Introducing OpenSSH

By binhnx2000

INTRODUCE

OpenSSH is an open source program (Open Source) used to encrypt (encrypt) transactions between hosts using Secure Shell (SSH). It is a safe alternative for programs used to connect such as: Telnet, rlogin, rsh . By it always encrypt (encrypt) all transactions, hide, hide username and Password is used for remote login sessions. After the login session is done, it will continue to encrypt (encrypt) all transaction data between the two hosts

The OpenSSH project was developed based on the foundation of the Open BSD project (an OS belonging to the Unix family). It is designed to use strong encryption algorithms to improve security and prevent hackers from sabotaging. Although built and developed by the OpenBSD platform, it is also compatible and can work on most Unix : Linux, HP-UX, AIX, Irix, SCO, MacOS X, and OS OSes. Cygwin, Digital Unix / Tru64 / OSF, SNI / Reliant Unix, NeXT, Solaris .

OpenSSH is not a program. It is a set of secure connection programs:

1. OpenSSH Client (ssh) : The program is used for remote login. For security and encryption (encrypt) in each high-level login session. It is a safe alternative to: rlogin and telnet have been outdated and less secure.
   
2. Secure Copy Program (scp) : Used for remote file copying, copying files from different hosts on the Internet. It supports username and password.
3. Secure File Transfer Program (sftp) : Used to safely secure FTP requests.
4. OpenSSH Deadmon (shhd) : Set OpenSSH to run in daemon mode on Unix systems.

These are the main Tools that are indispensable in OpenSSH. There are also many Tools, Plugins, Addin .

SETTING

To get OpenSSH you go to its main Homepage: openssh.org

Download a version that matches your system. I use Linux so I will download the * .rpm package. Then use the command:

 root@domain.com#: rpm -Uvh * .rpm 

If you use other systems, the installation is similar. You download the package that fits your system. It can be * .tar, * .tar.gz, * .gz . etc. Extract it to a folder.

 root@domain.com #: ./configure 
 root@domain.com #: make 
 root@domain.com #: make install 

Then follow the script's instructions. Installation is not difficult. Let's spend time and effort on configuration work.

HIGHLIGHTS OF OPEN SSH

Open SSH provides a lot of features to make communication between two hosts safe. Here are some highlights:

1) Strong coding capabilities by using 3 DES and Blowfish coding standards :

Both of these coding standards are provided free of charge and widely used in many countries around the world. 3DES provides the ability to validate time authentication. Blowfish provides faster coding capabilities. As with other coding standards, both standards provide the ability to encrypt data before it can be safely transmitted.

2) Strong authentication ability by using Public Key mechanisms, OPTs (One Time Password), Kerberos :

It protects against vulnerability in the authentication process by exploiting and using techniques such as IP Spoof, DNS Spoof, Fake Router . There are 4 authentication methods used by Open SSH:

1. Only authenticate Public Key
2. Host authentication by using Public Key in conjunction with .rhost
   
3. Authentication is based on OPTs associated with s / key
4. Authentication is based on Kerberos mechanism

3) Encrypt X11 protocol for using X Window :

Encrypt data during the use of X Window between two hosts. Used to combat remote attacks aimed at xterm like Snooping, Hjacking .

4) Encryption for port conversion (Port Forwarding) :

Allows the process of converting TCP / IP ports to another system via an encrypted channel. It is used for standard Internet protocols that do not provide data encryption capabilities such as SMTP, POP, FTP, Telnet .

5) Forwarding for logon to single networks :

A user authentication key can and is usually stored on their PC, it can become an authentication representative station. When users access the system from another network system. Their connection will be forwarded to this authentication agent. It works to allow users to access your system securely from any system.

6) Data compression :

Provides the ability to securely compress data. It makes sense on non-fast networks.

7) General authentication for Kerberos and Andrew File System using Ticket :

Kerberos and AFS users will be provided with a common password to use and access the two services for a specified period of time.

OPEN OPERATIONS OF OPEN SSH

We first learn about authentication mechanisms for r * commands (rlogin, rsh, rcp). When using rlogin , the first condition is that the user must have an account on the system they want to log in remotely. For example, the remote system has an account. If from the local system I connect to a remote system, there will not be any requests to ask for passwords when I access this remote system. Simply by my account binhnx2000 has been confirmed by the .rhost file placed in the / home / binhnx2000 directory on the remote system.

The .rhost file contains the required hostname and username for the accounts needed to use the login to the system. For example, my hostname is vnzone.net and my username is binhnx2000 . To access the system without Passowd, the information about me in the .rhost file is as follows:

 Hostname Username 
 

For hostname must be the full hostname of the system. For username, it must be valid usernames that exist on the system you want to log into.

A concrete example: if I want to use rlogin. Then admin must create a .rhost file in / home / binhnx2000 with the content:

 domain.com binhnx2000 

Everything is done! Now when I want to log into the system I just issue commands.

The drawback of this protocol is that the data going to the host is not encrypted. It is very likely to be sniffed by sniffer programs. Especially very vulnerable to attacks: IP Spoof, DNS Spoof, Router Spoof .

Because of the vulnerability on security experts recommend you to remove (disable) the r * service (rlogin, rsh .) on the system. Usually on Linux systems the overall configuration works for the services configured in the /etc/xinet.d file, to disable the * service:

- You use vi, emacs . or any text editor you want to open /etc/init.d/xinet.d
- Find the ' service login ' section to remove them. Record all changes and exit the editor.
- Restart the xinetd.d daemon: /etc/init.d/xinet.d restart
- If possible, disable the telnet service all the time. Then replace them with Open SSH.

We learned through the operation principle of r * service. Now we will learn about the operating principle of Open SSH. The first thing I can tell you is: Open SSH provides a quite secure authentication mechanism by using Public Key and Private Key . Private Keys are only used by the owner, and Public Key can be used by everyone.

Want Open SSH to create DSA Private / Public Key you use the command:

 shh-keygen -d 

The DSA Private Key is usually stored in $ HOME / .ssh / id_dsa file. The DSA Public Key is usually stored in $ HOME / .ssh / id_dsa.pub . Public Key needs to be renamed and copied to the appropriate directory on the remote system that wants to use Open SSH.

The following lists the location of the Public Key that Open SSH uses in the authentication process:

SSH Version 2 Key

Local System Default Location

Remote Host Location

Private Key

$ HOME / .ssh / id_dsa

Public Key

$ HOME / .ssh / id_dsa.pub

$ HOME / .ssh / authorized_keys2

SSH Version 1 Key

Local System Default Location

Remote Host Location

Private Key

$ HOME / .ssh / identity

Public Key

$ HOME / .ssh / identity.pub

$ HOME / .ssh / authorized_keys

 

Here are the important files used by Open SSH to identify Public Key:

- $ HOME / .ssh / known_hosts : A list of Public Key for all hosts with user login. Usually the Public Key host lists are listed at / etc / ssh_known_hosts
- / etc / ssh_known_hosts : Contains a list of RSA Generated Public Key for all hosts for which the system is known. Any host who wants to log in to the system must have the Public Key listed in this file. The administrator on your system needs to list the Public Keys of the users in that network
- / etc / ssh_known_hosts2 : Just like ssh_know_host it contains a list of DSA Generated Public Key for all hosts that the system knows.
- $ HOME / .ssh / config : Configuration file for each user. In some large systems, each user will have a special configuration file. It will be used by SSH Client.
- / etc / ssh / ssh_config : Configuration file for the entire system. It can also be used for users without configuration files or temporarily without configuration files. It is automatically initialized when installing Open SSH for the first time and is called to use each time the Open SSH daemon runs.
- $ HOME / .ssh / rc : List the commands that were executed during the user login, these commands are executed before the user's shell is opened.
- / etc / sshrc : Similar to / .ssh / rc it is used on large systems.

USING OPEN SSH TO ENSURE SECURITY OF DATA ON AN SECURITY NETWORK SYSTEM

Before using Open SSH you must make sure that your local system and the remote system have Open Open installed .
The ssh-keygen command is used to create and manage SSH Key authentication. To use Open SSH you must first create DSA or RSA Private Key, Public Key . Next, follow the instructions below. I myself use the Debian Linux system v 2.5.2

First, create a user on the system

 root@domain.com#: useradd binhnx2000 

Don't forget to set a password for this user

 root@domain.com#: passwd binhnx2000 
 Đang thay đổi mật khẩu cho người dùng xn2000 
 New UNIX password: ***** 
 Retype new UNIX password: ***** 
 passwd: all authentication tokens updated successfully 

Log in to the account that I just created:
Now I will continue to create Private Key and Public Key.

Note : From Open SSH v 2.0 onwards when you request to create a new Key. By default it will give you RSA Key. If you want to create a Key DSA you must use the -d option

 binhnx2000@domain.com$: ssh-keygen -d 
 Generating DSA parameter and key. 
 Enter file trong đó để lưu khóa (/home/binhnx2000/.ssh/id_dsa): 

Press Enter if you want to save the Key to its default directory:

 Created directory '/home/binhnx2000/.ssh'. 
 Enter passphrase (empty for no passphrase): 

Enter the passphrase (this is the password that will be encrypted using the 3 DES algorithm to control the Private Key).

Note : pasphrase cannot be recovered. If you forget, you will have to create and redistribute the Key. This is very annoying.

Press Enter when everything is done.

 Bạn xác định đã được lưu lại trong /home/binhnx2000/.ssh/id_dsa. 
 Your public key has been saved in /home/binhnx2000/.ssh/id_dsa.pub. 
 The fingerprint key is: 
 ca: 3b: f9: 80: 5a: 91: e5: c1: 1e: 5b: 30: 02: 2f: d5: 53: 13 
 binhnx2000@domain.com 

Looking through the Private Key content you will see:

 ----- BEGIN DSA PRIVATE KEY ----- 
 Proc-Type: 4, ENCRYPTED 
 DEK-Info: DES-EDE3-CBC, D40D902FF5666C7B 

 DlyufhXG5shn / JblF4iY67nMAHG5AUtBvpdBZKiMnq6bKLPQ5nFmDBVxZ9jb86BT 
 p / XL6IoJOeyeHDf3txtCkFymujibeO203uMwQ / yvH1VrENkywj1uglAYBxF5FdPt 
 44Y5Mab04tQPVKLd1Jgxs / O / 23bghYNJyCw9j9uP / G / 6dkrYB5EAMZ / HnD6OG0 / 5 
 UPSrOTLwxfIOq7RbJGthgejosVvSFCEfNOu1OyhTF0FqM9po6uGbzVra36Lk13M + 
 EnNbG7Bs0Z91v9hgyb0w0TwA4jnX / uP2lUdYxuCgpRyg3jDoYZFsa37GBZm5WeOY 
 4TjsuSKuE4oNLnr6Kx5dcg6ZedHRx + ggaSRZ + 4VTP43RgEj0CsqY9wB8kN1wXEWM 
 z7oj4o8EtrN4xFcT3C9Jl2sd + nJA085wFCFktdtI6zN7i6gMXMhTvTi / w / gPF + vM 
 4pAzP9Z5NHN5v8 / UHBmkytwx4f5uofYovM8hHQzUZGs / 3yEsUPBrxCQgW / MMC5jd 
 XyZyF0ryleid62feGNbbvgLEIZMZvNSCmJpYgD60CFskBemg / 02htaIVwdlg85lW 
 JoZuLBBKpkRb4UXNb0IRG2NvtZKQ8h98 

 ----- END DSA PRIVATE KEY ----- 

This is the content of Public Key:

 ssh-dss AAAAB3NzaC1kc3MAAACBAL4qF1YLu6l / zhhmgBJfFOgAqc635u / DRes / bXiSrCbuV1 
 Rey5nZb2AA8rdCZzwMyMdreCD34HRCVSblirirhSZ3r9qld1fipT6NPsOr + AMct13oPirlWAF0 
 1euJoPYEm62 + subVKWHQoNAwb7gIjNlMqNjaRuwNyBCLPwb7EcUjAAAAFQD9L07yMF 
 CTQ5bmP7ztr1LME / UjMQAAAIEAlyiJs4CazMnGB6mguefOZHI1BJPmPdOZeee9cvFRSQ1 
 nDoLK6ScxPpclQu0uwh8CEFuIjl / oMBf1rIHwONC7kxIIY6U82B3cZcBOL7SXt2wnPg8mg4I7 
 quG2Mq23lWsPeAH3ElfijOr15rgb4PQPV1bYoNlQPmb3zb6n4uoe3WQAAACBAKiamld09b 
 mHk3GCqn40u1WKtMLzpwowCtv24VZ / v4yQV4fY3CvrbgsAEnBD3mSEpOea7tSNDTxY83D 
 6ayJ40ZS2zN3bhBZos + Jp53tq8Eni1pSELS5wlw5NkkoY + F4lmda + sK5gTOOExI2tWyA0z5V 
 7hkOQuxcLbvc9GR + ywibz binhnx2000@domain.com 

All important information is encrypted using DSA algorithm

USE The Private Key & Public Key

Using the Public Key, you must first distribute it. Or, to put it in a straightforward way, you must activate these Public Keys in the appropriate locations on the remote server. As stated above Public Key can be distributed freely and freely. So you can send it to any system you want to communicate with Open SSH.- Create Public Key folder in Apache root directory:

 root@domain.com#: mkdir / var / html / pubkeys 
 

- Copy Binhnx2000's Public Key into the folder you just created and rename them:

 root@domain.com#: cp /home/binhnx2000/.ssh/id_dsa.pub var / html / pubkeys / binhnx2000.pub 
 

- On remote host system: You need to refer to the parameters as on your host. You log in as root and create an account account:

 root@domain2.com#: useradd binhnx2000 
 passwd binhnx2000 
 Đang thay đổi mật khẩu cho người dùng xn2000 
 New UNIX password: ***** 
 Retype new UNIX password: ***** 
 passwd: all authentication tokens updated successfully 
 

- Next create a ' .ssh ' subdirectory in the home directory of your account.

 root@domain2.com#: mkdir / home/binhnx2000/.ssh 
 

You have uploaded the address uploaded to the x2000's Public Key and downloaded it to:
Save it to /home/binhnx2000/.ssh = => This is the Public Key of domain.com. It contains information about the ID encoded by DSA algorithm. Everything is fine, now try ssh from system 2 via system 1 with Public Key see:

 binhnx2000@domain2.com$: ssh domain.com 
 

If all goes well you can ssh into system 1 remotely via Open SSH safely. All transactions between systems 1 and 2 are compressed and encoded to ensure safety on the line

For example, VeriSign is a company that provides Digital ID to encrypt and secure E-mail for customers. Digital ID is actually a Public Key embedded with basic ID information in it. VeriSign will automatically send the user's Public Key to its Site. Any user who wants to access another user's Public Key. They can download the user's Digital ID from the VeriSign site:

 digitalid.verisign.com/services/client/index.html 

For Private Key. I will Upload it to my Web server. Remote hosts will Download Public Key and automatically activate them.

You continue to do the following steps if your system has installed Apache Web server:

However! life is not always as good as we thought ;-( You will encounter notice:

 Đã xác thực của máy phục vụ domain.com 'không thể được thực hiện. 
 DSA key fingerprint is ca: 3b: f9: 80: 5a: 91: e5: c1: 1e: 5b: 30: 02: 2f: d5: 53: 13. 
 Bạn có chắc muốn tiếp tục kết nối (yes / no)? 

The above message says that you cannot set up a secure connection from system 2 to system 1 using Open SSH. You continue to click Yes to continue connecting. There will be a message saying that the remote system's Public Key has been added to a reasonable location on the local system. The work of updating Public Key was successful. Next time you won't have to see this annoying message again. Why don't you try ssh to the remote system again (There won't be any requests for passwords, because it uses and authenticates Public Key)

 /home/binhnx2000/.ssh/know_host. 
 Warning: Permanently added 'domain.com, 24,130.8,170' 
 (DSA) to the list of known hosts. 
 [binhnx2000@domain.com binhnx2000] $ 

If the information about Public Key is incorrect. In other words, the authentication process of Public Key failed. Open SSH will ask you to provide the user's password using the server:

 binhnx2000@domain.com's password: 

The password here is the password of the account that is created on the remote system. When you enter a username and password similar to Telnet, the other point is that it has been encrypted with Open SSH. If you encounter password query requests, review the process of allocating and using Public Key.

DATA SAFETY ISSUES

So far RSA and DSA Key are considered to have high security and data encryption capability (RSA Key is now up to 256 bit encryption). In the middle of July, the Security community discovered a Bug that exploited the vulnerability of short passphrases under 2 characters. But it was quickly overcome and the practicality of this Bug was not high. Open SSH is still considered by the * nix community as a highly secure media.

Note : This article is only for learning and exchanging experiences. You can freely use it, but hope you respect Copyright a bit. When you need to quote somewhere in the document, please specify the source and the name of the writer . Thank you very much for your interest in my article.
(Power by: binhnx2000 == (=========> ^ ($) ^ Supporter Of VTF)
(E-mail: binhnx2000@yahoo.com | Home: vieteam.com)

References
- Using OpenSSH to Encrypt Network Traffic between Two Hosts
- Deutsch Unix / Linux Gruppen (DUG)
- Information Bibliothek Frei Universität Berlin (FU Berlin)

Note : Public Key can be distributed as you like. Anyone, the system who wants to communicate securely with x2000 can receive Public Key . You can change the name of Public Key comfortably. For security purposes, Security advises you to regularly rename Public Key before distributing it to each person. binhnx2000@domain.com$: rlogin -l binhnx2000 vnzone.net