
This website is no longer maintained. Its content may be obsolete. Please visit http://home.cern/ for current CERN information.




Recommendation to Use SSH at CERN

Jan Iven, Denise Heagerty, CERN Computer Security Team


Abstract

CERN recommends the use of secure shell (SSH) to replace less secure commands, such as telnet, ftp and the BSD r-commands (rsh, rlogin, rexec, rcp). This article explains how ssh improves security and why it is important to install and use ssh locally to secure your complete connection, and it provides links to installation instructions for UNIX and Windows. Full information is available at http://cern.ch/security/ssh


Why use SSH?

Attackers routinely use passwords from legitimate users connecting to or from a CERN machine. These passwords are usually obtained from watching ("sniffing") the network traffic of that user. The user's account can then be used to attack other machines, both inside and outside CERN. To prevent attackers from obtaining these passwords, encryption must be used.

Secure shell (SSH) is a network protocol and tool suite to transparently encrypt network traffic. It is designed to replace telnet, ftp and the BSD r-commands (rsh, rlogin, rexec, rcp), all of which transmit passwords as cleartext and are vulnerable to connection hijacking. It offers secure port forwarding and can therefore be used to encrypt other network traffic (e.g. X11) as well.
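As an added example (not part of the original article or of CERN's tooling), the following shell check lists which of the cleartext services named above are still enabled in an inetd-style configuration, so they can be disabled once ssh is in place. The inetd.conf layout and the sample entries are assumptions constructed for illustration; in that file rsh and rcp appear as the "shell" service, rlogin as "login" and rexec as "exec".

```shell
#!/bin/sh
# Added example: flag cleartext login/file-transfer services in inetd.conf.
# Assumed field layout (classic inetd):
#   service  socket_type  protocol  wait/nowait  user  server_program  args...

# audit_inetd: reads an inetd.conf on stdin, prints "service<TAB>server_program"
# for every enabled cleartext service, returns 1 if any were found, else 0.
audit_inetd() {
    awk '
        $1 ~ /^#/ || NF < 6 { next }    # skip commented-out and incomplete entries
        $1 ~ /^(telnet|ftp|shell|login|exec)$/ && $3 ~ /^tcp/ {
            printf "%s\t%s\n", $1, $6
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample configuration (not taken from any real host).
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample inetd.conf
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
#ftp    stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd -l
shell   stream  tcp  nowait  root  /usr/sbin/in.rshd     in.rshd
login   stream  tcp  nowait  root  /usr/sbin/in.rlogind  in.rlogind
time    stream  tcp  nowait  root  internal
EOF
}

# Demo run on the constructed sample; on a real host: audit_inetd < /etc/inetd.conf
if ! sample_inetd_conf | audit_inetd; then
    echo "cleartext services are still enabled; replace them with ssh" >&2
fi
```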

Advice on using SSH securely

Using ssh does not automatically solve all security problems, and it has to be used correctly in order to be useful:

  • ssh is only secure when used end to end, i.e. directly from one trusted computer to a trusted server. You are advised to install and use ssh on your local system. (Note that using telnet or X11 to connect to a remote ssh client computer will still expose passwords in cleartext, as these applications do not encrypt.)
  • Passwords must still be regularly changed: An already-stolen password will continue to work over ssh, and although the encryption mechanism is generally assumed to be secure, passwords may still be discovered. Password advice is at http://cern.ch/security/passwords.

Installing SSH at CERN

Documentation is provided in the "SSH at CERN" web site for:

Using SSH to encrypt other applications

References

Contact

Comments and questions should be sent to Computer.Security@cern.ch
About the author(s): Jan Iven is a member of the CERN Computer Security Team, specialised in Linux and SSH. Denise Heagerty is the CERN Computer Security Officer.


For matters related to this article please contact the author.
Cnl.Editor@cern.ch


CERN-CNL-2002-002
Vol. XXXVII, issue no 2


Last Updated on Tue Jul 02 14:43:09 CEST 2002.
Copyright © CERN 2002 -- European Organization for Nuclear Research