SSH Public Key Fingerprints, Windows SSH Servers and Linux Key Pair Exchange


Continuing with Proxies, SOCKS5 and SSH, Darren and Shannon cover SSH Public Key Fingerprints, then build a free Windows SSH Server and configure Key Pairs for a Linux client.

SSH Public Key Fingerprints and known_hosts

Typical SSH servers use 128-bit MD5 hashes as public key fingerprints. These are used to verify the authenticity of a server: a fingerprint is a short sequence of bytes that stands in for a much longer public key. Like we discussed last week regarding key pairs for user authentication, SSH servers have key pairs for server authentication.

On a Linux OpenSSH server for example these key pairs will be found in /etc/ssh/*key*. The public keys will be world readable while the private keys can only be read by a superuser.

On a Linux client, for example, the key fingerprints of remembered servers are stored in ~/.ssh/known_hosts. Since SSH version 4 the usernames and hostnames associated with these servers are hashed.

To remotely verify the key fingerprint of an SSH server:

ssh-keyscan -t rsa,dsa REMOTEHOSTNAME > /tmp/
ssh-keygen -l -f /tmp/

Alternatively, on the remote server the key fingerprints can be found by:

cd /etc/ssh
ls *key*
cat ssh_host_key # this is the private key
# permission will be denied if not superuser
cat # this is the public key
ssh-keygen -lf
# field 1 = bit length of key
# field 2 = fingerprint of key
# field 3 = name of key
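The commands above do the verification by hand with ssh-keyscan and ssh-keygen -l. As an added example (not code from the episode), the Python below does the same work in code so the pieces are visible: it decodes an OpenSSH public-key line (a host key .pub file, or ssh-keyscan output with its leading hostname), derives the legacy colon-separated MD5 fingerprint and the newer SHA256 form over the decoded key blob, and shows how a hashed known_hosts host field of the form |1|salt|hash (OpenSSH's HashKnownHosts format, HMAC-SHA1 keyed with the salt) is matched against a hostname. The key blob and the salt are constructed test data, not real keys.

```python
import base64
import hashlib
import hmac
import struct
from typing import Tuple


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as a length-prefixed SSH 'string' (RFC 4251 wire format)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample blob: type string, public exponent and a tiny "modulus".
# It is not a usable RSA key; it only exercises the encoding that fingerprints
# are computed over (the decoded base64 blob, never the text line itself).
_SAMPLE_BLOB = (
    _ssh_string(b"ssh-rsa")
    + _ssh_string(b"\x01\x00\x01")
    + _ssh_string(b"\x00\xc3\x9f\x2a\x41")
)
SAMPLE_PUBKEY_LINE = (
    "ssh-rsa " + base64.b64encode(_SAMPLE_BLOB).decode() + " constructed@example"
)

_KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_pubkey_line(line: str) -> Tuple[str, bytes]:
    """Return (key type, raw blob) from a .pub line or an ssh-keyscan line.

    ssh-keyscan prints 'hostname keytype base64'; a .pub file omits the host.
    The type named inside the blob must agree with the type field.
    """
    fields = line.split()
    if fields and not fields[0].startswith(_KEY_TYPE_PREFIXES):
        fields = fields[1:]                      # drop ssh-keyscan's hostname field
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1])
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("type field does not match the type inside the blob")
    return key_type, blob


def md5_fingerprint(line: str) -> str:
    """Legacy fingerprint: MD5 of the blob, printed as 16 colon-separated bytes."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(line: str) -> str:
    """Modern fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the blob."""
    _, blob = parse_pubkey_line(line)
    b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return "SHA256:" + b64


def hash_known_host(hostname: str, salt: bytes) -> str:
    """Build the hashed host field '|1|<salt>|<HMAC-SHA1(salt, hostname)>'."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def known_host_matches(host_field: str, hostname: str) -> bool:
    """True if a known_hosts host field (hashed or plain) refers to hostname."""
    if not host_field.startswith("|1|"):
        return hostname in host_field.split(",")   # plain entry: comma-separated names
    _, _, salt_b64, mac_b64 = host_field.split("|")
    salt = base64.b64decode(salt_b64)
    expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    # constant-time compare, the same way sshd/ssh compare MACs
    return hmac.compare_digest(expected, base64.b64decode(mac_b64))


if __name__ == "__main__":
    print(md5_fingerprint(SAMPLE_PUBKEY_LINE))
    print(sha256_fingerprint(SAMPLE_PUBKEY_LINE))
    entry = hash_known_host("server.example", bytes(range(20)))   # constructed salt
    print(entry, known_host_matches(entry, "server.example"))
```

Because the hash is computed over the decoded blob, the comment at the end of a .pub line and the hostname at the start of an ssh-keyscan line do not affect the fingerprint, which is why the two procedures in the notes (remote ssh-keyscan versus local ssh-keygen -lf on the server) agree.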

Setting up a Windows SSH Server with Bitvise (+ A few other software recommendations)

Setting up the SSH Server on Windows using Bitvise WinSSHD

  • Download BitVise
  • Creating a server on laptop or pc at home...
  • Auto config router (UPnP) - BAD!! No Universal Plug-n-Play
  • Open Port to Any Computer
  • Uncheck 'Allow Any Logon', Click add.
  • Enter Username - Run 'whoami' from CMD to find out your username.
  • Want to add account for a friend? Do a virtual account.

SSH Servers for Windows

FreeSSHd -

  • Nice but lacks advanced security controls. The server starts sessions in the security context of the service itself; since the service has to run as Administrator or SYSTEM, those are the privileges every logged-in user gets.
  • Not open source so it can't be vetted, improved upon by the community
  • Hasn't been updated since 2009
  • Difficult to get working on Windows 7
  • Free and easy to setup

Bitvise WinSSHD -

  • Free for non-commercial / personal use
  • License costs $100, unlocks Active Directory feature for enterprises
  • Easy to install and update, nice GUI
  • Supports Active Directory, Kerberos or its own user database
  • Works fine in Windows 7
  • Supports AES 128 and 256 bit encryption
  • Not open source so it can't be vetted, improved upon by the community
  • Can be configured to use Power Shell instead of CMD as the default shell for users
  • Supports OpenSSH public key files
  • Configure account and group permissions per IP and DNS
  • Automation API, logging

OpenSSH for Windows -

  • Free, open source implementation of OpenSSH with Cygwin
  • Hasn't been updated since 2004
  • Enough said

Copssh -

  • Package of portable OpenSSH for Cygwin
  • GUI for administration

KpyM SSH Server -

  • Free, open source
  • Uses Windows identification (Windows user accounts)
  • Automated install and setup
  • Nag screen. Single license is $35

Setting up Key Pair Authentication in Linux with OpenSSH

On the remote host:

mkdir .ssh
chmod 700 .ssh
cd .ssh

On the local host:

ssh-keygen -t rsa
scp ~/.ssh/ user@host:.ssh/authorized_keys2

Back on the remote host:

ls -la authorized_keys2
chmod 600 authorized_keys2

On the local host:

ssh user@host

Bonus: Transfer SSH public keys from one machine to another

Now that we've done it the long way, let's take a moment to appreciate a convenient shortcut -- ssh-copy-id.

ssh-keygen; ssh-copy-id user@host; ssh user@host
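The manual steps above and the ssh-copy-id shortcut end up doing the same three things: make sure ~/.ssh on the remote host exists with mode 700, append the public key to the authorized keys file exactly once, and leave that file at mode 600 (with StrictModes on, sshd ignores keys in a group- or world-writable directory or file, which is why the chmod steps matter). The Python below is an added example, not code from the episode or from OpenSSH: it performs that installation idempotently against a throwaway home directory, so running it twice with the same key under a different comment does not duplicate the line. The key line is a constructed, non-functional sample; the authorized_keys2 name used in the walkthrough is still accepted by sshd alongside the default authorized_keys, so the filename is a parameter.

```python
import os
import stat
import tempfile
from typing import Dict

# Constructed sample line; the base64 is placeholder text, not a real key.
SAMPLE_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAEXAMPLEKEYBLOB laptop@home"


def _key_identity(line: str) -> tuple:
    """Type and blob only: two lines that differ just in the comment are one key."""
    return tuple(line.split()[:2])


def install_authorized_key(home: str, pubkey_line: str,
                           filename: str = "authorized_keys") -> Dict[str, object]:
    """Install one public key for the account whose home directory is `home`.

    Mirrors the manual steps and ssh-copy-id: create ~/.ssh (700), append the
    key unless an equivalent line is already present, and force the key file
    to 600 so sshd's StrictModes check accepts it.
    """
    ssh_dir = os.path.join(home, ".ssh")
    target = os.path.join(ssh_dir, filename)
    report: Dict[str, object] = {"created_dir": False, "added_key": False}

    if not os.path.isdir(ssh_dir):
        os.mkdir(ssh_dir)                # mkdir .ssh
        report["created_dir"] = True
    os.chmod(ssh_dir, 0o700)             # chmod 700 .ssh (also repairs a loose mode)

    key = pubkey_line.strip()
    present = set()
    if os.path.exists(target):
        with open(target) as fh:
            present = {_key_identity(l) for l in fh
                       if l.strip() and not l.startswith("#")}
    if _key_identity(key) not in present:
        with open(target, "a") as fh:    # append, never overwrite other people's keys
            fh.write(key + "\n")
        report["added_key"] = True
    os.chmod(target, 0o600)              # chmod 600 authorized_keys

    report["dir_mode"] = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    report["file_mode"] = stat.S_IMODE(os.stat(target).st_mode)
    return report


def demo() -> Dict[str, object]:
    """Run the installation twice against a temporary home and report what happened."""
    with tempfile.TemporaryDirectory() as home:
        first = install_authorized_key(home, SAMPLE_KEY)
        # same key, different comment: must not be appended a second time
        second = install_authorized_key(
            home, SAMPLE_KEY.replace("laptop@home", "desktop@home"))
        with open(os.path.join(home, ".ssh", "authorized_keys")) as fh:
            line_count = sum(1 for l in fh if l.strip())
    return {"first": first, "second": second, "line_count": line_count}


if __name__ == "__main__":
    print(demo())
```

Comparing keys by type and blob rather than by the whole line is what keeps a second ssh-copy-id from silently adding a duplicate, and checking the modes on every run catches the case from the walkthrough where the file was copied in with scp and still has its default 644 permissions.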