Version 3 August 2005
SSH Explained
Chris Wong
ITSA Newfdawg - IT Security & Auditing cwong@ 425 260-6501
Copyright 2004 ITSA Newfdawg, LLC
The history of SSH
• Protocols for encrypting network traffic, developed in 1995 by Tatu Ylönen
• Released in July 1995 to the public
• SSH Communications Security (SCS) founded in December 1995
• SSH-2 released in 1996 by SCS
• 1998: SCS releases SSH-2 based on IETF SSH-2 protocol (Feb. 1997). Commercial product, free only to non-profits & edu. Others continued to use SSH-1
• 2000: SCS extends free use to Linux, NetBSD, FreeBSD, and OpenBSD
While Tatu Ylönen was working as a researcher at the Helsinki University of Technology, the university's network was compromised by a password-sniffing attack. He developed SSH1 to stop passwords from being sent across the network in clear text, which defeats password-sniffing attacks.
The history of OpenSSH
• Based on the last free release of SSH 1.2.12
• Markus Friedl
• Supports both SSH-1 and SSH-2 in one set of programs.
• Free set of tools based on the SSH protocols.
• What is SCS now?
  - SSH Communications Security, Ltd.
  - "A world-leading developer of managed security middleware"
  - Variety of products including SSH-client for Windows (98/NT/ME/2000/XP), IBM AIX, Linux, Solaris, & HP-UX 10.20 & 11x
  - Support for end-to-end mixed environments
"OpenSSH is primarily developed by the OpenBSD Project, and its first inclusion into an operating system was in OpenBSD 2.6. The software is developed outside the USA, using code from roughly 10 countries, and is freely useable and re-useable by everyone under a BSD license. Managing the distribution of OpenSSH is split into two teams. One team does strictly OpenBSD-based development, aiming to produce code that is as clean, simple, and secure as possible. We believe that simplicity without the portability "goop" allows for better code quality control and easier review. The other team then takes the clean version and makes it portable, by adding the portability "goop" so that it will run on many operating systems (these are known as the p releases, and named like "OpenSSH 3.3p1"). Please click on the provided link for your operating system." From:
Why HP Secure Shell?
• Supported & pre-packaged
  - A.04.0.00 (based on OpenSSH 4.0p1)
• Why not use HP-SSH?
  - Running pre 11x
  - Want the latest version of OpenSSH
  - Have time/ability to compile & troubleshoot
  - Want end-to-end support (SCS) $$
[Figure: HP-SSH and the libraries it is built with: TCPWrappers v7.6, OpenSSL 0.9.7e, Zlib v1.2.2]
HP-SSH is easily installed using swinstall. If you have an existing HP-UX support agreement, support is free for HP-SSH. HP-SSH 4.0 is built with these libraries:
  - zlib v1.2.2
  - OpenSSL v0.9.7e
  - TCPWrappers v7.6
Without SSH
[Figure, Traffic: HP-UX hosts Dopey, Sleepy and Doc, with the links between them labelled "clear text"]
[Figure, Authentication: PAM with Kerberos, LDAP and UNIX modules; NSSWITCH.CONF with Files, NIS+ and NIS]
If SSH is not used, the traffic between client and server is sent in the clear. The same is true of traffic between servers. Notes on the following page detail the difference between a packet sent in clear text and one that is encrypted. Solutions such as IPSec work for encrypting the data between servers but may not be available at the client level. IPSec itself is easy to implement; however, updating the keys is not simple.
If you are running HP-UX 10.30 or higher, you are using PAM (Pluggable Authentication Modules) for authentication. However, PAM uses the UNIX module by default, so you wouldn't notice any difference. The UNIX module looks at the entries in /etc/nsswitch.conf to determine how to perform the authentication. These types of authentication methods rely on a single hashed password, either stored on each server or centralized.
Why Secure Shell?
telnet, rlogin, ftp, rcp, remsh → ssh, slogin, sftp, scp
Sarbanes-Oxley issues: Trusted Path
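
The clear-text tools listed above (telnet, rlogin, ftp, rcp, remsh) are normally served from inetd, so replacing them starts with finding which are still enabled. The following is an added example, not part of the original slides: it scans an inetd.conf and names the SSH replacement for each enabled clear-text service. The function names are hypothetical and the sample entries are constructed in HP-UX layout.

```shell
#!/bin/sh
# Added example: audit inetd.conf for the clear-text services on the slide.

# audit_inetd [FILE]
# Reads inetd.conf from FILE (or stdin) and prints "service -> replacement"
# for every enabled (uncommented) clear-text TCP service.
# Exit status: 1 if any were found, 0 if none.
audit_inetd() {
    awk '
        BEGIN {
            # inetd service name -> SSH tool that replaces it
            repl["telnet"] = "ssh"
            repl["login"]  = "slogin (replaces rlogin)"
            repl["shell"]  = "ssh/scp (replaces remsh and rcp)"
            repl["ftp"]    = "sftp"
        }
        /^[ \t]*#/ || NF == 0 { next }   # skip comments and blank lines
        # fields: service, socket type, protocol, wait, user, server, args
        ($1 in repl) && $3 ~ /^tcp/ {
            printf "%s -> %s\n", $1, repl[$1]
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$@"
}

# Constructed sample in HP-UX inetd.conf layout (not taken from a real host).
# remsh/rcp (the "shell" service) is already commented out here.
sample_inetd() {
    cat <<'EOF'
# service  type    proto wait   user server             args
telnet     stream  tcp   nowait root /usr/lbin/telnetd  telnetd
login      stream  tcp   nowait root /usr/lbin/rlogind  rlogind
#shell     stream  tcp   nowait root /usr/lbin/remshd   remshd
ftp        stream  tcp   nowait root /usr/lbin/ftpd     ftpd -l
daytime    stream  tcp   nowait root internal
EOF
}

# Demo run on the constructed sample.
sample_inetd | audit_inetd || echo "clear-text services are still enabled"
```

On a real host, pass the path instead, for example `audit_inetd /etc/inetd.conf`; the non-zero exit status makes the check usable from cron or a hardening script.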