CS 231: Computer Security

Logging in With SSH: A Story

You may work with a partner of your choosing on this assignment.

SSH is a protocol commonly used to support encrypted remote login services. It is also used to enable a variety of other network services that require encryption and authentication, such as remote command execution, encrypted file transfer (SFTP), encrypted file copying (SCP), tunneling, etc.

SSH is defined by RFC 4253: The Secure Shell (SSH) Transport Layer Protocol

For this assignment, you're going to observe SSH for its simplest application: remote login to a command-line environment. Then you'll write another story describing what you observed, and connecting it explicitly to the protocol described in RFC 4253. The goal is to understand and describe every step of SSH's login process.

What to observe, and how

You need both an SSH client and Wireshark to run this experiment. You can find that combination by booting Mac on any of the CS Department machines in CMC304 and 306. Of course, you can also find it by making sure both are installed on your own computer. (Note that the "ssh" command comes standard on Macs.)

Once you have the tools ready, launch a Wireshark capture and use your SSH client to login to a remote server on which you have an account. Stop the capture once you've executed a single command on the other side, like "ls" or whatever you wish.

You all have accounts on the Math/CS network, so one of those machines would be a good choice. But the important thing is this: you want to capture a session that acts like it's the first time you have logged into the remote machine, because you want your story to include an explanation of this message:

If you are logging into a computer you have logged into via SSH previously, then you'll need to reset your local computer's "known hosts". On a Mac, the file ~/.ssh/known_hosts is a text file that you can edit with any text editor. If you delete the line containing "thacker.mathcs.carleton.edu" and then try logging into thacker, you should see the message above or some variant of it.

When you have an SSH client on Windows, there's a known_hosts file somewhere, but its location depends on which client you're using.

Questions to address in your story

Feel free to dig even deeper than this, but here are some questions you should definitely try to answer. In all cases, cite sections of RFC 4253 and show excerpts from the Wireshark log as appropriate.

• What is the sequence of events in the protocol exchange, and how do those events match up to the protocol as described in the RFC? (As a trivial example, the whole interaction starts as a TCP connection request sent by the client, as noted in the RFC section 4.1.)
• What encryption and compression algorithms did the exchange you observed use?
• At what point during the interaction did your client report to you that the authenticity of the remote host could not be established? Where did the "key fingerprint" in question come from?
• When during the interaction did encryption start?
• After encryption, what information about the exchange were you able to infer anyway?
• Did the interaction follow all the requirements of RFC 4253? If not, describe any discrepancies you noticed.

Handing it in

Hand in a PDF file telling your story. Include links and references as appropriate, and also screenshots and/or text from Wireshark to illustrate your observations. Consider the audience for this story-telling to be other CS majors who have not yet studied SSH. As with the previous story, your audience should be other CS majors, and you should expect a length no longer than 10 pages.

Submit your PDF via Moodle.

Have fun!