Building on top of last week's episode on Proxies, SOCKS5 and SSH we're covering Authentication via Public Key Cryptography, setting up an SSH server in Linux and properly configuring a client in Windows.
Breaking down SSH-2 Protocol Layers
Before getting into public key crypto we should first take a moment to gather a basic understanding of the SSH-2 protocol layers. In a nutshell the three layers of SSH-2 are:
The first is the Transport Layer. This layer is responsible for handling key exchanges, the servers authenticity (server authentication), compression, encryption and re-keying (typically after 1 GB of traffic or 1 Hour have elapsed). We'll get into more detail on this next week when we focus on key fingerprints.
Second is the User Authentication Layer, which handles client authentication, or authentication of the user trying to log-in. This process is client driven, meaning that the connecting client chooses which method they would like to authenticate with. Accepted methods vary by server but typically these include:
- Password Authentication - we used this last week by interactively typing in our password at the prompt when logging in
- Public Key - this is the method we'll be using today and going forward
- Keyboard Interactive - a process that can be used for one-time-passwords.
- GSSAPI (Generic Security Services Application Programming Interface) - this is actually a library used by commercial vendors, usually to implement single-sign-on services in enterprises and integrating with existing security services such as NTLM or Kerberos.
Finally there is the Connection Layer. This layer defines the channels, or asymmetric communications supported by SSH, including:
- Shell Channel for Shells, SFTP, SCP
- Direct-TCP/IP Channel for Client-to-Server forwards
- Forwarded-TCP/IP Channel for Server-to-Client forwards
Understanding Public Key Cryptography
Authentication via Asymmetric Key Cryptography (aka Public Key Crypto) is the method for generating a key pair -- both public and private (aka secret) -- and publishing one or the other in order to initiate secure communication. In our example we'll be protecting our private key on the client while publishing the public key on the SSH server. With this setup anything encrypted with the public key can be decrypted with our own private key. The oversimplification of this is that the key pairs are linked mathmatically allowing for encryption with the public key and decryption with the private key. The idea is that it's impractical to figure out the private key based on only knowledge of the public key. This is the basis for SSL, PGP, GPG, Bitcoin and many other protocols.
SSH-2 supports at least two methods for Public Key authentication
- RSA Key Pairs, which are named after creators Rivest, Shamir and Adleman and published in 1978 is an algorithm based on the difficulty of factoring large integers. Again the oversimplification is that the public key is based on the product of two large primes (along with an aux value) and the private key is derived from prime factors used to create the public key.
- DSA Key Pairs, or Digital Signature Algorithm, have been a Federal Information Processing Standard since 1993. Originally pantented by former NSA employee David Kravitz this technology is now freely available for anyone to use worldwide.
Setting up a Linux OpenSSH Server
On a Debian based Linux machine setting up ssh can be as simple as issuing "sudo apt-get install ssh". In this segment Darren goes over some of the configuration lines you would find useful to modify in /etc/ssh/sshd_config.
AllowTcpForwarding yes GatewayPorts yes RSAAuthentication yes PubkeyAuthentication yes AuthorizedKeysFile %h/.ssh/authorized_keys AllowUsers bob alice PermitRootLogin no Protocol 2 Port 222 LoginGraceTime 1m ListenAddress ClientAliveInterval 60 ClientAliveCountMax 0
Be sure to restart the SSH deamon after editing the configuration. stop ssh;start ssh;service ssh restart;/etc/init.d/ssh restart #one of these should do it! :)
SSH Key Authentication On Windows with Putty for a Linux Server
This'll create key pair- an authorization to log on to server for authentication. Begin by downloading the Putty KeyGen tool. Click Generate and move mouse to generate key pair, and save both. Now open the server via Putty.
On the server go ahead and create a user if you haven't already done so. Typically this is achieved using the "adduser username" then "passwd username" commands.
Now, while logged in as your user, make a directory called .ssh in the your home. For example "mkdir ~/.ssh"
You'll want to change the mode to 700 so that only you have access to it. In the world of Unix there are 3 levels of permissions for files and directories. The Owner, Groups and World (everyone). The first 10 characters are the file's attributes. The first character represents what type of file it is. If it's a dash (-) it's a regular file. A (d) represents a directory, and there are a few others for special stuff like symbolic links. The next 9 characters specify the Read (r), Write (w) and Execute (x) permissions for the file's Owner, Groups and World (everyone). Change the mode of the directory with "chmod 700 .ssh/" The "chmod" command stands for Change Mode and allows you to easily modify a file or directory's permissions. Chmod will accept an octal representation of the modes. We're not going to get into them all but in this case 700 changes the file to be Readable, Writeable and Executable by the file's Owner, and nothing else for any Groups and the World.
Next change to the newly created directory with "cd .ssh" and create a file called authorized_keys2 with the public key on one line saved in file. Add ""ssh-rsa "" to the beginning.
Finally you'll want to again change the mode of the file so that only you can read and write to it. In this case the command would be "chmod 600 authorized_key2".
Now back on the Windows machine ppen pageant.exe and select 'add key'. Add the private key created in the initial setup. Pageant works as a passphrase keeper. With Pageant in memory and your private key loaded go ahead and test your connection. Just as before login with putty being sure to include "username@" before the hostname in the connection dialog.
You should now login without a password needed! Hooray!