« Previous 1 2 3

Secure SSH connections the right way

Certified

Conclusions

SSH is not a perfect protocol, but in its simplest application, it at least provides basic measures against integrity loss. However, as IT security requirements grow, as stipulated in the industry, the protection provided by SSH out of the box can no longer be relied upon. Without key management and unambiguous integrity detection, SSH could become an opening for a cyberattack and can therefore compromise, the system-critical infrastructure. This problem can be remedied by centralized key management and independent integrity determination by a third-party entity.

Probably the most appropriate solution for many organizations, which because of its complexity this article does not cover, would be to combine SSH authentication with Active Directory (AD) authentication. The X.509 certificate-based authentication provided by AD is a perfect match. This system would also provide centralized identity management.

Infos

  1. RFC 4251: https://tools.ietf.org/html/rfc4251#section-4.1
  2. CVE-2020-14145: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14145
  3. RFC 4253: https://tools.ietf.org/html/rfc4253#section-7
  4. ssh-mitm: https://github.com/ssh-mitm/ssh-mitm
  5. IT-Grundschutz: https://www.bsi.bund.de/EN/Topics/ITGrundschutz/itgrundschutz_node.html
  6. ISO 27001: https://www.iso.org/isoiec-27001-information-security.html

The Author

Simon Böhm wrote this article while completing his basic military service at the ICT & Cybersecurity Center of the Austrian Armed Forces. In private life, he focuses on general security strategies in network technology and software development.

« Previous 1 2 3

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
Print Issues
Digital Issues
 
SUBSCRIPTIONS
Print Subs
Digisubs
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Lead Image © almagami, 123RF.com
    Attacks on HTTPS Connections
    HTTPS protects a connection from both tapping and manipulation, but only if a man in the middle hasn't already infiltrated the Internet connection. We highlight the weaknesses in HTTPS and demonstrate how to protect your client and server.
    more »
  • Lead Image © Amy Walters, 123RF.com
    Hardening network services with DNS
    The Domain Name System, in addition to assigning IP addresses, lets you protect the network communication of servers in a domain. DNS offers further hardening of network protocols – in particular, SSH fingerprinting and CAA records.
    more »
  • Lead Image © Yevgeniya Ponomareva, Fotolia.com
    SSL/TLS best practices for websites
    SSL and TLS are very complex technologies. If you want to avoid wading through cryptography manuals to harden your HTTPS web server, read on for practical recommendations on establishing, securing, and optimizing your SSL/TLS configuration.
    more »
  • Lead Image © nerhuz, 123RF.com
    Transport Encryption with DANE and DNSSEC
    Those who think that enabling STARTTLS in the mail client will make their mail traffic more secure are wrong. Only those who bank on DANE can be sure that a mail server or a firewall will not switch off encryption in transit.
    more »
  • Lead Image © Petr Vaclavek, 123RF.com
    Secure your data channel with stunnel
    Stunnel provides a TLS wrapper with extensive configuration options to secure your data over insecure wireless networks.
    more »
comments powered by Disqus