Client Access Standards to Production Servers Using the SSH Protocol By: Craig Borysowich Chief Technology Architect Imagination Edge Inc. www.imedge.net Revision: 2.7 Client Access Standards to Production Facilities Overview This document describes and provides information on the tools and standards for access by clients to production facilities. The two most common technologies in use today for secure access to machines and networks are Virtual Private Networking (VPN) and/or Secure SHell (SSH). Note: • Information on SSH and VPN is available at www.ietf.org as a series of RFC documents in different categories (standard, informational, memorandum). • Information on TCP/UDP port assignment is available at www.iana.org. • The open standards initiative is supported by www.openssh.org. IP-based remote access to secure servers should standardize on SSH as a secure and effective method of providing client access to their production facilities at any datacenter. SSH was chosen over VPN technology for client access for the following reasons: • SSH like VPN provides encrypted, secure communications • SSH like VPN allows for tunneling • SSH provides end to end encryption, VPN encryption demarcates at the VPN appliance output, from that point forwards transmission is ‘in the clear’ • Unlike VPN, SSH does not appear as a member node of a network • Unlike VPN, SSH does not exchange full network information such as routing tables and broadcasts • SSH requires a lower overhead on computing resources than VPN; no need for a dedicated appliance Note: The use of VPN facilities should be limited to production support and key staff. This document covers: • Technical details of SSH • Use of SSH • Client installation In the appendix of the document there is a further in depth technical discussion on the SSH protocol and a FAQ. www.imedge.net Page 2 10/14/2004 Client Access Standards to Production Facilities SSH use in Datacenters Secure communications in any computing environment is a necessity either in all or portions of the enterprise. The security of systems in the infrastructure is usually guided by the corporate security department for establishing best practices. This document provides the guideline for the application of industry standards in securing systems, their data and communications using SSH. There is a need for clients to be able to access their systems for the following purposes: • Remote administration and maintenance of applications • GUI based management interfaces • Data movement The standard utilities and services like telnet and ftp have well documented, known and exploitable vulnerabilities. Allowing access to these and other services on a host machine is contrary to industry security best practices and hardening standards. Another consideration is securing the transmission data, an environment where usernames and passwords, or sensitive data is ‘in the clear’ could severely compromise systems and business applications. The use of SSH allows for: • encryption of usernames and passwords while communicating • secure and encrypted telnet and ftp • a pseudo VPN that allows protocol forwarding SSH is an encrypted protocol client/server application. Administrators configure and maintain the server side of the installation and management of the infrastructure on behalf of their users. The SSH server provides access control, authentication, encryption and auditing of sessions established on the server by external administrators and other power users that require direct access to the server for application or data maintenance. The client is configurable and can be either private label or public domain; the client communicates on port 22 in an encrypted and secure fashion. Note: The entire session between server and client is torn down when the client disconnects, it is good practice to terminate your session when not in use. There will also be disconnects of a session when preset idle timers have been exceeded in the network path. www.imedge.net Page 3 10/14/2004 Client Access Standards to Production Facilities Towards these goals the F-Secure SSH server has become defacto in its use to serve encrypted secure services from host to end node. Imagination Edge recommends the use of the F-Secure SSH Client for those who want a graphical interface for ftp transfers and as a qualified client for telnet, ftp, xwindows, tunneling and encryption (www.fsecure.com). It should also be pointed out that there is public domain SSH clients’ available dependant on your personal needs. The following are a couple of popular public domain clients: • PuTTY - http://www.chiark.greenend.org.uk/~sgtatham/putty/ • TerraTerm - http://hp.vector.co.jp/authors/VA002416/teraterm.html • TerraTerm (SSH module) - http://www.columbia.edu/acis/software/teraterm/teraterm.pdf F-Secure SSH Client Installation The following is general description of the F-Secure client installation with annotations for install specific configuration settings and deployment best practices. 1. Once you insert the CD in your drive the following splash screen appears: www.imedge.net Page 4 10/14/2004 Client Access Standards to Production Facilities At this screen you would select install, please make sure you have your CD key ready the installation will request this. 2. Once you have entered you key you will be provided with the selection to continue with the installation of the client. Accept the defaults when queried unless you wish to set your own installation setting where appropriate. 3. Once you have completed the installation you will be requested to restart your machine. 4. Upon restarting your machine there will be an F-Secure SSH client icon on your desktop or in your Start menu. Double click on the icon and start the program for the first time, at this time and only at this time a random seed is generated for your client, this is used to encrypt and decrypt your communications. When presented with the following screen you must continue to move your mouse around until there is sufficient randomness to generate your seed. www.imedge.net Page 5 10/14/2004 Client Access Standards to Production Facilities 5. On completion of the random seed generation you will be presented with the SSH client screen and you will now configure the software with the specifics for connecting to your production environments. 6. From the Edit dropdown menu select Settings to begin configuring your software as in the following screen. www.imedge.net Page 6 10/14/2004 Client Access Standards to Production Facilities Here you will enter: • Fully qualified host name • Your assigned username, this is provided to you by an administrator • Port 22 remains the same • Default authentication method stays as password The settings for Ciphers and Firewall are left at the default value. 7. Once you have completed your connection information you will now proceed to configuring your terminal, this also includes some X11 specific settings. At this screen continue to select the defaults or your preference for terminal emulation and any X11 specific settings. www.imedge.net Page 7 10/14/2004 Client Access Standards to Production Facilities 8. Now you will proceed to the configuration of your file transfer, generally the default values will be sufficient unless there are specifics you wish to change such as the missing file association application. www.imedge.net Page 8 10/14/2004 Client Access Standards to Production Facilities If you require X11 support then the next step is to configure tunneling of the SSH client software by selecting the ‘Tunnel X11 connections’ check box. The final item to configure if necessary is the Security option, again the default values are valid for connectivity. www.imedge.net Page 9 10/14/2004 Client Access Standards to Production Facilities APPENDIX www.imedge.net Page 10 10/14/2004 Client Access Standards to Production Facilities A Primer on the SSH Protocol By Craig Borysowich DESCRIPTION ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. ssh connects and logs into the specified hostname. The user must prove his/her identity to the remote machine using one of several methods depending on the protocol version used. What is Secure Shell? To paraphrase the README file: Secure Shell is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over unsecured channels. It is intended as a replacement for telnet, rlogin, rsh, and rcp. For SSH2, there is a replacement for FTP: sftp. Additionally, Secure Shell provides secure X connections and secure forwarding of arbitrary TCP connections. You can also use Secure Shell as a tool for things like rsync and secure network backups. The traditional BSD 'r' - commands (rsh, rlogin, rcp) are vulnerable to different kinds of attacks. Somebody who has root access to machines on the network, or physical access to the wire, can gain unauthorized access to systems in a variety of ways. It is also possible for such a person to log all the traffic to and from your system, including passwords (which ssh never sends in the clear). The X Window System also has a number of severe vulnerabilities. With ssh, you can create secure remote X sessions which are transparent to the user. As a side effect, using remote X clients with ssh is more convenient for users. There are two versions of Secure Shell available: SSH1 and SSH2. This FAQ does its best to distinguish when the situation calls for the difference between the two. How widespread is its use? www.imedge.net Page 11 10/14/2004 Client Access Standards to Production Facilities The most current figures available are over 2 million Secure Shell users in over 60 countries.