SUSE Conversations


Remote Installation of SUSE with SSH



By: DamianMyerscough

August 21, 2007 1:48 pm

Reads:250

Comments:0

Rating:0

Problem:

Performing a remote installation of SUSE over VNC poses a possible security as the installation traffic travels over the wire unencrypted.

Solution:

Perform a remote installation over SSH which will encrypt traffic traveling over the wire.

Remote installation of SUSE with SSH

The installation of SUSE over SSH (Secure Shell) is as simple as installing SUSE over VNC (Virtual Network Computing). The major difference between installing SUSE over SSH is that SSH provides encryption throughout the duration of the installation, whereas VNC uses encryption just for the initial connection thereafter the data is transmitted in clear text.

This article shows the security weakness in a SUSE installation over VNC and why SSH is a better choice security wise. The first section of this article shows VNC and SSH security differences by sniffing the network traffic of a VNC and SSH installation revealing possible security threats. If you are just interested in setting up SUSE over SSH jump to the “Installing SUSE over SSH” section.

SSH vs VNC

In this section of the article you will see why I recommend performing a SSH installation of SUSE rather than a VNC installation. One of the major factors that you are probably wondering is, if you do a SSH installation will it have to be a text based installation and the answer is “NO”. SSH has the capabilities of forwarding X11 traffic to your screen similar to VNC, however you will not be able to access the installation screen via a web browser which VNC provides and you will need a SSH client when installing SUSE over SSH.

Sniffing VNC traffic

When sniffing VNC traffic it is possible to gather sensitive data, Table 1 shows what type of data can be gathered from sniffing a SUSE installation over VNC. The data that can be captured could prove useful to a cracker.

Data
Authentication result. Mouse position.
Screen width. Text stored in the servers cut/copy clip board.
Desktop name. Share desktop flat which indicates whether the installation can be accessed by more than one client.
Mouse button. Authentication response which is the clients encrypted response to the servers authentication challenge.

Table 1: Sensitive data.

The data that is listed in Table 1 is not encrypted as VNC only encrypts the initial connection which is when the password is sent over the wire, after that traffic is send in clear text. Figure 1 shows a screenshot of the data listed in Table 1 being captured on a private network with Wireshark.

Click to view.

Figure 1: Sniffing VNC traffic.

As you can see from Figure 1 the desktop name has been captured: “root’s installation desktop (192.168.0.2:0)” and has not been encrypted, which shows the data has been transmitted over the network in clear text.

Sniffing SSH traffic

When performing an installation of SUSE over SSH the data is encrypted before it is sent over the network thus revealing no useful data for crackers. All traffic that is transmitted between the two machines is encrypted even after the initial connection the data is still encrypted. Figure 2 shows the traffic that was captured while performing an installation of SUSE over SSH.

Click to view.

Figure 2: Sniffing of a SSH installation.

Installing SUSE over SSH

The installation of SUSE over SSH is very simple and just requires two arguments to be passed into the boot options. The two arguments that are to be passed into the boot options are “UseSSH=1″ and “SSHPassword=<Password to be used>”. The first argument sets the installation to use SSH the second argument sets a temporary password for the SSH installation, Figure 3 shows the two arguments in the boot options. If you are paranoid of shoulder surfers it is possible to not specify the “SSHPassword=” argument and when you start the installation you will be asked for a temporary SSH password which will be echoed on the screen as asterisk characters (*).

Click to view.

Figure 3: SUSE boot screen.

Once you have typed the two arguments into the boot options you can press the return key and SUSE will begin setting up a SSH server. Once the machine has network connectivity you can move to another machine and being the installation. The user you need to SSH in as is “root” and you will also need to use the -X qualifier to forward the X11 traffic to your machine as shown in Figure 3.1.

If you have a busy network or just what to compress the data being transmitted between the two machines you can use the -C qualifier, which will compress the data being transmitted using the gzip compression algorithm.

damian@server2:~ #  ssh -X root@192.168.0.2 
The authenticity of host '192.168.0.2 (192.168.0.2)' can't be established. 
DSA key fingerprint is d3:8e:48:6c:5a:e4:45:ac:80:d9:7f:bc:16:a3:7a:a3. 
Are you sure you want to continue connecting (yes/no)? yes 
Warning: Permanently added '192.168.0.2' (DSA) to the list of known hosts. 
root@192.168.0.2's password: 

SUSE Linux Enterprise Server 10 Installation 

/usr/X11R6/bin/xauth:  creating new authority file /root/.Xauthority 
#[11;0]Welcome to the inst-sys... 
Linux 192.168.0.2 2.6.16.21-0.8-default #1 Mon Jul 3 18:25:39 UTC 2006 i686 athlon i386 GNU/Linux 
/root 

run yast to start the installation 

inst-sys:~ #

Figure 3.1: SSH into the server.

Once you have connected to your server you can begin the installation by issuing the “yast” command which will begin the installation and forward the X11 traffic to your machine as shown in Figure 3.2.

Final Thoughts

Now that you know how easy it is to install SUSE over SSH I hope you will choose this method over the traditional VNC. I would also recommend reading the SSH man pages to see what other qualifiers you can use to aid you with your installation.

Environment:

This article was tested on SUSE Linux Enterprise Server 10

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

Tags: , ,
Categories: SUSE Linux Enterprise Desktop, Technical Solutions

Disclaimer: As with everything else at SUSE Conversations, this content is definitely not supported by SUSE (so don't even think of calling Support if you try something and it blows up).  It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.

Comment

RSS