|
|
This document is available in: English Castellano Deutsch Francais Italiano Nederlands Portugues Russian Turkce Arabic |
by Georges Tarbouriech About the author:
Georges is a long time Unix user (commercial and free). He is very interested in
security and wants to thank the free software community for the great job done in
this area.
Content: |
Abstract:
SSH, the secure shell, is a very good commercial product.
However, there are various great free implementations of ssh clients or servers
available for Unix (commercial or free) or for different OSes.
The best known is OpenSSH, available from http://www.openssh.org. From this website you
can find alternatives for Unix systems, Windos, Mac... For some products such
as Windos you only have free clients.
In this article, we present a few examples on how to use ssh to tunnel data
from/to external applications. VPN (Virtual Private Network) relies on ssh but in a
different way, much more elaborate than the one we take up here. Another
sophisticated solution, is to use VTun.
Accordingly, let's consider this tunneling an easy and simple way to encrypt data in an
heterogeneous network to prevent it from being snooped. Obviously, this is
applicable to both local and remote networks. However, remember ssh only
encrypts data, it won't make your network secure on its own...
You've been warned !
SSH is a replacement for telnet or rsh, rlogin, as already mentioned in a
previous article. Even if some security
problems were found recently in ssh, it remains a good security tool for data
encryption. By the way, the above mentioned security problem concerned passwords
: it's strongly recommended to use passphrases instead and of course RSA keys ! Using ssh doesn't
prevent you from using many other security tools such as tcpwrapper.
It's quite easy to snoop data circulating through a network with
standard tools such as tcpdump or snoop. You can test this on a network where
two machines are exchanging data using telnet, for instance. From a third machine
running Linux, for example, run tcpdump (as root, obviously) and see what
happens. You can read all the data ! (Editors note: the three computers need to be
connected via a hub to test this. It will not work if you have a switch but the
point is still valid.)
Of course the display is too fast to be
read on the screen, but nothing prevents you from redirecting the output to a
file and then to be able to read it while drinking a coffee.
If this is true for the data, it's true for the password : that is,
the door is wide open to the crackers. You give them the key to your
house.
Just imagine if the circulating data is confidential... If you're the
sysadmin, I'm afraid your boss will ask you to get another job
somewhere else.
The remote commands, rsh, rcp, rlogin are very dangerous too,
since the data is not encrypted either. If ssh is a good replacement
for rlogin or rsh, it comes with scp being another good replacement for rcp.
That is, you don't need anymore remote commands or telnet if you use ssh, at least, you shouldn't use them.
How to install ssh, how to generate private and public keys... is not within the
scope of this article. You'll find everything you need within the ssh archive you
download or by reading the documentation available on the matter from the Linux Documentation Project.
Since using a computer today almost always transfers data in one way or
another, ssh should be compulsory... well, it's up to you. However ssh can do much
more than replacing telnet or the remote commands.
It can be used to encrypt the
data transferred between external applications and obviously between different
OSes. It can also compress this data. It's often used with protocols such as
pop, ftp, http... either for compression or encryption. This is very useful, if
you are a sysadmin, for instance, to connect from home to work or vice versa.
Being a client/server application, ssh obviously needs both to work : you
need a machine running an ssh server and a machine running an ssh client (I hope
you noticed how smart I am !).
Why am I insisting on this obvious fact ? Because,
since we are talking about free software, many OSes apart from Unix don't have
free servers. That is, sometimes you won't be able to do the obvious, you'll
have to turn the problem around : the key is called forwarding. More on this
later. That means, using OSes such as Mac OS or Windos implies you
don't have free servers so you will have to manage with clients alone. How to do so isn't
always that obvious. Let's take a few real examples.
If you don't know VNC, you're missing one of the greatest tools ever. You can have a look there to learn more about it.
If you go to the VNC website at
http://www.uk.research.att.com/vnc/docs.html you'll find a lot of documentation concerning
what we are talking about. For instance, you'll find how to use VNC through ssh,
from a Windos ssh client to an Unix ssh server. Accordingly, I won't rewrite Frank
Stajano's great work since it's much better than what I could do.
So, let's see how this can work.
First of all, you have to choose a free Windos client. For this example, we'll
use Teraterm Pro with its Ttssh extension. You can find it at http://hp.vector.co.jp/authors/VA002416/teraterm.html. As a matter of fact, it's called
Ttssf, since it's a version allowed in France. (Things are changing, but be aware
many countries don't accept encryption yet. Check this URL to see the encryption
situation in you own country : http://www2.epic.org/reports/crypto2000/countries.html.)
Now, let's say you launched an ssh server on an Unix machine. On the same
machine, we suppose you can run a vncserver. Once those two servers are
running, you can connect an NT machine to a Unix server using Ttssh.
That means you now have an encrypted connection between the two machines. But
this doesn't allow you to run an encrypted vncviewer protocol (vncclient) from
that NT machine. To do that you need to tell ssh to forward (there we are !) the
right port.
The Unix machine running the vncserver is called "bandit" and uses the port
5901, because it's the display number 1, the default X display for this machine
being 0. The normal use would be to send a command "vncviewer bandit:1". This will
work, of course, but without the data being encrypted. Instead, using the NT
"shell" (that's to say the DOS interface...) , send the command
"/ssh-L5902:bandit:5901" without space. This means, you create a local port
5902. Now a command such as "vncviewer localhost:2" runs an encrypted connection
of the VNC protocol on your NT machine. This can be done without using the
command line since Ttssh has a graphical interface. Let's add this syntax only
concerns Ttssh. Typing the same command from an Unix machine should say :
"ssh -L 5902:bandit:5901 bandit".
This is of course a basic example : you can do much more complex things. Check
the documentation available from VNC website, especially the one from Frank Stajano.
MySQL is probably one of the most used DBMS,
especially on the Internet. Again, securing MySQL is out of the scope of this
article. However, encrypting the data circulating between a MySQL server and a
MySQL client makes the connection more secure. SSH allows you to do that, in the same
way as we did it with VNC, that is port forwarding.
Let's say our example concerns an Intranet. The MySQL server is a Linux box and
most of the clients are NT machines. Once again, we use a Ttssh client on the
Windos machines.
The default MySQL port number is 3306. Then we
forward the same port (3306).
You can do either a local forward or a remote forward.
A local forward will look like "/ssh-L3306:localhost:3306" on the NT machine or
"ssh -L 3306:localhost:3306" on a Unix machine. Using "localhost" allows sending
the data through the loopback interface instead of the host interface.
A remote forward would be "/ssh-R3306:bandit:3306" for NT and "ssh -R
3306:bandit:3306" for Unix.
This only concerns the connection itself. To log into the DBM, you obviously need
to set your hostname and your username for the MySQL server, probably different
from the login username for your machine. Investigate the ssh man pages about option
"-l".
Of course, this will work only if you have a MySQL client on your NT machine.
If you don't, you will need to use an ODBC application, Sybase for instance.
Start this application and use your ODBC driver to link it to MySQL.
You can now connect to the localhost not to the MySQL server
host, to access the MySQL server. The data circulating between the server and the client is now
encrypted. You can check it with snoop or tcpdump.
That's a local network example. If you feel like doing such a thing on WANs, it
should be a bit more complex, if you're behind a firewall.
This can be a way to do some remote administration from home if you're the
sysadmin, but you can't expect to use such a method to access a DBM on a website. You
then will have to look for something much more sophisticated, like VPN for
instance, but this is the idea.
Anyway, don't believe that's enough to set a secure DBM server transferring
confidential data such as credit card numbers ! And, by the way, who really
believes someone saying he has a very secure server able to transfer this sort
of data without any risk ? Personally, I don't !!!
What does this mean since we are already using terminal emulation ?
Let's say you run an old Cobol application on a Unix server. The clients are,
again NT machines. To connect they need a more sophisticated terminal emulation
than vt100, vt220 or vt320, since they have to get the proper user interface. That is,
accents, tables... Setting a standard (vt100, vt220...) terminal emulation to
8bit won't work properly. What you get is just unusable. Accordingly, since it's
a rather old product, you use an "old" terminal emulation specific software.
After a long fight trying to get the right emulation, you find "ibm3151"
gives the best result. So far so good !
But, since the software you use has been developed
many years ago, it doesn't know anything about security. The connection uses
telnet ! As a matter of fact, the data transferred is quite confidential...
So what ? You have to find, at least, a way to encrypt the data. And again, ssh
will help.
Once again, There Is More Than One Way to Do It...
Either you redirect telnet to port 22 (ssh) or you forward the port of the
terminal emulation. But... I'm afraid the server won't accept a normal user
redirecting the telnet port (default is 23) : you must be root to do such a thing (at least I hope
!). Concerning the terminal application, it can be used by different
users at once, thus using different ports for each connection, i.e, 10 users=10
ports.
That's becoming a bit tricky, isn't it ?
So, first of all, the application server must have the ssh server running and
listening to port 22.
>From an NT client, connect to the app server either using Ttssh or the "command
line". That is you establish a secure connection between the server and the
client as a specific user. From the Ttssh options you forward the local port 50000 to the port 23
(telnet) on the remote server. From the command line, it should look like
"ssh-L50000:servername:23". Now you can tell your terminal emulation to run
through port 50000 instead of port 23. The data now circulates through a secure
channel, that means encrypted. You can check it with snoop or tcpdump.
Obviously, you should do the same for each client allowed to connect to the
application, changing the forwarded port number. For example, you could use 50001,
50002, and so on.
Now, you could ask : why such high ports ? The answer is : for many reasons !
Seriously, the main reason is that you can "manipulate" high ports without being
root.
The second reason is that the selected port must not already be in use on both
machines. Example : if the server runs Solaris, many high ports are used,
according to the running services. Thus port 50000 and up should work.
That means you'll have to check the ports in use before forwarding.
Of course, this would work for many other OSes able to use ssh clients.
Concerning the way to automate the process on the clients machines, it's up to
you. You can't ask a "normal" user to do all this before connecting, can you ?
Then, we leave that as an exercise for the readers...
Those few examples show the numerous uses of ssh.
You can do much more with a lot of
applications and ssh. It depends on your needs. However the "philosophy" is almost
always the same : port forwarding.
Nevertheless, be careful when using more complex forwarding. For instance, if
you forward through a third machine, the data circulating in the middle
connection won't be encrypted.
Another drawback concerns Windos clients using Ttssh. The connection to forwarding ports
relies on IP addresses like remote commands do, thus allowing spoofing attacks.
Hence the need to use other tools besides ssh, such as tcpwrappers.
Investigate the "literature" about ssh, it will teach you a lot. Your
imagination will do the rest.
Security should be a concern for everyone, but it isn't ! ssh is only one of the
security tools you can use everyday. It's quite a good one, as soon as you
consider it for what it is, that is an encryption or compression tool.
On its
own, ssh is almost useless, since it won't solve the numerous "holes" you can
have in a machine or a network. Securing a host, or a network, is a big job and
tools don't make everything even if they are quite good.
The basic tasks are
compulsory when it concerns security. Don't forget to remove all the unused
services, check the SUID root programs, disable the "risky" programs... There's a
lot to do and it will never be enough. You can install all the available
security tools, it will be useless if you leave one or more backdoors wide open.
Of course, this is another story, but don't forget the obvious.
Going back to ssh, let's say it is a tool you can't live without, as soon as
you use it properly and for what it has been made. Again, use it with
passphrases and RSA keys, not with passwords. Check the permissions of the
different files in the .ssh directory and of course the permissions of the
directory itself. And again and again, at least use wrappers !
However, remember, you can tunnel through ssh most of the existing protocols.
This can be quite useful to make connections a bit more secure.
There is another common use of ssh we didn't talk about, X session forwarding.
Since this implies running X on different OSes, we intentionally left it off.
But it's well within the scope of protocol tunneling. X not being that secure,
ssh can make things better.
For more sophisticated use, ssh won't be enough. As we said before, check
VPNs or tools like VTun, they probably will help a lot.
Last but not least, check the encryption situation in your own country.
It would be sad to go to jail as a spy just for using a software like ssh.
It's like that...
Anyway, we're living a in great time !
|
Webpages maintained by the LinuxFocus Editor team
© Georges Tarbouriech, FDL LinuxFocus.org Click here to report a fault or send a comment to LinuxFocus |
Translation information:
|
2001-05-01, generated by lfparser version 2.13