What is an SSH Man-in-the-Middle Attack? | Apple Mac OS X Server

34

What is an SSH Man-in-the-Middle Attack?

An attacker may be able to get access to your network and compromise proper routing information, such that packets intended for a remote computer are instead routed to the attacker who impersonates the remote computer to the local computer and the local computer to the remote computer. Here’s a typical scenario: A user connects to the remote computer using SSH. By means of spoofing techniques, the attacker poses as the remote computer and receives the information from the local computer. The attacker then relays the information to the intended remote computer, receives a response, and then relays the remote computer’s response to the local computer. Throughout the process, the attacker is privy to all the information that goes back and forth, and can modify it.

A sign that may indicate a man-in-the-middle attack is the following message when connecting to the remote computer using SSH.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

@

WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!

@

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Protect against this type of attack by verifying that the host key sent back is the correct host key for the computer you are trying to reach. Be watchful for the warning message, and alert your users to its meaning.

Important: Removing an entry from the known_hosts file bypasses a security mechanism that would help you avoid imposters and man-in-the-middle attacks.

Be sure you understand why the key on the remote computer has changed before you delete its entry from the known_hosts file.

Controlling Access to SSH Service

You can use Server Admin to control which users can open a command-line connection using the ssh tool in Terminal. Users with administrator privileges are always allowed to open a connection using SSH. The ssh tool uses the SSH service. For information about controlling access to the SSH service, see the Open Directory administration guide.

Chapter 2 Connecting to Remote Computers

Image 34

Apple Mac OS X Server manual What is an SSH Man-in-the-Middle Attack?, Controlling Access to SSH Service

Contents

Mac OS X Server Apple Computer, Inc Apple Computer, Inc. All rights reserved Contents Specifying the Target Computer Volume Installing Server SoftwareLocating Computers for Installation Preparing the Target Volume for a Clean Installation Viewing or Changing Media Settings Setting Network PreferencesConfiguring Network Interfaces Managing Network Port Configurations Mounting Volumes Working with Disks and VolumesMounting and Unmounting Volumes Unmounting Volumes 141 Listing Connected Users 142 163 171 214 Apache Tomcat JBoss Server 215 MySQL Database Contents 265 Configuring the Active Directory Plug-In Glossary AppendixIndex Contents About This Guide Command Parameters and Options Using This GuideCommands and Other Terminal Text Understanding Notation Conventions Default Settings Commands Requiring Root Privileges This guide Tells you how to Install Mac OS X Server and set it up for the first timeCreate and manage users, groups, and computer lists. Set up Earlier versions of the server Manage directory and authentication services Set up and manage QuickTime streaming services This guide Tells you how to Executing Commands Opening Terminal Test.c file in the current folder Specifying Files and FoldersPath string Description Folder Redirecting Input and Output Modifying Flow ControlRedirect Description Using Environment Variables Following command in a Terminal window Executing Commands and Running Tools Including Paths Using Drag and Drop Correcting Typing ErrorsRepeating Commands Searching for Text Within a File An example of a configured crontab file Terminating CommandsScheduling Tasks Viewing Command Information Sending Commands to a Remote ComputerTo access a man $ hdiutil help $ dig -h $ diff --help Executing Commands Understanding Secure Shell How SSH Works Password-Less Logins Using SSH Keys Updating SSH Key Fingerprints What is an SSH Man-in-the-Middle Attack? Controlling Access to SSH Service To access a remote computer using ssh Connecting to a Remote ComputerUsing SSH You’re prompted for the user’s password To disable Telnet access Using TelnetTo enable Telnet access To access a remote computer using telnet Installing Server Software To use installer to install Mac OS X Server software Locating Computers for Installation To list volumes available for server software Specifying the Target Computer VolumePreparing the Target Volume for a Clean Installation To list computers on the local network Installing from Multiple CDs Automating Server SetupRestarting After Installation Creating a Configuration File To save a configuration file during server setup Installing Server Software and Finishing Basic Setup To provide a passphrase in a file Working with an Encrypted Configuration FileCustomizing a Configuration File To provide a passphrase interactively Sample Configuration File Installing Server Software and Finishing Basic Setup Installing Server Software and Finishing Basic Setup Configuring the Server Remotely from the Command Line Storing a Configuration File in an Accessible Location Using the serversetup Tool Changing Server SettingsUsing the serveradmin Tool To display the server’s software serial number Viewing, Validating, and Setting the Software Serial NumberGeneral and Network Preferences To set the server software serial number Updating Server Software To check for available updatesTo install an update To validate a server software serial number Moving a Server Installing Server Software and Finishing Basic Setup To restart the local computer Restarting a ComputerAutomatic Restart To restart a remote computer immediately Shutting Down a Computer Changing a Remote Computer’s Startup DiskManipulating Open Firmware Nvram Variables Monitoring and Restarting Critical Services Folder Usage Restarting or Shutting Down a Computer To display the computer name Viewing or Changing the Computer NameViewing or Changing the Date and Time To change the computer name Viewing or Changing the System Time Zone Viewing or Changing the System DateViewing or Changing the System Time Viewing or Changing Network Time Server Usage Viewing or Changing Sleep Settings Viewing or Changing the Energy Saver SettingsViewing or Changing Automatic Restart Settings Changing the Power Management Settings Viewing or Changing the Startup Disk Settings Viewing or Changing Remote Login Settings Viewing or Changing the Sharing SettingsViewing or Changing the International Settings Viewing or Changing Apple Event Response Disables the buttons and 1 enables the buttons Viewing and Changing the Login SettingsTo view the current setting Setting Network Preferences Configuring Network Interfaces Viewing Port Names and Hardware Addresses Managing Network Interface InformationViewing or Changing MTU Values Creating or Deleting Port Configurations Managing Network Port ConfigurationsViewing or Changing Media Settings Activating Port Configurations To change the order of the port configurations Managing TCP/IP SettingsChanging a Server’s IP Address Run the changeip tool To change a server’s IP addressTo change the IP address of a standalone server To view TCP/IP settings for a particular port or device To list TCP/IP settings for a configurationTo view TCP/IP settings for port en0 To change TCP/IP settings for a particular port or device Viewing or Changing DNS Servers Working with VLANs Enabling TCP/IPIeee 802.3ad Ethernet Link Aggregation Configuring a Network Interface Configuring Ethernet Link Aggregation Managing AppleTalk Settings Managing Snmp Settings Starting Snmp Installing SnmpOpen the /etc/hostconfig file Locate the line Immediately above it, add this line To identify the process id Configuring SnmpTo start the snmp agent manually To stop snmpd To start snmpd, execute this as root Collecting Snmp Information from the HostTo view the snmp.conf file Other options in the menu you were working in are Managing Proxy Settings Viewing or Changing FTP Proxy Settings Viewing or Changing Streaming Proxy Settings Viewing or Changing Web Proxy SettingsViewing or Changing Secure Web Proxy Settings Viewing or Changing Gopher Proxy Settings Viewing or Changing Socks Firewall Proxy Settings Managing AirPort SettingsViewing or Changing Proxy Bypass Domains Computer Name Managing the Computer, Host, and Bonjour NamesHostname Bonjour Name Managing Preference Files and the Configuration DaemonCommand displays 0 if the name was changed To display the server’s Bonjour name To set the hostname of a system Changing Network LocationsTo get the hostname of a system To view the current locations This example, the network location will switch to AirPortComputer will respond with output similar to the following Mounting and Unmounting Volumes Understanding Disks, Partitions, and the File System To unmount a volume Mounting VolumesUnmounting Volumes To view a list of currently mounted file systems Monitoring Disk Space To enable diskspacemonitorDisplaying Disk Information To display disk information Reclaiming Disk Space Using Log-Rolling Scripts Erasing, Modifying, Verifying, and Repairing Disks To mount a drive To get mount info about a partitionTo erase and repartition a disk Partitioning and Formatting Disks To format a Mac OS Extended volume as case-sensitive HFS+Command Description Partitioning a Disk Formatting a Disk Checking for Disk ProblemsLabeling a Disk To fomat a disk To see if journaling is enabled Checking to See If Journaling is EnabledEnabling Journaling for an Existing Volume To enable journaling Disabling Journaling Enabling Journaling When You Erase a DiskUnderstanding Spotlight Technology Enabling and Disabling Spotlight Restart your server To enable Spotlight on your serverPerforming Spotlight Searches To view the metadata of a file Managing RAID Volumes Controlling Spotlight Indexing To image a boot volume Imaging and Cloning Volumes Using ASRTo repair a failed mirror To restore a volume from an image Working with Users and Groups Understanding Accounts To create a local administrator user account Administering and Creating AccountsCreating a Local Administrator User Account for a Server To create an local administrator user with a specific UID Creating a Domain Administrator User Account To create a domain administrator user account To find the Guid of the administrator user Checking a User’s Administrator PrivilegesCreating a Nonadministrator User Account To see if a user is a server administrator Specify the user ID, replacing 1234 with the new user’s ID 102 To retrieve a user’s Guid Retreiving a User’s GuidRemoving a User Account Review the Guid for a particular user Disable the user account by entering the following command Revoking a User’s Right to Access His or Her AccountTo prevent a user from logging To reenable a user account that is disabled To terminate all of a user’s processes Checking a Server User’s Name, UID, or Password To change a user account attribute to a new value Modifying a User AccountAttribute Description Creating a Mobile User Account To create a mobile account Creating a User’s Home Folder Managing Home FoldersTo flush the cache To create a home folder for a particular user Mounting a User’s Home Folder Administering Group AccountsTo create a home folder for users in the local domain To mount a user’s shared home directory on an AFP server Creating a Group Account To add a group account Removing a Group Account You can remove group accounts by using the dscl toolTo remove a group account Adding a User to a Group You can add users to a group using the dscl toolTo add a user to a group Removing a User from a Group You can remove users from a group by using the dscl toolTo remove a user from a group Review the new settings of the group To create a nested group Creating and Deleting Nested GroupTo verify a nested group To display the information about a particular group Editing Group RecordsTo unnest a group To delete a group To create a group folder Viewing the Workgroup a User Selects at LoginCreating a Group Folder See the CreateGroupFolder man page for more information Importing Users and Groups To import users and groups Writing a Record Description Creating a Character-Delimited User Import FileNumber of attributes in each account record 121 Using the StandardGroupRecord Shorthand Using the StandardUserRecord ShorthandAn example user account looks like this Some examples of permission settings Setting PermissionsViewing Permissions Setting the umask for Individual Users Use one of the following values to set the permission level Use the chmod tool to change permissions for an item Changing PermissionsSee the chmod man page for more information Changing the Group Securing System AccountsChanging the Owner Securing Initial System Accounts Securing the Root Account To disable root loginEnter the root password when prompted Restricting Use of the sudo Tool Securing Single-User Boot To set the Open Firmware password for increased security Setting Password PolicyComputer should restart and display the login window To set the minimum password length to 5 characters To change a user’s passwordTo view the global password policy To set a more secure global password policy See the pwpolicy man page for more information Access the help prompt and enter the command nameFinding User Account Information To query for a user by name 132 Working with File Services Managing Share Points To list existing share points Listing Share PointsCreating a Share Point To create a share point To change share point settings Modifying a Share Point Checking AFP Service Status Managing the AFP ServiceStarting and Stopping AFP Service Viewing AFP Settings To change a setting Changing AFP SettingsList of AFP Settings To change several settings Whether the AFP service should restart automatically when Allow an administrator user to masquerade as another userAuthentication mode. Can be Location of the error log Last time the login greeting was set or updated Record user logins in the activity logLogin greeting message Default = -1unlimited List of AFP serveradmin Commands To list connected users Listing Connected UsersValue returned by getConnectedUsers To send a message Disconnecting AFP UsersSending a Message to AFP Users To disconnect users Computer will repond with the following output Canceling a User DisconnectTo cancel a user disconnect Value Description To list service statistic samples Listing AFP Service StatisticsComputer will respond with the following output To display the log paths Viewing AFP Log FilesTo view the latest entries in a log Value displayed by Checking NFS Service Status Managing the NFS ServiceStarting and Stopping NFS Service Viewing NFS Service Settings Stopping FTP Service Managing the FTP ServiceStarting FTP Service Checking FTP Service Status List of FTP Service Settings Changing FTP Service SettingsParameter ftp Description Prompted to log in to the FTP. Customize to your Directory in which the FTP content is storedDisplays a banner message that appears when Own preferences Viewing the FTP Transfer Log List of FTP serveradmin CommandsChecking for Connected FTP Users Checking SMB/CIFS Service Status Managing the SMB/CIFS ServiceStarting and Stopping SMB/CIFS Service Viewing SMB/CIFS Service Settings List of SMB/CIFS Service Settings Changing SMB/CIFS Service SettingsParameter smb Description Low errors and warnings only Browser service. Can be set toAdvanced pane of Windows service settings in the Server Medium service start and stop, authentication failures Windows service settings in the Server Admin Server’s NetBIOS name. Can be set to a maximumPane of the Windows service settings in the Server Admin This corresponds to the Wins Registration Off and Enable List of SMB/CIFS serveradmin Commands Listing SMB/CIFS Users To list SMB/CIFS connections Disconnecting SMB/CIFS UsersListing SMB/CIFS Service Statistics Computer responds with the following output Location of the name service log Viewing SMB/CIFS Service LogsLocation of the SMB service log Managing ACLs To grant a user write permission for a file Using chmod to Modify ACLsFollowing are the permissions applicable to folders To deny a guest read permission for a file To view the ACL of a file Output should look like the following 160 Working with the Print Service Understanding the Print Process To start print service Performing Print Service TasksStarting and Stopping Print Service To stop print service Viewing Print Service Settings Checking the Status of Print ServiceChanging Print Service Settings Print Service Settings Parameter print Description Queue Data Array Parameter printDescription Command printcommand= Description Managing the Print ServiceFollowing is an example of a queue array parameter block Listing Jobs and Job Information Pausing a QueueListing Queues To pause a queue To hold a job Holding a JobTo release the job Viewing Cover Pages Viewing Print Service Log FilesTo obtain a list of available cover pages 170 To start NetBoot service Understanding the NetBoot ServiceStarting and Stopping NetBoot Service To stop NetBoot service Viewing NetBoot Settings Checking NetBoot Service StatusChanging NetBoot Settings Parameter netboot Description Changing General Netboot Service SettingsVolume parameter array Storage Record Array Filters Record Array Image Record Array To enable NetBoot Enabling NetBoot 1.0 for Older NetBoot ClientsPort Record Array Working with System Images Booting from an ImageUsing hdiutil to Work with System Images Updating an Image Using asr to Restore System Images Imaging Multiple Clients Using Multicast asr Choosing a Boot Device Using systemsetup To configure a client to receive a multicast stream Understanding the Mail Service Postfix Agent Cyrus Mailman Checking the Status of Mail Service Managing the Mail ServiceStarting and Stopping Mail Service Viewing Mail Service Settings Mail Service Settings Parameter mail Description Default = domain Default = 500sDefault = 1s Default = += Default = 1000s Default = 0sDefault = postfix Default = -=+ Default = 60s Default = flockDefault = flush Default = postdrop Default = mail Default = 10sDefault = /usr/bin Default = none Default = qmgr Default = smtpDefault = 7d Default = fcntl Default = 5d Default = errorDefault = showq Default = host Default = deferred Default = incomingDefault = active Default = bounce Default = rewrite Default = virtualDefault = $home Default = 600s Default = Default Default = 30sDefault = hash Default = c Default = cyrus Default = auxprop 193 Listing Mail Service Statistics Mail serveradmin CommandsTo list samples To display the log locations Viewing the Mail Service LogsDefault = srvr.log Location of the server log Backing Up the Mail Files Reconstructing the Mail Database Generating a CSR and Creating a Keychain Setting Up SSL for Mail ServiceEnter a key size at the next prompt, and then press Return 199 Importing an SSL Certificate into the Keychain Accessing the Server CertificatesObtaining an SSL Certificate To import an SSL certificate into the keychain To create a password file Creating a Password FileSee the certadmin man page for more information To list the certificates stored in the System keychain Configuring Mailboxes Enabling Sieve Scripting Enabling Sieve Support To enable Sieve supportReload the mail service Sample Sieve Scripts Self-Defined Forwarding Script Basic Sort and Anti-Junk Mail Filter Script Sieve Scripting Resources 206 Understanding Web Technology Files Location Checking Web Service Status Managing the Web ServiceStarting and Stopping Web Service Viewing Web Settings Serveradmin and Apache Settings Changing Web SettingsChanging Settings Using serveradmin Viewing Service Statistics Web serveradmin CommandsViewing Service Logs Listing Hosted Sites V2-Throughput bytes/sec Value you want to display. Valid valuesV1-Number of requests per second V3-Cache requests per second Addsite File Example Script for Adding a WebsiteAddsite.in File Tuning the Server Performance To run the script JBoss Server Working with Application Servers and JavaApache Tomcat To start Apache Tomcat To start JBoss, enter the following To install the default databaseMySQL Database To stop JBoss, enter the following To set the network option To set the root passwordTo create a database To start mysqld Working with Network Services Managing Network Services Checking the Status of Dhcp Service Managing the Dhcp ServiceStarting and Stopping Dhcp Service Viewing Dhcp Service Settings To see a list of available service settings Changing Dhcp Service SettingsDhcp Service Settings To change a single Dhcp setting About Subnet IDs Dhcp Subnet Settings ArraySubnet Parameter Wins pane of the subnet settings in the Server General pane of the subnet settings in the ServerNot set default Lease time in seconds To add a subnet Corresponds to the NetBIOS Scope ID field in the WinsAdding a Dhcp Subnet Domain name such as apple.com To add a static map Adding a Dhcp Static MapAbout Static Map IDs Command Dhcpcommand=Description List of Dhcp serveradmin CommandsViewing the Dhcp Service Log Determine the location of the Dhcp service logs Checking the Status of DNS Service Managing the DNS ServiceStarting and Stopping the DNS Service Viewing DNS Service Settings List of DNS serveradmin Commands Changing DNS Service SettingsDNS Service Settings Viewing the DNS Service Log Configuring IP Forwarding Managing the Firewall Service Viewing Firewall Service Settings Starting and Stopping Firewall ServiceChecking the Status of Firewall Service Firewall Startup Firewall Service Settings Changing Firewall Service SettingsParameter ipfilter Description Ipfilter Groups with Rules Array Defining Firewall RulesAdding Rules by Modifying ipfw.conf Unmodified ipfw.conf file To add a rule Adding Rules Using serveradminPing cracker.evil.org to determine its IP address An example of this would be similar to the following Firewall serveradmin Commands Ipfilter Rules Array Using Firewall Service to Simulate Network Activity Managing the NAT ServiceViewing Firewall Service Log Location of the ipfilter service log Viewing NAT Service Settings Starting and Stopping NAT ServiceChecking the Status of NAT Service Changing NAT Service Settings NAT serveradmin Commands NAT Service SettingsParameter nat Description Viewing the NAT Service Log Port Mapping Checking the Status of VPN Service Managing the VPN ServiceStarting and Stopping VPN Service Viewing VPN Service Settings Default = Keychain Changing VPN Service SettingsList of VPN Service Settings Default = IPSec Default = PPP Default = ManualDefault = L2TP Default = Dsacl Default = Mppe Default = PptpDefault = EAP-RSA VPN Service Log on this List of VPN serveradmin CommandsViewing the VPN Service Log Restarted. See Using the serveradmin Tool on Location of the VPN service log Configuring Site-to-Site VPNSite-to-Site VPN Adding a VPN Keyagent User IP Failover Operation Setting Up IP FailoverIP Failover Prerequisites Hardware Requirements To enable IP failover Enabling IP Failover Notification Only Configuring IP FailoverPre and Post Scripts To restore the NAT service to its default configuration Restoring the Default Configuration for Server ServicesEnabling PPP Dial-In To restore the Qtss service to its default configuration To restore the Dhcp service to its default configurationRe-create the two default records To restore the DNS service to its default configuration To restore the VPN service to its default configuration Testing Your Open Directory Configuration Using General Directory ToolsUnderstanding Open Directory Modifying a Directory Domain Testing Open Directory Plug-insChanging Open Directory Service Settings Registering URLs with SLP LDAPTimeoutUnits Default = minutes LDAPServerBackend Configuring LdapPasswordOptionsString Managing OpenLDAP Standard Distribution Tools Configuring slapd and slurpd DaemonsTool Used to Idle Rebinding Options Delay RebindIdle Timeout Searching the Ldap Server 256 257 Using Ldif Files Managing NetInfo Configuring NetInfoAdditional Information About Ldap Viewing or Changing Password Policies Managing Open Directory PasswordsOpen Directory Password Server Enabling or Disabling Authentication Methods To dump the KDC’s database Kerberos and Apple Single Sign-OnBacking Up the Kerberos Database To load KDC data from a dumped file To add a principal To add a service principalPrincipal Management To delete a principal Using kadmin to kerberize a service Using Directory Service ToolsOperating on Directory Service Directory Domains To kerberize a service from a terminal running on that host Finding Network Information Manipulating a Single Named Group Record To add an Ldap server Adding or Removing Ldap Server ConfigurationsConfiguring the Active Directory Plug-In To remove an Ldap server 266 Performing Qtss Service Tasks Understanding QuickTime Streaming Server Viewing Qtss Settings Starting and Stopping the Qtss ServiceChecking Qtss Service Status Changing Qtss Settings Default = qtaccess Qtss SettingsDescriptions of Settings Look in the sample file for Default = admin Default = digest Listing Current Connections Default = qtssManaging Qtss Logs on For connections v1, this is integer average number Viewing Qtss Service StatisticsConnections To force Qtss to reread its preferences Send a HUP signal to this processForcing Qtss to Reread its Preferences List the Qtss processes To set up Sites/Streaming/ in older home folders Configuring Streaming SecurityResetting the Streaming Server Admin User Name and Password To reset the user name and password Controlling Access to Streamed Media Creating an Access File Path and filename of the user file Between terms, make sure you enclose the entire messageQuotation marks Qtusers Adding or Deleting Groups Accessing Protected MediaAdding User Accounts and Passwords Making Changes to the User or Group File Create QuickTime Atom ref movie with extension .qtl Manipulating QuickTime and MP4 MoviesCreating Reference Movies Create XML text ref movie with extension .qtl 280 Configuring the Log File Configuring Your System Logging Local Logging Configuring Remote Logging on a Server Configuring Remote Logging on a Client ComputerTo enable remote logging on a client computer Remote Logging Or match a single host like this Open /etc/rc and locate the following line PCI RAID Card Command Reference 286 287 288 Glossary Computer account See computer list Directory node See directory domain Full name See long name 292 293 294 Relay point See open relay Search path See search policy 297 298 136 Example Stopping service Naming 41 AccessSecuring Chgrp tool ACL access control list Restoring images Logs Lpr Backup Cyrus Mail files Image Booting from 176 updating Dynamic Host Configuration Protocol. See DhcpError messages command not found Executing commands Disk journaling Kerberosautoconfig tool 261 keychain Backing up Principal management 262 tools and utilities 302 QuickTime Streaming Server. See Qtss Used by ldapsearch 255 scheduling tasks AFP DNS Viewing service logs 239 Terminating commandsTime, viewing or changing 57 Stopping service Tools for remote configuration