
Using Secure Shell on Linux: What Everyone Should Know

DESCRIPTION

Secure Shell, or SSH, is a network protocol that allows data to be exchanged over a secure channel. SSH is much more than just data being passed over the wire: it can be used to tunnel traffic for specific ports or applications across multiple servers. SSH is a must for anyone using Linux. If you haven't used SSH, then you have not used Linux! This session is designed for all technical staff or decision makers curious about great Linux tools and about making access to Windows services, remote desktops and remote servers easier and less complicated. During this session, we will demonstrate techniques to tunnel RDP sessions, SOAP sessions and HTTP sessions between remote systems.


Page 1: Using Secure Shell on Linux: What Everyone Should Know

Using SSH on Linux: Everyone Should Know This

Jared Jennings, Senior Consultant, Data Technique, Inc., [email protected]

Aaron Burgemeister, Technical Support Engineer, Novell, Inc., [email protected]

Page 2: Using Secure Shell on Linux: What Everyone Should Know

© Novell, Inc. All rights reserved.

What is SSH?

SSH is a Network Protocol

– NAT Friendly

– Secure

Cross-platform Support

Page 3: Using Secure Shell on Linux: What Everyone Should Know


SSH Experience?

• Heard of it?

• Used it?

• Tunneled?

• Forwarded GUI?

• Remote commands?

• File copies (scp or rsync over ssh)?

• Authentication other than passwords (keys, GSSAPI)?

• Came here just to find presenter inaccuracies?

Page 4: Using Secure Shell on Linux: What Everyone Should Know


Why Use SSH?

Accessibility

Fast

Allows data to be exchanged securely

– Port forwarding

– GUI forwarding

Page 5: Using Secure Shell on Linux: What Everyone Should Know


SSH Commands on Linux and Mac

SSH is standard on Linux, Unix and Mac

• SSH

• SCP

Page 6: Using Secure Shell on Linux: What Everyone Should Know


Available SSH Tools on Windows

• PuTTY – http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

• http://www.chiark.greenend.org.uk/~sgtatham/putty

– PLINK (great for scripting uses)

– Pageant (key material management)

– pscp (file management)

Page 7: Using Secure Shell on Linux: What Everyone Should Know


Available SSH Tools on Windows

WinSCP – http://winscp.net/eng/index.php

XMING – http://sourceforge.net/projects/xming

Cygwin – http://www.cygwin.com/

Page 8: Using Secure Shell on Linux: What Everyone Should Know


SSH Server (Daemons)

• The SSH daemon is supported by all OS's

– Linux/Unix/Mac OS X

– Windows must use third-party software to run the daemon

– NetWare® 6.5 SP3 or greater

• Multiple authentication back-ends

– Using PAM authentication

> Novell® eDirectory™, files, OpenLDAP

• Multiple authentication methods

– Password; Public Key

– Challenge/Response

– Kerberos

– Host-based

Page 9: Using Secure Shell on Linux: What Everyone Should Know

How Can SSH Be Used?

Page 10: Using Secure Shell on Linux: What Everyone Should Know


Basic SSH Connection

• Access files

• Control remote system

> ssh sshsvr.com -l ab   # explicit

> ssh [email protected]   # simple

Page 11: Using Secure Shell on Linux: What Everyone Should Know


Tunneling with SSH

SSH can tunnel just about any TCP traffic (IPv4 or IPv6)

Local forwarding/remote forwarding

Local forwarding – involves forwarding a socket from the client to the server

Remote forwarding – involves forwarding a socket from the server to the client

Page 12: Using Secure Shell on Linux: What Everyone Should Know


Tunneling with SSH: Purposes/Security

Benefits of tunneling

Connection from client to server is secure

– Regular connections from client to server may not otherwise be secure – rsync, http, etc.

Access an otherwise-inaccessible network

– Similar to a VPN, but without as much setup

– Access a single system with access to secure apps

Page 13: Using Secure Shell on Linux: What Everyone Should Know

Tunneling with SSH: Details

One side opens an address/port on the specified listening side

See the (by default) localhost-listening socket with netstat

SSH takes all TCP data from that address/port and sends it through the already-established SSH connection, alongside whatever else that connection is doing.

The opposite side sends the TCP data to the destination address/port as specified during the connection setup.

The TCP client, whose traffic is tunneled, thinks it is talking to the SSH machine on the listening side of the tunnel.

The TCP server, whose traffic is tunneled, thinks the SSH machine at the end of the tunnel is the TCP client.

Everything outside of the SSH participants and the TCP client and server just sees a single SSH connection sending data from time to time.
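The listening-side detail above is where tunnels go wrong in practice: a `-L` spec of the form `port:host:hostport` binds the listener to loopback by default, while `bind_address:port:host:hostport` can expose it to the whole network. The script below is an added example (not from the slides or from OpenSSH) that checks forward specs before handing them to `ssh`, refuses listeners that would not stay on loopback unless explicitly allowed, and offers the `netstat`/`ss` check the slide mentions. Host names such as `ssh_svr.com` and `http_server` are the deck's placeholders; `ALLOW_OPEN_BIND` and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the slides: sanity-check -L forwarding specs before
# passing them to ssh, and build the command line. ssh_svr.com, http_server
# and WindowsServer are the deck's placeholder names, not real hosts.

# forward_spec_bind SPEC
# Accepts the OpenSSH forms  port:host:hostport  and  bind:port:host:hostport
# (bracketed IPv6 literals are not handled) and prints the address the
# listening side will bind; an empty result means the default, loopback.
forward_spec_bind() {
  spec=$1
  n=$(( $(printf '%s' "$spec" | tr -cd ':' | wc -c) ))
  case $n in
    2) bind=''; rest=$spec ;;
    3) bind=${spec%%:*}; rest=${spec#*:} ;;
    *) echo "bad forward spec: $spec" >&2; return 1 ;;
  esac
  lport=${rest%%:*}; rest=${rest#*:}
  host=${rest%%:*}; rport=${rest#*:}
  for p in "$lport" "$rport"; do
    case $p in
      ''|*[!0-9]*) echo "bad port in $spec" >&2; return 1 ;;
    esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port out of range in $spec" >&2; return 1; }
  done
  [ -n "$host" ] || { echo "empty destination host in $spec" >&2; return 1; }
  printf '%s\n' "$bind"
}

# bind_is_loopback BIND -> 0 when the listener is reachable from this machine only
bind_is_loopback() {
  case $1 in
    ''|localhost|127.0.0.1|::1) return 0 ;;
    *) return 1 ;;
  esac
}

# build_tunnel_cmd USER@HOST SPEC... -> prints an "ssh -N" command line (no
# remote shell, tunnels only), or fails if a spec is malformed or would expose
# the listener beyond loopback. ALLOW_OPEN_BIND=1 (this example's own switch)
# permits an open bind deliberately.
build_tunnel_cmd() {
  target=$1; shift
  cmd="ssh -N $target"
  for spec in "$@"; do
    bind=$(forward_spec_bind "$spec") || return 1
    if ! bind_is_loopback "$bind" && [ "${ALLOW_OPEN_BIND:-0}" != 1 ]; then
      echo "refusing $spec: listener would bind $bind, not loopback" >&2
      return 1
    fi
    cmd="$cmd -L $spec"
  done
  printf '%s\n' "$cmd"
}

# listener_addr PORT -> once the tunnel is up, print what the local listener is
# actually bound to (the slide's netstat check), using ss where available.
listener_addr() {
  if command -v ss >/dev/null 2>&1; then
    ss -ltn 2>/dev/null | awk -v p=":$1" '$4 ~ p"$" { print $4 }'
  else
    netstat -ltn 2>/dev/null | awk -v p=":$1" '$4 ~ p"$" { print $4 }'
  fi
}

# Usage:
#   build_tunnel_cmd ab@ssh_svr.com 1080:http_server:80 13389:WindowsServer:3389
#   listener_addr 1080     # expect 127.0.0.1:1080 after the tunnel is established
```

Running `listener_addr` after the tunnel is up is the confirmation step: a listener reported as `0.0.0.0:1080` or `*:1080` means anyone who can reach the client machine can use the tunnel, which is usually not what was intended.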

Page 14: Using Secure Shell on Linux: What Everyone Should Know

HTTP (Web Server)

[Diagram: Client in Insecure Land → Firewall Forwarding SSH → SSH Server → Web Server]

ssh [email protected] -L 1080:http_server:80

Page 15: Using Secure Shell on Linux: What Everyone Should Know

HTTP: Making a Connection

Making the SSH connection:

ssh sshsvr.com -L 1080:http_server:80

Pointing the web browser to the site:

http://localhost:1080/rest/of/the/url.html

Page 16: Using Secure Shell on Linux: What Everyone Should Know


Novell® GroupWise®

ssh [email protected] -L 1677:groupWise_server:1677

Page 17: Using Secure Shell on Linux: What Everyone Should Know

Novell® GroupWise®: Making a Connection

Making the SSH connection:

ssh [email protected] -L 1677:groupWise_server:1677

Starting the Novell GroupWise client:

grpwise.exe -ipa=localhost -ipp=1677

Page 18: Using Secure Shell on Linux: What Everyone Should Know

Remote Desktop (RDP): Making a Connection

Making the SSH connection:

ssh [email protected] -L 13389:WindowsServer:3389

Starting the Linux RDP client:

rdesktop localhost:13389

Page 19: Using Secure Shell on Linux: What Everyone Should Know

Multiple Connections

ssh [email protected] -L 1080:http_server:80 -L 3389:broken_windows:3389 -L 19001:groupwise_server:1677

Single Tunnel Point

Multiple Destinations

Multiple Ports

Page 20: Using Secure Shell on Linux: What Everyone Should Know

Redirecting X (GUI)

Page 21: Using Secure Shell on Linux: What Everyone Should Know

Redirecting the “GUI”

Redirecting the graphical screens of the remote computer (installation, application) to the local computer

Very simple: redirect Skype

Redirect the GroupWise® installer

Page 22: Using Secure Shell on Linux: What Everyone Should Know

From Linux/Mac to Linux

• Very simple

• Native support

• Redirect

– YaST – SUSE® Linux setup tool

– Skype – VoIP application

– Installs – anything else

ssh [email protected] -X

Page 23: Using Secure Shell on Linux: What Everyone Should Know

From Windows to Linux

• Not as simple

• No native support

• Still works

Enable X redirection and use one of the following X servers:

– xming > http://sourceforge.net/projects/xming

– XwinLogon > http://www.calcmaster.net/visual-c++/xwinlogon/

– LabF's WinaXe > http://www.labf.com/winaxeplus/index.html

Page 24: Using Secure Shell on Linux: What Everyone Should Know

Copying Files with SSH

Page 25: Using Secure Shell on Linux: What Everyone Should Know


Simple File Copy with SSH

• Very simple

• Fairly fast

• Secure

• Supports entire directory structures

• Same syntax as cp (copy) except with a host

– Can actually function as a local cp command

scp ./file [email protected]:/home/ab/   # here to there

scp [email protected]:/home/ab/file ./   # there to here

Page 26: Using Secure Shell on Linux: What Everyone Should Know


RSYNC Over SSH

• Very simple

• Requires RSYNC client

• Synchronizes whole folder structures

rsync -avz -e ssh source_dir [email protected]:/dest_path

Page 27: Using Secure Shell on Linux: What Everyone Should Know

Running Remote Commands with SSH

Page 28: Using Secure Shell on Linux: What Everyone Should Know


Commands Run Remotely

• Output returned to client machine sending command

• Makes connection, runs, and exits

• Useful for monitoring/configuring/patching remote machines

ssh ab@ssh_svr 'ps aux'

ssh -t ab@ssh_svr 'top -d1 -n1'

Page 29: Using Secure Shell on Linux: What Everyone Should Know

Key Material Management and Usage

Page 30: Using Secure Shell on Linux: What Everyone Should Know


Key Material

• Makes the authentication MORE secure

– Disable passwords to prevent successful brute-forcing

• Allows for un-prompted authentication

– Immediate access to the system; automated scripting possible

– Provide access to the system without ever giving out the password; can also change identities or use multiples

Steps Involved:

1. Generate the client keys

2. Copy the public key to the remote machine

3. Log in as usual
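Step 2 and the "disable passwords" point are where this goes wrong most often: sshd refuses a world-readable `authorized_keys` or `~/.ssh` when `StrictModes` is on (the default), and a `PasswordAuthentication no` line appended at the bottom of `sshd_config` does nothing if an earlier line already sets the keyword, because sshd uses the first value it finds. The script below is an added example, not the slides' or OpenSSH's own code: it installs a public key idempotently with the right permissions and checks what a given `sshd_config` would actually enforce. The key line and config snippets are constructed; function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the slides: the "copy the public key over" step done
# idempotently with the permissions sshd insists on, plus a check that password
# logins are really off once keys work. Paths and key material are constructed.

# install_pubkey AUTHORIZED_KEYS_FILE PUBKEY_LINE
# Appends the key only if that exact line is absent; sets ~/.ssh to 700 and
# authorized_keys to 600, since sshd (StrictModes) refuses looser permissions.
install_pubkey() {
  file=$1; key=$2
  dir=$(dirname "$file")
  mkdir -p "$dir" && chmod 700 "$dir"
  [ -f "$file" ] || : > "$file"
  chmod 600 "$file"
  if ! grep -qxF -- "$key" "$file"; then
    printf '%s\n' "$key" >> "$file"
  fi
}

# count_keys FILE -> number of key lines (comments and blanks ignored)
count_keys() {
  grep -c -E '^(ssh-|ecdsa-|sk-)' "$1" || true
}

# sshd_effective SSHD_CONFIG KEYWORD -> the value sshd would use for KEYWORD.
# sshd takes the FIRST occurrence of each keyword (case-insensitive), so a
# hardening line added at the end of the file loses to an earlier one.
# Match blocks are not modelled here.
sshd_effective() {
  awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == kw { print $2; exit }
  ' "$1"
}

# keys_only_ok SSHD_CONFIG -> 0 when public keys work and passwords are off.
# PubkeyAuthentication defaults to yes, so an absent keyword counts as enabled.
keys_only_ok() {
  cfg=$1
  [ "$(sshd_effective "$cfg" PubkeyAuthentication)" != no ] || return 1
  [ "$(sshd_effective "$cfg" PasswordAuthentication)" = no ] || return 1
  # keyboard-interactive (through PAM) can still prompt for the password; the
  # keyword was renamed from ChallengeResponseAuthentication to
  # KbdInteractiveAuthentication in newer OpenSSH, so accept either set to no
  cr=$(sshd_effective "$cfg" ChallengeResponseAuthentication)
  ki=$(sshd_effective "$cfg" KbdInteractiveAuthentication)
  [ "$cr" = no ] || [ "$ki" = no ]
}

# Usage (key line is constructed, not a real key):
#   install_pubkey /home/ab/.ssh/authorized_keys \
#     'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDNOTAREALKEY0000000000000000000 ab@laptop'
#   keys_only_ok /etc/ssh/sshd_config && echo "password logins are off"
```

Run `keys_only_ok` before restarting sshd, and keep one session open while you test key login from a second one; if the key path is broken you still have a way back in to fix it.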

Page 31: Using Secure Shell on Linux: What Everyone Should Know

SSH Proxy Server

Page 32: Using Secure Shell on Linux: What Everyone Should Know


SSH to Proxy Traffic

• Uses:

– Lets you access content despite your client-side filters

– Lets you access proxy-enabled services securely

– Does NOT proxy DNS requests unless the DNS-using application knows to send DNS via the same connection

ssh ab@ssh_svr.com -D 5555

# connect and use 5555 as the SOCKS port locally,
# then forward all proxy-able data through ssh_svr.com

Page 33: Using Secure Shell on Linux: What Everyone Should Know


SSH to Proxy Traffic - Browser

• Configure your browser's proxy to point to

– 127.0.0.1:5555 (or whichever socket is configured to listen on the client side)

Do not configure other fields to use this!!

Page 34: Using Secure Shell on Linux: What Everyone Should Know

SSH Troubleshooting

Page 35: Using Secure Shell on Linux: What Everyone Should Know


SSH Troubleshooting

• Understand the technology and feature

– TCP-based

– Tunneling/proxying opens sockets

– X-forwarding requires X libraries on the forwarding side, X server on the forwarded side

– Authentication can happen in multiple ways

• Test another system

– Maybe client or server is a lemon, e.g. running Windows :-)

• Use the -v[v[v]] options from the command line

– More 'v's mean more verbose... lots of good data in here

– Get a baseline BEFORE it breaks
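"Get a baseline before it breaks" is easier when the verbose output is reduced to a few stable facts rather than kept as a raw capture. The script below is an added example (not from the slides) that pulls the host-key verdict, the authentication methods offered, the method that actually succeeded, and the local forwarding listeners out of `ssh -v` output and compares two captures. The two samples are constructed: they follow the shape of real OpenSSH `debug1:` lines, but the host, address and fingerprint values are invented.

```shell
#!/bin/sh
# Added example, not from the slides: summarise ssh -v client output into a
# few stable facts and diff a known-good baseline against a failing run.
# Both samples below are constructed (real line shapes, invented values).

SAMPLE_OK=$(cat <<'EOF'
debug1: Connecting to ssh_svr.com [192.0.2.10] port 22.
debug1: Connection established.
debug1: Server host key: ssh-ed25519 SHA256:CONSTRUCTEDFINGERPRINT00000000000000000000000
debug1: Host 'ssh_svr.com' is known and matches the ED25519 host key.
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/ab/.ssh/id_ed25519 ED25519 SHA256:CONSTRUCTEDKEYFINGERPRINT000000000000
debug1: Authentication succeeded (publickey).
debug1: Local connections to LOCALHOST:1080 forwarded to remote address http_server:80
debug1: Local forwarding listening on 127.0.0.1 port 1080.
EOF
)

SAMPLE_BROKEN=$(cat <<'EOF'
debug1: Connecting to ssh_svr.com [192.0.2.10] port 22.
debug1: Connection established.
debug1: Server host key: ssh-ed25519 SHA256:DIFFERENTCONSTRUCTEDFINGERPRINT000000000000000
Warning: Permanently added 'ssh_svr.com' (ED25519) to the list of known hosts.
debug1: Authentications that can continue: password
debug1: Next authentication method: password
EOF
)

# auth_method_used TEXT -> method named in "Authentication succeeded (...)" or "none"
auth_method_used() {
  m=$(printf '%s\n' "$1" | sed -n 's/^debug1: Authentication succeeded (\([a-z-]*\))\.$/\1/p' | tail -n1)
  printf '%s\n' "${m:-none}"
}

# offered_auth_methods TEXT -> the server's last advertised method list
offered_auth_methods() {
  printf '%s\n' "$1" | sed -n 's/^debug1: Authentications that can continue: //p' | tail -n1
}

# host_key_status TEXT -> known | added-new | unknown
# "added-new" on a host you have used before means the known_hosts entry is
# gone or the client is looking at a different known_hosts file; worth a look.
host_key_status() {
  if printf '%s\n' "$1" | grep -q 'is known and matches the .* host key'; then
    echo known
  elif printf '%s\n' "$1" | grep -q '^Warning: Permanently added'; then
    echo added-new
  else
    echo unknown
  fi
}

# forward_listeners TEXT -> one addr:port line per local forwarding listener
forward_listeners() {
  printf '%s\n' "$1" | sed -n 's/^debug1: Local forwarding listening on \(.*\) port \([0-9]*\)\.$/\1:\2/p'
}

# summarize TEXT -> key=value lines, the part of a capture worth keeping
summarize() {
  printf 'auth=%s\n' "$(auth_method_used "$1")"
  printf 'offered=%s\n' "$(offered_auth_methods "$1")"
  printf 'hostkey=%s\n' "$(host_key_status "$1")"
  forward_listeners "$1" | sed 's/^/listener=/'
}

# baseline_diff BASELINE_TEXT CURRENT_TEXT -> 0 if the summaries match,
# otherwise prints both and returns 1
baseline_diff() {
  b=$(summarize "$1"); c=$(summarize "$2")
  [ "$b" = "$c" ] && return 0
  printf 'baseline:\n%s\ncurrent:\n%s\n' "$b" "$c"
  return 1
}

# Usage: capture a baseline while things work, then compare later:
#   ssh -v ab@ssh_svr.com -L 1080:http_server:80 -N 2> baseline.log
#   baseline_diff "$(cat baseline.log)" "$(cat today.log)"
```

Against the two constructed samples, the summary of the broken run shows `auth=none`, `offered=password` and `hostkey=added-new` with no listener line, which points at the two things to check first: the public key is no longer accepted server-side, and the host was re-added to known_hosts.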

Page 36: Using Secure Shell on Linux: What Everyone Should Know


Demo

• Novell® Remote

– Give access to specific services in a restricted environment

– Useful for support to access environments behind firewall

– Share access to a VM environment (NAT, Host-only)

• Audience Demo

– Requirement: Network Access; support.novell.com account preferably

Page 37: Using Secure Shell on Linux: What Everyone Should Know
Page 38: Using Secure Shell on Linux: What Everyone Should Know

Unpublished Work of Novell, Inc. All Rights Reserved.

This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.