SSH Mastery: OpenSSH, PuTTY, Tunnels and Keys

OpenSSH is the most commonly deployed SSH implementation.
Book details: Author: Michael W Lucas. Publisher: Tilted Windmill Press. Language: English.

An excerpt of the ssh-keygen session the book walks through:

ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mwlucas/.ssh/id_rsa):
Enter passphrase (empty for no
The passphrase is used to encrypt and decrypt the private key. If the computer is lost or stolen, the key must be recovered from backup or it's lost forever. OpenSSH has many powerful features that will make systems management easier if you take the time to learn about them.
Asymmetric encryption became popular only with the wide availability of computers that can handle the very difficult math, and is much, much slower and more computationally expensive than symmetric encryption. Having two separate keys creates interesting possibilities.
Make one key public. Give it away. Broadcast it to the entire world. Keep the other key very private, and protect it at all costs. Anyone who has the public key can encrypt a message that only the private key holder can read. Someone who has the private key can encrypt a message and send it out into the world. Anyone can use the public key to decrypt that message, but the fact that the public key can decrypt the message assures recipients that the message sender had the private key.
This is the basis of public key encryption. The public key and its matching private key are called a key pair. Again, think of the lock on your front door. The lock itself is public; anyone can touch it. The key is private. You must have both to get into your home. If you want more detail, research Diffie-Hellman key exchange.
Asymmetric encryption lets hosts exchange public keys, but it's slow and computationally expensive. But how can you efficiently encrypt a session between two hosts that have never previously communicated? Every SSH server has a key pair.
Whenever a client connects, the server and the client use this key pair to negotiate a temporary key pair shared only between those two hosts. The client and the server both use this temporary key to derive a symmetric key that they will use to exchange data during this session, as well as related keys to provide connection integrity. If the session runs for a long time or exchanges a lot of data, the computers will intermittently negotiate a new temporary key pair and a new symmetric key.
The SSH protocol is more complicated than this, and includes safeguards to prevent many different cryptographic attacks, but cryptographic key exchange is the heart of the protocol. SSH supports many symmetric and asymmetric encryption algorithms. The client and server negotiate mutually agreeable algorithms at every connection. People infinitely more knowledgeable about encryption than you or I, and with more encryption experience than both of us together, arrived at OpenSSH's encryption preferences after much hard thought and troubleshooting.
Gossip, rumor, and innuendo might crown Blowfish as the awesome encryption algorithm du jour, but that doesn't mean you should tweak your OpenSSH server to use that algorithm and no other. The most common reason people offer for changing the encryption algorithms is to improve speed. SSH's primary purpose is security, not speed. Do not abandon security to improve speed. Now that you understand how SSH encryption works, leave the encryption settings alone.
Chapter 3: The OpenSSH Server

The OpenSSH server sshd is highly configurable and lets you restrict who may connect to the server, what actions those users can take, and what actions it will permit. Your operating system might differ. Test if sshd is listening to the network with the telnet command. Here, I connect to the host avarice on the standard SSH port:

Connected to avarice.
If you don't get something similar, sshd isn't running or perhaps something on the network is blocking your connection; check your firewall. Additionally, you should see sshd in the server's process list.
The second sshd entry is for the privileged sshd process required for every SSH session, while the third is the unprivileged SSH session I'm actively using. If someone has deliberately disabled sshd's privilege separation and is running sshd insecurely, you won't see the unprivileged session.
Most operating systems run sshd as a standalone server without any command-line arguments.
You must be root to debug sshd. The simplest debugging methods are alternate configuration files, alternate ports, and debugging mode.

Alternate Configurations and Ports

The -f command-line argument tells sshd to use an alternate configuration file. Here I tell sshd to use a test configuration. Your test sshd process cannot start because it cannot bind port. Note that a ListenAddress keyword binding sshd to a port overrides a command-line -p; see "Configuring sshd" later this chapter.
By setting an alternate configuration file and port on the command line, you make only the config file changes you want to test. Not that I've ever broken the system by testing, mind you. Remember to kill your test sshd process when finished testing.

Debugging sshd

The -d flag tells sshd to run in debugging mode, without detaching from the controlling terminal.
Debugging displays everything your sshd process does as it happens. Here I run sshd with debugging.

Bind to port on
Bind to port on 0.
Server listening on 0.

The debug session shows the OpenSSH version you're running. The server is now running and ready to accept connections. If you attempt to connect to this server with an SSH client, the server will display more debugging output.
An OpenSSH server in debugging mode will not fork, so it can only accept one client connection at a time. If you have a problem with your SSH server, run it in foreground mode with debugging on a different port and read the output. If you don't understand the error message, use it as an Internet search term. When you finish debugging, exit out of your client and the sshd process will end.
You can also hit CTRL-C in the sshd terminal, unceremoniously terminating sshd and disconnecting the client. The -q flag runs sshd in quiet mode. In quiet mode, sshd doesn't send messages to the system log when a user logs in, authenticates, or logs out. You want to be able to identify who logged into your production systems, so quiet mode isn't useful on live servers, but -q might help in special debugging situations.
Try it and see. If -d doesn't provide enough detail, add more -d's to increase verbosity.

The standard files are:

The configuration is a set of keywords and values, as shown in this snippet.

Port 22
AddressFamily any
ListenAddress 0.

We'll cover the function of each configuration option later; for now, just understand how the file is laid out.
The pound sign indicates a comment. Everything after that is ignored. To change the defaults, remove the pound sign and change the value. For example, the configuration option Port is set to 22, AddressFamily is set to any, and ListenAddress is set to both 0. These are defaults, and commented out. I'll give some generally useful sshd options in this chapter. For example, sshd options affecting X11 forwarding appear in Chapter 9.
Not all currently-deployed versions of OpenSSH support all the keywords described in this chapter. I've written this based on the most recent OpenSSH.
Some operating systems either include older versions, or deliberately remove certain functions for their own reasons. If a configuration option doesn't work on your server, consult your operating system documentation or ask your vendor. Operating systems handle missing key files differently. BSD-based and Red Hat systems usually create missing default key files automatically.
Many Linux systems require the systems administrator to manually create missing key files, but use a familiar tool to create them. For example, Debian-based systems create missing key files when you run dpkg-reconfigure openssh-server. Chapter 7 covers creating host keys by hand. Network Options sshd lets you control which network protocols it uses, the addresses it uses, and the TCP port it attaches to.
Port 22
AddressFamily any
ListenAddress 0.

The Port keyword controls the TCP port. Some organizations use a different port for SSH in the hope of improving security. You can override the Port keyword on the command line with -p; see "Testing and Debugging sshd" earlier this chapter.
To only use IPv4, set AddressFamily to inet. To only use IPv6, set it to inet6. The default, any, uses either version. Many hosts have multiple IP addresses. By default, sshd listens for incoming requests on all of them. If you want to limit the IP addresses that sshd attaches to, use the ListenAddress keyword. Each ListenAddress keyword takes a single IP address as an argument, but you can use as many ListenAddress keywords as necessary. If a host has many IP addresses and you want to block SSH access to just a few of them, you might find blocking traffic with a packet filter easier than using many ListenAddress statements.
You can also use ListenAddress to define extra ports for sshd to listen on. If your host has three IP addresses, and you want sshd to listen to different ports on each, use ListenAddress statements.

ListenAddress

If you're stuck behind a packet filter that only allows outgoing connections to port 80, running sshd on port 80 would let you evade the firewall. The impact of evading the corporate firewall on your employment is left as an exercise for the reader.

Do not use SSH-1. The order doesn't matter, because the client will select the version it prefers from what the server offers.

Protocol 2,1

SSH-1 permits man-in-the-middle attacks and session hijacking, as discussed in Chapter 1. If someone insists on using SSH-1, practice saying "I told you so."

This is called a banner. Banners don't always work, however, depending on exactly how the client connects. You can create a file containing a banner message and set the keyword Banner to the full path of the file, but be aware that it won't always appear.
This message does not appear until after the client has authenticated, so it might not meet your needs. The PrintMotd keyword can be yes or no.

PrintMotd yes

Be aware that if the banner works, it might interfere with automated processes run over SSH.
In some locations, though, a banner message can serve as legal notice to intruders. Choose the headache you prefer. Once a user has logged on, sshd prints the time of the user's last logon and where they logged in from. If you want to turn this off, you can set PrintLastLog to no.

PrintLastLog yes

I recommend leaving this on. More than once, users have alerted me to intrusions when they logged in and saw that their previous login was from a foreign country or at a ridiculous hour.
Authentication Options

By default, a user can try to log in 6 times in 2 minutes in a single session. Twenty seconds should be long enough for most people to type their password correctly, but you can control the length of time and how many times the user can try. The LoginGraceTime keyword controls how much time sshd gives a user to authenticate. If a user is connected to sshd for this time without successfully authenticating, the connection is terminated. This takes a number of seconds (s), minutes (m), or hours (h).
LoginGraceTime 2m

You can also control how many times a user may attempt to authenticate in a single connection with MaxAuthTries. The default is 6. Authentication attempts include both public key authentication and passwords. My usual failure procedure is to fail to log in six times, then remember that I have a different username on this machine. When I follow my own advice on changing usernames from Chapter 5, and install a public key everywhere as in Chapter 7, I don't have this problem.
By default, sshd uses reverse DNS to generate log messages. A log message like "Login failed from secretary's computer" will make you sigh.
A log message like "Login failed from Hacker Haven Nation" should trigger an alarm. An intruder who controls the reverse DNS for his IP address can change the apparent hostname to something within your company. For protection against this sort of attack, sshd can verify connection attempts against DNS entries.
When a client connects, sshd looks up the host name for the source IP, then looks up the IP address for that host name. If the DNS names don't match, the connection will be rejected. Suppose an intruder controls the reverse DNS for his address and gives it a hostname within your company, such as desktop9. If the DNS entry for that hostname doesn't match the IP the connection is coming from, the connection will be rejected.
If he does, get him out of your systems, secure them, and disable SSH passwords as discussed in Chapter 7. Also, DNS checks can increase system load.
The additional load for any one session is small, but if you serve hundreds or thousands of SSH users, DNS checks just might topple the system.

sshd's log messages are controlled with the SyslogFacility and LogLevel keywords. Below is a list of accepted LogLevel values and what they send to syslogd. These log enough data to violate user privacy. Debug messages are sent to syslog.
Most default syslog installations don't capture this level of detail; you'll need to configure your syslog server to capture all debugging data for this to be useful. The defaults fit almost all environments.

These settings allow you to change the encryption methods your server supports. Don't muck with these settings. You will only hurt yourself.

Restricting Access by User or Group

I know of many applications — mainly industrial and business programs — that make use of user accounts from the underlying operating system.
People use the application over a Web page or proprietary client, but never actually log on to the operating system.
If Fred down in shipping needs to access the application, the system needs a fred account. This isn't ideal practice, but it is reality. If you're responsible for such an application, configure your system so that users who are not systems administrators cannot log on to the server. The AllowUsers, AllowGroups, DenyUsers, and DenyGroups options take comma-delimited lists of users or groups as arguments, and are processed in the order listed in the configuration file on a first-match basis.
As the directives are processed in order, a user listed in DenyUsers will be prevented from logging in even if he is listed in AllowUsers or is a member of a group in AllowGroups. This lets you make exceptions for individual users in a group. Override this by listing the user in AllowUsers.
Both DenyUsers and DenyGroups override this. Additionally, the presence of an AllowUsers or AllowGroups entry implies that nobody else can log in. The system denies SSH logins to all users who are not in one of these. Let's look at some examples. My system has four users: They are in groups as below: The billing application requires system accounts, but the user doesn't need access via SSH. When I add another billing user, though, I must explicitly list them in DenyUsers.
I'm better served by blocking access by group. On a BSD system, wheel is the group for systems administrators. Ubuntu does something similar with sudo and the "admin" group.
To allow only systems administrators to log in, use the following configuration.

AllowGroups wheel

Anyone in the wheel group can log in. The presence of an AllowGroups entry tells sshd that it should deny logins by default.
The users pkdick and jgballard cannot SSH in. I could do something similar by listing mwlucas explicitly. I'm likely to forget one or the other. Whenever possible, use groups. My users are globally distributed and synchronized via LDAP. While my support team has access to most of my systems, I have one particular system where a certain administrator is forbidden to log in. Here I block that user, but permit the group. This requires a user account with public key authentication see Chapter 7.
These accounts can be dangerous. While you can restrict the commands that can be run after authenticating with a public key, you don't want rsync connections from random hosts, and you don't want a user with shell access able to circumvent restrictions by editing a file he owns. You can use the Allow and Deny options to restrict where users can connect from by adding an @ and a host or IP address after the username. List hosts by IP or hostname. Hostnames are verified with reverse DNS, so using hostnames carries the usual security problems.
Here I restrict one user's access.

AllowUsers backup

All other users are denied. With sensible group memberships and proper Allow and Deny options, you can restrict login access as needed. When in doubt, give accounts the least level of privileges that will let users and programs accomplish their required tasks. Rather than listing all possible IP addresses in a network, patterns let you say "anything that matches this expression."
The next pattern matches all hosts in the blackhelicopters. It matches sloth. Here I match the hosts Address To match any host in The next pattern matches any address from Most configuration options accept lists of patterns like this. The Host option is slightly different, in that terms are separated by a white space. We'll go through several examples of per-host configuration in Chapter 5. We can negate patterns by putting an exclamation point in front. The next pattern excludes the hosts in blackhelicopters.
The lead OpenSSH developer describes negation as "a little fiddly," so you might have trouble with it. Negation isn't supported everywhere; you'll have to try it and see if it works in your environment.

Conditional Configuration with Match

Your server might need to behave differently depending on the source address or hostname of an incoming connection, or the username, or even what groups a user belongs to. Some users might require chroot (see "Chrooting Users" later this chapter), or perhaps particular users may use X11 forwarding (Chapter 9) from the local LAN.
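To see how sshd combines the four directives with host restrictions and patterns, here is an added simulation (not code from the book or from OpenSSH) of the evaluation order documented in sshd_config(5): DenyUsers, AllowUsers, DenyGroups, AllowGroups. It models the AllowGroups wheel and AllowUsers backup@host cases above together with the `*`, `?` and `!` patterns; the accounts and group memberships are constructed sample data. Note that under this fixed order a DenyGroups match is not undone by an AllowUsers entry, so verify the behaviour against your own sshd's manual page.

```python
"""Simulation of sshd's user/group access checks (added example).

Directives are evaluated in the fixed order documented in sshd_config(5):
DenyUsers, AllowUsers, DenyGroups, AllowGroups. Patterns take '*' and '?'
wildcards and a leading '!' negation; user entries may be USER@HOST, where
HOST is matched against the client's hostname or IP address.
"""

# Constructed sample accounts and group memberships (not a real system).
USERS = {
    "mwlucas": {"wheel", "users"},
    "pkdick": {"billing"},
    "jgballard": {"billing"},
    "backup": {"backup"},
}


def wildcard(value: str, pat: str) -> bool:
    """Match VALUE against PAT using only sshd's '*' and '?' wildcards."""
    if not pat:
        return value == ""
    if pat[0] == "*":
        return any(wildcard(value[i:], pat[1:]) for i in range(len(value) + 1))
    return bool(value) and pat[0] in ("?", value[0]) and wildcard(value[1:], pat[1:])


def match_pattern_list(value: str, patterns: str) -> bool:
    """Comma-separated pattern list; a matching '!' entry rejects outright."""
    got_positive = False
    for pat in patterns.split(","):
        pat = pat.strip()
        if not pat:
            continue
        if pat.startswith("!"):
            if wildcard(value, pat[1:]):
                return False
        elif wildcard(value, pat):
            got_positive = True
    return got_positive


def match_user(user: str, host: str, ip: str, entry: str) -> bool:
    """One AllowUsers/DenyUsers entry written as USER or USER@HOST."""
    upat, _, hpat = entry.partition("@")
    if not match_pattern_list(user, upat):
        return False
    if not hpat:
        return True
    return match_pattern_list(host, hpat) or match_pattern_list(ip, hpat)


def login_allowed(user: str, host: str, ip: str, cfg: dict) -> "tuple[bool, str]":
    """Return (allowed, reason) for USER connecting from HOST/IP under CFG."""
    groups = USERS.get(user)
    if groups is None:
        return False, "unknown user"
    # 1. DenyUsers: a match refuses the login no matter what follows.
    if any(match_user(user, host, ip, e) for e in cfg.get("DenyUsers", [])):
        return False, "matched DenyUsers"
    # 2. AllowUsers: once present, only listed users may continue.
    allow_users = cfg.get("AllowUsers", [])
    if allow_users and not any(match_user(user, host, ip, e) for e in allow_users):
        return False, "not listed in AllowUsers"
    # 3. DenyGroups: any denied group refuses the login, even for AllowUsers entries.
    for g in sorted(groups):
        if any(match_pattern_list(g, p) for p in cfg.get("DenyGroups", [])):
            return False, f"group {g} matched DenyGroups"
    # 4. AllowGroups: once present, the user needs at least one listed group.
    allow_groups = cfg.get("AllowGroups", [])
    if allow_groups and not any(match_pattern_list(g, p) for g in groups for p in allow_groups):
        return False, "no group listed in AllowGroups"
    return True, "allowed"


if __name__ == "__main__":
    admins_only = {"AllowGroups": ["wheel"]}
    for name in USERS:
        print(f"AllowGroups wheel: {name:10} -> {login_allowed(name, 'desktop9', '192.0.2.10', admins_only)}")
```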
The Match keyword lets you set special sshd configurations for these situations. A Match statement is followed by a set of conditions, then by a series of configuration statements sshd should apply to connections that meet all of those conditions.
Before implementing a Match statement, configure sshd for the most common situation. You might want to deny X11 forwarding to all but select users. Configure sshd to deny X11 forwarding, then use a Match statement to check the username and permit X11 forwarding.
Matching Users and Groups

The most common situation I encounter is when I want to enable an option for a particular user or group. The User or Group Match terms permit this.

Match User mwlucas
X11Forwarding yes

I am always permitted to use X11 forwarding, as my awesome psychic powers eliminate all possible security risks.
If all of my systems administrators share these powers, or if I settle for exterminating sysadmins who empower intruders, I could Match the whole group. My user claims he does, too. We'll see.

Matching Addresses or Hosts

Perhaps you must permit X11 forwarding, but only from particular networks. You can Match on IP addresses or hostnames.

Match Address

Here, we permit a single user to use password authentication if they connect from a specific IP address.
Check the current sshd manual page for the complete list of supported options.

Placing Match Statements

All configuration statements that follow a Match statement belong to that Match statement, until either the file ends or another Match statement appears. Consider the following configuration. When a user in the wheel group logs in, sshd sets the X11Forwarding option to yes for that user. When a user logs in from the IP addresses in the ranges If a user in the wheel group logs in from a listed address, he gets both options.
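The following is an added example (not code from the book or from OpenSSH) that resolves which options sshd applies to a given connection from a config with several Match blocks, reproducing the wheel-plus-address case described above. It assumes the documented behaviour that a matching block's keywords override the global section and that, among several matching blocks, the first block to set a keyword wins; User, Group and Host criteria are compared here as plain comma-separated names, and Address as CIDR ranges, with the config fragment and addresses being constructed samples.

```python
"""Resolve sshd options for one connection from a config with Match blocks.

Rules modelled: every keyword after a Match line belongs to that block until
the next Match line or end of file; a block applies only when all of its
criteria hold; a matching block's keywords override the global section; and
when several blocks match, the first block that sets a keyword wins.
"""
import ipaddress

# Constructed sshd_config fragment for the demonstration (not a real file).
SAMPLE_CONFIG = """
X11Forwarding no
PasswordAuthentication no
Match Group wheel
    X11Forwarding yes
Match Address 192.0.2.0/24,198.51.100.0/24
    PasswordAuthentication yes
Match User pkdick Address 203.0.113.0/24
    PasswordAuthentication yes
    X11Forwarding yes
"""


def parse_config(text):
    """Return (global_options, [(criteria, block_options), ...]) in file order."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        keyword, _, value = line.partition(" ")
        value = value.strip()
        if keyword.lower() == "match":
            tokens = value.split()
            if len(tokens) % 2:
                raise ValueError(f"malformed Match line: {line}")
            criteria = {tokens[i].lower(): tokens[i + 1] for i in range(0, len(tokens), 2)}
            current = {}
            blocks.append((criteria, current))
        elif current is None:
            global_opts.setdefault(keyword, value)   # first value wins
        else:
            current.setdefault(keyword, value)
    return global_opts, blocks


def criteria_met(criteria, conn):
    """True when every criterion on a Match line holds for the connection."""
    for name, arg in criteria.items():
        values = arg.split(",")
        if name == "user":
            ok = conn["user"] in values
        elif name == "group":
            ok = any(g in values for g in conn["groups"])
        elif name == "host":
            ok = conn["host"] in values
        elif name == "address":
            addr = ipaddress.ip_address(conn["ip"])
            ok = any(addr in ipaddress.ip_network(n, strict=False) for n in values)
        else:
            raise ValueError(f"unsupported Match criterion: {name}")
        if not ok:
            return False
    return True


def effective_options(text, conn):
    """Options sshd would use for conn: global section plus matching blocks."""
    global_opts, blocks = parse_config(text)
    opts = dict(global_opts)
    set_by_match = set()
    for criteria, block_opts in blocks:
        if not criteria_met(criteria, conn):
            continue
        for keyword, value in block_opts.items():
            if keyword not in set_by_match:     # first matching block wins
                opts[keyword] = value
                set_by_match.add(keyword)
    return opts


if __name__ == "__main__":
    # A wheel member connecting from a listed range gets both options.
    admin_lan = {"user": "mwlucas", "groups": {"wheel"}, "host": "desktop9", "ip": "192.0.2.9"}
    print(effective_options(SAMPLE_CONFIG, admin_lan))
```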
We'll use Match statements throughout the rest of the book.

Logging in directly as root over SSH is a colossally bad idea in almost all environments. When users must log in as a regular user and then change to root, the system logs record the user account, providing accountability. Logging in as root destroys that audit trail. It also encourages users to modify the root environment to suit their working habits.
Server programs are frequently started by root, and those environment changes can make those services unstable or actively destroy data. Tools such as sudo and pfexec permit user accounts limited degrees of privilege. If you need root access to run your backup program, use sudo instead of logging in as root.
Certain environments, particularly large server farms, are designed so that logging in as root is not only possible but preferable. These environments require public key authentication and log the key used to authenticate each session. Sudo can be configured to authenticate via an SSH agent so that a user's password is never exposed to the server.
Most readers of this book do not work in that environment. It is possible to override the security precautions and make sshd permit a login directly as root. It's such a bad idea that I'd consider myself guilty of malpractice if I told you how to do it. Chapter 12 discusses some ways to use sudo to avoid this requirement.
Logging in as root via SSH almost always means you're solving the wrong problem. Step back and look for other ways to accomplish your goal.

Chrooting Users

At times a user needs a command prompt or some specific program, but you don't want to let the user access files outside his home directory.
A directory the user cannot escape is called a chroot.

ChrootDirectory none

By default, sshd does not chroot users.

Populating the Chroot

A chrooted user cannot access anything outside the chroot. Any chroot you create will not have device nodes, shells, or other programs unless you place them there. When your restricted user logs in, sshd will fail to find a shell or home directory and immediately disconnect them.
At a minimum, you must set permissions on the chroot directory, create a home directory for the imprisoned user, create device nodes, and install a shell. The chroot directory must be owned by root and not be writable by the restricted user, just as you would not permit an unprivileged user to write to the system's root directory.
If the restricted user can write to the chroot directory, sshd will not let them log in. This directory should be owned by the user, just like a regular home directory, and should contain any necessary dotfiles. Create device nodes inside a dev directory inside the chroot. The method to create device nodes varies between operating systems. Some operating systems might require additional device nodes. Finally, users need a shell. Also copy static versions of any other programs the user needs.
You could add dynamically linked programs, but then you must also copy any necessary libraries. Note that your operating system might include tools to easily populate a chroot, such as jailkit (http:). Check your operating system documentation.

Assigning Chroot Directories

To chroot users, specify the users' root directory as the ChrootDirectory. This entry will lock users into their assigned home directory.
This lets you assign a group of users unique home directories in a shared chroot directory.
Log in as a chrooted user and watch sshd's output. Common issues include missing device nodes, incorrect directory permissions, or a missing shell.

Worms, script kiddies, and other assorted scum would really like to break into your computer. If nothing else, someone wants to run an IRC bot on it. How can you protect your SSH service?
Some people recommend changing the TCP port that sshd runs on. This is a perfect example of security through obscurity. Scanners constantly probe all open ports on all Internet-connected IP addresses, and they're pretty good at figuring out what service is actually running on which port.
Changing ports might buy you a couple of minutes against a dedicated intruder, but no longer. Changing ports can reduce the amount of random noise in your logs, increasing your odds of noticing real problems.
You're better off having your firewall restrict access to known-friendly IP addresses. Similarly, some people suggest changing the sshd banner. You see the banner when you telnet to the SSH port. The banner usually identifies the type of server. SSH clients use the banner to detect any quirks needed for a reliable connection with a particular server.
If you change the banner to report SSH

OpenSSH has built-in protection through privilege separation. Only a small section of sshd runs with root privileges.
Most of the server runs as an unprivileged user. This means that if an intruder successfully breaks into the OpenSSH server, he can only do a limited amount of damage to your system.
It's still really, really annoying, mind you, but not devastating. As with all Internet-facing services, a simple way to limit risk to your SSH service is to reduce the number of IP addresses that can access it. If your server runs a firewall, use it instead.
By only allowing authorized IP addresses on your network to access your SSH server, you block the vast majority of attackers. The most effective way to protect your server, however, is to disable passwords and only allow logins via keys.
We cover access via keys in Chapter 7. We'll return to configuring sshd when we cover particular SSH features, but for now let's examine client-side behavior.

Chapter 4: Verifying Server Keys

If you're paranoid, or if you've been a system administrator for longer than a week, you need to be sure that the server you're actually logging into is the server you think you're logging into.
Server keys help verify a server's identity before you enter your username and password into the wrong machine. Network connections over unencrypted protocols such as telnet are easy to divert to the wrong machine. An intruder who controls a publicly accessible device, such as a server, can make it spoof a different server's identity.
Every user that logs on to the spoof server gives his username and password to the intruder.
This is a classic network attack that is still widespread today; the protocols change, the applications change, but the underlying attack is identical. When properly deployed and used, SSH-2 categorically eradicates these spoofing attacks. Even if an intruder can make one machine resemble another, even if he copies the login prompts and the Web site and the operating system version, the intruder cannot copy the target server's private key unless he already controls the server.
Without the private key, the spoof server cannot decrypt anything sent using the server's public key. SSH server keys verify the server's identity. Every SSH server has a unique public key, as discussed in Chapter 2. The user is expected to compare the fingerprint shown with the server's key fingerprint. If they match, the user tells their SSH client to cache the key and the connection continues. If the keys don't match, the user terminates the connection.
On all subsequent connection attempts to that server, the client compares its cached key to the key presented by the server. If the keys match, the connection continues. If the keys don't match, the client assumes that something has gone wrong.
The client aborts the connection and notifies the user. For SSH server keys to be useful, you must verify that the key shown in the client is the key offered by the server. A public key is several hundred characters long, however. Systems administrators can't realistically ask users to compare hundreds of characters to a list of known-good host keys; most brains automatically dismiss the task as impossible.
It's very possible, but it is tedious and annoying. OpenSSH summarizes public keys with fingerprints.

Key Fingerprints

A key fingerprint is an almost human-readable summary of a public key. View a key's fingerprint with the ssh-keygen program. Use -l to print the fingerprint and -f to specify a key file.
The key is a bit RSA key, and the fingerprint itself is the long string beginning with You and your users will need the fingerprints when first connecting to the server. The simplest way to collect all the fingerprints is to copy the fingerprints to a file, as shown here.
You can use ssh-keyscan to retrieve public key fingerprints from SSH servers, but you must still verify those fingerprints against the server's public key. By the time you do that, you might as well extract the public key fingerprint from the server itself.

Making Host Key Fingerprints Available

A user first connecting to an SSH server should compare the host key fingerprint that appears in their client to a known-good host key fingerprint. They will only do this if the comparison process is easy, however.
The system administrator needs to make fingerprint comparisons simultaneously easy and secure. The easiest way is probably to display the key fingerprints on an encrypted Web site accessible only from within your company or site.
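As an added example (not code from the book or from OpenSSH), the block below derives fingerprints from a public key line the way ssh-keygen -l does, so an administrator can produce the fingerprint list to publish without trusting a remote scan: the fingerprint is a hash of the decoded key blob, printed as an unpadded base64 SHA256 digest by current releases and as colon-separated MD5 hex by older ones. The ed25519-shaped key it builds is a constructed placeholder, not a real key, and the comment address is made up.

```python
"""Derive OpenSSH public key fingerprints from 'type base64 [comment]' lines."""
import base64
import hashlib


def _ssh_string(data: bytes) -> bytes:
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def make_sample_key_line(comment: str = "sample@example.invalid") -> str:
    """Build a constructed 'ssh-ed25519 <base64> comment' line for testing.

    The 32 key bytes are a fixed counting sequence, not real key material.
    """
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str):
    """Return (keytype, blob, comment) from one public key file line."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    comment = parts[2].strip() if len(parts) == 3 else ""
    # The blob starts with a length-prefixed copy of the type; both must agree,
    # otherwise the line has been edited or damaged and is not trustworthy.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type in blob does not match the line's type field")
    return keytype, blob, comment


def fingerprint_sha256(blob: bytes) -> str:
    """SHA256 fingerprint as ssh-keygen -l prints it: base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy MD5 fingerprint: sixteen colon-separated hex byte pairs."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_table(lines):
    """Rows of (keytype, sha256, md5, comment) for the public key lines given,
    skipping blanks and comments: the list an administrator publishes to users."""
    rows = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        keytype, blob, comment = parse_pubkey_line(line)
        rows.append((keytype, fingerprint_sha256(blob), fingerprint_md5(blob), comment))
    return rows


if __name__ == "__main__":
    for row in fingerprint_table([make_sample_key_line()]):
        print("  ".join(row))
```

In practice the input lines come from the server's /etc/ssh/ssh_host_*.pub files, read on the server itself rather than over the network.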