MandrakeUser.Org - Your Mandrake-Linux Knowledge Base!



SSH I - Installation

* What Is SSH?
* How SSH Authentication Works
* Installing And Testing OpenSSH

Related Resources:

SSH FAQ
Getting started with SSH
man ssh

Revision / Modified: Sep. 27, 2001 / Oct. 09, 2001
Author: Tom Berger


SSH I - Installation

* What Is SSH?

The traditional network services like ftp, pop or telnet are convenient but inherently unsafe: all of them send your password and your data in clear text over an increasingly hostile network. Anyone sitting on the path can intercept these sessions and copy the transferred data. Furthermore, the authentication of the server is weak: these services are open to so-called 'man-in-the-middle' attacks, in which an intruder pretends to be the server and thus receives everything the client sends.

Enter SSH (Secure SHell). SSH encrypts the traffic, and its host key checking makes 'man-in-the-middle' attacks very hard. The same host key check also protects you from DNS and IP spoofing, since a spoofed host cannot present the real host's key. As a bonus, it can compress the traffic and thus make transfers faster. SSH is a very versatile tool: not only does it replace telnet, you can also 'tunnel' services like ftp, pop and even PPP through it.

SSH implementations exist for almost all major operating systems.

The original SSH was developed by a Finnish company (SSH Communications Security). Because later versions were released under a restrictive license and the original relied on patented algorithms, the Free Software world now uses OpenSSH, a free SSH work-alike maintained by the OpenBSD project.

SSH consists of a client-server pair like all the other services. Every system administrator worth his salt runs an SSH server. If your remote host doesn't run one, you should seriously think about switching to a host which does: a site which doesn't run an SSH server displays a serious lack of interest in network security.

SSH comes in two major, partly incompatible protocol versions, 1.x and 2.x. A client that speaks only version 2 cannot connect to a server that speaks only version 1, and vice versa. OpenSSH 2.x speaks both.

Note that protocol version 1 is deprecated in favor of version 2 for security reasons; use it only where a server offers nothing else.


* How SSH Authentication Works

Seen from the client, SSH offers two levels of authentication.

The first level allows you to connect from any machine to an SSH server, as long as you know the password of the account on the remote machine. The password travels inside the encrypted connection, so a passive eavesdropper cannot read it. The weak point is the host check: if you accept the server's host key without verifying its fingerprint, an intruder who pretends to be the host you want to connect to ('man-in-the-middle attack') receives your password in the clear on his end and can then log in as you.

The second level relies on the key mechanism: you create your own key pair and put the public key onto the server (into the '.ssh' directory of your account there). When you connect, your client offers the public key to the server, which looks it up in that directory. With protocol version 1, the server then encrypts a random challenge with your public key; the client decrypts it with the private key and returns a hash of the challenge bound to the current session. With protocol version 2, the client instead signs a message that includes the session identifier with the private key, and the server verifies the signature with the public key. Either way the private key never leaves your machine, and the response is tied to this particular session, so it cannot be replayed or relayed into another one.
With this method you will have to know the passphrase of your private key (if you chose to set one when generating it), but in contrast to level one this passphrase is only used locally to unlock the key and is never sent over the network. Level-two authentication sends no password over the network at all.
This scheme not only encrypts all traffic sent via SSH, but also makes 'man-in-the-middle' attacks next to impossible: an intruder who sits in the connection obtains neither your password nor your private key, and cannot reuse your response to log in as you. The login process may take a few seconds while the keys are exchanged.
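To make the second level concrete, here is an added example (not code from this page or from OpenSSH) that plays both sides of the protocol-version-1 RSA challenge-response described above in Python. It uses a deliberately tiny toy RSA key built from two fixed primes and made-up session identifiers; both are assumptions for the sake of the demo. It also shows why the answer is bound to the session identifier: a response captured in one session is useless in another, which is what stops a relaying man-in-the-middle.

```python
import hashlib
import secrets

# Toy RSA key pair from two fixed Mersenne primes. Constructed for this
# example only; a real key is 1024 bits or more and comes from ssh-keygen.
P = (1 << 61) - 1
Q = (1 << 31) - 1
N = P * Q                          # public modulus (part of the public key)
E = 65537                          # public exponent (part of the public key)
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: never leaves the client

# Width used when the challenge is hashed; protocol 1 used 32 bytes, big-endian.
CHALLENGE_BYTES = 32


def server_challenge(pub_e, pub_n):
    """Server: draw a random challenge and encrypt it to the client's public key.
    Returns (plaintext kept on the server, ciphertext sent to the client)."""
    challenge = secrets.randbelow(pub_n)
    return challenge, pow(challenge, pub_e, pub_n)


def client_answer(encrypted_challenge, priv_d, pub_n, session_id):
    """Client: decrypt with the private key and hash the result together with
    the session identifier, so the answer only works for this session."""
    challenge = pow(encrypted_challenge, priv_d, pub_n)
    return hashlib.md5(challenge.to_bytes(CHALLENGE_BYTES, "big") + session_id).digest()


def server_verify(challenge, answer, session_id):
    """Server: recompute the expected hash from its own copy of the challenge."""
    expected = hashlib.md5(challenge.to_bytes(CHALLENGE_BYTES, "big") + session_id).digest()
    return secrets.compare_digest(expected, answer)


def run_login(server_session_id, priv_d=D, client_session_id=None):
    """Play one complete exchange and return the server's decision.
    client_session_id lets a caller simulate a man-in-the-middle who relays
    an answer obtained in a different session (different session identifier)."""
    if client_session_id is None:
        client_session_id = server_session_id
    challenge, ciphertext = server_challenge(E, N)                     # server -> client
    answer = client_answer(ciphertext, priv_d, N, client_session_id)   # client -> server
    return server_verify(challenge, answer, server_session_id)


if __name__ == "__main__":
    # Session identifiers are made up here; in SSH they are derived from the
    # host key and the key exchange, so a faked host ends up with a different one.
    print("genuine login:     ", run_login(b"session-A"))
    print("wrong private key: ", run_login(b"session-A", priv_d=D + 2))
    print("relayed answer:    ", run_login(b"session-B", client_session_id=b"session-A"))
```

Only the encrypted challenge and a hash cross the wire; there is nothing in the exchange an eavesdropper could replay, and the session identifier in the hash is why a man-in-the-middle cannot forward the client's answer to the real server. Protocol version 2 replaces the decrypt-and-hash step with a signature over the session identifier, with the same effect.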


* Installing And Testing OpenSSH

If you are using a Mandrake release prior to 7.2, you will have to download the needed packages from one of the servers listed on the crypto apps page or get the source directly from the OpenSSH website. If you are using 7.2 or later, you will find all the needed software on your Mandrake CD.

You will need these packages:

  • openssl
  • openssh
  • openssh-clients
  • and, if you want to run an SSH server, openssh-server

Of course the truly paranoid will prefer building them from source, but usually RPMs will do ;).

To test your installation, connect to a SSH server:

ssh -l [your account name on the remote host] [address of the remote host]

If this works, you will receive a message like this:

The authenticity of host [hostname] can't be established.
Key fingerprint is 1024 5f:a0:0b:65:d3:82:df:ab:44:62:6d:98:9c:fe:e9:52.
Are you sure you want to continue connecting (yes/no)?

If it doesn't work, you might be using a newer version of OpenSSH which defaults to SSH protocol version 2, while the server still only speaks version 1. In this case, use the -1 option to the 'ssh' command (and keep in mind that protocol 1 is deprecated; use it only for servers that offer nothing else).

SSH tells you that it doesn't know this host, which is normal when you connect for the first time. Before you type yes, compare the fingerprint shown with one you obtained by another route, e.g. from the administrator of the remote server, because this first connection is the moment at which a 'man-in-the-middle' could slip in a key of his own. Typing yes adds the host's public key to '~/.ssh/known_hosts'; future connects to this host will not display this message.
However, if the remote host at a later point presents a different server key (or the name you use suddenly resolves to a different address with a different key), SSH will display a huge warning, because such changes might be symptoms of a 'man-in-the-middle' attack. Ask the administrator of the remote server first before proceeding, and don't simply delete the entry in known_hosts to make the warning go away.
Then SSH will prompt you for your account password on the remote machine. Type it, press ENTER et voilà, you've established your first SSH connection! Now proceed just like you would in a telnet session.

Installing an OpenSSH server is easy, too. Just install the RPM. During the installation, you will get a message like this:

Generating RSA keys: .ooooooO..................ooooooO
Key generation complete.
Your identification has been saved in /etc/ssh/ssh_host_key.
Your public key has been saved in /etc/ssh/ssh_host_key.pub.
The key fingerprint is:
5f:a0:0b:65:d3:82:df:ab:33:52:6f:89:9a:fe:e9:52 root@[local machine]
Generating DSA parameter and key.
Your identification has been saved in /etc/ssh/ssh_host_dsa_key.
Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub.
The key fingerprint is:
64:85:4a:da:cf:74:94:0d:5a:93:cf:f2:62:ed:07:26 root@[local machine]

This message indicates that the keys which identify your machine to clients have been generated: the RSA key is the host key for protocol version 1, the DSA key the one for protocol version 2. It is a very good idea to keep external backup copies of these keys! Treat the private halves ('ssh_host_key' and 'ssh_host_dsa_key') like passwords: they must stay readable by root only, and a backup has to be stored just as carefully, because anyone who obtains them can impersonate your server. Publish the fingerprints (on a web page, in your mail signature, ...) so that users can verify them at their first connection.
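The fingerprint printed above is what a user sees at his first connection (the "authenticity of host ... can't be established" prompt earlier on this page), and the only thing he can check it against is a fingerprint you published. The following added Python example (not part of this page or of OpenSSH) shows what that fingerprint is: for a protocol-version-2 key of the 'ssh-rsa' kind it is simply a hash of the base64-decoded key as stored in the .pub file. The example builds a constructed ssh-rsa host key with a toy modulus, derives the colon-separated MD5 fingerprint of the era as well as the SHA256 form newer OpenSSH prints, and performs the 'known_hosts' check the client makes, distinguishing an unknown host, a trusted one and the changed-key case that triggers the big warning. Host name, address and key material are made up; the protocol-version-1 'ssh_host_key.pub' file uses a different text format that is not handled here.

```python
import base64
import hashlib
import struct


def ssh_string(data):
    """SSH wire encoding of a byte string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value):
    """SSH wire encoding of a positive big integer (extra 0x00 if the top bit is set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return ssh_string(raw)


def rsa_public_blob(e, n):
    """The binary public key that an 'ssh-rsa' line carries in base64."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def pubkey_line(blob, comment):
    """Format a key the way it appears in a .pub file or in known_hosts."""
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def parse_pubkey_line(line):
    """Inverse of pubkey_line: 'ssh-rsa <base64> [comment]' -> (keytype, blob)."""
    fields = line.split()
    return fields[0], base64.b64decode(fields[1])


def fingerprint_md5(blob):
    """Old-style fingerprint: MD5 of the key blob, shown as colon-separated hex."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob):
    """Fingerprint format printed by newer OpenSSH: SHA256, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def check_known_hosts(known_hosts_text, host, keytype, blob):
    """What the client decides when a server presents `blob` for `host`:
    'unknown' (first connection: ask the user), 'trusted' (matches the stored
    key) or 'CHANGED' (a different key of the same type: possible man-in-the-middle)."""
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, ktype, b64 = line.split()[:3]      # "name,ip type base64 [comment]"
        if host not in hosts.split(",") or ktype != keytype:
            continue
        if base64.b64decode(b64) == blob:
            return "trusted"
        return "CHANGED"
    return "unknown"


# Constructed sample data: toy moduli standing in for real 1024-bit ones, and
# the known_hosts file a client would have after one accepted connection.
HOST_BLOB = rsa_public_blob(65537, (0xC0FFEE << 200) | 0x1234567890ABCDEF)
OTHER_BLOB = rsa_public_blob(65537, (0xDEADBEEF << 160) | 1)
KNOWN_HOSTS = ("# constructed example, not a real file\n"
               "mandrake.example.com,192.0.2.10 " + pubkey_line(HOST_BLOB, "root@mandrake") + "\n")


if __name__ == "__main__":
    print("publish this:", fingerprint_md5(HOST_BLOB), "/", fingerprint_sha256(HOST_BLOB))
    for host, blob in [("mandrake.example.com", HOST_BLOB),
                       ("mandrake.example.com", OTHER_BLOB),
                       ("other.example.com", HOST_BLOB)]:
        print(f"{host:22} -> {check_known_hosts(KNOWN_HOSTS, host, 'ssh-rsa', blob)}")
```

On the server, 'ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub' (or any other .pub file) prints the fingerprint of the real key in the same way; newer versions print the SHA256 form by default and accept '-E md5' for the old one. The '1024' in front of the fingerprint in the client's prompt is the key size, not part of the hash.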

Start the server with

service sshd start

That's all. Now external ssh-clients can connect to the machine (provided they have an account on your machine, naturally). If you want the SSH server to be started every time you boot the machine, run

chkconfig --add sshd

once (as 'root').


Now that you've got it running, learn how to set up SSH in the next part.

Legal: All texts on this site are covered by the GNU Free Documentation License. Standard disclaimers of warranty apply. Copyright LSTB (Tom Berger) and Mandrakesoft 1999-2002.