Some thoughts about ssh


In the good old days, when the participants of the Internet still more or less knew each other, it was reasonable to trust each other, because the bad guys were not likely to be among the few, and they did not have much to gain from an ordinary user anyway. So it was common to use telnet, rlogin or sethost to connect to other computers. Usually the password was transmitted unencrypted, which was actually quite irresponsible.

Today we have to use ssh instead. It does pretty much what telnet could do in the old days, but also quite a bit more, much more than can be covered in these lines. It is not only important to transmit the password in encrypted form, but also to ensure that the other side really is the desired node and not some man in the middle trying to capture the password, which would leave us where we were with telnet.

For this purpose the .ssh directory contains those certificates, which are the key pair in files like id_rsa and id_rsa.pub. The private key id_rsa must be kept safe: it must not be given away, but it should also not be changed or lost, because it is hard to reproduce, otherwise it would not be secret. The security of the whole protocol depends on this. With ssh-keygen it is possible to create such certificates, optionally protected by a password that has to be provided before the key can be used. This password never leaves the local computer. Certificates have fingerprints, which can be shown with ssh-keygen -l. Exactly this fingerprint is shown when logging into a node from some other node for the first time, and it needs to be confirmed. So it is important to make sure that the fingerprint has been transferred over a safe channel prior to this login, because otherwise we could possibly just confirm the fingerprint of the man in the middle.

This is like with infectious diseases: it is necessary to work in a very hygienic way all along, otherwise the security is at risk. A good way might be to start the first ssh session to some node in a cabled network, where the cable and network topology is well known and trusted and simple enough to assume that the network traffic really goes to the desired host. Another way is to write down the fingerprint on paper, to print it, or to copy it on a USB stick to the host from which ssh is initiated. With this first login an entry in .ssh/known_hosts is created, which will be used subsequently. As long as .ssh/known_hosts contains no corrupted entries, it will be very hard for a man in the middle to do his evil job, and the whole process provides a reasonable level of security.
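As an added example (not code from the post), here is the fingerprint check described above done programmatically before a host key is trusted: it computes the same SHA256 fingerprint that ssh-keygen -l displays and only produces a .ssh/known_hosts entry when it matches the fingerprint obtained over a safe channel. The host name and key bytes are constructed for the demonstration, not a real server or key.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_pubkey_line(host: str, raw_key: bytes) -> str:
    """Build a 'host ssh-ed25519 <base64 blob>' line as ssh-keyscan prints it.
    The blob is string("ssh-ed25519") || string(32-byte public key)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


def fingerprint_sha256(key_b64: str) -> str:
    """Same value ssh-keygen -l shows: base64(SHA256(blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_entry(scanned_line: str, trusted_fingerprint: str):
    """Return a known_hosts line for the scanned host key only if its
    fingerprint equals the one obtained over a safe channel; otherwise None,
    so a key presented by a man in the middle is never recorded."""
    host, keytype, key_b64 = scanned_line.split()[:3]
    if fingerprint_sha256(key_b64) != trusted_fingerprint:
        return None
    return f"{host} {keytype} {key_b64}"


# Constructed sample data (not a real server or key): the genuine host key ...
GENUINE_KEY = bytes(range(32))
GENUINE_LINE = ed25519_pubkey_line("server.example", GENUINE_KEY)
# ... and its fingerprint, as written down on paper in front of the machine.
TRUSTED_FINGERPRINT = fingerprint_sha256(GENUINE_LINE.split()[2])
# A different key, as a man in the middle would present it for the same host.
IMPOSTOR_KEY = bytes(range(1, 33))
IMPOSTOR_LINE = ed25519_pubkey_line("server.example", IMPOSTOR_KEY)

if __name__ == "__main__":
    print(known_hosts_entry(GENUINE_LINE, TRUSTED_FINGERPRINT))   # known_hosts line
    print(known_hosts_entry(IMPOSTOR_LINE, TRUSTED_FINGERPRINT))  # None
```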

Now the public key from id_rsa.pub of one's own computer can be transferred to the remote computer and appended to .ssh/authorized_keys there. This makes it possible to log into that host without entering a password, unless the local certificate itself is protected by a password, which it should be in such a case. For convenience this password needs to be typed only once per session, by calling ssh-add.

ssh is used for other purposes as well, because it supports tunneling other protocols, for example those of subversion or git.

A very beautiful possibility is to use ssh in conjunction with X11 by calling

ssh -X user@host

This allows starting graphical applications on the remote computer while they are displayed on the local computer. The X11 windowing system is network enabled and uses the ssh tunnel.

Redirection of displays has been common practice in the Unix and Linux world for more than 25 years, but with ssh it is much more secure than with the unencrypted protocols that were used in the old days. Who of you still knows xhost +?

All of this refers to ssh for Linux, but it should work exactly the same way on all kinds of recent Unix systems like Solaris or the BSD variants. On MS-Windows computers it is possible and useful to install putty. Many of the capabilities of ssh can be found in putty as well, just packaged and used in a different way. I actually prefer to use cygwin and its ssh implementation on MS-Windows, which is very similar to the Linux ssh. It is even possible to set up an ssh server on MS-Windows using cygwin, but this is not so easy.


One thought on "Some thoughts about ssh"

  1. Pingback: Ein paar Gedanken zu ssh | Karl Brodowskys IT-Blog
