Difference between revisions of "*IMPORTANT SSH Login Policies*"
(SSH Policies for Peyton Hall) |
m (Relink) |
||
(12 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
− | + | ==Changes to Remote Access to Peyton Hall Computers== | |
− | |||
For several years we have only allowed logins to Peyton Hall computers | For several years we have only allowed logins to Peyton Hall computers | ||
− | from machines that allow "Reverse Name Lookup" | + | from machines that allow "Reverse Name Lookup"([[#Footnotes_1|1]]). As you may have |
experienced while traveling, this can be an obstacle to connecting | experienced while traveling, this can be an obstacle to connecting | ||
from hotel rooms, etc.; not all ISPs use properly registered IPs. The | from hotel rooms, etc.; not all ISPs use properly registered IPs. The | ||
Line 10: | Line 9: | ||
retired, so we need to do something to maintain unfettered external | retired, so we need to do something to maintain unfettered external | ||
access. There are more excuses for why we're proposing changes under | access. There are more excuses for why we're proposing changes under | ||
− | "RATIONALE" at the end of this document. | + | "[[#Rationale.2FFAQ|RATIONALE]]" at the end of this document. |
− | + | ==Proposed Plans for Remote Access== | |
− | + | '''Lemma:''' | |
− | + | <blockquote> | |
− | + | There is a machine (minos.astro.princeton.edu)([[#Footnotes_2|2]]) which allows | |
− | Lemma: | ||
− | |||
− | There is a machine (minos.astro.princeton.edu) | ||
open access, i.e. minos accepts logins (using passwords or ssh | open access, i.e. minos accepts logins (using passwords or ssh | ||
keys) from any machine on the net; it has been told not to pay any | keys) from any machine on the net; it has been told not to pay any | ||
attention to problems with Reverse Name Lookup. | attention to problems with Reverse Name Lookup. | ||
+ | <br> | ||
+ | N.b. Minos mounts the home filesystems READ ONLY.([[#Footnotes_3|3]]) | ||
+ | </blockquote> | ||
− | + | '''Proposal:''' | |
− | + | <blockquote> | |
− | Proposal: | + | That we change things so as to: |
− | + | <br> | |
− | + | Allow access to all Peyton machines from anywhere, even without | |
− | + | <br> | |
− | + | '''BUT''' | |
− | + | <br> | |
− | + | Only allow users to login to machines other than minos by using | |
− | + | ssh keys (i.e. no passwords). Password logins will still be | |
− | + | permitted if you're sitting at the console. This rule will | |
− | + | apply even within the building --- this is good; no more need to | |
− | + | type your password. | |
− | + | </blockquote> | |
− | |||
We further propose that, before anything is changed, we run a series | We further propose that, before anything is changed, we run a series | ||
Line 54: | Line 52: | ||
lives; hence the offer of a workshop. | lives; hence the offer of a workshop. | ||
− | ---------------- | + | ==Rationale/FAQ== |
− | $ | + | |
+ | ===If it aint broke, why are we fixing it?=== | ||
+ | |||
+ | Because the last Solaris box is departing this earthly plane. | ||
+ | |||
+ | The speed and ruthlessness of attacks on computers has increased | ||
+ | dramatically --- in other words, the cost of being successfully | ||
+ | attacked has increased significantly over the last few years; no | ||
+ | longer does a hacker simply poke around, nowadays they tend to destroy | ||
+ | the system. | ||
+ | |||
+ | Most users connect from their own laptop, in which case they | ||
+ | probably have ssh installed, and the proposed relaxation of the | ||
+ | Reverse Name Lookup rule will be a considerable improvement in their | ||
+ | life while travelling (e.g. when connecting from a hotel in | ||
+ | Afghanistan). Of course, this change in their quality of life will | ||
+ | only occur when the "no passwords" change is implemented --- so you | ||
+ | should start lobbying for it. | ||
+ | |||
+ | ===Why is Reverse Name Lookup worth worrying about?=== | ||
+ | |||
+ | The bulk of attacks upon our systems (99% of 30k attacks/month) | ||
+ | come from machines without reverse name lookup --- the reason's | ||
+ | obvious: If you work for Student Admissions and you're smart enough | ||
+ | that you don't want your handiwork traced back to your University, you | ||
+ | don't want your machine's IP to be identified as "princeton.edu"; so | ||
+ | you use a spoofed IP. | ||
+ | |||
+ | The breakins that we've seen recently (most recently from Arizona | ||
+ | about 18months ago) have been caused by programs reading keyboard | ||
+ | input to capture passwords; Evil People don't usually read every key | ||
+ | typed at the keyboard, but instead install Evil versions of ssh that | ||
+ | record your password as you type it. Access via ssh keys is less | ||
+ | vunerable to such attacks as the passphrase is typed less often (and | ||
+ | to a different programme, ssh-add), and because the Evil One has to | ||
+ | capture both the passphrase AND the key. Most people keep their keys | ||
+ | on their own laptops, which they physically control. But passwords can | ||
+ | be used by themselves to login to accounts from any machine and are | ||
+ | vulnerable to capture when one uses them on an unfamiliar machine. | ||
+ | |||
+ | As mentioned above, you'll be able to use your ssh keys stored | ||
+ | in your home directory to authenticate to any machine on the planet | ||
+ | that runs ssh-agent --- but beware key loggers in Lower Slobbenia. | ||
+ | |||
+ | ===Why do we want to mount /u Read-Only?=== | ||
+ | |||
+ | If we don't mount home directories read only on minos, the Evil | ||
+ | Hacker can install her own .ssh directory and proceed to compromise | ||
+ | the rest of the department. | ||
+ | |||
+ | ===Why not use smart cards (also known as crypto-cards)?=== | ||
+ | |||
+ | Because they're a bit of a pain, and because the initial cost would be in the | ||
+ | neighbourhood of 10k$. | ||
+ | |||
+ | ===What do I do if I run Windows on my laptop?=== | ||
+ | |||
+ | Fear not, you can use Putty; see the instructions in the Peyton FAQ entry for [[SSH#SSH in Windows|SSH]] | ||
+ | |||
+ | ===Will remote access to mail be affected?=== | ||
+ | |||
+ | No; nothing will change either for the better or worse. Well, that's | ||
+ | not quite true. If you like to log in, start pine, and save your mail | ||
+ | to your home directory this won't work on minos (but it will of course | ||
+ | work on other machines). You will however be able to read mail on | ||
+ | minos and save messages to folders on the mail server.([[#Footnotes_6|6]]) | ||
+ | |||
+ | ==Footnotes== | ||
+ | |||
+ | <span id="Footnotes_1">'''1.'''</span> I.e. when they connect we know their IP address; Reverse Name Lookup | ||
means that we can associate that address with a registered machine | means that we can associate that address with a registered machine | ||
− | + | <span id="Footnotes_2">'''2.'''</span> | |
− | + | <pre> | |
+ | ... Minos the dreadful | ||
Snarls at the gate. He examines each one's sin, | Snarls at the gate. He examines each one's sin, | ||
Judging and disposing as he curls his tail: | Judging and disposing as he curls his tail: | ||
Line 73: | Line 141: | ||
[Dante's Inferno, Canto V, translation by R. Pinsky] | [Dante's Inferno, Canto V, translation by R. Pinsky] | ||
+ | </pre> | ||
− | + | <span id="Footnotes_3">'''3.'''</span> Making home directories read only means that minos may be used for: | |
+ | *Logging in to other machines in Peyton using ssh keys; if you have an agent running remotely but don't have your keys you can even login to minos; add your keys; logout again, and then connect to any Peyton machine([[#Footnotes_4|4]]) | ||
+ | *Reading email with pine (mail messages can be saved to mail folders on the mail server, but not to home directories) | ||
+ | *Reading files with e.g. more, less, cat, or emacs. | ||
+ | *Copying files From /u To remote machines. You naturally won't be able to scp To /u, as it's read only. You will be able to copy to scratch disks, e.g. scp my_file minos.astro.princeton.edu:/scr/apache22/rhl or you can copy to /u using ssh tunnels([[#Footnotes_5|5]]) | ||
− | + | <span id="Footnotes_4">'''4.'''</span> E.g. you're sitting in a seedy internet cafe in Coonabarabran (which | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
happens to have some unixy machines) and need to get some work done. | happens to have some unixy machines) and need to get some work done. | ||
+ | <pre> | ||
cafe$ eval `ssh-agent` | cafe$ eval `ssh-agent` | ||
cafe$ ssh-add -l | cafe$ ssh-add -l | ||
Line 109: | Line 167: | ||
cafe$ ssh apache2.astro.princeton.edu | cafe$ ssh apache2.astro.princeton.edu | ||
apache2$ | apache2$ | ||
− | + | </pre> | |
Note that the ssh-add adds your identity to the ssh-agent; it doesn't | Note that the ssh-add adds your identity to the ssh-agent; it doesn't | ||
write to disk. If the evil cafe owner has installed her own ssh binary | write to disk. If the evil cafe owner has installed her own ssh binary | ||
Line 120: | Line 178: | ||
you can connect via minos, but there's no point. | you can connect via minos, but there's no point. | ||
− | + | <span id="Footnotes_5">'''5.'''</span> E.g. to copy to your home directory on eos from Somewhere in Cuba, | |
via minos: | via minos: | ||
+ | <pre> | ||
guant$ ssh -N -f -L 9000:eos.astro.princeton.edu:22 minos.astro.princeton.edu | guant$ ssh -N -f -L 9000:eos.astro.princeton.edu:22 minos.astro.princeton.edu | ||
guant$ scp -P 9000 -o StrictHostKeyChecking=no myFile localhost:RemoteMyFile | guant$ scp -P 9000 -o StrictHostKeyChecking=no myFile localhost:RemoteMyFile | ||
− | + | </pre> | |
The first magic incantation made the port "localhost:9000" an ssh | The first magic incantation made the port "localhost:9000" an ssh | ||
connection to eos; the scp command then used it. The "StrictHost" | connection to eos; the scp command then used it. The "StrictHost" | ||
Line 134: | Line 193: | ||
tells ssh to disregard any change in host identification. | tells ssh to disregard any change in host identification. | ||
− | + | <span id="Footnotes_6">'''6.'''</span> Well, you won't even be able to do this if you have asked pine | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
to write to your home directory in your .pinerc file. For example, | to write to your home directory in your .pinerc file. For example, | ||
− | folder-collections=mail/[] | + | folder-collections=mail/[] |
In case of trouble, move .pinerc out of the way and try again | In case of trouble, move .pinerc out of the way and try again | ||
− | + | ||
+ | [[Category:Policies]] |
Latest revision as of 21:00, 10 May 2007
Contents
Changes to Remote Access to Peyton Hall Computers
For several years we have only allowed logins to Peyton Hall computers from machines that allow "Reverse Name Lookup"(1). As you may have experienced while traveling, this can be an obstacle to connecting from hotel rooms, etc.; not all ISPs use properly registered IPs. The exception to this rule has been machines such as muse and newton which were running Solaris. The last of these computers is about to be retired, so we need to do something to maintain unfettered external access. There are more excuses for why we're proposing changes under "RATIONALE" at the end of this document.
Proposed Plans for Remote Access
Lemma:
There is a machine (minos.astro.princeton.edu)(2) which allows open access, i.e. minos accepts logins (using passwords or ssh keys) from any machine on the net; it has been told not to pay any attention to problems with Reverse Name Lookup.
N.b. Minos mounts the home filesystems READ ONLY.(3)
Proposal:
That we change things so as to:
Allow access to all Peyton machines from anywhere, even without
BUT
Only allow users to login to machines other than minos by using ssh keys (i.e. no passwords). Password logins will still be permitted if you're sitting at the console. This rule will apply even within the building --- this is good; no more need to type your password.
We further propose that, before anything is changed, we run a series of hands-on workshops to get everyone in the building comfortable with using ssh keys to login, or (for those who prefer) comfortable with using minos as an intermediary.
In addition, Steve and Leigh have provided a "ssh-setup" script that you can run to accomplish all the magic required to set up your ssh keys on the astro machines. In addition, the astro FAQ web pages provide step-by-step instructions for installing ssh-keys on laptops or home computers.
Using ssh really is trivial (and very convenient), but setting it up initially is arcane, and something that most of us do only once in our lives; hence the offer of a workshop.
Rationale/FAQ
If it aint broke, why are we fixing it?
Because the last Solaris box is departing this earthly plane.
The speed and ruthlessness of attacks on computers has increased dramatically --- in other words, the cost of being successfully attacked has increased significantly over the last few years; no longer does a hacker simply poke around, nowadays they tend to destroy the system.
Most users connect from their own laptop, in which case they probably have ssh installed, and the proposed relaxation of the Reverse Name Lookup rule will be a considerable improvement in their life while travelling (e.g. when connecting from a hotel in Afghanistan). Of course, this change in their quality of life will only occur when the "no passwords" change is implemented --- so you should start lobbying for it.
Why is Reverse Name Lookup worth worrying about?
The bulk of attacks upon our systems (99% of 30k attacks/month) come from machines without reverse name lookup --- the reason's obvious: If you work for Student Admissions and you're smart enough that you don't want your handiwork traced back to your University, you don't want your machine's IP to be identified as "princeton.edu"; so you use a spoofed IP.
The breakins that we've seen recently (most recently from Arizona about 18months ago) have been caused by programs reading keyboard input to capture passwords; Evil People don't usually read every key typed at the keyboard, but instead install Evil versions of ssh that record your password as you type it. Access via ssh keys is less vunerable to such attacks as the passphrase is typed less often (and to a different programme, ssh-add), and because the Evil One has to capture both the passphrase AND the key. Most people keep their keys on their own laptops, which they physically control. But passwords can be used by themselves to login to accounts from any machine and are vulnerable to capture when one uses them on an unfamiliar machine.
As mentioned above, you'll be able to use your ssh keys stored in your home directory to authenticate to any machine on the planet that runs ssh-agent --- but beware key loggers in Lower Slobbenia.
Why do we want to mount /u Read-Only?
If we don't mount home directories read only on minos, the Evil Hacker can install her own .ssh directory and proceed to compromise the rest of the department.
Why not use smart cards (also known as crypto-cards)?
Because they're a bit of a pain, and because the initial cost would be in the neighbourhood of 10k$.
What do I do if I run Windows on my laptop?
Fear not, you can use Putty; see the instructions in the Peyton FAQ entry for SSH
Will remote access to mail be affected?
No; nothing will change either for the better or worse. Well, that's not quite true. If you like to log in, start pine, and save your mail to your home directory this won't work on minos (but it will of course work on other machines). You will however be able to read mail on minos and save messages to folders on the mail server.(6)
Footnotes
1. I.e. when they connect we know their IP address; Reverse Name Lookup means that we can associate that address with a registered machine
2.
... Minos the dreadful Snarls at the gate. He examines each one's sin, Judging and disposing as he curls his tail: That is, when an ill-begotten soul comes down, It comes before him, and confesses all; Minos, great connoisseur of sin, discerns For every spirit its proper place in Hell... Said Minos, who at the sight of me had paused To interrupt his solemn task mid-deed: "Beware how you come in and whom you trust, Don't be deceived because the gate is wide." [Dante's Inferno, Canto V, translation by R. Pinsky]
3. Making home directories read only means that minos may be used for:
- Logging in to other machines in Peyton using ssh keys; if you have an agent running remotely but don't have your keys you can even login to minos; add your keys; logout again, and then connect to any Peyton machine(4)
- Reading email with pine (mail messages can be saved to mail folders on the mail server, but not to home directories)
- Reading files with e.g. more, less, cat, or emacs.
- Copying files From /u To remote machines. You naturally won't be able to scp To /u, as it's read only. You will be able to copy to scratch disks, e.g. scp my_file minos.astro.princeton.edu:/scr/apache22/rhl or you can copy to /u using ssh tunnels(5)
4. E.g. you're sitting in a seedy internet cafe in Coonabarabran (which happens to have some unixy machines) and need to get some work done.
cafe$ eval `ssh-agent` cafe$ ssh-add -l The agent has no identities. cafe$ ssh minos.astro.princeton.edu rhl@minos.astro.princeton.edu's password: XXXXXXX minos$ ssh-add Enter passphrase for /u/rhl/.ssh/id_dsa: XXX XXX XXXX XXXX XXXX X Identity added: /u/rhl/.ssh/id_dsa (/u/rhl/.ssh/id_dsa) minos$ logout cafe$ ssh minos.astro.princeton.edu minos$ ssh apache2 apache2$ logout minos$ logout cafe$ ssh apache2.astro.princeton.edu apache2$
Note that the ssh-add adds your identity to the ssh-agent; it doesn't write to disk. If the evil cafe owner has installed her own ssh binary and captured your password and your pass-phrase she can now login to our machines --- but that's a risk that we have to take to allow remote access from untrusted sites. We hope that the evil one is a windows user and doesn't understand ssh, but security through obscurity isn't.
Once you've added your keys, you can go directly into any Peyton machine; you can connect via minos, but there's no point.
5. E.g. to copy to your home directory on eos from Somewhere in Cuba, via minos:
guant$ ssh -N -f -L 9000:eos.astro.princeton.edu:22 minos.astro.princeton.edu guant$ scp -P 9000 -o StrictHostKeyChecking=no myFile localhost:RemoteMyFile
The first magic incantation made the port "localhost:9000" an ssh connection to eos; the scp command then used it. The "StrictHost" part is so that SSH will let you do this - the first time it will work fine, but after that SSH may think the host identification changed, especially if you use a different host between the colons ("coma.astro.princeton.edu" instead of "eos..."); the
StrictHostKeyChecking=no
tells ssh to disregard any change in host identification.
6. Well, you won't even be able to do this if you have asked pine to write to your home directory in your .pinerc file. For example,
folder-collections=mail/[]
In case of trouble, move .pinerc out of the way and try again