15th meeting

From BLUG

Topic: Secure SHell & You
Presenter: Mark Krenz

Date: Tuesday, January 10th, 2006
Time: 7-9pm
Location: Monroe County Public Library room 1B

Attendance: 14 (with 7 new people)

Synopsis

Mark Krenz will be giving a presentation about Secure SHell (SSH) and its many uses. This presentation will go far beyond the basics of how to make a connection and will talk about the following:

• Overview of SSH
• How the encryption works
• Security considerations
• Using ssh-agent for automatic login to hosts
• Make TCP tunnels for forwarding ports
• How to do dynamic port forwarding with -D (SOCKS5)
• VPN-like functionality using SSH
• X Windows connection forwarding (for running GUI programs remotely)
• Using the ssh command line and escapes
• Controlling root logins
• Using iptables to slow rapid SSH connection attempts from internet worms
• Using your local ~/.ssh/config file
• Useful options you can set in the authorized_keys file
• Using ssh in a command pipeline for sending data
• Using secure copy (scp)

SSH is a cornerstone of a networked linux environment and we think anyone using Linux should have a good working knowledge of SSH and its features. There will be useful handout sheets that you can use as a reference and he'll try to have some nice graphics and even explain how encryption works at an algorithmic level.

If there is anything else about SSH that you would like to see as part of this presentation, please don't hesitate to let me know. Mark welcomes your input. Just write to him at mark@slugbug.org

Post meeting summary

Even though it rained, 14 people showed up including 7 new people and 2 guys from Columbus and Seymor. A lot of people were interested in SSH specifically. Mark talked presented for about 1 hour and 45 minutes about different SSH topics and covered almost all of the topics above. Most of the information that was presented can be found on the following page:

http://www.suso.org/docs/shell/ssh.sdf

Mark actually did this presentation to prepare a revision of the above document, which is one of the top tutorials on SSH on the web. Search for "SSH Linux" or "SSH Tutorial" on google and it is usually in the top 10 results.

Other information that Mark presented is documented below

SSH other topics

The following topics are things I discussed but have not covered in the document on suso.org.

How encryption works (in a very small nutshell)

How encryption works is worthy of a whole other presentation just to explain the basics and prerequisites, let alone explaining how something like the RSA encryption algorithm works. However, here is a simple example that will give you a taste of how some encryption techniques work.

In mathematics, there is a function called modulus that gives you the remainder after division. Its commonly notated as mod() in computer programming. For example, the mod(3,5) is 3, mod(6,5) is 1, mod(25,5) is 0. Basically, whatever is left over after doing the division of the first number by the second number.

Now if you imagine the alphabet and all of its 26 letters being numbered from 1 to 26. a is 1, b is 2.......x is 24, y is 25 and z is 26.

Now let's make a sentence to encrypt.

How about

 linux is the best os

Now to do the encryption we need a key, which is what is used to encrypt and decrypt the data. In this case it is simply a string of characters that makes a word.

 windows

Now we number the letters in each string of characters. In this case let's make the space ' ' a 27th character in the alphabet.

l = 12
i = 9
n = 14
u = 21
x = 24
  = 27
i = 9
s = 19
  = 27
t = 20
h = 8
e = 5
  = 27
b = 2
e = 5
s = 19
t = 20
  = 27
o = 15
s = 19

And the key

w = 23
i = 9
n = 14
d = 4
o = 15
w = 23
s = 19

Now doing the encryption is simply a matter of applying the key over the string and repeating when we run out of characters in the key. Then for each character we do a mod(27,s+k) where s is the numerical value of the character in the string and k is the numerical value of the character in the key. Then for each numeric result, we assign a letter according to the number in the same fashion we did for the string and the key, and we get this:

l=12 + w=23 = (35 mod 27) =  8 -> h
i=9  + i=9  = (18 mod 27) = 18 -> r
n=14 + n=14 = (28 mod 27) =  1 -> a
u=21 + d=4  = (25 mod 27) = 25 -> y
x=24 + o=15 = (39 mod 27) = 12 -> l
 =27 + w=23 = (50 mod 27) = 23 -> w
i=9  + s=19 = (28 mod 27) =  1 -> a
s=19 + w=23 = (42 mod 27) = 15 -> o
 =27 + i=9  = (38 mod 27) = 11 -> k
t=20 + n=14 = (34 mod 27) =  7 -> g
h=8  + d=4  = (12 mod 27) = 12 -> l
e=5  + o=15 = (20 mod 27) = 20 -> t
 =27 + w=23 = (50 mod 27) = 23 -> w
b=2  + s=19 = (21 mod 27) = 21 -> u
e=5  + w=23 = (28 mod 27) =  1 -> a
s=19 + i=9  = (28 mod 27) =  1 -> a
t=20 + n=14 = (34 mod 27) =  7 -> g
 =27 + d=4  = (31 mod 27) =  4 -> d
o=15 + o=15 = (30 mod 27) =  3 -> c
s=19 + w=23 = (42 mod 27) = 15 -> o

or

hraylwaokgltwuaagdco

So the whole operation looks something like this

  "linux is the best os"
+ "windowswindowswindow" mod 27
------------------------------
= "hraylwaokgltwuaagdco"

Then to decrypt, someone needs to have the same key 'windows' and do the operation in reverse. You can also crack encryption using a variety of techniques, one of the most common being done through the frequency of letters in the English language. For instance, the letter 'e' is the most common letter used in English. The important thing is to use a good long key and keep it secret.

Again, this is very simple. But I think it illustrates the concept.

See if you can crack this encrypted string:

egi 

Or these:

hpg

uqccgcptcoqwavradh

epdposcnranwznprawkyaubanbeggvtrctbsuznovktswsnhmxwlkijdzcwbgzfgzvanbodwewmmjk

If you crack them, put the results and your name on the talk page for this article.

Here is simple program I wrote in perl that encrypts a string using a key that you supply.

Using the ssh command line and escapes

Did you know that you can control your ssh client while you are logged in to a host? Using the ~ (tilde) followed by several different characters you can do a few different useful things:

~.  Disconnect by closing the client side process (instead of the server side shell)
~C  Open command line.  Currently this allows the addition of port forwardings using the -L and -R options (see below).  It also
~#  List forwarded connections.
~R  Request rekeying of the connection (only useful for SSH protocol version 2 and if the peer supports it).
~?  Display a list of escape characters.

Useful options you can set in the authorized_keys file

You can put certain options in front of your key in an authorized_keys file on the server.

 from="hostname"  This limits access so that only the user logging in from "hostname" with the right key can login.
 command="path/to/command" this is discussed below.

Controlling root logins

On the server, you can use the directive PermitRootLogin to turn on the ability to login directly as root or not. There is also another option for that directive called 'forced-commands-only' that allows root logins, but forces the login session to run a specific command that is specified in the authorized_keys file. Like this:

from="special.host.name.com",command="/usr/local/bin/backup.sh" ssh-rsa AAAAB3NzaC1y......

And then usually you would create a special key for root that has an empty passphrase. That way even if someone else gets the key file, they are only allowed to run one specific command.

Using iptables to slow rapid SSH connection attempts from internet worms

In early 2005 I started to receive large numbers of SSH connection attempts to some of my suso.org servers from a series of internet worms that were making their way around. Below is a graph I made plotting the number of connection attempts per day over about a 110 day period.

The real problem was that these worms would open a connection and leave it open for a while and try common usernames with a variety of passwords, which ended up causing outages of SSH for legitimate users.

So I needed a solution and fast. I found a module for iptables called hashlimit. The hashlimit module keeps track of how many recent connections (SYN packets) a client has made to a specific port and keeps that in a database file in /proc/net/ipt_hashlimit. You can then control how many connections a specific IP address can make in a period of time. For instance, below is a set of rules that limits clients to 4 connections per minute. After exceeding this, the client is denied access for 600 seconds (10 minutes).

/sbin/iptables -A INPUT -p tcp -i eth0 --syn --dport 22 -m hashlimit --hashlimit-name SSH --hashlimit 4/minute \
  --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-htable-expire 600000 -j ACCEPT

The --hashlimit-htable-expire option specifies the number of milliseconds before a denied address is removed from the list. This actually works quite well and legitimate users run into this limit very seldomly.

Using ssh in a command pipeline for sending data

A colleage of mine where I work once had to copy the contents of an old server with a hardware problem over to a replacement server with an identical hard drive configuration. To transfer the data he used one of the coolest uses of ssh in a pipeline I've ever seen. It was something like this:

dd if=/dev/sda | ssh username@new.host.name dd of=/dev/sda

So in this case, ssh becomes a sort of network transparent 'cat' program.