28 Oct 2010

Secure SSH with Snow Leopard Server

Ok so I thought I would do a post about SSH security. This is important for keeping your server secure from attacks, especially if you want to be able to SSH into your server from other computers on the internet.

Firstly some info. Why SSH? SSH is a great tool that enables you to log into your server at the command line level using the Mac OS X Utility app "Terminal". SSH provides a great way to issue remote commands to your server and make configuration changes with out being sat in front of the box. Especially useful if the server lives in a cupboard. SSH also has a network connection tunnelling feature. This means you can forward services on your server to the current computer you're working at or even use your server as an encrypted proxy server (facebook at work anyone?)

You can log in with SSH using one of several login methods, only one of which involves typing in a password. You really don't want to be able to log in by typing a password, as that means that someone else can log in if they know, guess, or brute force your password. Or more importantly if they guess another user's password which may be less secure than yours. While you might not worry if you don't open port 22 on your router I would never make an SSH server internet facing with password authentication on.

This tech tip will require typing commands at the command line in the "Terminal" app. You will need to know how to use a terminal editor like nano or vim (the authors favourite). However you should be able to do it easily by following the instructions so I've ranked this as "medium difficulty". I'm going to assume you have Open Directory setup and working, that you have an admin open directory account and that Kerberos is running on your domain.

First things first, lets sort out our server's accepted authentication systems. On the Mac OS X server open up a Terminal window. Terminal can be found in Applications>Utilities>Terminal

We're going to edit the server's SSH configuration file.

Type this into terminal "sudo vim /etc/sshd_config"
I like to use vim for editing, you may prefer pico. I'll walk through assuming you know what you need to press so if you get confused you might prefer to use pico "sudo pico /etc/sshd_config"

You'll need to type in your password
You'll have the configuration file open now. It should look a little like this.

You can now go through the file using the arrow keys to find the parts we need to change. I've put pictures of the settings we need to make below with explanations of what they do. Bear in mind each line you change should have any comment symbol (#) deleted from the start of the line to work.

These options are all about making it easy for you to log in via SSH when you are on the same network as your server. You will be able to log in using your Kerberos Ticket which should mean you wont need to type your password (as you supplied it when you logged into your computer). This authentication method is secure.

This option set to "no" disables logging in by typing your password at a prompt. I would always recommend having this set to off.

These options allow logins using private keys. This is a great way of logging in from outside your network and uses a file that you keep safe to log you in.

This option is the one that lets you tunnel your network connections through SSH. It means you can use local services outside your network.

Ok now you have made those changes its time to esc :wq
(in vim esc puts you back into command mode, we then type the command :wq which stands for Write the changes to the file, Quit the program)
You should be returned to the command prompt we saw at the beginning.

We don't need to restart the SSH server on mac OS X as services are started and stopped dynamically by launchd. Configuration changes are immediate.

Now lets try logging in on our local network. This shouldn't require a password as authentication will be done by kerberos. With Kerberos you authenticate when you log into your computer and the credentials are cached in a secure way to use for other services like SSH and AFP.

In a terminal window, on the computer you want to log in to your server from, type the following: 
"ssh -K your.server.com"

You should be instantly logged in without typing a password. Hooray! If not check your kerberos tickets. You can do this with the "Ticket Viewer" app System>Library>Core Services>Ticket Viewer

You should have a ticket like above. If you have no ticket it will say "No Ticket" under your server's DNS name. If nothing shows up in this list you have no Kerberos Identity which means you don't have kerberos and Open Directory set up properly. Setting that up is beyond the scope of this article.

So you logged in with SSH using Kerberos (no password on your local network). We used the command "ssh -K your.server.com". If you have an admin machine and you want to stop typing that K every time, then you can edit your admin computer's /etc/ssh_config file to have the following lines:

Just use the same method we used to edit the other file. The command (on your admin machine) would be "sudo vim /etc/ssh_config"

Now when you want to log in by SSH all you need to type is "ssh your.server.com" as we have specified that SSH should try the GSSAPI authentication by default.

Awesome. Now to set up logging in from outside your local network! This is done using "private keys". Similar idea to having keys to your car, now you have keys to your server. They are very secure and can even be secured with passwords to have 2 factor authentication. Keys have a public part and a private part. You need to keep the private part to yourself (like your actual car key) and the public part goes on whatever server you want to be able to log into with your key (kind of like the actual lock that the key fits into).

On the machine you want to be able to log in with from outside your network (or even a machine with a user that is not part of your directory) you'll want to fire up Terminal again (I'm assuming its a mac, windows users look up PuTTYGen) and type in the command "ssh-keygen"

You can just press enter for all the prompts to create a default key file without a password. This is ok. You'll then need to copy the public part of the key to your server. The best way to do this is to copy it to your desktop and then to a USB stick.
 "cp ~/.ssh/id_rsa.pub ~/Desktop/"

On your server you then need to copy the file into the right place for it to work. On your server log in as the user you want to use this key with. Put the file from the USB stick onto the server's desktop and rename it "authorized_keys". We then copy this into the right location using "Terminal".
"mkdir ~/.ssh"
"cp ~/Desktop/authorized_keys ~/.ssh/"
"chmod 400 ~/.ssh/authorized_keys"

All done. Go back to the original machine you created the key on. Fire up Terminal. If you are logged in as a network user destroy your kerberos tickets so that you can test it properly


Now try logging in.

"ssh your.server.com"

If it logs you into your server, hooray it worked! Now go have a cup of tea or something.

If not its troubleshooting time. Check the output of "ssh -vvv your.server.com" and see what comes out. Try repeating the process again or post a comment saying where you got stuck.

Further Reading:

No comments: