Building on top of last week's episode on Proxies, SOCKS5 and SSH we're covering Authentication via Public Key Cryptography, setting up an SSH server in Linux and properly configuring a client in Windows.
Breaking down SSH-2 Protocol Layers
Before getting into public key crypto we should first take a moment to gather a basic understanding of the SSH-2 protocol layers. In a nutshell the three layers of SSH-2 are:
The first is the Transport Layer. This layer is responsible for handling key exchanges, the server's authenticity (server authentication), compression, encryption and re-keying (typically after 1 GB of traffic or 1 hour has elapsed). We'll get into more detail on this next week when we focus on key fingerprints.
Second is the User Authentication Layer, which handles client authentication, or authentication of the user trying to log in. This process is client driven, meaning that the connecting client chooses which method they would like to authenticate with. Accepted methods vary by server but typically these include:
Finally there is the Connection Layer. This layer defines the channels, or asymmetric communications supported by SSH, including:
Understanding Public Key Cryptography
Authentication via Asymmetric Key Cryptography (aka Public Key Crypto) is the method for generating a key pair -- both public and private (aka secret) -- and publishing one or the other in order to initiate secure communication. In our example we'll be protecting our private key on the client while publishing the public key on the SSH server. With this setup anything encrypted with the public key can be decrypted with our own private key. The oversimplification of this is that the key pairs are linked mathematically, allowing for encryption with the public key and decryption with the private key. The idea is that it's impractical to figure out the private key based on only knowledge of the public key. This is the basis for SSL, PGP, GPG, Bitcoin and many other protocols.
SSH-2 supports at least two methods for Public Key authentication
Setting up a Linux OpenSSH Server
On a Debian based Linux machine setting up ssh can be as simple as issuing "sudo apt-get install ssh". In this segment Darren goes over some of the configuration lines you would find useful to modify in /etc/ssh/sshd_config.
AllowTcpForwarding yes
GatewayPorts yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
AllowUsers bob alice
PermitRootLogin no
Protocol 2
Port 222
LoginGraceTime 1m
ListenAddress
ClientAliveInterval 60
ClientAliveCountMax 0
Be sure to restart the SSH daemon after editing the configuration.
stop ssh; start ssh; service ssh restart; /etc/init.d/ssh restart #one of these should do it! :)
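A check you can run on the edited file before restarting, as an added example that is not part of the original show notes: it reads the effective global value of a directive the way sshd does (first occurrence wins, keywords are case-insensitive, lines after a Match block are conditional) and compares three of the settings listed above. The function names are hypothetical.

```sh
#!/bin/sh
# Added example: audit an sshd_config against settings from the list above.
# Usage after sourcing: audit_sshd_config /etc/ssh/sshd_config

# Print the effective global value of keyword $2 in config file $1.
sshd_effective() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        tolower($1) == "match" { exit }      # the global section ends here
        tolower($1) == want {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit   # first value wins
        }' "$1"
}

# Compare one keyword with its expected value; print a finding on mismatch.
# "unset" means the keyword is absent and sshd's built-in default applies.
expect_setting() {  # args: file keyword expected
    got=$(sshd_effective "$1" "$2")
    [ "$got" = "$3" ] && return 0
    echo "FINDING: $2 is '${got:-unset}', expected '$3'"
    return 1
}

# Print findings for config file $1 and return how many there were.
audit_sshd_config() {
    findings=0
    expect_setting "$1" PubkeyAuthentication yes || findings=$((findings + 1))
    expect_setting "$1" PermitRootLogin no       || findings=$((findings + 1))
    if [ -z "$(sshd_effective "$1" AllowUsers)" ]; then
        echo "FINDING: AllowUsers is unset, logins are not limited to named users"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

A return status of 0 means all three settings match; a duplicate directive further down the file does not change the result because sshd ignores it too.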
SSH Key Authentication On Windows with Putty for a Linux Server
This will create a key pair, which serves as your authorization to log on to the server. Begin by downloading the Putty KeyGen tool. Click Generate and move the mouse to generate the key pair, then save both keys. Now open the server via Putty.
On the server go ahead and create a user if you haven't already done so. Typically this is achieved using the "adduser username" then "passwd username" commands.
Now, while logged in as your user, make a directory called .ssh in your home directory. For example "mkdir ~/.ssh"
You'll want to change the mode to 700 so that only you have access to it. In the world of Unix there are 3 levels of permissions for files and directories: the Owner, Groups and World (everyone). The first 10 characters are the file's attributes. The first character represents what type of file it is. If it's a dash (-) it's a regular file. A (d) represents a directory, and there are a few others for special stuff like symbolic links. The next 9 characters specify the Read (r), Write (w) and Execute (x) permissions for the file's Owner, Groups and World (everyone).
Change the mode of the directory with "chmod 700 .ssh/". The "chmod" command stands for Change Mode and allows you to easily modify a file or directory's permissions. Chmod will accept an octal representation of the modes. We're not going to get into them all, but in this case 700 changes the directory to be Readable, Writeable and Executable by its Owner, with no access for any Groups or the World.
Next change to the newly created directory with "cd .ssh" and create a file called authorized_keys2 containing the public key, saved on a single line. Add "ssh-rsa " to the beginning of the line.
Finally you'll want to again change the mode of the file so that only you can read and write to it. In this case the command would be "chmod 600 authorized_keys2".
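To verify the result of these steps, here is an added example (not part of the original show notes) that checks the directory mode, the file mode, and that every entry is a one-line public key. The function name is hypothetical, GNU stat on Linux is assumed, and the key file name is an argument because sshd only reads the files named by AuthorizedKeysFile in sshd_config.

```sh
#!/bin/sh
# Added example: check ~/.ssh the way the steps above set it up.
# Usage after sourcing: check_authorized_keys "$HOME/.ssh" authorized_keys2
# Prints findings and returns how many there were.

check_authorized_keys() {  # args: ssh_dir keys_file_name
    dir=$1; file=$1/$2; findings=0

    mode=$(stat -c '%a' "$dir" 2>/dev/null) || mode=""
    if [ "$mode" != 700 ]; then
        echo "FINDING: $dir mode is ${mode:-missing}, expected 700"
        findings=$((findings + 1))
    fi
    mode=$(stat -c '%a' "$file" 2>/dev/null) || mode=""
    if [ "$mode" != 600 ]; then
        echo "FINDING: $file mode is ${mode:-missing}, expected 600"
        findings=$((findings + 1))
    fi
    [ -r "$file" ] || return "$findings"

    # Every entry must sit on one line: optional options, a key type, then
    # the base64 key. A wrapped paste or PuTTY's multi-line export fails this.
    # Only common key types are listed here.
    bad=$(awk '
        /^[ \t]*(#|$)/ { next }
        {
            ok = 0
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/ &&
                    $(i + 1) ~ /^[A-Za-z0-9+\/]+=*$/) ok = 1
            if (!ok) n++
        }
        END { print n + 0 }' "$file")
    if [ "$bad" -gt 0 ]; then
        echo "FINDING: $bad line(s) in $file are not a one-line public key"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```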
Now back on the Windows machine open pageant.exe and select 'add key'. Add the private key created in the initial setup. Pageant works as a passphrase keeper. With Pageant in memory and your private key loaded go ahead and test your connection. Just as before, log in with Putty, being sure to include "username@" before the hostname in the connection dialog.
You should now be able to log in without needing a password! Hooray!
