How-To: Create Secure Communications Network Using SSH Forwarding (A Beginner’s Guide, From Scratch)
About this document:
This document is a comprehensive walkthrough for the moderately experienced computer user who wants to create a secure networking solution without setting up a VPN (virtual private network).
Audience:
This document is written with the convenience of the Windows user in mind, although, ironically, the solution involves Linux. The user should be familiar with basic networking concepts, with configuring their own router, and with configuring a firewall; they do not need extensive Linux experience to execute the tutorial. The author is a Windows user and realizes that most people who read this tutorial will probably not have an extensive Linux background (including the author!). To this end, this tutorial is designed to be a cut-and-paste tutorial: the terminal emulator we are going to be using (more on this later), PuTTY, allows pasting commands with a right click of the mouse, which, as you will find, makes this go much faster.
What you’ll need:
* An old computer with at least 64MB of RAM
* A 300MHz x86 processor
* Debian GNU/Linux 4.0R2 or Ubuntu Server 7.10 (i.e. the latest version of Ubuntu or Debian GNU/Linux at the time of writing)
* and some coffee (optional)
* The PuTTY suite for Windows. Read up on PuTTY, with a short graphical tutorial.
* Oh yeah, and the computer should have a functioning NIC (Network Interface Card, ya know, an Ethernet jack)
* My edit of the sshd_config file
* Maybe a banner to place in /etc/issue.net
Installing the new Operating System:
The following is written based upon an installation of Debian 4.0R2 on a 200MHz Intel Pentium I x86 with 96MB RAM, so if I can do this, so can you. Any Debian-based system should work, as the binaries (more on this later) that we are going to compile are designed to work on any Debian-based system. Personally, I have tested this setup a few times using Debian 4.0R2 as well as Ubuntu 7.10.
1) Obtain a copy of Debian 4.0R2 (I opt for the net-install edition, the business card image)
2) Select your region, keyboard, etc.
3) Select a host name (and a domain name if you need to)
4) Choose your mirror country and download location (I use ftp.us.debian.org)
5) Enter proxy information if needed
6) Partitioner: choose guided, use entire disk
7) Select your drive
8) Best to select a separate /home partition (it will make the allocations for you)
9) Finish and write to disk
10) Select your time zone
11) Specify the root and user accounts
12) Install the latest kernel; mine was linux-image-2.6.18-5-486
13) I would opt out of the package survey if asked
14) Extra packages: install only the standard system; you don't need the desktop environment or any other packages for this purpose, and if you want them you can always install them later...
15) Say yes to installing GRUB to the master boot record of the first HDD
16) Continue to reboot into the new system
These are, of course, general instructions. Follow what's on the screen and use your head. If you know you want a fully functioning Linux system, feel free to install more or fewer packages. However, this tutorial is written from the perspective that you are probably just going to use this thing as an encrypted gateway. I usually take the minimalist approach (notice my beautiful HTML skills...)
Configuring Your New System:
To the neophyte it seems like there's a lot of magical hoopla going on here, and indeed it takes time to get used to Linux. Writing from the perspective that you are going to use this as a dumb machine, you don't need to know every gritty detail of the following code. Follow the instructions as given; if something goes wrong, it's not my fault, all I can say is that it worked for me.
Provided you installed Debian:
Login as root
Note: If you installed Ubuntu, you will not have a root account by default. This is not to say that it doesn't exist; it's just that no password is set for it, so other people can't try to guess it and compromise your machine. In all honesty, it's annoying. It's up to you, though, to secure your own machine. The tutorial provided and the defaults of the operating system are sufficient for pretty good security.
To login as root, first login as the account set in the installation. Then type:
sudo su
into the terminal. You will be prompted to enter your password again. All instructions listed below should be executed as root; in fact, you should set a root password anyway to make your life easier. While logged in as root type:
passwd
to open the prompt for a new Unix password. (Didn't know you really installed Unix, did you ;) )
Also, installing from CD has a potential complication: every time you want to install something, it'll prompt you to stick in the CD to look for packages. This is 2008 (at the time of writing); do yourself a favor, get a decent internet connection, and disable installing from CD:
nano /etc/apt/sources.list
Comment out any lines that point to package repositories (look it up if you're unsure what I'm talking about) on the CD-ROM. Commenting means placing a "#" at the start of the line.
Lastly: If you have any other drives that you want to mount, say for /home/, do that now. I realized that halfway through and ended up having to re-install (not fun):
nano /etc/fstab
to mount any secondary HDDs (hard disk drives).
How to read this: It may seem a little didactic, telling you how to read, but unless you know Linux well, follow these instructions. The code presented could be executed linearly in one terminal; however, since some steps take longer than others, we will multi-task. Paste blocks of code one at a time. A line break in the code means I want you to wait until the computer digests it and then proceed. The order of steps is important, especially in the beginning, so follow the steps in numerical order. Some steps have no fixed order, and there you can execute potentially time-consuming commands in parallel (like compiling an entirely new set of cryptographic libraries). These steps carry a letter, e.g. 2a, 2b, 2c, ... 2n, indicating that you should open n terminals and execute the commands in parallel (again, one block at a time, folks). Wait until all subsets (2a through 2n) are done before moving on to the next number. A step labelled "3 on b" means you are executing that command in terminal b (this shouldn't be too difficult to keep track of). "CMT:" means comment. And one last thing: the computer doesn't know what the hell my numbering system or comments mean, so don't copy them.
If you haven't already noticed, the code is printed in Courier. Green text indicates something meaningful that you should change (e.g. an account name); red text indicates that what follows is optional, but still recommended.
Code:
1
aptitude install build-essential libpam0g-dev debianutils coreutils openssh-server
CMT: Necessary packages for the programs below to compile
2a
apt-get update
apt-get upgrade
CMT: Update your system
2b
cd /tmp
wget http://ftp.us.debian.org/debian/pool/main/z/zlib/zlib_1.2.3.3.dfsg.orig.tar.gz
tar xvfz zlib_1.2.3.3.dfsg.orig.tar.gz
cd zlib-1.2.3.3.dfsg
make clean
./configure -s
make
CMT: Make the zlib compression binaries
3 on b
make install
CMT: Install the zlib compression binaries
2c
cd /tmp
wget http://ftp.us.debian.org/debian/pool/main/o/openssl/openssl_0.9.8g.orig.tar.gz
tar xvfz openssl_0.9.8g.orig.tar.gz
cd openssl-0.9.8g
./config
make
make tests
CMT: Make the openssl cryptographic binaries
4 on c
make install
CMT: Install the openssl cryptographic binaries
2d
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.4.tar.gz
tar xvfz jailkit-2.4.tar.gz
cd ./jailkit-2.4
./configure
make
CMT: Make the jailkit (chroot jail binaries)
5 on d
make install
CMT: Install the jailkit (chroot jail binaries)
6 on d
mkdir /home/chroot
chown root:root /home/chroot
jk_init -v /home/chroot jk_lsh
addgroup chrootusers
adduser --ingroup chrootusers chroot_user
CMT: Make a chroot jail inside the home folder, make sure it's owned by root, and create a new group chrootusers, make an account for chroot_user (enter his password), your first client
7 on d
jk_jailuser -m -j /home/chroot chroot_user
mkdir -p /home/chroot/home/chroot_user
CMT: jail chroot_user into the chroot jail, make sure his home directory is present
--Wait until all terminals are free. Close c and d--
8 on a
cd /tmp/
wget http://ftp.us.debian.org/debian/pool/main/o/openssh/openssh_4.6p1.orig.tar.gz
tar xvfz openssh_4.6p1.orig.tar.gz
cd ./openssh-4.6p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam
make
CMT: Make the openssh-server (a new version of it 4.6p1 was fairly stable at the time of writing)
15 on a
make install
CMT: Install the openssh-server
16 on a
sshd -v
/etc/init.d/ssh restart
CMT: Check the version of the openssh-server and restart the service. (sshd has no -v switch; it answers with a usage message whose first line is the version string, which should now read OpenSSH_4.6p1.)
9 on b
mkdir /home/reg_user/.ssh
nano /home/reg_user/.ssh/authorized_keys
CMT: Obtain a public key file. Generate a key pair using puttygen.exe and paste (right click in PuTTY) the text in the top dialog into the authorized keys file. Save the private key, you'll need it.
10 on b
mkdir /home/chroot/home/chroot_user/.ssh
nano /home/chroot/home/chroot_user/.ssh/authorized_keys
CMT: Obtain the public key file from the client. For simplicity's sake, let's let you be the first client to test it out. Generate a key pair using puttygen.exe and paste (right click in PuTTY) the text in the top dialog into the authorized keys file. Save the private key, you'll need it.
11 on b
addgroup powerusers
adduser reg_user powerusers
nano /etc/group
CMT: Ok, this is hard to explain and not entirely necessary. When you create a user for the first time at the install prompt, you are not given the option to select which group this user belongs to. I want you to make reg_user belong to the group powerusers. Each line of the "group" file is name:x:GID:members; see what ID number corresponds to the current group "reg_user" as well as to the new group "powerusers".
12 on b
nano /etc/passwd
CMT: Now in the entry for reg_user, I want you to change the group ID number (the fourth colon-separated field, i.e. the second of the two 4-digit numbers; the first one is the user ID) from the previous number associated with "reg_user" to the new number associated with "powerusers"
13 on b
delgroup reg_user
chgrp -R powerusers /home/reg_user
CMT: Get rid of the now-unused group "reg_user" and change the group ownership of reg_user's files to "powerusers"
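Steps 11 through 13 boil down to one field change in /etc/passwd, and a description like "the second 4 digit number" is easy to get wrong in nano. The script below is an added example, not part of the tutorial: it performs the same change with awk on copies of the two files so the result can be inspected before the real files are touched. The group and passwd contents it works on are constructed samples, and the usermod command it mentions is the stock Debian tool for the same job.

```shell
#!/bin/sh
# Added example, not part of the tutorial: do the /etc/group and /etc/passwd
# edit of steps 11-13 mechanically, on copies of the files, so you can see
# exactly which field changes before you touch the real ones with nano.
# /etc/group lines are  name:x:GID:member,member
# /etc/passwd lines are name:x:UID:GID:gecos:home:shell  (primary GID = field 4)
# Assumes awk and a POSIX shell. (On a real Debian box `usermod -g powerusers
# reg_user` makes this same change in one command.)

# Print the numeric GID of group $2 from group file $1; prints nothing if absent.
gid_of() {
    awk -F: -v g="$2" '$1 == g { print $3; exit }' "$1"
}

# Print the primary GID of user $2 from passwd file $1; prints nothing if absent.
primary_gid_of() {
    awk -F: -v u="$2" '$1 == u { print $4; exit }' "$1"
}

# Write a copy of passwd file $1 as $1.new in which user $3's primary GID is
# replaced by the GID of group $4 (looked up in group file $2). Prints the new
# GID on success; returns 1 and writes nothing if the group or user is missing.
set_primary_gid() {
    passwd_file="$1"; group_file="$2"; user="$3"; group="$4"
    gid=$(gid_of "$group_file" "$group")
    if [ -z "$gid" ]; then
        echo "group '$group' not found in $group_file" >&2; return 1
    fi
    if [ -z "$(primary_gid_of "$passwd_file" "$user")" ]; then
        echo "user '$user' not found in $passwd_file" >&2; return 1
    fi
    # Only field 4 of the matching line changes; every other line is copied as-is.
    awk -F: -v OFS=: -v u="$user" -v g="$gid" '$1 == u { $4 = g } { print }' \
        "$passwd_file" > "$passwd_file.new"
    echo "$gid"
}

# Demonstration on constructed sample files (these are not real system files).
demo=$(mktemp -d)
cat > "$demo/group" <<'EOF'
root:x:0:
reg_user:x:1000:
chrootusers:x:1001:
powerusers:x:1002:reg_user
EOF
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
reg_user:x:1000:1000:Regular User,,,:/home/reg_user:/bin/bash
chroot_user:x:1001:1001:,,,:/home/chroot/home/chroot_user:/bin/sh
EOF
echo "reg_user's primary GID before: $(primary_gid_of "$demo/passwd" reg_user)"
set_primary_gid "$demo/passwd" "$demo/group" reg_user powerusers >/dev/null
echo "reg_user's primary GID after:  $(primary_gid_of "$demo/passwd.new" reg_user)"
grep '^reg_user:' "$demo/passwd.new"    # the whole rewritten line
rm -rf "$demo"
```

Run it as any user; it never writes outside the temporary directory. On the real box, compare passwd.new against /etc/passwd with diff before copying it over, and keep the lesson: only the GID field of one line should differ.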
14 on b
chown -R reg_user:powerusers /home/reg_user
chmod -R 600 /home/reg_user/.ssh
chmod 700 /home/reg_user/.ssh
chown -R chroot_user:chrootusers /home/chroot/home/chroot_user
chmod -R 600 /home/chroot/home/chroot_user/.ssh
chmod 700 /home/chroot/home/chroot_user/.ssh
CMT: Apply the appropriate permissions to the directories containing the key files so that the SSH daemon will not yell at you.
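The "yelling" in step 14 is sshd's StrictModes check, which is on by default: before trusting an authorized_keys file, sshd refuses it if the file or its directory is owned by someone other than the user (or root) or is writable by group or others. The script below is an added example, not from the tutorial, that audits a .ssh directory the same way. It assumes GNU stat as shipped on Debian and Ubuntu, and the directory it demonstrates on is a throwaway one it creates itself.

```shell
#!/bin/sh
# Added example, not part of the tutorial: audit the ownership and modes that
# step 14 sets, the way sshd's StrictModes check (on by default) does before it
# will trust an authorized_keys file. The .ssh directory and the file must be
# owned by the user (or root) and must not be writable by group or others.
# Assumes GNU stat (Debian/Ubuntu coreutils) and a POSIX shell.

# True if an octal mode string (as printed by stat -c %a) has no write bit
# for group or others. Digits 2, 3, 6 and 7 carry the write bit.
no_group_other_write() {
    case "$1" in
        ?[0145][0145]|??[0145][0145]) return 0 ;;   # 3- or 4-digit mode
        *) return 1 ;;
    esac
}

# Audit one .ssh directory for one expected owner. Prints each problem found
# and returns 0 if sshd would accept the setup, 1 otherwise.
check_ssh_dir() {
    dir="$1"; owner="$2"; status=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi
    for path in "$dir" "$dir/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "missing: $path"; status=1; continue
        fi
        mode=$(stat -c '%a' "$path")
        who=$(stat -c '%U' "$path")
        if [ "$who" != "$owner" ] && [ "$who" != root ]; then
            echo "$path is owned by $who, expected $owner"; status=1
        fi
        if ! no_group_other_write "$mode"; then
            echo "$path has mode $mode: writable by group or others"; status=1
        fi
    done
    return $status
}

# Demonstration on a throwaway directory (constructed; no real home is touched).
demo=$(mktemp -d)
mkdir -m 700 "$demo/.ssh"
: > "$demo/.ssh/authorized_keys"
chmod 600 "$demo/.ssh/authorized_keys"
check_ssh_dir "$demo/.ssh" "$(id -un)" && echo "ok: $demo/.ssh would be accepted"
chmod 660 "$demo/.ssh/authorized_keys"          # the classic mistake
check_ssh_dir "$demo/.ssh" "$(id -un)" || echo "rejected, as sshd would reject it"
rm -rf "$demo"
```

To check the two accounts from the tutorial, call check_ssh_dir /home/reg_user/.ssh reg_user and check_ssh_dir /home/chroot/home/chroot_user/.ssh chroot_user as root. A group- or world-readable key file passes (sshd only objects to write access), which is why the check is by bit and not by an exact mode.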
--at this point you should check up on a. It should be done. Go ahead and close b. From now on, you only need one terminal--
17
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
CMT: Make a backup of the original sshd_config file
--Now you are going to upload my version of the sshd_config file. It follows this tutorial; feel free to change it as you like (especially the PermitOpen section). The file may be edited using any standard text editor in Windows or on Linux. For now we're just going to upload the sshd_config file using PuTTY's secure FTP program--
18
Open psftp.exe
type:
open host
cd /etc/ssh/
ls
put sshd_config
bye
Replace host with the IP address or hostname of the Linux computer. Make sure that the new sshd_config that you downloaded is placed in the same folder as psftp.exe before you execute the "put" command. Remember, if something goes wrong, you can always edit the sshd_config file. It's located in /etc/ssh/
19
/etc/init.d/ssh restart
CMT: Restart the daemon. You're now ready to rock. Open up a couple of new PuTTY windows and connect to the server as reg_user, attaching the private key you made to the session. Allow yourself a terminal window and test out some port forwarding; if you need to make changes to the config file, make them, restart the daemon, and disconnect and reconnect the PuTTY session. If the daemon fails, or you lock yourself out, you'll need keyboard access to the Linux computer. Test out your first client account as well. Test PuTTY with the defaults (i.e. requesting a shell); it should fail. Try again without requesting a shell. It should work, but just sit there. Be sure to try out some port forwarding on the client account.
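Before the restart in step 19 it is worth checking that the config you uploaded actually says what you think it says: a commented-out directive is silently ignored and sshd falls back to its built-in default, and a directive placed under a Match line applies only to that match. The script below is an added example, not the author's sshd_config (which is not reproduced on this page); it reads the global section of a config file and checks the settings a forwarding-only gateway depends on, including the PermitOpen list from step 18's notes. The directive names are OpenSSH's own; the wanted values, the two sample configs and the 192.168.1.x addresses are this example's assumptions.

```shell
#!/bin/sh
# Added example, not the author's sshd_config (that file is not reproduced on
# the page): audit the global section of an sshd_config for the settings this
# forwarding-only gateway depends on before you restart the daemon. The directive
# names are real OpenSSH ones; the wanted values and the sample addresses are
# this example's assumptions. Assumes awk and a POSIX shell.

# Print the value of directive $2 from the global section of config $1
# (everything before the first Match block). Keywords are case-insensitive,
# '#' lines are comments, and a commented-out line is NOT a setting. Prints
# nothing if the directive is unset, in which case sshd uses its built-in default.
sshd_get() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { v = $2; for (i = 3; i <= NF; i++) v = v " " $i; print v; exit }
    ' "$1"
}

# Record a problem if directive $1 in $cfg is not $2 (its built-in default $3
# counts when the directive is unset); $4 explains why the gateway needs it.
want() {
    got=$(sshd_get "$cfg" "$1")
    got=$(printf '%s' "${got:-$3}" | tr 'A-Z' 'a-z')
    if [ "$got" != "$2" ]; then
        echo "$1 is '$got', want '$2': $4"
        problems=$((problems + 1))
    fi
}

# Audit config file $1; print each problem and return how many were found.
audit_sshd_config() {
    cfg="$1"; problems=0
    want PasswordAuthentication no  yes "clients must present a key, never a password"
    want PermitRootLogin        no  yes "root logs in at the console, not over the network"
    want PubkeyAuthentication   yes yes "the authorized_keys files are the whole login scheme"
    want AllowTcpForwarding     yes yes "port forwarding is the point of the gateway"
    # PermitOpen lists the host:port destinations a client may forward to.
    # Unset, it defaults to 'any', which lets every client reach anything the
    # gateway itself can reach and defeats the per-host restriction.
    po=$(sshd_get "$cfg" PermitOpen)
    case "$po" in
        ""|any|Any|ANY) echo "PermitOpen is '${po:-unset}': forwarding is unrestricted"
                        problems=$((problems + 1)) ;;
    esac
    return $problems
}

# Demonstration on two constructed configs (neither is a real file from the page).
demo=$(mktemp -d)
cat > "$demo/stock" <<'EOF'
# constructed: roughly what a distribution default of the era looks like
Port 22
Protocol 2
PermitRootLogin yes
PubkeyAuthentication yes
#PasswordAuthentication yes
UsePAM yes
EOF
cat > "$demo/gateway" <<'EOF'
# constructed: the shape of a forwarding-only gateway config (assumed addresses)
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowTcpForwarding yes
PermitOpen 192.168.1.10:80 192.168.1.20:3389
UsePAM yes
Match Group chrootusers
    PermitOpen 192.168.1.10:80
EOF
for f in stock gateway; do
    echo "== $f"
    audit_sshd_config "$demo/$f" || echo "   $? problem(s) found"
done
rm -rf "$demo"
```

Point it at /etc/ssh/sshd_config on the gateway: a clean run exits 0, otherwise the exit status is the number of problems. Settings inside Match blocks are deliberately not read here; they narrow the global rules for one group and are the place to give chrootusers a tighter PermitOpen list than reg_user gets.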
Taking it from here, how to effectively use PuTTY:
Now you have a secure SSH server, in fact so secure that it basically denies users shell access at login and will fail on PuTTY's default settings. You'll need to teach your users how to use PuTTY and how to generate their own keys. Since they don't have shell access they won't be able to update their keys if, say, a key were to be compromised, so you will likely have to gain some rudimentary familiarity with the shell. Effectively, you will have to specify in the sshd_config file which IPs (and ports) on your internal network you want your users to be able to connect to. To ensure security, machines on the private network should be behind the router firewall, and the only port open to the outside should be port 22 (i.e. the port they will connect to using PuTTY). Through this port they will be forwarded by the Linux computer to other computers on the network. For that to happen, you should configure Windows Firewall or other firewall software on those machines to accept connections from the Linux computer, or add the program as an exception to the firewall. Finally, on the client side, your user selects a local forwarding port corresponding to a destination on your internal network. This could be anything: a web server, an FTP site, a chat server, you name it. However, in order to connect to you, the client must first authenticate to the Linux computer (which is acting as a gateway) and have the port forwarded. On the client side PuTTY binds the local port that the client has specified to the loopback address (127.0.0.1 or localhost), so when the client opens an application, say a web browser, and types in localhost:### where ### is their specified port, provided they are forwarded correctly, they will get a web page available on your local network over an encrypted connection. If you don't understand the usefulness of this by now, it's hopeless for you and you should just give up. While we're on the topic:
Taking it from here, why the hell did I do this?:
Are you really asking this question? You followed what I told you, I can't tell you why you did that. My guess is that security is important to you, or you just like screwing around with computers. Maybe you envision a mountain of 1337 HaX0r d00dZ listening in between you and your clients. The point is, just saying you're secure because no one is looking is a poor excuse.
FAQ:
It doesn't work!
It worked for me. Check the date on the file: if it's like 2010 and you're still following this, chances are most Linux distros have a modernesque version of the SSH daemon in their repositories, in which case you won't have to compile it.
Ur HTML suckz! Make it lok nice, lol.
Go to hell. I have better things to do than make this look pretty or search for HTML templates. This tutorial assumes you have some functioning gray matter and can read.