Java Eclipse Linux Operating Systems Web Technology Software Software Engineering Computing Societies

Accessing Remote Machines Securely using ssh

Overview

SSH [1] is a secure protocol that allows us to access a remote machine. After authentication, all traffic between the client and remote machines are encrypted. The client also keeps track of machines that it has communicated with before, and warns the user if the public key of the machine changes, as that could be a sign of a man-in-the-middle attack.

To a large extent, ssh obsoletes several older network protocols such as telnet and ftp, and these older protocols should not be used as they are not secure.

OpenSSH [2] is an open source implementation of SSH tools. It is available for many Unix like systems, and is widely used.

Basic Usage of SSH

To log into host as a particular user, we can use either of the following forms of the ssh command

ssh -l [username] [host]
ssh [username]@[host]

where username is the username that we would like to log in as, and host is the domain name and the IP address of the host we would like to log into.

The scp command can be used to copy files between local and remote locations

scp [sourcefile] [...] [dest_loc]

where sourcefile and dest_loc can either be a local file path, or a remote file path in the format [username]@[host]:[file_path]

SSH Tunneling

SSH Tunneling [3] is a powerful feature of the SSH. It allows us to access a service remotely in a secure manner, even one that uses an insecure protocol (such as VNC). All traffic between the client and service will be encrypted to ensure data integrity and confidentiality.

To do this, we need to set up an SSH tunnel between a port on the local machine and the desired port on the destination machine. Instead of accessing the destination machine directly, we need to set up the application to point to the local port. SSH will encrypt the application traffic, and redirect it to the destination server machine. This is shown in the diagram below.

To set up an SSH tunnel, execute the following command

ssh -L[local_port]:localhost:[destination_port] [username]@[server]

server specifies the hostname of the ssh server machine through which the tunnel will be set up. username is a valid login for the ssh server

The -L option specifies the local port and the destination port on the destination machine. The localhost in the option specification indicates that the destination machine is the same as the machine on which the ssh server is running. We can specify a different destination machine than localhost . This could be useful if we want to use the ssh server as a proxy server to connect to machines behind a firewall, for instance.

Configuring and Securing OpenSSH

Since the root account has all rights and permissions on the sytem, it is critical to protect the root account on a Linux (indeed any Unix like) system. To minimize the chances of a brute force attack on the root account, it is a good idea to disable root login through ssh [4] [5] .

To disable root login, modify /etc/ssh/sshd_config to set PermitRootLogin to no

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

Then restart sshd. On Fedora, the following command should do the trick

sudo systemctl restart sshd.service

SSH Public Key Authentication [6]

Besides standard password based authentication, SSH provides an alternative way of authentication with the remote machine, based on public key authentication.

Instead of authenticating by passing the account password over the network, authentication is based on public/private key pair generated for the account on the client machine. The ssh server will then use the public key to issue a challenge to the client machine to confirm that it has access to the corresponding private key, thereby authenticating the client machine.

If set up properly, this can provide a more secure way for authenticating the login [7] . However, it is important to ensure that the private key is properly secured, by making sure that the account is properly secured, and the ssh private key is protected with a passphrase.

To enable public key authentication, update /etc/ssh/sshd_config to ensure that the following lines are set properly

PubkeyAuthentication yes
AuthorizedKeysFile	.ssh/authorized_keys

Restart sshd if necessary.

Next, we need to generate the ssh public/private key on the client account by running ssh-keygen . As we discussed before, to properly secure the system, it's best to choose a non-trivial passphrase instead of leaving it empty. The private key will be encrypted with the passphrase, providing protection even if the account was broken into.

If defaults are chosen, the public key can be found in the .ssh/id_rsa.pub file in the client account. We need to add the public key of the client to the .ssh/authorized_keys file on the remote account that we want to log in to. It is important to make sure that we have appropriately restricted permissions to both the .ssh directory and the authorized_keys file. Assuming the .ssh/id_rsa.pub has been copied to the remote account, we can achieve the above with the following commands.

chmod 700 .ssh
chmod 600 .ssh/authorized_keys
cat id_rsa.pub >> ~/.ssh/authorized_keys

Next time when we try to log in to the remote account from the (authorized) client account, ssh client will ask for the appropriate passphrase to be specified so it can decrypt the private key, before authenticating with the remote machine.

Using ssh-agent

ssh-agent can be used to minimize the number of times the passphrase must be typed in. Instead of asking for the passphrase every time we try to log in, the passphrase will be requested once for the session. [8]

To set up ssh-agent, run ssh-agent and then ssh-add to add the public key file we desire, as follows.

ssh-agent
ssh-add [public_key_file_path]

Note that in the gnome environment, the gnome-keyring can handle ssh keys to support the same behavior, so by default, the instructions in this section is not necessary. If this behavior is not desirable, we can disable this and use ssh-agent instead. [9]

Miscellaneous Hints

To differentiate between different public key files, use the ssh-keygen program to print the fingerprint as follows

ssh-keygen -l -f [public_key_file_path]

Footnotes

1. Secure Shell - Wikipedia, the free encyclopedia
2. OpenSSH
3. Linux Horizon: SSH Port Forwarding (SSH Tunneling)
4. Security Tip: Disable Root SSH Login on Linux
5. 7 Default OpenSSH Security Options You Should Change in /etc/ssh/sshd_config
6. Using SSH Public Key Authentication
7. Fedora 19 Documentation: Secure Shell
8. Using ssh-agent with ssh
9. How to stop Gnome Keyring from clobbering OpenSSH's ssh-agent on Ubuntu 12.04

Written by Mike Kwong