3. Definition-I: Commonly used one
«The Secure Shell Protocol (SSH) is a protocol for secure remote login and other secure network services over an insecure network»
Ylonen & Lonvick, Standards Track (SSH Communications Security Corp; C. Lonvick, Ed., Cisco Systems, Inc.), January 2006
cagriCOM08 | Information Security
4. Definition-II: More detailed one
«Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that connects, via a secure channel over an insecure network, a server and a client (running SSH server and SSH client programs, respectively).»
Wikipedia
5. Definition-III Structure
6. What SSH does
Secure Shell handles the set-up of an encrypted connection over TCP.
7. What SSH does: which means…
- SSH can handle secure remote logins (ssh)
- SSH can handle secure file copy (scp)
- SSH can even drive secure FTP (sftp)
8. Core SSH programs
ssh: client
sshd: server
sftp: file transfer client
«if sshd is not running you will not be able to connect to it with ssh»
10. I Password Authentication
Example without SSH Keys: Prompts for Password
you (ssh) -> server (sshd)
you> ssh mac-1
password: ****
other>
11. II Key-pair Authentication
Example without SSH Keys
you (ssh) -> server (sshd)
12. II Key-pair Authentication
Example without SSH Keys
you (ssh) -> server (sshd)
First of all, generate keys:
you> ssh-keygen
13. II Key-pair Authentication public/private key-pair
you: ~/.ssh/id_rsa, ~/.ssh/id_rsa.pub
14. II Key-pair Authentication public/private key-pair
Private Key: id_rsa
you: ~/.ssh/id_rsa, ~/.ssh/id_rsa.pub
Private keys should be kept secret, do not share them with anyone.
15. II Key-pair Authentication public/private key-pair
Private Key: id_rsa. Public Key: id_rsa.pub
you: ~/.ssh/id_rsa, ~/.ssh/id_rsa.pub
Private keys should be kept secret, do not share them with anyone.
Public keys are meant to be shared.
16. II Key-pair Authentication public/private key-pair
Copy Public Key to server
you: ~/.ssh/id_rsa, ~/.ssh/id_rsa.pub -> server
17. II Key-pair Authentication public/private key-pair
Copy Public Key to server
you: ~/.ssh/id_rsa, ~/.ssh/id_rsa.pub -> server: ~/.ssh/authorized_keys
18. II Key-pair Authentication public/private key-pair
No password required!
you (ssh) -> server (sshd)
you> ssh server
other>
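The "copy public key to server" step of slides 16-18, as an added example that is not part of the slides: install one public key line into a user's ~/.ssh/authorized_keys the way sshd expects it (directory 700, file 600, no duplicate entries). The key material is constructed and not a real key; the target directory is a parameter so the function can be exercised in a temporary directory.

```shell
# Added example: put a public key into authorized_keys on the server side.
# Assumes POSIX sh plus awk and grep. Directory/file modes matter: sshd's
# StrictModes (on by default) ignores a group- or world-writable ~/.ssh.

install_authorized_key() {
    pubkey="$1"                       # one line as found in id_rsa.pub / id_ed25519.pub
    ssh_dir="${2:-$HOME/.ssh}"        # target ~/.ssh (parameterised for testing)
    auth="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"              # only the owner may enter ~/.ssh
    touch "$auth"
    chmod 600 "$auth"                 # only the owner may read/write the key list

    # Idempotent: a key is identified by "<type> <base64 blob>"; the trailing
    # comment is ignored so re-running with a different comment adds nothing.
    key_id=$(printf '%s\n' "$pubkey" | awk '{print $1" "$2}')
    if awk '{print $1" "$2}' "$auth" | grep -qxF "$key_id"; then
        return 0                      # already authorized, nothing to do
    fi
    printf '%s\n' "$pubkey" >> "$auth"
}

# Number of key lines currently in <ssh_dir>/authorized_keys (0 if empty).
count_authorized_keys() {
    grep -cE '^(ssh-|ecdsa-)' "$1/authorized_keys" || true
}

# Constructed sample key line (not a real key), same shape as id_ed25519.pub.
SAMPLE_PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedKeyBlobNotRealXXXXXXXXXXX you@laptop"
```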
19. III Host-based Authentication
• Doesn’t require user credentials (password or key)
• Provides trust based on hostname and user id
• User id on both systems has to be the same
• Disabled by default -- not that useful
20. SSH Basics Configuration Files [CF]
Server CF, system-side: sshd config: /etc/sshd_config
Client CF, system-side: ssh config: /etc/ssh_config
Client CF, user-specific: ssh config: ~/.ssh/config
Based on installation method, system config locations may vary.
Example: MacPorts installs in /opt/local/etc/ssh/
21. SSH Basics Secure Logins
Login Example #1: ssh user@example.com
Login Example #2: ssh example.com
Login Example #3: ssh -p 45000 example.com
Login Example #4: ssh example.com <command here>
  ssh example.com ls -l
  ssh example.com hostname
22. SSH Basics Agent / Key Forwarding
Example without SSH Keys
you -> server-1 -> server-2
25. SSH Basics Agent / Key Forwarding
[updated example] you to server-1 to server-2
you> ssh-keygen
you: id_rsa, id_rsa.pub
Copy the public key to ~/.ssh/authorized_keys on each remote host (server-1 and server-2).
28. SSH Basics Agent / Key Forwarding
you to server-1 to server-2
you> ssh server-1
server-1>                (success: your key is in authorized_keys on server-1)
server-1> ssh server-2
password>                (password required at the second step!)
29. SSH Basics Enter Agent / Key Forwarding
SSH Key Gets Forwarded
you (id_rsa, id_rsa.pub) -> server-1 -> server-2
30. SSH Basics Enter Agent / Key Forwarding
Command Line Agent Forwarding
ssh -A example.com
Use -A to explicitly turn on agent forwarding for an ssh session (-a turns it off).
31. SSH Basics Port Forwarding
Local Port Forwarding Example
you -> server-1 (sshd) -> server-2 (www), Private Network
32. SSH Basics Port Forwarding
you to www on server-2
you -> server-1 (sshd; public IP and local IP) -> server-2 (www; local IP only), Private Network
33. SSH Basics Port Forwarding
Can’t access server-2 directly
you -> server-1 (sshd; public IP and local IP) -> server-2 (www; local IP only), Private Network
34. SSH Basics Port Forwarding
With Local Port Forwarding
you -> server-1 (sshd; public IP and local IP) -> server-2 (www; local IP only), Private Network
you> ssh -L 8000:server-2:80 server-1
server-1>                (success)
35. SSH Basics Port Forwarding
A Tunnel is Made!
you -> server-1 (sshd; public IP and local IP) -> server-2 (www; local IP only), Private Network
you> ssh -L 8000:server-2:80 server-1
server-1>                (success)
36. SSH Basics Port Forwarding
server-2 doesn’t have to run sshd
you -> server-1 (sshd; public IP and local IP) -> server-2 (www; local IP only), Private Network
37. SSH Basics Port Forwarding
Command Line Local Port Forwarding
ssh -L localport:host:hostport example.com
localport is the port on your machine, host is the remote server to tunnel to, hostport is the port on the remote server to tunnel to.
38. SSH Basics Port Forwarding
Sharing Tunnel
you -> server-1 (sshd; public IP and local IP) -> server-2 (www; local IP only), Private Network
you> ssh -L 8000:server-2:80 -g server-1
server-1>                (success; another host can now connect to your port 8000)
39. SSH Basics Port Forwarding
Command Line Local Port Forwarding
ssh -L localport:host:hostport -g example.com
-g allows others to connect to your forwarded port
40. SSH Basics Port Forwarding
Host Configured
Host inspire.staging
    LocalForward 8000:server-2:80
Per-User: ~/.ssh/config
System-wide: /etc/ssh_config
41. SSH Basics Port Forwarding
SSH Server has final say!
AllowTcpForwarding no
System-wide: /etc/sshd_config
Defaults to “yes” -- so pretty much ignore.
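Since the server has the final say, an administrator wants to know what the effective AllowTcpForwarding value of a given sshd_config actually is. This is an added example, not from the slides: it reads an sshd_config text and reports the value that applies to every connection, modelling sshd's rules (keywords are case-insensitive, the first occurrence wins, directives after the first Match block are conditional and do not count, and the default is "yes"). The sample config is constructed, not a real server file.

```shell
# Added example: effective AllowTcpForwarding of an sshd_config file.
# Assumes POSIX sh plus awk. Reports the global value only; settings inside
# Match blocks apply to matching users/hosts and are deliberately left out.

effective_allow_tcp_forwarding() {
    config_file="$1"
    awk '
        { sub(/#.*/, "")                              # strip comments
          if (NF == 0) next                           # skip blank lines
          key = tolower($1)                           # keywords are case-insensitive
          if (key == "match") exit                    # global section ends at first Match
          if (key == "allowtcpforwarding" && !found) {
              value = tolower($2); found = 1          # first occurrence wins in sshd
          }
        }
        END { print (found ? value : "yes") }         # sshd default is yes
    ' "$config_file"
}

# Constructed sample config (not a real server file), in the spirit of slide 41:
# forwarding is disabled globally, and a later line does not override it.
SAMPLE_SSHD_CONFIG=$(mktemp)
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
# /etc/sshd_config (constructed)
Port 22
allowtcpforwarding no      # tunnels refused for everyone
AllowTcpForwarding yes     # ignored: first occurrence wins
Match User deploy
    AllowTcpForwarding yes # only applies inside the Match block
EOF
```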
42. References
SSH Secure Shell for Workstations Windows Client version 3.2.9 User Manual
Communication over secure channels (SSH) User Manual
http://en.wikipedia.org/wiki/Secure_SHell
http://en.wikipedia.org/wiki/Secure_channel
http://doctus.org/forum.php?s=ec689fc4bdb4dd0cc895cbdbd298cc3b
http://www.openssh.org/txt/
ftp://ftp.itu.edu.tr/Utility/SSH Secure Shell/
http://www.javakursu.net/sshnedir