Post on 02-Feb-2016
Firewalls, Perimeter Protection, and VPNs - SANS ©20011
SSH Operation
The Swiss Army Knife of encryption tools…
SSH Features
Command line terminal connection tool
Replacement for rsh, rcp, telnet, and others
All traffic encrypted
Both ends authenticate themselves to the other end
Ability to carry and encrypt non-terminal traffic
Brief History
SSH.com's SSH1, originally completely free with source code, then license changed with version 1.2.13
SSH.com's SSH2, originally only commercial, but now free for some uses.
OpenSSH team took the last free SSH1 release, fixed bugs, added features, and added support for the SSH2 protocol.
Installation
OpenSSH is included with a number of Linux distributions, and available for a large number of Unices
On RPM-based Linuxes:
rpm -Uvh openssh*.rpm
Basic use
ssh SshServerName
ssh -l UserName SshServerName
ssh SshServerName CommandToRun
ssh -v SshServerName
Server Host Key checks
Uses same login password
And if we need to encrypt other traffic?
Port Forwarding - real server on remote machine
I want to listen on port 5110 on this machine; all packets arriving here get sent to mailserver, port 110:
ssh -L 5110:mailserver:110 mailserver
Port Forwarding - real server on this machine
All web traffic to my firewall should be redirected to the web server running on port 8000 on my machine instead:
ssh -R 80:MyMachine:8000 firewall
X Windows forwarding
No setup - already done!
Run the X Windows application in the terminal window:
xclock &
The screen display shows up on your computer, and any keystrokes and mouse movements are sent back, all encrypted.
Securely copying files
scp
scp -p localfile remotemachine:/remotepath/file
Prompts for authentication if needed
All traffic encrypted
Replaces ftp, rcp, file sharing
SSH key background
Old way: password stored on server, user supplied password compared to stored version
New way: private key kept on client, public key stored on server.
SSH key creation
General command:
ssh-keygen -b 1024 -C 'Comment' -f ~/.ssh/identity_file
Different forms for each of the SSH flavors
Assign a hard-to-guess passphrase to the private key during creation.
Key can be used for multiple servers
SSH key installation
3 versions of ssh: interoperability is good, but poorly documented
ssh-keyinstall utility automates the creation and installation
'ssh-keyinstall -s SshServerName' creates keys, if needed, and installs them on the remote server
Need password during key install only
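The ssh-keyinstall utility above is the author's own tool. As an added example, not from the slides, here is the server-side half of what it automates, done by hand in plain shell: append a public key line to ~/.ssh/authorized_keys exactly once and set the permissions sshd insists on. The key line and the home directory used are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the slides): manual server-side key installation.
# sshd runs with StrictModes on by default and ignores an authorized_keys
# file whose directory or file is group/world writable, so the permission
# steps matter as much as the append itself.

# install_pubkey PUBKEY_LINE [HOME_DIR]
# Appends PUBKEY_LINE to HOME_DIR/.ssh/authorized_keys exactly once and
# sets the modes sshd expects (700 on ~/.ssh, 600 on authorized_keys).
install_pubkey() {
    key="$1"
    home="${2:-$HOME}"
    sshdir="$home/.ssh"
    authkeys="$sshdir/authorized_keys"
    oldmask=$(umask)
    umask 077                        # anything created here is owner-only
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    [ -f "$authkeys" ] || : > "$authkeys"
    chmod 600 "$authkeys"
    # -F -x: literal, whole-line match, so rerunning never duplicates a key
    if ! grep -F -x -q -- "$key" "$authkeys"; then
        printf '%s\n' "$key" >> "$authkeys"
    fi
    umask "$oldmask"
}

# count_keys [HOME_DIR]: number of non-empty lines in authorized_keys
count_keys() {
    awk 'NF' "${1:-$HOME}/.ssh/authorized_keys" | wc -l | tr -d ' '
}

# Constructed, not a real key: a public-key line in the form ssh-keygen writes
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAAEXAMPLEKEYNOTREALEXAMPLEKEYNOTREAL user@client'
```

Running it twice with the same key leaves a single line in authorized_keys, which is what makes it safe to rerun from a script.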
Using SSH keys
ssh SshServerName
ssh -l UserName SshServerName
ssh SshServerName CommandToRun
ssh -v SshServerName
ssh-agent
Remembers your private key(s)
Other applications can ask ssh-agent to authenticate you automatically.
Unattended remote sessions.
ssh-agent bash
ssh-agent startx
eval `ssh-agent` # Less preferred
ssh-add [KeyName]
Fanout
Runs command on multiple machines by opening separate ssh session to each
fanout 'machine1 machine2 user@machine3' 'command params'
Gives organized output from each machine
Fanterm – live control of multiple machines
Fanterm provides interactive control of multiple remote systems.
Initial window receives keystrokes.
Keystrokes sent to each remote system.
Output from each system shows up in a separate terminal.
File synchronization - Rsync
Rsync copies a tree of files from a master out to a copy on another machine.
Can use ssh as its transport.
rsync -azv -e ssh /home/wstearns/webtree/ mirror.stearns.org:/home/web/
Rsync-backup
Rsync-backup automates the process of backing up machines with rsync and ssh.
Features:
Only changed data shipped
All permissions preserved
All communication encrypted
Unlimited snapshots
Use <= 2X-4X combined client capacity
Rsync-backup client install
Install ssh, rsync, and rsync-backup-client rpms (see http://www.stearns.org)
Install ssh-keyinstall on client to create a backup key with
ssh-keyinstall -s backupserver -u root -c /usr/sbin/rsync-backup-server
Rsync-backup server install
Install ssh, freedups, rsync-static, and rsync-backup-server rpms
Turn off password authentication in /etc/ssh/sshd_config
Rsync-backup examples
Examples of backup commands:
rsync-backup-client / root@backupserver:/
rsync-backup-client /usr /home/gbk root@backupserver:/
Links and references
http://www.ssh.com
http://www.openssh.org
SSH, The Secure Shell, The Definitive Guide
ssh-keyinstall, fanout, rsync-backup, freedups and other apps at http://www.stearns.org/
More links
Docs at http://www.stearns.org/doc/
http://www.employees.org/~satch/ssh/faq/ssh-faq.html
http://rsync.samba.org
William Stearns wstearns@pobox.com