2.4 Data Encryption With SSH

This document discusses securing data transmission with SSH. It explains how to [1] configure SSH servers to accept encrypted connections, [2] generate new public/private key pairs for stronger encryption, and [3] set up SSH port tunnels to encrypt unsecured traffic like telnet. The keys are stored on servers at /etc/ssh and cached locally or system-wide. SSH clients can retrieve public keys to verify connections. Port tunnels redirect local ports over the SSH connection to encrypt traffic to remote services.

Linux Security Techniques - 2.0 Data Security

============================================================

Filename: techskills-linuxsecurity-2-4-data_encryption_with_ssh
Title: Data Encryption with SSH
Subtitle: Linux Security Techniques

2.4 Data Encryption with SSH


What do we need to get started with SSH?

SSH on most platforms is powered by OpenSSH
    Installed by default
    May need to be allowed through the firewall
    Certificate authentication may need to be configured

How do we get our server ready to accept SSH connections?

Disable SSHv1
    vi /etc/ssh/sshd_config
        Protocol 2
    systemctl restart sshd
Take note of key names/locations
    Server keys are stored in /etc/ssh
    You will want to generate new keys
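The edit above is easy to get wrong in one specific way: sshd uses the first value it finds for a keyword, so appending "Protocol 2" below an existing "Protocol 2,1" leaves SSHv1 enabled. The following audit script is an added example, not course material or OpenSSH code; it parses the global section of an sshd_config with sshd's first-value-wins rule, reports the effective Protocol setting, flags repeated keywords that are silently ignored, and lists the HostKey files so you can confirm they are the ones you regenerated. The two configs inside it are constructed samples. Recent OpenSSH releases removed SSHv1 (and the rsa1 key type) altogether, so on those servers the Protocol keyword no longer exists; the check is for older installations that still carry it.

```python
"""Audit an sshd_config for the SSHv1 setting (added example, not from the course)."""
import os
import re
from typing import Dict, List, Tuple

# Keywords sshd legitimately accepts more than once; any other repeat is a
# silent no-op because sshd keeps the first value it reads.
MULTI_VALUED = {"hostkey", "port", "listenaddress", "acceptenv", "subsystem"}


def parse_global_section(text: str) -> Dict[str, List[str]]:
    """Keyword (lower-cased) -> values in file order, global section only.
    A 'Match' line ends the global section; '#' lines and blanks are skipped."""
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both 'Keyword value' and 'Keyword=value'
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, []).append(value)
    return settings


def check_protocol(settings: Dict[str, List[str]]) -> Tuple[bool, str]:
    """True only if the effective (first) Protocol value is exactly '2'."""
    values = settings.get("protocol")
    if not values:
        return False, "Protocol not set explicitly; the build default decides"
    versions = {v.strip() for v in values[0].split(",")}
    if versions == {"2"}:
        return True, "Protocol 2 only"
    return False, f"effective Protocol is {values[0]!r}: SSHv1 still allowed"


def ineffective_repeats(settings: Dict[str, List[str]]) -> List[str]:
    """Keywords given more than once where only the first occurrence counts."""
    return sorted(k for k, v in settings.items() if len(v) > 1 and k not in MULTI_VALUED)


def v1_host_keys(settings: Dict[str, List[str]]) -> List[str]:
    """HostKey entries naming the SSHv1 key file (ssh_host_key, no algorithm suffix)."""
    return [p for p in settings.get("hostkey", []) if os.path.basename(p) == "ssh_host_key"]


def audit(text: str) -> Dict[str, object]:
    """Run every check over one config text and collect the findings."""
    settings = parse_global_section(text)
    ok, reason = check_protocol(settings)
    return {
        "protocol_ok": ok,
        "protocol_reason": reason,
        "ineffective_repeats": ineffective_repeats(settings),
        "v1_host_keys": v1_host_keys(settings),
        "host_keys": settings.get("hostkey", []),
    }


# Constructed sample configs; neither is a real host's file.
BAD_CONFIG = """\
Port 22
Protocol 2,1
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
PermitRootLogin no
# appended later in the hope of disabling v1: ignored, the first Protocol wins
Protocol 2
Match User backup
    PasswordAuthentication no
"""

GOOD_CONFIG = """\
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
PermitRootLogin no
"""

if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(name, audit(cfg))
```

Run it against a copy of the real file with `audit(open("/etc/ssh/sshd_config").read())`; a non-empty `ineffective_repeats` list is the sign that an edit was appended instead of replacing the original line, and `sshd -t` should still be run after any change before the restart.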

What is wrong with the default keys?

You cannot verify the strength of the default keys
    Some distros (LiveCDs) use pre-packaged keys
    Others generate keys prior to hardware RNGs kicking in
    It is best to generate new ones.

Is it hard to generate new keys?

Generating new keys
    1. Delete the key files (rm -f /etc/ssh/*key*)
    2. ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key
       For SSHv1
    3. ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
    4. ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
    5. ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key

File                     Description
ssh_host_key             SSHv1 Private Key
ssh_host_key.pub         SSHv1 Public Key
ssh_host_rsa_key         SSHv2 RSA Private Key
ssh_host_rsa_key.pub     SSHv2 RSA Public Key
ssh_host_dsa_key         SSHv2 DSA Private Key
ssh_host_dsa_key.pub     SSHv2 DSA Public Key
ssh_host_ecdsa_key       SSHv2 ECDSA Private Key
ssh_host_ecdsa_key.pub   SSHv2 ECDSA Public Key

How does a client get the public key?

OpenSSH client configuration and usage
    Public key is cached in ~/.ssh/known_hosts for individual users
    Cached in /etc/ssh/ssh_known_hosts for the entire system
    If you receive a key beforehand you can pre-load it
        /etc/ssh/ssh_host_ecdsa_key.pub (copied from the server)
    ssh-keyscan <host>
        ssh-keyscan 192.168.0.100 >> ~/.ssh/known_hosts
    Viewing the fingerprint (on server)
        ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub
        Compare this against the fingerprint the client shows on first connection
    Can require the key to pre-exist, via /etc/ssh/ssh_config
        StrictHostKeyChecking
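To make the known_hosts and fingerprint steps concrete, here is an added example (my own code, not from the course or from OpenSSH) that shows what a public key line contains, how `ssh-keygen -l` derives the fingerprint from its base64 blob (current OpenSSH prints the SHA256 form by default; `-E md5` gives the older colon-separated form), and how a client matches a hostname against a known_hosts entry, both the plain form that `ssh-keyscan` writes and the hashed `|1|salt|hmac` form produced when `HashKnownHosts` is on. The key, salt and hosts are constructed for illustration and belong to no real machine; wildcard and `[host]:port` patterns in known_hosts are not handled.

```python
"""Public-key lines, fingerprints and known_hosts matching (added example, not OpenSSH code)."""
import base64
import hashlib
import hmac
import struct
from typing import Optional, Tuple


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def build_blob(keytype: str, key_material: bytes) -> bytes:
    """Minimal key blob; the wire format always starts with the key type string."""
    return ssh_string(keytype.encode()) + ssh_string(key_material)


def parse_pubkey_line(line: str) -> Tuple[str, bytes, str]:
    """Split 'type base64blob [comment]' and check the blob agrees with the declared type."""
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("not a public key line")
    keytype, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + length].decode()
    if embedded != keytype:
        raise ValueError(f"declared type {keytype} but blob says {embedded}")
    return keytype, blob, comment


def fingerprint_sha256(blob: bytes) -> str:
    """What ssh-keygen -l prints on current OpenSSH: base64 of SHA-256, padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """The legacy ssh-keygen -l -E md5 form: colon-separated hex."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def hash_hostname(host: str, salt: bytes) -> str:
    """HashKnownHosts entry: |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_field_matches(field: str, host: str) -> bool:
    """True if a known_hosts host field (plain comma list or hashed) names `host`."""
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|", 3)
        return hmac.compare_digest(hash_hostname(host, base64.b64decode(salt_b64)), field)
    return host in field.split(",")


def find_host_key(known_hosts: str, host: str, keytype: str) -> Optional[str]:
    """Return the cached public key line for host/keytype, as the client looks it up."""
    for raw in known_hosts.splitlines():
        line = raw.strip()
        # '@cert-authority' / '@revoked' marker lines need separate handling; skipped here
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        hostfield, rest = parts
        if host_field_matches(hostfield, host) and parse_pubkey_line(rest)[0] == keytype:
            return rest
    return None


# Constructed key: 32 deterministic bytes stand in for an Ed25519 public point.
# The fingerprint arithmetic does not care what they are.
SAMPLE_BLOB = build_blob("ssh-ed25519", bytes(range(32)))
SAMPLE_PUBKEY = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " root@constructed-host"
SAMPLE_SALT = bytes(20)  # fixed salt so the hashed entry below is reproducible

SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed ~/.ssh/known_hosts",
    "192.168.0.100,gw.example.test " + SAMPLE_PUBKEY,                  # as ssh-keyscan writes it
    hash_hostname("172.16.0.128", SAMPLE_SALT) + " " + SAMPLE_PUBKEY,  # HashKnownHosts yes
])

if __name__ == "__main__":
    print(fingerprint_sha256(SAMPLE_BLOB))
    print(fingerprint_md5(SAMPLE_BLOB))
    print(find_host_key(SAMPLE_KNOWN_HOSTS, "172.16.0.128", "ssh-ed25519"))
```

Point `parse_pubkey_line` at a line from a real `ssh_host_ecdsa_key.pub` and `fingerprint_sha256` returns the same string `ssh-keygen -lf` prints for it. The type check matters because the client trusts the blob, not the label, and `ssh-keyscan` records whatever key the network presents, so the fingerprint read from the server's own file is the value the appended entry is checked against.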

Once we know the key is good, are we ready to connect?

Client connections
    ssh <username>@<hostname>
    ssh -l <username> <hostname>
    Configuration file is /etc/ssh/ssh_config
    Options
        -1 v1 Only
        -2 v2 Only
        -4 IPv4 Only
        -6 IPv6 Only

That gives us an encrypted shell, but can we encrypt other traffic?

SSH port tunnels
    Send any port's traffic over an SSH tunnel
    Useful for encrypting any traffic regardless of protocol
    Telnet, for example, does not support encryption
    Telnet can be run on top of SSH to provide security

How do we build a secure tunnel?

Establish the SSH tunnel
    ssh -f <username>@<hostname> -L <localport>:<hostname>:<remoteport> -N
        -f Go to background after execution
        -L Local port to be redirected (to <hostname>:<remoteport>, as reached from the SSH server)
        -N Do not execute any remote commands
           Just build the tunnel
    ssh -f [email protected] -L 65023:172.16.0.128:23 -N

How does software know to use the tunnel?

Telnet through the tunnel
    telnet 127.0.0.1 65023
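Software uses the tunnel simply by connecting to the local port: `ssh -L` makes the client listen on 127.0.0.1:<localport>, relays each accepted connection through the encrypted session, and the SSH server then opens the final TCP connection to <hostname>:<remoteport>. The following model is an added example (my own code, not the course's or OpenSSH's) of that listen-and-relay mechanism so it can be run and inspected offline: a loopback listener relays to a constructed echo server that stands in for the telnet daemon, and `send_through_tunnel` does what `telnet 127.0.0.1 65023` does at the socket level. The hop between relay and server is plain TCP here; encryption of that hop is exactly what ssh adds, and like `-L` this relays TCP only.

```python
"""Model of the client side of ssh -L localport:host:remoteport (added example, no encryption)."""
import socket
import threading
from typing import List, Tuple


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until the sender closes, then half-close the other side."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_local_forward(local_port: int, remote: Tuple[str, int]) -> int:
    """Listen on 127.0.0.1:local_port (0 = ephemeral) and relay each client to `remote`.
    Returns the bound port. Binding to loopback only mirrors ssh's default for -L."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", local_port))
    listener.listen(5)

    def accept_loop() -> None:
        while True:
            client, _ = listener.accept()
            # In real ssh this connect is made by the ssh server, on its side of the tunnel.
            upstream = socket.create_connection(remote)
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()[1]


def start_echo_server() -> int:
    """Constructed stand-in for the remote telnet daemon: echoes whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def send_through_tunnel(local_port: int, payload: bytes) -> bytes:
    """What a client does with 'telnet 127.0.0.1 <localport>': connect to the local end,
    send, and read the reply until the far side closes."""
    chunks: List[bytes] = []
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo() -> bytes:
    """Bring up echo server and relay, push one line through, return what came back."""
    echo_port = start_echo_server()
    tunnel_port = start_local_forward(0, ("127.0.0.1", echo_port))
    return send_through_tunnel(tunnel_port, b"hello through the tunnel\r\n")


if __name__ == "__main__":
    print(demo())
```

The point to take from the relay is that the destination in `-L` is resolved and connected to by the SSH server, not by the client; `65023:172.16.0.128:23` therefore works whether or not the client itself can reach 172.16.0.128, and checking which process listens on 127.0.0.1:65023 (`ss -ltnp`) is how to confirm telnet is really going through ssh.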

PRESENTER NOTE

Telnet example setup
    1. yum install telnet telnet-server
    2. vi /etc/xinetd.d/telnet
       disable=no
    3. vi /etc/xinetd.conf
       enabled=rsh telnet
    4. systemctl enable --now telnet.socket
    5. firewall-cmd --add-service=telnet
    6. semanage port -a -t telnetd_port_t -p tcp 23
