360
Information Security

The Magnificent 7

What Is It?

Secure Shell (SSH) is a protocol and set of standards for private, authenticated communication between two computers over an IP network. It is most commonly thought of in the context of its most popular application, as a "secure telnet" replacement, but in reality it is much more than that. SSH secures not only interactive terminal access but also provides file transfer (scp and sftp) and generic tunnelling of other TCP connections, a lightweight "VPN".

How did it come about?

In 1995, Tatu Ylönen, a researcher at Helsinki University of Technology, Finland, designed the first version of the protocol (now called SSH-1), prompted by a password-sniffing attack on his university's network. The goal of SSH was to replace the earlier rlogin, telnet and rsh protocols, which provided neither strong authentication nor confidentiality. Ylönen released his implementation as freeware in July 1995, and the tool quickly gained popularity.

Where would I use it?

As with sudo, we recommend SSH very widely, both "invisibly", as a transport combined with other utilities such as rsync, and visibly, as a telnet replacement. It is available on just about every platform in common use, from IBM z/OS mainframes to the Java-capable phone in your pocket. The two most popular uses are covered here in a little more detail.

There is no excuse for running telnet on your systems. Although it is one of the oldest (if not the oldest) network services, time after time we still see vendors get it wrong, and poor password selection by users is a problem that just won't go away; telnet carries those passwords, and everything else, in clear text. Although there have been bugs in SSH itself, they tend to be fixed quickly and can be mitigated with tight configuration while patches are awaited from the community. Ensure telnet is not running as a service, deploy SSH, and invest some time in configuring it securely at a system-wide level.

Do you need to move files from one system to another in an automated manner? How do you achieve it? NFS? Samba? rcp? FTP? There is a good chance that SSH's secure copy, scp, is a more secure, more efficient and less complex way of doing it, particularly if you invest some time in learning about SSH's identity (key) management and the ssh-agent and ssh-add commands. It is possible to set up an automated, strongly authenticated, private file transfer on demand that will probably not require you to open extra firewall and router filters or compromise endpoint security, since everything travels over the one SSH port. You can even chain transfers across administrative domains.
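
The pieces of such an unattended transfer, as an added example that is not code from the article: a dedicated key whose authorized_keys entry is confined to receiving files (the forced command and the no-pty/no-forwarding options), and a client configuration that pins the identity and host key and chains through a jump host in another administrative domain. The host names, the "xfer" account, the "bastion" jump host, the paths and the public-key material are all assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the article). Hosts, users, paths and the key
# string below are assumptions for illustration only.

WORK=$(mktemp -d)

# Constructed stand-in for the public half of a dedicated transfer key.
# A real one comes from, e.g.:  ssh-keygen -t ed25519 -f "$WORK/xfer_key" -C xfer@backup
# An interactive user would protect the key with a passphrase and load it with
# ssh-add into ssh-agent; an unattended job usually cannot, so the key must be
# confined on the receiving side instead (restrict_key below).
PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnlyNotAReal0000 xfer@backup'

# restrict_key KEY TARGET_DIR: an authorized_keys line (for ~xfer/.ssh/authorized_keys
# on the receiving host) that lets this key do nothing except receive files into
# TARGET_DIR: no shell, no tty, no port or agent forwarding. The "restrict"
# keyword (OpenSSH 7.2+) is shorthand for the spelled-out options used here.
# Note: OpenSSH 9.0+ clients use the SFTP protocol by default, so the sender
# must pass "scp -O" for this forced command, or the command can be
# "internal-sftp" with sftp used instead.
restrict_key() {
    printf 'command="scp -t %s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' "$2" "$1"
}

# write_ssh_config OUT: a client config that pins the identity (IdentitiesOnly
# stops the client offering every key the agent holds), reaches the archive
# host via a bastion in another administrative domain (ProxyJump), and refuses
# unknown host keys. $WORK/known_hosts must be seeded out of band beforehand,
# otherwise the job fails closed rather than trusting whatever answers.
write_ssh_config() {
    cat > "$1" <<EOF
Host bastion
    HostName bastion.example.net
    User xfer
    IdentityFile $WORK/xfer_key
    IdentitiesOnly yes

Host archive
    HostName archive.internal.example
    User xfer
    IdentityFile $WORK/xfer_key
    IdentitiesOnly yes
    ProxyJump bastion
    StrictHostKeyChecking yes
    UserKnownHostsFile $WORK/known_hosts
EOF
}

# run_transfer SRC: the unattended call itself; with the config above it is one
# line. Not executed here because it needs the real hosts.
run_transfer() {
    scp -O -F "$WORK/config" "$1" archive:/srv/incoming/
}

restrict_key "$PUBKEY" /srv/incoming > "$WORK/authorized_keys"
write_ssh_config "$WORK/config"
echo "authorized_keys entry for the receiving host:"
cat "$WORK/authorized_keys"
echo "client config written to $WORK/config"
```

Only the SSH port needs to be reachable at each hop, and because the key is tied to a single forced command, a stolen copy of it buys an attacker a directory to write into rather than a shell.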

Why is it so good?

SSH is almost ubiquitous: most UNIX distributions ship it, and there are now a number of stable options for running SSH on Windows too. Single tools that work cross-platform save time and complexity. SSH can be as simple as telnet, while retaining a hidden depth of features for those who need them. Finally, although SSH is not without vulnerabilities, considering the battering it takes every day on thousands of Internet-exposed systems, it has shown itself to be a very reliable gatekeeper, provided you are prepared to invest some time (minutes, not hours) in locking down its configuration:

  • Use public-key authentication (keys or SSH certificates) exclusively rather than passwords
  • Use only SSH protocol version 2; disable the legacy SSH-1 protocol
  • Restrict SSH to only the users/groups that need it
  • Restrict the number of login failures before the connection is dropped
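
What those four points look like in sshd_config, as an added example rather than the article's own material: a weak configuration beside a hardened one, and a small audit that reads the file the way sshd does. The file paths and the "sshusers" group are assumptions for illustration. The audit deliberately honours sshd's first-match rule, because the commonest way to get this wrong is to append "PasswordAuthentication no" below an earlier "yes" and believe the job is done.

```shell
#!/bin/sh
# Added example (not from the article). Paths and the "sshusers" group are
# assumptions for illustration.

WORK=$(mktemp -d)

# Constructed "before" file: what an untouched install often looks like.
cat > "$WORK/sshd_config.weak" <<'EOF'
# legacy SSH-1 still offered; passwords accepted; root may log in directly
Protocol 2,1
PasswordAuthentication yes
PermitRootLogin yes
MaxAuthTries 6
# appended later by a well-meaning admin: has NO effect, the first match wins
PasswordAuthentication no
EOF

# Constructed "after" file implementing the checklist. OpenSSH 7.6+ no longer
# speaks SSH-1 at all and ignores "Protocol"; the line matters on older servers.
cat > "$WORK/sshd_config.hardened" <<'EOF'
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AllowGroups sshusers
MaxAuthTries 3
LoginGraceTime 30
EOF

# sshd_setting FILE KEYWORD: the effective value of a keyword. sshd takes the
# FIRST occurrence, keywords are case-insensitive, comments and blank lines are
# skipped. Prints nothing when the keyword is absent (the built-in default applies).
sshd_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE: one line per finding; returns 0 only when all pass.
audit_sshd_config() {
    f=$1
    rc=0

    v=$(sshd_setting "$f" Protocol)
    case "$v" in *1*) echo "FAIL Protocol=$v (SSH-1 offered)"; rc=1 ;; esac

    v=$(sshd_setting "$f" PasswordAuthentication)
    [ "$v" = no ] || { echo "FAIL PasswordAuthentication=${v:-yes (default)}"; rc=1; }

    v=$(sshd_setting "$f" PubkeyAuthentication)
    [ "$v" != no ] || { echo "FAIL PubkeyAuthentication=no"; rc=1; }

    v=$(sshd_setting "$f" PermitRootLogin)
    [ "$v" = no ] || { echo "FAIL PermitRootLogin=${v:-unset}"; rc=1; }

    [ -n "$(sshd_setting "$f" AllowGroups)$(sshd_setting "$f" AllowUsers)" ] \
        || { echo "FAIL no AllowUsers/AllowGroups: every local account may log in"; rc=1; }

    v=$(sshd_setting "$f" MaxAuthTries)
    [ -n "$v" ] && [ "$v" -le 3 ] \
        || { echo "FAIL MaxAuthTries=${v:-6 (default)}"; rc=1; }

    return $rc
}

for f in weak hardened; do
    echo "== $f =="
    if audit_sshd_config "$WORK/sshd_config.$f"; then
        echo "passes"
    else
        echo "needs work"
    fi
done
```

Run "sshd -t -f FILE" before reloading to catch syntax errors, and keep an existing session open while testing a new configuration so a mistake in AllowGroups cannot lock you out.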

Who uses it?

Towards the end of 1995, the SSH user base had grown to 20,000 users in fifty countries; one can only guess at the number of people using the various implementations of SSH now. I suspect it is the most widely deployed open-source application on servers today.

Where do I start?

http://kimmo.suominen.com/docs/ssh