Figure 7.23 The results of the pcAnywhere server with SSH.
Secure VPN with SSH (PPP over SSH)
This section discusses the ability to use PPP (Point-to-Point Protocol) over an SSH connection as a fully functional virtual private networking (VPN) solution. Compared with traditional VPN implementations, such as IPSec, PPP over SSH offers almost everything that the others do. For example, SSH offers strong encryption (3DES at the time of writing; current OpenSSH releases default to AES or ChaCha20), PPP access, and the ability to provide multiple tunnels between two different networks. Furthermore, unlike other VPN solutions, PPP over SSH does not require a significant outlay for hardware appliances or software licensing, does not require significant support, and adapts to your existing network without any major re-architecture. One caveat to weigh against those advantages: the tunnel carries IP inside a TCP connection, so TCP sessions inside the VPN are retransmitted at two layers and perform poorly on lossy links. The advantages just mentioned, as well as many others, make PPP over SSH an ideal VPN solution for many small to mid-tier networks.
PPP over SSH does not involve port forwarding but instead uses simple PPP scripts. Figure 7.24 shows a typical PPP architecture with an SSH server.
Secure Remote Access 259
Figure 7.24 The SSH/PPP server architecture.
In the architecture shown in Figure 7.24, the SSH server is also the PPP server, which is a Red Hat Linux 8.0 server running OpenSSH. Furthermore, the client in the example is a regular Red Hat 8.0 client machine, with no services installed or running. No special changes are required on the firewall, except a rule that allows connections on port 22 to the SSH/PPP server. Once an SSH/PPP client makes that connection, it will have a VPN inside the internal network.

PPP Daemon on the Server
First, you must ensure the PPP daemon (pppd) is loaded and functional on your SSH server. If you are using Red Hat Linux 8.0 or higher, the PPP daemon should work just fine out of the box. To confirm, start pppd from a terminal (the sudo invocation shown in the next section works for this). A working daemon immediately begins LCP negotiation on its standard output, which shows up on the terminal as framed binary like the following:

~ }#_!}!}!} }4}"}&} } } } }%}&}"-1L}'}"}(}"e"~~ }#_!}!}!} }4}"}&} } } } L}'}"}(}"e"~~ }#_!}!}!} }4}"}&} } } } }%}&}"-1L}'}"}(}"e"~~ }#_!}!}!} }4}"}&} }} } }%}&}"-1L}'}"}(}"e"~~ }#_!}!}!} }4}"}&} } } } }%}&}"
[Figure 7.24 labels: Router; Firewall; SSH/PPP Server 11.30.11.21 (ssh.ppp.server.com)]
VPN User and Sudo
Next, you must configure a user to run the pppd service. Many users choose to create a separate user account other than root, such as vpnmonkey, to execute the PPP daemon. The use of sudo ensures that remote VPN users will not have full root access to the PPP/SSH server, which would decrease the security posture of the remote access solution. If this is the route you are taking, make sure you allow the vpnmonkey account to execute the pppd service by editing the sudoers file. Also, make sure you have set up the appropriate public-key authentication requirements for the vpnmonkey account, discussed in Chapter 4. To quickly refresh, make sure the public-key file (identity.pub) for the vpnmonkey account is in the authorized key file on the SSH/PPP server (/home/vpnmonkey/.ssh/authorized_keys). Furthermore, edit the sudoers file on the SSH/PPP server (/etc/sudoers) and allow vpnmonkey to start the PPP daemon without a password, since the client script later in this section runs ssh in batch mode and sudo will have no way to prompt. Then test the rule by running the daemon through sudo as vpnmonkey:

$ sudo /usr/sbin/pppd noauth
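The sudoers entry itself is not shown on the page; the following is an added example of how to grant it narrowly, not the book's or any distribution's stock configuration. It assumes the pppd path /usr/sbin/pppd and the argument list the client script later in this section sends (nodetach notty noauth). Restricting the arguments matters: pppd accepts options such as plugin, connect and init that run arbitrary programs, so an entry that allows /usr/sbin/pppd with any arguments hands vpnmonkey a root shell. The second fragment pins vpnmonkey's key to that one command in authorized_keys, so the key cannot be used for an interactive login even if the sudo rule is later loosened.

```text
# /etc/sudoers (edit with visudo): let vpnmonkey run pppd as root with
# exactly the arguments the client script sends, and nothing else.
vpnmonkey ALL=(root) NOPASSWD: /usr/sbin/pppd nodetach notty noauth
# Only needed if your sudoers sets "Defaults requiretty": the tunnel's
# ssh session has no tty, so sudo would otherwise refuse to run.
Defaults:vpnmonkey !requiretty

# /home/vpnmonkey/.ssh/authorized_keys: force this key to run the tunnel
# command and deny everything else a session could be used for.
# (key material abbreviated; "vpn-client" is just the key comment)
command="sudo /usr/sbin/pppd nodetach notty noauth",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...== vpn-client
```

With the forced command in place, whatever the client asks ssh to execute is ignored and only the pinned pppd invocation runs; a client that supplies different pppd arguments is also rejected by sudo, because sudo matches the argument list exactly when one is given in the rule.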
If things are working correctly under sudo, you should see the following on the server: the PPP daemon writing LCP configure-request frames to the terminal. This is not readable to end users, but it confirms that the PPP daemon is running correctly. The following is just an excerpt of the output of the PPP daemon:

~ }#_!}!}!} }4}"}&} } } } }%}&}"-1L}'}"}(}"e"~~ }#_!}!}!} }4}"}&} } } }
L}'}"}(}"e"~~ }#_!}!}!} }4}"}&} } } } }%}&}"-1L}'}"}(}"e"~~ }#_!}!}!}
}4}"}&} }} } }%}&}"-1L}'}"}(}"e"~~ }#_!}!}!} }4}"}&} } } } }%}&}"
1L}'}"}(}"e"~~ }#_!}!}!} }4}"}&} } } } }%}&}"-1L}'}"}(}"e"~~ }#_!}!}!}
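The "unreadable" output in this excerpt and in the one in the PPP Daemon section above is an HDLC-framed LCP Configure-Request (RFC 1661 and 1662): 0x7E flags, 0x7D byte stuffing of control characters, and a 16-bit FCS. The following added example (my code, not the book's) decodes such a frame. The frame it decodes is constructed from the values visible in the excerpt (ACCM 0, magic number 0x022D314C, PFC, ACFC); the two unprintable bytes 0xFF and 0xC0, which the printed excerpt renders as a space and an underscore, are restored, and the FCS is computed rather than copied, so the option values are an assumption about the book's run, not a transcription of it.

```python
"""Decode the framed LCP output pppd writes when started on a terminal.

Added example, not code from the original page. Builds one HDLC frame
the way pppd would send it, then unframes and parses it back.
"""

FLAG, ESC = 0x7E, 0x7D
LCP_PROTOCOL = 0xC021
LCP_CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak",
             4: "Configure-Reject", 5: "Terminate-Request", 9: "Echo-Request"}
LCP_OPTIONS = {1: "MRU", 2: "ACCM", 3: "Auth-Protocol", 5: "Magic-Number",
               7: "PFC", 8: "ACFC"}


def fcs16(data):
    """PPP FCS-16 from RFC 1662 (polynomial 0x8408, initial value 0xFFFF)."""
    fcs = 0xFFFF
    for b in data:
        fcs ^= b
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def hdlc_frame(payload):
    """Append the FCS and byte-stuff as the default ACCM requires (< 0x20, 0x7D, 0x7E)."""
    fcs = fcs16(payload) ^ 0xFFFF
    out = bytearray([FLAG])
    for b in payload + bytes([fcs & 0xFF, fcs >> 8]):
        if b < 0x20 or b in (ESC, FLAG):
            out += bytes([ESC, b ^ 0x20])
        else:
            out.append(b)
    out.append(FLAG)
    return bytes(out)


def hdlc_unframe(frame):
    """Strip the flags, undo byte stuffing, check the FCS and return the payload."""
    body = frame.strip(bytes([FLAG]))
    raw, i = bytearray(), 0
    while i < len(body):
        if body[i] == ESC:
            raw.append(body[i + 1] ^ 0x20)
            i += 2
        else:
            raw.append(body[i])
            i += 1
    if fcs16(bytes(raw)) != 0xF0B8:   # residue left by a frame with a good FCS
        raise ValueError("bad FCS")
    return bytes(raw[:-2])


def parse_lcp(payload):
    """Parse address/control/protocol and, for LCP, the code, id and options."""
    if payload[:2] != b"\xff\x03":
        raise ValueError("expected PPP address 0xFF and control 0x03")
    proto = int.from_bytes(payload[2:4], "big")
    if proto != LCP_PROTOCOL:
        return {"protocol": proto, "lcp": None}
    code, ident = payload[4], payload[5]
    length = int.from_bytes(payload[6:8], "big")
    options, i = {}, 8
    while i < 4 + length:
        opt_type, opt_len = payload[i], payload[i + 1]
        if opt_len < 2:
            raise ValueError("bad LCP option length")
        name = LCP_OPTIONS.get(opt_type, "option-%d" % opt_type)
        options[name] = payload[i + 2:i + opt_len].hex()
        i += opt_len
    return {"protocol": proto, "lcp": LCP_CODES.get(code, code),
            "id": ident, "options": options}


# Constructed Configure-Request carrying the values read from the excerpt.
LCP_CONF_REQ = bytes.fromhex(
    "ff03c021"        # address 0xFF, control 0x03, protocol LCP
    "01010014"        # Configure-Request, id 1, length 20
    "020600000000"    # ACCM 0: no control characters need escaping
    "0506022d314c"    # Magic-Number, used to detect looped-back links
    "0702"            # Protocol-Field-Compression
    "0802"            # Address-and-Control-Field-Compression
)
SAMPLE_FRAME = hdlc_frame(LCP_CONF_REQ)


def decode_pppd_output(frame=SAMPLE_FRAME):
    """Turn one frame as printed by pppd into a readable LCP summary."""
    return parse_lcp(hdlc_unframe(frame))


if __name__ == "__main__":
    print(SAMPLE_FRAME.decode("latin-1"))   # resembles the excerpt above
    print(decode_pppd_output())
```

Seeing Configure-Request frames repeat with the same magic number and no reply is exactly the state the text describes: the daemon is up and negotiating, but nothing is answering because no peer is attached to the terminal yet.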
Client Script
Next, you must configure a script on the VPN client to use SSH for the PPP connection. This script was originally created on www.linuxorg.org by the authors of that site.
Before editing the script, you must define the variables that will need to be customized according to the architecture. According to Figure 7.24, your server hostname will be ssh.ppp.server.com, your server username will be vpnmonkey, your server IP address will be 11.30.11.21, and your client IP address will be 72.12.8.15. The specific entries to modify are SERVER_HOSTNAME, SERVER_USERNAME, SERVER_IFIPADDR, and CLIENT_IFIPADDR. Now that you have established the variables, you can use them in the script, as the following script shows:
#!/bin/sh
# /usr/local/bin/vpn-pppssh
#
# This script initiates a ppp-ssh vpn connection.
# see the VPN PPP-SSH HOWTO on http://www.linuxdoc.org for more
#
# The host name or IP address of the SSH server that we are
# sending the connection request to:
SERVER_HOSTNAME=ssh.ppp.server.com
# The username on the VPN server that will run the tunnel.
# For security reasons, this should NOT be root (Any user
# that can use PPP can initiate the connection on the client)
SERVER_USERNAME=vpnmonkey
# The address of the server's end of the PPP link:
SERVER_IFIPADDR=11.30.11.21
# The address of the client's end of the PPP link:
CLIENT_IFIPADDR=72.12.8.15
# This tells ssh to use unprivileged high ports, even though it's
# running as root. This way, you don't have to punch custom holes
# through your firewall. (Current OpenSSH releases never use a
# privileged source port and either reject -P or give it an unrelated
# meaning, so set this to an empty string on them.)
LOCAL_SSH_OPTS="-P"
#
# The rest of this file should not need to be changed.
#
PPPD=/usr/sbin/pppd
SSH=/usr/bin/ssh
if ! test -f $PPPD ; then echo "can't find $PPPD"; exit 3; fi
if ! test -f $SSH ; then echo "can't find $SSH"; exit 4; fi
case "$1" in
start)
    # echo -n "Starting vpn to $SERVER_HOSTNAME: "
    # The local pppd is handed a pty whose other end is the ssh session;
    # on the far side sudo starts the server's pppd on that session.
    ${PPPD} updetach noauth passive pty "${SSH} ${LOCAL_SSH_OPTS} ${SERVER_HOSTNAME} -l${SERVER_USERNAME} -o Batchmode=yes sudo ${PPPD} nodetach notty noauth" ipparam vpn ${CLIENT_IFIPADDR}:${SERVER_IFIPADDR}
    # echo "connected."
    ;;
stop)
    # echo -n "Stopping vpn to $SERVER_HOSTNAME: "
    # Find the ssh process carrying the tunnel (the local pppd's own
    # argv also contains this string, hence the filter on ' passive ')
    # and kill it; pppd on both ends then sees the link drop and exits.
    # ${LOCAL_SSH_OPTS:+...} keeps the pattern valid when the option is empty.
    PID=`ps ax | grep "${SSH} ${LOCAL_SSH_OPTS:+$LOCAL_SSH_OPTS }${SERVER_HOSTNAME} -l${SERVER_USERNAME} -o" | grep -v ' passive ' | grep -v 'grep ' | awk '{print $1}'`
    # (the page's copy of the script ends at the awk above; the rest of
    # this branch follows the HOWTO's intent of killing that process)
    if [ -z "$PID" ]; then
        echo "vpn to $SERVER_HOSTNAME is not running"
        exit 1
    fi
    kill $PID
    # echo "disconnected."
    ;;
*)
    echo "usage: $0 {start|stop}"
    exit 1
    ;;
esac
Save the script as wee-pee-en, or whatever you wish, and make it executable (chmod a+x wee-pee-en). Because the script starts pppd on the client, run it as root there. After the script is executable, enter the following command on the client to use the wee-pee-en script and bring up the VPN to the SSH/PPP server over the encrypted SSH connection:

# ./wee-pee-en start

Running the script with stop instead of start tears the tunnel down again.
Port forwarding is a powerful and very useful feature of SSH that almost overshadows the terminal access that it provides. In fact, many SSH solutions deployed in networks today are deployed more for their port-forwarding capabilities than for their remote terminal access capabilities. Furthermore, the flexibility of SSH, which allows it to be used from both NAT'd and non-NAT'd networks, makes it a very attractive remote access solution that can support end-user security in any type of network environment, whether from a hotel room, a home office, a customer site, a data center, or even a wireless network at your local coffee shop.
The use of other applications, such as Outlook Express, Netscape Messenger, and Eudora, with SSH allows SSH to mitigate and solve security concerns in other entities. In addition to securing other applications, the use of SSH with existing, required, or standard protocols, such as SMB and NFS, allows it to interoperate with existing networks quite easily with little to no effect on the end-user. Lastly, its ability to support GUI applications allows SSH to provide a truly secure remote management solution for the remote administrator.
Basic port forwarding and advanced techniques allow SSH to be a fully functional and very inexpensive remote access solution that cannot be matched by any other service, device, or protocol. Now that you fully understand port forwarding, I will shift gears to other uses of SSH, such as general protocol replacement. In the next chapter, I will discuss how SSH should be used instead of various other dangerous protocols, such as the insecure "R" protocols.
Part Three
Protocol Replacement

Chapter 8
SSH Versatility

This chapter demonstrates how SSH can be used to replace several other protocols, many of which are insecure protocols that greatly decrease the security posture of a network environment. For example, SSH can be used to replace the dangerous protocols listed in Table 8.1.
Table 8.1 Protocols That SSH Can Replace for Stronger Security

SSH (Terminal Access)    RSH, Rlogin, Rexec
SSH with Backups         RSync
Terminal Access
One of the most basic uses of SSH that I have only implied thus far is SSH terminal access. One of the primary reasons to install SSH is to provide secure terminal access. In order to replace the dangerous Berkeley R-protocols such as RSH and Rlogin, SSH needs to be used. Furthermore, if other terminal emulators such as Telnet are used in addition to the Berkeley R-protocols, the level of security across a network environment will be greatly reduced. SSH not only provides the same level of access that RSH, Rlogin, and Telnet do, but it does so in a secure manner through two-factor authentication, advanced authorization, and strong encryption.

SSH is often deployed for its secure terminal access, aside from other features such as port forwarding and SFTP, discussed in the next section. When dealing with remote management across the Internet or even insecure internal networks, Telnet, RSH, Rexec, and Rlogin can and will cripple an organization's security infrastructure by allowing any passive observer to gain access to sensitive information, such as usernames, passwords, directory structures, and so on.
For example, RSH, Rlogin, and Rexec are clear-text protocols that provide some type of remote terminal emulation or remote execution service. All three of these protocols can be sniffed with any traffic analyzer, revealing authentication and authorization information to an unauthorized user. This can allow unauthorized users to gain access to sensitive authentication information and either log in to systems and/or devices or execute remote commands in an unauthorized fashion.
The following examples show a traffic analyzer program that sniffs the connections of four protocols: RSH, Rlogin, Rexec, and finally SSH. The examples show how the use of the three insecure protocols provides basically no security and how the use of SSH not only brings a great deal of security, but also provides the same level of functionality. The architecture for the example is shown in Figure 8.1.
Compromising a System with Remote Shell (RSH)
The first example will address RSH (Remote Shell). This section will not go into the specifics of RSH, because you will never use it after reading this section, but some basics need to be covered. RSH is the client end of a client-server relationship, which works with an RSH server (rshd), usually listening on TCP port 514. RSH executes a remote command on a remote RSH server as if the command came from the machine itself. The RSH client supplies a username that must exist on the server, that is, an account in the Unix password file, /etc/passwd or /etc/shadow. No password is sent: the server grants access if the client's host and username appear in /etc/hosts.equiv or the account's .rhosts file, so the trust rests entirely on the client's source address and the name it claims. The issue with RSH, as I have already discussed, is that the RSH protocol is clear-text, so anyone sniffing the wire can obtain the usernames, the command, and everything it prints, and anyone who can present a trusted source address can connect without sniffing at all. Once an unauthorized user obtains the information, the system is virtually compromised. See Figure 8.2 for a sniffer program that captures the RSH connection.
Figure 8.1 Sample architecture for terminal access with RSH, Rlogin, Telnet, and SSH.
[Figure 8.1 labels: RSH, RLOGIN, REXEC, SSH]
Figure 8.2 Sniffer capturing an RSH connection.
Compromising a System with Remote Login (Rlogin)
Remote Login (Rlogin) is also a client/server technology wherein the client, rlogin, connects to an Rlogin server (rlogind), usually listening on TCP port 513. Rlogin starts a remote terminal session on a system, usually an operating system or device, running the rlogin server. Rlogin also uses the username and password information from the Unix password file, such as /etc/passwd or /etc/shadow. In addition to using the password file, Rlogin uses the rhosts files (/etc/hosts.equiv and ~/.rhosts), which list the hosts, and optionally users, that are trusted to log in to the server without a password. As with RSH, Rlogin's connections are in clear text, which allows a passive attacker to sniff the connection and obtain the username, password, and IP address needed to make a valid connection. Once an unauthorized user obtains the information, the system is virtually compromised. See Figure 8.3 for a sniffer program that captures the Rlogin connection.
Figure 8.3 Sniffer capturing an Rlogin connection.
Compromising a System with Remote Execution (Rexec)
Remote Execution (Rexec) is also a client/server technology wherein the client, rexec, connects to a rexec server (rexecd), usually listening on TCP port 512. Rexec executes a remote command on a remote Rexec server as if the command came from the machine itself. Rexec also uses the username and password information from the Unix password file, such as /etc/passwd or /etc/shadow, and, unlike RSH, the client sends the password itself in its request. As with RSH, Rexec's connections are in clear text, which allows a passive attacker to sniff the connection and access the username and password for the remote operating system or device. Once an unauthorized user obtains the information, the system is virtually compromised. See Figure 8.4 to view a sniffer program that captures the Rexec connection, where a user logs in to the rexec server with a username of root, a password of shreya, and a command of 'ls'.
Figure 8.4 Sniffer capturing an Rexec connection.
Why Access via SSH Is Better
After learning about the insecurities of RSH, Rlogin, and Rexec, you should now understand why utilities such as SSH were developed and widely adopted. The use of RSH, Rlogin, and Rexec in any hostile environment, whether it be the Internet, an internal network, a DMZ, an extranet, or even a local network, will cause a lot of security issues for a given network. In order to protect against the basic flaws of the protocols mentioned previously, SSH should be used. While RSH, Rlogin, and Rexec provide moderately different functions, the primary function of all three utilities is to provide the execution of a command on a remote server, either through a local terminal session or a remote execution service. SSH can eliminate the need for all three of these utilities by providing the same, if not better, remote execution service or terminal sessions over an encrypted and secure connection. Unlike RSH, Rlogin, and Rexec, SSH is not a clear-text protocol, so passive attackers sniffing the network would not be able to gain or view any useful information, such as usernames and passwords. The connection is encrypted before the user even authenticates, since the key exchange precedes authentication, and stays encrypted until the session is closed. See Figure 8.5 to view a sniffer program that captures an SSH connection. Notice how Figure 8.5 is quite different from Figures 8.4, 8.3, and even 8.2. While all four utilities (RSH, Rlogin, Rexec, and SSH) offer the same type of access, the protocols they use are quite different. Furthermore, the end result of all four utilities is a remote execution. There are no added advantages to using Rlogin over SSH, aside from the fact that some end-users may be used to the older insecure protocol. Furthermore, if a remote terminal session is not desired, just remote execution, both RSH and Rexec can be replaced by SSH in order to secure the connection. The use of remote commands instead of a remote terminal session may be required for nightly backup processes; therefore, Rexec with SSH, which will be discussed later in this chapter, is also a stronger alternative than Rexec alone.
Figure 8.5 Sniffer program that captures an SSH connection.
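The screenshots in Figures 8.2 to 8.5 are not reproduced here, so the following added example (my code, not the book's) reconstructs what a sniffer shows for each of the four sessions by parsing the client's opening message of each protocol. It assumes the standard field order of the BSD rshd and rexecd daemons and of RFC 1282 for rlogin; the captured payloads are constructed, with the rexec one using the username, password and command the text quotes for Figure 8.4.

```python
"""What a passive sniffer recovers from RSH, Rlogin, Rexec and SSH sessions.

Added example, not code from the original page. Each Berkeley r-daemon reads
the client's first message as NUL-terminated strings; SSH sends only a
version banner in the clear before key exchange begins.
"""

# Destination port -> protocol, as listed in the text.
PORTS = {512: "rexec", 513: "rlogin", 514: "rsh", 22: "ssh"}

# Field order of the client's opening message. The first field is framing
# (the port for a separate stderr channel, empty when none; a lone NUL for
# rlogin), not a credential.
FIELDS = {
    "rexec":  ("stderr_port", "username", "password", "command"),
    "rsh":    ("stderr_port", "client_user", "server_user", "command"),
    "rlogin": ("empty", "client_user", "server_user", "terminal"),
}
FRAMING_FIELDS = {"stderr_port", "empty"}


def split_fields(payload, count):
    """Return the first `count` NUL-terminated strings of an r-protocol request."""
    parts = payload.split(b"\x00", count)
    if len(parts) < count + 1:
        raise ValueError("truncated r-protocol request")
    return [p.decode("ascii", "replace") for p in parts[:count]]


def extract(dst_port, payload):
    """Return what the wire exposes for one captured client-to-server stream."""
    proto = PORTS.get(dst_port, "unknown")
    if proto in FIELDS:
        names = FIELDS[proto]
        info = dict(zip(names, split_fields(payload, len(names))))
        creds = {k: v for k, v in info.items() if k not in FRAMING_FIELDS}
        return {"protocol": proto, "credentials": creds}
    if proto == "ssh":
        # Only the version banner is readable. Key exchange follows in the
        # clear but carries no secrets; authentication (password or key
        # signature) happens after NEWKEYS, inside the encrypted channel.
        banner, _, rest = payload.partition(b"\r\n")
        return {"protocol": proto, "credentials": None,
                "banner": banner.decode("ascii", "replace"),
                "bytes_after_banner": len(rest)}
    return {"protocol": proto, "credentials": None}


# Constructed captures: (destination port, first bytes the client sent).
# The rexec values are the ones the text gives for Figure 8.4; the SSH
# payload uses placeholder bytes where key-exchange packets would be.
CAPTURES = [
    (514, b"\x00jdoe\x00jdoe\x00cat /etc/passwd\x00"),
    (513, b"\x00jdoe\x00root\x00vt100/9600\x00"),
    (512, b"\x00root\x00shreya\x00ls\x00"),
    (22, b"SSH-2.0-OpenSSH_3.4p1\r\n" + bytes(range(64))),
]


def sniff_report(captures=CAPTURES):
    """Run extract() over every capture, as a sniffer's summary view would."""
    return [extract(port, data) for port, data in captures]


if __name__ == "__main__":
    for entry in sniff_report():
        print(entry)
```

The same split is what a detection rule needs: any TCP payload to ports 512 through 514 that parses this way is a clear-text credential or trust assertion crossing the network, whereas the port 22 stream yields a banner and then nothing a passive observer can use.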
File Transfer with Secure File Transfer Protocol (SFTP)
File sharing over a network has been a standard capability in organizations for a great deal of time. Standard protocols such as FTP (File Transfer Protocol), Microsoft's SMB (Server Message Block), and NFS (Network File System) are probably the most popular methods of transferring files within most organizations. Despite the popularity of these three protocols, all have many security problems. FTP and NFS are clear-text protocols: FTP sends its username and password in the clear, and NFS (with the default AUTH_SYS flavour) sends file data in the clear and simply trusts the user and group IDs the client claims.
Unlike the last section, this section will not discuss the issues with FTP, NFS, or SMB, but rather how to use SSH's file transfer subsystem (Secure File Transfer) as a secure file-sharing method. I assume that you are somewhat aware of the security problems with FTP, NFS, and SMB and proceed with how to develop a secure solution.
Secure File Transfer Protocol (SFTP) is a subsystem used with SSH. SFTP is very similar to FTP; however, it offers the ability to transfer files between an SFTP server (SSH server) and an SFTP client over an encrypted connection. SFTP and FTP both use a client/server architecture, but SFTP carries a performance penalty, as the packets are encrypted before they are sent over the wire. Often, however, this performance penalty is negligible, especially when the extra security gained by using SFTP is factored in.
Each installation of SSH version 2 has the SFTP subsystem available and functioning by default. There are no extra steps required on the SSH server in order to start the SFTP subsystem after a default installation; the SFTP subsystem is built right into the service and responds on the port chosen for SSH, such as port 22. Despite the fact that all three major providers of SSH, including OpenSSH, SSH Communications, and VanDyke Software, enable the SFTP subsystem by default, there are different features of each installation that may affect your decision-making process. The following section discusses the different SFTP installations, as well as the specific features of each in regard to four main uses of SFTP:
■■ General setup and use of SFTP
■■ SFTP for management purposes
■■ SFTP for corporate file-sharing (file access controls)
■■ SFTP for authorized system users (user access controls)
This overview will allow you to understand the general uses of SFTP and also allow your decision-making process to be as informed as possible, depending on your business and security requirements for SFTP.
SFTP with the OpenSSH SFTP Server
The OpenSSH SFTP subsystem is a great solution when the secure transfer of files and folders from one machine to the next is required. As stated earlier, the SFTP subsystem is enabled by default on the OpenSSH server; no special or additional steps are required. To ensure that the SFTP subsystem has been enabled, open the sshd_config file on the SSH server and scroll all the way to the bottom of the file. The SFTP subsystem information should be at the very end. Enter the following commands to view the SFTP subsystem information in OpenSSH's configuration file:
#cd /etc/ssh/
#more sshd_config
The following syntax should be at the end of the sshd_config file:
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
If SFTP is not desired and only the SSH service (shell or port forwarding access) is desired, the SFTP subsystem can be easily disabled by commenting out the "Subsystem sftp" line. For example, in order to disable the SFTP subsystem in OpenSSH, make sure the last two lines of your sshd_config file look like the following:
# override default of no subsystems
# Subsystem sftp /usr/libexec/openssh/sftp-server
Since you want to use the SFTP subsystem, make sure it is enabled (uncommented) in your /etc/ssh/sshd_config file. Note that commenting the line out only removes the SFTP subsystem; it is not an access control, because a user who still has shell access can copy files with legacy scp (which runs the remote scp binary over an exec channel) or with plain shell redirection. Now that you understand how to enable/disable the SFTP subsystem, examine the different ways you can use it with OpenSSH.

Using OpenSSH for Management Purposes
First, I will discuss OpenSSH in terms of management purposes. Using any SFTP client, such as the command-line version that comes with OpenSSH (sftp), you can make a connection to an SFTP server to download files in a secure fashion. For example, if you want to copy the file called Commodore-Vic20.txt from the SFTP server, which has an IP address of 172.16.11.17, enter the following commands with your OpenSSH SFTP client:
a secure and easy fashion.
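The sftp commands themselves are missing from this copy of the page; the following is an added session transcript (not from the book) that assumes an account named admin on the server and that the file sits in that account's home directory:

```text
$ sftp admin@172.16.11.17
admin@172.16.11.17's password:
sftp> get Commodore-Vic20.txt
Fetching /home/admin/Commodore-Vic20.txt to Commodore-Vic20.txt
sftp> quit
```

On the first connection to a server, sftp prints the server's host-key fingerprint and asks whether to continue. Compare it with a fingerprint obtained out of band (for example, from the server's /etc/ssh/ssh_host_*_key.pub via ssh-keygen -l) before answering yes; otherwise the encryption protects you from passive sniffing but not from an active attacker sitting in the path.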
Using OpenSSH for File Sharing
To provide the use of the SFTP subsystem in a complementary fashion to SSH, valid accounts have to be made on the operating system, since SSH uses operating-system accounts, not its own SSH-specific accounts. That being the case, having an account on the operating system means the account also has rights to the system's files, such as /etc/, /usr/sbin, /var, and so on. Even if the purpose of the account is to transfer files securely to/from /tmp/share, the account, because it is an operating-system account, has inherent rights to the operating system itself.
In a file-server situation, you may not want to expose the operating system directories or the entire directory architecture for SFTP access, but rather a folder or two for general organization-wide file sharing. For example, you may not want all users to download a copy of /etc/passwd, but only files in a specified directory, such as their home directory or a directory called /tmp/share. In this case, file access controls should be used.
By default, there are no access control permissions in the SFTP subsystem; all file access permission relies on the native operating system permissions. In the Unix world, all access control permissions for SFTP are controlled by the read/write/execute bits on the files and folders themselves. In the Windows world, the file access permissions for SFTP are controlled by the NTFS access controls.
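The page stops at the operating system's own permission bits. Later OpenSSH releases add a server-side control that fits the file-server case described here, and the following sshd_config fragment is an added example of it (not from the book). It assumes a Unix group named sftponly and a directory tree under /srv/sftp; adjust both to your environment.

```text
# /etc/ssh/sshd_config: confine members of group sftponly to an SFTP-only,
# chrooted view of the filesystem. internal-sftp is sftp-server built into
# sshd, so no binaries or libraries need to exist inside the chroot.
Subsystem sftp internal-sftp

# Everything after a Match line belongs to that block, so keep it last.
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```

ChrootDirectory requires that the target directory and every directory above it be owned by root and not writable by group or others, otherwise sshd rejects the login; give each user a writable subdirectory (for example /srv/sftp/alice/upload, owned by alice) for the actual files. Members of sftponly then see only their own chroot, cannot obtain a shell, and cannot use the session to forward ports, which is exactly the separation between "an operating-system account" and "a file-transfer account" that the preceding paragraphs call for. The operating-system permissions still apply inside the chroot, so the read/write/execute bits on the shared directory remain the control over who may read or write which files.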
You need to place appropriate access control permissions on the operating system, not just rely on the SFTP subsystem. If proper access controls are not