Docstoc

SSH_talk

Document Sample
SSH_talk Powered By Docstoc
					SSH & SSL



 Peter Burkholder
    CO-SAGE
14 November 2001
              Why this talk
} Co-SAGE interest in SSH and security:
 } 5: Security or security tool usage
 } 2: Configuring SSH
 } 3: VPN (1 specifically VPN tunneling via
   SSH)
} Added SSL since it fits some niches
  better
 Layer model: insecure protocols
 } Application layer:    RSH, Telnet, FTP
 } Transport layer:      TCP, UDP
 } Network layer:         IP, IPX, EtherTalk
 } Link layer:           Ethernet, PPP
 } Physical layer:       CAT-5 cable,
   Wireless
} Network security? Confidentiality,
  Integrity, and Endpoint Authentication
 Layer model: secured protocols
 "   Application layer:     SSH, PGP, Kerberos,
     S-HTTP
 "   Transport layer:         SSL/TLS as
     extension of TCP
         socket model
 "   Network layer:           IPSec, IPv6
 "   Link Layer:              WEP, PPP/ECP
 "   Physical layer:          Alarmed,
     pressurized conduits
The two approaches we will look at today
  are using SSL(TLS) and SSH.
                SSL Overview
} SSL (Secure Sockets Layer)
 } Protocol built on top of TCP
 } Encryption, Host Authentication, Integrity
 } Applications can be SSL-enabled
 } SSL ports
  }   https (443), smtps (465), nntps (563), ldaps (636),
      imaps (993), pop3s (995), ftps (989&990).
 } Netscape: SSLv2 in 1994. SSLv3 in 1995.
   TLS (RFC2246) completed in January, 1999.
                 SSH Overview
} SSH: Secure SHell
 } Application-level protocol (v1&v2)
 } Encryption, Host & user authentication,
     Integrity
 } Port 22 (w/ port tunneling, X-forwarding)
 } Designed to replace rsh/rcp
 } Tatu Ylonen, first publicly released in July,
   1995. SSHv2 (SECSH) IETF draft published
   February 1997.
 }   Reportedly 2 million users by late 2000
  Network Encryption primitives
Symmetric encryption: shared session
  keys, e.g.: DES, 3DES, AES-Rijndael,
  Blowfish
Asymmetric or public-key encryption:
  RSA, ElGamal
Message digest: one-way hash: MD5, SHA
Digital signatures: DSS, RSA
Key Exchange: Diffie-Helman
            SSL, PKI, and Authentication
    "   The trickiest part of network security is proving
         the identity of the other end of the connection.
"       For example, I can say that I'm Bill Gates, here's
          my public key, anything I send you with my
         digital signature, you can verify that it is from
                                me.
        "True, it is from "me", but a) there's no linkage
        between my public key and my claimed identity,
        and b) anyone else who has that private key can
                       also claim to be "me".
  PKI: Public Key Infrastructure
} PKI relies on "God" to prove identities,
  where "God" is a Certificate Authority
  (CA). If I can prove my identity to a CA
  (and pay), I'll be issued a Digital
  Certificate: my public key signed by the
  CA's private key + identifying
  information.
} If my private key is compromised (or if I
  fooled the CA about my identity), then
  the CA can add the corresponding
     PKI 2: Certificate & Clients
Certificates are accepted if signed by a root CA.
  CA root certs are often encoded in the client
  software (IE, Netscape, Opera).
Certificates may also be self-signed or signed by
  an unknown CA. The user must exercise
  discretion in accepting or adding certificates.
Uses: SSL, S/MIME, Signed Software, IpSec/IPv6
  (ISAKMP)
Failure points: Issuing CRL's and "user
  discretion"
Netcraft: 1.5 million servers run SSL, but only
      OpenSSL: Introduction
SSL: RSA's BSAFE, Netscape, Certicom,
  Sun,...
OpenSSL is based on Eric A. Young's
  SSLeay.
Both a cryptographic library and an SSL
  implemention. BSD-style license.
"Solid package...[but] serious lack of
  documentation....SSL implementation is
  quite complex to use properly"
  [Viega&McGraw2001]
      OpenSSL: Generate Keys
Generate keys
 Only certificate owner knows private key
 Make RSA key pair, and encrypt
   $ openssl genrsa -des3 1024 > privkey.pem
   # using -des|-des3 will encrypt key
Generate certificate request
Sign certificate
Present certificate
   OpenSSL: Certificate Request
Generate keys
Generate certificate request
 $ openssl req -new -key ../private/privkey.pem
    > www.pburkholder.me.csr
 # enter identifying information when prompted
   -- the Common Name must match DNS name
Sign certificate
Present certificate
          CA-signed Certificates
Generate keys
Generate certificate request
Certificate signing
 CAs require documentation. E.g.,
   Letter of Authorization
   Proof of Organizational Name / Domain Name
   Money: $125 - $895 per year per server
 Test certs (free) signed by untrusted root CA
Present certificate
SSL: The Client Perspective
OpenSSL: Self-signed Certificate
Generate keys
Generate certificate request
Certificate signing
 $ openssl req -x509 -key ../private/privkey.pem -in
    www.pburkholder.me.csr > www.pburkholder.me.crt
 I am who I am claim to be
 Clients will generate warnings
Present certificate
SSL Client: Unknown Root Cert
      OpenSSL: Using Certificates
Generate keys
Generate certificate request
Certificate signing
Present certificate
 Modify httpd.conf directives:
   SSLCertificateFile $SSL/certs/www.pburkholder.me.crt
   SSLCertificateKeyFile $SSL/private/privkey.pem
 If encrypted private key, need passphrase on start
 Spoofing only requires private key and certificate
   OpenSSL: Roll-your own CA
} For developing own software, or small
  deployments
} Install root certificate on client browsers
 } To Apache httpd.conf add line
   }    AddType application/x-x509-ca-cert .cacert
 } Copy cacert.pem to a web-accessible file,
       e.g, $WWW/MyRoot.cacert
 } Point browser to URL. Browser will prompt
   to install
Installing a Root Certificate
  SSL Attacks: Dug Song's dsniff
dnsspoof: /etc/dnspoof.hosts
  <my_host_ip> login.yahoo.com
 webmitm -d login.yahoo.com #make     Client
Server
    webmitm.cert
https:/ / login.yahoo.com

                   MITM

             SSL             SSL

                          Spoof DNS
                             LAN
                STunnel
} STunnel wrapper for SSL services.
  (www.stunnel.org)
} Sslwrap -same idea, not as actively
  developed.
} As with all SSL services, STunnel needs
  a certificate:
 } $ openssl req -new -x509 -days 365 -nodes
   -out stunnel.pem -keyout stunnel.pem
STunnel POP3 Server & Client

HOST A           HOST B
   Client                    POP3
   POP3          port 110    Server

           l
 localhost:110


                 port 995
  STUNNEL                   STUNNEL
 STunnel: POP3 server example
} On Server, an inetd entry to provide
  pop3 service may be something like:
   pop3 stream tcp nowait root
  /usr/sbin/tcpd ipopd
} You can instead put a service on pop3s
  (995):
   /usr/sbin/stunnel -r localhost:pop3 \
   -p /path/to/stunnel.pem
} STunnel will SSL-encrypt on port 995
  (pop3s), and tunnel the unencrypted
        STunnel on Windows
} Download openssl.dll and ssleay.dll to
  $WIN/system; stunnel.exe to a
  convenient place
} Test: "stunnel -c -d 110 -r
  mail.server:995"
} As service? Easiest is to create
  stunnel.bat
   START stunnel -c -d 110 -r mail:995
  and run stunnel.bat from Scheduled
  Tasks at user login. But must contend
         STunnel: Debugging
Run STunnel with -D 6 (debug level 6) and
  -f (foreground)
Use Eric Rescorla's SSLDUMP (rtfm.org)
 $ ssldump -k ./stunnel.pem -d -i vmnet1 port
   995
 # see all traffic decrypted
Note: STunnel by default not picky about
 certification
                     SSH
} If SSL is a toolbox, SSH is a Leatherman
} Features
 } Encryption: AES, ARC4, Blowfish,...
 } Secure logins, remote command, file transfer
 } Authentication: Password, PubKey, Host-
   based,...
 } Access control by host, user
 } Key management
 } Port-forwarding
      SSH Protocol Version 1
} Monolithic protocol
} Authentication by: KerberosIV, Rhosts,
  RhostsRSA, Public-Key, TIS/SecureID,
  Password (many flavors)
} RSA for authentication and key exchange
} Weaknesses
 }   CRC-32 integrity, attacks, keystroke monitoring
     (sshow)
} SSH-1 still common: Licensing, Cost, and
  First to Market. 2 million users estimated
       SSH Protocol Version 2
 } DSS for authentication, Diffie-Hellman keys
 } Supports x.509 PKI certificates

          Server               Client
 SSH Connection                     SSH Connection
SSH Authentication                 SSH Authentication
 SSH Transport                       SSH Transport
TCP/IP, IPX/SPX, etc.             TCP/IP, IPX/SPX, etc.
                  Ethernet, etc...

   Packet Padding     Payload    Random Integrity
   Length Length    (compressed) Padding Data (MAC)
                 encrypted
   SSH Server implementations
} OpenSSH (v 3.0 released Nov. 6)
 } SSHv2 and SSHv1
 } Standard implementation for this talk
} SSH Communications Security: SSH3.0.1
 } *nix Servers: $475 / Windows Servers: $565
 } Free servers for non-commercial use
} F-Secure SSH 2.4.0 (Unix server &
  client)
 } *nix Server: $594/Windows: $834
        Compiling & Installing
/dev/random or EGD
./configure, make, make install...
OpenSSH
 Requires: zlib, OpenSSL
 ./configure --disable-suid-ssh --with-tcp-
    wrappers --with-pam
Potential SetUID binaries for host-base
  auth
 OSSH: ssh
        Server Configuration
Command-line opts      Host Access
Compile-time flags      ssh_known_hosts
                          ~/ssh/known_hosts
Configuration file
                        /etc/hosts.{allow,deny
  (sshd_config)
                           }
/etc/hosts.equiv;       /etc/nologin
  /etc/shosts.equiv
                       User authentication
key files in $CONF/      files
 ssh_host_dsa_key;      ~/.ssh/authorized_key
   moduli; <key>.pub      s,
  sshd_config - typical settings
PermitRootLogin (yes|(without-
  passwd|nopwd)|forced-command-only|no)
StrictModes yes
PubkeyAuthentication yes
HostbasedAuthentication no # v2
  /etc/hosts.equiv
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding no ## ???
{Allow,Deny}{Users,Groups}
           Running Server
Make install runs key generation
$ sshd # detaches and forks daemons
$ sshd -d -p <some-port> # is great for
  testing, messages to stderr, doesn't fork
$ sshd2 -v -p <some-port>
       Client: basic operation
SSH: remote logins, remote commands
 $ ssh user@remotehost.example.com
 $ ssh user@remotehost "command to run"
 # -v option provides connection details
SCP: secure copy
 $ scp user@remote:remote/file ./local/file
SFTP: secure file transfer (a al FTP)
 $ sftp user@remote
Clients try public-key, then password
 Using Public-key Authentication
} ssh client sends public key
} if server finds key in .ssh(2)/<file>,
  encrypts a challenge to client
} client with private key, proving ID
} .ssh/.ssh2 path permissions
$ ssh pb@remote host
 Enter passphrase for key
   '/home/peter/.ssh/id_dsa':
     Generate Public-key Pairs
Generate a key-pair for each identity
$ ssh-keygen -t dsa # (enter passphrase
  for default id )
# use '-f file' to save to different identity
  files
Concatenate public part of key-pair to
  remote account's .ssh/authorized_keys2
Place <public-key-file> in .ssh2/; Add
  "Key <public-key-file" line to
         Forced commands:
$ ssh -keygen -f pb_command -t dsa
~/.ssh/authorized_keys2
 from=<host>, command="/bin/cat
    $SSH_ORIGINAL_COMMAND" ...key...
~/.ssh2/authorization
 Key pb_command_pubkey #no pass-phrase
 Command "/bin/cat
   $SSH2_ORIGINAL_COMMAND"
$ ssh -i path/to/pb_command_id
   Forced commands continued
} Command gets: stdin, args in $SSH2_...
  env var
} Can also set "environment=",
  "from=host", etc
} Enviroment, host restrictions only if
  script called
} Command executes in user shell, after
  (.profile/.cshrc)
} Unencrypted private keys and forced
            SSH Key Agents
An ssh-agent process stores keys in
  memory, and clients use it to sign
  authenticators
 $ ssh-agent $SHELL # invoke a subshell --
    shell dies if agent dies
 $ eval 'ssh-agent' # process sets env and
    detaches, doesn't die on logout
 X:
  $ ssh-agent startx
  .xsession: exec ssh-agent ./.xsession-stuff
        Remote Agent Forwarding


 ZERO                    ONE                      TWO
                         # no private keys        # pubkey
$ eval `ssh-agent` SSH                        SSH
                         # pubkey authorized      # authorized
# $SSH_AUTH_..
                           for pb@one             # for pb@zero
$ ssh-add
$ ssh pb@one       Agent # $SSH_AUTH_..           $ I'm in!
                         $ ssh pb@two
                         # client uses socket
                         # to [zero] for auth
       SSH Port Forwarding
MYHOST              REMOTEHOST
   POP3                       POP3
   Client                     Server

         l
  localhost:110



   SSH              port 22   SSH
   Client                     Server
             Port Forwarding
If the TCP client application (whose conx
   you want to forward) is running on local
   machine, use local forwarding. If client
   is on remote machine, use remote
   forwarding.
 $ ssh -L<localport>:localhost:<remport>
    pb@remote
 $ ssh -R<
X-forwarding: happens automatically if
  server accepts local host connections
            Windows Servers
"   SSH2, F-Secure, and OpenSSH (&
    Cygwin)
"   SSH2: command line only, ~10 sessions
"   VNC: server port 5800, runs under
    Win2k
"   Set VNC registry to allow loopback
    connect
$ ssh -L5801:localhost:5800 peter@win2k
$ vncviewer localhost:5801
   Windows, Mac & Java Clients
See snailbook.com. Free Mac clients are weak
My favorites are PuTTY for Windows and Mindterm
  (appgate.com) for anything else
         File Transfer: SFTP
} Handy interface, but s...l...o...w
} netcat 100Mb random data: 35s
} sftp 100Mb random data 10m51s
} Barrett & Silverman claim 1/4 speed of
  scp
} I've seen 1/10 of FTP speed
 SSL & SSH: Recommendations
} SSH is an essential tool for remote
  administration. OpenSSH excellent;
  SSH2 has some better configuration
  options and more advanced features.
  X-forwarding a great feature. ssh-
  agent/forced-command a boon for
  scripting
} SSL-enabled apps and PKI becoming
  ubiquitous. A better choice for securing
  particular apps, especially with STunnel
       Web SSL References
} Thawte: http://www.thawte.com
} Thawte:.Apache SSL Key and CSR
  Generation Instructions.
  http://www.thawte.com/certs/\
  server/keygen/apachessl.html
} Frederick Hirsch, SSLeay Certificate
  Cookbook.
  http://www.ultranet.com/~fhirsch/Papers
  /cook/ssl_cook.html
} Dug Song's dsniff.

				
DOCUMENT INFO
Shared By:
Categories:
Stats:
views:3
posted:8/28/2011
language:Finnish
pages:48