CSCE 815 Network Security Lecture 26 SSH and SSH Implementation April 24, 2003.


Page 1: CSCE 815 Network Security Lecture 26 SSH and SSH Implementation April 24, 2003.

CSCE 815 Network Security Lecture 26

SSH and SSH Implementation

April 24, 2003

Page 2:

– 2 – CSCE 815 Sp 03

Machines to Attack

129.252.140.3

129.252.140.7

NOT!!!

129.252.140.1 - gateway

Page 3:

SSH (Secure Shell)

http://www.openssh.org/

SSH 3.6.1 Released April 1, 2003

OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks

OpenSSH provides a myriad of secure tunneling capabilities, e.g. tunneling X connections

OpenSSH provides a variety of authentication methods.

Port 22 when used over TCP/IP (most common)

Page 4:

SSH Picture

Page 5:

SSH Suite

ssh replaces telnet and rsh

scp (secure copy) which replaces rcp

sftp (secure ftp) which replaces ftp

sshd (secure shell daemon) which is the server

Others: ssh-add, ssh-agent, ssh-keysign, ssh-keyscan, ssh-keygen and sftp-server

Protocols: SSH 1.3 thru SSH 2.0 are supported

Page 6:

OpenSSH SSH client configuration

ssh_config (5) - SSH client configuration files

$HOME/.ssh/config

/etc/ssh/ssh_config

Page 7:

SSH Protocol 2.0

SSH Protocol Architecture - describes the overall design of SSH-2

SSH Transport Layer Protocol - provides a single, full-duplex, flow-controlled, byte-oriented connection from client to server, with privacy, integrity, and man-in-the-middle protection

SSH Authentication Protocol - identifies the client to the server

SSH Connection Protocol - provides richer, application-support services such as TCP port and X forwarding

Page 8:

SSH Architecture

Host Keys - Each server host SHOULD have a host key

Two different trust models can be used:

1. client has a local database that associates each host name with the corresponding public host key

2. host name-to-key association is certified by some trusted certification authority

All implementations SHOULD provide an option to not accept host keys that cannot be verified.

Extensibility - should evolve over time

protocol allows full negotiation of encryption, integrity, key exchange, compression, and public key algorithms and formats
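An added example (not from the lecture) of the first trust model: a lookup against a constructed known_hosts database in OpenSSH's file format, including the hashed-host form, that reports a verified key, a changed key, or an unknown host so that a client configured to refuse unverifiable keys (StrictHostKeyChecking yes) can reject the latter two. The hostnames, salt and key blob are constructed sample values.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample key blob (ssh-ed25519 with an all-zero key); it only
# has to be well-formed for the lookup and fingerprint code to run on it.
_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
SAMPLE_KEY_B64 = base64.b64encode(_BLOB).decode()
OTHER_KEY_B64 = base64.b64encode(_BLOB[:-1] + b"\x01").decode()  # a different key

def hashed_host_field(hostname: str, salt: bytes) -> str:
    """Host field as OpenSSH writes it with HashKnownHosts: |1|salt|HMAC-SHA1(salt, host)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

# Constructed known_hosts contents: one plain entry, one hashed entry.
KNOWN_HOSTS = "\n".join([
    "# local trust database (constructed sample)",
    "gw.example.net,192.0.2.1 ssh-ed25519 " + SAMPLE_KEY_B64,
    hashed_host_field("db.example.net", b"0123456789abcdefghij") + " ssh-ed25519 " + SAMPLE_KEY_B64,
])

def host_matches(field: str, hostname: str) -> bool:
    """Match a plain (comma-separated) or hashed host field against hostname."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return hostname in field.split(",")

def verify_host_key(known_hosts: str, hostname: str, keytype: str, key_b64: str) -> str:
    """'trusted' if the presented key is the recorded one, 'MISMATCH' if the host
    is known with a different key, 'unknown' if absent (strict mode refuses both)."""
    seen = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 3:
            continue
        if host_matches(parts[0], hostname):
            seen = True
            if parts[1] == keytype and hmac.compare_digest(parts[2].encode(), key_b64.encode()):
                return "trusted"
    return "MISMATCH" if seen else "unknown"

def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of the key blob, the value shown to a user on first contact."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
```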

Page 9:

SSH Packets

Minimum packet size is 28

Negligible for large packets, but for character by character a la telnet this is significant

28 + 32 (TCP/IP) + ethernet

But minimum ethernet packet payload size is 46

So the increase over the minimum is 4/46 = ~10%
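As an added illustration (not from the lecture) of where the per-packet overhead comes from, this frames a payload in the SSH-2 binary packet layout from RFC 4253 and measures the result: with 8-byte cipher blocks and a 12-byte (96-bit truncated) MAC a one-byte keystroke frames to exactly 28 bytes, the minimum quoted above, while a 1400-byte payload grows by only about 2%. The MAC bytes are placeholders, not a real HMAC.

```python
import os
import struct

def frame_packet(payload: bytes, block_size: int = 8, mac_len: int = 12) -> bytes:
    """Wrap payload in the SSH-2 binary packet layout (RFC 4253 section 6):
    uint32 packet_length | byte padding_length | payload | random padding | MAC.
    packet_length + 4 must be a multiple of max(8, block_size), with at least
    4 bytes of padding. The MAC is modelled as mac_len placeholder bytes
    (constructed, not a real HMAC) so the size arithmetic can be shown without keys."""
    block = max(8, block_size)
    pad = block - (5 + len(payload)) % block   # 5 = length field + padding_length byte
    if pad < 4:
        pad += block
    packet_length = 1 + len(payload) + pad
    body = struct.pack(">IB", packet_length, pad) + payload + os.urandom(pad)
    return body + b"\x00" * mac_len

def unframe_packet(packet: bytes, mac_len: int = 12) -> bytes:
    """Recover the payload, rejecting packets whose framing is inconsistent."""
    packet_length, pad = struct.unpack(">IB", packet[:5])
    if pad < 4 or len(packet) != 4 + packet_length + mac_len:
        raise ValueError("malformed SSH packet")
    return packet[5:4 + packet_length - pad]

def framed_size(payload_len: int, block_size: int = 8, mac_len: int = 12) -> int:
    """Bytes on the wire (before TCP/IP headers) for a payload of payload_len bytes."""
    return len(frame_packet(b"x" * payload_len, block_size, mac_len))

def overhead_ratio(payload_len: int, block_size: int = 8, mac_len: int = 12) -> float:
    """Wire bytes per payload byte: 28x for a single keystroke, about 1.02x for 1400 bytes."""
    return framed_size(payload_len, block_size, mac_len) / payload_len
```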

Page 10:

SSH Message Numbers

SSH packets have message numbers in the range 1 to 255.

Transport layer protocol:
1 to 19 Transport layer generic (e.g. disconnect, ignore, debug, etc.)
20 to 29 Algorithm negotiation
30 to 49 Key exchange method specific (numbers can be reused for different authentication methods)

User authentication protocol:
50 to 59 User authentication generic
60 to 79 User authentication method specific (numbers can be reused for different authentication methods)

Connection protocol:
80 to 89 Connection protocol generic
90 to 127 Channel related messages

Reserved for client protocols: 128 to 191

Reserved Local extensions: 192 to 255

Page 11:

Authentication requests

Requests
byte - SSH_MSG_USERAUTH_REQUEST
string - user name (in ISO-10646 UTF-8 encoding [RFC2279])
string - service name (in US-ASCII)
string - method name (US-ASCII)
The rest of the packet is method-specific

Response
byte SSH_MSG_USERAUTH_FAILURE
string "authentications that can continue"
boolean partial success

"Authentications that can continue" is a comma-separated list of authentication method names that may productively continue the authentication dialog.
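An added example, not part of the lecture, covering both the message-number ranges on the previous slide and the request/response formats above: it encodes an SSH_MSG_USERAUTH_REQUEST, decodes it and a constructed SSH_MSG_USERAUTH_FAILURE reply, and classifies a message number by range. The numbers 50 and 51 are the values assigned in RFC 4252; the sample method list in the reply is constructed.

```python
import struct

SSH_MSG_USERAUTH_REQUEST = 50   # message numbers from RFC 4252
SSH_MSG_USERAUTH_FAILURE = 51
# Message number ranges exactly as listed on the slide.
MESSAGE_RANGES = [
    (1, 19, "transport layer generic"), (20, 29, "algorithm negotiation"),
    (30, 49, "key exchange method specific"), (50, 59, "user authentication generic"),
    (60, 79, "user authentication method specific"), (80, 89, "connection protocol generic"),
    (90, 127, "channel related"), (128, 191, "reserved for client protocols"), (192, 255, "reserved local extensions"),
]

def message_class(num: int) -> str:
    for lo, hi, name in MESSAGE_RANGES:
        if lo <= num <= hi:
            return name
    raise ValueError("message number %d is outside 1..255" % num)

def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data   # SSH 'string': uint32 length + bytes

def read_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_userauth_request(user: str, service: str, method: str, rest: bytes = b"") -> bytes:
    """byte msgnum | string user (UTF-8) | string service | string method | method-specific rest."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user.encode("utf-8"))
            + ssh_string(service.encode("ascii")) + ssh_string(method.encode("ascii")) + rest)

def parse_userauth_request(msg: bytes) -> dict:
    if msg[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not SSH_MSG_USERAUTH_REQUEST")
    user, off = read_string(msg, 1)
    service, off = read_string(msg, off)
    method, off = read_string(msg, off)
    return {"user": user.decode("utf-8"), "service": service.decode("ascii"),
            "method": method.decode("ascii"), "rest": msg[off:]}

def parse_userauth_failure(msg: bytes) -> dict:
    """byte msgnum | name-list 'authentications that can continue' | boolean partial success."""
    if msg[0] != SSH_MSG_USERAUTH_FAILURE:
        raise ValueError("not SSH_MSG_USERAUTH_FAILURE")
    names, off = read_string(msg, 1)
    return {"can_continue": names.decode("ascii").split(",") if names else [],
            "partial_success": msg[off] != 0}

# Constructed server reply: password is off; publickey or keyboard-interactive may continue.
FAILURE_SAMPLE = bytes([SSH_MSG_USERAUTH_FAILURE]) + ssh_string(b"publickey,keyboard-interactive") + b"\x00"
```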

Page 12:

X Windows Normal Connection

Page 13:

Page 14:

SSH X Connection

1. SSH attempts to connect to port 22 on the remote host

2. SSHD on the machine Remote forks off a child SSHD process. If X11 forwarding is enabled, the process listens on port 6000 + x (first open one)

3. child SSHD now forks off the command received from the original SSH client, usually xterm. SSHD sets the DISPLAY environment variable for xterm to "Remote

4. xterm sends all X information to the fake server on its own host

5. fake SSHD-X server encrypts the X information, then sends it to the SSH client on the Local machine.

6. SSH client decrypts the information and sends it to the real X server

Page 15:

SSH and Proxy Servers in General

Two methods: the "-L" and "-R" options

ssh -L local-port:remote-machine:remote-port \
    remote-machine

This forwards a port (local-port) on the local machine across an encrypted channel to a server port (remote-port) on the remote machine

ssh -R remote-port:remote-machine:local-port \
    remote-machine

command to have a port on a remote host act as a proxy for a local port

Page 16:

Page 17:

SSH References

Implementation SSH 1
http://www.cise.ufl.edu/help-system/ssh/

SSH 3.2 http://www.ssh.com/

Open SSH http://www.openssh.org/

Protocols http://www.snailbook.com/protocols.html