Linux Security Techniques - 2.0 Data Security
============================================================
Filename: techskills-linuxsecurity-2-4-data_encryption_with_ssh
Title: Data Encryption with SSH
Subtitle: Linux Security Techniques
2.4 Data Encryption with SSH
What do we need to get started with SSH?
SSH on most platforms is powered by OpenSSH
Installed by default
May need to be allowed through the firewall
Certificate authentication may need to be configured
How do we get our server ready to accept SSH connections?
Disable SSHv1
vi /etc/ssh/sshd_config
Protocol 2
systemctl restart sshd
Take note of key names/locations
Server keys are stored in /etc/ssh
You will want to generate new keys
What is wrong with the default keys?
You cannot verify the strength of the default keys
Some distros (LiveCDs) use pre-packaged keys
Others generate keys prior to hardware RNGs kicking in
It is best to generate new ones.
Is it hard to generate new keys?
Generating new keys
1. Delete the key files (rm -f /etc/ssh/*key*)
2. ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key
For SSHv1
3. ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
4. ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
5. ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key
File                     Description
ssh_host_key             SSHv1 Private Key
ssh_host_key.pub         SSHv1 Public Key
ssh_host_rsa_key         SSHv2 RSA Private Key
ssh_host_rsa_key.pub     SSHv2 RSA Public Key
ssh_host_dsa_key         SSHv2 DSA Private Key
ssh_host_dsa_key.pub     SSHv2 DSA Public Key
ssh_host_ecdsa_key       SSHv2 ECDSA Private Key
ssh_host_ecdsa_key.pub   SSHv2 ECDSA Public Key
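The server-side steps above (force protocol 2, throw away the shipped host keys, generate fresh ones, read off the fingerprints) as one script. This is an added example, not course material: SSH_DIR, the --apply switch and the function names are my own; point SSH_DIR at a scratch directory to rehearse it without touching a live sshd. rsa1 and DSA keys are skipped because current ssh-keygen no longer generates the former and deprecates the latter.

```shell
#!/bin/sh
# Added example (not from the course slides): force SSH protocol 2 and
# regenerate the OpenSSH host keys. SSH_DIR defaults to /etc/ssh; set it to a
# scratch directory to rehearse the steps without touching a live server.
SSH_DIR="${SSH_DIR:-/etc/ssh}"

# Leave sshd_config with exactly one "Protocol 2" directive, placed at the top:
# sshd uses the first value it reads for a keyword, and a directive appended
# to the end of the file could land inside a trailing Match block.
set_protocol2() {
    cfg="$1"
    {
        printf 'Protocol 2\n'
        grep -v -E '^[[:space:]]*#?[[:space:]]*Protocol([[:space:]]|$)' "$cfg" || true
    } > "$cfg.tmp"
    # Write through the original file so its ownership and mode survive.
    cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
}

# Print the Protocol value sshd would use (first uncommented directive).
protocol_setting() {
    awk '$1 == "Protocol" { print $2; exit }' "$1"
}

# Delete the old host keys and generate fresh ones. Only the ssh_host_* names
# are removed, not the slide's broader *key* glob, so any other file in the
# directory whose name merely contains "key" is left alone.
regen_host_keys() {
    dir="$1"
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; return 1; }
    rm -f "$dir"/ssh_host_key "$dir"/ssh_host_key.pub \
          "$dir"/ssh_host_*_key "$dir"/ssh_host_*_key.pub
    ssh-keygen -q -N '' -t rsa   -b 4096 -f "$dir/ssh_host_rsa_key"
    ssh-keygen -q -N '' -t ecdsa -b 256  -f "$dir/ssh_host_ecdsa_key"
    chmod 600 "$dir"/ssh_host_*_key
    chmod 644 "$dir"/ssh_host_*_key.pub
}

# Record the new fingerprints so clients can verify them out of band.
show_fingerprints() {
    for pub in "$1"/ssh_host_*_key.pub; do
        ssh-keygen -lf "$pub"
    done
}

main() {
    set_protocol2 "$SSH_DIR/sshd_config"
    regen_host_keys "$SSH_DIR"
    show_fingerprints "$SSH_DIR"
    # Validate the configuration before restarting so a typo cannot lock you out.
    sshd -t -f "$SSH_DIR/sshd_config" || return 1
    if [ "$SSH_DIR" = /etc/ssh ]; then
        systemctl restart sshd
    fi
}

# Only act when explicitly asked: sh harden-sshd.sh --apply
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Keep the fingerprint output somewhere clients can consult it (a wiki page, a ticket, a config-management repo); it is the value users compare against the prompt on first connection.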
How does a client get the public key?
OpenSSH client configuration and usage
Public key is cached in ~/.ssh/known_hosts for individual users
Cached in /etc/ssh/ssh_known_hosts for the entire system
If you receive the key beforehand, you can pre-load it
/etc/ssh/ssh_host_ecdsa_key.pub
ssh-keyscan <host>
ssh-keyscan 192.168.0.100 >> ~/.ssh/known_hosts
Viewing the fingerprint (on server)
ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub
Can require the key to already be present in known_hosts (set in /etc/ssh/ssh_config)
StrictHostKeyChecking
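The pre-loading workflow just described, worked through as a script: take a server public key file obtained out of band, add it to a known_hosts file, refuse to touch an entry that already names the host with a different key, and connect with StrictHostKeyChecking=yes. This is an added example, not code from the course; it assumes a plain (unhashed) known_hosts file, and the function names and the sample key in the test are mine.

```shell
#!/bin/sh
# Added example (not from the course slides): pre-load a server's host key into
# a known_hosts file from a public key file received out of band, refuse to
# overwrite a conflicting entry, and connect with StrictHostKeyChecking=yes.
# Assumes a plain (unhashed) known_hosts file.

# Print "<keytype> <base64key>" from a public key file such as
# /etc/ssh/ssh_host_ecdsa_key.pub (format: "type base64 comment").
pubkey_fields() {
    awk '{ print $1, $2; exit }' "$1"
}

# Compare the key in $pubfile with what $kh already records for $host and
# print one of: match, conflict, absent. A conflict is exactly what a
# man-in-the-middle or a silently reinstalled server looks like to a client.
host_key_status() {
    host="$1"; pubfile="$2"; kh="$3"
    [ -f "$kh" ] || { echo absent; return 0; }
    set -- $(pubkey_fields "$pubfile")       # $1 = key type, $2 = base64 key
    awk -v h="$host" -v t="$1" -v k="$2" '
        /^[ \t]*(#|@|$)/ { next }            # comments, blanks, @cert-authority/@revoked lines
        {
            n = split($1, names, ",")        # one line may list several names for a key
            for (i = 1; i <= n; i++)
                if (names[i] == h) {
                    if ($2 == t && $3 == k) found = 1; else conflict = 1
                }
        }
        END {
            if (found) print "match"; else if (conflict) print "conflict"; else print "absent"
        }' "$kh"
}

# Append the entry only when absent; return 2 and change nothing on conflict.
preload_host_key() {
    host="$1"; pubfile="$2"; kh="$3"
    case "$(host_key_status "$host" "$pubfile" "$kh")" in
        match)    return 0 ;;
        conflict) echo "refusing: $kh already holds a different key for $host" >&2; return 2 ;;
    esac
    set -- $(pubkey_fields "$pubfile")
    ( umask 077; mkdir -p "$(dirname "$kh")"; printf '%s %s %s\n' "$host" "$1" "$2" >> "$kh" )
}

# Usage: sh preload-key.sh <user@host> <server_pubkey.pub> [known_hosts]
# Pre-loads the key, then connects with strict checking so ssh aborts on any
# mismatch instead of prompting the user to accept it.
if [ $# -ge 2 ]; then
    kh="${3:-$HOME/.ssh/known_hosts}"
    preload_host_key "${1#*@}" "$2" "$kh" && \
        exec ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$kh" "$1"
fi
```

Before pre-loading, run ssh-keygen -lf on the received .pub file and compare the fingerprint with the one read on the server, otherwise you are only recording whatever key arrived. If the client has HashKnownHosts enabled, text matching against known_hosts no longer works; use ssh-keygen -F <host> -f <known_hosts> to look entries up instead.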
Once we know the key is good, are we ready to connect?
Client connections
ssh <username>@<hostname>
ssh -l <username> <hostname>
Configuration file is /etc/ssh/ssh_config
Options
-1 v1 Only
-2 v2 Only
-4 IPv4 Only
-6 IPv6 Only
That gives us an encrypted shell, but can we encrypt other traffic?
SSH port tunnels
Send any port's traffic over an SSH tunnel
Useful for encrypting any traffic regardless of protocol
Telnet, for example, does not support encryption
Telnet can be run on top of SSH to provide security
How do we build a secure tunnel?
Establish the SSH tunnel
ssh -f <username>@<hostname> -L <localport>:<hostname>:<remoteport> -N
-f Go to background after execution
-L Local port to be redirected
-N Do not execute any remote commands
Just build the tunnel
ssh -f dpezet@172.16.0.128 -L 65023:172.16.0.128:23 -N
How does software know to use the tunnel?
Telnet through the tunnel
telnet 127.0.0.1 65023
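The tunnel from the slides, wrapped so it can be checked and torn down cleanly. This is an added example, not code from the course: it keeps the ssh -f -N -L form shown above and adds a control socket (-M/-S, -O check/exit), ExitOnForwardFailure so a local port that is already taken fails loudly instead of leaving an ssh process that forwards nothing, and an explicit 127.0.0.1 bind address. The socket path under ~/.ssh and the function names are my own choices.

```shell
#!/bin/sh
# Added example (not from the course slides): open the local port forward from
# the slide with a control socket so the tunnel can be checked and torn down
# cleanly, then run telnet through it. The socket path is a choice of mine.

# Accept only an integer port in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the -L argument. The explicit 127.0.0.1 bind address keeps the
# listener on loopback even if GatewayPorts is enabled in ssh_config.
forward_spec() {
    lport="$1"; rhost="$2"; rport="$3"
    valid_port "$lport" && valid_port "$rport" || return 1
    printf '127.0.0.1:%s:%s:%s\n' "$lport" "$rhost" "$rport"
}

# One control socket per local port so several tunnels can coexist.
tunnel_socket() {
    printf '%s/.ssh/tunnel-%s.sock\n' "$HOME" "$1"
}

# ssh -f -N as on the slide, plus: -M/-S to get a control socket,
# ExitOnForwardFailure so a busy local port aborts the whole command, and
# strict host-key checking so the tunnel is never built to an unverified host.
open_tunnel() {
    user="$1"; host="$2"; lport="$3"; rhost="$4"; rport="$5"
    spec=$(forward_spec "$lport" "$rhost" "$rport") || { echo "invalid port" >&2; return 1; }
    ssh -f -N -M -S "$(tunnel_socket "$lport")" \
        -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes \
        -L "$spec" "$user@$host"
}

# Ask the master process whether the tunnel is still up, or tell it to exit.
tunnel_check() { ssh -S "$(tunnel_socket "$1")" -O check "$2"; }
tunnel_close() { ssh -S "$(tunnel_socket "$1")" -O exit  "$2"; }

# Usage: sh tunnel.sh dpezet 172.16.0.128 65023 172.16.0.128 23
if [ $# -eq 5 ]; then
    open_tunnel "$@" || exit 1
    telnet 127.0.0.1 "$3"
    tunnel_close "$3" "$1@$2"
fi
```

Picking a local port above 1023 (65023 on the slide) means the tunnel needs no root on the client; the telnet session itself is plaintext only on the loopback hop and inside the SSH connection on the wire.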
PRESENTER NOTE
Telnet example setup
1. yum install telnet telnet-server
2. vi /etc/xinetd.d/telnet
disable=no
3. vi /etc/xinetd.conf
enabled=rsh telnet
4. systemctl enable --now telnet.socket
5. firewall-cmd --add-service=telnet
6. semanage port -a -t telnetd_port_t -p tcp 23