SSH

An introduction and overview

What is SSH
SSHSecure Shell (SSH) is a cryptographic
network protocol for secure data communication,
remote command-line login, remote command
execution, and other secure network services
between two networked computers.
SSH Features
1. Provides data encryption services based on PKI -
Confidentiality
2. Primarily used to protect the transport layer
3. Encrypted shell sessions, file transfers
4. Password-less logins
5. Port forwarding - Pseudo-VPN
SSH Encrytion
Packages
OpenSSL (Secured Socket Layer)
OpenSSH (Secured Shell)

###OpenPGP|GNU Privacy Guard (GPG)###
Features:
1. Confidentiality - Data (Files or e-mail) are encrypted
2. Integrity - Digital signatures
3. Public Key Infrastructure (PKI)
a. Public key - used to encrypt data to a recipient
b. Private key - used to decrypt data from a sender
SSH PKI Asymmetric Encryption

Public-key authentication (or PKI -- a public key infrastructure) is an
authentication method that relies on a generated public/private
keypair. With PKI a special "key" is generated which has a very
useful property: Anyone who can read the public half of the key is
able encrypt data which can then only be read by a person who has
access to the private half of the key. In this way, having access to
the public half of a key allows you to send secret information to
anyone with the private half, and to also verify that a person does in
fact have access to the private half. It's easy to see how this
technique could be used to authenticate.
a. Public key - used to encrypt data to a recipient
b. Private key - used to decrypt data from a sender
SSH Configuration Files
ssh_config: configuration file for the ssh client on the host machine
you are running. For example, if you want to ssh to another remote
host machine, you use a SSH client. Every settings for this SSH
client will be using ssh_config, such as port number, protocol
version and encryption/MAC algorithms.
sshd_config: configuration file for the sshd daemon (the program
that listens to any incoming connection request to the ssh port) on
the host machine. That is to say, if someone wants to connect to
your host machine via SSH, their SSH client settings must match
your sshd_config settings in order to communicate with you, such
as port number, version and so on.
SSH Tools
1. scp - secure, non-interactive, copy program
a. scp sample.txt linuxcbt@linuxcbtmedia1:
b. scp linuxcbt@linuxcbtmedia1:testRH5/sample.txt sample2.txt

2. sftp - secure, interactive, FTP-like, copy program
a. sftp linuxcbt@linuxcbtmedia1

3. ssh-copy-id - permits easy propagation of SSH pub/priv keypair
a. ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.75.10

4. ssh-keygen - used to generage SSH pub/priv keypair
Note: Use '-v' with SSH clients to enable verbosity

5. ssh-keygen -t rsa
SSH Configuration Settings
Port 22
The option Port specifies on which port number ssh daemon listens for incoming connections. The default port is 22.

ListenAddress 192.168.1.1
The option ListenAddress specifies the IP address of the interface network on which the ssh daemon server socket is bind. The
default is 0.0.0.0; to improve security you may specify only the required ones to limit possible addresses.

HostKey /etc/ssh/ssh_host_key
The option HostKey specifies the location containing the private host key.

ServerKeyBits 1024
The option ServerKeyBits specifies how many bits to use in the server key. These bits are used when the daemon starts to
generate its RSA key.

LoginGraceTime 600
The option LoginGraceTime specifies how long in seconds after a connection request the server will wait before disconnecting if
the user has not successfully logged in.
SSH Configuration Settings
KeyRegenerationInterval 3600
The option KeyRegenerationInterval specifies how long in seconds the server should wait before automatically regenerated its
key. This is a security feature to prevent decrypting captured sessions.

PermitRootLogin no
The option PermitRootLogin specifies whether root can log in using ssh. Never say yes to this option.

IgnoreRhosts yes
The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication. For security reasons it is
recommended to no use rhosts or shosts files for authentication.

IgnoreUserKnownHosts yes
The option IgnoreUserKnownHosts specifies whether the ssh daemon should ignore the user's $HOME/.ssh/known_hosts during
RhostsRSAAuthentication.

StrictModes yes
The option StrictModes specifies whether ssh should check user's permissions in their home directory and rhosts files before
accepting login. This option must always be set to yes because sometimes users may accidentally leave their directory or files
world-writable.
SSH Configuration Settings
X11Forwarding no
The option X11Forwarding specifies whether X11 forwarding should be enabled or not on this server. Since we setup a server
without GUI installed on it, we can safely turn this option off.

PrintMotd yes
The option PrintMotd specifies whether the ssh daemon should print the contents of the /etc/motd file when a user logs in
interactively. The /etc/motd file is also known as the message of the day.

SyslogFacility AUTH
The option SyslogFacility specifies the facility code used when logging messages from sshd. The facility specifies the
subsystem that produced the message--in our case, AUTH.

LogLevel INFO
The option LogLevel specifies the level that is used when logging messages from sshd. INFO is a good choice. See the man page
for sshd for more information on other possibilities.

RhostsAuthentication no
The option RhostsAuthentication specifies whether sshd can try to use rhosts based authentication. Because rhosts
authentication is insecure you shouldn't use this option.
SSH Configuration Settings
X11Forwarding no
The option X11Forwarding specifies whether X11 forwarding should be enabled or not on this server. Since we setup a server without GUI installed on it, we can
safely turn this option off.

PrintMotd yes
The option PrintMotd specifies whether the ssh daemon should print the contents of the /etc/motd file when a user logs in interactively. The /etc/motd file is also
known as the message of the day.

SyslogFacility AUTH
The option SyslogFacility specifies the facility code used when logging messages from sshd. The facility specifies the subsystem that produced the message--
in our case, AUTH.

LogLevel INFO
The option LogLevel specifies the level that is used when logging messages from sshd. INFO is a good choice. See the man page for sshd for more information
on other possibilities.

RhostsAuthentication no
The option RhostsAuthentication specifies whether sshd can try to use rhosts based authentication. Because rhosts authentication is insecure you shouldn't
use this option.

RhostsRSAAuthentication no
The option RhostsRSAAuthentication specifies whether to try rhosts authentication in concert with RSA host authentication.
SSH Configuration Settings
RSAAuthentication yes
The option RSAAuthentication specifies whether to try RSA authentication. This option must be set to yes
for better security in your sessions. RSA use public and private key pairs created with the ssh-
keygen1utility for authentication purposes.

PasswordAuthentication yes
The option PasswordAuthentication specifies whether we should use password-based authentication. For
strong security, this option must always be set to yes.

PermitEmptyPasswords no
The option PermitEmptyPasswords specifies whether the server allows logging in to accounts with a null
password. If you intend to use the scp utility to make automatic backups over the network, you must set
this option to yes.

AllowUsers admin
The option AllowUsers specifies and controls which users can access ssh services. Multiple users can be
specified, separated by spaces.