Phil Hurvitz, phurvitz@u.washington.edu, http://lobo.cfr.washington.edu
phil@nwgeospatial.com, http://www.nwgeospatial.com
Securing UNIX Servers with the Secure Shell (ssh)
General Overview
• What does any of this have to do with GIS?!
• What this paper is (and is not)
• Who this paper is for (and is not)
• The Secure Shell (ssh)
What does any of this have to do with GIS?!
• Many organizations, most notably those needing “industrial strength” GIS, still use UNIX
• Many components of the network still rely on UNIX servers
What this paper is
• An introduction to securing UNIX servers, clients, and networks with the Secure Shell (ssh)
• A description of typical ssh setup
• An overview of some sample Windows ssh clients
What this paper is not
• A general discussion of UNIX security
• A detailed introduction to all of ssh functionality (for details, see http://www.ssh.com)
Who this paper is for
• Anyone administering UNIX servers
• Anyone using UNIX servers who is concerned about security
Who this paper is not for
• UNIX security experts
• People not using UNIX as “active” clients or servers
• People using UNIX only as anonymous ftp or http servers
Detailed Overview
• Why use ssh?
• What is ssh?
• How does ssh work?
• Setting up ssh
• Running ssh as a process on the UNIX server
• User setup (key generation)
• Tunneling other services through ssh
• Windows ssh clients
Why Use ssh?
• Out-of-the-box UNIX networking is inherently insecure
[diagram: client/server connections, each labeled INSECURE]
Why Use ssh?
• Why is out-of-the-box UNIX networking inherently insecure?
• User-IDs and passwords are sent across the wire in CLEAR TEXT!
Out-of-the-box UNIX Networking
Client (UNIX, Wintel) and Server (UNIX):
• Client: request for login, X, or file services
• Server: service “wakes up”
• Server: request for user-id; request for password (service offers authentication challenge)
• Client: client responds with user-id & password (user-id and password sent across wire in clear text)
• Server: server authenticates and provides service
• Client: client uses service
How Insecure is Telnet or ftp?
• Any UNIX machine on the subnet can log user-ids and passwords from ftp or telnet sessions
• Use of snoop, sniffit, snort, or other packet sniffers
[diagram: a Linux machine on the same subnet running snoop as root]
How Insecure is Telnet or ftp?
[screenshot: telnet login with user-id phurvitz and a masked password prompt]
How Insecure is Telnet or ftp?
space:~tmp/log:172# snoop -i snoop.out
23 0.00026 badass -> lobo TELNET R port=34844 login:
25 1.70087 lobo -> badass TELNET C port=34844 p
28 0.25049 lobo -> badass TELNET C port=34844 h
30 0.03874 lobo -> badass TELNET C port=34844 u
33 0.02809 lobo -> badass TELNET C port=34844 r
36 0.17347 lobo -> badass TELNET C port=34844 v
39 0.06427 lobo -> badass TELNET C port=34844 i
42 0.06775 lobo -> badass TELNET C port=34844 t
45 0.16108 lobo -> badass TELNET C port=34844 z
50 0.04550 lobo -> badass TELNET C port=34844
51 0.00027 badass -> lobo TELNET R port=34844 Password:
53 1.06545 lobo -> badass TELNET C port=34844 f
55 0.20479 lobo -> badass TELNET C port=34844 u
57 0.13032 lobo -> badass TELNET C port=34844 c
59 0.41778 lobo -> badass TELNET C port=34844 k
61 0.19929 lobo -> badass TELNET C port=34844 m
63 0.04144 lobo -> badass TELNET C port=34844 e
65 0.95020 lobo -> badass TELNET C port=34844 !
75 0.13021 badass -> lobo TELNET R port=34844 Login incorrect\r\n
How Insecure is Telnet or ftp?
space:~tmp/log:172# snoop -i snoop.out
1 0.00000 lobo -> badass FTP C port=34851
2 0.00046 badass -> lobo FTP R port=34851
3 0.00039 lobo -> badass FTP C port=34851
8 0.10195 badass -> lobo FTP R port=34851 220 wa-node FTP serv
9 0.00034 lobo -> badass FTP C port=34851
10 2.47434 lobo -> badass FTP C port=34851 USER phurvitz\r\n
11 0.00025 badass -> lobo FTP R port=34851
12 0.01501 badass -> lobo FTP R port=34851 331 Password require
13 0.04388 lobo -> badass FTP C port=34851
17 4.49758 lobo -> badass FTP C port=34851 PASS oh-shit\r\n
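The two captures above show the exposure. As an added example (not part of the original slides), the shell functions below run over a snoop summary in the same one-packet-per-line layout and list every clear-text login event, reporting client, server, port and account but never the password itself. The sample records are constructed for the example: the hostnames follow the slides, the account and password are placeholders. An inventory like this is how an administrator finds the telnet and ftp users who still have to be moved to ssh.

```shell
#!/bin/sh
# Added example (not from the original slides): audit a "snoop -i file"
# summary for clear-text logins so the hosts still using telnet and ftp
# can be found and moved to ssh. Reports who logged in where, never the
# password. Expected record layout, one packet per line, as in the slides:
#   <no> <delta> <src> -> <dst> <PROTO> <C|R> port=<n> <payload ...>

# write_sample_snoop FILE -- constructed sample in snoop's summary format
# (hostnames follow the slides; account and password are placeholders)
write_sample_snoop() {
    cat > "$1" <<'EOF'
1 0.00000 lobo -> badass FTP C port=34851
8 0.10195 badass -> lobo FTP R port=34851 220 wa-node FTP serv
10 2.47434 lobo -> badass FTP C port=34851 USER alice\r\n
12 0.01501 badass -> lobo FTP R port=34851 331 Password require
17 4.49758 lobo -> badass FTP C port=34851 PASS placeholder-secret\r\n
23 0.00026 badass -> lobo TELNET R port=34844 login:
51 0.00027 badass -> lobo TELNET R port=34844 Password:
53 1.06545 lobo -> badass TELNET C port=34844 f
EOF
}

# cleartext_logins FILE -- one line per clear-text authentication event
cleartext_logins() {
    awk '
        # FTP: the account name travels in USER, the password in PASS.
        $6 == "FTP" && $9 == "USER" {
            user = $10; sub(/\\r\\n$/, "", user)
            print "ftp    " $3 " -> " $5 " " $8 " user=" user; next
        }
        $6 == "FTP" && $9 == "PASS" {
            # the password is in $10; deliberately not printed
            print "ftp    " $3 " -> " $5 " " $8 " password-sent"; next
        }
        # telnet: after the server prompt (server -> client), every
        # keystroke of the password crosses the wire as its own packet.
        $6 == "TELNET" && $9 == "Password:" {
            print "telnet " $5 " -> " $3 " " $8 " password-prompt"
        }
    ' "$1"
}

# count_cleartext_logins FILE -- number of events, handy for scripting
count_cleartext_logins() { cleartext_logins "$1" | wc -l | tr -d ' '; }

# Usage: snoop -i snoop.out > summary.txt; cleartext_logins summary.txt
```

The awk script keys on the protocol and command fields rather than on the payload text, so a capture from a busy subnet produces one line per login attempt and nothing else; the PASS record is counted but its argument is never echoed, which keeps the audit output itself from becoming another copy of the credentials.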
What is ssh?
• A method to avoid passing clear text user-ids & passwords
• A method of using strong (e.g., 1024 bit) encryption for user authentication
• A replacement for telnet, rsh, rlogin, rcp
• A method of encrypting arbitrary TCP/IP data transmissions (e.g., X11, ftp, Z39.50)
How Does ssh Work?
• Uses public key encryption
• Encryption key is public, but decryption key is private
• User-ids and passwords are never passed in clear text
ssh UNIX Networking
Client (UNIX, Wintel) and Server (UNIX):
• Client: request for login, X, or file services
• Server: ssh service “wakes up”
• Server: request for user-id; request for passphrase (ssh service offers authentication challenge)
• Client: client responds with user-id & passphrase (user-id and passphrase sent across wire 1024-bit encrypted)
• Server: passphrase and public key are compared against private key
• Client: client uses service; subsequent communication is encrypted
Setting Up ssh
• Download
• Compile
• Enable ssh1 compatibility
Downloading ssh
• Visit www.ssh.com or mirror
• Get latest ssh1 and ssh2 server/client tarballs
• Get latest Windows ssh client
Setting Up ssh
• Compile ssh1
• Compile ssh2
root@badass 175# ./configure --with-x
loading cache ./config.cache
checking distribution consistency... done
checking host system type... sparc-sun-solaris2.7
...
root@badass 176# make
make all-recursive
Making all in lib
Making all in sshutil
Making all in sshcore
Making all in sshadt
...
root@badass 176# make install
...
Setting Up ssh
• Enable ssh1 compatibility
root@badass 120# grep -i ssh1 ssh2_config
...
Ssh1Compatibility yes
Ssh1Path /usr/local/bin/ssh1
...
root@badass 121# grep -i ssh1 sshd2_config
...
Ssh1Compatibility yes
Sshd1Path /usr/local/bin/ssh1
...
Running ssh as a process on the UNIX server
• Set up as daemon to start at boot, or
• Set up as inetd process
• “Encase” in TCP Wrappers
Setting Up ssh as a Daemon
• Create/copy an existing startup script in /etc/init.d
• Create a symlink to S... and K... scripts in /etc/rc3.d
• Start the sshd daemon
• The sshd daemon will respond to incoming ssh requests
• sshd will offer an authentication challenge across an encrypted channel
• sshd will spawn a new shell, but across an encrypted channel
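An added example (not from the original slides) of the daemon setup just listed: install_sshd_rc writes a System V style start/stop script into ROOT/etc/init.d and links it as S... and K... entries in ROOT/etc/rc3.d, and rc_links_ok verifies the result. ROOT defaults to / and can be pointed at a scratch directory to stage and inspect the files first. The sshd path /usr/local/sbin/sshd matches the install prefix used elsewhere in the slides; the pid file location and the sequence numbers S75/K25 are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original slides): install an /etc/init.d
# start/stop script for sshd plus the S/K symlinks in /etc/rc3.d, the
# System V layout the slide describes. ROOT (first argument) defaults to /;
# a scratch ROOT lets you stage and inspect the files before going live.
# Assumptions: sshd lives at /usr/local/sbin/sshd (override with SSHD_BIN),
# writes /var/run/sshd.pid, and S75/K25 are suitable sequence numbers.

# install_sshd_rc [ROOT]
install_sshd_rc() {
    root=${1:-}
    sshd_bin=${SSHD_BIN:-/usr/local/sbin/sshd}
    initd="$root/etc/init.d"
    rc3="$root/etc/rc3.d"
    mkdir -p "$initd" "$rc3"

    # The script itself. stop kills the pid from the pid file instead of
    # grepping the process table, so it never signals the wrong process.
    cat > "$initd/sshd" <<EOF
#!/bin/sh
# Start/stop script for sshd (System V style), written by install_sshd_rc
SSHD=$sshd_bin
PIDFILE=/var/run/sshd.pid
case "\$1" in
    start)
        [ -x "\$SSHD" ] || { echo "\$SSHD: not found" >&2; exit 1; }
        echo "Starting sshd"
        "\$SSHD"
        ;;
    stop)
        if [ -r "\$PIDFILE" ]; then
            echo "Stopping sshd"
            kill "\$(cat "\$PIDFILE")"
        fi
        ;;
    restart)
        "\$0" stop
        sleep 1
        "\$0" start
        ;;
    *)
        echo "Usage: \$0 {start|stop|restart}" >&2
        exit 1
        ;;
esac
EOF
    chmod 755 "$initd/sshd"

    # S75 starts sshd after networking is up; K25 stops it early on the way
    # down. Relative targets stay valid if a staged ROOT is copied to /.
    ln -sf ../init.d/sshd "$rc3/S75sshd"
    ln -sf ../init.d/sshd "$rc3/K25sshd"
}

# rc_links_ok [ROOT] -- 0 if the script exists and both links resolve to it
rc_links_ok() {
    root=${1:-}
    [ -x "$root/etc/init.d/sshd" ] &&
    [ -L "$root/etc/rc3.d/S75sshd" ] && [ -x "$root/etc/rc3.d/S75sshd" ] &&
    [ -L "$root/etc/rc3.d/K25sshd" ] && [ -x "$root/etc/rc3.d/K25sshd" ]
}

# Usage as a script: sh this_file.sh --install [ROOT]
case "${1:-}" in
    --install) install_sshd_rc "${2:-}" && rc_links_ok "${2:-}" ;;
esac
```

Staging into a scratch ROOT first (for example `sh this_file.sh --install /tmp/stage`) lets you read the generated script and `sh -n` it before anything touches /etc; the start branch refuses to run if the sshd binary is missing, so a typo in the install prefix shows up at the first boot test rather than as a silently absent service.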
Setting Up ssh as an inetd Process
• Alter the /etc/inet/inetd.conf file:
ssh stream tcp nowait root \
/usr/local/sbin/sshd sshd -I
• Alter the /etc/inet/services file:
ssh 22/tcp
• Restart the inetd daemon
• A new ssh process will start for each client request
“Encasing” ssh in TCP Wrappers
• Compile with TCP Wrapper support:
./configure \
--with-libwrap=/usr/local/lib/libwrap.a
• Alter Makefile:
-I/PATHOF/tcpwrappers
WRAPLIBS = -L/PATHOF/tcpwrappers -lwrap
• Alter /etc/hosts.allow and /etc/hosts.deny
• Run ssh2 as a daemon
• Connections will be logged to /var/log/syslog
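An added example (not from the original slides) of the hosts.allow and hosts.deny step: a default-deny policy for the ssh daemon and a small evaluator that answers "would libwrap admit this client?" before the rules go live. It follows the documented hosts_access order: hosts.allow is read first and the first match allows; then hosts.deny and the first match denies; otherwise the connection is allowed, which is why hosts.deny should end in ALL : ALL. The daemon name sshd2, the network 192.0.2. and the host admin.example.edu are assumptions for the example; the matcher handles ALL, exact names, "net." prefixes and ".domain" suffixes only, not EXCEPT clauses or netmasks.

```shell
#!/bin/sh
# Added example (not from the original slides): a default-deny TCP Wrappers
# policy for sshd and an evaluator for it. Evaluation order, as documented
# for libwrap: hosts.allow first (first match allows), then hosts.deny
# (first match denies), otherwise allow. Pattern support is a subset of
# hosts_access(5): ALL, exact host/address, "net." prefix, ".domain" suffix.
# The daemon name sshd2 and the addresses below are assumptions.

# write_wrapper_policy DIR -- writes DIR/hosts.allow and DIR/hosts.deny
write_wrapper_policy() {
    cat > "$1/hosts.allow" <<'EOF'
# ssh only from the campus network and the admin workstation (constructed values)
sshd2 : 192.0.2. admin.example.edu
EOF
    cat > "$1/hosts.deny" <<'EOF'
# everything else is refused; libwrap logs the refusal to syslog
ALL : ALL
EOF
}

# wrapper_decision DIR DAEMON CLIENT -- prints "allow" or "deny"
wrapper_decision() {
    awk -v daemon="$2" -v client="$3" '
        function pat_match(pattern, value) {
            if (pattern == "ALL" || pattern == value) return 1
            # "192.0.2." matches any address beginning with that prefix
            if (pattern ~ /\.$/ && index(value, pattern) == 1) return 1
            # ".example.edu" matches any host name ending in that suffix
            if (pattern ~ /^\./ &&
                substr(value, length(value) - length(pattern) + 1) == pattern) return 1
            return 0
        }
        # does the current line (daemon_list : client_list) match the query?
        function line_matches(   f, d, c, nd, nc, i, j) {
            sub(/#.*/, "")                       # strip comments
            if ($0 !~ /:/) return 0
            split($0, f, ":")
            nd = split(f[1], d, /[ \t,]+/)
            nc = split(f[2], c, /[ \t,]+/)
            for (i = 1; i <= nd; i++) {
                if (d[i] == "" || !pat_match(d[i], daemon)) continue
                for (j = 1; j <= nc; j++)
                    if (c[j] != "" && pat_match(c[j], client)) return 1
            }
            return 0
        }
        FILENAME ~ /hosts\.allow$/ && line_matches() { decided = 1; print "allow"; exit }
        FILENAME ~ /hosts\.deny$/  && line_matches() { decided = 1; print "deny";  exit }
        END { if (!decided) print "allow" }   # no rule matched: libwrap allows
    ' "$1/hosts.allow" "$1/hosts.deny"
}

# Usage: write_wrapper_policy /etc; wrapper_decision /etc sshd2 192.0.2.17
```

The name libwrap checks is the daemon's process name, so the hosts.allow entry must use whatever sshd is actually invoked as (sshd2 for the ssh2 daemon, sshd for ssh1). The last test case below shows the failure mode the default-deny line prevents: with an empty hosts.deny, a daemon that no allow rule mentions is admitted from anywhere.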
User Setup
• Create key pairs
• Set up important authorization files
• Copy public keys to remote hosts
Create key pairs
• ssh-keygen and/or ssh-keygen2 (creates private key and public key)
• Only owner has private key
• Public key is available to anyone
• Data are encrypted with public key
• Decryption is possible only with the private key
• Private key is encrypted with the passphrase in case of file system security breach
Setup of Authorization Files under ssh1
• Copy all personal public keys to ~/.ssh/authorized_keys
Setup of Authorization Files under ssh2
• Edit a few important files in ~/.ssh2
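An added example (not from the original slides) covering both the ssh1 and the ssh2 authorization files: install_ssh1_key appends a public key to ~/.ssh/authorized_keys without duplicating it on re-runs; install_ssh2_key drops the key file into ~/.ssh2 and names it in ~/.ssh2/authorization (ssh2 lists key files with "Key <file>" lines rather than the keys themselves); key_files_private checks that nothing in either directory is group or world accessible, since sshd refuses keys it finds in loosely permissioned files. The home directory is a parameter so the functions can be tried in a scratch directory; the key material is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the original slides): install a user's public key
# for ssh1 (~/.ssh/authorized_keys) and ssh2 (~/.ssh2/authorization, which
# lists key files, plus the key file itself), with owner-only file modes.
# HOME_DIR is a parameter so this can be exercised in a scratch directory.
# All key material here is a constructed placeholder, not a real key.

# install_ssh1_key HOME_DIR PUBKEY_LINE -- idempotent append
install_ssh1_key() {
    dir="$1/.ssh"
    ( umask 077; mkdir -p "$dir"; touch "$dir/authorized_keys" )
    # whole-line fixed-string match, so re-running never duplicates the key
    grep -qxF -- "$2" "$dir/authorized_keys" ||
        printf '%s\n' "$2" >> "$dir/authorized_keys"
    chmod 700 "$dir"; chmod 600 "$dir/authorized_keys"
}

# install_ssh2_key HOME_DIR KEYFILE_NAME PUBKEY_FILE
# ssh2 keeps each public key in its own file under ~/.ssh2 and names it in
# ~/.ssh2/authorization with a "Key <file>" line.
install_ssh2_key() {
    dir="$1/.ssh2"
    ( umask 077; mkdir -p "$dir"; touch "$dir/authorization" )
    cp "$3" "$dir/$2"
    grep -qxF -- "Key $2" "$dir/authorization" ||
        printf 'Key %s\n' "$2" >> "$dir/authorization"
    chmod 700 "$dir"; chmod 600 "$dir/$2" "$dir/authorization"
}

# write_sample_ssh2_pubkey FILE -- constructed placeholder in the ssh2
# public-key file layout (not a usable key)
write_sample_ssh2_pubkey() {
    cat > "$1" <<'EOF'
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "constructed placeholder, not a real key"
AAAAplaceholderplaceholderplaceholderplaceholder
---- END SSH2 PUBLIC KEY ----
EOF
}

# mode_of PATH -- first ten columns of ls -l, portable across ls variants
mode_of() { ls -ld "$1" | cut -c1-10; }

# key_files_private HOME_DIR -- 0 if nothing under ~/.ssh or ~/.ssh2 is
# readable or writable by group or other; sshd rejects such files
key_files_private() {
    for p in "$1/.ssh" "$1/.ssh/authorized_keys" "$1/.ssh2" "$1/.ssh2/authorization"; do
        [ -e "$p" ] || continue
        case "$(mode_of "$p")" in
            ?rw?------) ;;                       # drwx------ or -rw-------
            *) echo "bad mode on $p: $(mode_of "$p")" >&2; return 1 ;;
        esac
    done
    return 0
}

# count_keys FILE -- number of non-empty lines (keys, or Key entries)
count_keys() { grep -c . "$1" || true; }
```

The umask subshell matters more than it looks: without it the first touch creates authorized_keys with the user's default umask, and a group-readable window exists between creation and the chmod. Running key_files_private after every key change is a cheap way to catch the most common cause of "key ignored, password prompt anyway".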
Tunneling Other Services Through ssh
[diagram: MS or UNIX client connected by ssh to a UNIX server; the many tcp connections between them travel inside the ssh tunnel, and a sniffer on the network sees none of them: the network is “shielded” by ssh]
Tunneling X11 Through ssh
• Native X11 is an insecure channel, however, ...
• X11 can be tunneled through ssh
• X11 forwarding must be compiled in (default)
• DISPLAY variable should not be set manually
• New DISPLAY variable will be “host:X.0” (where X > 0)
• X11 displays will forward from host to client through ssh
• If local X server is running (e.g., eXceed), X displays are automatically forwarded to PC
• X11 tunneling is default behavior if X11 support is compiled in:
ssh +x host
Tunneling ftp Through ssh
UNIX client
• Set up a forwarded port:
myhost% ssh -L 1234:host:21 host
myhost% ftp localhost 1234
• ftp transmissions take place through encrypted channel
Windows client
• Use client’s tcp forwarding (discussed later for each Windows client)
Windows ssh Clients
• TeraTerm
• MindTerm
• SSH Secure Shell
• Others exist ... (http://www.slurping.com/ssh.html)
TeraTerm
• Free telnet & ssh1 client
• Uses ssh1 protocol
• Can tunnel services (e.g., X11, ftp)
• Basic TeraTerm: http://hp.vector.co.jp/authors/VA002416/teraterm.html
• TeraTerm with ssh: http://www.zipworld.com.au/~roca/ttssh.html
TeraTerm with ssh
[screenshot: TeraTerm connection dialog with ssh support; functionality is just like any basic telnet client]
TeraTerm Port Forwarding
[screenshot: TeraTerm port forwarding setup dialog, including automatic X11 forwarding]
MindTerm
• Free telnet-like ssh1 client
• Written entirely in Java ( => can be made into a Web client)
• Uses ssh1 protocol
• Can tunnel services (e.g., X11, ftp)
• Built-in scp1 (secure copy)
• Download:
http://www.mindbright.se
• Needs Java client on PC
http://www.sun.com/software/solaris/java/download.html
MindTerm
[screenshot: MindTerm terminal window]
MindTerm ftp Tunneling
[screenshot: MindTerm tunnel setup dialog, with callouts:]
• indicate local port to use
• indicate remote port for forwarding
• indicate remote host
• indicate protocol
MindTerm scp (secure copy)
[screenshot: MindTerm scp dialog, with callouts:]
• copy from
• copy to
• recursive to copy entire directories
• progress indication
• secure copy of files across ssh-encrypted channel
SSH Secure Shell
• Free (for non-profit) telnet-like ssh2 client
• Uses ssh2 protocol only (more secure)
• Built-in graphical scp2
• Can tunnel services (e.g., X11, ftp)
• Download:
http://www.ssh.com
SSH Secure Shell
[screenshot: SSH Secure Shell terminal window]
SSH Secure Shell X11 forwarding
SSH Secure Shell ftp (or other port) forwarding
SSH Secure Shell scp
[screenshot: local file system on one side, ssh host file system on the other; drag-and-drop to host]
ssh ftp Forwarding
• Create an ssh local port redirection to the ftp port on remote host
• Use Windows ftp client
• Connect to localhost (127.0.0.1)
• Use local port from redirection (e.g. 1200)
• Use Passive Mode
ssh ftp Forwarding
Conclusion
• As the Internet grows in size and number of users, expect security to
become more of an issue
• Using ssh can greatly increase the security of your network
• Using ssh is fairly straightforward
• Cost-to-benefit ratio for security is high; software is free, the only
cost is administrator and user time & effort
Recommended