Inside SSH, Part 2

by FJ de Kermadec

Editor's note -- In Part 1 of this multiple-article series delving into the Secure Shell on Mac OS X, François Joseph de Kermadec explained why you should explore the SSH server built into your Mac. Now, in Part 2, he shows you how to get started working with these tools.

While setting up our SSH server and client, we'll assume that you have physical access to both machines and that these are conveniently located next to each other, so that you can read information off one screen and type it onto the other computer's keyboard. While it's possible to follow the steps we outline in less practical environments, you may need to keep a pad and a pencil handy. Also, make sure that nobody is "shoulder surfing" (reading information over your shoulder) while you work on the computers. In the following paragraphs, we are going to deal with sensitive passwords that must be kept secret, or you risk ruining all your security and privacy efforts.

Also, before we start, we are going to perform two operations on the "server machine" -- in other words, the machine that you wish to administer remotely. While they may not make sense right now, I promise they will in a few seconds and I will point out their significance as we encounter them.

  1. Open the "Terminal" utility, located in your "Utilities" folder.
  2. Enter the following command and press Return:

         mkdir ~/.ssh

     It will create a new, invisible folder called ".ssh" in your home folder.

A Server Never Sleeps

The big problem when setting up a Desktop Mac as a server is that it's easy to forget that, while Desktop Macs should go to sleep when they are not used, servers should not. Indeed, in many cases, a server that is asleep cannot be awoken remotely and the link to it simply dies, without any chance of it being reactivated.

Sure, Mac OS X features a great "wake for administrator access" option, available through the Energy Saver Preferences pane. However, such options do not always work on WANs and should be avoided whenever uptime is a priority.

Therefore, before thinking of setting up your server, you need to use the Energy Saver Preferences pane so that:

  • It never sleeps, for the reasons we just saw together.
  • Its screen goes to sleep quickly, to avoid burnt images (which can happen even on flat-panel displays) and to save energy.
  • The hard drive goes to sleep when possible, to avoid shortening its life. Of course, you should not turn this on if your server needs to be accessed quickly since the drive will take a few seconds to wake up -- this should not apply to our discussion, though, since SSH is not really suited for urgent, real-time queries.
  • The Mac automatically starts up again after a power failure. This option will restart your Mac automatically if it is not shut down gracefully. In order to take full advantage of it, you should make sure that you use the latest firmware available for your Mac.
  • The power button does not put the computer to sleep. This will avoid any accidents while your maintenance staff or the users are cleaning the computer -- keeping in mind that any computer that contains any sensitive information of any kind should not be physically accessible but put in a specifically designed safe box.
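
The checklist above corresponds to settings reported by the pmset command-line tool. The script below is an added example, not part of the original article, that audits `pmset -g` output against it; the sample output is constructed, and which keys a given Mac OS X release reports is an assumption.

```shell
#!/bin/sh
# Added example: audit `pmset -g` output against the Energy Saver checklist.
# Assumption: the release reports the keys sleep, displaysleep, disksleep,
# autorestart and powerbutton; any key it omits is reported as SKIP.

audit_pmset() {
    awk '
    BEGIN { keys = "^(sleep|displaysleep|disksleep|autorestart|powerbutton)$" }
    # Settings lines look like " sleep   0"; the last value seen wins.
    $1 ~ keys && $2 ~ /^[0-9]+$/ { v[$1] = $2 }

    # want_zero=1: the setting must be 0; want_zero=0: it must be non-zero.
    function check(key, want_zero, level, why) {
        if (!(key in v)) { printf "SKIP %s: not reported\n", key; return }
        if (((v[key] + 0) == 0) == want_zero)
            printf "OK   %s=%s\n", key, v[key]
        else
            printf "%s %s=%s: %s\n", level, key, v[key], why
    }
    END {
        check("sleep",        1, "FAIL", "a sleeping server cannot be reached")
        check("displaysleep", 0, "FAIL", "the screen never goes to sleep")
        # Optional in the checklist, so only a warning.
        check("disksleep",    0, "WARN", "the hard drive never spins down")
        check("autorestart",  0, "FAIL", "no restart after a power failure")
        check("powerbutton",  1, "FAIL", "power button puts the Mac to sleep")
    }'
}

# Constructed sample of `pmset -g` output from a desktop left on defaults.
SAMPLE='Currently in use:
 sleep		10
 displaysleep	5
 disksleep	0
 autorestart	0
 powerbutton	1'

printf '%s\n' "$SAMPLE" | audit_pmset

# On the server itself:  pmset -g | audit_pmset
# To apply the checklist (the minute values are examples, not the article's):
#   sudo pmset -a sleep 0 displaysleep 10 disksleep 10 autorestart 1
```
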

You should also invest in an uninterruptible power supply for your Mac and modem or, at least, a surge protector so that they don't get damaged when you are not here. If you use a phone modem, use a phone surge protector, too, since phone cables happily conduct surges right into your modem card (or worse, motherboard) and have already destroyed more than one computer.

If you need to restart your Mac remotely, it is a good idea to use the "Security" and "Accounts" Preferences pane to disable automatic login. Indeed, this could cause the Mac to log into your account while you are not here simply because you rebooted it remotely, giving access to your files to anyone walking nearby -- yikes! Logging out of a GUI session remotely involves killing processes or hacking the login window preferences file before restarting again. It can be done -- I have done it -- but it's definitely not a risk you want to take.

Finally, put signs or instruct your users to only log out, and never to shut the computer down or put it to sleep unless there is an emergency. Hiding the "shut down" button on the login window can help a great deal, too. "Simple Finder" accounts do not feature a "Shut down" menu, making managing the Mac remotely a lot easier, especially if your users are beginners and may not appreciate the importance of not shutting the computer down.

Security Warnings

While the steps we are going to see today should be sufficient for most home users and small businesses, users handling sensitive data may want to seek professional help or training. If you have a system administrator, do speak with him about SSH and your wish to use it. Some restrictions or special policies may apply to your network.

SSH is a fascinating, complex, and powerful protocol. We're going to see together how to use it in your everyday workflow and make it more secure than it is in its default configuration. You may want to have a look at more detailed resources to learn all that SSH can do for you. I highly recommend SSH, The Secure Shell: The Definitive Guide by Daniel J. Barrett and Richard Silverman.

We have already seen that, as secure as SSH may be, it does not protect you against compromised hosts. Therefore, you should pay attention to the security of both computers, the server (the machine you are administering remotely) and the client (your administrative machine).

This is especially important for two reasons. Since you're creating a link between the two computers, a skilled attacker could take advantage of it to compromise both computers easily, if he has already compromised one. Also, since you will be away from the remote computer, preventing and detecting security issues is likely to be a lot more difficult than if you were there. Make sure that you at least follow the advice described in our Security Primer for Mac OS X article on both machines, and that all the users who use or monitor the server have a way to contact you easily in the event of an issue.

First Encounter with SSH

Now that we have discussed theory, it's time to roll up our sleeves and meet SSH by turning it on the server machine. In order to do so, follow these steps.

  1. Open the "System Preferences" application.
  2. Click on "Sharing" to open the Sharing preferences pane.
  3. In the services tab, check "Remote login" and wait until the window indicates that the service has successfully started up.
  4. Read the help line printed at the bottom of the window and make sure you write down the magical SSH command, printed in the form "ssh username@ipaddress".

If you use a third-party firewall, make sure that it allows connections to port 22, the default SSH port. If you rely on the Panther built-in firewall, you do not need to worry. Mac OS X is actually smart enough to stop blocking that port as soon as you turn Remote Login on.

Keep in mind that, although SSH is a secure protocol and the SSH server supports some strong authentication methods, running a server (of any kind) on a computer (any platform) weakens its ability to resist attacks. You should make sure that your network is properly firewalled in all instances, and that you apply any security update that has been released and will be released by Apple. Indeed, if a serious security issue is discovered with the OpenSSH server, only an appropriate update can protect you against attacks.

If you don't have a firewall, and if your Mac is directly connected to the Internet, I would strongly advise you to purchase a hardware firewall. This will provide you with a very valuable layer of security and will protect your computer from many attack attempts.

If you already have a firewall, now is a good time to make sure that it is properly set up and that its firmware is up-to-date. Indeed, the mini-operating systems contained inside of firewalls do need to be updated from time to time; failure to do so could allow a remote attacker to exploit a known issue in the software and take control of your router -- a scary thought.

As an additional security measure, you can also test your firewall by using the online tests provided by various security companies on the Internet. You may find the tests from Symantec and Sygate complementary and useful. Of course, these tests cannot replace a true security audit.
