Personal Security on Jaguar: The Secure Shell, Part 1

by Chris Cochella
05/01/2003

In a world full of spam, identity theft, and heightened national security, no one can argue that personal security isn't important. Many of us shred paper records of personal information to keep them from dumpster divers. Yet sometimes we forget to take those same precautions with our digital information. In some cases our digital data--personal ID numbers (PINs) and passwords--are more important than paper information.

Why do we let our guard down in the digital realm? Is this discrepancy due to the complexity of digitally shredding documents compared to paper shredding? I find it much simpler to shred paper than to set up an encryption tunnel. But protecting our digital information is just as important, if not more so.

The goal of this article is to help you improve your daily security habits by learning how to use a few cool software programs included with Jaguar, while making these habits easy and transparent to implement. Let's face it, if we can't make it relatively easy, we won't do it.

There are multiple security technologies that fit in the category of personal security including the configuration of Jaguar's firewall, SSL (Secure Sockets Layer), and file encryption with protocols like Pretty Good Privacy (keep an eye out for an upcoming article on this topic). Our focus will be on another complementary security mechanism available in Jaguar, Secure Shell (SSH).

The reason for focusing on SSH is that it can be used immediately in Jaguar to secure two of the most common daily work processes: file transfers (FTP) and email. As a web applications developer, I often connect to remote servers to upload files or make changes to sites. Wrapped around this process is a constant buzz of email communication. In the case of email and FTP we want to protect our passwords as well as the information or content that we send. SSH can do both, and it costs nothing.

If this article is already too geeky, take a step back by reading The Code Book, a wonderful and exciting tour of how encryption has impacted history from the time of Elizabeth I and Mary Queen of Scots through World War II to the present day. This book will stoke anyone's interest in encryption.

Isn't this Science Fiction?

If you think that password theft by snooping on net traffic is the subject of science fiction, think again. Take a look at the following output (greatly edited for easier viewing) from a program called tcpflow, which captures your own network-bound traffic and displays it in the Terminal application.

[tibook:~] chris% sudo tcpflow -i en1 -c port 110
tcpflow[3975]: listening on en1
+OK Qpopper (version 4.0.5) at mailserver.myisp.com starting.
AUTH
USER chris
+OK Password required for chris.
PASS fido0269
+OK chris has 0 visible messages (0 hidden) in 0 octets.
QUIT
+OK Pop server at mailserver.myisp.com signing off.

Without going into the details of tcpflow's command structure: this command tells tcpflow to "listen" on port 110 and display the information that comes and goes. Port 110 is the port that POP uses for incoming mail. The message is clear: "Hey, that is my username, password and mail server flying by." Yup, that's right! Notice that my fabricated password for this example is "fido0269". If this were also my bank PIN (a common practice) I would be in big trouble.

If I can grab a free utility like tcpflow and do this, how hard would it be for a motivated malicious person to do this on a grand and automated scale? It would certainly be a lot cleaner than rifling through a dumpster. I don't know how to eavesdrop on the Internet at large (and I don't want to), but it's clear to me that it isn't hard.

Now that you are reliving that adolescent nightmare of showing up at school exposed in only your underwear, you might be asking: "What do I do?" As you probably guessed, our digit-shredding superhero is SSH.

What is it?

SSH started out as a secure replacement for telnet and the other programs used to log in to a remote shell (think Terminal app) and issue commands there. The SSH protocol, now in version 2 (often written SSH-2), has evolved to do a lot more, such as secure FTP (SFTP) and tunneling, which we will get to later. First, we will do the basics and then ramp up.

SSH version 2 is more secure than version 1 and is now widely adopted. Thus, I'll focus on the SSH-2 protocol and supporting products. I won't, however, discuss compatibility issues with SSH-1. In most cases compatibility between protocol versions is not a problem, so we will not try to troubleshoot those situations in advance here.

For more information on SSH-1 and SSH-2, including complicated configurations, please refer to the clear and well-written book SSH, The Secure Shell: The Definitive Guide by Daniel J. Barrett and Richard Silverman. To be honest, my digital life would still be exposed if it were not for the usefulness of this book.

Where Is It?

You can find the ssh command in Jaguar at the following location:

[tibook:~] chris% which ssh
/usr/bin/ssh

Your version of ssh can be determined with the following command:

[tibook:~] chris% ssh -V
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL

Notice that Jaguar uses OpenSSH, the widely used free, open-source implementation (the one with the cool fish logo).

(Image: The OpenSSH logo.)

Two of the major managed server and website hosting companies I work with use OpenSSH on FreeBSD and Red Hat Linux, and both interoperate with Jaguar's version of SSH without trouble. In most cases, you will not experience any problems.

And, like all good shell or terminal commands, ssh has a man page:

[tibook:~] chris% man ssh
SSH(1)                  System General Commands Manual                  SSH(1)

NAME
     ssh - OpenSSH SSH client (remote login program)

SYNOPSIS
     ssh [-l login_name] hostname | user@hostname [command]
     ...

Simply typing "ssh" will also return a short list of command options like:

[tibook:~] chris% ssh
Usage: ssh [options] host [command]
Options:
  -l user     Log in using this user name.
  -n          Redirect input from /dev/null.
  -F config   Config file (default: ~/.ssh/config).
  ...

These are very basic commands, but typing them before starting something new on the command line always gives me a sense of comfort. You might like the same start.

How Does SSH Work?

SSH works by establishing an encrypted dialog between a client (your computer) and a server (your ISP's email or FTP server). The dialog might start with "Please give me my email" or something like that. Note that your computer could also act as a server if you were trying to "talk" to it from a home computer during off hours.

Encryption is simply a mechanism for shredding or scrambling information before sending it, such that it can only be put back together again by the intended recipient. Therefore, the two parties in the conversation need to have compatible SSH applications installed. In a nutshell, the client and server use their keys to agree on a shared secret, and that secret drives the cipher that shreds the plain text, or "clear," information. The details of designing strong encryption algorithms, performing authentication, and guaranteeing integrity are very interesting but beyond our purpose here. The following is shredded output from an email retrieval similar to the tcpflow session shown above:

[tibook:~] chris% sudo tcpflow -i en1 -c port 22
tcpflow[3972]: listening on en1
/..#1\+2Q....a...r.Fj......:.......j4.....=}..j..
#..*.....u.i.a6.fq?%P6.gjhkym+|.q........
.........9A,..T$>W...,,,,,,>K......8... U. 1.Sd...}OFXl^;.s..5..p.?
>...]r...Zs7...q....gz.h.......j.
>.{...1..V.Q...&..D...6.....f$.D.*.-.1.E

Not very understandable, is it? That is the point.

Notice that the tcpflow command is now grabbing information on port 22, the default SSH port. Thus, all information passing through port 22 is encrypted by the SSH client, and all return information from the server is received, still encrypted, on port 22. You might be wondering how we go from the POP email port of 110 to the SSH port of 22. We will clear this up a little later when we discuss port forwarding, also known as tunneling. For now it is enough to understand that the first tcpflow results were "in the clear" and now they are shredded. This brings us up to Stealth Meter level 3 (simply reading this article got us to Stealth Meter level 2).
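As an added example (not code from the article), here is a small Python scanner for tcpflow -c style transcripts like the two shown on this page: find_cleartext_pop_logins() reports the USER/PASS pairs that the port-110 capture leaks, and unreadable_fraction() measures how much of a transcript tcpflow printed as '.', which is what the port-22 capture looks like. The sample transcripts are constructed from the article's output, and the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the article's port-110 (POP3) tcpflow capture;
# "fido0269" is the article's made-up password.
POP_FLOW = """\
+OK Qpopper (version 4.0.5) at mailserver.myisp.com starting.
AUTH
USER chris
+OK Password required for chris.
PASS fido0269
+OK chris has 0 visible messages (0 hidden) in 0 octets.
QUIT
"""
# Constructed sample modelled on the article's port-22 (SSH) capture, where
# tcpflow -c prints each non-printable byte as '.'.
SSH_FLOW = ("/..#1\\+2Q....a...r.Fj......:.......j4.....=}..j..\n"
            "#..*.....u.i.a6.fq?%P6.gjhkym+|.q........\n")

USER_RE = re.compile(r"^USER\s+(\S+)$", re.IGNORECASE)
PASS_RE = re.compile(r"^PASS\s+(\S+)$", re.IGNORECASE)
SERVER_RE = re.compile(r"^\+OK .*\bat\s+([A-Za-z0-9.-]+)\s+starting", re.IGNORECASE)

@dataclass
class Exposure:
    server: Optional[str]
    username: str
    password_len: int  # record only the length, never the secret itself

def find_cleartext_pop_logins(transcript: str) -> List[Exposure]:
    """Return one Exposure per USER/PASS pair seen in a cleartext POP3 transcript."""
    found: List[Exposure] = []
    server = pending_user = None
    for line in (raw.strip() for raw in transcript.splitlines()):
        if m := SERVER_RE.match(line):          # greeting names the mail server
            server = m.group(1)
        elif m := USER_RE.match(line):          # username goes by in the clear
            pending_user = m.group(1)
        elif (m := PASS_RE.match(line)) and pending_user is not None:
            found.append(Exposure(server, pending_user, len(m.group(1))))
            pending_user = None                 # a PASS without USER is ignored
    return found

def unreadable_fraction(transcript: str) -> float:
    """Share of a tcpflow -c transcript printed as '.', i.e. non-printable bytes."""
    body = transcript.replace("\n", "")
    return body.count(".") / len(body) if body else 0.0
```

Run over the constructed port-110 sample the scanner finds one exposed login for "chris" on mailserver.myisp.com, while the port-22 sample yields nothing readable and is mostly dots.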
