Secure Shell (SSH)

SSH is used to log in to a remote computer system, normally over TCP port 22, much as Telnet (port 23) was used for the same purpose in the past. The big difference between Telnet and SSH is that SSH provides strong security for the connection. SSH is a protocol, implemented by client and server programs, that provides an encrypted and integrity-protected communications path between two hosts over an untrusted network such as the Internet. It therefore prevents users' passwords and other sensitive data from being transmitted across the network in clear-text form. SSH addresses one of the most important security problems on the Internet: attackers capturing passwords by sniffing network traffic.

SSH1 was released in 1995 and was designed to replace the insecure UNIX commands rlogin, rsh, and rcp. Those tools gave UNIX users a variety of useful capabilities, but they relied on trusted-host relationships and clear-text passwords and were fraught with security problems. SSH2, a redesigned protocol, followed in 1996 and was later standardized by the IETF (RFC 4251 through RFC 4254, published in 2006). SSH1 has protocol-level weaknesses of its own and is obsolete; modern implementations disable it or no longer include it at all, so only SSH2 should be used.


Note

You might be wondering what the difference is between SSH1 and SSH2 and whether they are compatible. In a nutshell, they are not compatible on the wire: SSH2 is a complete redesign of the protocol rather than a revision of SSH1 (an implementation can support both, but any given session uses one or the other). Among the security differences, SSH2 derives session keys with a Diffie-Hellman key exchange instead of having the client encrypt a session key to the server's public key, protects every packet with a cryptographic message authentication code instead of the CRC-32 check that SSH1 used (and that attackers learned to defeat to inject packets), and supports more than one host-key algorithm (DSA as well as RSA) instead of RSA only.


The most common use of SSH is to create a secure command shell (remote login), the same job Telnet has historically done. SSH keeps Telnet's basic functionality but removes its weaknesses, which has made SSH the de facto standard for secure remote access to network devices and servers.

SSH extends Telnet capabilities both in features and functionality. Today, SSH is available as a client on virtually all computer platforms: Macintosh, Microsoft Windows, UNIX, Linux, and so on.

Typical SSH applications include remote access (login) to computer resources over the Internet or via some other untrusted network where you want to perform one of the three core SSH capabilities:

• Secure command shell

• Secure file transfer

• Secure port forwarding

Although remote login is the primary use of SSH, you can use the protocol as a general-purpose cryptographic tunnel: it can copy files (scp and SFTP run over SSH), carry other protocols such as email through an encrypted connection, and trigger execution of programs on the remote host. Your company's remote access security policy should require SSH and prohibit Telnet for remote access to company systems and partner extranets.

SSH Versus Telnet

Telnet is insecure for many reasons: it has no encryption, no integrity protection, and no way to protect your password or anything else you do over the session. When this book was first published, a simple Google search for "telnet vulnerabilities" returned 53,400 hits. The same search done today returns 147,000 hits, and automated tools, both freely available and commercial, routinely exploit these weaknesses.

SSH is better than Telnet first because of its built-in encryption, but the benefits do not stop there. SSH provides the following additional protections:

• Authenticates the server with its host key, so an attacker who spoofs the server's IP address or DNS name cannot impersonate it without also holding the host's private key

• Encrypts every packet, preventing intermediate hosts from capturing clear-text passwords and other data

• Defeats IP source-routing attacks, in which a host pretends that an IP packet comes from another, trusted host; unlike the r-commands, SSH never trusts a client because of its address

• Detects manipulation of data by people in control of other devices along the route of your packets, because each packet carries a message authentication code that the receiver verifies

A much simpler way to look at this is that SSH trusts nothing on the path except the host with which it is establishing a secure connection, and it verifies that host cryptographically. Telnet, on the other hand, trusts anyone and pretty much anything by default.

Perhaps showing how easily someone with malicious intent could use freely downloadable tools to gather even basic information about your network, and then position themselves for an ARP poisoning attack, would help make the point. It took me 10 minutes to find, download, and install ettercap, a software suite for man-in-the-middle (MitM) attacks on a LAN. The software supports various platforms: Linux, FreeBSD, OpenBSD, Mac OS, Windows 2000/XP/2003, and Solaris 2.x, just to name a few. Using this free tool, hackers, script kiddies, or disgruntled employees can position themselves for a MitM attack.


Note

A MitM attack is a form of active eavesdropping in which the attacker establishes separate connections with two nodes (one being the user, the other the target) and relays and intercepts the data between them, while each side believes it is talking directly to the other over a private connection.


Once ettercap is installed, I can open it, scan the network segment I'm on, and view all hosts currently attached to the network (see Figure 6-4).

Figure 6-4 ettercap Reveals Attached Hosts


After selecting the hosts I'd like to intercept traffic between, whether it is an SSH or a Telnet session, I can pick which type of MitM attack to perform (see Figure 6-5). At this point, if the communication were a Telnet session, I could gather usernames and passwords and then wreak havoc on routers and servers alike. Because using ettercap to wreak havoc is not the focus of this book, I'll skip that exercise. The point to understand is that Telnet is unencrypted and fully exposed to a MitM, whereas SSH encrypts and authenticates the session. One caveat applies: SSH resists the MitM only when the client actually verifies the server's host key. A user who blindly accepts a new or changed host key gives the attacker the same opportunity Telnet does, so host-key warnings must be treated as incidents, not nuisances.

Figure 6-5 Man-in-the-Middle Attack Vectors Within the ettercap Application


Note

ettercap version 0.7.3 is a multipurpose sniffer/interceptor/logger for switched LANs. It supports active and passive dissection of many protocols (including some encrypted ones) and includes many features for network and host analysis. If you are interested in learning more about ettercap, go to http://ettercap.sourceforge.net.


SSH Operation

To review, SSH connects two hosts through an encrypted communication session. In its simplest mode of operation the client opens a TCP connection to the server (port 22 by default), the two sides exchange protocol version strings and negotiate which algorithms to use, and a key exchange produces the session keys; from that point on every packet is encrypted and integrity-protected. The client then verifies the server's host key, and only after the secure channel is up is the user authenticated, with a password or a key, so credentials never cross the network unprotected.
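The negotiation step is easy to get wrong in one's head, so the following Python script, added to this section as an illustration and not taken from the book or from any SSH implementation, builds and parses the SSH_MSG_KEXINIT message that both sides send and applies the negotiation rule from RFC 4253: for each algorithm category, the client's first preference that the server also supports wins. The algorithm lists are constructed for the example (no network connection is made), and the helper names are my own. It also shows the practical consequence: an on-path attacker who can rewrite the server's list steers a permissive client to legacy algorithms, while a client that does not offer them at all simply disconnects.

```python
"""Parse SSH_MSG_KEXINIT and run the RFC 4253 section 7.1 algorithm negotiation.

Added example, not from the book. All KEXINIT payloads are constructed in memory.
"""
import struct

SSH_MSG_KEXINIT = 20
COOKIE_LEN = 16
# Order of the name-lists inside KEXINIT (RFC 4253 section 7.1)
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_kexinit(lists: dict) -> bytes:
    """Build a KEXINIT payload from a dict field -> list of algorithm names."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * COOKIE_LEN  # fixed cookie, fine offline
    for f in FIELDS:
        payload += ssh_string(",".join(lists.get(f, [])).encode())
    payload += b"\x00"                # first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)   # reserved for future extension
    return payload


def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload into field -> list of names; reject malformed input."""
    if len(payload) < 1 + COOKIE_LEN or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos, lists = 1 + COOKIE_LEN, {}
    for f in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated KEXINIT")
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        pos += n
        lists[f] = raw.split(",") if raw else []
    return lists


def negotiate(client: dict, server: dict) -> dict:
    """For each category choose the client's first preference the server supports.

    (RFC 4253 adds a compatibility check between kex and host-key algorithms,
    which all the algorithms used here satisfy.)  Languages are not negotiated.
    """
    chosen = {}
    for f in FIELDS[:8]:
        common = [a for a in client[f] if a in server[f]]
        if not common:
            raise ValueError(f"no common algorithm for {f}: disconnect")
        chosen[f] = common[0]
    return chosen


def algs(kex, hostkey, enc, mac, comp=("none",)) -> dict:
    """Build a full field dict using the same lists in both directions (constructed data)."""
    d = {"kex": list(kex), "host_key": list(hostkey)}
    for f, names in (("enc", enc), ("mac", mac), ("comp", comp), ("lang", ())):
        d[f + "_c2s"] = list(names)
        d[f + "_s2c"] = list(names)
    return d


CLIENT = algs(kex=("curve25519-sha256", "diffie-hellman-group14-sha256", "diffie-hellman-group1-sha1"),
              hostkey=("ssh-ed25519", "rsa-sha2-256", "ssh-rsa"),
              enc=("aes256-gcm@openssh.com", "aes128-ctr", "aes128-cbc"),
              mac=("hmac-sha2-256", "hmac-sha1"))
SERVER = algs(kex=("diffie-hellman-group14-sha256", "curve25519-sha256", "diffie-hellman-group1-sha1"),
              hostkey=("rsa-sha2-256", "ssh-rsa", "ssh-ed25519"),
              enc=("aes128-ctr", "aes256-gcm@openssh.com", "aes128-cbc"),
              mac=("hmac-sha1", "hmac-sha2-256"))
# What an on-path attacker who rewrites the server's KEXINIT would leave in the lists
LEGACY_SERVER = algs(kex=("diffie-hellman-group1-sha1",), hostkey=("ssh-rsa",),
                     enc=("aes128-cbc",), mac=("hmac-sha1",))
# A client configured to offer only modern algorithms
HARDENED_CLIENT = algs(kex=("curve25519-sha256", "diffie-hellman-group14-sha256"),
                       hostkey=("ssh-ed25519", "rsa-sha2-256"),
                       enc=("aes256-gcm@openssh.com", "aes128-ctr"), mac=("hmac-sha2-256",))


def demo() -> tuple:
    """Round-trip both payloads, negotiate, then show the downgrade and the hardened outcome."""
    normal = negotiate(parse_kexinit(build_kexinit(CLIENT)), parse_kexinit(build_kexinit(SERVER)))
    downgraded = negotiate(CLIENT, LEGACY_SERVER)
    try:
        negotiate(HARDENED_CLIENT, LEGACY_SERVER)
        hardened = "negotiated"
    except ValueError:
        hardened = "disconnect"
    return normal, downgraded, hardened


if __name__ == "__main__":
    for label, result in zip(("normal", "downgraded", "hardened client"), demo()):
        print(label, "->", result)
```

The exchange hash that the server later signs covers both KEXINIT payloads, so a tampered list is detected when the host-key signature is checked, but only if the client refuses an unknown host key. The more robust defense is the one the hardened client shows: do not offer the weak algorithms in the first place.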

Depending on the version of SSH, a variety of different encryption methods can be available for use, as shown in Table 6-1.

Table 6-1 SSH Encryption Methods


Key pairs are used during the authentication phase of SSH. Depending on the version of SSH, the pair is RSA (SSH1 and SSH2) or DSA (SSH2 only); newer SSH2 implementations also support ECDSA and Ed25519 keys. Each pair consists of a public key and a private key. Depending on the version of SSH, a variety of authentication methods can be available for use, as shown in Table 6-2.

Table 6-2 SSH Authentication Ciphers


The private key stays on the user's machine and should be stored encrypted with a passphrase; the public key is copied to the server and listed in the user's authorized-keys file (~/.ssh/authorized_keys in OpenSSH). During authentication the client proves possession of the private key by signing data supplied by the server, and the server checks the signature against the stored public key. Because no password is typed, this enables SSH clients (and scripts) to connect automatically whenever the user starts a connection, which is exactly why the private key must be protected and why the server-side entry should be restricted with options wherever possible.
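Because a key listed in authorized_keys is a standing credential, it is worth auditing the file. The following Python script, added here as an illustration and not taken from the book or from OpenSSH, parses OpenSSH authorized_keys lines (options, key type, base64 key blob in the RFC 4253 wire format, comment) and flags entries that use DSA, that use an RSA modulus shorter than 2048 bits, or that carry no restricting options such as from=, command=, or restrict. The sample file and the key blobs it contains are synthetic: the RSA moduli are just integers with the bit lengths needed for the test and are not real keys.

```python
"""Audit OpenSSH authorized_keys entries (added example, not from the book).

Each line is: [options] keytype base64-blob [comment]. The blob is the public key in
SSH wire format: string keytype followed by the key's fields. Sample data is synthetic.
"""
import base64
import struct

MIN_RSA_BITS = 2048
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
# Options that limit what a stolen private key can do on this server
RESTRICTING_OPTIONS = {"from", "command", "restrict", "no-port-forwarding",
                       "no-agent-forwarding", "no-x11-forwarding", "no-pty"}


def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (minimal two's complement)."""
    if n == 0:
        return ssh_string(b"")
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))  # leading 0x00 if needed


def read_string(buf: bytes, pos: int):
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    if pos + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def key_bits(blob: bytes) -> tuple:
    """Return (keytype, size in bits) from a decoded public key blob."""
    ktype, pos = read_string(blob, 0)
    ktype = ktype.decode()
    if ktype == "ssh-rsa":
        _e, pos = read_string(blob, pos)          # public exponent
        n, _ = read_string(blob, pos)             # modulus
        return ktype, int.from_bytes(n, "big").bit_length()
    if ktype == "ssh-dss":
        p, _ = read_string(blob, pos)             # prime p
        return ktype, int.from_bytes(p, "big").bit_length()
    if ktype == "ssh-ed25519":
        key, _ = read_string(blob, pos)
        return ktype, len(key) * 8
    return ktype, 0


def split_options(line: str):
    """Return (options, rest); options end at the first whitespace outside double quotes."""
    if line.startswith(KEY_TYPE_PREFIXES):
        return "", line
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            return line[:i], line[i:].lstrip()
    raise ValueError("no key after options")


def option_names(options: str) -> set:
    """Names of the options present; quoted values may themselves contain commas."""
    names, cur, in_quotes = set(), "", False
    for ch in options + ",":
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            if cur:
                names.add(cur.split("=", 1)[0])
            cur = ""
        else:
            cur += ch
    return names


def audit_entry(line: str) -> list:
    """Return the findings for one authorized_keys line ([] if the line is clean)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    options, rest = split_options(line)
    parts = rest.split(None, 2)
    if len(parts) < 2:
        return ["malformed entry"]
    try:
        blob_type, bits = key_bits(base64.b64decode(parts[1], validate=True))
    except Exception:
        return ["undecodable key blob"]
    findings = []
    if blob_type != parts[0]:
        findings.append(f"key type field {parts[0]!r} does not match blob {blob_type!r}")
    if blob_type == "ssh-dss":
        findings.append("ssh-dss (DSA) key: 1024-bit only, disabled by default in modern OpenSSH")
    if blob_type == "ssh-rsa" and bits < MIN_RSA_BITS:
        findings.append(f"RSA key is {bits} bits (< {MIN_RSA_BITS})")
    if not option_names(options) & RESTRICTING_OPTIONS:
        findings.append("no restricting options (from=, command=, restrict, ...)")
    return findings


def audit(text: str) -> dict:
    """Map line number -> findings for every entry that is not clean."""
    results = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        findings = audit_entry(line)
        if findings:
            results[lineno] = findings
    return results


def fake_rsa_blob(bits: int) -> bytes:
    """Synthetic ssh-rsa blob whose modulus has the requested bit length (NOT a real key)."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << (bits - 1)) | 1)


def fake_ed25519_blob() -> bytes:
    """Synthetic ssh-ed25519 blob: 32 placeholder bytes (NOT a real key)."""
    return ssh_string(b"ssh-ed25519") + ssh_string(b"\x42" * 32)


def b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


SAMPLE = "\n".join([
    "# constructed sample authorized_keys",
    "ssh-rsa " + b64(fake_rsa_blob(1024)) + " legacy@example",
    'from="10.0.0.0/8",command="/usr/bin/rrsync /backup",no-pty ssh-ed25519 '
    + b64(fake_ed25519_blob()) + " backup@example",
    "ssh-ed25519 " + b64(fake_ed25519_blob()) + " admin@example",
])

if __name__ == "__main__":
    for lineno, findings in audit(SAMPLE).items():
        print(f"line {lineno}: " + "; ".join(findings))
```

Run against a real file with the same function; only the entries that need attention are reported. The backup entry on line 3 passes because it is pinned to a source network, forced to a single command, and denied a terminal, which is the shape every unattended key should take.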

Tunneling and Port Forwarding

SSH brings an interesting feature to the realm of information security: forwarding other traffic, identified by TCP port number, through the SSH connection in a tunnel. Two common protocols that take advantage of this feature are X Window (X11 forwarding) and FTP, although for file transfer SFTP or scp, which run natively over SSH, is the simpler choice. This forwarding feature lets you use those other protocols on the host terminating the SSH connection as if you were local to it: perhaps the other end is a web server and you want to upload new files over the Internet, or you want desktop-type access to the device using X Window.
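What port forwarding looks like on the wire is worth seeing once. When a client started with a local forward such as ssh -L 8080:intranet.example:80 gateway accepts a connection on port 8080, it sends the server an SSH_MSG_CHANNEL_OPEN request of type "direct-tcpip" (RFC 4254 section 7.2) naming the destination host and port, and the server decides whether to make that outbound connection. The following Python script, added here as an illustration and not taken from the book or from OpenSSH, encodes and decodes that request and applies a simplified model of sshd's PermitOpen policy (host:port entries, with "*" as a wildcard port, plus "any" and "none"; sshd's own matching of IPv6 literals and other details is not reproduced). The messages and the policy strings are constructed for the example.

```python
"""Encode/decode the direct-tcpip channel open used by ssh -L, and apply a
PermitOpen-style policy on the server side (added example, not from the book).
"""
import struct

SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_OPEN_FAILURE = 92
SSH_OPEN_ADMINISTRATIVELY_PROHIBITED = 1   # RFC 4254 section 5.1 reason code


def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, pos: int):
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    if pos + 4 + n > len(buf):
        raise ValueError("truncated message")
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def read_uint32(buf: bytes, pos: int):
    return struct.unpack(">I", buf[pos:pos + 4])[0], pos + 4


def build_direct_tcpip(sender_channel: int, window: int, max_packet: int,
                       host: str, port: int, orig_host: str, orig_port: int) -> bytes:
    """What the client sends for each connection accepted on its -L listener."""
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + ssh_string(b"direct-tcpip")
            + struct.pack(">III", sender_channel, window, max_packet)
            + ssh_string(host.encode()) + struct.pack(">I", port)
            + ssh_string(orig_host.encode()) + struct.pack(">I", orig_port))


def parse_channel_open(msg: bytes) -> dict:
    """Decode SSH_MSG_CHANNEL_OPEN; direct-tcpip gets its destination fields decoded."""
    if not msg or msg[0] != SSH_MSG_CHANNEL_OPEN:
        raise ValueError("not a CHANNEL_OPEN message")
    ctype, pos = read_string(msg, 1)
    sender, window, max_packet = struct.unpack(">III", msg[pos:pos + 12])
    pos += 12
    info = {"type": ctype.decode(), "sender_channel": sender,
            "window": window, "max_packet": max_packet}
    if info["type"] == "direct-tcpip":
        host, pos = read_string(msg, pos)
        port, pos = read_uint32(msg, pos)
        orig_host, pos = read_string(msg, pos)
        orig_port, pos = read_uint32(msg, pos)
        info.update(host=host.decode(), port=port,
                    originator=(orig_host.decode(), orig_port))
    return info


def permit_open(policy: str, host: str, port: int) -> bool:
    """Simplified PermitOpen: 'any', 'none', or space-separated host:port entries."""
    if policy == "any":
        return True
    if policy == "none":
        return False
    for entry in policy.split():
        allowed_host, _, allowed_port = entry.rpartition(":")
        host_ok = allowed_host == "*" or allowed_host.lower() == host.lower()
        port_ok = allowed_port == "*" or allowed_port == str(port)
        if host_ok and port_ok:
            return True
    return False


def server_decide(policy: str, msg: bytes) -> tuple:
    """Server side: ('connect', (host, port)) or ('reject', failure_message_bytes)."""
    req = parse_channel_open(msg)
    if req["type"] != "direct-tcpip":
        raise ValueError("only direct-tcpip is handled here")
    if permit_open(policy, req["host"], req["port"]):
        return "connect", (req["host"], req["port"])
    failure = (bytes([SSH_MSG_CHANNEL_OPEN_FAILURE])
               + struct.pack(">II", req["sender_channel"], SSH_OPEN_ADMINISTRATIVELY_PROHIBITED)
               + ssh_string(b"open failed: administratively prohibited") + ssh_string(b""))
    return "reject", failure


# Constructed requests: the first is the web forward, the second is an attempt to reach RDP
WEB_REQUEST = build_direct_tcpip(0, 2097152, 32768, "intranet.example", 80, "127.0.0.1", 54321)
RDP_REQUEST = build_direct_tcpip(1, 2097152, 32768, "dc01.example", 3389, "127.0.0.1", 54322)
POLICY = "intranet.example:80 intranet.example:443"   # hypothetical sshd PermitOpen setting

if __name__ == "__main__":
    for req in (WEB_REQUEST, RDP_REQUEST):
        print(parse_channel_open(req)["host"], "->", server_decide(POLICY, req)[0])
```

Two operational points follow from this. The server, not the client, chooses whether a forward is honoured, so restricting PermitOpen (and setting AllowTcpForwarding where forwarding is not needed) limits what a compromised account can reach through the gateway. On the client side, ssh -L binds the listening port to the loopback address by default; the -g option or an explicit 0.0.0.0 bind address exposes that tunnel to everyone on the local network, which is rarely what you want.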


Note

The best SSH client I have found and recommend is SecureCRT, from VanDyke Software (www.vandyke.com). The most recent version is version 6.5.4. This GUI tool provides for some excellent built-in benefits, such as automatic logging, customizable scripts, and adjustable buffers.


Figure 6-6 shows how easily port forwarding is configured. Notice also that X Window forwarding has its own option because it is so commonly used with SSH.

Figure 6-6 SecureCRT Allows SSH Tunneling


Limitations of SSH

SSH version 1 (SSH1) had several bugs and design problems, so use SSH version 2 (SSH2) wherever you have a choice, and disable SSH1 on any server that still offers it. Choosing version 2 eliminates most of the limitations and the inconsistencies in behavior and policy that vary from one version to another.

SSH does not protect your internal systems (PCs, servers, and so on) themselves; after an attacker gains access to one of those systems, he has access to SSH as well, and the same tunnel you rely on can be subverted for his use, for example to forward traffic out of the network.

The ability to tunnel through an SSH connection might make you think it would be a good alternative to a VPN, but that is not the case: SSH forwards individual TCP ports and needs per-application configuration, whereas a VPN protects all traffic at the network layer. A better solution is tunneling via SSH through a VPN connection, which layers the two protections, and that is a more secure connection.

This section of the chapter covered SSH rather broadly and gave you enough information to understand what is happening. If you would like to learn more about SSH, check out the following book:

Barrett, Daniel J., and Richard E. Silverman. SSH, The Secure Shell: The Definitive Guide. Cambridge, MA: O'Reilly & Associates, 2001.

In summary, SSH is a popular and powerful protocol and toolset for encrypting TCP sessions over a network. It is most commonly used for remote login but has other uses that can increase your company's information security posture.
