ssh – The Secure Shell
David Morgan
© David Morgan 2003

A client-server pair of programs
- ssh - client
  - /usr/bin/ssh (configurable)
- sshd - server
  - /usr/sbin/sshd
  - assigned port number 22
- Originated by Tatu Ylonen as a secure drop-in replacement for rsh/rlogin/rcp

Secure Shell's Functions
- Explicit functionalities
  - Remote login tool
  - Remote command executor
- Implicit activities
  - Authentication
  - Encryption

ssh stated mission
"ssh is a program for logging into a remote machine and for executing commands in a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure channel."
ssh man page – first sentence

ssh syntax
- Logging in
  ssh -l remote-user-name remote-machine-id
  e.g., ssh -l root 193.6.37.12
- Executing a command
  ssh -l remote-user-name remote-machine-id command
  e.g., ssh -l root 193.6.37.12 cat /etc/passwd

ssh dynamic encryption
- all session/command traffic passes through ssh/sshd (sshd runs on port 22)
- encrypted going out / decrypted coming in
- for duration of session/command

ssh – why secure?
- uses RSA (public-key) authentication
- then strong-key symmetrical encryption

Cryptographic processing
- Encryption: plaintext -> cipher -> cryptogram
- Decryption: cryptogram -> reverse cipher -> plaintext

Key cipher - encryption
plaintext MONEY, key = "sky" (letters numbered A=1 ... Z=26; the key repeats over the plaintext; subtract 26 when the sum exceeds 26)
  M(13) + S(19) = 32, -26 = 6  -> F
  O(15) + K(11) = 26           -> Z
  N(14) + Y(25) = 39, -26 = 13 -> M
  E(5)  + S(19) = 24           -> X
  Y(25) + K(11) = 36, -26 = 10 -> J
ciphertext FZMXJ

Key cipher - decryption
ciphertext FZMXJ, key = "sky" (subtract the key value; add 26 when the result goes below 1)
  F(6)  - S(19) = -13, +26 = 13 -> M
  Z(26) - K(11) = 15            -> O
  M(13) - Y(25) = -12, +26 = 14 -> N
  X(24) - S(19) = 5             -> E
  J(10) - K(11) = -1, +26 = 25  -> Y
plaintext MONEY

Ciphertext is key-dependent
plaintext MONEY, key = "my"
  M(13) + M(13) = 26           -> Z
  O(15) + Y(25) = 40, -26 = 14 -> N
  N(14) + M(13) = 27, -26 = 13 -> M
  E(5)  + Y(25) = 30, -26 = 4  -> D
  Y(25) + M(13) = 38, -26 = 12 -> L
ciphertext ZNMDL – not FZMXJ

Cryptography systems: issues
- Number of keys?
- Locus of decrypt key origination?
- Locus of decrypt key utilization?
- Does decrypt key have to travel?
- Is there in-transit interception risk?

Secret (single)-key Cryptography
- One key - same key encrypts and decrypts
- Decrypt key origination: encryptor's place
- Decrypt key utilization: decryptor's place
- Different places -> decrypt key must travel

Public (dual)-key Cryptography
- Two keys - one encrypts, other decrypts (keys are mathematically paired)
- Decrypt key origination: decryptor's place
- Decrypt key utilization: decryptor's place
- Same place -> decrypt key never travels

Decrypt key interception risk
- Secret-key: nonzero
- Public-key: zero

ssh implementation
- ssh-keygen utility (local) generates:
  - private/decrypt key in /home/<localuser>/.ssh/id_dsa
  - public/encrypt/ascii key in /home/<localuser>/.ssh/id_dsa.pub
- Local user effects key transfer: copy the ascii public key /home/<localuser>/.ssh/id_dsa.pub into /home/<remoteuser>/.ssh/authorized_keys2 on the remote machine

ssh implementation
When local machine issues:
  ssh -l remote-user-name remote-machine-id
- Local machine (ssh) sends local user's public key to remote machine (sshd)
- Remote machine authenticates if
  1) that key appears in remote-user-name's authorized_keys file, and if so
  2) local machine can decrypt random text encrypted with it by remote machine as a challenge

Configuration files
- ssh - /etc/ssh/ssh_config
  - Cipher selection
  - Compression level
  - Port forwardings
- sshd - /etc/ssh/sshd_config
  - authentication options: key-based, password, both
  - Logging options

ssh feature: port forwarding
(diagram: ssh client, ssh server, and an http (web) server at 192.168.1.111:80 on the private network 192.168.1.0; other addresses shown: 192.168.1.1, 206.170.218.30, 64.54.209.204)
ssh port forwarding: correspond some port on the client (e.g., 3000) to some port (e.g., 80) on a machine reachable thru the server.
Example: http://127.0.0.1:3000 in client's browser gets served from 192.168.1.111
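The key cipher from the slides, implemented as an added example (this is my code, not the deck's): it follows the slide tables' convention exactly (A=1 ... Z=26, add the key letter, subtract 26 when the sum exceeds 26; reverse on decryption) and reproduces the FZMXJ result for key "sky". Run with key "my" it returns ZNADL: the third column is 14+13 = 27 and 27-26 = 1, which is A. The function and variable names are my own.

```python
# Added example, not code from the slides: the deck's letter-number key cipher.
# Convention taken from the slide tables: A=1 ... Z=26, add the key letter's
# value, and subtract 26 only when the sum exceeds 26 (so a sum of 26 stays Z).
# Decryption subtracts the key letter and adds 26 when the result drops below 1.

import string

ALPHABET = string.ascii_uppercase


def letter_value(ch: str) -> int:
    """Map A..Z to 1..26 as the slides do."""
    if ch not in ALPHABET:
        raise ValueError(f"only letters A-Z are supported, got {ch!r}")
    return ALPHABET.index(ch) + 1


def value_letter(v: int) -> str:
    """Inverse of letter_value for v in 1..26."""
    if not 1 <= v <= 26:
        raise ValueError(f"value out of range: {v}")
    return ALPHABET[v - 1]


def encrypt(plaintext: str, key: str) -> str:
    """Repeat the key over the plaintext and add letter values column by column."""
    plaintext, key = plaintext.upper(), key.upper()
    out = []
    for i, ch in enumerate(plaintext):
        k = key[i % len(key)]            # key letter for this position
        total = letter_value(ch) + letter_value(k)
        if total > 26:
            total -= 26                  # the slide's "-26" step
        out.append(value_letter(total))
    return "".join(out)


def decrypt(ciphertext: str, key: str) -> str:
    """Reverse cipher: subtract the key letter, adding 26 when the result drops below 1."""
    ciphertext, key = ciphertext.upper(), key.upper()
    out = []
    for i, ch in enumerate(ciphertext):
        k = key[i % len(key)]
        diff = letter_value(ch) - letter_value(k)
        if diff < 1:
            diff += 26                   # the slide's "+26" step
        out.append(value_letter(diff))
    return "".join(out)


def worked_table(plaintext: str, key: str) -> list:
    """One line per column, in the layout of the slide tables."""
    plaintext, key = plaintext.upper(), key.upper()
    rows = []
    for i, ch in enumerate(plaintext):
        k = key[i % len(key)]
        p, kv = letter_value(ch), letter_value(k)
        total = p + kv
        step = f"{ch}({p}) + {k}({kv}) = {total}"
        if total > 26:
            total -= 26
            step += f", -26 = {total}"
        rows.append(f"{step} -> {value_letter(total)}")
    return rows


if __name__ == "__main__":
    for key in ("sky", "my"):
        print(f'key = "{key}"')
        for row in worked_table("MONEY", key):
            print("  " + row)
        c = encrypt("MONEY", key)
        print(f"  ciphertext {c}, decrypts to {decrypt(c, key)}")
```

The same plaintext under two keys gives two unrelated ciphertexts, which is the slide's point; the cipher itself is only a teaching device and offers no real secrecy, since the key is tiny and reused.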
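The two-step authentication on the "ssh implementation" slide (key listed in authorized_keys, then decrypt a random challenge) as an added example in Python; this is my model, not code from the slides or from OpenSSH. It uses textbook RSA with two small constructed primes so it runs without any library, where real ssh uses keys of thousands of bits (the slides use DSA). The names sshd_authenticate, Client, the sample user and the in-memory authorized_keys table are all my own assumptions.

```python
# Added example, not from the slides or OpenSSH: a toy model of ssh's public-key
# challenge-response. Toy RSA with tiny primes stands in for the real key type.

import secrets


def make_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA keypair from two primes (constructed, tiny values).
    Returns (public, private), each as an (exponent, modulus) tuple."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # modular inverse of e, Python 3.8+
    return (e, n), (d, n)


def rsa_apply(x: int, key) -> int:
    """Encrypt with a public key or decrypt with a private key: x^exp mod n."""
    exp, n = key
    return pow(x, exp, n)


class Client:
    """The ssh side. Holds the private (decrypt) key, which never leaves here,
    matching the slide: decrypt key originates and is used at the decryptor's place."""

    def __init__(self, public, private):
        self.public = public         # this is what gets copied to authorized_keys
        self._private = private      # never sent anywhere

    def answer(self, encrypted_challenge: int) -> int:
        return rsa_apply(encrypted_challenge, self._private)


def sshd_authenticate(authorized_keys: dict, remote_user: str, presented_pub,
                      answer_fn, challenge: int = None) -> bool:
    """The sshd side, as on the slide:
    1) the presented key must appear in remote_user's authorized_keys entry;
    2) the client must decrypt random text encrypted with that key.
    'challenge' may be fixed for tests; normally it is drawn at random."""
    if presented_pub not in authorized_keys.get(remote_user, []):
        return False                 # step 1 failed: unknown key for this user
    _, n = presented_pub
    if challenge is None:
        challenge = secrets.randbelow(n - 2) + 2   # random value in [2, n-1]
    encrypted = rsa_apply(challenge, presented_pub)
    return answer_fn(encrypted) == challenge       # step 2: did they decrypt it?


def impostor_answer(encrypted_challenge: int) -> int:
    """Someone holding only the public key cannot decrypt; echoing the
    ciphertext is as good as any guess."""
    return encrypted_challenge


def demo() -> tuple:
    """Returns (genuine_ok, unknown_user_ok, impostor_ok) for the sample setup."""
    alice = Client(*make_keypair(61, 53))          # constructed primes
    # constructed authorized_keys2 contents for user 'remoteuser'
    authorized = {"remoteuser": [alice.public]}
    genuine = sshd_authenticate(authorized, "remoteuser", alice.public, alice.answer)
    unknown = sshd_authenticate(authorized, "otheruser", alice.public, alice.answer)
    impostor = sshd_authenticate(authorized, "remoteuser", alice.public, impostor_answer)
    return genuine, unknown, impostor


if __name__ == "__main__":
    print("genuine, unknown user, impostor with public key only:", demo())
```

The structure makes the slide's "interception risk: zero" concrete: the only thing that crosses the network is the public key and the encrypted challenge, and possession of the public key alone does not let the impostor pass step 2.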
puTTY
(three slides of puTTY screenshots)

Don't leave back door ajar!
"System security is not improved unless rshd, rlogind, rexecd, and rexd are disabled (thus completely disabling rlogin and rsh into that machine)."
sshd man page

Getting ssh
- commercial
  - http://www.ssh.com/
  - http://www.f-secure.com/
- free
  - http://www.openssh.com/ (ssl is prerequisite: http://www.openssl.org/)
- ftp site – encryption download
  - http://www.zedz.net/

Free windows clients
- puTTY
  http://www.chiark.greenend.org.uk/~sgtatham/putty/
- cygwin under Windows / openSSH under cygwin
  http://www.cygwin.com/

api for OS services, e.g. fopen( )
(diagram: on a Linux computer a lin app in userspace calls fopen( ), which the OS/kernel services; on a Windows computer a win app calls fopen( ) the same way)

api mapping by cygwin
(diagram: on a Windows computer a win app calls fopen( ) directly; a lin app's fopen( ) goes to cygwin's fopen( ), which maps it onto the Windows fopen( ))
- cygwin is general: any lin app that's been adapted can run
- openSSH has been adapted
- openSSH can run under Windows

ssh information
- ssh FAQ
  http://www.ssh.org/
- "Getting Started with ssh"
  http://kimmo.suominen.com/ssh/
- ssh resource page
  http://www.csri.utoronto.ca/~djast/ssh.html

Please don't tell…
… it's a