Advanced OpenSSH! PLUG Jan 2, 2014 Carlos Aguayo

Similar documents
SSH The Secure Shell

Pro OpenSSH. Michael Stahnke. Apress* =# # w^ l&l ## frsft. *,«.,*

SSH and FTP on Ubuntu WNYLUG Neal Chapman 09/09/2009

Secure Shell. The Protocol

Contents. Part 1 SSH Basics 1. Acknowledgments About the Author Introduction

OpenSSH: Secure Shell

SSH! Keep it secret. Keep it safe

Connectivity using ssh, rsync & vsftpd

Secure access to the DESY network using SSH

File transfer clients manual File Delivery Services

Know your tools SSH. Dariusz Puchalak Dariusz_Puchalak < at > ProbosIT.pl

WinSCP PuTTY as an alternative to F-Secure July 11, 2006

SSH with private/public key authentication

TS-800. Configuring SSH Client Software in UNIX and Windows Environments for Use with the SFTP Access Method in SAS 9.2, SAS 9.3, and SAS 9.

CS615 - Aspects of System Administration

Security Configuration Guide P/N Rev A05

Securing Windows Remote Desktop with CopSSH

10/23/12. Fundamentals of Linux Platform Security. Linux Platform Security. Roadmap. Security Training Course. Module 9 Application Security

PENN. Social Sciences Computing a division of SAS Computing. SAS Computing SSC. Remote Computing. John Marcotte Director of SSC.

Experimental Techniques 8

TELE 301 Network Management. Lecture 16: Remote Terminal Services

A SHORT INTRODUCTION TO BITNAMI WITH CLOUD & HEAT. Version

Overview. Remote access and file transfer. SSH clients by platform. Logging in remotely

Install and configure SSH server

Securing Windows Remote Desktop with CopSSH

CONNECTING TO DEPARTMENT OF COMPUTER SCIENCE SERVERS BOTH FROM ON AND OFF CAMPUS USING TUNNELING, PuTTY, AND VNC Client Utilities

If you prefer to use your own SSH client, configure NG Admin with the path to the executable:

Remote access. Contents

SERVER HARDENING. Presented by: Daniel Waymel and Corrin Thompson at TexSAW 2014 at the University of Texas at Dallas

SSSD and OpenSSH Integration

Configuring for SFTP March 2013

CASHNet Secure File Transfer Instructions

Connecting to Linux From Other Systems

IBM eserver iseries ITSO Technical Forum 2005

ASX SFTP External User Guide

Debian/GNU Linux Remote Services

Introduction à OpenSSH

F-Secure SSH. for Windows. User s Guide

Tighter SSH Security with Two-Factor

Using WinSCP to Transfer Data with Florida SHOTS

Using SFTP on the z/os Platform

MobaXTerm: A good gnome-terminal like tabbed SSH client for Windows / Windows Putty Tabs Alternative

An Overview of the Secure Shell (SSH)

Tunnel VNC through SSH Tutorial Version 1

TELNET CLIENT 5.11 SSH SUPPORT

Exam Questions SY0-401

Using sftp in Informatica PowerCenter

Setting up Kerberos, AFS, and Putty on Windows Vista/Windows 7

Cryptography: RSA and Factoring; Digital Signatures; Ssh

Secure File Transfer Installation. Sender Recipient Attached FIles Pages Date. Development Internal/External None 11 6/23/08

Advanced Network and System Administration

F-Secure. Securing the Mobile Distributed Enterprise. F-Secure SSH User's and Administrator's Guide

SSH, SCP, SFTP, Denyhosts. Süha TUNA Res. Assist.

How to Tunnel Remote Desktop Through SSH on a Windows Computer

Configure Backup Server for Cisco Unified Communications Manager

finger, ftp, host, hostname, mesg, rcp, rlogin, rsh, scp, sftp, slogin, ssh, talk, telnet, users, w, walla, who, write,...

What IT Auditors Need to Know About Secure Shell. SSH Communications Security

WHITE PAPER. Internet File Transfers: Security Holes and How to Fix Them. Contents. Introduction The Problem with FTP... 1

Redpaper. Securing Communications with OpenSSH on IBM i5/os. Front cover. ibm.com/redbooks. Learn how to install, configure, and use SSH with i5/os

Obtaining a user account and password: To obtain a user account, please submit the following information to AJRR staff:

File Transfer Examples. Running commands on other computers and transferring files between computers

There are many different ways in which we can connect to a remote machine over the Internet. These include (but are not limited to):

Connecting to the School of Computing Servers and Transferring Files

Testing New Applications In The DMZ Using VMware ESX. Ivan Dell Era Software Engineer IBM

Network Management Card Security Implementation

OpenVPN over SSH tunneling

Rapid Access Cloud: Se1ng up a Proxy Host

Authentication in a Heterogeneous Environment

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24

Configuring and Tuning SSH/SFTP on z/os

VHA Innovations Program Future Technology Laboratory. Linux Workstation Remote Desktop Connection Manual

Laboration 3 - Administration

SSH Client Alternatives

Security of information systems secure file transfer

Defeating Firewalls : Sneaking Into Office Computers From Home

Miami University RedHawk Cluster Connecting to the Cluster Using Windows

Guide to the Configuration and Use of SFTP Clients for Uploading Digital Treatment Planning Data to IROC RI

Linux Server Configuration Guidelines

axsguard Gatekeeper Command Line Interface How To v1.6

Online Banking for Business Secure FTP with SSH (Secure Shell) USER GUIDE

MySQL Quick Start Guide

HPCC - Hrothgar Getting Started User Guide

Secure File Multi Transfer Protocol Design

Centers for Medicare and Medicaid Services. Connect: Enterprise Secure Client (SFTP) Gentran. Internet Option Manual

GPFS and Remote Shell

SSH Secure Shell. Administrator s Guide

Access Instructions for United Stationers ECDB (ecommerce Database) 2.0

Back Up Linux And Windows Systems With BackupPC

SSH. Introduction. SSH Private Key

Adobe Marketing Cloud Using FTP and sftp with the Adobe Marketing Cloud

CreationDirect. Clearstream file transfer connectivity solutions

Pragma FortressSSH 5.0

Firewall User's Overview

Active Defense and Prevention

RSA SecurID Token User Guide February 12, 2015

Getting Started with Oracle Data Mining on the Cloud

RETRIEVING NMR DATA JB Stothers NMR Facility Materials Science Addition 0216 Department of Chemistry Western University

Nessus Training Session 2 - Scanning and Reporting

MATLAB on EC2 Instructions Guide

Security Protocols: SSH. Michael E. Locasto University of Calgary

Transcription:

Advanced OpenSSH! PLUG Jan 2, 2014 Carlos Aguayo

Advanced OpenSSH Basic Usage Authentication Methods Keys and Agents Remote X Windows Tunnels and Port Forwarding Client Configuration Server Configuration

Basic Usage Secure access to remote command-line Replaces telnet, rlogin, and rsh Requires support on remote end Remote shell on a firewall or jump host ssh hostname If at first you don t succeed... ssh -v user@hostname

Escape Sequence ssh -e <char> user@hostname Default escape character is the tilde: ~ ~. - terminate connection ~^Z - suspend ssh ~# - list forwarded connections ~& - background ssh ~? - this message ~~ - send the escape character upstream by typing it twice

Basic PuTTY

Authentication Methods Password * Public Key Exchange * GSSAPI (Kerberos) Host equivalence Challenge/Response! Remote host handles authentication

Private and Public Keys New Key Pair Creation: ssh-keygen -t rsa -b 2048 * Choose a memorable passphrase!! - Private key is used by client Default is ~/.ssh/id_rsa - Public key is copied to remote servers Default is ~/.ssh/id_rsa.pub

Public Keys Public Keys in Linux and UNIX: ~/.ssh/known_hosts and ~/.ssh/authorized_keys are checked by sshd on incoming connections - Client presents a checksum based on private key - Server uses public key to validate checksum

Authentication Agents Many different ways of doing agent-based auth ssh-agent in Linux and UNIX Pageant for PuTTY on Windows Some keychain facilities provide ssh agents Can use one or many keys for different uses Even sudo supports it now: pam_ssh_agent_auth

Linux Agent Authentication The agent itself is a background process, invoked as % eval `ssh-agent -s` Runs ssh-agent, which forks and outputs shell commands to set up the environment for ssh -A ssh-add to add key(s) ssh-add -l to list active keys Then, subsequent ssh authentication is relegated back up the chain to the originating ssh client

PuTTY Agent Authentication PuTTY and WinSCP both use Pageant for agent auth Pageant idles in the system tray until a private key is loaded You can load multiple keys, but they have to be.ppk Puttygen is used to import an OpenSSH rsa key It s harder to go the other way!

PuTTY Agent Authentication

Port Forwarding SSH tunnel encapsulates traffic Encryption Compression Remote X Windows VNC example (Linux and putty) Database server example (cmd line)

X11 Forwarding X11 support is built into OpenSSH ssh -X user@host The client s DISPLAY environment variable is passed along to remote shell ssh provides a proxy X server to forward remote display traffic through the tunnel ssh also creates an Xauthority cookie and validate that the forwarded traffic uses this token, not the real Xauth cookie

SSH Tunnel for VNC Remote Laptop vncviewer connecting to Firewalled Server laptop% ssh -L 5901:localhost:5901 user@dbserv dbserv% vncserver :1 -localhost laptop% vncviewer localhost:5901 & Note: TigerVNC s vncviewer includes ssh support, -via flag

PuTTY Tunnel for VNC

Local Tunnel for DB Example: Laptop to DB Server via port-forwarding ssh -L 3306:localhost:3306 dbuser@dbserv Now we make a local connection to mysql mysql -h localhost -u dbuser dbname

Remote Tunnel for DB Ex. 1: Jump host to DB Server ssh -L 3306:localhost:3306 dbuser@dbserv mysql -h localhost -u dbuser dbname Ex. 2: Remote Laptop to DB Server ssh -L 3306:dbserv:3306 user@jumphost mysql -h localhost -u dbuser dbname

scp and sftp Secure remote copy over an ssh tunnel Replaces rcp and ftp Supports compression, as in, ssh -C scp files hostname:remote-dir scp -rc dir hostname:remote-dir Many GUI clients enable drag-n-drop WinSCP for Windows, Cyberduck for Mac

Client Configuration A great many ssh client options can be set in ~/.ssh/options or /etc/ssh/ssh_config Examples: ForwardAgent yes KeepAlive yes ServerAliveInterval 12 RSAAuthentication yes GSSAPIAuthentication no ForwardX11 no

Server Configuration Again, many sshd options can be set in /etc/ssh/sshd_config Examples: Protocol 2 PermitRootLogin no PasswordAuthentication yes GSSAPIAuthentication no X11Forwarding no TCPKeepAlive yes

References - http://www.openssh.org man pages, RFC s, history, etc. - SSH Mastery: OpenSSH, PuTTY, Tunnels, and Keys by Michael W Lucas - http://www.evans.io/posts/ssh-agent-for-sudoauthentication/

Time For Your Questions Carlos Aguayo caguayo@gmail.com

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information