CHAPTER 2

A Quick SSH Implementation

The theory and history of SSH have been documented in technical journals, magazines, books, and Internet blogs. The goal of this chapter is not to make you an SSH historian, but to get you running with SSH as early as possible.
This chapter will cover the following:
• A brief introduction to SSH
• Installing/compiling OpenSSH
• Troubleshooting
• A quick look at some client tools
A Brief Introduction to SSH
Secure Shell (SSH) is an encrypted connectivity protocol utilized by users, administrators, and applications for secure interaction and system maintenance. SSH has advantages over traditional communication services, such as telnetd, ftpd, rshd, and rlogind, normally included with UNIX and UNIX-like systems. SSH provides a deeper level of authentication than the previously mentioned daemons do. The SSH daemon accepts usernames and passwords, but it also prevents a man-in-the-middle (MITM) attack by authenticating the host. Man-in-the-middle attacks appear in many areas of technical security. The premise of a man-in-the-middle attack is that the attacker sits between client and server, pretending to be the server while talking to the client, and pretending to be the client while talking to the server. For example, using rlogin, I could connect to host John from host Ringo. However, if someone is able to spoof the IP address of John, Ringo will not know it. This allows the rogue John server to obtain the critical information I was intending to pass to the real machine named John. A basic illustration of this is provided in Figure 2-1.
Figure 2-1. An example of a man-in-the-middle attack via IP spoofing
With an understanding of what a man-in-the-middle attack is, you must wonder how such an occurrence can be prevented. If you were somehow able to validate that the host you are transferring data with is the host you expect, IP spoofing becomes a worry of the past. SSH provides this functionality through its use of keys. SSH uses keys in an asymmetric algorithm to prove that each host is the expected host.
Asymmetric encryption (also known as public key) algorithms have two pieces, a public key and a private key, whereas symmetric encryption algorithms have only one key. The private key of your key pair should be protected as you would protect your credit card numbers, house keys, etc. The public key, on the other hand, is just that—public. Anyone can have it, because without its companion private key, a public key is unable to cryptographically unlock a message encrypted using the public key.
Imagine that the public key is a mailbox on the sidewalk. People know the location of it
and can drop letters in, but only authorized persons (the post office workers) have the private
key to open it.
In the case of SSH, I know (or can obtain) the host’s advertised public key. When my message is sent encrypted with the host’s public key, only the host holding the matching private key can unlock it. When the validation process is complete, I am assured that this host has the key pair I expected, and I can begin transferring my data.
While key exchange might sound complicated, it takes place mostly under the hood in SSH technologies. The first time you connect to a host via SSH, you will be asked whether you want to add the host’s public key to your inventory of known keys. This is where your client first trusts the host and sets up the host key exchange.
For example, if a connection is attempted to the machine www from the workstation rack and the host key has not already been cached (trusted), the following message is displayed:

stahnke@rack: ~> ssh www
The authenticity of host 'www (192.168.1.109)' can't be established.
RSA key fingerprint is d9:2f:0d:72:a9:cb:5d:07:e6:23:23:e5:cb:ba:35:3f.
Are you sure you want to continue connecting (yes/no)?
To verify that this is indeed the host it is thought to be, a simple command can be run from the host. This can be done on the console or through another connectivity protocol if it is thought to be secure.
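As an added example that is not part of the book, the following Python code performs the comparison behind that verification step: it derives the fingerprint from the server's own public host key line (the same derivation ssh-keygen -l prints on the server) in both the colon-separated MD5 style shown in the prompt above and the SHA256 style printed by current clients, then checks it against what the client displayed. The sample key blob is constructed for illustration and is not a real key.

```python
import base64
import hashlib
import struct

def parse_pubkey_line(line):
    """Split an OpenSSH public key line ('ssh-rsa AAAA... comment') into
    (key_type, raw_blob); the blob is the base64 payload in SSH wire format."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    # The first wire-format string in the blob must repeat the declared type;
    # a mismatch means the file is corrupt or has been hand-edited.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != key_type.encode():
        raise ValueError("key type inside blob does not match declared type")
    return key_type, blob

def fingerprint_md5(blob):
    """Legacy style shown in the chapter's prompt: 16 colon-separated hex bytes."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def fingerprint_sha256(blob):
    """Style printed by current clients: 'SHA256:' + unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def matches_prompt(pubkey_line, shown_fingerprint):
    """True if the fingerprint in the client's first-connect prompt equals the one
    derived from the server's own host key file, in either fingerprint style."""
    _, blob = parse_pubkey_line(pubkey_line)
    shown = shown_fingerprint.strip()
    if shown.startswith("SHA256:"):
        return shown == fingerprint_sha256(blob)
    shown = shown.replace("MD5:", "", 1).lower()
    return shown == fingerprint_md5(blob)

def _wire_string(data):
    return struct.pack(">I", len(data)) + data

# Constructed sample: a syntactically valid ssh-rsa blob with a toy exponent and
# modulus. It is not a real key; it only exercises the parsing and hashing path.
SAMPLE_BLOB = _wire_string(b"ssh-rsa") + _wire_string(b"\x01\x00\x01") + _wire_string(b"\x00\xc3\x5a\x17")
SAMPLE_KEY_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " root@www"
# Fingerprint quoted in the chapter's prompt; it belongs to some other key, so it must not match.
CHAPTER_PROMPT_FP = "d9:2f:0d:72:a9:cb:5d:07:e6:23:23:e5:cb:ba:35:3f"

if __name__ == "__main__":
    print(fingerprint_md5(SAMPLE_BLOB), matches_prompt(SAMPLE_KEY_LINE, CHAPTER_PROMPT_FP))
```

In practice the key line comes from the public host key file on the server and the shown fingerprint is copied from the client's prompt; a False result means the connection should not be continued.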