Monday, March 13, 2017

Encryption Methods - Part 5

SSH:

Secure Shell (SSH) provides secure, encrypted remote access to one or more computer systems over insecure networks. It is built into Linux systems by default, lets the user enable the ssh service at boot, and also provides a client for accessing other remote systems. Any network service can be secured through the encryption that ssh affords.

Historically, Unix-like operating systems such as Linux have had ssh built in, and MacOS X has included ssh support as it is BSD based. Microsoft’s Windows operating system provides ssh support through a reimplementation of the Ubuntu program stack on top of Windows services, but offers that ssh support only in professional versions.

History:
Secure shell was created to replace the very insecure telnet, rsh and rlogin services, which send passwords and data in plain text; such unencrypted communication is easily intercepted by an attacker. Protocol version 2 is the recommended standard, as it is more secure and is the default on most Linux systems.

The common use of ssh is username/password authentication to an account on the target system, but more secure methods are available. These include manually generated public key cryptography, which is the preferred method to ensure end-to-end encrypted communications without the potential for interception by nation states or other major attackers.

PKI:
Using this method, the user generates a private and public key pair with the ssh-keygen command and copies the public key to the ~/.ssh/authorized_keys file on the target server. Often this can be accomplished with the command ssh-copy-id username@hostname, but it can also be performed manually. The one requirement for either approach is that the user already has a valid account on the server before attempting to copy the public key to it.
Ssh will only allow login if the authorized_keys file is owned by the user or root and nobody else.
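The ownership rule above is part of what sshd enforces under StrictModes: the home directory, ~/.ssh and authorized_keys must belong to the user (or root) and must not be writable by group or others. The script below is an added example, not code from the original post; it applies those checks to a constructed temporary home directory and assumes GNU coreutils `stat` (Linux).

```shell
#!/bin/sh
# Added example (not from the original post): a pre-flight check modelled on
# sshd's StrictModes rules. sshd refuses public-key login when the home
# directory, ~/.ssh or ~/.ssh/authorized_keys is owned by someone other than
# the user or root, or is writable by group or others.
# Assumption: GNU coreutils `stat` (%U = owner name, %a = octal mode).

# owner_ok PATH USER -> 0 if PATH is owned by USER or by root
owner_ok() {
    owner=$(stat -c '%U' "$1") || return 1
    [ "$owner" = "$2" ] || [ "$owner" = root ]
}

# not_group_world_writable PATH -> 0 if neither group nor others may write
not_group_world_writable() {
    mode=$(stat -c '%a' "$1") || return 1
    last2=${mode#"${mode%??}"}        # last two octal digits: group, other
    case "$last2" in
        *[2367]*) return 1 ;;         # any digit with the write bit (2) set
        *) return 0 ;;
    esac
}

# check_authorized_keys HOME_DIR USER -> 0 if sshd would accept the key file
check_authorized_keys() {
    home_dir=$1; user=$2
    for p in "$home_dir" "$home_dir/.ssh" "$home_dir/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; return 1; }
        owner_ok "$p" "$user" || { echo "bad owner: $p" >&2; return 1; }
        not_group_world_writable "$p" || { echo "too permissive: $p" >&2; return 1; }
    done
    return 0
}

# Demonstration on a constructed temporary home directory (mktemp -d gives 0700).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -m 700 "$tmp/.ssh"
    : > "$tmp/.ssh/authorized_keys"; chmod 600 "$tmp/.ssh/authorized_keys"
    check_authorized_keys "$tmp" "$(id -un)" && echo "ok: strict layout accepted"
    chmod 664 "$tmp/.ssh/authorized_keys"   # group-writable: sshd would refuse
    check_authorized_keys "$tmp" "$(id -un)" || echo "refused: group-writable key file"
    rm -rf "$tmp"
}

demo
```

Run it against a real account with `check_authorized_keys "$HOME" "$(id -un)"` to see why a freshly copied key is still being rejected.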

The PKI pair method of authentication provides convenience to the user and to software such as the message passing interface (MPI) stack, which may require passwordless login for automation. However, an additional measure of security can be provided by protecting the private key with a passphrase, which matters should the system be compromised or attacked by a larger authoritarian agency (NSA, CIA, state actors, etc.). In most cases of normal use this passphrase can be left out, and aliases can be added to the .bash_aliases file to simplify access to systems often reached from the command line.

On Linux distributions, file managers such as Dolphin or Nautilus support the sftp or fish protocols for file transfer; both use ssh for authentication and transmission, giving encrypted transfers. Dolphin offers simple bookmarking of sftp connections for even easier secure file access. Simpler methods include scp (Secure Copy), which transfers files from one system to another over ssh.

Tunneling
A common use of ssh is to tunnel traffic to or from a remote machine through TCP forwarding (including X11 forwarding), whether to execute commands or to reach services. Such tunneling can often get around blocks on VPN services imposed by certain ISPs or countries when a way out or in is required. Access to a remote Linux server such as a Raspberry Pi located in an unrestricted country can serve as a gateway to the Internet and give access to region-locked or restricted services such as Netflix, Amazon or even Google. Such a tunnel offers the home user a simple way of creating a VPN for cell phones or other computer systems while sitting on an unsecured network.

Simple client-side ssh tunneling can be accomplished with the sshuttle program on Linux, which handles all the tunneling in a less complex command sequence and can be added to aliases for even easier use.

Linux systems as well as MacOS provide built-in ssh support through the Terminal, while for other operating systems such as Microsoft’s Windows, applications can be obtained to allow ssh access: PuTTY is one example, which can be carried on a USB drive along with the private keys required for access and does not require any installation on the host operating system.

