Difference between revisions of "Ssh"

From Hackepedia
 
(2 intermediate revisions by 2 users not shown)
Line 3: Line 3:
 
SSH stands for "Secure Shell" and was first written by a Finnish computer scientist named Tatu Ylonen.  Mr. Ylonen went on to found [http://www.ssh.com SSH Communications] which continues developing the ssh program.  The program uses both symmetric and assymetric [[cryptography]] in order to keep the [[OSI]] session layer secure from session [[hijacking]] and [[sniffing]].
 
SSH stands for "Secure Shell" and was first written by a Finnish computer scientist named Tatu Ylonen.  Mr. Ylonen went on to found [http://www.ssh.com SSH Communications] which continues developing the ssh program.  The program uses both symmetric and assymetric [[cryptography]] in order to keep the [[OSI]] session layer secure from session [[hijacking]] and [[sniffing]].
  
=== Public Key Differences ===
+
== Public Key Differences ==
  
 
There are three versions used in SSH.  One for v1 protocol, and two for v2.
 
There are three versions used in SSH.  One for v1 protocol, and two for v2.
Line 15: Line 15:
 
Which is the right one for you?  Since the RSA patent has expired it is recommended by most of the OpenSSH team to stay with RSA keys since they have been around longer and are more known in terms of their strengths and weakness.   
 
Which is the right one for you?  Since the RSA patent has expired it is recommended by most of the OpenSSH team to stay with RSA keys since they have been around longer and are more known in terms of their strengths and weakness.   
  
=== The OpenSSH Fork ===
+
== The OpenSSH Fork ==
  
 
[http://www.openssh.com OpenSSH] was forked from a free version of SSH 1.2.12 and shipped with the [[OpenBSD]] 2.6 system.  It has gained popularity among many vendors and is shipped with their products as well.  [http://ssh.com/ Tatu Ylonen's company] took OpenSSH to court but lost.
 
[http://www.openssh.com OpenSSH] was forked from a free version of SSH 1.2.12 and shipped with the [[OpenBSD]] 2.6 system.  It has gained popularity among many vendors and is shipped with their products as well.  [http://ssh.com/ Tatu Ylonen's company] took OpenSSH to court but lost.
  
=== Cool SSH Tricks ===
+
== Cool SSH Tricks ==
  
 
Modern SSH clients and servers allow you to do some pretty nifty tricks. The most common is [http://en.tldp.org/HOWTO/XDMCP-HOWTO/ssh.html X11 Port Forwarding].  You can also [http://www.coder.com/daniel/kwlug/ssh-tricks/slide010.html forward arbitrary ports], and [http://www.coder.com/daniel/kwlug/ssh-tricks/slide006.html compress] files when transfering them over the network (all in addition to encrypting the data).  One really nifty trick is to [[FlexLMForwarding| forward FlexLM]] connections. Another popular trick is [[ssh-keygen|passphraseless key exchange]].
 
Modern SSH clients and servers allow you to do some pretty nifty tricks. The most common is [http://en.tldp.org/HOWTO/XDMCP-HOWTO/ssh.html X11 Port Forwarding].  You can also [http://www.coder.com/daniel/kwlug/ssh-tricks/slide010.html forward arbitrary ports], and [http://www.coder.com/daniel/kwlug/ssh-tricks/slide006.html compress] files when transfering them over the network (all in addition to encrypting the data).  One really nifty trick is to [[FlexLMForwarding| forward FlexLM]] connections. Another popular trick is [[ssh-keygen|passphraseless key exchange]].
Line 25: Line 25:
 
== Travel ==
 
== Travel ==
  
If you're lucky enough to have a [[shell]] account at home via ssh, you might want to use your home (or co-lo) machine while travelling instead of a potentially hostile network. This is accomplished by adding the -D flag to start a SOCKS proxy.
+
To use this, you'll need a [[shell]] account. This can be on a server you're running at home, or a machine that you trust. SOCKS mode is accomplished by adding the -D flag to start a SOCKS proxy.
  
 
  $ ssh [[Variables|$home_machine]] -D127.0.0.1:8080
 
  $ ssh [[Variables|$home_machine]] -D127.0.0.1:8080
  
Now in firefox I enter a SOCKS proxy of 127.0.0.1 with port 8080 and it will appear to any website I visit that I am at home, not at my remote location!
+
Now in firefox I enter a SOCKS proxy of 127.0.0.1 with port 8080 and it will appear to any website I visit that I am at home, not at my remote location! You can do this in any applications you wish ([[Firefox]],[[Thunderbird]] or [[Pidgin]] for example, or you can use this as a [[VPN]] for all applications.
 +
 
 +
 
 +
== Lessons learned from Enigma ==
 +
 
 +
In world war 2 the germans used a cipher mechanism called [[enigma]] to secure their communications.  Little did they know the british were able to read through this ciphertext and gain plain knowledge of everything being written.  Enigma was a lazy concept, it allowed comforts on part of the operator and it was so complex that noone on the german side questioned it because they probably were too lazy to dig up dirt. 
 +
 
 +
The same can be said for SSH, don't get lazy.  Don't reuse private/public keys for passwordless access across systems.  So far the public knows not of a case where it's possible to derive a private key from a public key.  But we have a threat looming... quantum computers.  If they manage to make this easy all security over public/private keys is diminished.  It may even be safer to just use passwords (that are good! not simple ones).  Stay vigilant my crypto heros, ssh shouldn't make you lazy!
 +
 
 +
== Rotate keys with ansible ==
 +
 
 +
Generate your new keys:
 +
 
 +
$ ssh-keygen -t rsa -b 4096 -C "ansible 2021" -f "ansible2021"
 +
 
 +
The following is dangerous in that you could get locked out of a remote system. For testing, I did --limit='server_one' in ansible to test on one host only, and I was manually ssh'd into that machine in case I did something wrong and had to manually replace my ssh key.
 +
 
 +
The following playbook assumes that your local username is localuser and in your hosts.yaml file you use ansible_user as the username:
 +
 
 +
'''
 +
---
 +
- hosts: all
 +
  tasks:
 +
    - authorized_key:
 +
        user: <nowiki>"{{ ansible_user }}" </nowiki>
 +
        state: present
 +
        key: <nowiki>"{{ lookup('file', '/home/localuser/.ssh/ansible2021.pub') }}" </nowiki>
 +
        exclusive: True
 +
 
 +
'''
 +
 
 +
Remove exclusive: True if you don't want to clobber/remove all existing ssh keys listed in authorized_keys, but simply want to add your new one!
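
Review bot: the playbook at the end of this hunk is delimited with ''' lines, which is bold markup rather than a code block, so the YAML indentation under "- hosts: all" is not protected when the page renders; wrap it in <pre> so that "tasks:" stays aligned with "hosts:". In the Travel paragraph, the added sentence opens a parenthesis before [[Firefox]] and never closes it. The lock-out warning refers to "the following", but the behaviour that causes it (exclusive: True removing every other key) is only explained after the playbook; move that sentence up beside the warning.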

Latest revision as of 12:03, 9 March 2021


SSH stands for "Secure Shell" and was first written by a Finnish computer scientist named Tatu Ylonen. Mr. Ylonen went on to found SSH Communications, which continues developing the ssh program. The program uses both symmetric and asymmetric cryptography in order to keep the OSI session layer secure from session hijacking and sniffing.

Public Key Differences

There are three public key types used in SSH: one for the v1 protocol, and two for v2.

  • RSA1 is referred to as the original RSA key used for v1 protocols. These keys were used to encrypt the communications.
  • RSA is referred to as the v2 protocol. This is used for signing the channel only since the underlying protocol is now handled by a different means.
  • DSA was added to v2 protocol after RSA Security assured patent rights, and the IETF included DSA to allow for patent free implementation. Note: Due to how DSA works it requires a lot more good entropy to be secure compared to RSA.

Which is the right one for you? Since the RSA patent has expired, most of the OpenSSH team recommends staying with RSA keys, since they have been around longer and are better understood in terms of their strengths and weaknesses.

The OpenSSH Fork

OpenSSH was forked from a free version of SSH 1.2.12 and shipped with the OpenBSD 2.6 system. It has gained popularity among many vendors and is shipped with their products as well. Tatu Ylonen's company took OpenSSH to court but lost.

Cool SSH Tricks

Modern SSH clients and servers allow you to do some pretty nifty tricks. The most common is X11 Port Forwarding. You can also forward arbitrary ports, and compress files when transferring them over the network (all in addition to encrypting the data). One really nifty trick is to forward FlexLM connections. Another popular trick is passphraseless key exchange.

Travel

To use this, you'll need a shell account. This can be on a server you're running at home, or a machine that you trust. SOCKS mode is accomplished by adding the -D flag to start a SOCKS proxy.

$ ssh $home_machine -D127.0.0.1:8080

Now in Firefox I enter a SOCKS proxy of 127.0.0.1 with port 8080 and it will appear to any website I visit that I am at home, not at my remote location! You can do this in any application you wish (Firefox, Thunderbird or Pidgin, for example), or you can use this as a VPN for all applications.


Lessons learned from Enigma

In World War 2 the Germans used a cipher mechanism called Enigma to secure their communications. Little did they know the British were able to read through this ciphertext and gain plain knowledge of everything being written. Enigma was a lazy concept: it allowed comforts on the part of the operator, and it was so complex that no one on the German side questioned it, because they probably were too lazy to dig up dirt.

The same can be said for SSH: don't get lazy. Don't reuse private/public keys for passwordless access across systems. So far the public knows of no case where it's possible to derive a private key from a public key. But we have a threat looming... quantum computers. If they manage to make this easy, all security over public/private keys is diminished. It may even be safer to just use passwords (that are good! not simple ones). Stay vigilant my crypto heroes, ssh shouldn't make you lazy!

Rotate keys with ansible

Generate your new keys:

$ ssh-keygen -t rsa -b 4096 -C "ansible 2021" -f "ansible2021"

The following is dangerous in that you could get locked out of a remote system. For testing, I did --limit='server_one' in ansible to test on one host only, and I was manually ssh'd into that machine in case I did something wrong and had to manually replace my ssh key.

The following playbook assumes that your local username is localuser and in your hosts.yaml file you use ansible_user as the username:

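---
# Install the new public key for the remote login user on every host.
- hosts: all
  tasks:
    - authorized_key:
        user: "{{ ansible_user }}"
        state: present
        key: "{{ lookup('file', '/home/localuser/.ssh/ansible2021.pub') }}"
        # exclusive removes every other key from authorized_keys
        exclusive: True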

Remove exclusive: True if you don't want to clobber/remove all existing ssh keys listed in authorized_keys, but simply want to add your new one!
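
One way to reduce the lock-out risk described above, as an added example that is not part of the original page: add the new key first, prove from the control machine that it logs in, and only then make it exclusive. It assumes the private key is at /home/localuser/.ssh/ansible2021 (that is, ssh-keygen was run in ~/.ssh), that it is usable without a prompt (no passphrase, or loaded in ssh-agent), and that ssh_config sets no other IdentityFile for these hosts.

```yaml
---
# Added example: three-pass rotation so an untested key never becomes the only key.
- hosts: all
  gather_facts: false
  vars:
    # Assumed location of the new private key; the .pub file sits beside it.
    new_key: /home/localuser/.ssh/ansible2021
  tasks:
    - name: Pass 1 - add the new key next to the existing ones
      authorized_key:
        user: "{{ ansible_user }}"
        state: present
        key: "{{ lookup('file', new_key + '.pub') }}"

    - name: Pass 2 - log in from the control machine using only the new key
      # BatchMode makes ssh fail instead of prompting; IdentitiesOnly stops it
      # from silently succeeding with an old key offered by ssh-agent.
      command: >-
        ssh -i {{ new_key }}
        -o IdentitiesOnly=yes -o BatchMode=yes
        -o PasswordAuthentication=no -o ConnectTimeout=10
        -p {{ ansible_port | default(22) }}
        {{ ansible_user }}@{{ ansible_host | default(inventory_hostname) }} true
      delegate_to: localhost
      changed_when: false

    - name: Pass 3 - remove every other key now that the new one is proven
      authorized_key:
        user: "{{ ansible_user }}"
        state: present
        key: "{{ lookup('file', new_key + '.pub') }}"
        exclusive: true
```

If pass 2 fails for a host, Ansible stops running tasks on that host, so pass 3 is skipped there and its existing keys stay in place.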