ssh and scp Eric McCreath
2 ssh "ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP ports can also be forwarded over the secure channel. ssh connects and logs into the specified hostname (with optional user name). The user must prove his/her identity to the remote machine using one of several methods depending on the protocol version used" - from the ssh manual (man page)
3 Authentication ssh uses a client server model. The server on the remote machine you wish to log into listens on port 22 for clients to connect. When the client connects with the server a secret session key is agreed by both parties. This session key is used for encrypting communication between the client and the server. This session key is never passed between the client and server. Rather, a Diffie-Hellman approach is used. ssh can use a number of authentication approaches. The main ones are: password based authentication (assuming the remote machine permits this), public key authentication.
4 Symetric Key Cryptography In symmetric key cryptography the same key is used for encryption and decryption of a message. Common symetric key approaches are: DES, 3DES, AES, and TwoFish. Alice Bob
Diffie-Hellman-Merkle key Exchange Scheme 5 The problem with symmetric key cryptography is "How do you share keys over an unsecured channel?" In about 1976 Diffie, Hellman and Merkle came up with what is known as the Diffie-Hellman-Merkle key exchange scheme. Alice???? Bob Eve
Diffie-Hellman-Merkle key Exchange Scheme 6 Alice Alice thinks up a random number, say 4. This is not shared. Both Alice and Bob know the number 5 and 7 (we can assume Eve may also know them) Bob Bob also thinks up a random number, say 3. This is not shared. 5^4 (mod 7) =2 5^3 (mod 7) = 6 2 6 6^4 (mod 7) = 1 2^3 (mod 7) = 1 So both Alice and Bob share the same key, namely 1. Even if Eve sees 5,7,2, and 6, because "a^x (mod b)" is easy to calculate but hard to invert it is difficult for Eve to work out the shared key.
Asymetric Key Cryptography In asymmetric key cryptography two keys are used. encryption and a different one for decryption. One for Alice Bob In 1973 Diffie came up with this great idea of using two different keys. In 1977 Rivest, Shamir and Adleman worked out a way of implementing it (RSA). 7
8 password authentication password ssh sshd client password server PAM Strengths: simple - you don't need to store or maintain keys so you can log in from different clients, generally people will have a password on a unix based system when they obtain an account. Weaknesses: people forget their passwords people use the same password for different systems passwords can be guessed
9 Public Key Authentication ssh_keygen private key public key passphrase ~/.ssh/authorized_keys ssh encrypted private key sshd passphrase private key public key remote login client server
10 Public Key Authentication Public Key Authentication provides you with 2 factors. Namely, something you know, the passphrase, and something you have, the encrypted private key. This approach, combined with an authentication agent, such as ssh-agent, provides one with a convenient and secure way of accessing a remote machine. Weaknesses of this approach include: the server can not check that strong passphrases are used (or even if a passphrases is used at all!) if someone is able to alter the authorized_keys file then they could include an extra key which may not be detected.
11 authorized_keys The ~/.ssh/authorized_keys file holds a list of public keys that are authorized for logging in as the user. Lines starting with "#" are ignored, and can be used for comments. Each line in the file has: options [which are optional], key type, encoded public key, and a comment. Options are comma separated without spaces and can be used to control and constrain what the user can assess with that particular key. Two useful options include: command="command" which specifies the command to be used when this key is used, from="pattern-list" which only permits authentication from particular host name or IP address. see: 'man sshd' for the details of the format and options.
12 ssh_config The ssh "-i" option enables you to select a specific private key to use. Note the default is ~/.ssh/id_rsa or ~/.ssh/id_dsa. Also a configuration file may be used to control which private key to use for which server.
13 scp and rsync The scp command uses ssh to provide a secure remote file copy program. The command line option works in a similar way to the normal cp command however you man also specify a remote user and host. e.g. To copy a file to my RSCS account I could: $ scp file.txt u1234567@partch.anu.edu.au: rsync is a fast and versatile tool for copying files and directories. It is designed to reduce the amount of data sent over the Internet by only sending the files that are different. It may use ssh as the remote-shell program for the transport. It was originally developed by our own Andrew Tridgell and Paul Mackerras.
14 Port Forwarding ssh enables you to forward ports between a client machine and a remote server. This enables you to obtain a secure connection for what may be an insecure service. It also enables you to access resources that sit behind a firewall. For e.g. Say I run a web server at home for sharing files between my various devices. It sits behind a firewall so it is not exposed to the internet. However, I do permit ssh (port 22) access from external machines to my home server. If I wanted to access my home web server from work, I could create a tunnel using ssh with: % ssh -L 5432:localhost:80 myname@myhomecomputeripaddress X11 forwarding can be done (if the server permits) using ssh.