SSH, The Secure Shell The Definitive Guide (Daniel J. Barrett, Richard E. Silverman etc.) (Z-Library)

SSH, the Secure Shell The Definitive Guide

Other computer security resources from O’Reilly Related titles 802.11 Security Digital Identity Firewall Warrior Internet Forensics Network Security Assessment Network Security with OpenSSL nmap: The Definitive Guide Managing Security with Snort and IDS Tools PGP: Pretty Good Privacy Snort Cookbook Security Books Resource Center security.oreilly.com is a complete catalog of O’Reilly’s books on security and related technologies, including sample chapters and code examples. oreillynet.com is the essential portal for developers interested in open and emerging technologies, including new platforms, pro- gramming languages, and operating systems. Conferences O’Reilly brings diverse innovators together to nurture the ideas that spark revolutionary industries. We specialize in document- ing the latest tools and systems, translating the innovator’s knowledge into useful skills for those in the trenches. Visit con- ferences.oreilly.com for our upcoming events. Safari Bookshelf (safari.oreilly.com) is the premier online refer- ence library for programmers and IT professionals. Conduct searches across more than 1,000 books. Subscribers can zero in on answers to time-critical questions in a matter of seconds. Read the books on your Bookshelf from cover to cover or sim- ply flip to the page you need. Try it today with a free trial.

SSH, the Secure Shell The Definitive Guide SECOND EDITION Daniel J. Barrett, Richard E. Silverman, and Robert G. Byrnes Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo

SSH, the Secure Shell: The Definitive Guide™ by Daniel J. Barrett, Richard E. Silverman, and Robert G. Byrnes Copyright © 2005, 2001 O’Reilly Media, Inc. All rights reserved. Printed in the United States of America. Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472. O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/insti- tutional sales department: (800) 998-9938 or corporate@oreilly.com. Editor: Mike Loukides Production Editor: Mary Brady Cover Designer: Ellie Volckhausen Interior Designer: David Futato Printing History: February 2001: First Edition. May 2005: Second Edition. Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc. SSH, the Secure Shell: The Definitive Guide, the image of a land snail, and related trade dress are trademarks of O’Reilly Media, Inc. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps. While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein. This book uses RepKover™, a durable and flexible lay-flat binding. ISBN: 0-596-00895-3 ISBN13: 978-0-596-00895-6 [M] [1/07]

v Table of Contents Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi 1. Introduction to SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.1 What Is SSH? 1 1.2 What SSH Is Not 3 1.3 The SSH Protocol 3 1.4 Overview of SSH Features 5 1.5 History of SSH 9 1.6 Related Technologies 10 1.7 Summary 15 2. Basic Client Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 2.1 A Running Example 16 2.2 Remote Terminal Sessions with ssh 16 2.3 Adding Complexity to the Example 18 2.4 Authentication by Cryptographic Key 21 2.5 The SSH Agent 28 2.6 Connecting Without a Password or Passphrase 32 2.7 Miscellaneous Clients 33 2.8 Summary 34 3. Inside SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 3.1 Overview of Features 36 3.2 A Cryptography Primer 39 3.3 The Architecture of an SSH System 43 3.4 Inside SSH-2 45 3.5 Inside SSH-1 68

vi | Table of Contents 3.6 Implementation Issues 69 3.7 SSH and File Transfers (scp and sftp) 81 3.8 Algorithms Used by SSH 84 3.9 Threats SSH Can Counter 91 3.10 Threats SSH Doesn’t Prevent 93 3.11 Threats Caused by SSH 97 3.12 Summary 98 4. Installation and Compile-Time Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 99 4.1. Overview 99 4.2 Installing OpenSSH 106 4.3 Installing Tectia 111 4.4 Software Inventory 124 4.5 Replacing r-Commands with SSH 125 4.6 Summary 127 5. Serverwide Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 5.1 Running the Server 129 5.2 Server Configuration: An Overview 132 5.3 Getting Ready: Initial Setup 141 5.4 Authentication: Verifying Identities 171 5.5 Access Control: Letting People In 184 5.6 User Logins and Accounts 198 5.7 Forwarding 201 5.8 Subsystems 206 5.9 Logging and Debugging 209 5.10 Compatibility Between SSH-1 and SSH-2 Servers 223 5.11 Summary 226 6. Key Management and Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227 6.1 What Is an Identity? 227 6.2 Creating an Identity 233 6.3 SSH Agents 242 6.4 Multiple Identities 260 6.5 PGP Authentication in Tectia 262 6.6 Tectia External Keys 264 6.7 Summary 265

Table of Contents | vii 7. Advanced Client Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266 7.1 How to Configure Clients 266 7.2 Precedence 276 7.3 Introduction to Verbose Mode 277 7.4 Client Configuration in Depth 278 7.5 Secure Copy with scp 313 7.6 Secure, Interactive Copy with sftp 323 7.7 Summary 325 8. Per-Account Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326 8.1 Limits of This Technique 326 8.2 Public-Key-Based Configuration 328 8.3 Hostbased Access Control 346 8.4 The User rc File 348 8.5 Summary 348 9. Port Forwarding and X Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349 9.1 What Is Forwarding? 350 9.2 Port Forwarding 351 9.3 Dynamic Port Forwarding 373 9.4 X Forwarding 377 9.5 Forwarding Security: TCP-wrappers and libwrap 389 9.6 Summary 395 10. A Recommended Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396 10.1 The Basics 396 10.2 Compile-Time Configuration 397 10.3 Serverwide Configuration 397 10.4 Per-Account Configuration 403 10.5 Key Management 404 10.6 Client Configuration 404 10.7 Remote Home Directories (NFS, AFS) 404 10.8 Summary 407 11. Case Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408 11.1 Unattended SSH: Batch or cron Jobs 408 11.2 FTP and SSH 415 11.3 Pine, IMAP, and SSH 436 11.4 Connecting Through a Gateway Host 444

viii | Table of Contents 11.5 Scalable Authentication for SSH 452 11.6 Tectia Extensions to Server Configuration Files 468 11.7 Tectia Plugins 479 12. Troubleshooting and FAQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495 12.1 Debug Messages: Your First Line of Defense 495 12.2 Problems and Solutions 497 12.3 Other SSH Resources 513 13. Overview of Other Implementations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515 13.1 Common Features 515 13.2 Covered Products 516 13.3 Other SSH Products 516 14. OpenSSH for Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521 14.1 Installation 521 14.2 Using the SSH Clients 522 14.3 Setting Up the SSH Server 522 14.4 Public-Key Authentication 524 14.5 Troubleshooting 525 14.6 Summary 525 15. OpenSSH for Macintosh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526 15.1 Using the SSH Clients 526 15.2 Using the OpenSSH Server 526 16. Tectia for Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531 16.1 Obtaining and Installing 532 16.2 Basic Client Use 533 16.3 Key Management 534 16.4 Accession Lite 536 16.5 Advanced Client Use 539 16.6 Port Forwarding 542 16.7 Connector 543 16.8 File Transfers 551 16.9 Command-Line Programs 552 16.10 Troubleshooting 554 16.11 Server 555

Table of Contents | ix 17. SecureCRT and SecureFX for Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563 17.1 Obtaining and Installing 563 17.2 Basic Client Use 564 17.3 Key Management 564 17.4 Advanced Client Use 568 17.5 Forwarding 570 17.6 Command-Line Client Programs 572 17.7 File Transfer 572 17.8 Troubleshooting 574 17.9 VShell 574 17.10 Summary 575 18. PuTTY for Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576 18.1 Obtaining and Installing 576 18.2 Basic Client Use 576 18.3 File Transfer 578 18.4 Key Management 580 18.5 Advanced Client Use 583 18.6 Forwarding 587 18.7 Summary 589 A. OpenSSH 4.0 New Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591 B. Tectia Manpage for sshregex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595 C. Tectia Module Names for Debugging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604 D. SSH-1 Features of OpenSSH and Tectia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609 E. SSH Quick Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629

This is the Title of the Book, eMatter Edition Copyright © 2008 O’Reilly & Associates, Inc. All rights reserved. xi Preface Welcome to the second edition of our book on SSH, one of the world’s most popu- lar approaches to computer network security. Here’s a sampling of what’s new in this edition: • Over 100 new features, options, and configuration keywords from the latest ver- sions of OpenSSH and SSH Tectia (formerly known as SSH Secure Shell or SSH2 from ssh.com) • Expanded material on the SSH-2 protocol and its internals, including a step-by- step tour through the transport, authentication, and connection phases • Running OpenSSH on Microsoft Windows and Macintosh OS X • All-new chapters on Windows software such as Tectia, SecureCRT, and PuTTY • Scalable authentication techniques for large installations, including X.509 certifi- cates • Single sign-on between Linux and Windows via Kerberos/GSSAPI • Logging and debugging in greater depth • Tectia’s metaconfiguration, subconfiguration, and plugins, with examples ...and much more! You might be surprised at how much is changed, but in the past four years, SSH has significantly evolved: SSH-2 protocol triumphant Back in 2001, only a handful of SSH products supported the relatively new SSH- 2 protocol, and the primary implementation was commercial. Today, the old SSH-1 protocol is dying out and all modern SSH products, free and commercial, use the more secure and flexible SSH-2 protocol. We now recommend that everyone avoid SSH-1. The rise of OpenSSH This little upstart from the OpenBSD world has become the dominant imple- mentation of SSH on the Internet, snatching the crown from the original, SSH Secure Shell (now called SSH Tectia, which we abbreviate as Tectia). Tectia is

This is the Title of the Book, eMatter Edition Copyright © 2008 O’Reilly & Associates, Inc. All rights reserved. xii | Preface still more powerful than OpenSSH in important ways; but as OpenSSH is now included as standard with Linux, Solaris, Mac OS X, and beyond, it dominates in pure numbers. The death of telnet and the r-tools The insecure programs telnet, rsh, rcp, and rlogin—long the standards for com- munication between computers—are effectively extinct.* FTP is also on the way out, except when operated behind firewalls or over private lines. An explosion of Windows products In 2001, there were a handful of SSH implementations for Windows; now there are dozens of GUI clients and several robust servers, not to mention a full port of the free OpenSSH. Increased attacks The Internet has experienced a sharp rise in computer intrusions. Now more than ever, your servers and firewalls should be configured to block all remote accesses except via SSH (or other secure protocols). Protect Your Network with SSH Let’s start with the basics. SSH, the Secure Shell, is a reliable, reasonably easy to use, inexpensive security product for computer networks and the people who use them. It’s available for most of today’s operating systems. Privacy is a basic human right, but on today’s computer networks, privacy isn’t guaranteed. Much of the data that travels on the Internet or local networks is transmitted as plain text, and may be captured and viewed by anybody with a lit- tle technical know-how. The email you send, the files you transmit between com- puters, even the passwords you type may be readable by others. Imagine the damage that can be done if an untrusted third party—a competitor, the CIA, your in-laws— intercepted your most sensitive communications in transit. SSH is a small, unassuming, yet powerful and robust solution to many of these issues. It keeps prying eyes away from the data on your network. It doesn’t solve every privacy and security problem, but it eliminates several of them effectively. Its major features are: • A secure, client/server protocol for encrypting and transmitting data over a net- work • Authentication (recognition) of users by password, host, or public key, plus optional integration with other popular authentication systems, such as PAM, Kerberos, SecurID, and PGP * Not counting secure versions of these tools, e.g., when enhanced with Kerberos support. [1.6.3]

This is the Title of the Book, eMatter Edition Copyright © 2008 O’Reilly & Associates, Inc. All rights reserved. Preface | xiii • The ability to add security to insecure network applications such as Telnet, NNTP, VNC, and many other TCP/IP-based programs and protocols • Almost complete transparency to the end user • Implementations for most operating systems Intended Audience We’ve written this book for system administrators and technically minded users. Some chapters are suitable for a wide audience, while others are thoroughly techni- cal and intended for computer and networking professionals. End-User Audience Do you have two or more computer accounts on different machines? SSH lets you connect one to another with a high degree of security. You can remotely log into one account from the other, execute remote commands, and copy files between accounts, all with the confidence that nobody can intercept your username, pass- word, or data in transit. Do you connect from a personal computer to an Internet service provider (ISP)? In particular, do you connect to a Unix shell account at your ISP? If so, SSH can make this connection significantly more secure. An increasing number of ISPs are running SSH servers for their users. In case your ISP doesn’t, we’ll show you how to run a server yourself. Do you develop software? Are you creating distributed applications that must com- municate over a network securely? Then don’t reinvent the wheel: use SSH to encrypt the connections. It’s a solid technology that may reduce your development time. Even if you have only a single computer account, as long as it’s connected to a net- work, SSH can still be useful. For example, if you’ve ever wanted to let other people use your account, such as family members or employees, but didn’t want to give them unlimited use, SSH can provide a carefully controlled, limited-access channel into your account. Prerequisites We assume you are familiar with computers and networking as found in any mod- ern business office or home system with an Internet connection. Ideally, you are familiar with network applications like Telnet and FTP. If you are a Unix user, you should be familiar with standard network applications (e.g., ftp) and the basics of writing shell scripts and Perl scripts.

This is the Title of the Book, eMatter Edition Copyright © 2008 O’Reilly & Associates, Inc. All rights reserved. xiv | Preface System-Administrator Audience If you’re a Unix or Macintosh OS X system administrator, you probably know about SSH already. It’s less well known in the Windows world, where secure log- ins are usually accomplished with radmin (Remote Administrator) and other remote desktop applications, and network file transfers are done using network shares. In contrast, SSH is more focused on the command line and is therefore more scriptable than the usual Windows techniques. SSH also can increase the security of other TCP/IP-based applications on your network by transparently “tunneling” them through SSH-encrypted connections. You will love SSH. Prerequisites In addition to the end-user prerequisites in the previous section, you should be famil- iar with user accounts and groups, networking concepts such as TCP/IP and pack- ets, and basic encryption techniques. Reading This Book This book is divided roughly into three parts. The first three chapters are a general introduction to SSH, first at a high level for all readers (Chapters 1 and 2), and then in detail for technical readers (Chapter 3). The next nine chapters cover SSH for Unix and similar operating systems (OpenBSD, Linux, Solaris, etc.). The first two (Chapters 4 and 5) cover SSH installation and serv- erwide configuration for system administrators. The next four (Chapters 6–9) cover advanced topics for end users, including key management, client configuration, per- account server configuration, and forwarding. We complete the Unix sequence with our recommended setup (Chapter 10), some detailed case studies (Chapter 11), and troubleshooting tips (Chapter 12). The remaining chapters cover SSH products for Windows and the Macintosh, plus brief overviews of implementations for other platforms. Each section in the book is numbered, and we provide cross-references throughout the text. If further details are found in Section 7.1.2.2, we use the notation [7.1.2.2] to indicate it. Our Approach This book is organized by concept rather than syntax. We begin with an overview and progressively lead you deeper into the functionality of SSH. So, we might intro- duce a topic in Chapter 1, show its basic use in Chapter 2, and reveal advanced uses in Chapter 7. If you prefer the whole story at once, Appendix E presents all com- mands and configuration options in one location.

This is the Title of the Book, eMatter Edition Copyright © 2008 O’Reilly & Associates, Inc. All rights reserved. Preface | xv We focus strongly on three levels of server configuration, which we call compile- time, serverwide, and per-account configuration. Compile-time configuration (Chapter 4) means selecting appropriate options when you build the SSH clients and servers. Serverwide configuration (Chapter 5) applies when the SSH server is run and is generally done by system administrators, while per-account configuration (Chapter 8) can be done anytime by end users. It’s vitally important for system administrators to understand the relationships and differences among these three lev- els. Otherwise, SSH may seem like a morass of random behaviors. Although the bulk of material focuses on Unix implementations of SSH, you don’t have to be a Unix user to understand it. Fans of Windows and the Macintosh may stick to the later chapters devoted to their platforms, but a lot of the meaty details are in the Unix chapters, so we recommend reading them, at least for reference. Which Chapters Are for You? We propose several “tracks” for readers with different interests and skills: System administrators Chapters 3–5 and 10 are the most important for understanding SSH and how to build and configure servers. However, as the administrator of a security prod- uct, you should read the whole book. Unix users (not system administrators) Chapters 1 and 2 provide an overview, and Chapters 6–9 discuss SSH clients in depth. Windows end users Read Chapters 1, 2, 13, 14, and 16–18 for starters, and then others as your inter- ests guide you. Macintosh end users Read Chapters 1, 2, 13, and 15 for starters, and then others as your interests guide you. Users of other computer platforms Read Chapters 1, 2, and 13 for starters, and then others as your interests guide you. Even if you are experienced with SSH, you’ll likely find value in Chapters 3–12. We cover significant details the Unix manpages leave unclear or unmentioned, including major concepts, compile-time flags, server configuration, and forwarding.

This is the Title of the Book, eMatter Edition Copyright © 2008 O’Reilly & Associates, Inc. All rights reserved. xvi | Preface Supported Platforms This book covers Unix, Windows, and Macintosh implementations of SSH. When we say “Unix” in this book, we mean the whole family of Unix- like operating systems such as Linux, OpenBSD, and Solaris. SSH products are also available for the Amiga, BeOs, Java, OS/2, Palm Pilot, VMS, and Windows CE, and although we don’t cover them, their principles are the same. This book is current for the following Unix SSH versions: Version information for non-Unix products is found in their respective chapters. Disclaimers We identify some program features as “undocumented.” This means the feature isn’t mentioned in the official documentation but works in the current release and/or is clear from the program source code. Undocumented features might not be officially supported by the software authors and can disappear in later releases. Conventions Used in This Book The following typographical conventions are used in this book: Constant width For configuration files, things that can be found in configuration files (such as keywords and configuration file options), source code, and interactive terminal sessions. Constant width italic For replaceable parameters on command lines or within configuration files. Italic For filenames, URLs, hostnames, command names, command-line options, and new terms where they are defined. AK In figures, the object labeled A has been secured using a cryptographic key labeled K. “Secured” means encrypted, signed, or some more complex relation- ship, depending on the context. If A is secured using multiple keys (say, K and L), they are listed in the subscript, separated by commas: A K, L. OpenSSH 3.9a a See Appendix A for a preview of new features in OpenSSH 4.0. SSH Tectia 4.2

This is the Title of the Book, eMatter Edition Copyright © 2008 O’Reilly & Associates, Inc. All rights reserved. Preface | xvii This icon indicates a tip, suggestion, or general note. This icon indicates a warning or caution. Comments and Questions Please address comments and questions concerning this book to the publisher: O’Reilly Media, Inc. 1005 Gravenstein Highway North Sebastopol, CA 95472 (800) 998-9938 (in the United States or Canada) (707) 829-0515 (international/local) (707) 829-0104 (fax) There is a web page for this book, which lists errata, examples, or any additional information. You can access this page at: http://www.oreilly.com/catalog/sshtdg2/ To comment or ask technical questions about this book, send email to: bookquestions@oreilly.com For more information about books, conferences, Resource Centers, and the O’Reilly Network, see the O’Reilly web site at: http://www.oreilly.com Safari Enabled When you see a Safari® Enabled icon on the cover of your favorite tech- nology book, it means the book is available online through the O’Reilly Network Safari Bookshelf. Safari offers a solution that’s better than e-books. It’s a virtual library that lets you easily search thousands of top technology books, cut and paste code samples, down- load chapters, and find quick answers when you need the most accurate, current information. Try it for free at http://safari.oreilly.com.

This is the Title of the Book, eMatter Edition Copyright © 2008 O’Reilly & Associates, Inc. All rights reserved. xviii | Preface Acknowledgments Our biggest thanks go to the two parties who made this second edition a reality: the many readers who purchased the first edition, and our editor Mike Loukides. We couldn’t have done this without you! We thank the O’Reilly “tools” team for Frame typesetting advice, and Rob Romano for turning our hasty sketches into polished illustrations. Special thanks to the O’Reilly production team, Keith Fahlgren, John Bickelhaupt, Audrey Doyle, and Mary Brady, for their hard work creating the final package. We thank our excellent technical reviewers for their thorough reading and insightful comments: Markus Friedl and Damien Miller of the OpenSSH team, Paul Lussier, Drew Simonis, and Mike Smith. Big thanks also to several vendors of SSH products who provided us with free copies of their software, reviewed the manuscript, and answered our questions. From SSH Communications Security, maker of SSH Tectia, we thank Nicolas Gabriel-Robez, Tommi Lampila, Sami J. Lehtinen, Timo J. Rinne, Janne Saarikko, Petri Sakkinen, Vesa Vatka, and Timo Westerberg. From VanDyke Software, maker of SecureCRT, SecureFX, and VShell, we thank Jill Christian, Mau- reen Jett, Marc Orchant, and Tracy West. SSH Communications Security also kindly gave us permission to include the sshregex manpage (Appendix B) and the sshdebug.h error codes (Appendix C). Dan Barrett thanks Lisa and Sophie for bearing the late-night writing and hacking sessions required for this book. He also thanks Alex Schowtka and Robert Dulaney of VistaPrint, his employer, for their kind permission to work on this project. Bob Byrnes thanks Alison and Rebecca for all of their help and understanding through- out the many nights and weekends when he was glued to his keyboard. Richard Sil- verman thanks his coauthors for their unfailing good humor and patience—even when a sudden decision to change jobs and move out of state threw his book sched- ule into chaos. He also thanks his various friends, especially Bob Stepno, for listen- ing to his endless chatter about The Book. It’s truly a wonder they still speak to him at all.