[Next] [Previous] [Up] [Top] [Contents]

CHAPTER 29 Secure Shell, SSH

29.1 Secure SHell

Normal IP traffic has the following weaknesses that can be exploited to compromise security:

weak authentication based on IP addresses that can be spoofed or reusable passwords that can be sniffed

no privacy packets can be sniffed

no integrity protection connections can be hijacked

Secure SHell (SSH) was designed to address these problems by providing a stronger authentication mechanism to identify both hosts and users and to enable secure connections between machines for executing commands and remote shells between them. It can be used to directly replace the functions of rsh, rcp and rlogin. It can also be used, in many cases, instead of telnet and ftp and to forward other connections, such as those between X, pop or nntp servers and clients.

The current method of communicating between machines allows anyone to sniff the packets on the network. Passwords and all data are sent along in plain text and can be readily captured and analyzed. Secure shell foils sniffing attempts by encrypting the packets (using ciphers) and by only allowing connections with known machines (using RSA public key technology to authenticate). In general, it never trusts the network. Should an attacker gain root access to your machine through another means, however, SSH can then be compromised also. The encryption method, and indeed whether or not encryption is even turned on, is a setable parameter. Make sure you choose the values that will properly protect your system.

SSH can be used to replace the rsh/rcp/rlogin programs, or to work with them. If you always want to have a secure connection, then replace them. If you want to allow connections to remote machines that don't have SSH, then let it work with them. If the remote machine doesn't support ssh it will then fall back to using the r-programs, after first informing the user that the communication will not encrypted.

More information about ssh can be obtained from the SSH Home Page http://www.cs.hut.fi/ssh and from the documentation files that come with the source code. Ssh was developed by Tatu Ylonen at the Helsinki University of Technology, ylo@cs.hut.fi. There is an SSH mailing list. You can get information about how to subscribe to the list by sending mail to ssh-request@clinet.fi.

I'm writing this report as an aid to the novice administrator to install, configure, and make use of this unique security tool. A script for easy installation is included at the end of this Chapter.

29.1.1 - Description of SSH
29.1.2 - What SSH Does Not Do

Unix System Administration - 8 AUG 1996
[Next] [Previous] [Up] [Top] [Contents]