16 ultimate SSH hacks

So you think you know OpenSSH inside and out? Test your chops against this hit parade of 16 expert tips and tricks.

By Carla Schroder

March 26, 2012 — IDG News Service — So you think you know OpenSSH inside and out? Test your chops against this hit parade of 16 expert tips and tricks, from identifying monkey-in-the-middle attacks to road warrior security to attaching remote screen sessions. Follow the countdown to the all-time best OpenSSH command!

[ Running SSH on a non-standard port ]

SSH tips #16-14:Detecting MITM attacks

When you log into a remote computer for the first time, you are asked if you want to accept the remote host's public key. Well how in the heck do you know if you should or not? If someone perpetrated a successful monkey-in-the-middle attack, and is presenting you with a fake key so they can hijack your session and steal all your secrets, how are you supposed to know? You can know, because when new key pairs are created they also create a unique fingerprint and randomart image:

$ ssh-keygen -t rsa -C newserver -f .ssh/newkey

Generating public/private rsa key pair.

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in .ssh/newkey.

Your public key has been saved in .ssh/newkey.pub.

The key fingerprint is:

44:90:8c:62:6e:53:3b:d8:1a:67:34:2f:94:02:e4:87 newserver

The key's randomart image is:

+--[ RSA 2048]----+

|oo +.o. |

|. = B o. |

| E X + . |

| B B .. |

| . * o S |

| . |

| |

| |

| |

+-----------------+

SSH tip #16: Retrieve the fingerprint and randomart image of an SSH key

If you make a copy of this when you create new encryption keys, then you can fetch a key's fingerprint and randomart image anytime to compare and make sure they have not changed:

$ ssh-keygen -lvf keyname

SSH tip #15: View all fingerprints and randomart images in known_hosts

And you can see all of them in your ~/.ssh/known_hosts file:

$ ssh-keygen -lvf ~/.ssh/known_hosts

SSH tip #14: Verify server keys

You can see the fingerprint and randomart for any computer you're logging into by configuring /etc/ssh/ssh_config on your client computer. Simply uncomment the VisualHostKey option and set it to yes:

VisualHostKey yes

Then login to any remote computer to test it:

$ ssh user@host2

Host key fingerprint is 66:a1:2a:23:4d:5c:8b:58:e7:ef:2f:e5:49:3b:3d:32

+--[ECDSA 256]---+

| |

| |

| . o . |

| + = . . . |

|. + o . S |

| o o oo |

|. + . .+ + |

| . o .. E o |

| .o.+ . |

+-----------------+

user@host2's password:

Obviously you need a secure method of getting verified copies of the fingerprint and randomart images for the computers you want to log into. Like a hand-delivered printed copy, encrypted email, the scpcommand, secure ftp, read over the telephone...The risk of a successful MITM attack is small, but if you can figure out a relatively painless verification method it's cheap insurance.

Originally published on www.itworld.com. Click here to read the original story.
RESOURCE CENTER