Five steps to a secure login using SSH
Version 1.0
March 21, 2005
By A Guest Contributor

Takeaway
One of the best ways to ensure that all of your network's communication links are secure is to implement system-wide encryption. This download shows you how to set up a Secure Shell (SSH) that will encrypt all the traffic on a network.

Table of Contents
OpenSSH
Definitions
Process
1. Get the source code
2. Compile and install the software, and generate a host key
3. Generate a user key
4. Configure authentication
5. Start SSH and log in
Additional Notes
TechRepublic
Additional resources
Version history
Tell us what you think

Copyright ©2005 CNET Networks, Inc. All rights reserved. To see more downloads and get your free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html.

OpenSSH
In this age of hacker attacks and electronic identity theft, prevention really is the only cure. One of the most important things you can do to protect yourself is to ensure that all of your network's communication links are secure. This means encrypting all the data flowing in and out of your system, so that anyone sniffing the network cannot read it and use it to gain unauthorized access to your data. This is much easier than it sounds, thanks to a variety of freely available tools designed specifically to improve network security. One of the most effective is the Secure Shell (SSH) program, which ensures that only trusted users can log in to a system.
This tutorial shows you how to set up OpenSSH on a *NIX system, in five easy steps.

Definitions
Local host: The host from which you will be logging in (in this example, local.site.com)
Remote host: The host to which you will be logging in (in this example, faraway.site.com)
Local user account: A user account on the local host (in this example, rufus@local.site.com)
Remote user account: A user account on the remote host (in this example, webmaster@faraway.site.com)

Process

1. Get the source code
Begin by downloading the source for OpenSSH. The program is available for a variety of UNIX operating systems, so you should have no trouble finding a version for yours. Once the file has downloaded to the local host, log in as root, copy it to the system's temporary directory and unpack it with the tar program:

root@local.site.com $ tar -xzvf openssh-4.0p1.tar.gz

Repeat this step for the remote host.

2. Compile and install the software, and generate a host key
From the unpacked source directory, compile and install the software on the local host using the traditional configure-make-install process:

root@local.site.com $ ./configure
root@local.site.com $ make
root@local.site.com $ make install

Repeat this step for the remote host. Compilation can take between five and twenty minutes depending on the system configuration. By default, the software is installed under the /usr/local/ directory tree. Once the software has been installed, it automatically generates a host key for the system on which it has been installed. The host key is a cryptographic key pair (a public and a private key) that uniquely identifies the system; it is used for host-based authentication and to let clients verify the identity of the server they connect to.

3. Generate a user key
Log in to the local user account and generate a user key by running the ssh-keygen command:

rufus@local.site.com $ ssh-keygen -t dsa

This command generates a key pair that uniquely identifies the combination of user and host.
The key pair consists of two keys, a public key (id_dsa.pub) and a private key (id_dsa), both stored in the user's ~/.ssh directory. During key generation you will be asked for a passphrase. Enter a hard-to-guess passphrase and commit it to memory; it will be used to verify the user's identity at a later stage. Note that the public key may be widely distributed, but the private key and its passphrase must be accessible to, and known by, the user alone.

On successful completion, you will see a message like this:

Your identification has been saved in /home/rufus/.ssh/id_dsa.
Your public key has been saved in /home/rufus/.ssh/id_dsa.pub.
The key fingerprint is:
f9:c2:d4:73:bf:54:d4:4a:14:6f:ea:0d:f1:23:eb:00 rufus@local.site.com

The public key file id_dsa.pub contains a single line: the key type (ssh-dss), a space, the base64-encoded key material, a space, and a comment identifying the key (here rufus@local.site.com).

4. Configure authentication
Use FTP or telnet to log in to the remote user account. On the remote host, create a ~/.ssh directory in the remote user's home directory and upload the public key file (id_dsa.pub) generated in the previous step. Then, create a file named authorized_keys in the ~/.ssh directory. Only the public key travels over this link, and the public key is not secret; the FTP or telnet password you type to log in, however, is sent in clear text, which is why the Additional Notes below recommend disabling telnet once SSH is working.
Copy the contents of the public key file to the authorized_keys file, as shown below:

webmaster@faraway.site.com $ mkdir .ssh
webmaster@faraway.site.com $ cat id_dsa.pub >> .ssh/authorized_keys

5. Start SSH and log in
On both the remote and local hosts, start the SSH server with the sshd command:

root@local.site.com $ /usr/local/sbin/sshd
root@faraway.site.com $ /usr/local/sbin/sshd

Then, on the local host, use the ssh command to log in to the remote user account:

rufus@local.site.com $ ssh -l webmaster faraway.site.com

Notice that the ssh command includes both the name of the remote user and the remote host. You will be asked for the passphrase to the private key, as entered in step 3. Enter it, and you will be logged in to the remote user account. All communication between the two hosts is now encrypted, foiling any attempt to electronically eavesdrop on the connection. You're done!

Additional Notes

Disabling telnet
The normal telnet command sends passwords and other data in clear text over the network link. Hence, once you have an encrypted SSH connection configured and working, it is a good idea to disable the telnet service. To do this, look in your system's /etc/xinetd.d/telnet file and ensure it contains the line disable = yes. Then, restart the xinetd service with the command /etc/rc.d/init.d/xinetd restart.

Automatically loading SSH at startup
You can have SSH start automatically at system boot by adding the sshd command, using the path it was installed to in step 2 (/usr/local/sbin/sshd), to your system's start-up file, for example /etc/rc.local.
TechRepublic

Additional resources
• Use SSH tunneling for secure B2B networking (Article)
• SSH and Intrusion Detection (White paper)
• Monitor and manage logs in Linux/UNIX (Download)

Version history
Version: 1.0
Published: March 22, 2005

Tell us what you think
TechRepublic downloads are designed to help you get your job done as painlessly and effectively as possible. Because we're continually looking for ways to improve the usefulness of these tools, we need your feedback. Please take a minute to drop us a line and tell us how well this download worked for you and offer your suggestions for improvement.

Thanks!
—The TechRepublic Downloads Team