On Feb 15, 2000, Kent Langley hosted a discussion on how to use a secure replacement for Telnet, called SSH (Secure Shell). This encrypted method of remote administration can benefit anyone who Telnets to a server. Read the transcript and find out how. If you couldn’t join us then, we hope to see you on our next live Guild Meeting.
Note: TechProGuild edits Guild Meeting transcripts for clarity.
Moderator: Tonight's chat is all about how to enable remote Web administration—the secure way. We're lucky to have network guru Kent Langley as tonight's speaker. Kent is one of the principle designers of TechRepublic's (and TechProGuild's) network.
Moderator: As you know—many sites have shown themselves to be insecure these days—so tonight's meeting seems especially timely, doesn't it?
KL: Hello everyone!
Moderator: Don't forget, we have prizes to give the best chatters—tonight we have a copy of Symantec's Internet Security 2000, O'Reilly's book Windows 2000 Active Directory, and Advanced Windows, by Microsoft Press.
Moderator: Ok, Kent—I'll sit back now and prepare to be awed.
Q: Very timely. And I have a class to teach next week on this subject.
KL: Uh oh...teacher's in the house! Well, we'll start with a quick explanation of what I'm basically here for. Then I'll pretty much just open the floor. the general purpose of this meeting is to discuss the who, what and why of administering your Web site remotely and securely at the same time.
Moderator: Folks, sometimes there are network delays, so please be patient...
KL: Tools such as SSH, TCP Wrappers, and firewalls make this possible.
Q: Will we be able to get a transcript of tonight’s chat?
KL: So, let's get started. First, let's see what questions there might be on the floor tonight?
Moderator: Yes—transcripts of all meetings are posted on the Web—eventually ;-). Since I have to edit them, sometimes there's a bandwidth problem...
KL: Hmm. no questions? Okay... couple of more seconds then I just start talking! Careful folks.. :o).
What is SSH?
KL: Let's begin with a review of a very good piece of software called SSH. Please excuse my typos. :L).
KL: What is SSH? How about a nice book definition. SSH is a secure replacement for all the other methods you might use to remotely access boxes that are located somewhere else over the Internet.
KL: It is a replacement for things like Telnet, rlogin, rcp and rsh. And personally it makes my life a lot easier! Fewer passwords to remember!
Q: Oh—my ISP just offered SSH as a replacement for Telnet, but I haven't had a chance to check it out yet. Thanks for the explanation!
KL: you're welcome. I'd definitely check it out!
Q: I hope I don’t ask stupid questions, but is this available on a frac T1 line intranet?
KL: Yes. Your method of actual connection to the Internet does not affect the SSH session. So it will work over a frac T1.
KL: SSH uses strong encryption technology. public/private RSA authentication using algorithms such as blowfish, 3DES and IDEA.A. What's it good for really? Another good question! (please ask me questions... I don't usually bite.).
KL: Here's a quick list:
· No more eavesdropping via packet sniffing and other insidious methods
· No more IP address spoofing
Q: Do you mean SSH does all this on the fly?
KL: Once SSH is properly installed, all transmissions between the client and host are secured via the client and server on the fly.
Q: I use a shell account to Telnet to my remote server. Should I be concerned about SSH?
Q: Do you mean you're running SSH through a shell?
KL: You should be concerned if the information you transfer is proprietary or sensitive in any way. If it would harm you to have that data available to someone else, then yes, you should be concerned.
Moderator: Kent's a slow typist!
KL: Hehe... sorry... I'm not slow! I provide thoughtful answers! :o)
Q: How would SSH be different? Should the software be available from my ISP?
Q: as well as at my remote server?
How do you install SSH?
KL: As I mentioned, SSH is a client and a server. You install the server part on the host you wish to secure and then you install the client on the machine you normally access the host from.
KL: SSH basically encrypts the data using various types of encryption algorithms as chosen by the flavor of SSH you use, and the choices made at compile time during SSH server side install. If you co-locate your servers at a hosting provider then it would most likely be your responsibility to provide the SSH service. If you host your site on your ISP's machines, then yes, I would say they should offer you secure access to your site.
Q: The security of SSH sounds impressive.
KL: It is. I wouldn't connect remotely without it, given a choice.
Q: So no one can see what IP address or port is being used?
KL: well, depending on what they do and what tools they use, they may figure that out, but they wouldn't be able to use the data. It's all encrypted.
Q: I recall several years ago when there were several hacks on a shell account I used, that they required encryption and it was something I used then. My current ISP doesn't require it, but with all the break-ins lately I would certainly feel safer having additional protection. But do I need administrative access to install this in my shell account on both sites or can I do this myself?
KL: Yes, I agree. I suspect that as the general population becomes ever more sophisticated that we will see more and more hack attempts. Some for "fun," some malicious. Your ISP should be able to tell you if your account is SSH enabled. If you host with a provider and do not own the machine, you will likely have to have their assistance. They would then most likely provide you with a client to use. Once you have SSH properly set up, its use is transparent to the user.
Q: Thanks. I understand.
Q: I've been Telnetting from Windows—I'd better hurry and switch.
Q: OK—sorry if I interrupt the flow—but will you be talking also about how to hide IP addresses? Just curious.
KL: I hadn't planned to, I'm not sure about hiding a public IP address. You can, however, hide your hosts behind a firewall.
Q: So, essentially, you move the data encrypted to your remote server and then you unencrypt it, like uncompress and then use the data the way you would normally?
Q: I use SSH everyday.
Q: How is it invoked? Perhaps I have it already installed and don't know it?
Q: How 'bout SSH2?
KL: nate, SSH2 is very restrictive in its licensing. I believe that only not-for-profits can use it. Please correct me if I am wrong.
Q: yep only non-profit. Server SSH2 costs $500 for Solaris or Linux.
KL: Seems like we have a few people in here now. I'd be very interested to hear who you all are and what types of things you do for a living. Any takers?
Q: Web designer—and writer.
Q: system support supervisor.
Q: hi, I am it tech.
Q: Beginning network administrator.
Q: system administrator.
Q: Office Manager and Network Administrator for a small office.
Q: I do security engineering for a bank.
Q: Have you heard of or use Timbuktu?
Q: I'm a 61 year old student of the Internet, on it since its inception when nobody knew there was an Internet, but not in the same league with most here.
KL: I'm personally quite excited about the OpenSSH project myself. Although I must admit I haven't had the time to check it out thoroughly yet.www.openssh.org.
Q: have you used scp?
KL: I have not.
Q: Do you know of any SSH servers which run on Win32? I know there are tons of clients.
Q: What is scp?
KL: To my knowledge SSH servers run on UNIX, Linux, BSD and VAX.
Q: secure copy—scp—uses SSH and the same key or passphrase technique. A secure FTP of sorts.
Q: that's what I thought. I've seen Teraterm clients for NT/Win9x. I shudder every time I type an unencrypted password over Telnet or FTP onto my NT server running on my DSL box at home. gotta get a Linux box up.
KL: Yes, I KNOW what you mean!!
Q: anyone know how to copy the messages in this chat?
KL: Thanks. All input is much appreciated. There will be a transcript of this chat on the Web site.
Q: Isn't Timbuktu like pcAnywhere?
Q: So what do we use to remotely administrate NT boxes with encryption?
Q: I believe there is an .shost file you can create to simplify the scp and SSH connection.
KL: I believe that most of the GUI based remote access products provide their own ways to do this, although, I'm sketchy on the details there.
KL: Things like pcAnywhere and the like.
Q: I just checked with my remote server and it says it uses Telnet with SSH. Now what?
Q: pGP suite can encrypt all data going though a NIC and decrypt at the other NIC.
Q: pcAnywhere is what we use all the time. Is it secure at all?
Q: You could use pcAnywhere with the PGP suite to create a tough remote encrypted connection.
Q: The authentication part of a "net use" statement is encrypted, but not the data which follows. pcAnywhere is secure if you choose an encrypted level (an option when you define a host).
Q: Without help, as suggested, I think that pcAnywhere would not be very secure.
Moderator: For everyone's info—when you click "Guild Meeting" you can now browse transcripts—the choice is on the right hand navigation link.
Q: does anyone know how to connect remotely, say from home PC to connect to a company NT server?
Q: Same for remotely possible, remotely anywhere, and most others. All can be encrypted. But I haven't seen a Telnet or FTP server that utilizes encryption except for PGP by Network Associates. It encrypts all traffic over a NIC and uses either a passphrase or public/private keys. Pretty slick stuff.
KL:Very nice. I'll be checking that out.
Q: via a VPN?
KL: I suspect that you will need to speak w/ your ISP. They may have to provide you a client or make some setup changes to your account.
Q: Kerberos in NT5 will be the way to go.
Types of Secure Shell available
KL: Here's a quick rundown of the different types of SSH out there. I'm sure there are more, but these are the biggies. I meant to type this earlier but didn't get to: SSH, SSH2 and OpenSSH. Oh yeah, LSH too, but I haven't checked into that project lately.
Q: www.microsoft.com/windows2000/library/planning/security/kerbsteps.asp for Kerberos details.
KL: Some cost money, some are free all the time, and some are free in certain situations.
Q: thanks. Can anyone answer the previous questions on how to connect remotely w/o any installation of software?
KL: well, I'm considering your question.
Q: That cost can get confusing.
Q: I just saw this message when checking out SSH clients, “Due to strong cryptographic export restrictions, you cannot download.”
Q: SecureCRT or F-Secure SSH if you are located outside of the United States.
Q: Right, depends on whether it's SSH/1/2, and if you're using it commercially.
Q: Doesn't regular SSH say it can be used by anyone if it's not for profit?
Q: I think so.
Q: Bummer if you're not a US user. What about that?
KL: The original SSH is free to anyone up to version 1.2.12. The versions after that have to be purchased from Data Fellows, I believe. There are some versions of SSH that were developed in Finland, I think, that are downloadable just about anywhere.
Q: I just Telnetted to my remote server and typed SSH. It gave me a list of all the options so it is installed at the host. I obviously need to learn more about the options, but was not even aware of it before this conference.
KL: Good! I'm glad we've got you heading the secure path. You won’t be sorry.
Q: Well, what are you trying to connect to, and from? Do you have to go through a firewall?
Q: from home PC to company NT server.
Q: www.zedz.net/ has SSH and SSH2. They live outside the US, and are not hindered by the RSA copyright. Although your location may be. So use at own risk. <g>.
Q: Don't you need SSH 1.2.27 to avoid the buffer overruns?
Moderator: 5 minute warning folks—in a few minutes I'll announce tonight's winners.
KL: I don't know about the buffer over runs. I'll have to look that up. Is that it?
Q: Do you know if your company server has a firewall? If so, they have to grant you access. You can't just connect if they've configured it properly.
KL: I haven't got the answer to that. Sorry. I'll have to look it up. Maybe our moderator will include that when he edits the transcripts! :o).
Moderator: Sure. I'm happy for the extra work. ;-).
Q: Does anyone use PGP to send encrypted e-mail in a large environment?
KL: Hmm... no, not in a large environ myself, just between friends and some family when I think it's necessary. Also sometimes here at work for sensitive materials.
Moderator: This was a very diverse group of people, as we could tell from your introductions. Even though there were a lot of lurkers, I know everyone benefited.
The winners are…
Moderator: And tonight's winners are....
Moderator: Odin for a copy of Symantec's Internet Security 2000 (he might need it!) ;-)
Moderator: Lequin for the O'Reilly book: Windows 2000 Active Directory.
Moderator: And Nate for a brand new book on security from Microsoft Press: Advanced Windows, by Jeffrey Richter.
Q: We're rolling it out to 100 clients now, it's not very manageable.
Q: yea Odin.
Moderator: Congratulations to the winners.
KL: I hope everyone enjoyed tonight’s chat. I certainly did. Thank you all very much for coming. I learned things too! That's my favorite kind of chat.
Moderator: Please send your snail mail and phone number to firstname.lastname@example.org. I'll send you your prizes 2-day air.
Moderator: Thanks everyone for coming. Great meeting. Don't forget to tune in on Thursday, and have a chance to win more prizes.
Q: there is no firewall.
Q: Hey thanks for the book. Does it include security for Linux?
Moderator: thursday we cover Linux Security.
KL: How timely Nate! You’ll have to come Thursday!
Moderator: Very funny, Nate—like MS Press would cover Linux LOL!!!!
Q: Very interesting topic. Thanks!
Q: Looking forward to it.
Q: I just got here, Is it too late to ask a question?
Q: when surf the Web it will log into one file, how to escape from log into it? the server is Netscape messaging.
Q: They would cover the exploits I'm sure.
Moderator: That's up to our speaker.
Moderator: But we'll have a transcript up, uh, real soon.
KL: I will take one last question, then it's off to pack for Silicon Valley.
Moderator: Kent's got tons of servers to install, secure, balance, etc. etc. etc.
Q: please give e-mail address to ask some questions.
Q: I am running a Linux firewall at home and can’t get pcAnywhere to go thru? Help.
Moderator: Well, send to email@example.com—however, we will probably refer you to our forums. You guys know we have online forums, right?
KL: I'm afraid your question is a bit outside the scope of this chat. What I would suggest is that you log onto our forums on the Web site. We get VERY good answers posted by our members for the questions they ask. REALLY! I use it all the time! :o).
Moderator: Also, I am sure firstname.lastname@example.org will be happy to answer Linux security questions.
Q: OK. Thanks.
Q: 'night all.
KL: goodnight. Thank you for attending.
Q: Thanks to the speakers.
KL: thank you. It's nothing w/o great ppl to talk to!
KL: Logging off. Be well everyone and goodnight.
Moderator: Looks like that's a wrap—thanks to all for attending.
Our Guild Meetings feature top-flight professionals leading discussions on interesting and valuable IT issues. You can find a schedule of Guild Meetings in your weekly TechProGuild Notes TechMail, or on the Guild Meeting calendar.