Lecture 6
6 Security services
12 November 2009
12.11.2009 2
Motto
There are two types of encryption: one that will prevent your sister from reading your diary and one that will prevent your government.
Bruce Schneier
Bruce Schneier's secure handshake is so strong, you won't be able to exchange keys with anyone else for days. (Bruce Schneier Facts)
Contents
● The SSH service
● SSH features; forms of authentication
● Firewalls in Linux: iptables
● GPG
● openssl
Remote connection
● telnet (cleartext: credentials and the whole session are visible on the wire)
● rsh, rlogin (cleartext, host-based trust)
● SSH
● VNC
● FreeNX
● RDP
SSH
● What is SSH?
– a protocol for communication between two network devices over a secure channel
● SSH-2: standardised in 2006 (RFC 4250-4254), implemented since 2000
– SSH-1: "inherent design flaws" (MitM attacks); do not enable it
● Client-server
– TCP, port 22
● OpenSSH
– "single most popular implementation of SSH-2"
– "This is a software monopoly but at least it was written by people who care about security, so it's not like Microsoft's monopoly." (Theo de Raadt)
– the OpenBSD team
– 5.3 (1 October 2009)
● On Debian-based systems: the openssh-client and openssh-server packages
OpenSSH commands/components
● ssh
– the SSH client
● scp, sftp
– file copying
● sshd
– the SSH server
● ssh-keygen
– generation of public/private key pairs for authentication
● ssh-agent, ssh-add
– keeping decrypted private keys in memory, so the passphrase is typed once
Features offered by SSH/OpenSSH
● Remote login over a secure channel
● Remote file copying
● Public-key authentication
● X Forwarding
● Tunnelling, reverse tunnelling
● SOCKS proxy
Remote login
● ssh anaconda.cs.pub.ro
– the current local user name is used as the login name
● ssh razvan@anaconda.cs.pub.ro
● ssh -l razvan anaconda.cs.pub.ro
● ssh -l razvan anaconda.cs.pub.ro -p 2222
● ssh -l razvan anaconda.cs.pub.ro -p 2222 "/sbin/ifconfig eth0"
– with a command as the last argument, ssh runs it on the remote host and exits; the command's exit status becomes ssh's exit status
Remote copy (to/from)
● scp my_file.txt razvan@anaconda.cs.pub.ro:
– upload
– -l no longer works :-( (use user@host)
– do not forget the colon (:) at the end
● scp my_file.txt razvan@anaconda.cs.pub.ro:/tmp/rd/
● scp my_file.txt razvan@anaconda.cs.pub.ro:code/channel/
● scp razvan@anaconda.cs.pub.ro:code/test.c .
– download
– the destination is the current directory (the dot, ".", at the end)
● scp -r razvan@anaconda.cs.pub.ro:code/ local-copy
● scp -P 2222 -r razvan@anaconda.cs.pub.ro:code/ /tmp/rd/
– the port must be given before the source, and it is a capital -P (lowercase -p preserves file times)
● scp -r razvan@swarm.cs.pub.ro:local-swarm/ razvan@anaconda.cs.pub.ro:local-anaconda
– does it work?
● it depends :-) Without -3 the data goes directly from swarm to anaconda, so swarm must be able to authenticate to anaconda (a password prompt there, or a forwarded agent); with -3 the copy is relayed through the local machine
Public-key authentication
● Why?
– safer: no password to remember, and none to type over the wire
● the private key can be protected with a passphrase
– one key to rule them all (access to all accounts)
– automation
● it also works without keys, using expect (but it is harder :-) and we are lazy)
● Who authenticates to whom?
– the server to the client (always)
● ~/.ssh/known_hosts on the client
● /etc/ssh/ssh_host_*_key{,.pub} on the server
● on the first connection the host key is unknown: verify the fingerprint out of band before accepting it (trust on first use), and treat a later "host key has changed" warning as a possible MitM, not as noise
– the client to the server
● the usual situation meant when talking about public-key authentication
● RSA, DSA (DSA is disabled by default since OpenSSH 7.0; today prefer Ed25519, or RSA of at least 2048 bits)
● The actual communication is encrypted with a symmetric key
– faster; the host key only signs the key exchange and the user key only signs the authentication challenge
Generating a key pair
● ssh-keygen
– interactive by default
● ssh-keygen -t rsa
– asks for the private key file name (default ~/.ssh/id_rsa)
● the public key gets the .pub extension
– asks for a passphrase
● ssh-keygen -t rsa -f /tmp/my_key
– asks for a passphrase
● ssh-keygen -t rsa -f /tmp/my_key -N ""
– no passphrase (only acceptable for automation; restrict what the key may do on the server side instead)
● ssh-keygen -t rsa -f /tmp/my_key -N "s@|dh43)k2D-#A"
– a passphrase on the command line ends up in the shell history and is visible in the process list while the command runs; prefer the interactive prompt
Copying a key to the server
● The public key must be added to the ~/.ssh/authorized_keys file of the remote user
● First choice: manually
– scp /tmp/my_key.pub razvan@anaconda.cs.pub.ro:
– ssh razvan@anaconda.cs.pub.ro "cat my_key.pub >> ~/.ssh/authorized_keys"
● assumes the ~/.ssh/ directory already exists (and that neither it nor authorized_keys is group- or world-writable, otherwise sshd ignores the file under the default StrictModes yes)
● Second choice: automatically
– ssh-copy-id -i /tmp/my_key razvan@anaconda.cs.pub.ro
● creates the directory with the right permissions, etc.
● needs access to the private key
● Third choice: my way
– cat id_rsa.pub | ssh -l root koala.cs.pub.ro "cat - >> ~user/.ssh/authorized_keys"
● the ~/.ssh/ directory must already exist (and the file must stay owned by the user)
● useful for administrators: you want to add someone's public key to an account
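The "my way" variant above leaves the directory creation, the permissions and duplicate keys to chance. The following script is an added example, not code from the slides: it installs a public key the way an administrator would want it done, creating ~/.ssh with the modes sshd's StrictModes check expects, keeping the user as owner, refusing anything that is not a single OpenSSH public-key line, and never appending the same key twice. The host, user and file names in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not part of the slides): install a public key into a user's
# authorized_keys safely. Meant to run as root on the target host, e.g.:
#   scp install_key.sh id_rsa.pub root@koala.cs.pub.ro:/tmp/
#   ssh root@koala.cs.pub.ro 'sh /tmp/install_key.sh user /tmp/id_rsa.pub'
# (host, user and file names are assumptions for the example)

# install_authorized_key HOME_DIR OWNER PUBKEY_FILE
#   0: the key is in HOME_DIR/.ssh/authorized_keys (added now or already there)
#   1: PUBKEY_FILE is not a single public-key line; nothing is changed
install_authorized_key() {
    home="$1"; owner="$2"; pub="$3"
    sshdir="$home/.ssh"
    auth="$sshdir/authorized_keys"

    # exactly one non-empty line of the form "<type> <base64 blob> [comment]"
    if [ "$(grep -c . "$pub")" -ne 1 ] ||
       ! grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)' "$pub"
    then
        echo "install_authorized_key: $pub is not a single public key line" >&2
        return 1
    fi

    # sshd (StrictModes yes) ignores authorized_keys when the directory or the
    # file is group/world-writable or owned by someone else
    mkdir -p -m 700 "$sshdir"
    [ -e "$auth" ] || : > "$auth"
    chmod 700 "$sshdir"
    chmod 600 "$auth"
    chown "$owner" "$sshdir" "$auth" 2>/dev/null || true   # no-op when not root

    # compare type+blob only, so the same key with another comment is a duplicate
    blob=$(awk '{ print $1 " " $2 }' "$pub")
    if awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$auth"; then
        return 0
    fi
    cat "$pub" >> "$auth"
}

# count_keys HOME_DIR: number of key lines in HOME_DIR/.ssh/authorized_keys
count_keys() {
    if [ -r "$1/.ssh/authorized_keys" ]; then
        grep -c . "$1/.ssh/authorized_keys" || true
    else
        echo 0
    fi
}

# command-line use: install_key.sh USER PUBKEY_FILE (no arguments: only define the functions)
if [ $# -eq 2 ]; then
    install_authorized_key "$(getent passwd "$1" | cut -d: -f6)" "$1" "$2"
fi
```

Running it twice with the same key leaves one line in the file, and a file that is not a key line is rejected before anything is touched.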
Connecting/copying with public keys
● Same as before
● You need access to the private key
● What if you use several private keys?
– the private key is also called the identity file
– ssh -i /tmp/my_key -l razvan anaconda.cs.pub.ro
– scp -i /tmp/my_key ....
– with many keys, add IdentitiesOnly yes to the host's entry in ~/.ssh/config; otherwise ssh offers every key it knows and can exceed the server's MaxAuthTries ("Too many authentication failures")
ssh-agent
● Authentication agent
● Holds private keys (identities) in memory
– the passphrase is typed only once
● Runs as a daemon
● Interaction through the ssh-add command
● Started together with the graphical desktop
● For the command line
– ssh-agent bash (starts a new shell with the agent's environment variables set)
– eval $(ssh-agent) (in the current shell)
ssh-agent (2)
● ssh-add
– adds the default private keys (~/.ssh/id_rsa, ~/.ssh/id_dsa)
– asks for the passphrase if there is one
● ssh-add /tmp/my_key
● ssh-add -l, ssh-add -L (list the fingerprints / the public keys of the loaded identities)
● ssh-add -d /tmp/my_key (remove one identity)
● ssh-add -D (remove all identities)
● Advantages
– no more passphrase prompts
– no need to name the private key when there are several
– agent forwarding (ssh -A) for scp razvan@swarm.cs.pub.ro: razvan@anaconda.cs.pub.ro:
● while you are connected, anyone with root on the intermediate host can use the forwarded agent to authenticate as you; use -A only towards hosts you trust, or prefer ProxyJump (ssh -J) for hopping through a host
Tunnelling and reverse tunnelling
● ssh -L 8080:anaconda.cs.pub.ro:80 -l razvan anaconda.cs.pub.ro
– connections to local port 8080 are carried securely to port 80 of anaconda.cs.pub.ro
● ssh -N -L 8080:swarm.cs.pub.ro:80 -l razvan anaconda.cs.pub.ro
– -N: no command is executed (forwarding only)
– the connection is secured up to anaconda.cs.pub.ro
– and unsecured between anaconda.cs.pub.ro and swarm.cs.pub.ro (the last hop is plain HTTP)
● ssh -N -R 2222:localhost:22 -l razvan anaconda.cs.pub.ro
– connections to port 2222 on anaconda.cs.pub.ro end up on port 22 of the local system
– for when we have no public IP address (we are behind NAT)
– by default the remote port is bound to loopback only (GatewayPorts no in sshd_config), so it is reachable from anaconda itself, not from the whole Internet
● ssh -N -R 8080:localhost:80 -l razvan anaconda.cs.pub.ro
– secure access from anaconda.cs.pub.ro to the web server on the local machine
SOCKS proxy
● ssh -D 8080 -l razvan anaconda.cs.pub.ro
● everything is proxied through anaconda.cs.pub.ro (no more limitations :-P)
– only applications configured to use the SOCKS proxy on localhost:8080 go through it, and DNS lookups stay local unless the application resolves names through the proxy (socks5h, "proxy DNS" settings)
X Forwarding
● The server must allow X Forwarding (X11Forwarding yes in sshd_config)
● ssh -X -l razvan anaconda.cs.pub.ro
– X applications started in the SSH session are displayed on the local system
– the remote side gets access to your X display; -X is meant to be untrusted forwarding (X security-extension restrictions apply), -Y gives the remote full access, and some distributions set ForwardX11Trusted yes in ssh_config, which makes -X behave like -Y
SSH server configuration
● /etc/ssh/sshd_config
● /etc/init.d/ssh start|stop|restart|reload
– run sshd -t first: a syntax error stops sshd from starting, and over SSH that means locking yourself out
● Port 22
● HostKey /etc/ssh/ssh_host_rsa_key
● SyslogFacility AUTH
● LogLevel INFO
– logging to /var/log/auth.log
● PubkeyAuthentication yes
● PasswordAuthentication no
– password authentication disabled (public keys only)
– also set ChallengeResponseAuthentication no (KbdInteractiveAuthentication no in newer versions); otherwise passwords are still accepted through PAM's keyboard-interactive method
● AllowUsers / DenyUsers
● PermitRootLogin
– no, or prohibit-password (key-only root)
● man sshd_config
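The settings above only take effect if sshd reads them the way you think it does: sshd uses the first occurrence of a keyword (a later duplicate is silently ignored), keywords are case-insensitive, both "Keyword value" and "Keyword=value" are accepted, and everything after the first Match line is conditional. The script below is an added example, not from the slides: it reads the effective global value of a keyword with those rules and flags the settings that let passwords back in. The sample configuration in the test is constructed. On a real host the authoritative check is sshd -T (prints the effective configuration) and sshd -t (syntax check before a restart).

```shell
#!/bin/sh
# Added example (not part of the slides): the effective value sshd will use
# for a keyword, and an audit of the password-related settings.
# Assumptions: a plain sshd_config file; Match blocks are not evaluated, the
# audit only looks at the global section (what "sshd -T" shows without -C).

# sshd_effective CONFIG_FILE KEYWORD [DEFAULT]: print the effective global value
sshd_effective() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="${3:-}" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank line
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            split(line, f, /[[:space:]=]+/)              # "Key value" or "Key=value"
        }
        tolower(f[1]) == "match" { exit }                # end of the global section
        tolower(f[1]) == kw && !found { print f[2]; found = 1; exit }   # first wins
        END { if (!found) print def }
    ' "$1"
}

# sshd_audit CONFIG_FILE: one line per weak setting; returns 1 if any was found
sshd_audit() {
    cfg="$1"; bad=0
    check() {   # check KEYWORD DEFAULT WANTED MESSAGE
        v=$(sshd_effective "$cfg" "$1" "$2")
        if [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" != "$3" ]; then
            echo "$1 is '$v': $4"
            bad=1
        fi
    }
    check PasswordAuthentication yes no "passwords are accepted; keys only is the goal"
    check PubkeyAuthentication yes yes "public-key login is switched off"
    check PermitEmptyPasswords no no "accounts without a password can log in"

    # PermitRootLogin: "no" or "prohibit-password" (key-only root) are both fine;
    # the default changed from yes to prohibit-password in OpenSSH 7.0, so
    # an unset value is itself a finding
    v=$(sshd_effective "$cfg" PermitRootLogin "")
    case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
        no|prohibit-password|without-password) ;;
        "") echo "PermitRootLogin is not set: set it explicitly"; bad=1 ;;
        *)  echo "PermitRootLogin is '$v': root can log in with a password"; bad=1 ;;
    esac

    # keyboard-interactive (PAM) still accepts passwords unless it is off too;
    # the keyword was renamed in OpenSSH 8.7, so honour either spelling
    old=$(sshd_effective "$cfg" ChallengeResponseAuthentication yes)
    v=$(sshd_effective "$cfg" KbdInteractiveAuthentication "$old")
    if [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" != no ]; then
        echo "KbdInteractiveAuthentication is '$v': PAM can still ask for a password"
        bad=1
    fi
    return $bad
}

# command-line use: sshd_audit.sh [CONFIG_FILE] (no arguments: only define the functions)
if [ $# -eq 1 ]; then
    sshd_audit "$1" && echo "$1: no weak settings found"
fi
```

A file that says PasswordAuthentication no on line 3 and PasswordAuthentication yes on line 10 is a keys-only server; the reverse order is not, which is exactly what the first-wins rule in sshd_effective reproduces.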
Useful tools
● corkscrew
– tunnelling SSH traffic through HTTP proxies
● dropbear
– SSH implementation for embedded systems
– no SSH-1, no scp
● SSHFS
– SSH filesystem, uses FUSE
● PuTTY, WinSCP
– SSH/SCP clients for Windows
● WebShell
– shell session over an HTTP connection (browser interface)
Firewalls
● Hardware
– high speed
– also provide encryption (VPN termination)
● Software
– lower speed
– flexible
– personal firewalls and firewalls built into the operating system
iptables
● Userspace interface for controlling the tables provided by the netfilter kernel framework
– filter
– nat
– mangle
● ip6tables for IPv6 (a separate rule set: rules written with iptables do not apply to IPv6 traffic)
● Works with tables
● Each table has chains
– predefined chains (INPUT, OUTPUT, FORWARD in filter; PREROUTING and POSTROUTING in nat and mangle)
– user-defined chains
– the previous generation of the tool was called ipchains
● Chains contain rules (filtering, address translation, mangling)
iptables syntax
● iptables <table> <command> <chain> <command options>
● The default table is filter (filtering, firewall)
● iptables -t filter -L
● iptables -t filter -L -n (-n: no DNS or port-name lookups, much faster)
● iptables -t nat -L OUTPUT -v
● iptables -t mangle -L OUTPUT -v -n --line-numbers
iptables commands
● flush rules
– iptables -t filter -F
– iptables -t nat -F PREROUTING
– careful: -F while the INPUT policy is already DROP cuts every remote session, including yours
● default policy
– can be set explicitly
– iptables -t filter -P INPUT DROP
● new chain (create, delete, rename)
– iptables -N mychain
– iptables -X (deletes every empty user-defined chain)
– iptables -X mychain
– iptables -E mychain mynewchain
iptables commands (2)
● Working with rules
● <command options> = <rule specification>
– a match part + an action part (-j action)
● Appending a rule
– iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
● Inserting a rule (here at position 2 in the chain)
– iptables -t filter -I INPUT 2 -s 10.38.1.2 -d 141.85.37.25 -p tcp --dport 80 ! --syn -j ACCEPT
● Deleting a rule (by number, or by repeating its exact specification; the chain is required in both forms)
– iptables -t nat -D PREROUTING 1
– iptables -t mangle -D OUTPUT -d 141.85.37.25 -p icmp -j TTL --ttl-set 8
● Replacing a rule
– iptables -t nat -R PREROUTING 1 -i eth1 -p tcp --dport 8080 -j DNAT --to-destination 10.38.5.6:80
Rule persistence
● Rules are entered on the command line
● No single tool for automating rule generation has become standard
● How are the rules kept across reboots?
# iptables-save > /etc/network/iptables.rules
# cat /etc/network/if-pre-up.d/iptables
#!/bin/bash
iptables-restore < /etc/network/iptables.rules
exit 0
– Debian's ifupdown runs if-pre-up.d scripts before the interface comes up, so there is no window with the interface up and no rules; the script must be executable (chmod 755)
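The persistence slide shows the mechanism, iptables-save and iptables-restore, but not why the restore form is preferable to replaying the individual commands from the previous slides. The script below is an added example, not from the slides: it writes a small stateful host firewall in iptables-save format and loads it atomically. Between "iptables -F" and the rule that accepts port 22 a host is either wide open (policy ACCEPT) or has just dropped your own SSH session (policy DROP); iptables-restore swaps the whole table in one step and, if the file does not parse, leaves the old rules in place. The admin subnet, the rate limits and the file path are assumptions.

```shell
#!/bin/sh
# Added example (not part of the slides): a stateful filter table for
# iptables-restore, generated as text so it can be inspected and tested before
# it is loaded. Assumptions: one admin network that may reach sshd, and the
# conntrack / recent / limit match modules (standard on any modern kernel).

# gen_rules ADMIN_CIDR: print a complete filter table in iptables-save format
gen_rules() {
    admin_net="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH - [0:0]
# loopback, and replies to connections this host started
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ping, rate-limited
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# new SSH connections go through their own chain
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH
# only the admin network reaches sshd, and at most 4 new connections per
# minute from one source (the 5th within 60 s is dropped: slows down guessing)
-A SSH ! -s $admin_net -j DROP
-A SSH -m recent --name sshbf --set
-A SSH -m recent --name sshbf --update --seconds 60 --hitcount 5 -j DROP
-A SSH -j ACCEPT
# log what falls through to the DROP policy; limited so the log cannot be flooded
-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "iptables drop: "
COMMIT
EOF
}

# rule_count RULES_FILE: number of rules (-A lines) in a saved rule set
rule_count() {
    grep -c '^-A ' "$1" || true
}

# apply_rules ADMIN_CIDR RULES_FILE: generate, dry-run, persist, load (root only).
# "iptables-restore --test" parses the file without touching the kernel, so a
# typo is caught before the live table is replaced.
apply_rules() {
    gen_rules "$1" > "$2.tmp"
    if ! iptables-restore --test < "$2.tmp"; then
        rm -f "$2.tmp"
        return 1
    fi
    mv "$2.tmp" "$2"                      # replaces the persisted file atomically
    iptables-restore < "$2"               # replaces the live table atomically
}

# command-line use: firewall.sh ADMIN_CIDR /etc/network/iptables.rules
# (no arguments: only define the functions)
if [ $# -eq 2 ]; then
    apply_rules "$1" "$2"
fi
```

Because the policy lines (":INPUT DROP") and the ACCEPT rules arrive together, there is no moment at which the host runs with the new policy and without the new rules. The same file is what the if-pre-up.d script above restores at boot.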
Front-ends for iptables
● Firewall Builder (http://www.fwbuilder.org/)
● Firestarter (http://www.fs-security.com/)
● IPTables Firewall (RedHat only) (http://www.iptablesfirewall.com/)
● Webmin module (http://www.webmin.com/)
GPG
● GNU Privacy Guard
● Suite of cryptographic software
● Free alternative to PGP (Pretty Good Privacy), implementing the OpenPGP format
● Signing messages
● Encrypting data
GPG operations
● Generating the key pair
– gpg --gen-key
● Listing keys
– gpg --list-keys
● Exporting a public key
– gpg --armor --export AEA0A627 >> rd_gpg.pub
– AEA0A627 is a short (32-bit) key ID; short IDs are cheap to collide, so refer to keys by their full fingerprint
● Importing a public key (on another system)
– gpg --import rd_gpg.pub
● Checking the fingerprint
– gpg --fingerprint
– compare it with the owner over a channel you trust (in person, by phone) before signing the key or encrypting to it: an imported key proves nothing by itself
GPG operations (2)
● Signing a key
– gpg --sign-key AEA0A627
● Encrypting a message
– gpg -r AEA0A627 --armor --output todo.enc --encrypt todo-2009-11-08.txt
● Decrypting a message
– gpg --decrypt todo.enc > out.txt
● Signing a file
– gpg --default-key 449BE5C2 --armor --sign todo-2009-11-08.txt (content and signature together in todo-2009-11-08.txt.asc)
– gpg --default-key 449BE5C2 --armor --detach-sign todo-2009-11-08.txt (signature only, in todo-2009-11-08.txt.asc next to the original)
● Verifying a file (is the signature valid?)
– gpg --verify todo-2009-11-08.txt.asc
– --default-key plays no role here: gpg uses the key named inside the signature. "Good signature" only means the signature matches some key in your keyring; check whose key it is and whether you trust it (the WARNING lines, or --status-fd output in scripts)
GPG front-ends
● Seahorse (GNOME)
● KGpg
● Front-ends for e-mail clients
● Mac GPG
openssl
● Cryptographic toolkit
● SSL/TLS
● OpenSSL crypto library
● openssl: the command-line utility
– generating public/private keys
– public-key operations
– working with X.509 certificates
openssl: working with certificates
● Creating a private key
– openssl genrsa -out www.gogu.com.key 2048
● the slide originally used 1024 bits; the CA/Browser Forum has required at least 2048-bit RSA since 2014, and 1024-bit keys are within reach of a well-funded attacker
● Creating a CSR (Certificate Signing Request)
– openssl req -new -key www.gogu.com.key -out www.gogu.com.csr
● Obtaining a self-signed certificate
– openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
● Signing a CSR (by a CA, Certification Authority)
– openssl x509 -req -days 365 -in www.gogu.com.csr -CA server.crt -CAkey server.key -set_serial 01 -out www.gogu.com.crt
● serial numbers must be unique per CA; -set_serial 01 on every certificate breaks that, -CAcreateserial keeps a counter file instead
● modern clients match the host name against the subjectAltName extension, not the CN, so the CA has to add one (-extfile) when signing
openssl: inspecting certificates
● openssl rsa -noout -text -in server.key
● openssl x509 -noout -text -in server.crt
● openssl rsa -noout -text -in www.gogu.com.key
● openssl req -noout -text -in www.gogu.com.csr
● openssl x509 -noout -text -in www.gogu.com.crt
● openssl verify -CAfile server.crt www.gogu.com.crt (does the certificate actually chain to the CA?)
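The two openssl slides above give the four commands but, run as shown, produce a certificate that current clients reject: a 1024-bit key, a "CA" certificate with no basicConstraints, a leaf without a subjectAltName, and a fixed serial. The script below is an added example, not from the slides: it performs the same workflow (key, CSR, CA, signed certificate, inspection) with those points corrected and ends with the check a TLS client performs, chain plus host name. The CA name, host name and directory are assumptions; the keys are throwaway test material.

```shell
#!/bin/sh
# Added example (not part of the slides): a private CA and a server certificate
# that verify the way a TLS client checks them. Assumes the openssl command
# line tool; the CA name, host name and output directory are placeholders.

# make_pki DIR HOST: creates ca.key, ca.crt, HOST.key, HOST.csr, HOST.crt in DIR
make_pki() {
    dir="$1"; host="$2"
    mkdir -p "$dir"

    # CA: self-signed, explicitly marked as a CA, key usable only for signing
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 365 \
        -config "$dir/ca.cnf" -out "$dir/ca.crt"

    # server: key and CSR (the CA decides the extensions, so the CSR needs none)
    cat > "$dir/$host.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
EOF
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$host.key" -config "$dir/$host.cnf" -out "$dir/$host.csr"

    # extensions the CA stamps on the leaf: not a CA, server use, and the SAN
    # that clients match the host name against (the CN is ignored for that)
    cat > "$dir/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # -CAcreateserial keeps ca.srl so every certificate gets a fresh serial
    openssl x509 -req -days 90 -sha256 -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
}

# verify_cert DIR HOST NAME: chain to ca.crt plus host-name match, as a TLS client does
verify_cert() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$1/$2.crt" >/dev/null 2>&1
}

# cert_sans DIR HOST: the subjectAltName of the leaf certificate, e.g. "DNS:www.gogu.com"
cert_sans() {
    openssl x509 -in "$1/$2.crt" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# command-line use: make_pki.sh DIR HOST (no arguments: only define the functions)
if [ $# -eq 2 ]; then
    make_pki "$1" "$2" && verify_cert "$1" "$2" "$2" && echo "$2: chain and host name OK"
fi
```

The same openssl x509 -noout -text inspection from the slide shows the difference: the CA certificate now carries "CA:TRUE", the leaf carries "DNS:www.gogu.com", and openssl verify with -verify_hostname fails for any other name even though the chain itself is fine.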
Keywords
● SSH
● OpenSSH
● ssh, scp
● public/private keys
● ssh-keygen
● ssh-agent, ssh-add
● ~/.ssh/known_hosts
● ~/.ssh/authorized_keys
● tunnelling, reverse tunnelling
● SOCKS proxy
● X Forwarding
● sshd
● /etc/ssh/sshd_config
● firewall
● iptables, netfilter
● table, chain, rule
● iptables-save, iptables-restore
● GPG, PGP
● gpg
● signing, encryption
● openssl
● CSR, certificate
● CA
Bibliography
● SSH, The Secure Shell: The Definitive Guide
● http://www.linuxjournal.com/article/4412 (101 Uses of OpenSSH)
● http://talks.rosedu.org/prezentari (SSH)
● http://www.netfilter.org/
● http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables
● http://www.shell-tips.com/sheets/linux_quickref.pdf
● http://www.tc.umn.edu/~brams006/selfsign.html
Questions
?