
SSH Mastery
OpenSSH, PuTTY, Tunnels and Keys
Michael W Lucas
http://www.MichaelWLucas.com
BSDCan 2012

About Me
Author
BSD pusher
irremediable smartass

About You
How many OpenSSH clients?
How many PuT
TY clients?
name?
your goals here?

Contents
SSH Overview
Encryption 101
OpenSSH Server
Host Key Verification
SSH clients
Copying Files over SSH
SSH Keys
X Forwarding

Contents II
Port Forwarding
Host Key Distribution
Limiting OpenSSH
OpenSSH VPNs

Security Warning
SSH is a tool
Tools can be used for good or evil
SSH can help you save your company
SSH can help you destroy your company
MWL is not responsible for reasonable or unreasonable damages caused by your use/abuse of SSH

SSH Overview
What is SSH?
What is OpenSSH?

SSH Servers
OpenSSH – most popular
SSH.com – commercial

SSH Clients
OpenSSH – Unix-like
PuTTY – Windows

SSH Protocol Versions
SSH-1, original SSH
created in 1995 by one guy, Tatu Ylönen, for his own uses
can be decrypted by packet sniffers
do not use SSH-1
SSH 1.3, 1.5, 1.99 = SSH-1
SSH-2, modern SSH
only use SSH-2

Encryption 101
plain text = readable
ciphertext = unreadable
algorithm = method for transforming plaintext to ciphertext & back
key = secret string used as algorithm seed

Encryption Algorithms
Symmetric
same method & key used to encrypt & decrypt
A=1, B=2, etc
Fast
Asymmetric
different methods to encrypt or decrypt
one key for encryption
different key for decryption
slow

Public Key Encryption
Asymmetric algorithm
give one key away
keep one key secret
used for SSH, HTTPS, PGP, etc
Many different asymmetric public key algorithms – RSA, DSA, Blowfish, etc
Use recommended algorithms

How SSH Uses Encryption
Public key for initial session setup
Agree on temporary symmetric secret
symmetric for most of session
occasional rekeys

Cool Is Not Secure
The algorithms used, and the order they are tried in, are chosen for a reason
Do NOT change them

Configuration Files
all in /etc/ssh
ssh_config – host-wide client config
ssh_host_*_key.pub – public keys
ssh_host_*_key – private keys
sshd_config – server config

The OpenSSH Server
Included by default in any server OS at this conference
Also available for Windows, via Cygwin, sshforwindows, etc.

Testing sshd
/etc/ssh/sshd_config
/usr/sbin/sshd -f sshd_config_test -p 222
test alternate configuration
/usr/sbin/sshd -f sshd_config_test -p 222 -ddd
run in foreground
one connection only
useful for weird debugging

Config File Syntax
Boring option-then-value syntax
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

Network & Protocol Options
Port 22
AddressFamily any (inet | inet6)
ListenAddress 0.0.0.0 | ::
Protocol 2 – no excuses for your servers!

Banner & motd
Banners appear before auth, but might not work for all clients & can interfere with automation
Banner /etc/ssh/ssh-banner
motd always displays, after auth
PrintMotd yes

Verify clients against DNS
UseDNS yes
makes sure forward & reverse DNS match
subject to DNS attacks
IPv6
Conclusion: don't bother

Restricting Access by User or Group
Processed in order listed in config file
first-match basis
[Deny,Allow]Users – user list
[Deny,Allow]Groups – group list

Restrict by User or Group II
Demo system:
wheel: mwlucas
staff: mwlucas, pkdick, jgballard
support: pkdick, mwlucas
billing: jgballard

Deny Billing People
OK:
DenyUsers jgballard
Better:
DenyGroups billing

Allow only admins
Presence of an Allow* option tells sshd to deny logins by default
AllowGroups wheel

Deny one user in group
Users and groups distributed via LDAP. One admin is forbidden access to this server.
DenyUsers pkdick
AllowGroups support

Automation
rsync user from one machine
AllowUsers backup@192.0.2.0/24
AllowGroups support wheel
List hosts by network or hostname, but beware DNS

Wildcards
? matches exactly one character
* matches zero or more characters
*.blackhelicopters.org – any host
?????.blackhelicopters.org – matches sloth & wrath, not envy or gluttony.

Wildcards in Networks
192.0.2.1? – 192.0.2.10 through 192.0.2.19
192.0.2.* – any host in 192.0.2.0/24
192.0.2.0/24 – by netmask
Separate multiple entries with commas.

Negation
!*.blackhelicopters.org – everything that's not under this domain.
Excludes blackhelicopters.org itself
Best with exclusions
!lust.blackhelicopters.org,*.blackhelicopters.org
djm describes as "a little fiddly"
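
The pattern rules on the last three slides, as an added Python example (not from the talk): a re-implementation of the match_pattern() and match_pattern_list() rules from OpenSSH's match.c, so you can check an AllowUsers host part, a Match Host list or a known_hosts pattern before deploying it. The host names are the slide's; the return convention (1 positive, -1 negated match, 0 no match) is OpenSSH's.

```python
def match_pattern(s, pattern):
    """OpenSSH match_pattern(): '*' matches zero or more characters,
    '?' exactly one; everything else must match literally (case-sensitive)."""
    if not pattern:
        return s == ""
    if pattern[0] == "*":
        # '*' may absorb any prefix of s, including the empty one
        return any(match_pattern(s[i:], pattern[1:]) for i in range(len(s) + 1))
    if pattern[0] == "?":
        return s != "" and match_pattern(s[1:], pattern[1:])
    return s != "" and s[0] == pattern[0] and match_pattern(s[1:], pattern[1:])


def match_pattern_list(s, patterns):
    """OpenSSH match_pattern_list(): comma-separated list, '!' negates.
    Returns 1 on a positive match, -1 if a negated pattern matched, 0 if
    nothing matched. A matching negation wins immediately, and a list made
    only of negations can never return 1 (the "a little fiddly" part)."""
    got_positive = False
    for sub in patterns.split(","):
        negated = sub.startswith("!")
        if negated:
            sub = sub[1:]
        if match_pattern(s, sub):
            if negated:
                return -1
            got_positive = True
    return 1 if got_positive else 0


def allowed(host, patterns):
    """What sshd does with an AllowUsers host part or a Match Host list."""
    return match_pattern_list(host, patterns) == 1


SLIDE_HOSTS = ["sloth", "wrath", "envy", "gluttony", "lust"]


def demo():
    """Run the slide's examples; returns {pattern: [hosts allowed]}."""
    fqdns = [h + ".blackhelicopters.org" for h in SLIDE_HOSTS] + ["lust.example.com"]
    results = {}
    for pat in ("?????.blackhelicopters.org",
                "!*.blackhelicopters.org",                            # matches nothing at all
                "!lust.blackhelicopters.org,*.blackhelicopters.org",  # all but lust
                "!*.blackhelicopters.org,*"):                         # everything outside the domain
        results[pat] = [h for h in fqdns if allowed(h, pat)]
    return results


if __name__ == "__main__":
    for pat, hosts in demo().items():
        print("%-52s -> %s" % (pat, hosts))
```

Note that a bare "!*.blackhelicopters.org" matches nothing: sshd_config(5) says a negated pattern never produces a positive result by itself, which is why the slide's exclusion form adds a positive term.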



Conditional Configuration
Match by user, group, network, etc
Example, X11 forwarding
Match User mwlucas
X11Forwarding yes

More User Matches
Match Group wheel
X11Forwarding yes
Match User mwlucas,jgballard
X11Forwarding yes

Match by Host
Match Address 192.0.2.0/29,192.0.2.128/25
X11Forwarding yes
Match Host *.blackhelicopters.org
X11Forwarding yes

Multiple Matches
Match Address 192.0.2.8 User mwlucas
X11Forwarding yes

Permitted Matches
Can only match on certain items
see sshd_config(5) for full list
In short, can change auth methods, chroot, access, key locations, maximums, etc.
Cannot change things like UsePAM, ChallengeResponseAuthentication, etc.

Placing Matches
All configuration that follows a Match belongs to that Match, until next Match or EOF.
Place Matches at end

Sample Matches
X11Forwarding no
PasswordAuthentication no
...
Match Group wheel
X11Forwarding yes
Match Address 192.0.2.0/29,192.0.2.128/25
PasswordAuthentication yes

Root SSH Access
Do not allow logging in as root
Use sudo, pfexec, other tools

Chrooting Users
Useful for Web servers, other multi-user servers with individual cells
Must populate chroot (varies by OS)
set permissions on chroot
create home dir for imprisoned user
create device nodes
install shell

Permissions & Directory
chroot directory owned by root, just like system home dir
User's $HOME from /etc/passwd relative to jail.
If $HOME is /home/pkdick, and chroot is /prison/, directory is /prison/home/pkdick
$HOME owned by user, contains dotfiles, etc
static-linked shell

Device Nodes
Varies by OS, devfs or MAKEDEV
expect /dev/urandom, /dev/null, /dev/stderr, /dev/stdin, /dev/stdout, /dev/tty, /dev/zero

Assign chroot
Specify user's root directory as the ChrootDirectory. Dumps everyone together in one chroot.
ChrootDirectory /prison
%h = user's home directory in /etc/passwd. Locks user into their own directory
ChrootDirectory %h

More chroot
%u expands to username. Lots of unique users in shared chroot area.
ChrootDirectory /prison/home/%u
Choosing users
ChrootDirectory none
...
Match Group billing
ChrootDirectory /prison/billing
If most users chrooted, reverse & allow wheel shell

Protecting sshd
Hail Mary Cloud
privilege separation
packet filter, TCP wrappers
disable passwords, allow only keys
change port?

Verifying Server Keys
Long strings of text
Many users dismiss verifying keys as impossible
Is entirely possible, you can make it easier
Automated distribution is best

Get the Server Fingerprint
# ssh-keygen -lf ssh_host_rsa_key.pub
2048 <fingerprint> /etc/ssh/ssh_host_rsa_key.pub (RSA)
Capture all keys to file
Can also use ssh-keyscan, requires you verify all keys yourself

Make Keys Available
Must get fingerprints to users
access must be easy & secure
easiest: secure Web site
don't use email or unencrypted public site
Later: how to do this for your users

Verifying Clients
Both OpenSSH client & PuTTY present host key fingerprint for verification upon first connection

Changed Host Keys
User gets a warning upon connection that the key has changed. Possibilities:
Sysadmin oops!
Client is wrong. Desktop security? Corrupt cache?
Server upgrade? Get new fingerprint
round-robin DNS?
Intruder controls server
DO NOT CONNECT UNTIL YOU KNOW WHY

SSH Clients
How many PuTTY users in the room?
How many OpenSSH client users in the room?

Debugging OpenSSH Client
ssh -v hostname
increase number of -vs for more detailed debugging
actually read the output

ssh Configuration
/etc/ssh/ssh_config – global
$HOME/.ssh/config – individual
Documented in ssh_config(5)
Use alternate with -F filename
All config options work in both
Can use patterns just like sshd

Per-Server Configuration
Host *.blackhelicopters.org
Port 2222
Matches
ssh avarice.blackhelicopters.org
does not match
ssh avarice
Can also use IP, netmask, patterns

Changing Username
on command line
$ ssh jerkface@server.customer.com
$ ssh -l jerkface server.customer.com
In config file
Host server.customer.com server
User jerkface

Changing Port
On command line
$ ssh -p 2222 gluttony
In config file
Host gluttony
Port 2222

Options on Command Line
Anything in ssh(1) can be specified on command line with -o
$ ssh -o BindAddress=192.0.2.5 gluttony
You can use multiple -o
Use the config file

Updating Host Key Cache
Keys cached in $HOME/.ssh/known_hosts
Update policy option: StrictHostKeyChecking
Only update by hand? Set to yes.
Auto-add new hosts? Set to no. Daft.
Ask user to verify, then add? Set to ask.

Hashing known_hosts
Hash hostnames in known_hosts, so intruder doesn't know your network
HashKnownHosts yes
Use ssh-keygen -H to hash unhashed entries

PuTTY Client
Windows SSH, telnet, serial, rlogin <cough> client
Download from http://www.chiark.greenend.org.uk/~sgtatham/putty/
Not by the OpenSSH paranoids, still pretty good
Download the full installer

Saving PuTTY Defaults
Example: set default username
Beneath "Connection," select "Data."
In "auto-login," put username
Save as Default Settings

Saving PuTTY Sessions
Add server hostname, protocol, port, etc.
Enter session name
click Save
Can also save other settings, such as X11 forwarding, as sessions, e.g., "dns1-x11"
Saved defaults do not propagate to saved sessions!

PuTTY Management
Upper left hand corner drop-down menu.
Useful tricks:
Duplicate Session
Saved Sessions
New Sessions
Change Settings

PuTTY Configuration
In Windows Registry, under HKEY_CURRENT_USER\Software\SimonTatham
Can copy from machine to machine
Can distribute valid configs via Active Directory

Debugging PuTTY
Event Log, in upper left drop-down menu
serious debugging, use Session Log.
Before opening new session, go to Session -> Logging
Choose log type. I usually use All session output.
Give directory and name for debug file

Copy Files over SSH
FTP predates TCP/IP. It's an appalling protocol.
apps like rsync travel over SSH
Two SSH-based protocols, SFTP and SCP
SCP: rcp with SSH backend. Basically unmaintained
SFTP: newer copy program, maintained

SCP
copies individual files
$ scp source-host:file dest-host:file
Copy data1 to host server1:
$ scp data1 server1:
Without the colon, I securely copy file data1 to local file server1. Probably not right.

SCP II
Copy remote file to local:
$ scp server1:data1 .
Change filename
$ scp data1 server1:data2
Change location:
$ scp data1 server1:/tmp/

SCP III
Change usernames
$ scp data1 jerkface@server1:
Recursive scp
$ scp -rp /home/mwlucas server1:

SFTP
More modern, interactive
looks awfully like FTP
$ sftp server1
sftp> put data1
sftp> get data2
sftp> lcd /tmp
sftp> cd /var/db/postgres

Per-Host Configuration
Both read ssh_config
ssh command-line options don't always map to scp/sftp, e.g., use -P to change port

Windows SCP/SFTP
Command-line apps like pscp.
Use WinSCP for GUI app
Free for personal use, restrictions to redistribute
transparently switches between SFTP and SCP protocols depending on what server supports
Looks like any other Windows app

WinSCP tips
Import PuTTY key cache: Saved Sessions -> Tools -> Import.
Turn off SSHv1: select SSH, set Preferred SSH protocol version to 2. Select Stored Sessions, then Save defaults...
Defaults do not propagate to saved sessions
Explorer-style window: Preferences, choose Explorer.

Configuring SCP/SFTP server
For scp, scp(1) must be in default system $PATH.
SFTP server bundled with sshd, activated with sshd_config
Subsystem sftp /usr/libexec/sftp-server
Disabling only removes obvious file copy methods. If you're really concerned, chroot sftp users.

SFTP-Only Users
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

SSH Key Auth
Passwords are a weak point in security
Humans make really bad passwords
one-time auth (OPIE) annoying
two-factor auth annoying and introduces additional points of failure
Give each user a keypair, encrypted with a passphrase

Passphrase
Text string used to encrypt private key
If private key is stolen, useless without passphrase
Make passphrase too long to guess by brute force, too complex to guess, too long to shoulder-surf.
Numbers, words, letters, symbols and space.
http://xkcd.com/936/

Good Passphrases
Not a cliche, saying, or media catchphrase
My passphrase from 1999:
"Come closer, my darling child, but not too close, for I, too, cannot be trusted."
It's a mingling of two different translations of Lautreamont's Maldoror (1868).
I can still remember it, you'd have a hard time guessing it.
I am not recommending you read the book.
My current passphrase is longer & more obscure

Why Kill Passwords?
Simple two-factor auth (passphrase & file)
SSH-breaking clouds (Hail Mary)
Shuts up smart SSH scanners

SSH Agents
Typing passphrases is more annoying than typing passwords
SSH agent takes the key file, accepts your passphrase, and stores decrypted private key in memory (never to disk)
When you SSH to a host, SSH client asks agent for passphrase
Type passphrase once, use it all day

Agent Risks
Lock Your Desktop!
Multiuser Machines
Sysadmins

Install Public Key on Server
$HOME/.ssh/authorized_keys
Should be readable by everyone – it's public
Should not be writable by anyone but you
Use SCP/SFTP, not copy & paste
ssh-copy-id

Create Keypair with OpenSSH
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mwlucas/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): ...
Enter same passphrase again: ...
Your identification has been saved in /home/mwlucas/.ssh/id_rsa.
Your public key has been saved in /home/mwlucas/.ssh/id_rsa.pub.
The key fingerprint is: ...

Using SSH Key for Auth
client$ ssh sloth
Enter passphrase for key '/home/mwlucas/.ssh/id_rsa': ...
sloth$

OpenSSH Agent
Varies by desktop GUI, might Just Work
Command-line:
$ ssh-agent /bin/tcsh
$ ssh-add
XDM: use openssh-askpass
startx: use command-line before starting GUI (WindowMaker), or maybe just ssh-add (cwm)

PuTTY User Auth Keys
Use PuTTYgen, included with full install
Very standard Windows GUI; start, click "Generate"
1024 bits is minimum, unless you're logging into a VAX
Save generated key.
Select Conversions -> Export OpenSSH Key.

Using Auth Keys w/PuTTY
For first attempt, use key without agent
On left side of PuTTY, select Connection -> SSH -> Auth. Give full path to private key file.
Install key on server.
Log in.
Should be asked for passphrase.
Do not save this session

PuTTY Agent: Pageant
Select Add Key, browse to your key, select, enter passphrase
Enter passphrase again. Eventually you'll get it right.
SSH to your server
PuTTY enable/disable agent: Connection -> SSH -> Auth, "Attempt Authentication using Pageant" checkbox

Pageant at Startup
Add Pageant shortcut to Startup menu
Edit Target field to add full path to private key.
"C:\Program Files\PuTTY\pageant.exe" "C:\Users\mwlucas\keys\work.ppk"

Key File Management
One key per client machine
Back up private keys to offline media

Disabling Passwords in sshd
/etc/ssh/sshd_config
ChallengeResponseAuthentication no
PasswordAuthentication no
PubkeyAuthentication yes
UsePAM no

Selectively Allow Passwords
Match Address 192.0.2.0/24
PasswordAuthentication yes

Agent Forwarding
Servers only allowing login via key, good
Must copy file from one server to another
Don't want to copy private key to server
Solution? Forward agent requests back to desktop
Forwards requests through $SSH_AUTH_SOCK, back to client.

Agent Forwarding Risks
Anyone who can access socket can access agent.
Do you trust root?
Do you trust machine?

Enable Forwarding
On server
AllowAgentForwarding yes
in ssh
ForwardAgent yes
in PuTTY
Connection -> Data -> SSH -> Auth.
Under Authentication Parameters.
Forward Agent check box.

pam_ssh_agent_auth
auto-auth sudo via your SSH agent
in sudoers:
Defaults env_keep += "SSH_AUTH_SOCK",timestamp_timeout=0
sudo PAM config:
auth sufficient /usr/local/lib/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
auth required pam_deny.so
account include system
session required pam_permit.so

Security Sensitive Topics
SSH can act as arbitrary wrapper around other protocols
Network admins love them
Security managers hate them
Which one is you?

X11 Forwarding
Enable on server
X11Forwarding yes
Enable X11 secure subset on client
ForwardX11 yes
Enable all of X11 on client
ForwardX11Trusted yes
Can enable per-host, per-user, etc.

Is X11 Forwarding Working?
Check $DISPLAY
$ echo $DISPLAY
localhost:10.0
Any other result = X not going over SSH!
Test with xterm, xeyes, etc.

PuTTY X11 Forwarding
Need X server
Xming – X.org based – on sourceforge
PuTTY X11 forwarding = X11Trusted
On by default
Connection -> SSH -> X11, first box is Enable X11 Forwarding
Turn it off by default, on as needed

Port Forwarding
Wrap arbitrary traffic inside SSH
Drives corporate security admins insane, because users can bypass access controls
Network and server guys love it, for the same reason
Obey corporate security policy

Port Forwarding Types
Local Port Forwarding
grab a port on local machine
attach to SSH server
Remote Port Forwarding
grab a port on remote machine
attach to SSH client
Dynamic Port Forwarding
forward all traffic to server via SOCKS

Privileged Ports
On Unix-like systems, ports below 1024 can only be bound by root.
Affects port forwarding as well.
Can forward to a privileged port, not just from.
Can forward any port on Windows-like systems

Local Forwarding
Attach local port to remote port
Tunnel insecure protocol over SSH
$ ssh -L localIP:localport:remoteIP:remoteport host
If no IP specified, attach to 127.0.0.1; can skip first colon in that case
Can set permanently in ssh_config
LocalForward localIP:localport remoteIP:remoteport

ssh: tunnel HTTP over SSH
connect port 80 on localhost to port 80 on server's localhost
must run as root
$ sudo ssh -L 80:127.0.0.1:80 mwlucas@www
Make /etc/hosts entry pointing host at 127.0.0.1
To set permanently, use ssh_config entry
Host www
LocalForward localhost:8080 localhost:80

PuTTY: tunnel HTTP over SSH
Select Connection -> SSH -> Tunnels
Set "source port" to 80
Set Destination to 127.0.0.1:80
at the bottom, select Local
To bind network-facing IP locally, select "Local ports accept connections from other hosts"

Remote Port Forwarding
Attach remote port to local port
Tunnel insecure protocol over SSH
$ ssh -R remoteIP:remoteport:localIP:localport host
If no IP specified, attach to 127.0.0.1; can skip first colon in that case
Can set permanently in ssh_config
RemoteForward remoteIP:remoteport localIP:localport

ssh: remote forward SSH
connect port 2222 on server's localhost to port 22 on client's localhost
$ sudo ssh -R 2222:127.0.0.1:22 mwlucas@www
To set permanently, use ssh_config entry
Host www
RemoteForward localhost:2222 localhost:22

PuTTY: remote forward SSH
Select Connection -> SSH -> Tunnels
Set "source port" to 2222
Set Destination to 127.0.0.1:22
at the bottom, select Remote
To bind network-facing IP on server, select "Local ports accept connections from other hosts"

Using Remote Forwarding
Log into server
SSH to port 2222
will be connected to client's SSH daemon
this is why security admins hate it

Dynamic Port Forwarding
Attach local port to server
Local port is SOCKS proxy
$ ssh -D localIP:localport server
If no IP specified, attach to 127.0.0.1; can skip colon in that case
Can set permanently in ssh_config
Host servername
DynamicForward host:port

ssh: dynamic forwarding
SOCKS proxy on port 9999 of the client's localhost, tunnelled through server www
$ ssh -D 9999 www
To set permanently, use ssh_config entry
Host www
DynamicForward workstation:9999

PuTTY Dynamic Forwarding
Select Connection -> SSH -> Tunnels
Set "source port" to 9999
Leave Destination blank
at the bottom, select Dynamic
To bind network-facing IP on server, select "Local ports accept connections from other hosts"

Testing Dynamic Forwarding
Configure Web browser to use SOCKS proxy on localhost, port 9999
Browse out to Internet, bypassing company security policy

Impact on company security
an illicit SOCKS proxy in a secure environment will get you fired with prejudice.
Or you can legitimately use dynamic forwarding to access your secure environment.
Po-tay-to, po-tah-to

Choosing IP Addresses
Bind to local address, only client or server can use the forwarding
Bind to network-facing address, everyone can use it.
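
An added Python example (not from the talk) that parses the -L, -R and -D specs used on the preceding slides, renders the equivalent LocalForward/RemoteForward/DynamicForward line, and flags the two things this section warns about: a listener bound to a network-facing address (ssh(1) treats an empty address or * as all interfaces) and a privileged port that needs root on a Unix-like system. The specs are the deck's own; the helper names are mine.

```python
PRIVILEGED_BELOW = 1024
LOOPBACK = ("localhost", "127.0.0.1", "::1")


def parse_forward(kind, spec):
    """kind is 'L', 'R' or 'D' (the ssh flag). Spec forms, as on the slides:
    -L/-R  [bindIP:]listenport:targetIP:targetport      -D  [bindIP:]listenport
    A missing bind address means the loopback side (the GatewayPorts default)."""
    parts = spec.split(":")
    if kind == "D":
        if len(parts) not in (1, 2):
            raise ValueError("bad -D spec: %r" % spec)
        bind = parts[0] if len(parts) == 2 else None
        port, target, target_port = parts[-1], None, None
    elif kind in ("L", "R"):
        if len(parts) not in (3, 4):
            raise ValueError("bad -%s spec: %r" % (kind, spec))
        bind = parts[0] if len(parts) == 4 else None
        port, target, target_port = parts[-3], parts[-2], int(parts[-1])
    else:
        raise ValueError("kind must be L, R or D")
    return {"kind": kind, "bind": bind, "port": int(port),
            "target": target, "target_port": target_port}


def listener_side(kind):
    """-R opens the listening port on the server; -L and -D open it on the client."""
    return "server" if kind == "R" else "client"


def audit_forward(kind, spec):
    """Return (parsed, findings). An empty list means loopback-only and unprivileged."""
    fwd = parse_forward(kind, spec)
    side = listener_side(kind)
    findings = []
    if fwd["bind"] is not None and fwd["bind"] not in LOOPBACK:
        shown = fwd["bind"] or "*"   # '' and '*' both mean every interface
        findings.append("port %d on the %s is bound to %s: other hosts can use this forward"
                        % (fwd["port"], side, shown))
    if fwd["port"] < PRIVILEGED_BELOW:
        findings.append("port %d on the %s is privileged: needs root on Unix-like systems"
                        % (fwd["port"], side))
    if kind == "R":
        findings.append("exposes client-side %s:%d to users of the server"
                        % (fwd["target"], fwd["target_port"]))
    if kind == "D":
        findings.append("SOCKS proxy: any destination reachable from the server")
    return fwd, findings


def config_line(kind, spec):
    """The ssh_config equivalent of the command-line flag."""
    fwd = parse_forward(kind, spec)
    listen = "%s:%d" % (fwd["bind"], fwd["port"]) if fwd["bind"] is not None else str(fwd["port"])
    if kind == "D":
        return "DynamicForward " + listen
    keyword = "LocalForward" if kind == "L" else "RemoteForward"
    return "%s %s %s:%d" % (keyword, listen, fwd["target"], fwd["target_port"])


if __name__ == "__main__":
    for kind, spec in (("L", "80:127.0.0.1:80"), ("L", "localhost:8080:localhost:80"),
                       ("R", "2222:127.0.0.1:22"), ("D", "9999"), ("D", "*:9999")):
        print("-%s %s  =>  %s" % (kind, spec, config_line(kind, spec)), audit_forward(kind, spec)[1])
```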

Host Key Distribution
Your users cannot be trusted.
You don't want to be bothered by dumb user questions
If a user sees a warning, it should be scary
Distribute pre-verified host keys to client machines solves all this

Gather Host Keys
build your own known_hosts with all algorithms
ssh -o HostKeyAlgorithms=ssh-rsa server
ssh -o HostKeyAlgorithms=ssh-dss server
ssh -o HostKeyAlgorithms=ecdsa-sha2-nistp256 server

OpenSSH Host Key Distribution
ssh checks /etc/ssh/ssh_known_hosts as well as $HOME/.ssh/known_hosts
Automate distribution: rsync, puppet, whatever
To revoke a key, put string @revoked in front of entry. User will see scary warning.
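
An added Python example (not from the talk) that ties the fingerprint, HashKnownHosts and @revoked slides together: it parses known_hosts entries, matches a hostname against plain and hashed (|1|salt|hmac) entries, honours the @revoked marker, and prints the MD5 colon fingerprint that ssh-keygen -lf showed earlier. The entries, salt and key blob are constructed here and are not real keys.

```python
import base64
import hashlib
import hmac


def parse_known_hosts_line(line):
    """Return (marker, hostfield, keytype, key_blob) for one known_hosts entry.
    marker is '@revoked' or '@cert-authority' when present, else None."""
    fields = line.split()
    marker = fields.pop(0) if fields and fields[0].startswith("@") else None
    if len(fields) < 3:
        raise ValueError("malformed known_hosts line: %r" % line)
    return marker, fields[0], fields[1], base64.b64decode(fields[2])


def hash_hostname(hostname, salt):
    """HashKnownHosts / ssh-keygen -H form: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(hostfield, hostname):
    """Plain entries list names separated by commas; hashed entries carry one name.
    Wildcard patterns are left out to keep the example short."""
    if hostfield.startswith("|1|"):
        salt = base64.b64decode(hostfield.split("|")[2])
        return hmac.compare_digest(hash_hostname(hostname, salt), hostfield)
    return hostname in hostfield.split(",")


def md5_fingerprint(key_blob):
    """The 16-pair colon form printed by 2012-era ssh-keygen -l (modern versions show SHA256)."""
    digest = hashlib.md5(key_blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def lookup(lines, hostname):
    """First matching entry wins, so pass the $HOME/.ssh/known_hosts lines before the
    /etc/ssh/ssh_known_hosts lines. Returns (status, keytype, fingerprint) or None."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        marker, hostfield, keytype, blob = parse_known_hosts_line(line)
        if host_matches(hostfield, hostname):
            status = "revoked" if marker == "@revoked" else "ok"
            return status, keytype, md5_fingerprint(blob)
    return None


# Constructed key blob: wire-format "ssh-rsa" string plus two tiny mpints. Not a usable key.
FAKE_BLOB = b"\x00\x00\x00\x07ssh-rsa" + b"\x00\x00\x00\x03\x01\x00\x01" + b"\x00\x00\x00\x01\x2b"
FAKE_B64 = base64.b64encode(FAKE_BLOB).decode()
FAKE_SALT = b"constructed-salt-20b"  # ssh uses 20 random bytes; fixed here for the demo

PERSONAL = [hash_hostname("sloth.blackhelicopters.org", FAKE_SALT) + " ssh-rsa " + FAKE_B64]
SYSTEM = ["@revoked wrath.blackhelicopters.org,192.0.2.7 ssh-rsa " + FAKE_B64,
          "gluttony.blackhelicopters.org ssh-rsa " + FAKE_B64]

if __name__ == "__main__":
    for host in ("sloth.blackhelicopters.org", "wrath.blackhelicopters.org", "envy.blackhelicopters.org"):
        print(host, "->", lookup(PERSONAL + SYSTEM, host))
```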

ssh_known_hosts vs known_hosts
$HOME/.ssh/known_hosts checked before /etc/ssh/ssh_known_hosts
Best to move known_hosts to known_hosts_personal
Don't just erase; user might have legitimate keys not on your network

Distributing known_hosts for PuTTY
kh2reg.py part of PuTTY distribution
$ kh2reg.py known_hosts > puttykids.reg
install reg script via login script / AD

Limiting SSH
keywords in authorized_keys can limit actions possible over SSH.
authorized_keys contains single lines, each the contents of a key.pub file.
ssh-rsa AAAA......== mwlucas@blackhelicopters.org

Keywords in authorized_keys
put limiting keywords at beginning of key
command="/bin/whatever" – this key can only run this command
command="sudo ifconfig tun0 inet 192.0.2.2 netmask 255.255.255.255" ssh-rsa...

Limiting Locations
Restrict which IP addresses a key can be used from:
from="192.0.2.0/24" ssh-rsa AAAA....

Restrict Forwarding
Kill various forwardings
no-agent-forwarding
no-port-forwarding
no-X11-forwarding
Permit certain types of forwarding
permitopen="127.0.0.1:25"

Keys for Automated Processes
rsync, rsnapshot, nagios, etc, can use SSH transport
$ ssh-keygen -f nagios-key -N ''
Have process use this key with -i flag:
$ ssh -i nagios-key server1

Limiting Automated Processes
That which is not necessary is forbidden
command="dump /home > /backups/`date +%s`.dump",from="192.0.2.8",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-rsa AAAA......== mwlucas@blackhelicopters.org
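
An added Python example, not from the talk, that parses the options prefix of authorized_keys lines like the ones on these slides (top-level commas separate options, but a quoted command= value may itself contain commas, spaces and backslash-escaped quotes) and reports which of the deck's "forbid the unnecessary" restrictions an automation key still lacks. The sample lines are modelled on the slides with placeholder base64, not real keys.

```python
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# The restrictions the deck applies to an automated-process key.
# (OpenSSH 7.2+ also has a single 'restrict' option that implies all of these.)
AUTOMATION_RESTRICTIONS = ("command", "from", "no-agent-forwarding",
                           "no-port-forwarding", "no-X11-forwarding")


def split_top_level(text, delimiters):
    """Split text on any delimiter that sits outside double quotes.
    A backslash inside quotes escapes the next character (sshd's rule); the
    escape is kept verbatim so a second pass can split the same way."""
    parts, cur, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if quoted and ch == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch in delimiters and not quoted:
            if cur:
                parts.append("".join(cur))
                cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    if cur:
        parts.append("".join(cur))
    return parts


def parse_authorized_key(line):
    """Return (options, keytype, comment). Flags map to True, name="value" to the
    unquoted value. Everything before the key type is the options prefix."""
    tokens = split_top_level(line.strip(), " \t")
    for idx, tok in enumerate(tokens):
        if tok in KEY_TYPES:
            break
    else:
        raise ValueError("no key type in line: %r" % line)
    options = {}
    for opt in split_top_level("".join(tokens[:idx]), ","):
        name, _, value = opt.partition("=")
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        options[name] = value if value else True
    return options, tokens[idx], " ".join(tokens[idx + 2:])


def missing_restrictions(line):
    """Names the automation restrictions absent from one authorized_keys line."""
    options, _, _ = parse_authorized_key(line)
    return [name for name in AUTOMATION_RESTRICTIONS if name not in options]


# Constructed sample lines modelled on the slides; the base64 is a placeholder.
PLAIN = "ssh-rsa AAAAB3placeholder== mwlucas@blackhelicopters.org"
TUNNEL = ('command="sudo ifconfig tun0 inet 192.0.2.2 netmask 255.255.255.255" '
          "ssh-rsa AAAAB3placeholder== mwlucas@blackhelicopters.org")
BACKUP = ('command="dump /home > /backups/`date +%s`.dump",from="192.0.2.8",'
          "no-agent-forwarding,no-port-forwarding,no-X11-forwarding "
          "ssh-rsa AAAAB3placeholder== mwlucas@blackhelicopters.org")

if __name__ == "__main__":
    for line in (PLAIN, TUNNEL, BACKUP):
        print(parse_authorized_key(line)[0], "missing:", missing_restrictions(line))
```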

Avoiding Root
Use sudo(8) to avoid using root
Sample /etc/sudoers entry
automation ALL=NOPASSWD: /bin/dump /home > /backups/`date +%s`.dump

SSH VPN
You can use SSH as a VPN
Varies widely by operating system
We don't have time to cover all of the options
Don't do this if you have any other choice
Sometimes, you have no other choice
