TRANSCRIPT
Secure Connections to NERSC Systems
Using the Secure Shell (SSH)
Jed Donnelley
http://www.nersc.gov/~jed
6/21/1999
June 2000 Secure Connections to NERSC Systems
Using the Secure Shell (SSH) 2
Using SSH to connect to Unix
Use                 From Unix        From PC/Mac
Secure “Telnet”     ssh, slogin
X Windows           automatic        manually specified
Data Transfer       scp, ftp         ftp
Authentication      ssh-keygen       Key generation Wizard
DataFellows: http://www.datafellows.fi/
Basic Facilities Offered by SSH
1. An encrypted channel for control (e.g. “Telnet”) communication.
2. Plumbing (aka forwarding, tunneling): multiplexing of IP forwarded communication across the encrypted channel.
(e.g. for X Windows, FTP, POP email, etc.)
3. Authentication: Public key authentication for users and servers. Allows use of a single passphrase rather than multiple passwords.
[Diagram: Local host (SSH Client) <--- Secure Channel ---> Remote host (SSH Daemon)]
Simplest form - a secure “Telnet” (“normal” case)
mordor 1: ssh mcurie
Host 'mcurie' added to the list of known hosts.
Password:
----------------------------------------------------------------------
* * * W A R N I N G W A R N I N G * * *
U.S. GOVERNMENT COMPUTER
If not authorized to access this system, disconnect NOW.
YOU SHOULD HAVE NO EXPECTATION OF PRIVACY. By continuing, you
consent to your keystrokes and data content being monitored.
…
Your terminal type is vt100.
Your current working directory is /u/mpccc/jed.
%
Simplest form - a secure “Telnet” (first time connecting to this host)
mordor 6: ssh www.nersc.gov
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)? yes
Host 'www.nersc.gov' added to the list of known hosts.
Creating random seed file ~/.ssh/random_seed. This may take a while.
[email protected]’s Password:
Last login: Wed Mar 10 11:07:08 1999 from gondor.nersc.gov
No mail.
Sun Microsystems Inc. SunOS 5.6 Generic August 1997
*****************************************************
Welcome to the primary NERSC Web server.
Please report any problems or concerns to [email protected] or x8600
******************************************************
gondor.nersc.gov%
SSH “Telnet” - a PC/Mac Example
Generally recommended
PC SSH - the Resulting Connection
Note: If you set $DISPLAY you will break X forwarding. You can, however, specify a -display option to xclock.
Example: SSH from Unix
% ssh killeen
jed@killeen's password:
----------------------------------------------------------------------
…
Your current working directory is /u/ccc/jed.
% printenv DISPLAY
killeen:36.0
% xclock &
[1] 16332
%
Advanced Facilities
1. An encrypted channel for control (e.g. “Telnet”) communication.
2. Plumbing (aka forwarding, tunneling): multiplexing of forwarded IP communications across the encrypted channel. (e.g. for X Windows, FTP, POP email, etc.)
3. Authentication: Public key authentication for users and servers. Allows use of a single passphrase rather than multiple passwords.
[Diagram: Local host (SSH Client) <--- Secure Channel ---> Remote host (SSH Daemon)]
SSH Plumbing: IP Forwarding(Tunneling)
[Diagram: user terminal input -> local host SSH Client <--- Secure Channel ---> remote host SSH Daemon -> user shell. An IP-forwarding client (e.g. X, FTP) on the local host is carried over the same secure channel to an IP-forwarding server on the remote host; the application's own data channel outside the tunnel is non-secure. Note: firewalls may affect this; the connections may go in different directions.]
SSH Port Forwarding: FTP example
[Diagram: user terminal input/output -> local SSH Client <--- Secure Channel ---> remote SSH Daemon -> user shell. The FTP client connects to the port-forwarding client's source port (S. port) on the local host; the port-forwarding server on the remote host connects to the FTP daemon's destination port (D. port). The FTP data connection is made directly between the hosts and is not secured.]
X Windows Forwarding - Automatic
Not defaulted on PC
Configuration for Forwarded FTP
FTP Data Transfer Configuration
Note: Important for data connections
PC example: WS_FTP
When the Data Connection is Established
When the Data Connection Fails
Active/Passive mode failure indication
Very Similar on a Macintosh
Mac example: “Fetch”
Connection dialog Remote system file list
FTP Tunneling under Unix
• Requires two windows on your local workstation
• In window 1, set up the forwarded port while making a “regular” ssh terminal connection:
  ssh -L forwarded_port:forwarded_host:host_port host
  E.g.
  % ssh -L 2000:killeen.nersc.gov:21 killeen.nersc.gov
  SSH on your workstation listens for any outgoing connections using port 2000, and forwards them to port 21 on killeen; this is the FTP server port.
• In window 2, connect to the forwarded port (any of these forms):
  % ftp localhost 2000
  % ftp myworkstation.lbl.gov 2000
  % ftp 127.0.0.1 2000
  When prompted to log in, supply the password for the remote system, e.g. killeen. The connection to your workstation on the forwarded port gets sent to port 21 on killeen, where it’s received by the FTP server.
• Only the CONTROL CONNECTION (user name and password) is protected by encryption.
Secure Copy (scp) Client on Unix
Syntax:
scp [-aAqQprvBCL] [-S path-to-ssh] [-o ssh-options]
    [-P port] [-c cipher] [-i identity]
    [[user@]host1:]filename1 [[user@]host2:]filename2
Example:
% scp test.file killeen.nersc.gov:new.file
[email protected]'s password:
test.file | 0 KB | 0.0 kB/s | ETA: 00:00:00 | 99%
%
The entire session is protected by encryption.
The Fly in the Ointment
• The fundamental operation of SSH is the terminal connection
• ftp tunneling requires it, so any system that doesn’t allow a shell won’t allow tunneling (e.g. HPSS)
• scp seems to have a similar limitation, since it doesn’t work to HPSS, either
• Connecting to HPSS securely is something we’re working on. Right now it requires a two-step process to do it securely, using an intermediate machine within NERSC, with the assumption that unsecured transfers between it and HPSS are safe.
Firewalls
• There are many ways to set up firewalls, but they can be lumped into two categories:
• “stateful” - connections are remembered and this knowledge may be used in other connections; these are the easiest for users to deal with
• “stateless” - connections have no knowledge of other connections
SSH Port Forwarding: FTP Example
[Diagram: the same SSH port-forwarding picture as the earlier “SSH Port Forwarding: FTP example” slide: FTP client -> port-forwarding client (S. port) on the local host, port-forwarding server -> FTP server (D. port) on the remote host, with the FTP data connection made directly and not secured.]
FTP - “Active” (Default) Mode
[Diagram: the FTP client on the local host opens the control connection to port 21 on the remote FTP server, which is listening there. The client listens on a data port and sends “PORT <IP ADDR>, <client data>”; for “STOR <‘filename’>” the server connects to the client’s data port and the file’s data flows over that server-initiated data connection.]
FTP - “Passive” Mode
[Diagram: as in active mode, the FTP client opens the control connection to port 21 on the server. The client sends “PASV”; the server listens on a data port and the client connects to it. For “STOR <‘filename’>” the file’s data flows over that client-initiated data connection.]
Firewall Consequences, Active Mode
[Diagram: firewall consequences in active mode. The SSH connection to port 22 is outgoing from the client side and allowed. The FTP client listens on its data port, but the FTP server’s data connection to it is an incoming connection at the client’s firewall and is blocked; it never arrives. Fails.]
Firewall Consequences, Passive Mode
[Diagram: firewall consequences in passive mode. The SSH connection to port 22 is outgoing and allowed; after “PASV” the FTP server listens on a data port, and the FTP client’s data connection to it is also outgoing, so it is allowed. Succeeds.]
“Local” Connections, Local Host
What is a “local” connection? 127.0.0.1 or mystation.lbl.gov or ?
127.0.0.1 as “Active” “Local Host”
[Diagram: 127.0.0.1 as the active-mode “local host”. The FTP client, connected to the forwarded port via 127.0.0.1, advertises 127.0.0.1 as its data address; the FTP server’s data connection to 127.0.0.1 goes to the server’s own loopback (“nobody home”) and never arrives at the client’s listening data port. Fails.]
<IP Addr> as “Active” “Local Host”
[Diagram: <IP Addr> as the active-mode “local host”. The FTP client advertises its real <IP Addr> as its data address; the FTP server’s data connection to <IP Addr> reaches the client’s listening data port. Succeeds.]
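The two failure modes in the preceding diagrams (an incoming data connection blocked at the client's firewall, and a PORT command that names 127.0.0.1 when the FTP client is talking to the forwarded port) can be modelled from the FTP command formats. The following is an added example, not part of the original slides: it parses and builds RFC 959 PORT commands and 227 PASV replies and predicts the outcome of the data connection; the addresses and port numbers in it are constructed (192.0.2.0/24 is the documentation range), not NERSC hosts.

```python
import ipaddress
import re

# Added example (not code from the NERSC slides): a model of the FTP
# data-connection setup shown in the “Active”/“Passive” mode and “Firewall
# Consequences” diagrams, built on the PORT command and 227 PASV reply
# formats of RFC 959. Addresses used in comments are constructed.

PORT_RE = re.compile(r"PORT\s+(\d{1,3}(?:,\d{1,3}){5})$")
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")

def _decode(hostport: str) -> tuple[str, int]:
    """'h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', p1*256 + p2)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in hostport.split(","))
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"byte out of range in {hostport!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def parse_port_command(line: str) -> tuple[str, int]:
    """Parse the “PORT <IP ADDR>, <client data>” command an active-mode client sends."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return _decode(m.group(1))

def parse_pasv_reply(line: str) -> tuple[str, int]:
    """Parse the 227 reply with which a server answers “PASV”."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 227 reply: {line!r}")
    return _decode(m.group(1))

def port_command(host: str, port: int) -> str:
    """Build the PORT command for the address and port the client listens on."""
    octets = host.split(".")
    if len(octets) != 4 or not 0 < port < 65536:
        raise ValueError("need an IPv4 dotted quad and a port in 1..65535")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])

def data_connection_outcome(mode: str, line: str,
                            client_blocks_inbound: bool) -> tuple[bool, str]:
    """Predict whether the FTP data connection comes up.

    mode: "active" (line is the client's PORT command) or "passive" (line is
    the server's 227 reply). client_blocks_inbound: a firewall in front of
    the client drops incoming connections. Returns (succeeds, reason).
    """
    if mode == "active":
        host, port = parse_port_command(line)
        if ipaddress.ip_address(host).is_loopback:
            # The 127.0.0.1 case: the server connects to its OWN loopback.
            return False, f"server connects to {host}:{port} on itself: nobody home"
        if client_blocks_inbound:
            # The server's connection is incoming at the client's firewall.
            return False, f"incoming connection to {host}:{port} blocked at client firewall"
        return True, f"server connects to client data port {host}:{port}"
    if mode == "passive":
        host, port = parse_pasv_reply(line)
        # The client initiates, so it is an outgoing connection at its firewall.
        return True, f"client connects out to server data port {host}:{port} (not encrypted)"
    raise ValueError("mode must be 'active' or 'passive'")
```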
SSH2
The SSH2 protocol is being standardized by the IETF and will shortly become an official standard. The upcoming Internet standard is called SECSH. The SECSH working group at IETF is defining the SSH 2.x protocol. The goal of the working group is to define an IETF standards track protocol that will be used by future versions of SSH.
F-Secure SSH Terminal
F-Secure SSH Terminal provides the user with secure login connections over untrusted networks. F-Secure SSH Terminal acts as a replacement for the telnet protocol. The Terminal uses the cryptographic authentication, automatic session encryption, and integrity protection methods that are defined by the SSH protocol. F-Secure SSH Terminal fully supports VT100 terminal emulation.
F-Secure SSH Tunnel
F-Secure SSH Tunnel can be used to create local proxy servers for remote TCP/IP services. The service can be one of the Internet protocols: pop, smtp (used by e-mail software), http (used by Web browsers), etc. or almost any other TCP/IP based service (e.g. a TCP/IP connection to an RDBMS server). The local proxy server created by the F-Secure SSH Tunnel listens for a socket on the desired port, forwards the request and data over the secure channel, and instructs the F-Secure SSH Server to make the connection to the specified service on the remote machine.
SSH2 Protocol Considerations
• The SSH2 Server can be configured to spawn an SSH1 protocol handler.
• The SSH2 protocol is safer and the SSH2 client has more capability (sftp)
• Why not support SSH2?
• Cost? ~2 person months (est. from Systems Group)
• Performance for SSH1 support? Only a possible problem for very interactive applications.
SSH1/SSH2 Compatibility - PCs
            Windows client        Macintosh client      Unix client
Server      SSH1  SSH2  SFTP      SSH1  SSH2  SFTP      SSH1  SSH2  SCP  SFTP
SSH1D       !     O     O         !     O     O         !     !!!   !    O
SSH2D       !!    !     !         !!    !     !         !!    !     ?    !
Font/color codes:
! - Works
!! - Works, server fork
!!! - Works, compatibility
O - Fails
? - We don’t know
small italics - untested
Last Advanced Facility
1. An encrypted channel for control (e.g. “Telnet”) communication.
2. Plumbing: multiplexing of IP forwarded communication across the encrypted channel.
(e.g. for X Windows, FTP, POP email, etc.)
3. Authentication: Public key authentication for users and servers. Allows use of a single passphrase rather than multiple passwords.
[Diagram: SSH client <--- Secure Channel ---> SSH Daemon]
Background: Single Key Encryption
Single Key (traditional) Encryption
[Figure: clear text (the opening of the Declaration of Independence) -> Encrypt using the Shared Secret Key “oijh238ysoid93ww8u38” -> cipher text (unreadable) -> Decrypt using the same Shared Secret Key -> clear text]
Examples include DES, triple DES, IDEA, Blowfish
Public Key Encryption
Public Key (dual key) Encryption
[Figure: clear text (the same Declaration of Independence passage) -> Encrypt using the Public Key (80988989228302098770349850394803980837) -> cipher text (unreadable) -> Decrypt using the Private Key (9837938798379783903) -> clear text]
Some Public key schemes have the useful feature: Pvt(Pub(Data)) = Pub(Pvt(Data)) = Data
(E.g. RSA)
RSA Public Key Generation
Pick two prime numbers, p and q, and compute n = pq.
Next, choose d < n such that d is relatively prime to p-1 and q-1.
Now, find e such that d*e - 1 is divisible by (p-1)(q-1).
The number n is called the modulus and the key pairs are (d, n) and (e, n).
For example, if you pick p = 23 and q = 29, then n = 667.
Choose d = 53, giving e = 93.
The key pairs are then (53, 667) and (93, 667).
RSA Public Key Encryption
The “public key” is the pair (p*q, e)
The “private key” is the pair (p*q, d)
Plain text T must be a number between 0 and n-1 = p*q-1.
The encryption function is encrypt(T) = (T^e) mod p*q = C
The decryption function is decrypt(C) = (C^d) mod p*q
decrypt(encrypt(T)) = encrypt(decrypt(T)) = T
Server Key Discussion
[Diagram: SSH client <--- Secure Channel ---> SSH Daemon, with user terminal input, user shell and IP-forwarding client/server (e.g. X, FTP) as before. Server: Private Key, Public Key.]
Example Output for a New Host
% ssh killeen
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)? yes
Host 'killeen' added to the list of known hosts.
jed@killeen's password:
----------------------------------------------------------------------
…
Your current working directory is /u/ccc/jed.
%
~<username>/.ssh/known_hosts
Example entry in ~jed/.ssh/known_hosts (a single line: host name, key size in bits, public exponent, modulus):
killeen 1024 37 70532593064280723615556417405828808850943371630798516480384045437205549991919175174786457731483025676565709073573665983120013464579534338113231393286414542817887873620249521301011281291251294893172579641922785486290015013914845601455980254003194868967406329770908213973406165958743927558932541915106864908137
User (Client) Key Discussion
[Diagram: SSH client <--- Secure Channel ---> SSH Daemon, with user terminal input, user shell and IP-forwarding client/server (e.g. X, FTP) as before. Server: Private Key, Public Key. Client: Private Key, Public Key.]
Example Key Generation, Unix
gondor.nersc.gov% ssh-keygen
Initializing random number generator...
Generating p: ...................................++ (distance 524)
Generating q: ........................++ (distance 280)
Computing the keys...
Testing the keys...
Key generation complete.
Enter file in which to save the key (/u/ccc/jed/.ssh/identity):
Enter passphrase:
Enter the same passphrase again:
Your identification has been saved in /u/ccc/jed/.ssh/identity.
Your public key is:
1024 37 141065829193088583535393787336236519596422356561555617621686481111309766411198772661982321105598609309699536285550930419740866537251689728318439216288854655452937112522267785457094285051527541171601963234454922870814357588148505347811819557940284482322861085587046666885623959789222189095197602745618669956589 [email protected]
Your public key has been saved in /u/ccc/jed/.ssh/identity.pub
gondor.nersc.gov%
~<username>/.ssh/authorized_keys
Copied from <source>:~<username>/.ssh/identity.pub
Example entry in <destination>:~jed/.ssh/authorized_keys (a single line):
1024 37 141065829193088583535393787336236519596422356561555617621686481111309766411198772661982321105598609309699536285550930419740866537251689728318439216288854655452937112522267785457094285051527541171601963234454922870814357588148505347811819557940284482322861085587046666885623959789222189095197602745618669956589 [email protected]
Client Authentication Using RSA
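An added worked example (not from the slides) carrying the numbers of the preceding RSA slides, p = 23, q = 29 and d = 53 giving e = 93, through key generation and encryption, then using them for the challenge-response idea behind this slide: the server encrypts a random challenge with the public key it holds in authorized_keys, and only the holder of the private key in the identity file can return it. The function names and the challenge flow are a simplified model, not the SSH1 wire protocol.

```python
import secrets
from math import gcd

# Added example (not code from the NERSC slides): the RSA arithmetic of the
# “RSA Public Key Generation” and “RSA Public Key Encryption” slides, followed
# by the challenge-response principle behind authenticating a client with its
# RSA key. Teaching model only: toy primes, no padding, not the SSH1 format.

def make_keys(p: int, q: int, d: int) -> tuple[tuple[int, int], tuple[int, int]]:
    """Given primes p, q and a chosen d, return ((d, n), (e, n)) with
    d*e - 1 divisible by (p-1)(q-1), exactly as the slide describes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (0 < d < n) or gcd(d, p - 1) != 1 or gcd(d, q - 1) != 1:
        raise ValueError("d must be < n and relatively prime to p-1 and q-1")
    e = pow(d, -1, phi)          # modular inverse, so d*e == 1 (mod phi)
    return (d, n), (e, n)

def encrypt(T: int, public_key: tuple[int, int]) -> int:
    """encrypt(T) = T^e mod n; T must lie in 0 .. n-1."""
    e, n = public_key
    if not 0 <= T < n:
        raise ValueError("plain text must be between 0 and n-1")
    return pow(T, e, n)

def decrypt(C: int, private_key: tuple[int, int]) -> int:
    """decrypt(C) = C^d mod n."""
    d, n = private_key
    return pow(C, d, n)

def round_trips(T: int, private_key, public_key) -> bool:
    """Check the slide's claim decrypt(encrypt(T)) == encrypt(decrypt(T)) == T."""
    return (decrypt(encrypt(T, public_key), private_key) == T
            and encrypt(decrypt(T, private_key), public_key) == T)

# --- Client authentication with an RSA key (the principle, not SSH1 itself) ---

def issue_challenge(user_public_key, rng=secrets.randbelow) -> tuple[int, int]:
    """Server side: pick a random R in 1 .. n-1 under the public key found in
    authorized_keys, send Pub(R) to the client and remember R for the check."""
    e, n = user_public_key
    R = 1 + rng(n - 1)
    return R, encrypt(R, user_public_key)

def answer_challenge(encrypted_challenge: int, user_private_key) -> int:
    """Client side: only the holder of the identity file's private key gets R back."""
    return decrypt(encrypted_challenge, user_private_key)

def verify(expected_R: int, response: int) -> bool:
    """Server side: a correct response proves possession of the private key."""
    return response == expected_R
```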
For Unix, ssh-agent, ssh-add
gondor.nersc.gov% ssh-agent csh
gondor.nersc.gov% ssh-add
Need passphrase for /u/ccc/jed/.ssh/identity ([email protected]).
Enter passphrase:
Identity added: /u/ccc/jed/.ssh/identity ([email protected])
gondor.nersc.gov% ssh mcurie
----------------------------------------------------------------------
* * * W A R N I N G W A R N I N G * * *
…
gondor.nersc.gov% scp test.file mcurie:ssh.file
gondor.nersc.gov% printenv
SSH_AUTH_SOCK=/tmp/ssh-jed/agent-socket-19174
SSH_AGENT_PID=19175
gondor.nersc.gov%