Replacing telnet/rlogin/rsh with SSH
See also Part II (OpenSSH)
By Sean Boran
www.boran.com/security/sp/ssh-part1.html
This article presents an overview of SSH, the Secure SHell. This is the first in a two part series, introducing SSH and implementations, except OpenSSH & OSSH which are presented in an accompanying Part2.
Recent changes:
04.Nov.09 Add Absolute telnet Putty+winscp are still my favourites... See also the change history section |
SSH is useful, easy to use and so much more secure than the archaic telnet/rlogin/rsh, that no UNIX/Linux system should be installed without it.
Dec. 2002 (3 years after this page was first published) it's great that most Linux / Unix vendors have followed the example of OpenBSD & SuSE and bundled SSH with the OS. SSH has become the standard workhose for many sysadmin tasks, but has also had security bugs, possibly making your system more insecure than if using a simple telnet! Even SSH is not immune to the tiring vulnerability-patch-update cycle. So keep your SSH servers up to date.....
Italian Readers: Please note that an earlier version of this article has been translated into Italian [9].
Secure Shell (SSH) was originally authored by Tatu Ylönen, Finland, is a secure replacement for Telnet, rlogin, rcp, rsh and provides secured TCP tunnels. Optional compression of traffic is provided and can also be used together with many Authentication schemes such as SecurID, Kerberos and S/KEY to provide a highly secure remote access point to UNIX servers.
SSH1 was the first implementation (protocol v1.2 and v1.5) that was free in the earlier days, but licensing has become very restrictive, SSH Communications and DataFellows [3] are trying to get people to move to the newer commercial SSH2. OpenSSH (a free alternative discussed in [1]) supports both v1 and v2 protocols.
The Telnet, rlogin, rcp, rsh commands have a number of security weakness: all communications are in clear text and no machine authentication takes place. These commands are open to eavesdropping and tcp/ip address spoofing. A second key UNIX tool, the X11 windows system, also communicates in clear text, uses dynamic ports (making packet filtering difficult) and has a difficult-to-use access control mechanism "xhosts" and "xauth", that few users understand and hence X11 access control is often insecure on UNIX desktops.
SSH uses public/private key RSA authentication to check the identity of communicating peer machines, encryption of all data exchanged (with strong algorithms such as blowfish, 3DES, IDEA etc.). Backwards compatibility to rlogin/rsh and their trust files (rhosts, hosts.equiv) is provided to allow communication with non SSH servers. Optionally, an encrypted tunnel for X11 communications can be automatically setup by SSH (using the xauth access control and DISPLAY environment variable).
So SSH protects against:
SSH does not protect against:
SSH can be used to log-in securely into another computer over a network, execute commands on a remote machine, and copy files from one machine to another. SSH provides strong authentication and secure communications over insecure channels. It is intended as a replacement for rlogin, rsh, and rcp. Additionally, SSH provides secure X11 connections and secure forwarding of arbitrary TCP connections.
SSH2 is the newer protocol version, submitted to the IETF for approval by SSH Communications [3]. It is rewritten (improved cryptography) and is designed for more general purpose VPNs. SSH2:
Today there are many versions of SSH, some implement client only, some both client and server. Commercial, freeware and "restricted freeware" licensing is in use. The original SSH (SSH1) implemented by Tatu Ylönen was free, but versions later than 1.2.12 have restrictive licensing. The last more-or-less free SSH1 v1.2.27 indicates that it may only be used for non-commercial purposes only, but it would seem that most situations would allow free usage:
For commercial licensing please contact Data Fellows, Ltd. Data Fellows has exclusive licensing rights for the technology for commercial purposes.....
You may use the program for non-commercial purposes only, meaning that the program must not be sold commercially as a separate product, as part of a bigger product or project, or otherwise used for financial gain without a separate license...
Use by individuals and non-profit organizations is always allowed...
Companies are permitted to use this program as long as it is not used for revenue- generating purposes..
The latest SSH1, v1.2.31 has the same restrictive licensing as SSH2, basically meaning it is only free for non-profit organisations:
NON-COMMERCIAL: any use that takes place in commercial, governmental, military, or similar organizations and where a salary or similar monetary compensation is paid, unless the use can be considered to be EDUCATIONAL USE or is purely for charity.
These means that for most of use SSH1 and SSH2 cannot be used freely, which explains why OpenSSH is becoming the predominant SSH server in use. [1]
Commercial versions are produced by DataFellows/SSH Communications and cost about $99
for clients and $500 for servers (the NT server is a shocking $850).
SSH contains strong cryptography (no weak versions exist), which make it a no-no to export from the U.S., under the current regulations (which will hopefully change in the coming months). Luckily, SSH1 was developed in Finland meaning export to the U.S. and the rest of the world is no problem.
The RSA algorithm is patented in the U.S., but the patent expired in September 2000, so U.S. users of SSH no longer have to use RSAREF, the official RSA library or pay royalties to RSA.
Hopefully, more U.S. Operating System vendors will bundle SSH with their products soon. OpenBSD, RedHat and SUSE. Linux all bundle OpenSSH.
The IDEA algorithm is patented by Ascom in Switzerland (and only free for non-commercial use), is used by SSH, but it can be disabled when compiling the SSH server.
The following is a list of vulnerabilities found in different SSH implementations, see [2] for links to more detailed discussions of this issues on SecurityFocus.
SSH1 for UNIX is available as a free [5] or commercial product [3]. It is the "original" SSH, but is not being further developed at the moment (except for fixes). The emphasis is now on the commercial SSH2.
SSH2 [3] is a commercial product for UNIX, Windows or Mac. There is a free SSH2 version for non-commercial use, but licensing is pretty restrictive.
LSH: Efforts are underway to develop LSH, a free version of SSH2 - see http://www.net.lut.ac.uk/psst.
FreSSH: Unlike various other SSH implementations already available for Unix, it does not trace its ancestry to the original SSH code written by Tatu Ylonen. FreSSH currently implements SSH protocol version 1.5, with extensions which offer enhanced security when both sides of a connection are running FreSSH. The current version is v0.81 (15.Feb.01), a pre-release. It only runs on UNIX systems with a /dev/random. See http://www.fressh.org
sftp: is an ftp client and server that runs over an SSH tunnel. Currently at v0.7, it runs on Linux and NetBSD. http://www.xbill.org/sftp
Mindterm is a free (GPL) SSH client written in 100% pure Java. It can be run as a
stand-alone program or as an applet in a webpage. It can be run with or without a GUI. It
has other useful features: scp - file copying and a special ftp tunnel which works with
"ordinary" ftpd's "behind" the sshd.
Mindterm is my 2nd favourite SSH client after pscp/putty (see pscp)
- it would be my favourite if the latest version was completely free...
There are several versions, see www.appgate.com/mindterm which the author has been using for since December 1999 months as a standalone application.
- V2.3.1 is the current version, free for "up to 100 users". Works fine.
- V2 is stable, licensing is free except for "multi-user corporate usage". SSH2 protocol is well supported, terminal handling of International keyboard works correctly, but there are problems with the '!' character.
- v1.21 does not handle characters like \@[] properly on international keyboards. 'scp' works better than v1.15, but it still buggy.
- v1.15 is older, but special characters like \@[] work correctly on international keyboards. However scp is buggier and I often get spurious tildes "~" when typing quickly.
- v2.0 rc2 has a faulty SCP, still has problems with the '!' character and 'clone' does not always work. Otherwise it's very good indeed.
Tip for Windows users:
- I have a zip that includes mindterm, java, putty, pscp, ixplorer, winscp. However I don't update it that often, so check the versions used..
mindterm_install.zip
Advantages:
Problems:
Suggested Improvements:
Aside: the OpenSSH crew have started keeping track of various Windows implementations, see http://www.openssh.org/windows.html
Recently a few NT SSH servers have popped up. These new beasts are interesting, but either difficult to setup or no so easy to use.
SSH daemon for NT #1
http://www.shebeen.com/files/sshdnt.zip
This is the first SSH server I've come across for NT and looks interesting. It is without source code, but seems to be UNIX SSH 1.2.26 ported used the Cygnus libraries and uses UNIX-like configuration files.
ssh-keygen -b 1024 -f /usr/local/etc/ssh_host_key -N ''
sshd
pscp -v joe_bloggs@localhost:/cmd.exe
SSH daemon for NT #2
http://marvin.criadvantage.com/caspian/Software/SSHD-NT/default.php
http://www.lexa.ru/sos
An NT SSH server, with a slightly different focus. It is based on Sergey Okhapkin's SSH1.2.26 port, which uses the Cygnus libraries and UNIX-like configuration files. Diffs are available from the original SSH sources. Below we test v1.02.
plink -v joe_bloggs@localhost
pscp -v joe_bloggs@localhost:/cmd.exe
SSH daemon for NT #3: OpenSSH + Cygnus
OpenSSH can also be persuaded to run as a server on Windows. This is discussed in Part II of this article.
I've not tried this product but it looks promising. http://www.bitvise.com/winsshd.html
"WinSSHD is a Windows NT4/2000/XP SSH Secure Shell 2 server that supports the following SSH2 services:
- secure remote login with console (VT100 and xterm with colour support out of the box, as well as many other terminal emulations); secure remote login with GUI (see Using WinSSHD with WinVNC);
- secure file transfer using the SFTP protocol - WinSSHD's integrated SFTP server replaces FTP seamlessly with clients such as ssh.com's SSH2 client, or CuteFTP Pro;
- secure file transfer using the SCP protocol;
- secure TCP/IP port forwarding: most TCP/IP connections can be secured with SSH2.
Also, WinSSHD is:
- well-integrated with the Windows NT/2000/XP platform; compatible with Windows domains - works well with local as well as domain users;
- easy to install: it uses the standard Windows Installer installation mechanism;
- simple to configure and maintain
- available for a free 30-day evaluation period. The cost of a WinSSHD license is USD 29.95 for personal use, and USD 99.95 for business use."
SSH daemon for NT #5: F-Secure & SSH CommunicationsCommercial product exist from F-Secure and from SSH communications [3]. They cost $850.- and $595.-per seat. A brief test of the SSH communications versions worked just OK for remote terminal access. The default configuration is quite permissive and I have problems getting scp (file copy to work), interactions with OpenSSH is very bad. Test it before you buy.
See also a review at: http://www.networkcomputing.com/1206/1206sp3.html
Further reading on NT SSH servers:
http://www.certaintysolutions.com/tech-advice/ssh_on_nt.html
Macintosh SSH Versions
- NiftyTelnet SSH is a free ssh client for MacOS. It is an enhanced version of NiftyTelnet.
Datafellows produce a commercial Mac client: http://www.datafellows.com/f-secure.
- Another is MacSSH www.macssh.com
- dataComet-Secure, www.databeast.com
This commercial packages costing around $60 provides terminal emulation over SSH, Telnet, and dialup connections, supporting both SSH1 and SSH2. Telnet sessions offer Kerberos 5 and SOCKS v4 security options. (NOTE: SSH port forwarding is not yet supported.) dataComet-Secure emulates colour VT100 - VT320, PC-ANSI, SCO-ANSI, and IBM-3279 terminals, with file transfer support for SCP, X/Y/ZModem, and IBM IND$FILE. Sessions can be scripted using AppleScript and built-in macro support, with automatic macro recording and an easy-to-use key re-mapping dialog.
Other Architectures
- Matthias L. Jugel and Marcus Meißner have developed a Java Telnet Application/Applet. http://www.mud.de/se/jta
- Cédric Gourio also developed a Java based SSH, java-ssh, for his diploma - http://www.cl.cam.ac.uk/~fapp2/software/java-ssh
- Based java-ssh, Rob Pitman has developed
JSSH
, which is not a complete GUI client, but a Java "component" designed to allow a developer to embed SSH functionality into a larger application.
http://www.pitman.co.za/projects/jssh/index.html
- Palm Pilot
Top Gun ssh 1.2 at www.isaac.cs.berkeley.edu/pilot or ftp.zedz.net/pub/crypto outside the US.
- Windows CE: Mov Software has released sshCE. www.movsoftware.com/sshce.htm
- BeOS: The BeOS R4 port of SSH1 for Intel and PowerPC is available from www.be.com/beware/Network/ssh.html
- OS/2: See ftp://hobbes.nmsu.edu/pub/os2/apps/internet/telnet/client/ssh-1.2.27-b1.zip for OS/2 Warp 3+.
- VAX/OpenVMS
David Jones has created an OpenVMS SSH1 server http://www.er6.eng.ohio-state.edu/~jonesd/ssh.
Christer Weinigel and Richard Levitte have created an OpenVMS SSH1 client http://www.free.lp.se/fish.
- Nokia firewalls (based on Firewall-1 and a hardened FreeBSD) have an SSH option - use it and disable telnet/ftp!
- "LADON, A Distributed Authentication System for SSH using DNSSEC"
http://www.cs.jhu.edu/~smang/sshproject.html
- ScanSSH: What SSH servers are installed on your network?
Provos - http://www.monkey.org/~provos/scanssh
ScanSSH scans a list of addresses and networks for running SSH servers and their version numbers.
- Windows CE: PockeTTY provides Telnet, SSH and Serial access on PDAs.
http://www.dejavusoftware.com/pocketty/index.html
Compiling & Configuration
SSH1 CompilationNote this section is old: you really should not be using SSH1. Move to OpenSSH, which is discussed in Part II of this article.
- SSH1 comes preinstalled on SuSE Linux 6.3 and OpenBSD 2.6.
- Compiling SSH1 for UNIX (the following examples are for Solaris) is straight forward. Assuming we want the standard options, but want to disable clear text, the old RSH/rlogin and avoid the IDEA algorithm:
gzcat ssh-1.2.30.tar.gz | tar xf -
cd ssh-1.2.30; ./configure --prefix=/usr --without-none --without-rsh --without-idea
make
make install
Note: There were problems compiling 1.2.30 on Solaris Intel, but v1.2.27 works fine (but it has security problems when used with Kerberos).
- SSH startup files: the SSH daemon will have to be added to one of the system startup files, it is not done by "make install".
- An example for Solaris would be to create a startup file /etc/rc2.d/S10sshd.
- For Red Hat Startup, copy a startup file (example sshd) to /etc/rc.d/init.d/ssh and setup links:
chkconfig --add ssh
- useful compilation options:
--without-idea Don't use the patented IDEA algorithm
--without-none: never allow clear text (unencrypted) communication if one of the servers has no key.
--without-rsh: never allow rsh rhosts as an option when a server has no key.
--prefix=/usr/bsd --sbindir=/usr/bsd --bindir=/usr/bsd : Installation in non standard locations.
--with-securid=../ace Add SecurID authentication support (you need the ACE libs)
--with-socks5=/usr/local/lib Socks5 proxing support
- Preparing a binary install package: To make life easier, compile on (say) one machine as above, then create a tar file of the binaries (in the C-Shell). The following also assume that you have copied some SSH documents such as the FAQ to /usr/local/ssh-docs.
tar cvf ssh_bin.tar /usr/local/bin/{ssh,ssh1,scp,scp1,slogin}
tar uvf ssh_bin.tar /usr/local/bin/{ssh-keygen1,ssh-keygen,ssh-agent1,ssh-agent}
tar uvf ssh_bin.tar /usr/local/bin/{ssh-add1,ssh-add,ssh-askpass1,ssh-askpass}
tar uvf ssh_bin.tar /usr/local/bin/{make-ssh-known-hosts1,make-ssh-known-hosts}
tar uvf ssh_bin.tar /etc/{sshd_config,ssh_config}
tar uvf ssh_bin.tar /etc/rc2.d/{S10sshd,K10sshd} /etc/init.d/sshd
tar uvf ssh_bin.tar /usr/local/sbin/{sshd,sshd1}
tar uvf ssh_bin.tar /usr/local/man/man1/{ssh-keygen.1,ssh-agent.1,ssh-add.1,ssh.1,ssh1.1,slogin.1,slogin1.1,scp.1,scp1.1,make-ssh-known-hosts.1} /usr/local/man/man8/{sshd.8,sshd1.8}
tar uvf ssh_bin.tar /usr/local/ssh-docs
compress ssh_bin.tar- Installing on a number of machines:
Copy ssh_bin.tar.Z (created in the last step) to the new target system,
backup any existing config files,
extract in root, "rehash" (if using csh) and then generate a host key:
ssh-keygen -b 1024 -f /etc/ssh_host_key -N '';
Add the ssh service, by adding the following to /etc/services:
ssh 22/tcp # Secure Shell
Start the ssh daemon:
sh /etc/rc2.d/S10sshd start
- BSD (OpenBSD, FreeBSD):
On OpenBSD 2.6, OpenSSH is already installed, but let's say you want to install SSH1 or have an older version of OpenBSD and are not resident in the U.S., then either
- Install the binary package for the appropriate OS version and architecture
pkg_add ftp.openbsd.org/pub/OpenBSD/2.6/packages/sparc/ssh-intl-1.2.27.tgz- Or get the sources and compile:
- Update your ports listing if needed, but be aware that this takes time and you should select your CVS target server carefully (see www.openbsd.org/anoncvs.html):
setenv CVSROOT anoncvs@anoncvs.ca.openbsd.org:/cvs
For a new ports listing: cd /usr; cvs -q get ports
To update an existing version: cd /usr; cvs -q update ports
- See what ssh versions are available:
cd /usr/ports; make search key=ssh
This reports that ssh-1.2.27 is available (for example) in /usr/ports/security/ssh
- cd /usr/ports/security/ssh;
make all install USA_RESIDENT=no;
- This should download the source, plus a patch and compile it. If there are make problems, update the ports listing (above) and rebuild. Use "pkg_info" to verify that it is registered as being installed on the system, it can later be deleted with "pkg_delete".
SSH1 configuration
- Configuration files: The server has a configuration file /etc/sshd_config, the client reads a configuration file /etc/ssh_config, which gives site-wide defaults for various options. Options in this file can be overridden by per-user configuration files (in ~user/.ssh directory).
- Server: Configure the ssh daemon so that access is restricted to named hosts with known public keys (/etc/ssh_known_hosts) and rhosts authentication is disabled. See commented example /etc/sshd_config, In particular, look at options such as:
- The StrictHostKeyChecking option can be used to prevent logins to machines whose host key is not known or has changed. If this flag is set to "yes", ssh will never automatically add host keys to the /etc/ssh_known_host or $HOME/.ssh/known_hosts file, and refuses to connect hosts whose host key has changed. This provides maximum protection against trojan horse attacks. For many Administrator situations setting this flag to "ask" to prompt the user about whether to add the key to the known list of hosts is ideal.
- RhostsRSAAuthentication when set to yes, allows ~/.shosts to define trust relationships. It may be set to "yes", "nopwd", or "no". The "nopwd" value disables password-authenticated root logins, unless there is an .shosts allowing access without a password.
Root login with RSA authentication when the "command" option has been specified will be allowed regardless of the value of this setting (which may be useful for taking remote backups even if root login is normally not allowed.
- An empty config file can be placed in the users home directory owned by root and writeable only by root. This will force the system wide settings for all users (well, the user could still move the file, he won't do it accidentally).
- /etc/ssh_known_hosts format: "hostname(s) bits exponent modulus comment", e.g.
host1,host1.mydomain.com,localhost 1024 37 8745374658736578563745632786 70932641542043272345452372372979237842723040482329039649090525590 78525058815952993236732229527290793573967323290331586355947509385
68764576378465346783687563487634875638947894678934053640346834787 root@host1
- Logging in without passwords:
- Avoid if possible, but if necessary setup carefully. Use .shosts rather than .rhosts. Make sure trust files have mode 400. Don't use trust on NFS shared home directories. There are two methods of trust I can recommend: using /.shosts or using .ssh/authorized_keys. Both have advantages and disadvantages.
- RhostsRSA Authentication: For example, to set up /.shosts root trust from host A to host B:
- Add "hostA root" to /.shosts on host B and the IP address of host A to /etc/hosts on hostB
- add the Public Key of hostA to /etc/ssh_known_hosts or ~/.ssh/known_hosts on host B
- make sure /.shosts is mode 600 or 400.
- RSA Authentication: Setting up RSA trust from host A to host B for user 'jim': The .ssh/identity.pub (public key) of the host A needs to be appended to the list of keys in .ssh/authorized_keys on the destination machine.
- the user creates his RSA key pair using ssh-keygen on host A. The private key is stored in ~jim/.ssh/identity and the public key in ~jim/.ssh/identity.pub.
- copy the identity.pub to ~jim/.ssh/authorized_keys on host B.
- make sure ~jim/.ssh/authorized_keys has mode 600 or 400
- Which is best?
- RSA is better for users who may work from several machines, because the machine is not authenticated, logon is allowed from ANY machine that has a copy of the correct private key.
- In RhostsRSA, the key of the machine is checked and logon is only allowed from the trusted machine. In addition SSH provides additional restrictions "AllowShosts" that can restrict .shosts usage even further. Hence this is my recommended method for trusts for backup automated sysadmin etc.
- Client configuration: Configure the system wide defaults for the SSH client. See commented example /etc/ssh_config
- SSH and SUID root security:
SSH installs two programs that need special privileges. Ssh is the client program, and it is by default installed as suid root, because it needs to create a privileged port in order to use .rhosts files for authentication. If it is not installed as suid root, it will still be usable, but .rhosts authentication will not be available. Also, the private host key file is readable by root only.
Sshd is the daemon that listens for connections. It should preferably be run as root, because it is by normally listening on a privileged port (22), and it needs to be able to do setuid(), update utmp, chown ptys etc. when a user logs in. If it is not run as root, explicit "-p port" option must be given to specify an alternate port (same port must also be specified for clients), "-h host_key_file_path" must be given to specify an alternate host key file, and it cannot be used to log in as any other user than the user running it (because it cannot call setuid()). Also, if your system uses shadow passwords, password authentication will not work when running as someone else than root.
Both the server and the client have been carefully screened for possible security problems, and are believed to be secure. However, there can be no guarantee.
Mindterm SSH installation
- Installation on Windows (tested with v1.1.5):
Get it and install [6] a Java Runtime,
Or, download mindterm_install.zip (3.5MB) and extract to C:\Progra~1, then setup a shortcut on your desktop to c:\Progra~1\mindterm\mindterm.bat. This includes a v118 Java run time and will work with English, French, German, Italian NT (hence the use of the short file names).This bundle includes lots of goodies: 4 Mindterm versions- v1.15, 1.21, 1.99 pre5 and 1.2. Also included is: putty (and pscp, plink) and winscp: A nice SSH file transfer GUI (to replace your ftp client)
- Installation on Solaris:
- An example startup script for Solaris is mindterm.sh. Copy this along with mindterm.zip to /usr/local/bin .
- Install Java (already installed on newer Solaris, make sure you have v118 or later).
- Make sure /usr/local/bin is in your path and then just type mindterm.sh.
Doing even more with SSH
- SSH1 can easily forward single sockets (POP3, SMTP, etc..) out of the box, with either a PC or UNIX client, e.g. ssh -L 25:mailhost.target.domain:25 target &
- SSH cannot tunnel dynamic ports or ranges. Mindterm SSH include an option for FTP tunnelling.
- SSH VPNs:
- If PPP is redirected over an SSH socket, SSH can be used as a general purpose VPN. A practical example using Linux as a gateway on both sides is described the O'Reilly book "Virtual Private networks, 2nd Edition", chapter7 and more information is at http://sunsite.unc.edu/LDP/HOWTO/mini/VPN.html. You'll need Linux on both sides and it's a bit tricky (dated 1997). I've not yet tried this.
- Try also http://sites.inka.de/sites/bigred/sw/ssh-ppp-new.txt (dated 1996)
- Rdist 6.1.2 (public domain version) runs over SSH (tested on Solaris 2 & SunOS) and can be used o synchronise file between two hosts, or report on differing files.
- Fsh is an add-on to keep an SSH tunnel open to allow several commands to be remotely executed without reopening the tunnel each time http://www.lysator.liu.se/fsh. I've not yet tried this.
- Using SSH with RPC/keyserv/NFS/NIS+ : see http://fy.chalmers.se/~appro/ssh_beyond.html
- SSH1 & SecurID:
SecurID does work with SSH1, but with the limitation that "New Pin" and "Next Token" modes are not supported (that would require a change in the client-server authentication protocol).
Installation notes (see also the README.SECURID that comes with SSH1):
Copy the ACE client software to the UNIX host (e.g. /usr/ace on Solaris with ACE V3.3), copy sdconf.rec to /usr/ace/data and sychronise the node secret.
Compile SSH1 as above, but add --with-securid=/usr/ace/example.
With sdamin, activate the unix host for the users who will be allowed to login.
Create user accounts for those who will use SecurID, set the password to blocked and add the user names to /etc/securid.users.
Test - check syslog for entries like:
Dec 1 07:58:10 server1 sshd[20483]: log: Connection from 176.17.17.100 port 38528
Dec 1 07:58:24 server1 sshd[20483]: log: SecurID authentication for bob required.
Dec 1 07:58:26 server1 sshd[20483]: log: SecurID authentication for bob accepted.
and check the ACE log for authentication accepted /refused messages.Jean Chouanard has produced SecurID/ACE patches for SSH1 that add support for the "New Pin" and "Next Token", but which only work if both SSH server and client are modified accordingly. There is no sign of these patches being integrated into OpenSSH or Mindterm SSH, just yet. See ftp.parc.xerox.com:/pub/jean/sshsdi/README .
- Virtual Network Computing (VNC) is a "remote control" program that allows you to see and use the desktop of another machine (NT, Win95, UNIX) over the network. It could also be used for teleworking over insecure networks such as the internet, if SSH is used to encrypt the VNC communications and hence increase it's security.
- Install an NT VNC server on the intranet, one which is part of the usual NT domain and has accounts for those who need to logon. [It could also be UNIX, I'm just using NT as an example].
Secure this machine by choosing a strong VNC password, enabling exclusive VNC access, by enabling a screen saver with password after 5 minutes of inactivity and by not putting it in a public area. Regularly monitor the event log.
- Install an Intranet UNIX SSH server.
- Install a SSH internet gateway, which allows SSH connections from the Internet. Successful logins are presented directly to the Intranet SSH server.
Security: Put this host in the DMZ between two secure firewall filters. Harden. Disable all services except SSH. Allow no protocols except SSH from the Internet. Configure SSH to refuse root logins and disable trust mechanisms and RSA authentication. Configure all user accounts to use a strong authentication mechanism such as SecurID. Configure user shell to automatically login use to the Intranet UNIX server (don't allow local logins to this server). Be paranoid, monitor logs carefully and run integrity checks (such as tripwire) frequently.
- Install an SSH client such as Mindterm on the VNC client (somewhere on the Internet).
- SSH Client configuration: Connect to SSH gateway and authenticate with SecurID (or whatever). Login to UNIX Intranet server. Setup tunnel from local port 5902 to NT_VNC_server port 5900.
- VNC Client: Start local VNC client, connect to localhost:2, enter the VNC password and voila, the desktop should appear. Now login to NT as usual.
- Security: I suggest you use you own machine (not one in an Internet Cafe), with an up-to-date Virus checker, File shares disabled, and a personal firewall installed (and set protection level to Paranoid, no file sharing). This machine should be physically protected and possibly fitted with encrypted disks (e.g. PGPdisk). Note also that VNC does not encrypt it's password very well, see advisory from securiteam.
- PCAnywhere over SSH: PCAnywhere is another remote control program like VNC above, except it's limited to PCs.
- Configure SSH to forward port 5631 and 5632. Verify - telnet to the local side emits packets on the remote side.
- Modify the Windows registry to add a key: It's a DWORD key called TCPIPConnectIfUnknown in HKEY_LOCAL_MACHINE\Software\Symantec\PCAnywhere\Current Version\System. Set to 1 (the key doesn't exist by default). The pc_any.reg script does this.
- Now it should be possible to forward PCAnywhere from the local-side to a remote-side gateway and from there, on to the "real" PCAnywhere host.
More information on the PCAnywhere TCP/IP Registry settings can be found at: http://service1.symantec.com/SUPPORT/pca.nsf/docid/1997471006?OpenDocument&ExpandSection=2#_Section2
For example, the data and status ports numbers are defined at the above registry branch, as are the default folder names for sending and receiving files.
- Citrix over SSH
Assuming you want to connect to the Citrix server 176.17.17.2 via the SSH server gateway1, then try:
ssh -L 1494:176.17.17.2:1494 YourName@gateway1
And connect to "localhost" with Citrix
See also: www.tc.cornell.edu/Services/Docs/HotTips/2000/tunneling.asp
References
[0] Socks http://www.socks5.com
[1] Part II of this Article, which covers OpenSSH.
[2] BugTraq list of all SSH vulnerabilities:
2001-02-05: SSH1 SSH Daemon Brute Force Authentication Logging Failure Vulnerability
2001-01-16: SSH Secure-RPC Weak Encrypted Authentication Vulnerability2000-11-13: OpenSSH Client Unauthorized Remote Forwarding Vulnerability
2000-09-30: scp File Create/Overwrite Vulnerability
2000-06-08: OpenSSH UseLogin Vulnerability
2000-07-05: SSH 1.2.27 Kerberos Ticket Cache Exposure Vulnerability
2000-02-24: SSH xauth Vulnerability1999-12-01: RSAREF Buffer Overflow Vulnerability
1999-11-13: Sshd RSAREF Buffer Overflow Vulnerability
1999-09-17: SSH Authentication Socket File Creation Vulnerability
1999-05-13: Secure Shell Password Brute Force Vulnerability[3] SSH Communications (also http://www.ssh.fi) and
DataFellows (also http://www.datafellows.com/f-secure)[4] Marc Schaefer [schaefer@alphanet.ch]
2000-01-11-Thread: sshd and popftponly users incorrect configuration[5] Getting SSH1: See the main FTP site ftp.ssh.com/pub/ssh or one if it's mirrors such as ftp.cert.dfn.de/pub/tools/net/ssh. For RedHat RPMs (sparc and x86) see ftp.zedz.net/pub/crypto/linux/redhat
[6] Mindterm: http://www.mindbright.se/mindterm
Java Run time from Sun: http://www.javasoft.com/products/jdk/1.1/jre/download-jre-windows.html[7] Explanation of SSH: Discussion thread on FOCUS-SUN
[8] Stupid, Stupid Protocols: Telnet, FTP, rsh/rcp/rlogin, by Jay Beale, explains why ssh is useful and explains how user RSA authentication works with ssh-agent. http://securityportal.com/cover/coverstory20000814.html
[9] This article has been translated into Italian:
Tutto su SSH - Parte I/II, Sostituire telnet/rlogin/rsh con SSH
http://www.ziobudda.net/Recensioni/ssh-part1.phpOther links:
- SSH FAQ http://www.employees.org/~satch/ssh/faq
Getting Started with SSH by Kimmo Suominen http://www.tac.nyc.ny.us/~kim/ssh
Search for SSH pages on the net: http://www.links2go.com/topic/SSH
- Top Ten Secure Shell FAQs by Richard Silverman (RECOMMENDED)
http://sysadmin.oreilly.com/news/sshtips_0101.html
- BOOK: SSH, The Secure Shell: The Definitive Guide, by Richard Silverman (haven't read it yet)
http://www.oreilly.com/catalog/sshtdg (published Jan'2001)
- SSH2 IETF Proposal
http://www.ietf.org/html.charters/secsh-charter.html
- SSH and beyond, by Andy Polyakov
http://fy.chalmers.se/~appro/ssh_beyond.html
- Statistics on SSH usage:
http://ssh-research.ucs.ualberta.ca/ssh-stats.html
- What's in a Name? by Kurt Seifried
http://securityportal.com/articles/ssh20010214.html
About the Author
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook
Changes to this article
2000:
14.Feb.'00 First Publication https://admin.securityportal.com/research/ssh-part1.html
25.Feb.'00 V1.1 New:sftp, SSH2 for Windows. Update: putty, Mindterm, SSH1 1.2.27 does work OK on IRIX, port forwarding.
08.Mar'00 New: Security Vulnerabilities Update: links
04.Apr'00 Update: Mindterm: add suggestions list. Add RedHat6 startup files. Doing even more with SSH.
30.Jun'00 New: add link to Java Telnet Application/Applet, Add [7]
22.Aug'00 Update: ssh1 v1.2.30, link to article from J.Beale. VNC password weakness.
11.Sep'00 Update: pscp/putty v0.49. Spelling.
09.Oct'00 Update: compression & other mindterm/putty issues, Ladon link. Links to Italian translation.
23.Nov'00 Update: Mindterm v1.99 pre1, putty v0.50
06.Dec.00 New: Windows SSHD servers
2001:
22.Feb.01 Refresh links & references. Add FreSSH, Update Mindterm, putty 0.51, ScanSSH
08.Mar.01 Add Winscp, Minor VNC tweaks.
10.May.01 Update: Licensing, Windows SSHD servers. New: OpenSSH + Cygnus, iXplorer
29.May.01 Update: Mindterm 2.0rc2, Add Tip for Windows users, move Cygwin to OpenSSH/part II article.
18.Jun.01 Sync security portal version.
21.Aug.01 General cleanup, improve example on automatic trusts, Citrix tunnelling
21.Nov.01 Added dataComet-Secure for the Mac.
2002:
25.Feb.02 Update putty 0.52
27.Mar.02 Add Bitvise.
05.Jun.02 Add JSSH
12.Sep.02 Add PockTTY
18.Nov.02 Mindterm Security tip, putty v0.53b, Mindterm 2.3.1
14.Dec.02 New Opensource Java SSH: SSHtools
22.Jul.04 Add Zoc04.Nov.09 Add Absolute telnet
© Copyright 2004, Seán Boran, All Rights Reserved Last Update: 22 Juli, 2004