SlideShare a Scribd company logo
1 of 43
Secure SHell
         Ecrypted command-line communication

cagriCOM08 | Information Security
Content
@     Definitions
@     What SSH Does
@     Core SSH programs
@     SSH Authentication Methods
     @     Password
     @     Public/private keypair
     @     Host-based authentication
@     SHH Basics
     @     Configuration Files [CF]
     @     Secure Logins
     @     Agent / Key Forwarding
     @     Enter Agent / Key Forwarding
     @     Port Forwarding
@     Conclusion

cagriCOM08 | Information Security
Definition-I                  Common used one


   «The Secure Shell Protocol (SSH) is a protocol
     for secure remote login and other secure
    network services over an insecure network»
                                                 Ylonen & Lonvick
                                                   Standards Track
SSH Communications Security Corp                    C. Lonvick, Ed.
                                                Cisco Systems, Inc.
                                                      January 2006


cagriCOM08 | Information Security
Definition-II                 More detatiled one

     «Secure Shell (SSH) is a cryptographic network protocol for
    secure data communication, remote shell services or command
       execution and other secure network services between two
   networked computers that connects, via a secure channel over an
                insecure network, a server and a client
     (running SSH server and SSH client programs, respectively).»
                                                        Ylonen & Lonvick
                                                         Standards Track
SSH Communications Security Corp                           wikipedia

cagriCOM08 | Information Security
Definition-III                 Structure




cagriCOM08 | Information Security
What SSH does



SecureSHell handles the set up and generation
      of an encrypted TCP connection.



cagriCOM08 | Information Security
What SSH does:                      which means…


.......
-SSH can handle secure remote logins (ssh)
-SSH can handle secure file copy (scp)
-SSH can even drive secure FTP (sftp)


cagriCOM08 | Information Security
Core SSH programs


                        ssh             client
                       sshd             server
                        sftc            transfer-line


               «if sshd is not running you will not
               be able to connect to it with ssh»
cagriCOM08 | Information Security
SSH Authentication Methods


$ Password
$ Public/private keypair
$ Host-based authentication


cagriCOM08 | Information Security
I       Password Authentication
      Example without SSH Keys                 Prompts for Password
     you                            server    you                  server




     ssh                            sshd     ssh                   sshd
                                             you>      ssh mac-1
                                             password: ****
                                             other>

cagriCOM08 | Information Security
II       Key-pair Authentication

  Example without SSH Keys
   you                              server



  ssh                           sshd




cagriCOM08 | Information Security
II       Key-pair Authentication

  Example without SSH Keys
   you             ?            server



  ssh                               sshd   server> ssh –keygen


 First of all Generate keys


cagriCOM08 | Information Security
II       Key-pair Authentication public/private key-pair

             you



~/.ssh/id_rsa
~/.ssh/id_rsa.pub




cagriCOM08 | Information Security
II       Key-pair Authentication public/private key-pair

                                Private Key: id_rsa
             you
                                            you


~/.ssh/id_rsa
~/.ssh/id_rsa.pub                   ~/.ssh/id_rsa
                                    ~/.ssh/id_rsa.pub

                                Private keys should be
                                kept secret, do not
                                share them with anyone

cagriCOM08 | Information Security
II       Key-pair Authentication public/private key-pair

                                Private Key: id_rsa      Public Key: id_rsa.pub
             you
                                            you                     you


~/.ssh/id_rsa
~/.ssh/id_rsa.pub                   ~/.ssh/id_rsa         ~/.ssh/id_rsa
                                    ~/.ssh/id_rsa.pub     ~/.ssh/id_rsa.pub

                                Private keys should be
                                                         Public keys are meant to
                                kept secret, do not
                                                         be shared.
                                share them with anyone

cagriCOM08 | Information Security
II       Key-pair Authentication public/private key-pair

                            Copy Public Key to server

               you                                      server



   ~/.ssh/id_rsa
   ~/.ssh/id_rsa.pub



cagriCOM08 | Information Security
II       Key-pair Authentication public/private key-pair

                            Copy Public Key to server

               you                                         server



   ~/.ssh/id_rsa
   ~/.ssh/id_rsa.pub                           ~/.ssh/authorized_keys



cagriCOM08 | Information Security
II       Key-pair Authentication public/private key-pair

                              No password required!

               you                                           server

                        ssh                           sshd

                                    you> ssh server
                                    other>


cagriCOM08 | Information Security
III       Host-based Authentication


•      Doesn’t require user credentials (password or key)
•      Provides trust based on hostname and user id
•      User id on both system has to be the same
•      Disabled by default -- not that useful



cagriCOM08 | Information Security
SSH Basics Configuration Files [CF]

                Server CF                               Client CF
 sshd config: /etc/sshd_config                      ssh config: /etc/ssh_config
                                          system-side

                                          user-specific ssh config: ~/.ssh/config




           Based on installation method system config locations may vary.
                example: macports installs in /opt/local/etc/ssh/
cagriCOM08 | Information Security
SSH Basics Secure Logins

           Login Example #1             Login Example #2
  ssh user@example.com                 ssh example.com
          Login Example #3              Login Example #4

 ssh -p 45000 example.com ssh example.com<command here>
                                      ssh example.com ls –l
                                    ssh example.com hostname
cagriCOM08 | Information Security
SSH Basics Agent / Key Forwarding
                                Example without SSH Keys
                                    server-1

     you

                                    server-2



cagriCOM08 | Information Security
SSH Basics Agent / Key Forwarding
                                    you> ssh server-1
                                     server-1           you> ssh server-1
                                                        password:
     you
                                                        Password required
                                     server-2



cagriCOM08 | Information Security
SSH Basics Agent / Key Forwarding
                                    you> ssh server-2
                                     server-1           you> ssh server-2
                                                        password:
     you
                                                        Password required
                                     server-2



cagriCOM08 | Information Security
SSH Basics Agent / Key Forwarding
 [updated example]                     you to server-1 to server-2
                                                            you> ssh -keygen

     you                                       server-1     Copy public key to
                                    Authorized_key          ~/.ssh/authorized_keys
                                                            on each remote host

   id_rsa.pub
   id_rsa                                     server-2
                                    Authorized_key
cagriCOM08 | Information Security
SSH Basics Agent / Key Forwarding
                                    you> ssh server-1
                                                        you> ssh server-1
                                                        server-1>
     you                                   server-1
                                                        Success


                                          server-2

cagriCOM08 | Information Security
SSH Basics Agent / Key Forwarding
                                    you> ssh server-2
                                                        you> ssh server-2
                                                        server-2>
     you                                   server-1
                                                        Success


                                          server-2

cagriCOM08 | Information Security
SSH Basics Agent / Key Forwarding
                               you to server-1 to server-2
                                                          you> ssh server-1
                                                          server-1>
     you                                       server-1   Success
                                    Authorized_key

                                                          you> ssh server-2
   id_rsa.pub                                             password>
   id_rsa                                     server-2    password required at
                                    Authorized_key
                                                          the second step!
cagriCOM08 | Information Security
SSH Basics Enter Agent / Key Forwarding
                            SSH Key Gets Forwarded



     you                              server-1


   id_rsa.pub
   id_rsa                            server-2

cagriCOM08 | Information Security
SSH Basics Enter Agent / Key Forwarding
                   Command Line Agent Forwarding
                                    ssh -A example.com




                         Use -A to explicitly turn off
                        forwarding for a ssh session.

cagriCOM08 | Information Security
SSH Basics Port Forwarding
                     Local Port Forwarding Example
       you                          server-1                server-2
                                          sshd       www




                                          Private Network


cagriCOM08 | Information Security
SSH Basics Port Forwarding
                             you to www on server-2
       you                          server-1                      server-2
                                                sshd       www

                                    public IP                     local IP
                                    local IP


                                                Private Network

cagriCOM08 | Information Security
SSH Basics Port Forwarding
                        Can’t access server-2 directly
       you                          server-1                      server-2
                                                sshd       www

                                    public IP                     local IP
                                    local IP


                                                Private Network

cagriCOM08 | Information Security
SSH Basics Port Forwarding
                         With Local Port Forwarding
       you                          server-1                 server-2
                                                sshd   www

                                    public IP                local IP
                                    local IP
 you> ssh -L 8000:server-2:80 server-1
 server-1>
 success
cagriCOM08 | Information Security
SSH Basics Port Forwarding
                                    A Tunnel is Made!
       you                            server-1                 server-2
                                                  sshd   www

                                      public IP                local IP
                                      local IP
 you> ssh -L 8000:server-2:80 server-1
 server-1>
 success
cagriCOM08 | Information Security
SSH Basics Port Forwarding
                   server-2 doesn’t have to run sshd
       you                          server-1                 server-2
                                                sshd   www
                                    public IP                local IP
                                    local IP




cagriCOM08 | Information Security
SSH Basics Port Forwarding
               Command Line Local Port Forwarding

        ssh -L localport:host:hostport example.com

 localport is the port on your machine,
 host is the remote server to tunnel to,
 hostport is the port on the remote server to tunnel to



cagriCOM08 | Information Security
SSH Basics Port Forwarding
                                    Sharing Tunnel
       you                           server-1                   server-2
                                                 sshd     www

                                     public IP                  local IP
                                     local IP

    another                   you> ssh -L 8000:server-2:80 -g server-1
                              server-1>
                              success
cagriCOM08 | Information Security
SSH Basics Port Forwarding
               Command Line Local Port Forwarding

      ssh -L localport:host:hostport -g example.com

 -g allows others to connect to your forwarded port




cagriCOM08 | Information Security
SSH Basics Port Forwarding
                                    Host Configured

 Host inspire.staging
 LocalForward 8000:server-2:80
 Per-User ~/.ssh/config
 System-wide /etc/ssh_config
 Friday, September



cagriCOM08 | Information Security
SSH Basics Port Forwarding
                             SSH Server has final say!

 AllowTcpForwarding no

 System-wide /etc/sshd_config
 Defaults to “yes” -- so pretty much ignore.




cagriCOM08 | Information Security
References
SSHSecure Shell forWorkstations Windows Client version 3.2.9 User Manual
Güvenli kanallardan iletişim ( SSH ) User Manual

http://en.wikipedia.org/wiki/Secure_SHell
http://en.wikipedia.org/wiki/Secure_channel
http://doctus.org/forum.php?s=ec689fc4bdb4dd0cc895cbdbd298cc3b
http://www.openssh.org/txt/
ftp://ftp.itu.edu.tr/Utility/SSH Secure Shell/
http://www.javakursu.net/sshnedir




cagriCOM08 | Information Security
Thanks For Attention
cagriCOM08

More Related Content

What's hot

Dhcp & dhcp relay agent in cent os 5.3
Dhcp & dhcp relay agent in cent os 5.3Dhcp & dhcp relay agent in cent os 5.3
Dhcp & dhcp relay agent in cent os 5.3
Sophan Nhean
 
Presentation On Group Policy in Windows Server 2012 R2 By Barek-IT
Presentation On Group Policy in Windows Server 2012 R2 By Barek-ITPresentation On Group Policy in Windows Server 2012 R2 By Barek-IT
Presentation On Group Policy in Windows Server 2012 R2 By Barek-IT
Md. Abdul Barek
 

What's hot (20)

Ssh (The Secure Shell)
Ssh (The Secure Shell)Ssh (The Secure Shell)
Ssh (The Secure Shell)
 
Introduction To SELinux
Introduction To SELinuxIntroduction To SELinux
Introduction To SELinux
 
Ssh
SshSsh
Ssh
 
Port forwarding
Port forwardingPort forwarding
Port forwarding
 
Networking in linux
Networking in linuxNetworking in linux
Networking in linux
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
 
CloudStack Networking
CloudStack NetworkingCloudStack Networking
CloudStack Networking
 
Linux User Management
Linux User ManagementLinux User Management
Linux User Management
 
HashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesHashiCorp's Vault - The Examples
HashiCorp's Vault - The Examples
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
 
Volume Encryption In CloudStack
Volume Encryption In CloudStackVolume Encryption In CloudStack
Volume Encryption In CloudStack
 
Networking in Telecommunication (signalling, tcp, ucp, ss7, sctp, sigtran)
Networking in Telecommunication (signalling, tcp, ucp, ss7, sctp, sigtran)Networking in Telecommunication (signalling, tcp, ucp, ss7, sctp, sigtran)
Networking in Telecommunication (signalling, tcp, ucp, ss7, sctp, sigtran)
 
Building IAM for OpenStack
Building IAM for OpenStackBuilding IAM for OpenStack
Building IAM for OpenStack
 
Dhcp & dhcp relay agent in cent os 5.3
Dhcp & dhcp relay agent in cent os 5.3Dhcp & dhcp relay agent in cent os 5.3
Dhcp & dhcp relay agent in cent os 5.3
 
Linux and firewall
Linux and firewallLinux and firewall
Linux and firewall
 
VMware vSphere Networking deep dive
VMware vSphere Networking deep diveVMware vSphere Networking deep dive
VMware vSphere Networking deep dive
 
Zero trust in a multi tenant environment
Zero trust in a multi tenant environment  Zero trust in a multi tenant environment
Zero trust in a multi tenant environment
 
Presentation On Group Policy in Windows Server 2012 R2 By Barek-IT
Presentation On Group Policy in Windows Server 2012 R2 By Barek-ITPresentation On Group Policy in Windows Server 2012 R2 By Barek-IT
Presentation On Group Policy in Windows Server 2012 R2 By Barek-IT
 
Linux
LinuxLinux
Linux
 
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
 

Viewers also liked

Practical unix utilities for text processing
Practical unix utilities for text processingPractical unix utilities for text processing
Practical unix utilities for text processing
Anton Arhipov
 
Unix command-line tools
Unix command-line toolsUnix command-line tools
Unix command-line tools
Eric Wilson
 
Top 100 Linux Interview Questions and Answers 2014
Top 100 Linux Interview Questions and Answers 2014Top 100 Linux Interview Questions and Answers 2014
Top 100 Linux Interview Questions and Answers 2014
iimjobs and hirist
 

Viewers also liked (20)

PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
Practical Example of grep command in unix
Practical Example of grep command in unixPractical Example of grep command in unix
Practical Example of grep command in unix
 
Web Application Security: Introduction to common classes of security flaws an...
Web Application Security: Introduction to common classes of security flaws an...Web Application Security: Introduction to common classes of security flaws an...
Web Application Security: Introduction to common classes of security flaws an...
 
How to Setup A Pen test Lab and How to Play CTF
How to Setup A Pen test Lab and How to Play CTF How to Setup A Pen test Lab and How to Play CTF
How to Setup A Pen test Lab and How to Play CTF
 
Secure shell protocol
Secure shell protocolSecure shell protocol
Secure shell protocol
 
Sed & awk the dynamic duo
Sed & awk   the dynamic duoSed & awk   the dynamic duo
Sed & awk the dynamic duo
 
Unix Command Line Productivity Tips
Unix Command Line Productivity TipsUnix Command Line Productivity Tips
Unix Command Line Productivity Tips
 
Learning sed and awk
Learning sed and awkLearning sed and awk
Learning sed and awk
 
Practical unix utilities for text processing
Practical unix utilities for text processingPractical unix utilities for text processing
Practical unix utilities for text processing
 
class12_Networking2
class12_Networking2class12_Networking2
class12_Networking2
 
Unix command-line tools
Unix command-line toolsUnix command-line tools
Unix command-line tools
 
Web Application Security with PHP
Web Application Security with PHPWeb Application Security with PHP
Web Application Security with PHP
 
Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure  V1.0Defeating The Network Security Infrastructure  V1.0
Defeating The Network Security Infrastructure V1.0
 
Secure Shell(ssh)
Secure Shell(ssh)Secure Shell(ssh)
Secure Shell(ssh)
 
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPVirtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
 
Top 100 Linux Interview Questions and Answers 2014
Top 100 Linux Interview Questions and Answers 2014Top 100 Linux Interview Questions and Answers 2014
Top 100 Linux Interview Questions and Answers 2014
 
RHCE FINAL Questions and Answers
RHCE FINAL Questions and AnswersRHCE FINAL Questions and Answers
RHCE FINAL Questions and Answers
 
Linux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsLinux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old Secrets
 
Linux Systems Performance 2016
Linux Systems Performance 2016Linux Systems Performance 2016
Linux Systems Performance 2016
 
Broken Linux Performance Tools 2016
Broken Linux Performance Tools 2016Broken Linux Performance Tools 2016
Broken Linux Performance Tools 2016
 

Similar to Secure SHell

Presentation nix
Presentation nixPresentation nix
Presentation nix
fangjiafu
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
fangjiafu
 
SSH for pen-testers
SSH for pen-testersSSH for pen-testers
SSH for pen-testers
E D Williams
 
Configuring Secure Shell on Routers and Switches Running Cisco IO
Configuring Secure Shell on Routers and Switches Running Cisco IOConfiguring Secure Shell on Routers and Switches Running Cisco IO
Configuring Secure Shell on Routers and Switches Running Cisco IO
Hoàng Hải Nguyễn
 
Unit 13 network client
Unit 13 network clientUnit 13 network client
Unit 13 network client
root_fibo
 
Ssh
SshSsh
Ssh
gh02
 

Similar to Secure SHell (20)

Intro to SSH
Intro to SSHIntro to SSH
Intro to SSH
 
SSH how to 2011
SSH how to 2011SSH how to 2011
SSH how to 2011
 
Ssh that wonderful thing
Ssh that wonderful thingSsh that wonderful thing
Ssh that wonderful thing
 
How to increase security with SSH
How to increase security with SSHHow to increase security with SSH
How to increase security with SSH
 
SSH.pdf
SSH.pdfSSH.pdf
SSH.pdf
 
Introduction to SSH & PGP
Introduction to SSH & PGPIntroduction to SSH & PGP
Introduction to SSH & PGP
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
 
How To Setup SSH Keys on CentOS 7
How To Setup SSH Keys on CentOS 7How To Setup SSH Keys on CentOS 7
How To Setup SSH Keys on CentOS 7
 
Sshstuff
SshstuffSshstuff
Sshstuff
 
Configure ssh cell
Configure ssh cellConfigure ssh cell
Configure ssh cell
 
SSH for pen-testers
SSH for pen-testersSSH for pen-testers
SSH for pen-testers
 
Windowshadoop
WindowshadoopWindowshadoop
Windowshadoop
 
Meeting 5.2 : ssh
Meeting 5.2 : sshMeeting 5.2 : ssh
Meeting 5.2 : ssh
 
Configuring Secure Shell on Routers and Switches Running Cisco IO
Configuring Secure Shell on Routers and Switches Running Cisco IOConfiguring Secure Shell on Routers and Switches Running Cisco IO
Configuring Secure Shell on Routers and Switches Running Cisco IO
 
Unit 13 network client
Unit 13 network clientUnit 13 network client
Unit 13 network client
 
SSh_part_1.pptx
SSh_part_1.pptxSSh_part_1.pptx
SSh_part_1.pptx
 
Securing Network Access with Open Source solutions
Securing Network Access with Open Source solutionsSecuring Network Access with Open Source solutions
Securing Network Access with Open Source solutions
 
Ssh
SshSsh
Ssh
 
Using Secure Shell on Linux: What Everyone Should Know
Using Secure Shell on Linux: What Everyone Should KnowUsing Secure Shell on Linux: What Everyone Should Know
Using Secure Shell on Linux: What Everyone Should Know
 

Recently uploaded

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Recently uploaded (20)

DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 

Secure SHell

  • 1. Secure SHell Ecrypted command-line communication cagriCOM08 | Information Security
  • 2. Content @ Definitions @ What SSH Does @ Core SSH programs @ SSH Authentication Methods @ Password @ Public/private keypair @ Host-based authentication @ SHH Basics @ Configuration Files [CF] @ Secure Logins @ Agent / Key Forwarding @ Enter Agent / Key Forwarding @ Port Forwarding @ Conclusion cagriCOM08 | Information Security
  • 3. Definition-I Common used one «The Secure Shell Protocol (SSH) is a protocol for secure remote login and other secure network services over an insecure network» Ylonen & Lonvick Standards Track SSH Communications Security Corp C. Lonvick, Ed. Cisco Systems, Inc. January 2006 cagriCOM08 | Information Security
  • 4. Definition-II More detatiled one «Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that connects, via a secure channel over an insecure network, a server and a client (running SSH server and SSH client programs, respectively).» Ylonen & Lonvick Standards Track SSH Communications Security Corp wikipedia cagriCOM08 | Information Security
  • 5. Definition-III Structure cagriCOM08 | Information Security
  • 6. What SSH does SecureSHell handles the set up and generation of an encrypted TCP connection. cagriCOM08 | Information Security
  • 7. What SSH does: which means… ....... -SSH can handle secure remote logins (ssh) -SSH can handle secure file copy (scp) -SSH can even drive secure FTP (sftp) cagriCOM08 | Information Security
  • 8. Core SSH programs ssh client sshd server sftc transfer-line «if sshd is not running you will not be able to connect to it with ssh» cagriCOM08 | Information Security
  • 9. SSH Authentication Methods $ Password $ Public/private keypair $ Host-based authentication cagriCOM08 | Information Security
  • 10. I Password Authentication Example without SSH Keys Prompts for Password you server you server ssh sshd ssh sshd you> ssh mac-1 password: **** other> cagriCOM08 | Information Security
  • 11. II Key-pair Authentication Example without SSH Keys you server ssh sshd cagriCOM08 | Information Security
  • 12. II Key-pair Authentication Example without SSH Keys you ? server ssh sshd server> ssh –keygen First of all Generate keys cagriCOM08 | Information Security
  • 13. II Key-pair Authentication public/private key-pair you ~/.ssh/id_rsa ~/.ssh/id_rsa.pub cagriCOM08 | Information Security
  • 14. II Key-pair Authentication public/private key-pair Private Key: id_rsa you you ~/.ssh/id_rsa ~/.ssh/id_rsa.pub ~/.ssh/id_rsa ~/.ssh/id_rsa.pub Private keys should be kept secret, do not share them with anyone cagriCOM08 | Information Security
  • 15. II Key-pair Authentication public/private key-pair Private Key: id_rsa Public Key: id_rsa.pub you you you ~/.ssh/id_rsa ~/.ssh/id_rsa.pub ~/.ssh/id_rsa ~/.ssh/id_rsa ~/.ssh/id_rsa.pub ~/.ssh/id_rsa.pub Private keys should be Public keys are meant to kept secret, do not be shared. share them with anyone cagriCOM08 | Information Security
  • 16. II Key-pair Authentication public/private key-pair Copy Public Key to server you server ~/.ssh/id_rsa ~/.ssh/id_rsa.pub cagriCOM08 | Information Security
  • 17. II Key-pair Authentication public/private key-pair Copy Public Key to server you server ~/.ssh/id_rsa ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys cagriCOM08 | Information Security
  • 18. II Key-pair Authentication public/private key-pair No password required! you server ssh sshd you> ssh server other> cagriCOM08 | Information Security
  • 19. III Host-based Authentication • Doesn’t require user credentials (password or key) • Provides trust based on hostname and user id • User id on both system has to be the same • Disabled by default -- not that useful cagriCOM08 | Information Security
  • 20. SSH Basics Configuration Files [CF] Server CF Client CF sshd config: /etc/sshd_config ssh config: /etc/ssh_config system-side user-specific ssh config: ~/.ssh/config Based on installation method system config locations may vary. example: macports installs in /opt/local/etc/ssh/ cagriCOM08 | Information Security
  • 21. SSH Basics Secure Logins Login Example #1 Login Example #2 ssh user@example.com ssh example.com Login Example #3 Login Example #4 ssh -p 45000 example.com ssh example.com<command here> ssh example.com ls –l ssh example.com hostname cagriCOM08 | Information Security
  • 22. SSH Basics Agent / Key Forwarding Example without SSH Keys server-1 you server-2 cagriCOM08 | Information Security
  • 23. SSH Basics Agent / Key Forwarding you> ssh server-1 server-1 you> ssh server-1 password: you Password required server-2 cagriCOM08 | Information Security
  • 24. SSH Basics Agent / Key Forwarding you> ssh server-2 server-1 you> ssh server-2 password: you Password required server-2 cagriCOM08 | Information Security
  • 25. SSH Basics Agent / Key Forwarding [updated example] you to server-1 to server-2 you> ssh -keygen you server-1 Copy public key to Authorized_key ~/.ssh/authorized_keys on each remote host id_rsa.pub id_rsa server-2 Authorized_key cagriCOM08 | Information Security
  • 26. SSH Basics Agent / Key Forwarding you> ssh server-1 you> ssh server-1 server-1> you server-1 Success server-2 cagriCOM08 | Information Security
  • 27. SSH Basics Agent / Key Forwarding you> ssh server-2 you> ssh server-2 server-2> you server-1 Success server-2 cagriCOM08 | Information Security
  • 28. SSH Basics Agent / Key Forwarding you to server-1 to server-2 you> ssh server-1 server-1> you server-1 Success Authorized_key you> ssh server-2 id_rsa.pub password> id_rsa server-2 password required at Authorized_key the second step! cagriCOM08 | Information Security
  • 29. SSH Basics Enter Agent / Key Forwarding SSH Key Gets Forwarded you server-1 id_rsa.pub id_rsa server-2 cagriCOM08 | Information Security
  • 30. SSH Basics Enter Agent / Key Forwarding Command Line Agent Forwarding ssh -A example.com Use -A to explicitly turn off forwarding for a ssh session. cagriCOM08 | Information Security
  • 31. SSH Basics Port Forwarding Local Port Forwarding Example you server-1 server-2 sshd www Private Network cagriCOM08 | Information Security
  • 32. SSH Basics Port Forwarding you to www on server-2 you server-1 server-2 sshd www public IP local IP local IP Private Network cagriCOM08 | Information Security
  • 33. SSH Basics Port Forwarding Can’t access server-2 directly you server-1 server-2 sshd www public IP local IP local IP Private Network cagriCOM08 | Information Security
  • 34. SSH Basics Port Forwarding With Local Port Forwarding you server-1 server-2 sshd www public IP local IP local IP you> ssh -L 8000:server-2:80 server-1 server-1> success cagriCOM08 | Information Security
  • 35. SSH Basics Port Forwarding A Tunnel is Made! you server-1 server-2 sshd www public IP local IP local IP you> ssh -L 8000:server-2:80 server-1 server-1> success cagriCOM08 | Information Security
  • 36. SSH Basics Port Forwarding server-2 doesn’t have to run sshd you server-1 server-2 sshd www public IP local IP local IP cagriCOM08 | Information Security
  • 37. SSH Basics Port Forwarding Command Line Local Port Forwarding ssh -L localport:host:hostport example.com localport is the port on your machine, host is the remote server to tunnel to, hostport is the port on the remote server to tunnel to cagriCOM08 | Information Security
  • 38. SSH Basics Port Forwarding Sharing Tunnel you server-1 server-2 sshd www public IP local IP local IP another you> ssh -L 8000:server-2:80 -g server-1 server-1> success cagriCOM08 | Information Security
  • 39. SSH Basics Port Forwarding Command Line Local Port Forwarding ssh -L localport:host:hostport -g example.com -g allows others to connect to your forwarded port cagriCOM08 | Information Security
  • 40. SSH Basics Port Forwarding Host Configured Host inspire.staging LocalForward 8000:server-2:80 Per-User ~/.ssh/config System-wide /etc/ssh_config Friday, September cagriCOM08 | Information Security
  • 41. SSH Basics Port Forwarding SSH Server has final say! AllowTcpForwarding no System-wide /etc/sshd_config Defaults to “yes” -- so pretty much ignore. cagriCOM08 | Information Security
  • 42. References SSHSecure Shell forWorkstations Windows Client version 3.2.9 User Manual Güvenli kanallardan iletişim ( SSH ) User Manual http://en.wikipedia.org/wiki/Secure_SHell http://en.wikipedia.org/wiki/Secure_channel http://doctus.org/forum.php?s=ec689fc4bdb4dd0cc895cbdbd298cc3b http://www.openssh.org/txt/ ftp://ftp.itu.edu.tr/Utility/SSH Secure Shell/ http://www.javakursu.net/sshnedir cagriCOM08 | Information Security