SSH Operation

Date post: 02-Feb-2016
Page 1: SSH Operation

Firewalls, Perimeter Protection, and VPNs - SANS ©2001

SSH Operation

The Swiss Army Knife of encryption tools…

Page 2: SSH Operation

SSH Features

Command line terminal connection tool

Replacement for rsh, rcp, telnet, and others

All traffic encrypted

Both ends authenticate themselves to the other end

Ability to carry and encrypt non-terminal traffic

Page 3: SSH Operation

Brief History

SSH.com's SSH1: originally completely free with source code, then the license changed with version 1.2.13

SSH.com's SSH2: originally only commercial, but now free for some uses

OpenSSH team took the last free SSH1 release, refixed bugs, added features, and added support for the SSH2 protocol

Page 4: SSH Operation

Installation

OpenSSH is included with a number of Linux distributions, and available for a large number of Unices

On RPM-based Linuxes:

rpm -Uvh openssh*.rpm

Page 5: SSH Operation

Basic use

ssh SshServerName

ssh -l UserName SshServerName

ssh SshServerName CommandToRun

ssh -v SshServerName

Server Host Key checks

Uses same login password

And if we need to encrypt other traffic?
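The "Server Host Key checks" step above is the one thing in basic use that protects against connecting to an impostor: on first contact ssh shows the server's key fingerprint and asks whether to trust it, records the key in ~/.ssh/known_hosts, and on every later connection refuses if the presented key differs. The following script is an added example (not part of the slides, not OpenSSH code) that models that check over the unhashed known_hosts format: it builds SSH wire-format key blobs, computes the SHA256 fingerprint the way ssh-keygen -l prints it, and classifies a presented key as ok, unknown, or a mismatch. The key bytes, the host names and the 10.0.0.5 address are constructed placeholders.

```python
import base64
import hashlib

def key_blob(key_type, *fields):
    """Build an SSH wire-format public key: every field is a 4-byte big-endian length plus the bytes."""
    blob = b""
    for field in (key_type.encode(),) + fields:
        blob += len(field).to_bytes(4, "big") + field
    return blob

def fingerprint(blob):
    """SHA256 fingerprint in the form ssh-keygen -l prints: base64 of the digest, '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text):
    """Map each plain hostname to the set of key blobs recorded for it.
    Lines look like 'host[,host...] key-type base64-key [comment]'.  Hashed (|1|...) entries
    and @cert-authority / @revoked marker lines are skipped: this handles only the plain format."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#@|":
            continue
        hosts, _key_type, b64 = line.split()[:3]
        for host in hosts.split(","):
            known.setdefault(host, set()).add(base64.b64decode(b64))
    return known

def check_host_key(known, host, offered_blob):
    """What the client decides about the key the server presents at connect time:
    'ok'       -> matches a recorded key, the connection proceeds silently
    'unknown'  -> first contact: ssh shows the fingerprint and asks whether to trust it
    'MISMATCH' -> host is known but the key differs: ssh refuses (impersonation, or a re-keyed host)"""
    if host not in known:
        return "unknown"
    return "ok" if offered_blob in known[host] else "MISMATCH"

# Constructed demo keys: the 32-byte payloads are placeholders, not real Ed25519 public keys.
REAL_KEY = key_blob("ssh-ed25519", bytes(range(32)))
ROGUE_KEY = key_blob("ssh-ed25519", bytes(32))

# Constructed known_hosts content, as ~/.ssh/known_hosts would hold after a first accepted connection.
KNOWN_HOSTS = "mailserver,10.0.0.5 ssh-ed25519 %s demo-key\n" % base64.b64encode(REAL_KEY).decode()

def demo():
    known = parse_known_hosts(KNOWN_HOSTS)
    return {
        "first contact with firewall": check_host_key(known, "firewall", REAL_KEY),
        "mailserver presents recorded key": check_host_key(known, "mailserver", REAL_KEY),
        "mailserver presents a different key": check_host_key(known, "mailserver", ROGUE_KEY),
        "fingerprint to compare out of band": fingerprint(REAL_KEY),
    }

if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The "unknown" case is the weak point of the scheme: the fingerprint shown at first contact is only meaningful if it is compared against one obtained out of band (from the server administrator, or by running ssh-keygen -l on the server's host key file), otherwise the first connection is trusted blindly.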

Page 6: SSH Operation

Port Forwarding - real server on remote machine

I want to listen on port 5110 on this machine; all packets arriving here get sent to mailserver, port 110:

ssh -L 5110:mailserver:110 mailserver

Page 7: SSH Operation

Port Forwarding - real server on this machine

All web traffic to my firewall should be redirected to the web server running on port 8000 on my machine instead:

ssh -R 80:MyMachine:8000 firewall
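Both forwarding forms above are the same mechanism with the listener placed at a different end: with -L the listener is on this machine and connections are carried through the tunnel to mailserver:110; with -R the listener is on the ssh server (the firewall) and connections are carried back through the tunnel to MyMachine:8000. The script below is an added example (not part of the slides, not OpenSSH code) that implements the listening end as a plain TCP relay so the data flow is visible; the real thing differs only in that the relay runs inside the encrypted ssh channel. The echo service, payloads and loopback ports are constructed for the demo.

```python
import socket
import threading

def _relay(src, dst):
    """Copy bytes from src to dst until EOF, then tear the pair down. Two of these make one tunnel."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        for sock in (src, dst):
            try:
                sock.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            sock.close()

def _serve(listener, handle):
    """Accept until the listener is closed; the short timeout lets the loop notice the close."""
    listener.settimeout(0.5)
    while True:
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            continue
        except OSError:        # listener closed by its owner
            return
        handle(conn)

def start_forwarder(listen_port, target_host, target_port, listen_host="127.0.0.1"):
    """Listen on listen_host:listen_port and relay every accepted connection to target_host:target_port.
    Port 0 asks the OS for a free port. Returns the listening socket; close() it to stop."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((listen_host, listen_port))
    listener.listen(5)

    def handle(client):
        try:
            upstream = socket.create_connection((target_host, target_port))
        except OSError:        # target unreachable: drop this connection, keep listening
            client.close()
            return
        threading.Thread(target=_relay, args=(client, upstream), daemon=True).start()
        threading.Thread(target=_relay, args=(upstream, client), daemon=True).start()

    threading.Thread(target=_serve, args=(listener, handle), daemon=True).start()
    return listener

def start_echo_server(host="127.0.0.1"):
    """Constructed stand-in for the real service (the POP3 server on port 110): echoes what it receives."""
    service = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    service.bind((host, 0))
    service.listen(5)

    def handle(conn):
        def echo():
            with conn:
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    conn.sendall(chunk)
        threading.Thread(target=echo, daemon=True).start()

    threading.Thread(target=_serve, args=(service, handle), daemon=True).start()
    return service

def demo_local_forward(payload):
    """End to end: client -> local listener -> service, and the reply back the same way."""
    service = start_echo_server()
    forwarder = start_forwarder(0, "127.0.0.1", service.getsockname()[1])
    try:
        with socket.create_connection(("127.0.0.1", forwarder.getsockname()[1])) as client:
            client.sendall(payload)
            reply = b""
            while len(reply) < len(payload):
                chunk = client.recv(4096)
                if not chunk:
                    break
                reply += chunk
    finally:
        forwarder.close()
        service.close()
    return reply

if __name__ == "__main__":
    print(demo_local_forward(b"USER alice\r\n"))
```

Two practical points the relay makes visible: the listener binds to 127.0.0.1, which is also ssh's default for both -L and -R (a remote -R listener reachable from other hosts needs GatewayPorts enabled in the firewall's sshd_config), and binding port 80 on the firewall, as in the -R example, requires root there because it is a privileged port.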

Page 8: SSH Operation

X Windows forwarding

No setup - already done!

Run the X Windows application in the terminal window:

xclock &

The screen display shows up on your computer, and any keystrokes and mouse movements are sent back, all encrypted.

Page 9: SSH Operation

Securely copying files

scp

scp -p localfile remotemachine:/remotepath/file

Prompts for authentication if needed

All traffic encrypted

Replaces ftp, rcp, file sharing

Page 10: SSH Operation

SSH key background

Old way: password stored on server, user supplied password compared to stored version

New way: private key kept on client, public key stored on server.

Page 11: SSH Operation

SSH key creation

General command:

ssh-keygen -b 1024 -c 'Comment' -f ~/.ssh/identity_file

Different forms for each of the SSH flavors

Assign a hard-to-guess passphrase to the private key during creation.

Key can be used for multiple servers

Page 12: SSH Operation

SSH key installation

3 versions of ssh: interoperability is good, but poorly documented

ssh-keyinstall utility automates the creation and installation

'ssh-keyinstall -s SshServerName' creates keys, if needed, and installs them on the remote server

Need password during key install only

Page 13: SSH Operation

Using SSH keys

ssh SshServerName

ssh -l UserName SshServerName

ssh SshServerName CommandToRun

ssh -v SshServerName

Page 14: SSH Operation

ssh-agent

Remembers your private key(s)

Other applications can ask ssh-agent to authenticate you automatically.

Unattended remote sessions.

ssh-agent bash

ssh-agent startx

eval `ssh-agent`   # Less preferred

ssh-add [KeyName]

Page 15: SSH Operation

Fanout

Runs command on multiple machines by opening separate ssh session to each

fanout 'machine1 machine2 user@machine3' 'command params'

Gives organized output from each machine
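The two properties fanout is credited with above, one ssh session per machine and output organized per machine rather than interleaved, are what a minimal re-implementation has to provide. The script below is an added example (it is not the fanout tool from stearns.org, whose source is not on this page): it parses the 'machine1 machine2 user@machine3' target list, builds the per-host ssh command line with -l for the user@ form, runs the sessions in parallel, and returns results keyed by target in the order given so a failed host does not scramble the report. The fake_run function and its output are constructed so the demo runs offline; BatchMode=yes is a real ssh option that makes a session fail rather than hang on a password prompt.

```python
import subprocess
from concurrent.futures import ThreadPoolExecutor

def parse_target(spec):
    """'user@host' -> ('user', 'host'); plain 'host' -> (None, 'host')."""
    user, _, host = spec.rpartition("@")
    return (user or None, host)

def ssh_argv(spec, command):
    """Per-host ssh command line; BatchMode=yes means fail instead of prompting for a password."""
    user, host = parse_target(spec)
    argv = ["ssh", "-o", "BatchMode=yes"]
    if user:
        argv += ["-l", user]
    return argv + [host, command]

def run_with_subprocess(argv, timeout=60):
    """Default runner: really execute ssh and capture everything it prints."""
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout + proc.stderr

def fanout(targets, command, run=run_with_subprocess, workers=8):
    """Run command on every target in parallel; results are keyed by target, in the order given."""
    specs = targets.split()
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = {spec: pool.submit(run, ssh_argv(spec, command)) for spec in specs}
    results = {}
    for spec in specs:
        try:
            results[spec] = futures[spec].result()
        except Exception as exc:   # e.g. subprocess.TimeoutExpired for one unreachable host
            results[spec] = (None, f"fanout: {exc}")
    return results

def report(results):
    """Organized output: one labelled section per machine instead of interleaved lines."""
    out = []
    for spec, (rc, text) in results.items():
        out.append(f"==== {spec} (exit {rc}) ====")
        out.append(text.rstrip("\n"))
    return "\n".join(out)

def fake_run(argv):
    """Constructed stand-in runner for offline use: no ssh is executed, machine2 'times out'."""
    host = argv[-2]
    if host == "machine2":
        raise TimeoutError("connection timed out")
    return 0, f"{host}: up 3 days, load 0.10\n"

if __name__ == "__main__":
    print(report(fanout("machine1 machine2 user@machine3", "uptime", run=fake_run)))
```

The runner is injectable so the parallel and reporting logic can be exercised without any remote hosts; with the default runner each session authenticates the same way a manual ssh would, so this is where an agent-held key pays off.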

Page 16: SSH Operation

Fanterm – live control of multiple machines

Fanterm provides interactive control of multiple remote systems.

Initial window receives keystrokes.

Keystrokes sent to each remote system.

Output from each system shows up in a separate terminal.

Page 17: SSH Operation

Page 18: SSH Operation

File synchronization - Rsync

Rsync copies a tree of files from a master out to a copy on another machine.

Can use ssh as its transport.

rsync -azv -e ssh /home/wstearns/webtree/ mirror.stearns.org:/home/web/

Page 19: SSH Operation

Rsync-backup

Rsync-backup automates the process of backing up machines with rsync and ssh.

Features:

Only changed data shipped

All permissions preserved

All communication encrypted

Unlimited snapshots

Use <= 2X-4X combined client capacity

Page 20: SSH Operation

Rsync-backup client install

Install ssh, rsync, and rsync-backup-client rpms (see http://www.stearns.org)

Install ssh-keyinstall on client to create a backup key with

ssh-keyinstall -s backupserver -u root -c /usr/sbin/rsync-backup-server

Page 21: SSH Operation

Rsync-backup server install

Install ssh, freedups, rsync-static, and rsync-backup-server rpms

Turn off password authentication in /etc/ssh/sshd_config
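Turning off password authentication is what makes the backup server safe to expose with a root-capable key installed on every client: once the key is the only way in, there is nothing for a password-guessing run to find. The script below is an added example (not from the slides or from OpenSSH) that audits an sshd_config text for that state. It applies sshd's actual rule that the first occurrence of a directive wins, ignores comments and anything under a Match block, and reports the directives that still leave a password path open. The two config samples are constructed; the directive names and defaults are OpenSSH's.

```python
import re

# Directives the audit cares about, with OpenSSH's defaults when they are absent.
# KbdInteractiveAuthentication is the OpenSSH 8.7+ name for ChallengeResponseAuthentication;
# leaving either at "yes" lets PAM prompt for a password even when PasswordAuthentication is no.
# PermitRootLogin defaulted to "yes" in old releases and to "prohibit-password" since OpenSSH 7.0.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "yes",
}

def effective_settings(config_text):
    """Resolve the global value of each audited directive: first occurrence wins, as in sshd.
    Everything from the first Match line onward is conditional and is skipped here."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break
        if key in DEFAULTS and key not in seen:
            seen.add(key)
            settings[key] = value
    return settings

def audit(config_text):
    """Return the findings that would keep a password-based login possible on this server."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing remains possible")
    if s["challengeresponseauthentication"] != "no" and s["kbdinteractiveauthentication"] != "no":
        findings.append("keyboard-interactive authentication still enabled: PAM can still ask for a password")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is not 'yes': the backup key could not log in")
    if s["permitrootlogin"] not in ("no", "without-password", "prohibit-password"):
        findings.append("PermitRootLogin allows root to log in with a password")
    return findings

# Constructed sample: a stock-looking sshd_config that was never hardened.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: key-only backup server (root allowed, but only with a key).
HARDENED_CONFIG = """\
Port 22
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication yes    # a later duplicate is ignored: the first value wins
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text) or ["no findings"])
```

After editing the real /etc/ssh/sshd_config the server must re-read it (reload or restart sshd), and it is worth confirming from a client that a deliberate wrong password is now rejected without ever being prompted for.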

Page 22: SSH Operation

Rsync-backup examples

Examples of backup commands:

rsync-backup-client / root@backupserver:/

rsync-backup-client /usr /home/gbk root@backupserver:/

Page 23: SSH Operation

Links and references

http://www.ssh.com

http://www.openssh.org

SSH, The Secure Shell, The Definitive Guide

ssh-keyinstall, fanout, rsync-backup, freedups and other apps at http://www.stearns.org/

Page 24: SSH Operation

More links

Docs at http://www.stearns.org/doc/

http://www.employees.org/~satch/ssh/faq/ssh-faq.html

http://rsync.samba.org

William Stearns [email protected]

