ASR 01 (Telnet - r)


Transcript of ASR 01 (Telnet - r)

  • 8/11/2019 ASR 01 (Telnet - r)

    1/52

    INTERNET SERVICES

    M.Sc. Julio Santisteban Pablo

2/52

r - Utilities

SSH

3/52

r - UTILITIES

4/52

The "r" Utilities

Once upon a time, people thought they had a need to be able to "easily" access other machines without going through a normal login.

Out of this desire, the "r-commands" were born:

rcp - remote file copy
rlogin - remote login
rsh, remsh, remote_shell - variants of remote shell
rwho - who is logged on other systems on your net

5/52

rcp - Remote File Copy

rcp allows you to copy files between systems.

Syntax: rcp [-p] filename1 filename2
    or: rcp [-pr] filename directory

-p  try to give each copy the same modification times, access times, and access rights as the original file
-r  copy each subtree rooted at filename; the destination must be a directory
filename  either a local file (containing no : or \ characters) or a remote filename of the form hostname:path or username@hostname:path

6/52

rlogin - Remote Login

Allows you to establish a remote login from your terminal to another host.

Syntax: rlogin [-8EL] [-e c] [-l username] hostname

-8  pass 8-bit data across the net instead of 7-bit data
-e c  specify a different escape character (c) for the line used to disconnect from the remote host
-E  stop any character from being recognized as an escape
-l username  login as a different username than your current local login
hostname  hostname of the remote machine

7/52

rsh, remsh, remote_shell - Remote Shell

rsh (or its variants) lets you connect to a remote machine and execute a specified command.

Syntax: rsh [-n] [-l username] hostname command

-n  redirect the input of rsh to /dev/null
-l username  username for login on the remote machine if different from the login name on the local machine
hostname  hostname of the remote system
command  command to execute on the remote system

Note: interactive commands, such as vi,

8/52

rwho - Remote who

Display a list of users logged into all systems in your network.

Syntax: rwho [-a]

-a  report all users regardless of whether they have been idle for more than an hour

rwho does not work through gateways.
The directory /var/spool/rwho must exist on the machine you run rwho from.
For large networks, the network bandwidth costs of rwho may well be prohibitive.

9/52

Did I mention passwords?

The /etc/hosts.equiv and .rhosts files provide the "remote authentication" database for rlogin, rsh, and rcp.

The files specify remote hosts and users that are considered "trusted". Trusted users are allowed to access the local system without supplying a password.

The /etc/hosts.equiv file applies to the entire system, while individual users can maintain their own .rhosts files in their home directories.

These files bypass the standard password-based user authentication mechanism.

10/52

The remote authentication procedure determines whether a user from a remote host should be allowed to access the local system with the identity of a local user.

This procedure first checks the /etc/hosts.equiv file and then checks the .rhosts file in the home directory of the local user who is requesting access.

Entries in these files can be of two forms. Positive entries allow access, while negative entries deny access.

Did I mention passwords?

11/52

The authentication succeeds when a matching positive entry is found.

The procedure fails when the first matching negative entry is found, or if no matching entries are found in either file.

The order of entries is important. If the files contain both positive and negative entries, the entry that appears first will prevail.

The rsh and rcp programs fail if the remote authentication procedure fails. The rlogin program falls back to the standard password-based login procedure if the remote authentication fails.

Did I mention passwords?

12/52

Notes from the man page

When a system is listed in hosts.equiv, its security must be as good as local security. One insecure system listed in hosts.equiv can compromise the security of the entire system.

Because of the security issues, many systems no longer allow rcp, rlogin, or rsh. Instead, use something like ssh, the secure shell.
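The following is an added example, not part of the slides or of any real r-command implementation. It models the lookup order described on slides 10 through 12 (hosts.equiv first, then the local user's .rhosts, first matching entry prevails, a leading "-" makes an entry negative) and adds an audit step that flags the wildcard "+" entries the man-page warning on slide 12 is really about. The file contents, hostnames and user names are constructed; the rule that a missing user field means "same user name on both sides" is a simplification of the BSD semantics.

```python
"""Model of the r-command "remote authentication" check (slides 10-12).
Added example: not the slides' code, not any system's implementation.
File contents below are constructed sample data."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Entry:
    host: str              # hostname, or "+" for any host
    user: Optional[str]    # remote user, "+" for any user, None = must equal local user
    negative: bool         # "-" prefix on host or user: a matching entry denies


def parse_entries(text: str) -> List[Entry]:
    """Parse hosts.equiv / .rhosts lines: 'host [user]', '#' comments, '-' negation."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        host, user = parts[0], (parts[1] if len(parts) > 1 else None)
        negative = False
        if host.startswith("-"):
            negative, host = True, host[1:]
        if user is not None and user.startswith("-"):
            negative, user = True, user[1:]
        entries.append(Entry(host, user, negative))
    return entries


def matches(e: Entry, remote_host: str, remote_user: str, local_user: str) -> bool:
    host_ok = e.host == "+" or e.host.lower() == remote_host.lower()
    if e.user is None:
        user_ok = remote_user == local_user   # "equivalent" user: same name on both hosts
    else:
        user_ok = e.user == "+" or e.user == remote_user
    return host_ok and user_ok


def remote_auth(hosts_equiv: str, rhosts: str, remote_host: str,
                remote_user: str, local_user: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Order matters: the first matching entry prevails,
    and /etc/hosts.equiv is consulted before the local user's ~/.rhosts."""
    for source, text in (("/etc/hosts.equiv", hosts_equiv), ("~/.rhosts", rhosts)):
        for e in parse_entries(text):
            if matches(e, remote_host, remote_user, local_user):
                if e.negative:
                    return False, f"negative entry in {source}"
                return True, f"positive entry in {source}"
    return False, "no matching entry"


def audit_wildcards(text: str, path: str) -> List[str]:
    """Flag positive entries that trust any host or any user: these make the
    password bypass system-wide, which is the risk slide 12 describes."""
    findings = []
    for e in parse_entries(text):
        if not e.negative and (e.host == "+" or e.user == "+"):
            findings.append(f"{path}: wildcard trust entry host={e.host} user={e.user}")
    return findings


# Constructed sample files (not from any real system).
HOSTS_EQUIV = """\
# constructed sample
trusted.example.com
-badhost.example.com
"""
RHOSTS_ALICE = """\
workstation.example.com bob
-evil.example.com
"""
RISKY_HOSTS_EQUIV = "+ +\n"   # the classic "trust every user from every host" entry

if __name__ == "__main__":
    cases = [("trusted.example.com", "alice"), ("trusted.example.com", "mallory"),
             ("badhost.example.com", "alice"), ("workstation.example.com", "bob"),
             ("evil.example.com", "alice"), ("unknown.example.com", "alice")]
    for host, ruser in cases:
        print(host, ruser, "->", remote_auth(HOSTS_EQUIV, RHOSTS_ALICE, host, ruser, "alice"))
    print(audit_wildcards(RISKY_HOSTS_EQUIV, "/etc/hosts.equiv"))
```

Running the script shows why the deck keeps asking "did I mention passwords?": none of the decisions involve one. The "trusted.example.com mallory" case is denied only because the entry has no user field and the names differ; a single "+ +" line in hosts.equiv, as the audit function flags, would let any name from any host in.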

13/52

Local login

[Figure: user at a terminal -> terminal driver (kernel) -> login shell]

14/52

TELNET Client and Server

[Figure: user at a terminal -> terminal driver -> TELNET/rlogin client -> TCP/IP (client kernel) -> TCP/IP (server kernel) -> TELNET/rlogin server -> pseudo-terminal driver -> fork shell, set uid]

Only ONE TCP connection!!!

15/52

Network Virtual Terminal

16/52

rlogin Protocol Start-up

Specified in RFC 1282.

Uses a single TCP connection. The rlogin process uses TCP port 513.

Protocol between client and server after the connection is set up:

Client writes 4 strings to server:
  a byte of 0
  login name of user on client, terminated by a byte of 0
  login name of user on server, terminated by a byte of 0
  name of user's terminal type, a slash, terminal speed, terminated by a byte of 0
  (\0John\0John\0ibmpc3/9600\0)

Server responds with a byte of 0.
Optionally the server can ask the user for a password.
Server sends a request to client asking for the terminal's window size.

17/52

Interactive input

[Figure: client keystroke -> server; server echo -> client display]

18/52

Flow control

Done by client: the user types Control-S or Control-Q, asking the SERVER to stop sending data, or start sending data.
  Control-S  stop writing to the network
  Control-Q  start writing to the network

Control by Server

19/52

Server to Client Commands

Need to mark command bytes because only one TCP connection is used. Use TCP's urgent mode to mark command bytes.

To send a command to the client, the server enters urgent mode and makes the command byte the last byte of urgent data.

Four command bytes:
  0x02: client flushes output
  0x10: client stops performing flow control
  0x20: client resumes flow control
  0x80: client sends current window size to server immediately and notifies server if changing window size

20/52

Client to Server Command

When the client receives command 0x80 from the server, the client needs to send the window size to the server.

This command needs to be marked:
  2 bytes of 0xff
  2 flag bytes of ASCII char s
  4 16-bit values: #rows, #chars per row, #pixels in X direction, #pixels in Y direction
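As an added example (not code from the slides or from any rlogin implementation), the encoder and decoder below put the start-up message of slide 16, the server command bytes of slide 19 and the window-size message of slide 20 into working form. The sample values are the slides' own "John/ibmpc3/9600" plus a constructed 24x80 window; the big-endian ("network order") packing of the four 16-bit values follows RFC 1282. Everything here travels as plain text, including both login names, which is the weakness the SSH half of the deck exists to fix.

```python
"""rlogin start-up, server command bytes and window-size messages (RFC 1282).
Added example: not the slides' code; sample values constructed."""
import struct

# Server-to-client command bytes (slide 19); each is sent as the last byte of
# TCP urgent data so the client can tell it apart from ordinary output.
SERVER_COMMANDS = {
    0x02: "flush output",
    0x10: "stop flow control",
    0x20: "resume flow control",
    0x80: "send window size now and on every change",
}

# Client-to-server window-size marker (slide 20): two 0xff bytes, two ASCII 's'.
WINDOW_MAGIC = b"\xff\xffss"


def build_startup(client_user: str, server_user: str, term_type: str, speed: int) -> bytes:
    """Encode the zero byte plus three zero-terminated fields the client writes first."""
    fields = (client_user, server_user, f"{term_type}/{speed}")
    for f in fields:
        if "\0" in f:
            raise ValueError("fields may not contain a zero byte")
    return b"\0" + b"".join(f.encode("ascii") + b"\0" for f in fields)


def parse_startup(data: bytes):
    """Server-side decode. Returns (fields, bytes consumed); raises on truncation."""
    if not data or data[0] != 0:
        raise ValueError("start-up message must begin with a zero byte")
    fields = []
    pos = 1
    for _ in range(3):
        end = data.find(b"\0", pos)
        if end < 0:
            raise ValueError("truncated start-up message")
        fields.append(data[pos:end].decode("ascii"))
        pos = end + 1
    client_user, server_user, term_speed = fields
    term_type, sep, speed = term_speed.partition("/")
    if not sep or not speed.isdigit():
        raise ValueError("terminal field must be type/speed")
    return ({"client_user": client_user, "server_user": server_user,
             "term_type": term_type, "speed": int(speed)}, pos)


def build_window_size(rows: int, cols: int, xpixels: int, ypixels: int) -> bytes:
    """Client reply to command 0x80: marker plus four 16-bit big-endian values."""
    return WINDOW_MAGIC + struct.pack("!4H", rows, cols, xpixels, ypixels)


def parse_window_size(data: bytes) -> dict:
    if len(data) < 12 or data[:4] != WINDOW_MAGIC:
        raise ValueError("not a window-size message")
    rows, cols, xpixels, ypixels = struct.unpack("!4H", data[4:12])
    return {"rows": rows, "cols": cols, "xpixels": xpixels, "ypixels": ypixels}


def describe_command(byte: int) -> str:
    return SERVER_COMMANDS.get(byte, f"unknown command 0x{byte:02x}")


if __name__ == "__main__":
    msg = build_startup("John", "John", "ibmpc3", 9600)   # slide 16's example
    print(msg)                                            # b'\x00John\x00John\x00ibmpc3/9600\x00'
    print(parse_startup(msg))
    print(describe_command(0x80))
    print(parse_window_size(build_window_size(24, 80, 640, 480)))
```

parse_startup reports how many bytes it consumed because the client's window-size reply and ordinary keystrokes follow on the same TCP connection; a server that splits on the wrong boundary would treat the remaining bytes as input.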

21/52

rlogin Client Escape

Talk to the client directly instead of sending the input to the server.

Start with a tilde ~, followed by one of four characters:
  . : terminate client
  EOF (Ctrl-D): terminate client
  Job control suspend char (Ctrl-Z): suspend client
  Job control delayed suspend char (Ctrl-Y): suspend only client input but keep server output

22/52

Bill Joy

William Nelson Joy (born November 8, 1954), commonly known as Bill Joy, is an American computer scientist.

As a UC Berkeley graduate student, Joy worked for Fabry's Computer Systems Research Group (CSRG) in managing the BSD support and rollout, where many claim he was largely responsible for managing the authorship of BSD UNIX, from which sprang many modern forms of UNIX, including FreeBSD, NetBSD, and OpenBSD. Apple Inc. has based much of the Mac OS X kernel and OS Services on the BSD technology.

Some of his most notable contributions were the vi editor, NFS, and csh.

23/52

SSH

24/52

SSH - The Secure Shell Protocol

SSH provides secure replacements for rsh, rlogin, rcp, ftp, and telnet, all of which transmit data over the network as clear text.

The SSH protocol was developed in 1995 to address the various security issues associated with the "r-commands".

Developed by Tatu Ylönen, a researcher at the Helsinki University of Technology. Motivated by a password-sniffing attack on the university network.

Note: Following figures are from "SSH, The Secure Shell" by Daniel J. Barrett and Richard E. Silverman.

25/52

SSH Architecture

The SSH protocol is based on a client/server architecture.

A user who wants to connect to a remote host will execute the ssh command (the client) on his local machine. It will connect to the remote computer's ssh daemon (the server).

There are two primary versions of the SSH protocol:
  SSH-1
  SSH-2

26/52

SSH Architecture

27/52

SSH-2 Specifics

SSH-2 is a complete rewrite of SSH-1 that improves both security and performance.

It also supports two forms of encryption:
  RSA (Rivest-Shamir-Adleman), patented until September 21, 2000
  DSA (Digital Signature Algorithm), non-patented

SSH-2 uses a three layer architecture.

Transport layer: usually runs over TCP/IP. Responsible for data encryption, host authentication, and data integrity by including a message authentication code (MAC) in each data packet.

28/52

29/52

SSH-2 Specifics

The user authentication layer assumes the transport layer is providing data encryption and integrity. Responsible for actually logging a user onto the remote server, authenticating the user, and requesting specific services from the server.

The connection layer assumes that the two lower layers are providing security and user authentication. Used to open channels for pseudo terminals, port forwarding, and X11 forwarding. This allows you to run applications such as xterms and have them communicate securely.

30/52

Authentication, Encryption, and Integrity

31/52

Using SSH

Although SSH is a protocol, there are several utilities provided with most SSH implementations:
  ssh     replacement for rsh, basically a secure telnet
  scp     secure file copy
  slogin  secure replacement for rlogin, generally simply a link to ssh
  sftp    a secure version of ftp

There are also several utilities for managing

32/52

ssh

Syntax: ssh [-l username] remotehost

-l username  username you want to use on the remote machine; ssh defaults to your login id on the local machine
remotehost   name of the remote machine if on the local network, or fully qualified internet name if on a remote network
  neptune
  neptune.dcccd.edu

You can also provide the username with the remotehost name:
  ssh [email protected]

33/52

scp

Syntax: scp source_file destination_file

source_file and destination_file can either or both use the full user and system name like in ssh:
  scp [email protected]:my_file my_local_file

34/52

sftp

Syntax is similar to ftp. Has several advantages:
  It's secure.
  Multiple file commands can be performed in one sftp session; scp requires a separate session for each action.
  It has command line editing, similar to the emacs mode of ksh.
  Regular expression matching for filenames.

However, it does not have separate ASCII and binary transfer modes, so if you move text files between Unix and Windows, you will have to handle line ending conversion.

35/52

User Authentication

All of the previous commands will ask you to supply the password for the remote system.

Passwords have several problems:
  Good passwords are hard to remember.
  If a password is sent across the net, even encrypted, it can still be captured if the remote host has been compromised.

SSH has the option to use public-key authentication instead.

36/52

Key-Based Cryptography

In the world of cryptography, a key is a computer-generated numeric value that cryptographic algorithms (such as RSA and DSA) use for the purpose of encrypting or decrypting data.

The key can be of various lengths, with longer keys providing more secure encryption.

You may have heard people referring to 512-bit or 1024-bit encryption; they were talking about the length of the key.

37/52

Key-Based Cryptography

Secure protocols such as SSH use these keys to authenticate users and hosts.

Authentication is the act of ensuring that a given host or user is who they say they are, and not an imposter.

There are two types of keys -- private and public.

There are also two different methods for using those keys to authenticate users and hosts:
  Private key cryptography
  Public key cryptography

38/52

Private Key Cryptography

Private key cryptography (aka symmetric cryptography, because one key is used to both encrypt and decrypt messages) was the first popular key-based cryptographic method.

It involved generating an encryption key and then sharing that key only with people that you trust. Having your private key allowed people to encrypt messages to you and decrypt messages or data from you.

39/52

Private Key Cryptography

The problem was if someone got hold of your private key (which had to be passed around a bit if anyone was going to be able to encrypt or decrypt messages to or from you), or if you lost your private key, anyone who gained access to that key could then read all of your transmissions.

40/52

Public Key Cryptography

Public key encryption (aka asymmetric cryptography, because different keys of different lengths are used to encrypt and decrypt messages) took a different approach to the problem.

With public key cryptography, there are two keys:
  A private key that only you use
  A public key that anyone can have access to

The private and public keys are both generated at the same time, using the same

41/52

Public Key Cryptography

If someone wants to send you a message, they encrypt the message by using your public key. Only you are able to decrypt it with your private key.

Private keys are never exchanged or sent over the network.

This also makes it possible to identify yourself by signing your e-mail with a digital certificate or signature that can only be decrypted with your public key.
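To make the two relationships on slides 40 and 41 concrete, here is textbook RSA with tiny classroom primes as an added example (not code from the slides, and not how any SSH implementation does it): the two keys fall out of one computation, a message encrypted with the public key decrypts only with the private key, and a value produced with the private key checks out against the public key. The primes p=61 and q=53 and the public exponent e=17 are the usual teaching values and carry no security; real SSH keys are thousands of bits and use padding, which this toy omits.

```python
"""Textbook RSA on tiny primes, illustrating slides 40-41.
Added example: not the slides' code; constants are classroom values, not secure."""
from math import gcd
from typing import NamedTuple, Tuple


class PublicKey(NamedTuple):
    n: int
    e: int


class PrivateKey(NamedTuple):
    n: int
    d: int


def generate_keypair(p: int, q: int, e: int = 17) -> Tuple[PublicKey, PrivateKey]:
    """Both keys come out of the same computation (slide 40):
    n = p*q is public, d = e^-1 mod phi(n) is private."""
    if p == q:
        raise ValueError("p and q must differ")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return PublicKey(n, e), PrivateKey(n, d)


def encrypt(m: int, pub: PublicKey) -> int:
    """Anyone holding the public key can do this."""
    if not 0 <= m < pub.n:
        raise ValueError("message must be an integer below n")
    return pow(m, pub.e, pub.n)


def decrypt(c: int, priv: PrivateKey) -> int:
    """Only the private-key holder can undo encrypt()."""
    return pow(c, priv.d, priv.n)


def sign(m: int, priv: PrivateKey) -> int:
    """Only the private-key holder can produce this value for m."""
    return pow(m, priv.d, priv.n)


def verify(m: int, sig: int, pub: PublicKey) -> bool:
    """Anyone with the public key can check the signature (slide 41's
    'signature that can only be decrypted with your public key')."""
    return pow(sig, pub.e, pub.n) == m


PUB, PRIV = generate_keypair(61, 53)   # n = 3233, e = 17, d = 2753

if __name__ == "__main__":
    c = encrypt(65, PUB)
    print("ciphertext", c, "-> plaintext", decrypt(c, PRIV))   # 2790 -> 65
    s = sign(65, PRIV)
    print("signature verifies:", verify(65, s, PUB), "| tampered message:", verify(66, s, PUB))
```

The same pair of operations is what SSH public-key authentication rests on: the server keeps only your public key in authorized_keys and asks the client to prove it holds the private key, so nothing that could be replayed ever leaves your machine.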

42/52

Public-key Authentication

43/52

Passphrases

All of the ssh client commands ask for a passphrase in order to decrypt your private key. If you transfer multiple files using scp, you will have to enter your passphrase each time.

Wouldn't it be nice if your machine would remember your passphrase for you?

SSH has a concept called agents. Agents keep your private keys in memory and provide authentication services to ssh clients. By using agents, you only have to provide your passphrase once for each login.

44/52

How the SSH Agent Works

45/52

SSH Login Annoyances

SSH is great, but it's annoying to have to type your password/passphrase every time you log in, run a remote command or copy some files across the network.

SSH doesn't allow ~/.rhosts functionality for security reasons.

Passphrase-less keys are quite insecure and not recommended practice.

Can users log in securely without typing their password all the time?

46/52

The SSH Agent

The agent solves these problems. Only available for key-based login, however.

You authenticate once to the agent at the beginning of your session. The agent holds your SSH private keys in memory and provides them to ssh and scp commands when necessary. You don't have to unlock them each time.

The agent goes away when you log out, so unlocked keys are never stored on disk.

47/52

Preparing To Use The Agent

First, get key-based login working.

Distribute your public key to all non-CUE hosts you need to log into. CUE hosts all share your home directory so the key is already there.
  scp -p ~/.ssh/authorized_keys remotehost:/home//.ssh

Use normal SSH and make sure you're prompted for a passphrase and not a password.

48/52

Using the Agent Interactively

Run ssh-agent -c to start the agent. It will print some output that you need to type into the same shell or cut-n-paste. Save yourself some typing and do it the clever way. Now other commands in the same window will be able to use the agent.

  jlabs2:/home/jdoe> ssh-agent -c
  setenv SSH2_AUTH_SOCK /tmp/ssh-jdoe/ssh2-8765-agent;
  setenv SSH2_AGENT_PID 8766;
  echo Agent pid 8766;

  jlabl1:/home/jdoe> eval `ssh-agent -c`
  Agent pid 8766

49/52

Logging In To The Agent

Use the ssh-add command to authenticate yourself to the agent. After you do this, you won't need to log in with SSH or scp!

  jlabl1:/home/jdoe> ssh-add
  Enter passphrase for /home/jdoe/.ssh/id_dsa:
  Identity added: /home/jdoe/.ssh/id_dsa
  jlabl1:/home/jdoe> ssh-add -l
  2048 6e:ef:22:a4:83:a1:98:39:22:44:57:21:2c:ee:d3:33 /home/jdoe/.ssh/id_dsa (DSA)
  jlabl1:/home/jdoe> ssh jlabs1
  [login proceeds normally without a password]
  jlabs1:/home/jdoe>

50/52

Uses

For login to a shell on a remote host (replacing Telnet and rlogin)
For executing a single command on a remote host (replacing rsh)
For copying files from a local server to a remote host. See SCP, as an alternative for rcp
In combination with SFTP, as a secure alternative to FTP file transfer
In combination with rsync to backup, copy and mirror files efficiently and securely
For forwarding or tunneling a port (not to be confused with a VPN, which routes packets between different networks or bridges two broadcast domains into one)
For using as a full-fledged encrypted VPN. Note that only OpenSSH server and client support this feature
For forwarding X from a remote host (possible through multiple intermediate hosts)
For browsing the web through an encrypted proxy connection with SSH clients that support the SOCKS protocol
For securely mounting a directory on a remote server as a filesystem on a local computer using SSHFS

51/52

Uses

Port forwarding
  ssh -L localport:tohost:toport remotehost
  Tunnels localhost:localport to remotehost's resolution of tohost:toport
  Can use to punch through firewalls
  Example: access from classroom to Mercury rupdate
  -D for SOCKS forwarding and -R for remote-to-local forwarding

VPNs
  Can run a PPP connection over SSH. A bit convoluted, but it works.

52/52

Uses