All About SSH - Part I/II

Replacing telnet/rlogin/rsh with SSH

Denial of Service Research Center

By SeáÏ Boran

Feb 14, 2000. This article presents an overview of SSH, the Secure SHell. This is the first part of a two part series, introducing SSH and the major implementations - except OpenSSH.
Part2 will focus on the new OpenSSH.

SSH is so useful, easy to use and so much more secure than the archaic telnet/rlogin/rsh, that no UNIX system should be installed without it. Ideally all OS vendors would follow the example of OpenBSD & Suse, and bundle SSH with the OS.

We welcome your feedback on this article.

1. SSH Overview

Why SSH?
Features
Licensing & cost
U.S. Export and Patent Restrictions
Advantages
Disadvantages

2. Implementations
• SSH server/client for UNIX/Linux: SSH1, SSH2 , LSH
• Mindterm SSH (Free Java SSH client)
• Windows SSH clients
• Other architectures: Mac, Palm Pilot, VAX
3. Compiling & Configuring
• SSH1 Compiling
• SSH1 Configuration
• Mindterm SSH client installation
4. Doing even more with SSH
5. References

SSH Overview

Secure Shell (SSH) was originally authored by Tatu Ylen, Finland, is a secure replacement for Telnet, rlogin, rcp, rsh and provides secured TCP tunnels. Optional compression of traffic is provided and can also be used together with many Authentication schemes such as SecurID, Kerberos, S/KEY to provide a highly secure remote access point to UNIX servers.

SSH1 was the the first version (protocol v1.2 and v1.5) that was free in the earlier days, but licensing has become more restrictive and SSH Communications and DataFellows are trying to get people to move to the newer SSH2 (which is commercial). However SSH1 is destined for a long life as freeware, now that OpenSSH has been produced by the OpenBSD team and community.

Why SSH?

The Telnet, rlogin, rcp, rsh commands have a number of security weakness: all communications are in clear text and no machine authentication takes place. These commands are open to eavesdropping and tcp/ip address spoofing. A second key UNIX tool, the X11 windows system, also communicates in clear text, uses dynamic ports (making packet filtering difficult) and has a difficult-to-use access control mechanism "xhosts" and "xauth", that few users understand and hence X11 access control is often insecure on UNIX desktops.

SSH uses public/private key RSA authentication to check the identity of communicating peer machines, encryption of all data exchanged (with strong algorithms such as blowfish, 3DES, IDEA etc.). Backwards compatibility to rlogin/rsh and their trust files (rhosts, hosts.equiv) is provided to allow communication with non SSH servers. Optionally, an encrypted tunnel for X11 communications can be automatically setup by SSH (using the xauth access control and DISPLAY environment variable).

So SSH protects against:

• Eavesdropping of data transmitted over the network.
• Manipulation of data at intermediate elements in the network (e.g. routers).
• IP address spoofing where an attack hosts pretends to be a trusted host by sending packets with the source address of the trusted host.
• DNS spoofing of trusted host names/IP addresses.
• IP source routing

SSH does not protect against:

• Incorrect configuration or usage (see disadvantages below).
• A compromised root account. If you login from a host to a server and an attacker has control of root on either side, he/she can listen to your session by reading from the pseudo-terminal device, even though SSH is encrypted on the network, it must communicate in clear text with the terminal device.
• Insecure home directories: if an attacker can modify files in your home directory (e.g. via NFS) he may be able to fool SSH.

Features

SSH can be used to log-in securely into another computer over a network, execute commands on a remote machine, and copy files from one machine to another. SSH provides strong authentication and secure communications over insecure channels. It is intended as a replacement for rlogin, rsh, and rcp. Additionally, SSH provides secure X11 connections and secure forwarding of arbitrary TCP connections.

• Supports strong, proven authentication systems such as RSA, SecurID, S/Key, Kerberos and TIS (as well as the usual UNIX username/password authentication).
• Three types of trust exist: shosts, rhosts compatible and RSA. RSA trust is stronger (using a private/public key system to identify peers), but bypasses the username/password authentication of UNIX.
• The SSH Server runs on UNIX, Linux and VAX.
  Client runs on the above, plus Windows and many other platforms.
• Data compression can be enabled to improve performance over slow network links.
• SSH Internet Proxies:
  • I don't know of any real working SSH proxies: Magosanyi Arpad started working on one based on OpenSSH (see the OpenSSH developers list, message dated 2000-01-13 17:10:05), but hasn't time to finish it.
  • SSH can be compiled so that it can traverse SOCKS proxies. SOCKS is a general proxy protocol, originally sponsored by NEC, but now available from several vendors.

SSH2 is the new protocol version, submitted to the IETF for approval by SSH Communications. It is rewritten (improved cryptography) and is designed for more general purpose VPNs. SSH2:

• Includes sftp, an SSH2 tunneled ftp.
• Uses separate config files to SSH1 (e.g. /etc/ssh2/ssh2_config), but can call SSH1 if a client requests SSH1 protocols and SSH1 is available.
• Compatible with SSH1, when ssh1 has been installed prior to ssh2.
• DSA and Diffie-Hellman key exchange are supported.
• Because of the commercialisation (see licencing below), acceptance of SSH2 has been slow.

Licencing and Cost

Today there are many versions of SSH, some implement client only, some both client and server. Commercial, freeware and "restricted freeware" licensing is in use. The original SSH (SSH1) implemented by Tatu Ylen was free, but versions later than 1.2.12 have restrictive licensing. The current SSH1 v1.2.27 indicates that it may only be used for non-commercial purposes only, but it would seem that most situations would allow free usage:

For commercial licensing please contact Data Fellows, Ltd. Data Fellows has exclusive licensing rights for the technology for commercial purposes.....
You may use the program for non-commercial purposes only, meaning that the program must not be sold commercially as a separate product, as part of a bigger product or project, or otherwise used for financial gain without a separate license...
Use by individuals and non-profit organizations is always allowed...
Companies are permitted to use this program as long as it is not used for revenue-generating purposes..

SSH2 has a more restrictive licensing, basically meaning it is only free for non-profit organisations:

NON-COMMERCIAL: any use that takes place in commercial, governmental, military, or similar organizations and where a salary or similar monetary compensation is paid, unless the use can be considered to be EDUCATIONAL USE or is purely for charity.

Commercial versions are produced by DataFellows and cost about $99 for clients and $500 for servers.

U.S. Export and Patent Restrictions

SSH contains strong cryptography (no weak versions exist), which make it a no-no to export from the U.S., under the current regulations (which will hopefully change in the coming months). Luckily, SSH1 was developed in Finland meaning export to the U.S. and the rest of the world is no problem.

The RSA algorithm is patented in the U.S., so U.S. users of SSH have to use RSAREF, an official RSA library and pay royalties to RSA. This patent expires in September 2000 however.

Both of these issues make is very difficult for U.S. Operating System vendors to bundle SSH with their product. OpenBSD (based in Canada) and S.u.s.e Linux (Germany) both bundle SSH.

The IDEA algorithm is patented by Ascom in Switzerland (and only free for non-commercial use), is used by SSH, but it can be disabled when compiling the SSH server.

Advantages

• Proven technology - I've been using SSH for 4 years and find it to be robust and reliable.
• Strong international encryption - and no watered down, weak versions exist.
• Both free and commercial versions exist.
• SSH client runs of most platforms, the server runs on UNIX, Linux and VMS.
• Tunneling of static TCP ports works well and can be automated to use for simple VPNs.
• Many authentication methods including Kerberos, TIS, SecurID and RSA.
• SOCKS5 proxy aware.

Disadvantages

• Port ranges & dynamic ports can't be forwarded.
• Few Windows versions implement secure file copy or key generation.
• SSH1 daemon:
  • Cannot restrict what ports may or may not be forwarded, per user.
  • When a user is authenticated by password, the client's RSA identity is not verified (against ssh_known_hosts). The verification only takes place when .[sr]hosts trust is used.
• Performance can be a problem on old machines (e.g. Sun SPARC1 with 16MB of ram, but how many of these are still around?)
• The standard SSH1 distribution's defaults include a clear text option and patented algorithms such as IDEA. However, these can be switched off (see configuration section below).
• Licensing of the original source has become very restrictive (see above).

Implementations



SSH server & client for UNIX/Linux

SSH1 for UNIX is available as a free or commercial product (from DataFellows). It is the "original" SSH, but is not being further developed at the moment (except for fixes). The emphasis is now on the commercial SSH2.

• The author has been running the free versions V1.2.13 - 1.2.27 on the following platforms for since late 1995: Solaris 2.4, 2.5, 2.6, 2.7, SunOS 4.1.3, OSF1.3, IRIX 5.3. Works very well on Solaris, with some problems on IRIX.
• POP, SMTP, FTP authentication and other TCP socket sessions can be tunneled, e.g. for SMTP:
   ssh -L 25:mailhost.target.domain:25 target &
• V1.2.17 (and later) work with SOCKS5 proxies and SecurID authentication is also supported (the author has used both since 1996).
• See the main FTP site: ftp.cs.hut.fi/pub/ssh or one if it's mirrors such as ftp.cert.dfn.de/pub/tools/net/ssh .

SSH2 from DataFellows is a commercial product for UNIX, Windows or Mac. There is a free version for non-commercial use, but licensing is pretty restrictive. The SSH2 home page is www.ssh.fi.

LSH: Efforts are underway to develop LSH, a free version of SSH2 www.net.lut.ac.uk/psst. It has not yet reached a stable release status.

Mindterm SSH (Free Java SSH client)

Mindterm is a free (GPL) SSH client written in 100% pure Java. It can be run as a stand-alone program or as an applet in a webpage. It can be run with or without a GUI. It has other useful features: scp - file copying and a special ftp-tunnel which works with "ordinary" ftpd's "behind" the sshd.

The current version is v1.1.5, see http://www.onlineitdegree.net/mindterm/ . Mindterm SSH has been tested by the author for several months as a standalone application (not an applet) on NT4, Win95 and Solaris 2.5:

• Multi-platform: should run wherever a JVM exists?
• Stable, pretty, flexible terminal emulation, saves properties per server, can generate RSA keys, session can be logged to file, can be used as GUI or command line, X11 and port forwarding works. Brilliant!
  Some nifty extras: "clone terminal", "copy on select", capture to file.
• It has scp (file copy) and ftp tunneling (in PASV mode).
  Example ftp tunnel instructions:
  1) On Mindterm client: Go to menu Tunnels -> Basic... Enter a local port of your choice.. Select protocol ftp... Give host-name of ftp-server behind sshd... Click Add button
  2) On the FTP client (e.g. ws_ftp): Define a new "site" with address localhost... go to "Site properties"... in "folder" advanced set "Remote Port:" to local port selected above... enable "Passive transfers"
• Problems: no serious ones, but....
  scp will only copy files to the connected server and does not understand target syntax like john@server3:/mydir or ~john for home directories.
  There's no online help (but the readme is good).
  I've also had occasional blocked tunnels and had to restart.
  The encryption algorithm can be set to none (not at all desirable!).

Windows SSH clients

• TTSSH (TeraTerm SSH) - free
  • TTSSH is a SSH add on (DLL) to TeraTerm Pro (a free terminal emulation package) .
    TTSSH www.zip.com.au/~roca/ttssh.html
    TeraTerm hp.vector.co.jp/authors/VA002416/teraterm.html 
  • Version 1.4 of TTSSH (Dec'98) includes the following features: Compatible with SSH protocol version 1.5 Ciphers: 3DES, IDEA, Blowfish, DES, RC4 Server authentication using the ssh_known_hosts database (including the option of adding a server's key to the database) Authentication using password, RSA, rhosts and rhosts+RSA. Compression support. Connection forwarding, including full support for X connection forwarding.
  • Note that the older V1.2 did not have X11 or port forwarding.
  • I've tested V1.4 and am impressed, but it doesn't have the ftp tunneling or scp of MindTerm. TeraTerm is a nice terminal emulation too, offering a good GUI and features such as session logging and custom key mapping.
    Tip: set TERATERM_EXTENSIONS=1 in your environment (so that Teraterm enables extensions and presents SSH by default) and edit teraterm.ini to change a few defaults.
• Other free Win32 implementations. Most of the following use the Cygnus Win32 libraries, you'll need usertools.exe from sourceware.cygnus.com/cygwin/download.html
  • Gorden Chaffee's command line port of ssh1 & scp1 bmrc.berkeley.edu/people/chaffee/winntutil.html
  • Raju Mathur/Gordon Chaffee wrote a Win32 patch for ssh-1.2.14, the binaries are in ftp.cs.hut.fi/pub/ssh/contrib. There's also a ssh-1_2_22-Win32-Beta1.
    Installation notes:
    Create a c:\ssh\etc directory to ssh_config, ssh_host_key, and ssh_host_key.pub. Generate keys on Unix with ssh-keygen (ssh-keygen doesn't work on NT).
    Set the your HOME environment variable (via Control Panel->System).
    Create a \.ssh directory and copy in your identity and identity.pub files (generated above by ssh-keygen)
  • A version based on 1.2.20 that hasn't been further developed, is at guardian.htu.tuwien.ac.at/therapy/ssh
  • Cedomir Igaly offers a free 16 and 32 bit version without sources. It uses Peter Gutmann's cryptographic library on Garbo. It was at www.doc.ic.ac.uk/~ci2/ssh .
  • Simon Tatham has developed PuTTY, a free Win32 Telnet/SSH Client. It is at beta v0.47 www.chiark.greenend.org.uk/~sgtatham/putty.html .
  • Sergey Okhapkin's SSH1 & SSH2 32bit servers/clients www.lexa.ru/sos
  • FiSSH is a free 32-bit SSH1 client www.massconfusion.com/ssh soon to be released.
  • Cynus Win32 port of SSH 1.2.2 by Raju Mathur reality.sgi.com/raju/software.html
• F-Secure SSH for Windows (16 and 32 bit) from Datafellows (www.datafellows.com/f-secure) is commercial.
  • Well integrated into the Windows environment. Easy to use. Stable.
  • Strong encryption: the DES, 3DES and Blowfish algorithms may be selected. This offers military grade encryption strength (assuming the algorithms have been correctly implemented!).
  • Can forward encrypted TCP sockets for created simple VPN tunnels. Works with SMTP, POP3, telnet etc. (where known static ports are used).
  • Although only a 16 bit version is currently available (V1.1), it works fine with Win95 & NT4.
  • Problems: There is no "secure file copy" feature, or ftp tunneling. Make sure you use v1.1 rather than v1.0, which is a bit unstable.
• VanDyke SSH for Win32 (U.S. users only). VanDyke offer a commercial 32bit client that is user friendly, but obviously is U.S. export restricted. It has a worrying option: it allows users to save passwords to allow "easier" login. See www.vandyke.com/products/securecrt/index.html 

Other architectures

• Cric Gourio also developed a Java based SSH for his diploma - www.cl.cam.ac.uk/~fapp2/software/java-ssh.
• Mac Versions
  NiftyTelnet SSH is a free ssh client for MacOS. It is an enhanced version of NiftyTelnet.
  Datafellows produce a commercial Mac client: www.datafellows.com/f-secure.
• Palm Pilot
  Top Gun ssh 1.2 at www.isaac.cs.berkeley.edu/pilot/ or ftp.zedz.net/pub/crypto outside the US.
• Windows CE: Mov Software has released sshCE. www.movsoftware.com/sshce.htm.
• BeOS: The BeOS R4 port of SSH1 for Intel and PowerPC is available from www.be.com/beware/Network/ssh.html
• OS/2: See ftp://hobbes.nmsu.edu/pub/os2/apps/internet/telnet/client/ssh-1.2.27-b1.zip for OS/2 Warp 3+.
• VAX/OpenVMS
  David Jones has created an OpenVMS SSH1 server www.er6.eng.ohio-state.edu/~jonesd/ssh.
  Christer Weinigel and Richard Levitte have created an OpenVMS SSH1 client www.free.lp.se/fish.
• Nokia firewalls (based on Firewall-1 and a hardened FreeBSD) have an SSH option - use it and disable telnet/ftp!

Compiling & Configuration

SSH1 Compilation

• An install tool for Linux RPMs was available at ftp.yellowdoglinux.com/pub/yellowdog/install-ssh.
• Compiling SSH1 for UNIX (the following examples are for Solaris) is straight forward. Assuming we want the standard options, but want to disable clear text, the old RSH/rlogin and avoid the IDEA algorithm:
  gzcat ssh-1.2.27.tar.gz | tar xf -
  cd ssh-1.2.27; ./configure --prefix=/usr --without-none --without-rsh --without-idea
  make
  make install
  The SSH daemon will have to be added to one of the system startup files, it is not done by "make install". An example for Solaris would be to create a startup file /etc/rc2.d/S10sshd.
• useful compilation options:
  --without-idea Don't use the patented IDEA algorithm
  --without-none: never allow clear text (unencrypted) communication if one of the servers has no key.
  --without-rsh: never allow rsh rhosts as an option when a server has no key.
  --prefix=/usr/bsd --sbindir=/usr/bsd --bindir=/usr/bsd : Installation in non standard locations.
  --with-securid=../ace  Add SecurID authentication support (you need the ACE libs)
  --with-socks5=/usr/local/lib Socks5 proxing support
• Preparing a binary install package: To make life easier, compile on (say) one machine as above, then create a tar file of the binaries (in the C-Shell). The following also assume that you have copied some SSH documents such as the FQ to /usr/localssh-docs.

  tar cvf ssh_bin.tar /usr/local/bin/{ssh,ssh1,scp,scp1,slogin}
  tar uvf ssh_bin.tar /usr/local/bin/{ssh-keygen1,ssh-keygen,ssh-agent1,ssh-agent}
  tar uvf ssh_bin.tar /usr/local/bin/{ssh-add1,ssh-add,ssh-askpass1,ssh-askpass}
  tar uvf ssh_bin.tar /usr/local/bin/{make-ssh-known-hosts1,make-ssh-known-hosts}
  tar uvf ssh_bin.tar /etc/{sshd_config,ssh_config}
  tar uvf ssh_bin.tar /etc/rc2.d/{S10sshd,K10sshd} /etc/init.d/sshd
  tar uvf ssh_bin.tar /usr/local/sbin/{sshd,sshd1}
  tar uvf ssh_bin.tar /usr/local/man/man1/{ssh-keygen.1,ssh-agent.1,ssh-add.1,ssh.1,ssh1.1,slogin.1,slogin1.1,scp.1,scp1.1,make-ssh-known-hosts.1} /usr/local/man/man8/{sshd.8,sshd1.8}
  tar uvf ssh_bin.tar /usr/local/ssh-docs
  compress ssh_bin.tar

• Installing on a number of machines:
  Copy ssh_bin.tar.Z (created in the last step) to the new target system,
  backup any existing config files,
  extract in root, "rehash" (if using csh) and then generate a host key:
   ssh-keygen -b 1024 -f /etc/ssh_host_key -N '';
  Add the ssh service, by adding the following to /etc/services:
   ssh 22/tcp  # Secure Shell
  Start the ssh daemon:
  sh /etc/rc2.d/S10sshd start
• On OpenBSD 2.6, OpenSSH is already installed, but let's say you want to install SSH1 or have an older version of OpenBSD and are not resident in the U.S., then either
  1. Install the binary package for the appropriate OS version and architecture
   pkg_add ftp.openbsd.org/pub/OpenBSD/2.6/packages/sparc/ssh-intl-1.2.27.tgz
  2. Or get the sources and compile:
  a) Update your ports listing if needed, but be aware that this takes time and you should select your CVS target server carefully (see www.openbsd.org/anoncvs.html ):
   setenv CVSROOT anoncvs@anoncvs.ca.openbsd.org:/cvs
   For a new ports listing:  cd /usr; cvs -q get ports
   To update an existing version: cd /usr; cvs -q update ports
  b) See what ssh versions are available:
   cd /usr/ports; make search key=ssh
   This reports that ssh-1.2.27 is available (for example) in /usr/ports/security/ssh
  c) cd /usr/ports/security/ssh;
   make all install USA_RESIDENT=no;
   This should download the source, plus a patch and compile it. If there are are make problems, update the ports listing (above) and rebuild.
  Use "pkg_info" to verify that it is registered as being installed on the system, it can later be deleted with "pkg_delete".

SSH1 configuration

• Configuration files: The server has a configuration file /etc/sshd_config, the client reads a configuration file /etc/ssh_config, which gives site-wide defaults for various options. Options in this file can be overridden by per-user configuration files (in ~user/.ssh directory).
• Server: Configure the ssh daemon so that access is restricted to named hosts with known public keys (/etc/ssh_known_hosts) and rhosts authentication is disabled. See commented example /etc/sshd_config, In particular, look at options such as:
  • The StrictHostKeyChecking option can be used to prevent logins to machines whose host key is not known or has changed. If this flag is set to "yes", ssh will never automatically add host keys to the /etc/ssh_known_host or $HOME/.ssh/known_hosts file, and refuses to connect hosts whose host key has changed. This provides maximum protection against trojan horse attacks. For many Administrator situations setting this flag to "ask" to prompt the user about whether to add the key to the known list of hosts is ideal.
  • RhostsRSAAuthentication when set to yes, allows ~/.shosts to define trust relationships. It may be set to "yes", "nopwd", or "no". The "nopwd" value disables password-authenticated root logins, unless there is an .shosts allowing access without a password.
    Root login with RSA authentication when the "command" option has been specified will be allowed regardless of the value of this setting (which may be useful for taking remote backups even if root login is normally not allowed.
  • An empty config file can be placed in the users home directory owned by root and writeable only by root. This will force the system wide settings for all users.
  • Use at least v1.2.26 to ensure forward compatibility with SSH2.
  • Logging in without passwords:
    • Avoid if possible, but if necessary, setup carefully. Use .shosts rather than .rhosts. Make sure trust files have mode 400. Don't use trust on NFS shared home directories.
    • Setting up /.shosts root trust from host A to host B: Add hostA to /.shosts and /etc/hosts on hostB, add the Public Key of HostA to /etc/ssh_known_hosts or ~/.ssh/known_hosts.
    • Setting up RSA trust from host A to host B: The .ssh/Identity.pub (public key) of the host A needs to be appended to the list of keys in .ssh/authorized_keys on the destination machine.
• Client configuration: Configure the system wide defaults for the SSH client. See commented example /etc/ssh_config
• SSH and SUID root security:
  SSH installs two programs that need special privileges. Ssh is the client program, and it is by default installed as suid root, because it needs to create a privileged port in order to use .rhosts files for authentication. If it is not installed as suid root, it will still be usable, but .rhosts authentication will not be available. Also, the private host key file is readable by root only.
  Sshd is the daemon that listens for connections. It should preferably be run as root, because it is by normally listening on a privileged port (22), and it needs to be able to do setuid(), update utmp, chown ptys etc. when a user logs in. If it is not run as root, explicit "-p port" option must be given to specify an alternate port (same port must also be specified for clients), "-h host_key_file_path" must be given to specify an alternate host key file, and it cannot be used to log in as any other user than the user running it (because it cannot call setuid()). Also, if your system uses shadow passwords, password authentication will not work when running as someone else than root.
  Both the server and the client have been carefully screened for possible security problems, and are believed to be secure. However, there can be no guarantee.

Mindterm SSH installation

• Installation on Windows (tested with v1.1.2, current version is v1.1.5):
  Get it from www.mindbright.se/mindterm and install a Java Runtime v1.1 from Sun,
  Or, download mindterm_install.zip (2MB file with Java runtime v118 and Mindterm V1.1.5), extract to C:\Progra~1, then setup a shortcut on your desktop to c:\Progra~1\mindterm\mindterm.bat . This will work with English, French, German and Italian (hence the use of the short name).
• Installation on Solaris:
  • An example startup script for Solaris is mindterm.sh. Copy this along with mindterm.zip to /usr/local/bin .
  • InstallJava(already installed on newer Solaris, make sure you have v118 or later).
  • Make sure /usr/local/bin is in your path and then just type mindterm.sh.

Doing even more with SSH

• SSH1:
  • SSH1 can easily forward single sockets (POP3, SMTP, etc..) out of the box, with either a PC or UNIX client, e.g. ssh -L 25:mailhost.target.domain:25 target &
    SSH cannot tunnel dynamic ports or ranges. Mindterm SSH include an option for FTP tunneling.
  • If PPP is redirected over an SSH socket, SSH can be used as a general purpose VPN. A practical example using Linux as a gateway on both sides is described the O'Reilly book "Virtual Private networks, 2nd Edition", chapter7 and more information is at sunsite.unc.edu/LDP/HOWTO/mini/VPN.html. You'll need Linux on both sides and it's a bit tricky (dated 1997). I've not yet tried this.
  • Try also sites.inka.de/sites/bigred/sw/ssh-ppp-new.txt (dated 1996)
• Rdist 6.1.2 (public domain version) runs over SSH (tested on Solaris 2 & SunOS) and can be used o synchronise file between two hosts, or report on differing files.
• Fsh is an add-on to keep an SSH tunnel open to allow several commands to be remotely executed without reopening the tunnel each time www.lysator.liu.se/fsh. I've not yet tried this.
• Using SSH with RPC/keyserv/NFS/NIS+ : see fy.chalmers.se/~appro/ssh_beyond.html
• Jean Chouanard has produced SecurID/ACE patches for SSH1 that add support for the "New Pin" and "Next Token", but which only work if both SSH server and client are modified accordingly. There is no sign of these patches being integrated into OpenSSH of Mindterm SSH just yet. See ftp.parc.xerox.com:/pub/jean/sshsdi/README
• Virtual Network Computing is a "remote control" program that allows you to see and use the desktop of another machine (NT, Win95, UNIX) over the network. It could also be used for teleworking over insecure networks such as the internet. Or SSH can be used to encrypt the VNC communications and hence increase it's security.
  • Install an NT VNC server on the intranet, one which is part of the usual NT domain and has accounts for those who need to logon. [It could also be UNIX, I'm just using NT as an example].
    Secure this machine by choosing a strong VNC password, enabling exclusive VNC access, by enabling a screen saver with password after 5 minutes of inactivity and by not putting it in a public area. Regularly monitor the event log.
  • Install an Intranet UNIX SSH server.
  • Install a SSH internet gateway, which allows SSH connections from the Internet. Successful logins are presented directly to the Intranet SSH server.
    Security: Put this host in the DMZ between two secure firewall filters. Harden. Disable all services except SSH. Allow no protocols except SSH from the Internet. Configure SSH to refuse root logins and disable trust mechanisms and RSA authentication. Configure all user accounts to use a strong authentication mechanism such as SecurID. Configure user shell to automatically login use to the Intranet UNIX server (don't allow local logins to this server). Be paranoid, monitor logs carefully and run integrity checks (such as tripwire) frequently.
  • Install an SSH client such as Mindterm on the VNC client (somewhere on the Internet).
    • SSH Client configuration: Connect to SSH gateway and authenticate with SecurID (or whatever). Login to UNIX Intranet server. Setup tunnel from local port 5902 to NT_VNC_server port 5900.
    • VNC Client: Start local VNC client, connect to localhost:2, enter the VNC password and voila, the desktop should appear. Now login to NT as usual.
    • Security: I suggest you use you own machine (not one in an Internet Cafe), with an up-to-date Virus checker, File shares disabled, and a personal firewall such as BlackICE installed (and set protection level to Paranoid, no file sharing). This machine should be physically protected and possibly fitted with encrypted disks (e.g. PGPdisk).

References

1. Security Portal Research Centre
2. Documentation:
   SSH FAQ www.employees.org/~satch/ssh/faq
   Getting Started with SSH by Kimmo Suominen www.tac.nyc.ny.us/~kim/ssh
3. Getting SSH
   See the links in the Implementation section above.
4. Search for SSH pages on the net: www.links2go.com/topic/SSH

SeáÏ Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.  Last Update: 03 February, 2000

Ž© Copyright 2000, SecurityPortal Inc., All Rights Reserved