Monday, September 12, 2011

Using openSSH

Ssh/scp is more secure than telnet/rsh/rcp due to encryption and server verification through certificates. In this blog we will discuss 3 issues: how to verify that you connect to the genuine server, how to create new keys in case that your keys have been compromised and a handy method to do ssh/scp without password.

1. How to verify a server connection
The first time you tried to connect to a server using ssh, you will be asked to verify the public key of the server:
> ssh auser@aserver
The authenticity of host 'auser(ip address)' can't be established.
RSA key fingerprint is bla:16:ee:ec:0b:19:5e:0b:33:c7:9f:ef:bla:bla:bla
Are you sure you want to continue connecting (yes/no)?

Once you say yes, the public key will be saved in your ~/.ssh/known_hosts file. Bear in mind of the man in the middle attack, how can you be sure that you communicate with the genuine server? A way to check by comparing the fingerprint of the server's public key with the fingerprint stated above. The server public key is located in the /etc/ssh/ssh_host_algorithm_pub.key file. Having this file (perhaps mailed by the admin of the server) you can generate the fingerprint using 'ssh-keygen -l -f public_key_file' and compare the values with the fingerprint above.

2. How to create new keys
If you're in a situation where your server keys have been compromised, you can generate a new pair of ssh public & private keys in the server, using ssh-keygen or open-ssl for example: 'ssh-keygen -t algorithmname', substitute the algorithmname with RSA or DSA. Use ' Hostkey keyfilename' to assign this key as the new ssh key. It's a good habit to regularly renew your keys just in case that the current key has been compromised.

3. Ssh/scp without password (authentication via PKI / X.509 certificate)
It will be handy to avoid being asked to type password everytime you use scp/ssh. Here are the steps to accomplish this: generate client keys using ' ssh-keygen -t algorithmname' in ~/.ssh directory. Substitute the algorithmname with RSA or DSA. Then copy the public key to ~/.ssh/authorized_keys in the server.

Source: Steve's blog

Foundations of CentOS Linux by Chivas Sicam and Ryan Baclit

Man in the middle attack
Convert keys between OpenSsh and OpenSSL

No comments: