From Seán Boran, Last Edited: 21 novembre 2001

SSH notes

SSH is a secure, comfortable way of logging into UNIX machines, 
remotely copying files, running remote X11 and TCP socket tunnels.

Get rid of ftp/telnet/rlogin/rsh and use SSH now!

Note: This article is old, please refer to the newer SSH-Part I and Part II.

Contents:

SSH Overview:
        Advantages
        Disadvantages
Implementations

Tweaking

References


SSH (Secure SHell)

Secure Shell (SSH) is authored by Tatu Yionen, Espoo, Finland and is a secure replacement for Telnet, rlogin, rcp, rsh and provides secured TCP tunnels. Optional compression of traffic is provided and can also be used together with many Authentication schemes such as SecurID, Kerberos, S/KEY to provide a highly secure remote access point to UNIX servers.
Efforts are underway to make SSH an official Internet Standard, see www.ietf.org/html.charters/secsh-charter.html .

It is very well designed, supports numerous encryption algorithms, is backward compatible with the Berkeley "r" commands and supports automatic encryption of X sessions.
The following is an extract from the SSH FAQ:

What is ssh?
Ssh (Secure Shell) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels. It is intended as a replacement for rlogin, rsh, and rcp. Additionally, ssh provides secure X connections and secure forwarding of arbitrary TCP connections.

Why should I use it?
* The traditional BSD 'r' - commands (rsh, rlogin, rcp) are vulnerable to different kinds of attacks. Somebody who has root access to machines on the network, or physical access to the wire, can gain unauthorised access to systems in a variety of ways. It is also possible for such a person to log all the traffic to and from your system, including passwords (which ssh never sends in the clear).
* The X Window System also has a number of severe vulnerabilities. With ssh, you can create secure remote X sessions which are transparent to the user. As a side effect, using remote X clients with ssh is more convenient for users.
* Users can continue to use old .rhosts and /etc/hosts.equiv files; changing over to ssh is mostly transparent for them. If a remote site does not support ssh, a fallback mechanism to rsh is included.

What kinds of attacks does ssh protect against?
* IP spoofing, where a remote host sends out packets which pretend to come from another, trusted host. Ssh even protects against a spoofer on the local network, who can pretend he is your router to the outside.
* IP source routing, where a host can pretend that an IP packet comes from another, trusted host.
* DNS spoofing, where an attacker forges name server records.
* Interception of clear-text passwords and other data by intermediate hosts.
* Manipulation of data by people in control of intermediate hosts.
* Attacks based on listening to X authentication data and spoofed connection to the X11 server.
The above only holds if you actually use encryption. Ssh does have an option to use encryption of type "none" this is only for debugging purposes, and should not be used.

What kind of attacks does ssh not protect against?
* Ssh will not help you with anything that compromises your host's security in some other way. Once an attacker has gained root access to a machine, he can then subvert ssh, too.
* If somebody malevolent has access to your home directory, then security is non-existent. This is very much the case if your home directory is exported via NFS.

How does it work?
All communications are encrypted using IDEA or one of several other ciphers (three-key triple-DES, DES, RC4-128, TSS, Blowfish). Encryption keys are exchanged using RSA, and data used in the key exchange is destroyed every hour (keys are not saved anywhere). Every host has an RSA key which is used to authenticate the host. Encryption is used to protect against IP-spoofing;
public key authentication is used to protect against DNS and routing spoofing.
* RSA keys are also used to authenticate hosts.

Advantages:

Disadvantages:


IMPLEMENTATIONS

SSH for UNIX & Linux

SSH1 for UNIX is available as a free or commercial product (from DataFellows):

SSH2

SSH2 is the new protocol version, submitted to the IETF for approval. It includes sftp, an SSH2 tunnelled ftp. SSH2 uses separate config files to SSH1 (e.g. /etc/ssh2/ssh2_config), but can call SSH1 if a client requests SSH1 protocols and SSHD1 is available.

 

Java SSH clients (free/commercial)

Windows

I have to admit that my favourite SSH client for Windows is now MindTerm (see above) after 2 years using DataFellows F-Secure SSH.

Free Windows SSH Clients

  1. TTSSH (TeraTerm SSH)
    • TTSSH is an SSH add on (DLL) to TeraTerm Pro (a free terminal emulation package) .
      TTSSH www.zip.com.au/~roca/ttssh.html
      TeraTerm http://hp.vector.co.jp/authors/VA002416/teraterm.html  
    • Version 1.4 of TTSSH (Dec'98) includes the following features: Compatible with SSH protocol version 1.5 Ciphers: 3DES, IDEA, Blowfish, DES, RC4 Server authentication using the ssh_known_hosts database (including the option of adding a server's key to the database) Authentication using password, RSA, rhosts and rhosts+RSA. Compression support. Connection forwarding, including full support for X connection forwarding.
    • Note that the older V1.2 did not have X11 or port forwarding.
    • I've tested V1.4 and am impressed, but it doesn't have the ftp tunnelling of MindTerm. TeraTerm is a nice terminal emulation too, offering a good GUI and features such as session logging and custom key mapping.
      Tip: set TERATERM_EXTENSIONS=1 in your environment (so that Teraterm enables extensions and presents SSH by default) and edit teraterm.ini to change a few defaults.
      TBD: where is the client key generated (Keygen), so that the server can authenticate the client on the host level?
  2. See Mindterm above.
  3. Most of the following use the Cygnus Win32 libraries, you'll need usertools.exe from sourceware.cygnus.com/cygwin/download.html
  4. Raju Mathur/Gordon Chaffee wrote a Win32 patch for ssh-1.2.14, the binaries are in ftp://ftp.cs.hut.fi/pub/ssh/contrib/. There's also a ssh-1_2_22-Win32-Beta1.
    Notes:
    • You'll need to create a c:\ssh\etc directory to keep your ssh_config, ssh_host_key, and ssh_host_key.pub in. You need to generate the keys on your Unix box with ssh-keygen (bug: ssh-keygen doesn't work on NT)
    • Next, make sure your HOME environment variable is set. On NT, this can be done via the Control Panel->System.
    • Create a <HOME>\.ssh directory (don't forget the dot). Copy (ftp) your identity and identity.pub files in this subdirectory (these 2 files were generated by ssh-keygen on the unix box)
    • Setting up ssh to work without requiring any passwords: You need a destination machine to trust the source machine. So .ssh/Identity.pub (public key) of the source machine needs to be appended to the list of keys in .ssh/authorized_keys on the destination machine.
  5. A version based on 1.2.20 that hasn't been further developed, is at http://guardian.htu.tuwien.ac.at/therapy/ssh/
  6. Cedomir Igaly offers a free 16 and 32 bit version without sources. It uses Peter Gutmann's cryptographic library on Garbo. See www.doc.ic.ac.uk/~ci2/ssh
  7. Simon Tatham has developed PuTTY, a free Win32 Telnet/SSH Client. It is at beta v0.47 www.chiark.greenend.org.uk/~sgtatham/putty.html .

 

Commercial SSH for Windows

F-Secure SSH for Windows (16 and 32 bit)

Datafellows produce a commercial implementation of  SSH.  Recommended.
This PC version allows encrypted "Telnet" sessions and secure TCP socket connections (including X11) with UNIX servers running SSH. See also www.datafellows.com/f-secure.

Advantages:

Problems:

VanDyke SSH for Win32 (U.S. users only)

VanDyke offer a 32bit client that is user friendly, but obviously is U.S. export restricted. It a worring option: it allows users to save password to allow "easier" login. See  www.vandyke.com/products/securecrt/index.html  

 

Others

Mac Versions

Palm Pilot

VAX


TWEAKING

SSH (Secure Shell)  VPNs

  1. SSH1:
  2. The new SSH2 is more suited to general VPNs. TBD.

 

Compiling & Installing SSH

Compiling SSH1 for UNIX, is straight forward. Assuming we want the standard options and wish to install in /usr/bin and /usr/sbin (the default is /usr/local/bin & sbin):

gzcat ssh-1.2.26.tar.gz | tar xf -
cd ssh-1.2.27
./configure --prefix=/usr --without-none --without-rsh
make
make install

The SSH daemon will have to be added to one of the system startup files, is is not done by "make install". An example for Solaris to be copied to /etc/rc2.d is S10sshd.

Compilation options that might be useful:

--without-none never allow clear text (unencrypted) communication in the case where one of the servers has no key.
--without-rsh never allow rshell rhosts as an option when a server has no key.

IRIX 5:    ./configure --prefix=/usr/bsd --sbindir=/usr/bsd --bindir=/usr/bsd
SunOS  ./configure --prefix=/usr/local --sbindir=/usr/local/bin
Socks5 proxing support: -with-socks5=/usr/local/lib
Solaris2 with SecurID:
    ./configure --prefix=/usr --with-securid=../ace
    vi Makefile, add -lsocket to the line: LIBS = ../ace/sdiclient.a -lnsl -L/usr/local/lib
    vi sshd.h, and add the line: #include <ulimit.h>
    make install
    vi /etc/securid.users (lists all the users with cards, one per line).

Installing on a number of machines

To make life easier, compile on (say) one solaris machine as above, then create a tar file of the binaries (in the C-Shell):

tar cvf ssh_bin.tar /usr/bin/{ssh,ssh1,scp,scp1,slogin,slogin1,ssh-keygen1,ssh-keygen,ssh-agent1,ssh-agent,ssh-add1,ssh-add,ssh-askpass1,ssh-askpass,make-ssh-known-hosts1,make-ssh-known-hosts}
tar uvf ssh_bin.tar /etc/{sshd_config,ssh_config}
tar uvf ssh_bin.tar /etc/rc2.d/{S10sshd,K10sshd} /etc/init.d/sshd
tar uvf ssh_bin.tar /usr/sbin/{sshd,sshd1}
tar uvf ssh_bin.tar /usr/man/man1/{ssh-keygen.1,ssh-agent.1,ssh-add.1,ssh.1,ssh1.1,slogin.1,slogin1.1,scp.1,scp1.1,make-ssh-known-hosts.1} /usr/man/man8/{sshd.8,sshd1.8}
compress ssh_bin.tar

Copy ssh_bin.tar.Z to the new target system, backup any existing config files, extract in root, "rehash" (if using csh) and then generate a host key:
     ssh-keygen -b 1024 -f /etc/ssh_host_key -N '';

Add the ssh service, by adding the following to /etc/services:
     ssh 22/tcp           # Secure Shell

Start the ssh daemon:
      sh /etc/rc2.d/S10sshd start

SSH configuration

VNC via SSH

Virtual Network Computing is a "remote control" program that allows you to see and use the desktop of another machine (NT, Win95, UNIX) over the network. It could also be used for teleworking over insecure networks such as the internet. Or SSH can be used to encrypt the VNC communications and hence increase it's security.

PC Anywhere via SSH

PCAnywhere is another remote control program like VNC above, except it's limited to PCs. the newer versions use port 5631 and 5632, but forwarding these over SSH and then asking PCAny to connect to localhost doesn't work.

TBD: find out how to get PCAnywhere going over SSH.


References


Back to the IT Security Cookbook