
NG|Console Tracking System User Guide

Version 2.2.0

All material in these pages, including text, layout, presentation, logos, icons, photos, and all other artwork is the Intellectual
Property of NetGuardians SA, unless otherwise stated, and subject to NetGuardians SA copyright. No commercial use of any
material is authorised without the express permission of NetGuardians SA. Information contained in, or derived from these
pages must not be used for development, production, marketing or any other act, which infringes copyright. This document is
for informational purposes only. NetGuardians SA makes no warranties, expressed or implied, in this document.
TABLE OF CONTENTS

1 Console Tracking System at a glance

2 CTS Usage
2.1 CTS menu
2.2 Standard CTS session
2.3 Change user password
2.4 SCP command usage
2.4.1 Main Menu
2.4.2 Advanced Menu
2.5 Edit ssh authorized keys

3 Passwordless connection with CTS
3.1 Public/Private key generation
3.1.1 On Unix
3.1.2 On Windows
3.2 Transparent connection to CTS
3.2.1 SSH connection using Linux
3.2.2 SSH connection using Putty
3.2.3 Private key conversion
3.3 Transparent connection to remote servers
3.3.1 Automatic host redirection
3.3.2 Direct connection using key authentication
3.4 SSH Agent
3.4.1 Unix : ssh-agent
3.4.2 Windows : Pageant

LIST OF FIGURES

1.1 CTS Overview

2.1 CTS user session
2.2 Changing user password
2.3 Transferring files to a remote server
2.4 Main SCP Menu
2.5 Browsing inside directories
2.6 After having browsed
2.7 Transferring files
2.8 SCP command option1
2.9 SCP command option2

3.1 Public/Private key generation with ssh-keygen
3.2 PuTTY Key Generator
3.3 Public key handling
3.4 CTS passwordless connection
3.5 Private key usage on CTS
3.6 Public/Private key generation with Putty
3.7 Automatic host redirection
3.8 Environment variable creation 1
3.9 Environment variable creation 2
3.10 Direct connection to the remote server
3.11 Environment variable configuration
3.12 Agent forwarding and private key configuration
3.13 Pageant add keys

CHAPTER 1
CONSOLE TRACKING SYSTEM AT A GLANCE

The NetGuardians Console Tracking System (CTS) is the NG|Screener SSH proxy that registers all console activities.
CTS tracks and registers any action performed by Unix server administrators at the operating system level.

Figure 1.1: CTS Overview

Instead of connecting directly to the Unix system, administrators should first connect to CTS (by SSH) and may then connect to the system to be administered (Telnet and SSH are supported). CTS tracks all activities and registers them in the NG|Analytics server. The usual NG|Screener analysis tools (reports, alerts, forensic browsing) are available to make use of this data. In addition, CTS administrators can define the list of servers that each individual user can access, enabling them to define strict security policies.

CHAPTER 2
CTS USAGE

Unix administrators should connect to CTS before connecting to the server to be administered. To connect to CTS, connect via SSH to the CTS server.

2.1 CTS menu


Once you are connected to CTS, several options are available:

- Change your password
- SCP command
- Edit SSH authorized keys
- Refresh
- Quit

2.2 Standard CTS session


The standard CTS usage procedure is:

1. Connect to CTS [1] with SSH (with any SSH client, e.g. PuTTY)
2. Enter the CTS username and password
3. Select a main command or the number of a host in the list
4. If a number was selected, enter the credentials to connect to the system

Note : If the administrator has selected Allow any hosts in the CTS User Administration page, you may either select a host in the provided list or type any IP address. For more information, please refer to the CTS Administration Guide.

[1] NG|Screener IP address or hostname


Figure 2.1: CTS user session


2.3 Change user password


If the CTS administrator has activated the change password at 1st login option, you will be asked to change your password at the first connection to CTS.

To change the password at the first login:

1. Connect to CTS [2] with SSH (with any SSH client, e.g. PuTTY)
2. Enter the CTS username and password (provided by the CTS administrator)
3. Enter the current password
4. Enter the new password (twice)
5. After this phase, your CTS session is closed and you need to connect again with the new password

Figure 2.2: Changing user password

To change the password at any other time, connect to CTS, select the a option Change your password from the main commands menu (section 2.1), and follow the instructions from the 2nd step (Point 2) above.

[2] NG|Screener IP address or hostname


2.4 SCP command usage


The SCP command is one of the options available on CTS. It allows the transfer of files from a local machine to the remote server through the CTS appliance, and vice versa.

From User PC to Remote Server

Figure 2.3: Transferring files to a remote server

2.4.1 Main Menu


Before using the SCP command, you must first transfer your files to the CTS server using an SFTP client (e.g. FileZilla) or the SCP command line. Once the transfer is done, you can select the s option from the CTS connection menu. The standard menu is then displayed, offering a simple way to transfer either directories or files.

Figure 2.4: Main SCP Menu


Three main commands are provided :

1. Advanced Menu : Lets you enter more specific parameters for the SCP command (such as the IP protocol). For more information, please refer to section 2.4.2
2. Refresh : Refreshes the menu (for example, if new files have been uploaded)
3. Quit : Returns to the previous menu for connecting to a specified host

The FILES AND DIRECTORIES part displays the HOME directory of the current user, and all files and directories inside it. It is possible to browse inside directories by typing their number in the list, as shown below :

Figure 2.5: Browsing inside directories


For each directory selected, you are asked to choose between browsing inside it (b option) or transferring it with its whole content (t option). By default, the b option is selected, and pressing <ENTER> browses directly into the selected directory.

Figure 2.6: After having browsed

Once the browsing option has been selected, the current directory is updated and its content is displayed. The same choices are then available (browsing deeper or transferring files or directories). A new option appears in MAIN COMMANDS which allows you to go back to the previous directory.
After choosing a file to transfer, you are asked to choose which host to send it to. Only hosts displayed in the list are available.

Note : If the administrator has selected Allow any hosts in the CTS User Administration page,
you may either select a host in the provided list or type any IP address. For more information, please
refer to the CTS Administration Guide.


Then, enter the username and the password, and the file is transferred.

Figure 2.7: Transferring files


2.4.2 Advanced Menu


The advanced menu is available by entering a in the SCP menu and allows you to specify more parameters for the SCP command. After having selected it, you will be offered to display your home files. (The figures below illustrate the two choices.)

Figure 2.8: SCP command option1

Figure 2.9: SCP command option2


The next step is to enter the arguments for the SCP command.

Argument        Required    Description
[-4|6]          optional    IP version. For IPv4 use -4, for IPv6 use -6
[-P 22]         optional    Port number. The default port number is 22
[-r]            optional    Use recursive copy
local path      necessary   Local file path
username        necessary   Username of remote host
server          necessary   Remote host name or IP address
[remote path]   optional    Remote path. By default the system uses the remote username home path

Examples:
/tmp/TestFile.txt ng-dev@10.194.6.17:/home/ng-dev
/tmp/TestFile.txt ng-dev@10.194.6.17:
-4 -P 22 /tmp/TestFile.txt ng-dev@10.194.6.17:/home/ng-dev
-4 -P 22 -r /tmp/MyDir ng-dev@10.194.6.17:/home/ng-dev

From Remote Server to User PC


In this case, start by using the SCP command from the CTS connection menu to retrieve the files from the remote server to the CTS server. Then, in a second step, send them to the User PC using the SCP command or an SFTP client.

2.5 Edit ssh authorized keys


Select this option if you want to use the passwordless connection mechanism described in chapter 3.

CHAPTER 3
PASSWORDLESS CONNECTION WITH CTS

To make the CTS as easy as possible to use, it is possible to connect to the CTS without entering any password, using only key exchange. It is also possible to directly access the remote server without having to enter the CTS. This section first explains how to generate the key pair used in both cases.

3.1 Public/Private key generation


The following instructions generate the key pair needed for a safe passwordless connection to the CTS. Two procedures are provided, depending on the system on which the keys are generated.

3.1.1 On Unix
1. Open the terminal
2. Enter the following command to create the keys : ssh-keygen
3. Enter a passphrase [1]

After that, two new files are created in the :

id_rsa : Contains the user's private key (which must never be transmitted to anybody!)
id_rsa.pub : Contains the user's public key (which must be sent to the CTS, see below)

[1] A passphrase is similar to a password, except it can be a phrase with a series of words, punctuation, numbers, whitespace, or any string of characters you want


Figure 3.1: Public/Private key generation with ssh-keygen

3.1.2 On Windows
Follow your SSH client's instructions for generating a key pair. This example demonstrates key pair generation in the popular program PuTTY.

1. Download PuttyGen.exe. (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)
2. Launch it and select generate

Figure 3.2: PuTTY Key Generator

3. Move the mouse on the blank area as displayed by puttygen to generate the key.
4. Copy the content of public key as shown on the following picture :


Figure 3.3: Public key handling

5. Save it in a file with .pub extension


6. Enter a passphrase
7. Click on Save private key

3.2 Transparent connection to CTS


In this configuration, users use their private key to authenticate on the CTS, where public keys are
stored. Then, they select hosts they want to connect to.

Figure 3.4: CTS passwordless connection

Before following the next procedure, a user must already have been created on webmin.
After both keys have been generated, the public key has to be copied to the CTS :


1. Connect with SSH to the CTS using the user's username and password
2. Select k in the menu
3. Paste the content of the usr01key.pub file and press CTRL+X and Y
4. Quit the CTS by selecting q

Then, follow the next instructions, depending on how you are connecting to the CTS.

3.2.1 SSH connection using Linux


The user can connect to CTS using the following command :

ssh usr01@ctsserver

3.2.2 SSH connection using Putty


1. Start PuTTY, enter the machine IP address or URL as usual, then open Connection->SSH->Auth.

Figure 3.5: Private key usage on CTS

2. Browse to your private key.
3. You are now able to connect to the CTS with PuTTY without entering a password. [2]

[2] If the key was created using ssh-keygen, refer to section 3.2.3


3.2.3 Private key conversion


If the key has been generated on a Unix system and will be used on a Windows system, it needs to be converted to the right format, using the following procedure :

1. Download the PuTTY key generator and install it. (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)
2. Start puttygen, and click on Conversions->Import key, then click Browse and select the private key generated with OpenSSH

Figure 3.6: Public/Private key generation with Putty

3. Enter a passphrase to protect your key

3.3 Transparent connection to remote servers


By using the key authentication mechanism and automatic host redirection, it is possible to make a direct connection to the remote server, without having to select it in the menu. Users therefore only need to connect to the CTS and they are directly connected to the server they want to reach. The first section explains how to use the automatic host redirection mechanism and the second section explains how to combine it with the key authentication mechanism.

Note : This section requires that the previous section, showing how to generate keys and perform a passwordless connection to the CTS, has already been completed.


3.3.1 Automatic host redirection


In this configuration, users use their private key to connect to the CTS, where public keys are stored. Automatic redirection then redirects them to the host they want to connect to.

Figure 3.7: Automatic host redirection

By using automatic host redirection, users are directly redirected to the server they want to reach. Then, the password to connect to the remote server is requested.

On Unix
If users connect from a Unix system, they only need to enter the following command :

CONNECT="ssh <remote_server>" ssh -o SendEnv=CONNECT user@ctsserver

Both passwords (to connect to the CTS and to the remote server) are requested, if no key has been set up previously.

Note : The SSH configuration can be set up in the configuration file ~/.ssh/config as follows :

Host cts
    HostName <ctsserver>
    User foxy
    ForwardAgent yes
    SendEnv CONNECT

Then, the simplified command may be used :

CONNECT="ssh userr@<ctsserver>" ssh cts

On Windows
Users can use PuTTY with the following configuration to use automatic host redirection.

1. Create an environment variable (Connection/Data) as shown on the picture below :


Figure 3.8: Environment variable creation 1

2. Click Add

Figure 3.9: Environment variable creation 2

(a) tom : The user used to connect to the remote server


(b) 192.168.33.12 : The IP Address of the remote server
(c) -p 63022 : The port on which the SSH daemon of the remote server is running.


3. A key can also be used if the transparent connection to the CTS has been set up (section 3). If this is not the case, both passwords (to connect to the CTS and to the remote server) are requested.
4. Each configuration can be saved in PuTTY by clicking Save in the Session tab.

3.3.2 Direct connection using key authentication


In this configuration, users use their private keys to connect directly to the remote server. Public keys
are stored on the CTS as well as on the remote server. Automatic redirection is used to make the
connection totally transparent.

Figure 3.10: Direct connection to the remote server

To spare users from entering their passwords while they are connecting to a remote server, CTS enables them to connect directly. The CTS then becomes totally transparent for users, but it still tracks their actions on the remote systems.

Remote server [3] :

1. On the remote server, connect with your user account
2. Create the folder ~/.ssh : mkdir ~/.ssh
3. Change its rights : chmod 700 ~/.ssh
4. Create the file ~/.ssh/authorized_keys : touch ~/.ssh/authorized_keys
5. Change its rights : chmod 600 ~/.ssh/authorized_keys
6. Paste in this file the content of id_rsa.pub [4]
7. For OpenSSH [5], ensure the file /etc/ssh/sshd_config contains :
RSAAuthentication yes
PubkeyAuthentication yes

After these steps, the remote host is correctly configured to accept connections from the user who owns the right private key. The following steps depend on the system used to connect.

[3] We assume that the remote server runs a Unix system. For any other system, the procedure needs to be adapted according to the system documentation.
[4] Refer to section 3.1
[5] If another program is used, please refer to its documentation
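
Steps 2 to 6 of the remote server procedure as a re-runnable script, added here as an example and not part of the NetGuardians guide: it refuses private-key material, appends the key only once, and checks the resulting modes. The function names and the explicit home-directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the guide. install_pubkey and check_ssh_perms are
# hypothetical helper names; pass the account's home directory explicitly.

# Print the 10-character mode string of a path, e.g. drwx------
mode_of() { ls -ld "$1" | cut -c1-10; }

# install_pubkey HOME_DIR PUBKEY_FILE
# Returns 0 when the key is installed (or already present), 1 when the file
# is not exactly one OpenSSH public key line.
install_pubkey() {
    ip_home=$1
    ip_pub=$2
    # id_rsa (the private key) must never be pasted here, only id_rsa.pub.
    if grep -q 'PRIVATE KEY' "$ip_pub"; then
        echo "refusing: $ip_pub contains private key material" >&2
        return 1
    fi
    if [ "$(grep -c . "$ip_pub")" -ne 1 ]; then
        echo "refusing: expected exactly one key line in $ip_pub" >&2
        return 1
    fi
    ip_key=$(grep . "$ip_pub")
    case $ip_key in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-nistp*\ AAAA*) ;;
        *) echo "refusing: not an OpenSSH public key" >&2; return 1 ;;
    esac
    # Steps 2-5: set tight modes explicitly, whatever the umask is.
    mkdir -p "$ip_home/.ssh" && chmod 700 "$ip_home/.ssh" || return 1
    touch "$ip_home/.ssh/authorized_keys" || return 1
    chmod 600 "$ip_home/.ssh/authorized_keys" || return 1
    # Step 6: append once, so re-running never duplicates the line.
    grep -qxF -- "$ip_key" "$ip_home/.ssh/authorized_keys" ||
        printf '%s\n' "$ip_key" >> "$ip_home/.ssh/authorized_keys"
}

# check_ssh_perms HOME_DIR: 0 only when the modes are exactly 700 and 600.
check_ssh_perms() {
    [ "$(mode_of "$1/.ssh")" = "drwx------" ] &&
        [ "$(mode_of "$1/.ssh/authorized_keys")" = "-rw-------" ]
}

# Typical use on the remote server, with the key file copied there first:
#   install_pubkey "$HOME" ./id_rsa.pub && check_ssh_perms "$HOME"
```

In OpenSSH 7.4 and later, RSAAuthentication is a deprecated SSH protocol 1 option; PubkeyAuthentication is the setting that governs key logins.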


On Unix
Connecting directly to the remote server requires both the key authentication mechanism and automatic host redirection. Since the private key has to be used to authenticate on the remote server, ssh-agent needs to be used as follows :

1. Run the ssh agent, following the instructions of section 3.4.1
2. Then, the following command can be used to connect to the remote server :

CONNECT="ssh <remote_server>" ssh -A -o SendEnv=CONNECT user@ctsserver

On Windows
Connecting directly to the remote server requires both the key authentication mechanism and automatic host redirection. Since the private key has to be used to authenticate on the remote server, Pageant needs to be used as follows :

1. Run the ssh agent, following the instructions of section 3.4.2
2. Then, open PuTTY and create an environment variable (Connection/Data) as shown on the picture below :

Figure 3.11: Environment variable configuration

3. In Connection/SSH/Auth, select Allow agent forwarding and select the private key


Figure 3.12: Agent forwarding and private key configuration

4. Connect directly to the remote server

The user is now able to connect to the CTS with an encrypted private key, handled by the ssh agent. They no longer need to enter their passwords every time they connect.

3.4 SSH Agent


To avoid having to enter a passphrase to decrypt private keys every time users connect to a server, ssh-agent or Pageant can be used, depending on the system from which users connect. These two programs ask for the private key to be decrypted only once and load it safely into memory. The private key can then be used as often as users need.

3.4.1 Unix : ssh-agent


1. ssh-agent
2. Copy and paste the result of the previous command
3. ssh-add usr01key
4. Enter the passphrase for the key
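
The Unix procedure of section 3.3.2 combined with the ssh-agent steps above, as an added example that is not part of the NetGuardians guide: the agent is started for one session only, holds only the CTS key with a lifetime, and the CONNECT value is checked before it is sent. The function names are hypothetical, and the value follows the order in which the Windows example lists its parts (user, address, -p port).

```shell
#!/bin/sh
# Added example, not from the guide. cts_connect_value and cts_session are
# hypothetical helper names; ctsserver and usr01key are the guide's placeholders.

# Print the CONNECT value for USER@HOST and an optional PORT.
# Returns 1 for anything that is not a plain user@host and a numeric port.
cts_connect_value() {
    cv_target=$1
    cv_port=${2:-}
    case $cv_target in
        -*|@*|*@|*@*@*) return 1 ;;          # option-like, empty user or host, two '@'
        *[!A-Za-z0-9@._-]*) return 1 ;;      # spaces, quotes, shell metacharacters
        *@*) ;;
        *) return 1 ;;                       # no user part
    esac
    case $cv_port in
        '') printf 'ssh %s\n' "$cv_target" ;;
        *[!0-9]*) return 1 ;;
        *) printf 'ssh %s -p %s\n' "$cv_target" "$cv_port" ;;
    esac
}

# cts_session CTS_LOGIN KEY_FILE USER@HOST [PORT]
# Runs one redirected session with a throw-away agent.
cts_session() {
    cs_cts=$1
    cs_key=$2
    cs_value=$(cts_connect_value "$3" "${4:-}") || {
        echo "invalid remote target or port" >&2
        return 2
    }
    (
        # ssh-agent -s prints the SSH_AUTH_SOCK and SSH_AGENT_PID assignments
        # that step 2 asks you to paste; eval applies them in this subshell.
        eval "$(ssh-agent -s)" >/dev/null || exit 1
        # The agent is killed when the session ends, so nothing stays loaded.
        trap 'ssh-agent -k >/dev/null' EXIT
        # -t 3600: the decrypted key is dropped from memory after one hour.
        ssh-add -t 3600 "$cs_key" || exit 1
        # -A forwards the agent to the CTS so it can authenticate to the
        # remote server; SendEnv passes CONNECT for the automatic redirection.
        CONNECT=$cs_value ssh -A -o SendEnv=CONNECT "$cs_cts"
    )
}

# Typical use (values from the guide's own examples):
#   cts_session usr01@ctsserver usr01key tom@192.168.33.12 63022
```

While the session is open, the forwarded agent can be used from the CTS host, which is why this example loads a single key with a lifetime instead of reusing a long-lived agent.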

3.4.2 Windows : Pageant


1. Download Pageant and run it (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)


2. Add the encrypted private key

Figure 3.13: Pageant add keys

3. Enter the passphrase to decrypt it and click OK
