LINUX SYSTEM ADMINISTRATION AND SECURITY SSH (The Secure Shell) - - PowerPoint PPT Presentation



SLIDE 1

LINUX SYSTEM ADMINISTRATION AND SECURITY
SSH (The Secure Shell)

  • Lakshmana Rao Konda

lkonda@cs.siu.edu

SLIDE 2

Topics Covered

  • Introduction
  • Overview of features
  • SSH client and server model
  • Cryptographic keys
  • Attacks
  • SSH agent
  • Architecture of an SSH system
  • Installation and configuration
  • Differences between SSH1 and SSH2
  • Conclusion

SLIDE 3

Introduction

SSH, the Secure Shell, is a popular, powerful software-based approach to network security. Whenever data is sent by a computer to the network, SSH automatically encrypts it.

SSH is used to replace telnet, ftp and rexec, all of which send data (username and password) in plain text.

SSH solves this by encrypting all the communications: even if someone watches the traffic, they can see only garbage.

SLIDE 4

Overview of Features

  • Privacy of your data, via strong encryption.
  • Integrity of communications, guaranteeing they have not been altered.
  • Authentication, proof of identity by senders and receivers.
  • Authorization, i.e., access control to databases.
  • Forwarding or tunneling to encrypt other TCP/IP-based sessions.

SLIDE 5

SSH Protocol

SLIDE 6

SSH Client and Server Model: Transport Layer Key Exchange

Client and server share the group parameters p and g.

  1. Client computes e = g^x mod p and sends SSH_MSG_KEXDH_INIT carrying e.
  2. Server computes f = g^y mod p, K = e^y mod p, H = hash(V_C || V_S || I_C || I_S || K_S || e || f || K), and s = signature on H with its private host key.
  3. Server sends SSH_MSG_KEXDH_REPLY carrying K_S || f || s.
  4. Client verifies that K_S really is the host key, computes K = f^x mod p and H = hash(V_C || V_S || I_C || I_S || K_S || e || f || K), and verifies the signature s on H.
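
The four steps above carried through in code, as an added example that is not part of the presentation: both sides' computations and messages, with H built field by field as the slide writes it. Wire encodings follow RFC 4253 section 8 (diffie-hellman-group1-sha1, whose 1024-bit group is used here; current deployments prefer larger groups or curve25519). The version strings, KEXINIT payloads and the textbook-RSA host key generated on the fly are constructed for the demo; a real host uses a persistent key and PKCS#1 v1.5 signature encoding. The client-side comparison of K_S against the stored host key is the known-hosts check that the man-in-the-middle slides later in the deck depend on: when a different key is substituted, the exchange is rejected before any credential is sent.

```python
# Added example: SSH2 transport key exchange (slide steps 1-4), per RFC 4253 section 8.
import hashlib
import secrets

# Oakley group 2 (RFC 2409): the 1024-bit MODP group of diffie-hellman-group1-sha1, g = 2.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
# Constructed version strings and KEXINIT payloads (placeholders, not real packets).
V_C, V_S = b"SSH-2.0-DemoClient", b"SSH-2.0-DemoServer"
I_C, I_S = b"<constructed client KEXINIT>", b"<constructed server KEXINIT>"


def sshstr(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return len(b).to_bytes(4, "big") + b


def mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for n >= 0: big-endian bytes, leading 0x00 if the top bit is set."""
    return sshstr(b"" if n == 0 else n.to_bytes((n.bit_length() + 8) // 8, "big"))


def exchange_hash(K_S: bytes, e: int, f: int, K: int) -> bytes:
    """H = hash(V_C || V_S || I_C || I_S || K_S || e || f || K), exactly as on the slide."""
    return hashlib.sha1(sshstr(V_C) + sshstr(V_S) + sshstr(I_C) + sshstr(I_S)
                        + sshstr(K_S) + mpint(e) + mpint(f) + mpint(K)).digest()


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin, adequate for generating a demo host key."""
    if n < 2 or any(n % p == 0 and n != p for p in (2, 3, 5, 7, 11, 13)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if is_probable_prime(c):
            return c


class HostKey:
    """Textbook RSA host key, generated on the fly for the demo (raw signature, no padding)."""
    def __init__(self, bits: int = 512):
        self.e = 65537
        while True:
            p, q = random_prime(bits // 2), random_prime(bits // 2)
            phi = (p - 1) * (q - 1)
            if p != q and phi % self.e:
                break
        self.n, self.d = p * q, pow(self.e, -1, phi)

    def public_blob(self) -> bytes:
        """K_S in ssh-rsa wire format: string 'ssh-rsa', mpint e, mpint n."""
        return sshstr(b"ssh-rsa") + mpint(self.e) + mpint(self.n)

    def sign(self, H: bytes) -> int:
        return pow(int.from_bytes(H, "big"), self.d, self.n)


def verify_signature(K_S: bytes, H: bytes, s: int) -> bool:
    """Parse e and n back out of the ssh-rsa blob and check s^e mod n == H."""
    fields, i = [], 0
    while i < len(K_S):
        ln = int.from_bytes(K_S[i:i + 4], "big")
        fields.append(K_S[i + 4:i + 4 + ln])
        i += 4 + ln
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        return False
    e, n = int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")
    return pow(s, e, n) == int.from_bytes(H, "big")


def server_reply(host_key: HostKey, e: int):
    """Steps 2-3: pick y, compute f, K, H, s; reply with K_S || f || s. Returns (reply, K)."""
    y = secrets.randbelow(P - 2) + 1
    f, K = pow(G, y, P), pow(e, y, P)
    K_S = host_key.public_blob()
    return (K_S, f, host_key.sign(exchange_hash(K_S, e, f, K))), K


def run_exchange(server_key: HostKey, stored_host_key: bytes):
    """Steps 1 and 4 on the client; returns (client_K, server_K), client_K None on rejection."""
    x = secrets.randbelow(P - 2) + 1                      # step 1: client secret x
    e = pow(G, x, P)                                      # SSH_MSG_KEXDH_INIT carries e
    (K_S, f, s), server_K = server_reply(server_key, e)   # SSH_MSG_KEXDH_REPLY
    if K_S != stored_host_key:                            # "K_S really is the host key"
        return None, server_K
    K = pow(f, x, P)
    if not verify_signature(K_S, exchange_hash(K_S, e, f, K), s):
        return None, server_K
    return K, server_K
```

Calling `run_exchange(bob, bob.public_blob())` yields equal client and server secrets; `run_exchange(trudy, bob.public_blob())`, a reply signed by a different host key, returns `None` for the client side because the stored key does not match, which is the outcome the deck's later attack slides rely on the client not skipping.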

SLIDE 7

SSH Client and Server Model: User Authentication Layer (using password)

  5. Client sends payload and signature. The payload is: SSH_MSG_USERAUTH_REQUEST, username, service, "password", FALSE, plaintext password. The signature is: session identifier and payload, encrypted with the session key.
  6. Server checks whether the supplied password is acceptable for authentication and, if so, checks whether the signature is correct, then replies SSH_MSG_USERAUTH_SUCCESS or SSH_MSG_USERAUTH_FAILURE.
  7. Client requests the service if userauth_success.
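
Steps 5 to 7 as an added worked example that is not part of the presentation: the SSH_MSG_USERAUTH_REQUEST payload is built and parsed with the RFC 4252 password-method layout the slide lists (the FALSE field is the RFC's "change password" flag), and the server side decides SUCCESS or FAILURE. The message numbers are the RFC's; the password store, user names and passwords are constructed for the demo. Two defender details the slide leaves implicit are included: the stored password is a salted PBKDF2 hash rather than the password itself, and the comparison is constant-time and performed even for unknown users, so response timing does not reveal which user names exist. The password crosses the wire in plaintext inside the encrypted transport, so its only protection is the session key and host key verification from the previous slide.

```python
# Added example: the password method of the user-authentication layer (slide steps 5-7),
# message layout per RFC 4252 section 8. Users and passwords below are constructed.
import hashlib
import hmac
import os

SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52


def sshstr(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return len(b).to_bytes(4, "big") + b


def read_strings(buf: bytes, count: int):
    """Read `count` RFC 4251 strings from buf; returns (list_of_bytes, remaining_bytes)."""
    out, i = [], 0
    for _ in range(count):
        ln = int.from_bytes(buf[i:i + 4], "big")
        out.append(buf[i + 4:i + 4 + ln])
        i += 4 + ln
    return out, buf[i:]


def build_password_request(user: str, service: str, password: str) -> bytes:
    """Step 5 payload: SSH_MSG_USERAUTH_REQUEST, username, service, "password",
    FALSE (no password change), plaintext password."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + sshstr(user.encode()) + sshstr(service.encode())
            + sshstr(b"password") + b"\x00" + sshstr(password.encode()))


def parse_password_request(payload: bytes):
    """Inverse of build_password_request; returns (user, service, method, password)."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a USERAUTH_REQUEST")
    (user, service, method), rest = read_strings(payload[1:], 3)
    if method != b"password":
        return user.decode(), service.decode(), method.decode(), None
    if rest[:1] != b"\x00":
        raise ValueError("password-change requests are not handled in this demo")
    (password,), _ = read_strings(rest[1:], 1)
    return user.decode(), service.decode(), method.decode(), password.decode()


class PasswordStore:
    """Salted PBKDF2-HMAC-SHA256 verifier store (constructed stand-in for the system's own)."""
    ITERATIONS = 100_000
    _DUMMY = (bytes(16), bytes(32))   # used for unknown users so timing matches a real lookup

    def __init__(self):
        self.records = {}

    def add(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.records[user] = (salt, self._derive(password, salt))

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def check(self, user: str, password: str) -> bool:
        salt, expected = self.records.get(user, self._DUMMY)
        ok = hmac.compare_digest(self._derive(password, salt), expected)  # constant-time compare
        return ok and user in self.records


def server_handle(store: PasswordStore, payload: bytes, allowed_services=("ssh-connection",)) -> bytes:
    """Step 6: reply SSH_MSG_USERAUTH_SUCCESS or SSH_MSG_USERAUTH_FAILURE (the FAILURE
    message carries the name-list of methods that may continue and the partial-success flag)."""
    failure = bytes([SSH_MSG_USERAUTH_FAILURE]) + sshstr(b"publickey,password") + b"\x00"
    try:
        user, service, method, password = parse_password_request(payload)
    except ValueError:
        return failure
    if service not in allowed_services or method != "password" or password is None:
        return failure
    if not store.check(user, password):
        return failure
    return bytes([SSH_MSG_USERAUTH_SUCCESS])


def client_next_step(reply: bytes) -> str:
    """Step 7: only on SSH_MSG_USERAUTH_SUCCESS does the client go on to request the service."""
    return "request service" if reply[:1] == bytes([SSH_MSG_USERAUTH_SUCCESS]) else "retry or give up"
```

A wrong password, an unknown user and a request for a service other than ssh-connection all receive the same FAILURE message, so the reply itself does not tell a caller which of the three went wrong.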

SLIDE 8

Authentication by Cryptographic Key

Before you can use public key authentication, you need a private key and a public key (i.e., a key pair) and a secret passphrase. In the SSH system, ssh-keygen creates an RSA key pair and asks you for a secret passphrase to protect the private key; it then generates the public key.

ssh-keygen then creates your local SSH directory and stores the private and public components of the generated key in two files, identity and identity.pub.

SLIDE 9

Authentication by Cryptography

  • Installing a public key on an SSH server machine.
  • After creating the key pair on the local machine, install the public key in your account on the remote host.
  • This is done by editing the file ~/.ssh/authorized_keys in the SSH configuration directory and appending your public key.
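
The server-side step of the two slides above as an added example, not code from the presentation: an idempotent routine that appends a public key to ~/.ssh/authorized_keys, and an audit of the permissions the server expects. The file layout is the slide's; the permission values (0700 on ~/.ssh, 0600 on authorized_keys, nothing group- or world-writable) are what OpenSSH's StrictModes requires and are not mentioned on the slide; the key line used in the demo is constructed, not a real key. Generating the key pair itself is the ssh-keygen step of the previous slide and is not repeated here.

```python
# Added example: install a public key on the server side (slide 9) and audit the
# permissions sshd's StrictModes expects. The demo key line is constructed, not real.
import os
import stat
import tempfile
from pathlib import Path


def key_identity(line: str) -> str:
    """The part of an authorized_keys line that identifies the key: '<type> <base64>'.
    Option prefixes (from=, command=, ...) are not handled in this demo."""
    return " ".join(line.split()[:2])


def install_public_key(home: Path, pubkey_line: str) -> bool:
    """Append pubkey_line to ~/.ssh/authorized_keys unless that key is already there.
    Returns True if the key was added, False if it was already installed."""
    key = pubkey_line.strip()
    if len(key.split()) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    ssh_dir = home / ".ssh"
    ssh_dir.mkdir(exist_ok=True)
    os.chmod(ssh_dir, 0o700)                     # mkdir's mode is subject to umask, so set it explicitly
    auth = ssh_dir / "authorized_keys"
    existing = auth.read_text().splitlines() if auth.exists() else []
    installed = {key_identity(ln) for ln in existing if ln.strip() and not ln.startswith("#")}
    if key_identity(key) in installed:
        return False
    with auth.open("a") as fh:                   # append: never clobber keys that are already there
        fh.write(key + "\n")
    os.chmod(auth, 0o600)
    return True


def audit_permissions(home: Path) -> list:
    """Problems sshd (StrictModes yes) rejects: group/world-writable home, ~/.ssh or authorized_keys."""
    problems = []
    for path in (home, home / ".ssh", home / ".ssh" / "authorized_keys"):
        if not path.exists():
            problems.append(f"{path} missing")
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & 0o022:
            problems.append(f"{path} is group/world-writable ({oct(mode)})")
    return problems


def demo() -> dict:
    """Run the install twice in a throwaway home directory and audit the result."""
    constructed_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoKeyMaterialNotARealKey0000000000 lkonda@laptop"
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        os.chmod(home, 0o700)
        first = install_public_key(home, constructed_key)
        # Same key with a different comment: must be recognised as already installed.
        second = install_public_key(home, constructed_key.replace("laptop", "desktop"))
        lines = (home / ".ssh" / "authorized_keys").read_text().splitlines()
        return {"first": first, "second": second, "lines": len(lines), "problems": audit_permissions(home)}
```

Appending rather than rewriting the file matters on a shared account: the slide's "append your public key" is the only operation that cannot lock out the keys other users of the account already installed.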

SLIDE 10

SSH AGENT

An agent is a program that keeps private keys in memory and provides authentication services to SSH clients. If you preload an agent with private keys at the beginning of a login session, your SSH clients won't prompt for passphrases. To try the agent, type

$ ssh-agent $SHELL

where SHELL is the environment variable containing the name of your login shell.

Once the agent is running, your private key is loaded using

$ ssh-add

SLIDE 11

SSH ARCHITECTURE

SLIDE 12

Architecture of an SSH system

SSH has the following components:
  • Server
  • Client
  • Session keys
  • Known host database

SLIDE 13

Contd…

  • Key generator
  • Agent
  • Signer
  • Random seed
  • Configuration file

All these components are required in an implementation of SSH.

SLIDE 14

Attacks

Threats SSH can prevent:
  • Man in the middle attack
  • Eavesdropping
  • Connection hijacking
  • IP spoofing

SLIDE 15

Man in the middle attack

Participants: Alice, Trudy, Bob.

  1. Alice requests an SSH connection with Bob.
  2. Bob sends his public key; Trudy sends her public key instead of Bob's.
  3. Alice gets the key for the first time, so she stores it as Bob's key.
  4. Alice sends username and password as plaintext in the encrypted channel, which Trudy can decipher.
  5. Trudy now has Alice's username and password!!

SLIDE 16

Man in the middle attack

SLIDE 17

Spoofing Attack

Participants: Alice, Trudy.

  1. Alice requests an SSH connection with Bob.
  2. Trudy sends her public key, claiming to be Bob.
  3. Alice gets the key for the first time, so she stores it as Bob's key.
  4. Alice sends username and password as plaintext in the encrypted channel, which Trudy can decipher.
  5. Trudy now has Alice's username and password!!
  6. Trudy sends an authentication failure.
  7. Alice sends her credentials again as plaintext in the encrypted channel.
  8. Trudy sends another authentication failure and disconnects.
  9. Alice thinks she must have entered incorrect passwords!!

SLIDE 18

Installation and Configuration

Extracting the files:

$ gunzip ssh-1.2.27.tar.gz
$ tar xvf ssh-1.2.27.tar

The result is a new subdirectory containing all files in the distribution.

Verifying with PGP:

$ pgp ssh-1.2.27.tar.gz

If no warning messages are produced, the distribution file is genuine.

SLIDE 19

Contd….

Building and Installing SSH1

  1. Run the supplied configure script:
     $ ./configure
  2. Compile everything:
     $ make
  3. Install everything:
     $ su root
  4. Create the known hosts file:
     $ make-ssh-known-hosts

SLIDE 20

Contd….

Compile time configuration

The configure script accepts command line flags: with/without flags and enable/disable flags, which include or exclude a package or feature during compilation.

Examples:
  1. Installation files and directories:
     $ configure --prefix=/usr/local/ssh
  2. TCP/IP support:
     $ configure --disable-tcp-nodelay

SLIDE 21

Contd…

X window support:
  $ configure ... --without-x ...

Encryption and ciphers:
  $ configure --without-blowfish

Authentication:
  $ configure --enable-kerberos-tgt

SLIDE 22

SSH1 AND SSH2 DIFFERENCES

SSH2:
  • Separate transport, authentication and connection protocols.
  • Any number of session channels per connection.
  • Supports public key certificates.

SSH1:
  • One monolithic protocol.
  • Exactly one session channel per connection.
  • Does not support public key certificates.

SLIDE 23

Contd….

SSH2:
  • Strong cryptographic integrity check.
  • Periodic replacement of session keys.
  • Authentication is more flexible.

SSH1:
  • Weak CRC32 integrity check.
  • Does not provide a way to change the key for a session.
  • Client tries a sequence of authentication methods.
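
An added example, not from the presentation, of the integrity-check row in the comparison above. CRC32 (the SSH1 check; zlib.crc32 is the same CRC-32 polynomial) is a linear function of the message: the change in the checksum caused by changing message bits depends only on the change, not on the message, and needs no secret to compute, so it cannot tell a receiver who produced a packet. HMAC-SHA-256, a keyed hash of the kind SSH2 uses for its "strong cryptographic integrity check", has no such relation. The messages and key below are constructed.

```python
# Added example: why the CRC32 check is weak and a keyed MAC is not. Inputs are constructed.
import hashlib
import hmac
import zlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_is_linear(a: bytes, b: bytes) -> bool:
    """CRC-32 is affine: crc(a xor b) == crc(a) xor crc(b) xor crc(zeros of the same length).
    This holds for every pair of equal-length messages, so the checksum of an altered message
    follows from the alteration alone, with no key involved."""
    if len(a) != len(b):
        raise ValueError("equal lengths required")
    z = zlib.crc32(bytes(len(a)))
    return zlib.crc32(xor_bytes(a, b)) == zlib.crc32(a) ^ zlib.crc32(b) ^ z


def hmac_is_linear(key: bytes, a: bytes, b: bytes) -> bool:
    """The same relation tested on HMAC-SHA-256. For a keyed cryptographic MAC it fails
    (except with probability about 2^-256): no tag can be derived without the key."""
    def tag(m: bytes) -> bytes:
        return hmac.new(key, m, hashlib.sha256).digest()
    z = tag(bytes(len(a)))
    return tag(xor_bytes(a, b)) == xor_bytes(xor_bytes(tag(a), tag(b)), z)


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """SSH2-style receiver check: recompute the tag under the session key and compare in constant time."""
    return hmac.compare_digest(hmac.new(key, message, hashlib.sha256).digest(), tag)
```

The first function returns True for any two equal-length inputs, which is exactly the property an integrity check must not have; the second returns False, and the receiver's check in `verify_mac` therefore fails for any message whose tag was not produced under the session key.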

SLIDE 24

Conclusion: Threats SSH can't prevent

  • IP and TCP attacks
  • Traffic analysis
  • Covert channels
  • Carelessness