(originally posted at www.linuxboxadmin.com )
Well, someone wanted me to write something about OpenSSH, so here it is.
- Why SSH?
A lot of Internet protocols (telnet, FTP, POP3, SMTP, etc.) are plain-text conversations. That is, these protocols work like two men talking:
“Hello, this is John.”
“Hi, John, please provide your password.”
“My password is ‘secret’.”
“OK, you have the right password, please go on.”
“Please check how many new mails have arrived since I last checked.”
“OK, you have 5 new mails.”
“Please show me the sender and title of these 5 new mails.”
“OK. For the first mail, the sender is your wife, the title is ‘Our washing machine is broken, need to buy a new one’. For the second mail, the sender is your bank, the title is ‘You have spent $6000 on online games this month’…”
This is a clear design. However, with telnet the password is sent as plain text. It is as if the conversation above happened in a public hall: anyone passing by could hear your password, and someone bad will remember it and use it.
There are different ways to encrypt the password. However, the conversation is still in plain text, and someone will know you’ll buy a washing machine next month and that you’ve spent a lot of money on online games this month.
This is where SSH comes in useful. It works like telnet, but all the conversation is encrypted. You can look at it as a “secure telnet”.
- A brief history of SSH/OpenSSH
SSH was first developed by a Finnish company. However, it is commercial software and not everyone can use it.
The goal of the OpenBSD (http://www.openbsd.org) project is to develop the most secure operating system in the world. The OpenBSD developers thought SSH would improve the security of their OS and decided to write an open source implementation of SSH. This is OpenSSH (http://www.openssh.org/).
- How OpenSSH works
There are 2 levels of security: password based, and key based.
For password based ssh, it looks exactly like telnet. You tell the client program which host you want to log in to, and with which account, and the server will ask you for a password. If you provide the password, you are connected, and all the data transferred between you and the server is encrypted.
However, there is a security problem if someone really wants to hack into your system: they can set up a machine and make your client believe this machine is the server you want to connect to (by some DNS hacks, which are beyond the scope of this introduction). When you send out your password, the attacker’s machine gets the password, records it, and then sends it to the real machine you want to connect to. If the password is correct, you are connected. You will not notice anything on your client machine, but the attacker’s machine has recorded your password, and if it likes, it can record all the data between you and the server. This is known as a “man-in-the-middle attack”.
To avoid a man-in-the-middle attack, key based ssh is used. To use this, you’ll need to make a pair of keys: a public key and a private key. Anything encrypted with the public key can only be deciphered with the private key. You’ll need to put the public key onto the machine you want to log on to. Now when you try to connect to a server, your client program will negotiate with the server to use key based ssh. The server will encrypt something with your public key and send it to your client. Your client will decipher the data with your private key and send it back. Since only you have the private key, and only the private key can decipher the data correctly, the server knows you are the right person. To get more security, in case you lose your USB key with your private key in it, you can protect your private key with a password. Now only someone with your private key (a file) and the password (which is never sent across the network, unless you do something stupid) can act as you.
The cost of this higher security level is that key based ssh needs more CPU power to do the calculation when logging in. It is OK with most modern computers. However, for handheld devices such as PDAs and mobile phones, this could take minutes.
- Login with password based ssh
OpenSSH is included in FreeBSD and most Linux distros. If it is not, check the package system of your OS and there is a good chance it is included. And finally, you can always download the source from http://www.OpenSSH.org and compile it yourself.
We’ll take FreeBSD as an example:
First we’ll start the SSH server on the local machine. If you know some machine running SSH and don’t want others to log in to your machine with SSH, you can skip this step.
Open /etc/rc.conf in your favorite editor, and add this line
in it. And then run
to start the ssh server.
Now the client side: type
address of the remote host]
in the command line. If everything goes right, you’ll see a message like this (the numbers will be different):
Key fingerprint is 1024 5f:a0:0b:65:d3:82:df:ab:44:62:6d:98:9c:fe:e9:52.
Are you sure you want to continue connecting (yes/no)?
This means OpenSSH can’t recognize this host. Most of the time you can safely answer “yes” if this is the first time you connect to this machine. However, if you see this again later when you connect to the same machine, something is happening: either the server has been changed (say the OS was re-installed), or someone is trying to attack your system.
Now the ssh client will ask you for the password. This is the same password you used when running telnet. You’ll be connected if the password is correct, and you can use the remote machine the same way as when you are using telnet.
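The “Key fingerprint is …” prompt above is the client giving you a chance to check that you reached the real server rather than an impersonating machine of the kind described earlier. What follows is an added example, not code from the original post or from OpenSSH: it builds a public key line in the identity.pub format from constructed key material and computes the colon-separated MD5 fingerprint of the style shown in the prompt, so the value on screen can be compared with one obtained out of band (say, from the server’s administrator). The helper names are assumptions of this example.

```python
import base64
import hashlib
import struct

# Added example, not code from the original post: build and parse public key
# lines in the identity.pub / authorized_keys format and compute the
# colon-separated MD5 fingerprint that the ssh client shows on first
# connection. The key material below is constructed and far too small for use.

def _string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def _mpint(n: int) -> bytes:
    """SSH wire-format mpint: minimal big-endian bytes, with a leading 0x00
    when the high bit is set so the value still reads as positive."""
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def encode_pubkey_line(key_type: str, mpints: list[int], comment: str) -> str:
    """Produce one line in the form ssh-keygen writes into identity.pub."""
    blob = _string(key_type.encode()) + b"".join(_mpint(x) for x in mpints)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

def parse_pubkey_line(line: str) -> bytes:
    """Return the raw key blob; the type named inside the blob must match
    the first field, otherwise the line has been damaged or tampered with."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type field does not match the key blob")
    return blob

def md5_fingerprint(line: str) -> str:
    """The 'aa:bb:cc:...' fingerprint quoted in the post: MD5 over the raw
    blob only, so the comment field does not influence it."""
    digest = hashlib.md5(parse_pubkey_line(line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint_matches(line: str, expected: str) -> bool:
    """Compare the computed fingerprint with one given out of band."""
    return md5_fingerprint(line) == expected.strip().lower()

# Constructed sample key: e = 65537 and a toy 88-bit modulus (the '1024' in
# the post's prompt is the length in bits of a real key).
SAMPLE_KEY = encode_pubkey_line("ssh-rsa", [65537, 0xC0FFEE1234567890ABCDEF], "user@laptop")
```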
- Login with key based ssh
First you’ll need to generate the key pair. Issue the command
on the command line. You will see some messages like
Key generation complete.
Enter file in which to save the key (/home/[user]/.ssh/identity):
You can just press “Enter” here. This is the default place to keep your key. And then
Enter passphrase (empty for no passphrase):
The program is asking for the password to protect your private key. Note this is not the password you use to log on to the remote machine. As always, you’ll need to enter the password twice.
Your public key has been saved in /home/[user]/.ssh/identity.pub.
The key fingerprint is:
2a:dc:71:2f:27:84:a2:e4:a1:1e:a9:63:e2:fa:a5:89 [user]@[local machine]
Now the file ~/.ssh/identity holds your private key and the file ~/.ssh/identity.pub holds your public key. The names of the files will change if you use a different encryption algorithm.
Note the file permissions for your private key must be “-rw-------” so no one else can read it. OpenSSH will refuse to work otherwise.
Now you need to place your public key onto the machines you want to log on to. Make the directory ~/.ssh on the remote machine, place your public key file (identity.pub in our case) under it, and rename it to “authorized_keys”. You also need to change the mode of that file to 644. If you allow someone else to write this file, OpenSSH will refuse to work, again.
Now you can try to log in with key based ssh. Issue
address of the remote host]
in the command line. This time the client will ask for the “passphrase”. This is what you typed twice when generating your key pair, not the password you use with telnet. If everything goes right, you’ll be connected and ready to go.
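The permission rules in this section (private key -rw-------, authorized_keys 644 and writable by nobody else) can be checked before a login attempt fails for that reason. Added example, not code from the original post: a small Python audit that constructs a throwaway ~/.ssh with wrong modes, reports what OpenSSH would reject, then applies the modes above and confirms it is clean; it also checks that the home directory and ~/.ssh are not writable by others, which sshd checks as well. audit_ssh_dir and demo are names assumed by this example.

```python
import os
import stat
import tempfile

# Added example, not code from the original post: check the file-permission
# rules the post gives (private key -rw-------, authorized_keys 644 and not
# writable by anyone else) plus sshd's check that the home directory and
# ~/.ssh are not writable by group or others.

OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH   # writable by group or others
OTHER_READ = stat.S_IRGRP | stat.S_IROTH    # readable by group or others

def audit_ssh_dir(home: str, private_key: str = "identity") -> list[str]:
    """Return the problems ssh/sshd would reject; an empty list means OK."""
    ssh_dir = os.path.join(home, ".ssh")
    key = os.path.join(ssh_dir, private_key)
    auth = os.path.join(ssh_dir, "authorized_keys")
    problems = []
    for path in (home, ssh_dir, auth):
        if os.path.exists(path) and os.stat(path).st_mode & OTHER_WRITE:
            problems.append(f"{path}: writable by group or others")
    if not os.path.exists(key):
        problems.append(f"{key}: private key not found")
    elif os.stat(key).st_mode & (OTHER_READ | OTHER_WRITE):
        problems.append(f"{key}: private key readable or writable by others")
    return problems

def demo() -> tuple[list[str], list[str]]:
    """Build a constructed ~/.ssh with wrong modes, audit it, apply the
    modes the post prescribes, audit again; return both result lists."""
    with tempfile.TemporaryDirectory() as home:   # created with mode 0700
        ssh_dir = os.path.join(home, ".ssh")
        os.mkdir(ssh_dir)
        key = os.path.join(ssh_dir, "identity")
        auth = os.path.join(ssh_dir, "authorized_keys")
        for path in (key, auth):
            with open(path, "w") as f:
                f.write("constructed placeholder, not real key material\n")
        os.chmod(ssh_dir, 0o777)   # world-writable directory: wrong
        os.chmod(key, 0o644)       # private key readable by everyone: wrong
        os.chmod(auth, 0o666)      # authorized_keys writable by everyone: wrong
        before = audit_ssh_dir(home)
        os.chmod(ssh_dir, 0o700)   # the fixes: chmod 700 ~/.ssh
        os.chmod(key, 0o600)       # chmod 600 ~/.ssh/identity  (-rw-------)
        os.chmod(auth, 0o644)      # chmod 644 ~/.ssh/authorized_keys
        after = audit_ssh_dir(home)
    return before, after
```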
- to be continued
There are many things to talk about for OpenSSH: using ssh-agent to avoid typing the passphrase every time, using scp/sftp to transfer files in a secure tunnel, using port forwarding, etc. Just wait for the next time.