Reference- SSH and Sudo(1)

SSH and Cryptography

Learning Objectives
 Explain secure login service.
 Explain Layering of SSH Protocols
 Introduce User Authentication Protocol
 Verify the effectiveness of SSH configuration.
What is SSH?
“SSH is a protocol for secure remote login and other secure network services over an insecure network.” – RFC 4251
 Secure channel between two computers
◦ Provides data confidentiality and integrity
 It’s a secure replacement for Telnet
 Provides an encrypted channel for remote login, command execution and file transfers

3
History
 SSH-1 designed in 1995 by Tatu Ylönen
◦ In response to a password-sniffing attack
◦ Replacement for rlogin, telnet, and rsh
◦ Released as freeware in July 1995
◦ ~20,000 users in 50 countries by the end of the year
 Ylönen founded SSH Communications Security in December 1995
◦ Code became increasingly proprietary

4
History (continued)
 SSH-2 designed in 1996
◦ Incompatible with SSH-1
◦ Security and feature improvements
 Open source implementations (OSSH and OpenSSH) created in 1999
◦ OSSH is now obsolete
◦ OpenSSH is the most popular SSH implementation

5
Current Implementations
 OpenSSH – common on UNIX systems
“OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.”

https://www.openssh.com/
OpenSSH 8.9 released February 23, 2022
OpenSSH 9.3 released March 15, 2023

6
Layering of SSH Protocols
 Transport Layer Protocol
◦ Provides server authentication, confidentiality, and integrity
 User Authentication Protocol
◦ Authenticates the client-side user to the server
 Connection Protocol
◦ Multiplexes the tunnel into logical channels

7
Connection Parameters
When an SSH client connects to a server, each side offers lists of connection parameters to the other.
 KexAlgorithms: the key exchange methods that are used to generate per-connection keys
 HostkeyAlgorithms: the public key algorithms accepted for an SSH server to authenticate itself to an SSH client
 Ciphers: the ciphers to encrypt the connection
 MACs: the message authentication codes used to detect traffic modification

8
Transport Layer Protocol
 Public-key host authentication
◦ Let the client know the correct server is on the other end
 Strong symmetric encryption
◦ Uses Diffie-Hellman algorithm for secure key exchange
◦ Many ciphers are supported: AES, 3DES, Blowfish, Twofish, etc., most with multiple key sizes
◦ New keys generated every 1 GB or 1 hour
 Data integrity via MACs (message authentication codes)
◦ SHA2, SHA and MD5 are supported

Reference: “Cryptography and Network Security” by William Stallings, slides by Lawrie Brown.
9
User Authentication Protocol
 Multiple authentication methods
◦ public-key, password, host-based
◦ Extensible
 Server tells client which methods can be used; client picks the most convenient
 Example:

/etc/ssh/sshd_config with
AllowUsers [email protected]/24
AllowUsers [email protected]

10
Connection Protocol
 Provides multiple channels:
◦ interactive login sessions
◦ remote execution of commands
◦ forwarded TCP/IP connections
 All channels are multiplexed into a single
encryption tunnel

11
Ref: Cryptographic Methods and Apps
Layers and secure methods:
 At the link layer: PPP encryption
 At the network layer: IPSec
 At the transport layer: TLS (SSL)
 At the application layer: SSH, PGP/GPG
Main Security Concerns
SSH applies directly to dealing with these two areas of security:
 Confidentiality
◦ Keeping our data safe from prying eyes
 Authentication and Authorization
◦ Is this person who they claim to be?
Where to Get SSH

See if SSH is installed on your system and what version. Easiest way is:
ssh -V

Need an updated version?
https://www.openssh.com
https://www.ssh.com/
Configure

Find OpenSSH
SSH related files are in /etc/ssh.

sshd_config is the configuration file for the OpenSSH server.

ssh_config is the configuration file for the OpenSSH client.

Example:
In sshd_config you might be interested in:
PermitRootLogin yes/no (you generally want “no”)
and in ssh_config you may change the following:
Protocol 1,2 (you only want “2”)

There are many options in ssh_config and sshd_config. Always verify that they meet your expectations.
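One way to do that verification, as an added example that is not part of the slides: a small audit script that parses an sshd_config the way sshd reads it (first occurrence of a keyword wins, commented-out lines count for nothing) and flags the settings the slides single out, namely Protocol, PermitRootLogin and PasswordAuthentication, plus any legacy algorithm left in the Ciphers, MACs or KexAlgorithms lists from the Connection Parameters slide. The sample config and the weak-algorithm deny-list are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample sshd_config (not from the slides) with weak settings the audit should catch.
SAMPLE_SSHD_CONFIG = """\
Protocol 1,2
PermitRootLogin yes
#PasswordAuthentication no
Ciphers aes256-gcm@openssh.com,aes128-ctr,3des-cbc
MACs hmac-sha2-256,hmac-md5
KexAlgorithms curve25519-sha256,diffie-hellman-group1-sha1
"""

# Hypothetical deny-list for this example: legacy algorithms (3DES, Blowfish, MD5,
# SHA-1-based MACs and group1 KEX) that a hardened server should no longer offer.
WEAK_CIPHERS = {"3des-cbc", "blowfish-cbc", "arcfour", "arcfour128", "arcfour256"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Map lower-cased keyword -> value. Comments are skipped and, as in sshd,
    the first occurrence wins, so a commented-out directive contributes nothing."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (re.split(r"[ \t=]+", line, maxsplit=1) + [""])[:2]
        settings.setdefault(key.lower(), value.strip())
    return settings


def audit_sshd_config(text: str) -> List[str]:
    """One finding per weak setting; an empty list means the config meets the slides' expectations."""
    cfg = parse_sshd_config(text)
    findings: List[str] = []
    if "1" in cfg.get("protocol", "2").split(","):
        findings.append("Protocol allows SSH-1")
    if cfg.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not set to 'no'")
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not disabled")
    for keyword, weak in (("ciphers", WEAK_CIPHERS), ("macs", WEAK_MACS), ("kexalgorithms", WEAK_KEX)):
        offered = set(cfg.get(keyword, "").split(",")) - {""}
        for name in sorted(offered & weak):
            findings.append(f"{keyword} offers weak algorithm {name}")
    return findings
```

Running `audit_sshd_config(SAMPLE_SSHD_CONFIG)` returns six findings for the sample, one per weak line, including the commented-out PasswordAuthentication that leaves passwords enabled.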
System Configuration Files
(OpenSSH)
 /etc/ssh/
◦ sshd_config – SSH server configuration
◦ ssh_config – SSH client configuration
◦ ssh_host_*_key – private host keys
◦ ssh_host_*_key.pub – public host keys
◦ ssh_known_hosts – list of known public host keys

16
User Configuration Files
(OpenSSH)
 ~/.ssh/
◦ id_* - private authentication keys
◦ id_*.pub – public authentication keys
◦ known_hosts – list of known public host keys
◦ authorized_keys – list of allowed public
authentication keys

17
Get SSH Clients for Windows
There are several free, shareware, and commercial ssh clients for Windows. See this reference:
https://www.ssh.com/academy/ssh/best_ssh_clients

A few that support protocol version 2 include:
 PuTTY: https://www.chiark.greenend.org.uk/~sgtatham/putty/
 Cygwin: http://www.cygwin.com/
 Reflection: https://www.wrq.com/products/reflection/ssh/
SSH Connection Methods
Several things can happen when using SSH to connect from your machine (client) to another machine (server):
 Server's public host key is passed back to the client and verified against known_hosts
 Password prompt is used if public key is accepted, or already on client, or
 RSA/DSA key exchange takes place and you enter your private key passphrase to authenticate (assuming you have one).
SSH Public-key Authentication
 Private key can be protected by a passphrase
◦ So you have to give it each time you log in
◦ Or use "ssh-agent", which holds a copy of your passphrase in RAM
 No need to change passwords across dozens of machines
 Disable passwords entirely! In the server configuration, /etc/ssh/sshd_config:
PasswordAuthentication no

For historical reasons there are three different types of SSH keys:
SSH1 RSA, SSH2 DSA, SSH2 RSA
SSH Public-key Authentication - “Magic Phrase”
Basic concept to understand how an SSH connection is made using an RSA/DSA/ED25519 key combination:
– Client X contacts server Y via port 22.
– Y generates a random number and encrypts this using X's public key. X's public key must reside on Y. You can use scp (or other means) to copy this over.
– Encrypted random number is sent back to X.
– X decrypts the random number using its private key and sends it back to Y.
– If the decrypted number matches the original encrypted number, then a connection is made.
– The originally encrypted random number sent from Y to X is the “Magic Phrase”
Key Files

Example of new key pair generation:

ssh-keygen -f /etc/ssh/ssh_host_ed25519_newkey -t ed25519

22
Managing sudo - Controlling Sudo Access
1. sudo allows users to run commands with elevated (root) permissions without the need for a root shell.
2. Only users listed in the /etc/sudoers file are allowed to use sudo.
3. When a user runs a command using sudo, they are prompted for their password. Password is stored for a 5-minute period.
4. To edit the /etc/sudoers file, use the visudo command.
5. To give a user full administrative permissions, add the following line to the /etc/sudoers file:
james ALL=(ALL) ALL
This states that user james can use sudo from any host and execute any command.

23
The sudoers file

Can you edit it with vi or other text editors?

24
Managing sudo - Controlling Sudo Access – Cont’
6. sudo can be used granularly as well:

%users localhost=/usr/sbin/shutdown -h now

This states that any member of the users system group can issue the command shutdown -h now as long as it’s issued from the console.

7. You can also set it so that users don’t need to enter a password when using sudo:
user_name ALL=(ALL) NOPASSWD: ALL

8. Groups can be added to the sudoers file as well, using the same format used to add users:
group_name ALL=(ALL) ALL

25
Locking Down sudo
1. By default, all users of the wheel group have sudo access:
%wheel ALL=(ALL) ALL
This allows people in the wheel group to run all commands and should be changed.

2. By default, sudo stores the user password for a period of 5 minutes, which could be exploited.
Consider adding the following line to the sudoers file to change the default timeout period:

Defaults timestamp_timeout=1 (1 minute)

Setting this value to zero requires a password to be entered every time.

26
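As an added example, not part of the slides: a checker for the sudoers patterns from the last three slides. It parses the user/host/runas/tag/command shape of the rules shown above and reports a blanket %wheel rule, a NOPASSWD rule covering ALL commands, and a timestamp_timeout above one minute (or the 5-minute default when no Defaults line sets it at all). The sample sudoers content is constructed for this example; the checker only covers the simple rule forms on the slides, not aliases or multi-line entries.

```python
import re
from typing import List

# Constructed sample /etc/sudoers (not from the slides) containing the entries the slides discuss.
SAMPLE_SUDOERS = """\
Defaults timestamp_timeout=5
%wheel ALL=(ALL) ALL
james ALL=(ALL) ALL
alice ALL=(ALL) NOPASSWD: ALL
%users localhost=/usr/sbin/shutdown -h now
"""

# user_or_%group  host_list = (runas_list) [TAG:]... command_list
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
                     r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


def audit_sudoers(text: str) -> List[str]:
    """Flag the risky patterns the slides warn about: %wheel with full access,
    NOPASSWD on all commands, and a credential cache longer than one minute."""
    findings: List[str] = []
    timeout = 5  # sudo's default cache lifetime in minutes, as stated on the slides
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Defaults"):
            m = re.search(r"timestamp_timeout\s*=\s*(-?\d+)", line)
            if m:
                timeout = int(m.group(1))
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append(f"unparsed rule: {line}")
            continue
        who, hosts, cmds = m["who"], m["hosts"], m["cmds"].strip()
        if who == "%wheel" and hosts == "ALL" and cmds == "ALL":
            findings.append("%wheel may run any command on any host")
        if "NOPASSWD:" in m["tags"].upper() and cmds == "ALL":
            findings.append(f"{who} may run any command without a password")
    if timeout < 0 or timeout > 1:  # a negative value means the cached password never expires
        findings.append(f"timestamp_timeout is {timeout} minutes; consider 1 or 0")
    return findings
```

On the sample the checker returns three findings (the %wheel rule, alice's NOPASSWD rule and the 5-minute cache) while the narrow %users shutdown rule and james's normal rule pass.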
Summary
 SSH is a protocol for secure remote login and other secure network services over an insecure network.
 sudo allows users to run commands with elevated (root) permissions without the need for a root shell.