide Web Standards.

SSH: An Internet Protocol By Anja Kastl IS World Wide Web Standards.
Secure Shell – SSH Tam Ngo Steve Licking cs265. Overview Introduction Brief History and Background of SSH Differences between SSH-1 and SSH- 2 Brief Overview.

Secure Shell – SSH Tam Ngo Steve Licking cs265. Overview Introduction Brief History and Background of SSH Differences between SSH-1 and SSH- 2 Brief Overview.
File Transfer Methods : A Security Perspective. What is FTP FTP refers to the File Transfer Protocol, one of the protocols within the TCP/IP protocol.

File Transfer Methods : A Security Perspective. What is FTP FTP refers to the File Transfer Protocol, one of the protocols within the TCP/IP protocol.
Telnet/SSH Tim Jansen, Mike Stanislawski. TELNET is short for Terminal Network Enables the establishment of a connection to a remote system, so that the.

Telnet/SSH Tim Jansen, Mike Stanislawski. TELNET is short for Terminal Network Enables the establishment of a connection to a remote system, so that the.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
TCP/IP - Security Perspective Upper Layers CS-431 Dick Steflik.

TCP/IP - Security Perspective Upper Layers CS-431 Dick Steflik.
Amazon EC2 Quick Start adapted from EC2_GetStarted.html.

Amazon EC2 Quick Start adapted from EC2_GetStarted.html.
Remote access and file transfer Getting files on and off Bio-Linux.

Remote access and file transfer Getting files on and off Bio-Linux.
Firewalls, Perimeter Protection, and VPNs - SANS ©2001 1 SSH Operation The Swiss Army Knife of encryption tools…

Firewalls, Perimeter Protection, and VPNs - SANS © SSH Operation The Swiss Army Knife of encryption tools…
Secure Shell (SSH) 4/19/06 Diane Conner Zoltan Csizmadia Doug Le.

Secure Shell (SSH) 4/19/06 Diane Conner Zoltan Csizmadia Doug Le.
Cs490ns-cotter1 SSH / SSL Supplementary material.

Cs490ns-cotter1 SSH / SSL Supplementary material.
Ssh: secure shell. overview Purpose Protocol specifics Configuration Security considerations Other uses.

Ssh: secure shell. overview Purpose Protocol specifics Configuration Security considerations Other uses.
SSH Secure Login Connections over the Internet

SSH Secure Login Connections over the Internet
Telnet/SSH: Connecting to Hosts Internet Technology1.

Telnet/SSH: Connecting to Hosts Internet Technology1.
OpenSSH: A Telnet Replacement Presented by Aaron Grothe Heimdall Linux, Inc.

OpenSSH: A Telnet Replacement Presented by Aaron Grothe Heimdall Linux, Inc.
Computation for Physics 計算物理概論 Introduction to Linux.

Computation for Physics 計算物理概論 Introduction to Linux.

Similar presentations

Ads by Google