OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. SSH replaces rlogin and rsh, to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. Public key authentication may be used for "passwordless" access to servers. This package includes the core files necessary for both the OpenSSH client and server. To make this package useful, you should also install openssh-clients, openssh-server, or both.
Demo ftp (to localhost with test account) captured with ethereal.
Follow tcp stream.
Demo scp or ssh to localhost - capture with ethereal
OpenSSH also uses asymmetric keys - or public key and private key pairs.
The first occurrence of this is for something called "Host Authentication".
Host Authentication allows a user to better trust that they are reaching
the system they think they are reaching - and thus prevent man-in-the middle
types of attacks.
(verify that isis isn't listed in local known hosts file)
Demo - connect to isis and get prompt for do you want to accept?
This downloads the public key of the host and appends it to a local
known_hosts file. (show host pub file on isis, disconnect, show
local known_hosts file)
Demo - reconnect showing no prompt.
Now that the host is known - future attempts use these key pairs to verify it is the same host. If there was another system trying to be isis, the keys would not match and a warning would occur. If isis is reloaded, it would have a new key, and the keys would not match and a warning would occur.
Of course this only works if the known host file gets updated with the correct key - if another machine had answered for isis in the first place, as long as I connected to the same machine again, I would see no warnings!
There are ways to ensure that you get the correct public host key to begin with - one would be to have physical access to the system (in this case isis) and copy the file on a floppy and sneaker-net it to the local system. Another would be to trust a person to send you the key. Another is to trust the fingerprint that was displayed when I choose to accept the key.
One thing to be aware of is that the client can be configured to use the known_hosts information or not. For example, both my system (a RedHat Enterprise 3 system) and isis appear to be using the default ssh_config files (show files). However, the man page for ssh_config on my system points out that StrictHostChecking defaults to ask and the isis man page show the parameter defaulting to no. This is why I get prompted from my system, but on isis to another system, I just get a message saying "adding to known_hosts file" (demo if time).
Description : The OpenSSL toolkit provides support for secure communications between machines. OpenSSL includes a certificate management tool and shared libraries which provide various cryptographic algorithms and protocols.This package provides the tools (and math) to actually encrypt and decrypt and make keys, key pairs, and certificates. Programs like openssh make library calls to to openssl. There are also openssl commands that can be run at the command line.
[susan@sony inls187]$ openssl passwd foo VqwyYfkdlAgKkIf repeated, this will give a different encrypted result:
[susan@sony inls187]$ openssl passwd foo dO4KnwvXL.ox2To get the same thing each time, use a salt:
[susan@sony inls187]$ openssl passwd -salt az foo aznL8ZELUcerQ [susan@sony inls187]$ openssl passwd -salt az foo aznL8ZELUcerQNotice that the salt became part of the encrypted string.
Here's another example - to encrypt a file with a passphrase (symmetric key):
[susan@sony inls187]$ openssl bf < /etc/passwd > passwd.bf enter bf-cbc encryption password: Verifying - enter bf-cbc encryption password: [susan@sony inls187]$ file passwd.bf passwd.bf: data [susan@sony inls187]$ openssl bf -d < passwd.bf enter bf-cbc decryption password: root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin [truncated]
OpenSSL can also be run interactively. Here are some of the options:
[susan@sony inls187]$ openssl OpenSSL> ? openssl:Error: '?' is an invalid command. Standard commands asn1parse ca ciphers crl crl2pkcs7 dgst dh dhparam dsa dsaparam enc engine errstr gendh gendsa genrsa nseq ocsp passwd pkcs12 pkcs7 pkcs8 rand req rsa rsautl s_client s_server s_time sess_id smime speed spkac verify version x509 Message Digest commands (see the `dgst' command for more details) md2 md4 md5 rmd160 sha sha1 Cipher commands (see the `enc' command for more details) aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc aes-256-ecb base64 bf bf-cbc bf-cfb bf-ecb bf-ofb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx rc2 rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40 OpenSSL> passwd foo datkFUeyN/xFU OpenSSL> passwd -salt az foo aznL8ZELUcerQ OpenSSL>
Some people may also be interested in sshscan software.