% Nick Urbanik % Copyright 2000 under the conditions of the GNU Free Documentation License, % a copy of which is available at http://www.gnu.org/copyleft/fdl.html % Copy and modify freely as long as this paragraph remains intact. % Suggestions for improvement (and the improvements themselves!) welcome. \chapter{SSH --- The Secure Shell} \label{cha:secure-shell} {\mns \subsection{Objectives} \begin{itemize} \item After completing this section, you will be able to: \begin{itemize} \item Use secure shell as a replacement for {\cmdn telnet} \item Understand some of the dangers of {\cmdn telnet} \item Use {\cmdn scp} to copy files % \item Install and use {\cmdn sftp} as a secure replacement for % {\cmdn ftp} \item Understand how to create private and public keys for the secure shell using {\cmdn ssh-keygen} \item Understand how to configure the files {\fn $\sim$/.ssh/authorized\_keys}, {\fn $\sim$/.ssh/known\_hosts} with public keys \item Know how to configure {\pgn ssh-agent} and {\pgn ssh-add} to allow login without a password. \item Be able to configure some important options of the client and server, including X11 forwarding. \end{itemize} \end{itemize} \section{What is the Secure Shell?} \label{sec:what-is-ssh} \begin{itemize} \item Provides secure network access for system administrators, replacing obsolete protocols such as {\cmdn telnet} and many others \item Allows tunneling of other protocols (such as X) through the encrypted connection \item Allows secure, encrypted copying of data over the Internet with {\pgn scp} \item After it is set up, it is very easy to use \end{itemize} \section{But what's wrong with {\cmdn telnet}?} \label{sec:telnet-problems} \begin{itemize} \item We still use {\cmdn telnet} for some of our other classes. What could be wrong with it? \item The program {\cmdn hunt}, freely available from \url{http://lin.fsid.cvut.cz/~kra/}, lets you very easily: \begin{itemize} \item read passwords \item hijack telnet sessions \item monitor what the person is typing \end{itemize} \item Pavel Krauz wrote the program just to show how insecure {\cmdn telnet} is---try it out! \item Other tools can do this too (but just with less convenience) \item Spread the news! {\cmdn telnet} is dead! Demand the Secure Shell\@! Use the secure shell at your work; persuade people to stop using {\cmdn telnet}, except where passwords are not required, and the information is not useful (in which case, you should be doing something else!) \end{itemize} \section{OpenSSH and its history} \label{sec:openssh} \enlargethispage{\baselineskip} \begin{itemize} \item Originally, SSH was free, developed by Tatu Yl\"onen, \item later, increasingly restrictive licensing. \item Two versions of SSH: SSH1 and SSH2, available from Datafellows at a high price \item International group of programmers chose to develop a completely free SSH from Tatu's original SSH \begin{itemize} \item Development moving very rapidly \item well implemented \item used by many system administrators round the world \item Completely free (both in the sense of ``freedom'' and in the sense of ``free beer''), open protocol \item now IETF is standardising SSH \end{itemize} \item Provides a very nice blowfish logo, seen here burying the old insecure protocols: {\cmdn telnet}, {\cmdn rlogin}, {\cmdn rsh}. \end{itemize} \begin{center} \includegraphics[clip=true,width=0.65\columnwidth]{../images/shherrif} \end{center} % \begin{itemize} % \item Originally developed as free software. % \item Licences become more restrictive % \end{itemize} \section{Okay, I like the blowfish---what else does OpenSSH provide?} \label{sec:openssh-files} \begin{itemize} \item OpenSSH 2.3 is compatible with both SSH1 and SSH2, and interoperates with the commercial versions \item OpenSSH provides powerful encryption to the entire session \item OpenSSH 2.3 provides the following main programs: \begin{itemize} \item A server {\pgn sshd} which provides services for all the clients below, as well as {\pgn sftp}, an {\pgn ftp} replacement \item The clients {\pgn ssh}, {\pgn slogin}, {\pgn scp}: \begin{itemize} \item {\pgn ssh} is for executing programs on other remote computers \item {\pgn slogin} replaces {\pgn telnet} \item {\pgn scp} is a network copy program; works like {\pgn cp}, but over the network. \end{itemize} \item The utilities: \begin{itemize} \item {\pgn ssh-keygen} for generating the private and public keys used by SSH \item {\pgn ssh-agent} to conveniently hold the personal private key to allow you to login without typing passwords \item {\pgn ssh-add} for adding the personal private key to {\pgn ssh-agent} \end{itemize} \end{itemize} \end{itemize} \section{So okay, how do I use this Secure Shell?} \label{sec:how-use-slogin} \begin{itemize} \item To use it like {\cmdn telnet} is easy \item Just type {\cmdn slogin \usb computername} \item The first time you connect, you may receive a warning something like this: {\myfs \begin{verbatim} The authenticity of host 'nick' can't be established. RSA key fingerprint is 48:2a:cb:1f:ac:7d:21:89:39:de:47:20:cf:06:d3:44. Are you sure you want to continue connecting (yes/no)? \end{verbatim}} For now, enter {\uin yes}. The program will reply something like this: {\myss \begin{verbatim} Warning: Permanently added 'nick' (RSA) to the list of known hosts. \end{verbatim}} \item Enter your password when prompted \item You now have a high security, military-strength encrypted link to the other computer. \end{itemize} \section{Using {\cmdn scp} to copy files over the network} \label{sec:how-use-scp} \begin{itemize} \item Use like the {\cmdn cp} command \item Put the computer name and a colon in front of a remote file \item Put a username then {\cmdn @} in front of this if you want to connect as a different user from yourself \item Enough! Here is an example of copying a file from my computer to your home directory, as the user \texttt{emacs}: {\myss \begin{verbatim} $ scp emacs@nick:/usr/share/emacs/site-lisp/site-start.el ~ \end{verbatim}}%$ \item The most useful options to {\cmdn scp}: \begin{tabularx}{0.9\linewidth}[t]{@{}>{\ttfamily}cX@{}} \toprule% \textnormal{\emph{option}} & \emph{purpose}\\ \midrule% -p & preserve the permissions (and owner if you are root)\\ -r & recursively copy all the subdirectories and their contents\\ \bottomrule \end{tabularx} \end{itemize} % \section{Using {\cmdn sftp} to copy files over the network} % \label{sec:how-use-sftp} % \begin{itemize} % \item % \end{itemize} \section{SSH uses public and private keys} \label{sec:public-private-keys} \begin{itemize} \item The Secure Shell uses a public key and a private key for each computer (public key cryptography) \item Each user can also have their own private and public keys \item Public key cryptography allows a public key (a very long number) to be freely distributed and made public \item The private key \emph{must be kept secret}. Your personal private key is usually stored encrypted on the hard disk, protected by a long pass phrase \item The keys are used to: \begin{itemize} \item make sure the computer you are connecting to is really the one you want \item to establish secret \emph{session} keys used to encrypt all communication in the session, including any passwords \item To establish the identity of the person who has initiated the session (authentication) \end{itemize} \end{itemize} \section{Using {\cmdn ssh-keygen} to create a personal pair of private and public keys} \label{sec:ssh-keygen} \begin{itemize} \item When you installed Red Hat Linux, you installed the openssh RPM which generated the public and private \emph{host keys} automatically. \item You can create your own pair of keys: just type {\cmdn \$ ssh-keygen -d} accept the default file name, but when asked for a pass phrase, type a long sentence that you can easily remember, but which will be impossible for other people to guess. {\myfs \begin{verbatim} $ ssh-keygen -d Generating DSA parameter and key. Enter file in which to save the key (/home/nicku/.ssh/id_dsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/nicku/.ssh/id_dsa. Your public key has been saved in /home/nicku/.ssh/id_dsa.pub. The key fingerprint is: 13:6f:6b:1f:ac:6a:21:89:f0:de:47:20:d4:06:5c:2b nicku@nickpc.tycm.vtc.edu.hk \end{verbatim}}%$ \item This will generate the files $\sim${\fn /.ssh/id\_dsa.pub} and $\sim${\fn /.ssh/id\_dsa} \item The private key $\sim${\fn /.ssh/id\_dsa} \emph{must} have access permissions \emph{only} for you, the owner. \end{itemize} \section{The host keys in {\fn /etc/ssh/ssh\_known\_hosts2} and {\fn $\sim$/.ssh/known\_hosts2}} \label{sec:host-keys} \begin{itemize} \item An important step in using SSH is having the public host key of the computers you want to connect to. Unfortunately, the only really secure way is to copy it on a floppy disk from the remote machine, and take it to your own computer. \item Copy the file {\fn /etc/ssh/ssh\_host\_dsa\_key.pub} from the remote machine to a floppy. \item On the local machine, append the file \emph{as one line} to the file {\fn /etc/ssh/ssh\_known\_hosts2}, or to the file $\sim${\fn /.ssh/known\_hosts2}. \item An alternative is just to enter {\uin yes} when asked, as in section~\vref{sec:how-use-slogin}, but this is a serious security hazard, and cracking tools exist to easily hijack SSH sessions before the host key is transferred, \item There are tools to automate this insecure procedure (of building the {\fn /etc/ssh/ssh\_known\_hosts2} file). \end{itemize} \section{The file {\fn $\sim$/.ssh/authorized\_keys2}} \label{sec:authorized_keys} \begin{itemize} \item This file contains the personal public keys of user accounts that you trust (your own) to connect to your computer without a password. \item The file (and the directory that contains it) should have no access to any other than the user that owns it (you). \item To set it up on a remote computer: \begin{itemize} \item Copy your local personal public key to the remote computer (do not copy to $\sim${\fn /.ssh}, or you will overwrite your own local key!) Here put the host name of the remote computer instead of ``{\usb remote}.'' {\cmdn local \$ scp -p $\sim$/.ssh/id\_dsa.pub {\usb remote}:$\sim$} \item Log into the remote machine using {\pgn slogin}: {\cmdn local \$ slogin {\usb remote}} \item Append this to $\sim${\fn /.ssh/authorized\_keys2} on the remote machine, in the {\pgn slogin} session: {\myss {\cmdn\mbox{remote \$ cat $\sim$/id\_dsa.pub >> $\sim$/.ssh/authorized\_keys2}\\ remote \$ rm $\sim$/id\_dsa.pub\\ remote \$ exit}} \end{itemize} \item You now have installed your personal public key from your local computer account to the remote computer, allowing you to log in to the remote computer using public key cryptography instead of passwords. \end{itemize} \section{Setting up {\cmdn ssh-agent}: logging in without typing passwords} \label{sec:ssh-agent} \begin{itemize} \item Now you can use public key cryptography to login to the remote machine. But you need to type that long pass phrase each time! Oh, that's not convenient. \item So let's use the utilities {\pgn ssh-agent} and {\pgn ssh-add} to store the private key. Here's what we do: \begin{itemize} \item edit your login script $\sim${\fn /.bash\_profile} and add the line: {\cmdn eval `ssh-agent`} \emph{Note} that the quotes are backquotes, found under the {\kbk Esc} key. \item Edit the logout script $\sim${\fn /.bash\_logout} and add the two lines: {\cmdn ssh-agent -k\\ sudo -k} \item Log out of {\pgn X} and log back in again. \item Open a window, and type: {\cmdn ssh-add} then type your pass phrase when prompted. \end{itemize} \item Your secret key is now held decrypted by the agent, letting you conveniently log in. If you do this: {\cmdn local \$ slogin \uin remote} you will connect to the remote computer without having to type a password. And that's not all! \end{itemize} \section{Running X applications remotely} \label{sec:remote-X-with-ssh} \begin{itemize} \item You can run {\kwd X} applications remotely. \item Simply log into the remote machine using {\pgn slogin}, \item type the name of the graphical program, and it just works, as if it were running locally! \item The program executes on the remote computer, but the {\kwd X} protocol sends the graphics commands through the encrypted session, \item the application is displayed on your local machine, though the processing is done remotely. \item Great for running remote graphical system administration applications (remote administration) \end{itemize} \section{Configuring ssh} \label{sec:cinfiguring-ssh} \begin{itemize} \item The configuration file for the client is {\fn /etc/ssh/ssh\_config} \item The configuration file for the server is {\fn /etc/ssh/sshd\_config} \item An important configuration option in {\fn /etc/ssh/ssh\_config} is: {\cmdn ForwardX11 yes} \item An important configuration option in {\fn /etc/ssh/sshd\_config} is: {\cmdn X11Forwarding yes} \item These enable {\kwd X} to work over SSH as described in section~\ref{sec:remote-X-with-ssh} \end{itemize} \section{Using {\cmdn ssh} from Windows, with {\cmdn XWin32}: setting up} \label{sec:ttssh-setup} \begin{itemize} \item Install TeratermPro (freely available telnet client for Windows). Accept all defaults in the InstallShield program. \item unzip {\pgn TTSSH} into the TeraTerm installation directory. \begin{itemize} \item {\pgn TTSSH} is an SSH1 plugin for TeraTerm Pro, also free software. \item Note that {\pgn TTSSH} does not understand the SSH2 protocol. \end{itemize} \item start TTSSH, and from the \textsf{Setup} menu, select \textsf{SSH Forwarding}, and check \textsf{Display remote X applications on local X server} \item Select \textsf{Setup} $\rightarrow$ \textsf{Save Setup} and click on the \textsf{Save} button. \item Start \texttt{XWin32}. \item I configured {\pgn XWin32} to connect to \textsf{localhost}, use \textsf{XDMCP}, \texttt{query}, and set the window type to \texttt{multiple}. \end{itemize} \section{Using {\pgn ssh} from Windows, with {\pgn XWin32}} \label{sec:ttssh-using-it} \begin{itemize} \item Once it is set up, using it is simple: \item start up {\pgn TTSSH} to connect to a remote computer that has: \begin{itemize} \item X applications \item A secure shell server \end{itemize} such as one running Linux \item Type any graphical command; you will see the result appear in a window on your windows screen. \end{itemize} \section{What else can this do?} \label{sec:what-else-with-ssh} \begin{itemize} \item Can execute programs remotely (i.e., for doing a backup of a remote computer) \item Can do ``port forwarding'', allowing amazing flexibility in sending any protocol over the encrypted tunnel, so that the application appears to be executing locally. Useful for {\pgn VNC} (\url{http://www.uk.research.att.com/vnc/sshvnc.html}), many other applications. \item Can provide a basic type of encrypted tunnel, a simple VPN (virtual private network) \item Many other things. There is a great book just published about it: \url{http://www.oreilly.com/catalog/sshtdg/} \end{itemize} }% end of \mns started at beginning of this file. \section{Secure Shell Exercises} \label{sec:ssh-exercises} % Our setup is a laboratory of 45 computers behind a Linux firewall % using IP masquerade to map all addresses to one address % (192.168.128.51), since our Computer Centre staff are unable to % allocate us enough private addresses because the only competent % staff member left to get a better job "in the real world", leaving % the only other person in the Computer Centre who had even the slightest % clue about 3Com routers and switches (having the lowly position of % "Computer Operator") unable to cope, the remainder burdened by % lack of competence with routers (Oh, you people should blush % with shame! I believe that they feel it, but do not act to remedy % their ignorance.) The firewall also runs the ISC DHCP server 3.0b2pl11, % allocating the addresses 10.1.1.1 to 10.1.1.100 dynamically. It also % dynamically updates our name server. Students have given their % machines a name, and maybe our BIND 8.2.2_P7 will not like all of % the names, while some names are duplicated. {\normalsize \begin{enumerate} \item Set up {\pgn sudo} with a line like this: {\cmdn {\usb your-user-name}\ \ \ \ ALL=(ALL) ALL} as described in the handout about {\pgn sudo}. %solution to question~\vref{qes:sudo-all-all}. \item \label{qes:ok-names}The name of your computer must be unique, and contain no other characters besides a\ldots z, 0\ldots9, A\ldots Z and the hyphen `\texttt{-}'. If you suspect that it does not match these criteria, type {\cmdn \$~sudo~netcfg} and modify your hostname. Make sure that your hostname ends with our domain: \texttt{tycm.vtc.edu.hk} \item If you have already changed your hostname in step~\ref{qes:ok-names}, do the following: \begin{itemize} \item If when you type {\cmdn \$ hostname} you get a different name from the name you entered in {\pgn netcfg}, then type:\\ {\cmdn \$ sudo hostname {\usb newhostname}.tycm.vtc.edu.hk\\ \$ sudo ifdown eth0\\ \$ sudo ifup eth0}\\ This will ensure that the DHCP server sends your new host name to the name server using a dynamic update. \item You may then need to log out, and log back in again, since {\pgn X} authentication depends on the name of the computer not changing. \end{itemize} \item Check that the name of your computer in the name server matches your IP address. Do the following: \begin{itemize} \item type: {\cmdn \$ hostname} to find the name of your computer. \item type: {\cmdn \$ ifconfig} and read the IP address of your Ethernet card, \texttt{eth0}. \item type: {\cmdn \$ nslookup \usb your-hostname} where {\usb your-hostname} is the name you found in front of our domain \texttt{tycm.vtc.edu.hk}\footnote{The program {\cmdn nslookup} is a powerful tool for debugging name server problems. The same program was compiled by Microsoft on Windows 2000, and you can use it there too.} \item If {\pgn nslookup} says ``Non-existent host/domain'', then check the conditions at step~\ref{qes:ok-names}. Ask Nick if you see no other problem. \end{itemize} \item Turn to your neighbour and ask them to make an account for you. Make sure that you type your password for your account yourself. \item Back on your own machine, login to your new account on your neighbour's machine, \item Set up your own private and public keys as described in section~\ref{sec:ssh-keygen}. You should use a pass phrase for this exercise. \item Set up your $\sim${\fn /.ssh/authorized\_keys2} using the methods described in \ref{sec:authorized_keys}. \item Setup {\pgn ssh-agent} and use {\pgn ssh-add} to make your personal private key available to {\pgn slogin}. \item Demonstrate to your tutor that you can log in to your account on your neighbour's computer without typing any passwords. \item One neighbour should shut down Linux, remove their removable hard disk, and boot Windows 2000. You will see that {\pgn TTSSH} is installed, as is {\pgn XWin32}\@. Use these to log into your account on your neighbour's computer, and execute a graphical program, such as {\pgn emacs} or {\pgn xclock}. \end{enumerate} \section{Secure Shell Solutions} \label{sec:ssh-solutions} We will provide solutions soon. }% end of normalsize