Using SSH at Monash University

SSH, the Secure SHell, is a replacement for rsh and, in most cases, telnet. It provides a secure, encrypted connection, through which you can have normal, interactive logins, as well as do other useful things like forwarding X11 connections. It also comes with scp, a replacement for rcp.

This is intended as a guide to help people get started with SSH at Monash. Comments and queries should be directed to Andrew.Cosgriff@cc.monash.edu.au, or posted on the monash.decstations newsgroup.


  1. Getting started
  2. Doing it securely
  3. Running an X program off another machine
  4. scp
  5. ssh-agent
  6. Other resources

Getting started

For basic use, there's nothing to set up: you can just run it like rsh:

ssh aurora

Or, if you have a different username over yonder, you can do either one of :

ssh username@otherhost.net
ssh otherhost.net -l username

or, to do something non-interactively :

ssh aurora 'ls -lt /usr/local/bin | head'

In both of these cases, you'll be asked for your password on aurora before it will run the command.


Doing it securely

If you want to make sure your login session is secure, don't mix telnet/rsh and ssh! You have to use ssh everywhere, including from PCs, annexes, and so on. If you, say, telnet from your PC to aurora, and then ssh to silas, it's no more secure than telnetting straight to silas, since everything you type, including your password for silas, still crosses the telnet hop unencrypted. Similarly, if you dial in to the annex or ascend terminal servers, and telnet from them, you're still leaving yourself open.

In answer to the next question you probably have after reading that: yes, there is a Windows version of SSH. Unfortunately, it's a commercial product, although you can get a demo that expires after a while. Since then, somebody's added SSH support to a free product called TeraTerm Pro.


Running an X program off another machine

At Monash, people are encouraged to run Netscape off the two main Unix machines, Silas and Aurora. To do this, run the following from a shell prompt on your local DECstation:

ssh -n -f silas netscape

You'll be prompted for your password, and will then be returned to the shell prompt. A few seconds later, netscape should appear. What's different is that you didn't need to do anything about "xhost" or "xauth": ssh sets up the correct xauth configuration so that nobody else can mess with your X display, and the X connection from silas to your DECstation is encrypted, the same as a normal "telnet-like" session. Also, if ssh needs to ask for your password, but isn't running on a terminal (e.g. your window manager runs it for you, off a menu), it will pop up a window asking you for your password.


scp

As well as ssh, there's a companion program called scp that you can use to copy files between machines (like rcp) :

scp file.txt aurora:txt/guff/foo.txt

or, if your account name is different on the other machine :

scp file.txt blah@yoyo:txt/foo.txt

ssh-agent

ssh-agent is an authentication agent: you run it when you first log in and add your private RSA key, and from then on (if your other machines are set up with your public RSA key) you can securely log in to other machines without needing to type in a password. The basic steps to do this are as follows:

  1. Generate an RSA key with ssh-keygen (and read the manual page about it first !), and pick a good passphrase :
    ssh-keygen
    
  2. The private key (which you should never give away access to) is stored in $HOME/.ssh/identity, and the public key (which you can give away access to) is in $HOME/.ssh/identity.pub - make sure permissions are set properly :
    chmod 0700 $HOME/.ssh
    chmod 0600 $HOME/.ssh/identity
    
  3. Copy (or append) $HOME/.ssh/identity.pub to $HOME/.ssh/authorized_keys on every other machine you want to be able to ssh to (don't forget to chmod 0700 $HOME/.ssh too).
  4. Add the following near the top of your .xsession file (the "-s" is because my .xsession file is run with sh or ksh or bash or zsh. If you use tcsh or csh, you should put "-c" instead) :
    eval `ssh-agent -s`
    ssh-add
    
  5. And that's it !
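
A way to check the permissions from steps 2 and 3 on any machine, as an added example that is not part of the original guide. It assumes the file names used above; the function names mode_of and check_ssh_perms are made up for this example.

```shell
#!/bin/sh
# Added example: audit the permissions from steps 2 and 3 above.
# check_ssh_perms [DIR] prints one line per problem and returns the
# number of problems found (0 means everything is as the guide asks).

mode_of() {
    # First 10 characters of the ls mode string, e.g. "drwx------".
    # ls may append ".", "+" or "@" (SELinux, ACLs, xattrs); cut drops it.
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

check_ssh_perms() {
    dir=${1:-$HOME/.ssh}
    problems=0

    if [ ! -d "$dir" ]; then
        echo "MISSING  $dir"
        return 1
    fi

    # Step 2: the directory must be 0700 (owner only).
    m=$(mode_of "$dir")
    case $m in
        drwx------) ;;
        *) echo "BAD DIR  $dir is $m, want drwx------"
           problems=$((problems + 1)) ;;
    esac

    # Step 2: the private key must grant nothing to group or other.
    if [ -f "$dir/identity" ]; then
        m=$(mode_of "$dir/identity")
        case $m in
            -r[w-]-------) ;;
            *) echo "BAD KEY  $dir/identity is $m, want -rw-------"
               problems=$((problems + 1)) ;;
        esac
    fi

    # Step 3: authorized_keys must not be writable by group or other,
    # otherwise someone else could append their own public key to it.
    if [ -f "$dir/authorized_keys" ]; then
        m=$(mode_of "$dir/authorized_keys")
        case $m in
            ?????w????|????????w?)
                echo "BAD AUTH $dir/authorized_keys is $m (group/other writable)"
                problems=$((problems + 1)) ;;
        esac
    fi
    return "$problems"
}
```

Source the file and run check_ssh_perms with no argument to audit $HOME/.ssh, or pass another directory to check.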

Other Resources