Documente Academic
Documente Profesional
Documente Cultură
indigoo.com
SSH
SECURE SHELL
1/20
Rev. 2.50
indigoo.com
Contents
1.
2.
3.
4.
5.
6.
7.
8.
9.
SSH in a nutshell
SSH-1 architecture
SSH-1 protocol
SSH-1 server (host) authentication
SSH-1 client authentication
SSH-1 keys
SSH-1 session trace
SSH configuration
SSH port forwarding / SSH tunneling
2/20
Rev. 2.50
indigoo.com
3/20
Rev. 2.50
indigoo.com
4/20
Rev. 2.50
indigoo.com
SSH Server
H
H
Session key
SK
SSH
Agent
Shell
MUX
Compression
Integrity
Encryption
Encryption
Integrity
H,S
Compression
User
Terminal
MUX
$HOME/.ssh/known_hosts
/etc/ssh_known_hosts
Agent
Socket
SSH connection
Locally
tunneled
TCP port
Channels
TCP
Connection
Session key
SK
Session key
Channels
Plaintext
Encrypted
H
Public key
Private key
SK
5/20
Rev. 2.50
indigoo.com
SSH uses a message based protocol (inband, same TCP connection for SSH-1 protocol and for user data).
SSH Client
SSH Server
SYN
TCP connection
establishment
(server TCP port 22)
Protocol version
exchange to check
compatibility
(SSH-1, SSH-2)
Plaintext
communication
Encrypted
communication
SYN, ACK
ACK
server protocol SSH-1.99-Sun_SSH_1.0
client protocol SSH-1.5-1.2.30
SSH_SMSG_PUBLIC_KEY
anti-spoofing cookie
public server key (S)
public host key (H)
protocol flags
supported ciphers (3DES, Blowfish)
supported authentication protocols
SSH_CMSG_SESSION_KEY
cipher_type
anti-spoofing cookie
encrypted session-key
protocol flags
SSH_SMSG_SUCCESS
Client authentication
User data exchange
indigoo.com
equal?
H
S
host FQDN
SSH_CMSG_SESSION_KEY
/etc/ssh/ssh_host_key
Private key
Asymmetric key(s)
SK
Server authentication is completed with SSH_SMSG_SUCCESS (encrypted with session key SK). If
the client can correctly decrypt the message SSH_SMSG_SUCCESS authentication is successful
because only a genuine server could have decrypted encrypted session key in
SSH_CMSG_SESSION_KEY with its private host and server keys (H and S).
Symmetric key
7/20
Rev. 2.50
indigoo.com
1 entry for
each host
(SSH server)
RSA key
public exponent
RSA key
public modulus
User defined
text (ignored)
8/20
Rev. 2.50
indigoo.com
SSH Client
~/.ssh/mykey or
anywhere else known
to SSH client
SSH Server
SSH_CMSG_USER
user login name on server
SSH_SMSG_SUCCESS
SSH_SMSG_FAILURE
SSH_CMSG_AUTH_RSA
public RSA key (as identifier)
SSH_SMSG_AUTH_RSA_CHALLENGE
encrypted challenge
SSH_CMSG_AUTH_RSA_RESPONSE
MD5 checksum of challenge and session
ID
SSH_SMSG_SUCCESS
SSH_SMSG_FAILURE
indigoo.com
SSH Client
SSH Server
SSH_CMSG_USER
user login name on server
SSH_SMSG_SUCCESS
SSH_SMSG_FAILURE
SSH_CMSG_AUTH_PASSWORD
plaintext password
SSH_SMSG_SUCCESS
SSH_SMSG_FAILURE
10/20
Rev. 2.50
indigoo.com
11/20
Rev. 2.50
indigoo.com
Lifetime
Generated by
Type
Description
User key U
Persistent
User
Public
(asymmetric)
One session
Client (and
server)
Private
(symmetric)
Persistent
Sysadmin
Public
(asymmetric)
Limited
(default 1 hour)
Server
Public
(asymmetric)
Session key SK
SK
Host key H
Server key S
S
12/20
Rev. 2.50
indigoo.com
1
2
3
4
5
6
7
0.000000
0.020510
0.020545
0.065252
0.073510
0.093569
0.099686
C:
S: 9
S: 10
C: 11
C: 12
S: 13
C: 14
S: 15
C: 16
...
0.163857
0.229181
0.356903
4.622742
4.683739
4.684010
4.760309
4.760570
192.168.1.15
193.5.54.112
192.168.1.15
193.5.54.112
192.168.1.15
193.5.54.112
193.5.54.112
193.5.54.112
193.5.54.112
192.168.1.15
192.168.1.15
193.5.54.112
192.168.1.15
193.5.54.112
192.168.1.15
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
193.5.54.112
192.168.1.15
193.5.54.112
192.168.1.15
193.5.54.112
192.168.1.15
192.168.1.15
192.168.1.15
192.168.1.15
193.5.54.112
193.5.54.112
192.168.1.15
193.5.54.112
192.168.1.15
193.5.54.112
13/20
Rev. 2.50
indigoo.com
14/20
Rev. 2.50
indigoo.com
15/20
Rev. 2.50
indigoo.com
Client host
Application
Client
Server host
Secure application to application communication
Application
Server
SSH Client
SSH Server
Firewall
Firewall
The Connection between application client and server is relayed through a pair of SSH
client and server.
The connection between client and server host is protected (but not the connection between
SSH client and application client and between SSH server and application server!).
16/20
Rev. 2.50
indigoo.com
SSH Client
Application
Server
SSH Server
Sockets
Socket
Socket
P1
TSAP
P2
22
P3
TCP
IP
P2
TCP
127.0.0.1
NSAP
P4
0.0.0.0
0.0.0.0
SSH connection
(tunnel)
127.0.0.1
IP
Application client and SSH client are on same machine (and accordingly application server and SSH server).
Local forwarding configuration command:
$ ssh -L<local port>:<local host>:<remote port> <remote host>
Example: $ ssh -L 2001:localhost:143 pop.fhzh.ch
Forwarding is initiated by client sending SSH_CMSG_PORT_FORWARD_REQUEST message to SSH server
(along with remote port number). SSH client and server establish a channel for this forwarding within the
existing SSH connection. Client application is bound to localhost/P1 and talks to localhost/P2.
P1: source port number of application clients TCP connection (ephemeral port number).
P2: port number to be forwarded; can be well-known port, e.g. 21 for FTP (2001 in example above).
P3: source port number of SSH clients SSH TCP connection (ephemeral port).
P4: source port number of SSH servers TCP connection to application server (ephemeral port).
Peter R. Egli 2015
17/20
Rev. 2.50
indigoo.com
SSH Client
Application
Client
SSH Server
Sockets
Socket
Socket
143
TSAP
P4
22
P3
TCP
IP
P1
TCP
127.0.0.1
NSAP
P2
0.0.0.0
0.0.0.0
SSH connection
(tunnel)
127.0.0.1
IP
Application client and SSH client are on different machines (and accordingly application server
and SSH server).
Remote forwarding configuration command:
$ ssh -R<remote port>:<local host>:<local port> <remote host>
Example: $ ssh -R 2001:localhost:143 pop.fhzh.ch
P1: source port number of application clients TCP connection (ephemeral port number)
P2: port number to be forwarded; can be well-known port, e.g. 21 for FTP (2001 in example above)
P3: source port number of SSH clients SSH TCP connection (ephemeral port)
P4: source port number of SSH servers TCP connection to application server (ephemeral port)
Peter R. Egli 2015
18/20
Rev. 2.50
indigoo.com
Host S
Application
client
Application
server
Port W
Port P
Host A
SSH
client
Host B
SSH connection (tunnel)
SSH
server
$ ssh -L P:S:W B
19/20
Rev. 2.50
indigoo.com
But: some servers (e.g. FHZH FTP server) will rant if the client wants to open an FTP-Data connection with
a different source IP address (public client IP address since FTP-Data does not pass through SSH tunnel)
than the FTP control connection (localhost on server=172.10.0.1 when using SSH tunnel); the warning will be
something like 425 Possible PASV port theft, can not open data connection (this is a security feature of the
FTP server).
The problem is that FTP clients, when in passive mode, try to open a data connection to the address
provided by the server after sending the PASV command (FTP server communicates IP/port number encoded
as n1,n2,n3,n4,n5,n6) because opening a connection to localhost/20 would not be possible since server port
is dynamic and there is no way to let the SSH client dynamically open (listen) a TCP port on localhost.
20/20
Rev. 2.50