Sandstorm Enterprises® : NetIntercept® 4.0 SSH Decryption

Enabling NetIntercept’s SSH Decryption

NetIntercept can decrypt SSH traffic to and from NI SSH servers. An NI SSH server is an OpenSSH server (version 3.9p1) that has been modified so that NetIntercept can decrypt the traffic exchanged between that server and the clients connecting to it. One copy of NetIntercept can decrypt traffic to and from any number of NI SSH servers, as long as that traffic appears on the monitored network. Please refer to the NI-SSH-README file on the NI SSH CD for further information.

Note: As of 16-Sep-2003, OpenSSH published a Security Advisory describing a possible buffer overflow exploit. We recommend patching your OpenSSH server using the patch described at http://www.openssh.com/txt/buffer.adv.

Ethics. Users expect their communications via SSH to be encrypted and secure. We strongly recommend that you display a notice to all users logging into the NI SSH server, notifying them that their communications are being monitored and that by logging into your server, they implicitly give consent to be monitored and that any information they transmit may be intercepted, recorded, and read by your organization.

Generating Private Keys

Before installing the modified SSH server, you will need to obtain a set of private keys for it. Either use an existing NI SSH server's set, or create a new set as described below:

  1. Start the NI GUI.
  2. Go to the Configuration tab, Modules sub-tab.
  3. Choose SSH from the Module field.
  4. Press the New button to create the new set of private keys. NI will prompt you for a unique identifier, and create the following files:
    • /usr/ni/etc/ssh-export/NIAF-[uniqueid]/niaf.h
      Add this file to the server source before compiling. (See the SSH server installation instructions below.)
    • /usr/ni/etc/ssh-export/NIAF-[uniqueid]/README
      This file contains information about the header file listed above.
    • /usr/ni/etc/niaf-private-keys/NI-SSH-PRIVKEY-[uniqueid]
      This is the encrypted private key used to decrypt traffic to and from an SSH server. To remove NI's ability to decrypt traffic from a particular SSH server, delete the file generated for that server.
  5. NI will prompt you to write the header file to archive media. If you want to create a CD or DVD containing this information, press OK. The entire NIAF-[uniqueid] directory will be written to the archive media.

SSH Server Installation

To install the modified SSH server:

  1. Obtain the modified OpenSSH source code (version 3.9p1-NI) from the CD that shipped with NetIntercept.
  2. Unpack the source code into a directory tree on your SSH server machine.
  3. Move niaf.h from the NI box to the SSH source directory.
  4. Install any security patches you deem necessary. Patches are available from http://www.openssh.com/security.html.
  5. Shut down any SSH servers currently running.
  6. Uninstall any previous versions of OpenSSH on the machine.
  7. Become root.
  8. Compile and install the new SSH server (usually by running configure, make, and make install, in that order). See the OpenSSH install instructions and the NI-SSH-README file on the CD for more information.
  9. Reboot the SSH server machine.
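The installation steps above as a script with preflight checks. This is an added example, not code from the NI-SSH-README or from OpenSSH; it assumes the unpacked 3.9p1-NI source tree and the exported niaf.h are passed as arguments (the paths in the usage comment are hypothetical), and it leaves the package-specific uninstall of the old OpenSSH (step 6) and the reboot (step 9) to the operator.

```shell
#!/bin/sh
# Added example (not from the NI-SSH-README or OpenSSH): the server
# build above as a script with preflight checks. $1 is the unpacked
# 3.9p1-NI source tree, $2 is the niaf.h exported by the NI GUI.
# Uninstalling the old OpenSSH (step 6) and the reboot (step 9) are
# left to the operator.

# Refuse to touch the running server unless the modified source tree
# and the NI header are both where the operator says they are. The
# instructions require niaf.h in the tree before compiling.
ni_preflight() {
    src="$1"; niaf="$2"
    [ -f "$src/configure" ] || { echo "no configure script in $src" >&2; return 1; }
    [ -s "$niaf" ] || { echo "niaf.h missing or empty at $niaf" >&2; return 1; }
    [ ! -f "$src/niaf.h" ] || echo "warning: $src/niaf.h already present, will be replaced" >&2
    return 0
}

# Step 3: copy niaf.h into the source tree and print its checksum, so
# the operator can record which header (and so which key set) went
# into this particular build.
ni_stage_header() {
    src="$1"; niaf="$2"
    cp "$niaf" "$src/niaf.h" || return 1
    cksum "$src/niaf.h" | awk '{print $1}'
}

# Steps 5, 7 and 8: require root, stop the listening sshd (existing
# sessions are separate processes and survive), then configure, make
# and make install in the source tree.
ni_build_install() {
    src="$1"
    [ "$(id -u)" -eq 0 ] || { echo "must run as root (step 7)" >&2; return 1; }
    if [ -r /var/run/sshd.pid ]; then
        kill "$(cat /var/run/sshd.pid)" 2>/dev/null || true
    fi
    (cd "$src" && ./configure && make && make install)
}

# Usage (as root; paths are hypothetical):
#   ni_preflight /usr/src/openssh-3.9p1-NI /tmp/niaf.h &&
#   ni_stage_header /usr/src/openssh-3.9p1-NI /tmp/niaf.h &&
#   ni_build_install /usr/src/openssh-3.9p1-NI
```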

Sandstorm Enterprises develops tools with sharp edges® for information security professionals.
Site materials © 1998 - 2008 Sandstorm Enterprises, Inc. The Sandstorm logo®, LANWatch®, NetIntercept®, PhoneSweep®, Sandtrap®, TCP.demux™, Single Call Detect™, Tools with sharp edges®, Rapid Event Analysis™, and Sandstorm Enterprises® are all trademarks or registered trademarks of Sandstorm Enterprises, Inc.