advanced usage of openssh
play

Advanced Usage of OpenSSH Sean Cody MUUG Presentation September - PowerPoint PPT Presentation

Nov 07, 2023 •140 likes •694 views

Advanced Usage of OpenSSH Sean Cody MUUG Presentation September 9, 2008 Tuesday, September 9, 2008 1 Who am I? Senior Systems Administrator for Prime Focus VFX Services (formerly Frantic Films VFX). Editor at The OpenBSD Journal

  1. Advanced Usage of OpenSSH Sean Cody MUUG Presentation September 9, 2008 Tuesday, September 9, 2008 1

  2. Who am I? Senior Systems Administrator for Prime Focus VFX Services (formerly Frantic Films VFX). Editor at The OpenBSD Journal (undeadly.org). Practical Paranoid Gets claustrophobic in closed networks. Enjoys a good challenge. Tuesday, September 9, 2008 2

  3. What we’ll cover. Brief introduction to the OpenSSH world. A look at a few of some of the more esoteric but interesting features of OpenSSH. Getting the most out of your OpenSSH daemon. Some cute usage of OpenSSH to subvert the “real world” and survive hostile networks. Tuesday, September 9, 2008 3

  4. What I’ll Assume You’ve used a CLI before. You can read man pages. You have a good understanding of the fundamentals of ‘The Internet.’ You’ll tell me when I screw up? Tuesday, September 9, 2008 4

  5. OpenSSH Tuesday, September 9, 2008 5

  6. OpenSSH Tuesday, September 9, 2008 5

  7. OpenSSH A suite of cryptographically secured connectivity tools. Comes in two flavours. OpenSSH OpenSSH-portable A crypto powered hammer in a world full of rusty nails. Tuesday, September 9, 2008 5

  8. Flavours OpenSSH-portable Follows OpenSSH but contains patches to work on a variety of non BSD operating systems. Like Linux, AIX, HPUX, Windows Sometimes referred to as OpenSSH+PAM. Sometimes doesn’t get all the features of the parent project but tries really hard. Tuesday, September 9, 2008 6

  9. Problem If you decide to use a machine in a hostile network, how can you set it up to be useful yet still protect yourself from attacks and packet sniffing? ie. DefCon, badly setup conference, some random sketchy coffee shop/hot-spot. Tuesday, September 9, 2008 7

  10. Solution OpenSSH client contains a built in, on-demand SOCKS proxy! ssh -D1234 -n user@host Tell your web browser to use localhost:1234 as your proxy. Bonus points for tunneling DNS over said proxy. This works for any application that can talk with a SOCKS proxy. Tuesday, September 9, 2008 8

  11. Solution (FireFox) Tuesday, September 9, 2008 9

  12. Solution (FireFox) Tuesday, September 9, 2008 9

  13. Solution (FireFox) Tuesday, September 9, 2008 9

  14. Solution (FireFox) The “SwitchProxy” and “ProxyButton” make this configuration painless. Using a nice SSH-Agent will make the connections less painful. On the mac there is SSHKeyChain On other *nix hosts: echo secure_browsing.sh > ssh -n -D8888:user@host && firefox & use ssh-agent(1) Tuesday, September 9, 2008 10

  15. Problem Tuesday, September 9, 2008 11

  16. Problem In a low bandwidth/high-latency environment, how do you handle multiple connections to a remote server? Tuesday, September 9, 2008 11

  17. Problem In a low bandwidth/high-latency environment, how do you handle multiple connections to a remote server? The remote server also happens to be resource sensitive. Tuesday, September 9, 2008 11

  18. Solution We can use a single multiplexed session! One TCP socket, multiple sessions over said socket. Tuesday, September 9, 2008 12

  19. Solution Tuesday, September 9, 2008 13

  20. Solution Tuesday, September 9, 2008 13

  21. Problem Tuesday, September 9, 2008 14

  22. Problem How do you allow remote access to an internal subversion repository? Tuesday, September 9, 2008 14

  23. Problem How do you allow remote access to an internal subversion repository? Security and containment is important. Tuesday, September 9, 2008 14

  24. Problem How do you allow remote access to an internal subversion repository? Security and containment is important. How about restricting per user access to specific repositories? Tuesday, September 9, 2008 14

  25. Solution Use authorized_keys, with forced commands and a few extra options to limit ‘fringe utility.’ authorized_keys file format: OPTIONS TYPE KEY COMMENT eg. no-pty ssh-rsa AAAA….a== sample Tuesday, September 9, 2008 15

  26. Solution - Server Add a user called ‘svn’ whose home is /home/svn/ su - svn mkdir -p ~svn/.ssh/ mkdir -p ~svn/repository/ touch ~svn/.ssh/authorized_keys svnadmin create ~svn/repository/ Tuesday, September 9, 2008 16

  27. Solution - Client Each client must setup their ssh key identity and their public key must be the key in the server’s authorized_keys file. Connecting to the repository is as easy as svn co svn+ssh://user_a@server/path_to_repository/ env SVN_SSH="ssh -i /Users/sean/.ssh/svn" svn co \ svn+ssh://user@server/path_to_repository/ Tuesday, September 9, 2008 17

  28. Problem Tuesday, September 9, 2008 18

  29. Problem How do you provide desk side support to a user who is on the other side of the world on a foreign network ? Tuesday, September 9, 2008 18

  30. Problem How do you provide desk side support to a user who is on the other side of the world on a foreign network ? The user is also NAT’d (possibly multiple times) behind some random firewall (or firewalls). Tuesday, September 9, 2008 18

  31. Problem How do you provide desk side support to a user who is on the other side of the world on a foreign network ? The user is also NAT’d (possibly multiple times) behind some random firewall (or firewalls). The solution needs to be ‘average user’ friendly. Tuesday, September 9, 2008 18

  32. Solution A reverse SSH tunnel using an intermediary SSH server! Tuesday, September 9, 2008 19

  33. Solution Tuesday, September 9, 2008 20

  34. Solution Tuesday, September 9, 2008 20

  35. Solution Tuesday, September 9, 2008 20

  36. Solution Tuesday, September 9, 2008 20

  37. Solution Tuesday, September 9, 2008 20

  38. Solution Tuesday, September 9, 2008 20

  39. Problem You would like to give users SSH access or use the previous examples in production but need to control/limit their use and abuse. Tuesday, September 9, 2008 21

  40. Solution Configure limitations on your ssh daemon and/or user config. Constrain port forwarding with PermitOpen configuration option (per server, or user). Doing just port forwarding… use ‘no-pty’ option in authorized_keys (this is per key). Use forced commands instead of giving shells (works for all kinds of things, not just subversion). Tuesday, September 9, 2008 22

  41. Secured Shell Server In sshd_config you can lock things down with the following options: PermitRootLogin no StrictModes yes PasswordAuthentication no PermitEmptyPasswords no AllowTcpForwarding no AllowX11Forarding no UsePrivilegeSeparation yes Compression yes UseDNS yes Tuesday, September 9, 2008 23

  42. Secured Shell Server Don’t forget to remove setuid from passwd(1) chmod -s `whereis passwd` User creation should include setting up an encrypted RSA/DSA key and set their login password to ‘garbage’ of length at least 15 characters. Tuesday, September 9, 2008 24

  43. Bonus Problem You have a server far away who has a crypto card/accelerator that has locked up and isn’t responding to new SSH sessions? Tuesday, September 9, 2008 25

  44. Solution Tuesday, September 9, 2008 26

  45. Solution Change the default cipher in the ssh client to one that the crypto card doesn’t support! Tuesday, September 9, 2008 26

  46. Solution Change the default cipher in the ssh client to one that the crypto card doesn’t support! For example the VPN1411 HiFn Crypto accelerator doesn’t support the blowfish cipher. Tuesday, September 9, 2008 26

  47. Solution Change the default cipher in the ssh client to one that the crypto card doesn’t support! For example the VPN1411 HiFn Crypto accelerator doesn’t support the blowfish cipher. Therefore… Tuesday, September 9, 2008 26

  48. Solution Change the default cipher in the ssh client to one that the crypto card doesn’t support! For example the VPN1411 HiFn Crypto accelerator doesn’t support the blowfish cipher. Therefore… ssh -c blowfish user@host Tuesday, September 9, 2008 26

  49. Key Sizes Longer key lengths provide ‘better’ security at the cost of decreased performance but don’t go crazy. SSH Keys are for authentication only, once authenticated a Diffie- Hellman key exchange is used to generate session keys which can/ are re-key’d after specified intervals or traffic use. Avoid unencrypted (ie. no/blank password) keys, use an ssh-agent to handle credential management (ie. type the password once per ‘login’ and forget about it). Don’t ignore ‘known host key has changed’ messages as they are your last line of defense against MITM attacks. Seriously... Tuesday, September 9, 2008 27

  50. But wait there’s more! Ad-hoc VPN using SSH and tunnel devices see ‘ssh -w’ option. If you can get any type of traffic out of a network you can tunnel over it. Defense; rate-limit DNS, ICMP and UDP. chroot’d sftp server (OpenSSH 4.7+) Per user/key SSHD restrictions. Per user/key TCP Forwarding restrictions See PermitOnly config option. SSH signature visualization makes it easy to recognize keys. Use the command channel to add tunnels to already active sessions. Tuesday, September 9, 2008 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security Measures in OpenSSH Damien Miller djm@openbsd.org Introduction Describe the

Security Measures in OpenSSH Damien Miller djm@openbsd.org Introduction Describe the

Security Measures in OpenSSH Damien Miller djm@openbsd.org Introduction Describe the security measures in OpenSSH What they are How we implemented them How well they work Why? OpenSSH is an

359 views • 32 slides
scikit-learn Case Study Professor Patrick McDaniel Jonathan Price Fall 2015 More Advanced Usage

scikit-learn Case Study Professor Patrick McDaniel Jonathan Price Fall 2015 More Advanced Usage

scikit-learn Case Study Professor Patrick McDaniel Jonathan Price Fall 2015 More Advanced Usage Here, we will do a more advanced usage of scikit learn to solve an actual security problem. We will using the Microsoft Malware Classification

434 views • 22 slides
your exercise Order of Presentations Team Topic 212 Distributed file systems 209 OpenSSH:

your exercise Order of Presentations Team Topic 212 Distributed file systems 209 OpenSSH:

The iLab Experience a blended learning hands-on course concept you set the focus Create Your Own Lab July 5, 2016 your exercise Order of Presentations Team Topic 212 Distributed file systems 209 OpenSSH: More than a remote shell 207

1.21k views • 118 slides
Advanced Usage of Multi Site Functionality Advanced Usage of Multi Site Functionality by by

Advanced Usage of Multi Site Functionality Advanced Usage of Multi Site Functionality by by

Advanced Usage of Multi Site Functionality Advanced Usage of Multi Site Functionality by by Olli Aro Olli Aro Head of Technology & Products, Clicks and Links Ltd Head of Technology & Products, Clicks and Links Ltd About Us About

935 views • 24 slides
Enhance OpenSSH for Fun and Security Enhance OpenSSH for Fun and Security Enhance OpenSSH for Fun

Enhance OpenSSH for Fun and Security Enhance OpenSSH for Fun and Security Enhance OpenSSH for Fun

Enhance OpenSSH for Fun and Security Enhance OpenSSH for Fun and Security Enhance OpenSSH for Fun and Security Enhance OpenSSH for Fun and Security Enhance OpenSSH for Fun and Security Enhance OpenSSH for Fun and Security Enhance OpenSSH for

1.07k views • 72 slides
Advanced Computer Graphics CS 525M: Identifying diverse usage behaviors of smartphone apps Alec

Advanced Computer Graphics CS 525M: Identifying diverse usage behaviors of smartphone apps Alec

Advanced Computer Graphics CS 525M: Identifying diverse usage behaviors of smartphone apps Alec Mitnik Computer Science Dept. Worcester Polytechnic Institute (WPI) Introduction The popularity of mobile devices is increasing. Apps are

437 views • 21 slides
Advanced indexing methods Usage and Abusage Riyaj Shamsudeen Ora!nternals Introduction Who

Advanced indexing methods Usage and Abusage Riyaj Shamsudeen Ora!nternals Introduction Who

Advanced indexing methods Usage and Abusage Riyaj Shamsudeen Ora!nternals Introduction Who am I ? Various indexing features Use and abuse of index types Questions Riyaj Shamsudeen @Orainternals 2 Who am I? 16 years using

682 views • 67 slides
Ho How Po Power Use sers s Grow with Hu HubSpot: Tips s for Advanced Marke keting &

Ho How Po Power Use sers s Grow with Hu HubSpot: Tips s for Advanced Marke keting &

Ho How Po Power Use sers s Grow with Hu HubSpot: Tips s for Advanced Marke keting & Sales Teams Advanced HubSpot Usage Works kshop Ag Agenda Sup Super ercha harging ng your ur Hub ubSp Spot smart cont ntent ent Extend

533 views • 39 slides
Lists Intro A list is a data structure based on usage of pointers and dynamic allocation of

Lists Intro A list is a data structure based on usage of pointers and dynamic allocation of

Advanced Programming Lists Lists Intro A list is a data structure based on usage of pointers and dynamic allocation of memory. With respect to other ADT (like arrays), a list: provides more flexibility in memory usage but it is less

450 views • 14 slides
Latest version of the slides can be obtained from

Latest version of the slides can be obtained from

Latest version of the slides can be obtained from http://www.cse.ohio-state.edu/~panda/it4-advanced.pdf InfiniBand, Omni-Path, and High-Speed Ethernet: Advanced Features, Challenges in Designing HEC Systems, and Usage A Tutorial at IT4

1.81k views • 157 slides
1.113.5 2.113.7 Set up secure shell (OpenSSH) Setup and configure basic DNS services Setup and

1.113.5 2.113.7 Set up secure shell (OpenSSH) Setup and configure basic DNS services Setup and

2 2.113.4 Properly manage the NFS, smb, and nmb daemons 2.113.5 Setup and configure basic DNS services [] 1.113.5 2.113.7 Set up secure shell (OpenSSH) Setup and configure basic DNS services Setup and Configure basic DNS services Candidate

469 views • 6 slides
Euthanasia and PAS Euthanasia an ambigous concept Analytical usage vs. normative usage

Euthanasia and PAS Euthanasia an ambigous concept Analytical usage vs. normative usage

11/23/17 Introduction Euthanasia and PAS Euthanasia an ambigous concept Analytical usage vs. normative usage WMA European Region Meeting Ethics Human Rights (National) Legal on End-of Life Questions Systems Common

313 views • 3 slides
MIDDLEWARE COMMUNICATIONS Steve Bernier, M.Sc., Senior Architect & Project Leader, Advanced

MIDDLEWARE COMMUNICATIONS Steve Bernier, M.Sc., Senior Architect & Project Leader, Advanced

- SCA ADVANCED FEATURES - OPTIMIZING BOOT TIME, MEMORY USAGE, AND MIDDLEWARE COMMUNICATIONS Steve Bernier, M.Sc., Senior Architect & Project Leader, Advanced Radio Systems, Communications Research Centre Canada Outline 1. Introduction 2.

448 views • 17 slides
Commercial Energy Usage District Fuel We have reduced Fuel Usage FY03 - FY08 our average

Commercial Energy Usage District Fuel We have reduced Fuel Usage FY03 - FY08 our average

Commercial Energy Usage District Fuel We have reduced Fuel Usage FY03 - FY08 our average yearly fuel usage by 58,255 250000.00 gallons. Energy Plan Begins There is still more 200000.00 we can save. Current prices are high so it

351 views • 8 slides
Advanced Linux Usage 2017-10-24 Martin Dahl martin.dahlo@scilifelab.uu.se Valentin Georgiev

Advanced Linux Usage 2017-10-24 Martin Dahl martin.dahlo@scilifelab.uu.se Valentin Georgiev

Advanced Linux Usage 2017-10-24 Martin Dahl martin.dahlo@scilifelab.uu.se Valentin Georgiev valentin.georgiev@icm.uu.se Shell and Bash the Shell is a Command Line Interface (CLI) Bash is one particular shell tcsh, zsh are also shell

1.02k views • 64 slides
Supero: A Sensor System for Unsupervised Residential Power Usage Monitoring Dennis E. Phillips 1

Supero: A Sensor System for Unsupervised Residential Power Usage Monitoring Dennis E. Phillips 1

Supero: A Sensor System for Unsupervised Residential Power Usage Monitoring Dennis E. Phillips 1 , Rui Tan 2 ; Mohammad-Mahdi Moazzami 1 ; Guoliang Xing 1 ; Jinzhu Chen 1 ; David K. Y. Yau 2,3 1 Michigan State University, USA 2 Advanced

1.22k views • 65 slides
Automatic Discovery of Diverse and Changing Network Services AMICT 2009 Workshop Petrozavodsk

Automatic Discovery of Diverse and Changing Network Services AMICT 2009 Workshop Petrozavodsk

Automatic Discovery of Diverse and Changing Network Services AMICT 2009 Workshop Petrozavodsk State University 19 th May 2009 Mikko Pervil, prof. Jussi Kangasharju (instructor) Department of Computer Science, University of Helsinki

286 views • 17 slides
Geographic Information Provenance J AMES F REW Donald Bren School of Environmental Science and

Geographic Information Provenance J AMES F REW Donald Bren School of Environmental Science and

Geographic Information Provenance J AMES F REW Donald Bren School of Environmental Science and Management University of California, Santa Barbara James Frew ThinkSpatial brown bag 2009-02-11 1 What is Provenance? Information about

506 views • 40 slides
Reconstructing Netflix Raghuram SV, Aditya Rao, Kunal Lillaney 600.667 Advanced Distributed

Reconstructing Netflix Raghuram SV, Aditya Rao, Kunal Lillaney 600.667 Advanced Distributed

Reconstructing Netflix Raghuram SV, Aditya Rao, Kunal Lillaney 600.667 Advanced Distributed Systems & Communication Johns Hopkins University Netflix Facts Internet has overtaken cable TV as preferred medium for delivering video content

506 views • 27 slides
JPL's Kerberos 5 Upgrade Henry B. Hotz Jet Propulsion Laboratory California Institute of

JPL's Kerberos 5 Upgrade Henry B. Hotz Jet Propulsion Laboratory California Institute of

JPL's Kerberos 5 Upgrade Henry B. Hotz Jet Propulsion Laboratory California Institute of Technology Henry B. Hotz Kerberos 5 Upgrade Overview Preparation Requirements and Testing MIT/KTH (Heimdal) Tradeoff Doing the upgrade

708 views • 9 slides
Project Plan AppDynamics Platform Configuration Tool The Capstone Experience Team Evolutio Kp

Project Plan AppDynamics Platform Configuration Tool The Capstone Experience Team Evolutio Kp

Project Plan AppDynamics Platform Configuration Tool The Capstone Experience Team Evolutio Kp Inuaeyen Jon Dressel Ian Guswiler Cameron Rasico Ben Haase Department of Computer Science and Engineering Michigan State University From

247 views • 12 slides
Responses to Questions/Comments from Public Forum Session Beijing, April 11, 2013 As regards New

Responses to Questions/Comments from Public Forum Session Beijing, April 11, 2013 As regards New

Responses to Questions/Comments from Public Forum Session Beijing, April 11, 2013 As regards New gTLD evaluation panels, are we going to have information about what these dispute resolution providers were saying, and more importantly - what is

343 views • 8 slides
Human Science Institute Conference - Call for Presentations September 8-10, 2016 Salt Lake City,

Human Science Institute Conference - Call for Presentations September 8-10, 2016 Salt Lake City,

Human Science Institute Conference - Call for Presentations September 8-10, 2016 Salt Lake City, Utah http://humanscienceinstitute.org Compassion, Connection and Response-Ability Todays social and environmental challenges call all of us to

365 views • 3 slides
Improving Software Quality with Static Analysis William Pugh Professor Univ. of Maryland

Improving Software Quality with Static Analysis William Pugh Professor Univ. of Maryland

Improving Software Quality with Static Analysis William Pugh Professor Univ. of Maryland http://www.cs.umd.edu/~pugh TS-2007 2007 JavaOne SM Conference | Session TS-2007 | You will believe... Static analysis tools can find real bugs

991 views • 62 slides

More recommend