Wednesday, April 27, 2011

Disabling SFTP in OpenSSH server, the SCP fallback mechanism & its dependency on the sftp client under Windows & Linux.

Today I will throw some light on access restrictions for users. Sometimes we don't want users to perform SFTP operations on the SSH servers.
To do that, comment out the following line in the sshd_config of the OpenSSH server.

For many Ubuntu/Debian based systems:
Subsystem sftp internal-sftp
or on any other *nix system with an OpenSSH server:
Subsystem sftp /usr/lib/openssh/sftp-server
Restart the ssh server using
/etc/init.d/ssh restart
After this, it is essential to understand that the user you use for the sftp connection must not have /bin/sh (the login shell field) in the passwd file.
If a shell is present there, Windows sftp clients such as WinSCP or psftp.exe (the command-line PuTTY sftp utility) will fall back to a plain SSH session and run sftp-server as a remote command, giving sftp access even though we have disabled the subsystem.
So now I am using psftp.exe as the client to the 10.10.10.2 server, which is running the following sshd_config.

sshd_config file :
----------------------------------------------------------------------------------
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
#Subsystem sftp /usr/lib/openssh/sftp-server
#Subsystem sftp internal-sftp
UsePAM yes
---------------------------------------------------------------------------------------

Case-Study :
Let's create a user:
useradd -m testuser
Without sftp-server shell parameter:
The Subsystem line in the OpenSSH server config is commented out, but the passwd entry for the user still has shell access:
testuser:x:1001:1001::/home/testuser:/bin/sh

Fall-back Mechanism SFTP --> SCP :
In Linux, using the sftp command, there is no sftp access, because the Linux sftp client works strictly in sftp-only mode, i.e. no fallback to SCP. Hence, after commenting out the line in the OpenSSH config, a Linux client will not connect to the Linux server over the sftp protocol. This holds provided the utility used is sftp on Linux; any other external utility may again use SCP as a fallback mechanism.
From the snapshot of Linux-to-Linux sftp it is very clear that sftp strictly follows the sftp protocol, hence the connection fails.
In the second snapshot, the psftp.exe Windows client falls back to SCP as "Primary command failed" & gives access to file transfer.
From Linux:
sftp testuser@10.10.10.2
From Windows, using psftp.exe:
psftp.exe -v testuser@10.10.10.2
or using the pscp.exe utility:
pscp.exe -v -sftp temp.file testuser@10.10.10.2:/home/testuser
where temp.file is the generated file for transfer.
With pscp.exe the -sftp switch specifically asks for the sftp protocol.
Now enable the Subsystem option in sshd_config (remove the comment) & restart the ssh server.
Now we can clearly see that after enabling it, the primary command doesn't fail & there is no need for the fallback.
So this indicates that the client type matters for the connection restriction.

With sftp-server shell parameter:
To restrict shell access for a particular user to sftp capability only, we can do this:
change the entry in passwd to
testuser:x:1001:1001::/home/testuser:/usr/lib/sftp-server
and add sftp-server to the list of valid shells:
echo '/usr/lib/sftp-server' >> /etc/shells
Now testuser cannot get shell access to the system, but can do sftp if Subsystem sftp is present in sshd_config. If that is commented out, then from Linux it is not possible, as the fallback (which is SCP) is not supported.
Windows applications can still do file transfers by invoking commands in sftp mode in psftp.exe & pscp.exe (see conclusion 4).

Snapshots (images not reproduced here):
a. From Windows to Linux server with primary sftp failing
b. From Linux to Linux server giving "connection reset"


Conclusions :
1) The SFTP-SCP fallback mechanism can vary from client to client.
2) If Subsystem sftp is commented out, the client psftp.exe will fall back to the SCP mechanism if /bin/sh is present for that user.
3) If only the sftp-server shell is provided and Subsystem sftp is not commented out, then the user will have neither ssh access nor scp-only access. The SCP-only protocol does not work from pscp.exe nor from scp on Linux.
The following will not work:
pscp.exe -v -scp temp.file testuser@10.10.10.2:/home/testuser
scp temp.file testuser@10.10.10.2:/home/testuser
These will work:
pscp.exe -v temp.file testuser@10.10.10.2:/home/testuser
psftp -v testuser@10.10.10.2
sftp testuser@10.10.10.2
4) If only the sftp-server shell is provided and Subsystem sftp is commented out,
these will work:
psftp.exe -v testuser@10.10.10.2
pscp.exe -v -sftp temp.file testuser@10.10.10.2:/home/testuser
these will not work:
pscp.exe -v -scp temp.file testuser@10.10.10.2:/home/testuser
sftp -v testuser@10.10.10.2
5) After setting the sftp-server shell parameter, ssh connections or scp connections will not work for this user.
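The conclusions above boil down to two facts per user: whether the Subsystem sftp line is active, and what login shell the passwd entry carries. The following audit script is an added example, not part of the original post; it reads an sshd_config and a passwd file (constructed sample copies, written to a temp directory) and reports which case each user falls into, so an admin can see at a glance who can still reach sftp-server through the psftp/pscp fallback after the subsystem is commented out.

```shell
#!/bin/sh
# Added audit helper, not part of the original post. It reads an sshd_config
# and a passwd file and reports, per user, which of the post's cases applies.
# All input below is constructed sample data so the script runs offline.

# Echo "on" when an uncommented "Subsystem sftp" line exists, else "off".
sftp_subsystem_state() {
    if grep -Eq '^[[:space:]]*Subsystem[[:space:]]+sftp([[:space:]]|$)' "$1"; then
        echo on
    else
        echo off
    fi
}

# Classify one passwd line ($1) given the subsystem state ($2) and echo
# "<user> <verdict>". Mirrors conclusions 2 to 5 of the post.
classify_user() {
    user=$(printf '%s' "$1" | cut -d: -f1)
    shell=$(printf '%s' "$1" | cut -d: -f7)
    case "$shell" in
        */sftp-server|*/internal-sftp)
            # sftp-server as login shell: no ssh or scp; sftp reachable via
            # the subsystem, or only via fallback clients when it is off
            if [ "$2" = on ]; then verdict="sftp-only"
            else verdict="sftp-only-via-fallback-clients"; fi ;;
        */nologin|*/false|"")
            verdict="no-access" ;;
        *)
            # real shell: disabling the subsystem does not stop psftp/pscp,
            # which run sftp-server as a remote command over that shell
            if [ "$2" = on ]; then verdict="ssh+scp+sftp"
            else verdict="ssh+scp+sftp-via-fallback"; fi ;;
    esac
    printf '%s %s\n' "$user" "$verdict"
}

# Run the classification over every passwd entry.
audit() {
    state=$(sftp_subsystem_state "$1")
    while IFS= read -r line; do
        [ -n "$line" ] && classify_user "$line" "$state"
    done < "$2"
}

# Constructed sample inputs matching the post's "Subsystem commented out" case.
tmp=$(mktemp -d)
printf '#Subsystem sftp /usr/lib/openssh/sftp-server\nUsePAM yes\n' > "$tmp/sshd_config"
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$tmp/passwd"
printf 'testuser:x:1001:1001::/home/testuser:/bin/sh\n' >> "$tmp/passwd"
printf 'xfer:x:1002:1002::/home/xfer:/usr/lib/sftp-server\n' >> "$tmp/passwd"
audit "$tmp/sshd_config" "$tmp/passwd"
```

Point the two arguments of audit at /etc/ssh/sshd_config and /etc/passwd to run it against a real server.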

Please guys let me know about this through comments.

Saturday, April 23, 2011

Networker Tape dumping using uasm & scanner

Sometimes we need to recover data from tapes which are well beyond the Browse & Retention policies. Of course the index is no longer there & we want to recover particular data. This can be achieved using uasm in Networker.
Mount the tape from which you want to recover the data in the drive & follow the procedure given below.

scanner /dev/nst3

This will report the SSID, client name & saveset name present on the tape. Apparently we don't want to restore this to the original location. Suppose we want to recover it under /tmp. Now the desired SSID can be selected:

scanner -S <ssid> /dev/nst3 | uasm -rv -m /usr=/tmp

This will scan the bits straight off the tape for the given SSID & pipe them to uasm for recovering. uasm is the default ASM (Application Specific Module) for Unix filesystems. The "r" switch is for recovering, "v" for verbosity, and "-m /usr=/tmp" relocates the actual saveset /usr to /tmp for recovery.

To recover all the savesets for a particular client, use this:

scanner -c <client name> -x uasm -rv -m/=/tmp

This process can be automated using scripts to suit the needs.

Sunday, April 17, 2011

VirtualBox Linux Guest Host-Only Interface DHCP Problem Fix

I have an Ubuntu 9.10 Server guest VM running on a Windows XP SP3 host. I wanted to change the IP range of the Host-Only interface from 192.168.56.x, the default VirtualBox Host-Only range, to 10.10.10.x.
Changing this using the GUI caused some weird errors resulting in no DHCP offers inside the VMs. I tried adding a new Host-Only interface but that also gave an error. I was not able to delete the old one, leaving 2 overlapping Host-Only interfaces which can only be seen through the command line tool VBoxManage.exe, not in the Preferences tab of the VirtualBox GUI.
So here is how to do it.

C:\Program Files\Oracle\VirtualBox>VBoxManage.exe list dhcpservers
NetworkName: HostInterfaceNetworking-VirtualBox Host-Only Ethernet Adapter #2
IP: 10.1.1.2
NetworkMask: 255.255.255.0
lowerIPAddress: 10.1.1.101
upperIPAddress: 10.1.1.254
Enabled: Yes

NetworkName: HostInterfaceNetworking-VirtualBox Host-Only Ethernet Adapter
IP: 10.10.10.1
NetworkMask: 255.255.0.0
lowerIPAddress: 10.10.10.2
upperIPAddress: 10.10.10.100
Enabled: Yes

Now there are 2 Host-Only interfaces with overlapping IP ranges causing conflicts. We will delete the extra one using VBoxManage.exe:

C:\Program Files\Oracle\VirtualBox>VBoxManage.exe dhcpserver remove --netname "HostInterfaceNetworking-VirtualBox Host-Only Ethernet Adapter #2"

C:\Program Files\Oracle\VirtualBox>VBoxManage.exe list dhcpservers
NetworkName: HostInterfaceNetworking-VirtualBox Host-Only Ethernet Adapter
IP: 10.10.10.1
NetworkMask: 255.255.0.0
lowerIPAddress: 10.10.10.2
upperIPAddress: 10.10.10.100
Enabled: Yes

Then start the VirtualBox DHCP server:

C:\Program Files\Oracle\VirtualBox>VBoxNetDHCP.exe


C:\Program Files\Oracle\VirtualBox>tasklist
[snipped]
wordpad.exe 5060 Console 0 1,828 K
VirtualBox.exe 5480 Console 0 9,040 K
VBoxNetDHCP.exe 4692 Console 0 4,672 K
[snipped]

Now the VM will get DHCP offers from the Host-Only interface.

Friday, April 8, 2011

Cryptography - Hash generation on Linux using MD5/SHA-1 & Applications

Yo, readers. I will talk about MD5 (Message-Digest Algorithm 5) & SHA-1 (Secure Hash Algorithm 1) in this post.
These are hashing algorithms. Now what is that? Well, a hashing algorithm takes an arbitrary block of data & returns a fixed-size bit string, so that even a small change in the data changes the hash.
Hence the "Message" is the data & the hash is the "Digest".
MD5 gives us a 128-bit hash value.
SHA-1 gives us 160 bits of digest size or hash value.
These MD5 or SHA hashes are used for:
a. Data integrity checks - Data loss during file transfer over the Internet can have 2 causes. One is connection loss corrupting some bits; this does not change the file size but can affect operation. Another could be injection of malicious code into legitimate data files using MITM (Man in the Middle) techniques, a security threat: for example, downloading legitimate software from a trusted provider while the file is tampered with on the way by a MITM. This can be easily detected by computing the MD5 or SHA hash of the received file & comparing it with the hash of the original file provided on the software owner's website.
If the hashes don't match then there could be a data change or data loss. That's why these days every software provider publishes checksums for comparison at the receiving end.
b. Password hashing - generally stored passwords are not in cleartext format; the password supplied during authentication is hashed & its hash is compared with the hash stored in the database.
c. File or data identification - Many peer-to-peer (p2p) file sharing applications use hashing to uniquely identify seeds, or let's say parts of data, so they can be gathered accordingly.

Now let's do some hash computing on Linux using the following utilities:

1. md5sum - This computes the MD5 hash for the provided input. Files with identical contents always produce the same hash, so the same digest will show up for every copy. It reports the hash & the filename on standard output.

root@ubuntu:~# cat /dev/urandom > 1.txt
^C
root@ubuntu:~# du -sh 1.txt
35M 1.txt
root@ubuntu:~# md5sum 1.txt > 1.txt.hash
root@ubuntu:~# cat 1.txt.hash
97414a6530b9b9e91634c85522fb22a7 1.txt
root@ubuntu:~# md5sum -c 1.txt.hash
1.txt: OK
root@ubuntu:~#

Here, as you can see, the hash is generated for the file in the same directory. Passing the hash file to md5sum with the "-c" switch automatically verifies the file's integrity. So we can compute the hashes for all the files in a directory & pass the hash file to the other end for the integrity check: all the files can be transferred using FTP and then checked against the hash file containing the hashes for all the directory paths.

root@ubuntu:~# md5sum -b 1.txt > 1.txt.binary.hash
root@ubuntu:~# md5sum 1.txt > 1.txt.text.hash
root@ubuntu:~# cat 1.txt.binary.hash 1.txt.text.hash
97414a6530b9b9e91634c85522fb22a7 *1.txt
97414a6530b9b9e91634c85522fb22a7 1.txt
root@ubuntu:~#

md5sum can also be used in binary mode with the "-b" switch. The default is text mode for reading the file while hashing. The "*" marks that the hash was computed in binary mode. Normally on Unix systems there is no change in the hash, but on systems with different line formatting the mode can change the hash.

2. sha1sum - The sha1sum utility works the same as md5sum for binary mode & integrity checks. It just returns a 160-bit hash value.
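The directory-wide integrity check described above, as an added example that is not from the original post: it builds a sha1sum manifest for a whole directory in binary mode, verifies it the way the post verifies a single file, and shows which file changed when the check fails. All files are constructed sample data written to a temp directory.

```shell
#!/bin/sh
# Added example, not from the original post: build a sha1sum manifest for a
# whole directory (binary mode, as the post describes), verify it after
# transfer, and show which file changed when the check fails.
# All files below are constructed sample data written to a temp directory.

# Write "<hash> *<relative path>" for every regular file under $1 into $2.
# $2 must be an absolute path because we cd into $1 first.
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort |
        while IFS= read -r f; do sha1sum -b "$f"; done ) > "$2"
}

# Echo "ok" when every file still matches the manifest, else "FAILED".
verify_manifest() {
    if ( cd "$1" && sha1sum -c "$2" >/dev/null 2>&1 ); then
        echo ok
    else
        echo FAILED
    fi
}

# List the relative paths whose hash no longer matches (one per line).
failed_files() {
    ( cd "$1" && sha1sum -c "$2" 2>/dev/null ) | grep ': FAILED' | cut -d: -f1
}

# Constructed sample: one text file and one binary file.
tmp=$(mktemp -d)
mkdir "$tmp/data"
printf 'hello\n' > "$tmp/data/a.txt"
head -c 4096 /dev/urandom > "$tmp/data/b.bin"
make_manifest "$tmp/data" "$tmp/manifest.sha1"

verify_manifest "$tmp/data" "$tmp/manifest.sha1"   # ok

# Simulate a corrupted or tampered transfer: one byte appended to b.bin.
printf 'x' >> "$tmp/data/b.bin"
verify_manifest "$tmp/data" "$tmp/manifest.sha1"   # FAILED
failed_files "$tmp/data" "$tmp/manifest.sha1"      # ./b.bin
```

Ship the manifest over a separate, trusted channel from the files themselves, otherwise an attacker who can alter the files in transit can alter the manifest to match.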

root@ubuntu:~# sha1sum 1.txt > 1.txt.hash
root@ubuntu:~# cat 1.txt.hash
64ef39c2963627d9acfb6fc0cf3b50dfc016e4a8 1.txt
root@ubuntu:~# sha1sum -c 1.txt.hash
1.txt: OK
root@ubuntu:~#

3. cksum - This utility generates a CRC (Cyclic Redundancy Check) checksum & counts the bytes in the file for an integrity check.

root@ubuntu:~# cksum 1.txt > 1.txt.cksum
root@ubuntu:~# cat 1.txt.cksum
2861886857 36143104 1.txt
root@ubuntu:~#

Here the first field is the checksum & the next field is the size of the file in bytes.

Security focus on hashing -
This is an endless topic to explore, as vulnerabilities have been found in the hashing algorithms & there are other security aspects too.
Hash computation is accelerated using Nvidia's CUDA platform; a high-end Graphics Processing Unit can compute more than 200 million hashes per second.
Rainbow tables precomputed by a distributed computing architecture such as BOINC can be used to reverse MD5 hashes. This is used for reversing password hashes to clear text passwords.

Let me know what you guys think about this.