An Overview of Secure Shell - PowerPoint PPT Presentation

1 / 24
About This Presentation
Title:

An Overview of Secure Shell

Description:

Run as a subsystem of the connection, name is sftp' After a channel is opened, activate sftp server by 'starting a shell or command'. 13 ... – PowerPoint PPT presentation

Number of Views:108
Avg rating:3.0/5.0
Slides: 25
Provided by: xuka1
Learn more at: http://www.wildbill.org
Category:

less

Transcript and Presenter's Notes

Title: An Overview of Secure Shell


1
An Overview of Secure Shell
2
Secure Shell
  • A replacement for telnet, rlogin, etc.
  • Developed in 1995 by Tatu Ylönen from Espoo,
    Finland
  • Commercialized in 1998 by SSH Communications
    Security
  • OpenSSH was created by the OpenBSD team as an
    open alternative to SSH
  • http//www.openssh.org

3
Open SSH Features
  • Open Source Project
  • Free Licensing
  • Strong Encryption (3DES, Blowfish, AES, Arcfour)
  • X11 Forwarding (encrypt X Window System traffic)
  • Port Forwarding (encrypted channels for legacy
    protocols)

4
Open SSH Features
  • Strong Authentication
  • Agent Forwarding (Single-Sign-On)
  • Interoperability (Compliance with SSH 1.3, 1.5,
    and 2.0 protocol Standards)
  • SFTP client and server support in both SSH1 and
    SSH2 protocols.
  • Kerberos and AFS Ticket Passing
  • Data Compression

5
SSH services/functionality
  • Services
  • Confidentiality
  • Integrity
  • Authentication
  • Functionality
  • Secure command shell (remote execution of
    commands)
  • Secure file transfer
  • Data tunneling for TCP/IP applications (TCP port
    forwarding)

6
Major SSH components
  • SSH Transport Layer Protocol
  • provides server authentication, confidentiality,
    and integrity services
  • it may provide compression too
  • runs on top of any reliable transport layer
    (e.g., TCP)
  • SSH User Authentication Protocol
  • provides client-side user authentication
  • runs on top of the SSH Transport Layer Protocol

7
Major SSH components (Cont)
  • SSH Connection Protocol
  • multiplexes the secure tunnel provided by the SSH
    Transport Layer and User Authentication Protocols
    into several logical channels
  • these logical channels can be used for a wide
    range of purposes
  • secure interactive shell sessions
  • TCP port forwarding
  • carrying X11 connections

8
SSH security features
  • strong algorithms
  • uses well established strong algorithms for
    encryption, integrity, key exchange, and public
    key management
  • large key size
  • requires encryption to be used with at least 128
    bit keys
  • supports larger keys too

9
SSH security features (Cont)
  • algorithm negotiation
  • encryption, integrity, key exchange, and public
    key algorithms are negotiated
  • it is easy to switch to some other algorithm
    without modifying the base protocol

10
Supported Algorithms/Encryption
  • 3des
  • blowfish
  • twofish256 / twofish192 / twofish128
  • aes256 / aes192 / aes128
  • serpent256 / serpent192 / serpent128
  • arcfour (RC4)
  • idea / cast128

11
SSH TLP Overview
client
server
TCP connection setup
SSH version string exchange
SSH key exchange (includes algorithm negotiation)
SSH Transport Layer Protocol
SSH data exchange
termination of the TCP connection
12
SFTP (secure file transport protocol)
  • runs over a secure channel
  • Server and client are inter-authenticated
  • The channel will support encryption and integrity
  • Run in request-response mode
  • Independent from other SSH protocols
  • may run on top of other secure protocols, e.g.,
    TLS
  • Current use with the SSH Connection Protocol
  • Run as a subsystem of the connection, name is
    sftp
  • After a channel is opened, activate sftp server
    by starting a shell or command.

13
Transport layer protocol
  • Client initiates connection to the server
  • Identification string exchange
  • Algorithms exchange
  • Key exchanges include host key sent to client
  • Diffie-Hellman key exchange
  • Client selects a random session key

14
User Authentication Protocol
  • the protocol assumes that the underlying
    transport protocol provides integrity and
    confidentiality (e.g., SSH Transport Layer
    Protocol)
  • the protocol has access to the session ID
  • the server should have a timeout for
    authentication and disconnect if the
    authentication has not been accepted within the
    timeout period
  • recommended value is 10 minutes

SSH User Authentication Protocol
15
User Authentication Protocol
  • the server should limit the number of failed
    authentication attempts a client may perform in a
    single session
  • recommended value is 20 attempts
  • three authentication methods are supported
  • publickey
  • password
  • hostbased

16
User authentication overview
client
server
SSH_MSG_USERAUTH_REQUEST
SSH_MSG_USERAUTH_FAILURE (further authentication
needed)
SSH_MSG_USERAUTH_REQUEST
SSH User Authentication Protocol
SSH_MSG_USERAUTH_FAILURE (further authentication
needed)

SSH_MSG_USERAUTH_REQUEST
SSH_MSG_USERAUTH_SUCCESS
17
SSH attacks
  • Man-in-the-middle
  • How does a client verify the host key?
  • Check local database
  • If exist, the server is authenticated, connection
    is established
  • If not exist, currently let user determine
  • (because public certificates are not used widely)
  • Build connection with saving the server host key
  • Build connection without saving.
  • Therefore there exists a possibility of
    man-in-the-middle attack.
  • Denial of service
  • Attacker sets up many connections without user
    authentication.

18
Tunneling
  • A mechanism to encapsulate a message/packet
    within another message/packet and transfer
    through a network without touching the internal
    message/packet.
  • Analogy to English Channel (railway tunneling)
  • Typical scenario for Tunneling
  • Two same networks connected by a different
    network
  • Multicast backbone
  • Mobile host moves out of its home area
  • IPSec tunneling mode
  • SSH port forwarding

19
  • Application streams are tunneled over Secure
    Shell by forwarding individual TCP ports.
  • When a local port is forwarded the ssh client
    listens on the specified port on the local host.
  • The ssh server opens a TCP connection to the
    remote host where the server application is
    actually running.
  • localhost refers to the application client's host
  • remotehost refers to the application server's
    host
  • Privileged ports can only be forwarded by root

20
Local Port Forwarding
21
How to make it happen
  • On host-1 type the following
  • ssh l 2525localhost25 host-2
  • You will then receive a login prompt from host-2
  • As long as this connection is up all traffic
    hitting host-1 on port 2525 will be forwarded to
    host-2 via secure shell and port 22 to port
    localhost port 25 on host-2

22
Class Exercise
  • Team up into pairs and exchange IP addresses
  • Create accounts for each other if the do not
    exist and password protect them
  • Verify you have smtp (sendmail) running on each
    server. If not let me know.
  • Verify you have the telnet client installed on
    each server.
  • Ready?

23
Class Exercise
  • We will call the destination server host
  • At the shell prompt type
  • ssh L 2525localhost25 ltusergt_at_lthostgt
  • Where lthostgt is the IP address of your partners
    server
  • Now test the connection. On your server type
  • telnet localhost 25

24
Another Example
  • Using the remote -R switch
  • ssh R 8080there.com80 there.com
  • Anyone connecting to www.here.com on port 8080
    will be forwarded down the ssh tunnel to the
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "An Overview of Secure Shell" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!