Benefits Of Securing OpenSSH


SSH service is very widely used in the open source infrastructure setups. Due to its small footprint on network, as well as ease of installation and maintenance, SSH replaces many remote shells in the modern data centers. OpenSSH is a very famous flavor of this protocol, and this article talks about such challenges and solutions.


How OpenSSH Works

OpenSSH is a free Secure Shell software which provides great services in terms of protocol based connectivity as well as security. It replaces almost all legacy applications such as telnet, rlogin etc. It is important to understand how the protocol works and the bells and whistles provided in terms of features. Please refer to Fig1. which shows protocol stack which forms the OpenSSH protocol services. For those who know how Telnet works, it is easy to understand the working operations of OpenSSH. Similar to Telnet, it runs as a daemon service on Linux servers, while the client uses an SSH client utility such as putty to connect to the server. SSH is available on Windows as well as Unix platforms, and is widely used one Linux infrastructures. By default it uses TCP port 22 for communication. However unlike the telnet protocol, OpenSSH is primarily used to ensure data security and to that end it uses cryptography for authenticating client and server, and also for the data transfer purposes. This ensures confidentiality and integrity for the data which flows on the wire. Its communication has three basic steps, client-server handshake, and authentication and secures data exchange. During handshake phase, both the sides exchange information about OpenSSH protocol version and the cipher algorithms they support (which are typically the combinations of asymmetric, symmetric encryption and hashing algorithms) and compression algorithms. Unlike SSL, in this protocol the server sends the first data block to the client.

As for authentication, the server is authenticated using host key, whereas the client typically stores the key fingerprint at some predefined location and validates it later in the process. Please see the table below which show supported client authentication methods.


Client Authentication Method Description
Public Authentication Client and Server has key pairs and exchange public keys during authentication process
Password Authentication Plain text password for the given login user is used for authentication
Host based Authentication Limits client access to a particular host/hosts
Keyboard Authentication Works on the basis of pre-stored security question challenge and answer

It is often mis-understood that OpenSSH is a single utility which is installed on the server side, that's not true. In fact it contains many small executables each for a specific feature or purpose. Following table lists such important tools from the protocol stack.


sshd Server daemon service
ssh Client program to connect to daemon
sftp Secure FTP for file transfer
scp Secure file copy utility
ssh-keygen Helps create keys for public key and host key based authentication

Now let's look at the operations of each component as shown in Fig 1. Benefits of OpenSSH


Open SSH Protocol Stack
SSH - Connection Management , TCP forwarding, Session multiplexing
SSH - User Auth Layer, PAM & password based authentication
SSH - Transport Management, Key based authentication & key creation
TCP
IP

The bottom layer which rides on TCP protocol is transport management layer which is very important, because it takes care of crypto operations such as key generation and management. The next one is user authentication layer which is responsible for authenticating end users to the sshd daemon services which is hosted on the server side. Once authentication is completed, a secure tunnel is created for data communication. This layer also ensures that the users can use one of the multiple available ways of authentication such as the legacy username and password style or the more advanced smart cards. The topmost layer is connection management, which adds features such as session multiplexing and also ensures additional security by blocking application layered attacks.


Installation of OpenSSH

OpenSSH can be downloaded from openssh.com and the installation steps are as easy as installing any other binary installation on a Linux distro. On Windows machines, running the installable exe file guides you through the steps. It is advised to check to if OpenSSH already exists on the machine, this is because many open source distributions come equipped with OpenSSH as a default SSH daemon. It is also important to secure the OpenSSH protocol, because by default it runs services in an un-secure fashion. Securing it involves studying and manipulating multiple parameters in the configuration files, which is covered in some articles in the past.


Features of OpenSSH

While there are many features available in OpenSSH, let's discuss those which are important from security and operations point of view. First and foremost, it supports almost all operating systems available, right from the legacy openbsd project to the most recent Linux or Windows distribution. As mentioned earlier, it is an open source protocol stack and available under free licensing. OpenSSH has strong authentication capabilities. This is achieved by various levels of encryption as well as few built-in facilities which block security holes especially in the areas of routing and DNS spoofing. It also provides very strong encryption standards such as 3DES, AES etc, which makes it a perfect fit for industry standard installations. Protocol privacy is a feature available, by which all authentications happen seamlessly and transparent to the user and systems, but at the same time a robust and verbose logging system ensure audit trails of each activity. The way security is designed in the protocol, it never trusts the network or the remote connection. As for the utilities, SFTP and SCP help copy files securely over the SSH tunnel between clients, or the client and server. OpenSSH also supports data compression which reduces chatter on the network, thus making more bandwidth available to other nodes. It also supports protocol tunneling whereby legacy protocols such as telnet or tftp can piggy-back over an existing authenticated ssh tunnel. For advanced IT implementation, most secure protocols such as Kerberos and AFS ticket passing are also supported.


Summary

While OpenSSH is a versatile, robust and secure protocol, it is imperative to tune it up in order to ensure security. OpenSSH is available on all Linux distros as well as various versions of Windows. Documentation needs to be followed to understand the right and secure way of installing and configuring the protocol.