## Using SSH instead of telnet ##

Jim Mock

If your FreeBSD system is connected to the internet, you should be concerned about the security of your system. The first thing you should do is edit the /etc/inetd.conf file and disable any services that you don't want or need. "How do I control my machine remotely or allow other users to access my machine if I disable telnetd?" you might ask. The answer is easy: three letters, SSH.

One of the most basic ways to improve the security of your system is to use SSH (Secure Shell) instead of telnet. SSH originally came about as a replacement for rlogin, rsh, and the other r* commands; however, users started realizing how useful it is and began using it to replace other commands as well, including telnet and ftp.

### SSH Features ###

One of the most important features of SSH is that it encrypts your connection, unlike telnet, which passes data in clear text. If you're using telnet, the possibility exists that your connection can be spied on and logins and passwords can be sniffed. With SSH this problem doesn't exist; it provides strong authentication and secure communication over insecure channels. Some other features of SSH include:

- Complete replacement for rlogin, rsh, and rcp.
- Strong authentication. Closes several security holes.
- Improved privacy. All communications are encrypted automatically and transparently.
- Secure X11 sessions.
- Arbitrary TCP/IP ports can be redirected through the encrypted channel in both directions, for things such as e-cash transactions.
- You don't have to retrain users; everything is automatic.
- Never trusts the network.
- The client authenticates the server before every connection.
- Host keys can be generated centrally or automatically when the software is installed. Host authentication keys are typically 1024 bits.
- Users can create any number of user authentication RSA keys for their own use. Each user has a file which lists the RSA public keys for which proof of possession of the corresponding private key is accepted as authentication. User authentication keys are typically 1024 bits.
- The server (sshd) has its own RSA key which is automatically regenerated every hour. The key is never saved in a file, and exchanged session keys are encrypted using both the server key and the server host key, making it impossible to decipher a captured session by breaking into the server machine at a later time. One hour after the connection, even the server cannot decipher the session key.
- The server key regeneration interval is configurable, and the key is normally 768 bits.
- The software can be installed and used (with restricted functionality) without root access.
- The client is customizable in system-wide and per-user configuration files.
- Automatically executes rsh after displaying a warning if the server isn't running sshd.
- Optional compression of all data with gzip, which may result in significant speedups if the connection is slow.

### Installing SSH ###

If you have the ports collection installed, SSH can be installed easily by doing the following:

```
# cd /usr/ports/security/ssh/
# make install
```

If you don't have the ports collection installed, you can either install it by following the instructions in the Issue #2 Newbie's Corner article (/archives/0299/articles/newbie.shtml) or by reading Dan Langille's FreeBSD Diary entry (http://www.freebsddiary.com/freebsd/topics.htm#ports). If you have something against installing the ports collection or using the ports to install software, you can download the SSH source code from ftp://ftp.funet.fi/pub/unix/security/login/ssh/.

### Replacing telnetd ###

If you choose to disable telnetd and use SSH instead, you'll need to edit /etc/inetd.conf as follows:

```
# pico inetd.conf
```

Find the line for telnetd and comment it out. If you're doing this on a remote machine, it would be a good idea to test SSH first and make sure it's working before disabling telnetd, or you'll lock yourself out of the box. See the steps in the next section on 'Using SSH'. This is the line you want to comment out:

```
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
```

Comment it out by putting a '#' at the beginning of the line.

### Using SSH ###

After installing SSH, a script to start the SSH server (sshd) on boot up can be found in your /usr/local/etc/rc.d directory. The script name is sshd.sh. If you want to start sshd immediately, you can either reboot and it will start automatically, or you can invoke sshd manually by running the following as root:

```
# /usr/local/sbin/sshd
```

After running it, you can verify that it's running by issuing the following command:

```
# ps auxw | grep sshd
```

Once you've verified that sshd is running, try connecting to your machine using ssh by doing the following:

```
# ssh host.domain.com
```

Where host.domain.com is the name of your machine. You should then see something like this:

```
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)?
```

If you want to connect to the host (which in this case you do), type 'yes' at the prompt. It will put the key in your ~/.ssh/known_hosts file, and you won't be prompted again; it will simply connect you.

If you have users that will be connecting from non-UNIX machines, you can get Windows SSH clients from the following locations:

- SecureCRT: http://www.vandyke.com/
- TTSSH: http://www.zip.com.au/~roca/ttssh.html

There are also a few others available, but the two above are the most popular. If you use either of these and experience problems, please contact the software maker, not me. I don't use Microsoft systems, therefore I won't be able to help.

- Jim

$Id: security.txt,v 1.1 2000/02/16 08:07:47 jim Exp $
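The telnetd replacement steps above (verify sshd is up, then comment out the telnet line in /etc/inetd.conf) can be scripted so that the lock-out mistake the article warns about is checked for automatically. The following is an added example, not from the original article: it operates on a constructed inetd.conf fragment in a temporary file, the `SSHD_CHECK` variable (an assumption of this example, defaulting to `pgrep -x sshd`) stands in for the `ps auxw | grep sshd` check, and the function and file names are this example's own.

```shell
#!/bin/sh
# Added example: comment out the telnetd line in an inetd.conf-style file,
# but only after a check that sshd is running, so a remote admin is not
# locked out. Not part of the original article.

# Command used to confirm sshd is up. Default assumes pgrep is available;
# tests or callers may override it (e.g. SSHD_CHECK=true).
SSHD_CHECK="${SSHD_CHECK:-pgrep -x sshd}"

# Return 0 if FILE still has an active (uncommented) telnet service line.
telnet_enabled() {
    grep -Eq '^[[:space:]]*telnet[[:space:]]+stream' "$1"
}

# Prefix every active telnet line in FILE with '#'. Writes through a
# temp file so a failed sed leaves the original untouched.
comment_out_telnet() {
    f="$1"
    sed -E 's/^([[:space:]]*telnet[[:space:]]+stream)/#\1/' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

# Guarded edit: returns 1 (and changes nothing) when the sshd check fails,
# 2 when there is no active telnet line to disable, 0 on success.
safe_disable_telnet() {
    f="$1"
    if ! sh -c "$SSHD_CHECK" >/dev/null 2>&1; then
        echo "sshd does not appear to be running; not touching $f" >&2
        return 1
    fi
    telnet_enabled "$f" || return 2
    comment_out_telnet "$f"
}

# Write a constructed three-line inetd.conf fragment to a temp file and
# print its path. Sample content only, not a real system file.
make_sample_inetd() {
    t=$(mktemp)
    printf '%s\n' \
        'ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l' \
        'telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd' \
        '#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd' > "$t"
    echo "$t"
}
```

On a real system you would run `safe_disable_telnet /etc/inetd.conf` as root and then signal inetd to reread its configuration; the guard refuses to edit when the sshd check fails, which is exactly the situation in which commenting out telnetd would cut off your only way back in.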