created on: 2007.04.06

---------------------------------------------------------------------
Hardening SSH and Mounting Remote Filesystem in OS X Finder via SSHFS
https://tinyapps.org/docs/ssh_osx_and_sshfs.txt
---------------------------------------------------------------------

Standard disclaimer applies, as always: You are 100% responsible for
your own actions. Using this guide, visiting a link, downloading a
program, in short, *living*, is done entirely at your own risk (and joy).

CONTENTS:

0. Example network diagram
1. Hardening SSH on Remote
2. Setting up public-key (passwordless) authentication
3. Setting up SSHFS on Local
4. Resources
5. Notes

-------------------------------------
0. Example network used in this guide
-------------------------------------

"Local"
MacBook Pro running OS X 10.4 & SSHFS
IP address: dynamically assigned
     |
router/firewall
     |
modem
     |
Internet
     |
modem
     |
router/firewall
port 57577 forwarded to 192.168.1.2
     |
"Remote"
PowerMac G5 running OS X 10.4 & SSH service
IP address: 192.168.1.2

--------------------------
1. Hardening SSH on Remote
--------------------------

[1.1] Back up /etc/sshd_config:

  Remote$ cd /etc
  Remote$ sudo cp sshd_config sshd_config.default

[1.2] Edit /etc/sshd_config:

  Remote$ sudo pico /etc/sshd_config

+---------------------------+--------------------------+-----------------------+
| Text as it appears in     | Change to:               | Why?                  |
| original /etc/sshd_config:|                          |                       |
+---------------------------+--------------------------+-----------------------+
| #Port 22                  | Port 57577               | This moves the SSH    |
|                           | (Example only. Use any   | port to a non-        |
|                           | available port between   | standard location that|
|                           | 32768 and 65535)         | is less likely to be  |
|                           |                          | scanned by evil       |
|                           |                          | scripts. {1}          |
+---------------------------+--------------------------+-----------------------+
| #Protocol 2,1             | Protocol 2               | Disable the less      |
|                           |                          | secure SSH v1 and     |
|                           |                          | force v2              |
+---------------------------+--------------------------+-----------------------+
| none                      | AllowUsers your_username | Restrict remote login |
|                           |                          | to specified          |
|                           |                          | account(s). Separate  |
|                           |                          | multiple users w/space|
+---------------------------+--------------------------+-----------------------+
| #PermitRootLogin yes      | PermitRootLogin no       | Disable remote root   |
|                           |                          | login                 |
+---------------------------+--------------------------+-----------------------+
| #LoginGraceTime 2m        | LoginGraceTime 30        | Two minutes is too    |
|                           |                          | long. "30" = 30 sec.  |
+---------------------------+--------------------------+-----------------------+
| #MaxAuthTries 6           | MaxAuthTries 2           | Reduce the max login  |
|                           |                          | attempts to 2 before  |
|                           |                          | SSH disconnects       |
|                           |                          | remote user           |
+---------------------------+--------------------------+-----------------------+

[1.3] Save your changes to /etc/sshd_config: Ctrl + O to save the file
and Ctrl + X to exit pico.

[1.4] Open /etc/services and change this:

  ssh 22/udp # SSH Remote Login Protocol
  ssh 22/tcp # SSH Remote Login Protocol

to this (again, "57577" is just an example):

  ssh 57577/udp # SSH Remote Login Protocol
  ssh 57577/tcp # SSH Remote Login Protocol

[1.5] System Preferences > Sharing > Turn "Remote Login" off and then
back on.

[1.6] Test

Typing:

  Local$ ssh user@remote

returns:

  ssh: connect to host remote port 22: Connection refused

while typing:

  Local$ ssh -p 57577 user@remote

returns:

  Password:
  Last login: Sat Mar 24 16:43:03 2007 from 192.168.1.100
  Welcome to Darwin!
  G5:~ user$

[1.7] Forward port 57577 on Remote's router to Remote (192.168.1.2 in
this example) to allow logging in from outside of the LAN.

------------------------------------------------------
2. Setting up public-key (passwordless) authentication
------------------------------------------------------

[2.1] Generate SSH key pair {2}

  Local$ ssh-keygen -t rsa

You can either leave the password blank for convenience (i.e., you will
*never* have to type a password to connect to the remote system), or
supply a password and use an agent (in which case you will need to type
the password at least once per local login - "at least" because
something unpleasant might happen to the agent process, etc). This guide
assumes a blank password, but keep in mind that all someone needs to
login to the remote server are the key files on your local machine
(~/.ssh/id_rsa and id_rsa.pub), so keep them safe. {3}

[2.2] Copy public key to Remote

  Local$ cat ~/.ssh/id_rsa.pub | ssh -p 57577 user@remote 'cat - >> ~/.ssh/authorized_keys'

[2.3] Test. You should now be able to login to Remote without a
password. Typing:

  Local$ ssh -p 57577 user@remote

returns:

  Last login: Sat Mar 24 15:56:46 2007 from 192.168.1.100
  Welcome to Darwin!
  G5:~ user$

Excellent!

[2.4] Optionally disable password-based SSH login on Remote (i.e.,
without the keys generated in step 2.1, SSH login will be denied).

  Remote$ sudo pico /etc/sshd_config

Change:

  #PasswordAuthentication yes

to:

  PasswordAuthentication no

and change:

  #ChallengeResponseAuthentication yes

to:

  ChallengeResponseAuthentication no

Save your changes, quit the editor, and restart Remote Login again. If
we now try to login via SSH from a computer without our public and
private keys, the connection is refused. Typing:

  Local$ ssh -p 57577 user@remote

returns:

  Permission denied (gssapi-with-mic,publickey,gssapi).

[2.5] Regularly check /var/log/secure.log on Remote for SSH logins and
login attempts.

----------------------------
3. Setting up SSHFS on Local
----------------------------

[3.1] Download the binary:

  http://macfuse.googlecode.com/files/fuse-binaries-0.1.0b006.tar.bz2

Latest version with installer can be found at:

  http://code.google.com/p/macfuse/

and instructions on CLI use at:

  http://lifehacker.com/software/ssh/geek-to-live--mount-a-file-system-on-your-mac-over-ssh-246129.php#c1191405

[3.2] Install:

  Local$ sudo tar -C / -jxvpf fuse-binaries-0.1.0b006.tar.bz2

[3.3] Add entry to PATH line in /etc/profile; change this line:

  PATH="/bin:/sbin:/usr/bin:/usr/sbin"

to:

  PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin"

[3.4] Create an empty directory on Local to be used as the mount point.
For example:

  Local$ mkdir /Users/username/Remote

[3.5] Run:

  Local$ sshfs -p 57577 user@remote: /Users/username/Remote -o ping_diskarb,volname=Remote,reconnect

Your home directory on Remote should mount and appear on Local's
Desktop. Unmount by dragging to Trash.

If you would rather mount Remote's root than your home directory:

  Local$ sshfs -p 57577 user@remote:/ /Users/username/Remote -o ping_diskarb,volname=Remote,reconnect

** The remaining steps are optional **

[3.6] Make mounting Remote a clickable app (which can of course be added
to your Login Items, scheduled via iCal, etc). In your favorite editor,
create the following bash script:

  #!/bin/sh
  # sshfs lives in /usr/local/bin, which a Platypus app's PATH may lack
  export PATH=/usr/local/bin:$PATH
  sshfs -p 57577 user@remote: /Users/your_username/Remote/ -o ping_diskarb,volname=Remote,reconnect

We'll save it on the Desktop as "mount_remote.sh".

[3.7] Download Platypus and use it to turn mount_remote.sh into an app:

  http://www.sveinbjorn.org/platypus

[3.8] Change your new app's icon if desired. Lots of good choices at:

  http://iconfactory.com/

------------
4. Resources
------------

SSH, The Secure Shell: The Definitive Guide (the "Snail Book")
http://www.snailbook.com/
Words like "seminal" and "definitive" seem inadequate when describing
this tome.

iGet
http://www.nakahara-informatics.com/iget/
Browse and search (via Spotlight!) remote filesystem over SSH. Much
faster than the Finder when connecting to remote resources. When using
a port other than 22 for SSH, specify the remote domain name or IP
address like so: remote_address:port number (e.g., tinyapps.org:57577).

Smultron
http://smultron.sourceforge.net/
Excellent open-source text editor. With its "File > Open Hidden..."
command, an easy choice for working with /etc/sshd_config,
/etc/services, and /var/log/secure.log (rather than using pico, vim,
emacs, etc).

iHook
http://rsug.itd.umich.edu/software/ihook/
"A graphical interface designed as a frontend for commandline
executables." Great for checking your script if Platypus does not
create a working app.

--------
5. Notes
--------

{1} "Analyzing Malicious SSH Login Attempts" by Christian Seifert
    http://www.securityfocus.com/infocus/1876

    "Move the listening port of the SSH server from 22 to some other
    unused port. While this would not prevent attackers from connecting
    to the server and start guessing password, it will significantly
    reduce the likelihood of finding your SSH daemon, as attackers use
    standard SSH clients and attack tools that assume the SSH server is
    running on its standard port 22."

{2} Why RSA instead of DSA? The Snail Book (2nd edition, page 86) has
    this to say about DSA:

    "DSA has also been surrounded by a swirl of controversy since its
    inception. The NIST first claimed that it had designed DSA, then
    eventually revealed that the NSA had done so. Many question the
    motives and ethics of the NSA, with ample historical reason to do
    so. Researcher Gus Simmons discovered a subliminal channel in DSA
    that allows an implementor to leak information - for instance,
    secret key bits - with every signature. Since the algorithm was to
    be made available as a closed hardware implementation in smart cards
    as part of the government's Capstone program, many people considered
    this property highly suspicious."

{3} Using a plaintext key vs. a password-protected key and an agent:

    Some will object to using a plaintext key. For me, if the local
    filesystem has been compromised, I've got bigger problems than
    someone getting into the remote server (since it simply serves as a
    backup of my local files). Here are some other reasons why I prefer
    not to use an agent:

    * A human being has to type the password at least once per session,
      which makes automation a hassle.

    * If the agent process dies, unhappiness will reign.

    * From the Snail Book (page 412): "Using an agent for automation is
      more complicated and restrictive than using a plaintext key;
      however, it is more resistant to attack and doesn't leave the key
      on disk and tape where it can be stolen. Considering that the
      agent is still vulnerable to being misused via the filesystem, and
      that it is intended to run indefinitely, the advantages of this
      method are debatable."

    If you would prefer to use a password-protected key file and an
    agent, here are several useful guides:

    Shortest passwordless ssh tutorial, ever
    http://blogs.translucentcode.org/mick/2003/09/18/shortest_passwordless_ssh_tutorial_ever/

    Passwordless SSH
    http://www.gatsby.ucl.ac.uk/~iam23/compnotes/passwordless_ssh.html

    And for the record, here are several guides which use a plaintext
    key (as this guide does):

    Setting up public key authentication over SSH
    http://www.petefreitag.com/item/532.cfm

    Backing up your stuff to a Linux server
    http://osxpro.blogspot.com/2005/09/backing-up-your-stuff-to-linux-server.html

[END]
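Added example for section 1 and step 2.4 (not part of the original guide): a shell audit that reads an sshd_config and reports every directive still at the default the table says to change. The two sample config files it runs over are constructed; the directive values are the guide's own.

```shell
# Audit of /etc/sshd_config against the table in section 1 and step 2.4.
# Added example, not from the original guide; sample configs are constructed.

# Print a directive's value from its first uncommented line, or nothing
# if it is absent or commented out (sshd then applies its default).
sshd_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Record one finding and bump the counter.
note() { echo "  $1"; n=$((n + 1)); }

# Usage: audit_sshd_config FILE
# Prints one line per weak/default setting; returns the number of findings.
audit_sshd_config() {
    cfg=$1; n=0
    v=$(sshd_get "$cfg" Port)
    [ -n "$v" ] && [ "$v" != "22" ] || note "Port: still listening on 22"
    [ "$(sshd_get "$cfg" Protocol)" = "2" ] || note "Protocol: SSH v1 not disabled"
    [ -n "$(sshd_get "$cfg" AllowUsers)" ] || note "AllowUsers: no account restriction"
    [ "$(sshd_get "$cfg" PermitRootLogin)" = "no" ] || note "PermitRootLogin: root may log in"
    v=$(sshd_get "$cfg" LoginGraceTime)
    case $v in
        ''|*[!0-9]*) note "LoginGraceTime: not a plain number of seconds (default 2m)" ;;
        *) [ "$v" -le 30 ] || note "LoginGraceTime: $v seconds is too long" ;;
    esac
    v=$(sshd_get "$cfg" MaxAuthTries)
    case $v in
        ''|*[!0-9]*) note "MaxAuthTries: at the default of 6" ;;
        *) [ "$v" -le 2 ] || note "MaxAuthTries: $v attempts is too many" ;;
    esac
    [ "$(sshd_get "$cfg" PasswordAuthentication)" = "no" ] \
        || note "PasswordAuthentication: passwords still accepted (step 2.4)"
    [ "$(sshd_get "$cfg" ChallengeResponseAuthentication)" = "no" ] \
        || note "ChallengeResponseAuthentication: still enabled (step 2.4)"
    return $n
}

# Constructed samples: the stock (all-commented) file vs. the hardened one.
STOCK_CFG=$(mktemp); HARDENED_CFG=$(mktemp)
printf '%s\n' '#Port 22' '#Protocol 2,1' '#PermitRootLogin yes' \
    '#LoginGraceTime 2m' '#MaxAuthTries 6' '#PasswordAuthentication yes' \
    '#ChallengeResponseAuthentication yes' > "$STOCK_CFG"
printf '%s\n' 'Port 57577' 'Protocol 2' 'AllowUsers user' 'PermitRootLogin no' \
    'LoginGraceTime 30' 'MaxAuthTries 2' 'PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' > "$HARDENED_CFG"

echo "stock config:";    audit_sshd_config "$STOCK_CFG"
echo "hardened config:"; audit_sshd_config "$HARDENED_CFG" && echo "  no findings"
```

On Remote, run it as `audit_sshd_config /etc/sshd_config` after each edit and again after restarting Remote Login, since a typo in a directive name is silently treated as absent by this check just as sshd ignores it.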
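Added example for step 2.5 (not from the original guide): awk one-liners that turn secure.log into a list of accepted logins and a count of failed attempts per source address. The log lines are constructed in the syslog format OpenSSH writes on OS X 10.4; the function names are hypothetical.

```shell
# Report on sshd activity in /var/log/secure.log (step 2.5). Added example,
# not from the original guide; the log lines below are constructed.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Mar 24 16:43:03 G5 sshd[412]: Accepted publickey for user from 192.168.1.100 port 49321 ssh2
Mar 24 17:02:11 G5 sshd[440]: Failed password for invalid user admin from 10.0.0.5 port 4433 ssh2
Mar 24 17:02:13 G5 sshd[440]: Failed password for invalid user admin from 10.0.0.5 port 4433 ssh2
Mar 24 17:02:20 G5 sshd[441]: Invalid user test from 10.0.0.5
Mar 24 17:02:22 G5 sshd[441]: Failed password for invalid user test from 10.0.0.5 port 4434 ssh2
Mar 24 17:05:00 G5 sshd[450]: Failed password for user from 192.168.1.7 port 5000 ssh2
Mar 24 18:10:45 G5 sshd[460]: Accepted password for user from 192.168.1.7 port 5010 ssh2
EOF

# Successful logins as "<date> <time> <user> <method> <source ip>".
# After step 2.4 a "password" method should never show up here.
ssh_accepted() {
    awk '/sshd\[[0-9]+\]: Accepted/ { print $1, $2, $3, $9, $7, $11 }' "$1"
}

# Failed attempts per source address, busiest first, as "<count> <ip>".
# The address is the word after "from" in every variant of the Failed line.
ssh_failures_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed/ {
             for (i = 1; i < NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Source addresses with at least $2 failures: worth a closer look, or a
# block rule on Remote's router/firewall.
ssh_noisy_sources() {
    ssh_failures_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

echo "accepted logins:";  ssh_accepted "$LOG"
echo "failures by ip:";   ssh_failures_by_ip "$LOG"
echo "3+ failures from:"; ssh_noisy_sources "$LOG" 3
```

On Remote, point the functions at /var/log/secure.log (with sudo if the file is not readable by your account) and at any rotated copies alongside it.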
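Added example for step 3.6 (not the guide's own script): the mount script with two guards the three-line version lacks, creating the mount point if it is missing and refusing to mount a second time when a Login Item and a manual click both fire. REMOTE_USER, REMOTE_HOST, SSH_PORT and MOUNT_POINT are hypothetical variable names carrying the guide's example values.

```shell
#!/bin/sh
# Guarded mount_remote.sh for step 3.6. Added example, not the guide's
# script; the variable names are hypothetical, the values are the guide's.
export PATH=/usr/local/bin:$PATH

REMOTE_USER=${REMOTE_USER:-user}
REMOTE_HOST=${REMOTE_HOST:-remote}
SSH_PORT=${SSH_PORT:-57577}
MOUNT_POINT=${MOUNT_POINT:-$HOME/Remote}

# True if the given directory (canonical path, no trailing slash) is itself
# a mount point: df -P reports the mount point of the filesystem holding it.
is_mounted() {
    [ "$(df -P "$1" | awk 'NR == 2 { print $6 }')" = "$1" ]
}

# Mount Remote's home directory; returns 0 on success or if already mounted.
mount_remote() {
    mkdir -p "$MOUNT_POINT" || return 1
    if is_mounted "$MOUNT_POINT"; then
        echo "already mounted on $MOUNT_POINT"
        return 0
    fi
    sshfs -p "$SSH_PORT" "$REMOTE_USER@$REMOTE_HOST:" "$MOUNT_POINT" \
        -o ping_diskarb,volname=Remote,reconnect
}

# Only attempt the mount where sshfs is installed (the Platypus app on Local).
if command -v sshfs >/dev/null 2>&1; then
    mount_remote
fi
```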