Remote Login with SSH

Now everyone can work from home, securely (Part 2/3)

Introduction

Remote login allows users to connect to servers located on networks other than the one their local machine is on. Much like we use a remote control to operate a device that is only a few feet away (lazy people understand this), remote login lets us work from anywhere while accessing data stored on servers in the company’s private network.

Remote Login using TELNET

The simplest way to log in remotely is TELNET. TELNET is a basic protocol in which the server listens on TCP port 23 for remote access. Each user is given a unique, password-protected account. TELNET is fast because it is stripped down, but it is not intuitive since it is purely command based.

Secure Shell (SSH)

Secure Shell (SSH) is the upgraded version of TELNET. What you can do in a TELNET session is exactly what you can do in an SSH session. In the real world, SSH is the preferred remote login service for secure connections. SSH connections are protected using symmetric encryption, asymmetric encryption and hashing mechanisms. These added layers of protection introduce some extra processing overhead on the edge nodes. So, it is recommended to use TELNET if remote login is used in a LAN with trusted users, and to use SSH for connecting to servers located in remote LANs (Taylor: ‘I don’t trust nobody, and nobody trust me’ on the Internet).

SSH client → SSH server: the two sides exchange information back and forth to set up a secure remote connection

SSH vs TELNET (in context of network security)

SSH has largely replaced TELNET because of the added security. In a secure connection, the data (plaintext) is encrypted with cryptographic keys into secured data (ciphertext). These keys can be a shared secret key in symmetric encryption, or a private/public key pair in asymmetric encryption. The keys are exchanged between, or held only by, the sender and receiver. If the encrypted packets are intercepted by a man-in-the-middle (MITM), the attacker would need to guess the key used to ‘lock’ each packet before its contents could be read.

SSH encrypts messages into a cipher form that is not recognisable even if the packets are intercepted
TELNET vs SSH

How to use SSH

In the example network, Avocado is trying to connect remotely to the data server using SSH.

Avocado is working from home in Penang. He needs to connect to the server in Kampar.
Remote login using SSH

Understanding SSH prompts

If the connection is successful, Avocado should be able to perform basic tasks such as file operations using SSH commands. The commands for some of the supported tasks are listed here. We can see that we are connected to the right server from the second line, ‘cisco@192.168.209.244’, which is the same IP we specified in PuTTY when starting the connection. The ‘last login’ line shows our client IP address, which is the IP address of Avocado’s PC, 192.168.209.159. In this example, Avocado typed the ‘ls’ command to list all the files and folders visible on the data server. The output shows that there are currently 2 files, namely ‘ftp-eagle-server.pcap’ and ‘tftp-eagle-server.pcap’, and a folder named ‘Desktop’ on the server.

The screen on SSH_client after successful login
SSH commands on a Linux-based server (source)

Command        Usage
=============  ===============================================================
‘netstat -b’   shows all the active ports that are open on the client machine

A socket is a combination of {IP:Port} to indicate a network connection

Referring to the 4th line of the command output, we can find the socket entry 192.168.209.244:22. This implies that the SSH connection to the server is successful. More options for netstat can be found here.

Netstat is a network command that lists all active TCP/UDP ports on a machine
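The check described above (spotting the 192.168.209.244:22 socket in the netstat output) can be automated. The parser below is an added example, not code from the original post: SAMPLE_NETSTAT is a constructed imitation of what Windows `netstat -b` prints after a PuTTY session to the data server is up, not Avocado’s real output, and the peer address 203.0.113.10 is a documentation-range placeholder. It goes slightly beyond the post’s single check by also surfacing any TCP socket to port 23, since a TELNET session on the same client is the cleartext case the next section is about.

```python
"""Find remote-login sockets in netstat output.

Added example, not code from the original post. SAMPLE_NETSTAT is a
constructed imitation of Windows `netstat -b` output after a PuTTY
session to the post's data server is established. The parser only uses
the Proto / Local Address / Foreign Address / State columns, so it also
handles Linux `netstat -tn` output (which has no bracketed process lines).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Peer ports that indicate a remote-login session and the service they belong to
REMOTE_LOGIN_PORTS = {22: "ssh", 23: "telnet"}

# Constructed sample output (Windows `netstat -b` style). The bracketed line
# under a socket names the executable that owns it.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.209.159:49712  192.168.209.244:22     ESTABLISHED
 [putty.exe]
  TCP    192.168.209.159:49720  203.0.113.10:443       ESTABLISHED
 [chrome.exe]
  TCP    192.168.209.159:49733  192.168.209.244:23     TIME_WAIT
  UDP    0.0.0.0:5353           *:*
"""

SOCKET_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+):(?P<fport>\d+|\*)"
    r"\s*(?P<state>\S+)?\s*$"
)


@dataclass(frozen=True)
class Socket:
    proto: str
    local: str                   # "ip:port" as printed by netstat
    remote: str                  # "ip:port" of the peer ("*:*" for unconnected UDP)
    remote_port: Optional[int]   # None when the peer port is "*"
    state: str                   # e.g. ESTABLISHED, TIME_WAIT; "" for UDP
    process: Optional[str]       # owning executable when netstat -b printed one


def parse_netstat(text: str) -> List[Socket]:
    """Parse netstat output into Socket records, attaching the [process]
    lines that Windows `netstat -b` prints underneath each socket."""
    lines = text.splitlines()
    sockets: List[Socket] = []
    for i, line in enumerate(lines):
        m = SOCKET_LINE.match(line)
        if not m:
            continue  # headers, blank lines and [process] lines are skipped here
        process = None
        if i + 1 < len(lines):
            nxt = lines[i + 1].strip()
            if nxt.startswith("[") and nxt.endswith("]"):
                process = nxt[1:-1]
        fport = m.group("fport")
        sockets.append(Socket(
            proto=m.group("proto"),
            local=f"{m.group('laddr')}:{m.group('lport')}",
            remote=f"{m.group('faddr')}:{fport}",
            remote_port=None if fport == "*" else int(fport),
            state=m.group("state") or "",
            process=process,
        ))
    return sockets


def remote_logins(sockets: List[Socket]) -> Dict[str, List[Socket]]:
    """Group TCP sockets whose peer port is 22 (SSH) or 23 (TELNET).

    The port-22 entry confirms the SSH session the post looks for; any
    port-23 entry is a TELNET session whose traffic crosses the network
    in cleartext."""
    found: Dict[str, List[Socket]] = {"ssh": [], "telnet": []}
    for s in sockets:
        if s.proto != "TCP" or s.remote_port is None:
            continue
        name = REMOTE_LOGIN_PORTS.get(s.remote_port)
        if name:
            found[name].append(s)
    return found


if __name__ == "__main__":
    for service, socks in remote_logins(parse_netstat(SAMPLE_NETSTAT)).items():
        for s in socks:
            owner = s.process or "unknown process"
            print(f"{service:6} {s.local} -> {s.remote} {s.state} ({owner})")
```

Run against real output by piping `netstat -b` (run as administrator on Windows, since the process column needs it) into `parse_netstat`; the state field lets you tell a live ESTABLISHED session from a TIME_WAIT leftover of one that has already closed.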

Packet Analysis (TELNET vs SSH)

SSH is the secure remote login service we hoped TELNET could be. So how exactly does SSH prevent the MITM attacks that have been TELNET’s Achilles’ heel?

TELNET sends the username and password in plaintext, which can be recovered using a network sniffer
SSH encrypts data using cryptographic keys, so only the sender and receiver can unpack a packet and see its contents. The GIF shows that the payload is not recoverable in Wireshark because it is encrypted
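The packet-analysis contrast the two captions describe (readable TELNET login versus unreadable SSH payload) can be reproduced without Wireshark. The script below is an added example, not code from the original post or its captures: both byte strings are constructed to resemble the start of a reassembled TCP stream (both directions merged) as a sniffer would see it, and the SSH "ciphertext" is seeded pseudo-random bytes standing in for encrypted session data. It identifies the protocol from the first bytes, strips TELNET’s IAC option negotiation, and measures how much of the remaining payload is printable, which is the signal a defender would use to flag cleartext remote logins on a network.

```python
"""Classify a sniffed remote-login stream and test whether its payload is readable.

Added example, not code from the original post. The two byte strings are
constructed, not taken from the post's Wireshark captures. TELNET opens with
IAC (0xFF) option negotiation and then carries the login prompt and typed
characters in the clear; SSH opens with a version banner, after which the
traffic is binary and, once the key exchange is done, encrypted.
"""
import random
import string
from typing import Dict

IAC, SB, SE = 0xFF, 0xFA, 0xF0                  # telnet command bytes (RFC 854)
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE

# Constructed TELNET stream: four DO negotiations, a banner, then a login exchange
TELNET_STREAM = (
    b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27"
    b"\r\nUbuntu 20.04 LTS\r\nserver login: cisco\r\nPassword: hunter2\r\n"
)

# Constructed SSH stream: a made-up version banner, then seeded pseudo-random
# bytes standing in for the encrypted session data
_rng = random.Random(7)
SSH_STREAM = b"SSH-2.0-ExampleServer_1.0\r\n" + bytes(
    _rng.getrandbits(8) for _ in range(512)
)

PRINTABLE = set(string.printable.encode())


def classify_stream(data: bytes) -> str:
    """Identify the protocol from the first bytes of the stream."""
    if data.startswith(b"SSH-"):
        return "ssh"          # SSH identification string, e.g. SSH-2.0-...
    if data[:1] == b"\xff":
        return "telnet"       # IAC option negotiation starts a telnet session
    return "unknown"


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop telnet IAC command sequences, leaving the characters the user
    saw and typed."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            break                                # truncated command at end of stream
        cmd = data[i + 1]
        if cmd == IAC:                           # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd == SB:                          # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif cmd in (WILL, WONT, DO, DONT):      # three-byte option commands
            i += 3
        else:                                    # two-byte commands (NOP, AYT, ...)
            i += 2
    return bytes(out)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII: ~1.0 for text, ~0.4 for ciphertext."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def analyse(data: bytes, threshold: float = 0.9) -> Dict[str, object]:
    """Report the protocol and whether the application payload is readable.

    A readable payload on a remote-login stream is the finding that matters:
    credentials and commands are exposed to anyone who can sniff the link."""
    kind = classify_stream(data)
    if kind == "telnet":
        payload = strip_telnet_negotiation(data)
    elif kind == "ssh":
        parts = data.split(b"\r\n", 1)           # everything after the banner
        payload = parts[1] if len(parts) == 2 else b""
    else:
        payload = data
    ratio = printable_ratio(payload)
    return {
        "protocol": kind,
        "printable_ratio": round(ratio, 2),
        "readable": ratio >= threshold,
        "preview": payload[:32],
    }


if __name__ == "__main__":
    for name, stream in (("TELNET", TELNET_STREAM), ("SSH", SSH_STREAM)):
        print(name, analyse(stream))
```

To use it on a real capture, export the TCP stream from Wireshark (Follow TCP Stream, save as raw) and pass the bytes to `analyse`; a `readable` result on a port-23 stream is exactly the exposure the TELNET caption describes.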