Securing UNIX Servers with the Secure Shell (ssh)

Phil Hurvitz

phurvitz@u.washington.edu, http://lobo.cfr.washington.edu

phil@nwgeospatial.com, http://www.nwgeospatial.com

General Overview

• What does any of this have to do with GIS?!

• What this paper is (and is not)

• Who this paper is for (and is not)

• The Secure Shell (ssh)


What does any of this have to do with GIS?!

• Many organizations, most notably those needing “industrial strength” GIS, still use UNIX

• Many components of the Network still rely on UNIX servers


What this paper is

• An introduction to securing UNIX servers, clients, and networks with the Secure Shell (ssh)

• A description of typical ssh setup

• An overview of some sample Windows ssh clients


What this paper is not

• A general discussion of UNIX security

• A detailed introduction to all of ssh functionality (for details, see http://www.ssh.com)


Who this paper is for

• Anyone administering UNIX servers

• Anyone using UNIX servers who is concerned about security


Who this paper is not for

• UNIX security experts

• People not using UNIX as “active” clients or servers

• People using UNIX only as anonymous ftp or http servers


Detailed Overview

• Why use ssh?

• What is ssh?

• How does ssh work?

• Setting up ssh

• Running ssh as a process on the UNIX server

• User setup (Key generation)

• Tunneling other services through ssh

• Windows ssh Clients


Why Use ssh?

• Out-of-the-box UNIX networking is inherently insecure

[Figure labels: “INSECURE !”]


Why Use ssh?

• Why is out-of-the-box UNIX networking inherently insecure?

• User-IDs and Passwords are sent across the wire in CLEAR TEXT!


Out-of-the-box UNIX Networking

[Diagram: Client (UNIX, Wintel) and Server (UNIX)]

• request for login, X, or file services

• service “wakes up”

• request for user-id, request for password

• service offers authentication challenge

• client responds with user-id & password

• user-id and password sent across wire in clear text

• server authenticates and provides service

• client uses service


How Insecure is Telnet or ftp?

• Any UNIX machine on the subnet can log user-ids and passwords from ftp or telnet sessions

• Use of snoop, sniffit, snort, or other packet sniffers

[Figure labels: linux machine running snoop as root; subnet]


How Insecure is Telnet or ftp?

[Screenshot: login with user-id “phurvitz” and “password: *******”]


How Insecure is Telnet or ftp?

    space:~tmp/log:172# snoop -i snoop.out
    23 0.00026 badass -> lobo TELNET R port=34844 login:
    25 1.70087 lobo -> badass TELNET C port=34844 p
    28 0.25049 lobo -> badass TELNET C port=34844 h
    30 0.03874 lobo -> badass TELNET C port=34844 u
    33 0.02809 lobo -> badass TELNET C port=34844 r
    36 0.17347 lobo -> badass TELNET C port=34844 v
    39 0.06427 lobo -> badass TELNET C port=34844 i
    42 0.06775 lobo -> badass TELNET C port=34844 t
    45 0.16108 lobo -> badass TELNET C port=34844 z
    50 0.04550 lobo -> badass TELNET C port=34844
    51 0.00027 badass -> lobo TELNET R port=34844 Password:
    53 1.06545 lobo -> badass TELNET C port=34844 f
    55 0.20479 lobo -> badass TELNET C port=34844 u
    57 0.13032 lobo -> badass TELNET C port=34844 c
    59 0.41778 lobo -> badass TELNET C port=34844 k
    61 0.19929 lobo -> badass TELNET C port=34844 m
    63 0.04144 lobo -> badass TELNET C port=34844 e
    65 0.95020 lobo -> badass TELNET C port=34844 !
    75 0.13021 badass -> lobo TELNET R port=34844 Login incorrect\r\n


How Insecure is Telnet or ftp?

    space:~tmp/log:172# snoop -i snoop.out
     1 0.00000 lobo -> badass FTP C port=34851
     2 0.00046 badass -> lobo FTP R port=34851
     3 0.00039 lobo -> badass FTP C port=34851
     8 0.10195 badass -> lobo FTP R port=34851 220 wa-node FTP serv
     9 0.00034 lobo -> badass FTP C port=34851
    10 2.47434 lobo -> badass FTP C port=34851 USER phurvitz\r\n
    11 0.00025 badass -> lobo FTP R port=34851
    12 0.01501 badass -> lobo FTP R port=34851 331 Password require
    13 0.04388 lobo -> badass FTP C port=34851
    17 4.49758 lobo -> badass FTP C port=34851 PASS oh-shit\r\n
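An added example, not part of the original slides: an audit of snoop summary listings like the two above that reports which logins exposed credentials, so those accounts can be reset and the services moved to ssh. It goes beyond the slides by handling both telnet and ftp in one pass; the function names and the sample capture (hosts srv1 and ws7, users amy and bob) are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original slides.
# Reads `snoop -i <file>` summary lines on stdin and prints one line per login
# whose credentials were visible on the wire. The password itself is never
# printed, only its length, so the report can be shared safely.
audit_cleartext_logins() {
    awk '
    # Text after the "port=N" field; snoop prints CR LF as a literal \r\n.
    function payload(   i, s) {
        s = ""
        for (i = 9; i <= NF; i++) s = s (i > 9 ? " " : "") $i
        sub(/\\r\\n$/, "", s)
        return s
    }
    function report(proto, f) {
        printf "%s %s -> %s user=%s password_chars=%d\n",
               proto, cli[f], srv[f], user[f], length(pass[f])
        state[f] = ""
    }
    # ftp: USER and PASS each arrive as one client packet.
    $6 == "FTP" && $7 == "C" {
        p = payload()
        if (p ~ /^USER /) { user[$8] = substr(p, 6); cli[$8] = $3; srv[$8] = $5 }
        else if (p ~ /^PASS / && ($8 in user)) { pass[$8] = substr(p, 6); report("ftp", $8) }
        next
    }
    # telnet: server prompts switch what the following keystrokes mean.
    $6 == "TELNET" && $7 == "R" {
        p = payload()
        if (p == "") next                       # bare ACK, no prompt text
        if (state[$8] == "pass" && pass[$8] != "") report("telnet", $8)
        if (p ~ /login: *$/) {
            state[$8] = "user"; user[$8] = ""; pass[$8] = ""
            cli[$8] = $5; srv[$8] = $3
        } else if (p ~ /Password: *$/) state[$8] = "pass"
        next
    }
    # telnet: one keystroke per client packet; an empty packet is Enter.
    $6 == "TELNET" && $7 == "C" {
        if (state[$8] == "user") user[$8] = user[$8] payload()
        else if (state[$8] == "pass") pass[$8] = pass[$8] payload()
    }
    END { for (f in state) if (state[f] == "pass" && pass[f] != "") report("telnet", f) }
    '
}

# Constructed sample in the same layout as the snoop listings above
# (hosts, users and passwords are made up).
sample_capture() {
    cat <<'EOF'
 1 0.00000 srv1 -> ws7 TELNET R port=40001 login:
 2 0.91000 ws7 -> srv1 TELNET C port=40001 a
 3 0.12000 ws7 -> srv1 TELNET C port=40001 m
 4 0.08000 ws7 -> srv1 TELNET C port=40001 y
 5 0.05000 ws7 -> srv1 TELNET C port=40001
 6 0.00030 srv1 -> ws7 TELNET R port=40001 Password:
 7 1.02000 ws7 -> srv1 TELNET C port=40001 x
 8 0.11000 ws7 -> srv1 TELNET C port=40001 9
 9 0.09000 ws7 -> srv1 TELNET C port=40001 !
10 0.13000 srv1 -> ws7 TELNET R port=40001 Login incorrect\r\n
11 2.40000 ws7 -> srv1 FTP C port=40002 USER bob\r\n
12 0.01500 srv1 -> ws7 FTP R port=40002 331 Password require
13 4.10000 ws7 -> srv1 FTP C port=40002 PASS hunter2!\r\n
EOF
}

sample_capture | audit_cleartext_logins
```

On a real capture, run it as `snoop -i snoop.out | audit_cleartext_logins`; an ssh session produces no output because neither prompt nor keystrokes are readable.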


What is ssh?

• A method to avoid passing clear text user-ids & passwords

• A method of using strong (e.g., 1024 bit) encryption for user authentication

• A replacement for telnet, rsh, rlogin, rcp

• A method of encrypting arbitrary TCP/IP data transmissions (e.g., X11, ftp, Z39.50)


How Does ssh Work?

• Uses public key encryption

• Encryption key is public, but decryption key is private

• User-ids and passwords are never passed in clear text


ssh UNIX Networking

[Diagram: Client (UNIX, Wintel) and Server (UNIX)]

• request for login, X, or file services

• ssh service “wakes up”

• request for user-id, request for passphrase

• ssh service offers authentication challenge

• client responds with user-id & passphrase

• user-id and passphrase sent across wire 1024-bit encrypted

• passphrase and public key are compared against private key

• client uses service; subsequent communication is encrypted


Setting Up ssh

• Download

• Compile

• Enable ssh1 compatibility


Downloading ssh

• Visit www.ssh.com or mirror

• Get latest ssh1 and ssh2 server/client tarballs

• Get latest Windows ssh client


Setting Up ssh

• Compile ssh1

• Compile ssh2

    root@badass 175# ./configure --with-x
    loading cache ./config.cache
    checking distribution consistency... done
    checking host system type... sparc-sun-solaris2.7
    ...

    root@badass 176# make
    make all-recursive
    Making all in lib
    Making all in sshutil
    Making all in sshcore
    Making all in sshadt
    ...

    root@badass 176# make install
    ...


Setting Up ssh

• Enable ssh1 compatibility

    root@badass 120# grep -i ssh1 ssh2_config
    ...
    Ssh1Compatibility yes
    Ssh1Path /usr/local/bin/ssh1
    ...

    root@badass 121# grep -i ssh1 sshd2_config
    ...
    Ssh1Compatibility yes
    Sshd1Path /usr/local/bin/ssh1
    ...


Running ssh as a process on the UNIX server

• Set up as daemon to start at boot or

• Set up as inetd process

• “Encase” in TCP Wrappers


Setting Up ssh as a Daemon

• Create/copy an existing startup script in /etc/init.d

• Create a symlink to S... and K... scripts in /etc/rc3.d

• Start the sshd daemon

• The sshd daemon will respond to incoming ssh requests

• sshd will offer an authentication challenge across an encrypted channel

• sshd will spawn a new shell, but across an encrypted channel


Setting Up ssh as an inetd Process

• Alter the /etc/inet/inetd.conf file (the entry is a single line; -i tells sshd it was started by inetd):

    ssh stream tcp nowait root /usr/local/sbin/sshd sshd -i

• Alter the /etc/inet/services file:

    ssh 22/tcp

• Restart the inetd daemon

• A new ssh process will start for each client request


“Encasing” ssh in TCP Wrappers

• Compile with TCP Wrapper support

    ./configure \
        --with-libwrap=/usr/local/lib/libwrap.a

• Alter Makefile

    -I/PATHOF/tcpwrappers
    WRAPLIBS = -L/PATHOF/tcpwrappers -lwrap

• Alter /etc/hosts.allow and /etc/hosts.deny

• Run ssh2 as a daemon

• Connections will be logged to /var/log/syslog


User Setup

• Create key pairs

• Set up important authorization files

• Copy public keys to remote hosts


Create key pairs

• ssh-keygen and/or ssh-keygen2 (creates private key and public key)

• Only owner has private key

• Public key is available to anyone

• Data are encrypted with public key

• Decryption is possible only with the private key

• Private key is encrypted with the passphrase in case of file system security breach


Setup of Authorization Files under ssh1

• Copy all personal public keys to ~/.ssh/authorized_keys
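An added example, not part of the original slides: one way to do the copy into ~/.ssh/authorized_keys so that repeated runs do not duplicate keys, the files stay readable by the owner only, and a private key file is refused if it is passed by mistake. The function name install_pubkey, the file name identity.pub and the shortened key line are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original slides.
# install_pubkey PUBKEY_FILE [HOME_DIR]
# Appends each key line from PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys
# unless that exact line is already present. Runs in a subshell so the
# umask change does not leak into the calling shell.
install_pubkey() (
    pub=$1
    home=${2:-$HOME}
    dir=$home/.ssh
    auth=$dir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; exit 1; }

    # Heuristic guard: only the public half may be copied to other hosts.
    if grep -q -e '-----BEGIN' -e 'SSH PRIVATE KEY FILE FORMAT' "$pub"; then
        echo "$pub looks like a private key; refusing" >&2
        exit 2
    fi

    umask 077
    mkdir -p "$dir" && chmod 700 "$dir" || exit 1
    touch "$auth" && chmod 600 "$auth" || exit 1

    # Also handles a last line that has no trailing newline.
    while IFS= read -r key || [ -n "$key" ]; do
        [ -n "$key" ] || continue
        grep -qxF -e "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
    done < "$pub"
)

# Demo in a throwaway directory with a constructed, shortened key line
# in "bits exponent modulus comment" layout (not a usable key).
demo_home=$(mktemp -d)
printf '%s\n' '1024 35 1234567890123456789 phurvitz@lobo' > "$demo_home/identity.pub"
install_pubkey "$demo_home/identity.pub" "$demo_home"
install_pubkey "$demo_home/identity.pub" "$demo_home"   # second run adds nothing
wc -l < "$demo_home/.ssh/authorized_keys"
```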


Setup of Authorization Files under ssh2

• Edit a few important files in ~/.ssh2


Tunneling Other Services Through ssh

[Diagram labels: MS or UNIX client; UNIX server; ssh; tcp; sniffer (marked x)]

network is “shielded” by ssh


Tunneling X11 Through ssh

• Native X11 is an insecure channel, however, ...

• X11 can be tunneled through ssh

• X11 forwarding must be compiled in (default)

• DISPLAY variable should not be set manually

• New DISPLAY variable will be “host:X.0” (where X > 0)

• X11 displays will forward from host to client through ssh

• If local X server is running (e.g., eXceed), X displays are automatically forwarded to PC

• X11 tunneling is default behavior if X11 support is compiled in

    ssh +x host


Tunneling ftp Through ssh

UNIX client

• Set up a forwarded port

    myhost% ssh -L 1234:host:21 host
    myhost% ftp localhost 1234

• ftp transmissions take place through encrypted channel

Windows client

• Use client’s tcp forwarding (discussed later for each Windows client)


Windows ssh Clients

• TeraTerm

• MindTerm

• SSH Secure Shell

• Others exist ... http://www.slurping.com/ssh.html


TeraTerm

• Free telnet & ssh1 client

• Uses ssh1 protocol

• Can tunnel services (e.g., X11, ftp)

• Basic TeraTerm: http://hp.vector.co.jp/authors/VA002416/teraterm.html

• TeraTerm with ssh: http://www.zipworld.com.au/~roca/ttssh.html


TeraTerm with ssh

ssh support

functionality is just like any basic telnet


TeraTerm Port Forwarding

automatic X11 forwarding


MindTerm

• Free telnet-like ssh1 client

• Written entirely in Java ( => can be made into a Web client)

• Uses ssh1 protocol

• Can tunnel services (e.g., X11, ftp)

• Built-in scp1 (secure copy)

• Download: http://www.mindbright.se

• Needs Java client on PC: http://www.sun.com/software/solaris/java/download.html


MindTerm ftp Tunneling

indicate local port to use

indicate remote port for forwarding

indicate remote host

indicate protocol


MindTerm scp (secure copy)

copy from

copy to

recursive to copy entire directories

progress indication

secure copy of files across ssh-encrypted channel


SSH Secure Shell

• Free (for non-profit) telnet-like ssh2 client

• Uses ssh2 protocol only (more secure)

• Built-in graphical scp2

• Can tunnel services (e.g., X11, ftp)

• Download: http://www.ssh.com


SSH Secure Shell X11 forwarding


SSH Secure Shell ftp (or other port) forwarding


SSH Secure Shell scp

local file system

drag-and-drop to host

ssh host file system


ssh ftp Forwarding

• Create an ssh local port redirection to the ftp port on remote host

• Use Windows ftp client

• Connect to localhost (127.0.0.1)

• Use local port from redirection (e.g. 1200)

• Use Passive Mode


Conclusion

• As the Internet grows in size and number of users, expect security to become more of an issue

• Using ssh can greatly increase the security of your network

• Using ssh is fairly straightforward

• Cost-to-benefit ratio for security is high; software is free, the only cost is administrator and user time & effort