SSH Tricks

1
SSH Tricks

• Matthew G. Marsh

2
Overview

• SSH
• What is it
• How does it work
• Discussion of Network Topology
• Tricks for multiple hosts
• Keys and config files
• MultiHop tricks
• QA

3
SSH

• What is it
• Secure Shell was developed to solve the two most
  acute problems in the Internet, secure remote
  terminal logins and secure file transfers.
• Essentially an encrypted Remote Utilities
  replacement
• How does it work
• Set up and generation of an encrypted TCP
  connection
• Authentication can be Password or PubPriv key
• Yes there are others but that is where the cracks
  are
• Arbitrary TCP ports - WKP 22
• In this session we will concentrate on SSH1 using
  key based authentication

4
Simple Examples

• Two hosts
• 1 has a sshd running on WKP
• 2 has a client
• root_at_2 ssh 1
• root_at_1s password
• This allows root to login remotely using a
  password - BAD!
• Better is to define PermitRootLogin no in the
  sshd_config file

5
Simple Examples

• Two hosts - preshared key
• 1 has a sshd running on WKP
• 2 has a client
• tech_at_2 ssh 1
• tech_at_2
• The way to set this up is as follows
• tech_at_2 ssh-keygen -t rsa1 -f /home/tech/.ssh/key4
  mac1 -N
• tech_at_2 scp .ssh/key4mac1.pub tech_at_1/.ssh/author
  ized_keys
• tech_at_1s password
• tech_at_2 cat gt .ssh/config
• Host 1
• User tech
• Protocol 1
• IdentityFile /home/tech/.ssh/key4mac1
• Hostname 10.1.2.1
• D

6
A wee bit less Simple Examples

• Two hosts - preshared key
• 1 has a sshd running on port 17
• 2 has a client
• tech_at_2 ssh 1
• tech_at_2
• The way to set this up is as follows
• tech_at_2 ssh-keygen -t rsa1 -f /home/tech/.ssh/key4
  mac1 -N
• tech_at_2 scp -P17 .ssh/key4mac1.pub
  tech_at_1/.ssh/authorized_keys
• tech_at_1s password
• tech_at_2 cat gt .ssh/config
• Host 1
• User tech
• Port 17
• Protocol 1
• IdentityFile /home/tech/.ssh/key4mac1
• Hostname 10.1.2.1
• D

7
A wee bit less Simple Examples

• Three hosts - Assume preshared keys
• 1 has sshd running on port 17
• 2 has sshd running on port 27
• tech_at_3 ssh 2 ssh 1
• tech_at_1
• The way to set this up is as follows
• tech_at_3 cat gt .ssh/config
• Host 2
• User tech
• Port 27
• Protocol 1
• IdentityFile /home/tech/.ssh/key4mac2
• Hostname 10.1.2.2
• D
• Note you may need ssh -t 2 ssh -t 1 ...

8
AN4SCD

• Buy a copy of SSH by Daniel J. Barrett
  Richard E. Silverman pub. OReilly (ISBN
  0-596-00011-1)
• Read it
• I use openssl 0.9.7c with openssh
  2.9.9p2-PS2.4.18
• I do not use any other version of SSH
• I use Protocol 1 on purpose
• I use TCP Wrappers w/ IPv6 extensions
• I keep tight controls using TCP Wrappers

9
AN4SCD - 2

• Static Compile methods
• Get the latest openssl
• 1. Compile it static with the /usr/static
  directory target
• ./config --openssldir/usr/static
  --prefix/usr/static no-shared
• 2. Get openssh-2.9.9p2-PS2.4.18
  http//www.paksecured.com
• ./configure --prefix/usr/static
  --with-ssl-dir/usr/static --with-ipaddr-display
  --with-ipv4-default with-tcp-wrappers
• compile it and install
• Edit the sshd config file
• Make sure you also change the paths for the
  keys!!

10
AN4SCD sshd_config

• Port 17
• Protocol 1
• ListenAddress 192.168.1.1
• HostKey /usr/static//etc/ssh_host_key
• KeyRegenerationInterval 3600
• ServerKeyBits 768
• SyslogFacility AUTH
• LogLevel INFO
• LoginGraceTime 600
• PermitRootLogin no
• StrictModes yes
• RSAAuthentication yes
• PubkeyAuthentication yes
• RhostsAuthentication no
• IgnoreRhosts yes
• RhostsRSAAuthentication no
• PasswordAuthentication yes
• PermitEmptyPasswords no
• ChallengeResponseAuthentication no

11
Fun Examples - 1

• Using commands attached to keys
• On the server define a command in the
  authorized_keys file associated with a key
• Format is commandmy/command/stringkey data
• EX
• command/bin/ls -al /logsABCDEF1234567
• Then ssh with the appropriate key will only allow
  you to execute this command.
• Note that this is per key so

12
Fun Examples 1A

• Each connection performs a different function
• command/bin/tar C /var zc logs/1024 35
  14011271974199576039639923107445413095443837472597
  34516089771188967767458939385504290626639723367553
  52093456208519164097137651780560357432366574014563
  97953787690189347836390721132781316957494747764442
  37515391657324013921180513478445898911260784215908
  46523123481112885029800203382369752603047612281250
  015390957 mgm_at_mgmlap.paksecured.org
• command/bin/tar C / zc etc/1024 35
  22011271974199576039639923107445413095443837472597
  34516089771188967767458939385504290626639313208519
  16409713765178056037233675531699057432366574014563
  97953787690189347836390721132781316957494747764442
  37515391657324013921180513478445898911260784215908
  46523123481112885029800203382369752603047612281250
  015390957 mgm_at_mgmlap.paksecured.org
• command/bin/tar C /home zc mgm/mail/1024 35
  23011271974199576039639923107445413095443837472597
  34516089771188967767458939385504290626639723367553
  16990313209800203382369752603085191640971376517805
  60357432366574014563979537876901893478363907211327
  81316957494747764442375153916573240139211805134784
  45898911260784215908465231234811128850247612281250
  015390957 mgm_at_mgmlap.paksecured.org
• First one is keytar1
• Second one is keytar2
• Third one is keytar3

13
Fun Examples 1B

• Assuming we have setup the config file then
• ssh 1 tar zxv
• Will generate a copy including timestamps and
  permissions of the logs/ directory
• ssh 2 tar zxv
• Will generate a backup copy of our remote etc/
  directory (assuming we have permission)

14
Fun Examples - 2

• MultiBounce Sessions
• Using the three hosts example from earlier
• Consider
• ssh 1 ssh 2 /bin/tar -C /home -zc myhomedir/
  tar -zxv
• ssh 1 ssh 2 ssh 3 /bin/tar -C /home -zc
  myhomedir/ tar -zxv
• Note that there are limits

15
Q A
16
This is The