Secure Shell (SSH)
Secure shell (SSH) is an application protocol supporting secure tunneling and remote terminal emulation and file copy.
- principal means of obtaining secure remote access to
  - UNIX and Linux servers
  - most network appliances
- connects to a command interpreter rather than a desktop window manager
- uses encryption to protect each session
- used for:
  - terminal emulation (remote admin)
  - secure file transfer protocol (SFTP)
- many SSH servers and terminal emulation clients available
  - most common is OpenSSH
- SSH server listens on TCP port 22
Background
- name “terminal” comes from the early days of computing
  - configuration was performed by a teletype (TTY) device
    - the terminal is the endpoint for communication between the computer and the user
    - handles text input and output between the user and the shell
  - the shell is the command environment
    - performs the actual processing
- A terminal emulator is any kind of software that replicates this TTY input/output function
  - may support connections to multiple types of shell
  - a remote terminal emulator allows you to connect to the shell of a different host over the network
How it Works
SSH Host Key
- Each SSH server is configured with a public/private encryption key pair
  - identified by a host key fingerprint
- Clients use the host key fingerprint to verify that they are attempting to connect to a trusted server
  - mitigates the risk of on-path (man-in-the-middle) attacks
- A mapping of host names to SSH server (public) keys can be kept:
  - manually by each SSH client
  - by SSH key management software products
Warning
- host key must be changed if any compromise of the host is suspected
  - if an attacker has obtained the private key of a server or appliance
    - they can masquerade as that server or appliance and perform a spoofing attack
      - in order to obtain other network credentials
- might also change the key to use a longer bit strength
SSH Client Authentication
- server’s host key pair is used to set up an encrypted channel so that the client can submit authentication credentials securely
- SSH allows various methods for the client to authenticate to the server
  - each can be enabled or disabled using the /etc/ssh/sshd_config file
  - Password authentication
    - client submits a username and password
    - credentials are verified by the SSH server either
      - against a local user database
      - or using a network authentication server
  - Public key authentication
    - SSH server is configured with a list of public keys of authorized users
    - client uses its private key to authenticate
  - Kerberos
    - client submits its Kerberos credentials (a Ticket Granting Ticket, obtained when the user logged on to the workstation) to the server using the Generic Security Services Application Program Interface (GSSAPI)
    - SSH server contacts the Ticket Granting Service to validate the credential
      - in a Windows environment, the TGS will be the domain controller
Warning
Managing valid client public keys is a critical security task.
- attacks on web servers may exploit poor key management
- if a private key is compromised:
  - delete the public key from the appliance
  - regenerate the key pair on the user’s device
  - copy the new public key to the SSH server
- delete public keys if the user’s access permissions have been revoked
Secure Shell Commands
sshd - start the SSH daemon (server)
- some parameters:
  - host’s certificate file
  - port to listen on
  - logging options
ssh-keygen - create a key pair to use to access servers
- private key must be stored securely on the local computer
- public key must be copied to the SSH server
  - copy manually
  - or using ssh-copy-id
ssh-agent - configure a service to store the keys used to access multiple hosts
- agent stores the private key for each public key securely
- reduces the number of times use of the private key has to be confirmed with a passphrase
- provides an SSO mechanism for multiple SSH servers
ssh-add - adds a key to the agent
ssh HOST - connect to the server running at HOST
- HOST can be an FQDN or IP address
- can create a client configuration file
ssh Username@Host - connect to the server running at Host with a different Username
ssh Host "Command or Script" - execute a command or script on the remote server running at Host without starting a shell
scp Username@Host:RemoteFile /Local/Destination - a file transfer client with a remote copy (rcp)-like command interface
- use the -r option to copy the contents of a directory recursively
sftp - a file transfer client with an FTP-like command interface
Secure SSH
- Disable password access and enable key pair access only
- Enable and start the SSH server (sshd) on the destination server
- On the client, generate an SSH key pair: ssh-keygen
  - specify desired options
  - default storage location is ~/.ssh
    - wise to give the key a contextual name
  - Optionally, add a password to protect the key
    - need to provide the password each time
    - can store the password in a keychain manager
- Copy the SSH public key to the authorized keys file
  - On the client: ssh-copy-id -i ~/.ssh/your_key.pub user@server
    - use your public key name
    - use the user and host address of the server
  - Or manually copy the key over
    - on the client: cat ~/.ssh/your_key.pub and copy the output
    - ssh into the server with a password
    - on the server: nano ~/.ssh/authorized_keys and paste the output
    - save
- Enable public key authentication on the server
  - sudo nano /etc/ssh/sshd_config and set PubkeyAuthentication to yes
  - Can optionally set a different authorized keys file
    - default is ~/.ssh/authorized_keys
    - can set to a remote server to manage keys centrally
- Disable password authentication on the server
  - in the same /etc/ssh/sshd_config file, uncomment and set PasswordAuthentication to no
- Restart the SSH server to reload the config file: sudo systemctl restart sshd
- To connect to the SSH server: ssh user@server -i ~/.ssh/your_private_key
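The two sshd_config edits from the steps above (and the enable/disable of client authentication methods described under SSH Client Authentication) done by script rather than by hand in nano, as an added example that is not part of the original notes. It assumes a plain sshd_config without Match blocks and a constructed sample file stands in for the real /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original notes): apply the two sshd_config
# edits from the "Secure SSH" steps by script and verify the result.
# Assumes a plain sshd_config with no Match blocks.
# set_directive FILE KEY VALUE: rewrite the first "KEY ..." line, whether
# it is active or commented out, drop any later copies (sshd honours only
# the first occurrence), and append the directive if it was absent.
set_directive() {
    awk -v k="$2" -v v="$3" '
        {
            line = $0
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)   # strip "#" marker
            split(line, parts, " ")
            if (tolower(parts[1]) == tolower(k)) {
                if (!done) { print k " " v; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}
# get_directive FILE KEY: print the value sshd would use (first active line).
get_directive() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}
harden_sshd_config() {
    set_directive "$1" PubkeyAuthentication yes
    set_directive "$1" PasswordAuthentication no
}
# Returns 0 only when key-pair login is on and password login is off.
sshd_config_hardened() {
    [ "$(get_directive "$1" PubkeyAuthentication)" = yes ] &&
    [ "$(get_directive "$1" PasswordAuthentication)" = no ]
}
# Constructed sample of a default-looking sshd_config (not a real server's).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Authentication:
#PubkeyAuthentication yes
PasswordAuthentication yes
# PasswordAuthentication no
EOF
harden_sshd_config "$SAMPLE"
sshd_config_hardened "$SAMPLE" && echo "$SAMPLE: key-only login configured"
```

Run it against a copy of the real file as root, review the diff, then restart sshd as in the steps above; keep an existing session open until a key-based login has been confirmed to work.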