Ssh that wonderful thing
Lynx Consultants training into SSH

    Ssh that wonderful thing: Presentation Transcript

    • Marc Cluet – Lynx Consultants: How I learned to stop worrying and love the shell
    • What we’ll cover?
        • Understand how SSH works
        • Get a clear picture of how SSH bastion hosts work
        • Be able to do more awesome stuff with SSH!
      Lynx Consultants © 2013
    • What is SSH?
        • Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network: a server and a client (running SSH server and SSH client programs, respectively).[1] The protocol specification distinguishes two major versions that are referred to as SSH-1 and SSH-2…. *whew*
    • But really, what is SSH?
        • SSH opens a terminal connection to a remote host
        • It does so using cryptography to avoid any break or leak in communication
        • It is a very powerful tool for remote execution
        • It is awesome!
    • How does SSH create a connection?
        • You run your SSH command: ssh user@host
        • SSH client connects to host
        • SSH client negotiates crypto and version with the host
        • SSH host requests authentication (password, certificates)
        • SSH client replies with the crypto challenge
        • Communication is open!
    • Authentication methods
        • Password
            • Typical manual password
            • Turing keyboard test
        • Certificates
            • Public Key certificates (RSA1, RSA, DSA, GSS)
            • Host-based certificates
    • Certificates
        • A certificate ensures your identity by providing a crypto key divided in public and private parts (asymmetric cryptography)
        • A public crypto key can be shared and is mathematically linked to the private key
        • A private key shouldn’t be shared and is able to unlock and decipher the ciphertext
    • Certificates
        • A certificate can be generated for each host or group of hosts you want to access
        • Each certificate can and should be protected by a password for extra security
        • Certificates are easy to revoke, so in case of any incident a new certificate can be generated
    • Certificates
        • Run the command
            • ssh-keygen -t rsa -f ~/.ssh/id_foryournetwork
        • This will create a unique certificate for network hosts
        • All your other hosts or keys (github, etc) are safely different
    • Security risks of running an infrastructure
        • If we leave password authentication open we’re subject to dictionary attacks
            • The whole system strength is defined by the weakest password
        • Each host that has ssh open is another security risk
        • All this can be resolved by Bastion Hosts!
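The password-authentication risk above can be checked per host. The following shell functions are an added example, not part of the original slides: they report the global PasswordAuthentication value sshd would apply, assuming first-value-wins parsing and a default of yes. The function names and the two sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original slides.
# Prints the value sshd would use for a keyword in the global section of an
# sshd_config file. Assumptions: the first value read for a keyword wins,
# keywords are case-insensitive, "Match" starts the conditional section,
# and Include files are not followed.
sshd_global_value() {
    # $1 = config file, $2 = keyword, $3 = default when the keyword is unset
    awk -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want) }
        { sub(/#.*/, "") }               # strip comments
        NF == 0 { next }                 # skip blank lines
        { key = tolower($1) }
        key == "match" { exit }          # global section ends here
        key == want { found = tolower($2); exit }
        END { print (found == "" ? def : found) }
    ' "$1"
}

# "yes" means the host still accepts passwords and is open to dictionary
# attacks; sshd defaults to "yes" when the keyword is absent.
password_auth_setting() {
    sshd_global_value "$1" PasswordAuthentication yes
}

# Constructed sample configs (not taken from any real host).
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak" <<'EOF'
Port 22
#PasswordAuthentication no
PubkeyAuthentication yes
EOF
cat > "$demo_dir/hardened" <<'EOF'
passwordauthentication NO
PasswordAuthentication yes   # ignored: first value wins
EOF

for f in weak hardened; do
    echo "$f: PasswordAuthentication $(password_auth_setting "$demo_dir/$f")"
done
```

On the host itself, `sshd -T` prints the effective configuration and is the authoritative check.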
    • What is a Bastion Host?
        • A Bastion Host sits between two networks, one trusted and one untrusted
        • It regulates traffic between those networks, highlighting any malicious traffic and refusing it
        • It is the first line of defence in a system
    • SSH Configuration
        • Here’s an example

            # Config to access bastion host
            Host bastionhost
                User myuser
                IdentityFile ~/.ssh/id_mynetwork
                Hostname 1.2.3.4
    • How to Diagnose connections
        • Always run ssh -v (-v for verbose)
        • Make sure you test each point of your connection
            • First bastion host
            • Then proceed further up
        • Regular issues
            • Lack of Certificate
            • DNS problem
            • Internets is broken
    • Awesome Stuff – Port Redirection
        • You can redirect a port from your machine to the remote host or the other way around
            • -L myport:destination:destport
                • Forwards a connection made to localhost 8080 to myhost port 80 (-L 8080:myhost:80)
    • Awesome Stuff – Port Redirection
        • You can redirect a port from your machine to the remote host or the other way around
            • -R remoteport:destination:destport
                • Forwards a connection made to destination port 8080 to localhost port 80 (-R 80:myhost:8080)
    • Awesome Stuff – Socks Proxy
        • You can create a SOCKS Proxy transparently with SSH
            • This will allow you to navigate the remote network as if it was your own
        • ssh -D2222 user@myhost
        • Configure your browser to use a SOCKS proxy at localhost port 2222
        • Navigate to all internal network pages!
    • Questions?