Thursday, July 8, 2010

Use PuTTY as an SSH client on Windows

The SSH protocol was developed as a secure, encrypted replacement for the RSH protocol. RSH is used for remote shell access to a UNIX (or UNIX-like) system and was once popular among sysadmins before network security became the constant concern it is now. Now, thanks to SSH, the same convenience can be had with an encrypted protocol famous for its versatility and strong security.

While OpenSSH is probably the most used implementation of SSH in the world, PuTTY is likely the most used SSH client for the Microsoft Windows platform.
PuTTY’s basic capabilities

Like OpenSSH, PuTTY is a very versatile tool for remote access to another computer. It’s probably used more often by people who want secure remote shell access to a UNIX or Linux system than for any other purpose, though that is only one of its many uses.

PuTTY is more than just an SSH client. It supports all of the following protocols:

* raw: The raw protocol is normally used for network debugging.
* rlogin: This is an unencrypted UNIX remote login protocol that uses port 513 by default.
* serial: The serial option is used to connect to a serial line. The most common purpose for this is to establish a serial connection between computers in lieu of an Ethernet or other network connection.
* SSH: As already noted, SSH is an encrypted secure remote login protocol, which uses port 22 by default.
* Telnet: Like rlogin, Telnet (telecommunication network) is an unencrypted remote login protocol. It typically uses port 23 and is available on many systems other than UNIX. Like rlogin, Telnet has waned in popularity due to privacy concerns.

In addition to the five protocols supported by PuTTY, it also supports features such as saved session configurations, session logging, locale (language) settings, and proxy sessions.
The importance of SSH on Windows

Of course, there are a number of reasons to use a tool like PuTTY. But the most common purposes are related to the SSH protocol.

* It’s a terrible idea to connect to a Web host over an unencrypted connection for management of your Web hosting account and for file transfers. Using an unencrypted login is a good way to get your Web hosting account “owned” by a malicious security cracker. Using a secure, encrypted protocol like SSH for such purposes is a much better option.
* SSH via PuTTY offers a quick, easy way to securely access a UNIX shell environment from a Windows system. This is handy not only because of the obvious need some people have for working with both Windows and UNIX/Linux systems, but also for both people who are forced to use Windows and want access to the power of the UNIX shell and people who are forced to use UNIX and want the convenience of their Windows environment while they do it.
* As with OpenSSH, PuTTY can be used as a secure Web proxy.
* PuTTY can be used to secure TortoiseSVN connections with a Subversion server.

This is by no means an exhaustive list, but it’s a good start.
Getting PuTTY

Unlike most UNIX and Linux systems, Windows does not come with any SSH server or client software installed by default. Even when they don’t come with OpenSSH already installed, free UNIX and Linux systems generally make it very easy to install.

Luckily, it is almost as easy to install Windows’ most popular SSH client software. All you have to do is download the Putty.exe file for your version of Windows from the PuTTY download page. Yes, it really is that easy. The downloaded executable file is the PuTTY program.

Tuesday, July 6, 2010

Authentication and Authorization in

Authentication and Authorization are two interrelated concepts, which form the core of security for .NET applications. The authentication and authorization processes in ASP.NET are very flexible, simple and can be implemented in the code. ASP.NET is not a standalone product; it is linked with IIS and is, in fact, a layer on top of IIS. So, any request that comes into the ASP.NET process is first authenticated and authorized by IIS. In short, the ASP.NET process is completely unaware if any user has been denied access to any page by IIS. Several security authorities interact when the user raises a request for an ASP.NET page. You must get to know how these processes work in order to fully understand the ASP.NET system.

Below, is the sequence of events involved in the authentication process (jointly done by IIS and ASP.NET):

1. The incoming request is first checked by IIS. If the IP address from where the request is sought is not allowed access to the domain, IIS denies the request.

2. By default, IIS allows anonymous access and hence requests are automatically authenticated. However, this can be overridden for each application within IIS. Next in the sequence, IIS performs this authentication, if it has been configured to do so.

3. As a next step, the authenticated user request is passed to ASP.NET.

4. ASP.NET now checks whether Impersonation is enabled or not. By default impersonation is not enabled in ASP.NET. Generally, some applications require impersonation for ASP compatibility and Windows server authentication.

5. If impersonation is enabled, ASP.NET executes with the identity of the entity on behalf of which it is performing the executing task.

6. If impersonation is disabled, the application runs with the privileges of ASP.NET.

7. Finally, the identity that has been authenticated and checked for in the previous steps is used to request resources from the OS. ASP.NET relies on NTFS file permissions for granting access.

8. If access is granted (successful authorization), ASP.NET returns the user’s request through IIS.