Wise people learn when they can; fools learn when they must - Arthur Wellesley

Sunday, 28 December 2014

SSH in Solaris



What we are going to learn,

·         ssh basics
·         ssh files
·         ssh with / without Password
·         ssh config file modification [permit root login, banner]
·         ssh security [allow / deny users, hosts, groups]
·         ssh log generation


WHAT is SSH?

SSH (Secure Shell) is a secure communication protocol for accessing a remote host.

WHY is it used?

There are several other protocols for remote communication, such as rlogin, rcp, rsh and telnet. They all offer the same thing, "access to a remote host", so why do we need SSH?
SSH provides a secure connection between two remote hosts: whatever passes between the ssh client and the ssh server travels encrypted, whereas those older protocols send it in clear text.

WHEN to use it?

Every time we connect to another host.

WHERE does it run?

sshd listens on TCP port 22.

#cd /.ssh

This hidden directory (here under root's home directory, /) does not exist until we ssh to some system, or to the host itself, for the first time.

root@sol-tst-2:>/# ssh 0
The authenticity of host '0 (0.0.0.0)' can't be established.
RSA key fingerprint is d2:db:43:d2:e4:56:76:17:21:8e:3a:ec:49:9d:64:c7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '0,0.0.0.0' (RSA) to the list of known hosts.
Password:

After that, /.ssh is created automatically.

root@sol-tst-2:>/# ls -l /.ssh
total 2
-rw-r--r--   1 root     root         444 Dec 27 13:18 known_hosts

root@sol-test-1:>/# svcs -a |grep -i ssh
online         Dec_23   svc:/network/ssh:default

root@sol-test-1:>/# ps -elf |grep -i ssh
 0 S     root   618     1   0  70 20        ?    981        ?   Dec 23 ?           0:00 /usr/lib/ssh/sshd
 0 S     root  8186     1   0  41 20        ?    981        ? 17:03:35 ?           0:00 /usr/lib/ssh/sshd
 0 S     root 25679     1   0  70 20        ?    981        ? 21:59:14 ?           0:00 /usr/lib/ssh/sshd
 0 S     root   571     1   0  42 20        ?    981        ? 12:36:56 ?           0:00 /usr/lib/ssh/sshd
 0 S     root  1389     1   0  70 20        ?    981        ? 13:16:24 ?           0:00 /usr/lib/ssh/sshd
 0 S     root  8805  8650   0  40 20        ?    360        ? 21:18:57 pts/2       0:00 grep -i ssh

sshd is the daemon that serves incoming ssh connections.

root@sol-test-1:>/# ls -l /etc/ssh/
total 194
-rw-r--r--   1 root     sys        88301 Jan 22  2005 moduli
-rw-r--r--   1 root     sys          861 Jan 22  2005 ssh_config
-rw-------   1 root     root         668 Apr 25  2014 ssh_host_dsa_key
-rw-r--r--   1 root     root         605 Apr 25  2014 ssh_host_dsa_key.pub
-rw-------   1 root     root         887 Apr 25  2014 ssh_host_rsa_key
-rw-r--r--   1 root     root         225 Apr 25  2014 ssh_host_rsa_key.pub
-rw-r--r--   1 root     sys         4999 Apr 25  2014 sshd_config

root@sol-test-1:>/# pkginfo -x |grep -i ssh
SUNWsshcu                         SSH Common, (Usr)
SUNWsshdr                         SSH Server, (Root)
SUNWsshdu                         SSH Server, (Usr)
SUNWsshr                          SSH Client and utilities, (Root)
SUNWsshu                          SSH Client and utilities, (Usr)

root@sol-test-1:>/# which ssh
/usr/bin/ssh

HOW does ssh work?

SSH security is based on key pairs: each server and each user has its own unique keys,

Public key
Private key

The two keys are linked like a lock and its key: data encrypted with the public key can be decrypted only with the matching private key.

When establishing a connection, each side sends its public key to the other. Each side then encrypts data with the other side's public key, ensuring that the data can be decrypted only by the intended recipient.

When we ssh to a system, the client collects that system's public host key and stores it in /.ssh/known_hosts; on later connections the stored key is compared with the one the server presents, which is how a changed or impersonated host gets noticed.

With Password SSH…

Just ssh to the other system; it asks for a password, provide it and you are in.

Root login over ssh is disabled by default, and when we type ssh followed only by an IP address the client uses our current user name for the login, so from a root shell it tries to connect as root.

root@sol-tst-2:>/# ssh 192.168.234.133
Password:
Password:
Password:
Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).

I gave the root password of 192.168.234.133, but the login was denied because root login is disabled by default.

OK… there is a user anurag on 192.168.234.133, and I want to connect to that account on 192.168.234.133 from sol-tst-2.

root@sol-tst-2:>/# ssh anurag@192.168.234.133
Password:
Last login: Wed Dec 24 21:45:21 2014 from sol-tst-2
Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
-bash-3.2$ hostname
sol-test-1
-bash-3.2$

Without Password SSH…

Now I want to log in without typing a password. For that we need to do the following:

SYSTEM-1
Here the user anurag wants password-less login from SYSTEM-2, which means the public key of SYSTEM-2 has to be stored permanently under the .ssh directory in anurag's home directory.

We need to create an "authorized_keys" file under the .ssh directory of the home directory of the user who wants password-less login.

Well, first get the .pub key of SYSTEM-2.

SYSTEM-2
Generate the ssh keys
root@sol-tst-2:>/# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (//.ssh/id_rsa): [enter]
Enter passphrase (empty for no passphrase): [enter]
Enter same passphrase again: [enter]
Your identification has been saved in //.ssh/id_rsa.
Your public key has been saved in //.ssh/id_rsa.pub.
The key fingerprint is:
ae:91:8f:ea:42:fc:74:71:37:97:87:5a:fe:aa:c3:69 root@sol-tst-2

root@sol-tst-2:>/# cd /.ssh

root@sol-tst-2:>/.ssh# ls -l
-rw-------   1 root     root         883 Dec 27 15:00 id_rsa
-rw-r--r--   1 root     root         224 Dec 27 15:00 id_rsa.pub
-rw-r--r--   1 root     root         444 Dec 27 13:39 known_hosts

id_rsa and id_rsa.pub are generated.

We need to send id_rsa.pub to SYSTEM-1.

root@sol-tst-2:>/.ssh# scp id_rsa.pub 192.168.234.133:/tmp/
Password:
id_rsa.pub           100% |******************************************************|   224       00:00

ON SYSTEM-1

root@sol-test-1:>/# cd /tmp
root@sol-test-1:>/tmp# ls -l |grep *.pub
-rw-r--r--   1 root     root         224 Dec 24 23:06 id_rsa.pub

We need to put the contents of this file into the .ssh directory in user anurag's home directory,

/export/home/anurag/.ssh/

Here we create the "authorized_keys" file with the contents of id_rsa.pub:

root@sol-test-1:>/tmp# cat id_rsa.pub >/export/home/anurag/.ssh/authorized_keys

root@sol-test-1:>/tmp# svcadm restart ssh

ON SYSTEM-2

root@sol-tst-2:>/.ssh# svcadm restart ssh

root@sol-tst-2:>/# ssh anurag@192.168.234.133
Last login: Wed Dec 24 23:07:52 2014 from sol-tst-2
Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
-bash-3.2$

Great…

Let's do it again.

The keys are already generated; this time I will send the public key to a Linux system with IP 192.168.234.200.

root@sol-tst-2:>/.ssh# scp id_rsa.pub 192.168.234.200:/tmp/
root@192.168.234.200's password:
id_rsa.pub           100% |******************************************************|   224       00:00

ON LINUX SYSTEM

[root@rh-server ~]# cd /tmp
[root@rh-server tmp]# ls -l |grep *.pub
-rw-r--r--. 1 root root      224 Dec 27 15:25 id_rsa.pub

Here I want sol-tst-2 to log in to this server directly as root, so I have to put this .pub file into root's home directory.

[root@rh-server tmp]# cat id_rsa.pub >/root/.ssh/authorized_keys

[root@rh-server tmp]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]

root@sol-tst-2:>/# ssh 192.168.234.200
Last login: Sat Dec 27 15:26:43 2014 from 192.168.234.134
[root@rh-server ~]#
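The two setups above do the same thing by hand. The following is an added example, written for this page and not code from the post, that does it as a reusable function: it appends the key instead of overwriting authorized_keys with `>` (which would discard any key already there), skips a key that is already present, and sets the permissions sshd insists on (.ssh mode 700, authorized_keys mode 600, owned by the user), since sshd with its default StrictModes refuses a key file that is group- or world-writable. The key string used in the demonstration is constructed and not a real key. sshd reads authorized_keys at every login, so the service restarts in the post are not needed for this step; they do no harm either.

```shell
#!/bin/sh
# Added example, not from the original post: install a public key into a
# user's authorized_keys as the steps above do, but appending instead of
# overwriting, skipping a key that is already present, and setting the
# permissions sshd expects (.ssh mode 700, authorized_keys mode 600).
# Assumes only POSIX sh and awk. The home directory and key file are
# parameters, so it can be tried on a scratch directory; when run as root
# for another user, chown the .ssh directory and file to that user afterwards.

# install_pubkey HOME_DIR PUBKEY_FILE
# Exit status: 0 key added, 1 key was already present, 2 error.
install_pubkey() {
    home_dir=$1
    pubkey=$2
    sshdir="$home_dir/.ssh"
    authkeys="$sshdir/authorized_keys"

    [ -d "$home_dir" ] || { echo "no such home dir: $home_dir" >&2; return 2; }
    [ -s "$pubkey" ]   || { echo "empty or missing key: $pubkey" >&2; return 2; }

    # Compare only key type and key material ("ssh-rsa AAAA..."), so the
    # same key with a different trailing comment still counts as a duplicate.
    keymat=$(awk 'NR == 1 { print $1, $2 }' "$pubkey")
    [ -n "$keymat" ] || { echo "unparsable key: $pubkey" >&2; return 2; }

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authkeys"
    chmod 600 "$authkeys"

    # awk exits 0 when the key is already in the file, 1 otherwise.
    if awk -v k="$keymat" '($1 " " $2) == k { found = 1 } END { exit !found }' "$authkeys"; then
        return 1
    fi
    cat "$pubkey" >> "$authkeys"      # append, so other keys in the file survive
    return 0
}

# Demonstration on a scratch directory with a constructed, non-functional key.
demo_install() {
    tmp=$(mktemp -d)
    mkdir "$tmp/home"
    printf 'ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEYMATERIALNOTREAL== root@sol-tst-2\n' > "$tmp/id_rsa.pub"
    install_pubkey "$tmp/home" "$tmp/id_rsa.pub"; first=$?
    install_pubkey "$tmp/home" "$tmp/id_rsa.pub"; second=$?
    echo "first run: $first (added), second run: $second (already present)"
    ls -ld "$tmp/home/.ssh" "$tmp/home/.ssh/authorized_keys"
    rm -rf "$tmp"
}
demo_install
```

For the post's case the call would be `install_pubkey /export/home/anurag /tmp/id_rsa.pub` followed by `chown -R anurag /export/home/anurag/.ssh`.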


========================/////==============================

CONFIG ALTERATION…

The main config file, which controls sshd behaviour globally, is

/etc/ssh/sshd_config

Let's make some changes in the config file.

Permit root login

root@sol-test-1:>/# vi /etc/ssh/sshd_config

[Search for the parameter PermitRootLogin no and change it to yes]

PermitRootLogin yes

wq!

By doing this, other systems can log in to this system via ssh as root, but this system cannot log in as root to other systems until they permit root login in the same manner.

root@sol-test-1:>/# svcadm refresh ssh

Display Banner

I want anybody who logs in to this system via ssh to see a warning message.

Before that, I need to create a file containing the warning message.

root@sol-test-1:>/# vi /etc/ssh/banner
"/etc/ssh/banner" [New file]

THIS IS SECURE SYSTEM,
DON'T SMILE B'COZ UR ACTIVITIES ARE RECORDED

"TRESSPASSERS WILL BE EXECUTED"

        * *
         '

   HA HA HA HA HA HA

wq!

root@sol-test-1:>/# vi /etc/ssh/sshd_config

[add this to the end of file]

Banner /etc/ssh/banner

wq!

root@sol-test-1:>/# svcadm refresh ssh

Now check this,

root@sol-tst-2:>/# ssh anurag@192.168.234.133
THIS IS SECURE SYSTEM,
DON'T SMILE B'COZ UR ACTIVITIES ARE RECORDED

"TRESSPASSERS WILL BE EXECUTED"

        * *
         '

   HA HA HA HA HA HA
Last login: Wed Dec 24 23:26:47 2014 from sol-tst-2
Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
-bash-3.2$
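Editing sshd_config by hand as above works, but a scripted, idempotent change is easier to repeat and review. The following is an added example written for this page, not code from the post: set_sshd_option rewrites the first line for a keyword (commented out or not) or appends the directive if there is none, keeps a .bak copy and prints the diff; get_sshd_option reports the value sshd would use. The scratch file contents are constructed. After changing the real file, `svcadm refresh ssh` reloads sshd as in the post; OpenSSH's `sshd -t` checks the file for syntax errors before reloading where the installed sshd supports it, and `svcs ssh` should still show the service online afterwards.

```shell
#!/bin/sh
# Added example, not from the original post: change a directive in sshd_config
# the way the vi edits above do, but idempotently and with a backup. The first
# line for the keyword, commented out or not, is rewritten in place; if there
# is none, the directive is appended. sshd uses the first value it reads for a
# keyword, so a later duplicate, if any, is left alone and has no effect.
# Assumes POSIX sh, awk and diff; the file path is a parameter, so try it on a
# scratch copy before touching /etc/ssh/sshd_config.

# get_sshd_option CONFIG KEYWORD -> prints the effective value (first
# uncommented occurrence, keyword match is case-insensitive), or nothing.
get_sshd_option() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(key) { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# set_sshd_option CONFIG KEYWORD VALUE -> rewrites CONFIG, keeps CONFIG.bak,
# and shows the resulting difference.
set_sshd_option() {
    cfg=$1; key=$2; val=$3
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 2; }
    cp -p "$cfg" "$cfg.bak"
    awk -v key="$key" -v val="$val" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)     # drop leading "#" and blanks
            split(line, f, /[ \t]+/)
            if (!done && tolower(f[1]) == tolower(key)) {
                print key " " val                # replace the first occurrence
                done = 1
                next
            }
            print
        }
        END { if (!done) print key " " val }     # not present: append
    ' "$cfg.bak" > "$cfg"
    diff "$cfg.bak" "$cfg" || true
}

# Demonstration on a constructed excerpt resembling the Solaris defaults.
demo_config() {
    tmp=$(mktemp -d)
    printf '# constructed sshd_config excerpt\nPort 22\nPermitRootLogin no\n#Banner none\n' > "$tmp/sshd_config"
    set_sshd_option "$tmp/sshd_config" PermitRootLogin yes
    set_sshd_option "$tmp/sshd_config" Banner /etc/ssh/banner
    set_sshd_option "$tmp/sshd_config" DenyUsers "anurag test1 test2"
    echo "PermitRootLogin is now: $(get_sshd_option "$tmp/sshd_config" PermitRootLogin)"
    rm -rf "$tmp"
}
demo_config
```

A commented-out copy of a directive (for example `#Banner none`) is treated as the place to put the new value, which keeps the file readable; a comment that merely mentions a keyword as its first word would be replaced too, so read the diff before reloading.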


SECURITY---

HOST BLOCK…

On sol-test-1, I want every user from every host to be able to ssh in, except from sol-tst-2.

Let’s do this

root@sol-test-1:>/# vi /etc/ssh/sshd_config

[add this to the end of file]

DenyHosts sol-tst-2

wq!

root@sol-test-1:>/# svcadm refresh ssh

check this,

root@sol-tst-2:>/# ssh anurag@192.168.234.133
ssh: connect to host 192.168.234.133 port 22: Connection refused

USER BLOCK…
Users whose names are in the DenyUsers list cannot log in to this system from anywhere.

We can block users in the same way by adding

DenyUsers anurag test1 test2

at the end of /etc/ssh/sshd_config.


Group Block…

In the same manner we can deny groups as well, like

DenyGroups xxxxx

Allow Users…

Well… here we have both an allow-users and a deny-users parameter,

but I don't think there is any sense in listing users in the allow list.
Better,
if there are only a few particular users to keep out, they can be listed in

DenyUsers  user1 user2 user3

Except these 3 users, everybody else will be allowed.
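To see how these four directives interact, here is an added example (not from the post) that predicts sshd's decision for a user from a given sshd_config, following the order OpenSSH documents: DenyUsers is checked first, then AllowUsers, then DenyGroups, then AllowGroups. A name in DenyUsers is refused no matter what, and once AllowUsers or AllowGroups is set, anyone not matched by it is refused, which is the stricter allow-list approach. The sample config and group memberships are constructed. One caveat on the host block above: DenyHosts is not among the keywords OpenSSH's sshd_config documents, and "Connection refused" means nothing was listening on port 22 at all rather than that sshd rejected the client, so after any config edit run `svcs -x ssh` to confirm the service is still online. Blocking a single source address in OpenSSH is done with a Match Address block, or with TCP wrappers (/etc/hosts.deny) where sshd is built with that support.

```shell
#!/bin/sh
# Added example, not from the original post: predict whether a user passes the
# DenyUsers / AllowUsers / DenyGroups / AllowGroups checks in a given
# sshd_config, in the order OpenSSH documents: DenyUsers first, then
# AllowUsers, then DenyGroups, then AllowGroups. Patterns use sh "case"
# globbing, which covers the * and ? wildcards sshd accepts; the user@host
# form is not modelled. The user's groups are passed in, so the script does
# not read the system databases. Assumes POSIX sh and awk.

# get_sshd_option CONFIG KEYWORD -> first uncommented value, or nothing
get_sshd_option() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(key) { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# match_any NAME "PATTERN PATTERN ..." -> 0 if NAME matches any pattern
match_any() {
    name=$1
    set -f                  # split the pattern list without filename globbing
    set -- $2
    set +f
    for pat in "$@"; do
        case $name in $pat) return 0 ;; esac
    done
    return 1
}

# user_allowed CONFIG USER "GROUP GROUP ..." -> prints the deciding rule;
# exit status 0 = would be allowed, 1 = would be refused.
user_allowed() {
    cfg=$1; user=$2; groups=$3
    deny_u=$(get_sshd_option "$cfg" DenyUsers)
    allow_u=$(get_sshd_option "$cfg" AllowUsers)
    deny_g=$(get_sshd_option "$cfg" DenyGroups)
    allow_g=$(get_sshd_option "$cfg" AllowGroups)

    if [ -n "$deny_u" ] && match_any "$user" "$deny_u"; then
        echo "denied: $user matches DenyUsers"; return 1
    fi
    if [ -n "$allow_u" ] && ! match_any "$user" "$allow_u"; then
        echo "denied: $user is not in AllowUsers"; return 1
    fi
    for g in $groups; do
        if [ -n "$deny_g" ] && match_any "$g" "$deny_g"; then
            echo "denied: group $g matches DenyGroups"; return 1
        fi
    done
    if [ -n "$allow_g" ]; then
        for g in $groups; do
            if match_any "$g" "$allow_g"; then
                echo "allowed: group $g is in AllowGroups"; return 0
            fi
        done
        echo "denied: no group of $user is in AllowGroups"; return 1
    fi
    echo "allowed: no rule matched $user"; return 0
}

# Demonstration on a constructed sshd_config; the DenyUsers line is the one
# from the section above, the AllowGroups line is made up.
demo_access() {
    tmp=$(mktemp -d)
    printf 'DenyUsers anurag test1 test2\nAllowGroups staff wheel\n' > "$tmp/sshd_config"
    for u in anurag bob carol; do
        case $u in bob) g="staff other" ;; *) g="other" ;; esac
        user_allowed "$tmp/sshd_config" "$u" "$g" || true
    done
    rm -rf "$tmp"
}
demo_access
```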

==========================/////================================

SSH LOGS…

Have you noticed that we have done so many things with ssh, but we have not got a single log entry apart from the service restarts?
It is very important to know who logged in from where, but at this stage we are empty-handed.

Well… we can find this out via the last command, but I want it specifically as an ssh log.

Let's enable the ssh log.

root@sol-test-1:>/# vi /etc/syslog.conf

[this is the line we need]

#auth.notice     ifdef(`LOGHOST', /var/log/authlog, @loghost)

[change auth.notice to auth.info and remove the #]

auth.info        ifdef(`LOGHOST', /var/log/authlog, @loghost)

wq!

Restart the log service

root@sol-test-1:>/# svcadm restart system/system-log

Great… all set,

Let’s verify this

root@sol-tst-2:>/# ssh 192.168.234.133
Password:

root@sol-test-1:>/# cat /var/log/authlog
Dec 27 16:34:56 sol-test-1 sshd[3694]: [ID 800047 auth.info] Accepted keyboard-interactive for root from 192.168.234.134 port 32863 ssh2

root@sol-tst-2:>/# ssh anurag@192.168.234.133
Last login: Wed Dec 24 23:55:51 2014 from sol-tst-2
Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
-bash-3.2$

root@sol-test-1:>/# cat /var/log/authlog
Dec 27 16:35:31 sol-test-1 sshd[3711]: [ID 800047 auth.info] Accepted publickey for anurag from 192.168.234.134 port 32864 ssh2
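With auth.info logging on, the next step is reading the log. Here is an added example, not from the post, that summarises authlog lines of the form above: who logged in from where with which method, and which sources are piling up failures. The first two sample lines are the real entries from the post; the Failed lines are constructed for the example. One Solaris detail worth knowing before editing syslog.conf: the selector (auth.info) and the action must be separated by a tab, not spaces, or syslogd ignores the line.

```shell
#!/bin/sh
# Added example, not from the original post: summarise /var/log/authlog
# entries of the kind shown above. The sample below is constructed for this
# example (the two Accepted lines copy the post's entries, the Failed lines
# are made up); in production feed the real file instead. Assumes POSIX sh
# and awk.

SAMPLE_AUTHLOG=$(cat <<'EOF'
Dec 27 16:34:56 sol-test-1 sshd[3694]: [ID 800047 auth.info] Accepted keyboard-interactive for root from 192.168.234.134 port 32863 ssh2
Dec 27 16:35:31 sol-test-1 sshd[3711]: [ID 800047 auth.info] Accepted publickey for anurag from 192.168.234.134 port 32864 ssh2
Dec 27 16:40:02 sol-test-1 sshd[3720]: [ID 800047 auth.info] Failed keyboard-interactive for root from 192.168.234.200 port 40110 ssh2
Dec 27 16:40:05 sol-test-1 sshd[3720]: [ID 800047 auth.info] Failed keyboard-interactive for root from 192.168.234.200 port 40110 ssh2
Dec 27 16:40:09 sol-test-1 sshd[3720]: [ID 800047 auth.info] Failed keyboard-interactive for root from 192.168.234.200 port 40110 ssh2
EOF
)

# auth_summary < authlog -> one line per (result, user, source, method):
# "Accepted anurag 192.168.234.134 publickey 1"
auth_summary() {
    awk '
        /sshd\[[0-9]+\]:/ && (/ Accepted / || / Failed /) {
            # Locate the verb, so the [ID ...] prefix (or its absence) does not matter.
            for (i = 1; i <= NF; i++) if ($i == "Accepted" || $i == "Failed") break
            result = $i; method = $(i + 1)
            # The user is the word before "from", the source the word after it;
            # this also copes with "for invalid user NAME from ...".
            for (j = i; j <= NF; j++) if ($j == "from") break
            if (j > NF) next
            user = $(j - 1); src = $(j + 1)
            n[result " " user " " src " " method]++
        }
        END { for (k in n) print k, n[k] }
    ' | sort
}

# failed_from SOURCE < authlog -> number of failed attempts from that address
failed_from() {
    awk -v src="$1" '
        / Failed / { for (i = 1; i <= NF; i++) if ($i == "from" && $(i + 1) == src) c++ }
        END { print c + 0 }
    '
}

# Demonstration on the constructed sample; for the live log use:
#   auth_summary < /var/log/authlog
printf '%s\n' "$SAMPLE_AUTHLOG" | auth_summary
echo "failures from 192.168.234.200: $(printf '%s\n' "$SAMPLE_AUTHLOG" | failed_from 192.168.234.200)"
```

Run over the real file, the Accepted lines give the who/where/how the section asks for, and a source with many Failed lines and no Accepted line is the first thing to look at.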

=====================/////==============================

scp is used to copy files between hosts over ssh,

and sftp works like ftp, but over the secure ssh connection.
