Send the link below via email or IMCopy
Present to your audienceStart remote presentation
- Invited audience members will follow you as you navigate and present
- People invited to a presentation do not need a Prezi account
- This link expires 10 minutes after you close the presentation
- A maximum of 30 users can follow your presentation
- Learn more about this feature in our knowledge base article
Encrypt Your Connections with SSH
Transcript of Encrypt Your Connections with SSH
(using SSH, of course!) Beastie is very wise SSH Client "ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP ports can also be forwarded over the secure channel." -- ssh(1) man page Interesting options Server Configuration sshd reads configuration from OpenSSH exists because of the work by
OpenBSD developers Beastie, the BSD daemon,
is copyright Marshall Kirk McKusick,
permission to use
"within the bounds of good taste" -A Enables forwarding of the authentication agent connection.
This means that users with the ability to bypass file permissions on the remote host have that ability on the local host as well.
In other words: Root on the server PWNs your laptop with -A -a Disables authentication forwarding.
(Saves you from the evil, pwnful root on that server.) -c cipher_spec Selects the encryption specification for this connection.
On SSH1 you can only pick on of DES, 3DES, or blowfish.
(3DES is the default)
On SSH2 you can give a comma delimited list in the order of your preference. SSH2 ported ciphers are:
“3des-cbc”, “aes128-cbc”, “aes192-cbc”,“aes256-cbc”, “aes128-ctr”, “aes192-ctr”, “aes256-ctr”, “arcfour128”, “arcfour256”, “arcfour”, “blowfish-cbc”, and “cast128-cbc”.
The default is:
aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour -D port "Dynamic" Whenever a connection is made to this port, the connection is forwarded through the secure channel. The protocol requested determines the remote port. -e esc_char Selects the escape character.
The escape character can do clever things... ~. Disconnect.
~^Z Background ssh.
~# List forwarded connections.
~& Background ssh at logout when waiting for forwarded connection / X11 sessions to terminate.
~? Display a list of escape characters.
~B Send a BREAK to the remote system (only useful for SSH protocol version 2 and if the peer supports it).
~C Open command line. Currently this allows the addition of port forwardings using the -L, -R and -D options (see above). It also allows the cancellation of existing remote port-forwardings using -KR[bind_address:]port. !command allows the user to execute a local command if the PermitLocalCommand option is enabled in ssh_config(5). Basic help is available, using the -h option.
~R Request rekeying of the connection (only useful for SSH protocol version 2 and if the peer supports it). -F config_file Lets you use a special per-user configuration file for this connection. This is much easier if you have a lot of options than using a whole string of -o options. Your default per-user config file lives at:
The default system-wide config file lives at:
/etc/ssh/ssh_config -f Places SSH in the background before it runs the command. Example: ssh -f myhost.com xterm -g Remote hosts can connect to local forwarded ports.
This should be generally avoided. It gives access to local forwarded ports to your entire network -- potentially the whole Internet! -i identity_file Allows you to choose a non-standard identity file (public key) The default public key in SSH1 lives at:
SSH2 looks for your public key in:
in that order -L & -R The magic of port forwarding! How it works: -L <local port>:<remote host>:<remote port> Examples: ssh -L 3306:mysql.mycomputer.com:3306 firstname.lastname@example.org This will allow you to use a gui on your local computer to connect to mysql on the remote computer, ssh -L 8025:smtp.homeisp.net:25 email@example.com This will allow you to send email using your local client and your mail server's smtp even though your mail server won't send mail that comes from anywhere but localhost. Remember to tell your email client to send mail on port 8025. -R does the same in reverse! ssh -R 8022:localhost:22 firstname.lastname@example.org At work you type: At home you type: ssh -p 8022 username@localhost And poof!
Now you are connected to your work computer from home!! 2 things to know about this: Remember to use the username of the server you are logging into, not your localhost username. It only *looks* like you are logging into localhost. You are actually logging into the server you ran the reverse port forwarding command on earlier.
You will end up with a different key for localhost than you expect for your *real* localhost. To fix this, go into your known_hosts file and delete the localhost line. ssh -D 9999 email@example.com This is a SOCKS5 proxy. Start it like this: -o can be used to run options in the style used in the config file Example: ssh -o "VerifyHostKeyDNS ask" host.example.com -p port The default port for ssh is 22.
Closing port 22 and running the ssh daemon on a different port can cut down on intrusion attempts. Also, following a reverse port forwarding, the -p option lets you get to your remote server. Example: ssh -p 32200 firstname.lastname@example.org Apps with SSH scp Copy a file from a local computer to a location on a remote server:
scp index.php email@example.com:/var/httpdocs/index.php
Here's an example of how to copy a whole directory from a local computer to a remote server:
scp -r httpdocs/. firstname.lastname@example.org:/var/httpdocs/.
Copy a file from a remote computer with a weird port and put it in the current local directory:
scp -p 32200 email@example.com:/var/httpdocs/file.py . sftp Like regular ftp, only over an encrypted SSH connection. -X X11 forwarding Example: ssh -X firstname.lastname@example.org This allows you to run GUI programs on the remote server, but with all the GUI bits visible on your local computer. For instance, you would use this if you wanted to use gnumeric on the server via ssh connection.
CAUTION!! -X gives root to those who have root on the server, just like -A does. Use -Y for trusted X11 forwarding. -Y Trusted X11 forwarding Make sure server config has these lines: X11Forwarding yes
X11UseLocalhost yes Getting Started Create a Key ssh-keygen -t dsa Generating public/private dsa key pair.
Enter file in which to save the key (/home/localuser/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/localuser/.ssh/id_dsa.
Your public key has been saved in /home/localuser/.ssh/id_dsa.pub.
The key fingerprint is:
93:58:20:56:72:d7:bd:14:86:9f:42:aa:82:3d:f8:e5 email@example.com Pick a memorable, but unguessable passphrase. A quote, but not a famous one. Inside jokes can work, too. Make it long enough to be difficult to break. Client Configuration SSH Server "An SSH server is a software program which uses the secure shell protocol to accept connections from remote computers. SFTP/SCP file transfers and remote terminal connections are popular use cases for a SSH server." -- Wikipedia For man help with your ssh server, try: man sshd_config How it works "SSH uses public-key cryptography to authenticate the remote computer and allow it to authenticate the user, if necessary." - Wikipedia The first time you log into a remote machine the fingerprint is shown to the local user.
Once the fingerprint is accepted (manually or automatically) and the remote machine has accepted the local user's identity file (automatically), the rest of the traffic between the to machines over SSH is encrypted.
SSH then uses one of 5 authentication methods to determine if the local machine user has permission to login to the remote machine. How do I know if the fingerprint is right? Well, theoretically... You should be able to look up a key using the additional resource record, SSHFP in the DNS zonefile of a server with the command ssh -o "VerifyHostKeyDNS ask" host.example.com Not every server has that information in the DNS zonefile, however.
Instead, ask the server admin to send you the output from ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key On the client:
# ssh -f -w 0:1 192.168.1.15 true
# ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252
# route add 10.0.99.0/24 10.1.1.2
On the server:
# ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252
# route add 10.0.50.0/24 10.1.1.1 -w local_tun:remote_tun Tunnel device forwarding SSH obtains config data in the following order: Command-line options
~/.ssh/config (user's config file)
/etc/ssh/ssh_config (system config file) One useful ~/.ssh/config setup: Host *
ServerAliveCountMax 10 /etc/ssh/sshd_config Best advice for learning about config files is to open one up and look at it. Subsystem sftp /usr/lib/openssh/sftp-server Example of line in server config file to set up sftp: Who did this?! Lisha Sterling,
Education Hacker Teaching online, at hackerspaces and tech salons
Udemy, School Factory, Mothership HackerMoms, TechLiminal...
Supporting humanitarian hacks with Geeks Without Bounds
The BrainMeats! Podcast and
School Factory's Teachers' Conference 20 years professional experience Now programming, sysadmin, project and team management.
Wells Fargo Bank, Edusoft, Amazon, fring, Dassa Games... lishevita
Skype Contact: Thank you! http://alwayssababa.com