(RHCA) Red Hat Enterprise Linux RHS333: Red Hat Enterprise Security: Network Services
Unit 7
Objectives
Upon completion of this unit, you should be able to:
- SSH server configuration
- SSH client configuration
- TCP port and X11 forwarding
|
Vulnerabilities
- Unencrypted network connections prone to sniffing, spoofing, and hijacking
- Need to protect authentication
- Defend against credential capture attacks
- Permit alternative authentication methods
- Need to protect data
- Provide interactive login security
- Provide security for other data channels
|
Resolutions
- Use SSH for interactive login sessions
- Configure public key user authentication between trusted hosts
- Protect unencrypted data channels with TCP port forwarding
|
Service Profile: sshd
- Type: System V-launched service
- Packages: openssh, openssh-server
- Daemons: sshd
- Scripts: sshd
- Port: 22/tcp (ssh)
- Configuration: /etc/ssh/sshd_config
- Related: openssh-{askpass, askpass-gnome}, openssh-clients, openssl
|
Server Configuration
- /etc/ssh/sshd_config
- Protocols
- User authentication methods
- User access controls
- Login messages and logging
- Host key files
- ssh_host*_key
- ssh_host*_key.pub
- moduli
|
SSH Protocols
- Two major versions of the protocol
- Use protocol version 2 whenever possible
- SSH protocol version 1 is subject to message integrity attacks
- Protocol directive
- Lists protocols offered to the client; client gets to pick which one will be used
|
Server Authentication
- Transport layer authentication
- Encryption cipher and MAC are negotiated
- Diffie-Hellman key exchange; the server is authenticated by its DSA or RSA public key
- Client compares the server's public key against a file containing the public keys of known hosts
- If the server key is not in the client's known hosts file, the client cannot tell whether the key is legitimate
|
User Authentication
- Once secure connection is established, user authentication method is negotiated
- PasswordAuthentication
- PubkeyAuthentication
- RSAAuthentication for SSHv1
- HostbasedAuthentication
- Other methods are available but not as well supported
|
User Access Control
- User access
- AllowUsers/AllowGroups
- DenyUsers/DenyGroups
- PermitRootLogin
- StrictModes
- If a user's SSH configuration files or home directory are world-writable, deny access
|
Login Messages
- Banner
- Specifies a file containing a message to print out prior to authentication
- Useful for acceptable use warning
- PrintMotd
- Print out /etc/motd on interactive login
|
Logging Activity
- SyslogFacility
- Red Hat uses AUTHPRIV by default
- LogLevel
- Not the same as syslog log levels
- DEBUG log levels not recommended for normal operation
|
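The Server Configuration, SSH Protocols, User Access Control, Login Messages and Logging Activity slides above each name a directive and the value to avoid. The script below is an added example, not part of the course material: it reads an sshd_config, resolves each of those directives the way sshd does (first occurrence wins, keyword matching is case-insensitive) and prints the hardened value beside every weak finding, then shows a fragment that passes the audit. The defaults it assumes for absent directives are the upstream OpenSSH defaults of that era and are marked as an assumption in the code; the sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not part of the RHS333 course material: audit an sshd_config
# for the weak settings this unit discusses (protocol version, authentication
# methods, root login, StrictModes, banner, logging, forwarding) and print the
# hardened value next to each finding.
# Assumption: the defaults used when a directive is absent are the upstream
# OpenSSH defaults of that era (Protocol 2,1; PermitRootLogin yes; etc.).

# Effective value of one directive: first occurrence wins, keyword match is
# case-insensitive, comments and blank lines are skipped ("Keyword value" form).
sshd_directive() {
    cfg=$1
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    def=$3
    awk -v key="$key" -v def="$def" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        !found && tolower($1) == key {
            found = 1
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # drop the keyword
            sub(/[[:space:]]+$/, "")                             # and trailing blanks
            print
            exit
        }
        END { if (!found) print def }
    ' "$cfg"
}

# Report one directive when its value does not match the accepted ERE.
weak_count=0
report_if_weak() {
    keyword=$1 value=$2 accepted=$3 hardened=$4
    if printf '%s\n' "$value" | grep -Eiq "^($accepted)$"; then
        return 0
    fi
    printf 'WEAK  %-22s %-14s -> %s\n' "$keyword" "${value:-(unset)}" "$hardened"
    weak_count=$((weak_count + 1))
}

# Audit one file: findings on stdout, number of findings as the return value.
audit_sshd_config() {
    cfg=$1
    weak_count=0
    report_if_weak Protocol               "$(sshd_directive "$cfg" Protocol 2,1)"               '2' 'Protocol 2 (v1 is subject to message integrity attacks)'
    report_if_weak PermitRootLogin        "$(sshd_directive "$cfg" PermitRootLogin yes)"        'no|without-password|prohibit-password|forced-commands-only' 'PermitRootLogin no'
    report_if_weak PasswordAuthentication "$(sshd_directive "$cfg" PasswordAuthentication yes)" 'no' 'PasswordAuthentication no (rely on PubkeyAuthentication)'
    report_if_weak PubkeyAuthentication   "$(sshd_directive "$cfg" PubkeyAuthentication yes)"   'yes' 'PubkeyAuthentication yes'
    report_if_weak StrictModes            "$(sshd_directive "$cfg" StrictModes yes)"            'yes' 'StrictModes yes (refuse world-writable ~/.ssh)'
    report_if_weak Banner                 "$(sshd_directive "$cfg" Banner none)"                '/.+' 'Banner /etc/issue.net (acceptable-use warning before authentication)'
    report_if_weak SyslogFacility         "$(sshd_directive "$cfg" SyslogFacility AUTH)"        'AUTHPRIV' 'SyslogFacility AUTHPRIV (Red Hat default; records land in /var/log/secure)'
    report_if_weak LogLevel               "$(sshd_directive "$cfg" LogLevel INFO)"              'INFO|VERBOSE' 'LogLevel INFO or VERBOSE (DEBUG* is not for normal operation)'
    report_if_weak AllowTcpForwarding     "$(sshd_directive "$cfg" AllowTcpForwarding yes)"     'no' 'AllowTcpForwarding no unless forwarding is required'
    report_if_weak X11Forwarding          "$(sshd_directive "$cfg" X11Forwarding no)"           'no' 'X11Forwarding no unless required'
    # Neither AllowUsers nor AllowGroups has a default: absence means any account may try.
    allow="$(sshd_directive "$cfg" AllowUsers '') $(sshd_directive "$cfg" AllowGroups '')"
    allow=${allow# }; allow=${allow% }
    report_if_weak 'AllowUsers/AllowGroups' "$allow" '.+' 'AllowUsers or AllowGroups naming the permitted accounts'
    return "$weak_count"
}

# The hardened counterpart: a fragment that passes the audit above.
hardened_sshd_fragment() {
    cat <<'EOF'
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowGroups sshusers
StrictModes yes
Banner /etc/issue.net
SyslogFacility AUTHPRIV
LogLevel INFO
AllowTcpForwarding no
X11Forwarding no
EOF
}

# Constructed sample (not a real host's file): a permissive configuration.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
# sshd_config -- constructed sample
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
StrictModes no
LogLevel DEBUG3
X11Forwarding yes
EOF
hardened_sshd_fragment >"$HARD_CFG"
echo "== weak sample =="
audit_sshd_config "$WEAK_CFG" || echo "$? weak setting(s)"
echo "== hardened fragment =="
audit_sshd_config "$HARD_CFG" && echo "no weak settings"
rm -f "$WEAK_CFG" "$HARD_CFG"
```

Run it against a copy of the real /etc/ssh/sshd_config to get a list of directives to review; the return value is the number of findings, so it also works as a check in a configuration-management run.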
Client Configuration
- /etc/ssh/ssh_config
- Users may use command line options or their ~/.ssh/config to override
- Divided into Host sections
- Protocol directive
- Which versions of the SSH protocol to try, in which order
|
Client-side Server Authentication
- /etc/ssh/ssh_known_hosts
- Users may have ~/.ssh/known_hosts
- UserKnownHostsFile
- StrictHostKeyChecking
- Default (ask) lets users decide whether to accept an unknown server key
|
Client-side User Authentication
- User authentication methods to request
- PasswordAuthentication
- PubkeyAuthentication
- Key files and ~/.ssh/authorized_keys
- HostbasedAuthentication
- Methods actually available are under the control of the remote server
|
Protecting Private Keys
- Can password protect private keys
- ssh-agent can hold key passwords
- Enter passwords once at start of session
- Manage passwords with ssh-add
- Makes key theft harder, not impossible
|
authorized_keys Options
- Limits how a particular public key is used for authentication
- Comma-separated options precede the key on its line in authorized_keys
- from="hostpattern"
- command="command"
- no-port-forwarding
|
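The authorized_keys Options slide lists the three options that narrow what a key can do. The script below is an added example, not part of the course material: it parses an authorized_keys file, shows which of from=, command= and no-port-forwarding each SSHv2 key line carries, returns the number of keys with no options at all, and composes a restricted line in the documented option syntax. It assumes SSHv2 key lines only (SSHv1 "bits exponent modulus" lines are reported as unparsed) and the key material in the sample is constructed, not real.

```shell
#!/bin/sh
# Added example, not part of the RHS333 course material: list every SSHv2 key
# in an authorized_keys file with the restriction options on its line, flag the
# ones lacking from=, command= or no-port-forwarding, and build a restricted line.
# Assumptions: SSHv2 key lines only; a quoted command that itself contains a
# key-type word such as "ssh-rsa" would confuse the key-type search (not handled).

KEYTYPE_RE='^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$'

# Print one report line per key; return the number of keys with no options.
audit_authorized_keys() {
    awk -v ktre="$KEYTYPE_RE" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            kt = 0                                   # field index of the key type
            for (i = 1; i <= NF; i++) if ($i ~ ktre) { kt = i; break }
            if (!kt) { printf "%-4d UNPARSED %s\n", NR, $0; next }
            opts = ""                                # everything before the key type
            for (i = 1; i < kt; i++) opts = opts (i > 1 ? " " : "") $i
            comment = ""                             # everything after the base64 blob
            for (i = kt + 2; i <= NF; i++) comment = comment (i > kt + 2 ? " " : "") $i
            missing = ""
            if (opts !~ /(^|,)from="/)    missing = missing "from= "
            if (opts !~ /(^|,)command="/) missing = missing "command= "
            if (opts !~ /(^|,)(no-port-forwarding|restrict)(,|$)/) missing = missing "no-port-forwarding "
            if (opts == "") bare++
            printf "%-4d %-20s %-24s opts=[%s] missing: %s\n", NR, $kt,
                   (comment == "" ? "(no comment)" : comment), opts,
                   (missing == "" ? "none" : missing)
        }
        END { exit bare + 0 }
    ' "$1"
}

# Compose a single-purpose key line: source host pattern, forced command and
# the no-* options that disable every channel other than the command itself.
restrict_key() {
    # $1 = host pattern for from=, $2 = forced command, $3 = "type base64 [comment]"
    printf 'from="%s",command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1" "$2" "$3"
}

# Constructed sample file; the base64 blobs are placeholders, not real keys.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# authorized_keys -- constructed sample
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDCONSTRUCTED0001 alice@workstation
from="*.example.com",no-port-forwarding ssh-dss AAAAB3NzaC1kc3MAAACBCONSTRUCTED0002 backup@host
command="/usr/local/bin/backup-only --server",no-port-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDCONSTRUCTED0003 nightly-backup
EOF
audit_authorized_keys "$SAMPLE" || echo "$? key(s) carry no restriction options"
echo "== restricted line for a backup key =="
restrict_key '10.0.0.*' '/usr/bin/rrsync /srv/backup' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDCONSTRUCTED0004 backup@client'
rm -f "$SAMPLE"
```

Because command= replaces whatever the client asked to run, a key restricted this way is useful for one job only, and from= ties it to the hosts that job runs on; a stolen copy is then of little use elsewhere, which complements the passphrase protection described on the previous slide.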
stunnel
- Provides secure access to insecure services
- Wraps services that have no built-in cryptography in SSL
- Protect against interception of data
- Prevents data manipulation
|
Port Forwarding
- ssh and sshd can forward TCP traffic
- Obtuse syntax can be confusing
- -L clientport:host:hostport
- -R serverport:host:hostport
- Can be used to bypass access controls
- Requires successful authentication to remote sshd by client
- AllowTcpForwarding
|
X11 Forwarding
- Special case of port forwarding
- sshd forwards a port on the server over the SSH channel to client's local X server
- $DISPLAY and xauth keys are set on the server automatically
- An attacker who controls the remote server can eavesdrop on the client's X display
|
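The Port Forwarding slide notes that the -L and -R syntax is confusing; the confusion is about which end listens and which end makes the outbound connection, which is also what decides whether a forward crosses an access control. The function below is an added example, not part of the course material: it parses a forwarding specification (the three-field form on the slide and the four-field bind_address:port:host:hostport form OpenSSH also accepts), validates the ports, and states in plain words what each side does. The specifications it is run on are constructed.

```shell
#!/bin/sh
# Added example, not part of the RHS333 course material: parse an ssh -L / -R
# forwarding specification and explain which side listens, which side
# connects out, and what that means for access controls.

# Accept only an integer in 1..65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# explain_forward -L|-R spec
#   spec is port:host:hostport or bind_address:port:host:hostport
#   prints one line on stdout; returns 2 on a malformed spec
explain_forward() {
    flag=$1 spec=$2
    oldifs=$IFS; IFS=:; set -- $spec; IFS=$oldifs
    case $# in
        3) bind=localhost; port=$1; host=$2; hostport=$3 ;;
        4) bind=$1;        port=$2; host=$3; hostport=$4 ;;
        *) echo "malformed forwarding spec: $spec" >&2; return 2 ;;
    esac
    case $bind in ''|'*') bind='all interfaces' ;; esac   # empty or * binds every interface
    valid_port "$port" && valid_port "$hostport" || { echo "port out of range in: $spec" >&2; return 2; }
    case $flag in
        -L) printf 'ssh listens on %s:%s on the CLIENT; each connection is carried over the SSH channel and sshd connects to %s:%s FROM THE SERVER (the target sees the server, not the client, as the source)\n' \
                   "$bind" "$port" "$host" "$hostport" ;;
        -R) printf 'sshd listens on %s:%s on the SERVER; each connection is carried back over the SSH channel and ssh connects to %s:%s FROM THE CLIENT (a path from the server into the client network; refused when sshd sets AllowTcpForwarding no)\n' \
                   "$bind" "$port" "$host" "$hostport" ;;
        *)  echo "flag must be -L or -R" >&2; return 2 ;;
    esac
}

# Constructed specifications of the two shapes shown on the slide.
explain_forward -L 8080:intranet.example.com:80
explain_forward -R 2222:localhost:22
explain_forward -L 192.0.2.10:3306:db.example.com:3306
explain_forward -L 70000:host:80 || echo "rejected with status $?"
```

Read against the slide: a -L forward lets a client reach whatever the server can reach, and a -R forward lets the server reach whatever the client can reach. Either way the traffic is invisible to filters between the two SSH endpoints, which is why AllowTcpForwarding no (or the per-key no-port-forwarding option) is the control when a host is meant for interactive login only.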
End of Unit 7
- Questions and Answers
- Summary
- Server authentication
- User authentication
- Port forwarding security issues
|