SSH Tricks - PowerPoint PPT Presentation

About This Presentation
Title:

SSH Tricks

Description:

SSH Tricks Matthew G. Marsh Overview SSH What is it How does it work Discussion of Network Topology Tricks for multiple hosts Keys and config files MultiHop tricks Q ... – PowerPoint PPT presentation

Slides: 17
Provided by: Matth179
Learn more at: https://www.olug.org
Tags: ssh | tricks

Transcript and Presenter's Notes


1
SSH Tricks
  • Matthew G. Marsh

2
Overview
  • SSH
  • What is it
  • How does it work
  • Discussion of Network Topology
  • Tricks for multiple hosts
  • Keys and config files
  • MultiHop tricks
  • Q&A

3
SSH
  • What is it
  • Secure Shell was developed to solve the two most
    acute problems on the Internet: secure remote
    terminal logins and secure file transfers.
  • Essentially an encrypted replacement for the
    remote (r*) utilities
  • How does it work
  • Setup and generation of an encrypted TCP
    connection
  • Authentication can be password or public/private
    key
  • Yes, there are others, but that is where the cracks
    are
  • Arbitrary TCP port; the well-known port (WKP) is 22
  • In this session we will concentrate on SSH1 using
    key-based authentication

4
Simple Examples
  • Two hosts
  • 1 has an sshd running on the WKP (22)
  • 2 has a client
  • root@2$ ssh 1
  • root@1's password:
  • This allows root to log in remotely using a
    password - BAD!
  • Better is to define PermitRootLogin no in the
    sshd_config file

5
Simple Examples
  • Two hosts - preshared key
  • 1 has an sshd running on the WKP (22)
  • 2 has a client
  • tech@2$ ssh 1
  • tech@1$
  • The way to set this up is as follows
  • tech@2$ ssh-keygen -t rsa1 -f /home/tech/.ssh/key4mac1 -N ''
    (empty passphrase)
  • tech@2$ scp .ssh/key4mac1.pub tech@1:~/.ssh/authorized_keys
  • tech@1's password:
  • tech@2$ cat > .ssh/config
  • Host 1
  • User tech
  • Protocol 1
  • IdentityFile /home/tech/.ssh/key4mac1
  • Hostname 10.1.2.1
  • ^D

6
A wee bit less Simple Examples
  • Two hosts - preshared key
  • 1 has an sshd running on port 17
  • 2 has a client
  • tech@2$ ssh 1
  • tech@1$
  • The way to set this up is as follows
  • tech@2$ ssh-keygen -t rsa1 -f /home/tech/.ssh/key4mac1 -N ''
    (empty passphrase)
  • tech@2$ scp -P17 .ssh/key4mac1.pub tech@1:~/.ssh/authorized_keys
  • tech@1's password:
  • tech@2$ cat > .ssh/config
  • Host 1
  • User tech
  • Port 17
  • Protocol 1
  • IdentityFile /home/tech/.ssh/key4mac1
  • Hostname 10.1.2.1
  • ^D

7
A wee bit less Simple Examples
  • Three hosts - assume preshared keys
  • 1 has sshd running on port 17
  • 2 has sshd running on port 27
  • tech@3$ ssh 2 ssh 1
  • tech@1$
  • The way to set this up is as follows
  • tech@3$ cat > .ssh/config
  • Host 2
  • User tech
  • Port 27
  • Protocol 1
  • IdentityFile /home/tech/.ssh/key4mac2
  • Hostname 10.1.2.2
  • ^D
  • Note you may need ssh -t 2 ssh -t 1 ...

8
AN4SCD
  • Buy a copy of SSH by Daniel J. Barrett and
    Richard E. Silverman, pub. O'Reilly (ISBN
    0-596-00011-1)
  • Read it
  • I use openssl 0.9.7c with openssh
    2.9.9p2-PS2.4.18
  • I do not use any other version of SSH
  • I use Protocol 1 on purpose
  • I use TCP Wrappers w/ IPv6 extensions
  • I keep tight controls using TCP Wrappers

9
AN4SCD - 2
  • Static compile method
  • Get the latest openssl
  • 1. Compile it static with /usr/static as the
    target directory
  • ./config --openssldir=/usr/static
    --prefix=/usr/static no-shared
  • 2. Get openssh-2.9.9p2-PS2.4.18 from
    http://www.paksecured.com
  • ./configure --prefix=/usr/static
    --with-ssl-dir=/usr/static --with-ipaddr-display
    --with-ipv4-default --with-tcp-wrappers
  • Compile it and install
  • Edit the sshd config file
  • Make sure you also change the paths for the
    keys!!

10
AN4SCD sshd_config
  • Port 17
  • Protocol 1
  • ListenAddress 192.168.1.1
  • HostKey /usr/static/etc/ssh_host_key
  • KeyRegenerationInterval 3600
  • ServerKeyBits 768
  • SyslogFacility AUTH
  • LogLevel INFO
  • LoginGraceTime 600
  • PermitRootLogin no
  • StrictModes yes
  • RSAAuthentication yes
  • PubkeyAuthentication yes
  • RhostsAuthentication no
  • IgnoreRhosts yes
  • RhostsRSAAuthentication no
  • PasswordAuthentication yes
  • PermitEmptyPasswords no
  • ChallengeResponseAuthentication no
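An added example, not part of the presentation: a small auditor that reads an sshd_config in the form shown on this slide and compares it with a hardening baseline. The baseline is an assumption drawn from current OpenSSH practice rather than from the slides (current OpenSSH no longer supports protocol 1 at all; a key-only server is expected to set PasswordAuthentication no), and the sample config is constructed from the slide's own settings. Two details of sshd's parsing are mirrored: the first value seen for a keyword is the one that counts, and everything after a Match line is conditional.

```python
"""Audit an sshd_config against a small hardening baseline.

Added example, not from the slides. The baseline is an assumption drawn
from current OpenSSH practice, not from the presentation. The sample
config is constructed from the slide's own settings.
"""

# Constructed sample: the slide's sshd_config.
SLIDE_SSHD_CONFIG = """\
Port 17
Protocol 1
ListenAddress 192.168.1.1
HostKey /usr/static/etc/ssh_host_key
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 600
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
RhostsAuthentication no
IgnoreRhosts yes
RhostsRSAAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
"""

# Assumed baseline: option (lower-case) -> acceptable values (lower-case).
BASELINE = {
    "protocol": {"2"},
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "pubkeyauthentication": {"yes"},
    "strictmodes": {"yes"},
}


def parse_sshd_config(text):
    """Return {option: value} for the unconditional part of an sshd_config.

    sshd uses the FIRST value it reads for each keyword, so a later
    duplicate never overrides an earlier line; this parser does the same.
    Parsing stops at the first Match line, because everything after it is
    conditional on the connecting user/host and needs a separate audit.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:                       # "Port=17" form
            key, value = (s.strip() for s in line.split("=", 1))
        else:                                  # "Port 17" form
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            key, value = parts
        key = key.lower()
        if key == "match":
            break
        settings.setdefault(key, value.strip())
    return settings


def audit(text, baseline=BASELINE):
    """Compare a config against the baseline.

    Returns a list of (option, value_found, acceptable_values) for every
    baseline option that is missing or set to a non-acceptable value. A
    missing option is reported too (value None): the compiled-in default
    is not necessarily the hardened value, so it should be set explicitly.
    """
    settings = parse_sshd_config(text)
    findings = []
    for option, acceptable in baseline.items():
        found = settings.get(option)
        if found is None or found.lower() not in acceptable:
            findings.append((option, found, sorted(acceptable)))
    return findings


if __name__ == "__main__":
    for option, found, acceptable in audit(SLIDE_SSHD_CONFIG):
        print("%-24s found=%-6s want one of %s"
              % (option, found, "/".join(acceptable)))
```

Run against the slide's config the auditor reports exactly two lines, Protocol 1 and PasswordAuthentication yes; the other settings on the slide (PermitRootLogin no, PermitEmptyPasswords no, StrictModes yes) already match the baseline. Because the first value wins, appending a hardened line to the end of an existing sshd_config does nothing if the keyword already appears earlier in the file.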

11
Fun Examples - 1
  • Using commands attached to keys
  • On the server, define a command in the
    authorized_keys file associated with a key
  • Format is command="my/command/string" key-data
  • EX
  • command="/bin/ls -al /logs" ABCDEF1234567
  • Then ssh with the appropriate key will only allow
    you to execute this command.
  • Note that this is per key, so

12
Fun Examples 1A
  • Each connection performs a different function
  • command="/bin/tar -C /var -zc logs/" 1024 35
    14011271974199576039639923107445413095443837472597
    34516089771188967767458939385504290626639723367553
    52093456208519164097137651780560357432366574014563
    97953787690189347836390721132781316957494747764442
    37515391657324013921180513478445898911260784215908
    46523123481112885029800203382369752603047612281250
    015390957 mgm@mgmlap.paksecured.org
  • command="/bin/tar -C / -zc etc/" 1024 35
    22011271974199576039639923107445413095443837472597
    34516089771188967767458939385504290626639313208519
    16409713765178056037233675531699057432366574014563
    97953787690189347836390721132781316957494747764442
    37515391657324013921180513478445898911260784215908
    46523123481112885029800203382369752603047612281250
    015390957 mgm@mgmlap.paksecured.org
  • command="/bin/tar -C /home -zc mgm/mail/" 1024 35
    23011271974199576039639923107445413095443837472597
    34516089771188967767458939385504290626639723367553
    16990313209800203382369752603085191640971376517805
    60357432366574014563979537876901893478363907211327
    81316957494747764442375153916573240139211805134784
    45898911260784215908465231234811128850247612281250
    015390957 mgm@mgmlap.paksecured.org
  • First one is keytar1
  • Second one is keytar2
  • Third one is keytar3

13
Fun Examples 1B
  • Assuming we have set up the config file, then
  • ssh 1 | tar zxv
  • will generate a copy, including timestamps and
    permissions, of the logs/ directory
  • ssh 2 | tar zxv
  • will generate a backup copy of our remote etc/
    directory (assuming we have permission)
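An added example for the forced-command slides (Fun Examples 1, 1A and 1B), not code from the presentation: a parser for the authorized_keys format the slides use, followed by an audit of what each key actually permits. It accepts both the RSA1 form on the slides (options, then "bits exponent modulus", then a comment) and the "keytype base64" form, handles quoted option values containing commas and spaces, and reports per key the forced command and whether the key is also restricted. The sample file is constructed; its moduli, key blobs and the backup-only command path are placeholders. The check it makes is the one the old sshd manual states for command=: the option fixes what runs, but TCP/agent/X11 forwarding and PTY allocation stay available unless the no-* options (or, in OpenSSH 7.2+, restrict) are added.

```python
"""Parse and audit authorized_keys entries with forced commands.

Added example, not from the slides. The sample below is constructed;
numbers, base64 blobs and command paths are placeholders.
"""

KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")

# Classic options that together correspond to what 'restrict' enables.
RESTRICTIONS = ("no-port-forwarding", "no-agent-forwarding",
                "no-x11-forwarding", "no-pty", "no-user-rc")

SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample; the numbers and base64 blobs are placeholders
command="/bin/tar -C /var -zc logs/" 1024 35 140112719741995760396399231074454130954438374725973451608977118896776 keytar1-placeholder
restrict,command="/bin/tar -C /home -zc mgm/mail/",from="10.1.2.0/24" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderPlaceholderPlaceholderPlaceho keytar3-placeholder
no-port-forwarding,no-agent-forwarding,no-x11-forwarding,no-pty,no-user-rc,command="/usr/local/bin/backup-only" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPlaceholder backup-placeholder
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholder2 tech@2 interactive
"""


def parse_options(line):
    """Split the leading options field off an authorized_keys line.

    Returns (options_dict, rest_of_line). Options are comma separated; a
    value may be double-quoted, in which case it can contain commas and
    spaces, and a backslash escapes the next character (e.g. \\"). Flag
    options without a value map to True. The field ends at the first
    unquoted whitespace.
    """
    opts, i, n = {}, 0, len(line)
    while i < n and not line[i].isspace():
        j = i
        while j < n and line[j] not in "=, \t":
            j += 1
        name, value, i = line[i:j].lower(), True, j
        if i < n and line[i] == "=":
            i += 1
            if i < n and line[i] == '"':          # quoted value
                i += 1
                buf = []
                while i < n and line[i] != '"':
                    if line[i] == "\\" and i + 1 < n:
                        i += 1
                    buf.append(line[i])
                    i += 1
                i += 1                            # skip closing quote
                value = "".join(buf)
            else:                                 # bare value
                j = i
                while j < n and line[j] not in ", \t":
                    j += 1
                value, i = line[i:j], j
        opts[name] = value
        if i < n and line[i] == ",":
            i += 1
    return opts, line[i:].strip()


def parse_line(line):
    """Parse one authorized_keys line into a dict, or None for blank and
    comment lines. RSA1 entries (bits exponent modulus) and keytype
    entries are both accepted; anything else raises ValueError."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first = line.split(None, 1)[0]
    if first[0].isdigit() or first.startswith(KEY_TYPE_PREFIXES):
        opts, rest = {}, line                 # no options field present
    else:
        opts, rest = parse_options(line)
    fields = rest.split()
    if fields and fields[0].isdigit():        # RSA1: bits exponent modulus [comment]
        if len(fields) < 3:
            raise ValueError("malformed RSA1 entry: " + rest[:40])
        fmt, comment = "rsa1", " ".join(fields[3:])
    elif len(fields) >= 2 and fields[0].startswith(KEY_TYPE_PREFIXES):
        fmt, comment = fields[0], " ".join(fields[2:])
    else:
        raise ValueError("unrecognised entry: " + rest[:40])
    return {"format": fmt, "comment": comment, "options": opts}


def audit(text):
    """Report each key's forced command and whether it is fully restricted.

    'restricted' is True when the entry carries the single 'restrict'
    option (OpenSSH 7.2+) or all of the classic no-* options. command=
    alone only fixes what is executed: without those options the key still
    permits TCP, agent and X11 forwarding and a PTY through the server.
    """
    report = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        opts = entry["options"]
        restricted = "restrict" in opts or all(r in opts for r in RESTRICTIONS)
        report.append({
            "comment": entry["comment"],
            "format": entry["format"],
            "command": opts.get("command"),
            "from": opts.get("from"),
            "restricted": restricted,
        })
    return report


if __name__ == "__main__":
    for r in audit(SAMPLE_AUTHORIZED_KEYS):
        print("%-22s %-12s restricted=%-5s command=%r"
              % (r["comment"], r["format"], r["restricted"], r["command"]))
```

On the constructed sample the first entry, written like the slide's keytar1 key, comes back with its tar command but restricted=False, which is the condition worth catching in a backup key; the second and third entries show the two ways of closing that gap, and the fourth is an ordinary interactive key with no forced command at all.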

14
Fun Examples - 2
  • MultiBounce sessions
  • Using the three hosts example from earlier
  • Consider
  • ssh 1 ssh 2 /bin/tar -C /home -zc myhomedir/ | tar -zxv
  • ssh 1 ssh 2 ssh 3 /bin/tar -C /home -zc myhomedir/ | tar -zxv
  • Note that there are limits
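An added example covering the .ssh/config stanzas from the two-host and three-host slides and the multi-bounce sessions on this one; it is not code from the presentation. It parses the stanza format the slides write with "cat > .ssh/config" and resolves an alias the way ssh does: stanzas are walked in file order and the first value seen for an option wins, which is why a catch-all "Host *" has to come last. The sample config is constructed from the slides' Host 1 and Host 2 stanzas, as it might sit on host 3, with an assumed "ProxyJump 2" line (OpenSSH 7.3+) standing in for the nested "ssh 2 ssh 1" on the slides, plus an assumed "Host *" stanza.

```python
"""Resolve ssh_config host aliases, including a multi-hop ProxyJump chain.

Added example, not from the slides. The sample config is constructed from
the slides' stanzas with an assumed ProxyJump line and an assumed Host *.
"""
import fnmatch

SAMPLE_SSH_CONFIG = """\
# constructed sample, as it might sit in ~/.ssh/config on host 3
Host 1
    User tech
    Port 17
    Protocol 1
    IdentityFile /home/tech/.ssh/key4mac1
    Hostname 10.1.2.1
    ProxyJump 2

Host 2
    User tech
    Port 27
    Protocol 1
    IdentityFile /home/tech/.ssh/key4mac2
    Hostname 10.1.2.2

Host *
    User guest
    Port 22
"""


def parse_ssh_config(text):
    """Parse ssh_config text into [(host_patterns, {option: value})] in
    file order. Options before the first Host line go into a global stanza
    that matches every alias. A Match block is kept with no patterns, so
    it never applies here (its criteria are not evaluated). IdentityFile
    is a list because ssh accumulates every one it sees."""
    stanzas = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:                        # "Port=17" form
            key, value = (s.strip() for s in line.split("=", 1))
        else:                                   # "Port 17" form
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            key, value = parts
        key = key.lower()
        if key == "host":
            stanzas.append((value.split(), {}))
        elif key == "match":
            stanzas.append(([], {}))
        elif key == "identityfile":
            stanzas[-1][1].setdefault(key, []).append(value)
        else:
            stanzas[-1][1].setdefault(key, value)   # first value wins
    return stanzas


def host_matches(patterns, alias):
    """ssh-style matching: * and ? wildcards; a leading ! negates, and a
    negated pattern that matches excludes the alias from the stanza."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(alias, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(alias, pat):
            matched = True
    return matched


def resolve(stanzas, alias):
    """Effective settings for one alias: first value wins per option."""
    eff = {}
    for patterns, opts in stanzas:
        if not host_matches(patterns, alias):
            continue
        for key, value in opts.items():
            if key == "identityfile":
                eff.setdefault(key, []).extend(value)
            else:
                eff.setdefault(key, value)
    eff.setdefault("hostname", alias)   # ssh falls back to the alias as typed
    eff.setdefault("port", "22")
    eff.setdefault("user", None)        # None: the local login name
    return eff


def _split_hop(spec):
    """Split a ProxyJump entry [user@]host[:port]; bracketed IPv6
    literals are not handled in this example."""
    user = port = None
    if "@" in spec:
        user, spec = spec.rsplit("@", 1)
    if ":" in spec:
        spec, port = spec.rsplit(":", 1)
    return user, spec, port


def jump_chain(stanzas, alias, _seen=frozenset()):
    """Expand ProxyJump into the hop list a connection traverses, outermost
    hop first and the target last. Each hop is resolved through the same
    config, so a jump host may itself carry a ProxyJump; a loop raises
    ValueError instead of recursing forever."""
    if alias in _seen:
        raise ValueError("ProxyJump loop through %r" % alias)
    target = resolve(stanzas, alias)
    chain = []
    for spec in target.get("proxyjump", "none").split(","):
        user, host, port = _split_hop(spec.strip())
        if not host or host.lower() == "none":
            continue
        hops = jump_chain(stanzas, host, _seen | {alias})
        if user:
            hops[-1]["user"] = user
        if port:
            hops[-1]["port"] = port
        chain.extend(hops)
    chain.append(target)
    return chain


if __name__ == "__main__":
    cfg = parse_ssh_config(SAMPLE_SSH_CONFIG)
    for hop in jump_chain(cfg, "1"):
        print("%s@%s:%s identity=%s" % (hop["user"], hop["hostname"],
              hop["port"], ",".join(hop.get("identityfile", []))))
```

For alias 1 the chain resolves to 10.1.2.2:27 and then 10.1.2.1:17, each with its own key, which is the same path the slide's "ssh 2 ssh 1" takes; the difference is that ProxyJump carries the session to 1 end to end through 2, so the -t juggling the three-host slide mentions is not needed and the data stream between 3 and 1 is not readable on 2. Moving "Host *" to the top of the file makes its User guest win for every alias, which is the ordering mistake the first-value rule punishes silently.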

15
Q&A
16
This is The