slide1 n.
Skip this Video
Loading SlideShow in 5 Seconds..
SSH PowerPoint Presentation
Download Presentation

Loading in 2 Seconds...

play fullscreen
1 / 56

SSH - PowerPoint PPT Presentation

  • Uploaded on

SSH. Secure Shell (and friends) From: SSH. Secure Shell (SSH) Network protocol Allows data to be exchanged over a secure channel between two computers Encryption provides confidentiality and integrity of data

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
    Presentation Transcript
    1. SSH Secure Shell (and friends) From:

    2. SSH • Secure Shell (SSH) • Network protocol • Allows data to be exchanged over a secure channel between two computers • Encryption provides confidentiality and integrity of data • SSH uses public-key cryptography to authenticate the remote computer • Allows the remote computer to authenticate the user, if necessary

    3. SSH • Typically used to log into a remote machine and execute commands • Supports tunneling • Forwards arbitrary TCP ports and X11 connections • Can transfer files using the associated SFTP or SCP protocols

    4. SSH • An SSH server • Listens on TCP port 22 (default) • ssh client program establishes connections to an sshd daemon on an accepting remote connections • Both typically available for current OSs • Mac OS X, Linux, Solaris, OpenVMS, … • Proprietary, freeware and open source versions of various levels of complexity and completeness exist

    5. History

    6. History • SSH-1 • 1995: Tatu Ylönen designed the first version of the protocol (SSH-1) • Prompted by a password-sniffing attack at his university’s network • Goal of SSH was to replace the earlier rlogin, TELNET and rsh protocols • Did not provide strong authentication or guarantee confidentiality • Ylönen released his implementation as freeware in July 1995 • Tool quickly gained in popularity • Towards the end of 1995, the SSH user base had grown to 20,000 users in fifty countries. • December 1995: Ylönen founded SSH Communications Security to market and develop SSH. • Original version of the SSH software used various pieces of free software • such as GNU libgmp • Later versions released by SSH Secure Communications evolved into increasingly proprietary software

    7. History • SSH-2 • 1996: SSH-2 designed • incompatible with SSH-1. • SSH-2 featured both security and feature improvements over SSH-1 • Better security through Diffie-Hellman key exchange • Strong integrity checking via message authentication codes • New features of SSH-2 included the ability to run any number of shell sessions over a single SSH connection

    8. History • 1999: developers wanted a free software version • Went back to the 1.2.12 release of the original ssh program • Last released under an open source license • BjörnGrönvall's OSSH developed from this codebase • OpenBSD developers forkedBjörn's code • Extensive work done • Created OpenSSH • Shipped with the 2.6 release of OpenBSD • “Portability" branch was formed to port OpenSSH to other operating systems • At the end of 2000 • Estimated 2,000,000 users of SSH

    9. History • As of 2005 • OpenSSH is the single most popular ssh implementation • Default in a large number of operating systems • OSSH has become obsolete • SSH-2 protocol • Became a proposed Internet standard in 2006 • Publication by the IETF "secsh" working group of RFCs

    10. Uses of SSH

    11. most common SSH uses:

    12. Uses of SSH: • With an SSH client that supports terminal protocols • Remote administration • Of the SSH server computer • Via terminal (character-mode) console • Can be used as an alternative to a terminal on a headless server • In combination with SFTP, as a secure alternative to FTP • Can be set up more easily on a small scale without a public key infrastructure and X.509 certificates • In combination with rsync to backup, copy and mirror files efficiently and securely • In combination with SCP • A secure alternative for rcp file transfers • More often used in environments involving Unix

    13. Uses of SSH • Port forwarding or tunneling • Frequently as an alternative to a full-fledged VPN • A (non-secure) TCP/IP connection of an external application is redirected to the SSH program (client or server) • Forwards it to the other SSH party (server or client) • In turn forwards the connection to the desired destination host • Forwarded connection is encrypted and protected on the path between the SSH client and server only • Uses of SSH port forwarding include accessing database servers, email servers, securing X11, Windows Remote Desktop and VNC connections or even forwarding Windows file shares • Primarily useful for tunneling connections through firewalls • Ordinarily block that type of connection • Encrypting protocols which are not normally encrypted • e.g. VNC

    14. Uses of SSH • ssh and rdesktop • Three computers • Computer to run rdesktop and ssh • Computer to obtain access to a remote network • Computer to display rdesktop • "ssh –L" • log into the middle computer and do nothing on it • Open another shell from the first computer running ssh and type rdesktoplocalhost • This example uses the middle computer to port forward 3389 from the end computer to the first computer. • If on Windows, run ssh using another local port, e.g. • "ssh" • Start the native Windows Remote Desktop client and type localhost:3390 to remote into ""

    15. Uses of SSH • Log into one machine from your local host • Login from there to another machine • Run an X application (eg. xterm, matlab) on the last machine to display on your local display • Especially useful for running X applications on a department host from off campus • Had to connect through another department host which is available for ssh login through the campus firewall • Channel the X-window through a series of logins back to the host at which you are sitting • Best way to do this is to make use of the X11-forwarding feature of ssh • For unix/linux to unix/linux, force an X11-forwarding request with the '-X' option (capitalized x). ssh -X

    16. Uses of SSH • X11-forwarding for through multiple hosts • ssh -X → ssh -X → ssh -X • ensure the tunnel is working every step of the way by running something like xterm on host B then C • If this does not work the -Y may be needed • ssh -X -Y → ssh -X -Y → ssh -X -Y • Use an SSH client that supports dynamic port forwarding (presenting to other programs a SOCKS or HTTP 'CONNECT' proxy interface) • SSH can be used to generally browse the web through an encrypted proxy connection • use the SSH server as a proxy

    17. Uses of SSH • Automated remote monitoring and management of servers • with an SSH client that supports SSH exec requests • frequently embedded in other software, e.g. a network monitoring program • SSH Filesystem • Securely mount a directory on the server • Acts as a filesystem on the local computer • Use normal ssh login on a server

    18. SSH architecture

    19. SSH architecture • The SSH-2 protocol has a clean internal architecture with well-separated layers: • Transport Layer • User Authentication Layer • Connection Layer • Defined in RFC 4251

    20. SSH architecture – Transport Layer • The transport layer (RFC 4253) • Handles initial key exchange and server authentication • Sets up encryption, compression and integrity verification • Exposes to the upper layer an interface for sending and receiving plaintext packets of up to 32,768 bytes each • More can be allowed by the implementation • Transport layer also arranges for key re-exchange • After 1 GB of data has been transferred - or - • After 1 hour has passed • Whichever is sooner

    21. SSH architecture – User Authentication Layer • User authentication layer (RFC 4252) • Handles client authentication • Provides number of authentication methods • Authentication is client-driven • Commonly misunderstood by users • When prompted for a password • May be the SSH client prompting • Not the server • Server responds to client's authentication requests

    22. SSH architecture – User Authentication Layer • Widely used user authentication methods include the following: • "password" • "publickey" • "keyboard-interactive” • GSSAPI authentication

    23. SSH architecture – User Authentication Layer • "password“ style • Method for straightforward password authentication • Includes a facility allowing a password to be changed • Method not implemented by all programs

    24. SSH architecture – User Authentication Layer • "publickey" style • Method for public key-based authentication • Usually supporting at least DSA or RSAkeypairs • Other implementations also supporting X.509 certificates

    25. SSH architecture – User Authentication Layer • "keyboard-interactive" style • Server sends one or more prompts to enter information • Client displays them • Sends back responses keyed-in by the user • Used to provide one-time password authentication such as S/Key or SecurID. • Used by some OpenSSH configurations when PAM is the underlying host authentication provider to effectively provide password authentication • Sometimes leads to inability to log in with a client that supports just the plain "password" authentication method

    26. SSH architecture – User Authentication Layer • GSSAPI authentication methods • Provide an extensible scheme to perform SSH authentication using external mechanisms such as Kerberos 5 or NTLM, providing single sign on capability to SSH sessions. • Used by commercial SSH implementations • Used in organizations • Note: OpenSSH does have a working GSSAPI implementation

    27. SSH architecture – Connection Layer • Connection layer (RFC 4254) • Defines the concept which SSH services are provided: • channels • channel requests • global requests • Single SSH connection can host multiple channels simultaneously • Each transfers data in both directions • Channel requests are used to relay out-of-band channel specific data • Such as the changed size of a terminal window or the exit code of a server-side process

    28. SSH architecture – Connection Layer • SSH client requests a server-side port to be forwarded using a global request • Standard channel types include: • "shell" for terminal shells, SFTP and exec requests (including SCP transfers) • "direct-tcpip" for client-to-server forwarded connections • "forwarded-tcpip" for server-to-client forwarded connections

    29. SSH architecture • Open architecture provides considerable flexibility • Allows SSH to be used for a variety of purposes beyond secure shell • Functionality of the transport layer alone is comparable to TLS • User authentication layer is highly extensible with custom authentication methods; • Connection layer provides the ability to multiplex many secondary sessions into a single SSH connection • a feature comparable to BEEP and not available in TLS

    30. Security cautions

    31. Security cautions • SSH-1 has inherent design flaws which make it vulnerable to man-in-the-middle type attacks • Avoid by explicitly disabling fallback to SSH-1 • Most modern servers and clients support SSH-2 • Some organizations still use software with no support for SSH-2 • SSH-1 cannot always be avoided

    32. Security cautions • In all versions of SSH • Important to verify unknown public keys before accepting them as valid • Accepting an attacker's public key as a valid public key has the effect of disclosing the transmitted password and allowing man in the middle attacks

    33. Security cautions • As with any encrypted protocol: • SSH can be considered a security risk by companies or governments who do not trust their users • Wish to eavesdrop on their communications • SSH has built in tunneling features • make it easier for users to achieve passage of large volumes of information • establish an entry point for unauthorized inward access over a SSH link • Not using the other protocols

    34. How SSH uses public-key cryptography

    35. How SSH uses public-key cryptography (with analogy) • First, a pair of cryptographic keys is generated • One is the private key, the other is the public key. • As an analogy, think of as a matching private-key and a public padlock • The public padlock is what is installed on the remote machine • Used by ssh to authenticate users using the matching private key • As a user of the system, don’t care who can see or copy the padlock (i.e. the public key) • Only the secret private key fits it • Private key is the part you keep secret inside a secure box • Can only be opened with the correct passphrase • When the user wants to access a remote system • opens the secure box with his passphrase • uses the private-key to authenticate him with the padlock on the remote computer • Neither the passphrase nor the private key leave the user's machine • User still needs to trust the local machine • not to scrape his passphrase • copy his private-key while it's out of the secure box

    36. SCP

    37. SCP • Secure Copy • A means of securely transferring computer files using the Secure Shell (SSH) protocol • between a local computer and a remote host • between two remote hosts • SCP can refer to two related things: • SCP protocol • SCP program

    38. SCP protocol • The SCP protocol is similar to the BSD rcp protocol • Unlike rcp, data is encrypted during transfer • Avoid potential packet sniffers extracting usable information from the data packets • Protocol itself does not provide authentication and security • Relies on an underlying protocol, SSH, to provide these features

    39. SCP protocol • SCP can interactively request any passwords or passphrases required to make a connection to a remote host • Unlike rcp which fails in this situation • SCP protocol implements file transfers only • Does by connecting to the host • using SSH • executes an SCP server (scp) • SCP server program is typically the same program as the SCP client

    40. SCP • Base command: • scp [ [user@]host1:]file1 ... [ [user@]host2:]file2 • Complete syntax: • scp[-1246BCpqrv] [-ccipher] [-Fssh_config] [-iidentity_file] [-llimit] [-ossh_option] [-Pport] [-Sprogram] [ [user@]host1:]file1 ... [ [user@]host2:]file2 • Notes: • Can copy: • Remote to local • Local to remote • Remote1 to remote2

    41. SCP protocol • For upload: • Client feeds the server with files to be uploaded • Optionally including their basic attributes • Permissions • Timestamps • An advantage over the common FTP protocol • FTP does not have provision for uploads to include the original date/timestamp attribute

    42. SCP protocol • For downloads • Client sends a request for files or directories to be downloaded • Server feeds the client with its subdirectories and files • Download is server-driven • Imposes a security risk when connected to a malicious server

    43. SCP protocol • For most applications, the SCP protocol is superseded by the more comprehensive SFTP protocol • Also based on SSH

    44. SCP program • Client implementing the SCP protocol • Program to perform secure copying • Most widely used SCP client • CLI scp program • Provided in most SSH implementations • scp program is the secure analog of the rcp command • scp program must be part of all SSH servers that want to provide SCP service • scp functions as SCP server too

    45. SCP program • Some SSH implementations provide the scp2 program • Uses the SFTP protocol instead of SCP • Provides same command line interface as scp • scp is typically a symbolic link to scp2 • Syntax of the scp program is like that of cp: • Simple examples: • scp SourceFileuser@host:directory/TargetFilescp user@host:folder/SourceFileTargetFile

    46. SCP program • As the SCP protocol implements file transfers only, GUI SCP clients are rare • Implementing it requires additional functionality • Directory listing at least • For example, WinSCP defaults to the SFTP protocol. • Even when operating in SCP mode, clients like WinSCP are typically not pure SCP clients • They must use other means to implement the additional functionality • This in turn brings platform-dependency problems • Thus it may not be possible to work with a particular SCP server using a GUI SCP client • Even if you are able to work with the same server using a traditional command line client • More comprehensive tools for managing files over SSH are SFTP clients

    47. SFTP

    48. SFTP • SSH File Transfer Protocol • A network protocol that provides file transfer and manipulation functionality over any reliable data stream • It is typically used with the SSH-2 protocol (TCP port 22) to provide secure file transfer • Intended to be usable with other protocols as well

    49. Capabilities • The SFTP protocol allows for a range of operations on remote files • More like a remote file system protocol • SFTP client's extra capabilities compared to SCP client’s include: • Resuming interrupted transfers • Directory listings • Remote file removal • For the same reason it is reasonable to implement a GUI SFTP client, but not a GUI SCP client

    50. Capabilities • SFTP attempts to be more platform-independent than SCP • With SCP, the expansion of wildcards specified by the client was up to the server • SFTP's design avoids this problem • While SCP was most frequently implemented on Unix platforms, there exist SFTP servers for most platforms • A common misconception is that SFTP is simply FTP run over SSH • In fact it is a new protocol designed from the ground up by the IETF SECSH working group. • It is sometimes confused with Simple File Transfer Protocol