Implementing SSH: Strategies for Optimizing the Secure Shell, part 4


Table 3.1 Location of Configuration Files

  CLIENT               WINDOWS OS                                     UNIX OS
  OpenSSH              \Program Files\OpenSSH\etc                     /etc/ssh_config
  SSH Communications   \Program Files\SSH Secure Shell\ssh2_config    /etc/ssh2/ssh2_config

General

The General section of the configuration file lists generic flags and switches that cut down on the number of options the end user has to type when connecting to an SSH server. Fields such as VerboseMode, QuietMode, Compression, GoBackground, and EscapeChar let these settings be enabled from the profile file itself instead of on the command line. Selected fields from the General section are listed in Table 3.2 with a brief description of each.

Table 3.2 Fields in the General Section

  FIELD                     DESCRIPTION
  VerboseMode               Displays verbose information about the SSH session
  QuietMode                 Suppresses output other than warning and error messages
  DontReadStdin             Disables reading from standard input
  BatchMode                 Enables/disables batch-mode processing (no interactive prompts)
  Compression               Enables/disables compression
  GoBackground              Sends the connection to the background after authentication
  EscapeChar                Sets the escape character for the session
  PasswordPrompt            Type of password prompt
  AuthenticationSuccessMsg  Displays a success message after login
  SetRemoteEnv              Sets environment variables for the session

Secure Shell Clients 95

Network

The Network section of the configuration file lists the networking settings required for the connection. An example of a network setting is the specific port that the SSH client should use when attempting to connect to the SSH server. Table 3.3 gives a brief description of some of the selected fields in the Network section.

Table 3.3 Fields in the Network Section

  FIELD         DESCRIPTION
  Port          Sets the port to connect to
  NoDelay       Enables/disables TCP_NODELAY (turns off Nagle's algorithm for interactive sessions)
  KeepAlive     Sends TCP keepalives so that the connection stays active and a dead peer is detected
  SocksServer   Address of the SOCKS server to connect through
  UseSocks5     Use SOCKS version 5 rather than version 4

Crypto

The Crypto section of the configuration file lists the cryptographic algorithms that can be set for the SSH client. This section is useful when different SSH servers require different encryption algorithms. For example, a separate SSH configuration file can be kept for backups, enabling a cipher that has the least effect on bandwidth while still protecting the integrity of the data with a MAC. Table 3.4 gives a brief description of some of the selected fields in the Crypto section.

Table 3.4 Fields in the Crypto Section

  FIELD                  DESCRIPTION
  Ciphers                Specifies which ciphers can be used
  MACs                   Specifies which MACs can be used
  StrictHostKeyChecking  When enabled, the client refuses to connect to a server whose host key is not already in its host-key database, instead of prompting for or silently accepting the new key
  RekeyIntervalSeconds   Interval after which the session keys are renegotiated

Leave StrictHostKeyChecking enabled for any profile that matters: it is the only thing that turns the host-key comparison into a hard failure rather than a prompt the user can click through, and disabling it makes a man-in-the-middle indistinguishable from a legitimately re-keyed server.

User Public Key Authentication

The Public Key Authentication section of the configuration file simply specifies the location and name of the identification file that names the user's key(s) to use for authentication. The fields in the Public Key Authentication section are described in Table 3.5.

Table 3.5 Fields in the Public Key Authentication Section

  FIELD           DESCRIPTION
  IdentityFile    Name of the identification file
  RandomSeedFile  Name of the random_seed file

96 Chapter 3

Tunneling

The Tunneling section of the configuration file specifies the local and remote tunneling options that should be used by the SSH client. This section adds a great deal of value when the client has multiple local and remote port forwards enabled. The selected fields in the Tunneling section are described in Table 3.6.

Table 3.6 Fields in the Tunneling Section

  FIELD                 DESCRIPTION
  GatewayPorts          Allows hosts other than the local machine to connect to locally forwarded ports (the forwarded port listens on all interfaces instead of loopback only)
  ForwardAgent          Enables/disables forwarding of the authentication agent connection to the remote host
  ForwardX11            Enables/disables forwarding of X11 connections over the SSH session
  TrustX11Applications  Whether forwarded X11 applications are treated as trusted

  TUNNELS SET UP UPON LOGIN
  LocalForward          Local port forwarding setting (143:IP:143)
  LocalForward          Local port forwarding setting (25:IP:25)
  RemoteForward         Remote port forwarding setting (22:IP:23)

GatewayPorts and ForwardAgent both widen the trust boundary of the session: GatewayPorts exposes every forwarded port to the network the client sits on, and ForwardAgent lets anyone with root on the remote host use the client's agent to authenticate elsewhere. Enable them only in the profile of a server that needs them, never in the global defaults.

SSH1 Compatibility

The SSH1 Compatibility section of the configuration file specifies the options needed to interoperate with servers that speak SSH protocol version 1. For an SSH2 client to be compatible with an SSH1 server, the fields shown in Table 3.7 must be set.

Table 3.7 SSH1 Compatibility

  FIELD                   DESCRIPTION
  Ssh1Compatibility       Enables/disables SSH1 support
  Ssh1Path                The path to the SSH1 client binary. The default is /usr/local/bin/ssh1
  Ssh1MaskPasswordLength  Enables/disables masking of the password length

SSH protocol version 1 has known cryptographic weaknesses and has been removed from current OpenSSH releases. Leave Ssh1Compatibility disabled unless a specific legacy server truly requires it, and keep that exception in its own profile rather than the defaults.

Secure Shell Clients 97

Authentication

The Authentication section of the configuration file specifies the options supported for authentication. It tells the client which authentication types to use, for example whether to use public key and password instead of just a password. Table 3.8 is a brief list of the selected fields of the Authentication section.
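The sections and fields in Tables 3.2 through 3.7 are described one keyword at a time; what a practitioner usually wants to see is how they combine into per-server profiles and which combinations are dangerous. The following is an added example, not code from the book: it embeds a constructed client configuration in OpenSSH ssh_config syntax (the OpenSSH client of Table 3.1; the book's tables use the SSH Communications ssh2_config names, so Ssh1Compatibility corresponds to Protocol, KeepAlive to TCPKeepAlive and RekeyIntervalSeconds to RekeyLimit), resolves the effective settings for a host the way OpenSSH does (first value obtained wins, port forwards and identities accumulate), and audits the result for the weak settings discussed above. Host names, addresses and key paths are placeholders.

```python
"""Resolve and audit per-host SSH client settings written in OpenSSH ssh_config
syntax.  Added example; not code from the book.  Hosts, addresses and key paths
are placeholders."""
import fnmatch

# Constructed sample configuration.  OpenSSH keeps the FIRST value it obtains
# for a keyword, so the "Host *" defaults must come last.
SAMPLE_SSH_CONFIG = """
# Backup profile: cheap CTR-mode cipher, integrity still protected by a MAC.
Host backup
    HostName backup.example.test
    User backupsvc
    Port 2022
    Compression yes
    Ciphers aes128-ctr
    MACs hmac-sha2-256
    IdentityFile ~/.ssh/id_backup
    BatchMode yes
# Tunnels-only profile carrying the forwards of Table 3.6.
Host mailtunnel
    HostName mail.example.test
    LocalForward 143 10.0.0.5:143
    LocalForward 25 10.0.0.5:25
    RemoteForward 2222 10.0.0.9:23
# Legacy profile that switches on every weak option from the tables.
Host legacy-*
    Protocol 2,1
    StrictHostKeyChecking no
    ForwardAgent yes
    GatewayPorts yes
    Ciphers arcfour,3des-cbc
    MACs hmac-md5
# Defaults for every other host.
Host *
    Protocol 2
    StrictHostKeyChecking ask
    ForwardAgent no
    GatewayPorts no
    Ciphers aes256-ctr,aes128-ctr
    MACs hmac-sha2-512,hmac-sha2-256
    EscapeChar ~
"""

MULTI_VALUED = {"localforward", "remoteforward", "identityfile"}
WEAK_CIPHERS = {"arcfour", "arcfour128", "arcfour256", "3des-cbc", "blowfish-cbc", "cast128-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}


def host_matches(patterns, hostname):
    """Host-line matching: a negated pattern (!pat) vetoes, any other match selects."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched


def resolve(config_text, hostname):
    """Effective settings for hostname (keys lower-cased): first value wins,
    multi-valued keywords accumulate in file order.  Assumes 'Keyword value' lines."""
    settings = {}
    patterns = ["*"]  # keywords before the first Host line apply to all hosts
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            patterns = value.split()
            continue
        if not host_matches(patterns, hostname):
            continue
        if key in MULTI_VALUED:
            settings.setdefault(key, []).append(value)
        else:
            settings.setdefault(key, value)
    return settings


def _listed(settings, key):
    """Comma-separated keyword value as a set of names."""
    return {item.strip() for item in settings.get(key, "").split(",") if item.strip()}


def audit(settings):
    """Return the weak settings a reviewer should flag for one resolved host."""
    findings = []
    if "1" in _listed(settings, "protocol"):
        findings.append("Protocol 1 enabled: SSH protocol 1 has known weaknesses; use 'Protocol 2'")
    if settings.get("stricthostkeychecking", "ask").lower() == "no":
        findings.append("StrictHostKeyChecking no: new and changed host keys are accepted silently, so a man-in-the-middle is not detected")
    if settings.get("forwardagent", "no").lower() == "yes":
        findings.append("ForwardAgent yes: root on the remote host can use your agent to authenticate elsewhere")
    if settings.get("gatewayports", "no").lower() == "yes":
        findings.append("GatewayPorts yes: forwarded ports listen on all interfaces, not only loopback")
    weak = _listed(settings, "ciphers") & WEAK_CIPHERS
    if weak:
        findings.append("weak ciphers: " + ", ".join(sorted(weak)))
    weak = _listed(settings, "macs") & WEAK_MACS
    if weak:
        findings.append("weak MACs: " + ", ".join(sorted(weak)))
    for fwd in settings.get("remoteforward", []):
        # "port host:hostport": the hop from this client to host:hostport runs outside the tunnel
        if fwd.rsplit(":", 1)[-1] == "23":
            findings.append(f"RemoteForward {fwd}: traffic leaves the tunnel at the client as cleartext telnet")
    return findings


if __name__ == "__main__":
    for host in ("backup", "mailtunnel", "legacy-db01"):
        print(host, "->", audit(resolve(SAMPLE_SSH_CONFIG, host)) or ["no findings"])
```

Running the script shows the backup profile clean, the tunnel profile flagged only for the telnet hop beyond the client, and every legacy-* host flagged six times. The first-match rule is the point to remember when editing a real ssh_config: a "Host *" block placed at the top of the file silently overrides every per-server profile below it.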
Table 3.8 Authentication

  FIELD                  DESCRIPTION
  AllowedAuthentication  Specifies the authentication types allowed, such as password, public key, or all of the above

GUI SSH Clients

SSH Communications (www.ssh.com), VanDyke Software, PuTTY, AppGate, and WinSCP are several of the vendors that provide graphical user interfaces (GUIs) for SSH clients. Since there are several GUI clients on the market, the following section examines some of the most useful features of the GUI SSH clients. Also, since the GUI clients are primarily available for Windows, the following section focuses on Windows 2000 and Windows XP. Table 3.9 shows where the SSH clients can be purchased and/or downloaded.

Table 3.9 Web Sites Where SSH Clients Are Available

  CLIENT               URL
  SSH Communications   www.ssh.com
  VanDyke Software     www.vandyke.com/
  PuTTY                www.chiark.greenend.org.uk/~sgtatham/putty/
  WinSCP               winscp.vse.cz/eng/
  MindTerm             www.appgate.com/mindterm/
  MacSSH               pro.wanadoo.fr/chombier/

Windows Installation

Installing Windows-based SSH clients is relatively straightforward. I do not describe the process of installing each of the SSH clients listed in Table 3.9; each ships with a wizard that walks you through the installation.

SSH Communications

SSH Communications' SSH client is the first I will discuss. Open the SSH client and initiate a simple SSH connection by executing the following steps:

  1. Start ➪ Programs ➪ SSH Secure Shell ➪ Secure Shell Client
  2. File ➪ Open ➪ Quick Connect

As shown in Figure 3.1, the Host Name field is either the fully qualified DNS name of the SSH server, such as sshserver.aum.com, or the dotted-decimal IP address of the SSH server, such as 172.16.11.17. The User Name field is the username on the remote SSH server. The username can be either a local account on a Windows machine or a domain account in a Windows domain, depending on how the SSH server is implemented. In Unix environments, the username is the account name as it appears in /etc/passwd.

The Port Number field is used to specify the port number. If the SSH server is listening on a nonstandard port (a port other than port 22), the appropriate port number should be placed in the port box, such as 202. Lastly, the Authentication Method specifies the type of authentication that should be used when attempting to connect to the remote SSH server. The possible values and their descriptions are in Table 3.10.

Figure 3.1 "Quick Connect" menu.

Table 3.10 Authentication Types

  AUTHENTICATION TYPE  DESCRIPTION
  Password             Username and password combination
  Public Key           Public- and private-key authentication
  SecurID              RSA SecurID tokens for authentication*
  PAM                  Pluggable authentication module**

  * Requires an RSA ACE/Server.
  ** The pluggable authentication module is a Unix authentication framework that integrates various authentication methods behind one interface.

SSH Communications offers different settings on its SSH client. Using the menu bar, open the settings menu by selecting Edit ➪ Settings. Under the settings menu there are two sections, Profile Settings and Global Settings, each with several further options. In the following sections, each option is examined individually and its purpose and usage described.

Profile Settings

The profile settings are similar to the ssh2_config file discussed previously with the command-line utilities. All options under the Profile Settings section directly correlate to settings used by default when attempting to connect to an SSH server. The description and usage of the settings are provided in Table 3.11.

Table 3.11 Options Under the Profile Settings Section

  SETTING      DESCRIPTION AND USAGE
  Connection   Defines the connection itself. Its options:
               - Host Name: DNS name or IP address of the remote SSH server.
               - User Name: Username of the account to log in with.
               - Port Number: Port number that the SSH server is listening on.
               - Authentication Methods: Authentication types that can be used to log in to the SSH server. Options are password, public key, SecurID, and PAM.
               - Encryption Algorithm: Sets the cipher used for the session.
               - MAC Algorithm: Sets the keyed hash (HMAC) used to protect the integrity of data sent across the network. Options are MD5 or SHA1, i.e. HMAC-MD5 or HMAC-SHA1. (The option chosen must be supported by the SSH server.)
               - Compression: Enables compression on the connection. The only valid choice for compression is zlib.
  Terminal     - Answerback: Sets the terminal type the SSH server is told to expect. Valid choices range from VT100 to xterm.
               - Connect Through Firewall: This checkbox determines whether the connection is made through a SOCKS or proxy server.
               - Request Tunnels Only (Disable Terminal): Enables/disables the terminal window. If this is enabled, the user does not receive a command-line shell to execute commands, only the session itself to port forward over.
  Cipher List  Lists the ciphers that can be used. Options are 3DES, Blowfish, Twofish, AES, Arcfour, and CAST128. (The option chosen must be supported by the SSH server.)
  Colors       Allows the cosmetic appearance to be modified.
  Keyboard     Changes the keyboard functions.
  Tunneling    Provides the ability to secure X11 connections via the SSH connection by tunneling the X11 packets inside SSH.
               - Outgoing: Sets outgoing tunnels for the session (discussed more in the port-forwarding chapter).
               - Incoming: Sets incoming tunnels for the session (discussed more in the port-forwarding chapter).

Of the cipher list, 3DES, Blowfish, Arcfour, and CAST128 are legacy choices today; prefer AES when the server supports it, and pair it with the SHA1 rather than the MD5 MAC option.

Global Settings

The global settings are used for any SSH connection attempt, regardless of the profile that might be used. All options under the Global Settings section directly correlate to settings used by default when attempting to connect to an SSH server. The description and usage of the settings are shown in Table 3.12.

Table 3.12 Options Under the Global Settings

  SETTING                    DESCRIPTION AND USAGE
  Appearance                 Sets some of the cosmetic items to display by default, such as profiles, hostname, color, and font.
  User Keys                  Manages the public- and private-key pairs that can be used for authentication (instead of a password). This section allows you to create a key pair, delete an old key pair, export a public key to a flat *.pub file, import a key from a flat *.pub file, view the contents of a public key, change the passphrase protecting the private key, and upload a public key to an SSH server (the SSH server must be compatible with the type of key created). The User Keys section is discussed further in Chapter 4.
  Host Key                   Identifies the SSH server. The host key is the server's fingerprint. Comparing it against the key stored from a previous connection protects against address-based attacks on IPv4 networks, such as man-in-the-middle and spoofing attacks, which a bare IP address or DNS name cannot.
  Public Key Infrastructure  Provides support for a certificate-based authentication system. The options can include certificates from SSH clients, certificates (PKI) from an integrated directory service such as LDAP, or hardware devices.
                             - Certificates: Allows the SSH client to import, enroll, view, delete, or change the passphrase of a certificate.
                             - LDAP: Provides LDAP directory integration with PKI certificates.
                             - PKCS #11: Provides a certificate-based interface to hardware devices such as smart cards and tokens.
  File Transfer              Configures Secure FTP and Secure Copy. Options that can be configured are the display type of icons, the display of hidden or root directories, and whether to confirm the deletion or overwriting of a file on the SFTP server. Also allows the configuration of the default viewing application for a file extension that has no associated application.
  Firewall                   Configures SOCKS firewall operability. For example, socks://172.16.1.100:1117 would be used to make an SSH connection via a SOCKS server (172.16.1.100) on port 1117.
  Security                   Configures basic security options, such as clearing the host name upon exit or deleting the contents of the clipboard upon exit.
  Printing                   Sets the options for printing, such as fonts, margins, and header/footer information.

The profile and global settings are the primary areas where the SSH client can be configured for functionality. Like the command-line clients, the GUI client can save settings for different SSH servers. To customize the profile settings for a particular SSH server, go to the File menu and select File ➪ Profiles ➪ Add/Edit Profiles.

A profile can automatically be set up after the initial valid connection to an SSH server. As shown in Figure 3.2, once the initial connection is made, the option to save the profile appears in the upper right-hand corner. The Add/Edit Profiles option is a simple way to customize SSH connections. After opening File ➪ Profiles ➪ Add/Edit Profiles, you should notice the same profile options that are available under Edit ➪ Settings. However, these options do not change all connections globally; they apply to the specific connection only.

Figure 3.2 Automatic Profile save option.

One of the most useful options of SSH Communications' SSH client is the built-in SFTP client. It allows SFTP to be used without a secondary client or another SSH connection. The SFTP client can be started from the menu bar with Window ➪ New File Transfer. After this option has been selected, the SFTP client, reusing the original session to the SSH server, displays the contents of the local machine (the SSH client machine) in the left pane and the contents of the remote SSH server in the right pane. This allows safe and simple SFTP usage over the existing SSH session.
Figure 3.3 demonstrates the use of the SFTP client option with an SSH session that has already been established.

The last option I will discuss for SSH Communications' SSH client is Log Session. This option logs the entire connection, including commands, outputs, and inputs, to a log file. The log file can be saved locally on the client machine for viewing at a later time. The Log Session option is located on the File menu, at File ➪ Log Session. After Log Session is chosen, the client prompts for a location to save the log file to. Session logging takes effect for the connection made after the option is enabled.

Figure 3.3 SFTP client option on an established SSH session.

VanDyke Software's SecureCRT

VanDyke Software has an SSH client called SecureCRT. Open the SSH client and initiate a simple SSH connection by selecting Start ➪ Programs ➪ SecureCRT 4.0 ➪ SecureCRT 4.0. After you select the shortcut, SecureCRT automatically opens its Quick Connect menu (see Figure 3.4) to begin an SSH connection.

The remainder of this page consists of preview fragments from later in the book (the rest of Chapter 3 and parts of Chapter 4). Each fragment is cut off at "..." where the intervening text is not on this page.

... chosen, the client will save the session under the location specified in the Session Options section. The only difference between the two settings is that the Raw Log Session records connections between the SecureCRT client and the SSH service, including escape commands. The Trace Options menu allows the display of hidden communication between the SSH server and the SecureCRT SSH client. To enable the Trace ...

... depending on the type of SSH server deployed. The options range from valid password attempts to the use of blank passwords. The following paragraphs describe the SSH servers and the authentication options they provide.

SSH Communications' SSH server (Windows): SSH Communications' SSH server offers a few options for authentication. Open the SSH Server configuration screen (Start ➪ Programs ➪ SSH Secure Shell Server ... ➪ Configuration) and highlight the User Authentication section of the screen. See Figure 4.1 for the authentication screen. Figure 4.1 The User Authentication section of the screen for SSH Communications' SSH server. Tables 4.1 through 4.3 describe the general authentication options for SSH Communications' SSH server. Table 4.1 describes the general user-authentication options. Parameters ...

... server offers a few options for authentication. Open the VShell configuration screen (Start ➪ Programs ➪ VShell ➪ VShell) and highlight the Authentication section of the screen (see Figure 4.2). Table 4.5 describes the general authentication options for VShell. Figure 4.2 The User Authentication screen for VShell SSH server. Table 4.5 Authentication Options for VShell: OPTION, DESCRIPTION ...

... (discussed in the following section). Figure 4.3 shows VShell's Authentication menu. Figure 4.3 Authentication section for VShell SSH server. Figure 4.4 User Authentication section for SSH Communications' SSH server. Similarly, enabling password authentication for SSH Communications' SSH server on Windows platforms is quite easy. Using the configuration menu (Start ➪ Programs ➪ SSH Secure Shell Server ...

... where the users' public keys will be stored. The default is Program Files\VShell\Publickey\.

OpenSSH (Unix and Windows): OpenSSH server offers similar authentication options to those of VShell and SSH Communications' SSH server. To view the authentication options, enter the following commands:

  # cd /etc/ssh
  # more sshd_config

or

  c:\> cd "Program Files"\OpenSSH\ssh
  c:\> notepad sshd_config

The options for ...

... that they will be communicating with. Table 4.8 shows the location of the host-key database for SSH clients. SecureCRT and SSH Communications' SSH clients both show the host-key database in their respective client GUI, as shown in Figures 4.5 and 4.6. Figure 4.5 shows the host-key database for SecureCRT. This is the repository for the SSH client for all host keys obtained after a connection is made to an SSH ...

... that the SSH client stores locally on the client machine. Each time the SSH client attempts to log in to the SSH server, the client compares the SSH server's host key with the host key in the SSH client's host-key database to make sure it matches. If the keys do not match, the SSH client can choose not to log in to the SSH server, due to possible tampering with the SSH server or a possible man-in-the-middle ...

... different.) The following is a list of the syntax depending on the environment:

  ssh-keygen -P Aum      (OpenSSH)
  ssh-keygen2 -P Aum     (SSH Communications)

(Note that in OpenSSH, -P supplies the old passphrase; the output file name is given with -f, so the OpenSSH line as printed does not by itself produce a file named Aum.)

2. This will create the private host key and the public host key. The public host-key file is Aum.pub and the private host-key file is Aum.
3. Copy Aum.pub to the knownhosts folder in /etc/ssh2 for SSH Communications' SSH server and to /etc/ssh/ssh_known_hosts for OpenSSH ...

... (host-key locations, from the table in this fragment):

  SSH Communications' server (Unix)      /etc/ssh2
  SSH Communications' server (Windows)   Program Files\SSH Secure Shell Server
  VShell SSH server                      Program Files\VShell\hostkey
  OpenSSH server                         /etc/ssh

5. Configure the OM SSH server to accept host-based authentication by editing the configuration file. Edit sshd2_config to enable host keys for authentication for SSH Communications' SSH server:

  ## Authentication
  ## publickey ...
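The host-key check described above (the Host Key global setting in Table 3.12 and the host-key database fragments) is the client's only defence against a spoofed server, so it is worth seeing exactly what is compared. The following is an added example, not code from the book: it builds a server's public key in the RFC 4253 wire format, stores it in a constructed OpenSSH known_hosts line, computes the MD5 colon-hex fingerprint that 2003-era clients displayed alongside the SHA256 form modern OpenSSH prints, and makes the three-way decision (match, unknown, mismatch) a client makes before authenticating. The host names and key values are constructed test data; the moduli are far too small to be real RSA keys and only exercise the encoding.

```python
"""Host-key check against a local host-key database (OpenSSH known_hosts
format).  Added example; not code from the book.  Hosts and keys are
constructed test data, not real servers or real RSA keys."""
import base64
import hashlib
import struct


def _ssh_string(b):
    """SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n):
    """SSH 'mpint': minimal big-endian bytes, plus a leading zero if the top bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def encode_rsa_pubkey(e, n):
    """RFC 4253 wire encoding of an ssh-rsa public key: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def decode_pubkey(blob):
    """Return (key_type, [integers...]) from a wire-encoded public key."""
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + length])
        off += length
    return fields[0].decode(), [int.from_bytes(f, "big") for f in fields[1:]]


def fingerprint_md5(blob):
    """Colon-separated hex MD5 of the key blob, as older clients display it."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob):
    """'SHA256:' plus unpadded base64 of the SHA-256 digest, as modern OpenSSH prints it."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_known_hosts(text):
    """Map each host name to (key_type, blob) from lines 'host[,host...] type base64'.
    Hashed (|1|...) and [host]:port entries are out of scope for this example."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, ktype, b64 = line.split()[:3]
        for host in hosts.split(","):
            db[host] = (ktype, base64.b64decode(b64))
    return db


def check_host_key(db, host, ktype, blob):
    """The decision taken before any authentication happens:
    'match'    - key equals the stored one, proceed;
    'unknown'  - first contact, the fingerprint must be verified out of band;
    'mismatch' - the stored key differs: the server was re-keyed, tampered with,
                 or a man-in-the-middle is answering for it, so refuse."""
    if host not in db:
        return "unknown"
    return "match" if db[host] == (ktype, blob) else "mismatch"


# Constructed test keys (placeholder moduli, not real RSA keys).
SERVER_KEY = encode_rsa_pubkey(65537, 0xC0FFEE1234567890ABCDEF)
ROGUE_KEY = encode_rsa_pubkey(65537, 0xBADC0DE987654321FEDCBA)
KNOWN_HOSTS = ("sshserver.example.test,172.16.11.17 ssh-rsa "
               + base64.b64encode(SERVER_KEY).decode() + "\n")

if __name__ == "__main__":
    db = parse_known_hosts(KNOWN_HOSTS)
    print(fingerprint_md5(SERVER_KEY))
    print(fingerprint_sha256(SERVER_KEY))
    for host, key in (("sshserver.example.test", SERVER_KEY),
                      ("sshserver.example.test", ROGUE_KEY),
                      ("other.example.test", SERVER_KEY)):
        print(host, check_host_key(db, host, "ssh-rsa", key))
```

The comparison is over the whole key blob, not the fingerprint: fingerprints are for humans reading a value off a console or a trusted inventory during the "unknown" case. A client that treats "mismatch" as a warning to click through, which is what StrictHostKeyChecking no amounts to, has given up the only check that ties the session to the server the user thinks they are talking to.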

Posted: 14/08/2014, 02:20
