HP N4000 Server Backups - TSI



Information Technology

Systems - Unix

Documentation Type: SOP

Secure Shell

File Transfer

Client Requirements and Configuration

Version 1.3

Description

This procedure outlines and details the requirements necessary to configure and make operational an external secure shell (SSH) client in order to transfer encrypted files to and from the NCO Group SSH2 server via an Internet connection.

Written By:

Thomas Lydick – NCO - UNIX Administrator

Contributors:

Revisions:

Version   Date       Revised By
1.0       11/01/02   Thomas Lydick – NCO Group
1.1       11/15/02   Thomas Lydick – NCO Group
1.3       12/02/03   Thomas Lydick – NCO Group

Table of Contents

I. Table of Contents
II. Executive Summary
III. General Client Requirements
    A. Brand of SSH
    B. Supported SSH Protocols
    C. Method of Authentication
    D. Method of File Transfer
    E. Server Access Restrictions
    F. Client Internet Firewall Configuration
IV. Procedure Outline
    A. SSH Account Setup on NCO SSH2 Server
    B. SSH Client Configuration
    C. Transfer Public Key from Client to NCO SSH2 Server
    D. Initial Login and NCO SSH2 Host Key
V. Procedure Detail
    A. SSH Account Setup on NCO SSH2 Server
    B. SSH Client Configuration
    C. Transfer Public Key from Client to NCO SSH2 Server
    D. Connecting to NCO SSH2 File Transfer Server
VI. References
    A. SSH Communications
    B. F-Secure
    C. OpenSSH
    D. SSH – The Definitive Guide
VII. Appendix
    A. NCO SSH2 File Transfer Diagram

Executive Summary

The NCO SSH2 (Secure Shell) File Transfer server supports three methods of securely transferring encrypted data to and from an SSH2 client via the Internet.

These include SFTP (Secure File Transfer Protocol), SCP (Secure Shell Copy) and FTP Port Forwarding (OpenVMS Multinet only).

The SFTP client has much of the same command functionality as FTP; however, unlike FTP, the data transferred is encrypted using one of the ciphers negotiated for the SSH2 connection.

Secure Shell Copy simply copies a file through a secure shell connection. SCP has limited file transfer options.

FTP Port Forwarding redirects or funnels the FTP ports through an established SSH2 connection. This method requires a specially written client that combines the FTP service and the SSH2 service.

This document outlines and details the steps necessary to configure an SSH2 client such that files are transferred securely using SFTP or FTP Port Forwarding to and from the NCO SSH2 File Transfer Server.

General Client Requirements

The NCO Group SSH2 File Transfer server is configured to authenticate, restrict server access and ensure encrypted data transfer such that file transfer security is not compromised.

A. Brand of SSH

Secure Shell (SSH) comes in two basic “brands”: SSH-2 (Commercial) and OpenSSH.

Both brands support the SSH2 protocol; however, the SSH-2 (Commercial) server version supports functions such as chroot (limiting users to their home directories) and custom SSH/FTP clients for FTP Forwarding.

1. Tested Commercial SSH-2 Clients

[Table of tested commercial SSH-2 clients: image not reproduced in this copy]

2. Tested OpenSSH Clients

[Table of tested OpenSSH clients: image not reproduced in this copy]

B. Supported SSH Protocols

SSH has two protocol versions, SSH1 and SSH2. The NCO SSH server will only accept the SSH2 protocol; the SSH1 protocol has known security defects.

C. Method of Authentication

Authentication is through SSH Public Key / Pass Phrase only. SSH Public Key prevents “man in the middle” attacks.

The client must be able to generate a 2048-bit DSA public and private key pair. The public key is copied to the NCO SSH2 server.

D. Method of File Transfer

The methods of file transfer supported are SFTP, SCP and FTP Port Forwarding. Refer to the NCO SSH2 File Transfer Diagram in the Appendix.

1. SFTP and SCP

SFTP and SCP typically come bundled with the SSH client.

SFTP provides more file transfer options than SCP.

Note: In order to use SCP, the commercial version of the SSH client must be used. Because the NCO SSH File Transfer Server uses chroot and static binaries, the ssh-dummy-shell is designed to use a proprietary protocol for SCP, which is not supported by OpenSSH SCP.

2. FTP Port Forwarding

The only supported version of FTP Port Forwarding is the OpenVMS SSH client Multinet.

FTP Port Forwarding requires a specially written SSH client that gives the standard FTP client direct access to the service rather than going through the host loopback connection.

In addition to the SSH account setup, a standard FTP account is created. Access to the FTP account requires a second level of authentication using a password.

This type of FTP Forwarding ensures that the FTP password authentication and data transfer are encrypted within an SSH pipe.

E. Server Access Restrictions

Client accounts are restricted to their own home directory. Access to other NCO Group client accounts is restricted.

This is accomplished with the use of the SSH2 chroot configuration.

F. Client Internet Firewall Configuration

The SSH2 clients use TCP port 22 by default. The SSH2 client must be able to reach the Internet through port 22.

To limit exposure at the client's firewall, an “outbound only” rule for port 22 that also restricts access by source IP address is suggested.

Procedure Outline

A. SSH Account Setup on NCO SSH2 Server

1. Create SSH Server Account

NCO will create an account on the NCO SSH2 Server and provide the client with the account name to be used when connecting to the server.

2. Create FTP Server Account

NCO will create an FTP account in addition to the SSH account for those clients that are using FTP Port Forwarding file transfer.

B. SSH Client Configuration

1. Local File Transfer Account Creation

Set up or use a file transfer account that does not have system administrator rights on the client. During the private/public key generation step, a “.ssh” or “.ssh2” directory is created under the file transfer account's default or home directory.

2. Public/Private Key Generation

Using the account created in the previous step, an SSH2 2048-bit DSA private and public key pair is generated.

3. Create Identification File

Create an identification file that contains the file name of the private key.

C. Transfer Public Key from Client to NCO SSH2 Server

1. Sending Public Key

The public part of the key pair is a readable text file. This file can be sent as an email attachment to the designated person at NCO Group. The public key will be placed in the account's .ssh or .ssh2 directory on the SSH2 server.

D. Initial Login and NCO SSH2 Host Key

1. Initial Login

The initial login will require that the NCO SSH2 host public key be copied locally. This process will create or append to the known_hosts file.

Procedure Detail

A. SSH Account Setup on NCO SSH2 Server

1. Create SSH Server Account

NCO will create an account on the NCO SSH2 File Transfer server.

No system password will be necessary for this account. Authentication is through the public/private keys and pass phrase.

a. Home Directory Structure

1. /bin – SSH2 executables

2. /xfer/incoming – Client incoming files

3. /xfer/outgoing – Client outgoing files

4. /.ssh2 – SSH2 user configuration directory

2. Create FTP Server Account

The FTP account is only necessary for those clients that will use the FTP Port Forwarding method of file transfer.

This account and its directory are in addition to the SSH server account.

B. SSH Client Configuration

1. Local File Transfer Account Creation

Set up or use a file transfer account that does not have system administrator rights on the client. During the private/public key generation step, a “.ssh” or “.ssh2” directory is created under the file transfer account's default or home directory.

Windows versions of SSH2 might create a “UserKeys” directory for key placement.

2. Public/Private Key Generation

Using the account created in the previous step, an SSH2 2048-bit DSA private and public key pair is generated.

a. Key Specifications

1. Key Type: DSA

2. Key Bit Size / Length: 2048

3. Key Format: SSH2 Commercial

4. Key Pass Phrase: A short sentence, including spaces

5. SSH Client Port: 22

6. Key Comment: Enter the NCO-provided account name.

7. Key / File Name: id_dsa_2048_NCO

Example: DSA 2048-bit key

id_dsa_2048_NCO - Private Key

id_dsa_2048_NCO.pub - Public Key

b. Key Pass Phrase

The pass phrase is typically a short sentence.

DO NOT USE THE NCO ACCOUNT ID, A SINGLE WORD or A SIMPLE SPACE when entering a pass phrase.

Use upper and lower case.

In the event that the private key is copied, the private key will not operate without the pass phrase.

1. Examples:

The 3 dogs have brown hair.

Red Sox will never win the World Series.

c. Example of the ssh-keygen2 or ssh-keygen command

1. OPSYS: Unix, Linux

$ ssh-keygen -b 2048 -t dsa -C "My company key"

$ ssh-keygen -b 2048 -t dsa -C "My Company Key for NCO"
Generating public/private dsa key pair.
Enter file in which to save the key (/home/DUDE/.ssh/id_dsa): id_dsa_2048_NCO
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_dsa_2048_NCO.
Your public key has been saved in id_dsa_2048_NCO.pub.
The key fingerprint is:
9e:c3:ec:92:79:81:31:b3:bf:f0:9f:0b:55:d3:f2:2a DUDE@SERVER.
$

2. OPSYS: Windows

Program Settings -> Global Settings -> User Authentication -> Keys -> Generate New Key

d. Converting from OpenSSH Key to SSH2

In order for the key to be read by the NCO SSH2 server, the public key must be in the SSH2 Commercial format.

1. Check what format the key is in.

a. Edit the public key (the part of the key pair with the “.pub” extension).

b. The top line should contain “BEGIN SSH2 PUBLIC KEY”.

c. The last line in the public key should contain “END SSH2 PUBLIC KEY”.

2. Change the OpenSSH public key format to the Commercial SSH key format.

a. Execute

$ ssh-keygen -x -f ./id_dsa_2048_NCO > id_dsa_2048_NCO.pub

3. Identification File

The identification file is a plain text file that tells the SSH2 client where the private key is located.

a. Create and Edit the Identification File

The identification file is typically placed in the .ssh2 or .ssh directory on Unix, VMS or Linux.

On some Windows versions of SSH2/OpenSSH the identification file is created automatically and updated with the private key name entry when the key is generated.

1. Change to the .ssh or .ssh2 subdirectory within the client file transfer account's home directory.

2. Create a file called identification.

3. Insert the following entry:

IdKey id_dsa_2048_NCO

4. Change the permissions on the file to read-only.
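The script below is an added example and is not part of the NCO SOP or of any SSH vendor's software. It packages the client configuration steps above (the pass phrase rules, key generation to the key specification, the public key format check and conversion, and the identification file) into shell functions for a Unix or Linux client. Every function name and the directory and account arguments are assumptions. Two caveats for a current reader: the -x export option shown in the SOP is spelled -e in today's OpenSSH ssh-keygen, and current OpenSSH rejects DSA keys other than 1024 bits (recent releases disable DSA altogether), so gen_nco_key reports that error rather than silently producing a different key.

```shell
#!/bin/sh
# Added example (not part of the NCO SOP): shell helpers for the client
# configuration steps in section B: pass phrase rules, key generation,
# public key format check/conversion, and the identification file.
# Assumed: every function name here, the DIR argument (the account's
# .ssh or .ssh2 directory) and the account name passed in.

# check_passphrase ACCOUNT PHRASE
# 0 when PHRASE follows the SOP: at least two words (so not a single word
# and not a bare space), not the NCO account id, upper AND lower case used.
check_passphrase() {
    account=$1
    phrase=$2
    # Word count via field splitting; -f stops * and ? from globbing.
    set -f; set -- $phrase; set +f
    [ $# -ge 2 ] || return 1
    lower_phrase=$(printf '%s' "$phrase" | tr '[:upper:]' '[:lower:]')
    lower_account=$(printf '%s' "$account" | tr '[:upper:]' '[:lower:]')
    [ "$lower_phrase" != "$lower_account" ] || return 1
    case $phrase in *[[:upper:]]*) ;; *) return 1 ;; esac
    case $phrase in *[[:lower:]]*) ;; *) return 1 ;; esac
    return 0
}

# gen_nco_key DIR ACCOUNT
# Runs ssh-keygen with the SOP key specification (DSA, 2048 bits, comment =
# account name, file id_dsa_2048_NCO). ssh-keygen prompts for the pass
# phrase itself; it is never put on the command line, where the process
# list would expose it. Current OpenSSH accepts only 1024-bit DSA keys and
# reports that here instead of generating something else.
gen_nco_key() {
    dir=$1
    account=$2
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; return 1; }
    ssh-keygen -t dsa -b 2048 -C "$account" -f "$dir/id_dsa_2048_NCO"
}

# key_format PUBFILE
# Prints ssh2 (BEGIN/END SSH2 PUBLIC KEY framing), openssh (one-line
# "ssh-dss ..." or "ssh-rsa ..."), or unknown: the SOP's manual check, scripted.
key_format() {
    first=$(head -n 1 "$1" 2>/dev/null)
    last=$(tail -n 1 "$1" 2>/dev/null)
    case $first in
        *"BEGIN SSH2 PUBLIC KEY"*)
            case $last in
                *"END SSH2 PUBLIC KEY"*) echo ssh2; return 0 ;;
                *) echo unknown; return 1 ;;
            esac ;;
        "ssh-dss "*|"ssh-rsa "*) echo openssh; return 0 ;;
        *) echo unknown; return 1 ;;
    esac
}

# ensure_ssh2_pub PRIVFILE
# Leaves PRIVFILE.pub alone if it is already SSH2 format; otherwise exports
# it with ssh-keygen -e (today's name for the -x option in the SOP), writing
# to a temp file first so the original is not truncated while being read.
ensure_ssh2_pub() {
    priv=$1
    pub=$priv.pub
    [ "$(key_format "$pub")" = ssh2 ] && return 0
    ssh-keygen -e -f "$priv" > "$pub.tmp" && mv "$pub.tmp" "$pub"
}

# write_identification DIR KEYNAME
# Creates DIR/identification with the IdKey entry and makes it read-only
# for the owner (mode 400), as step 4 of the SOP requires.
write_identification() {
    dir=$1
    keyname=$2
    rm -f "$dir/identification"
    printf 'IdKey %s\n' "$keyname" > "$dir/identification"
    chmod 400 "$dir/identification"
}

# Typical interactive use (assumed account name and directory):
#   gen_nco_key ~/.ssh2 clientacc && ensure_ssh2_pub ~/.ssh2/id_dsa_2048_NCO
#   write_identification ~/.ssh2 id_dsa_2048_NCO
```

check_passphrase encodes the rules of the Key Pass Phrase subsection so a rejected phrase is caught before the key is generated; because it takes the phrase as an argument, call it from a script that reads the phrase with echo turned off rather than typing the phrase on an interactive command line, where shell history would keep it.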

C. Transfer Public Key from Client to NCO SSH2 Server

1. Sending Public Key

The public key, id_dsa_2048_NCO.pub, can be sent through email to the designated NCO Group – IT Systems – Unix group member for upload into the NCO SSH2 File Transfer server.

D. Connecting to NCO SSH2 File Transfer Server

1. Initial Connection

a. Prerequisites Check List

[ ] Account created on NCO SSH2 File Transfer Server

[ ] Access to Internet from SSH client through port 22

[ ] Client file transfer account created

[ ] Public / private key generated

[ ] Client identification file created and updated

[ ] Public key placed on NCO SSH2 File Transfer Server

b. Connecting to NCO SSH2 File Transfer Server

1. Execute from the SSH client:

ssh {NCO_server_ID}@clientftp.

c. Download Host Public Key

On the initial connection to the NCO SSH2 File Transfer server the client should receive the following message:

Example:

Host key not found from database.
Key fingerprint:
xunil-gupab-bavuv-vobop-zizal-hihom-miluc-mopov-kahor-gonyb-fyxex
You can get a public key's fingerprint by running
% ssh-keygen -F publickey.pub
on the keyfile.
Are you sure you want to continue connecting (yes/no)?

1. Check the key fingerprint. This is the unique identifier of the NCO host public key. It must match the fingerprint below; ONLY ANSWER YES to the question if the fingerprint matches.

NCO SSH2 File Transfer Server Fingerprint:

xocih-typac-rogot-tovis-litem-pebud-ninir-fosov-moluc-rarib-cexix
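As an added example (not part of the SOP), the check in step 1 scripted: the function reads the server's prompt text and compares the fingerprint it shows with the published NCO value. This host key comparison is what protects the first connection against a man-in-the-middle, so the script answers "no" whenever the value differs or is missing. The sample prompt is constructed from the SOP's own example above, whose fingerprint is not the NCO one, so the function rejects it. The function names, SAMPLE_PROMPT and NCO_HOST_FINGERPRINT are assumed names.

```shell
#!/bin/sh
# Added example, not part of the NCO SOP: scripted check of the host key
# fingerprint shown at first connection against the published NCO value.
# Assumed names: both functions, SAMPLE_PROMPT, and NCO_HOST_FINGERPRINT
# as the variable holding the fingerprint quoted in the SOP.

NCO_HOST_FINGERPRINT=xocih-typac-rogot-tovis-litem-pebud-ninir-fosov-moluc-rarib-cexix

# Constructed sample of the "host key not found" prompt, using the
# fingerprint from the SOP's own example (which is NOT the NCO one).
SAMPLE_PROMPT='Host key not found from database.
Key fingerprint:
     xunil-gupab-bavuv-vobop-zizal-hihom-miluc-mopov-kahor-gonyb-fyxex
on the keyfile.
Are you sure you want to continue connecting (yes/no)?'

# verify_host_fingerprint EXPECTED   (prompt text on stdin)
# Takes the first non-blank line after "Key fingerprint:" and compares it
# with EXPECTED. Returns 0 = match (answer yes), 1 = mismatch (answer no),
# 2 = no fingerprint found (do not guess; answer no).
verify_host_fingerprint() {
    expected=$1
    shown=$(awk 'found && NF { print $1; exit } /^Key fingerprint:/ { found = 1 }')
    if [ -z "$shown" ]; then
        echo "no fingerprint in prompt; answer no" >&2
        return 2
    fi
    if [ "$shown" = "$expected" ]; then
        echo "fingerprint matches $expected; answer yes"
        return 0
    fi
    echo "MISMATCH: server shows $shown, expected $expected; answer no" >&2
    return 1
}

# bubblebabble_of_key FILE
# Prints the bubblebabble fingerprint of a saved host public key with
# OpenSSH's ssh-keygen -B (the commercial ssh-keygen2 uses -F, as in the
# SOP's prompt text); handy for re-checking a known_hosts entry later.
bubblebabble_of_key() {
    command -v ssh-keygen >/dev/null 2>&1 || return 1
    ssh-keygen -B -f "$1" | awk '{ print $2 }'
}

# Usage: paste the prompt into the function, e.g.
#   printf '%s\n' "$SAMPLE_PROMPT" | verify_host_fingerprint "$NCO_HOST_FINGERPRINT"
```

Keep the expected fingerprint in the script (or a file under the file transfer account) rather than re-typing it each time; a mismatch is the signal to stop and contact NCO before answering the prompt.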

d. Enter Pass Phrase

1. Enter the pass phrase sentence.

2. If authentication is successful, the following type of message should be displayed:

Passphrase for key "/home/clientacc/.ssh2/id_dsa_2048_NCO" with comment "2048-bit dsa, clientacc@, Wed Oct 16 2002 07:43:50 -0500":
Authentication successful.
Last login: Fri Oct 25 2002 10:51:08 -0400 from 142.192.201.97
No mail.
Press any key to exit.

At this point the SSH client has a successfully authenticated SSH connection to the NCO SSH2 File Transfer server. However, because of the server restrictions, a normal user shell command prompt is not provided.

Press any key to close the SSH connection.

At this point in the configuration process the SSH client and server are operational. File transfers can proceed using SFTP, SCP or FTP Port Forwarding.

References

A. SSH Communications

B. F-Secure

C. OpenSSH

D. SSH – The Definitive Guide

Appendix

A. NCO SSH2 File Transfer Diagram

[Diagram not reproduced in this copy. It shows the client-side SSH Client, FTP Client and SFTP/SCP Client connecting through the NCO Fire Wall on PORT 22 (the SSH Pipe) into the DMZ, where the NCO File Transfer Server hosts the SSH2 Server and the FTP Server. The two labelled paths are “Ftp through a SSH2 Pipe – FTP Forwarding” and “Secure FTP through SSH2 Pipe”.]
