SSH configuration

Installation

Refer to http://www.hal.t.u-tokyo.ac.jp/~kunito/install/ssh/index.shtml.

Access control

1. By sshd_config
   The following entries in /etc/sshd_config. (For SSH1, it seens SSH2 does not support)
   AllowHosts, DenyHosts
   AllowUsers, DenyUsers
   AllowGroups, DenyGroups
   
2. Using TCPwrappers library
   If sshd is compiled with --with-libwrap option, TCPwrappers' access control is used.
   This option is vaild in bath SSH1 and SSH2.
   

Selection of cryptography


1. Authentication method
   Host key: Can be changed creating new key with ssh-keygen.
   User key(ssh2): $HOME/.ssh2/identification
   User key(ssh1): Only RSA
   
2. Cipher
   Ciphers entry in a configuration file. Ciphers that a server allows are written in /etc/sshd_config. Ciphers that a user prefers are written in $HOME/.ssh/config.

Using Public key Authentication


1. Supported in SSH1 and SSH2.
   
2. Setup
   Sample is written in SSH2 style. For SSH1 style, see next "Using rhost with RSA Authentication" description.
   • First, at local host (SSH client), create a key-pair with the following helpers.
     UNIX: ssh-keygen
     Windows: F-Secure SSH Wizard
     
     Filenames of a pair of key are...
     $HOME/.ssh2/identification
     
     IdKeys filename
     
     $HOME/.ssh2/id_dsa_1024_a.
     
     Private-key should be kept in high level security.
     
   • Next, send the public key in local host to remote host (SSH server), and add it into authorized key list.
     
     $HOME/.ssh2/authorization
     
     Key filename.pub
     
     $HOME/.ssh2/id_dsa_1024_a.pub (etc.)
     
3. Comment
   In DCE environment, need to execute dce_login to get DCE authentication.
   

Using rhost with RSA Authentication


1. Supported only in SSH1.
   
2. Setup
   • First, at local host (SSH client), create a key-pair with the following helpers.
     UNIX: ssh-keygen
     Windows: F-Secure SSH Wizard
     
     Filenames of a pair of key are...
     $HOME/.ssh/identity
     $HOME/.ssh/identity.pub
     
     Private-key should be kept in high level security.
     
   • Next, send the public key in local host to remote host (SSH server), and add it into authorized key list.
     
     $HOME/.ssh/authorized_keys
     
   • Add client host entry, "hostname username", into $HOME/.rhost file on the remote host.

Host Authentication


Key files are created by "make install". At local host, a file is required which is a collection of server host's public-keys.
Helper for host-key collection. Supported only in SSH1(?).
% make-ssh-known-hosts domain-name

SSH log


SSH1: "SyslogFacility" in /etc/sshd_config.
SSH1 & SSH2: sshd can be configured to use tcp_wrappers using the --with-libwrap compile-time configuration option.


Check sheet for SSH Connectivity

Table 1. SSH Connectivity Test.

	SSH2 server	SSH1 server	DCE-SSH1 server	non-SSH server
ssh	password	password	password	password*1
RSA-ssh	passphrase	passphrase	passphrase*4	N.A.
ssh2	password	password*2	password*2	*3
RSA-ssh2	passphrase	passphrase*2	passphrase*2	N.A.
sftp	password? *5	N.A.?	N.A.?	N.A.?
RSA-sftp	passphrase?	N.A.?	N.A.?	N.A.?

*1

When rsh is not denied by TCPwrappers and .rhosts not grants.


*2

If ssh1 compatibility option is not defined, "Disconnected; protocol version not supported".


*3

"FATAL: Connection Refused", if .rhosts not grants.


*4

To get DCE authentication, need to execute dce_login.


*5

Test from thyme to thyme failed.


?

Test not yet done.



Test environment
• SSH1 is also installed in SSH2 server.
  
• SSH1 compatibility mode in SSH2 server and SSH2 client.
  

X fowarding


Port fowarding


a) telnet

Suppose local hostname is lhost, local port number is 54321, remote hostname is rhost, and remote port number is 23(telnet), enter first...
lhost% ssh -L 54321:rhost:23 rhost
From other terminal

lhost% telnet localhost 54321
The telnet is will be connected to rhost.

Table 2. Port fowarding Test.

	ssh1 server	ssh2 server
ssh1	telnet localhost 54321	telnet localhost 54321
PC-ssh1	?	?
ssh2	*1	telnet hostname 54321 telnet localhost 54321
PC-ssh2	N.A.	?

*1

"Compatibility" is not supported. Need use ssh1.

?

Test not yet done.

Test environment
Same as SSH Connectivity test.

b) ftp

Importamt: Connection will fail if ftp client doesn't support passive mode.

Suppose local hostname is lhost, local port number is 54321, remote hostname is rhost, and remote port number is 21(ftp), enter first...
lhost% ssh -L 54321:rhost:21 rhost
From other terminal

lhost% ftp localhost 54321

:
ftp> passive

:
The ftp will be connected to rhost.
Note that the connection of ftp control path is encripted, on th eother hand, ftp data transfer path is not encripted.


Security level of server host


1. telnet, ftp, xdm,
   Password flows over unsecure network.
   
2. rlogin, rsh, rcp, rdist
   Trusted hosts are secure?
   
3. pop
   Password flows over unsecure network.
   

Problems


1. X terminal
   Connection from X terminal to host is unsecure, unless if X terminal supports ssh.
2. PasswordAuthentication
   A user can add host key. If a user's password is stolen, ......
   That is, client authentication by server is skipped.