The ERCB's Guide for Reviewers says that four stars is for "must have" books. I had been using SSH for nearly four years before reading SSH - The Secure Shell, so I don't think it meets the four-star criterion. However, I did learn more about SSH than I expected, mostly about improving security and adding convenience. Though SSH is a secure protocol and most implementations are quite good, it can be weakened by a naive setup. SSH - The Secure Shell is the antidote to a naive setup. When using SSH frequently in a hostile environment (e.g., over the Internet), it is a "better have" book.
SSH - The Secure Shell mainly covers the original SSH1, SSH2 from SSH Communications Security, Inc. (SCS), and OpenSSH from the OpenBSD project. Other implementations are briefly covered. After an explanation of the SSH architecture and an introduction to basic SSH client usage, the authors cover installation, server configuration, key management, advanced client usage, and client configuration. Beyond the expected command line options and configuration file details are what-to and why-to sections: what to do in the case studies and why to use, or not use, the various authentication mechanisms. I have been using password authentication, believing it was the most secure method. Recently I started using public key authentication with a key management agent because I was tired of continually re-typing my password.
It turns out that public key authentication is more secure. Passwords are sent over the encrypted channel and decrypted on the server side, so a compromised or evil server can steal them. With public key authentication, the server encrypts a random challenge with your public key and passes it to your client, which decrypts it with the private key, combines it with the session key, and sends the MD5 hash back. The server compares the returned hash with its own calculation to verify your identity. Including the session key prevents a corrupt server from using the authentication to impersonate you on some other site. Note that neither key is ever sent over the link. Public key authentication also offers more per-account configuration to restrict connecting hosts and allowed commands. For example, a public-private key pair could be used only for backups: the client host could be restricted to just the backup server and only the tar command allowed.
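The backup-only key pair mentioned above, worked through as an added example (not the book's or OpenSSH's code): a small parser for the `from=` and `command=` options of an OpenSSH authorized_keys line and the decisions they produce for a connecting host and a requested command. The key line, host names and addresses are constructed samples; the pattern matching is approximated with Python's fnmatch rather than OpenSSH's own matcher.

```python
"""Model of per-account restrictions in an OpenSSH authorized_keys line.

Added example, not code from the book or from OpenSSH. The sample line
and the connection attempts are constructed.
"""
import fnmatch

# Constructed line: only the backup host (by name or by a 10.0.0.x address)
# may use this key, and whatever it asks for, the server runs tar instead.
SAMPLE_LINE = (
    'from="backup.example.com,10.0.0.?",command="/usr/bin/tar -cf - /srv/data" '
    "ssh-rsa AAAAB3EXAMPLEKEYDATA= backup@nas"
)

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _split_unquoted(text, sep):
    """Split on `sep` outside double quotes; option values may contain spaces and commas."""
    parts, current, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
            current.append(ch)
        elif ch == sep and not quoted:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p for p in parts if p]


def parse_authorized_key(line):
    """Return (options, key_type, key_blob, comment) for one authorized_keys line."""
    fields = _split_unquoted(line.strip(), " ")
    options = {}
    if not fields[0].startswith(KEY_TYPE_PREFIXES):      # an options field is present
        for item in _split_unquoted(fields[0], ","):
            if "=" in item:
                name, value = item.split("=", 1)
                options[name.lower()] = value.strip('"')
            else:
                options[item.lower()] = True             # flag options such as no-pty
        fields = fields[1:]
    key_type, key_blob = fields[0], fields[1]
    return options, key_type, key_blob, " ".join(fields[2:])


def host_permitted(options, hostname, ip):
    """Apply a `from=` pattern list: a negated match denies, any other match allows."""
    pattern_list = options.get("from")
    if pattern_list is None:
        return True                                      # no host restriction on this key
    allowed = False
    for pattern in pattern_list.split(","):
        negated = pattern.startswith("!")
        glob = pattern[1:] if negated else pattern
        if fnmatch.fnmatchcase(hostname, glob) or fnmatch.fnmatchcase(ip, glob):
            if negated:
                return False
            allowed = True
    return allowed


def effective_command(options, requested):
    """Apply `command=`: the forced command runs; the request is only exported to it."""
    forced = options.get("command")
    if forced is None:
        return requested, {}
    env = {"SSH_ORIGINAL_COMMAND": requested} if requested else {}
    return forced, env


if __name__ == "__main__":
    opts, _, _, comment = parse_authorized_key(SAMPLE_LINE)
    print(comment, "from backup host:", host_permitted(opts, "backup.example.com", "10.0.0.5"))
    print(comment, "from a laptop:", host_permitted(opts, "laptop.example.com", "192.0.2.9"))
    print("requested 'rm -rf /srv/data' ->", effective_command(opts, "rm -rf /srv/data"))
```

The practical point is in `effective_command`: with a forced command, a stolen backup key lets an attacker run tar, and only tar, from an allowed host; whatever they typed is merely visible to that tar wrapper in SSH_ORIGINAL_COMMAND.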
Hold off on doing anything other than fixing gaping security holes until you reach Chapter 10. It gives recommended build options, server and client configurations, and key management policies. Up to this point, the authors had been very good about covering SSH1, SSH2, and OpenSSH. However, in this chapter only SSH1 and SSH2 are covered. For OpenSSH, I had to refer back to previous chapters for the syntax of some recommendations, and found that other recommended options do not exist in OpenSSH.
Chapter 11 has several case studies: SSH in batch or cron jobs, SSH with FTP (hint: it's troublesome), SSH with Kerberos, Pine with SSH and IMAP, and connecting through an intermediate host.
There is a good chapter on troubleshooting. Of course, it cannot cover every problem, but it does give Rule One for debugging SSH problems: turn on verbose messages (-v).
The final five chapters cover other implementations: a Windows port of the SSH1 server, SecureCRT (a Windows client), F-Secure client (Windows and Macintosh clients), and NiftyTelnet SSH (Macintosh client). PuTTY is recommended in a table of features for Windows clients, but there is no other mention of it. I have used it and did not bother reading the documentation (if any), so maybe they said all that is needed.
I did wish for more coverage of One-Time Password (OTP) support. They mention several implementations, including commercial and hardware products, but nothing on where to get the open/free-source S/KEY or how to install it. When I travel, it is nice not to have to carry a laptop to check my e-mail. So far, I have used friends' and family's computers with an SSH client or an HTTPS Web browser. However, I would like to use public systems, and while I trust my friends and family, I don't always trust them to keep their computers free of key-grabbing trojans. Knowing that OTP exists and can be used with my SSH server may be all the hint I need.
In summary, SSH - The Secure Shell (or a book like it) is a "better have" when using SSH more than casually. The writing is transparent (it doesn't draw attention to itself). Clearly the authors have worked with SSH extensively (the section on FTP is not something you can get from the program documentation). Woven throughout is a gentle critique of where the program's design choices could have been better. I expect that this book is going to stay within reach for a week or two while I get my SSH setups running effortlessly, and then it will move to the archival bookcase until I need to set up a new computer. That's how I like things to work: set it up right once and then it just works.
-- Jeffrey Taylor (jeff.taylor@ieee.org)
1. Introduction to SSH
2. Basic Client Use
3. Inside SSH
4. Installation and Compile-Time Configuration
5. Serverwide Configuration
6. Key Management and Agents
7. Advanced Client Use
8. Per-Account Server Configuration
9. Port Forwarding and X Forwarding
10. A Recommended Setup
11. Case Studies
12. Troubleshooting and FAQ
13. Overview of Other Implementations
14. SSH1 Port by Sergey Okhapkin (Windows)
15. SecureCRT (Windows)
16. F-Secure SSH Client (Windows, Macintosh)
17. NiftyTelnet SSH (Macintosh)
Appendix A. SSH2 Manpage for sshregex
Appendix B. SSH Quick Reference
Index