8/11/2019 ASR 01 (Telnet - r)
SERVICIOS DE INTERNET
M.Sc. Julio Santisteban Pablo
-
r - Utilities
SSH
-
r - UTILITIES
-
The "r" Utilities
Once upon a time, people thought they had a need to be able to "easily" access other machines without going through a normal login.
Out of this desire, the "r-commands" were born:
rcp: remote file copy
rlogin: remote login
rsh, remsh, remote_shell: variants of remote shell
rwho: who is logged on other systems on your net
-
rcp: Remote File Copy
rcp allows you to copy files between systems
Syntax: rcp [-p] filename1 filename2
or rcp [-pr] filename directory
-p: try to give each copy the same modification times, access times, and access rights as the original file
-r: copy each subtree rooted at filename; the destination must be a directory
filename: either a local file (containing no : or \ characters) or a remote filename of the form hostname:path or username@hostname:path
-
rlogin: Remote Login
Allows you to establish a remote login from your terminal to another host
Syntax: rlogin [-8EL] [-e c] [-l username] hostname
-8: pass 8-bit data across the net instead of 7-bit data
-e c: specify a different escape character (c) for the line used to disconnect from the remote host
-E: stop any character from being recognized as an escape
-l username: login as a different username than your current local login
hostname: hostname of the remote machine
-
rsh, remsh, remote_shell: Remote Shell
rsh (or its variants) lets you connect to a remote machine and execute a specified command
Syntax: rsh [-n] [-l username] hostname command
-n: redirect the input of rsh to /dev/null
-l username: username for login on the remote machine if different from the login name on the local machine
hostname: hostname of the remote system
command: command to execute on the remote system
Note: interactive commands, such as vi,
-
rwho: Remote who
Display a list of users logged into all systems in your network
Syntax: rwho [-a]
-a: report all users regardless of whether they have been idle for more than an hour
rwho does not work through gateways
The directory /var/spool/rwho must exist on the machine you run rwho from
For large networks, the network bandwidth costs of rwho may well be prohibitive
-
Did I mention passwords?
The /etc/hosts.equiv and .rhosts files provide the "remote authentication" database for rlogin, rsh, and rcp
The files specify remote hosts and users that are considered "trusted"
Trusted users are allowed to access the local system without supplying a password
The /etc/hosts.equiv file applies to the entire system, while individual users can maintain their own .rhosts files in their home directories
These files bypass the standard password-based user authentication mechanism.
-
The remote authentication procedure determines whether a user from a remote host should be allowed to access the local system with the identity of a local user
This procedure first checks the /etc/hosts.equiv file and then checks the .rhosts file in the home directory of the local user who is requesting access
Entries in these files can be of two forms. Positive entries allow access, while negative entries deny access.
Did I mention passwords?
-
The authentication succeeds when a matching positive entry is found
The procedure fails when the first matching negative entry is found, or if no matching entries are found in either file
The order of entries is important: if the files contain both positive and negative entries, the entry that appears first will prevail.
The rsh and rcp programs fail if the remote authentication procedure fails
The rlogin program falls back to the standard password-based login procedure if the remote authentication fails.
Did I mention passwords?
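The lookup described on these two slides, written out as an added example (not code from the lecture): a small evaluator that walks /etc/hosts.equiv and then ~/.rhosts, reports which file and line decided the outcome, and flags wildcard entries for an audit. It assumes a simplified entry format "[-]host [user]" with "+" as a wildcard, where an entry without a user trusts only a remote user whose name matches the local account; the function names, hostnames and sample files are constructed for the example.

```python
"""r-command trust-file evaluator (added example, not lecture code).
Assumed simplified entry format: "[-]host [user]", '+' = wildcard;
an entry without a user trusts only a remote user named like the local one."""
from dataclasses import dataclass

@dataclass
class Entry:
    negative: bool       # leading '-' denies instead of allows
    host: str            # hostname, or '+' for any host
    user: "str | None"   # remote user; None = same name as the local user
    source: str          # "file:line", so an audit can cite the entry

def parse_trust_file(text, name):
    """Parse one hosts.equiv/.rhosts style file into Entry objects."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # skip comments and blank lines
        if not line:
            continue
        fields = line.split()
        host = fields[0].lstrip("-")
        user = fields[1] if len(fields) > 1 else None
        entries.append(Entry(fields[0].startswith("-"), host, user,
                             f"{name}:{lineno}"))
    return entries

def check_access(remote_host, remote_user, local_user, hosts_equiv, rhosts):
    """Check /etc/hosts.equiv first, then the local user's ~/.rhosts.
    First matching entry wins; returns ('allow'|'deny'|'no-match', source)."""
    entries = (parse_trust_file(hosts_equiv, "/etc/hosts.equiv")
               + parse_trust_file(rhosts, f"~{local_user}/.rhosts"))
    for e in entries:
        wanted = local_user if e.user is None else e.user
        if e.host in ("+", remote_host) and wanted in ("+", remote_user):
            return ("deny" if e.negative else "allow"), e.source
    return "no-match", None

def rcommand_outcome(command, decision):
    """rsh and rcp fail outright; rlogin falls back to the password prompt."""
    if decision == "allow":
        return "password-less access"
    return "password login" if command == "rlogin" else "refused"

def wildcard_entries(text, name):
    """Audit helper: positive entries with a '+' host or user trust the world."""
    return [e.source for e in parse_trust_file(text, name)
            if not e.negative and "+" in (e.host, e.user)]

# Constructed sample files: a system-wide file and user bob's ~/.rhosts.
HOSTS_EQUIV = "trusted.example.org\n-evil.example.org\n"
RHOSTS_BOB = "-evil.example.org +\nlab.example.org alice\n+ bob\n"
```

Running wildcard_entries over real files is the quick way to find the "+" entries the man-page warning on the next slide is about.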
-
Notes from the man page
When a system is listed in hosts.equiv, its security must be as good as local security.
One insecure system listed in hosts.equiv can compromise the security of the entire system.
Because of the security issues, many systems no longer allow rcp, rlogin, or rsh
Instead, use something like ssh, the secure shell
-
Local login (figure): user at a terminal, terminal driver in the kernel, login shell
-
TELNET Client and Server (figure): user at a terminal, terminal driver and TCP/IP in the client kernel, TELNET/rlogin client; TELNET/rlogin server, TCP/IP and pseudo-terminal driver in the server kernel, fork shell
Only ONE TCP connection!!!
-
Network Virtual Terminal
-
rlogin Protocol Start up
Specified in RFC 1282
Uses a single TCP connection
The rlogin process uses TCP port 513
Protocol between client and server after the connection is set up:
Client writes 4 strings to the server:
a byte of 0
login name of the user on the client, terminated by a byte of 0
login name of the user on the server, terminated by a byte of 0
name of the user's terminal type, a slash, terminal speed, terminated by a byte of 0
(\0John\0John\0ibmpc3/9600\0)
Server responds with a byte of 0
Optionally the server can ask the user for a password
Server sends a request to the client asking for the terminal's window size
-
Interactive input (figure): client keystroke sent to the server, server echo returned to the client display
-
Flow control
Done by client
User types Control-S or Control-Q, asking the SERVER to stop sending data, or start sending data
Control-S: stop writing to the network
Control-Q: start writing to the network
Control by Server
-
Server to Client Commands
Need to mark command bytes because only one TCP connection is used
Use TCP's urgent mode to mark command bytes
To send a command to the client, the server enters urgent mode and makes the command byte the last byte of urgent data
Four command bytes:
0x02: client flushes output
0x10: client stops performing flow control
0x20: client resumes flow control
0x80: client sends current window size to server immediately and notifies server if changing window size
-
Client to Server Command
When the client receives command 0x80 from the server, the client needs to send the window size to the server
This command needs to be marked:
2 bytes of 0xff
2 flag bytes of ASCII char s
4 16-bit values: #rows, #chars per row, #pixels in X direction, #pixels in Y direction
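The startup message from the earlier slide, the server command bytes, and this window-size reply, encoded and decoded in Python as an added example (not code from the lecture). It assumes the four 16-bit values travel in network byte order, as RFC 1282 specifies, and that a malformed message should be rejected rather than guessed at; the function names are the example's own.

```python
"""rlogin (RFC 1282) message codec, added as an example; not lecture code.
Covers the client startup write, the server command bytes carried in TCP
urgent data, and the client's window-size reply to command 0x80."""
import struct

WINDOW_MAGIC = b"\xff\xffss"   # two 0xff bytes, then two ASCII 's' flag bytes

SERVER_COMMANDS = {0x02: "flush output", 0x10: "stop flow control",
                   0x20: "resume flow control", 0x80: "send window size"}

def build_startup(client_user, server_user, term, speed):
    """Client's first write: a NUL, then three NUL-terminated strings."""
    parts = (client_user, server_user, f"{term}/{speed}")
    return b"\0" + b"".join(p.encode("ascii") + b"\0" for p in parts)

def parse_startup(data):
    """Inverse of build_startup; rejects malformed messages."""
    if not data.startswith(b"\0") or not data.endswith(b"\0"):
        raise ValueError("startup message must begin and end with a NUL byte")
    fields = data[1:-1].split(b"\0")
    if len(fields) != 3:
        raise ValueError(f"expected 3 NUL-terminated strings, got {len(fields)}")
    client_user, server_user, termspec = (f.decode("ascii") for f in fields)
    term, _, speed = termspec.partition("/")
    if not term or not speed.isdigit():
        raise ValueError(f"bad terminal/speed field: {termspec!r}")
    return {"client_user": client_user, "server_user": server_user,
            "term": term, "speed": int(speed)}

def decode_server_command(byte):
    """The byte the server delivers as the last byte of TCP urgent data."""
    try:
        return SERVER_COMMANDS[byte]
    except KeyError:
        raise ValueError(f"unknown rlogin server command 0x{byte:02x}") from None

def build_window_size(rows, cols, xpixels, ypixels):
    """Client reply to command 0x80: magic, then four 16-bit values
    (assumed network byte order, per RFC 1282)."""
    return WINDOW_MAGIC + struct.pack("!4H", rows, cols, xpixels, ypixels)

def parse_window_size(data):
    """Inverse of build_window_size; checks length and marker bytes first."""
    if len(data) != 12 or data[:4] != WINDOW_MAGIC:
        raise ValueError("not a window-size message")
    rows, cols, xpixels, ypixels = struct.unpack("!4H", data[4:])
    return {"rows": rows, "cols": cols, "xpixels": xpixels, "ypixels": ypixels}
```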
-
rlogin Client Escape
Talk to the client directly instead of sending the input to the server
Start with a tilde ~
Followed by one of four characters:
.: terminate client
EOF (Ctrl-D): terminate client
Job control suspend char (Ctrl-Z): suspend client
Job control delayed suspend char (Ctrl-Y): suspend only client input but keep server output
-
Bill Joy
William Nelson Joy (born November 8, 1954), commonly known as Bill Joy, is an American computer scientist.
As a UC Berkeley graduate student, Joy worked for Fabry's Computer Systems Research Group (CSRG) in managing the BSD support and rollout, where many claim he was largely responsible for managing the authorship of BSD UNIX, from which sprang many modern forms of UNIX, including FreeBSD, NetBSD, and OpenBSD. Apple Inc. has based much of the Mac OS X kernel and OS Services on the BSD technology.
Some of his most notable contributions were the vi editor, NFS, and csh.
-
SSH
-
SSH: The Secure Shell Protocol
SSH provides secure replacements for rsh, rlogin, rcp, ftp, and telnet, all of which transmit data over the network as clear text
The SSH protocol was developed in 1995 to address the various security issues associated with the "r-commands"
Developed by Tatu Ylönen, a researcher at the Helsinki University of Technology
Motivated by a password-sniffing attack on the university network
Note: Following figures are from "SSH, The Secure Shell" by Daniel J. Barrett and Richard E. Silverman
-
SSH Architecture
SSH protocol is based on a client/server architecture
A user who wants to connect to a remote host will execute the ssh command (the client) on his local machine
It will connect to the remote computer's ssh daemon (the server)
There are two primary versions of the SSH protocol:
SSH-1
SSH-2
-
SSH Architecture
-
SSH-2 Specifics
SSH-2 is a complete rewrite of SSH-1 that improves both security and performance
It also supports two forms of encryption:
RSA (Rivest-Shamir-Adleman), patented until September 21, 2000
DSA (Digital Signature Algorithm), non-patented
SSH-2 uses a three-layer architecture
Transport layer: usually runs over TCP/IP
Responsible for data encryption, host authentication, and data integrity by including a message authentication code (MAC) in each data packet
-
SSH-2 Specifics
The user authentication layer assumes the transport layer is providing data encryption and integrity
Responsible for actually logging a user onto the remote server, authenticating the user, and requesting specific services from the server
The connection layer assumes that the two lower layers are providing security and user authentication
Used to open channels for pseudo terminals, port forwarding, and X11 forwarding
This allows you to run applications such as xterms and have them communicate securely
-
Authentication, Encryption, and Integrity
-
Using SSH
Although SSH is a protocol, there are several utilities provided with most SSH implementations:
ssh: replacement for rsh, basically a secure telnet
scp: secure file copy
slogin: secure replacement for rlogin, generally simply a link to ssh
sftp: a secure version of ftp
There are also several utilities for managing
-
ssh
Syntax: ssh [-l username] remotehost
-l username: username you want to use on the remote machine; ssh defaults to your login id on the local machine
remotehost: name of the remote machine if on the local network, or fully qualified internet name if on a remote network
Examples: neptune, neptune.dcccd.edu
You can also provide the username with the remotehost name
-
scp
Syntax: scp source_file destination_file
source_file and destination_file can either or both use the full user and system name like in ssh
scp [email protected]:my_file my_local_file
-
sftp
Syntax is similar to ftp
Has several advantages:
It's secure
Multiple file commands can be performed in one sftp session; scp requires a separate session for each action
It has command line editing, similar to the emacs mode of ksh
Regular expression matching for filenames
However, it does not have separate ASCII and binary transfer modes, so if you move text files between Unix and Windows, you will have to handle line ending conversion
-
User Authentication
All of the previous commands will ask you to supply the password for the remote system
Passwords have several problems:
Good passwords are hard to remember
If a password is sent across the net, even encrypted, it can still be captured if the remote host has been compromised
SSH has the option to use public-key authentication instead
-
Key-Based Cryptography
In the world of cryptography, a key is a computer-generated numeric value that cryptographic algorithms (such as RSA and DSA) use for the purpose of encrypting or decrypting data
The key can be of various lengths, with longer keys providing more secure encryption
You may have heard people referring to 512-bit or 1024-bit encryption; they were talking about the length of the key
-
Key-Based Cryptography
Secure protocols such as SSH use these keys to authenticate users and hosts.
Authentication is the act of ensuring that a given host or user is who they say they are, and not an imposter
There are two types of keys: private and public
There are also two different methods for using those keys to authenticate users and hosts:
Private key cryptography
Public key cryptography
-
Private Key Cryptography
Private key cryptography (aka symmetric cryptography, because one key is used to both encrypt and decrypt messages) was the first popular key-based cryptographic method
It involved generating an encryption key and then sharing that key only with people that you trust
Having your private key allowed people to encrypt messages to you and decrypt messages or data from you
-
Private Key Cryptography
The problem was if someone got hold of your private key (which had to be passed around a bit if anyone was going to be able to encrypt or decrypt messages to or from you), or if you lost your private key, anyone who gained access to that key could then read all of your transmissions
-
Public Key Cryptography
Public key encryption (aka asymmetric cryptography, because different keys of different lengths are used to encrypt and decrypt messages) took a different approach to the problem
With public key cryptography, there are two keys:
A private key that only you use
A public key that anyone can have access to
The private and public keys are both generated at the same time, using the same
-
Public Key Cryptography
If someone wants to send you a message, they encrypt the message by using your public key
Only you are able to decrypt it with your private key
Private keys are never exchanged or sent over the network
This also makes it possible to identify yourself by signing your e-mail with a digital certificate or signature that can only be decrypted with your public key
-
Public-key Authentication
-
Passphrases
All of the ssh client commands ask for a passphrase in order to decrypt your private key
If you transfer multiple files using scp, you will have to enter your passphrase each time
Wouldn't it be nice if your machine would remember your passphrase for you?
SSH has a concept called agents
Agents keep your private keys in memory and provide authentication services to ssh clients
By using agents, you only have to provide your passphrase once for each login
-
How the SSH Agent Works
-
SSH Login Annoyances
SSH is great, but it's annoying to have to type your password/passphrase every time you log in, run a remote command or copy some files across the network.
SSH doesn't allow ~/.rhosts functionality for security reasons.
Passphrase-less keys are quite insecure and not recommended practice.
Can users log in securely without typing their password all the time?
-
The SSH Agent
The agent solves these problems
Only available for key-based login, however
You authenticate once to the agent at the beginning of your session
The agent holds your SSH private keys in memory and provides them to ssh and scp commands when necessary
You don't have to unlock them each time
Agent goes away when you log out, so unlocked keys are never stored on disk
-
Preparing To Use The Agent
First, get key-based login working
Distribute your public key to all non-CUE hosts you need to log into
CUE hosts all share your home directory so the key is already there
scp -p ~/.ssh/authorized_keys remotehost:/home//.ssh
Use normal SSH and make sure you're prompted for a passphrase and not a password
-
Using the Agent Interactively
Run ssh-agent -c to start the agent
Will print some output that you need to type into the same shell or cut-n-paste
Save yourself some typing and do it the clever way
Now other commands in the same window will be able to use the agent
jlabs2:/home/jdoe> ssh-agent -c
setenv SSH2_AUTH_SOCK /tmp/ssh-jdoe/ssh2-8765-agent;
setenv SSH2_AGENT_PID 8766;
echo Agent pid 8766;
jlabl1:/home/jdoe> eval `ssh-agent -c`
Agent pid 8766
-
Logging In To The Agent
Use the ssh-add command to authenticate yourself to the agent
After you do this, you won't need to log in with SSH or scp!
jlabl1:/home/jdoe> ssh-add
Enter passphrase for /home/jdoe/.ssh/id_dsa:
Identity added: /home/jdoe/.ssh/id_dsa
jlabl1:/home/jdoe> ssh-add -l
2048 6e:ef:22:a4:83:a1:98:39:22:44:57:21:2c:ee:d3:33 /home/jdoe/.ssh/id_dsa (DSA)
jlabl1:/home/jdoe> ssh jlabs1
[login proceeds normally without a password]
jlabs1:/home/jdoe>
-
Uses
For login to a shell on a remote host (replacing Telnet and rlogin)
For executing a single command on a remote host (replacing rsh)
For copying files from a local server to a remote host. See SCP, as an alternative for rcp
In combination with SFTP, as a secure alternative to FTP file transfer
In combination with rsync to backup, copy and mirror files efficiently and securely
For forwarding or tunneling a port (not to be confused with a VPN, which routes packets between different networks or bridges two broadcast domains into one)
For using as a full-fledged encrypted VPN. Note that only OpenSSH server and client supports this feature.
For forwarding X from a remote host (possible through multiple intermediate hosts)
For browsing the web through an encrypted proxy connection with SSH clients that support the SOCKS protocol.
For securely mounting a directory on a remote server as a filesystem on a local computer using SSHFS.
-
Uses
Port forwarding
ssh -L localport:tohost:toport remotehost
Tunnels localhost:localport to remotehost's resolution of tohost:toport
Can use to punch through firewalls
Example: access from classroom to Mercury rupdate
-D for SOCKS forwarding and -R for remote-to-local forwarding
VPNs
Can run PPP connection over SSH
A bit convoluted, but it works
-
Uses