SSHv2 Training

1
SSHv2 Training

• David J. Bianco
• UNIX Systems Team
• ltbianco_at_jlab.orggt

2
Table of Contents

• Upgrade FAQs
• What is changing?
• Why is this happening?
• How will this affect me?
• What do I need to do?

3
Table of Contents

• Working with SSHv2
• Logging in to Other Systems
• Copying Files Between Systems
• Public Key Cryptography
• Creating a Keypair
• Changing Your Passphrase
• Logging in With a Key

4
Table of Contents

• Using the SSH Agent
• Using the Agent Interactively
• Integrating the Agent with the Linux GUI
• Summary Questions

5
Upgrade FAQs
6
What is Changing?

• All CC-managed hosts will require clients to
  connect with SSH protocol v2
• SSH client on CUE machines will be reconfigured
  with Protocol 2 as the default
• Software version will not change
• This will happen at 500PM, Monday August 23rd.
• We've required Internet users to login with SSHv2
  for 2 years now

7
Why is this happening?

• SSH1 is older, slower protocol with significant
  security problems
• SSH2 is the newest, most efficient protocol
• Resolves all known weaknesses in SSH1 security
• IETF standard
• SSH1 hardcodes most of its cryptography
• SSH2 negotiates cryptographic algorithms at
  runtime
• Makes it easier to use internationally

8
How will this affect me?

• Day-to-day life probably wont change much
• Most common tasks will be unaffected
• ssh hostname
• ssh hostname ls /some/remote/directory
• ssh l user hostname
• ssh user_at_hostname
• scp /home/user/myfile hostname/local/myfile

9
What do I need to do?

• Maybe nothing
• If you are using password-based login, you need
  do nothing
• Windows users Just upgrade to the latest PuTTY
  in JLAB CUE
• If you are using key-based login
• Keys created with -t dsa in the last couple of
  years are already SSHv2
• If you have older keys, you will need to create a
  new set

10
What do I need to do?

• You can start using the new settings immediately
  if you like
• Just add Protocol 2 to your /.ssh/config file

11
Working With SSHv2
12
Logging in to Other Systems

• Login to host using the same user ID as on the
  local system
• ssh host
• Login to host using a different user ID
• ssh l user host
• ssh user_at_host

13
Copying Files to Other Systems

• Copy a file to a remote system
• scp /home/user/file1.txt host/tmp/file1.txt
• scp /home/user/file2.txt host/tmp
• Copy a file from a remote system
• scp host/tmp/file3.txt /home/user
• scp host/tmp/file4.txt .
• Copy a file between two remote systems
• scp host1/tmp/file5.txt host2/tmp

jlabs2/home/jdoegt scp ks.cfg jlabs1/tmp jdoe_at_jla
bs1s password ltType password heregt ks.cfg
100 12KB 0.0KB/s 0000
14
Public Key Cryptography

• SSH uses Public Key Cryptography to
• Prove identity of servers to clients (so you know
  to whom you are connecting)
• Prove identity of users to servers (logging you
  in)
• Each host and each user has a private key and a
  public key (a keypair)
• Public keys are intended to be distributed to
  others
• CC maintains a list of public keys for central
  hosts
• Users distribute their public keys to machines
  theyd like to log into

15
Public Key Cryptography

• Private keys are always secret
• Anyone who can access your private key can log in
  as you!
• You should set a passphrase on your private key
• This is like a password, but can be longer and
  usually isnt just one word
• Private key is encrypted with this passphrase
• If no one knows the passphrase, they cant access
  your private key

16
Creating a Keypair

• Use ssh-keygen t dsa command
• Be sure to give your key a passphrase!
• Good passphrases are multiple words, perhaps a
  sentence
• Can even use your JLab password, or something
  just as strong

jlabl1gt ssh-keygen -t dsa Generating
public/private dsa key pair. Enter file in which
to save the key (/home/jdoe/.ssh/id_dsa) Enter
passphrase (empty for no passphrase)ltYOUR
PASSPHRASE HEREgt Enter same passphrase
againltYOUR PASSPHRASE HEREgt Your identification
has been saved in /home/jdoe/.ssh/id_dsa. Your
public key has been saved in /home/jdoe/.ssh/id_ds
a.pub. The key fingerprint is 3082ab43e911c
b7ed6b18393623eeeda jdoe_at_jlabl1.jlab.org
17
Changing Your Passphrase

• Changing your passphrase is easy, though somewhat
  clunky
• Use ssh-keygen -p -t dsa

jlabl1gt ssh-keygen -p -t dsa Enter file in which
the key is (/home/jdoe/.ssh/id_dsa) Enter old
passphraseltYOUR OLD PASSPHRASEgt Key has comment
'/home/jdoe/.ssh/id_dsa' Enter new passphrase
(empty for no passphrase)ltYOUR NEW
PASSPHRASEgt Enter same passphrase againltYOUR NEW
PASSPHRASEgt Your identification has been saved
with the new passphrase.
18
Logging in With a Key

• Two steps necessary
• Tell the client
• Tell the server
• Tell the client
• Lets the client know which private key to try to
  log in with

19
Logging in With a Key

• Tell the server
• /.ssh/authorized_keys lists the public keys that
  go with the private keys the client is allowed to
  use to log in to your account
• Distribute this file to any non-CUE machine you
  need to log into with SSH
• Anyone with the right private key can log in as
  you
• Remember to use a passphrase when you create the
  key!

jlabl1gt cd /.ssh jlabl1gt cat id_dsa.pub gtgt
authorized_keys
20
Logging in With a Key

• When you log in, you should now be prompted for a
  passphrase instead of a password

jlabl1gt ssh jlabs1 Enter passphrase for key
'/home/jdoe/.ssh/id_dsa' ltPASSPHRASEgt login
messages jlabs1gt
21
Using the SSH Agent
22
SSH Login Annoyances

• SSH is great, but its annoying to have to type
  your password/passphrase every time you log in,
  run a remote command or copy some files across
  the network.
• SSH doesnt allow /.rhosts functionality for
  security reasons.
• Passphrase-less keys are quite insecure and not
  recommended practice.
• Can users log in securely without typing their
  password all the time?

23
The SSH Agent

• The agent solves these problems
• Only available for key-based login, however
• You authenticate once to the agent at the
  beginning of your session
• The agent holds your SSH private keys in memory
  and provides them to ssh and scp commands when
  necessary
• You dont have to unlock them each time
• Agent goes away when you log out so unlocked keys
  are never stored on disk

24
Preparing To Use The Agent

• First, get key-based login working
• Distribute your public key to all non-CUE hosts
  you need to log into
• CUE hosts all share your home directory so the
  key is already there
• scp p /.ssh/authorized_keys remotehost/home/ltus
  ernamegt/.ssh
• Use normal SSH and make sure youre prompted for
  a passphrase and not a password

25
Using the Agent Interactively

• Run ssh-agent c to start the agent
• Will print some output that you need to type into
  the same shell or cut-n-paste
• Save yourself some typing and do it the clever
  way
• Now other commands in the same window will be
  able to use the agent

jlabs2/home/jdoegt ssh-agent -c setenv
SSH2_AUTH_SOCK /tmp/ssh-jdoe/ssh2-8765-agent sete
nv SSH2_AGENT_PID 8766 echo Agent pid 8766
jlabl1/home/jdoegt eval ssh-agent c Agent pid
8766
26
Logging In To The Agent

• Use the ssh-add command to authenticate
  yourself to the agent
• After you do this, you wont need to log in with
  SSH or scp!

jlabl1/home/jdoegt ssh-add Enter passphrase for
/home/jdoe/.ssh/id_dsa ltPASSPHRASEgt Identity
added /home/jdoe/.ssh/id_dsa jlabl1/home/jdoegt
ssh-add -l 2048 6eef22a483a198392244572
12ceed333 /home/jdoe/.ssh/id_dsa
(DSA) jlabl1/home/jdoegt ssh jlabs1 login
proceeds normally without a password jlabs1/home
/jdoegt
27
Using the Agent in a GUI

• Starting the agent in a single window is OK for
  testing, but not useful for real work
• Why not integrate with your window environment so
  all windows can take advantage of it?
• This is supported under Linux
• Also possible under Solaris HP-UX, but not
  documented by the Computer Center

28
Linux GUI Agent Config

• Run switchdesk to create your /.Xclients and
  /.Xclients-default files
• Be sure to choose the window environment youre
  already using
• Probably Gnome unless you know differently

29
Linux GUI Agent Config

• Edit your /.Xclients-default file
• Make it look something like the example
• gnome-session may be something else, like
  start-kde depending on which windowing
  environment you use

Created by Red Hat Desktop Switcher exec
ssh-agent gnome-session
30
Linux GUI Agent Config

• Log out and use the login dialog box to tell
  Linux to use your new startup files
• Change your session type to default
• If you log in at the console of several Linux
  machines, you may need to do this at all of them
• Get in the habit when not at your own desktop
• Log back in again

31
Linux GUI Agent Config

• Check to see if your agent is running
• Make sure your environment variables were set
  properly

jlabl1/home/jdoegt ps -auxww grep -i agent jdoe
6888 0.0 0.2 2784 1080 ? S 1008 000
ssh-agent gnome-session
jlabs2/home/jdoegt setenv grep
SSH SSH2_AUTH_SOCK/tmp/ssh-jdoe/ssh2-8770-agent S
SH2_AGENT_PID8771
32
Linux GUI Agent Config

• Authenticate to the agent
• Try to log in somewhere

jlabl1/home/jdoegt ssh-add Enter passphrase for
/home/jdoe/.ssh/id_dsa ltPASSPHRASEgt Identity
added /home/jdoe/.ssh/id_dsa jlabl1/home/jdoegt
ssh-add -l 2048 6eef22a483a198392244572
12ceed333 /home/jdoe/.ssh/id_dsa
(DSA) jlabl1/home/jdoegt ssh jlabs1 login
proceeds normally without a password jlabs1/home
/jdoegt
jlabl1/home/jdoegt ssh jlabs1 login proceeds
normally without a password jlabs1/home/jdoegt
33
Summary
34
Summary

• All CC managed hosts will be converting to SSH v2
  at 500PM on August 23rd
• Day-to-day operations wont change much
• New client performs most common operations
  exactly like the old client
• Create SSHv2 keys with ssh-keygen -t dsa
• Change your key passphrase with ssh-kgent -p -t
  dsa

35
Summary

• You can avoid having to type your
  password/passphrase all the time by using the SSH
  Agent
• Requires key-based logins
• Always use a passphrase for your private key to
  protect your account!
• Can be run interactively or integrated with your
  GUI

36
Questions?

• David J. Bianco
• UNIX Systems Team
• ltbianco_at_jlab.orggt