SSH

1
SSH SSL
Peter Burkholder CO-SAGE 14 November 2001
2
Why this talk

• Co-SAGE interest in SSH and security
• 5 Security or security tool usage
• 2 Configuring SSH
• 3 VPN (1 specifically VPN tunneling via SSH)
• Added SSL since it fits some niches better

3
Layer model insecure protocols

• Application layer RSH, Telnet, FTP
• Transport layer TCP, UDP
• Network layer IP, IPX, EtherTalk
• Link layer Ethernet, PPP
• Physical layer CAT-5 cable, Wireless
• Network security? Confidentiality, Integrity,
  and Endpoint Authentication

4
Layer model secured protocols

• Application layer SSH, PGP, Kerberos,
  S-HTTP
• Transport layer SSL/TLS as extension of
  TCP socket model
• Network layer IPSec, IPv6
• Link Layer WEP, PPP/ECP
• Physical layer Alarmed, pressurized
  conduits
• The two approaches we will look at today are
  using SSL(TLS) and SSH.

5
SSL Overview

• SSL (Secure Sockets Layer)
• Protocol built on top of TCP
• Encryption, Host Authentication, Integrity
• Applications can be SSL-enabled
• SSL ports
• https (443), smtps (465), nntps (563), ldaps
  (636), imaps (993), pop3s (995), ftps (989990).
• Netscape SSLv2 in 1994. SSLv3 in 1995. TLS
  (RFC2246) completed in January, 1999.

6
SSH Overview

• SSH Secure SHell
• Application-level protocol (v1v2)
• Encryption, Host user authentication, Integrity
• Port 22 (w/ port tunneling, X-forwarding)
• Designed to replace rsh/rcp
• Tatu Ylonen, first publicly released in July,
  1995. SSHv2 (SECSH) IETF draft published
  February 1997.
• Reportedly 2 million users by late 2000

7
Network Encryption primitives

• Symmetric encryption shared session keys, e.g.
  DES, 3DES, AES-Rijndael, Blowfish
• Asymmetric or public-key encryption RSA,
  ElGamal
• Message digest one-way hash MD5, SHA
• Digital signatures DSS, RSA
• Key Exchange Diffie-Helman

8
SSL, PKI, and Authentication

• The trickiest part of network security is proving
  the identity of the other end of the connection.
  
• For example, I can say that I'm Bill Gates,
  here's my public key, anything I send you with my
  digital signature, you can verify that it is from
  me.
• True, it is from "me", but a) there's no linkage
  between my public key and my claimed identity,
  and b) anyone else who has that private key can
  also claim to be "me".

9
PKI Public Key Infrastructure

• PKI relies on "God" to prove identities, where
  "God" is a Certificate Authority (CA). If I can
  prove my identity to a CA (and pay), I'll be
  issued a Digital Certificate my public key
  signed by the CA's private key identifying
  information.
• If my private key is compromised (or if I fooled
  the CA about my identity), then the CA can add
  the corresponding certificate to a Certificate
  Revocation List (CRL).

10
PKI 2 Certificate Clients

• Certificates are accepted if signed by a root CA.
  CA root certs are often encoded in the client
  software (IE, Netscape, Opera).
• Certificates may also be self-signed or signed by
  an unknown CA. The user must exercise discretion
  in accepting or adding certificates.
• Uses SSL, S/MIME, Signed Software, IpSec/IPv6
  (ISAKMP)
• Failure points Issuing CRL's and "user
  discretion"
• Netcraft 1.5 million servers run SSL, but only
  60,000 have 3rd-party signed certificates

11
OpenSSL Introduction

• SSL RSA's BSAFE, Netscape, Certicom, Sun,...
• OpenSSL is based on Eric A. Young's SSLeay.
• Both a cryptographic library and an SSL
  implemention. BSD-style license.
• "Solid package...but serious lack of
  documentation....SSL implementation is quite
  complex to use properly" ViegaMcGraw2001
• Implements SSLv2, SSLv3 and TLS

12
OpenSSL Generate Keys

• Generate keys
• Only certificate owner knows private key
• Make RSA key pair, and encrypt
• openssl genrsa -des3 1024 gt privkey.pem
• using -des-des3 will encrypt key
• Generate certificate request
• Sign certificate
• Present certificate

13
OpenSSL Certificate Request

• Generate keys
• Generate certificate request
• openssl req -new -key ../private/privkey.pem gt
  www.pburkholder.me.csr
• enter identifying information when prompted --
  the Common Name must match DNS name
• Sign certificate
• Present certificate

14
CA-signed Certificates

• Generate keys
• Generate certificate request
• Certificate signing
• CAs require documentation. E.g.,
• Letter of Authorization
• Proof of Organizational Name / Domain Name
• Money 125 - 895 per year per server
• Test certs (free) signed by untrusted root CA
• Present certificate

15
SSL The Client Perspective
16
OpenSSL Self-signed Certificate

• Generate keys
• Generate certificate request
• Certificate signing
• openssl req -x509 -key ../private/privkey.pem
  -in www.pburkholder.me.csr gt www.pburkholder.me.cr
  t
• I am who I am claim to be
• Clients will generate warnings
• Present certificate

17
SSL Client Unknown Root Cert
18
OpenSSL Using Certificates

• Generate keys
• Generate certificate request
• Certificate signing
• Present certificate
• Modify httpd.conf directives
• SSLCertificateFile SSL/certs/www.pburkholder.me.c
  rt
• SSLCertificateKeyFile SSL/private/privkey.pem
• If encrypted private key, need passphrase on
  start
• Spoofing only requires private key and certificate

19
OpenSSL Roll-your own CA

• For developing own software, or small deployments
• Install root certificate on client browsers
• To Apache httpd.conf add line
• AddType application/x-x509-ca-cert .cacert
• Copy cacert.pem to a web-accessible file, e.g,
  WWW/MyRoot.cacert
• Point browser to URL. Browser will prompt to
  install

20
Installing a Root Certificate
21
SSL Attacks Dug Song's dsniff

• dnsspoof /etc/dnspoof.hosts
• ltmy_host_ipgt login.yahoo.com
• webmitm -d login.yahoo.com make webmitm.cert

22
STunnel

• STunnel wrapper for SSL services.
  (www.stunnel.org)
• Sslwrap -same idea, not as actively developed.
• As with all SSL services, STunnel needs a
  certificate
• openssl req -new -x509 -days 365 -nodes -out
  stunnel.pem -keyout stunnel.pem

23
STunnel POP3 Server Client
HOST A
HOST B
ClientPOP3
POP3 Server
port 110
l
localhost110
port 995
STUNNEL
STUNNEL
24
STunnel POP3 server example

• On Server, an inetd entry to provide pop3 service
  may be something like pop3 stream tcp nowait
  root /usr/sbin/tcpd ipopd
• You can instead put a service on pop3s
  (995) /usr/sbin/stunnel -r localhostpop3 \ -p
  /path/to/stunnel.pem
• STunnel will SSL-encrypt on port 995 (pop3s),
  and tunnel the unencrypted traffic to localhost
• Use /etc/hosts.allow,deny to limit ipop daemon
  to localhost only for SSL-secured POP3 service

25
STunnel on Windows

• Download openssl.dll and ssleay.dll to
  WIN/system stunnel.exe to a convenient place
• Test "stunnel -c -d 110 -r mail.server995"
• As service? Easiest is to create
  stunnel.bat START stunnel -c -d 110 -r
  mail995and run stunnel.bat from Scheduled Tasks
  at user login. But must contend with Command
  window
• Running as a real service requires add'l software

26
STunnel Debugging

• Run STunnel with -D 6 (debug level 6) and -f
  (foreground)
• Use Eric Rescorla's SSLDUMP (rtfm.org)
• ssldump -k ./stunnel.pem -d -i vmnet1 port 995
• see all traffic decrypted
• Note STunnel by default not picky about
  certification

27
SSH

• If SSL is a toolbox, SSH is a Leatherman
• Features
• Encryption AES, ARC4, Blowfish,...
• Secure logins, remote command, file transfer
• Authentication Password, PubKey, Host-based,...
• Access control by host, user
• Key management
• Port-forwarding

28
SSH Protocol Version 1

• Monolithic protocol
• Authentication by KerberosIV, Rhosts,
  RhostsRSA, Public-Key, TIS/SecureID, Password
  (many flavors)
• RSA for authentication and key exchange
• Weaknesses
• CRC-32 integrity, attacks, keystroke monitoring
  (sshow)
• SSH-1 still common Licensing, Cost, and First to
  Market. 2 million users estimated

29
SSH Protocol Version 2

• DSS for authentication, Diffie-Hellman keys
• Supports x.509 PKI certificates

Server
Client
SSH Connection
SSH Connection
SSH Authentication
SSH Authentication
SSH Transport
SSH Transport
TCP/IP, IPX/SPX, etc.
TCP/IP, IPX/SPX, etc.
Ethernet, etc...
PacketLength
PaddingLength
Payload (compressed)
RandomPadding
IntegrityData (MAC)
encrypted
30
SSH Server implementations

• OpenSSH (v 3.0 released Nov. 6)
• SSHv2 and SSHv1
• Standard implementation for this talk
• SSH Communications Security SSH3.0.1
• nix Servers 475 / Windows Servers 565
• Free servers for non-commercial use
• F-Secure SSH 2.4.0 (Unix server client)
• nix Server 594/Windows 834
• ftp//metalab.unc.edu/pub/packages/security/ssh/

31
Compiling Installing

• /dev/random or EGD
• ./configure, make, make install...
• OpenSSH
• Requires zlib, OpenSSL
• ./configure --disable-suid-ssh --with-tcp-wrappers
  --with-pam
• Potential SetUID binaries for host-base auth
• OSSH ssh
• SSH2 ssh-signer

32
Server Configuration

• Command-line opts
• Compile-time flags
• Configuration file (sshd_config)
• /etc/hosts.equiv /etc/shosts.equiv
• key files in CONF/
• ssh_host_dsa_key moduli ltkeygt.pub

• Host Access
• ssh_known_hosts /ssh/known_hosts
• /etc/hosts.allow,deny
• /etc/nologin
• User authentication files
• /.ssh/authorized_keys,
• .rhosts/.shosts
• /etc/pam.d/sshd

33
sshd_config - typical settings

• PermitRootLogin (yes(without-passwdnopwd)forced
  -command-onlyno)
• StrictModes yes
• PubkeyAuthentication yes
• HostbasedAuthentication no v2 /etc/hosts.equiv
• PasswordAuthentication yes
• PermitEmptyPasswords no
• X11Forwarding no ???
• Allow,DenyUsers,Groups luser_at_rem_machine
• Protocol 2

34
Running Server

• Make install runs key generation
• sshd detaches and forks daemons
• sshd -d -p ltsome-portgt is great for testing,
  messages to stderr, doesn't fork
• sshd2 -v -p ltsome-portgt

35
Client basic operation

• SSH remote logins, remote commands
• ssh user_at_remotehost.example.com
• ssh user_at_remotehost "command to run"
• -v option provides connection details
• SCP secure copy
• scp user_at_remoteremote/file ./local/file
• SFTP secure file transfer (a al FTP)
• sftp user_at_remote
• Clients try public-key, then password fallback

36
Using Public-key Authentication

• ssh client sends public key
• if server finds key in .ssh(2)/ltfilegt, encrypts a
  challenge to client
• client with private key, proving ID
• .ssh/.ssh2 path permissions
• ssh pb_at_remote host
• Enter passphrase for key '/home/peter/.ssh/id_dsa'
  

37
Generate Public-key Pairs

• Generate a key-pair for each identity
• ssh-keygen -t dsa (enter passphrase for
  default id )
• use '-f file' to save to different identity
  files
• Concatenate public part of key-pair to remote
  account's .ssh/authorized_keys2
• Place ltpublic-key-filegt in .ssh2/ Add "Key
  ltpublic-key-file" line to .ssh2/authorization
• OpenSSH's ssh-keygen translates SSH2 format

38
Forced commands

• ssh -keygen -f pb_command -t dsa
• /.ssh/authorized_keys2
• fromlthostgt, command"/bin/cat SSH_ORIGINAL_COMMA
  ND" ...key...
• /.ssh2/authorization
• Key pb_command_pubkey no pass-phrase
• Command "/bin/cat SSH2_ORIGINAL_COMMAND"
• ssh -i path/to/pb_command_id pb_at_remote
  "file_to_see"

39
Forced commands continued

• Command gets stdin, args in SSH2_... env var
• Can also set "environment", "fromhost", etc
• Enviroment, host restrictions only if script
  called
• Command executes in user shell, after
  (.profile/.cshrc)
• Unencrypted private keys and forced commands can
  be used for unattended scripting

40
SSH Key Agents

• An ssh-agent process stores keys in memory, and
  clients use it to sign authenticators
• ssh-agent SHELL invoke a subshell -- shell
  dies if agent dies
• eval 'ssh-agent' process sets env and
  detaches, doesn't die on logout
• X
• ssh-agent startx
• .xsession exec ssh-agent ./.xsession-stuff
• ssh-add loads identity files, connect at will!

41
Remote Agent Forwarding
ZERO
ONE
TWO
no private keys pubkey authorized for
pb_at_one SSH_AUTH_.. ssh pb_at_two client uses
socket to zero for auth
pubkey authorized for pb_at_zero I'm in!
eval ssh-agent SSH_AUTH_.. ssh-add ssh
pb_at_one
SSH
SSH
Agent
42
SSH Port Forwarding
MYHOST
REMOTEHOST
POP3Server
POP3Client
l
localhost110
port 22
SSHClient
SSHServer
43
Port Forwarding

• If the TCP client application (whose conx you
  want to forward) is running on local machine, use
  local forwarding. If client is on remote
  machine, use remote forwarding.
• ssh -Lltlocalportgtlocalhostltremportgt
  pb_at_remote
• ssh -Rlt
• X-forwarding happens automatically if server
  accepts local host connections

44
Windows Servers

• SSH2, F-Secure, and OpenSSH ( Cygwin)
• SSH2 command line only, 10 sessions
• VNC server port 5800, runs under Win2k
• Set VNC registry to allow loopback connect
• ssh -L5801localhost5800 peter_at_win2k
• vncviewer localhost5801

45
Windows, Mac Java Clients

• See snailbook.com. Free Mac clients are weak
• My favorites are PuTTY for Windows and Mindterm
  (appgate.com) for anything else

46
File Transfer SFTP

• Handy interface, but s...l...o...w
• netcat 100Mb random data 35s
• sftp 100Mb random data 10m51s
• Barrett Silverman claim 1/4 speed of scp
• I've seen 1/10 of FTP speed

47
SSL SSH Recommendations

• SSH is an essential tool for remote
  administration. OpenSSH excellent SSH2 has some
  better configuration options and more advanced
  features. X-forwarding a great feature.
  ssh-agent/forced-command a boon for scripting
• SSL-enabled apps and PKI becoming ubiquitous. A
  better choice for securing particular apps,
  especially with STunnel

48
Web SSL References

• Thawte http//www.thawte.com
• Thawte.Apache SSL Key and CSR Generation
  Instructions. http//www.thawte.com/certs/\server
  /keygen/apachessl.html
• Frederick Hirsch, SSLeay Certificate Cookbook.
  http//www.ultranet.com/fhirsch/Papers/cook/ssl_c
  ook.html
• Dug Song's dsniff. http//www.monkey.org/dugsong
  /dsniff/
• STunnel
• OpenSSL