Date post: | 24-Dec-2015 |
SSH
Secure Shell (and friends)
From: http://en.wikipedia.org/wiki/Ssh
SSH
Secure Shell (SSH) Network protocol
Allows data to be exchanged over a secure channel between two computers
Encryption provides confidentiality and integrity of data
SSH uses public-key cryptography to authenticate the remote computer
Allows the remote computer to authenticate the user, if necessary
SSH
Typically used to log into a remote machine and execute commands
Supports tunneling
Forwards arbitrary TCP ports and X11 connections
Basis for transferring files using the associated SFTP or SCP protocols
SSH
An SSH server listens on TCP port 22 (default)
The ssh client program establishes connections to an sshd daemon that accepts remote connections
Both typically available for current OSs: Mac OS X, Linux, Solaris, OpenVMS, …
Proprietary, freeware and open source versions of various levels of complexity and completeness exist
HISTORY
History
SSH-1
1995: Tatu Ylönen designed the first version of the protocol (SSH-1)
Prompted by a password-sniffing attack on his university's network
Goal of SSH was to replace the earlier rlogin, TELNET and rsh protocols, which did not provide strong authentication or guarantee confidentiality
Ylönen released his implementation as freeware in July 1995
Tool quickly gained in popularity
Towards the end of 1995, the SSH user base had grown to 20,000 users in fifty countries
December 1995: Ylönen founded SSH Communications Security to market and develop SSH
Original version of the SSH software used various pieces of free software such as GNU libgmp
Later versions released by SSH Communications Security evolved into increasingly proprietary software
History
SSH-2
1996: SSH-2 designed, incompatible with SSH-1
SSH-2 featured both security and feature improvements over SSH-1
Better security through Diffie-Hellman key exchange
Strong integrity checking via message authentication codes
New features of SSH-2 included the ability to run any number of shell sessions over a single SSH connection
History
1999: developers wanted a free software version
Went back to the 1.2.12 release of the original ssh program, the last released under an open source license
Björn Grönvall's OSSH developed from this codebase
OpenBSD developers forked Björn's code and did extensive work on it, creating OpenSSH
Shipped with the 2.6 release of OpenBSD
"Portability" branch was formed to port OpenSSH to other operating systems
At the end of 2000: estimated 2,000,000 users of SSH
History
As of 2005, OpenSSH is the single most popular ssh implementation
Default in a large number of operating systems
OSSH has become obsolete
SSH-2 protocol became a proposed Internet standard in 2006 with the publication of RFCs by the IETF "secsh" working group
Uses of SSH
MOST COMMON SSH USES:
Uses of SSH:
Remote administration of the SSH server computer with an SSH client that supports terminal protocols
Via terminal (character-mode) console
Can be used as an alternative to a terminal on a headless server
In combination with SFTP, as a secure alternative to FTP
Can be set up more easily on a small scale without a public key infrastructure and X.509 certificates
In combination with rsync to backup, copy and mirror files efficiently and securely
In combination with SCP, as a secure alternative for rcp file transfers
More often used in environments involving Unix
Uses of SSH
Port forwarding or tunneling
Frequently used as an alternative to a full-fledged VPN
A (non-secure) TCP/IP connection of an external application is redirected to the SSH program (client or server)
SSH forwards it to the other SSH party (server or client), which in turn forwards the connection to the desired destination host
Forwarded connection is encrypted and protected on the path between the SSH client and server only
Uses of SSH port forwarding include accessing database servers, email servers, securing X11, Windows Remote Desktop and VNC connections or even forwarding Windows file shares
Primarily useful for tunneling connections through firewalls that would ordinarily block that type of connection
Also used for encrypting protocols which are not normally encrypted, e.g. VNC
Uses of SSH
ssh and rdesktop: three computers
1. Computer to run rdesktop and ssh
2. Computer to obtain access to a remote network
3. Computer whose desktop rdesktop displays (the end computer)
"ssh -L 3389:mytarget.mycompany.net:3389 sshtarget.mycompany.net"
Log into the middle computer and do nothing on it
Open another shell from the first computer running ssh and type rdesktop localhost
This example uses the middle computer to port forward 3389 from the end computer to the first computer
If on Windows, run ssh using another local port, e.g.
"ssh -L3390:mydesktop.mycompany.net:3389 sshserver.mycompany.net"
Start the native Windows Remote Desktop client and type localhost:3390 to remote into "mydesktop.mycompany.net"
Uses of SSH
Log into one machine from your local host, then log in from there to another machine
Run an X application (e.g. xterm, matlab) on the last machine to display on your local display
Especially useful for running X applications on a department host from off campus
Had to connect through another department host which is available for ssh login through the campus firewall
Channel the X window through a series of logins back to the host at which you are sitting
Best way to do this is to make use of the X11-forwarding feature of ssh
For unix/linux to unix/linux, force an X11-forwarding request with the '-X' option (capitalized x): ssh -X host.com
Uses of SSH
X11-forwarding through multiple hosts: ssh -X hostA.com → ssh -X hostB.com → ssh -X hostC.com
Ensure the tunnel is working every step of the way by running something like xterm on host B, then C
If this does not work, -Y may be needed: ssh -X -Y hostA.com → ssh -X -Y hostB.com → ssh -X -Y hostC.com
Use an SSH client that supports dynamic port forwarding (presenting to other programs a SOCKS or HTTP 'CONNECT' proxy interface)
SSH can be used to generally browse the web through an encrypted proxy connection, using the SSH server as a proxy
Uses of SSH
Automated remote monitoring and management of servers with an SSH client that supports SSH exec requests
Frequently embedded in other software, e.g. a network monitoring program
SSH Filesystem
Securely mount a directory on the server so that it acts as a filesystem on the local computer
Uses a normal ssh login on the server
SSH ARCHITECTURE
SSH architecture
The SSH-2 protocol has a clean internal architecture with well-separated layers: Transport Layer, User Authentication Layer, Connection Layer
Defined in RFC 4251
SSH architecture –Transport Layer
The transport layer (RFC 4253)
Handles initial key exchange and server authentication
Sets up: encryption, compression, integrity verification
Exposes to the upper layer an interface for sending and receiving plaintext packets of up to 32,768 bytes each
More can be allowed by the implementation
Transport layer also arranges for key re-exchange
After 1 GB of data has been transferred, or after 1 hour has passed, whichever is sooner
SSH architecture – User Authentication Layer
User authentication layer (RFC 4252)
Handles client authentication
Provides several authentication methods
Authentication is client-driven
Commonly misunderstood by users: when prompted for a password, it may be the SSH client prompting, not the server
Server responds to client's authentication requests
SSH architecture – User Authentication Layer
Widely used user authentication methods include the following: "password", "publickey", "keyboard-interactive", GSSAPI authentication
SSH architecture – User Authentication Layer
"password" style
Method for straightforward password authentication
Includes a facility allowing a password to be changed
Method not implemented by all programs
SSH architecture – User Authentication Layer
"publickey" style
Method for public key-based authentication
Usually supporting at least DSA or RSA keypairs
Other implementations also supporting X.509 certificates
SSH architecture – User Authentication Layer
"keyboard-interactive" style
Server sends one or more prompts to enter information
Client displays them and sends back responses keyed in by the user
Used to provide one-time password authentication such as S/Key or SecurID
Used by some OpenSSH configurations when PAM is the underlying host authentication provider to effectively provide password authentication
Sometimes leads to inability to log in with a client that supports just the plain "password" authentication method
SSH architecture – User Authentication Layer
GSSAPI authentication methods
Provide an extensible scheme to perform SSH authentication using external mechanisms such as Kerberos 5 or NTLM, providing single sign-on capability to SSH sessions
Used by commercial SSH implementations and in organizations
Note: OpenSSH does have a working GSSAPI implementation
SSH architecture – Connection Layer
Connection layer (RFC 4254)
Defines which SSH services are provided: channels, channel requests, global requests
Single SSH connection can host multiple channels simultaneously
Each transfers data in both directions
Channel requests are used to relay out-of-band channel-specific data, e.g.:
Changed size of a terminal window
Exit code of a server-side process
SSH architecture – Connection Layer
SSH client requests a server-side port to be forwarded using a global request
Standard channel types include:
"shell" for terminal shells, SFTP and exec requests (including SCP transfers)
"direct-tcpip" for client-to-server forwarded connections
"forwarded-tcpip" for server-to-client forwarded connections
SSH architecture
Open architecture provides considerable flexibility
Allows SSH to be used for a variety of purposes beyond secure shell
Functionality of the transport layer alone is comparable to TLS
User authentication layer is highly extensible with custom authentication methods
Connection layer provides the ability to multiplex many secondary sessions into a single SSH connection, a feature comparable to BEEP and not available in TLS
SECURITY CAUTIONS
Security cautions
SSH-1 has inherent design flaws which make it vulnerable to man-in-the-middle type attacks
Avoid by explicitly disabling fallback to SSH-1
Most modern servers and clients support SSH-2
Some organizations still use software with no support for SSH-2, so SSH-1 cannot always be avoided
Security cautions
In all versions of SSH, it is important to verify unknown public keys before accepting them as valid
Accepting an attacker's public key as a valid public key has the effect of disclosing the transmitted password and allowing man-in-the-middle attacks
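The host key check described above, as an added example that is not code from the original slides: a strict known_hosts lookup in Python that distinguishes an unknown host (the user still has to verify the fingerprint) from a changed key (a possible man-in-the-middle, which must be refused). The hostnames, key blob and salt are constructed; the "SHA256:" fingerprint format and the "|1|salt|hash" hashed-host format follow what OpenSSH writes.

```python
import base64
import hashlib
import hmac

# Constructed sample data: NOT a real key, just a blob in SSH wire shape
# (length-prefixed key type followed by dummy key bytes); the salt is made up too.
SAMPLE_KEY = b"\x00\x00\x00\x0bssh-ed25519" + bytes(range(32))
SAMPLE_SALT = b"0123456789abcdefghij"


def fingerprint(key_blob):
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) without '=' padding."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host_field(host, salt):
    """Build a '|1|salt|hash' host field as OpenSSH's HashKnownHosts option writes it
    (HMAC-SHA1 over the hostname, keyed with the salt)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(field, host):
    """Match a known_hosts host field (plain, comma-separated or hashed) against a hostname."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return host in field.split(",")


def check_host_key(known_hosts, host, keytype, presented):
    """Return 'match', 'mismatch' (key changed: treat as a possible man-in-the-middle and
    refuse) or 'unknown' (no entry: the user must verify the fingerprint before accepting)."""
    seen_type = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        if not host_matches(parts[0], host) or parts[1] != keytype:
            continue
        seen_type = True
        if hmac.compare_digest(base64.b64decode(parts[2]), presented):
            return "match"
    return "mismatch" if seen_type else "unknown"


# Constructed known_hosts file: one plain entry with two names, one hashed entry.
KNOWN_HOSTS = "\n".join([
    "# constructed sample, not a real known_hosts file",
    "sshserver.mycompany.net,10.0.0.5 ssh-ed25519 " + base64.b64encode(SAMPLE_KEY).decode(),
    hashed_host_field("hostA.com", SAMPLE_SALT) + " ssh-ed25519 " + base64.b64encode(SAMPLE_KEY).decode(),
])
```

A client that treats "mismatch" as fatal and shows the fingerprint on "unknown" gives the user exactly the decision point the slide is warning about.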
Security cautions
As with any encrypted protocol, SSH can be considered a security risk by companies or governments who do not trust their users and wish to eavesdrop on their communications
SSH's built-in tunneling features make it easier for users to pass large volumes of information out, or to establish an entry point for unauthorized inward access over an SSH link, without using the other protocols
HOW SSH USES PUBLIC-KEY CRYPTOGRAPHY
How SSH uses public-key cryptography (with analogy)
First, a pair of cryptographic keys is generated: one is the private key, the other is the public key
As an analogy, think of them as a matching private key and a public padlock
The public padlock is what is installed on the remote machine
Used by ssh to authenticate users using the matching private key
As a user of the system, you don't care who can see or copy the padlock (i.e. the public key)
Only the secret private key fits it
Private key is the part you keep secret inside a secure box that can only be opened with the correct passphrase
When the user wants to access a remote system, he opens the secure box with his passphrase and uses the private key to authenticate himself with the padlock on the remote computer
Neither the passphrase nor the private key leave the user's machine
User still needs to trust the local machine not to scrape his passphrase or copy his private key while it's out of the secure box
SCP
Secure Copy
Securely transferring computer files using the Secure Shell (SSH) protocol
Between a local computer and a remote host, or between two remote hosts
SCP can refer to two related things: the SCP protocol and the SCP program
SCP protocol
The SCP protocol is similar to the BSD rcp protocol
Unlike rcp, data is encrypted during transfer
Avoids potential packet sniffers extracting usable information from the data packets
Protocol itself does not provide authentication and security
Relies on SSH to provide these features
SCP protocol
SCP can interactively request any passwords or passphrases required to make a connection to a remote host, unlike rcp which fails in this situation
SCP protocol implements file transfers only
Does so by connecting to the host using SSH and executing an SCP server (scp)
SCP server program is typically the same program as the SCP client
SCP
Base command: scp [ [user@]host1:]file1 ... [ [user@]host2:]file2
Complete syntax: scp [-1246BCpqrv] [-c cipher] [-F ssh_config]
[-i identity_file] [-l limit] [-o ssh_option] [-P port] [-S program] [ [user@]host1:]file1 ... [ [user@]host2:]file2
Notes: can copy remote to local, local to remote, remote1 to remote2
SCP protocol
For upload: client feeds the server with files to be uploaded, optionally including their basic attributes (permissions, timestamps)
An advantage over the common FTP protocol, which does not have provision for uploads to include the original date/timestamp attribute
SCP protocol
For downloads: client sends a request for files or directories to be downloaded
Server feeds the client with its subdirectories and files
Download is server-driven
Imposes a security risk when connected to a malicious server
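The server-driven download risk noted above, as an added example that is not from the original slides: a Python sketch of the checks a careful scp receiver applies to the server's control lines (the "Cmode size name", "Dmode size name", "E" and "T" messages of the SCP protocol), refusing any path component that is not a single name and any file the client did not ask for. The control-line streams and destination directory are constructed; the requested name is matched as a shell glob with fnmatch, since that is what an scp user types.

```python
import fnmatch
import posixpath
import re

# Constructed sample control lines as an SCP server would send them to a
# downloading client (the file bytes that follow each 'C' line are omitted here).
# The second stream shows a misbehaving server pushing a file that was never requested.
BENIGN_STREAM = ["T1451001600 0 1451001600 0", "C0644 11 report.txt"]
MALICIOUS_STREAM = ["C0644 11 report.txt", "C0600 5 .bash_history"]

CONTROL_RE = re.compile(r"^([CD])([0-7]{4}) (\d+) (.+)$")


def parse_control(line):
    """Parse one SCP control line into (kind, mode, size, name)."""
    if line == "E":                       # end of the current directory
        return ("E", None, None, None)
    if line.startswith("T"):              # modification/access timestamps
        return ("T", None, None, line[1:])
    m = CONTROL_RE.match(line)
    if not m:
        raise ValueError("malformed SCP control line: %r" % line)
    kind, mode, size, name = m.groups()
    return (kind, int(mode, 8), int(size), name)


def safe_name(name):
    """A server-supplied name must be exactly one path component."""
    return name not in ("", ".", "..") and not any(c in name for c in "/\\\x00")


def plan_download(stream, requested, dest_dir, recursive=False):
    """Walk the server's control lines and return the local paths that would be
    written, refusing anything the client did not request (download is server-driven)."""
    cwd, depth, written = dest_dir, 0, []
    for line in stream:
        kind, _mode, _size, name = parse_control(line)
        if kind == "T":
            continue
        if kind == "E":
            if depth == 0:
                raise ValueError("end-of-directory without an open directory")
            depth -= 1
            cwd = posixpath.dirname(cwd)
            continue
        if not safe_name(name):
            raise ValueError("refusing path component %r from server" % name)
        if depth == 0 and not fnmatch.fnmatchcase(name, requested):
            raise ValueError("server sent %r, which was not requested (%r)" % (name, requested))
        if kind == "D":
            if not recursive:
                raise ValueError("directory %r sent but recursion not requested" % name)
            cwd = posixpath.join(cwd, name)
            depth += 1
        else:
            written.append(posixpath.join(cwd, name))
    return written
```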
SCP protocol
For most applications, the SCP protocol is superseded by the more comprehensive SFTP protocol Also based on SSH
SCP program
Client implementing the SCP protocol: program to perform secure copying
Most widely used SCP client is the command-line scp program, provided in most SSH implementations
scp program is the secure analog of the rcp command
scp program must be part of all SSH servers that want to provide SCP service
scp functions as SCP server too
SCP program
Some SSH implementations provide the scp2 program
Uses the SFTP protocol instead of SCP
Provides the same command line interface as scp
scp is typically a symbolic link to scp2
Syntax of the scp program is like that of cp
Simple examples:
scp SourceFile user@host:directory/TargetFile
scp user@host:folder/SourceFile TargetFile
SCP program
As the SCP protocol implements file transfers only, GUI SCP clients are rare
Implementing one requires additional functionality, directory listing at least
For example, WinSCP defaults to the SFTP protocol
Even when operating in SCP mode, clients like WinSCP are typically not pure SCP clients
They must use other means to implement the additional functionality
This in turn brings platform-dependency problems
Thus it may not be possible to work with a particular SCP server using a GUI SCP client, even if you are able to work with the same server using a traditional command line client
More comprehensive tools for managing files over SSH are SFTP clients
SFTP
From: http://en.wikipedia.org/wiki/SSH_file_transfer_protocol
SFTP
SSH File Transfer Protocol
A network protocol that provides file transfer and manipulation functionality over any reliable data stream
It is typically used with the SSH-2 protocol (TCP port 22) to provide secure file transfer
Intended to be usable with other protocols as well
Capabilities
The SFTP protocol allows for a range of operations on remote files
More like a remote file system protocol
SFTP client's extra capabilities compared to SCP client's include: resuming interrupted transfers, directory listings, remote file removal
For the same reason it is reasonable to implement a GUI SFTP client, but not a GUI SCP client
Capabilities
SFTP attempts to be more platform-independent than SCP
With SCP, the expansion of wildcards specified by the client was up to the server
SFTP's design avoids this problem
While SCP was most frequently implemented on Unix platforms, there exist SFTP servers for most platforms
A common misconception is that SFTP is simply FTP run over SSH
In fact it is a new protocol designed from the ground up by the IETF SECSH working group
It is sometimes confused with Simple File Transfer Protocol
Capabilities
The protocol itself does not provide authentication and security
Expects the underlying protocol to secure it
SFTP is most often used as a subsystem of SSH protocol version 2 implementations
Designed by the same working group
However, it is possible to run it over SSH-1 or other data streams
Running an SFTP server over SSH-1 is not platform independent as SSH-1 does not support the concept of subsystems
An SFTP client willing to connect to an SSH-1 server needs to know the path to the SFTP server binary on the server side
Capabilities
Secure Internet Live Conferencing (SILC) protocol defines SFTP as its default file transfer protocol
In SILC the SFTP data is not protected with SSH but with SILC's secure packet protocol
Used to encapsulate the SFTP data into SILC packets and deliver them peer-to-peer
SFTP is designed to be protocol independent
For uploads, transferred files may be associated with their basic attributes, such as timestamps
An advantage over the common FTP protocol, which does not have provision for uploads to include the original date/timestamp attribute
Standardization
The protocol is not yet an Internet standard
The latest specification is an expired Internet Draft, which defines version 6 of the protocol
Currently the most widely used version is 3, implemented by the popular OpenSSH SFTP server
Many Microsoft Windows-based SFTP implementations use version 4 of the protocol, which lessened its ties with the Unix platform
The Internet Engineering Task Force (IETF) "Secsh Status Pages" search tool contains links to all versions of the Internet draft-ietf-secsh-filexfer which describes this protocol
SFTP client
The term SFTP can also refer to the Secure file transfer program
A command-line program implementing the client part of this protocol, such as that supplied with OpenSSH
sftp program provides an interactive interface similar to that of traditional FTP clients
Some implementations of the scp program actually use the SFTP protocol to perform file transfers
Some such implementations are still able to fall back to the SCP protocol if the server does not provide SFTP service
Question: in which case would it be desirable to use rcp instead of scp?
1. Too difficult to enter a password
2. Transferring a large public domain file
3. Copying sensitive files in a local network
4. It is never acceptable to use an insecure protocol
[Poll result chart: responses of 1%, 3%, 5% and 91% across the four options]
Summary
Use secure methods when possible