Further information on this book:
Table of contents | Index | Sample chapter | Colophon | Reviews |
Second Edition, May 2005
ISBN 978-0-596-00895-6
Index
Symbols
$HOME environment variable, 6
-- (double dash), 103
~ (tilde), 21
A
AAA (authentication, authorization, and accounting), 109
AcceptEnv keyword, 199
Accession Lite, 536-539
Enable Key Compatibility, 538
account access control, 185-191
account permissions and security, 25
active-mode (FTP), 419
Address Space Layout Randomization (ASLR), 151
AddressFamily keyword, 294, 591, 620
addressing, single name, multiple address issue, 71
Advanced Encryption Standard (see AES)
AES (Advanced Encryption Standard), 87
AFS (Andrew File System), 406
agents, 28-32, 45, 242-260
access control, 253
agent forwarding, 30-32, 256-259, 350
connections in series, 32
enabling, 259
firewall example, 256
operation, 257
server configuration, 206
authentication agents, 8
automatic loading
single-shell method, 251
subshell method, 252
X Windows, 253
automation and, 29
client identification, 255
cpu usage, 259
debugging (OpenSSH), 259
double-remote copying with scp, 30-32
environment variable command format, 247
identities, listing and deleting, 248
invocation, login accounts, 243
keys, 29
listing, 29
loading, 28, 247-253
locking and unlocking, 29, 249
protected memory, 255
security aspects, 253-256
agent cracking, 255
single-shell invocation, 243-245
subshell invocation, 246
switching identities, 261
troubleshooting, 504
AllowAgentForwarding keyword (Tectia), 206
AllowedAuthentications keyword (Tectia), 172
gssapi, 182
hostbased, 175
keyboard interactive, 178
allow-from keyword, 197, 340
AllowGroups keyword, 191, 192, 195, 201, 371, 400, 402, 477, 493, 591, 613
AllowHosts keyword, 115, 158, 192, 193, 198, 225, 250, 340, 347, 402, 471, 472, 477, 493, 613
AllowSHosts keyword, 193, 198, 412, 477, 613
AllowTcpForwarding keyword, 201, 205, 370, 371, 400, 403, 477, 613
AllowTcpForwardingForGroups keyword, 201, 371, 477, 613
AllowTcpForwardingForUsers keyword, 201, 205, 371, 477, 613
AllowUsers keyword, 185
pattern matching, 186
AllowX11Forwarding keyword, 205, 381, 477, 613
ARCFOUR (see RC4)
ASLR (Address Space Layout Randomization), 151
asymmetric cryptography, 41
attacks, 91-96
agent cracking, 255
brute-force attacks, 40
connection hijacking, 91
covert channels, 96
dictionary attack, 27
eavesdropping, 91
IP attacks, 94
IP spoofing, 91
keystroke timing data and potential attacks, 96
man-in-the-middle attacks, 19, 92
name service spoofing, 91
password cracking, 93
replay attacks, 37
TCP attacks, 94
traffic analysis, 95
user or administrator carelessness and, 97
authentication, 3, 38
agents, using (see agents)
authorization in hostbased authentication (SSH), 71
failure messages, 20
passwordless, 32
per-account configuration and, 328
public-key authentication (see public-key authentication)
scalability case study, 452-468
SecurID hardware-based authentication, 180
server configuration for (see serverwide configuration, authentication)
ssh (client) configuration, 307-310
troubleshooting, 498-504
(see also SSH (Secure Shell), SSH-AUTH)
AuthenticationNotify keyword, 308, 309, 620
AuthenticationSuccessMsg keyword, 308, 309, 620
AuthInteractiveFailureTimeout keyword (Tectia), 173, 179
AuthKbdInt.NumOptional keyword (Tectia), 179
AuthKbdInt.Optional keyword, 179, 180, 477, 613
AuthKbdInt.Plugin keyword, 180, 477, 478, 479, 492, 613
AuthKbdInt.RADIUS.NASIdentifier keyword, 613
AuthKbdInt.RADIUS.Server keyword, 613
AuthKbdInt.Required keyword, 179, 180, 477, 613
AuthKbdInt.Retries keyword (Tectia), 179
authorization, 39
authorization files, server accounts, 329-331
AuthorizationFile keyword, 145, 330, 477, 614
authorized_keys, 24, 346
AuthorizedKeysFile keyword, 145, 614
AuthPassword.ChangePlugin keyword, 477, 480, 484, 614
AuthPublicKey.MinSize and MaxSize keywords (Tectia), 175
autoconf, 102
Axessh, 517
B
BAMSE, 520
Banner keyword (OpenSSH), 198
BannerMessageFile keyword (Tectia), 198
bastion host, 256
batch jobs, 408-415
hostbased authentication, 412
Kerberos authentication, 413
password authentication, 408
public-key authentication, 409-412
agents, 410-412
filesystem passphrase storage, 409
plaintext keys, 410
security precautions, 413
least-privilege accounts, 414
locked-down automation accounts, 414
restricted-use keys, 414
ssh options, 414
BatchMode keyword, 295, 415, 441, 620
BeOS SSH implementations, 516
binary distributions, 99
binary packet protocol, 50
BindAddress keyword, 291, 620
Blowfish, 88
bogus ICMP attacks, 94
boot versus manual invocation, 129
brute-force attacks, 40
bulk keys or bulk ciphers, 41
bzip2 and bunzip2, 101
C
cancel-tcpip-forward request, 65
case studies
authentication, 452-468
batch and cron jobs (see batch jobs)
FTP, 415-436
gateway hosts, connecting through, 444-452
Pine email client, 436-444
CAST, 89
CertdListenerPath keyword, 477, 614
Cert.DODPKI keyword, 620
Cert.EndpointIdentityCheck keyword, 620
certificate authorities, 14
Cert.RSA.Compat.HashScheme keyword, 477, 614, 621
challenge/response authentication, 22
ChallengeResponseAuthentication keyword, 171, 178
channels, 47, 64
channel numbers, 64
channel requests, 66
CheckHostIP keyword, 285, 621
CheckMail keyword (Tectia), 199
ChRootGroups keyword, 195, 477, 614
ChRootUsers keyword, 195, 477, 614
Cipher keyword, 163, 509, 609, 621
ciphers, 40
Ciphers keyword, 53, 162, 167, 169, 306, 477, 614, 621
ClearAllForwardings keyword, 357, 358, 621
client configuration, 266
debugging messages, 495
setup recommendations, 404
troubleshooting, 507
ClientAliveCountMax keyword, 154, 614
ClientAliveInterval keyword, 154, 155, 614
Command keyword, 626
Commodore Amiga SSH implementations, 516
compression algorithms, 91
Compression keyword, 171, 268, 272, 273, 276, 280, 311, 614, 621
CompressionLevel keyword, 508, 621
configuration, 101
compile-time configuration, 101-105
configuration files, 45
configure script, 102
command-line flags, 103-104
options, 105
pathname embedding versus PATH variable, 104
make command, 105
"none" encryption, 53
OpenSSH (see OpenSSH)
per-account configuration (see per-account configuration)
serverwide configuration (see serverwide configuration)
Tectia (see Tectia)
(see also client configuration)
connection hijacking, 91
ConnectionAttempts keyword, 621
Connector, 543-551
ConnectTimeout keyword, 293, 621
control connections (FTP), 418
forwarding, 420-424
choosing the target, 421
ControlMaster keyword, 64, 288, 621
ControlPath keyword, 64, 288, 621
covert channels, 96
CRC (Cyclic Redundancy Check) hash, 43
CRC-32 (Cyclic Redundancy Check), 89
cron jobs (see batch jobs)
cryptanalysis, 40
cryptography, 39-43
hash functions, 42
public-key cryptography, 41
secret-key cryptography, 41
security, 40
CVS (Concurrent Versions System), 125
Cyclic Redundancy Check (CRC-32), 89
Cygwin, 518
D
data connections (FTP), 418
Data Encryption Standard (DES), 87
debugging
messages, 495
serverwide configuration
syslog files, 131
DebugLogFile keyword, 621
default identity, 229
DefaultDomain keyword, 621
deny-from keyword, 197, 340
DenyGroups keyword, 191, 192, 201, 400, 402, 477, 493, 591, 614, 617
DenyHosts keyword, 115, 158, 193, 198, 250, 340, 347, 477, 493, 614
DenySHosts keyword, 193, 198, 412, 477, 614
DenyTcpForwardingForGroups keyword, 201, 205, 477, 614
DenyTcpForwardingForUsers keyword, 201, 205, 477, 614
DenyUsers keyword, 185
pattern matching, 186
DES (Data Encryption Standard), 87
dictionary attack, 27
Diffie-Hellman key agreement algorithm, 86
digital certificates, 14
Digital Signature Algorithm (DSA), 85
digital signatures, 41
DisableVersionFallback keyword, 477, 614, 621
display, 382
DNS (Domain Name Service), 11
DontReadStdin keyword, 298, 621
DropBear, 519
DSA (Digital Signature Algorithm), 85
dynamic port forwarding, 373-377
DynamicForward keyword, 304, 621
E
eavesdropping, 91
Egrep, sshregex (Tectia), 595
character sets, 598
escaped tokens, 596
EkInitString keyword, 264, 621
EkProvider keyword, 264, 621
email clients (see Pine email client)
EnableSSHKeysign keyword, 347, 501, 621
encryption, 4, 40
algorithms, 40
ssh (client), 306
programs, 1
env channel request, 66
environment variables, 627
agents and, 247
per-account settings, 340-343
ssh (client), 275
Ericom PowerTerm, 517
escape characters and sequences, 21
EscapeChar keyword, 272, 301, 302, 621
exec channel request, 66
Expect, 519
ExternalAuthorizationProgram keyword, 194, 477, 614
F
file transfers
sftp, 323
filesystems, recommended settings, 404-407
firewalls, 1, 15
FTP passive mode and, 424
port forwarding, bypassing with, 364
forced commands, 326, 332
command menu, displaying, 335
logging, 338
rejecting connections, 334
scp and, 338
security concerns, 333
SSH_ORIGINAL_COMMAND environment variable, 336
ForcePTTYAllocation keyword, 296, 621
ForwardACL keyword, 201, 203, 204, 205, 477, 614
ForwardAgent keyword, 259
forwarding, 39, 350
limiting or disabling per-account, 344
(see also port forwarding; agents, agent forwarding)
ForwardX11 keyword, 116, 380, 381, 477, 614, 621
ForwardX11Trusted keyword, 383, 621
Friedl, Markus, 10
F-Secure SSH, 518
FTP (file transfer protocol), 417, 429-434
case study, 415-436
control connection forwarding, 420-424
static port forwarding, 417
Tectia client, 416
VanDyke's SecureFX tool, 416
data connections, forwarding through SSH, 434-436
default data port mode, 432
TCP protocol and, 433
NAT and, 426-429
passive mode, 422-426, 431
firewalls and, 424
PASV port theft problem, 423
SSL-enhanced, 14
troubleshooting, 511
typical data transfer mode, 429
G
gateway hosts, 256
case study, 444-452
port forwarding (SSH-in-SSH), 449
scp, 448
SSH connection, making, 445-448
tunneled SSH with ProxyCommand, 450
GatewayPorts keyword, 355, 356, 357, 364, 389, 390, 397, 404, 422, 593, 614, 621
GlobalKnownHostsFile keyword, 621
GNU Emacs and SSH, 517
GnuPG (GNU Privacy Guard), 11
GoBackground keyword, 367, 621
gPutty, 520
group access control, 191
GSSAPI, 463
GSSAPI.AllowedMethods keyword (Tectia), 182
GSSAPI.AllowOldMethodWhichIsInsecure keyword, 182, 615, 621
GSSAPIAuthentication keyword (OpenSSH), 181
GSSAPICleanupCredentials keyword, 182, 615
GSSAPIDelegateCredentials keyword, 622
GSSAPI.DelegateToken keyword, 622
GSSAPI.Dlls keyword (Tectia), 183
gzip and gunzip, 101
H
hash functions, 42, 89
collision-resistance and pre-image-resistance, 43
HOME environment variable, 6
host keys, 20, 284-287
implementation dependency, SSH, 69
Host keyword, 270, 271, 272, 273, 274, 281, 447, 499, 507, 622
hostbased authentication
batch jobs and, 412
per-account configuration and, 347
security of, 412
server configuration for, 175-177
troubleshooting, 500
HostbasedAuthentication keyword (OpenSSH), 175
HostbasedAuthForceClientHostnameDNSMatch keyword, 177, 477, 615
HostCa keyword, 477, 622
HostCAMoCRLs keyword, 477, 622
HostCertificateFile keyword, 458, 477, 615
host-key generation, 130
HostKey keyword, 142, 615
HostKeyAlgorithms keyword, 307, 622
HostKeyAlias keyword, 286, 449, 451, 622
HostKeyEkInitString keyword, 477, 615
HostKeyEkProvider keyword, 615
HostKeyEkTimeOut keyword, 477, 615
HostKeyFile keyword, 142, 477, 615
HostName keyword, 273, 280, 622
hosts, 19-21
HostSpecificConfig keyword (Tectia), 471
hostspecs, 73
I
IDEA (International Data Encryption Algorithm), 86
identification files (Tectia), 232
identities, 227-242, 281-283
creating, 233-242
Diffie-Hellman key exchange, group generation, 241
default identity, 229
listing and deleting, 248
manual switching, 261
multiple identities, 260-262
OpenSSH, 229
switching with agents, 261
tailored sessions, 262
Tectia, 230
IdentitiesOnly keyword, 283, 622
IdentityFile keyword, 157, 232, 261, 262, 273, 281, 282, 283, 410, 622
IdKey keyword, 232, 627
IdleTimeout keyword, 155
idle-timeout keyword, 155, 343, 403, 499
IdPgpKeyFingerprint keyword, 263, 627
IdPgpKeyId keyword, 263, 627
IdPgpKeyName keyword, 263, 627
IgnoreLoginRestrictions.PasswordExpiration keyword, 615
IgnoreLoginRestrictions.Rlogin.AIX keyword, 615
IgnoreRhosts keyword, 76, 175, 176, 197, 198, 405, 412, 478
IgnoreRootRhosts keyword (Tectia), 176
IgnoreUserKnownHosts keyword (OpenSSH), 176
IMAP (Internet Message Access Protocol), 437
authentication, 437
inetd
server configuration and debugging, 223
server invocation using, 150
initialization scripts, SSH servers, 200
installation
prerequisites, 100
signature verification, 100
software inventory, table, 124
source code, 100
source files
extraction, 101
symbolic links created during, 123
Tectia (see Tectia, installation)
Unix implementations, 99-101
binary distributions, 99
on Unix systems, 99
integrity, 37
integrity checking, 4, 167-169
interactive sessions, authentication without passwords, 32
International Data Encryption Algorithm (see IDEA)
IP attacks, 94
IP spoofing, 91
IPSEC (Internet Protocol Security), 12
J
J2SSH Maverick, 517
Java SSH implementations, 517
JavaSSH, 517
JSch, 517
K
kadmin command, 413
KDC (Key Distribution Center), 461
KeepAlive keyword, 153
keepalive messages, 152-154
Kerberos, 12, 461-468
batch job authentication using, 413
integration in SSH, 12
OpenSSH and Tectia interoperability, 464-468
OpenSSH implementation, 111
server configuration for, 181-183
support in SSH, 463
tickets, 12
KerberosAuthentication keyword (OpenSSH), 181
KerberosOrLocalPasswd keyword (OpenSSH), 182
KerberosTgtPassing keyword (OpenSSH), 182
KerberosTicketCleanup keyword, 182
Kermit, 518, 519
KEXINIT messages, 51
Key keyword (Tectia), 232, 330
keyboard-interactive authentication, 177-180
one-time passwords, 177
Tectia plugin for, 488-492
KeyRegenerationInterval keyword, 609, 615
keys, 8, 22, 40, 44
changing, 27
host keys, 20, 284-287
implementation dependency, SSH, 69
key exchange, 51
key generators, 45
key management, 227-265
programs for key creation, 227
setup recommendations, 404
key pairs, 228
key-distribution problem, 41
secrecy, 24
session keys, 462
Tectia external keys, 264
troubleshooting, 504
keywords, 134
known hosts, 19-21
known hosts mechanism, 20
known-hosts databases, 45, 284-287
L
launch-sshd shell script, 139
LDAPServers keyword, 477, 622
limiting simultaneous connections, 157
Linux SSH implementations, 519
ListenAddress, 148
local computers, securing, 29
LocalForward keyword, 355, 356, 357, 593, 622
LoginGraceTime keyword, 155, 156, 477, 615
LogLevel keyword, 312, 313, 615
lsh, 520
M
MAC (message authentication code), 53, 167-169
Macintosh
OpenSSH, 526-530
SSH clients, 526
SSH server, 526-530
SSH implementations, 517
Macs keyword, 168, 615, 622
MacSFTP, 517
MacSSH, 517
man-in-the-middle attacks, 19, 92
masquerading, 426
Maverick SSHD, 517
Maverick.NET, 517
MaxAuthTries keyword, 156
MaxBroadcastsPerSecond keyword, 159
MaxConnections keyword, 157
MaxStartups keyword, 157
MD5, 90
message authentication code (see MAC)
metaconfiguration, 469
Microsoft Windows (see Windows)
MindTerm, 517
motd (message of the day), 198
N
Nagle Algorithm, 159
name service spoofing, 91
NAT (Network Address Translation), 426-429
masquerading, 426
server-side issues, 427
netgroups, 74
network applications, security issues, 1
Network Information Service (NIS), 11
network interface server settings, 148
networking terminology, 6
NEWKEYS, 57
NFS, recommended settings, 404-407
NiftyTelnet SSH, 517
NIS (Network Information Service), 11
nmap, 161
no-agent-forwarding keyword, 334, 344, 403, 414
NoDelay keyword, 115, 159, 293, 477, 616, 622
NoHostAuthenticationForLocalhost keyword, 287, 622
"none" encryption, 53
no-port-forwarding keyword, 330, 331, 334, 344, 371, 403, 414
no-pty keyword, 296, 334, 345, 346, 403, 414, 506
no-X11-forwarding keyword, 381, 414, 513
NumberOfPasswordPrompts keyword, 295, 622
O
one-time pad, 40
one-time passwords, 111, 177
OpenBSD, 5, 10
SSH implementations, 519
OpenSSH, 5, 10, 99
account authorization files, 329
authorization files, 626
configuration, 107-111
access control with TCP-wrappers, 111
command-line flags, 107-111
dependencies, 106
file locations, 107
Kerberos support, 111
networking, 109
PAM authentication, 109
pid file, 108
turning on support for Internet Protocol Version 4 (IPv4), 109
conversion, SSH-1 to SSH-2 keys, 231
environment variables, 627
help command, 278
host access control, 338
host keys implementation, 70
identities, 229, 626
installation, 106-111
build and install, 107
extraction of zipped files, 106
verification with PGP, 107
Macintosh operation, 526-530
SSH clients, 526
SSH server, 526-530
popularity of, xi
prerequisites, 106
privilege separation, 80, 184
public-key installation, 24
quick reference, 612-627
random number generation, 108
random number storage, 79
scp keywords, 620-623
scp options, 619
server configuration, 157
logging and debugging, 211-215
server host-key generation, 130
server protocol version string, 170
serverwide configuration
authentication keywords, 171
configuration files, checking, 135
debugging messages, 496
hostbased authentication, 175
Kerberos authentication, 181
password authentication, 173
public-key authentication, 174
recommended settings, 398-401
reverse IP mapping, 158
SSH protocol settings, 169
user welcome, 198
smartcard support, 241
software inventory, 124
SSH configuration directory, key storage file, 24
ssh keywords, 620-623
ssh options, 618
SSH-1, 609
ssh-add options, 625
ssh-agent options, 625
sshd keywords, 613-617
sshd options, 612
ssh-keygen options, 623
SSH_ORIGINAL_COMMAND environment variable, 336
subsystem command syntax, 208
Version 4.0 new features, 591-594
AddressFamily configuration keyword, 591
clients, 592
connection sharing, 592
hostname hashing, 592
KbdInteractiveDevices keyword, 592
logging of access violations, 591
password and account expiration warnings, 591
port forwarding, 592
server, 591
sftp command line, 593
ssh-keygen command-line options, 593
Windows and Cygwin operation, 518, 521-525
agents, 524
Cygwin installation, 521
opening remote windows, 523
public-key authentication, 524
ssh clients, 522
SSH server setup, 522
troubleshooting, 525
OpenSSL, 14, 106
directory path, flagging, 108
Options keyword, 330, 331, 371
OS/2 SSH implementations, 519
P
packet filters, stateful, 424
PalmOS SSH implementations, 519
PAM (Pluggable Authentication Modules), 109, 183
OpenSSH authentication, 109
serverwide configuration, 183
passive mode (FTP), 419, 422-426
firewalls and, 424
PASV port theft problem, 423
passphrases, 24
changing, 27
limitations, 28
PasswdPath keyword (Tectia), 174
password authentication, 173-174
batch jobs, issues with, 408
empty passwords, 173
expired passwords, 173
failed password attempts, 173
troubleshooting, 499
password cracking attacks, 93
PasswordAuthentication keyword, 171, 173, 272, 307, 400, 402, 499, 616, 622
PasswordExpireWarningDays keyword, 616
PasswordGuesses keyword (Tectia), 156, 473
PasswordPrompt keyword, 295, 622
passwords
one-time passwords, 111
security risks, 21
PenguiNet, 518
per-account configuration, 102, 326-348
advantages, 326
authentication, 328
access restriction by host or domain, 338
forced commands, 331
OpenSSH authorization files, 329
public-key based configuration, 328-346
Tectia authorization files, 330
environment variables, setting, 340-343
forwarding, disabling, or limiting, 344
hostbased access control, 346
idle-timeout option, setting (Tectia), 343
limitations, 326
setup recommendations, 403
troubleshooting, 506
TTY allocation, disabling, 345
user's rc file, 348
Perl modules for SSH implementation, 519
PermitEmptyPasswords keyword, 173
permitopen keyword, 344
PermitUserEnvironment keyword, 199
PGP (Pretty Good Privacy), 11
authentication in Tectia, 262-264
PgpKeyFingerprint keyword, 263, 331, 626
PgpKeyId keyword, 263, 331, 626
PgpKeyName keyword, 263, 331, 626
PGPPublicKeyFile keyword, 478, 616
PgpPublicKeyFile keyword, 263, 331, 626
PgpSecretKeyFile keyword, 264, 627
PidFile keyword, 143, 212, 616
Pine email client, 126, 436-444
connection scripts, 444
mail relaying, 442
remote usernames and, 442
PKI (Public Key Infrastructure), 55, 454
plaintext, 40
PocketPuTTY, 519
PocketTTY, 519
port forwarding, 8, 349, 351-372
dynamic port forwarding, 373-377
firewalls, bypassing, 364
forwarding off-host, 361-364
ftp protocol forwarding, 371
listening port number, 367
local forwarding, 352-356
gateway ports, 355
remote forwarding, compared to, 358-361
multiple connection issues, 357
remote forwarding, 356
remote logins, without, 366-367
server configuration, 201-205, 370
target forwarding address, choosing, 368
TCP-wrappers (see TCP-wrappers)
termination, 369
TIME_WAIT problem, 370
troubleshooting, 512
X forwarding (see X forwarding)
Port keyword, 148
port number
server settings, 148
Pragma Fortress, 518
PreferredAuthentications keyword, 308, 622
PrintLastLog keyword (OpenSSH), 199
PrintMotd keyword, 198, 398, 498, 616
privacy, 37
private keys, 228
privilege separation, issues with, 80
privileged ports, 10
PRNGs (pseudo-random number generators), 79
Protocol keyword (OpenSSH), 223
protocols, 3
ProxyCommand keyword, 445, 450, 451, 452, 622
ProxyServer keyword, 616, 622
pseudo-random number generators (PRNGs), 79
pSSH, 519
pty-req channel request, 66
PubKeyAuthentication keyword (OpenSSH), 174
public key files, 229
Public Key Infrastructure (PKI), 55
PublicHostKeyFile keyword, 142, 477, 616
public-key authentication, 21-32
agents, using (see agents)
algorithms, 84-86
authenticator, 22
batch jobs, 409-412
agents, 410-412
filesystem passphrases storage, 409
plaintext keys, 410
client/server interaction, 22
key pair generation, 23
keys, changing, 27
OpenSSH, 27
Tectia systems, 27
password authentication, compared to, 26
private keys, 22
public keys, 22, 228
installing in remote accounts, 24
OpenSSH installation, 24
Tectia systems, installation, 25
server configuration for, 174
Tectia systems, key generation on, 23
troubleshooting, 501
public-key cryptography, 41
PuTTY, 518, 520, 576-589
batch jobs, 587
configuration and settings
authentication, 586
compression, 586
encryption algorithms, 585
logging and debugging, 586
Proxies and SOCKS, 585
pseudo-terminal allocation, 585
configuration and use, 576
host keys, 584
saved sessions, 583
SSH protocol selection, 584
TCP/IP settings, 584
file transfers, 578
PSCP, 579
PSFTP, 579
forwarding, 587
installation, 576
key management, 580-583
agents, 582
key selection, 582
Plink console client, 577
remote commands, 578
TCP/IP settings
keepalive messages, 585
Nagle algorithm, 585
remote port selection, 585
Q
QuietMode keyword, 211, 313, 478, 616, 622
R
random number generation, 78
OpenSSH, 108
random seed, 45
RandomSeed keyword, 616
RandomSeedFile keyword, 143, 477, 616, 622
RC4 (ARCFOUR), 88
r-commands, 10
disabling, 398
insecurity, 11
SSH, replacing with, 125-127
in CVS, 125
in GNU Emacs, 126
in Pine, 126
in rsync and rdist, 127
rcp, 81
rdist, 127
realms, 462
regex syntax, SSH patterns (Tectia), 599-603
character sets, 602
escaped tokens, 601
regular expressions manpage (Tectia), 595-603
egrep patterns, 595
ZSH_FILEGLOB, 597
RekeyIntervalSeconds keyword, 155, 162, 307, 478, 616, 622
remote account name, 279-281
remote program invocation and security, 333
RemoteForward keyword, 356, 357, 593, 622
RemotelyAnywhere, 518
replay attacks, 37
requests, 65
RequiredAuthentications keyword (Tectia), 172
gssapi, 182
hostbased, 175
keyboard interactive, 178
RequireReverseMapping keyword, 158, 189, 193, 477, 616
ResolveClientHostName keyword, 189, 477, 616
restricted shell, 414
reverse IP mappings in server configuration, 158
RhostsRSAAuthentication keyword, 172, 175, 347, 609, 616, 623
RIPEMD-160, 90
Rivest-Shamir-Adleman public-key algorithm (see RSA)
RPM packages, 99
RSA (Rivest-Shamir-Adleman) public-key algorithm, 84
RSAAuthentication keyword, 172, 174, 477, 609, 616, 623
rsh (restricted shell), 414
rsh suite, 10
rsync, 127
S
ScanSSH program, 161
scp (Secure Copy Program), 7, 17, 81, 82, 313-323
authentication through local agents, 31
bandwidth settings, 320
batch mode, 319
Cygwin under Windows, 522
data compression, 320
directories, recursive copying, 316
double-remote copying using agents, 30-32
encryption algorithms, setting, 319
file conversions, 320
file transfers, 17
forced commands and, 338
gateway hosts, using through, 448
help, 322
internal options, 322
keywords, 620-623
Macintosh, 526
optimization, 321
options, 619
original file, automatic removal (Tectia), 317
permissions, 317
safety features, 318
ssh executable, locating, 322
SSH protocol settings, 319
statistics, display of, 321
syntax, 18, 313-316
TCP/IP settings, 319
troubleshooting, 509
user identity, 319
wildcards, 316
scp2, 82, 84
sealed servers, 438
SecPanel, 520
secret-key algorithms, 86-89
secret-key cryptography, 41
SECSH (Secure Shell) working group, 10
secure file transfers, 7
Secure Hash Algorithm (see SHA-1)
Secure iXplorer, 518
Secure KoalaTerm, 518
secure remote logins, 5
Secure Shell protocol (see SSH)
Secure Socket Layers (SSL), 14
SecureCRT, 518, 563-573
client configuration and use, 568-570
command-line programs, 572
file transfers, 572-573
vcp and vsftp commands, 572
Zmodem over SSH, 573
forwarding, 570-572
port forwarding, 570
X forwarding, 571
key management, 564-567
agents, 567
key generation, 565
key installation, automatic, 565
key installation, manual, 566
multiple identities, 567
session configuration, 564
troubleshooting, 574
SecureFX, 573
SecurID, 180
SecurIdGuesses keyword (Tectia), 180
security
agent forwarding and untrusted machines, 206
batch job precautions, 413
carelessness and, 97
compile-time configuration setup recommendations, 397
forced commands and, 333
forwarding and, 205
multiple identities, advantages, 260
network applications and, 1
shell escapes and, 333
Tectia SSH-1 compatibility mode issues, 225
SendEnv keyword, 199, 289, 623
server settings and, 199
server authentication, 38
ServerAliveCountMax keyword, 154, 293, 623
ServerAliveInterval keyword, 154, 293, 623
ServerKeyBits keyword, 609, 616
serverwide configuration, xv, 102, 128-226
access control, 184-198
account access control, 185-191
chroot, restricting directory access with, 195
external access control, 194
group access control, 191
hostname access control, 192
root access control, 194
shosts access control, 193
authentication, 171-184
authentication syntax, 171-173
hostbased authentication, 175-177
Kerberos, 181-183
keyboard-interactive authentication, 177-180
login programs, selecting, 184
PAM, 183
password authentication, 173-174
PGP, 181
public-key authentication, 174
configuration files, 133-138
checking, 135
time values in, 155
file locations, 142-146
host-key files, 142
per-account authorization files, 145
process ID file, 143
random seed file, 143
server configuration files, 144
utmp file structure, 145
file permissions, 146
forwarding, 201-206
agent forwarding, 206
port forwarding, 201-205
X forwarding, 205
host-key generation, 130
initial setup, 141-171
data compression, 170
encryption algorithms, 162-167
integrity-checking (MAC) algorithms, 167-169
key regeneration, 161
numeric values, configuration files, 149
protocol version string, 170
restart for each connection, 151
SSH protocol settings, 169
TCP/IP settings (see TCP/IP settings, server)
logging and debugging, 209-223
syslog, 210
making changes, 139
metaconfiguration information, 134, 468-479
per-account configuration (see per-account configuration)
port forwarding, 370
port selection, 131
reconfiguration example, 141
server compatibility, SSH-1 and SSH-2, 223-226
setup recommendations, 397-403
startup file script, 129
subconfiguration files, 134
subsystems, 206-209
definition syntax, 206
troubleshooting, 506
user logins and accounts, 198-201
client environment variables, setting permissions, 199
initialization scripts, 200
user welcome messages, 198
session keys, 462
sessions, 44
identity-based tailoring, 262
SetRemoteEnv keyword (Tectia)
server settings and, 199
SettableEnvironmentVars keyword (Tectia), 200
setup recommendations, 396-407
client configuration, 404
compile-time configuration, 397
key management, 404
per-account configuration, 403
remote home directories, 404-407
serverwide configuration, 397-403
sftp, 33, 81, 84, 323-325
ASCII vs. binary transfer, 34
command-line options, 34, 325
Cygwin under Windows, 522
interactive commands, 323-325
Macintosh, 526
vs. ftp, 34
SftpSysLogFacility keyword, 211, 617
SHA-1 (Secure Hash Algorithm), 90
shadow files, 110
Shannon, Claude, 40
shell channel request, 66
SHELL environment variable, 28
shell escapes, 333
ShellGuard, 518
SIGHUP signal, 140
signers, 45
single-shell agent invocation, 243-245
S/Key in OpenSSH, 111
SkeyAuthentication keyword, 617
slogin (SSH1), 34
SmartcardDevice keyword, 623
SMTP (Simple Mail Transfer Protocol), 437
sniffing, 37
SocksServer keyword, 120, 304, 477, 548, 617, 623
source distributions, 100
SRP (Secure Remote Password), 13
ssh (client), 5
configuration, 266-313
authentication, 307-310
command-line options, 267
configuration files, 268-275
connections, 294-302
data compression, 310
encryption algorithms, 306
environment variables, 275
forwarding, 305
host key types, 307
host keys and known-hosts databases, 284-287
integrity-checking (MAC) algorithms, 306
logging and debugging, 312
precedence, 276
protocol settings, 287-289
proxies, 302-305
random seeds (Tectia), 313
remote account name, 279-281
session rekeying, 307
SOCKS, 302-305
subsystems, 311
TCP/IP settings, 290-294
user identities, 281-283
Cygwin under Windows, 522
debugging messages, 495
escape character, 21
keywords, 620-623
known and unknown hosts, 19-21
Macintosh, 526
remote terminal sessions, 16
client/server channel, establishing, 17
login, 17
ssh options, 618
ssh-add options, 625
ssh-agent options, 625
ssh-keygen options, 623
troubleshooting, 508
unexpected behaviors, handling, 19
verbose mode, 19, 277
SSH Communications Security, 5, 9
SSH (protocol)
quick reference, 612-627
SSH (Secure Shell), xii, 1-15, 36-98
address name with multiple numeric address, problems, 71
algorithms, 84-91
hash functions, 89
public-key algorithms, 84-86
secret-key algorithms, 86-89
authentication, 38
supported methodologies, 38
authorization, 39
authorization in hostbased authentication, 71
control file details, 72
hostbased access files, 72
netgroups, 74
netgroups as wildcards, 76
backward compatibility, 78
clients, 16-35, 44
scp (see scp)
sftp (see sftp)
slogin, 34
ssh (see ssh)
client/server architecture, 2
compression algorithms, 91
configuration directory
key storage files, 24
configuration (see configuration)
cryptography (see cryptography)
denotation of protocols, products and clients, 4
features, 5-9, 36-39
keys and agents, 7
port forwarding, 8
remote commands execution, 7
remote logins, 5
scp (see scp)
secure file transfers, 7
file transfers, 81-84
flexibility in prosecution of services, 47
forwarding, 39
supported types, 39
function and purpose, 1
history, 9
implementation-dependent features, 48, 69-81
host keys, 69
included component protocols, 46-49
installation (see installation)
integrity, 37
keys, 44
known-hosts mechanism, 20
PKI, supported types and supporting implementations, 55
privacy, 37
privilege separation (OpenSSH), 80
pronunciation, 1
protections provided by, 91-93
random number generation, 78
r-commands, replacing, 125-127
in CVS, 125
in GNU Emacs, 126
in Pine, 126
in rsync and rdist, 127
related technologies, 10-15
firewalls, 15
IPSEC and VPNs, 12
Kerberos, 12
PGP and GnuPG, 11
SRP, 13
SSL, 14
SSL-enhanced telnet and FTP, 14
stunnel, 15
security vulnerabilities, 93-98
server, 43
sessions, 44
software inventory, 124
SSH agent (see agents)
SSH-1, 36, 68
Tectia compatibility support, 122-123
SSH-1 protocol, 9
SSH-2, 36, 45-67
SSH-1 compared to, 68
SSH-2 protocol, 9
SSH-AUTH, 47, 57-63
authentication request, 57
authentication response, 58
host-based authentication, 62
"none" request, 59
password authentication, 61
public-key authentication, 60
SSH-CONN, 47, 64-67
channel requests, 66
channels, 64
completing the connection process, 67
global requests, 65
requests, 65
SSH-SFTP, 48
SSH-TRANS, 47, 49-57
connection, 49
initialization of encryption, 56
key exchange algorithm, 51
key exchange and server authentication, 54
message authentication code and algorithms, 53
parameter negotiation, 51
protocol version selection, 50
server authentication and anti-spoofing, 56
supported encryption algorithms, 37
system architecture, 43-45
Unix implementations (see OpenSSH; Tectia)
Unix versions, xvi
SSH Secure Shell product (see Tectia)
SSH1 product, 9
Ssh1AgentCompatibility keyword, 611, 623
Ssh1Compatibility keyword, 224, 477, 610, 617, 623
Ssh1InternalEmulation keyword, 610, 623
Ssh1MaskPasswordLength keyword, 611, 623
Ssh1Path keyword, 611, 623
ssh-add command, 28, 247-253
command-line options, 250
listing keys, 29
reading input, 28
troubleshooting, 505
ssh-agent command, 28
locking agents from unauthorized use, 29
troubleshooting, 505
ssh-askpass program, 28
password piping, 409
ssh-copy-id command (for key installation), 26
sshd (server), 129
authentication syntax, 171-173
client environment variables and, 199
command-line options, 138
configuration (see server configuration)
debugging messages, 496
hushlogin and, 199
inetd, 223
initialization scripts, 200
key regeneration, 161
keywords, 613-617
launch-sshd shell script, 139
public keys file, 176
running as ordinary user, 129
disadvantages, 131
running as superuser, 129
setup recommendations, 397-403
SIGHUP signal, 140
sshd command options, 612
user SSH directory, 144
user welcome messages, 198
xinetd, 223
Sshd1ConfigFile keyword, 225, 477, 610, 617
Sshd1Path keyword, 224, 477, 610, 617
sshd-check-conf program, 136-138, 219
ssh-keyconverter (OpenSSH), 231
ssh-keygen command, 23, 233
command line options to change passphrases, 27
ssh.pid file, path specification, 108
ssh-probe program (Tectia), 160
sshrc files, 200
sshregex (Tectia) manpage, 595-603
egrep patterns, 595
syntax, 595
ZSH_FILEGLOB, 597
SshSignerPath keyword, 311, 623
SSHTerm Professional, 517
SSL (Secure Socket Layers), 14
TCP-based applications, enhanced with, 14
StrictHostKeyChecking keyword, 284, 285, 286, 623
StrictModes keyword, 25, 146, 147, 149, 478, 617
stunnel, 15
subconfiguration files, 471
forbidden keywords, 476
keyword order, 473
sections, 474
subshell agent invocation, 246
subsystem channel request, 66
Subsystem keyword, 207
symbolic links, created by SSH installations, 123
symmetric ciphers, 41
SYN flood attack, 94
SyslogFacility keyword, 210
system administration, xv
T
tar format, 101
TCP attacks, 94
TCP/IP settings, server
ASLR (Address Space Layout Randomization), 151
failed logins, 156
idle connections, 155
invocation by inetd or xinetd, 150
keepalive messages, 152-154
Nagle Algorithm, 159
port number and network interface, 148
reverse IP mappings, 158
server discovery, 159
simultaneous connections, limiting, 157
tcpip-forward request, 65
TCPKeepAlive keyword, 153
TCP_NODELAY bit, 159
TCP-wrappers, 389-395
Tectia, 5, 99
account authorization files, 330
authentication
authorization file, 232
external keys, 264
identification files, 232
identities, 230
PGP, using, 262-264
X.509 certificates, 454-461
authorization files, 626
client for FTP, 416
configuration, 113-122
authentication, 117-120
debugging, 120
encryption, 117
file locations and permissions, 113
networking, 115
random number generation, 115
SOCKS proxies, 120
TCP port forwarding, 117
X Window system, 116
configuration extensions, 468-479
configuration files
keywords, 477
quoted values, 478
debugging
module names, 604-608
environment variables, 627
file-naming conventions, 130
help command, 278
host access control, 340
host keys implementation, 70
host-key generation, 131
identity files, 626
idle-timeout option, setting, 343
installation, 111-113
build and install, 113
file extraction, 112
md5 verification, 112
prerequisites, 112
metaconfiguration, 134, 468-479
plugins, 479-494
customized password-change plugin, 487
expired passwords, changing, 479-484
external authorization, 492
general rules, 485
keyboard-interactive authentication, 488-492
Perl package for plugin implementation, 484
public keys, changing, 27
public-key generation, 23
public-key installation, 25
quick reference, 612-627
random number storage, 79
scp keywords, 620-623
scp options, 619
scp2, 84
scp, contrasted with, 82
server debugging messages, 496
serverwide configuration
access control files, 196
authentication syntax, 172
authentication techniques, 172
configuration files, checking, 136
hostbased authentication, 175
host-key generation, 130
Kerberos authentication, 182
keyboard-interactive authentication, 178
limiting simultaneous connections, 157
logging and debugging, 215-223
password authentication, 173
public-key authentication, 174
recommended settings, 401-403
rules for quoted strings, 135
server discovery, 159
SSH protocol settings, 170
SSH-1 and SSH-2 compatibility issues, 223-226
ssh-probe, 160
user welcome, 198
software inventory, 124
SSH configuration directory, key storage file, 24
ssh keywords, 620-623
ssh options, 618
SSH Secure Shell product, name change, xi
SSH-1, 610-611
client configuration, 610
key management, 611
scp file transfers, 611
serverwide configuration, 610
SSH-1 protocol compatibility and support, 121-123
SSH2_ORIGINAL_COMMAND, 336
ssh-add options, 625
ssh-agent options, 625
sshd keywords, 613-617
sshd options, 612
ssh-keygen options, 623
sshregex manpage, 595-603
egrep patterns, 595
syntax, 595
ZSH_FILEGLOB, 597
subconfiguration files, 471
forbidden keywords, 476
keyword order, 473
sections, 474
subsystem command syntax, 208
Windows operation (see Tectia for Windows)
Tectia for Windows, 531-562
Accession Lite, 536-539
client application, 533-534
configuration and profiles, 539-542
command-line programs, 552
Connector, 543-551
file transfers, 551
installation, 532
key management, 534
port forwarding, 542-543
supported Windows platforms, 531
Tectia Servers A and T, 555-562
access control, 559
authentication, 559
commands, 557
configuration, 557
forwarding, 560
logging and debugging, 561
operation, 556
SFTP server, 560
troubleshooting, 554
telnet
SSL-enhanced, 14
terminal locking, 29
Terminal.AllowGroups keyword, 617
Terminal.AllowUsers keyword, 617
Terminal.DenyGroups keyword, 617
Terminal.DenyUsers keyword, 617
tickets, 462
time values, server configuration files, 155
TIME_WAIT state, 433
TLS (Transport Layer Security), 14
Top Gun SSH, 519
traffic analysis, 95
transparency, 349
transparent proxies, 424
Triple-DES, 88
Trojnara, Michał, 15
troubleshooting, 497-513
TrustX11Applications keyword, 383, 623
TTY allocation, disabling per-account, 345
tunneling, 39, 351
advantages, 451
tunnels, 8
TuSSH, 519
Twofish, 89
U
Unix
hushlogin convention and SSH, 199
"message of the day" (motd), 198
syslog, 210
UseDNS keyword, 158
UseLogin keyword, 184, 205, 617
UsePAM keyword, 110, 171, 178, 183, 617
UsePrivilegedPort keyword, 292, 623
UsePrivilegeSeparation keyword, 184, 617
user authentication, 38
User keyword, 279, 499, 623
UserConfigDirectory keyword, 137, 144, 145, 269, 539, 559, 617
UserKnownHosts keyword, 176, 617
UserKnownHostsFile keyword, 287, 623
UserSpecificConfig keyword (Tectia), 471
UseSOCKS5 keyword, 477, 617, 623
V
VanDyke Software, 563
VerboseMode keyword, 216, 219, 312, 478, 617, 623
VerifyHostDNS keyword, 286
VerifyHostKeyDNS keyword, 623
version-control systems, 125
VMS SSH implementations, 520
VPNs (Virtual Private Networks), 12
VShell, 518, 574
W
Windows
OpenSSH on Cygwin, 521-525
agents, 524
enabling remote windows, 523
installation, 521
public-key authentication, 524
ssh clients, 522
SSH server setup, 522
troubleshooting, 525
PuTTY client (see PuTTY)
SecureCRT (see SecureCRT)
SSH implementations, 517
Tectia (see Tectia for Windows)
Windows Pocket PC SSH implementations, 519
WinSSHD, 518
WiSSH, 518
wu-ftpd, 423
X
X forwarding, 349, 377-389
limiting or disabling per-account, 344
server configuration, 205
X11DisplayOffset keyword, 381, 617
X11Forwarding keyword, 205, 617
x11-req channel request, 66
X11UseLocalhost keyword, 617
xauth, 108
XAuthLocation keyword, 381, 389, 513, 617, 623
XAuthPath keyword, 617, 623
xinetd
server configuration and debugging, 223
server invocation using, 150
Y
Ylönen, Tatu, 4, 5, 9
Z
zlib, 91, 106
ZOC, 518, 519
ZSH_FILEGLOB, sshregex (Tectia), 597
character sets, 598