macdevcenter.com

Personal Security on Jaguar: The Secure Shell, Part 1

Encrypted Password Authentication

The easiest way to get started is to begin using SSH with password authentication. There is a more secure and ultimately more convenient (although harder to set up) method of authentication using a passphrase that we will address in a later article.



Password authentication uses the password provided to you when your account was set up. SSH encrypts the password instead of sending it in plain text across the Internet as shown above, which is a vast improvement. For example:

[tibook:~] chris% ssh -l chris myisp.com
The authenticity of host 'myisp.com (123.123.123.123)' can't be established.
RSA key fingerprint is 0D:dc:8B:cb:87:c8:373:e4:9g:98:fc:7a:eb:d9:95:72.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'myisp.com,123.123.123.123' (RSA) to the list of known hosts.
chris@myisp.com's password:

FreeBSD 4.4-RELEASE (VKERN) #9: Thu Jan 2 10:23:51 MST 2003


chris%

If this is your first time accessing this server (myisp.com) with SSH, you will be prompted to accept the unique signature or fingerprint of the server. Respond with "yes" to accept and automatically store the fingerprint in a file called known_hosts inside the .ssh directory (the .ssh directory is created automatically if it did not already exist) within your home directory (e.g., ~/.ssh/known_hosts).

This fingerprint is stored so that you do not have to accept it each time; more importantly, the fingerprint on file is compared against the fingerprint the server presents on every subsequent connection. This comparison verifies the server as "known" and trusted. If the fingerprints differ, it might indicate that someone has inserted a server between you and the trusted server, masquerading as your trusted server to intercept your private information. Because of this comparison, you will receive a warning message if this masquerading is taking place. Quickly exit from the ssh session if you receive this warning and you think there is a security problem. This situation is unlikely, but it is important for you to know about the possibility and why storing the fingerprint is useful beyond making your daily life easier.

If your experience is different and you receive a message indicating a failure to establish a secure connection, your ISP may not support SSH access. Contact their support staff to investigate it further.

We can view the contents of the known_hosts file to see what gets saved:

[tibook:~] chris% more ~/.ssh/known_hosts
myisp.com ssh-rsa ACCAB3NzaC1yc2EAAAABIwAAAIEAx/s2dPcBa57gv6zLU2
i2szAo96dLUEEiP6c7x1s3f7s+RAyaIrgos8z8iiASD;KFHJ3sTTn8uQWgOBieifLLP3m3/hk56CO9
KhzeQ8XBvC9lSDFYPt3SpbhR+8O1HGDSAFKJASDHaZ2olh+l7x8CxnNvwL1I46ls81kmZs2WfdpWz4U=

Not too exciting, but it helps to bring things down to earth a bit. If you deleted this entry and tried to log in again, you would be prompted to accept the server fingerprint again. Give it a try.
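The comparison between the stored key and the key a server presents can be reproduced outside the ssh client. The following Python code is an added example, not code from the original article or from OpenSSH: it parses a known_hosts entry, computes the colon-separated MD5 fingerprint of the kind shown at the first-connect prompt, and reports whether an offered host key matches the stored one. The key numbers are constructed sample values, and the function names are chosen for this illustration.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed field, the framing used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data


def rsa_blob(e: int, n: int) -> bytes:
    """Encode an ssh-rsa public key blob (type name, exponent, modulus)."""
    def mpint(v):
        return ssh_string(v.to_bytes(v.bit_length() // 8 + 1, "big"))
    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)


def parse_known_hosts(text: str) -> dict:
    """Map (host, keytype) -> key blob. Hashed names and @markers are skipped."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith(("#", "@", "|")):
            continue
        for host in fields[0].split(","):
            entries[(host, fields[1])] = base64.b64decode(fields[2])
    return entries


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 of the decoded key blob."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def check_host(known: dict, host: str, keytype: str, offered: bytes) -> str:
    """Compare the key a server offers with the one stored on first contact."""
    stored = known.get((host, keytype))
    if stored is None:
        return "unknown"  # no entry yet: the client asks yes/no
    return "match" if stored == offered else "MISMATCH"  # mismatch: warning


# Constructed sample numbers, not real keys.
GENUINE = rsa_blob(65537, (1 << 1023) + 12345)
IMPOSTOR = rsa_blob(65537, (1 << 1023) + 67891)
KNOWN_HOSTS = "myisp.com,123.123.123.123 ssh-rsa " + base64.b64encode(GENUINE).decode()

if __name__ == "__main__":
    known = parse_known_hosts(KNOWN_HOSTS)
    for label, key in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(label, md5_fingerprint(key), check_host(known, "myisp.com", "ssh-rsa", key))
```

Deleting the entry, as suggested above, corresponds to the "unknown" result: with nothing on file there is nothing to compare against, so the client falls back to asking.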

This gets you logged in to issue commands on the remote computer. That's it. You are now much more secure than you were before. The Stealth Meter is now at level 4. If you have trouble, you may want to run the command in verbose mode with the ssh -v option and try to evaluate the output. The problem may also exist on the server, which will require contacting technical support armed with the verbose output.

Secure File Transferring (SFTP)

Secure file transferring involves encrypting the "data session" as well as the "command session". The command session represents the commands while the data session represents the data sent back and forth--files in this case. Some programs that encrypt FTP sessions only shred the command session. This might be acceptable if the only sensitive information were your username and password. However, a few of the files I transfer back and forth have passwords in them! If these files are "in the clear" then passwords in the files will also be "in the clear". Thus, it is safest to secure the data as well as the commands.

Secure FTP (SFTP) is basically the same as FTP but is built on top of SSH. In order for SFTP to work, compatible SSH applications must reside on the client and the server for a shredding dialog to take place. SFTP uses the same command structure and known host keys, so we can jump right in with:

[tibook:~] chris% sftp chris@myisp.com
Connecting to myisp.com...
chris@myisp.com's password:
sftp>

As you can see, the SFTP command line is similar to command line FTP. For more command line SFTP options, visit the man pages with the following command: man sftp. Some of you (especially graphic artists and HTML taggers) are probably saying, "Come on, I never use command line FTP". I know! Most of us Mac users typically use an FTP client with a nice graphical interface. In order to keep this article useful for all users, it's important to recognize that SFTP can be automated and scripted to perform file transfers while you sleep. This is often hard to do with other applications and sometimes not possible if you are automating processes on remote computers where the command line is all you've got. Indeed, automating processes is the domain of all lazy and productive computer users.

Fortunately, SSH and SFTP are beginning to make it into more and more graphical FTP client programs on Mac OS X due to Jaguar's UNIX under-the-hood. This is fortunate for the obvious reason of security as well as the fact that some ISPs are turning off regular, insecure FTP leaving you out in the cold if you are not using SSH and SFTP.

I typically use Interarchy by Stairways Software as my graphical SFTP client because Interarchy supports the SSH/SFTP included with Jaguar, making my configuration of SSH at the command line integrated and consistent with the graphical client. Interarchy goes one step further by storing the SSH/SFTP information in the keychain so that it's readily accessible and transferring files securely is transparent. I do not even know that SFTP is happening; this is the way to do security.

In addition, Interarchy integrates with BBEdit, which I find indispensable despite some of the groovy (albeit slow) features of Dreamweaver. The other classic Mac FTP client is Fetch, which is now out of Dartmouth's hands and in the hands of Fetch Softworks. An SFTP-supported version is on the drawing board. I will leave it up to you to investigate how well your favorite FTP application supports SSH. If it does not, I would suggest a nice but firm letter to the developers asking them to get up to speed. Be sure to check that the client you choose shreds the command and the data session. If the product uses SSH bundled with Jaguar, you're golden.

The Stealth Meter is now at level 5. Okay, on to our other Achilles' heel: email.
