Intro to SSH
Your SlideShare is downloading.
×
More Related Content
Slideshows for you (19)
Similar to Ssh that wonderful thing (20)
More from Marc Cluet (20)
Recently uploaded (20)
Ssh that wonderful thing
- 1. Marc Cluet – Lynx Consultants How I learned to stop worrying and love the shell
- 2. What we’ll cover? ¡ Understand how SSH works ¡ Get a clear picture of how ssh bastion hosts work ¡ Be able to do more awesome stuff with SSH! Lynx Consultants © 2013
- 3. What is SSH? ¡ Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network: a server and a client (running SSH server and SSH client programs, respectively).[1] The protocol specification distinguishes two major versions that are referred to as SSH-‐1 and SSH-‐2…. *whew* Lynx Consultants © 2013
- 4. But really, what is SSH? ¡ SSH opens a terminal connection to a remote host ¡ It does so using cryptography to avoid any break or leak in communication ¡ It is a very powerful tool for remote execution ¡ It is awesome! Lynx Consultants © 2013
- 5. How does SSH create a connection? ¡ You run your SSH command ssh user@host ¡ SSH client connects to host ¡ SSH client negotiates with host crypto and version ¡ SSH host requests authentication (password, certificates) ¡ SSH client replies with the crypto challenge ¡ Communication is open! Lynx Consultants © 2013
- 6. Authentication methods ¡ Password § Typical manual password § Turing keyboard test ¡ Certificates § Public Key certificates (RSA1, RSA, DSA, GSS) § Host-‐based certificates Lynx Consultants © 2013
- 7. Certificates ¡ A certificate ensures your identity by providing a crypto key divided in public and private parts (asymmetric cryptography) ¡ A public crypto key can be shared and is mathematically linked to the private key ¡ A private key shouldn’t be shared and is able to unlock and decipher the ciphertext Lynx Consultants © 2013
- 8. Certificates ¡ A certificate can be generated for each host or group of hosts you want to access ¡ Each certificate can and should be protected by a password for extra security ¡ Certificates are easy to revoke, so in case of any incident a new certificate can be generated Lynx Consultants © 2013
- 9. Certificates ¡ Run the command § ssh-‐keygen –t rsa ~/.ssh/id_foryournetwork ¡ This will create a unique certificate for network hosts ¡ All your other hosts or keys (github, etc) are safely different Lynx Consultants © 2013
- 10. Security risks of running an infrastructure ¡ If we leave password authentication open we’re subject to dictionary attacks § The whole system strength is defined by the weakest password ¡ Each host that has ssh open is another security risk ¡ All this can be resolved by Bastion Hosts! Lynx Consultants © 2013
- 11. What is a Bastion Host? Lynx Consultants © 2013
- 12. What is a Bastion Host? ¡ A Bastion Host sits between two networks, one trusted and one untrusted ¡ It regulates traffic between those networks, highlighting any malicious traffic and refusing it ¡ It is the first line of defence in a system Lynx Consultants © 2013
- 13. SSH Configuration ¡ Here’s an example # Config to access bastion host! Host bastionhost! !User myuser! !IdentityFile ~/.ssh/id_mynetwork! !Hostname 1.2.3.4! Lynx Consultants © 2013
- 14. How to Diagnose connections ¡ Always run ssh –v (-‐v for verbose) ¡ Make sure you test each point of your connection Lynx Consultants © 2013
- 15. How to Diagnose connections ¡ Always run ssh –v (-‐v for verbose) ¡ Make sure you test each point of your connection § First bastion host § Then proceed further up ¡ Regular issues § Lack of Certificate § DNS problem § Internets is broken Lynx Consultants © 2013
- 16. Awesome Stuff – Port Redirection ¡ You can redirect a port from your machine to the remote host or the other way around § -‐L myport:destination:destport ▪ Forwards a connection made to localhost 8080 to myhost port 80 (-‐ L 8080:myhost:80) Lynx Consultants © 2013
- 17. Awesome Stuff – Port Redirection ¡ You can redirect a port from your machine to the remote host or the other way around § -‐R remoteport:destination:destport ▪ Forwards a connection made to destination port 8080 to localhost port 80 (-‐R 80:myhost:8080) Lynx Consultants © 2013
- 18. Awesome Stuff – Socks Proxy ¡ You can create a SOCKS Proxy transparently with SSH § This will allow you to navigate the remote network as if it was your own ¡ ssh –D2222 user@myhost ¡ Configure your browser to use a SOCKS proxy at localhost port 2222 ¡ Navigate to all internal network pages! Lynx Consultants © 2013
- 19. Questions? Lynx Consultants © 2013
