SSH – How it works
- The SSH client initiates the connection. If it is the first time, the server sends its host key – verify it and answer yes or no.
- Once you accept it, the SSH server sends the protocol versions, encryption algorithms (AES256, 3DES) and hash techniques (SHA, MD5) it supports.
- The client should agree to a version, encryption algorithm and hash.
- Each session requires a unique symmetric key for encryption and decryption (generate prime number, key pair, etc.).
- After the symmetric key has been generated and shared between server and client, the authentication phase begins.
- Authentication can be password, key-based or GSSAPI (Kerberos, single sign-on).
- Most used – key-based authentication. Run ssh-keygen -t rsa -b 2048 on the client; the generated public key should be placed in authorized_keys on the server.
- The client sends an ID and the server checks authorized_keys for a matching ID. If one matches, the server generates a random number, encrypts it using the public key and challenges the client to decrypt it.
So an asymmetric key is used for authentication and a symmetric key is used for the session.
SSH – Configuration
SSH server side (/etc/ssh/sshd_config)
PermitRootLogin no – SSH as the root user is not allowed
X11Forwarding no – forwarding (tunneling) of X11 applications is not allowed
PasswordAuthentication no – do not allow password-based authentication
SSH client side (~/.ssh/config)
Useful keywords: HostName, IdentityFile, Port, StrictHostKeyChecking
ssh -A (agent forwarding) is used to forward your credentials from one server to another.
SSH – Tunneling
Local Tunneling: connect to port 80 on remote-server over SSH
# ssh -f -N email@example.com -L 9000:remote-server:80
Remote Tunneling: consider an intranet site running on port 8080 that is not reachable from outside, while you are allowed to connect to a server exposed to the internet on port 9000
# ssh -R 9000:intranet-site:8080 home (run from the work machine)
Dynamic Port Forwarding:
# ssh -f -N -D 7000 username@remote-host – then configure your web browser to use it as a proxy.
Then how can I stop this from happening?
AllowTcpForwarding no – in /etc/ssh/sshd_config
Add the "no-port-forwarding" option to ~/.ssh/authorized_keys
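The server-side settings from the Configuration section and the AllowTcpForwarding lockdown above can be checked together. The following is an added example, not part of the original notes: it reports which of the four directives are not effectively set to "no", given that a commented-out line has no effect and the first occurrence of a keyword wins. The default values are assumed to be OpenSSH's compiled-in defaults, Include files and Match blocks are not evaluated, and the sample config is constructed.

```python
# Added example: audit sshd_config text for the settings these notes recommend.
# Assumption: defaults below are OpenSSH's compiled-in defaults; Include files
# and Match blocks are not evaluated (only the global section is read).
WANTED = {  # keyword (lowercase) -> value recommended in the notes
    "permitrootlogin": "no",
    "x11forwarding": "no",
    "passwordauthentication": "no",
    "allowtcpforwarding": "no",
}
DEFAULTS = {  # value sshd uses when the keyword is absent
    "permitrootlogin": "prohibit-password",
    "x11forwarding": "no",
    "passwordauthentication": "yes",
    "allowtcpforwarding": "yes",
}

def effective_settings(config_text):
    """Return the global value sshd would use for each audited keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive has no effect
        parts = line.replace("=", " ", 1).split()
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # conditional blocks follow; the global section ends here
        if keyword in WANTED and len(parts) > 1 and keyword not in seen:
            seen[keyword] = parts[1].lower()  # first occurrence wins
    return {k: seen.get(k, DEFAULTS[k]) for k in WANTED}

def audit(config_text):
    """Return {keyword: effective value} for settings that differ from WANTED."""
    eff = effective_settings(config_text)
    return {k: v for k, v in eff.items() if v != WANTED[k]}

# Constructed sample, not taken from a real host.
SAMPLE = """\
# PermitRootLogin no
PasswordAuthentication no
passwordauthentication yes
X11Forwarding yes
Match User backup
    AllowTcpForwarding no
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: effective value {value!r}, notes recommend {WANTED[key]!r}")
```

On a live host, the output of sshd -T gives the authoritative effective configuration, including Include files.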