Ssh that wonderful thing
- 1. Marc Cluet – Lynx Consultants
  How I learned to stop worrying and love the shell
- 2. What we'll cover?
  - Understand how SSH works
  - Get a clear picture of how SSH bastion hosts work
  - Be able to do more awesome stuff with SSH!
  Lynx Consultants © 2013
- 3. What is SSH?
  - Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network: a server and a client (running SSH server and SSH client programs, respectively).[1] The protocol specification distinguishes two major versions that are referred to as SSH-1 and SSH-2…
  *whew*
- 4. But really, what is SSH?
  - SSH opens a terminal connection to a remote host
  - It does so using cryptography to avoid any break or leak in communication
  - It is a very powerful tool for remote execution
  - It is awesome!
- 5. How does SSH create a connection?
  - You run your SSH command: ssh user@host
  - SSH client connects to host
  - SSH client negotiates crypto and version with host
  - SSH host requests authentication (password, certificates)
  - SSH client replies with the crypto challenge
  - Communication is open!
- 6. Authentication methods
  - Password
    - Typical manual password
    - Turing keyboard test
  - Certificates
    - Public Key certificates (RSA1, RSA, DSA, GSS)
    - Host-based certificates
- 7. Certificates
  - A certificate ensures your identity by providing a crypto key divided into public and private parts (asymmetric cryptography)
  - A public crypto key can be shared and is mathematically linked to the private key
  - A private key shouldn't be shared and is able to unlock and decipher the ciphertext
- 8. Certificates
  - A certificate can be generated for each host or group of hosts you want to access
  - Each certificate can and should be protected by a password for extra security
  - Certificates are easy to revoke, so in case of any incident a new certificate can be generated
- 9. Certificates
  - Run the command
    - ssh-keygen -t rsa -f ~/.ssh/id_foryournetwork
  - This will create a unique certificate for the network hosts
  - All your other hosts or keys (github, etc.) are safely different
- 10. Security risks of running an infrastructure
  - If we leave password authentication open we're subject to dictionary attacks
    - The whole system's strength is defined by the weakest password
  - Each host that has SSH open is another security risk
  - All this can be resolved by Bastion Hosts!
- 11. What is a Bastion Host?
- 12. What is a Bastion Host?
  - A Bastion Host sits between two networks, one trusted and one untrusted
  - It regulates traffic between those networks, highlighting any malicious traffic and refusing it
  - It is the first line of defence in a system
- 13. SSH Configuration
  - Here's an example (~/.ssh/config)

        # Config to access bastion host
        Host bastionhost
            User myuser
            IdentityFile ~/.ssh/id_mynetwork
            Hostname 1.2.3.4
- 14. How to Diagnose connections
  - Always run ssh -v (-v for verbose)
  - Make sure you test each point of your connection
- 15. How to Diagnose connections
  - Always run ssh -v (-v for verbose)
  - Make sure you test each point of your connection
    - First the bastion host
    - Then proceed further up
  - Regular issues
    - Lack of certificate
    - DNS problem
    - Internets is broken
- 16. Awesome Stuff – Port Redirection
  - You can redirect a port from your machine to the remote host or the other way around
    - -L myport:destination:destport
      - Forwards a connection made to localhost port 8080 to myhost port 80 (-L 8080:myhost:80)
- 17. Awesome Stuff – Port Redirection
  - You can redirect a port from your machine to the remote host or the other way around
    - -R remoteport:destination:destport
      - Forwards a connection made to the remote host's port 80 back through the tunnel to myhost port 8080 (-R 80:myhost:8080)
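As an added example (not from the slides, nor Lynx Consultants' own code), here is a shell script that writes the client config for reaching a host through the bastion of slide 13, the bastion's sshd settings that close the weakest-password hole from slide 10, and a sanity check for the -L/-R forward specs above; the internal host name app01.internal is an assumption.

```shell
#!/bin/sh
# Added example, not from the slides. Assumed: internal host "app01.internal";
# user, key path and bastion address 1.2.3.4 are the ones shown on slide 13.

# Client-side ssh_config: the bastion block plus an internal host reached only
# through it, so just the bastion needs port 22 exposed to the untrusted side.
# ProxyJump needs OpenSSH 7.3+; older clients use the commented ProxyCommand.
gen_client_config() {
    cat <<'EOF'
# Config to access bastion host
Host bastionhost
    HostName 1.2.3.4
    User myuser
    IdentityFile ~/.ssh/id_mynetwork
    IdentitiesOnly yes

Host app01.internal
    User myuser
    IdentityFile ~/.ssh/id_mynetwork
    ProxyJump bastionhost
    # ProxyCommand ssh -W %h:%p bastionhost
EOF
}

# Bastion sshd_config: keys only, so the weakest password no longer defines
# the system's strength; TCP forwarding stays on because -W/ProxyJump use it.
gen_bastion_sshd_config() {
    cat <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowTcpForwarding yes
EOF
}

# Sanity-check a -L/-R "port:host:port" spec before passing it to ssh.
# Returns 0 when both ports are numeric and in 1-65535 and the host is non-empty.
check_forward_spec() {
    spec=$1
    case "$spec" in *:*:*) ;; *) return 1 ;; esac
    p1=${spec%%:*}; rest=${spec#*:}; host=${rest%%:*}; p2=${rest#*:}
    for p in "$p1" "$p2"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ -n "$host" ]
}
```

Run `gen_client_config > ~/.ssh/config` on the workstation and `gen_bastion_sshd_config` on the bastion, then verify the hop with `ssh -v app01.internal` as slide 15 suggests.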
- 18. Awesome Stuff – Socks Proxy
  - You can create a SOCKS proxy transparently with SSH
    - This will allow you to navigate the remote network as if it was your own
  - ssh -D 2222 user@myhost
  - Configure your browser to use a SOCKS proxy at localhost port 2222
  - Navigate to all internal network pages!