Public-Key Authentication
by Robert G. Byrnes, Richard E. Silverman, Daniel J. Barrett
SSH, The Secure Shell: The Definitive Guide, 2nd Edition
- SSH, the Secure Shell, 2nd Edition
- Preface
- 1. Introduction to SSH
- Overview of SSH Features
- History of SSH
- Related Technologies
- Summary
- 2. Basic Client Use
- Authentication by Cryptographic Key
- The SSH Agent
- Connecting Without a Password or Passphrase
- Miscellaneous Clients
- Summary
- 3. Inside SSH
- Overview of Features
- A Cryptography Primer
- Inside SSH-2
- Inside SSH-1
- Implementation Issues
- SSH and File Transfers (scp and sftp)
- Algorithms Used by SSH
- Threats SSH Can Counter
- Threats SSH Doesn’t Prevent
- Threats Caused by SSH
- Summary
- 4. Installation and Compile-Time Configuration
- 5. Serverwide Configuration
- Running the Server
- Server Configuration: An Overview
- Getting Ready: Initial Setup
- 5.3.1 File Locations
- 5.3.2 File Permissions
- 5.3.3 TCP/IP Settings
- 5.3.3.1 Port number and network interface
- 5.3.3.2 Invocation by inetd or xinetd
- 5.3.3.3 Restarting the SSH server for each connection
- 5.3.3.4 Keepalive messages
- 5.3.3.5 Idle connections
- 5.3.3.6 Failed logins
- 5.3.3.7 Limiting simultaneous connections
- 5.3.3.8 Reverse IP mappings
- 5.3.3.9 Controlling the Nagle Algorithm
- 5.3.3.10 Discovering other servers
- 5.3.4 Key Regeneration
- 5.3.5 Encryption Algorithms
- 5.3.6 Integrity-Checking (MAC) Algorithms
- 5.3.7 SSH Protocol Settings
- 5.3.8 Compression
- Authentication: Verifying Identities
- 5.4.1 Authentication Syntax
- 5.4.2 Password Authentication
- 5.4.3 Public-Key Authentication
- 5.4.4 Hostbased Authentication
- 5.4.5 Keyboard-Interactive Authentication
- 5.4.6 PGP Authentication
- 5.4.7 Kerberos Authentication
- 5.4.8 PAM Authentication
- 5.4.9 Privilege Separation
- 5.4.10 Selecting a Login Program
- Access Control: Letting People In
- User Logins and Accounts
- Forwarding
- Subsystems
- Logging and Debugging
- Compatibility Between SSH-1 and SSH-2 Servers
- Summary
- 6. Key Management and Agents
- What Is an Identity?
- Creating an Identity
- SSH Agents
- Multiple Identities
- PGP Authentication in Tectia
- Tectia External Keys
- Summary
- 7. Advanced Client Use
- How to Configure Clients
- Precedence
- Introduction to Verbose Mode
- Client Configuration in Depth
- 7.4.1 Remote Account Name
- 7.4.2 User Identity
- 7.4.3 Host Keys and Known-Hosts Databases
- 7.4.4 SSH Protocol Settings
- 7.4.5 TCP/IP Settings
- 7.4.6 Making Connections
- 7.4.6.1 Number of connection attempts
- 7.4.6.2 Password prompting in OpenSSH
- 7.4.6.3 Password prompting in Tectia
- 7.4.6.4 Batch mode: suppressing prompts
- 7.4.6.5 Pseudo-terminal allocation (TTY/PTY/PTTY)
- 7.4.6.6 Backgrounding a remote command
- 7.4.6.7 Backgrounding a remote command, take two
- 7.4.6.8 Escaping
- 7.4.7 Proxies and SOCKS
- 7.4.8 Forwarding
- 7.4.9 Encryption Algorithms
- 7.4.10 Integrity-Checking (MAC) Algorithms
- 7.4.11 Host Key Types
- 7.4.12 Session Rekeying
- 7.4.13 Authentication
- 7.4.14 Data Compression
- 7.4.15 Program Locations
- 7.4.16 Subsystems
- 7.4.17 Logging and Debugging
- 7.4.18 Random Seeds
- Secure Copy with scp
- 7.5.1 Full Syntax of scp
- 7.5.2 Handling of Wildcards
- 7.5.3 Recursive Copy of Directories
- 7.5.4 Preserving Permissions
- 7.5.5 Automatic Removal of Original File
- 7.5.6 Safety Features
- 7.5.7 Batch Mode
- 7.5.8 User Identity
- 7.5.9 SSH Protocol Settings
- 7.5.10 TCP/IP Settings
- 7.5.11 Encryption Algorithms
- 7.5.12 Controlling Bandwidth
- 7.5.13 Data Compression
- 7.5.14 File Conversion
- 7.5.15 Optimizations
- 7.5.16 Statistics Display
- 7.5.17 Locating the ssh Executable
- 7.5.18 Getting Help
- 7.5.19 For Internal Use Only
- 7.5.20 Further Configuration
- Summary
- 8. Per-Account Server Configuration
- Limits of This Technique
- Public-Key-Based Configuration
- Hostbased Access Control
- The User rc File
- Summary
- 9. Port Forwarding and X Forwarding
- Port Forwarding
- 9.2.1 Local Forwarding
- 9.2.2 Trouble with Multiple Connections
- 9.2.3 Comparing Local and Remote Port Forwarding
- 9.2.4 Forwarding Off-Host
- 9.2.5 Bypassing a Firewall
- 9.2.6 Port Forwarding Without a Remote Login
- 9.2.7 The Listening Port Number
- 9.2.8 Choosing the Target Forwarding Address
- 9.2.9 Termination
- 9.2.10 Configuring Port Forwarding in the Server
- 9.2.11 Protocol-Specific Forwarding: FTP
- Dynamic Port Forwarding
- X Forwarding
- Forwarding Security: TCP-Wrappers and libwrap
- Summary
- Port Forwarding
- 10. A Recommended Setup
- 11. Case Studies
- Unattended SSH: Batch or cron Jobs
- FTP and SSH
- 11.2.1 FTP-Specific Tools for SSH
- 11.2.2 Static Port Forwarding and FTP: A Study in Pain
- 11.2.3 The FTP Protocol
- 11.2.4 Forwarding the Control Connection
- 11.2.5 FTP, Firewalls, and Passive Mode
- 11.2.6 FTP and Network Address Translation (NAT)
- 11.2.7 All About Data Connections
- 11.2.8 Forwarding the Data Connection
- Pine, IMAP, and SSH
- Connecting Through a Gateway Host
- Scalable Authentication for SSH
- 11.5.1 Tectia with X.509 Certificates
- 11.5.1.1 What’s a PKI?
- 11.5.1.2 Using certificates with Tectia host keys
- 11.5.1.3 A simple configuration
- 11.5.1.4 Getting a certificate
- 11.5.1.5 Hostkey verification: configuring the server
- 11.5.1.6 Hostkey verification: configuring the Client
- 11.5.1.7 User authentication: configuring the client
- 11.5.1.8 User authentication: configuring the server
- 11.5.2 OpenSSH and Tectia with Kerberos
- 11.5.1 Tectia with X.509 Certificates
- Tectia Extensions to Server Configuration Files
- Tectia Plugins
- 12. Troubleshooting and FAQ
- 13. Overview of Other Implementations
- 14. OpenSSH for Windows
- 15. OpenSSH for Macintosh
- 16. Tectia for Windows
- 17. SecureCRT and SecureFX for Windows
- 18. PuTTY for Windows
- File Transfer
- Key Management
- Advanced Client Use
- Forwarding
- Summary
- A. OpenSSH 4.0 New Features
- B. Tectia Manpage for sshregex
- C. Tectia Module Names for Debugging
- D. SSH-1 Features of OpenSSH and Tectia
- E. SSH Quick Reference
- Index
- About the Authors
- Colophon
- Copyright
The OpenSSH clients--ssh, scp, and sftp--and the key-related programs--ssh-keygen, ssh-agent, and ssh-add (covered in Chapter 6)--use public-key authentication just as they do under Unix. You might need to know where your ~/.ssh folder is to refer to keys. [14.2]
When connecting to the Cygwin SSHD Service (sshd) from the outside world, there are a few things to think about:
Make sure your ~/.ssh/authorized_keys file contains the appropriate public keys. [6.1.1]
Check the
Cygwin SSHD Servicein the Services control panel, and note the NT user account under which it is running. Then make sure that this account:Has read access to your ~/.ssh directory and your ~/.ssh/authorized_keys file.
Has read access to the host keys in the Cygwin /etc directory.
Has write access to the log file /var/log/sshd.log.
Is in the local Administrators group, if you plan to invoke operations by SSH that require administrative privileges. Then authenticate using this account. (For more flexible credentials, consider a PKI solution. [11.5] Cygwin includes a Kerberos package.[166])
Is listed in the Cygwin /etc/passwd file. Use the Cygwin mkpasswd program to generate this file if you need; for example, in the Cygwin shell:
$ mkpasswd -l > /etc/passwd
but make sure you understand what you’re doing so that you don’t wipe out vital accounts! Run man mkpasswd to learn more.
An agent is a program that keeps private keys in memory and provides authentication services to SSH clients. If you preload an agent with private keys at the beginning of a login session, your SSH clients won’t prompt for passphrases. Instead, they communicate with the agent as needed. [2.5] The OpenSSH agent program is ssh-agent.
In order for ssh-agent to work, it communicates via environment variables. [6.3.2] If you’re using the Cygwin shell (bash), you can start the agent via the same methods as on Unix. Unfortunately, these methods don’t work immediately on Windows if you’re using the command shell (cmd.exe or command.exe), so here is a quick recipe:
Run the agent:
C:> ssh-agent SSH_AUTH_SOCK=/tmp/ssh-agent.1468; export SSH_AUTH_SOCK; SSH_AGENT_PID=3212; export SSH_AGENT_PID; echo Agent pid 3212;Notice the output includes some environment variables:
SSH_AUTH_SOCK=/tmp/ssh-agent.1468; export SSH_AUTH_SOCK; SSH_AGENT_PID=3212; export SSH_AGENT_PID;
Set the environment variables by hand:
C:> set SSH_AUTH_SOCK=/tmp/ssh-agent.1468 C:> set SSH_AGENT_PID=3212Your agent is ready to load with keys: [2.5]
C:> ssh-add Enter passphrase for /home/you/.ssh/id_dsa:********Identity added: /home/you/.ssh/id_dsa (/home/you/.ssh/id_dsa)
[166] For Kerberos or GSSAPI support., you might need to
recompile OpenSSH. At press time, KerberosAuthentication and
GSSAPIAuthentication are
disabled in the Cygwin binaries for OpenSSH. You’ll need to
download the OpenSSH source code and recompile it with the
GNU C compiler, gcc, also included with
Cygwin. Once things are set up, they do work as in our case
study. [11.5.2]
-
No Comment