Operating Systems 2017F Lecture 21

From Soma-notes

Notes

In Class

Lecture 21
----------

ssh is part of a long tradition of remote access to UNIX-like systems
(and other systems with command lines)

* hard link via a serial line to a terminal
* modem-mediated serial connection to a terminal
* telnet - connect in a serial-like fashion over the internet
  - have a program listening for remote access on a fixed port
  - when there's a connection, connect remote program to login
  - login takes username, password
  - if correct, starts command shell for the user
  * Problems with telnet
    - annoying to type in username and password every time
    - username and password (and everything else) goes in the clear, so
      subject to eavesdropping, modification
* rsh - remote shell
  - idea: allow login without passwords and running of one-off commands
  - how? check IP address/hostname of source
  - but...IP addresses are not a secure authenticator
  - also...trusting configuration of remote system
  - and...all communication again in the clear

* ssh was designed as a drop-in replacement for rsh
  - but with better security
  - and also with better features, specifically X11 forwarding

X11 is a system for displaying graphics and handling input
  - windows, keyboard, mice
  - developed in the late 1980s, early 1990s
  - designed to allow remote connections
    - primarily a network protocol
  - X11 connections went in the clear
    - and were a pain to set up


public and private keys
 - asymmetric cryptography
 - used for key establishment and signatures (authentication)

symmetric crypto
 - encrypt with a key, decrypt with the same key
 - modern form: block ciphers (e.g., AES)
 - fast and very secure

asymmetric crypto is based on "one way" functions
 - easy one way
 - hard to invert (unless you know extra info)

To send someone a secret message
 - get their public key
 - encrypt message with their public key
   - really, encrypt random symmetric key (session key) with public key and
     encrypt message with symmetric key

To receive a secret message
 - decrypt session key with your private key
 - use session key to decrypt message
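The send/receive steps above, as an added example that is not from the lecture or Soma-notes: a random AES-256 session key is wrapped with the recipient's RSA public key (RSA-OAEP) and the message itself is encrypted with the session key (AES-GCM), all from Go's standard library rather than hand-written cipher code. The names Send, Receive, SealedMessage, RoundTrip and TamperDetected are my own, and TamperDetected shows the other half of the story: because the session-key cipher is authenticated, a message modified in transit is rejected instead of silently decrypting to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SealedMessage is what travels over the wire: the session key wrapped with
// the recipient's public key, plus the message encrypted under that session key.
type SealedMessage struct {
	WrappedKey []byte // RSA-OAEP encryption of the 32-byte session key
	Nonce      []byte // AES-GCM nonce, unique per message
	Ciphertext []byte // AES-GCM output (ciphertext with authentication tag appended)
}

// newGCM builds an AES-GCM instance from a raw session key.
func newGCM(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Send follows the "to send someone a secret message" steps: pick a random
// symmetric session key, encrypt it with the recipient's public key, and
// encrypt the message itself with the session key.
func Send(recipient *rsa.PublicKey, message []byte) (*SealedMessage, error) {
	sessionKey := make([]byte, 32) // AES-256 key
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &SealedMessage{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, message, nil),
	}, nil
}

// Receive follows the "to receive a secret message" steps: recover the session
// key with the private key, then use it to decrypt (and authenticate) the message.
func Receive(priv *rsa.PrivateKey, sm *SealedMessage) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sm.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("could not unwrap session key")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, sm.Nonce, sm.Ciphertext, nil)
	if err != nil {
		// GCM's tag check fails here if the ciphertext was changed in transit.
		return nil, errors.New("message failed authentication")
	}
	return plaintext, nil
}

// RoundTrip seals a message for the recipient's key pair and returns what the
// recipient recovers.
func RoundTrip(priv *rsa.PrivateKey, message string) (string, error) {
	sealed, err := Send(&priv.PublicKey, []byte(message))
	if err != nil {
		return "", err
	}
	plaintext, err := Receive(priv, sealed)
	if err != nil {
		return "", err
	}
	return string(plaintext), nil
}

// TamperDetected seals a constructed message, flips one bit of the ciphertext
// (standing in for modification on the wire) and reports whether Receive rejects it.
func TamperDetected(priv *rsa.PrivateKey) bool {
	sealed, err := Send(&priv.PublicKey, []byte("constructed sample message"))
	if err != nil {
		return false
	}
	sealed.Ciphertext[0] ^= 0x01
	_, err = Receive(priv, sealed)
	return err != nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // recipient's key pair
	if err != nil {
		panic(err)
	}
	out, err := RoundTrip(priv, "meet in the lab at 3pm")
	fmt.Println(out, err)
	fmt.Println("tampering detected:", TamperDetected(priv))
}
```

The asymmetric operation happens once per message, on 32 bytes, and everything else is the fast symmetric cipher; that is the reason the notes give for not using RSA alone.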

NEVER IMPLEMENT CRYPTO ON YOUR OWN
PLAN TO FIX CRYPTO CODE/PROTOCOLS OFTEN



ADDITIONAL NOTES


Remote access: processes are accessed through command lines, i.e. a terminal.
 - hard link via a serial line: the first thing to think about
 - how do you access the computer from somewhere else (remote access)? through a modem-mediated serial connection to a terminal
 - network: computers talk to each other
What is wrong with telnet?
 1) insecure: everything you type, including your username and password, can be watched (and modified)
 2) annoying, since it requires you to constantly log in

rsh: remote shell; the ability to run a command remotely simply by giving it as arguments.
 - how does it let you do so without a password? It checks the IP address and hostname of the source.
 - however, this is not secure enough, since the IP address can be faked.

ssh: developed to replace rsh, with improved security and features such as X11 forwarding. When ssh was killed, the xclock & program ended too, since it used the ssh connection to mediate its display.

X11: window-focused (remote desktops are different). A system for displaying graphics; it is odd in that it used to be useful but isn't anymore. It is a network protocol: the program that wants to display something on screen talks to the computer that has the display.
 - example: the server is the display and the terminal (xterm) is the client
 - disadvantage: difficult to set up
 - how do I find the current display and connect to it? through an environment variable (the DISPLAY environment variable)
 - env | grep DISPLAY: if it shows DISPLAY=:0, as in our case, then we have none (the display is local)
 - goal: use a local computer as if running on remote computers, i.e. graphical access remotely
 - ssh is a clone of the rsh syntax; example: su - soma, rsh to the machine, then do ls

xterm command after ssh? xclock &: where is this program running? It is not running locally; the program runs remotely but displays here.
 - the -X option to ssh sets the DISPLAY environment variable on the remote system and forwards X11 for you magically
 - can you run xclock & without -X? No, unless you set things up on the command line yourself
 - ssh can also manage redirection from a local port to another machine (ssh tunnel)
 - known_hosts: see below

Public vs private keys: asymmetric cryptography. (Contrast: when you encrypt a file with a password, you must use the same password to decrypt it.)
 - used for key establishment and signatures (key authentication)
 - easy to go one way, hard to go the other way (to invert)

Modern form: fixed-size units, i.e. block ciphers. Symmetric cryptography is much more efficient and harder to break than asymmetric.
 - fast and very secure
 - disadvantage: requires a way to obtain a key over the network before you can connect

To send someone a message privately:
 - obtain their public key (e.g. from a directory)
 - then use it to encrypt the symmetric (session) key
 - send both: attach the encrypted key to the message

To receive a message:
 - use the session key to decrypt it
 - asymmetric algorithms are slow and less secure, which is why RSA isn't used alone

NEVER IMPLEMENT CRYPTO ON YOUR OWN: you can't implement it as the same algorithm, there are too many attacks and it is unreliable. If you do use crypto in your system, use it through libraries, but expect them to change.

Cryptography is the base of ssh.
 - the lock icon in the browser: secure connection, uses the same thing as ssh; it shows info about the public key
 - Symantec: dangerous because anyone can sign
 - Firefox has the public keys of the certificates, so you are able to send secure messages, and anyone can do the inverse operation using the public keys

ssh stores host keys on first use.
 - rm .ssh/known_hosts; less known_hosts
 - cd /etc/ssh: host keys and configuration
 - what happens if you change those keys? It will give you a warning.
 - transfer the public key to the remote system, and make sure I don't share my private one
 - we are stuck using passwords because of usability, and that is dangerous
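The "stores on first use" behaviour and the warning on a changed key, as an added example that is not from the lecture or Soma-notes: a small trust-on-first-use store in Go that plays the role of ~/.ssh/known_hosts. The fingerprint format (SHA-256 of the key bytes, base64) matches what ssh prints when it asks you to confirm a new host; the type and function names (KnownHosts, Check, Fingerprint, Demo) and the host key bytes are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// HostKeyStatus is the outcome of checking a host's key against the store.
type HostKeyStatus int

const (
	FirstUse HostKeyStatus = iota // host never seen before: record the key and continue
	Match                         // key is the one we recorded earlier
	Mismatch                      // key differs from the recorded one: warn, do not connect
)

// KnownHosts maps hostname -> fingerprint of the host's public key,
// standing in for ~/.ssh/known_hosts.
type KnownHosts map[string]string

// Fingerprint is the SHA-256 digest of the raw public key bytes, base64-encoded.
func Fingerprint(pubKey []byte) string {
	sum := sha256.Sum256(pubKey)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// Check implements trust on first use: an unknown host is recorded, a known
// host must present the same key, and a changed key is reported as a mismatch.
func (kh KnownHosts) Check(host string, pubKey []byte) HostKeyStatus {
	fp := Fingerprint(pubKey)
	stored, seen := kh[host]
	switch {
	case !seen:
		kh[host] = fp
		return FirstUse
	case stored == fp:
		return Match
	default:
		return Mismatch
	}
}

// Demo replays three connections to one host: the same constructed key twice,
// then a different key, and returns the three statuses.
func Demo() []HostKeyStatus {
	kh := KnownHosts{}
	keyA := []byte("constructed-host-key-A") // stands in for the real host key bytes
	keyB := []byte("constructed-host-key-B") // what the host presents after its key changes
	return []HostKeyStatus{
		kh.Check("lab.example", keyA),
		kh.Check("lab.example", keyA),
		kh.Check("lab.example", keyB),
	}
}

func main() {
	for i, st := range Demo() {
		switch st {
		case FirstUse:
			fmt.Printf("connection %d: new host, recording its key\n", i+1)
		case Match:
			fmt.Printf("connection %d: host key matches known_hosts\n", i+1)
		case Mismatch:
			fmt.Printf("connection %d: WARNING: host key has changed, refusing to connect\n", i+1)
		}
	}
}
```

The first connection is the weak spot of this model: nothing checks the key at that point, which is why the fingerprint is shown to you and why deleting known_hosts (as in the rm above) silently re-enters that state for every host.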