
Secure Connections to NERSC Systems Using the Secure Shell (SSH) Jed Donnelley 6/21/1999.


1 Secure Connections to NERSC Systems Using the Secure Shell (SSH) Jed Donnelley http://www.nersc.gov/~jed 6/21/1999

2 (June 2000) Using SSH to connect to Unix

Use               From: Unix      From: PC/Mac
Secure “Telnet”   ssh, slogin
X Windows         automatic       manually specified
Data Transfer     scp, ftp        ftp
Authentication    ssh-keygen      Key generation Wizard

DataFellows: http://www.datafellows.fi/

3 Basic Facilities Offered by SSH
1. An encrypted channel for control (e.g. “Telnet”) communication.
2. Plumbing (aka forwarding, tunneling): multiplexing of IP forwarded communication across the encrypted channel (e.g. for X Windows, FTP, POP email, etc.).
3. Authentication: public key authentication for users and servers. Allows use of a single passphrase rather than multiple passwords.
Diagram: Local Host (SSH Client) --- Secure Channel --- Remote Host (SSH Daemon)

4 Simplest form - a secure “Telnet” (“normal” case)
mordor 1: ssh mcurie
Host 'mcurie' added to the list of known hosts.
Password:
----------------------------------------------------------------------
* * * W A R N I N G W A R N I N G * * *
U.S. GOVERNMENT COMPUTER
If not authorized to access this system, disconnect NOW.
YOU SHOULD HAVE NO EXPECTATION OF PRIVACY.
By continuing, you consent to your keystrokes and data content being monitored.
…
Your terminal type is vt100.
Your current working directory is /u/mpccc/jed.
%

5 Simplest form - a secure “Telnet” (first time connecting to this host)
mordor 6: ssh www.nersc.gov
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)? yes
Host 'www.nersc.gov' added to the list of known hosts.
Creating random seed file ~/.ssh/random_seed. This may take a while.
jed@www.nersc.gov's Password:
Last login: Wed Mar 10 11:07:08 1999 from gondor.nersc.gov
No mail.
Sun Microsystems Inc. SunOS 5.6 Generic August 1997
*****************************************************
Welcome to the primary NERSC Web server.
Please report any problems or concerns to consult@nersc.gov or x8600
******************************************************
gondor.nersc.gov%

6 SSH “Telnet” - a PC/Mac Example
Generally recommended.

7 PC SSH - the Resulting Connection
Note: If you set $DISPLAY you will break X forwarding. You can, however, specify a -display option to xclock.

8 Example: SSH from Unix
% ssh killeen
jed@killeen's password:
----------------------------------------------------------------------
…
Your current working directory is /u/ccc/jed.
% printenv DISPLAY
killeen:36.0
% xclock &
[1] 16332
%

9 Advanced Facilities
1. An encrypted channel for control (e.g. “Telnet”) communication.
2. Plumbing (aka forwarding, tunneling): multiplexing of forwarded IP communications across the encrypted channel (e.g. for X Windows, FTP, POP email, etc.).
3. Authentication: public key authentication for users and servers. Allows use of a single passphrase rather than multiple passwords.
Diagram: Local Host (SSH Client) --- Secure Channel --- Remote Host (SSH Daemon)

10 SSH Plumbing: IP Forwarding (Tunneling)
Diagram: Local Host (SSH Client; User Terminal Input; User Shell; IP Fwd Client, e.g. X, FTP) --- Secure Channel --- Remote Host (SSH Daemon; IP Fwd Server). Beyond the SSH endpoints the forwarded traffic travels over a non-secure data channel.
Note: Firewalls may affect this. Connections can go in different directions.

11 SSH Port Forwarding: FTP example
Diagram: Local (SSH Client; User Terminal Input/output; User Shell; Port Fwd Client, FTP client; S. port) --- Secure Channel --- Remote (SSH Daemon; Port Fwd Server, FTP demon; D. port). The FTP data connection runs outside the secure channel: not secured.

12 X Windows Forwarding - Automatic
Not enabled by default on the PC client.

13 Configuration for Forwarded FTP

14 FTP Data Transfer Configuration
Note: Important for data connections. PC example: WS_FTP

15 When the Data Connection is Established

16 When the Data Connection Fails
Active/Passive mode failure indication

17 Very Similar on a Macintosh
Mac example: “Fetch”. Connection dialog; remote system file list.

18 FTP Tunneling under Unix
Requires two windows on your local workstation.
In window 1, set up the forwarded port while making a “regular” ssh terminal connection:
  ssh -L forwarded_port:forwarded_host:host_port host
E.g.
  % ssh -L 2000:killeen.nersc.gov:21 killeen.nersc.gov
SSH on your workstation listens for any outgoing connections using port 2000, and forwards them to port 21 on killeen; this is the FTP server port.
In window 2, any of:
  % ftp localhost 2000
  % ftp myworkstation.lbl.gov 2000
  % ftp 127.0.0.1 2000
When prompted to log in, supply the password for the remote system, e.g. killeen. The connection to your workstation on the forwarded port gets sent to port 21 on killeen, where it's received by the FTP server.
Only the CONTROL CONNECTION (user name and password) is protected by encryption.
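What the ssh -L command above does on the workstation side is a plain TCP relay: accept a connection on the forwarded port, open a connection to the destination, and copy bytes in both directions. The following is an added example (not code from the slides or from NERSC) that implements that relay in Python and exercises it against a constructed stand-in for the remote service, so the plumbing can be observed offline. The real ssh client additionally encrypts the relayed bytes between itself and sshd, which this example does not model; the function names start_forwarder, start_echo_server and send_through are the example's own.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src reaches EOF, then close dst's write side
    so the far end sees EOF too (this is what lets a relayed session end cleanly)."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(listen_host, listen_port, dest_host, dest_port):
    """Local port forward in the sense of 'ssh -L listen_port:dest_host:dest_port':
    every connection accepted on listen_host:listen_port is relayed to dest_host:dest_port.
    Returns the port actually bound (listen_port may be 0 to pick a free one).
    Binding to 127.0.0.1 keeps other machines from using the forward; ssh does the same by default."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind((listen_host, listen_port))
    lsock.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = lsock.accept()
            except OSError:
                return
            upstream = socket.create_connection((dest_host, dest_port))
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()[1]


def start_echo_server():
    """Constructed stand-in for the remote service (port 21 on the slide): it reads
    everything the peer sends, then answers with the same bytes prefixed by 'ECHO '.
    Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            received = b""
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                received += data
            conn.sendall(b"ECHO " + received)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def send_through(forward_port, payload):
    """Play the role of 'ftp localhost 2000': connect to the forwarded port on the
    loopback address, send payload, and return everything that comes back."""
    with socket.create_connection(("127.0.0.1", forward_port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    service_port = start_echo_server()
    forward_port = start_forwarder("127.0.0.1", 0, "127.0.0.1", service_port)
    print(send_through(forward_port, b"USER jed\r\n"))
```

Run stand-alone, the script starts the stand-in service, starts a forwarder on a free loopback port, and sends one FTP-style line through it. Note that the relay itself never looks at the bytes; that is why, as the slide says, only the control connection gets any protection when FTP is tunneled this way, and the separate data connection is untouched.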

19 Secure Copy (scp) Client on Unix
Syntax:
  scp [-aAqQprvBCL] [-S path-to-ssh] [-o ssh-options] [-P port] [-c cipher] [-i identity] [[user@]host1:]filename1 [[user@]host2:]filename2
Example:
  % scp test.file killeen.nersc.gov:new.file
  jed@killeen.nersc.gov's password:
  test.file | 0 KB | 0.0 kB/s | ETA: 00:00:00 | 99%
  %
The entire session is protected by encryption.

20 The Fly in the Ointment
The fundamental operation of SSH is the terminal connection.
ftp tunneling requires it, so any system that doesn't allow a shell won't allow tunneling (e.g. HPSS).
scp seems to have a similar limitation, since it doesn't work to HPSS either.
Connecting to HPSS securely is something we're working on. Right now it requires a two-step process to do it securely, using an intermediate machine within NERSC, with the assumption that unsecured transfers between it and HPSS are safe.

21 Firewalls
There are many ways to set up firewalls, but they can be lumped into two categories:
“stateful” - connections are remembered and this knowledge may be used in other connections; these are the easiest for users to deal with.
“stateless” - connections have no knowledge of other connections.

22 SSH Port Forwarding: FTP Example
Diagram: Local (SSH Client; User Terminal Input/output; User Shell; Port Fwd Client, FTP Client; S. port) --- Secure Channel --- Remote (SSH Daemon; Port Fwd Server, FTP Server; D. port). The FTP Data Connection runs outside the secure channel: not secured.

23 FTP - “Active” (Default) Mode
Diagram: Local Host (FTP Client) and Remote Host (FTP Server). Control connection: the server listens on port 21 and the client connects to it. Data connection: the client listens on a data port and announces it with “PORT ...”; the server then connects to the client's data port. After “STOR filename”, “filename”'s data flows client ----> server.

24 FTP - “Passive” Mode
Diagram: Local Host (FTP Client) and Remote Host (FTP Server). Control connection: the server listens on port 21 and the client connects to it. The client sends “PASV” instead of “PORT ...”; the server listens on a data port and the client connects to it. After “STOR filename”, “filename”'s data flows client ----> server.

25 Firewall Consequences, Active Mode
Diagram: Local (SSH Client, FTP Client; User Terminal Input/output; User Shell; S. port) --- Secure Channel (port 22) --- Remote (SSH Daemon, FTP Server; Dest. port; Data port). Outgoing connection to port 22: OK. The client listens on its data port, but the server's incoming FTP data connection is blocked by the firewall and never arrives. Fails.

26 Firewall Consequences, Passive Mode
Diagram: Local (SSH Client, FTP Client; User Terminal Input/output; User Shell; S. port) --- Secure Channel (port 22) --- Remote (SSH Daemon, FTP Server; Dest. port; Data port: listen). Outgoing connection to port 22: OK. After “PASV” the client's data connection is also outgoing, so it is OK too. Succeeds.

27 “Local” Connections, Local Host
What is a “local” connection? 127.0.0.1 or mystation.lbl.gov or ?

28 127.0.0.1 as “Active” “Local Host”
Diagram: Local (SSH Client, FTP Client; User Terminal Input/output; User Shell; S. port) --- Secure Channel (port 22) --- Remote (SSH Daemon, FTP Server; Dest. port). The client listens on its data port and sends that port, with 127.0.0.1 as its address, to the server; the server's outgoing data connection to 127.0.0.1 lands on the server's own loopback interface: nobody home? The connection never arrives at the client. Fails.

29 as “Active” “Local Host”
Diagram: Local (SSH Client, FTP Client; User Terminal Input/output; User Shell; S. port) --- Secure Channel (port 22) --- Remote (SSH Daemon, FTP Server; Dest. port). The client listens on its data port and sends its own address and data port to the server; the server's outgoing FTP data connection to that address: OK. Succeeds.
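Slides 23 through 29 all hinge on one detail of the FTP control connection: the address and port carried in the client's PORT command (active mode) or the server's 227 reply to PASV (passive mode) decide who has to open the data connection and to where. The following is an added example, not code from the slides or from NERSC, that builds and parses those two messages and then reports the outcome the slides describe: active mode fails when the client sits behind a firewall that blocks incoming connections (slide 25) or when the client advertises 127.0.0.1 as its address (slide 28), while passive mode only needs an outgoing connection (slide 26). The addresses 192.0.2.10 and 192.0.2.20 and the ports are constructed sample values; the function names are the example's own.

```python
import ipaddress
import re


def port_command(ip, port):
    """Build the PORT command an active-mode FTP client sends on the control
    connection: the address it listens on, as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port >> 8, port & 0xFF)


def _six_numbers(text):
    """Extract h1,h2,h3,h4,p1,p2 from a PORT command or a 227 reply."""
    m = re.search(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})", text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: %r" % text)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if p1 > 255 or p2 > 255:
        raise ValueError("port octets out of range")
    host = "%d.%d.%d.%d" % (h1, h2, h3, h4)
    ipaddress.IPv4Address(host)  # rejects octets above 255
    return host, p1 * 256 + p2


def parse_port_command(line):
    """'PORT h1,h2,h3,h4,p1,p2' -> (client data address, client data port)."""
    if not line.upper().startswith("PORT "):
        raise ValueError("not a PORT command")
    return _six_numbers(line)


def parse_pasv_reply(line):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (server data address, port)."""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply")
    return _six_numbers(line)


def data_channel_outcome(mode, control_line, client_accepts_inbound=True):
    """Who opens the data connection, to which address, and whether it can succeed.
    mode is 'active' (slide 23: the server connects to the client) or 'passive'
    (slide 24: the client connects to the server). client_accepts_inbound=False models
    a firewall that blocks connections into the client's network (slide 25).
    Returns (connector, host, port, status)."""
    if mode == "active":
        host, port = parse_port_command(control_line)
        connector = "server"
        if ipaddress.ip_address(host).is_loopback:
            # Slide 28: the client advertised 127.0.0.1, so the server dials its own loopback.
            status = "fails: advertised address is loopback, nobody home on the server side"
        elif not client_accepts_inbound:
            status = "fails: incoming connection to client blocked by firewall"
        else:
            status = "ok"
    elif mode == "passive":
        host, port = parse_pasv_reply(control_line)
        connector = "client"
        status = "ok"  # Slide 26: an outgoing connection, which firewalls generally allow
    else:
        raise ValueError("mode must be 'active' or 'passive'")
    return connector, host, port, status


if __name__ == "__main__":
    print(port_command("192.0.2.10", 2001))
    print(data_channel_outcome("active", "PORT 192,0,2,10,7,209"))
    print(data_channel_outcome("active", "PORT 127,0,0,1,7,209"))
    print(data_channel_outcome("active", "PORT 192,0,2,10,7,209", client_accepts_inbound=False))
    print(data_channel_outcome("passive", "227 Entering Passive Mode (192,0,2,20,195,80)"))
```

The loopback check is the programmatic form of slide 27's question: an FTP client that reached the tunnel via 127.0.0.1 tends to put 127.0.0.1 into its PORT command, which is meaningless to the server. Passive mode sidesteps the whole question, which is why the slides recommend it behind a firewall.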

30 SSH2
The SSH2 protocol is being standardized by the IETF and will shortly become an official standard. The upcoming Internet standard is called SECSH. The SECSH working group at IETF is defining the SSH 2.x protocol. The goal of the working group is to define an IETF standards track protocol that will be used by future versions of SSH.

31 F-Secure SSH Terminal
F-Secure SSH Terminal provides the user with secure login connections over untrusted networks. F-Secure SSH Terminal acts as a replacement for the telnet protocol. The Terminal uses the cryptographic authentication, automatic session encryption, and integrity protection methods that are defined by the SSH protocol. F-Secure SSH Terminal fully supports VT100 terminal emulation.

32 F-Secure SSH Tunnel
F-Secure SSH Tunnel can be used to create local proxy servers for remote TCP/IP services. The service can be one of the Internet protocols: pop, smtp (used by e-mail software), http (used by Web browsers), etc., or almost any other TCP/IP based service (e.g. a TCP/IP connection to an RDBMS server). The local proxy server created by the F-Secure SSH Tunnel listens for a socket on the desired port, forwards the request and data over the secure channel, and instructs the F-Secure SSH Server to make the connection to the specified service on the remote machine.

33 SSH2 Protocol Considerations
The SSH2 Server can be configured to spawn an SSH1 protocol handler.
The SSH2 protocol is safer and the SSH2 client has more capability (sftp).
Why not support SSH2?
Cost? ~2 person months (est. from Systems Group)
Performance for SSH1 support? Only a possible problem for very interactive applications.

34 SSH1/SSH2 Compatibility - PCs
(Compatibility table; only its legend survived.) Font/color codes:
! - Works
!! - Works, server fork
!!! - Works, compatibility
O - Fails
? - We don't know
small italics - untested

35 Last Advanced Facility
1. An encrypted channel for control (e.g. “Telnet”) communication.
2. Plumbing: multiplexing of IP forwarded communication across the encrypted channel (e.g. for X Windows, FTP, POP email, etc.).
3. Authentication: public key authentication for users and servers. Allows use of a single passphrase rather than multiple passwords.
Diagram: SSH client --- Secure Channel --- SSH Demon

36 Background: Single Key Encryption
Single Key (traditional) Encryption
Diagram: Clear Text (an excerpt from the Declaration of Independence: “WE hold these Truths to be self-evident, that all Men are created equal, that they are endowed by their Creator with certain unalienable Rights, …”) --Encrypt using the Shared Secret Key (oijh238ysoid93ww8u38)--> Cipher Text (unreadable) --Decrypt using the Shared Secret Key--> Clear Text (the same excerpt).
Examples include DES, triple DES, IDEA, Blowfish.

37 Public Key Encryption
Public Key (dual key) Encryption
Diagram: Clear Text (the same Declaration of Independence excerpt) --Encrypt using the Public Key (8098898922830209877 0349850394803980837)--> Cipher Text (unreadable) --Decrypt using the Private Key (9837938798379783903)--> Clear Text.
Some public key schemes have the useful feature: Pvt(Pub(Data)) = Pub(Pvt(Data)) = Data (e.g. RSA).

38 RSA Public Key Generation
Pick two prime numbers, p and q, and compute n = pq. Next, choose d < n such that d is relatively prime to p-1 and q-1. Now, find e such that d*e - 1 is divisible by (p-1)(q-1). The number n is called the modulus and the key pairs are (d, n) and (e, n).
For example, if you pick p = 23 and q = 29, then n = 667. Choose d = 53, giving e = 93. The key pairs are then (53, 667) and (93, 667).

39 RSA Public Key Encryption
The “public key” is the pair (p*q, e).
The “private key” is the pair (p*q, d).
Plain text T must be a number between 0 and n-1 = p*q-1.
The encryption function is encrypt(T) = (T^e) mod p*q = C.
The decryption function is decrypt(C) = (C^d) mod p*q.
decrypt(encrypt(T)) = encrypt(decrypt(T)) = T
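The recipe on slides 38 and 39 is small enough to run end to end. The following is an added example (not code from the slides or from NERSC) that generates the slide's toy key pair from p = 23, q = 29 and d = 53, applies the encrypt and decrypt functions, checks the identity decrypt(encrypt(T)) = encrypt(decrypt(T)) = T over every T in 0..n-1, and sketches the challenge-response use of the key pair that user authentication rests on (the slide titled "Client Authentication Using RSA"). The function names are the example's own, and the challenge-response routine is a simplified illustration, not the SSH protocol's exact message flow. For orientation when reading the real keys later on this page: an entry such as "1024 37 <number>" in known_hosts or identity.pub lists the key length in bits, the public exponent e and the modulus n.

```python
from math import gcd
import secrets


def rsa_keygen(p, q, d):
    """Slide 38's recipe: n = p*q; d must be relatively prime to p-1 and q-1;
    e is chosen so that d*e - 1 is divisible by (p-1)(q-1).
    Returns the public key (e, n) and the private key (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(d, p - 1) != 1 or gcd(d, q - 1) != 1:
        raise ValueError("d must be relatively prime to p-1 and q-1")
    e = pow(d, -1, phi)  # modular inverse of d mod (p-1)(q-1); Python 3.8+
    assert (d * e - 1) % phi == 0
    return (e, n), (d, n)


def rsa_encrypt(public_key, t):
    """encrypt(T) = T^e mod n; T must lie in 0 .. n-1 (slide 39)."""
    e, n = public_key
    if not 0 <= t < n:
        raise ValueError("plaintext must be between 0 and n-1")
    return pow(t, e, n)


def rsa_decrypt(private_key, c):
    """decrypt(C) = C^d mod n."""
    d, n = private_key
    return pow(c, d, n)


def roundtrip_holds(public_key, private_key):
    """Slide 39's identity decrypt(encrypt(T)) = encrypt(decrypt(T)) = T, checked for
    every T in 0..n-1. Exhaustive checking is feasible only because the toy modulus is tiny."""
    n = public_key[1]
    return all(
        rsa_decrypt(private_key, rsa_encrypt(public_key, t)) == t
        and rsa_encrypt(public_key, rsa_decrypt(private_key, t)) == t
        for t in range(n)
    )


def challenge_response(public_key, private_key, challenge=None):
    """Simplified picture of RSA user authentication: the server encrypts a random
    challenge under the client's public key; only the holder of the matching private
    key can recover it, and the server accepts when the answer matches. Real SSH also
    ties the response to the session; that is omitted here."""
    n = public_key[1]
    if challenge is None:
        challenge = secrets.randbelow(n)
    sealed = rsa_encrypt(public_key, challenge)  # server side
    answer = rsa_decrypt(private_key, sealed)  # client side, needs the private key
    return answer == challenge  # server side


if __name__ == "__main__":
    pub, priv = rsa_keygen(23, 29, 53)
    print("public key", pub, "private key", priv)  # (93, 667) and (53, 667)
    c = rsa_encrypt(pub, 100)
    print("encrypt(100) =", c, "decrypt ->", rsa_decrypt(priv, c))
    print("identity holds for all T:", roundtrip_holds(pub, priv))
    print("challenge-response accepted:", challenge_response(pub, priv))
```

With a 667-value modulus the private key is recoverable by anyone who can factor 667, so the point of the real keys on the later slides is purely their size (1024 bits here); the arithmetic is identical.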

40 Server Key Discussion
Diagram: SSH client (User Terminal Input; User Shell; IP Fwd Client, e.g. X, FTP) --- Secure Channel --- SSH Demon (IP Fwd Server). Server: Private Key, Public Key.

41 Example Output for a New Host
% ssh killeen
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)? yes
Host 'killeen' added to the list of known hosts.
jed@killeen's password:
----------------------------------------------------------------------
…
Your current working directory is /u/ccc/jed.
%

42 ~/.ssh/known_hosts
Example entry in ~jed/.ssh/known_hosts:
killeen 1024 37 70532593064280723615556417405828808850943371630798516480384045437205549991919175174786457731483025676565709073573665983120013464579534338113231393286414542817887873620249521301011281291251294893172579641922785486290015013914845601455980254003194868967406329770908213973406165958743927558932541915106864908137

43 User (Client) Key Discussion
Diagram: SSH client (User Terminal Input; User Shell; IP Fwd Client, e.g. X, FTP) --- Secure Channel --- SSH Demon (IP Fwd Server). Server: Private Key, Public Key. Client: Private Key, Public Key.

44 Example Key Generation, Unix
gondor.nersc.gov% ssh-keygen
Initializing random number generator...
Generating p:...................................++ (distance 524)
Generating q:........................++ (distance 280)
Computing the keys...
Testing the keys...
Key generation complete.
Enter file in which to save the key (/u/ccc/jed/.ssh/identity):
Enter passphrase:
Enter the same passphrase again:
Your identification has been saved in /u/ccc/jed/.ssh/identity.
Your public key is:
1024 37 141065829193088583535393787336236519596422356561555617621686481111309766411198772661982321105598609309699536285550930419740866537251689728318439216288854655452937112522267785457094285051527541171601963234454922870814357588148505347811819557940284482322861085587046666885623959789222189095197602745618669956589 jed@gondor.nersc.gov
Your public key has been saved in /u/ccc/jed/.ssh/identity.pub
gondor.nersc.gov%

45 ~/.ssh/authorized_keys
Copied from ~/.ssh/identity.pub. Example entry in ~jed/.ssh/authorized_keys:
1024 37 141065829193088583535393787336236519596422356561555617621686481111309766411198772661982321105598609309699536285550930419740866537251689728318439216288854655452937112522267785457094285051527541171601963234454922870814357588148505347811819557940284482322861085587046666885623959789222189095197602745618669956589 jed@gondor.nersc.gov

46 Client Authentication Using RSA

47 For Unix, ssh-agent, ssh-add
gondor.nersc.gov% ssh-agent csh
gondor.nersc.gov% ssh-add
Need passphrase for /u/ccc/jed/.ssh/identity (jed@gondor.nersc.gov).
Enter passphrase:
Identity added: /u/ccc/jed/.ssh/identity (jed@gondor.nersc.gov)
gondor.nersc.gov% ssh mcurie
----------------------------------------------------------------------
* * * W A R N I N G W A R N I N G * * *
…
gondor.nersc.gov% scp test.file mcurie:ssh.file
gondor.nersc.gov% printenv
SSH_AUTH_SOCK=/tmp/ssh-jed/agent-socket-19174
SSH_AGENT_PID=19175
gondor.nersc.gov%

