SCS Computing Facilities: SSH in the SCS Environment - PowerPoint PPT Presentation

About This Presentation
Title:

SCS Computing Facilities: SSH in the SCS Environment

Description:

... Keys only supported (although V5 tickets are generated with login or kinit) ... Beware if you don't have Kerberos tickets this may fail because you can't ... – PowerPoint PPT presentation

Slides: 13
Provided by: robertjc
Learn more at: http://www.cs.cmu.edu

Transcript and Presenter's Notes

1
SCS Computing Facilities: SSH in the SCS Environment
  • Carnegie Mellon University
  • October 9, 2007

2
SSH in SCS Environment
  • ssh means Secure Shell
  • Connections are encrypted, so passwords and data
    are not sent in the clear.
  • Other features include
      • Secure file transfer
      • X session forwarding

3
SSH in SCS Environment
  • ssh on RH9
      • Version 1 of the ssh protocol supported
      • V4 Kerberos keys only supported (although V5
        tickets are generated with login or kinit)
  • ssh on FC3, FC5 and F7
      • Versions 1 and 2 of the ssh protocol supported
      • V4 and V5 Kerberos supported on the ssh client
      • V5 only supported on the sshd server

4
SSH in SCS Environment
  • RH9 client → FC server (with K4 and K5 tickets)
      • You are prompted for a password because there is
        no K4 ticket support on the FC server
  • FC client → RH9 server (with Kerberos tickets)
      • Will work, using the V1 protocol
      • Can force use of the V1 protocol with the -1 flag

5
SSH in SCS Environment
  • More complication: ssh can work with RSA keys
    (and without K4 or K5 tickets)
  • To create RSA keys, use ssh-keygen with the
    appropriate arguments to generate the type of key
    you want to use.
  • Using this, the V2 protocol can be used from RH9
    machines to FC machines.
  • Beware: if you don't have Kerberos tickets this
    may fail because you can't write to your home
    directory (if it is in AFS)

6
SSH in SCS Environment
  • ssh keys
      • Are essentially passwords that are stored in your
        ~/.ssh directory and must be guarded
      • Can be encrypted to safeguard them
      • Are distinct from Kerberos tickets or AFS tokens

7
SSH in SCS Environment
  • ssh keys for machines
      • Are generated for a machine when sshd starts
      • See /usr/local/etc/launchsshd for details
      • Protect you from man-in-the-middle attacks or
        spoofing
      • A false alarm can be raised if a machine has been
        re-keyed and the client's cache is out of date.

8
SSH in SCS Environment
  • Other problems
      • Macs running Mac OS X with the stock version of
        ssh will not work with facilitized Linux boxes
      • The issue is that the krb5.conf file used by the Macs
        differs (supports different encodings) from the
        one distributed to facilitized machines.
      • The solution is to grab a krb5.conf file from an FC
        machine and install it on the Mac
      • Overwrite /Library/Preferences/edu.mit.kerberos

9
SSH in SCS Environment
  • Other problems
      • X-Win32 on Windows machines can be configured to
        use ssh
      • Under advanced options, check "Send Xauth" and
        "Delegate GSS Credentials"
      • Not sure if this is the only configuration that
        works

10
SSH in SCS Environment
  • Other problems
      • We've seen ssh problems indicate other, more
        significant issues with a machine
      • It pays to investigate the health of the machine
      • Sometimes issues are related to user environments

11
SSH in SCS Environment
  • When in doubt, upgrade!
      • Most issues with ssh are addressed when you move
        to FC5 or F7
      • Ticket forwarding is supported
      • Use -o GSSAPIDelegateCredentials=yes to get tickets
        and tokens on remote (trusted) hosts
      • The global default is off due to security issues

12
SSH in SCS Environment
  • Other ssh features on FC machines
      • -X and -Y set up tunnels for X, allowing you to
        run an X application on the remote machine with the
        display running locally
      • Like a secure version of the old "xhost; setenv
        DISPLAY foo:0.0" dance
      • -Y is less secure than -X
      • Recently repaired an issue where the .Xauthority
        file was in the user's home directory; it is now in
        /tkt (or /tmp).
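As an added example (not part of the original slides or of SCS Facilities' own configuration), here is a client-side ~/.ssh/config that applies the advice from slides 7, 11 and 12 together: credential delegation and trusted X forwarding stay off by default and are enabled only for named trusted hosts, and a changed host key fails closed rather than being silently accepted. The host pattern `*.trusted.example.edu` is a placeholder.

```sshconfig
# ~/.ssh/config  (added example; the host pattern is a placeholder)
# ssh uses the first value it finds for each option, so the specific
# Host block for trusted machines must come before the catch-all "Host *".

# Trusted, facilitized hosts: forward Kerberos tickets so tokens are
# available on the remote side, and allow X forwarding in the -X mode
# (untrusted X11 client) rather than the -Y mode.
Host *.trusted.example.edu
    GSSAPIAuthentication yes
    # same effect as: ssh -o GSSAPIDelegateCredentials=yes host
    GSSAPIDelegateCredentials yes
    # same effect as: ssh -X host
    ForwardX11 yes
    ForwardX11Trusted no

# Everything else: Kerberos authentication is fine, but never hand an
# untrusted host a forwardable ticket or a trusted X11 connection.
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
    ForwardX11 no
    ForwardX11Trusted no
    # Fail closed when the cached key for a host changes. A legitimately
    # re-keyed machine then needs a deliberate step (confirm the new
    # fingerprint out of band, then: ssh-keygen -R host) instead of a
    # blind accept that would also cover a real man-in-the-middle.
    # "yes" also refuses hosts not yet in known_hosts; OpenSSH 7.6 and
    # later accept "accept-new" if that is too strict for first contact.
    StrictHostKeyChecking yes
```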