Sunday, November 14, 2010

SSH (a prolonged SSL)

SSH Connection Methods
Several things can happen when using SSH to
connect from your machine (client) to another
machine (server):
- The server's public host key is passed back to the client
  and verified against known_hosts.
- A password prompt is used once the host key is accepted
  (or is already on the client), or
- An RSA/DSA key exchange takes place and you must
  enter your private key passphrase to
  authenticate (assuming you have one).

SSH Quick Tips

You have a choice of authentication keys - RSA
is the default (dsa is fine as well).
The files you care about are:
/etc/ssh/ssh_config
/etc/ssh/sshd_config
~/.ssh/identity and identity.pub (deprecated)
~/.ssh/id_dsa and id_dsa.pub
~/.ssh/id_rsa and id_rsa.pub
~/.ssh/known_hosts
~/.ssh/authorized_keys
Also note the host-wide rsa/dsa key files in /etc/ssh.
Be sure that you do “man ssh” and “man sshd”
and read the entire descriptions for both the
ssh client and ssh server (sshd).

SSH Authentication
- The private key can be protected by a passphrase,
  so you have to give it each time you log in,
  or use "ssh-agent", which holds a copy of your
  passphrase in RAM.
- No need to change passwords across dozens of
  machines.
- Disable passwords entirely (in /etc/ssh/sshd_config)!
- Annoyingly, for historical reasons there are
  *three* different types of SSH keys:
  SSH1 RSA, SSH2 DSA, SSH2 RSA.

Man in the Middle Attacks
- The first time you connect to a remote host,
  remember its public key (stored in ~/.ssh/known_hosts).
- The next time you connect, if the remote key is
  different, then maybe an attacker is
  intercepting the connection!
- Or maybe the remote host has just got a new
  key, e.g. after a reinstall. But it's up to you to
  resolve the problem.
- You will be warned if the key changes.

Exchanging Host Keys

First time connecting with ssh:
ssh t1@pc1.t1.ws.sanog.org
The authenticity of host 'pc1.t1.ws.sanog.org (84.201.31.11)' can't be
established.
DSA key fingerprint is 91:ba:bf:e4:36:cd:e3:9e:8e:92:26:e4:57:c4:cb:da.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'pc1.t1.ws.sanog.org,84.201.31.11' (DSA) to
the list of known hosts.
t1@pc1.t1.ws.sanog.org's password:
At this point the client has in the file ~/.ssh/known_hosts the contents
of pc1.t1.ws.sanog.org's /etc/ssh/ssh_host_dsa_key.pub.
Next connection:
[hallen@hallen-lt .ssh]$ ssh t1@pc1.t1.ws.sanog.org
t1@pc1.t1.ws.sanog.org's password:
Now trusted - Not necessarily a good thing...
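The known_hosts comparison described in the "Man in the Middle Attacks" section and acted out in the session above can be modelled in a few lines. The following Python is an added example, not code from the original post or from OpenSSH: it parses a constructed known_hosts (one plain "name,ip" entry as written above, one entry in the hashed "|1|salt|hmac" form that HashKnownHosts produces), computes the colon-separated MD5 fingerprint the client printed, and classifies a presented host key as unknown (first connection, prompt), match (trusted) or mismatch (warn). The key blobs, host names and salt are constructed placeholders, not real keys.

```python
import base64
import hashlib
import hmac


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


# Constructed sample data (hypothetical, not real keys): opaque blobs stand in
# for the base64 public-key field of a known_hosts line.
PC1_DSA_KEY = b64(b"constructed-dsa-host-key-blob-for-pc1")
PC2_RSA_KEY = b64(b"constructed-rsa-host-key-blob-for-pc2")
ROGUE_KEY = b64(b"constructed-key-blob-from-some-other-machine")
SALT = b"constructed-20B-salt"  # 20 bytes, the salt size OpenSSH uses for HashKnownHosts


def hashed_host_field(host: str, salt: bytes) -> str:
    """Build the '|1|<salt>|<hmac>' host field written when HashKnownHosts is on."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (b64(salt), b64(mac))


# Constructed ~/.ssh/known_hosts: one plain entry (name plus IP, as the session
# above shows) and one hashed entry.
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts, not from a real client",
    "pc1.t1.ws.sanog.org,84.201.31.11 ssh-dss " + PC1_DSA_KEY,
    hashed_host_field("pc2.example.org", SALT) + " ssh-rsa " + PC2_RSA_KEY,
    "",
])


def fingerprint(key_b64: str) -> str:
    """MD5 fingerprint of the raw key blob, in the aa:bb:cc form ssh printed."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def host_field_matches(field: str, host: str) -> bool:
    """Match a host against a plain comma-separated list or a hashed field."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return host in field.split(",")


def stored_keys(known_hosts: str, host: str, key_type: str) -> list:
    """Return every key of the given type recorded for this host."""
    found = []
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # @cert-authority / @revoked markers and wildcard patterns are out of scope here
        if len(parts) < 3 or parts[0].startswith("@"):
            continue
        hosts, ktype, key = parts[0], parts[1], parts[2]
        if ktype == key_type and host_field_matches(hosts, host):
            found.append(key)
    return found


def check_host_key(known_hosts: str, host: str, key_type: str, presented: str):
    """Classify the key a server presents, the way the client's first-use check does.

    Returns (verdict, stored_fingerprints, presented_fingerprint) where verdict is
    'unknown'  - no entry yet: ssh shows the fingerprint and asks yes/no,
    'match'    - same key as before: connect without a prompt,
    'mismatch' - different key: a reinstall or an interception; ssh warns.
    """
    stored = stored_keys(known_hosts, host, key_type)
    presented_fp = fingerprint(presented)
    if not stored:
        return "unknown", [], presented_fp
    stored_fps = [fingerprint(k) for k in stored]
    if any(hmac.compare_digest(k, presented) for k in stored):
        return "match", stored_fps, presented_fp
    return "mismatch", stored_fps, presented_fp


if __name__ == "__main__":
    for host, ktype, key in [
        ("pc1.t1.ws.sanog.org", "ssh-dss", PC1_DSA_KEY),   # second connection: trusted
        ("pc1.t1.ws.sanog.org", "ssh-dss", ROGUE_KEY),     # key changed: warn
        ("pc2.example.org", "ssh-rsa", PC2_RSA_KEY),       # hashed entry still matches
        ("pc3.example.org", "ssh-rsa", ROGUE_KEY),         # never seen: prompt
    ]:
        verdict, stored_fps, presented_fp = check_host_key(KNOWN_HOSTS, host, ktype, key)
        print("%-22s %-8s %-8s presented %s" % (host, ktype, verdict, presented_fp))
        if verdict == "mismatch":
            print("    stored  %s" % ", ".join(stored_fps))
```

The "unknown" branch is the weak spot the slide hints at with "Not necessarily a good thing": the client has nothing to compare against on the first connection, so the fingerprint shown at that prompt should be checked against one obtained out of band (from the server's /etc/ssh/ssh_host_*_key.pub) rather than accepted on faith.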

Exchanging Host Keys Cont.
Command             Key Type Generated       Public File
ssh-keygen -t rsa   RSA (SSH protocol 2)     id_rsa.pub
ssh-keygen -t dsa   DSA (SSH protocol 2)     id_dsa.pub
- Default key size is 1024 bits
- Public files are text
- Private files are encrypted if you use a
passphrase (still text)
Corresponding file on the host for host key
exchange is known_hosts
How does SSH decide what files to compare?
Look in /etc/ssh/sshd_config. For OpenSSH
versions 2 and 3 the server defaults to protocol 2,
then 1. We recommend turning off version 1.
By default the OpenSSH version 2 client tries
authentication in this order:
RSA version 2 key
DSA version 2 key
Password based authentication (even if an RSA
version 1 key is present)
Pay attention to the “HostKeyAlgorithms” setting in /etc/ssh/ssh_config to
help determine this order - or use ssh command line switches to override
these settings.
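Two pieces of advice on this page, "Disable passwords entirely!" and "turn off version 1", both live in /etc/ssh/sshd_config. The following Python is an added example, not part of the original post and not an OpenSSH tool: it parses a constructed sshd_config the way sshd reads it (the first value seen for a keyword wins, comments ignored, Match blocks set aside) and reports where the file still falls short of that advice, shown on a weak fragment and on a corrected one. The two config fragments are constructed, and the fallback defaults are the era ones the text describes (protocol 2 then 1, passwords accepted); ChallengeResponseAuthentication is included because keyboard-interactive logins (e.g. via PAM) can otherwise still prompt for a password.

```python
# Constructed sshd_config fragments (hypothetical, not copied from any host).
WEAK_SSHD_CONFIG = """\
# old-style settings the text warns about
Protocol 2,1
PasswordAuthentication yes
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
"""

HARDENED_SSHD_CONFIG = """\
# protocol 2 only, keys only
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
"""

# Fallbacks assumed when a keyword is absent: the defaults the text describes
# for OpenSSH 2.x/3.x (protocol 2 then 1, passwords and public keys allowed).
ERA_DEFAULTS = {
    "protocol": "2,1",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "yes",
}


def parse_sshd_config(text: str) -> dict:
    """Map lower-cased keyword -> list of values, in file order.

    sshd uses the first value it sees for each keyword, so order is kept.
    Lines after a 'Match' block apply only to matching connections and are
    not part of the global policy audited here.
    """
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()            # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break
        options.setdefault(keyword, []).append(value)
    return options


def effective(options: dict, keyword: str) -> str:
    """First value wins, falling back to the era default."""
    values = options.get(keyword)
    return values[0] if values else ERA_DEFAULTS.get(keyword, "")


def audit_sshd_config(text: str) -> list:
    """Return human-readable findings; an empty list means the file follows the advice above."""
    opts = parse_sshd_config(text)
    findings = []
    protocol = effective(opts, "protocol")
    if "1" in [p.strip() for p in protocol.split(",")]:
        findings.append("Protocol 1 is enabled (Protocol %s); set 'Protocol 2'" % protocol)
    if effective(opts, "passwordauthentication").lower() != "no":
        findings.append("PasswordAuthentication is not 'no'; passwords are still accepted")
    if effective(opts, "challengeresponseauthentication").lower() != "no":
        findings.append("ChallengeResponseAuthentication is not 'no'; keyboard-interactive "
                        "(e.g. PAM) can still prompt for a password")
    if effective(opts, "pubkeyauthentication").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled; key logins would fail")
    for path in opts.get("hostkey", []):
        if path.endswith("/ssh_host_key"):   # the protocol 1 host key file
            findings.append("SSH1 host key %s is still loaded; drop it along with Protocol 1" % path)
    return findings


if __name__ == "__main__":
    for name, text in [("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)]:
        findings = audit_sshd_config(text)
        print("%s config: %d finding(s)" % (name, len(findings)))
        for f in findings:
            print("  - " + f)
```

Run against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; because the first value wins, a hardened line appended at the bottom of a file that already sets the keyword near the top changes nothing, which is exactly the case the parser's ordering reproduces.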


Do you have any doubts? Just mail us. Our team will find the solution for it and we will clarify it as soon as possible.

regards;
S-TECHNOLOGIES team