Firewalls, Perimeter Protection, and VPNs - SANS ©2001

SSH Operation

The Swiss Army Knife of encryption tools…


SSH Features

• Command line terminal connection tool

• Replacement for rsh, rcp, telnet, and others

• All traffic encrypted

• Both ends authenticate themselves to the other end

• Ability to carry and encrypt non-terminal traffic


Brief History

• SSH.com’s SSH1, originally completely free with source code, then license changed with version 1.2.13

• SSH.com’s SSH2, originally only commercial, but now free for some uses.

• OpenSSH team took the last free SSH1 release, fixed bugs, added features, and added support for the SSH2 protocol.


Installation

• OpenSSH is included with a number of Linux distributions, and available for a large number of Unices

• On RPM-based Linuxes:
  – rpm -Uvh openssh*.rpm


Basic use

• ssh SshServerName

• ssh -l UserName SshServerName

• ssh SshServerName CommandToRun

• ssh -v SshServerName

• Server host key checks

• Uses the same login password

• And if we need to encrypt other traffic?
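The "server host key check" above is the one step that defeats a man-in-the-middle: the first time you connect, ssh shows the fingerprint of the server's host key and asks you to confirm it, and afterwards compares the stored key in ~/.ssh/known_hosts with what the server presents. The confirmation is only worth something if you compare the fingerprint against a value obtained out of band (from the administrator, a DNS SSHFP record, or a known_hosts file copied over a trusted channel). The following is an added example, not code from the slides or from OpenSSH; it computes the fingerprints that `ssh-keygen -l` would print for a known_hosts entry and compares them with an expected value. The host key in it is a constructed 32-byte dummy, not a real server's key.

```python
"""Compute OpenSSH host key fingerprints for a known_hosts entry and compare them
with a fingerprint obtained out of band. Added example; standard library only.
The sample key is CONSTRUCTED (a dummy 32-byte Ed25519 public key), not real."""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_blob(raw_public_key: bytes) -> bytes:
    """Assemble the blob that OpenSSH base64-encodes in known_hosts/authorized_keys."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_public_key)


def make_known_hosts_line(hosts: str, raw_public_key: bytes) -> str:
    """Build a known_hosts entry for a constructed Ed25519 key (demo helper)."""
    return f"{hosts} ssh-ed25519 " + base64.b64encode(build_ed25519_blob(raw_public_key)).decode()


def parse_known_hosts_line(line: str):
    """Return (hosts, key_type, key_blob) for one known_hosts entry.

    Hashed hosts (HashKnownHosts yes) show up as a single '|1|salt|hash' field
    and are returned as-is. A leading @cert-authority / @revoked marker is skipped.
    """
    fields = line.split()
    if fields and fields[0].startswith("@"):
        fields = fields[1:]
    if len(fields) < 3:
        raise ValueError("malformed known_hosts line")
    hosts, key_type, blob = fields[0].split(","), fields[1], base64.b64decode(fields[2])
    # The blob's first SSH string names the algorithm; it must agree with field 2.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type field does not match key blob")
    return hosts, key_type, blob


def fingerprint_sha256(blob: bytes) -> str:
    """Modern form printed by ssh-keygen -l: 'SHA256:' + unpadded base64 of the digest."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy form (ssh-keygen -l -E md5): 'MD5:' + colon-separated hex bytes."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def host_key_matches(known_hosts_line: str, expected_fingerprint: str) -> bool:
    """True only if the key on the line has the fingerprint you were given out of band."""
    _, _, blob = parse_known_hosts_line(known_hosts_line)
    if expected_fingerprint.startswith("SHA256:"):
        actual = fingerprint_sha256(blob)
    elif expected_fingerprint.startswith("MD5:"):
        actual = fingerprint_md5(blob)
    else:
        raise ValueError("fingerprint must start with SHA256: or MD5:")
    # Constant-time comparison; a habit worth keeping even where timing is not an issue.
    return hmac.compare_digest(actual, expected_fingerprint)


# Constructed sample: a dummy key for a host called mailserver, not a real server's key.
SAMPLE_RAW_KEY = bytes(range(32))
SAMPLE_LINE = make_known_hosts_line("mailserver,10.0.0.5", SAMPLE_RAW_KEY)

if __name__ == "__main__":
    hosts, key_type, blob = parse_known_hosts_line(SAMPLE_LINE)
    print(hosts, key_type)
    print(fingerprint_sha256(blob))
    print(fingerprint_md5(blob))
```

On a real system the same comparison is `ssh-keygen -lf ~/.ssh/known_hosts` (add `-E md5` for the legacy form) against the fingerprint the server's administrator gave you; a mismatch on a host you have connected to before is exactly the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning and should stop the login, not be clicked through.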


Port Forwarding – real server on remote machine

• I want to listen on port 5110 on this machine; all packets arriving here get sent to mailserver, port 110:
  – ssh -L 5110:mailserver:110 mailserver

• Only the leg between the ssh client and the ssh server is encrypted; whatever the ssh server sends on to the destination host travels in the clear. That is why the ssh session here is made to mailserver itself, so the POP3 traffic never leaves it unencrypted.


Port Forwarding – real server on this machine

• All web traffic to my firewall should be redirected to the web server running on port 8000 on my machine instead:
  – ssh -R 80:MyMachine:8000 firewall

• Two things have to be true on firewall for this to work: binding port 80 there needs root privileges, and sshd binds remote forwards to the loopback interface only unless GatewayPorts yes is set in its sshd_config.


X Windows forwarding

• No setup – already done! (Current OpenSSH ships with X11 forwarding off: request it with ssh -X, and make sure X11Forwarding yes is set in the server's sshd_config.)

• Run the X Windows application in the terminal window:
  – xclock &
  – The screen display shows up on your computer, and any keystrokes and mouse movements are sent back, all encrypted.

• Forwarding gives applications on the remote host access to your X display, so use it only with hosts you trust.


Securely copying files

• scp

• scp -p localfile remotemachine:/remotepath/file

• Prompts for authentication if needed

• All traffic encrypted

• Replaces ftp, rcp, file sharing


SSH key background

• Old way: password stored on server, user supplied password compared to stored version

• New way: private key kept on client, public key stored on server (OpenSSH: ~/.ssh/authorized_keys). The private key never leaves the client; the server only verifies a signature made with it, so a compromised server learns nothing reusable.


SSH key creation

• General command:
  – ssh-keygen -b 1024 -c "Comment" -f ~/.ssh/identity_file

• Different forms for each of the SSH flavors (OpenSSH's ssh-keygen takes the comment with -C; its -c changes the comment on an existing key)

• Today a 1024-bit key is considered too weak; use ssh-keygen -t ed25519, or RSA with at least 3072 bits.

• Assign a hard-to-guess passphrase to the private key during creation.

• Key can be used for multiple servers


SSH key installation

• 3 versions of ssh: interoperability is good, but poorly documented

• ssh-keyinstall utility automates the creation and installation
  – ssh-keyinstall -s SshServerName creates keys, if needed, and installs them on the remote server
  – Need password during key install only
  – Current OpenSSH ships ssh-copy-id for the same job


Using SSH keys

• ssh SshServerName

• ssh -l UserName SshServerName

• ssh SshServerName CommandToRun

• ssh -v SshServerName

• Same commands as before; the key's passphrase (or ssh-agent) now takes the place of the login password.


ssh-agent

• Remembers your private key(s)

• Other applications can ask ssh-agent to authenticate you automatically.

• Unattended remote sessions.

• ssh-agent bash

• ssh-agent startx

• eval `ssh-agent`   # Less preferred

• ssh-add [KeyName]

• The agent holds the unlocked keys in memory for as long as it runs; anyone who can reach its socket (root on the machine, or a remote host you forwarded the agent to with -A) can sign with them. Avoid agent forwarding to hosts you do not trust, and run ssh-add -D when you are done.


Fanout

• Runs command on multiple machines by opening separate ssh session to each

• fanout “machine1 machine2 user@machine3” “command params”

• Gives organized output from each machine


File synchronization - Rsync

• Rsync copies a tree of files from a master out to a copy on another machine.

• Can use ssh as its transport.

• rsync -azv -e ssh /home/wstearns/webtree/ mirror.stearns.org:/home/web/


Rsync-backup

• Rsync-backup automates the process of backing up machines with rsync and ssh.

• Features:
  – Only changed data shipped
  – All permissions preserved
  – All communication encrypted
  – Unlimited snapshots
  – Uses <= 2X-4X combined client capacity


Rsync-backup client install

• Install ssh, rsync, and rsync-backup-client rpms (see http://www.stearns.org)

• Install ssh-keyinstall on client to create a backup key with
  – ssh-keyinstall -s backupserver -u root -c /usr/sbin/rsync-backup-server
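The backup key above logs in as root on backupserver, so the whole design rests on that key being usable for nothing but the backup command. The added example below, which is not code from the slides or from ssh-keyinstall, covers both the key installation described earlier (slide 12) and this restricted backup key: it parses sshd's authorized_keys option syntax and audits one entry. It assumes (this is an assumption, the slide does not say so) that the `-c` flag leaves a `command="/usr/sbin/rsync-backup-server"` option in /root/.ssh/authorized_keys; the `from=` restriction and the `no-*` flags are what a practitioner would add on top. The key material in the sample lines is placeholder text, not a real key.

```python
"""Parse authorized_keys entries and check that a key is confined to one command.

Added example, not code from the slides or from ssh-keyinstall. Assumes (not
stated on the slide) that the root backup key ends up in
/root/.ssh/authorized_keys with command="/usr/sbin/rsync-backup-server".
Key material below is placeholder text; the sample lines are constructed."""
import re

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
CONFINING_FLAGS = ("no-port-forwarding", "no-x11-forwarding",
                   "no-agent-forwarding", "no-pty")


def split_options(text: str) -> dict:
    """Parse sshd's comma-separated option list into {name: value or True}.

    Quoted values may contain commas and \\" escapes. Options sshd allows to
    repeat (environment=, permitopen=) collapse to the last one here.
    """
    options, i, n = {}, 0, len(text)
    while i < n:
        m = re.match(r"[A-Za-z0-9-]+", text[i:])
        if not m:
            raise ValueError(f"bad option syntax near {text[i:]!r}")
        name, i = m.group(0).lower(), i + m.end()
        value = True                              # bare flag such as no-pty
        if i < n and text[i] == "=":
            if i + 1 >= n or text[i + 1] != '"':
                raise ValueError(f"option {name} needs a quoted value")
            i, buf = i + 2, []
            while i < n and text[i] != '"':
                if text[i] == "\\" and i + 1 < n and text[i + 1] == '"':
                    buf.append('"')
                    i += 2
                else:
                    buf.append(text[i])
                    i += 1
            if i >= n:
                raise ValueError(f"unterminated quote in option {name}")
            i, value = i + 1, "".join(buf)
        options[name] = value
        if i < n:
            if text[i] != ",":
                raise ValueError(f"expected ',' after option {name}")
            i += 1
    return options


def parse_authorized_key(line: str):
    """Return (options, key_type, key_b64, comment), or None for blank/comment lines.

    Quoted option values may contain spaces, so the options field ends at the
    first whitespace outside quotes, not at a plain split().
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:       # no options field at all
        options_text, rest = "", line
    else:
        i, in_quote = 0, False
        while i < len(line) and (in_quote or not line[i].isspace()):
            if line[i] == '"' and (i == 0 or line[i - 1] != "\\"):
                in_quote = not in_quote
            i += 1
        options_text, rest = line[:i], line[i:].lstrip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"no recognised key type in {line!r}")
    comment = parts[2] if len(parts) > 2 else ""
    return split_options(options_text), parts[0], parts[1], comment


def audit_forced_command_key(line: str, expected_command: str, trusted_from: str) -> list:
    """Findings for a key meant to run only expected_command; [] means it is confined."""
    parsed = parse_authorized_key(line)
    if parsed is None:
        return ["blank or comment line"]
    options, key_type, _, _ = parsed
    findings = []
    if options.get("command") != expected_command:
        findings.append(f"command= is {options.get('command')!r}, expected {expected_command!r}")
    if options.get("from") != trusted_from:
        findings.append(f"from= is {options.get('from')!r}, expected {trusted_from!r}")
    if "restrict" not in options:                 # 'restrict' (OpenSSH 7.2+) implies all of these
        findings.extend(f"missing {flag}" for flag in CONFINING_FLAGS if flag not in options)
    if key_type == "ssh-dss":
        findings.append("ssh-dss is deprecated and disabled by default in current OpenSSH")
    return findings


# Constructed samples; the base64 is placeholder text, not a real key.
SAMPLE_CONFINED = ('from="10.0.0.0/24",command="/usr/sbin/rsync-backup-server",'
                   'no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty '
                   'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA backup@client')
SAMPLE_UNCONFINED = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCPLACEHOLDER root@client"

if __name__ == "__main__":
    for entry in (SAMPLE_CONFINED, SAMPLE_UNCONFINED):
        print(audit_forced_command_key(entry, "/usr/sbin/rsync-backup-server", "10.0.0.0/24") or "confined")
```

Run against a real /root/.ssh/authorized_keys, the audit tells you whether the backup key can be turned into an interactive root shell from anywhere (the unconfined sample) or only run the backup server from the backup client's network (the confined sample). Note that the forced command must itself refuse arbitrary rsync arguments, since `command=` only fixes the program, not what a client asks it to do.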


Rsync-backup server install

• Install ssh, freedups, rsync-static, and rsync-backup-server rpms

• Turn off password authentication in /etc/ssh/sshd_config (PasswordAuthentication no, then restart sshd), so that the backup key is the only way in
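"Turn off password authentication" is one line in sshd_config, but it is a line people get wrong, because sshd keeps the first value it reads for each keyword: a `PasswordAuthentication no` appended below a distro default of `yes` changes nothing, and a later Match block can quietly re-enable it for some clients. The following added example (not code from the slides or from OpenSSH) parses sshd_config with those rules and audits the settings a key-only backup server needs. The sample configs are constructed.

```python
"""Audit an sshd_config for the slide's requirement: password logins off.

Added example, not from the original slides. sshd keywords are case-insensitive,
`Keyword value` and `Keyword=value` are both accepted, the FIRST value read for a
keyword wins, and settings inside a Match block apply only to matching
connections. The sample configs are constructed."""
import re

LINE_RE = re.compile(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")
ROOT_KEY_ONLY = ("prohibit-password", "without-password", "forced-commands-only")


def parse_sshd_config(text: str):
    """Return (global_settings, match_blocks, ignored).

    global_settings: lowercase keyword -> first value seen.
    match_blocks: [(criteria, {keyword: first value})] in file order.
    ignored: (keyword, value) pairs sshd discards because an earlier line won.
    """
    global_settings, match_blocks, ignored = {}, [], []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                               # sshd itself would refuse to start
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            current = {}
            match_blocks.append((value, current))
        elif keyword in current:
            ignored.append((keyword, value))
        else:
            current[keyword] = value
    return global_settings, match_blocks, ignored


def effective(settings: dict, *keywords: str, default):
    """Value of the first keyword present; `default` is sshd's compiled-in default."""
    for kw in keywords:
        if kw in settings:
            return settings[kw]
    return default


def audit_sshd_config(text: str) -> list:
    """Findings for a key-only backup server; [] means the config passes."""
    g, blocks, ignored = parse_sshd_config(text)
    findings = []
    pw = effective(g, "passwordauthentication", default="yes")
    if pw.lower() != "no":
        findings.append(f"PasswordAuthentication is effectively '{pw}' (sshd default is yes)")
    # KbdInteractiveAuthentication (older name ChallengeResponseAuthentication) lets PAM
    # prompt for a password even when PasswordAuthentication is off.
    kbd = effective(g, "kbdinteractiveauthentication", "challengeresponseauthentication", default="yes")
    if kbd.lower() != "no":
        findings.append("KbdInteractiveAuthentication/ChallengeResponseAuthentication still 'yes'")
    if effective(g, "pubkeyauthentication", default="yes").lower() != "yes":
        findings.append("PubkeyAuthentication is off; the backup key could not log in")
    if effective(g, "permitemptypasswords", default="no").lower() != "no":
        findings.append("PermitEmptyPasswords is yes")
    root = effective(g, "permitrootlogin", default=None)
    if root is None or root.lower() not in ROOT_KEY_ONLY:
        findings.append(f"PermitRootLogin is {root!r}; the backup client logs in as root, so set prohibit-password")
    for kw, val in ignored:
        findings.append(f"'{kw} {val}' is ignored: an earlier {kw} line wins (first value wins)")
    for criteria, settings in blocks:
        if settings.get("passwordauthentication", "").lower() == "yes":
            findings.append(f"Match {criteria} re-enables PasswordAuthentication")
    return findings


# Constructed: distro defaults left in place, with the "fix" appended at the bottom.
BAD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
# appended later, in the belief that the last line wins:
PasswordAuthentication no
"""

# Constructed: what the backup server should look like.
GOOD_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
"""

# Constructed: a LAN exception that quietly undoes the global setting.
LAN_EXCEPTION_CONFIG = GOOD_CONFIG + """
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG), ("lan", LAN_EXCEPTION_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

After editing the real file, `sshd -T` prints the effective configuration as sshd resolves it (add `-C user=root,addr=...` to see what a Match block yields for a given client), which is the authoritative check; the script above shows why the first-value rule and Match blocks make that check necessary.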


Rsync-backup examples

• Examples of backup commands:
  – rsync-backup-client / root@backupserver:/
  – rsync-backup-client /usr /home/gbk root@backupserver:/


Links and references

• http://www.ssh.com

• http://www.openssh.org

• SSH, The Secure Shell: The Definitive Guide

• ssh-keyinstall, fanout, rsync-backup, freedups and other apps at http://www.stearns.org/


More links

• Docs at http://www.stearns.org/doc/

• http://www.employees.org/~satch/ssh/faq/ssh-faq.html

• http://rsync.samba.org

• William Stearns, [email protected]

