Implementing SSH: Strategies for Optimizing the Secure Shell
Author: Himanshu Dwivedi
The majority of Internet and computer users at least once came across the Secure Shell (SSH). With a bunch of security features, SSH is being adopted by a great number of system administrators that are trying to implement some way of secure tunneling to their networks. One of the quotes from the book’s introduction explains SSH perfectly: “SSH to security professional is like a donut to Homer Simpson: a godsend”.
Although the title of the book implies a very technical publication, the book should suite a variety of readers interested in how to use and optimize the secure shell.
About the author
Himanshu Dwivedi is Managing Security Architect at @stake, one of the leading providers of digital security services. He is also a security training leader for the @stake Academy and has published two books on storage security. His professional experience includes application programming, security consultancy and secure product design.
Inside the book
As most other books covering specific technology topics, “Implementing SSH” starts with a brief overview of the secure shell. This initial chapter is mainly targeting the general population with not so much experience in using SSH. Here the author provides tidbits of information related to differences between SSH1 and SSH2, its client/server infrastructure, as well as the most common uses of SSH in real life. The overview is finalized with installation examples of commercial SSH solutions and freely available OpenSSH. Although the installation methods are similiar, author provides simple walkthroughs on installations based on a number of operating systems, including Red Hat Linux (and other Linux distributions respectively), OpenBSD and Windows 2000 Server.
The next couple of chapters, which combined together, spread over about a half of this book’s content, are detailed guides where the author discusses some of the most popular SSH solutions. Both the users and the administrators will find some interesting information in these guides, as Dwiwedi goes deeper into both SSH servers (SSH Communication’s SSH Server, OpenSSH and VanDyke Software Vshell SSH Server) and clients (example command line and GUI clients, Putty, WinSCP, MindTerm and MacSSH). The coverage that each SSH server receives is absolutely satisfying, as the author traverses through all the configuration options and appends detailed descriptions, as well as his own comments to basically every part of the config file. Yes, you can find the similiar stuff in man pages and online FAQs and manuals, but it is usually much better (from the productivity point of view) to find all the infromation you need on one place, nicely categorized and easily accessible from your bookshelf. Besides, the book’s most interesting topics are located in the latter part of this review.
Before going deeper into squeezing the best out of SSH, I should note that one of the chapters is dedicated to SSH management of network devices (mainly Cisco equipment) and SOCKS management.
Although not a direct security option, port forwarding is one of the powerful things SSH offers. Besides the creation of a secure tunnel, the pros for using SSH port forwarding are quite nice: it requires few slight changes to the SSH server, it uses just one port (which comes handy in the process of building firewall rules) and can tunnel a number of insecure protocols, making them secure. Just imagine – while on travel, you need to check your email urgently. You power up your notebook, connect to the airport’s wireless network. Are you comfortable enough to download mail from your POP3 email acocount? On a public wireless network? Guess not! SSH tunneling is the quick and painfull way to download your email on a secure manner. After showing the purpose and the way how port forwarding is done, the author once again shows these possibilities on all of those SSH servers and clients I’ve mentioned earlier.
The situation with checking the email on the airport was just one of the SSH tunneling examples. If you are interested in these type of practical solutions, you will be surely satisfied with one of the chapters, that contains ideas ranging from securing e-mail, file transfers (SMB and NFS) and using secure management (say goodbye to the old and useful, but unsecure VNC implementations).
For those that want actual proofs that SSH is a way to go, author provides some practical information in how SSH can replace some specific protocols for creating a stronger security situation. All of these examples are accompanied with screeshots (mainly targeted to the novice type readers) showing sniffers capturing non-secure and secure connections
Proxy technologies in a secure environment is the title of one of the last chapters of this publication. As you can see from the title, here the author discusses all the good things that can come out of a combination of SSH and a Proxy. Some of the catchy examples with appropriate diagrams include securing wireless coffe-shop connections and secure web browsing with SSH.
The author concludes the book with three real world case studies, each dealing with one of the SSH functions: secure remote access, secure file servers and secure wireless connectivity.
“Implementing SSH” doesn’t go deep into SSH specifics, such as encryption modules and algorithms, but rather provides the readers information on how to effectively use SSH possibilities and use all the potentitals of this valuable solution.
As the content is focused on several different tools running on several different operating systems, a bunch of information provided by the author wouldn’t be of a great interest to some of the readers. On the other hand there is a good thing to know what are the alternatives and what do those alternatives offer.
The bottom line is that SSH is a very important utility and this book provides a wealth of information, that will be mostly of interest to the intermediate users. I would also recommend this book to the readers that often use SSH to connect to their remote machines and were always interested in how the things work and how they can elevate their SSH usage and knowledge to another level. This book will help you do just that. By reading some of the examples and case studies the author provides, you’ll surely stumble upon something that can be deployed in your own network.