470 likes | 498 Views
Secure Connections to NERSC Systems Using the Secure Shell (SSH). Jed Donnelley http://www.nersc.gov/~jed 6/21/1999. Using SSH to connect to Unix. Use From: Unix PC/Mac Secure “Telnet” ssh, slogin X Windows automatic manually specified Data Transfer scp, ftp ftp
E N D
Secure Connections to NERSC Systems Using the Secure Shell (SSH) Jed Donnelley http://www.nersc.gov/~jed 6/21/1999
Using SSH to connect to Unix • Use From: UnixPC/Mac • Secure “Telnet” ssh, slogin • X Windows automatic manually specified • Data Transfer scp, ftp ftp • Authentication ssh-keygen Key generation Wizard DataFellows: http://www.datafellows.fi/ Secure Connections to NERSC Systems Using the Secure Shell (SSH)
Basic Facilities Offered by SSH 1. An encrypted channel for control (e.g. “Telnet”) communication. 2. Plumbing (aka forwarding, tunneling): multiplexing of IP forwarded communication across the encrypted channel. (e.g. for X Windows, FTP, POP email, etc.) 3. Authentication: Public key authentication for users and servers. Allows use of a single passphrase rather than multiple passwords. Local Host SSH Client Remote Host SSH Daemon Secure Channel Secure Connections to NERSC Systems Using the Secure Shell (SSH)
Simplest form - a secure “Telnet”(“normal” case) mordor 1: ssh mcurie Host 'mcurie' added to the list of known hosts. Password: ---------------------------------------------------------------------- * * * W A R N I N G W A R N I N G * * * U.S. GOVERNMENT COMPUTER If not authorized to access this system, disconnect NOW. YOU SHOULD HAVE NO EXPECTATION OF PRIVACY. By continuing, you consent to your keystrokes and data content being monitored. … Your terminal type is vt100. Your current working directory is /u/mpccc/jed. % Secure Connections to NERSC Systems Using the Secure Shell (SSH)
Simplest form - a secure “Telnet”(first time connecting to this host) mordor 6: ssh www.nersc.gov Host key not found from the list of known hosts. Are you sure you want to continue connecting (yes/no)? yes Host ’www.nersc.gov' added to the list of known hosts. Creating random seed file ~/.ssh/random_seed. This may take a while. jed@www.nersc.gov’sPassword: Last login: Wed Mar 10 11:07:08 1999 from gondor.nersc.gov No mail. Sun Microsystems Inc. SunOS 5.6 Generic August 1997 ***************************************************** Welcome to the primary NERSC Web server. Please report any problems or concerns to consult@nersc.gov or x8600 ****************************************************** gondor.nersc.gov% Secure Connections to NERSC Systems Using the Secure Shell (SSH)
SSH “Telnet” - a PC/Mac Example Generally recommended Secure Connections to NERSC Systems Using the Secure Shell (SSH)
PC SSH - the Resulting Connection Note: If you set $DISPLAY you will break X forwarding. You can, however, specify a -display option to xclock Secure Connections to NERSC Systems Using the Secure Shell (SSH)
Example: SSH from Unix % ssh killeen jed@killeen's password: ---------------------------------------------------------------------- … Your current working directory is /u/ccc/jed. % printenv DISPLAY killeen:36.0 % xclock & [1] 16332 % Secure Connections to NERSC Systems Using the Secure Shell (SSH)
Advanced Facilities 1. An encrypted channel for control (e.g. “Telnet”) communication. 2. Plumbing (aka forwarding, tunneling): multiplexing of forwarded IP communications across the encrypted channel. (e.g. for X Windows, FTP, POP email, etc.) 3. Authentication: Public key authentication for users and servers.Allows use of a single passphrase rather than multiple passwords. Local Host SSH Client Remote Host SSH Daemon Secure Channel Secure Connections to NERSC Systems Using the Secure Shell (SSH)
SSH Plumbing: IP Forwarding(Tunneling) User Terminal Input Secure Channel User Shell Local Host SSH Client Remote Host SSH Daemon IP Fwd Server IP Fwd Client e.g. X, FTP Non-secure data channel Note: Firewalls may affect this Connection in different directions Secure Connections to NERSC Systems Using the Secure Shell (SSH)
SSH Port Forwarding: FTP example User Terminal Input/output Secure Channel User Shell Local SSH Client Remote SSH Daemon S. port Port Fwd Server, FTP demon D. port Port Fwd Client, FTP client FTP data connection Not secured Secure Connections to NERSC Systems Using the Secure Shell (SSH)
X Windows Forwarding - Automatic Not defaulted on PC Secure Connections to NERSC Systems Using the Secure Shell (SSH)
Configuration for Forwarded FTP Secure Connections to NERSC Systems Using the Secure Shell (SSH)
FTP Data Transfer Configuration PC example: WS_FTP Note: Important for data connections Secure Connections to NERSC Systems Using the Secure Shell (SSH)
When the Data Connection is Established Secure Connections to NERSC Systems Using the Secure Shell (SSH)
When the Data Connection Fails Active/Passive mode failure indication Secure Connections to NERSC Systems Using the Secure Shell (SSH)
Very Similar on a Macintosh Mac example: “Fetch” Connection dialog Remote system file list Secure Connections to NERSC Systems Using the Secure Shell (SSH)
FTP Tunneling under Unix • Requires two windows on your local workstation • In window 1, set up the forwarded port while making a “regular” ssh terminal connection: ssh -L forwarded_port:forwarded_host:host_porthost E.g. % ftp -L 2000:killeen.nersc.gov:21 killeen.nersc.gov SSH on your workstation listens for any outgoing connections using port 2000, and forwards them to port 21 on killeen; this is the FTP server port. • In window 2: % ftp localhost 2000 % ftp myworkstation.lbl.gov 2000 % ftp 127.0.0.1 2000 When prompted to log in, supply password for remote system, e.g. killeen. The connection to your workstation on the forwarded port gets sent to port 21 on killeen, where it’s received by the FTP server. • Only the CONTROL CONNECTION (user name and password) is protected by encryption. Secure Connections to NERSC Systems Using the Secure Shell (SSH)
Secure Copy (scp) Client on Unix Syntax: scp [-aAqQprvBCL] [-S path-to-ssh] [-o ssh-options] [-P port] [-c cipher] [-i identity] [[user@]host1:]filename1 [[user@]host2:]filename2 Example: % scp test.file killeen.nersc.gov:new.file jed@killeen.nersc.gov's password: test.file | 0 KB | 0.0 kB/s | ETA: 00:00:00 | 99% % The entire session is protected by encryption. Secure Connections to NERSC Systems Using the Secure Shell (SSH)
The Fly in the Ointment • The fundamental operation of SSH is the terminal connection • ftp tunneling requires it, so any system that doesn’t allow a shell, won’t allow tunneling (e.g. HPSS) • scp seems to have a similar limitation, since it doesn’t work to HPSS, either • Connecting to HPSS securely is something we’re working on. Right now it requires a two step process to do it securely, using an intermediate machine within NERSC, with the assumption that unsecured transfers between it and HPSS are safe. Secure Connections to NERSC Systems Using the Secure Shell (SSH)
Firewalls • There are many ways to set up firewalls, but they can be lumped into two categories: • “statefull” - connections are remembered and this knowledge may be used in other connections; these are the easiest for users to deal with • “stateless” - connections have no knowledge of other connections; Secure Connections to NERSC Systems Using the Secure Shell (SSH)
SSH Port Forwarding: FTP Example User Terminal Input/output Secure Channel User Shell Local SSH Client Remote SSH Daemon S. port Port Fwd Server, FTP Server D. port Port Fwd Client, FTP Client FTP Data Connection Not secured Secure Connections to NERSC Systems Using the Secure Shell (SSH)
FTP - “Active” (Default) Mode Local Host FTP Client Control Connection Remote Host FTP Server Port 21: listen Connect “PORT <IP ADDR>, <client data>” “STOR <‘filename’>” Data Connection Server Data Connect Client data: listen “filename”’s data ----> Secure Connections to NERSC Systems Using the Secure Shell (SSH)
FTP - “Passive” Mode Local Host FTP Client Control Connection Remote Host FTP Server Port 21: listen Connect “PASV” “PORT <IP ADDR>, <client data>” “STOR <‘filename’>” Data Connection Client Data Connect Server data: listen “filename”’s data ----> Secure Connections to NERSC Systems Using the Secure Shell (SSH)
Firewall Consequences, Active Mode User Terminal Input/output Fails: Secure Channel User Shell Outgoing connection: OK Local SSH Client Remote SSH Daemon Port 22 S. port Dest. port FTP Client FTP Server FTP data connection X Client data: listen Never arrives Data. port Incoming connection - blocked! Secure Connections to NERSC Systems Using the Secure Shell (SSH)
Firewall Consequences, Passive Mode Succeeds: User Terminal Input/output Secure Channel User Shell Outgoing connection: OK Local SSH Client Remote SSH Daemon Port 22 “PASV” S. port Dest. port FTP Client FTP Server FTP data connection Data. Port: listen Client data: connect Outgoing connection - OK! Secure Connections to NERSC Systems Using the Secure Shell (SSH)
“Local” Connections, Local Host What is a “local” connection? 127.0.0.1 or mystation.lbl.gov or ? Secure Connections to NERSC Systems Using the Secure Shell (SSH)
127.0.0.1 as “Active” “Local Host” User Terminal Input/output Fails: Secure Channel User Shell Local SSH Client Remote SSH Daemon Port 22 S. port Dest. port FTP Client FTP Server FTP data connection Outgoing connection - Nobody home? Send Data. port Client data: listen Never arrives Secure Connections to NERSC Systems Using the Secure Shell (SSH)
<IP Addr> as “Active “Local Host” User Terminal Input/output Succeeds: Secure Channel User Shell Local SSH Client Remote SSH Daemon Port 22 S. port Dest. port FTP Client FTP Server FTP data connection to <IP Addr> OK Send Data. port Client data: listen OK Secure Connections to NERSC Systems Using the Secure Shell (SSH)
SSH2 The SSH2 protocol is being standardized by the IETF and Will shortly become an official standard. The upcoming Internet standard is called SECSH. The SECSH working group at IETF is defining the SSH 2.x protocol. The goal of the working group is to define an IETF standards track protocol that will be used by future versions of SSH. Secure Connections to NERSC Systems Using the Secure Shell (SSH)
F-Secure SSH Terminal FSecure SSH Terminal provides the user with secure login connections over untrusted networks. FSecure SSH Terminal acts as a replacement for the telnet protocol. The Terminal uses the cryptographic authentication, automatic session encryption, and integrity protection methods that are defined by the SSH protocol. FSecure SSH Terminal fully supports VT100 terminal emulation. Secure Connections to NERSC Systems Using the Secure Shell (SSH)
F-Secure SSH Tunnel FSecure SSH Tunnel can be used to create local proxy servers for remote TCP/IP services. The service can be one of the Internet protocols: pop, smtp (used by e-mail software), http (used by Web browsers), etc. or almost any other TCP/IP based service (e.g. a TCP/IP connection to an RDBMS server). The local proxy server created by the FSecure SSH Tunnel listens for a socket on the desired port, forwards the request and data over the secure channel, and instructs the FSecure SSH Server to make the connection to the specified service on the remote machine. Secure Connections to NERSC Systems Using the Secure Shell (SSH)
SSH2 Protocol Considerations • The SSH2 Server can be configured to spawn an SSH1 protocol handler. • The SSH2 protocol is safer and the SSH2 client has more capability (sftp) • Why not support SSH2? • Cost? ~2 person months (est. from Systems Group) • Performance for SSH1 support? Only a possible problem for very interactive applications. Secure Connections to NERSC Systems Using the Secure Shell (SSH)
SSH1/SSH2 Compatibility - PCs Font/color codes: ! - Works !!! - Works, compatibility O - Fails small italics - untested !! - Works, server fork ? - We don’t know Secure Connections to NERSC Systems Using the Secure Shell (SSH)
Last Advanced Facility 1. An encrypted channel for control (e.g. “Telnet”) communication. 2. Plumbing: multiplexing of IP forwarded communication across the encrypted channel. (e.g. for X Windows, FTP, POP email, etc.) 3. Authentication: Public key authentication for users and servers. Allows use of a single passphrase rather than multiple passwords. SSH client SSH Demon Secure Channel Secure Connections to NERSC Systems Using the Secure Shell (SSH)
Background: Single Key Encryption Single Key (traditional) Encryption Clear Text Clear Text Cipher Text WE hold these Truths to be self-evident, that all Men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the Pursuit of Happiness -- That to secure these Rights, Governments are instituted among Men, deriving their just Powers from the Consent of the Governed, that whenever any Form of Government becomes destructive of these Ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its Foundation on such Principles, and organizing its Powers in such Form, as to them shall seem most likely to effect their Safety and Happiness... WE hold these Truths to be self-evident, that all Men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the Pursuit of Happiness -- That to secure these Rights, Governments are instituted among Men, deriving their just Powers from the Consent of the Governed, that whenever any Form of Government becomes destructive of these Ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its Foundation on such Principles, and organizing its Powers in such Form, as to them shall seem most likely to effect their Safety and Happiness... ;lo4i50m;lkxiujermgldorjgmnkXjnboiu409u09u0ojfoe9u9jfdr9ue0ndlifbnod8rug039uy03updjo384h03ptr7q24opogmeojodijb0r96uy0984upownv9se8yp094imu[398jbndiuyfw8oy409umjh;pr9n0pdi6u048u98nlncvksh.vl.ksdjgo845yut9w4ytowihgoioseynonsilejh;o4u5b;obmjtho;ruh0596umbrijnmh9r8uhi5t09suv9w7tori83nytvowbj4;hmdrp/;okx;lkmnsoudgo8w746ty049umyowiemrhglidufhbnod9upo9w847y594oj hlrjntbloidhrngo9n87se5m9w4umj;yobe59u6h9osejmg;oeiuyp940uy;w94um5t98seynt9o84wu9o8rumj;oeijgpm9se8rumtp0m9w45muy9o8sreyG9pser8um04u50u5y4098uy40u0095uy04uli8ult9o4iu409upe95uy0ej0e9roijo98u08u09u0495uy09u049u09u... Encrypt using the Decrypt using the Shared Secret Key oijh238ysoid93ww8u38 Shared Secret Key oijh238ysoid93ww8u38 Examples include DES, triple DES, Idea, Blowfish Secure Connections to NERSC Systems Using the Secure Shell (SSH)
Public Key Encryption Public Key (dual key) Encryption Clear Text Clear Text Cipher Text WE hold these Truths to be self-evident, that all Men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the Pursuit of Happiness -- That to secure these Rights, Governments are instituted among Men, deriving their just Powers from the Consent of the Governed, that whenever any Form of Government becomes destructive of these Ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its Foundation on such Principles, and organizing its Powers in such Form, as to them shall seem most likely to effect their Safety and Happiness... WE hold these Truths to be self-evident, that all Men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the Pursuit of Happiness -- That to secure these Rights, Governments are instituted among Men, deriving their just Powers from the Consent of the Governed, that whenever any Form of Government becomes destructive of these Ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its Foundation on such Principles, and organizing its Powers in such Form, as to them shall seem most likely to effect their Safety and Happiness... ;lo4i50m;lkxiujermgldorjgmnkXjnboiu409u09u0ojfoe9u9jfdr9ue0ndlifbnod8rug039uy03updjo384h03ptr7q24opogmeojodijb0r96uy0984upownv9se8yp094imu[398jbndiuyfw8oy409umjh;pr9n0pdi6u048u98nlncvksh.vl.ksdjgo845yut9w4ytowihgoioseynonsilejh;o4u5b;obmjtho;ruh0596umbrijnmh9r8uhi5t09suv9w7tori83nytvowbj4;hmdrp/;okx;lkmnsoudgo8w746ty049umyowiemrhglidufhbnod9upo9w847y594oj hlrjntbloidhrngo9n87se5m9w4umj;yobe59u6h9osejmg;oeiuyp940uy;w94um5t98seynt9o84wu9o8rumj;oeijgpm9se8rumtp0m9w45muy9o8sreyG9pser8um04u50u5y4098uy40u0095uy04uli8ult9o4iu409upe95uy0ej0e9roijo98u08u09u0495uy09u049u09u... Encrypt using the Decrypt using the Public Key 80988989228302098770349850394803980837 Private Key 9837938798379783903 Some Public key schemes have the useful feature: Pvt(Pub(Data) = Pub(Pvt(Data) = Data (E.g. RSA) Secure Connections to NERSC Systems Using the Secure Shell (SSH)
RSA Public Key Generation Pick two prime numbers, p and q, and compute n = pq. Next, choose d < n such that d is relatively prime to p-1 and q-1. Now, find e such that d*e -1 is divisible by (p-1)(q-1) . The number n iscalled the modulus and the key pairs are (d, n) and (e, n). For example, if you pick p = 23 and q = 29, then n = 667. Choose d = 53, giving e = 93. The key pairs are then (53, 667) and (93, 667). Secure Connections to NERSC Systems Using the Secure Shell (SSH)
RSA Public Key Encryption The "public key" is the pair (p*q, e) The “private key” is the pair (p*q, d) Plain text T must be a number between 0 and n-1 = p*q-1. The encryption function is encrypt(T) = (T^e) mod p*q = C The decryption function is decrypt(C) = (C^d) mod p*q decrypt(encrypt(T)) = encrypt(decrypt(T) = T Secure Connections to NERSC Systems Using the Secure Shell (SSH)
Server Key Discussion User Terminal Input User Shell SSH client SSH Demon Secure Channel IP Fwd Server IP Fwd Client e.g. X FTP Server: Private Key Public Key Secure Connections to NERSC Systems Using the Secure Shell (SSH)
Example Output for a New Host % ssh killeen Host key not found from the list of known hosts. Are you sure you want to continue connecting (yes/no)? yes Host 'killeen' added to the list of known hosts. jed@killeen's password: ---------------------------------------------------------------------- … Your current working directory is /u/ccc/jed. % Secure Connections to NERSC Systems Using the Secure Shell (SSH)
~<username>/.ssh/known_hosts Example entry in jed/.ssh/known_hosts: killeen 1024 37 705325930642807236155564174058288088509433716307985164803840 4543720554999191917517478645773148302567656570907357366598312001346457953433 8113231393286414542817887873620249521301011281291251294893172579641922785486 2900150139148456014559802540031948689674063297709082139734061659587439275589 32541915106864908137 Secure Connections to NERSC Systems Using the Secure Shell (SSH)
User (Client) Key Discussion User Terminal Input User Shell SSH client SSH Demon Secure Channel IP Fwd Server IP Fwd Client e.g. X FTP Client: Private Key Public Key Server: Private Key Public Key Secure Connections to NERSC Systems Using the Secure Shell (SSH)
Example Key Generation, Unix gondor.nersc.gov% ssh-keygen Initializing random number generator... Generating p: ...................................++ (distance 524) Generating q: ........................++ (distance 280) Computing the keys... Testing the keys... Key generation complete. Enter file in which to save the key (/u/ccc/jed/.ssh/identity): Enter passphrase: Enter the same passphrase again: Your identification has been saved in /u/ccc/jed/.ssh/identity. Your public key is: 1024 37 141065829193088583535393787336236519596422356561555617621686481111309766411198772661982321105598609309699536285550930419740866537251689728318439216288854655452937112522267785457094285051527541171601963234454922870814357588148505347811819557940284482322861085587046666885623959789222189095197602745618669956589 jed@gondor.nersc.gov Your public key has been saved in /u/ccc/jed/.ssh/identity.pub gondor.nersc.gov% Secure Connections to NERSC Systems Using the Secure Shell (SSH)
~<username>/.ssh/authorized_keys Copied from <source>:~<username>/.ssh/identity.pub Example entry in <destination>:~jed/.ssh/authorized_keys: 1024 37 141065829193088583535393787336236519596422356561555617621686481111309766 4111987726619823211055986093096995362855509304197408665372516897283184392162888 5465545293711252226778545709428505152754117160196323445492287081435758814850534 7811819557940284482322861085587046666885623959789222189095197602745618669956589 jed@gondor.nersc.gov Secure Connections to NERSC Systems Using the Secure Shell (SSH)
Client Authentication Using RSA Secure Connections to NERSC Systems Using the Secure Shell (SSH)
For Unix, ssh-agent, ssh-add gondor.nersc.gov% ssh-agent csh gondor.nersc.gov% ssh-add Need passphrase for /u/ccc/jed/.ssh/identity (jed@gondor.nersc.gov). Enter passphrase: Identity added: /u/ccc/jed/.ssh/identity (jed@gondor.nersc.gov) gondor.nersc.gov% ssh mcurie ---------------------------------------------------------------------- * * * W A R N I N G W A R N I N G * * * … gondor.nersc.gov% scp test.file mcurie:ssh.file gondor.nersc.gov% printenv SSH_AUTH_SOCK=/tmp/ssh-jed/agent-socket-19174 SSH_AGENT_PID=19175 gondor.nersc.gov% Secure Connections to NERSC Systems Using the Secure Shell (SSH)