SSH!
Keep it secret. Keep it safe
Using Secure Shell to Help Manage Multiple Servers
Don Prezioso
Ashland University
Why use SSH?
• Proliferation of servers
• Physical servers now virtual / hosted
• System management without a console
• Inter-server processes and file transfers
• Less worry about passwords
What is SSH?
• Secure Shell (encrypted connections)
• Replaces telnet (ssh)
• Secure copy (scp)
• Secure file transfers (sftp)
• Public/private key pairs for authentication (the session traffic itself is encrypted with keys the two sides negotiate when the connection is made)
Server Software for Linux
OpenSSH
Free SSH for Unix-based systems
Red Hat packages:
openssh-4.3p2-82.el5 - Core SSH components used by both client and server
openssh-askpass-4.3p2-82.el5 - Passphrase dialog for X11
openssh-clients-4.3p2-82.el5 - SSH client components (ssh, scp, sftp, etc.)
openssh-server-4.3p2-82.el5 - SSH server components (sshd)
/etc/ssh/sshd_config:
    UsePAM yes
    Subsystem sftp /usr/libexec/openssh/sftp-server
    AllowGroups sys adm ftpusers staff
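Once every admin's public key is in place, the setting that actually delivers "less worry about passwords" is to stop accepting them, and the three lines above do not yet say so. The script below is an added example, not from the slides or from the OpenSSH project: it reads an sshd_config the way sshd does (the first value for a keyword wins, and nothing after a Match line is unconditional) and reports the checks a practitioner would make before relying on the file. The two sample configs are constructed; the directive names and their defaults are OpenSSH's own.

```shell
#!/bin/sh
# Added example, not from the slides: audit an sshd_config for the settings
# that matter once every admin's public key is in place.  Runs against two
# constructed sample files below; on a real host pass /etc/ssh/sshd_config.

# Effective value of one directive, or "default" when the file never sets it.
# sshd keeps the FIRST value it reads for a keyword (later duplicates are
# ignored), and everything after a "Match" line is conditional, so stop
# there.  Keywords are case-insensitive; "Key=value" spelling is not handled.
sshd_setting() {            # sshd_setting <config-file> <Directive>
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/  { next }                         # comment
        /^[ \t]*$/  { next }                         # blank line
        tolower($1) == "match" { exit }              # conditional block begins
        tolower($1) == key {                         # first match wins
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")
            print; found = 1; exit
        }
        END { if (!found) print "default" }
    ' "$1"
}

# check <config-file> <Directive> <acceptable-value>...   (returns 0 ok, 1 FAIL)
check() {
    file=$1; directive=$2; shift 2
    val=$(sshd_setting "$file" "$directive")
    lval=$(printf '%s' "$val" | tr 'A-Z' 'a-z')
    for want in "$@"; do
        if [ "$lval" = "$want" ]; then
            printf 'ok   %-32s %s\n' "$directive" "$val"; return 0
        fi
    done
    printf 'FAIL %-32s %s (want: %s)\n' "$directive" "$val" "$*"; return 1
}

# One line per check; the exit status is the number of failed checks.
audit_sshd_config() {
    f=$1; fails=0
    # keys replace passwords, so turn passwords off ...
    check "$f" PasswordAuthentication no                      || fails=$((fails + 1))
    # ... including the PAM keyboard-interactive path that "UsePAM yes" opens
    check "$f" ChallengeResponseAuthentication no             || fails=$((fails + 1))
    check "$f" PermitEmptyPasswords no default                || fails=$((fails + 1))
    check "$f" PubkeyAuthentication yes default               || fails=$((fails + 1))
    # root by key only (or not at all), never by password
    check "$f" PermitRootLogin no without-password forced-commands-only || fails=$((fails + 1))
    groups=$(sshd_setting "$f" AllowGroups)
    if [ "$groups" = default ]; then
        printf 'FAIL %-32s unset (every local account may log in)\n' AllowGroups
        fails=$((fails + 1))
    else
        printf 'ok   %-32s %s\n' AllowGroups "$groups"
    fi
    return "$fails"
}

# Constructed sample resembling the slide's config, with weak settings.
SAMPLE_WEAK=$(mktemp)
cat > "$SAMPLE_WEAK" <<'EOF'
UsePAM yes
PasswordAuthentication yes
PermitRootLogin yes
Subsystem sftp /usr/libexec/openssh/sftp-server
AllowGroups sys adm ftpusers staff
# The next line does nothing: sshd already took the first value above.
PasswordAuthentication no
Match Group ftpusers
    PasswordAuthentication no
EOF

# The same file with the failing settings corrected.
SAMPLE_FIXED=$(mktemp)
cat > "$SAMPLE_FIXED" <<'EOF'
UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin without-password
Subsystem sftp /usr/libexec/openssh/sftp-server
AllowGroups sys adm ftpusers staff
EOF

audit_sshd_config "$SAMPLE_WEAK"  || echo "weak config: $? failed check(s)"
audit_sshd_config "$SAMPLE_FIXED" && echo "fixed config: all checks passed"
```

Run `sshd -t -f <file>` as well before restarting sshd; it catches syntax errors this parser does not. With `UsePAM yes`, `PasswordAuthentication no` alone is not enough, because PAM can still prompt for the password through keyboard-interactive, which is why `ChallengeResponseAuthentication` is on the list.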
Server Software for Windows
freeSSHd
See www.freeSSHd.com to download installation package
Edit C:\Program Files\freeSSHd\FreeSSHDService.ini:
[SSH server]
SSHPublickeyPath=C:\Program Files\freeSSHd\Authorized_Keys
[Users]
UserCount=2
[User0]
Name=datatel
Auth=2
Password=000000000000000000000000000000000000000000
Domain=
Shell=1
SFTP=1
Tunnel=0
[User1]
Name=dprez
Auth=0
Password=000000000000000000000000000000000000000000
Domain=AD
Shell=0
SFTP=1
Tunnel=0
Clients for Linux
• Included in OpenSSH:
– ssh – Secure Shell client
• telnet replacement
• remote command execution
– scp – Secure Copy – copy files between systems
– sftp – Secure FTP client
rsync!
• Not part of OpenSSH
• Does not require ssh, but will use it
• Synchronize entire directory trees between multiple servers
• Delta-transfer algorithm dramatically reduces the data sent over the network
• Not just a client...
Clients for Windows
http://www.chiark.greenend.org.uk/~sgtatham/putty/
• PuTTY – Terminal emulation
– Saved profiles
– Command line options for shortcuts
• PuTTYgen – Utility to create key pairs
• Plink – Remote command execution (CGI)
• PSCP and PSFTP – Command mode file transfer
Clients for Windows
http://winscp.net
• WinSCP – Graphical file transfer utility
Public / Private Key Pairs
• Generated automatically if needed
– Password needed for authentication
– Some clients will allow saving passwords (not secure!)
• May be created and exchanged ahead of time
– No password needed
• Public key
– Not secret (May be e-mailed or published)
• Private Key
– Keep it secret – Keep it safe!
Generating Keys on unix
• ssh-keygen (OpenSSH) command:
    ssh-keygen -C [email protected]
– Defaults:
• 2048-bit RSA keys
• ~/.ssh/id_rsa (private key)
• ~/.ssh/id_rsa.pub (public key)
– I don't normally use a passphrase
– Comment – just for your identification
– The .ssh directory is created private (owner-only permissions) – don't change it
Generating Keys on Windows
• PuTTYgen
– Click ‘Generate’ – Move mouse – Save private key
Where to put Public Keys
• On the system you will connect to
– Unix:
~/.ssh/authorized_keys
– Windows:
C:\Program Files\freeSSHd\Authorized_Keys\username
– Each key is one (long) line of text:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuMqLt5t+lF1W3oz7WtSBQX8zaBFHrD0vG4B4yyHBC9gLid44Mr3CFwiDAK8YZTtLzqWHHZdjMv90kZ3AKC8O6m+VQbS42Q6jCPN18kHPKPLt+cJ1rHWYY1IwbEnHTAnIxUW3AMw6FgpjYJgcipJjIBzauk1S5IHUl5agG+AJvMHa6wsePKJn3jkl3py1kPLz67DitboXvErCVtxBEwFeGzYFTP23MXE6Uwj7I5m0OH5m9o9TeTFuEF9OvwFMr/qsksaHoGQ3Gjo9mVUumpdTLZzKjVhTdsQ3XelWALj/onFlneHZPej0TK0JevJ3Ms3c2xl9BmluP5aS72sw7jk4Rw== [email protected]
– Paste the key using any text editor; keep it on one line, and keep ~/.ssh and authorized_keys writable by the owner only (with StrictModes, sshd silently ignores the file otherwise)
Using the Private Key
• Unix – automatic (~/.ssh/id_rsa is tried by default)
• PuTTY
– Command line (-i path)
– Saved Session
• Connection > SSH > Auth
Using the Private Key
• WinSCP
– Command line (/privatekey path)
– Advanced Site Settings
Logging in as root!
• No need to give out the root password
• Each user generates their own key pair
• If they leave – just remove their public key (don't need to change the password!)
• Treat other servers as additional 'users'
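A root authorized_keys full of personal keys is only as safe as the options on each line, and revoking someone should be the one-line delete the slide describes. The script below is an added example, not something from the slides: it assembles root's authorized_keys from one public-key file per person, pins the automation key to one source host and a forced command (the Tomcat restart a later slide runs over ssh), and revokes a departed user's key by its comment. The keys directory, the host name datatel.ashland.edu as the only permitted source, the path /sbin/service and the key strings are all constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the slides: build root's authorized_keys from one
# public-key file per person, give the automation key a forced command, and
# revoke a key when its owner leaves.  Directory layout, host names and the
# key material are constructed placeholders (the key strings are not real
# keys and sshd would reject them; only the text handling is real).

umask 077   # files we create are owner-only; with StrictModes (the default)
            # sshd ignores an authorized_keys that is group/world writable

# build_authorized_keys <keys-dir> <output-file>
#   <keys-dir> holds one single-line public key per person, named <who>.pub.
#   Admin keys get forwarding turned off; the automation key (datatel.pub)
#   is also pinned to one source host and one command, so a stolen copy can
#   do nothing but restart Tomcat from that host.
build_authorized_keys() {
    dir=$1; out=$2
    : > "$out"
    for pub in "$dir"/*.pub; do
        [ -f "$pub" ] || continue
        keyline=$(head -n 1 "$pub")
        case $keyline in
            ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
            *) echo "skipping $pub: not an OpenSSH public key" >&2; continue ;;
        esac
        case $(basename "$pub" .pub) in
            datatel)
                opts='from="datatel.ashland.edu",command="/sbin/service tomcat restart",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding'
                ;;
            *)
                opts='no-port-forwarding,no-X11-forwarding,no-agent-forwarding'
                ;;
        esac
        printf '%s %s\n' "$opts" "$keyline" >> "$out"
    done
    chmod 600 "$out"
}

# revoke_key <authorized-keys-file> <comment>
#   Deletes every line whose trailing comment (the ssh-keygen -C value) is
#   exactly <comment>; prints how many lines went away.  Nothing else on the
#   server changes: no password rotation, no other user touched.
revoke_key() {
    file=$1; who=$2
    before=$(wc -l < "$file")
    tmp=$(mktemp)
    awk -v who="$who" '$NF != who' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
    echo $(( before - $(wc -l < "$file") ))
}

# count_keys <authorized-keys-file>  -> number of key lines
count_keys() { grep -c 'ssh-' "$1"; }

# --- constructed demo ---------------------------------------------------
KEYS=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0PLACEHOLDER0= dprez@workstation\n' > "$KEYS/dprez.pub"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1PLACEHOLDER1= jdoe@workstation\n'  > "$KEYS/jdoe.pub"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2PLACEHOLDER2= datatel@datatel\n'   > "$KEYS/datatel.pub"
printf 'this is not a key\n' > "$KEYS/junk.pub"

AK=$KEYS/authorized_keys     # stands in for /root/.ssh/authorized_keys
build_authorized_keys "$KEYS" "$AK"
echo "--- built ($(count_keys "$AK") keys):"; cat "$AK"
echo "--- jdoe leaves: $(revoke_key "$AK" jdoe@workstation) line(s) removed"
```

A forced command suits a key that does exactly one thing. The key the GLIM import uses for scp plus a remote rm would need its own line without command= (or a wrapper script as the forced command that allows just those two operations), so keep one key per job rather than one key per server. After deploying, confirm from datatel.ashland.edu that `ssh -i <key> root@host` runs the restart and nothing else, and that the same key is refused from any other host.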
Importing Bookstore Charges (GLIM)
#!/bin/bash
#
# $logfile is assumed to be set earlier in the full script (not shown here);
# stop rather than append output to an empty path.
: "${logfile:?logfile must be set}"
#
RemoteHost="[email protected]"
RemotePath="FromMBS"
#
ImportPath="/datatel/coll18/production/apphome/DATA/DATA_G/GL.INTERFACES"
DropPath="/home/mbsftp"
DropFile="bks*.TXT"
#
# Get files from the remote server
#
/usr/bin/scp "$RemoteHost:$RemotePath/$DropFile" "$DropPath/" >> "$logfile" 2>&1
#
# Now that we have them local, delete them from the remote server.
# nullglob keeps the loop from running with the literal "bks*.TXT" when
# nothing was fetched: the remote shell would expand that pattern and
# delete files that arrived after the scp, before they were ever copied.
#
shopt -s nullglob
for filepath in "$DropPath"/$DropFile ; do
    filename=$(basename "$filepath")
    RemoteCommand="rm -f '$RemotePath/$filename'"
    ssh "$RemoteHost" "$RemoteCommand" >> "$logfile" 2>&1
done
shopt -u nullglob
#
Restarting Tomcat (WebAdvisor)
#!/bin/bash
if [[ $( /bin/hostname ) = "datatel.ashland.edu" ]] ; then
    /usr/bin/ssh [email protected] service tomcat restart
fi
Locking UI
• Users start UI with: https://ui.ashland.edu
– Normal web.config file redirects to:
https://ui.ashland.edu:8183/Colleague/launch.htm
– Script gets a copy of the web.config file using sftp
– Script creates a new web.config that redirects to:
http://ui.ashland.edu/OOS.htm
– Script transfers the new web.config to the web server using sftp
• Users who know the real URL can still use UI
• Unlock just does the reverse
Locking WebAdvisor
• Similar to locking UI
– No files are transferred between systems
– Script uses ssh to copy files on the web server
• Users who know the whole URL can still run it
• Doesn't lock portal access to WebAdvisor
• Works in combination with stopping the listener
– Better message ☺
File Transfers in UniData
• X.SFTP.SEND
– UniBasic program any user can run
– Builds a temporary script for input to sftp
– Copies the 'datatel' private key and sets permissions
– Runs sftp with the -b option to process the temporary script and use the private key copy
– Deletes the copy of the private key
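Both the UI lock/unlock procedure and X.SFTP.SEND drive sftp from a generated batch script, and X.SFTP.SEND does it by copying the datatel private key into the running user's reach for the duration of the transfer. The script below is an added example, not code from the slides, showing the same two jobs with the key read in place from its own 0600 file and the batch file generated per run in a private temp file. The user@host, the web server path, the work directory and the web.config content are constructed assumptions; the real web.config for UI is not shown on the slides.

```shell
#!/bin/sh
# Added example, not from the slides: drive sftp from a script without
# copying the private key anywhere.  The batch file is generated per run in
# a private temp file; the key is read in place from a 0600 file owned by
# the account running the job.  User@host, paths and the web.config content
# are constructed placeholders.

umask 077

# Placeholders for the real deployment (assumptions, not from the slides)
TARGET=${TARGET:-datatel@ui.ashland.edu}
KEY=${KEY:-$HOME/.ssh/id_rsa}
REMOTE_CONFIG=${REMOTE_CONFIG:-/inetpub/wwwroot/Colleague/web.config}
WORKDIR=${WORKDIR:-/home/datatel/uilock}
OOS_URL="http://ui.ashland.edu/OOS.htm"

# sftp_batch <get|put> <remote-path> <local-path>  -> batch script on stdout.
# In -b mode sftp aborts at the first failed get/put unless the line starts
# with "-", so a failed download is never followed by an upload.
sftp_batch() {
    case $1 in
        get) printf 'get %s %s\n' "$2" "$3" ;;
        put) printf 'put %s %s\n' "$3" "$2" ;;
        *)   echo "sftp_batch: unknown action '$1'" >&2; return 1 ;;
    esac
}

# run_sftp <user@host> <key-file> <batch-file>
# BatchMode=yes: never prompt for a password or passphrase, just fail.
# IdentityFile names the key where it lives; no copy is made.
run_sftp() {
    sftp -o BatchMode=yes -o StrictHostKeyChecking=yes \
         -o IdentityFile="$2" -b "$3" "$1"
}

# sftp_transfer <get|put> <user@host> <key> <remote-path> <local-path>
sftp_transfer() {
    batch=$(mktemp) || return 1
    sftp_batch "$1" "$4" "$5" > "$batch" || { rm -f "$batch"; return 1; }
    if run_sftp "$2" "$3" "$batch"; then rc=0; else rc=$?; fi
    rm -f "$batch"
    return "$rc"
}

# oos_webconfig <url> -> minimal IIS web.config sending every request to <url>
# (assumed shape; the production file has more in it)
oos_webconfig() {
    cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <httpRedirect enabled="true" destination="$1" httpResponseStatus="Temporary" />
  </system.webServer>
</configuration>
EOF
}

# lock_ui <user@host> <key> <remote-web.config> <workdir>
#   1. fetch the live web.config and keep it as the unlock copy
#   2. upload a replacement that redirects to the out-of-service page
lock_ui() {
    sftp_transfer get "$1" "$2" "$3" "$4/web.config.live" || return 1
    oos_webconfig "$OOS_URL" > "$4/web.config.oos"
    sftp_transfer put "$1" "$2" "$3" "$4/web.config.oos"
}

# unlock_ui <user@host> <key> <remote-web.config> <workdir>
#   Refuses to run without a saved copy: uploading nothing is worse than
#   staying locked.
unlock_ui() {
    [ -s "$4/web.config.live" ] || { echo "unlock_ui: no saved copy in $4" >&2; return 1; }
    sftp_transfer put "$1" "$2" "$3" "$4/web.config.live"
}

case ${1:-} in
    lock)   mkdir -p "$WORKDIR" && lock_ui   "$TARGET" "$KEY" "$REMOTE_CONFIG" "$WORKDIR" ;;
    unlock) unlock_ui "$TARGET" "$KEY" "$REMOTE_CONFIG" "$WORKDIR" ;;
esac
```

Invoke it as `lock` or `unlock`. If the transfer has to run as whichever user started the UniBasic program, give that account a key of its own (with a restricted authorized_keys line on the far side) or run the transfer through a `sudo -u datatel` wrapper, rather than copying datatel's private key; a temporary copy sits readable in the filesystem between the copy and the delete, and is left behind if the program dies in between.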
File Transfers in Envision Basic (Studio)
• S.EXECUTE.SFTP (Ellucian provided)
SFTP.GET.FILE:
    * Get path to _HOLD_
    X.HOLD.PATH = "_HOLD_"
    X.PATH.ERROR = ""
    X.PATH.MSG = ""
    CALL S.GET.ABS.PATH(X.HOLD.PATH, X.PATH.ERROR, X.PATH.MSG)
    *
    * Call SFTP to transfer the file
    * (X.SFTP.CONFIG selects an entry from the SFTP configuration screen;
    *  X.SFTP.ERROR and XL.SFTP.RESULT carry the outcome back and are
    *  left for the caller to check in this excerpt)
    X.SCH.IMPORTS.FILE.NAME = "export.csv"
    X.SFTP.ERROR = ""
    XL.SFTP.RESULT = ""
    X.SFTP.CONFIG = "SCHI"
    X.SFTP.ACTION = "get"
    CALL S.EXECUTE.SFTP(X.SFTP.ERROR, XL.SFTP.RESULT, X.SFTP.CONFIG, X.SFTP.ACTION, X.SCH.IMPORTS.FILE.NAME, X.HOLD.PATH)
    RETURN
Envision SFTP Configuration
• SFTP screen:
Conclusion
• Easy connection to multiple servers
• Automation of system management tasks
• Fewer passwords