212.3 Secure shell (SSH)
Weight: 4
**Description:** Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys and configuring SSH for users. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.
Key Knowledge Areas:
OpenSSH configuration files, tools and utilities
Login restrictions for the superuser and the normal users
Managing and using server and client keys to login with and without password
Usage of multiple connections from multiple hosts to guard against loss of connection to remote host following configuration changes
Terms and Utilities:
ssh
sshd
/etc/ssh/sshd_config
/etc/ssh/
Private and public key files
PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication, Protocol
As administrators we need deep knowledge of remote login protocols such as rlogin, rsh, telnet and ssh.
What is SSH?
The SSH protocol (also referred to as Secure Shell) is a method for secure remote login from one computer to another. It provides several alternative options for strong authentication, and it protects the confidentiality and integrity of the communication with strong encryption. It is a secure alternative to unprotected login protocols (such as telnet and rlogin) and insecure file transfer methods (such as FTP).
Typical uses of the SSH protocol are:
providing secure access for users and automated processes
interactive and automated file transfers
issuing remote commands
managing network infrastructure and other mission-critical system components.
How does the SSH protocol work?
The way SSH works is by making use of a client-server model to allow for authentication of two remote systems and encryption of the data that passes between them.
SSH operates on TCP port 22 by default (though this can be changed if needed). The host (server) listens on port 22 (or any other SSH assigned port) for incoming connections.
SSH provides multiple mechanisms for authenticating the server and the client. Two commonly used authentication mechanisms are password-based and key-based authentication. Although password-based authentication is also secure, it is advisable to use key-based authentication instead.
The connection is established by the SSH client connecting to the SSH server. The SSH client drives the connection setup process and uses public key cryptography to verify the identity of the SSH server. After the setup phase, the SSH protocol uses strong symmetric encryption and hashing algorithms to ensure the privacy and integrity of the data exchanged between the client and the server.
What is OpenSSH?
OpenSSH is a free, open source set of tools that provides secure and encrypted communication over a computer network using the SSH protocol. It is developed by the OpenBSD project and released under the Simplified BSD License. OpenSSH is popular among system administrators because of its multi-platform support and its many useful features.
All communication and user credentials sent through OpenSSH are encrypted, and the connection is also protected against man-in-the-middle attacks: if a third party tries to intercept our connection, OpenSSH detects it and warns us.
Let's get started. We use CentOS7-1 as our server:
/etc/ssh
OpenSSH has two different sets of configuration files: one for client programs (ssh, scp, and sftp) and one for the server daemon (sshd).
The sshd_config file is the SSH daemon (server process) configuration file, whereas the ssh_config file is the SSH client configuration file. The client configuration file only has a bearing on what happens when you use the ssh command to connect to another SSH host. As you can see, there are also public and private host key files here for different algorithms; sshd uses them to prove the server's identity when a session is set up.
RELATIONSHIP OF CONFIGURATION FILES
The SSH server actually reads several configuration files. The sshd_config file specifies the locations of one or more host key files (mandatory) and the location of authorized_keys files for users. It may also refer to a number of other files.
/etc/ssh/sshd_config
The OpenSSH server reads a configuration file when it is started. Usually this file is /etc/ssh/sshd_config:
Let's talk about some of the options:
Port: The port that the SSH daemon listens on. This option is only necessary if the SSH instance is not running on the default port 22. (If you plan to change it, do not forget about mandatory access controls such as SELinux or AppArmor, which may have to be told about the new port.)
SyslogFacility: By default, the OpenSSH server logs to the AUTH facility of syslog.
auth - is meant for authentication and authorization related messages
authpriv - is for non-system authorization messages (security information of a sensitive nature)
These logs end up in /var/log/auth.log on Debian-based systems or /var/log/secure on Red Hat/CentOS-based systems.
LogLevel: By default OpenSSH logs at the INFO level. If we want to record more information (such as failed login attempts) we should raise the logging level to VERBOSE.
PermitRootLogin: Specifies whether root can log in over SSH or not. The argument can be:
yes - root is allowed to log in.
without-password - password authentication is disabled for root, so root can only log in using key pairs (newer OpenSSH releases call this prohibit-password and accept without-password as an alias).
forced-commands-only - root login with public key authentication is allowed, but only if the command option has been specified for the key (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root.
no - root is not allowed to log in.
PubkeyAuthentication: Lets users log in using their SSH key files without entering a password.
**PermitEmptyPasswords:** Allows users with an empty password to connect to our SSH server (keep this at its default, no).
PasswordAuthentication: Of course we want the SSH server to authenticate users before letting them connect, but if we want to force users to authenticate with their key pairs we can set this to no.
Banner: Specifies a text file whose contents are displayed to anyone who tries to SSH in, before they authenticate.
**PrintMotd:** Print a message (the message of the day) after someone logs in.
**MaxAuthTries:** Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. It can be overridden by PAM if any PAM modules are involved.
By default every account on the system can log in through SSH, but there are two options which can be added to sshd_config in order to change the default behaviour:
**AllowUsers:** Specify the users we want to let log in through SSH (no other user can log in).
DenyUsers: Prevent the listed users from logging in.
ForwardX11: What is that?
What is SSH Tunneling / port forwarding ?
SSH tunneling is a method of transporting arbitrary networking data over an encrypted SSH connection. It can be used to add encryption to legacy applications. It can also be used to implement VPNs (Virtual Private Networks) and access intranet services across firewalls.
SSH is a standard for secure remote logins and file transfers over untrusted networks. It also provides a way to secure the data traffic of any given application using port forwarding, basically tunneling any TCP/IP port over SSH. This means that the application data traffic is directed to flow inside an encrypted SSH connection so that it cannot be eavesdropped or intercepted while it is in transit. SSH tunneling enables adding network security to legacy applications that do not natively support encryption.
So SSH port forwarding is a mechanism in SSH for tunneling application ports from the client machine to the server machine, or vice versa. Some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines. It can also be abused by hackers and malware to open access from the Internet to the internal network.
There are three types of SSH port forwarding:
Local port forwarding - connections from an SSH client are forwarded, via the SSH server, to a destination server.
Remote port forwarding - connections from an SSH server are forwarded, via the SSH client, to a destination server.
Dynamic port forwarding - connections from various programs are forwarded, via the SSH client to an SSH server, and finally to several destination servers.
OK, after this long explanation, let's go back to the sshd_config options.
**X11Forwarding:** It lets us run graphical programs remotely from the Linux server. X11 forwarding needs to be enabled on both the client side and the server side. On the server side, X11Forwarding yes must be specified in /etc/ssh/sshd_config. On the client side, the -X (capital X) option to ssh enables X11 forwarding, and you can make this the default (for all connections or for a specific connection) with ForwardX11 yes in ~/.ssh/config.
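The options above can be checked without reading the file by eye. The following script is an added example, not code from the original page: it pulls the first active value of each keyword out of a constructed sample sshd_config (sshd honours the first occurrence of a keyword, so a later duplicate is ignored) and flags the weak values; the defaults assumed for absent keywords are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: read the sshd_config options discussed
# above and flag weak values. sshd uses the FIRST occurrence of each keyword, so that
# is the value we read; a later duplicate is silently ignored by sshd.
set -eu

# Constructed sample sshd_config for the demonstration (not a real server's file).
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
Port 22
PermitRootLogin yes
PermitRootLogin no
#PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 6
X11Forwarding yes
EOF

# sshd_value FILE KEYWORD [DEFAULT]: first active value of KEYWORD (keywords are
# case-insensitive), or DEFAULT (assumed here for the demo) if absent or commented out.
sshd_value() {
    v=$(awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1")
    printf '%s\n' "${v:-${3:-}}"
}

# audit_sshd_config FILE: prints one "WEAK ..." or "INFO ..." line per finding.
audit_sshd_config() {
    f=$1
    [ "$(sshd_value "$f" PermitRootLogin yes)" = yes ] &&
        echo "WEAK PermitRootLogin yes: use no, or prohibit-password for key-only root"
    [ "$(sshd_value "$f" PasswordAuthentication yes)" = yes ] &&
        echo "WEAK PasswordAuthentication yes: set no once key-based login works"
    [ "$(sshd_value "$f" PubkeyAuthentication yes)" = no ] &&
        echo "WEAK PubkeyAuthentication no: key-based login is disabled"
    [ "$(sshd_value "$f" PermitEmptyPasswords no)" = yes ] &&
        echo "WEAK PermitEmptyPasswords yes: accounts without a password can log in"
    [ "$(sshd_value "$f" MaxAuthTries 6)" -gt 4 ] &&
        echo "WEAK MaxAuthTries above 4: lower it to slow down password guessing"
    [ "$(sshd_value "$f" X11Forwarding no)" = yes ] &&
        echo "INFO X11Forwarding yes: disable unless graphical programs are needed"
    [ -z "$(sshd_value "$f" AllowUsers)" ] &&
        echo "INFO no AllowUsers line: every account on the system may log in"
    return 0
}

audit_sshd_config "$SAMPLE_CFG"
```

On a real server, compare the findings with `sshd -T`, which prints the effective configuration sshd will actually use.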
/etc/ssh/ssh_config
The ssh_config file has similar settings, but it is for the SSH client utilities: ssh, scp (for secure copies) and sftp (for secure FTP).
ssh configuration files precedence
Do not forget that the SSH client configuration sources have an order of precedence. The ssh program on a host receives its configuration from either the command line or the configuration files ~/.ssh/config and /etc/ssh/ssh_config.
Command-line options take precedence over configuration files. The user-specific configuration file ~/.ssh/config is used next. Finally, the global /etc/ssh/ssh_config file is used. The first obtained value for each configuration parameter is used.
Configuring SSH Key Based authentication
So far we have seen how SSH works. As we mentioned, when an SSH connection is started, the public key of the SSH server is transferred to the client (and stored in ~/.ssh/known_hosts); the client uses it to continue the negotiation with the server, and then the user is required to authenticate by sending a username and password.
It is possible to skip entering the username and password and connect to the SSH server using the client's public and private key pair.
Let's start by connecting to CentOS7-1 from CentOS7-2 and looking at the keys:
Now let's generate a public and private key for the client and copy the client's public key to the server. ssh-keygen creates a key pair for public key authentication:
We haven't set a passphrase in our demonstration, but if we had, we would be asked to enter it when we copy the key to the server. Anyhow, we use ssh-copy-id, which configures a public key as authorized on a server:
ssh-copy-id might not be available in your distro; no problem, you can copy the public key in any way you like:
Now let's take a look at the server side:
Now let's check the result from the client:
And it seems OK. We can copy and paste the keys for other users if we like, but do not forget that these keys give users the power to log in without a password.
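Since ssh-copy-id is not always installed, here is an added example (not code from the original page) of doing its job by hand: it appends a public key line to ~/.ssh/authorized_keys with the permissions sshd expects, rejects malformed lines and skips keys that are already present. It uses a constructed fake key line and a temporary home directory so it runs without ssh-keygen or a server; install_authorized_key is a name chosen for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: the manual equivalent of ssh-copy-id.
# It appends a public key to authorized_keys with the permissions sshd requires
# and refuses malformed lines and duplicates. install_authorized_key is a demo name.
set -eu

# install_authorized_key HOME_DIR PUBKEY_FILE
# Returns 0 if the key was added, 2 if already present, 1 if the line is malformed.
install_authorized_key() {
    home=$1; pub=$2
    keyline=$(head -n 1 "$pub")
    # A valid line looks like "<type> <base64 blob> [comment]"; reject anything else.
    case "$keyline" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) echo "malformed public key line" >&2; return 1 ;;
    esac
    keytype=$(printf '%s' "$keyline" | cut -d' ' -f1)
    keyblob=$(printf '%s' "$keyline" | cut -d' ' -f2)
    # With StrictModes (the default) sshd ignores authorized_keys when the
    # directory or file is group/world writable, so create them with tight permissions.
    umask 077
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
    # Match on type and blob only: the trailing comment may differ between copies.
    if grep -Fq "$keytype $keyblob" "$home/.ssh/authorized_keys"; then
        echo "key already authorized" >&2
        return 2
    fi
    printf '%s\n' "$keyline" >> "$home/.ssh/authorized_keys"
}

# Constructed demo: a temporary home directory and a FAKE ed25519 public key
# (the blob is not a real key), so the example runs without ssh-keygen or a server.
DEMO_HOME=$(mktemp -d)
trap 'rm -rf "$DEMO_HOME"' EXIT
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFAKEKEYFAKEKEYFAKEKEYFAKEKEYFAKE user@CentOS7-2\n' \
    > "$DEMO_HOME/id_ed25519.pub"

install_authorized_key "$DEMO_HOME" "$DEMO_HOME/id_ed25519.pub"
```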
Why use a passphrase? What is it for?
We have configured a password-less SSH connection using key-based authentication. But what would happen if our system were compromised? An attacker would be able to connect to other servers using key-based authentication without knowing any passwords.
A passphrase helps us avoid this kind of security issue by requiring the passphrase at the beginning of every SSH key-based authentication. So let's clear the previous authorized_keys entry and start again:
Now generate a new key pair with a passphrase on the client (let it overwrite the current private and public key):
Now let's transfer our new public key to the server:
Let's see the key we have copied on the server:
Now when we SSH to the remote server (CentOS7-1) from our client (CentOS7-2), we are asked to enter our local key passphrase instead of the remote user account password:
Let's exit and SSH again and again:
As you can see, each time we are asked to enter the passphrase, and that is what we were looking for in order to stop an attacker if our system gets compromised. There is a way to attach the passphrase to the current user session and keep it for the next SSH connections, in order to avoid entering the passphrase again and again:
ssh-agent - agent to hold the private key for single sign-on
**ssh-add** - tool to add a key to the agent
And it could happen again and again:
Once we exit the bash session associated with the agent that holds the key:
we would need to enter the passphrase again.
SSH Client tools
Here we want to take a look at the most useful client tool (ssh, scp, sftp) commands:
ssh -V
Shows ssh client version
ssh user1@server1.example.com
Connect to the remote host, add "-v" for verbose mode
ssh -l user1 server1.example.com
Connect to the remote host, add "-v" for verbose mode.
ssh user1@server1.example.com <command>
Run <command> on the remote host over SSH
ssh -X user@server1.example.com
Enable X forwarding on the client side; X11Forwarding should be enabled on the server side in the sshd_config file.
SCP Commands
We can use the scp command to copy files securely between the local host and a remote host using SSH authentication.
Copy file from the localhost to the remotehost:
Copy file from the remotehost to the localhost:
sftp commands
SFTP (SSH File Transfer Protocol) is a secure file transfer protocol. It runs over the SSH protocol. It supports the full security and authentication functionality of SSH.
sftp user1@server1.example.com
Connect to the SFTP server
sftp> ?
getting help
sftp> lpwd
Check Present Working Directory
sftp> ls
Listing files and directories in remote system
sftp> lls
Listing files and directories in local
sftp> put local.profile
upload file
sftp> mput *.txt
upload multiple files
sftp> get myfile.txt
get a single file
sftp> mget *.txt
get multiple files
sftp> cd testdir
switching directory on remote
sftp> lcd test
switching directory in local
sftp> mkdir mytestdir
creates directory on remote system
sftp> lmkdir mydownloads
creates directory on local machine
sftp> rm mytempfile.txt
remove file
sftp> rmdir myremotedir
remove directory
sftp> !
escape to a local shell (exit it to return to sftp)
sftp> bye
exit the sftp shell (quit and exit do the same)
Sources and additional useful links: https://www.ssh.com/ssh/protocol/ , https://www.ssh.com/ssh/tunneling/ , https://www.ssh.com/ssh/authorized_keys/ , https://www.ssh.com/ssh/command/ , https://www.ssh.com/ssh/agent , https://www.ssh.com/ssh/add , ... .