The ECN No Name Newsletter is no longer being published. This is an archived issue.

SSH -- The Facts, Just The Facts

Joe Gainey, Support Software Specialist
gainey@ecn.purdue.edu

SSH (Secure Shell) is a program used for logging into and executing commands on a remote machine. It is intended as a replacement for rlogin, rsh, and rcp for those wishing a secure, encrypted connection between two hosts on a network. To begin using SSH, place /usr/new/bin at the front of your PATH environment variable. If you have questions, contact your site specialist.

SSH provides many user features using modern authentication and encryption techniques:

strong authentication through a combination of .rhosts and RSA-based host authentication or pure RSA authentication. The client machine will authenticate the server machine before every session to prevent potential security holes such as DNS, IP, or route spoofing.
automatic, transparent encrypted connections to protect against "packet spoofing"
X11 connection forwarding and automatic setup of the X11 environment, providing secure communications between X11 client applications and the X11 server
convenient features that correct annoying problems with rlogin and rsh

SSH is intended as a replacement for rlogin, rsh, and rcp. It can be used in conjunction with rdist to prevent potential snoopers gaining access to secured material.

What is RSA?

RSA, developed in 1978, is an acronym of its inventors: Rivest, Shamir, and Adleman. It has become the most popular and one of the strongest public key cryptographic systems. An RSA key pair is created by multiplying two randomly chosen and very large (more than 100 digits) prime numbers to get their product, called the modulus. The two prime numbers are used with the modulus to create the private and public keys.

The key to RSA's strength is that it is far easier to multiply two numbers than it is to factor them. For example it is easy enough to multiply 11 by 29 to arrive at 319. It would take far longer to work out that 319 is the product of those two numbers (and only those two numbers, since they are both prime numbers).

It has been estimated that it would take an extremely large, powerful computing power to break RSA keys with 768-bit key size. Using a 1024-bit key makes breaking the encryption beyond current computer technology.

Overview Of The Secure Shell Software

There are a number of programs that make up the Secure Shell software.

sshd

This is the server that runs on a machine. This program listens for connections from the client machines on port 22. When a connection is made, it performs the authentication of the client, then begins to serve the client.

ssh

This is the client program. SSH is used to remotely connect to a machine running sshd. Both rlogin and rsh are symbolically linked to this binary. This client connects to port 22 of the server and initiates a connection. After it authenticates itself to the server, it requests server authentication.

scp

This is a smaller SSH client intended to replace the standard rcp command. Scp performs authentication just as the SSH binary and standard rcp functions do.

ssh-keygen

This program is used to create RSA keys for both host and user authentication. The user's RSA keys are normally protected by a pass-phrase described later in this article and are usually stored in

$HOME/.ssh/identity
       and 
$HOME/.ssh/identity.pub

ssh-agent

This authentication agent is used to hold the RSA keys in memory so that they can be read by other programs. This allows people with pass phrase protected RSA keys to type the pass-phrase once.

Using The Secure Shell Software

Most users will rely upon SSH to make connections between a client and server machine. SSH binaries are currently installed in /usr/local/etc/ecn/ssh/ . Typically, SSH will be used identically to rsh/rlogin; however, other methods for using SSH will follow.

Normally SSH is initiated on a command line as follows:

       mustang% ssh hostname

This, of course, is equivalent to using rlogin as:

       mustang% rlogin hostname

In this form SSH will make a connection to the remote machine and start an interactive login shell.

SSH can be used to run commands on remote machines similarly to rsh:

       mustang% ssh <hostname> <command>

The rsh equivalent is the same:

       mustang% rsh < hostname >   < command >

You will notice that in both cases, SSH was used exactly as rsh and rlogin. Its capability far exceeds these two commands.

An average SSH connection follows a series of well defined steps to authenticate and encrypt a connection between two machines. This procedure results in an overhead in both connection and transport time.

SSH will initiate a connection to a remote machine on port 22. After the connection has been established, the client will be asked to authenticate itself through RSA encryption/verification. After the client has been authenticated to the server, the server will be required to authenticate itself to the client.

After the host authentication has been completed, the server and client will exchange the encryption keys used to encrypt the communications channel. Both machines will use RSA encryption to encrypt the encryption key, insuring a secure channel.

User verification is accomplished through .rhosts, RSA authentication, or conventional password-based authentication. Instructions for using different methods will be covered later.

After the user has been verified, the server will allocate a pseudo-terminal (TTY) and start an interactive shell or execute the specified command.

SSH will attempt to set several of the commonly used environment variables appropriately. These variables include:

TERM: This variable describes the type of terminal the user is on and is passed from the client to the server.
DISPLAY: If the DISPLAY variable is set on the client side, the server will attempt to create a dummy X server and set the DISPLAY accordingly. Any connections sent to the DISPLAY will be forwarded through the secure channel and redirected to the true X server. An arbitrary number of X clients can be started without any user configuration. However, if the user manually sets the DISPLAY variable, X clients will not use the encrypted channel. This option can be turned off by specifying the -x option on the client program (ssh -x <hostname>).

Arbitrary X clients can be started on the remote machine by using the SSH command. The recommended procedure is as follows:

       mustang% ssh -f <hostname>   <command>

Using the -f command with SSH will force SSH to disassociate itself from the user's shell and run the remote X application in the background. Notice that this assumes SSH sets the DISPLAY environment variable for the user; be careful to avoid running programs that set the DISPLAY environment variable.

Using Different Types Of Authentication

SSH uses different types of authentication to verify both the user and the host. These types include pure RSA authentication, .rhosts authentication with RSA authentication, and conventional password authentication.

RSA is based on public/private key cryptography. It accomplishes its task by using two encryption keys: one key for encryption and another for decryption. Currently, it is improbable that the decryption key can be derived from the encryption key. The encryption key is public and can be given to anyone. However, the decryption key is a private key. It is a secret and must be stored in a secure place.

RSA is not a new technology; it has been around since 1978. If used properly, no known methods exist for breaking the the RSA encryption or RSA keys larger than 512 bits.

Conventional .rhosts-based authentication is fundamentally insecure. The ability to attack and break into machines through IP, DNS, or routing attacks have been known, documented and exploited for a long time. This method of authentication relies heavily upon the integrity of the client machines.

SSH improves this method of authentication by providing a secure way to authenticate the client and the user. It is possible to still use the .rhosts authentication; however, it is not recommended as it leaves a security hole that can be exploited through normal rsh/rlogin methods. Instead of a .rhosts file, it is strongly recommended that users create a .shosts file in their home directories. The format of the file is exactly the same as the format for .rhosts, except SSH is the only program to use this file. Therefore, the .shost file cannot be exploited by typical rsh/rlogin attacks.

SSH also provides for conventional password verification. Under normal communication methods, like rsh/rlogin/telnet/ftp, when a user enters a password, the password is transmitted across the network to the remote machine in PLAIN TEXT. This method relies heavily upon the integrity of all networks traversed to reach the remote machine. Since SSH provides a secure channel between any two machines connected with SSH, the password is encrypted and is no longer vulnerable to insecure networks where people might be running "packet-sniffers."

Command Line Options

ssh

[-a]: disables forwarding of the authentication agent connection. This may be specified in /var/ssh/ssh_config on a per-host basis.
[-c <encryption type>]: selects the cipher type to use for encrypting the session. In our setup the choices are `idea' or `none.'
[-e <escape-char>]: sets the escape character for sessions with a tty, the default is "~". The escape character is only recognized at the beginning of a line. The escape character followed by a period (.) closes the connection, followed by control-Z suspends the connection, and followed by itself sends the escape character once. Setting the character to `none' disables any escapes.
[-f]: places the connection in the background after authentication has been accomplished.
[-i <identity file>]: selects the file where the user's private key may be found; by default this location is $HOME/.ssh/identity.
[-l <login>]: specifies the login of the user on the remote machine.
[-n]: prevents reading from stdin. This must be used when ssh runs in the background.
[-V]: prints the version number and exits.
[-o `<option>']: gives options on the command line to override the normal configuration options. See the man pages on "ssh" for more information on the -o option.
[-p <port>]: request that SSH use a particular port on a remote machine. This is useful when a remote machine has ssh running on a non-standard port. The standard port is 22.
[-q]: causes SSH to suppress all diagnostic messages. Only fatal errors are displayed.
[-P]: use non-privileged port.
[-v]: causes SSH to print out copious debugging messages. This is very useful when problems occur and should be used whenever problems are reported.
[-x]: disables X11 forwarding.
[-C]: causes the connection to compress all data using GNU zip compression algorithm. The level of compression is controlled by the CompressionLevel option. For more information see the SSH manpages.
[-L <port:host:hostport>]: specifies that the given port on the client is forwarded to the specified port on the given host. Whenever a connection is made to this port, the connection is forwarded to the remote machine over the secure channel.
[-R <port:host:hostport>]: specifies that the given port on the server be forwarded to the local host at the given port.
hostname: name of the remote machine you want to connect to.
[command]: command you want to execute on the remote machine.

ssh-keygen

[-b <bits>]: specifies the bit size of the RSA private/public key pair. The minimum size is 512 bits and the largest suggested size is 1024 bits; anything larger increases the overhead.
[-f <filename>]: specifies the file name in which to load/store the key.
[-N <pass-phrase>]: provides a new pass-phrase (usually 10-30 characters long).
[-C <comment>]: provides a comment.
[-c]: requests changing the pass-phrase.
[-u]: requests that the key's cipher be changed to the current default cipher. The default cipher is IDEA encryption.
[-P]: provides the old pass-phrase.

ssh-agent

Ssh-agent is a program that holds private authentication keys. Initiating ssh-agent at the beginning of an X session or login session will result in all other windows and programs becoming children of the ssh-agent program. For more detailed information see the ssh-agent man pages. Typically, ssh-agent is executed in an eval line:

eval `ssh-agent [-s] [-c]'

[-s]: use sh-style environment variables
[-c]: use csh-style environment variables

ssh-add

[-p]: read pass-phrase from stdin (or pipe)
[-l]: list all identities currently stored in the agent
[-d]: remove the identity from the agent
[-D]: delete all identities from the agent
[file ...]: files containing identities

scp

[-i filename]: selects the file which contains your private key
[-o ssh-options]: SSH options that are passed through to SSH
[-p]: preserves modification times, access times, and modes from the original file
[-r]: recursively copy entire directories
[-v]: verbose mode Prints out SSH debugging messages.
[-C]: enables compression
[-c cipher]: selects cipher type [idea|none]
[-S path-to-ssh]: specifies the path to the SSH program

As a complete replacement for rlogin and rsh, SSH is used for securely logging into and for executing commands on a remote machine. It provides security between two untrusted hosts over an insecure network by encrypting the communications between the machines.

webmaster@ecn.purdue.edu

Last modified: Wednesday, 10-Jun-98 15:08:28 EST

HTML