SSH Tips & Tricks

Axel "XTaran" Beckert

Debian / ETH Zürich

axel@beckert.ch
http://axel.beckert.ch/

Motivation

  • Don't show basics, but neat features
  • Show possibilities, but not too many details
  • Compatibility
    • Everything should work with OpenSSH 4.3 (unless stated otherwise)
    • Most things also work with even older OpenSSH versions
    • Many things also work with other implementations

Overview

  • Verifying Host Keys
  • Making Life Easier with Onboard Features
  • Tunneling is Important, not Evil
  • Connected! And now?
  • New in OpenSSH 6.9 and Upcoming Changes in 7.0
  • Neat Tools in the SSH Ecosystem
  • SSH is not only for Unix
  • Restrict Usage of SSH Keys
  • Links, Resources and Contact

Onboard Features (1/9): SSH Host Keys (1/2)

Verifying the identity of an SSH server by its host keys

  • Public Key Cryptography
  • RFC 4255 (2006, Draft from 2003)
  • ssh-keygen -l -f /etc/ssh/ssh_host_<algorithm>_key.pub (adds .pub automatically if omitted):
    $ ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key
    256 fd:89:37:8e:f0:76:f0:c9:47:ee:73:31:0f:48:fe:20  root@c-cactus (ECDSA)
  • GET https://db.debian.org/debian_known_hosts > ~/.ssh/known_hosts2 (~/.ssh/known_hosts and ~/.ssh/known_hosts2 are both checked by default. How convenient! :-)

Onboard Features (2/9): SSH Host Keys (2/2)

Verifying SSH Host Keys via DNS — DNSSEC recommended

  • ssh-keygen -r <hostname>:
    $ ssh-keygen -r c-cactus.deuxchevaux.org
    c-cactus.deuxchevaux.org IN SSHFP 1 1 8270d67451d29af5b2cc3d0a00c2df20060746fa
    c-cactus.deuxchevaux.org IN SSHFP 1 2 7683a04bbd2dbbae9c6d487493c251de69100287e09fa6c72d7d74555c8a4912
    c-cactus.deuxchevaux.org IN SSHFP 2 1 f43b0e9d2367bf6cd47fb405288d7304a10a41d9
    c-cactus.deuxchevaux.org IN SSHFP 2 2 0e6b6d17e1565ec05d9c400abda79eae935e44b6a1faa22d20083d38c517f7b9
  • host -t SSHFP <hostname>:
    $ host -t SSHFP www.ccczh.ch
    www.ccczh.ch is an alias for proxy.ccczh.ch.
    proxy.ccczh.ch has SSHFP record 3 1 CC60D7A88E96BDAD570EAA39CDC86FED
    proxy.ccczh.ch has SSHFP record 1 1 9BA56C02A0A82E2BED5D946413E6A62B
    proxy.ccczh.ch has SSHFP record 2 1 99C0844B0A0692EEC6601B5ACBDC81D5
  • ssh -o "VerifyHostKeyDNS ask" <hostname>:
    $ ssh -o "VerifyHostKeyDNS ask" host.example.com
    […]
    Matching host key fingerprint found in DNS.
    Are you sure you want to continue connecting (yes/no)?
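Added example for the two host-key slides above (not part of the original talk): a small Python script that reproduces what ssh-keygen -l (MD5 colon format) and ssh-keygen -r compute from a public key, and checks a key against an SSHFP record as printed by host -t SSHFP. The key material is constructed test data and host.example.com is a placeholder; on a real host you would feed it the /etc/ssh/ssh_host_*_key.pub file and a DNSSEC-validated record.

```python
import base64
import hashlib
import struct

# SSHFP algorithm and fingerprint-type numbers from RFC 4255 / 6594 / 7479.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def key_blob(pubkey_line):
    """Return (keytype, wire-format key blob) from an OpenSSH public key line."""
    keytype, b64 = pubkey_line.split()[:2]
    return keytype, base64.b64decode(b64)

def md5_fingerprint(pubkey_line):
    """Colon-separated MD5 fingerprint, the format older `ssh-keygen -l` prints."""
    digest = hashlib.md5(key_blob(pubkey_line)[1]).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def sshfp_records(hostname, pubkey_line):
    """Emulate `ssh-keygen -r`: one SSHFP record per fingerprint type."""
    keytype, blob = key_blob(pubkey_line)
    return [f"{hostname} IN SSHFP {SSHFP_ALGO[keytype]} {fptype} {h(blob).hexdigest()}"
            for fptype, h in SSHFP_HASH.items()]

def verify_sshfp(pubkey_line, rdata):
    """Check a key against SSHFP RDATA 'algo fptype hex' (as `host -t SSHFP` shows).

    False on algorithm mismatch, unknown fingerprint type or differing digest;
    the hex comparison is case-insensitive because DNS tools print upper case.
    """
    keytype, blob = key_blob(pubkey_line)
    algo, fptype, fp = rdata.split()
    if int(algo) != SSHFP_ALGO.get(keytype) or int(fptype) not in SSHFP_HASH:
        return False
    return SSHFP_HASH[int(fptype)](blob).hexdigest() == fp.lower()

def constructed_ed25519_key():
    """Constructed test data, not a real key: 32 fixed bytes wrapped in SSH
    wire format (string keytype, string key), then base64 like a .pub file."""
    point = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + point
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed"

if __name__ == "__main__":
    key = constructed_ed25519_key()
    print(md5_fingerprint(key))
    for rr in sshfp_records("host.example.com", key):
        print(rr)
```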

Onboard Features (3/9): SSH Keys and SSH-Agent

SSH Keys for Authentication and Authorization

  • Public Key Cryptography
  • ssh-keygen (only in special cases without passphrase!)
  • ssh-copy-id (copies key(s) into the remote ~/.ssh/authorized_keys)
  • eval `ssh-agent` (often started via Xsession)
  • ssh-add
  • ssh-add -l (List fingerprints) / ssh-add -L (List public key parameters)
  • ssh other.computer -t -A ssh-add (Loading key from other computer into the local key agent.)

Nearly Onboard Features (4/9): Alternative SSH Agents

  • GnuPG Agent (gpg-agent)
  • GNOME Keyring
  • KWallet via kwalletcli, kwalletaskpass and gpg-agent

Onboard Features (5/9): Working with the SSH Agent

  • ssh-add -x (Lock)
  • ssh-add -X (Unlock)
  • ssh -A (Forward Agent)
  • ssh -a (Don't forward Agent)
  • Host *.deuxchevaux.org *.noone.org
      ForwardAgent yes

Onboard Features (6/9): SFTP, SCP

Transferring files with SSH

  • $ scp file myaccount@computer:directory/
    file                             100%  337     0.3KB/s    00:00

    (Path on remote computer relative to $HOME or chroot)
  • $ sftp myaccount@computer
    Connecting to rechner...
    sftp> ls
    file1 file2
    sftp> get file1
    Fetching /home/myaccount/file1 to file1
    /home/abe/file1                      100%  337     0.3KB/s   00:00
    sftp> lls
    file1 file3
    sftp> put file3
    Uploading file3 to /home/myaccount/file3
    file3                                100%   65     0.1KB/s   00:00
    sftp> quit

Onboard Features (7/9): SSH Configuration File

$EDITOR ~/.ssh/config

Host *
        HashKnownHosts no
        NoHostAuthenticationForLocalhost yes

Host sym
        HostName symlink.to.noone.org
        ForwardAgent yes
        ForwardX11Trusted yes

Host sf
        Hostname shell.sourceforge.net
        User xtaran

Host avaya
        StrictHostKeyChecking no
        UserKnownHostsFile /dev/null

Onboard Features (8/9): ProxyCommand

$EDITOR ~/.ssh/config

# OpenSSH < 5.4
Host myhomeserver
        ProxyCommand ssh myhomegateway nc myhomeserver 22

# OpenSSH ≥ 5.4
Host myhomeserver
        ProxyCommand ssh myhomegateway -W myhomeserver:22

Onboard Features (9/9): ControlMaster

$EDITOR ~/.ssh/config

Host host-with-picky-firewall
        ControlMaster autoask
        ControlPath ~/.ssh-master-%l-%h-%p-%r

Tunneling (1/5): Overview

  • Tunneling is not evil and serves your own security and privacy (Hello to the NSA! *blblblbl* :-P)
  • Take care when creating tunnels into non-trustworthy countries (e.g. where the government is known to issue faked SSL certificates)
  • Subtopics:
    • Applications which call ssh themselves
    • Tunneling X Applications ("DISPLAY Forward")
    • Tunneling single connections
    • SSH as SOCKS Proxy

Tunneling (2/5): Tools which use SSH

  • Often call the unencrypted rsh by default.
  • rsh may be a symbolic link to ssh if rsh is not installed
  • rsync -e ssh
  • Many Version Control Systems (VCS) support ssh "out of the box": cvs (CVS_RSH=ssh), svn (svn+ssh://…), git, hg, etc.
  • "Pre-Authenticated IMAP" (needs SSH keys)
    • mutt (.muttrc: set tunnel="ssh -q imap.example.org /etc/rimapd")
    • pine (.pinerc)
      inbox-path={imap.example.org/user=myaccount/secure}INBOX
      folder-collections=Mail {imap.example.org/user=myaccount/secure}[]
      rsh-open-timeout=0
      ssh-path=/usr/bin/ssh
    • Supported by at least UW IMAPd and Dovecot.

Tunneling (3/5): X Applications

  • Standard "forwarding" of X applications is unencrypted
  • ssh can set up the right tunnel and $DISPLAY automatically. Needs xauth in the search path on the remote computer.
  • -X or ForwardX11 yes
  • -Y or ForwardX11 yes + ForwardX11Trusted yes (Details in ssh_config(5))
  • -x or ForwardX11 no

Tunneling (4/5): Single Ports

  • A connection to a local "port" will be forwarded to another port behind the remote computer (or vice versa)
  • Forwarded ports are by default only accessible from "localhost". Use -g to allow access from everywhere.
  • ssh -L 8080:proxy:8080 router.at.home (Use the proxy at home from elsewhere)
  • ssh -R 8000:localhost:8001 company.computer (Give a computer at work access to your local web server)
  • ssh -R 8000:localhost:8001 -g company.computer (Give all computers at work access to your local web server)

Tunneling (5/5): SOCKS Proxy

Using SSH as SOCKS proxy

  • ssh -D 1080 remote.computer and configure localhost:1080 as SOCKS proxy in your browser, e-mail client, other program or with tsocks.
  • All TCP connections of the program will appear to come from "remote.computer".
  • Attention: DNS requests (usually UDP) are not tunnelled by default; this is possible with SOCKS4a and higher.

Connected! And now?

  • After pressing <Enter>~ nothing seems to happen.
  • A tilde (~) after an Enter is the escape sequence of SSH
  • ~~ results in one tilde
  • ~. disconnects immediately
  • ~<Ctrl-Z> stops the SSH (continue with fg)
  • ~& puts the SSH in the background, e.g. in case there are still tunnels open after logging out.
  • ~? shows the help.

New in OpenSSH 6.9 (30-Jun-2015)

  • Primarily a bug fix release
  • Change of the default cipher (now "chacha20-poly1305@openssh.com")
  • Brute-forcing a locked ssh-agent is mitigated by delaying the password prompt after a wrong password has been entered.
  • http://www.openssh.com/txt/release-6.9

Changes planned for OpenSSH 7.0 (End of July 2015)

  • The default value for PermitRootLogin will change from "yes" to "no". (Debian and Ubuntu already default to "without-password".)
  • Version 1 of the SSH protocol will be disabled at compile time by default.
  • Support for ssh-dss host and user keys will be disabled by default.
  • Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc, all arcfour variants and the rijndael-cbc aliases for AES
  • Refusing all RSA keys smaller than 1024 bits. (The current minimum is 768 bits.)
  • See http://www.openssh.com/txt/release-6.9 for the announcement of these plans.

Neat Tools in the SSH Ecosystem (1/5): screen + tmux

GNU Screen allows one (amongst other things) to keep using shell sessions and other text mode programs (e.g. mutt, irssi, mcabber) on remote computers without the need to keep the SSH session open all the time.

  • Starting: screen
  • Starting a program with a screen session around it: screen irssi
  • Detach: <Ctrl-A><Ctrl-D> (Tmux: <Ctrl-B><Ctrl-D>)
  • Reattach: screen -r
  • Attach here, detach the current connection: screen -r -d
  • Attach here, but keep the existing connection: screen -x
  • tmux is similar, but rewritten from scratch, colorful by default, misses some features, offers others.

Neat Tools in the SSH Ecosystem (2/5): autossh

  • Tests the availability of the connection via a pair of automatically created SSH port forwardings and restarts the SSH session if necessary.
  • Perfect together with GNU Screen or Tmux
  • Use autossh -t computer 'screen -RD' and you will be reconnected to your shell as soon as the network connection is back.

Neat Tools in the SSH Ecosystem (3/5): mosh

  • SSH alternative for network connections with high latency or high packet loss.
  • mosh-server needs to be installed on the server.
  • No open port if unused
  • Uses SSH for authentication, authorization, and for starting the server.
  • Uses UDP ports 60000 to 61000 by default.
  • Doesn't need to "Detach" — client and server just wait until there is a network connection again.
  • Supports only UTF-8 (no ISO-8859-*, etc.).
  • Non-roaming IPv6 support from version 1.2.5 (expected soon, RC2 released recently) onwards.

Neat Tools in the SSH Ecosystem (4/5): sshfs

  • Mounts directories from a computer reachable via SSH, using FUSE.
  • Uses the SFTP subsystem on the remote computer.
    • Doesn't work with a dropbear server — unless a 3rd party SFTP server is installed, too.
    • openssh-sftp-server available as separate package starting with Debian 8 "Jessie" and Ubuntu 14.04 LTS "Trusty"
    • mysecureshell available since Debian 8 "Jessie" and Ubuntu 15.04 "Vivid"
  • sshfs computer:/home/myaccount home-on-computer
    cd home-on-computer

Neat Tools in the SSH Ecosystem (5/5): sslh

  • Allows one to use HTTPS as well as SSH on port 443 (HTTPS).
  • Automatically recognizes the protocol (SSL or SSH) and forwards the connection to the right service. (HTTPS often runs on port 442 then.)
  • Helps against firewalls which forbid SSH but allow HTTPS.
  • Can also be used to combine SSH with other SSL based protocols on the same port.

SSH is not only for Unix

  • Windows:
    • Cygwin: POSIX environment for Windows including OpenSSH (Client+Server)
    • Putty: Free SSH client for Windows among others
    • KiTTY: a Putty fork, more features, windows-only
    • MobaXterm: terminal, SSH client and X server in one (GPLed, but with "freemium" scheme)
    • WinSCP: Drag & Drop SCP, based on Putty, requires SFTP service.
  • dropbear: Free SSH implementation (Client+Server) for embedded systems (including iPhone, AppleTV, Dreambox, many NAS and routers)
    • no SFTP backend included, but the one from OpenSSH can be used.
  • PSPSSH: Free SSH client for the Sony PSP, based on dropbear
  • MidpSSH: Free SSH client for MIDP/J2ME capable mobile phones
  • S2Putty: Free SSH client for Symbian S60 mobile phones

Restrict Usage of SSH Keys in .ssh/authorized_keys

  • Sometimes you want to allow only access to one single program or command.
  • Laborious, complicated and error-prone if done via a web service.
  • command="foobar" ssh-rsa AAAAB3Nza… calls "foobar" and only "foobar" upon every login with this key
  • from="computer" ssh-rsa AAAAB3Nza… allows access with this key only from the host "computer".
  • no-{agent,port,X11}-forwarding ssh-rsa AAAAB3Nza… disallows misc. forwardings.
  • no-pty ssh-rsa AAAAB3Nza… disallows the allocation of a pseudo terminal.
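Added example, not from the slides: a Python audit that parses authorized_keys lines, including quoted command= values containing spaces and commas, and reports keys that carry neither command= nor from=. The sample lines are constructed and their key material is not real.

```python
import re

def split_fields(line):
    """Return (options_text, keytype, key, comment) for one authorized_keys line."""
    line = line.strip()
    opts, rest = "", line
    if not re.match(r"(sk-)?(ssh|ecdsa)-", line):   # line carries an options field
        # Options end at the first space outside double quotes (command="..." keeps its spaces).
        in_quote, i = False, 0
        while i < len(line) and (in_quote or not line[i].isspace()):
            if in_quote and line[i] == "\\":
                i += 1                      # skip the escaped character
            elif line[i] == '"':
                in_quote = not in_quote
            i += 1
        opts, rest = line[:i], line[i:].strip()
    parts = rest.split(None, 2)
    return opts, parts[0], parts[1], parts[2] if len(parts) > 2 else ""

def parse_options(opts):
    """Turn 'command="a, b",from="h",no-pty' into a dict; bare flags map to True."""
    result = {}
    # Quoted values may hold commas and \" escapes, so opts.split(",") is not enough.
    for m in re.finditer(r'([\w-]+)(?:="((?:[^"\\]|\\.)*)")?', opts):
        name, value = m.group(1).lower(), m.group(2)
        result[name] = True if value is None else value.replace('\\"', '"')
    return result

def audit(lines):
    """List (comment, missing) for keys lacking the command= or from= restriction."""
    findings = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        opts, _keytype, key, comment = split_fields(line)
        present = parse_options(opts)
        missing = [o for o in ("command", "from") if o not in present]
        if missing:
            findings.append((comment or key[:12], missing))
    return findings

# Constructed sample file: one locked-down backup key and one wide-open key.
SAMPLE = [
    'command="rsync --server --sender -e.Ls . /srv/data",from="backup.example.org",no-pty,no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterial backup',
    'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyMaterial alice@laptop',
]

if __name__ == "__main__":
    for label, missing in audit(SAMPLE):
        print(f"{label}: no {' / '.join(missing)} restriction")
```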

Summary

  • SSH is far more than just logging in somewhere else via the command line.
  • Tunneling is important, not evil.
  • SSH doesn't only work with computers running Linux.

Links (1/2)

Links (2/2)

Thanks + Feedback

Thanks goes to

  • Fabian Wenk for showing me -D and hence giving me the idea to this talk
  • Aaron Toponce, Michael Pobega, Michael Prokop, Sven Guckes, Jörg Jaspert, Alexander Wirt, Michael Stapelberg, Raoul from CCC ZH and Venty for tips and ideas about the talk
  • Eric S. Meyer for S5

Feedback to

  • Axel Beckert
  • E-Mail: axel@beckert.ch