Ssh

From Hackepedia
Jump to navigationJump to search

Socket.jpg

SSH stands for "Secure Shell" and was first written by a Finnish computer scientist named Tatu Ylonen. Mr. Ylonen went on to found SSH Communications which continues developing the ssh program. The program uses both symmetric and assymetric cryptography in order to keep the OSI session layer secure from session hijacking and sniffing.

Public Key Differences

There are three versions used in SSH. One for v1 protocol, and two for v2.

  • RSA1 is referred to as the original RSA key used for v1 protocols. These keys were used to encrypt the communications.
  • RSA is referred to as the v2 protocol. This is used for signing the channel only since the underlying protocol is now handled by a different means.
  • DSA was added to v2 protocol after RSA Security assured patent rights, and the IETF included DSA to allow for patent free implementation. Note: Due to how DSA works it requires a lot more good enthropy to be secure compared to RSA.

Which is the right one for you? Since the RSA patent has expired it is recommended by most of the OpenSSH team to stay with RSA keys since they have been around longer and are more known in terms of their strengths and weakness.

The OpenSSH Fork

OpenSSH was forked from a free version of SSH 1.2.12 and shipped with the OpenBSD 2.6 system. It has gained popularity among many vendors and is shipped with their products as well. Tatu Ylonen's company took OpenSSH to court but lost.

Cool SSH Tricks

Modern SSH clients and servers allow you to do some pretty nifty tricks. The most common is X11 Port Forwarding. You can also forward arbitrary ports, and compress files when transfering them over the network (all in addition to encrypting the data). One really nifty trick is to forward FlexLM connections. Another popular trick is passphraseless key exchange.

Travel

To use this, you'll need a shell account. This can be on a server you're running at home, or a machine that you trust. SOCKS mode is accomplished by adding the -D flag to start a SOCKS proxy.

$ ssh $home_machine -D127.0.0.1:8080

Now in firefox I enter a SOCKS proxy of 127.0.0.1 with port 8080 and it will appear to any website I visit that I am at home, not at my remote location! You can do this in any applications you wish (Firefox,Thunderbird or Pidgin for example, or you can use this as a VPN for all applications.


Lessons learned from Enigma

In world war 2 the germans used a cipher mechanism called enigma to secure their communications. Little did they know the british were able to read through this ciphertext and gain plain knowledge of everything being written. Enigma was a lazy concept, it allowed comforts on part of the operator and it was so complex that noone on the german side questioned it because they probably were too lazy to dig up dirt.

The same can be said for SSH, don't get lazy. Don't reuse private/public keys for passwordless access across systems. So far the public knows not of a case where it's possible to derive a private key from a public key. But we have a threat looming... quantum computers. If they manage to make this easy all security over public/private keys is diminished. It may even be safer to just use passwords (that are good! not simple ones). Stay vigilant my crypto heros, ssh shouldn't make you lazy!

Rotate keys with ansible

Generate your new keys:

$ ssh-keygen -t rsa -b 4096 -C "ansible 2021" -f "ansible2021"

The following is dangerous in that you could get locked out of a remote system. For testing, I did --limit='server_one' in ansible to test on one host only, and I was manually ssh'd into that machine in case I did something wrong and had to manually replace my ssh key.

The following playbook assumes that your local username is localuser and in your hosts.yaml file you use ansible_user as the username:

---
- hosts: all
 tasks: 
    - authorized_key:
        user: "{{ ansible_user }}" 
        state: present
        key: "{{ lookup('file', '/home/localuser/.ssh/ansible2021.pub') }}" 
        exclusive: True

Remove exclusive: True if you don't want to clobber/remove all existing ssh keys listed in authorized_keys, but simply want to add your new one!