NEbraskaCERT SSH Tricks. Matthew G. Marsh 05/21/03. Overview. SSH What is it How does it work Discussion of Network Topology Tricks for multiple hosts Keys and config files MultiHop tricks Q&A. SSH . What is it

NEbraskaCERT SSH Tricks

Matthew G. Marsh

05/21/03

Overview
  • SSH
    • What is it
    • How does it work
  • Discussion of Network Topology
    • Tricks for multiple hosts
    • Keys and config files
    • MultiHop tricks
  • Q&A
SSH
  • What is it
    • Secure Shell was developed to solve the two most acute problems in the Internet, secure remote terminal logins and secure file transfers.
    • Essentially an encrypted Remote Utilities replacement
  • How does it work
    • Set up and generation of an encrypted TCP connection
    • Authentication can be Password or PubPriv key
    • Arbitrary TCP ports - WKP (well-known port) = 22
  • In this session we will concentrate on SSH1 using key-based authentication
Simple Examples
  • Two hosts
    • 1 has a sshd running on WKP
    • 2 has a client

    root@2: ssh 1
    root@1's password:
    #

  • This allows root to log in remotely using a password - BAD!
  • Better is to set 'PermitRootLogin no' in the sshd_config file
Simple Examples
  • Two hosts - preshared key
    • 1 has a sshd running on WKP
    • 2 has a client

    tech@2: ssh 1
    tech@1$

  • The way to set this up is as follows:

    tech@2$ ssh-keygen -t rsa1 -f /home/tech/.ssh/key4mac1 -N ""
    tech@2$ scp .ssh/key4mac1.pub tech@1:~/.ssh/authorized_keys
    tech@1's password:
    tech@2$ cat > .ssh/config
    Host 1
        User tech
        Protocol 1
        IdentityFile /home/tech/.ssh/key4mac1
        Hostname 10.1.2.1
    ^D

A wee bit less Simple Examples
  • Two hosts - preshared key
    • 1 has a sshd running on port 17
    • 2 has a client

    tech@2: ssh 1
    tech@1$

  • The way to set this up is as follows:

    tech@2$ ssh-keygen -t rsa1 -f /home/tech/.ssh/key4mac1 -N ""
    tech@2$ scp -P17 .ssh/key4mac1.pub tech@1:~/.ssh/authorized_keys
    tech@1's password:
    tech@2$ cat > .ssh/config
    Host 1
        User tech
        Port 17
        Protocol 1
        IdentityFile /home/tech/.ssh/key4mac1
        Hostname 10.1.2.1
    ^D
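
The scp step in the two setups above writes the public key over ~/.ssh/authorized_keys on host 1, replacing any keys already there. As an added example (not from the original slides), the helper below appends instead: it assumes the .pub file was first copied to host 1 under its own name, and add_pubkey and the sample key text are hypothetical.

```shell
# add_pubkey PUBFILE SSHDIR  (hypothetical helper, run on the server)
# Appends each key line of PUBFILE to SSHDIR/authorized_keys unless that
# exact line is already present, and sets 700/600 modes on dir and file.
add_pubkey() {
    pub=$1; dir=$2; auth=$2/authorized_keys
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    # Refuse a private key passed by mistake (key4mac1 instead of key4mac1.pub).
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub looks like a private key" >&2
        return 2
    fi
    ( umask 077; mkdir -p "$dir" && touch "$auth" ) || return 1
    chmod 700 "$dir" && chmod 600 "$auth" || return 1
    while IFS= read -r key || [ -n "$key" ]; do
        [ -n "$key" ] || continue
        grep -qxF -e "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
    done < "$pub"
}

# Constructed demonstration in a scratch directory; key text is placeholder.
demo=$(mktemp -d)
printf '%s\n' '1024 35 1111111111 old@host' > "$demo/authorized_keys"
printf '%s\n' '1024 35 2222222222 tech@2' > "$demo/key4mac1.pub"
add_pubkey "$demo/key4mac1.pub" "$demo"
add_pubkey "$demo/key4mac1.pub" "$demo"   # second run adds nothing
cat "$demo/authorized_keys"
```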

A wee bit less Simple Examples
  • Three hosts - Assume: preshared keys
    • 1 has sshd running on port 17
    • 2 has sshd running on port 27

    tech@3: ssh 2 'ssh 1'
    tech@1$

  • The way to set this up is as follows:

    tech@3$ cat > .ssh/config
    Host 2
        User tech
        Port 27
        Protocol 1
        IdentityFile /home/tech/.ssh/key4mac2
        Hostname 10.1.2.2
    ^D

  • Note you may need ssh -t 2 'ssh -t 1' ... (-t forces a tty to be allocated on each hop)
AN4SCD
  • Buy a copy of “SSH” by Daniel J. Barrett & Richard E. Silverman pub. O’Reilly (ISBN: 0-596-00011-1)
  • Read it
  • I use openssl 0.9.7b with openssh 2.9.9p2
  • I do not use any other version of SSH
  • I use Protocol 1 on purpose
  • I use TCP Wrappers w/ IPv6 extensions
  • I keep tight controls using TCP Wrappers
AN4SCD - 2
  • Static Compile methods

Get the latest openssl

1. Compile it statically with /usr/static as the target directory

./config --openssldir=/usr/static --prefix=/usr/static no-shared

2. Get openssh-2.9.9p2

./configure --prefix=/usr/static --with-ssl-dir=/usr/static --with-ipaddr-display --with-ipv4-default --disable-lastlog --disable-utmp --disable-wtmp

NOTE: this one is the emergency backup so do not use TCP wrappers!

Compile it and install

Now copy over the /etc/ssh/ directory into /usr/static/etc

Edit the sshd config file to change the port so that it does not interfere with the regular ssh

Make sure you also change the paths for the keys!!

Fun Examples
  • Using commands attached to keys
    • On the server define a command in the authorized_keys file associated with a key
    • Format is: command="my/command/string" …key data…

EX:

    command="/bin/ls -al /logs" ABCDEF1234567

Then ssh with the appropriate key will only allow you to execute this command.
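
A check worth running on any server that uses this trick: command= fixes the command, but port, agent and X11 forwarding and pty allocation stay available to that key unless they are switched off with their own options. The audit below is an added example, not part of the original slides; the verdict names and sample lines are constructed, and `restrict` is an option from current OpenSSH rather than the 2.9.9p2 used in the talk.

```shell
# audit_authorized_keys [FILE]   (reads stdin when FILE is omitted)
# Prints "<line number> <verdict>" for every key line:
#   unrestricted   no command= option, the key gets a normal login
#   forced-open    command= set, but forwarding or pty still allowed
#   forced-locked  command= set and forwarding and pty disabled
audit_authorized_keys() {
    awk '
    /^[ \t]*(#|$)/ { next }                 # comments and blank lines
    {
        line = $0; sub(/^[ \t]+/, "", line)
        bare = ""                           # option names, quoted values dropped
        # No options field if the line starts with a key type or a bit count.
        if (line !~ /^(ssh-|ecdsa-|sk-|[0-9]+[ \t])/) {
            inq = 0
            for (i = 1; i <= length(line); i++) {
                c = substr(line, i, 1)
                if (inq && c == "\\") { i++; continue }   # escaped character
                if (c == "\"") { inq = !inq; continue }
                if (inq) continue
                if (c == " " || c == "\t") break          # end of options
                bare = bare c
            }
        }
        b = "," tolower(bare) ","
        forced = index(b, ",command=") > 0
        noall = index(b, ",no-port-forwarding,") &&
                index(b, ",no-agent-forwarding,") &&
                index(b, ",no-x11-forwarding,") && index(b, ",no-pty,")
        reopen = index(b, ",port-forwarding,") ||
                 index(b, ",agent-forwarding,") ||
                 index(b, ",x11-forwarding,") || index(b, ",pty,")
        locked = noall || (index(b, ",restrict,") && !reopen)
        verdict = "unrestricted"
        if (forced) verdict = locked ? "forced-locked" : "forced-open"
        print NR, verdict
    }' "${1:--}"
}
# Constructed sample; key material is placeholder text, not real keys.
sample_keys() {
    cat <<'EOF'
# authorized_keys on host 1 (constructed)
command="/bin/ls -al /logs" 1024 35 1234567890 tech@2
command="/bin/ls -al /logs",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty 1024 35 1234567890 tech@2
ssh-ed25519 AAAAC3PLACEHOLDER admin@2
restrict,command="echo \"no-pty\"" ssh-ed25519 AAAAC3PLACEHOLDER backup@3
EOF
}
sample_keys | audit_authorized_keys
```

Any key reported as forced-open can still be used for tunnelling even though its command is fixed.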

Fun Examples - 2
  • MultiBounce Sessions
    • Using the three hosts example from earlier
  • Consider:

    ssh 1 'ssh 2 /bin/tar -C /home -zc myhomedir/' | tar -zxv

    ssh 1 'ssh 2 "ssh 3 /bin/tar -C /home -zc myhomedir/"' | tar -zxv

Note that there are limits…