SSH by liwenting



Scott Nykl
Jim Wyllie
SSH - Overview

• Secure Shell
• Designed to replace “r-tools” [1]
   rlogin, rsh, rcp
   3 main attacks [1]:
     Password eavesdropping
     Man-in-the-middle
     Replay attacks

• SSH1 -- First incarnation of SSH [3]
• Created in 1995, obsolete in 1996
   Allowed rhost authentication (not secure)
   Man-in-the-middle

• What we use today
• More secure session key generation
• Dropped rhost authentication
Default Authentication Methods

• SSH2
   Client will try to authenticate using
     1) Keyboard-interactive and password
     2) Host-based method
     3) Public key authentication
Default Authentication Methods

• Keyboard-interactive and password
   You all know this one

Default Authentication Methods

• Host-based method
   If user’s machine is listed on remote machine
     /etc/hosts.equiv or
     /etc/shosts.equiv
   And user names are the same on both sides
   The user is immediately logged in
Default Authentication Methods

• Public Key Authentication
   Using keychain or Pageant
Public-Key authentication

•   Far fewer passwords to memorize
•   Robust against brute force guessing
•   Easy to grant / deny access to an account
•   Creating a key: ssh-keygen -t dsa
     Follow the menus
Public Key / Private Key Encryption

• Public Key
    Made widely available
    Can only encrypt a message
• Private Key
    Kept private by owner
    Can only decrypt a message
• On machine A:
    Encrypt(Public Key, “Secret Message”) -> “375448382”
• On machine B:
    Decrypt(Private Key, “375448382”) -> “Secret Message”
• Anyone eavesdropping only sees “375448382”
• Encryption is based on large prime numbers and properties of
Public-key Authentication

• Question: What do I do with it now?
   Desktop: Copy id_dsa to ~/.ssh/id_dsa
   Remote box:
   cat >>
• You now have public-key access
Public-key Authentication

• “Ok, now I type the key password instead
  of my account password. Lame.”
• Not if we cache passwords
Caching Passwords

• The hard way
   ssh-agent
   Entering a zillion lines
   See [5] for more info about it
• The easy way
   keychain
   Terminal front-end to ssh-agent

• Terminal standard for key mgmt.
   By the folks at Gentoo
• Download / Install
• Paste into ~/.bashrc:
   keychain -q ~/.ssh/id_rsa
   . ~/.keychain/$HOSTNAME-sh
• That’s it. One password entry.

• So, to use keys:
   Use ssh-keygen -t dsa to create public /
    private keys
   Copy / append your public key to any box
    you’re going into
   Keep your private key on any box you work
   Use keychain to stop typing passwords

• Allows you to set up some cool things
   Aliases for common connections
   -> primus
   Agent forwarding (a little risky)
• See [6] for my config file example
• man ssh_config
X11 Forwarding

• X11 uses sockets to connect
   Sockets can communicate over networks
• You can tunnel X11 GUIs through SSH
• X11Forwarding = yes
• Slow over the Internet, fast on a LAN
• Just run any graphical app like normal
   Requires sane xorg.conf
SOCKS Proxy

• SSH can act as a SOCKS Proxy
   pr0n at work
   Safari from off-campus
   IEEE, ACM Papers (Ohio University subnet)
• Point proxy at localhost:SSH port
   Wait, what port did SSH use? It’s random!
• ssh -D 16950
SOCKS Proxy

Edit -> Preferences… -> Connection Settings
SOCKS Proxy (PuTTY)

• PuTTY: A Free Telnet/SSH Client
• Do what Jim said, but without installing a thing (from a Windows box)!
SOCKS Proxy

• What does tunnelling web traffic give me?
   Security through wireless access
   remotely
   IEEE, ACM Papers
   Privacy through a workplace
   Protection against DNS hijacking
   Bypassing web filters
   Does your job track web browsing? (hint: No)
General Tunneling

• You can tunnel anything with SSH
• ssh -L port:host:hostport dest
  Starts daemon on port; spits traffic out from
   dest to host:hostport
• ssh -R port:host:hostport dest
  Port on the remote (server) host is to be
   forwarded to the given host and port on the
   local side (opposite as above)
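Added example, not the authors' config file from [6]: a ~/.ssh/config that turns the aliases and agent-forwarding setting from the config slide, the -D SOCKS proxy, and the -L / -R tunnels described above into named hosts. Host names, the user name and the mail server are assumed placeholders; p1 and primus are the aliases the slides use.

```sshconfig
# ~/.ssh/config (added example; host names, user and paths are assumed)

# Alias: "ssh p1" instead of typing user, host and port each time
Host p1 primus
    HostName primus.example.org
    User alice
    Port 222
    IdentityFile ~/.ssh/id_dsa
    # Agent forwarding is the "a little risky" item: while you are
    # connected, root on the remote box can use your agent. Keep it off
    # by default and enable it only for hosts you trust.
    ForwardAgent no

# Same as "ssh -D 16950 p1": SOCKS proxy, listening on localhost only
Host p1-socks
    HostName primus.example.org
    User alice
    Port 222
    DynamicForward 127.0.0.1:16950

# Same as "ssh -L 1110:mail.example.org:110 p1": POP over the tunnel.
# Local port 1110 rather than 110 so no root is needed; point the mail
# client at localhost:1110.
Host p1-pop
    HostName primus.example.org
    User alice
    Port 222
    LocalForward 127.0.0.1:1110 mail.example.org:110
    # Do not stay connected with no tunnel if the local port is busy
    ExitOnForwardFailure yes

# Same as "ssh -R 2222:localhost:22 p1": port 2222 on primus reaches
# this box's sshd (the reverse direction of -L)
Host p1-reverse
    HostName primus.example.org
    User alice
    Port 222
    RemoteForward 127.0.0.1:2222 localhost:22

# Defaults for everything not set above (first matching value wins,
# so this block must come last)
Host *
    # Client side of the X11 slide; turn on per host only when needed
    ForwardX11 no
    ServerAliveInterval 60
```

Run a tunnel-only entry with `ssh -N p1-pop` so no remote shell is opened; `man ssh_config` lists every keyword used here.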
Tunneling -L
Tunneling -R
General Tunneling

• Remember!!!
   Tunneling forwards traffic through an
    intermediate link
   Slowness may result if this intermediate link is
   eg, you tunnel pr0n from work through your
    home dialup… You will wait!
Tunneling examples

• “Secure” POP over wireless
• ssh -L      p1
• In /etc/hosts:
   Or just connect over localhost:110
• No more wireless email sniffing
• (PS: Don’t use POP: Use secure IMAP)
Tunneling examples

• RSYNC through a blocking firewall
•   ssh -L p1
     Same deal with /etc/hosts as before
• “Hides” your RSYNC traffic in SSH
SSH as a pipe

• SSH can also act as a simple pipe
• ssh p1 "ls -l" lists your prime home
• cat /dev/cdrom | ssh p1 "cat - > my_local_cd.iso"
Tunnels w/o prompts

• Want all the tunnels without minimized idle
  SSH sessions?
• screen to the rescue
   Puts you in a nested shell
   Ctrl+a d puts it in the background
   screen -r retrieves it to your terminal
• Barely scratching the surface; man
  screen for more
Put it together: rbackup

• I use something like this to back up every
  box I control
• tar / bzips your entire box, sends over
  SSH to a remote host for storage
     With cron, can run overnight
• Be careful about security risks!
• tar cjf - / | ssh p1 "cat - > ~/backup.tar.bz2"
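An added example, not the authors' rbackup script, that wraps the one-liner above for a cron run: it skips pseudo filesystems, uses a non-interactive ssh so a missing key fails instead of hanging, and accepts a file: destination so the pipeline can be tried without a remote host. p1 is the slides' alias; every other path and the exclusion list are assumptions.

```sh
#!/bin/sh
# rbackup.sh: stream a tar of a directory tree over SSH to a remote host.
# Added example, not the authors' script. "p1" is the ssh alias from the
# slides; paths, exclusions and the file: test sink are assumed.

# Where the archive ends up. DEST is an ssh destination such as p1, or
# "file:/some/dir" to write locally (lets the pipe be tested without ssh).
rbackup_sink() {
    dest=$1; name=$2
    case $dest in
        file:*) cat > "${dest#file:}/$name" ;;
        # BatchMode: never prompt, so an overnight run with no agent or
        # keychain key fails at once instead of waiting for a password.
        *)      ssh -o BatchMode=yes "$dest" "cat > ~/$name" ;;
    esac
}

# rbackup SRC DEST: archive SRC (for a whole box, /) and send it to DEST.
# /proc, /sys, /dev, /run and /tmp are skipped; member paths are relative
# to SRC so the archive unpacks anywhere. The exit status is the sink's
# (a plain POSIX pipe does not report a tar failure).
rbackup() {
    src=$1; dest=$2
    name="backup-$(date +%Y%m%d).tar.gz"
    ( cd "$src" && tar -czf - \
        --exclude=./proc --exclude=./sys --exclude=./dev \
        --exclude=./run  --exclude=./tmp . ) | rbackup_sink "$dest" "$name"
}

# Usage from cron: rbackup.sh / p1
if [ $# -eq 2 ]; then rbackup "$1" "$2"; fi
```

On the remote side the key a cron job uses can be restricted in authorized_keys with a command= option so it can only write the archive, which narrows the risk the slide warns about.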

• Collection of useful Windows Utilities that provide SSH

• PuTTY - Telnet and SSH client
• PSCP - SCP client, i.e. command-line secure file copy
• PSFTP - SFTP client, i.e. general file transfer sessions
  much like FTP
• PuTTYtel - Telnet-only client

• Plink - a command-line interface to the PuTTY back
  ends (remember our plink -D example)
• Pageant - SSH authentication agent for PuTTY, PSCP
  and Plink
• PuTTYgen (an RSA and DSA key generation utility).

• Cygwin is a Linux-like environment for Windows. It
  consists of two parts:
• A DLL (cygwin1.dll) which acts as a Linux API emulation
  layer providing substantial Linux API functionality.
• A collection of tools which provide Linux look and feel.

• This includes SSH and SSHD!
Quick Detour – LAN Setup

• How To Setup Your LAN


   (Diagram: Linux box using IPTABLES)
Quick Detour – Dynamic DNS

• Use Dynamic DNS (DynDNS) (FREE)
• Run ddclient on Firewall
• Remotely connect using DNS Name
• ssh
• ssh -D 1650
     (set Firefox to use SOCKS at
More SSH Uses

• Copy Files (FAST+SAFE)
   Push (current machine to remote machine)
     scp -r -P 222 ./myDir/
     tar -cf - ./myDir/ | ssh -p 222 "cd /test/; tar -xf -"

   Pull (remote machine to current machine)
     scp -r -P 222 ./
     ssh -p 222 "cd /test/; tar -cf - ./myDir" | tar -xf -

   Faster than SCP!
     Only 1 TCP connection for ALL files (SSH)
     No three-way handshake per file (SCP)

• SSH keys for better authentication
• SOCKS with SSH
• keychain for fewer passwords
• General tunneling for privacy
• SSH pipes
• Remote backups
• Faster Recursive File Copy than SCP, SFTP,
  FTP, etc
• SSH can do more than this

• [1]
• [2]
• [3]
• [4] RFC 4251
• [5]
• [6]
• [7] http://
• [8]
