Limits of This Technique
by Robert G. Byrnes, Richard E. Silverman, Daniel J. Barrett
SSH, The Secure Shell: The Definitive Guide, 2nd Edition
- SSH, the Secure Shell, 2nd Edition
- Preface
- 1. Introduction to SSH
- Overview of SSH Features
- History of SSH
- Related Technologies
- Summary
- 2. Basic Client Use
- Authentication by Cryptographic Key
- The SSH Agent
- Connecting Without a Password or Passphrase
- Miscellaneous Clients
- Summary
- 3. Inside SSH
- Overview of Features
- A Cryptography Primer
- Inside SSH-2
- Inside SSH-1
- Implementation Issues
- SSH and File Transfers (scp and sftp)
- Algorithms Used by SSH
- Threats SSH Can Counter
- Threats SSH Doesn’t Prevent
- Threats Caused by SSH
- Summary
- 4. Installation and Compile-Time Configuration
- 5. Serverwide Configuration
- Running the Server
- Server Configuration: An Overview
- Getting Ready: Initial Setup
- 5.3.1 File Locations
- 5.3.2 File Permissions
- 5.3.3 TCP/IP Settings
- 5.3.3.1 Port number and network interface
- 5.3.3.2 Invocation by inetd or xinetd
- 5.3.3.3 Restarting the SSH server for each connection
- 5.3.3.4 Keepalive messages
- 5.3.3.5 Idle connections
- 5.3.3.6 Failed logins
- 5.3.3.7 Limiting simultaneous connections
- 5.3.3.8 Reverse IP mappings
- 5.3.3.9 Controlling the Nagle Algorithm
- 5.3.3.10 Discovering other servers
- 5.3.4 Key Regeneration
- 5.3.5 Encryption Algorithms
- 5.3.6 Integrity-Checking (MAC) Algorithms
- 5.3.7 SSH Protocol Settings
- 5.3.8 Compression
- Authentication: Verifying Identities
- 5.4.1 Authentication Syntax
- 5.4.2 Password Authentication
- 5.4.3 Public-Key Authentication
- 5.4.4 Hostbased Authentication
- 5.4.5 Keyboard-Interactive Authentication
- 5.4.6 PGP Authentication
- 5.4.7 Kerberos Authentication
- 5.4.8 PAM Authentication
- 5.4.9 Privilege Separation
- 5.4.10 Selecting a Login Program
- Access Control: Letting People In
- User Logins and Accounts
- Forwarding
- Subsystems
- Logging and Debugging
- Compatibility Between SSH-1 and SSH-2 Servers
- Summary
- 6. Key Management and Agents
- What Is an Identity?
- Creating an Identity
- SSH Agents
- Multiple Identities
- PGP Authentication in Tectia
- Tectia External Keys
- Summary
- 7. Advanced Client Use
- How to Configure Clients
- Precedence
- Introduction to Verbose Mode
- Client Configuration in Depth
- 7.4.1 Remote Account Name
- 7.4.2 User Identity
- 7.4.3 Host Keys and Known-Hosts Databases
- 7.4.4 SSH Protocol Settings
- 7.4.5 TCP/IP Settings
- 7.4.6 Making Connections
- 7.4.6.1 Number of connection attempts
- 7.4.6.2 Password prompting in OpenSSH
- 7.4.6.3 Password prompting in Tectia
- 7.4.6.4 Batch mode: suppressing prompts
- 7.4.6.5 Pseudo-terminal allocation (TTY/PTY/PTTY)
- 7.4.6.6 Backgrounding a remote command
- 7.4.6.7 Backgrounding a remote command, take two
- 7.4.6.8 Escaping
- 7.4.7 Proxies and SOCKS
- 7.4.8 Forwarding
- 7.4.9 Encryption Algorithms
- 7.4.10 Integrity-Checking (MAC) Algorithms
- 7.4.11 Host Key Types
- 7.4.12 Session Rekeying
- 7.4.13 Authentication
- 7.4.14 Data Compression
- 7.4.15 Program Locations
- 7.4.16 Subsystems
- 7.4.17 Logging and Debugging
- 7.4.18 Random Seeds
- Secure Copy with scp
- 7.5.1 Full Syntax of scp
- 7.5.2 Handling of Wildcards
- 7.5.3 Recursive Copy of Directories
- 7.5.4 Preserving Permissions
- 7.5.5 Automatic Removal of Original File
- 7.5.6 Safety Features
- 7.5.7 Batch Mode
- 7.5.8 User Identity
- 7.5.9 SSH Protocol Settings
- 7.5.10 TCP/IP Settings
- 7.5.11 Encryption Algorithms
- 7.5.12 Controlling Bandwidth
- 7.5.13 Data Compression
- 7.5.14 File Conversion
- 7.5.15 Optimizations
- 7.5.16 Statistics Display
- 7.5.17 Locating the ssh Executable
- 7.5.18 Getting Help
- 7.5.19 For Internal Use Only
- 7.5.20 Further Configuration
- Summary
- 8. Per-Account Server Configuration
- Limits of This Technique
- Public-Key-Based Configuration
- Hostbased Access Control
- The User rc File
- Summary
- 9. Port Forwarding and X Forwarding
- Port Forwarding
- 9.2.1 Local Forwarding
- 9.2.2 Trouble with Multiple Connections
- 9.2.3 Comparing Local and Remote Port Forwarding
- 9.2.4 Forwarding Off-Host
- 9.2.5 Bypassing a Firewall
- 9.2.6 Port Forwarding Without a Remote Login
- 9.2.7 The Listening Port Number
- 9.2.8 Choosing the Target Forwarding Address
- 9.2.9 Termination
- 9.2.10 Configuring Port Forwarding in the Server
- 9.2.11 Protocol-Specific Forwarding: FTP
- Dynamic Port Forwarding
- X Forwarding
- Forwarding Security: TCP-Wrappers and libwrap
- Summary
- Port Forwarding
- 10. A Recommended Setup
- 11. Case Studies
- Unattended SSH: Batch or cron Jobs
- FTP and SSH
- 11.2.1 FTP-Specific Tools for SSH
- 11.2.2 Static Port Forwarding and FTP: A Study in Pain
- 11.2.3 The FTP Protocol
- 11.2.4 Forwarding the Control Connection
- 11.2.5 FTP, Firewalls, and Passive Mode
- 11.2.6 FTP and Network Address Translation (NAT)
- 11.2.7 All About Data Connections
- 11.2.8 Forwarding the Data Connection
- Pine, IMAP, and SSH
- Connecting Through a Gateway Host
- Scalable Authentication for SSH
- 11.5.1 Tectia with X.509 Certificates
- 11.5.1.1 What’s a PKI?
- 11.5.1.2 Using certificates with Tectia host keys
- 11.5.1.3 A simple configuration
- 11.5.1.4 Getting a certificate
- 11.5.1.5 Hostkey verification: configuring the server
- 11.5.1.6 Hostkey verification: configuring the Client
- 11.5.1.7 User authentication: configuring the client
- 11.5.1.8 User authentication: configuring the server
- 11.5.2 OpenSSH and Tectia with Kerberos
- 11.5.1 Tectia with X.509 Certificates
- Tectia Extensions to Server Configuration Files
- Tectia Plugins
- 12. Troubleshooting and FAQ
- 13. Overview of Other Implementations
- 14. OpenSSH for Windows
- 15. OpenSSH for Macintosh
- 16. Tectia for Windows
- 17. SecureCRT and SecureFX for Windows
- 18. PuTTY for Windows
- File Transfer
- Key Management
- Advanced Client Use
- Forwarding
- Summary
- A. OpenSSH 4.0 New Features
- B. Tectia Manpage for sshregex
- C. Tectia Module Names for Debugging
- D. SSH-1 Features of OpenSSH and Tectia
- E. SSH Quick Reference
- Index
- About the Authors
- Colophon
- Copyright
Per-account configuration can do many interesting things, but it has some restrictions that we will discuss:
It can’t defeat security measures put in place by compile-time or serverwide configuration. (Thank goodness.)
It is most flexible and secure if you use public-key authentication. Hostbased and password authentication provide a much narrower range of options.
SSH settings in a user’s account may only restrict the authentication of incoming connections. They can’t enable any SSH features that have been turned off more globally, and they can’t permit a forbidden user or host to authenticate. For example, if your SSH server rejects all connections from the domain evil.org, you can’t override this restriction within your account by per-account configuration.[118]
This limitation makes sense. No end-user tool should be able to violate a server security policy. However, end users should be (and are) allowed to restrict incoming connections to their accounts.
A few features of the server may be overridden by per-account configuration. The most notable one is the server’s idle timeout, which may be extended beyond the serverwide setting. But such features can’t coerce the server to accept a connection it has been globally configured to reject.
If you are an end user, and per-account configuration doesn’t provide enough flexibility, you can run your own instance of the SSH server, which you may configure to your heart’s content. [5.1.2] Be cautious, though, since this is seldom the right thing to do. The restrictions you’re trying to circumvent are part of the security policy defined for the machine by its administrators, and you shouldn’t run a program that flouts this policy just because you can. If the machine in question is under your administrative control, simply configure the main SSH server as you wish. If not, then installing and running your own sshd might violate your usage agreement and/or certainly annoy your sysadmin. And that’s never a wise thing to do.
To make the best use of per-account configuration, use public-key authentication. Password authentication is too limited, since the only way to control access is with the password itself. Hostbased authentication permits a small amount of flexibility, but not nearly as much as public-key authentication.
If you’re still stuck in the password-authentication dark ages, let this be another reason to switch to public keys. Even though passwords and public-key passphrases might seem similar (you type a secret word, and voilà, you’re logged in), public keys are far more flexible for permitting or denying access to your account. Read on and learn how.
-
No Comment