SSH Tricks for CSF Slide 1 NEbraskaCERT SSH Tricks Matthew G. Marsh 05/21/03.


Slide 1: NEbraskaCERT SSH Tricks, Matthew G. Marsh, 05/21/03

Slide 2: Overview
• SSH
  – What is it
  – How does it work
• Discussion of Network Topology
  – Tricks for multiple hosts
  – Keys and config files
  – MultiHop tricks
• Q&A

Slide 3: SSH
• What is it
  – Secure Shell was developed to solve the two most acute problems in the Internet: secure remote terminal logins and secure file transfers.
  – Essentially an encrypted replacement for the remote utilities
• How does it work
  – Set up and generation of an encrypted TCP connection
  – Authentication can be by password or by public/private key
  – Arbitrary TCP ports; WKP (well-known port) = 22
• In this session we will concentrate on SSH1 using key-based authentication

Slide 4: Simple Examples
• Two hosts
  – 1 has a sshd running on WKP
  – 2 has a client

    root@2: ssh 1
    root@1's password:
    #

• This allows root to login remotely using a password - BAD!
• Better is to define 'PermitRootLogin no' in the sshd_config file

Slide 5: Simple Examples
• Two hosts - preshared key
  – 1 has a sshd running on WKP
  – 2 has a client

    tech@2: ssh 1
    tech@2$

• The way to set this up is as follows:

    tech@2$ ssh-keygen -t rsa1 -f /home/tech/.ssh/key4mac1 -N ""
    tech@2$ scp .ssh/key4mac1.pub tech@1:~/.ssh/authorized_keys
    tech@1's password:
    tech@2$ cat > .ssh/config
    Host 1
    User tech
    Protocol 1
    IdentityFile /home/tech/.ssh/key4mac1
    Hostname 10.1.2.1
    ^D

Slide 6: A wee bit less Simple Examples
• Two hosts - preshared key
  – 1 has a sshd running on port 17
  – 2 has a client

    tech@2: ssh 1
    tech@2$

• The way to set this up is as follows:

    tech@2$ ssh-keygen -t rsa1 -f /home/tech/.ssh/key4mac1 -N ""
    tech@2$ scp -P17 .ssh/key4mac1.pub tech@1:~/.ssh/authorized_keys
    tech@1's password:
    tech@2$ cat > .ssh/config
    Host 1
    User tech
    Port 17
    Protocol 1
    IdentityFile /home/tech/.ssh/key4mac1
    Hostname 10.1.2.1
    ^D

Slide 7: A wee bit less Simple Examples
• Three hosts - Assume: preshared keys
  – 1 has sshd running on port 17
  – 2 has sshd running on port 27

    tech@3: ssh 2 'ssh 1'
    tech@1$

• The way to set this up is as follows:

    tech@3$ cat > .ssh/config
    Host 2
    User tech
    Port 27
    Protocol 1
    IdentityFile /home/tech/.ssh/key4mac2
    Hostname 10.1.2.2
    ^D

• Note you may need ssh -t 2 'ssh -t 1'...

Slide 8: AN4SCD
• Buy a copy of "SSH" by Daniel J. Barrett & Richard E. Silverman, pub. O'Reilly (ISBN: 0-596-00011-1)
• Read it
• I use openssl 0.9.7b with openssh 2.9.9p2
• I do not use any other version of SSH
• I use Protocol 1 on purpose
• I use TCP Wrappers w/ IPv6 extensions
• I keep tight controls using TCP Wrappers

Slide 9: AN4SCD - 2
• Static Compile methods
  Get the latest openssl
  1. Compile it static with the /usr/static directory target

       ./config --openssldir=/usr/static --prefix=/usr/static no-shared

  2. Get openssh-2.9.9p2

       ./configure --prefix=/usr/static --with-ssl-dir=/usr/static --with-ipaddr-display --with-ipv4-default --disable-lastlog --disable-utmp --disable-wtmp

     NOTE: this one is the emergency backup so do not use TCP wrappers!
     compile it and install
  Now copy over the /etc/ssh/ directory into /usr/static/etc
  Edit the sshd config file to change the port so that it does not interfere with the regular ssh
  Make sure you also change the paths for the keys!!

Slide 10: Fun Examples
• Using commands attached to keys
  – On the server define a command in the authorized_keys file associated with a key
  – Format is command="my/command/string" …key data…

    EX: command="/bin/ls -al /logs" ABCDEF1234567

    Then ssh with the appropriate key will only allow you to execute this command.
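The command= restriction on this slide can be checked mechanically. The following is an added example, not code from the slides: it parses authorized_keys lines and lists the keys that carry no forced command. It goes beyond the deck's SSH1 focus by also accepting protocol 2 key lines; the sample entries, key material and function names are constructed for illustration.

```python
import re

# Key part starts with a protocol 2 key type, or with the bit count of a protocol 1 key.
KEY_START = re.compile(r"(ssh-|ecdsa-|sk-)|\d+$")
# One option: name, optional ="quoted value" (backslash escapes a quote), then a separator.
OPTION = re.compile(r'([A-Za-z][A-Za-z0-9-]*)(?:="((?:\\.|[^"\\])*)")?(,|\s+|$)')

# Constructed sample: key material and comments are placeholders, not real keys.
SAMPLE = '''\
# authorized_keys for the backup account
command="/bin/ls -al /logs" 1024 35 1234567 logs@2
1024 35 7654321 tech@2
from="10.1.2.2",command="/bin/tar -C /home -zc myhomedir/",no-pty ssh-rsa AAAAB3placeholder backup@3
'''

def parse_entry(line):
    """Split one authorized_keys line into (options dict, key part)."""
    opts, pos = {}, 0
    if not KEY_START.match(line.split(None, 1)[0]):
        while True:
            m = OPTION.match(line, pos)
            if not m:
                raise ValueError("malformed options: %r" % line)
            opts[m.group(1).lower()] = True if m.group(2) is None else m.group(2)
            pos = m.end()
            if m.group(3) != ",":   # whitespace ends the options field
                break
    return opts, line[pos:].strip()

def audit(text):
    """Return (line number, last field of key part, forced command or None) per key."""
    report = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, key = parse_entry(line)
        forced = opts.get("command")
        label = (key.split() or ["?"])[-1]   # comment if present, else key data
        report.append((n, label, forced if isinstance(forced, str) else None))
    return report

def unrestricted(text):
    """Labels of keys that can run any command (no command= option)."""
    return [label for _, label, forced in audit(text) if forced is None]

if __name__ == "__main__":
    for entry in audit(SAMPLE):
        print(entry)
```

A line whose options field cannot be parsed raises ValueError rather than being reported as restricted or unrestricted.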

Slide 11: Fun Examples - 2
• MultiBounce Sessions
  – Using the three hosts example from earlier
• Consider:

    ssh 1 'ssh 2 /bin/tar -C /home -zc myhomedir/' | tar -zxv
    ssh 1 'ssh 2 "ssh 3 /bin/tar -C /home -zc myhomedir/"' | tar -zxv

  Note that there are limits…

Slide 12: Q & A

Slide 13: This is The

