Building on top of last week's episode on Proxies, SOCKS5 and SSH we're covering Authentication via Public Key Cryptography, setting up an SSH server in Linux and properly configuring a client in Windows.

Download HD Download MP4

Breaking down SSH-2 Protocol Layers

Before getting into public key crypto we should first take a moment to gather a basic understanding of the SSH-2 protocol layers. In a nutshell the three layers of SSH-2 are:

The first is the Transport Layer. This layer is responsible for handling key exchanges, the servers authenticity (server authentication), compression, encryption and re-keying (typically after 1 GB of traffic or 1 Hour have elapsed). We'll get into more detail on this next week when we focus on key fingerprints.

Second is the User Authentication Layer, which handles client authentication, or authentication of the user trying to log-in. This process is client driven, meaning that the connecting client chooses which method they would like to authenticate with. Accepted methods vary by server but typically these include:

  • Password Authentication - we used this last week by interactively typing in our password at the prompt when logging in

  • Public Key - this is the method we'll be using today and going forward
  • Keyboard Interactive - a process that can be used for one-time-passwords.
  • GSSAPI (Generic Security Services Application Programming Interface) - this is actually a library used by commercial vendors, usually to implement single-sign-on services in enterprises and integrating with existing security services such as NTLM or Kerberos.

Finally there is the Connection Layer. This layer defines the channels, or asymmetric communications supported by SSH, including:

  • Shell Channel for Shells, SFTP, SCP
  • Direct-TCP/IP Channel for Client-to-Server forwards
  • Forwarded-TCP/IP Channel for Server-to-Client forwards

Understanding Public Key Cryptography

Authentication via Asymmetric Key Cryptography (aka Public Key Crypto) is the method for generating a key pair -- both public and private (aka secret) -- and publishing one or the other in order to initiate secure communication. In our example we'll be protecting our private key on the client while publishing the public key on the SSH server. With this setup anything encrypted with the public key can be decrypted with our own private key. The oversimplification of this is that the key pairs are linked mathmatically allowing for encryption with the public key and decryption with the private key. The idea is that it's impractical to figure out the private key based on only knowledge of the public key. This is the basis for SSL, PGP, GPG, Bitcoin and many other protocols.

SSH-2 supports at least two methods for Public Key authentication

  • RSA Key Pairs, which are named after creators Rivest, Shamir and Adleman and published in 1978 is an algorithm based on the difficulty of factoring large integers. Again the oversimplification is that the public key is based on the product of two large primes (along with an aux value) and the private key is derived from prime factors used to create the public key.

  • DSA Key Pairs, or Digital Signature Algorithm, have been a Federal Information Processing Standard since 1993. Originally pantented by former NSA employee David Kravitz this technology is now freely available for anyone to use worldwide.

Setting up a Linux OpenSSH Server
On a Debian based Linux machine setting up ssh can be as simple as issuing "sudo apt-get install ssh". In this segment Darren goes over some of the configuration lines you would find useful to modify in /etc/ssh/sshd_config.

AllowTcpForwarding yes
GatewayPorts       yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      %h/.ssh/authorized_keys
AllowUsers bob alice
PermitRootLogin no
Protocol 2
Port 222
LoginGraceTime 1m
ListenAddress
ClientAliveInterval 60
ClientAliveCountMax 0

Be sure to restart the SSH deamon after editing the configuration. stop ssh;start ssh;service ssh restart;/etc/init.d/ssh restart #one of these should do it! :)

SSH Key Authentication On Windows with Putty for a Linux Server

This'll create key pair- an authorization to log on to server for authentication. Begin by downloading the Putty KeyGen tool. Click Generate and move mouse to generate key pair, and save both. Now open the server via Putty.

On the server go ahead and create a user if you haven't already done so. Typically this is achieved using the "adduser username" then "passwd username" commands.

Now, while logged in as your user, make a directory called .ssh in the your home. For example "mkdir ~/.ssh"

You'll want to change the mode to 700 so that only you have access to it. In the world of Unix there are 3 levels of permissions for files and directories. The Owner, Groups and World (everyone). The first 10 characters are the file's attributes. The first character represents what type of file it is. If it's a dash (-) it's a regular file. A (d) represents a directory, and there are a few others for special stuff like symbolic links. The next 9 characters specify the Read (r), Write (w) and Execute (x) permissions for the file's Owner, Groups and World (everyone). Change the mode of the directory with "chmod 700 .ssh/" The "chmod" command stands for Change Mode and allows you to easily modify a file or directory's permissions. Chmod will accept an octal representation of the modes. We're not going to get into them all but in this case 700 changes the file to be Readable, Writeable and Executable by the file's Owner, and nothing else for any Groups and the World.

Next change to the newly created directory with "cd .ssh" and create a file called authorized_keys2 with the public key on one line saved in file. Add ""ssh-rsa "" to the beginning.

Finally you'll want to again change the mode of the file so that only you can read and write to it. In this case the command would be "chmod 600 authorized_key2".

Now back on the Windows machine ppen pageant.exe and select 'add key'. Add the private key created in the initial setup. Pageant works as a passphrase keeper. With Pageant in memory and your private key loaded go ahead and test your connection. Just as before login with putty being sure to include "username@" before the hostname in the connection dialog.

You should now login without a password needed! Hooray!

Leave a Reply

Your email address will not be published. Required fields are marked *

*

9 Comments

  • jamis 2 years ago

    Nice plug: http://www.layerone.org/ rofl.

    Interesting trivia: one of the exploits in SSH Version 1 was “featured” in the Matrix: Reloaded
    http://www.securityfocus.com/news/4831
    http://www.securityfocus.com/bid/2347

    Also, not a plug for securityfocus…

  • Please be aware that neither the ‘Download HD’ or ‘Download MP4′ links work (404)…

  • This is going to help with my Security+ exam.

    “If Bob wants to send a secure message to Bill using public-key encryption without sender validation, what does Bill need?” Answer: Bill’s private key.

    “If Mary wants to send a secure message to Todd using public-key encryption but is not worried about sender verification, what does she need in addition to her original message text?” Answer: Todd’s public key.

    Questions like that used to stump me, but after watching this, I have a better understanding.

  • Dude, fix the video links. Thanks.

  • Asniffer 2 years ago

    Awesome guys keep up the good work I am loving this section on Proxies and SSH and picking up a few tips along the way :-) Thanks !!!!

    Asniffer

  • LOVE the Proxie episodes. Now have you in my Google Reader. Watching the episodes has replaced TV viewing

  • Wallace 2 years ago

    Blooper at 40:17
    Incorrect SSH server config file was edited.

    root@vps20403 [/etc/ssh]# vi ssh_config

    should be editing sshd_config

  • Tyler 2 years ago

    PuttyGen comes with WinSCP, so thats why u have to already
    Also, WinSCP comes with putty for its auth.