Public-key authentication is one of the strongest authentication methods SSH provides. Unlike password authentication, it requires each user to hold a key pair, and the server stores only the public half. Many corporate networks rely on user passwords alone, strong or weak, to protect sensitive and proprietary information, which leaves them open to simple attacks. The sidebar on password weaknesses lists several reasons why passwords on their own may not give sensitive systems an acceptable level of security.
Now that you have seen some of the security issues with passwords, you will learn about using public keys for authentication and why key-based authentication can virtually eliminate many of the issues described previously. The sidebar on the strengths of public-key authentication lists what it offers in a typical network environment, both inside the network and from outside.
Key-based authentication in an SSH environment uses a public and a private key. The following is a summary of the steps required to set up a key pair for SSH:
1. An authorized user generates a public and private key pair on his or her own machine (for OpenSSH, with ssh-keygen).
2. The user has the option of protecting the private key with a passphrase, which is recommended in almost all environments: without one, anybody who copies the key file can use it.
3. The user's public key is uploaded to the SSH server over a trusted channel and stored under the user's home directory. For example, the user Kusum's public key would be stored in /home/Kusum/.ssh/ on a Unix server or in Documents and Settings\Kusum\.ssh on a Windows server. Only the public key leaves the user's machine; the private key never does.
4. The files that grant access are populated: authorized_keys on an OpenSSH server, or, for SSH Communications' products, the authorization file on the server and the identification file on the client.
5. Public-key authentication is enabled on the SSH server; it is on by default in many SSH installations (PubkeyAuthentication yes in OpenSSH's sshd_config).
That is it!
SIDEBAR: WHY PASSWORDS ALONE ARE NOT ENOUGH
◆ If a password is compromised, the incident is very hard to detect, because every session looks like that of the authorized user.
◆ A hostile SSH client could carry a key-logger that captures the password as it is typed.
◆ A password by itself does not give you two-factor authentication.
◆ Passwords are susceptible to the Sticky-Note attack (writing the password on a Post-It note and sticking it to the monitor).
◆ Passwords get reused from one application, such as SSH, in another, such as FTP or NTLM authentication. An attacker can sniff the weaker protocols, FTP and NTLM, for passwords; if the user has the same password for all three accounts, which is common, the attacker now holds a valid SSH password.
For key-based authentication to work, each valid user must hold a public and private key pair. Creating the pair is the responsibility of the SSH client, not the SSH server. Both keys are stored on the local machine, the user's machine, and a copy of the public key alone is stored on the SSH server. To authenticate, the user needs both halves. The user first unlocks the local private key by entering its passphrase, which decrypts the private-key file. The client then sends the public key to the server, which checks whether it matches a public key it holds for that particular user. If it does, the server challenges the client to prove possession of the matching private key: the client signs data that includes the session identifier, and the server verifies the signature with the stored public key. Only then is the user authenticated; the private key itself is never transmitted. The data flow for public-key authentication is illustrated in Figure 4.7.
As noted in Step 1, creating a public and private key pair is the responsibility of the SSH client, not the SSH server. Since several different SSH clients exist, I will address the process of creating a public and private key with each of the following SSH clients:
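The server-side part of steps 3 and 4 and the "does this public key match" check described above, as an added example written for this page (it is not code from the book or from any SSH implementation): it parses an OpenSSH authorized_keys file with the standard library, reports lines whose key-type token disagrees with the blob or whose blob is truncated (lines sshd would silently ignore, the usual cause of an unexplained "Permission denied (publickey)" after a paste), computes each key's SHA256 fingerprint in the notation ssh-keygen -lf prints, and matches a presented key on its key material alone, ignoring comment and options. The key bytes, user names and file contents are constructed for the example; the 32-byte "keys" are patterns, not real Ed25519 points.

```python
"""Audit an OpenSSH authorized_keys file and match a presented public key
against it. Standard library only; the sample data below is constructed."""
import base64
import hashlib
import re
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The key-type token introduces the key material; text before it is the
# optional options field, text after the base64 column is the comment.
KEY_RE = re.compile(
    r"(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))"
    r"\s+(?P<blob>[A-Za-z0-9+/]+=*)(?:\s+(?P<comment>.*))?$")


@dataclass(frozen=True)
class PublicKey:
    key_type: str
    blob: bytes      # SSH wire-format key: what the base64 column encodes
    options: str     # e.g. from="10.0.0.0/8",no-pty ; empty if none
    comment: str

    @property
    def fingerprint(self) -> str:
        """SHA256 fingerprint in the notation ssh-keygen -lf prints."""
        digest = hashlib.sha256(self.blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def read_string(buf: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one SSH 'string' (uint32 big-endian length, then that many bytes)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("string runs past end of blob")
    return buf[offset + 4:end], end


def parse_line(line: str) -> Optional[PublicKey]:
    """One authorized_keys line -> PublicKey, or None for blank and '#' lines.
    ValueError for bad base64, a blob that is not a run of SSH strings, or a
    type token that disagrees with the type stored inside the blob."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = KEY_RE.search(stripped)
    if m is None:
        raise ValueError("no recognised key-type token")
    blob = base64.b64decode(m.group("blob"), validate=True)  # binascii.Error is a ValueError
    embedded, offset = read_string(blob, 0)
    if embedded != m.group("type").encode("ascii"):
        raise ValueError("token %s but blob encodes %r" % (m.group("type"), embedded))
    while offset < len(blob):          # every remaining field is also an SSH string
        _, offset = read_string(blob, offset)
    return PublicKey(m.group("type"), blob, stripped[:m.start()].strip(),
                     (m.group("comment") or "").strip())


def audit_authorized_keys(text: str) -> Tuple[List[PublicKey], List[Tuple[int, str]]]:
    """Usable keys, plus (line number, reason) for lines sshd would silently skip."""
    keys, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            key = parse_line(line)
        except ValueError as exc:
            problems.append((lineno, str(exc)))
            continue
        if key is not None:
            keys.append(key)
    return keys, problems


def find_authorized(presented: PublicKey, keys: List[PublicKey]) -> Optional[PublicKey]:
    """The server-side match: type and key material only; comment and options
    may legitimately differ between the client's copy and the server's."""
    for key in keys:
        if key.key_type == presented.key_type and key.blob == presented.blob:
            return key
    return None


# ---- constructed sample data: the 32 "key" bytes are patterns, not real keys ----
def wire_string(s: bytes) -> bytes:
    return struct.pack(">I", len(s)) + s


def ed25519_line(key_bytes: bytes, comment: str, options: str = "") -> str:
    blob = wire_string(b"ssh-ed25519") + wire_string(key_bytes)
    return " ".join(filter(None, [options, "ssh-ed25519",
                                  base64.b64encode(blob).decode(), comment]))


ALICE_KEY = bytes(range(1, 33))
ALICE = ed25519_line(ALICE_KEY, "alice@laptop", 'from="10.0.0.0/8",no-pty')
BOB = ed25519_line(bytes(range(101, 133)), "bob@desktop")
TRUNCATED = "ssh-ed25519 " + base64.b64encode(        # blob lost its last 5 bytes
    (wire_string(b"ssh-ed25519") + wire_string(ALICE_KEY))[:-5]).decode()
MISMATCHED = "ssh-rsa " + BOB.split()[1]                # token says RSA, blob says ed25519
AUTHORIZED_KEYS = "\n".join(["# constructed sample file", ALICE, BOB, TRUNCATED])

if __name__ == "__main__":
    keys, problems = audit_authorized_keys(AUTHORIZED_KEYS)
    print([(k.fingerprint, k.comment, k.options) for k in keys], problems)
    presented = parse_line(ed25519_line(ALICE_KEY, "alice@phone"))  # same key, new comment
    print("authorized:", find_authorized(presented, keys) is not None)
```

Note that the match compares the decoded blob, not the text of the line: a key copied from the client with a different comment, or installed on the server with `from=` and `no-pty` restrictions, is still the same key. The type-token check matters because a line that says ssh-rsa in front of an Ed25519 blob is exactly the kind of entry that a server rejects without any useful log message.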
■■ OpenSSH (Unix and Windows)
■■ SSH Communications (Unix and Windows command line)
■■ SSH Communications (Windows GUI)
■■ VanDyke SecureCRT
SIDEBAR: STRENGTHS OF PUBLIC-KEY AUTHENTICATION
◆ Sole reliance on user passwords is virtually eliminated.
◆ Brute-force and other password-guessing attacks do not work against public keys. The only secret left to guess is the passphrase, and an attacker needs a copy of the private-key file before that guessing can even begin.
◆ Sniffing, key-loggers, and the Sticky-Note attack are no longer significant threats: the passphrase never crosses the wire, and on its own it unlocks only a file the attacker does not have.
◆ For an unauthorized user to authenticate to an SSH server, he or she would have to compromise an authorized user's machine, obtain a copy of the public and private keys, and guess the passphrase of the private key. That is more effort than many attackers will spend before moving to an easier target or an easier network.
Figure 4.7 Key-based authentication in SSH.
Furthermore, I will demonstrate how to convert specific SSH client keys to fit a particular SSH server. For example, SSH Communications' SSH servers cannot read OpenSSH keys by default. While it would be very nice if all public and private keys could be used with any SSH server, the reality is that you need to convert your public and private keys in order to use them across multiple environments. The SSH servers you will make your client keys interoperable with are the following:
■■ SSH Communications
■■ OpenSSH
■■ VShell
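As an added illustration of the conversion just described (example code written for this page, not code from the book or from ssh-keygen), the following converts an OpenSSH one-line public key into the RFC 4716 "SSH2 PUBLIC KEY" file format that SSH Communications' tools read and write, and back again, which is what ssh-keygen -e and ssh-keygen -i do. Both formats carry the same wire-format blob; the SSH2 file just wraps it in BEGIN/END markers and optional headers and folds the base64 at 70 columns, and because it has no separate key-type token, the importer has to read the type out of the blob itself. The RSA blob is constructed (a byte pattern, not a real key) and the user name Kusum follows the book's example.

```python
"""Convert a public key between OpenSSH's one-line format and the RFC 4716
(SECSH) file format used by SSH Communications' ssh2 tools. Standard library only."""
import base64
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"
MAX_LINE = 72      # RFC 4716: no line longer than 72 bytes
BODY_WIDTH = 70    # base64 body is folded at 70 columns, as ssh-keygen -e does


def key_type_from_blob(blob: bytes) -> str:
    """The wire-format blob starts with an SSH string naming the algorithm."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def openssh_to_secsh(line: str) -> str:
    """'<type> <base64> [comment]' -> RFC 4716 text (what ssh-keygen -e emits)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    if key_type_from_blob(blob) != key_type:
        raise ValueError("type token %s does not match the blob" % key_type)
    out = [BEGIN]
    if comment:
        header = 'Comment: "%s"' % comment
        while len(header) > MAX_LINE:      # long headers continue with a trailing backslash
            out.append(header[:MAX_LINE - 1] + "\\")
            header = header[MAX_LINE - 1:]
        out.append(header)
    body = base64.b64encode(blob).decode()  # re-encode so the padding is canonical
    out.extend(body[i:i + BODY_WIDTH] for i in range(0, len(body), BODY_WIDTH))
    out.append(END)
    return "\n".join(out) + "\n"


def secsh_to_openssh(text: str) -> str:
    """RFC 4716 text -> OpenSSH one-line key (what ssh-keygen -i emits)."""
    lines = text.strip().splitlines()
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing SSH2 PUBLIC KEY markers")
    comment, i = "", 1
    while i < len(lines) - 1 and ":" in lines[i]:   # headers; base64 never contains ':'
        header = lines[i]
        while header.endswith("\\") and i + 1 < len(lines) - 1:  # join continuations
            i += 1
            header = header[:-1] + lines[i]
        name, _, value = header.partition(":")
        if name.strip().lower() == "comment":
            comment = value.strip().strip('"')
        i += 1
    blob = base64.b64decode("".join(lines[i:-1]), validate=True)
    return " ".join(filter(None, [key_type_from_blob(blob),
                                  base64.b64encode(blob).decode(), comment]))


# ---- constructed sample: the modulus bytes are a pattern, not a real RSA key ----
def wire_string(s: bytes) -> bytes:
    return struct.pack(">I", len(s)) + s


SAMPLE_RSA_BLOB = (wire_string(b"ssh-rsa")
                   + wire_string(b"\x01\x00\x01")                 # e = 65537
                   + wire_string(b"\x7f" + bytes(range(255))))    # 256-byte "modulus"
SAMPLE_OPENSSH = "ssh-rsa %s kusum@workstation" % base64.b64encode(SAMPLE_RSA_BLOB).decode()
MISMATCHED = SAMPLE_OPENSSH.replace("ssh-rsa", "ssh-dss", 1)  # token lies about the blob

if __name__ == "__main__":
    secsh = openssh_to_secsh(SAMPLE_OPENSSH)
    print(secsh)
    print("round trip ok:", secsh_to_openssh(secsh) == SAMPLE_OPENSSH)
```

Only the public key is handled here; converting a private key between clients is a different operation and should be done with the client's own tool so the passphrase protection is preserved. The header continuation rule (a line ending in a backslash joins with the next) is the part most hand-written converters get wrong and the reason an SSH2 file with a long Comment: can fail to import.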
NOTE In the following sections, the use of ssh, ssh-keygen, ssh.exe, and ssh-keygen.exe refers to OpenSSH SSH clients. Furthermore, the use of ssh2, ssh-keygen2, ssh2.exe, and ssh-keygen2.exe refers to SSH Communications' SSH clients. Lastly, the use of vsh.exe and vcp.exe refers to VanDyke Software SSH clients.