OpenSSH (SSH - Secure SHell)

Silvio C. Sampaio ([email protected])

Doctoral Programme in Informatics Engineering
PRODEI011 - Computer Systems Security – 2009/10

Outline

• Overview
• Protocol details
• Experiments
• References


Overview: What is OpenSSH?

• “OpenSSH is a FREE version of the SSH connectivity tools that technical users of the Internet rely on”. (SOURCE: http://www.openssh.com/)

• SSH is a set of standards and associated protocols to establish a secure channel between two computers.
  • Covers authentication, encryption, and data integrity.
  • Originally a replacement for insecure applications such as telnet and some of the “r-commands”.


Overview: History and Development

• In 1995, Tatu Ylönen, a researcher at Helsinki University of Technology, Finland, designed the first version of the protocol (now called SSH-1).

• "Secsh" was the official Internet Engineering Task Force (IETF) name for the working group responsible for version 2 of the SSH protocol. In 1996, a revised version of the protocol, SSH-2, was adopted as a standard. This version is incompatible with SSH-1.

• A complete description of the history and development of SSH can be found in [1].


Overview: SSH Features

• Secure Remote Logins
• Secure File Transfer and Backup
• Secure Remote Command Execution
• Keys and Agents
• Access Control
• Port Forwarding and Tunneling


Overview: Some SSH Implementations

Source: Daniel J. Barrett, Richard E. Silverman, and Robert G. Byrnes – SSH: The Secure Shell (The Definitive Guide), O'Reilly 2005 (2nd edition).


Protocol details: Introduction

• The SSH protocol ensures that all communication over the network is secure through the following safeguards:
  • Encryption of data during transmission, to protect privacy
  • Prevention of data corruption, whether deliberate or otherwise, through integrity checking
  • Authentication of users and hosts, to prevent unauthorized logins/connections
  • Authorization, i.e. controlling access and privileges
  • Protection of other TCP/IP sessions through tunneling or forwarding


Protocol details: Authentication Methods

• Different methods can be used to authenticate users and servers in SSH Secure Shell. These authentication methods can be combined or used separately, depending on the level of functionality and security you want.

• Methods:
  • For server authentication:
    • Public-Key Authentication
    • Certificate Authentication
  • For user authentication:
    • Password Authentication
    • Public-Key Authentication
    • Host-Based Authentication
    • Certificate Authentication
    • Kerberos Authentication
    • Pluggable Authentication Module (PAM)
    • SecurID


Protocol details: Architecture

• The architecture of a general SSH system

Source: Daniel J. Barrett, Richard E. Silverman, and Robert G. Byrnes – SSH: The Secure Shell (The Definitive Guide), O'Reilly 2005 (2nd edition).


Protocol details: Architecture of SSH1

• The architecture of an SSH1 system

Source: Daniel J. Barrett, Richard E. Silverman, and Robert G. Byrnes – SSH: The Secure Shell (The Definitive Guide), O'Reilly 2005 (2nd edition).


Protocol details: Architecture of SSH2

• The architecture of an SSH2 system

Source: Daniel J. Barrett, Richard E. Silverman, and Robert G. Byrnes – SSH: The Secure Shell (The Definitive Guide), O'Reilly 2005 (2nd edition).


Protocol details: SSH1 x SSH2

• SSH1 is an older, slower protocol with significant security problems.

• SSH2 is the newest, most efficient protocol:
  • Resolves all known weaknesses in SSH1 security
  • IETF standard

• SSH1 “hardcodes” most of its cryptography.

• SSH2 negotiates cryptographic algorithms at runtime:
  • Makes it easier to use internationally

• A good summary of the differences between versions 1 and 2 of the SSH protocol can be found at: http://www.snailbook.com/faq/ssh-1-vs-2.auto.html


Protocol details: SSH1 x SSH2

• The major differences between SSH-1 and SSH-2 are, namely [1]:
  • Expanded algorithm negotiation between client and server
  • Multiple methods for key exchange
  • Certificates for public keys
  • More flexibility with authentication, including partial authentication
  • Stronger integrity checking through cryptography
  • Periodic replacement of the session key (“rekeying”)


Protocol details: Algorithms Used

SSH-1 Ciphers

                3DES   IDEA   RC4   DES   (Blowfish)
SSH1            x      x      o     o     x
OpenSSH         x      -      -     -     x

SSH-2 Ciphers

                3DES   Blowfish   Twofish   CAST-128   IDEA   RC4
SSH2            x      x          x         -          -      x
F-Secure SSH2   x      x          x         x          -      x
OpenSSH         x      x          -         x          -      x

Legend:
x : The implementation supports the algorithm and it is included in the default build.
o : The implementation supports the algorithm, but it isn't included in the default build (it must be specifically enabled when compiling).
- : The implementation doesn't support the algorithm.


Exp #1: Secure Remote Login (1)

• Remote login from the command line (using any ssh client):
  • ssh user@servidor
  • ssh -l user servidor

• At the first connection the client stores the server's host key:
  • client's known_hosts += server's ssh_host_rsa_key.pub
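The first-connection step above is a trust-on-first-use decision: the client keeps whatever host key it saw, so an administrator wants to confirm that the stored key really is the server's ssh_host_rsa_key.pub. The following Python script is an added example (not part of the slides): it compares a known_hosts entry against a server's public-key line by SHA256 fingerprint, the same value `ssh-keygen -lf` prints, and also understands the hashed host fields OpenSSH writes with HashKnownHosts. The host names, the RSA modulus and the known_hosts line are constructed sample data.

```python
# Added example (not from the slides): check the host key that a first ssh
# connection appended to the client's known_hosts against the server's own
# ssh_host_rsa_key.pub, by the SHA256 fingerprint `ssh-keygen -lf` prints.
# Handles plain, comma-separated and hashed (HashKnownHosts yes) host fields;
# [host]:port forms, wildcards and @cert-authority/@revoked markers are skipped.
import base64
import hashlib
import hmac

def make_pubkey_line(keytype: str, fields: list, comment: str = "") -> str:
    """Encode an OpenSSH public-key line: base64 of wire-format strings (4-byte length + bytes)."""
    blob = b"".join(len(f).to_bytes(4, "big") + f for f in [keytype.encode(), *fields])
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}".rstrip()

def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint as OpenSSH displays it: 'SHA256:' + unpadded base64."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def hashed_host_field(hostname: str, salt: bytes) -> str:
    """The |1|salt|mac host field written under HashKnownHosts (HMAC-SHA1 keyed with the salt)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def host_matches(field: str, hostname: str) -> bool:
    """True if a known_hosts host field (plain, comma list or hashed) names hostname."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        want = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, base64.b64decode(mac_b64))
    return hostname in field.split(",")

def known_hosts_status(known_hosts: str, hostname: str, server_pub: str) -> str:
    """'match': stored key equals the server's key; 'mismatch': a different key of the
    same type is stored (rekeyed host or man-in-the-middle, investigate before
    connecting); 'unknown': no entry for hostname."""
    want_type, want_fp = server_pub.split()[0], fingerprint(server_pub)
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue
        if host_matches(parts[0], hostname) and parts[1] == want_type:
            return "match" if fingerprint(" ".join(parts[1:3])) == want_fp else "mismatch"
    return "unknown"

# Constructed sample (not a real key): e = 65537 and a placeholder 2048-bit modulus,
# as the server's ssh_host_rsa_key.pub, plus the known_hosts line the client stored.
SERVER_PUB = make_pubkey_line("ssh-rsa", [b"\x01\x00\x01", b"\x5a" * 256], "root@servidor")
KNOWN_HOSTS = "servidor,192.0.2.10 " + " ".join(SERVER_PUB.split()[:2]) + "\n"
```

A "mismatch" result is the same condition that makes ssh print its host-key-changed warning; the entry should be compared with the fingerprint obtained from the server administrator before it is replaced.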


Exp #1: Secure Remote Login (2)

• X11 Forwarding
  • Linux/Unix client: automatic on
    • ssh -X user@servidor
  • Windows client:
    • An X server is needed (e.g. Xming)
    • Some applications (e.g. PuTTY) have specific configurations (but you can always use the command export DISPLAY=Client_IP)


Exp #2: Secure File Copy

• Secure copy
  • Copies files between host machines
  • Authenticates user and host
  • Encrypts copied data during transmission
  • If keys are set up correctly for the user, no password entry will be required for access to the remote machine.

• Ex:
  scp [[user@]host1:]file1 […] [[user@]host2:]file2
  scp [email protected]:/tmp/test.txt .
  scp -r ~/simulations/* [email protected]:/tmp/.


Exp #3: Secure Remote Command Execution

• Executes command(s) on a remote machine from a local machine
  • Authenticates user and host
  • Encrypts transmitted data between machines
  • If keys are set up correctly for the user, no password entry will be required for access to the remote machine.

• Ex:
  ssh [user@]machine command
  ssh [email protected] ls -la


Exp #4: Port Forwarding and Tunneling

• Experiment assumptions:
  • POP3 server: pop3.server.com, port 110
  • SMTP server: smtp.server.com, port 25
  • Your “username” on server.com: user

• ssh -L7110:pop3.servidor.com:110 -L7025:smtp.server.com:25 [email protected]
  Syntax: -L localport:server:remoteport

• In the webmail client:
  • Replace the POP3 server pop3.servidor.com by localhost and port 110 by 7110
  • Replace the SMTP server smtp.servidor.com by localhost and port 25 by 7025


Exp #5: Automatic Authentication

• Key creation:
  ssh-keygen -t rsa
  ssh-keygen -b 1024 -t rsa
  • Enter file in which to save the key (/home/ac/.ssh/id_rsa):
  • Enter passphrase (empty for no passphrase):
  • Enter same passphrase again:
  • Just to make sure!!!: chmod 0600 ~/.ssh/id_rsa

• Copying the key to remote servers:
  scp ~/.ssh/id_rsa.pub remote_user@remote_host:rsa.pub_imported
  ssh remote_user@remote_host 'cat rsa.pub_imported >> .ssh/authorized_keys'
  (the quotes make the append run on the remote host; without them the local shell would redirect the output into a local .ssh/authorized_keys)

• Testing: ssh remote_user@remote_host (and I hope it works!!!)


Exp #6: File Transfer

• SFTP
  SFTP stands for ‘Secure File Transfer Protocol’. It provides secure file transfer functionality over any reliable data stream. It uses SSH: the SFTP protocol runs over the secure channel and encrypts all traffic (including passwords). It provides a variety of authentication methods and can be automated with public/private key authentication.

• sftp [email protected]

• Once you are connected:
  sftp> lcd /files     [change local directory to /files]
  sftp> cd /tmp        [change remote directory to /tmp]
  sftp> get test.txt   [download /tmp/test.txt to /files/test.txt]
  sftp> ?              [view summary help]
  sftp> bye            [terminate connection]


References

1. Daniel J. Barrett, Richard E. Silverman, and Robert G. Byrnes – SSH: The Secure Shell (The Definitive Guide), O'Reilly 2005 (2nd edition).

2. http://www.snailbook.com/faq/ssh-1-vs-2.auto.html

3. http://en.wikipedia.org/wiki/Secure_Shell

4. http://www.openssh.org


Thank you!

Silvio C. Sampaio ([email protected])

Any Questions?