ssh . . .

By Duane Gustavus, UNIX Research Analyst

Who do you want to be today?

As you whiz around the Internet leaping whole continents at a single click, you might have noticed an insistent murmur about network security. It's nice that somebody worries about that sort of thing, but even nicer that you don't have to, because it sounds like it could get to be seriously tedious. Sure, there are nefarious characters out there, but you don't work for the CIA, and there's no information in your account other people would even care about, right?

Wrong; because what they are after is not your term paper nor anything stored in your account. What they want is access to your account; in other words, your identity. Then they are free to cruise the Net knowing whatever actions they take will be attributed to you.

Starting to get the picture? If not, maybe your focus on the issue will sharpen when the FBI knocks on your door to ask about that death threat you sent the President. Yes, that's hyperbole, but only just.

In a society where individuals are held individually responsible for their actions, it is important to protect your identity. On the Internet where your identity is most often established by the account you use to access the network, it is important to protect your account.

Sniffing for passwords

Before you skip to the next article to avoid another well-meaning (but nonetheless incredibly boring) lecture on the importance of managing the password for your account, let me interject that the most common way to gain access to someone else's account these days does not involve "cracking passwords". Why go to that much trouble when you can just grab the password right off the network?

Here's the way it works. There are over 6500 nodes on the unt.edu domain, and that number grows almost daily. Most of these nodes are "unmanaged", meaning that some portion of the day or night their primary user is not around, and at any rate the primary user is not a "systems" type that has the time or skill to determine everything the system is doing at any given time. It is relatively easy for someone to start a "sniffer" job running in the background which can log to a "hidden" file all the connect sessions that appear on that segment of network. That file will contain the login name and password of every telnet or ftp session over that network segment during the time the sniffer was running.

If you have a sniffer log file, you don't need to crack passwords to log in to someone's account; you KNOW the password. Now the system has no way to discriminate between you and the real account holder. Until the user changes their password (which none of us really enjoy all that much), you can become that user anytime you like.

Secure shell

Well, you say, if the network itself is insecure, what do you expect me to do about it? Encrypt information before putting it on the network. If this sounds suspiciously like I'm trying to get you to learn something new, I'll admit to it right up front. I want you to learn how to use ssh (secure shell). Here's why: telnet and ftp are very old access methods which were written in the days when the Internet was accessible only to a few researchers and computer vendors. Computers were slow and encryption of data was deemed an unnecessary function in an access method. Both telnet and ftp put the password you enter in the network packet just the way you entered it (that is, in plain old text). With access to the network (over 6500 nodes, remember), all anyone has to do is snarf the packet as it goes by, and your account is also their account. When you access your UNT account from home, the number of network access points increases enormously.

Secure shell encrypts the login dialog with a pretty tough encryption key so that if the packet is sniffed, your password is embedded in a matrix of "digital noise". The cracker will have to burn some considerable computer cycles to retrieve it in a usable form. Generally, it is not worth this much work. It's kind of like the police say about having a dog in your yard; there are ways for a thief to get around the dog, but the easiest of those is to move on to a house without a dog.

If I have gone to this much trouble to convince you to use this ssh stuff, it must be a real pain to use, right? Actually, once it is set up, using ssh is really not much different from telnet from the user's perspective. Instead of entering a command like "telnet jove.acs.unt.edu", you would enter something like "ssh -l duane jove.acs.unt.edu". If you were using telnet, jove would respond back with a message and "login:" prompt. When you use ssh, the prompt is merely something like "duane@jove.acs.unt.edu's password:". You enter your jove password, ssh encrypts it before putting it in the network packet and sends it along. The sshd process in jove then decrypts it and the login process proceeds.

What about ftp? The ftp protocol has the same security model as telnet (i.e., none at all). There is a companion command to ssh named scp which can be used to transfer files. In order to copy a file from my computer to jove, I could use "scp foo.c duane@jove.acs.unt.edu:". Notice the trailing ":" character on the destination. This command says to copy the file named foo.c in the current working directory to the login directory of user duane on the host jove.acs.unt.edu. Again you will see the prompt "duane@jove.acs.unt.edu's password:" which must be answered with the correct password before the transfer is accomplished.
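For whoever administers a UNIX host, the other half of the job is finding where telnet and ftp are still being offered once ssh and scp are in place. The script below is an added example, not part of the original article: it assumes the host starts those services from an inetd.conf-format file, and the sample configuration, its paths and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit an inetd.conf-format file for
# services that send the login password as plain text.

# telnet and ftp are the two the article names; extend the list as needed.
CLEARTEXT="telnet ftp"

# cleartext_services FILE: print each enabled cleartext service, one per line.
# Lines starting with '#' are disabled entries and are skipped.
cleartext_services() {
    awk -v list="$CLEARTEXT" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*#/ { next }
        NF >= 6 && ($1 in want) && !seen[$1]++ { print $1 }
    ' "$1"
}

# disable_cleartext FILE: write a copy to stdout with those entries commented
# out; every other line passes through unchanged.
disable_cleartext() {
    awk -v list="$CLEARTEXT" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        !/^[ \t]*#/ && NF >= 6 && ($1 in want) { print "#" $0; next }
        { print }
    ' "$1"
}

# Constructed sample configuration (paths are illustrative).
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd -l
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
#finger stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
time    stream  tcp  nowait  root    internal
EOF
}

demo() {
    tmp=$(mktemp) && write_sample "$tmp"
    echo "enabled cleartext services:"; cleartext_services "$tmp"
    disable_cleartext "$tmp" > "$tmp.new"
    echo "remaining after edit: $(cleartext_services "$tmp.new" | wc -l)"
    rm -f "$tmp" "$tmp.new"
}
demo
```

Confirm that sshd accepts logins before installing the edited file, and remember that inetd only rereads its configuration when it is sent a hangup signal.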

Does any of this stuff work outside of UNIX?

As a matter of fact, yes. My guess (in lieu of any research on the subject) is that ssh is the most commonly used secure access method in the world. There are both commercial and non-commercial (read free) versions. For your convenience, ssh and scp are both available on all CSCI and ACS UNIX server systems and all CAS General Access Lab PCs. Also, there is a link on the Computer Science Department's home page which you can follow to download and configure ssh for your Win95 system at home. There are commercial versions of this software available for Macs, but I am not aware of any free legal ssh clients for this platform (sorry).

Too much trouble?

Some have pointed out to me that the scp command is not as convenient as the point-and-click ftp client they are accustomed to using. Perhaps the extra effort of typing a few characters is amply rewarded if your account is not in the sniffer log the next time someone wanders through it asking "Let's see; who do I want to be today?"