
ssh lab

Matsuzaki ‘maz’ Yoshinobu


<maz@iij.ad.jp>

Secure Shell (ssh)
• Replacement for insecure tools/protocols
  • rsh and telnet
• Usually listens on tcp/22
• The whole communication is encrypted
• Ability to check the server’s signature
• Multiple ways to authenticate users
  • public key
  • password

telnet – how insecure?
• Checks ‘username’ + ‘password’
• Plain text

[Figure: the client sends username and password to the server, which holds username:<password> in /etc/passwd]

• Anyone on the wire can monitor the communication
• Password leakage / guessing
• A fake server can steal the username & password

ssh
• ‘username’ + (‘password’ or ‘public key’)
• encrypted communication

[Figure: the client sends username and credential over an encrypted channel; the server presents its host key and holds username:<password> in /etc/passwd and ssh-rsa AAAAB3NzaC1yc2… in $HOME/.ssh/authorized_keys]

• Anyone can monitor the traffic, but it is encrypted
• There is still a risk of password leakage / guessing with password authentication

Password authentication: setup
[Figure: the user and the server hold the same secret information (password); the server stores username:<password> in /etc/passwd]

• Agree on a piece of secret information, called a password, per user

Passwords for multiple hosts
[Figure: one user and three hosts, each with its own /etc/passwd; two hosts store username:<password1> and one stores username:<password2>]

• A user can use the same password or a different one per host
• The user must remember the combinations of host and password

Password for a shared account
[Figure: two users hold the same secret information (password) for one account; the server stores username:<password> in /etc/passwd]

• Users need to share the secret information

Password authentication is dangerous

[Figure: the user sends username and password; the server stores username:<password> in /etc/passwd]

• Users should:
  • remember it
  • type it
  • share it with remote hosts
• a password tends to be short
• using the same one on multiple hosts
• risks of shoulder hacking
• it’s leaky

Public key authentication: setup

[Figure: the user keeps the private key; the public key is copied to the remote host]

• Generate a key pair
• Send the public key to a remote host
  • On a UNIX host, authorized public keys for the user should be stored in ‘$HOME/.ssh/authorized_keys’
  • Other devices have their own configuration formats to store authorized public keys

Keys for multiple hosts

[Figure: the user holds Private1 and Private2; one host stores Public1, one stores Public2, and one stores both Public1 and Public2]

• A user can use the same key pair or a different key pair, and a host can store multiple public keys per user
• Modern software automatically chooses an appropriate private key during authentication

Key for a shared account

[Figure: two users, one with Private1 and one with Private2; the shared account on the host stores both Public1 and Public2]

$HOME/.ssh/authorized_keys
ssh-rsa AAAADGNgAd5ydd…
ssh-rsa AAAAB3fdJK12KLJ1...

• Each user can have their own key pair
• Or you can share a private key among users (not recommended)

Public key authentication
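[Figure: the client sends the username, the server sends a nonce, and the client returns the nonce signed with the private key in $HOME/.ssh/id_rsa (3egcXJ9dkdBNGGA…); the server holds the public key ssh-rsa AAAADGNgAd5ydd… in $HOME/.ssh/authorized_keys]

• A digital signature made with a private key can be verified with the corresponding public key
• It proves that the private key holder is trying to log in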

Private key
• Key authentication relies heavily on the secrecy of the private key
  • Keep it secure and secret
  • Store it on a secure host only
• Set a passphrase to encrypt the private key file locally
  • Decrypt and use it when needed
• You can change the passphrase anytime, and the public key stays the same and unchanged

[Figure: a passphrase is used for local encryption of the private key file $HOME/.ssh/id_rsa (3egcXJ9dkdBNGGA…)]

Host authentication
[Figure: the server holds the host key pair (private and public); the client sends the username and a nonce, and keeps the host key as ‘server1 ssh-rsa AAAADG5ydd…’ in $HOME/.ssh/known_hosts]

• An ssh server has its own key pair (host key)
  • Sends the public key during session initialization
• A client stores the public keys in a file, and verifies and uses them during session setup
  • On UNIX, the file is ‘$HOME/.ssh/known_hosts’
  • Used to decrypt information from the host

During the initial connection
$ ssh <target_host>
The authenticity of host '<target_host> (<target_host>)' can't be established.
ECDSA key fingerprint is SHA256:<fingerprint>.
Are you sure you want to continue connecting (yes/no)?

• If you don’t have the host key, the client asks you whether you trust the key or not
  • ‘yes’ if you are comfortable
  • Or you can put the key into the file manually in advance

When the host key doesn’t match
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:<fingerprint>.
Please contact your system administrator.
Add correct host key in /home/workshop/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/workshop/.ssh/known_hosts:<line>
  remove with:
  ssh-keygen -f "/home/workshop/.ssh/known_hosts" -R <target_host>
ECDSA host key for <target_host> has changed and you have requested strict checking.
Host key verification failed.

• It could be just a reinstalled/replaced server
• But pay attention just in case…
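The three outcomes from the last slides (known host key, initial connection, host key mismatch), plus the fingerprint the client prints, can be reproduced with a short script. This is an added example, not code from the slides or from OpenSSH; it assumes plain (unhashed) known_hosts lines, compares only keys of the same type, and uses constructed key data rather than real keys.

```python
import base64
import hashlib

def constructed_key(seed: bytes) -> str:
    """Build a syntactically valid ssh-ed25519 blob from constructed bytes (not a real key)."""
    name, key = b"ssh-ed25519", hashlib.sha256(seed).digest()
    raw = len(name).to_bytes(4, "big") + name + len(key).to_bytes(4, "big") + key
    return base64.b64encode(raw).decode()

def fingerprint(key_b64: str) -> str:
    """Fingerprint as the client prints it: SHA256 of the key blob, base64 without '='."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host_key(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """Return 'match', 'unknown' (initial connection) or 'changed' (key mismatch)."""
    same_type_seen = False
    for line in known_hosts.splitlines():
        fields = line.split()
        # Skip blanks, comments, @markers and hashed entries (out of scope here).
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        if host not in fields[0].split(",") or fields[1] != key_type:
            continue
        if fields[2] == key_b64:
            return "match"
        same_type_seen = True
    return "changed" if same_type_seen else "unknown"

if __name__ == "__main__":
    # Constructed sample: server1 is known, then presents a different key.
    old, new = constructed_key(b"original install"), constructed_key(b"reinstalled")
    known_hosts = "# constructed sample\nserver1 ssh-ed25519 " + old + "\n"
    for host, key in (("server1", old), ("server2", new), ("server1", new)):
        print(host, check_host_key(known_hosts, host, "ssh-ed25519", key), fingerprint(key))
```

On 'unknown' or 'changed', compare the printed fingerprint with one obtained from the server administrator over a separate channel before accepting the key.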

ssh-agent
• Holds the decrypted private key in its process and uses it for authentication
  • You do not need to type the passphrase every time you log in to a remote host
• During the startup process, you will be asked for your passphrase to decrypt and store your private key
• ssh clients work with the agent nicely
• Use the agent on a trusted host only
  • like your own local PC

ssh implementations
• OpenSSH
  • https://www.openssh.com/
  • built into macOS and most UNIX systems
• PuTTY
  • http://www.chiark.greenend.org.uk/~sgtatham/putty/
  • For Windows
• and more!
  • for Android and iOS devices

Key algorithms
• rsa2048 is pretty common
  • some routers support rsa1024 only
• for a paranoid
  • rsa4096
  • ed25519
• These should match your server-side capabilities

Generating a key pair (UNIX)
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/workshop/.ssh/id_rsa): <enter>
Created directory '/home/workshop/.ssh'.
Enter passphrase (empty for no passphrase): <your passphrase>
Enter same passphrase again: <your passphrase again>
Your identification has been saved in /home/workshop/.ssh/id_rsa.
Your public key has been saved in /home/workshop/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:<fingerprint> workshop@ws
The key's randomart image is:
+---[RSA 2048]----+
(randomart image omitted)
+----[SHA256]-----+

You have a key pair (UNIX)
$ cd .ssh/
workshop@ws:~/.ssh$ ls -l
total 8
-rw------- 1 workshop workshop 1675 Nov 13 09:44 id_rsa      <- your private key
-rw-r--r-- 1 workshop workshop  395 Nov 13 09:44 id_rsa.pub  <- your public key
workshop@ws:~/.ssh$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2… workshop@ws
workshop@ws:~/.ssh$

Putting the key on the target host (UNIX)
• use a command for that
  • $ ssh-copy-id <username>@<target_host>
• log in to the target host first, and edit the file
  • $ mkdir -p ~/.ssh
  • $ chmod 0700 ~/.ssh
  • $ vi ~/.ssh/authorized_keys
  • copy and paste your public key there
• Note: each public key should be one line in the file
  • without CR/LF

ssh key authentication (UNIX)
• $ ssh <username>@<target_host>

• The OpenSSH client automatically uses keys that have default names in the ~/.ssh folder
  • id_rsa, id_ecdsa, and so on

Generating a key pair (Windows)
1. Download ‘puttygen.exe’ and execute it
2. Pick parameters as you like (default setting is RSA2048 now), and ‘Generate’
3. Move your mouse in the blank area as the application says until it gets finished
4. Name and save your private key somewhere in your folder
5. Right-click in the text field labeled ‘Public key for pasting into OpenSSH authorized_keys file’ and choose “Select All” and “copy” the key
6. Open ‘notepad’, paste your public key, then save as a text file

Putting the key on the target host (Windows)
• Log in to the target host first, and edit the file
  • $ mkdir -p ~/.ssh
  • $ chmod 0700 ~/.ssh
  • $ vi ~/.ssh/authorized_keys
  • copy your key from the public key file
  • type i in the ssh session window to insert new text in the file
  • right-click your mouse to paste your public key
  • press Esc and type :wq then <enter> to overwrite the file and quit vi
• Note: each public key should be one line in the file
  • without CR/LF
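The note "one line per key, without CR/LF" on both the UNIX and the Windows slide can be checked mechanically after pasting. The script below is an added example, not part of the original slides: it flags CR characters and keys that were split across lines by walking the length-prefixed fields inside the base64 data. The key type list is limited to three common types, and the sample key is constructed, not a real key.

```python
import base64
import struct

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256")

def blob_type(b64: str):
    """Return the key type stored inside the base64 data, or None if it is damaged."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    parts, off = [], 0
    while off + 4 <= len(raw):           # the blob is a run of length-prefixed strings
        (n,) = struct.unpack_from(">I", raw, off)
        parts.append(raw[off + 4:off + 4 + n])
        off += 4 + n
    if not parts or off != len(raw):     # a length runs past the end: the key was cut short
        return None
    return parts[0].decode("ascii", "replace")

def check_authorized_keys(text: str):
    """Return [(line_number, problem)]; line 0 means the file as a whole."""
    problems = []
    if "\r" in text:
        problems.append((0, "CR characters present (CR/LF line endings)"))
    for no, line in enumerate(text.replace("\r", "").split("\n"), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Anything before the key type would be an options field.
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None:
            problems.append((no, "no key type: likely the tail of a key split across lines"))
        elif idx + 1 >= len(fields) or blob_type(fields[idx + 1]) != fields[idx]:
            problems.append((no, "key data missing, truncated or damaged"))
    return problems

def sample_line() -> str:
    """A constructed ssh-ed25519 line (32 zero bytes, not a real key)."""
    name, key = b"ssh-ed25519", bytes(32)
    raw = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return "ssh-ed25519 " + base64.b64encode(raw).decode() + " user@pc"

if __name__ == "__main__":
    good = sample_line()
    wrapped = good[:44] + "\r\n" + good[44:]   # what a paste with a line break produces
    print(check_authorized_keys(good + "\n"))      # no problems
    print(check_authorized_keys(wrapped + "\n"))   # CR, truncated key, orphaned tail
```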

ssh key authentication (Windows)
1. Set ‘<username>@<target_host>’ in the Host Name field
2. Go to ‘Connection’ -> ‘ssh’ -> ‘Auth’
3. ‘Browse’ and find your saved private key and set the file there
4. ‘Open’

hands on
