The Keys To Using SSH: David Tomaschik

This document provides an overview of using SSH (Secure Shell) for remote access and administration. It discusses what SSH is, why it is useful, different SSH clients, basic usage including verifying connections and running commands remotely, transferring files with SCP and SFTP, port forwarding with SSH tunnels, and security best practices like using SSH keys instead of passwords. It also covers advanced topics like SSH configurations, shortcuts, speeding up connections, and working around firewalls that block port 22. The document is intended as an introduction and assumes the use of OpenSSH on Linux.

The Keys to Using SSH

David Tomaschik
RHCE, LPIC-1
System Administrator, Kennesaw State University
MSCS Student, SPSU
[email protected]
http://systemoverlord.com

Special ALE Central Edition!


What is SSH?

● SSH = Secure Shell
● Originally intended as “Encrypted Telnet”
● Allows remote shell (command-line) access
● Connection Encrypted Using Public Key Cryptography
● SSH Version 1: Developed 1995, Now Insecure
● SSH Version 2: Standardized 2006
● Only use SSH2!

Why use SSH?

● Useful for remote system administration
● Transfer files securely
● Run remote applications
● Secure OTHER communications
● Requires Little Bandwidth
● Industry Standard

SSH Clients

● Linux: OpenSSH; Usually Installed by Default
● OS X: OpenSSH; Installed by Default
● Windows: PuTTY, OpenSSH under Cygwin, Commercial SSH
● Android: ConnectBot + Others
● iOS: iSSH, Prompt, Others

About the Presentation

● Assumes OpenSSH on Linux for both Client and Server
● Some features may require relatively recent versions of OpenSSH

Basic Use

● ssh [email protected]

Verifying Who You're Connecting To

● The highlighted lines show you which host you are connecting to along with the key fingerprint.
● The key fingerprint identifies the server's host key; when it matches a value you trust, it is cryptographic proof that your connection is not being tampered with.
● Depending on your level of paranoia:
    ● Get the fingerprint from the system administrator
    ● Make your first connection from a 'trusted' network
    ● Just ignore it and hope it's OK

What You Can Do Now

● Run Commands Remotely
    ● Install packages/services
    ● Configure applications
    ● Start/stop services
● Edit Files Remotely
    ● vi, nano, etc. (Masochists may even use emacs)
    ● Command-line only
    ● Plain Text Only

Login Environment

● After connecting
    ● /etc/motd, unless ~/.hushlogin
    ● Check /etc/nologin
    ● Drop privileges (switch to user)
    ● /etc/ssh/sshrc, ~/.ssh/rc
    ● Run shell or command
● SSH_CONNECTION
    ● <client ip> <client port> <server ip> <server port>

IPv6

● SSH works well over IPv6 (naturally)
● IPv6 Addresses should be specified in square brackets, e.g., [2600:3c03::f03c:91ff:fe93:f3fb]
● Or use a hostname
● Can be forced
    ● -6 to force IPv6
    ● -4 to force IPv4

Run a Single Command

● ssh [email protected] COMMAND

Remote GUI (X Forwarding)

● Headless/Remote Server?
● Application that “must” be GUI?
● No Problem!
● ssh -X [email protected]
● Then run command
● ssh -X [email protected] command

Getting Files From Here to There (Or from There to Here)

● scp (Secure Copy)
● Basic form similar to cp
● scp [path1] [path2]
● Path can be a local path or remote path:
    ● user@host:/path/to/file
    ● Relative remote paths start from your home directory
    ● scp Documents/Presentation.pdf david@work:Documents/

Another Way to Move Files

● SFTP
● More like FTP, but encrypted via SSH
● GUIs Available
    ● gftp on Linux
    ● WinSCP on Windows
    ● FireFTP (In Firefox)

SSH Tunneling (Port Forwarding)

● Tunnel Arbitrary TCP Connections Across SSH
● Encrypted
● Authenticated
● Tunnel through Firewalls

SSH Tunneling (Syntax)

● Forward single point
    ● Add -L <localport>:<remotehost>:<remoteport>
    ● ssh -L8000:10.10.10.10:80 user@firewall
    ● Open web browser to http://localhost:8000/
● Dynamic Proxy
    ● Add -D <localport>
    ● SOCKS 4/5 Protocol Support
    ● Works with any SOCKS-aware application

SSH Tunneling (Edge Cases)

● Reverse Tunnel
    ● Tunnels connections from server to client
    ● -R <remoteport>:<host>:<hostport>
● Allow others to use tunnels
    ● -g option
    ● Use with caution!
● Only do port forwarding
    ● -N (No Command)

A Word About Security

● SSH gets brute forced. A lot.

Popular Brute Force Usernames

http://www.dragonresearchgroup.org/insight/sshpwauth-cloud.html

Popular Brute Force Passwords

http://www.dragonresearchgroup.org/insight/sshpwauth-cloud.html

Where are they coming from?

Source: Cisco Systems

Security Measures

● Use an alternate port (reduces noise, but is NOT security)
● Use a strong password (always a good idea)
● Use Fail2Ban (adds firewall rules after too many bad logins)
● Use SSH Keys!

SSH Keys?

● An SSH Key 'replaces' your password
● Private key: kept by user to authenticate
● Public key: placed on servers to identify user
● ssh-keygen to create new key pair
● Use a passphrase!
● ssh-copy-id will copy the public key over

SSH Key Strength

● Typically 2048 bit RSA
    ● ~112 bits of security (equivalent symmetric strength)
    ● Guessing the key is not going to happen in an online attack
● Protect private key with passphrase
● Keep the private key private!
● On the other hand...
    ● If your local system is compromised, you have all kinds of problems

Avoiding the Passphrase

● ssh-agent caches the key for you
● eval `ssh-agent` to load into current session
● Type passphrase once
● Many desktop environments start ssh-agent (or a clone) for you
● gpg-agent can also function as an agent for SSH keys
● GPG Keys can also be used for authentication

SSH Access Control

● /etc/ssh/sshd_config
    ● PasswordAuthentication
    ● PubkeyAuthentication
    ● HostBased, ChallengeResponse, KeyboardInteractive, etc.
    ● AllowGroups, AllowUsers (intersection)
    ● DenyGroups, DenyUsers (union)
    ● UsePAM (default no, but most distros ship yes)
        – Only the account and session stages apply to key-based auth

SSHD Permissions

● AllowTCPForwarding
● PermitOpen
● AllowAgentForwarding
● X11Forwarding
● PermitTunnel (tun forwarding)
● PermitUserEnvironment
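
A small auditor for the yes/no keywords from the two slides above, added here as an example rather than taken from the presentation. It resolves global values the way sshd does (keywords are case-insensitive, the first value obtained wins, defaults per sshd_config(5)); the `POLICY` baseline and the sample configuration are assumptions constructed for illustration.

```python
import re

# sshd defaults for the audited keywords, as documented in sshd_config(5).
DEFAULTS = {
    "passwordauthentication": "yes", "pubkeyauthentication": "yes",
    "allowtcpforwarding": "yes", "allowagentforwarding": "yes",
    "x11forwarding": "no", "permittunnel": "no", "permituserenvironment": "no",
}
# Assumed policy (not from the slides): key-only logins, every forwarding feature off.
POLICY = dict(DEFAULTS, passwordauthentication="no",
              allowtcpforwarding="no", allowagentforwarding="no")

# Constructed sshd_config fragment used as sample input.
SAMPLE_CONFIG = """\
Port 2200
passwordauthentication no
PasswordAuthentication yes
X11Forwarding yes
PermitUserEnvironment=yes
Match User backup
    AllowTcpForwarding no
"""


def effective_global_settings(config_text):
    """Resolve the global (pre-Match) value of each audited keyword."""
    settings, seen = dict(DEFAULTS), set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()            # keywords are case-insensitive
        if keyword == "match":
            break                             # later lines apply only to matching sessions
        if keyword in DEFAULTS and keyword not in seen and len(parts) == 2:
            seen.add(keyword)                 # sshd uses the first value it obtains
            settings[keyword] = parts[1].strip().strip('"')
    return settings


def audit(config_text):
    """Return {keyword: (effective value, policy value)} for every deviation."""
    effective = effective_global_settings(config_text)
    return {k: (effective[k], want) for k, want in POLICY.items() if effective[k] != want}


if __name__ == "__main__":
    for keyword, (got, want) in audit(SAMPLE_CONFIG).items():
        print(f"{keyword}: effective {got!r}, policy wants {want!r}")
```

On a live server, `sshd -T` prints the effective configuration directly, including values inherited from defaults.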

Shortcuts

● You could type something like this:
    ● ssh -X -L 8000:10.10.10.10:80 -p 2200 [email protected]
● Or you could set up to do:
    ● ssh dev
● In a day, I make 20+ SSH connections
● What would you do?

~/.ssh/config (Example)

Host dev
    User johndoe
    Hostname devserver.somecompany.com
    Port 2200
    ForwardX11 yes
    LocalForward 8000 10.10.10.10:80

Speeding Up SSH

● SSH2 Allows Multiple Channels Per Connection
● SSH Multiplexing
    ● ControlMaster auto
    ● ControlPath ~/.ssh/master/%r@%h:%p
    ● ControlPersist yes

Stayin' Alive

● TCPKeepAlive [yes|no]
    ● TCP-level Keep Alive packets
● ServerAliveInterval [sec.]
    ● Encrypted packets requesting response from server.

Let's Bust Out of Here!

● Some venues block port 22
● More likely, allow limited ports
● Like... this venue.
● Alternate Port
    ● 443 if you're not running HTTPS on the server
    ● Most places just let 443 out

Layer 7 Firewalls

● SSH is encrypted!
● But the first step of the handshake is not
    ● SSH-2.0-OpenSSH_5.5p1 Debian-6

Really!

So what's left to do?

● Tunnel-in-tunnel
    ● openssl s_client → stunnel
    ● Bad for latency
    ● Virtually indistinguishable from HTTPS or other SSL traffic (it IS SSL traffic)
● Obfuscated SSH
    ● Requires patched client & server
    ● https://github.com/inf0/obfuscated-openssh
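
What a layer-7 filter or IDS can read from the first bytes of a connection, covering both the cleartext identification string and the TLS case from the last two slides. This is an added example, not from the presentation; it follows the identification-string layout in RFC 4253 section 4.2, also flags servers that still offer SSH1, and uses constructed sample bytes.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF", sent unencrypted.
IDENT = re.compile(rb"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def classify_first_bytes(data):
    """Classify a connection from the first bytes one side sends, as a filter would."""
    # A TLS stream opens with a handshake record: type 0x16, major version 0x03.
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return {"protocol": "tls"}
    for line in data.split(b"\n"):
        line = line.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue                      # a server may send other text lines first
        m = IDENT.match(line)
        if m is None:
            break
        proto = m["proto"].decode("ascii", "replace")
        return {
            "protocol": "ssh",
            "protoversion": proto,
            "software": m["software"].decode("ascii", "replace"),
            "comments": (m["comments"] or b"").decode("ascii", "replace"),
            # 1.x is SSH1 only; 1.99 means the server also accepts SSH1 clients.
            "ssh1_offered": proto.startswith("1."),
        }
    return {"protocol": "unknown"}


if __name__ == "__main__":
    samples = [                           # constructed first-flight bytes
        b"SSH-2.0-OpenSSH_5.5p1 Debian-6\r\n",
        b"SSH-1.99-OpenSSH_3.9p1\r\n",
        bytes([0x16, 0x03, 0x01, 0x00, 0x2E, 0x01]),
    ]
    for sample in samples:
        print(classify_first_bytes(sample))
```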

Fun Things (For Some Definition of “Fun”)

● Copy a file between two hosts that can't directly communicate
    ● scp -3 host1:/file1 host2:/file2
● Force a user to run a certain command (sshd_config)
    ● Match User <username>
    ● ForceCommand <command>

Questions/Demos

● Questions?
● Comments?
