Internet Infrastructure Security (COMP 5351)

Laboratory Session

A.  Introduction

Secure Shell (SSH) is a standard network protocol that establishes a secure channel between a local host and a remote host over an insecure network. Unlike traditional cleartext protocols such as rlogin and TELNET, it provides strong authentication and guarantees the confidentiality of data exchanged between the two hosts, protecting the connection against eavesdropping, hijacking and other attacks. It is usually used to log in to a remote machine and execute commands. However, it also supports tunneling for other TCP services, and it can transfer files using the associated SFTP or SCP protocols.

SSH comprises three major components: The transport layer protocol [RFC4253] provides server authentication, confidentiality, and integrity; the user authentication protocol [RFC4252] authenticates the client to the server; and the connection protocol [RFC4254] multiplexes the encrypted tunnel into several logical channels. It uses public-key cryptography to authenticate the remote host, and provides confidentiality and integrity of data using encryption and message authentication codes (MACs).

B.  Demonstrations

1.  Public Key Authentication

Client authentication is handled by the user authentication layer. Widely used user authentication methods include password authentication, public key authentication, and keyboard-interactive authentication. In this demonstration, you will learn how to log in to the departmental SSH host cs-cs01.comp.polyu.edu.hk with the public key authentication method.

I.  Go to http://www.chiark.greenend.org.uk/~sgtatham/putty/ to download PuTTY and PuTTYgen. PuTTY is an SSH client; PuTTYgen is used to generate asymmetric (public and private) key pairs.

II.  Launch PuTTYgen to generate a public and private key pair. Click “Save private key” to save your private key on your J drive, e.g. j:\private.ppk. You must protect your private key carefully; otherwise, anyone who obtains the private key has full access to your remote shell.

Then, log in to cs-cs01.comp.polyu.edu.hk (or simply cs-cs01 within the departmental network) with your departmental account and password. Create a .ssh directory in your home directory with the command mkdir ~/.ssh, then edit ~/.ssh/authorized_keys by issuing the command pico ~/.ssh/authorized_keys2. Copy the entire “Public key for pasting into OpenSSH authorized_keys file” area and paste it into the file. Ensure that the .ssh directory and the files within it are readable only by you by issuing the command chmod -R go= ~/.ssh. (Note: the public key MUST BE contained in a single line.)

III.  Launch PuTTY, navigate to Connection -> SSH -> Auth, then specify your private key location in the “Private key file for authentication” field, e.g. j:\private.ppk. Return to the Session category and set the Host Name to cs-cs01.comp.polyu.edu.hk. Click Open and enter the username of your departmental account. You are now ready to log in using the public key mechanism without the password step. Note that if it is your first time logging in to the host, a PuTTY Security Alert will prompt you to verify the server’s public key fingerprint; enter yes to add the key to PuTTY’s cache.
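The server-side part of the procedure above (create ~/.ssh, paste the key as one line, chmod -R go= ~/.ssh) is easy to get subtly wrong, so here is an added example, not part of the lab handout, that performs the same steps programmatically and checks the result. The function names, the demo() helper and the 32-byte ed25519 value are all constructed for this example; the sample key is syntactically valid but is not a real key. The permission check mirrors the lab's chmod -R go= requirement, which is stricter than sshd's own StrictModes check (that one only rejects group- or world-writable files).

```python
import base64
import os
import stat
import struct
import tempfile
from pathlib import Path

# Key types this example recognises in an OpenSSH authorized_keys line.
KNOWN_KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def parse_public_key_line(line: str) -> tuple[str, bytes, str]:
    """Validate one OpenSSH public key line; return (type, blob, comment).

    The line must be "<type> <base64 blob> [comment]" on a single line, and the
    blob must begin with an RFC 4253 string equal to the declared key type.
    """
    if "\n" in line or "\r" in line:
        raise ValueError("public key must be contained in a single line")
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    if key_type not in KNOWN_KEY_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64") from exc
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])  # uint32 length of the first string
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key blob does not match declared key type")
    return key_type, blob, " ".join(fields[2:])


def install_authorized_key(home: Path, line: str) -> bool:
    """Append the key to home/.ssh/authorized_keys with owner-only permissions.

    Returns True if the key was added, False if it was already present.
    """
    parse_public_key_line(line)  # reject malformed keys before touching disk
    ssh_dir = home / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # mkdir's mode is subject to umask; force it
    auth = ssh_dir / "authorized_keys"
    existing = auth.read_text().splitlines() if auth.exists() else []
    if line.strip() in (e.strip() for e in existing):
        return False
    with auth.open("a") as fh:
        fh.write(line.strip() + "\n")
    os.chmod(auth, 0o600)
    return True


def check_ssh_permissions(home: Path) -> list[str]:
    """Return the paths under ~/.ssh that group or others can access (empty = OK)."""
    problems = []
    for path in (home / ".ssh", home / ".ssh" / "authorized_keys"):
        if not path.exists():
            problems.append(f"{path} missing")
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & 0o077:
            problems.append(f"{path} is group/world accessible (mode {mode:o})")
    return problems


def make_sample_ed25519_line(comment: str = "lab@example") -> str:
    """Build a well-formed ssh-ed25519 line from a CONSTRUCTED 32-byte value (not a real key)."""
    fake_pub = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + fake_pub
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def demo() -> dict:
    """Run the installer in a throw-away home directory and report what happened."""
    with tempfile.TemporaryDirectory() as d:
        home = Path(d)
        line = make_sample_ed25519_line()
        first = install_authorized_key(home, line)
        second = install_authorized_key(home, line)  # duplicate is skipped
        clean = check_ssh_permissions(home)
        (home / ".ssh").chmod(0o755)  # simulate the common mistake
        loose = check_ssh_permissions(home)
        try:  # a key that was pasted across two lines must be rejected
            parse_public_key_line("ssh-ed25519 AAAA\nBBBB wrapped@example")
            wrapped_rejected = False
        except ValueError:
            wrapped_rejected = True
        return {"added_first": first, "added_second": second,
                "problems_before": clean, "problems_after": len(loose),
                "wrapped_rejected": wrapped_rejected}


if __name__ == "__main__":
    print(demo())
```

Run it with python3 on any Unix host; demo() reports that the first install adds the key, the second is a no-op, the permissions pass until the directory is loosened, and a key wrapped onto two lines is refused before anything is written.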

2.  SSH Port Forwarding (Tunneling)

SSH tunneling allows you to protect arbitrary TCP connections. In this demonstration, you will learn how to build a secure connection between the email client on your local machine and the department’s POP3 server pop3.comp.polyu.edu.hk:110.

I.  Launch PuTTY, navigate to Connection -> SSH -> Tunnels, then enter 220 as the source port and 127.0.0.1:110 as the destination in the corresponding fields. Make sure the Local option is selected before you press the Add button. This setting tells PuTTY to forward the local port 220 to port 110 on the remote destination 127.0.0.1 (or localhost). Return to the Session category and set the Host Name to pop3.comp.polyu.edu.hk. Keep the default SSH port (22). Click Open and enter the username and password of your departmental account. Note that you can skip the password step if you use the public key authentication method. Note also that the destination is 127.0.0.1 rather than pop3.comp.polyu.edu.hk because the destination address is resolved by the SSH server itself, which here is the POP3 server; the forwarded connection therefore reaches the POP3 service directly on that host.

II.  Launch your email client, such as Mozilla Thunderbird, and set the department POP3 mail server name to 127.0.0.1 (or localhost) and the port to 220. Finally, send a test mail to your email account to verify your settings. Note that closing the PuTTY client terminates the SSH tunnel to the server; therefore, do not close the PuTTY client before closing your email client.
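To make the "local port 220 -> destination 127.0.0.1:110" setting concrete, here is an added example, not part of the lab handout and not PuTTY's code, of the plaintext side of a local forward: a listener on a loopback port that relays every accepted connection to a destination. The encrypted hop through the SSH server is deliberately omitted, so the destination is reached directly and nothing is encrypted; the LocalForwarder class, the fake POP3 server and the demo() helper are all constructed for this example.

```python
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LocalForwarder:
    """Listen on a loopback port and relay each connection to (dest_host, dest_port)."""

    def __init__(self, dest_host: str, dest_port: int, listen_port: int = 0):
        self.dest = (dest_host, dest_port)
        self._listener = socket.socket()
        self._listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # Bind to 127.0.0.1 only, as PuTTY does by default, so other hosts
        # cannot use the forwarded port.
        self._listener.bind(("127.0.0.1", listen_port))
        self._listener.listen(5)
        self.listen_port = self._listener.getsockname()[1]
        self.connections = 0

    def start(self) -> None:
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self) -> None:
        while True:
            try:
                client, _ = self._listener.accept()
            except OSError:
                return  # listener closed by stop()
            self.connections += 1
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _handle(self, client: socket.socket) -> None:
        try:
            remote = socket.create_connection(self.dest, timeout=5)
        except OSError:
            client.close()  # destination unreachable: drop the local connection
            return
        remote.settimeout(None)
        threading.Thread(target=_pump, args=(remote, client), daemon=True).start()
        _pump(client, remote)

    def stop(self) -> None:
        self._listener.close()


def fake_pop3_server() -> tuple[int, socket.socket]:
    """CONSTRUCTED stand-in for a POP3 service: greets, waits for one command, says bye."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.sendall(b"+OK POP3 ready (constructed sample server)\r\n")
            conn.recv(1024)  # the client's QUIT
            conn.sendall(b"+OK bye\r\n")
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def demo() -> str:
    """Forward an ephemeral local port to the fake server and speak POP3 through it."""
    pop3_port, srv = fake_pop3_server()
    fwd = LocalForwarder("127.0.0.1", pop3_port)
    fwd.start()
    try:
        # The mail client only ever talks to the local forwarded port.
        with socket.create_connection(("127.0.0.1", fwd.listen_port), timeout=5) as c:
            greeting = c.recv(1024).decode()
            c.sendall(b"QUIT\r\n")
            c.recv(1024)
        return greeting.strip()
    finally:
        fwd.stop()
        srv.close()


if __name__ == "__main__":
    print(demo())
```

In the lab, PuTTY plays the LocalForwarder role on port 220 and the SSH server on pop3.comp.polyu.edu.hk makes the final connection to 127.0.0.1:110; closing PuTTY closes the listener, which is why the mail client must be closed first.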

C.  Lab assignment

1.  Examining SSH Protocol during Connection Establishment [15 marks]

You are required to use Wireshark (www.wireshark.org) or Ethereal (www.ethereal.com) to capture the SSH traffic between your local machine and the remote server cs-cs01.comp.polyu.edu.hk.

Preparation:

I.  Launch Wireshark/Ethereal, navigate to Capture -> Options, then set the capture filter to host cs-cs01.comp.polyu.edu.hk and port 22, and click Start to begin the capture.

II.  Establish an SSH connection to cs-cs01.comp.polyu.edu.hk using PuTTY and the default SSH port 22. Enter the username and password of your departmental account.

III.  Click Stop in the Wireshark/Ethereal capture window, and answer the following questions.

i.  What are the Key Exchange algorithms, the Server Host Key algorithms, the Encryption algorithms, and the MAC algorithms supported by cs-cs01? [9 marks]

Answer: [1 mark @]
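The algorithm lists asked for in question i are carried in the server's SSH_MSG_KEXINIT message, which is sent before any encryption is negotiated and is therefore visible in the capture. Wireshark decodes it for you; as an added example that is not part of the lab handout, the following parser reads the same name-lists from the raw bytes per RFC 4253 section 7.1 and applies the RFC's negotiation rule (the first algorithm in the client's list that the server also offers). The algorithm names in SAMPLE_SERVER_LISTS and SAMPLE_CLIENT_KEX are constructed for the example and are not the answer for cs-cs01; the build_kexinit, unwrap_binary_packet and demo helpers are mine.

```python
import struct
from typing import Optional

SSH_MSG_KEXINIT = 20
# Name-lists appear in this order after the message id and the 16-byte cookie.
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)


def _name_list(buf: bytes, off: int) -> tuple[list[str], int]:
    """Decode an RFC 4251 name-list: uint32 length, then comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    return (raw.decode("ascii").split(",") if raw else []), off + n


def unwrap_binary_packet(data: bytes) -> bytes:
    """Strip RFC 4253 binary packet framing (uint32 packet_length, byte padding_length)."""
    packet_len, padding_len = struct.unpack_from(">IB", data, 0)
    if packet_len + 4 > len(data) or padding_len + 1 > packet_len:
        raise ValueError("malformed packet framing")
    return data[5:4 + packet_len - padding_len]  # no MAC before key exchange


def parse_kexinit(payload: bytes) -> dict:
    """Return the ten name-lists and the first_kex_packet_follows flag."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 17  # message id + 16-byte random cookie
    result = {}
    for field in KEXINIT_FIELDS:
        result[field], off = _name_list(payload, off)
    result["first_kex_packet_follows"] = bool(payload[off])
    return result


def build_kexinit(lists: dict, cookie: bytes = bytes(16)) -> bytes:
    """Encode a KEXINIT payload and frame it as a binary packet (to construct samples)."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(names)) + names
    body += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    padding_len = 8 - ((len(body) + 5) % 8)  # total length multiple of 8, padding >= 4
    if padding_len < 4:
        padding_len += 8
    return struct.pack(">IB", len(body) + padding_len + 1, padding_len) + body + bytes(padding_len)


def negotiate(client: list[str], server: list[str]) -> Optional[str]:
    """RFC 4253 7.1: the first client-preferred name that the server also supports."""
    return next((name for name in client if name in server), None)


# CONSTRUCTED sample lists; read the real ones from your own capture.
SAMPLE_SERVER_LISTS = {
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "server_host_key_algorithms": ["ssh-ed25519", "rsa-sha2-512"],
    "encryption_algorithms_client_to_server": ["aes256-gcm@openssh.com", "aes128-ctr"],
    "encryption_algorithms_server_to_client": ["aes256-gcm@openssh.com", "aes128-ctr"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
}
SAMPLE_CLIENT_KEX = ["diffie-hellman-group14-sha256", "curve25519-sha256"]


def demo() -> dict:
    """Frame a sample server KEXINIT, parse it back, and pick the key exchange algorithm."""
    packet = build_kexinit(SAMPLE_SERVER_LISTS, cookie=bytes(range(16)))
    server = parse_kexinit(unwrap_binary_packet(packet))
    return {
        "server_kex": server["kex_algorithms"],
        "host_key": server["server_host_key_algorithms"],
        "chosen_kex": negotiate(SAMPLE_CLIENT_KEX, server["kex_algorithms"]),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the chosen algorithm follows the client's preference order, not the server's: in the sample the server lists curve25519-sha256 first, but the client prefers diffie-hellman-group14-sha256, so that is what the exchange would use.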

ii.  Complete the following protocol exchange diagram: [4 marks]

Answer:

iii.  What is the use of the server’s host key? [2 marks]

Answer: [1 mark @]

2.  Browsing an Access-restricted Web Page

A web page http://www4.comp.polyu.edu.hk/~comp444/q2/index.htm has been set up with the following access control:

    Order deny,allow
    Deny from all
    Allow from csdoor2 csdoor3 csdoor

so that only users coming from the remote hosts csdoor2, csdoor3 and csdoor can access the web page.

I.  What is the procedure to access the restricted web page from your local machine, given that you are not able to issue any Unix commands, e.g. lynx, directly on the remote hosts to retrieve the web page? [12 marks] [Hint: use PuTTY’s SSH port forwarding and the browser’s Internet proxy settings.]

Answer: [3 marks @]

II.  What is the content of the web page? [3 marks]

Answer:

You have completed the lab assignment!

Very well done!
