Data compression
The implementation version (1.2.27) is just a comment and is optional in the string. But, some implementations examine the comment to recognize particular software versions and work around known bugs or incompatibilities.[19]$ telnet server 22 Trying 192.168.10.1 Connected to server (192.168.10.1). Escape character is '^]'. SSH-1.5-1.2.27
[19]Some system administrators remove the comment, preferring not to announce their software package and version to the world, which provides clues to an attacker.If the client and server decide their versions are compatible, the connection process continues; otherwise either party may decide to terminate the connection. For instance, if an SSH-1-only client encounters an SSH-2-only server, the client disconnects and prints an error message. Other actions are possible: for example, the SSH-2-only server can invoke an SSH-1 server to handle the connection.
[20]This method isn't available by default; it must be requested at compile time.
[21]An RSA key consists of two parts: the exponent and the modulus. The modulus is the long number in the public key (.pub) file.The key is implicitly RSA; the SSH-1 protocol specifies the RSA algorithm particularly and exclusively for public-key operations.
[22]In a chosen-plaintext attack, the cryptanalyst is allowed to examine plaintext/ciphertext pairs of her choosing, encrypted with the key she's trying to break. The RSA algorithm is particularly vulnerable to chosen-plaintext attacks, so it's important for a protocol using RSA to avoid them.
[23]Don't confuse impersonating the client host with compromising it, however. If you actually break into the client host and compromise its security, all bets are off; you can then steal the keys, passwords, etc., of any users on that host. SSH doesn't protect against host compromise.Public-key authentication is also the most flexible method in SSH for its additional control over authorization. You may tag each public key with restrictions to be applied after authentication succeeds: which client hosts may connect, what commands may be run, and so on. [Section 8.2, "Public Key-Based Configuration "] This isn't an intrinsic advantage of the public-key method, of course, but rather an implementation detail of SSH, albeit an important one.[24]
[24]We wish this were done differently. Rather than entangling the authentication and authorization functions in this way, SSH should be able to apply any restriction to any connection, regardless of the authentication method. However, no implementation of SSH, to our knowledge, keeps authentication and authorization truly orthogonal.On the down side, public-key authentication is more cumbersome than the other methods. It requires users to generate and maintain their keys and authorization files, with all the attendant possibilities for error: syntax errors in authorized_keys entries, incorrect permissions on SSH directories or files, lost private key files requiring new keys and updates to all target accounts, etc. SSH doesn't provide any management infrastructure for distributing and maintaining keys on a large scale. You can combine SSH with the Kerberos authentication system, which does provide such management, to obtain the advantages of both. [Section 11.4, "Kerberos and SSH"]
WARNING: One technical limitation regarding public-key authentication arises in connection with the RSAref encryption library. [Section 3.9.1.1, "Rivest-Shamir-Adleman (RSA)"] RSAref supports key lengths only up to 1024 bits, whereas the SSH internal RSA software supports longer keys. If you try to use a longer key with SSH/RSAref, you get an error. This can happen with either user or host keys, perhaps preexisting ones if you've recently switched to RSAref, or keys transferred from systems running the non-RSAref version of SSH. In all these cases, you have to replace the keys with shorter ones.
[25]The term "trusted-host" is our own; it refers to the Rhosts, SSH-1 RhostsRSA, and SSH-2 hostbased authentication methods as a related group.Let's follow this authentication process step by step:
[26]SSH1 has a UsePrivilegedPort configuration keyword, but it tells the client not to use a privileged port in its source socket, which renders the session unusable for rhosts or RhostsRSA authentication. The purpose of this feature is to get around firewalls that might block connections coming from privileged ports and requires that some other authentication method be used.
WARNING: If any of the four access files allows access for a particular connection, it's allowed, even if another of the files forbids it.The /etc/hosts.equiv and ~/.rhosts files originated with the insecure r-commands. For backward compatibility, SSH can also use these files for making its trusted-host authentication decisions. If using both the r-commands and SSH, however, you might not want the two systems to have the same configuration. Also, because of their poor security, it's common to disable the r-commands, by turning off the servers in your inetd.conf files and/or removing the software. In that case, you may not want to have any traditional control files lying around, as a defensive measure in case an attacker managed to get one of these services turned on again. To separate itself from the r-commands, SSH reads two additional files, /etc/shosts.equiv and ~/.shosts, which have the same syntax and meaning as /etc/hosts.equiv and ~/.rhosts, but are specific to SSH. If you use only the SSH-specific files, you can have SSH trusted-host authentication without leaving any files the r-commands would look at.[27]
[27]Unfortunately, you can't configure the server to look at one set but not the other. If it looks at ~/.shosts, then it also considers ~/.rhosts, and both global files are always considered.All four files have the same syntax, and SSH interprets them very similarly -- but not identically -- to the way the r-commands do. Read the following sections carefully to make sure you understand this behavior.
The two tokens indicate host(s) and user(s), respectively; the userspec may be omitted. If the at-sign (@) is present, then the token is interpreted as a netgroup (see the sidebar "Netgroups"), looked up using the innetgr( ) library call, and the resulting list of user or hostnames is substituted. Otherwise, the token is interpreted as a single host or username. Hostnames must be canonical as reported by gethostbyaddr( ) on the server host; other names won't work.# example control file entry [+-][@]hostspec [+-][@]userspec # comment
If either or both tokens are preceded by a minus sign (-), the whole entry is considered negated. It doesn't matter which token has the minus sign; the effect is the same. Let's see some examples before explaining the full rules. The following hostspec allows anyone from fred.flintstone.gov to log in if the remote and local usernames are the same:
Netgroups
A netgroup defines a list of (host, user, domain) triples. Netgroups are used to define lists of users, machines, or accounts, usually for access-control purposes; for instance, one can usually use a netgroup to specify what hosts are allowed to mount an NFS filesystem (e.g., in the Solaris share command or BSD exportfs). Different flavors of Unix vary in how they implement netgroups, though you must always be the system administrator to define a netgroup. Possible sources for netgroup definitions include:On many modern Unix flavors, the source of netgroup information is configurable with the Network Service Switch facility; see the file /etc/nsswitch.conf. Be aware that in some versions of SunOS and Solaris, netgroups may be defined only in NIS; it doesn't complain if you specify "files" as the source in nsswitch.conf, but it doesn't work either. Recent Linux systems support /etc/netgroup, though C libraries before glibc 2.1 support netgroups only over NIS. Some typical netgroup definitions might look like this:
- A plain file, e.g., /etc/netgroup
- A database file in various formats, e.g., /etc/netgroup.db
- An information service, such as Sun's YP/NIS
When deciding membership in a netgroup, the thing being matched is always construed as an appropriate triple. A triple (x, y, z) matches a netgroup N if there exists a triple (a, b, c) in N which matches (x, y, z). In turn, you define that these two triples match if and only if the following conditions are met: x=a or x is null or a is null and: y=b or y is null or b is null and: z=c or z is null or c is null This means that a null field in a triple acts as wildcard. By "null," we mean missing; that is, in the triple (, user, domain), the host part is null. This isn't the same as the empty string: ("", user, domain). In this triple, the host part isn't null. It is the empty string, and the triple can match only another whose host part is also the empty string. When SSH matches a username U againsta netgroup, it matches the triple (, U,); similarly, when matching a hostname H, it matches (H, ,). You might expect it to use (, U, D) and (H, , D) where D is the host's domain, but it doesn't.# defines a group consisting of two hosts: hostnames "print1" and # "print2", in the (probably NIS) domains one.foo.org and two.foo.com. print-servers (print1,,one.foo.com) (print2,,two.foo.com) # a list of three login servers login-servers (login1,,foo.com) (login2,,foo.com) (login1,,foo.com) # Use two existing netgroups to define a list of all hosts, throwing in # another.foo.com as well. all-hosts print-servers login-servers (another,,foo.com) # A list of users for some access-control purpose. Mary is allowed from # anywhere in the foo.com domain, but Peter only from one host. Alice # is allowed from anywhere at all. allowed-users (,mary,foo.com) (login1,peter,foo.com) (,alice,)
The following hostspecs allow anyone from any host in the netgroup "trusted-hosts" to log in, if the remote and local usernames are the same, but not from evil.empire.org, even if it is in the trusted-hosts netgroup.# /etc/shosts.equiv fred.flintstone.gov
This next entry (hostspec and userspec) allows [email protected] to log into any local account! Even if a user has -way.too.trusted mark in ~/.shosts, it won't prevent access since the global file is consulted first. You probably never want to do this.# /etc/shosts.equiv -evil.empire.org @trusted-hosts
On the other hand, the following entries allow anyone from sister.host.org to connect under the same account name, except mark, who can't access any local account. Remember, however, that a target account can override this restriction by placing sister.host.org mark in ~/.shosts. Note also, as shown earlier, that the negated line must come first; in the other order, it's ineffective.# /etc/shosts.equiv way.too.trusted mark
This next hostspec allows user wilma on fred.flintstone.gov to log into the local wilma account:# /etc/shosts.equiv sister.host.org -mark sister.host.org
This entry allows user fred on fred.flintstone.gov to log into the local wilma account, but no one else -- not even [email protected]:# ~wilma/.shosts fred.flintstone.gov
These entries allow both fred and wilma on fred.flintstone.gov to log into the local wilma account:# ~wilma/.shosts fred.flintstone.gov fred
Now that we've covered some examples, let's discuss the precise rules. Suppose the client username is C, and the target account of the SSH command is T. Then:# ~wilma/.shosts fred.flintstone.gov fred fred.flintstone.gov
~/.rhosts
the following /etc/shosts.equiv file permits access only from host three:set (one,,) (two,,) (three,,) subset (one,,) (two,,)
But this next one allows access from all three:-@subset @set
The second line has no effect, because all its hosts have already been accepted by a previous line. The second rule is: if any file accepts the connection, it's allowed. That is, if /etc/shosts.equiv forbids a connection but the target user's ~/.shosts file accepts it, then it is accepted. Therefore the sysadmin can't rely on the global file to block connections. Similarly, if your per-account file forbids a connection, it can be overridden by a global file that accepts it. Keep these facts carefully in mind when using trusted-host authentication.[28]@set -@subset
[28]By setting the server's IgnoreRhosts keyword to yes, you can cause the server to ignore the per-account files completely and consult the global files exclusively instead. [Section 5.5.1.3, "Rhosts authentication"]
However, there's still a way to get the effect of a wildcard: using the wildcards available in netgroups. An empty netgroup:Remote: Ignoring wild host/user names in /etc/shosts.equiv
matches nothing at all. However, this netgroup:empty # nothing here
matches everything. In fact, a netgroup containing (,,) anywhere matches everything, regardless of what else is in the netgroup. So this entry:wild (,,)
allows access from any host at all,[29] as long as the remote and local usernames match. This one:# ~/.shosts @wild
[29]If strong trusted-host authentication is in use, this means any host verified by public key against the server's known hosts database.
allows any user on way.too.trusted to log into this account, while this entry:# ~/.shosts way.too.trusted @wild
allows any user access from anywhere. Given this wildcard behavior, it's important to pay careful attention to netgroup definitions. It's easier to create a wildcard netgroup than you might think. Including the null triple (,,) is the obvious approach. However, remember that the order of elements in a netgroup triple is (host,user,domain). Suppose you define a group "oops" like this:# ~/.shosts @wild @wild
You intend for this to be a group of usernames, but you've placed the usernames in the host slots, and the username fields are left null. If you use this group as the userspec of a rule, it will act as a wildcard. Thus this entry:oops (fred,,) (wilma,,) (barney,,)
allows anyone on home.flintstones.gov, not just your three friends, to log into your account. Beware!# ~/.shosts home.flintstones.gov @oops
[30]At press time, experimental Kerberos support is being integrated into SSH2 2.3.0.
Product | Kerberos Version | Tickets | Password Authentication | AFS | Forwarding |
---|---|---|---|---|---|
SSH1 | 5 | Yes | Yes | No | Yes |
OpenSSH | 4 | Yes | Yes | Yes | Only with AFS |
The following list explains the columns:
TIP: OpenSSH provides Kerberos support only when using the SSH-1 protocol.
3.3. The Architecture of an SSH System | 3.5. Inside SSH-2 |
Copyright © 2002 O'Reilly & Associates. All rights reserved.