SSH Use and Users
(or I knew what you knew, but now I don't!)

Jeremy Mates
jmates@u.washington.edu
Department of Molecular Biotechnology
University of Washington

Notes: This presentation will be archived online at the Cellworks website: http://cellworks.washington.edu/sage/meetings/1999/06/ssh.pdf

The Road Map

- Introduction
- How SSH works
- Installation
- Configuration
- Authentication
- Examples & Applications
- Legal Stuff & the Future

What is SSH?

- Drop-in replacement for standard unencrypted unix utilities such as telnet, rlogin, and rsh.
- Agent which allows arbitrary TCP/IP (and X11) connections to be forwarded over a secure channel.
- Great for untrusted hosts on insecure networks (and paranoid sysadmins working from home).

Do I Need SSH?

- No, if you trust your local users/ISP/Script Kiddies/Crackers to play fair.
- No, if you use protocols that can't be routed over SSH (e.g. UDP based services), or your client machines don't support SSH.
- Otherwise, SSH will benefit your network.

Notes: A traceroute I did from work to home took ten hops, crossed eight different networks, and went past five different providers. Most platforms have some degree of support for SSH. I hear in the 1950s, everyone left their doors unlocked. We live in very different times now.

Section 2: How SSH works (The magic Black Box)

How it works

- RSA public-key cryptography is used during the handshake between client and server.
- Various algorithms (IDEA, Blowfish, Triple DES) for the subsequent session (speed vs. security).
- The session is always encrypted.
- Allows gzip based compression (for slow links).

Notes: RSA has a patent on the RSA public-key cryptography in SSH, until January 1, 2000. RSA can be found at http://www.rsa.com/ Some of the algorithms (and RSA's part, for that matter) have licenses that make their use in various situations illegal. More on this later.

Section 3: Installation (go ./configure :)

Supported Platforms

- SSH 1 (client and server) has been ported to most flavors of unix (e.g. Solaris, IRIX, AIX, HPUX, Digital Unix, BSD, Mac OS X, etc.) and Linux.
- SSH 1 clients are available for Windows, Mac OS, Palm Pilot, the Java VM and more.
- SSH 2 has been ported to fewer platforms; considered developmental by most.

Notes: Concentrate on the installation of SSH for unix. The Windows key-gen-wizard-installs are easy if one has a grasp of the essentials from the unix side.
You can grab the latest free versions at: ftp://ftp.cs.hut.fi/pub/ssh/

./configure (Build Options)

For a complete listing of options, use:

    ./configure --help

Some important options:

    --disable-rsh
    --without-idea
    --disable-asm
    --with-libwrap[=]
    --with-socks
    --disable-server-port-forwardings
    --disable-server-x11-forwarding
    --with-etcdir=/etc/ssh

Notes: As shown later, if an intruder can get through your firewall using SSH, and you have left port forwarding on, the intruder will essentially have complete access to your internal network, bypassing the firewall rules completely. The --with-etcdir option is a favorite of mine, as SSH uses a gaggle of /etc files, and less clutter in /etc is a good thing, IMHO...

make & install (More Building)

- Typically one does a make; make install after configuration is complete.
- You can install SSH on an NFS drive with make install on the build host, then use make hostinstall to locally configure each other NFS host.
- To replace the r* suite: move rsh, rlogin, rcp aside, then link originals to ssh, slogin, and scp.
- Maintain the /etc/ssh_known_hosts file.

Notes: The following command will give you a rough idea of what other make options are possible, as some programs really don't tell you what's in there:

    $ grep '^[^ ]*:' Makefile.in

The infamous Berkeley r* suite hacks that somehow became part of the standard unix distributions are rsh, rlogin, and rcp. If you're serious about eradicating these utilities, comment them out of /etc/inetd.conf, and delete the binaries from disk (or at the very least strip off the suid bit). Move the r* utilities into a different folder when you move them aside, then remind ssh where to find them with ./configure --with-rsh=path_to_rsh.
Otherwise, ensure that the links to the ssh utilities come before the r* ones in the $PATH variable such that the proper binary (ssh) is called.

Building Checklist

- ./configure (with local options as needed).
- make
- make install
- make hostinstall (if doing the NFS thing on other computers).
- install a boot script, if not running SSH out of inetd.

Notes: A sample SysV style init script:

    #!/bin/sh
    # Start or stop sshd at boot (SysV style).
    case "$1" in
    start)
        # Only start the daemon if the binary is installed and executable.
        if [ -x /usr/local/sbin/sshd ]; then
            /usr/local/sbin/sshd
        fi
        ;;
    stop)
        # Signal the process recorded in the pid file, then remove the file.
        kill `cat /var/run/sshd.pid`
        rm -f /var/run/sshd.pid
        ;;
    esac

Known to work on Linux and Digital Unix. Solaris uses a different /var/run location (/etc as I recall). If you're lazy, you probably could just stick /usr/local/sbin/sshd into your rc.local file (or moral equivalent).

Section 4: Configuration

Configuration: SSH is flexible

- server has many config options as well in /etc/sshd_config, more if using TCP Wrappers.
- global ssh_known_hosts file allowed (if using NFS or similar sharing) in addition to local one.
- client (/etc/ssh_config) and user-specific config files (~/.ssh/config), also command line options.
- 5 different basic authentication methods.
- has good man pages, worth the read.

Notes: .rhosts, .rhosts w/ RSA host, RSA password, TIS password, generic password.

Configuration: sshd

- sshd reads /etc/sshd_config on start or SIGHUP
- After installation, develop a system (or site) wide server config file.
- Important command line options:

    -d    debug mode. Runs in foreground.
    -i    reminds ssh it is running from inetd.

Notes: You probably will want to write a policy governing how ssh should be run at your site, given the flexibility ssh offers (and how well it can log actions). See the sshd man page for a complete list of switches.
Most switches can be specified by using directives in the /etc/sshd_config file.

Configuration: /etc/sshd_config

Choice Options:

- This is where the allowed authentication methods are set or disabled.
- Deny/Allow directives based on username, primary group, or host/IP of client.
- X11Forwarding, AllowTCPForwarding
- StrictModes - great for misconfig spotting.

    Jun 10 14:46:13 server sshd[15472]: log: Rsa authentication refused for ontherange: bad modes for /home/ontherange

Notes: ~45 different config options for this file. See the man page for a complete rundown on each. Most probably will never be used. More on the different authentication means later. One might want to disable X11 or TCP forwarding, if you don't want X11 connections back to the client, or want to stop folks from being able to open arbitrary TCP forwards. If security on TCP forwards is an issue, see the TCP Wrapper section below that has options for limiting such problems.

Configuration of ssh (client)

- ssh uses global /etc/ssh_config and per-user ~/.ssh/config config files.
- Command-line options will override any user or global settings. More common ones:

    -l username             Use username for connection.
    -c cipher               Specifies cipher to encrypt session with.
    -x                      Disables X11 forwarding.
    -C                      Enables compression. (For slow links.)
    -L port:host:hostport   Forward port to hostport on host.
    -R port:host:hostport   Forward remote port to hostport on host.
    -P                      Use non privileged port. Disables rhosts and RSArhosts authentication. (Allows ssh to work behind some firewalls.)

Notes: You can also use ssh user@example.com instead of the standard ssh -l user example.com for a benefit of 3 fewer keystrokes. Anything that is not a - option past the hostname is considered to be a command to be executed on the remote machine.
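The StrictModes refusal logged on the /etc/sshd_config slide above can be caught before sshd reports it. The shell function below is an added example, not part of the original presentation or of SSH itself; the list of paths it inspects and the names strict_modes_check and strict_modes_demo are assumptions made for illustration.

```shell
#!/bin/sh
# strict_modes_check HOME USER
# Prints one line per finding; returns 1 if anything was found, else 0.
strict_modes_check() {
    home=$1; user=$2; bad=0
    # The paths inspected here are an assumption of this sketch.
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys" \
             "$home/.rhosts" "$home/.shosts"; do
        [ -e "$p" ] || continue
        # -perm -020 / -002: the group-write or world-write bit is set.
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "bad modes for $p"
            bad=1
        fi
        # The owner must be the account itself or root (uid 0).
        if [ -n "$(find "$p" -prune ! -user "$user" ! -user 0 -print)" ]; then
            echo "bad owner for $p"
            bad=1
        fi
    done
    return "$bad"
}

# Demonstration on a constructed home directory (not a real account).
strict_modes_demo() {
    demo_home=$(mktemp -d) || return 2
    me=$(id -u)
    mkdir "$demo_home/.ssh"
    : > "$demo_home/.ssh/authorized_keys"
    chmod 755 "$demo_home"
    chmod 700 "$demo_home/.ssh"
    chmod 600 "$demo_home/.ssh/authorized_keys"
    echo "-- clean layout:"
    strict_modes_check "$demo_home" "$me" && echo "ok"
    chmod g+w "$demo_home"    # the misconfiguration behind the log line
    echo "-- after chmod g+w on the home directory:"
    strict_modes_check "$demo_home" "$me" || echo "(key login would be refused)"
    rm -rf "$demo_home"
}
strict_modes_demo
```

On a real host, call it as strict_modes_check /home/ontherange ontherange and fix whatever it prints with chmod go-w.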
Configuration: /etc/ssh_config

- As with sshd config file, lots of options.
- Use this file to configure global settings:

  Disable X11 forwarding to certain hosts:

    Host *.badgui.example.com
    ForwardX11 no

  Automatic port forwarding to other hosts:

    Host gateway.example.gov
    LocalForward 1234 internal.example.gov:23

- Bear in mind users can override these options with command line switches or their own ~/.ssh/config.

Notes: See the man page, which details the many different options. The spiffy thing about port forwarding is that in the above example, internal.example.gov will be looked up from the inside, e.g. from gateway.example.gov, so even though the source (say, a dial-in account on the beach in Tahiti) may not be able to find the internal machine, the gateway connected to can. On reflection, a global port forward (e.g. one made in /etc/ssh_config) is probably a Bad Thing. Place forwards on the command line or per-user config file instead. (You should see a Local: bind: Address already in use error if something is already using the forwarding port you specified.) You can also stick at least two forwarded ports onto a connection (and probably more; I haven't tested beyond two :).

Configuration: tcp_wrapper support

- When compiled with tcp_wrappers (not a default), you gain additional directives for your allow/deny files:

    sshd
    sshdfwd-x11
    sshdfwd-

Notes: Port name must be used if in /etc/services, though I haven't tested that restriction out yet.
Example (assumes implicit ALL:ALL in hosts.deny :) of restricting access to telnet port to a single host:

    sshdfwd-telnet: home.example.org

Or to allow everyone forwarded access to the NUTS Daemon, which, oddly enough, isn't in your services table:

    sshdfwd-4132: ALL

Section 5: Authentication

Authentication Methods

There are numerous means of authentication:

- RhostsAuthentication - disabled by default, insecure (same as used by r* suite).
- RhostsRSAAuthentication
- RSAAuthentication
- PasswordAuthentication - from /etc/passwd

Notes: And a few more, if you use TIS or other 3rd-party authentication solutions. The above are tried in order until an acceptable one is agreed on by client and server, or the user enters the wrong password at PasswordAuthentication.

RSA Authentication in SSH (1 of 2)

RhostsRSAAuthentication

- checks /etc/hosts.equiv or .rhosts files, but also verifies client's host key before allowing the connection.
- Requires client's /etc/ssh_host_key.pub to be appended onto the server's /etc/ssh_known_hosts file.
- Optionally allows use of ssh-specific .shosts or /etc/shosts.equiv files instead of the r files.
- Good for users accustomed to no-password logins (unless they can use ssh-agent!) or automated scripts.

Notes: Note that host keys do not have passwords; hence, RhostsRSAAuthentication works without asking for a password, unlike RSAAuthentication.

RSA Authentication in SSH (2 of 2)

RSAAuthentication

- Similar to how PGP works: user maintains private key on client, and uploads public key to server.
- User must supply a password to decrypt the private key.
- Key is generated on client using the ssh-keygen command. (The private key is stored in ~/.ssh/identity, and the public key is placed into ~/.ssh/identity.pub.)
- The contents of ~/.ssh/identity.pub are appended to the ~/.ssh/authorized_keys file on the server.
- Users don't have to have a password on their key.

Notes: Host keys are generated using ssh-keygen -N to create a key with a null password. Users probably shouldn't do so :) See the man page for ssh-keygen for more information.

Section 6: Examples & Applications

Example of forwarding

From term1@conf.example.org:

    $ ssh -L 1234:ftp.example.com:21 user@example.com

[Diagram labels: term1@conf.example.org, firewall, example.com, ftp.example.com]

(Be sure to use PASV mode, otherwise ftp will fail.)

Then on conf.example.org type:

    $ ftp localhost 1234
    Connected to localhost.
    220 ftp.example.com FTP server ready.

Example: running remote commands

    $ ssh status@diskfarm.example.edu df -k

Or, even better, edit the authorized_keys file on the host diskfarm for status to read something like:

    command="df -k" 1024 35 ...

Dump, rdist, and other utilities are known to run over SSH. You might also want to drop to a faster cipher (i.e. not IDEA).

Example: SSH and X11 harmony

- You can use ssh-agent to store RSA keys in memory, so as to avoid typing the same password.
- Start your X-Window server with ssh-agent in front:

    $ ssh-agent startx

- And then use ssh-add to load keys into memory.
- ssh-agent now allows automagic connections to servers with the same key(s).
- Only useful with RSAAuthentication setups.

Section 7: Legal Stuff & The Future

Legal Stuff

- SSH1 vs. SSH2: SSH2 has a much more restrictive license with regard to commercial use.
- RSA Patents: until Y2K, that is. Must license.
- IDEA cipher patented: commercial use requires license.
- Perhaps free version in the future? Or will IPv6/IPSEC make SSH obsolete?

References

Scottie Swenson's copy of Steve Acheson's SSH: Introduction Though Implementation from SANS 99.
SSH Links:

- Free Sources: ftp://ftp.cs.hut.fi/pub/ssh/
- Home Page: http://www.ssh.fi/sshprotocols2/
- Commercial Version: http://www.datafellows.com/
- FAQ: http://www.employees.org/~satch/ssh/faq/
- News: comp.security.ssh (good source of info)
- Mailing list: ssh@clinet.fi (send body subscribe ssh to )
- Good Windows client: http://www.vandyke.com/
- Free Windows client: http://www.zip.com.au/~roca/ttssh.html

Notes: Note: the firewall in this case is configured simply to allow TCP connections from anywhere to ssh inside the LAN to the host example.com. Also, allowing this sort of access may be a good or a bad thing, depending on what sort of access you want to allow into your network. SSH forwarding can either be disabled totally, or you can compile with TCP Wrappers to gain fine-grained control over what forwarding (and logging!) takes place.
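An audit for the forced-command authorized_keys setup from the "running remote commands" slide, which also bears on the closing note about forwarding. This is an added example, not from the original presentation: audit_authorized_keys and sample_keys are hypothetical names, the sample keys are constructed with shortened moduli, and the no-port-forwarding key option comes from the sshd man page rather than from the slides.

```shell
#!/bin/sh
# audit_authorized_keys [FILE]
# Prints "<line> <verdict> <bits> <comment>" for every key in an SSH1-style
# authorized_keys file (fields: [options] bits exponent modulus comment).
audit_authorized_keys() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comment and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        opts = ""
        # The options field is present only when the line does not start
        # with a digit (the key size in bits).
        if (line !~ /^[0-9]/) {
            inq = 0
            n = length(line)
            for (i = 1; i <= n; i++) {
                c = substr(line, i, 1)
                if (inq && c == "\\") { i++; continue }   # escaped char in quotes
                if (c == "\"") inq = !inq
                else if (!inq && (c == " " || c == "\t")) break
            }
            opts = substr(line, 1, i - 1)
            line = substr(line, i + 1)
            sub(/^[ \t]+/, "", line)
        }
        nf = split(line, f, /[ \t]+/)
        if (nf < 3 || f[1] !~ /^[0-9]+$/) {
            printf "%d malformed - -\n", NR
            next
        }
        # Blank out quoted values so that text inside command="..." cannot
        # be mistaken for an option keyword.
        gsub(/"([^"\\]|\\.)*"/, "\"\"", opts)
        opts = tolower(opts)
        has_cmd   = (opts ~ /(^|,)command=""/)
        has_nofwd = (opts ~ /(^|,)no-port-forwarding(,|$)/)
        if (has_cmd && has_nofwd) verdict = "restricted"
        else if (has_cmd)         verdict = "command-only"
        else if (has_nofwd)       verdict = "shell-no-forward"
        else                      verdict = "unrestricted"
        printf "%d %s %s %s\n", NR, verdict, f[1], (nf >= 4 ? f[4] : "-")
    }' "$@"
}

# Constructed sample input: moduli are shortened and are not real keys.
sample_keys() {
    cat <<'EOF'
# constructed sample authorized_keys
1024 35 1234567890 admin@example.org
command="df -k" 1024 35 1234567890 status@diskfarm
command="df -k",no-port-forwarding,no-X11-forwarding 1024 35 1234567890 status2@diskfarm
from="*.example.org",command="echo \"a, no-port-forwarding\"" 1024 35 99 tricky@example.org
no-port-forwarding 1024 35 99
EOF
}

sample_keys | audit_authorized_keys
```

A command-only key still lets its holder request port forwards, so those are the lines to review first.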