
Firewalls, Perimeter Protection, and VPNs - SANS ©2001

SSH Operation

The Swiss Army Knife of encryption tools…


SSH Features

• Command line terminal connection tool
• Replacement for rsh, rcp, telnet, and others
• All traffic encrypted
• Both ends authenticate themselves to the other end
• Ability to carry and encrypt non-terminal traffic


Brief History

• SSH.com’s SSH1, originally completely free with source code, then license changed with version 1.2.13

• SSH.com’s SSH2, originally only commercial, but now free for some uses.

• OpenSSH team took the last free SSH1 release, refixed bugs, added features, and added support for the SSH2 protocol.


Installation

• OpenSSH is included with a number of Linux distributions, and available for a large number of Unices

• On RPM-based Linuxes:
  – rpm -Uvh openssh*.rpm


Basic use

• ssh SshServerName
• ssh -l UserName SshServerName
• ssh SshServerName CommandToRun
• ssh -v SshServerName
• Server host key checks
• Uses same login password
• And if we need to encrypt other traffic?


Port Forwarding – real server on remote machine

• I want to listen on port 5110 on this machine; all packets arriving here get sent to mailserver, port 110:
  – ssh -L 5110:mailserver:110 mailserver


Port Forwarding – real server on this machine

• All web traffic to my firewall should be redirected to the web server running on port 8000 on my machine instead:
  – ssh -R 80:MyMachine:8000 firewall


X Windows forwarding

• No setup – already done!
• Run the X Windows application in the terminal window:
  – xclock &
  – The screen display shows up on your computer, and any keystrokes and mouse movements are sent back, all encrypted.


Securely copying files

• scp
• scp -p localfile remotemachine:/remotepath/file
• Prompts for authentication if needed
• All traffic encrypted
• Replaces ftp, rcp, file sharing


SSH key background

• Old way: password stored on server, user supplied password compared to stored version

• New way: private key kept on client, public key stored on server.


SSH key creation

• General command:
  – ssh-keygen -b 1024 -c "Comment" -f ~/.ssh/identity_file
• Different forms for each of the SSH flavors
• Assign a hard-to-guess passphrase to the private key during creation.
• Key can be used for multiple servers


SSH key installation

• 3 versions of ssh: interoperability is good, but poorly documented
• ssh-keyinstall utility automates the creation and installation
  – ssh-keyinstall -s SshServerName creates keys, if needed, and installs them on the remote server
  – Need password during key install only
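The server-side step that ssh-keyinstall automates, placing the public key in the remote account's authorized_keys so that the password is only needed during the install, as an added shell example (not the slides' or ssh-keyinstall's own code). The home directory and the key lines are constructed for the demo; the permissions it sets are the ones sshd checks before trusting the file.

```shell
#!/bin/sh
# Added example (not from the slides): the authorized_keys install step that
# ssh-keyinstall automates on the remote server, done idempotently and with
# the permissions sshd's StrictModes check requires.
set -eu

# install_pubkey HOMEDIR "PUBKEY LINE"
# Appends the key line to HOMEDIR/.ssh/authorized_keys exactly once.
install_pubkey() {
    dir="$1/.ssh"; file="$dir/authorized_keys"; key="$2"
    mkdir -p "$dir"; chmod 700 "$dir"     # sshd rejects group/world-writable dirs
    touch "$file"; chmod 600 "$file"
    # -F fixed string, -x whole line: a re-run with the same key adds nothing
    if ! grep -qFx -- "$key" "$file"; then
        printf '%s\n' "$key" >> "$file"
    fi
}

# count_keys HOMEDIR: number of key lines (blank and comment lines ignored)
count_keys() {
    grep -cvE '^[[:space:]]*(#|$)' "$1/.ssh/authorized_keys" || true
}

# perms_ok HOMEDIR: succeeds only if .ssh is mode 700 and the file is 600
perms_ok() {
    [ -n "$(find "$1/.ssh" -maxdepth 0 -perm 700)" ] &&
    [ -n "$(find "$1/.ssh/authorized_keys" -maxdepth 0 -perm 600)" ]
}

# Constructed demo: throwaway home directory and a placeholder key line (the
# blob is a label, not real key material).
DEMO_HOME=$(mktemp -d)
DEMO_KEY='ssh-rsa AAAAB3NzaC1yc2EDEMOPLACEHOLDERNOTAREALKEY= backup@client'
install_pubkey "$DEMO_HOME" "$DEMO_KEY"
install_pubkey "$DEMO_HOME" "$DEMO_KEY"   # second run: no duplicate line
```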


Using SSH keys

• ssh SshServerName
• ssh -l UserName SshServerName
• ssh SshServerName CommandToRun
• ssh -v SshServerName


ssh-agent

• Remembers your private key(s)
• Other applications can ask ssh-agent to authenticate you automatically.
• Unattended remote sessions.
• ssh-agent bash
• ssh-agent startx
• eval `ssh-agent`   # Less preferred
• ssh-add [KeyName]


Fanout

• Runs command on multiple machines by opening separate ssh session to each

• fanout "machine1 machine2 user@machine3" "command params"

• Gives organized output from each machine


File synchronization - Rsync

• Rsync copies a tree of files from a master out to a copy on another machine.

• Can use ssh as its transport.
• rsync -azv -e ssh /home/wstearns/webtree/ mirror.stearns.org:/home/web/


Rsync-backup

• Rsync-backup automates the process of backing up machines with rsync and ssh.

• Features:
  – Only changed data shipped
  – All permissions preserved
  – All communication encrypted
  – Unlimited snapshots
  – Use <= 2X-4X combined client capacity


Rsync-backup client install

• Install ssh, rsync, and rsync-backup-client rpms (see http://www.stearns.org)
• Install ssh-keyinstall on client to create a backup key with
  – ssh-keyinstall -s backupserver -u root -c /usr/sbin/rsync-backup-server


Rsync-backup server install

• Install ssh, freedups, rsync-static, and rsync-backup-server rpms

• Turn off password authentication in /etc/ssh/sshd_config
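A check for the "turn off password authentication" step above, as an added shell example (not part of the slides or the rsync-backup package): it reads the global section of an sshd_config and reports the effective PasswordAuthentication value, remembering that sshd takes the first value it sees for a keyword, not the last, so a "no" appended below an existing "yes" changes nothing. The two config files are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the slides): verify that an sshd_config really
# disables password authentication. sshd uses the FIRST value given for a
# keyword, ignores keyword case, accepts "Keyword=value", and treats lines
# starting with "#" as comments; Match blocks are skipped here because they
# apply only conditionally.
set -eu

# sshd_effective KEYWORD CONFIGFILE: print the effective global value, or
# nothing if the keyword is never set (the compiled-in default then applies)
sshd_effective() {
    awk -v opt="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }    # comment or blank line
        tolower($1) == "match"      { exit }    # end of the global section
        { gsub(/=/, " ") }                      # normalise "Keyword=value"
        tolower($1) == opt { print $2; exit }   # first occurrence wins
    ' "$2"
}

# password_auth_disabled CONFIGFILE: succeeds only if the effective value is
# "no"; an unset keyword means the default "yes", i.e. still enabled
password_auth_disabled() {
    v=$(sshd_effective PasswordAuthentication "$1")
    [ "$(printf '%s' "${v:-yes}" | tr 'A-Z' 'a-z')" = "no" ]
}

# Constructed sample 1: the "no" line was appended below an existing "yes",
# so password logins are still allowed.
DEMO_BAD=$(mktemp)
cat > "$DEMO_BAD" <<'EOF'
# constructed sshd_config
PasswordAuthentication yes
PasswordAuthentication no
EOF

# Constructed sample 2: the commented default does not count, and the
# active line (written in the "=" form) comes first.
DEMO_GOOD=$(mktemp)
cat > "$DEMO_GOOD" <<'EOF'
# constructed sshd_config
#PasswordAuthentication yes
PasswordAuthentication=no
PubkeyAuthentication yes
EOF
```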


Rsync-backup examples

• Examples of backup commands:
  – rsync-backup-client / root@backupserver:/
  – rsync-backup-client /usr /home/gbk root@backupserver:/


Links and references

• http://www.ssh.com
• http://www.openssh.org
• SSH, The Secure Shell, The Definitive Guide
• ssh-keyinstall, fanout, rsync-backup, freedups and other apps at http://www.stearns.org/


More links

• Docs at http://www.stearns.org/doc/

• http://www.employees.org/~satch/ssh/faq/ssh-faq.html

• http://rsync.samba.org
• William Stearns, wstearns@pobox.com
