External SSH/VPN Host System

SSH

Introduction

To allow secure remote access to the lab's local network, an SSH/VPN server is needed. This server has one network interface connected to the public network and another connected to the lab's local network, so it acts as a gateway. Port forwarding is enabled on the server so that ssh connections to the local network are initiated through it; any other ssh connection attempt from outside is blocked by the firewall. Strong security measures have to be implemented on this server, because if it is compromised the lab network is exposed to intruders. This section provides a guide for setting up a security-enhanced ssh server.

Many ssh servers are available. In this configuration a CentOS machine running OpenSSH is used.

Configuration

Minimum install of system

A minimum installation of the system minimizes the security vulnerabilities created by unnecessary services on the network. SSH is now a default component of CentOS, so the CentOS machine for the SSH server is installed without any additional components. At first boot of the system, disable all services that are not required, such as cups and bluetooth. The latest security patches also need to be applied to the system.

Setup SSH server

The OpenSSH server (sshd) is installed by default in CentOS, so there is no need to install the program. OpenSSH is very versatile software capable of various kinds of secure remote connection, such as VPN and port forwarding.

In the lab's network design, the ssh server acts as a gateway that forwards ssh requests to machines on the internal network. In this way all the servers on the lab network can be accessed through the SSH server, and all other management connections (i.e. ssh, telnet) are blocked from outside the network to enhance security.

The configuration considerations for the ssh server are:

  • Use public keys as the authentication method instead of passwords, which provides better security.
  • Direct root login to this server via ssh is disabled; users have to log in with the ssh account and use the su - command to gain root access.
  • PAM is not used for authentication; only local accounts are allowed to log in, which reduces the complexity of the

Based on the considerations above, the ssh server is configured as in the attached sshd_config file. On CentOS machines this configuration file is located in the /etc/ssh directory.
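The considerations above can be checked against an sshd_config file before sshd is restarted. The audit script below is an added example, not the attached sshd_config or any part of the original guide; the two embedded configuration fragments are constructed samples, and the defaults it assumes for absent keywords (yes for PermitRootLogin on older OpenSSH, PubkeyAuthentication, PasswordAuthentication and ChallengeResponseAuthentication; no for UsePAM) follow the sshd_config man page of that era.

```shell
#!/bin/sh
# Audit an sshd_config against the guide's requirements: key-only login,
# no direct root login, no PAM. Added example, not the attached sshd_config.

# Constructed sample fragments: a stock-looking file and a hardened one.
WEAK_CFG='Port 22
#PermitRootLogin no
PasswordAuthentication yes
UsePAM yes'
HARDENED_CFG='Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no'

# effective_value FILE KEYWORD DEFAULT
# sshd honours the first uncommented occurrence of a keyword; if the keyword
# is absent the compiled-in default applies. A commented line has "#Keyword"
# as its first field, so it never matches. Assumes the "Keyword value" form
# (the "Keyword=value" form is not parsed here).
effective_value() {
  v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
  printf '%s\n' "${v:-$3}"
}

# audit_sshd_config FILE
# Prints each violated setting; returns the number of violations (0 = pass).
# Assumed defaults: yes for PermitRootLogin (older OpenSSH), PubkeyAuthentication,
# PasswordAuthentication and ChallengeResponseAuthentication; no for UsePAM.
audit_sshd_config() {
  cfg=$1
  fails=0
  for spec in 'PermitRootLogin yes no' \
              'PubkeyAuthentication yes yes' \
              'PasswordAuthentication yes no' \
              'ChallengeResponseAuthentication yes no' \
              'UsePAM no no'; do
    set -- $spec   # keyword, default, wanted
    got=$(effective_value "$cfg" "$1" "$2")
    if [ "$got" != "$3" ]; then
      printf 'FAIL: %s is "%s", want "%s"\n' "$1" "$got" "$3"
      fails=$((fails + 1))
    fi
  done
  return $fails
}
```

Run it as `audit_sshd_config /etc/ssh/sshd_config` on the gateway; note that the CentOS-shipped file sets UsePAM yes, which is exactly what the stock sample above flags.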

Private/public key pairs authentication

To allow private/public key pair authentication, key pairs need to be generated by the clients and the public keys uploaded to the ssh server as trusted keys. All common ssh clients can generate private/public key pairs. This section gives examples of key pair authentication for OpenSSH on Linux and PuTTY on Windows.

Openssh

The utility ssh-keygen is used to generate public/private key pairs. The following command creates a private/public key pair for the ssh user. The -f option specifies the output file for the keys and -C specifies a comment that is stored with the key.

ssh-keygen -t rsa -f sshuser-rsa-key_mia.blueprint.org -C sshuser-rsa-key_mia.blueprint.org

A passphrase is needed to secure the private key; enter a long and complicated passphrase for better protection. Two files are generated: a private key file and a public key file with the suffix .pub.

To authenticate using the key pair, copy the public key file to the ssh server and append it to the .ssh/authorized_keys file:

# run as root on the ssh server; it is the public key (.pub) that is
# appended, never the private key file
mkdir -p /home/sshuser/.ssh
chmod 700 /home/sshuser/.ssh
touch /home/sshuser/.ssh/authorized_keys
cat sshuser-rsa-key_mia.blueprint.org.pub >> /home/sshuser/.ssh/authorized_keys
chown -R sshuser:sshuser /home/sshuser/.ssh
chmod 400 /home/sshuser/.ssh/authorized_keys

Copy the private key file to a safe location on the client computer, protected with access rights 400, or copy it to a thumb drive for additional mobility and security. When connecting to the server, use the command:

ssh -i sshuser-rsa-key_mia.blueprint.org sshuser@mia.blueprint.org

There will be a prompt asking for the key's passphrase; after the correct passphrase is entered, the ssh connection is established.

Putty

PuTTY uses a program called puttygen to generate the public/private key pair. The user interface is shown below:

To use puttygen, click the Generate button, then move the mouse randomly within the window so that puttygen can gather randomness. After the key is generated, add a passphrase to it and save the public and private keys. The private key is saved in PuTTY private key format (.ppk). If this key needs to be exported to OpenSSH format, go to the Conversions menu and click "Export OpenSSH key".

To use private/public key pair authentication in PuTTY, first add the public key to the authorized_keys file as described in the OpenSSH section. Then start PuTTY, go to the SSH -> Auth menu and specify the private key file for the session. After this, PuTTY can be used as with normal password authentication.


Port Forwarding

Port forwarding is a very powerful feature of OpenSSH that allows mapping specific ports on remote or local hosts to the SSH port (usually 22) on the . Through port forwarding, specific services on the local lab network can be accessed remotely through the ssh server, and the connection is secured.
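A local forward through the gateway, as an added example that is not part of the original guide: it reuses the key file and host name from the OpenSSH section, the internal host name is a constructed placeholder, and it assumes the gateway's sshd_config permits forwarding (AllowTcpForwarding yes).

```shell
#!/bin/sh
# Local port forward through the lab gateway (added example).
# Client side: a connection to 127.0.0.1:LOCAL_PORT is carried over the ssh
# session to the gateway and delivered to INTERNAL_HOST:INTERNAL_PORT on the
# lab network. Requires AllowTcpForwarding yes in the gateway's sshd_config.
GATEWAY=sshuser@mia.blueprint.org
KEY=sshuser-rsa-key_mia.blueprint.org

# lab_forward LOCAL_PORT INTERNAL_HOST INTERNAL_PORT
# -N: open no remote shell, just the tunnel. Binding to 127.0.0.1 keeps the
# forwarded port off the client's other interfaces, so other machines on the
# client's network cannot ride the tunnel. With DRY_RUN set, only the command
# line is printed instead of connecting.
lab_forward() {
  set -- -i "$KEY" -N -L "127.0.0.1:$1:$2:$3" "$GATEWAY"
  if [ -n "$DRY_RUN" ]; then
    printf '%s\n' "ssh $*"
    return 0
  fi
  ssh "$@"
}

# Example: reach an internal web server (constructed host name) on port 443
# as https://127.0.0.1:8443/ on the client:
#   lab_forward 8443 webserver.lab.internal 443
```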


Firewall settings

For maximum security, the firewall should block all access to the ssh server except port 22.


VPN- an alternative

SSH provides a simple method to access the lab's local network, mainly providing secure shell and file transfer support. If there is a need to remotely access other resources that are restricted to local users, a VPN (virtual private network) is a better-suited alternative to ssh. OpenSSH can create a VPN through pppd using scripts, and more sophisticated software packages such as OpenVPN are available.