and SSH
12/22/22 08:15 AM S D Patil, RGIT, Mumbai ( REF: TCP/IP Protocol Suite by Forouzan) 2
TELNET
Remote login
Concept of NVT
Format of data and control characters
An example of embedding
• TELNET uses only one TCP connection.
• Server: well-known port 23.
• Client: an ephemeral port.
• The same connection is used for sending data and control characters.
• Control characters are embedded in the data stream.
• To distinguish them, the IAC (interpret as control) character is used.
• The user wants the server to display a file on the remote computer and types:
  cat filea<backspace>1
• The stream sent to the server is:
  c a t   f i l e a IAC EC 1
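The embedding above, worked through as an added example (this is not code from the slides or from Forouzan): a small encoder and decoder for a TELNET stream in which control characters travel behind IAC. The codes for IAC, EC, EL and IP are the standard RFC 854 values; the byte-doubling of a literal 0xFF data byte (IAC IAC) is also the RFC 854 rule.

```python
# Added example: embedding TELNET control characters in the data stream (RFC 854).
IAC = 255   # interpret as control
EC = 247    # erase character (what the user's <backspace> becomes)
EL = 248    # erase line
IP = 244    # interrupt process

def encode(tokens):
    """Build the byte stream from a list of tokens.

    A token is either a str (ordinary NVT data) or a tuple ("cmd", code).
    A literal 0xFF data byte is sent as IAC IAC so the receiver cannot
    mistake it for the start of a control sequence.
    """
    out = bytearray()
    for tok in tokens:
        if isinstance(tok, tuple):
            out += bytes([IAC, tok[1]])
        else:
            for b in tok.encode("latin-1"):
                out.append(b)
                if b == IAC:
                    out.append(IAC)   # escape the literal 0xFF
    return bytes(out)

def decode(stream):
    """Split a received byte stream back into data and control tokens."""
    tokens, data, i = [], bytearray(), 0
    while i < len(stream):
        b = stream[i]
        if b != IAC:
            data.append(b)
            i += 1
            continue
        if i + 1 >= len(stream):
            raise ValueError("truncated IAC sequence")
        nxt = stream[i + 1]
        if nxt == IAC:                # escaped data byte, not a command
            data.append(IAC)
            i += 2
            continue
        if data:
            tokens.append(data.decode("latin-1"))
            data = bytearray()
        tokens.append(("cmd", nxt))
        i += 2
    if data:
        tokens.append(data.decode("latin-1"))
    return tokens

def apply_edits(tokens):
    """Interpret EC and EL the way the server's NVT would, returning the final text."""
    text = ""
    for tok in tokens:
        if isinstance(tok, tuple):
            if tok[1] == EC:
                text = text[:-1]
            elif tok[1] == EL:
                text = ""
        else:
            text += tok
    return text

if __name__ == "__main__":
    stream = encode(["cat filea", ("cmd", EC), "1"])   # the slide's example
    print(stream)                                        # b'cat filea\xff\xf71'
    print(apply_edits(decode(stream)))                   # cat file1
```

Feeding the slide's keystrokes through `encode` gives the stream `c a t f i l e a IAC EC 1`; decoding it and applying EC yields the command the server actually runs, `cat file1`.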
TELNET Options
• TELNET lets the client and server negotiate options before or
during the use of the service.
• Options are extra features available to a user with a more
sophisticated terminal.
• Users with simpler terminals can use default features.
• Some control characters discussed previously are used to
define options.
TELNET Option Negotiation
Offer to enable an option
  Sender sends WILL: "Will I enable the option?"
  Receiver replies DO or DONT: "Do (or don't) enable the option"
Request to enable an option
  Sender sends DO: "Do enable the option"
  Receiver replies WILL or WONT: "I will (won't) enable the option"
Offer to disable an option
  Sender sends WONT: "I won't use the option any more"
  Receiver replies DONT: "Don't use it"
Request to disable an option
  Sender sends DONT: "Don't use the option any more"
  Receiver replies WONT: "I won't"
Example 20.1
• The figure shows an example of option negotiation.
• In this example, the client wants the server to echo each character sent to the server.
• In other words, when a character is typed at the user keyboard terminal, it goes to the server and is sent back to the screen of the user before being processed.
• The echo option is enabled by the server because it is the server that sends the characters back to the user terminal.
Example 20.1 Echo option
• Therefore, the client should request from the server the enabling of the option using DO.
• The request consists of three characters: IAC, DO, and ECHO.
• The server accepts the request and enables the option.
• It informs the client by sending the three-character approval: IAC, WILL, and ECHO.
Suboption Negotiation
Example of sub-option negotiation
Controlling the TELNET Server
Example of interrupting an application program
Out-of-band signaling
• To make control characters effective in special situations,
TELNET uses out-of-band signaling.
Two different interruptions
• A character typed by the user is normally sent to the server.
• However, sometimes the user wants characters interpreted
by the client instead of the server.
• In this case, the user can use an escape character, normally
Ctrl+] (shown as ^]).
TELNET Modes of Operation
Three Modes
Default Mode
• Echoing is done by the client.
• After sending a whole line to the server, the client waits for GA (go ahead) from the server before sending the next line.
• Half-duplex communication, hence obsolete.
Character Mode
• Full-duplex communication over TCP.
• Echoing of each character is delayed when the transmission time is long.
• Creates overhead, since more TCP segments are sent.
Line Mode
• Superior to both.
• Line editing is done by the client, then the line is sent to the server.
• Full duplex, without waiting for GA from the server.
Example 20.2
In this example, we use the default mode to show the concept and
its deficiencies even though it is almost obsolete today.
The client and the server negotiate the terminal type and terminal
speed and then the server checks the login and password of the
user (see Figure 20.15).
Example 20.2 Default Mode
 1  Server → Client: GO AHEAD
 2  Client → Server: WILL TERMINAL TYPE
 3  Server → Client: DO TERMINAL TYPE
 4  Server → Client: GO AHEAD
 5  Client → Server: WILL TERMINAL SPEED
10  Server → Client: Password:
11  Server → Client: GO AHEAD
12  Client → Server: XXXXX
13  Server → Client: GO AHEAD
14  Client → Server: cp file1 file2
Example 20.3
In this example, we show how the client switches to the character
mode.
This requires that the client request the server to enable the
SUPPRESS GO AHEAD and ECHO options (see Figure 20.16).
Example 20.3 Character Mode
 1  Server → Client: GO AHEAD
 2  Client → Server: DO SUPPRESS GO AHEAD
 3  Server → Client: WILL SUPPRESS GO AHEAD
 4  Client → Server: DO ECHO
 5  Server → Client: WILL ECHO
 6  Server → Client: Login:
 7  Client → Server: f
 8  Server → Client: f
 9  Client → Server: o
10  Server → Client: o
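The option negotiation of Example 20.1 (ECHO) and the character-mode switch of Example 20.3 (SUPPRESS GO AHEAD plus ECHO), replayed as an added example that is not code from the slides or from Forouzan. The command and option codes are the standard RFC 854/857/858 values; the `ServerNegotiator` class, its policy sets and `run_example_20_3` are this example's own constructions. It also shows the rule a real implementation needs that the slides only imply: a request that does not change the current state gets no reply, otherwise two peers acknowledging each other would loop forever.

```python
# Added example: a minimal server-side TELNET option negotiator.
IAC, WILL, WONT, DO, DONT = 255, 251, 252, 253, 254          # RFC 854 commands
ECHO, SUPPRESS_GO_AHEAD, TERMINAL_TYPE, TERMINAL_SPEED = 1, 3, 24, 32
CMD_NAMES = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
OPT_NAMES = {ECHO: "ECHO", SUPPRESS_GO_AHEAD: "SUPPRESS GO AHEAD",
             TERMINAL_TYPE: "TERMINAL TYPE", TERMINAL_SPEED: "TERMINAL SPEED"}

class ServerNegotiator:
    """Tracks option state on both sides and answers each IAC <cmd> <opt>.

    offers:  options this server is willing to enable on its own side (DO -> WILL)
    accepts: options it lets the client enable on the client side (WILL -> DO)
    Anything else is refused with WONT / DONT.
    """
    def __init__(self, offers, accepts):
        self.offers, self.accepts = set(offers), set(accepts)
        self.local_on = set()     # options enabled on the server side
        self.remote_on = set()    # options the client has enabled on its side

    def handle(self, cmd, opt):
        """Return the reply bytes for one negotiation command (b'' = no reply)."""
        if cmd == DO:                               # client: "do enable opt"
            if opt in self.local_on:
                return b""                          # already on: silence, no loop
            if opt in self.offers:
                self.local_on.add(opt)
                return bytes([IAC, WILL, opt])
            return bytes([IAC, WONT, opt])
        if cmd == DONT:                             # client: "don't use opt any more"
            if opt not in self.local_on:
                return b""
            self.local_on.discard(opt)
            return bytes([IAC, WONT, opt])
        if cmd == WILL:                             # client offers its own option
            if opt in self.remote_on:
                return b""
            if opt in self.accepts:
                self.remote_on.add(opt)
                return bytes([IAC, DO, opt])
            return bytes([IAC, DONT, opt])
        if cmd == WONT:                             # client withdraws its option
            if opt not in self.remote_on:
                return b""
            self.remote_on.discard(opt)
            return bytes([IAC, DONT, opt])
        raise ValueError(f"not a negotiation command: {cmd}")

    def receive_char(self, ch):
        """In character mode the server echoes each character only if ECHO is on."""
        return ch if ECHO in self.local_on else ""

def describe(reply):
    return f"{CMD_NAMES[reply[1]]} {OPT_NAMES[reply[2]]}"

def run_example_20_3():
    """Replay the Example 20.3 exchange; returns the messages in order."""
    srv = ServerNegotiator(offers=[ECHO, SUPPRESS_GO_AHEAD],
                           accepts=[TERMINAL_TYPE, TERMINAL_SPEED])
    log = []
    for cmd, opt in [(DO, SUPPRESS_GO_AHEAD), (DO, ECHO)]:
        log.append(("client", f"{CMD_NAMES[cmd]} {OPT_NAMES[opt]}"))
        reply = srv.handle(cmd, opt)
        if reply:
            log.append(("server", describe(reply)))
    for ch in "fo":                                  # user types the login "fo..."
        log.append(("client", ch))
        echo = srv.receive_char(ch)
        if echo:
            log.append(("server", echo))
    return log

if __name__ == "__main__":
    for who, msg in run_example_20_3():
        print(f"{who:>6}: {msg}")
```

Running it prints the client's DO SUPPRESS GO AHEAD and DO ECHO, the server's WILL replies, and then each typed character coming back from the server, which is the figure of Example 20.3 in message order.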
USER INTERFACE
TELNET Security Issue
TELNET suffers from security problems. Although TELNET requires a login name and password (when exchanging text), often this is not enough. A microcomputer connected to a broadcast LAN can easily eavesdrop using snooper software and capture a login name and the corresponding password (even if it is encrypted).
SECURE SHELL (SSH)
Topics Discussed in the Section
Versions
• Two versions, totally incompatible with each other
• SSH-1 is deprecated because of security flaws
• SSH-2
Components
Port Forwarding
SSH : Features
Privacy: via strong end-to-end encryption (DES, IDEA, Blowfish)
Integrity: via a 32-bit cyclic redundancy check (CRC-32)
Authentication: server via the server's host key; client usually via password or public key
Authorization: controlled at a server-wide level or on a per-account basis
Forwarding: encapsulating another TCP-based service, such as Telnet, within an SSH session
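The integrity feature listed above deserves a worked illustration, added here and not taken from the slides or from Forouzan: CRC-32 is the SSH-1 design, and SSH-2 replaced it with a keyed MAC (HMAC). The code contrasts the two. The session key, messages and the "forged" replacement are constructed for the demonstration; only the standard library (`zlib`, `hmac`, `hashlib`) is used.

```python
# Added example: a keyless checksum (CRC-32) versus a keyed MAC (HMAC-SHA256)
# as an integrity tag on a message crossing an untrusted network.
import hashlib
import hmac
import zlib

TAG_LEN = 32   # HMAC-SHA256 digest length

def crc_protect(msg: bytes) -> bytes:
    """Append a CRC-32 tag, the SSH-1 style integrity check."""
    return msg + zlib.crc32(msg).to_bytes(4, "big")

def crc_verify(pkt: bytes) -> bool:
    msg, tag = pkt[:-4], pkt[-4:]
    return zlib.crc32(msg).to_bytes(4, "big") == tag

def mac_protect(key: bytes, msg: bytes) -> bytes:
    """Append an HMAC tag computed under the shared session key (SSH-2 style)."""
    return msg + hmac.new(key, msg, hashlib.sha256).digest()

def mac_verify(key: bytes, pkt: bytes) -> bool:
    msg, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)   # constant-time comparison

def demo() -> dict:
    """Return which packets verify at the receiver in each scheme."""
    key = b"constructed-session-key-known-only-to-both-endpoints"
    original = b"cp file1 file2"          # constructed command
    replacement = b"cp file1 /tmp/copy"   # constructed on-path modification

    crc_pkt = crc_protect(original)
    mac_pkt = mac_protect(key, original)

    # CRC: the tag needs no secret, so a modified message with a freshly
    # computed CRC is indistinguishable from a genuine one at the receiver.
    crc_modified = crc_protect(replacement)

    # HMAC: without the key the only option is to keep the old tag, and the
    # receiver rejects the packet.
    mac_modified = replacement + mac_pkt[-TAG_LEN:]

    return {
        "crc_original": crc_verify(crc_pkt),
        "crc_modified": crc_verify(crc_modified),
        "mac_original": mac_verify(key, mac_pkt),
        "mac_modified": mac_verify(key, mac_modified),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The receiver accepts both CRC packets and only the genuine HMAC packet, which is the practical meaning of "integrity" in the feature list: a checksum detects transmission errors, a MAC detects modification by someone without the session key.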
Components of SSH
SSH: Port forwarding
SSH packet format
Security Mechanism
Establishing the Secure Connection
The client initiates the connection by sending a request to the TCP
If the client and server decide their versions are compatible, the
connection proceeds
SSH server sends the following to the client - host key, the server
hosts database
Client generates a session key and double encrypts it using the host
acceptable algorithm
Authentication
• The server decrypts the encrypted session key it received.
• The server sends a confirmation encrypted with this session key.
• The client receives the confirmation and thereby confirms server authentication.
• Client authentication is usually by either password authentication or public-key authentication.
• The server confirms the client's authorization.
Public-key authentication of the client:
• The server generates a 256-bit random challenge, encrypts it with the client's public key, and sends it to the client.
• The client decrypts the challenge, generates a hash value together with the session identifier (commonly a random string generated at the beginning of the session), and sends it to the server.
• The server generates the same hash; if both match, the session is authenticated.
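The host key that the server presents during connection establishment is only useful if the client checks it against its local hosts database, which is the step the two slides above rely on. The following is an added example, not code from the slides or from Forouzan or any SSH implementation: it parses a known-hosts list in the plain `host keytype base64-key` layout that OpenSSH uses, computes an OpenSSH-style `SHA256:` fingerprint, and classifies a presented key as a match, a first contact, or a mismatch. The host names and key blobs are constructed; the `first_use_policy` function is this example's own.

```python
# Added example: client-side host key verification against a known-hosts database.
import base64
import hashlib

# Constructed database: one entry, two names for the same host.
KEY_A = b"constructed-host-key-blob-A"
KNOWN_HOSTS = (
    "# constructed known_hosts file\n"
    "bastion.example,10.0.0.5 ssh-ed25519 " + base64.b64encode(KEY_A).decode() + "\n"
)

def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(key blob)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map (host, keytype) -> raw key blob. Malformed lines are skipped."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        hosts, keytype, b64 = parts[0], parts[1], parts[2]
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue
        for h in hosts.split(","):
            db[(h, keytype)] = blob
    return db

def check_host_key(db: dict, host: str, keytype: str, presented: bytes) -> str:
    """Return 'match', 'unknown' (no record yet) or 'mismatch' (record differs)."""
    stored = db.get((host, keytype))
    if stored is None:
        return "unknown"
    return "match" if stored == presented else "mismatch"

def first_use_policy(db: dict, host: str, keytype: str, presented: bytes) -> bool:
    """Trust-on-first-use: record an unknown key, accept a match, refuse a mismatch.

    A mismatch means the server's key changed or the connection is being
    intercepted; the safe default is to refuse and let a human investigate.
    """
    verdict = check_host_key(db, host, keytype, presented)
    if verdict == "unknown":
        db[(host, keytype)] = presented     # remember it for next time
        return True
    return verdict == "match"

if __name__ == "__main__":
    db = parse_known_hosts(KNOWN_HOSTS)
    print(fingerprint(KEY_A))
    for h, key in [("bastion.example", KEY_A), ("bastion.example", b"other-blob"),
                   ("new.example", b"new-blob")]:
        print(h, check_host_key(db, h, "ssh-ed25519", key))
```

The three outcomes map onto what an interactive client shows the user: silent success on a match, a "first time connecting" prompt on an unknown host, and a hard refusal when the recorded key and the presented key differ.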