Just because this "SSH" program has the word secure in it, your Life Problems aren't entirely solved and you shouldn't assume that you're 100% safe from anything. The steps I describe below are ones that appear to work fine for myself and other people I know, and whilst I hope they work for you I won't be held responsible for any Nasty Things that may happen as a result of you trying them. Stay alert, pilot !
SSH, the Secure SHell, is a replacement for rsh and, in most cases, telnet. It provides a secure, encrypted connection, through which you can have normal, interactive logins, as well as tunneling other ports (such as X11 connections) to or from the remote machine. It also comes with scp, a replacement for rcp.
The scope of this short talk is to explain basic usage of the ssh client (not the server, which can be dealt with some other time). We also cover use of ssh-agent, a useful but often overlooked part of ssh.
For basic use, there's nothing to set up (assuming the software's already installed on the machine, of course). You can just run it like rsh, so if you want to login to a machine called "pollard" you'd do :
ssh pollard
You'll see a prompt asking for your password like so :
robert@pollard's password: _
But what if you have a different username on that other machine ? Either one of the following works :
ssh bob@pollard
ssh pollard -l bob
You might also just want to run a command on the other machine.
ssh pollard 'ls -lt /usr/local/bin | head'
If you want to make sure your login session is secure, don't mix telnet/rsh and ssh ! If you telnet from one box to another, and then use ssh from there to a third machine, someone sniffing the network between the first two boxes sees everything you type to the third machine (your password included), because the telnet leg is in the clear. The ssh hop only protects the part of the path it covers.
If you're on a non-unix box, you might want to try one of these ssh clients :
Windows : TTSSH, which is an add-on to a free terminal emulator called TeraTerm Pro. Alternatively, there's PuTTY, which now has a command-line scp program as well. A good commercial client is SecureCRT. Lastly, you can try the F-Secure client, which is functional, but not fantastic.
MacOS : NiftyTelnet supports ssh.
Alternatively, there's a Java implementation of ssh (at least two, in fact, but I'll stick with one for now) called MindTerm. It's pretty nifty in that it can run as a standalone program or as an applet in your browser. It needs at least JDK 1.1, though, so you'll need at least Netscape 4.5 to run the applet.
As well as ssh, there's a companion program called scp that you can use to copy files between machines (like rcp) :
scp file.txt pollard:.
scp file.txt pollard:txt/guff/foo.txt
scp file.txt bob@pollard:txt/guff/foo.txt
and so forth...
By tunneling the right port, ssh can forward an X connection from the remote machine back to yours. You can check if this is working by doing the following on the remote machine :
echo $DISPLAY
You'll notice it'll say something like pollard:10.0 instead of yourlocalmachine:0.0. This is because the ssh server on pollard listens on the "10.0" display and forwards any data down the ssh connection to your machine, where the ssh client hands it to your real X server. X traffic therefore never crosses the network unencrypted.
If you want to run something like Netscape from another machine without having a login shell running on the other machine, you can do :
ssh -n -f pollard netscape
The -n redirects stdin from /dev/null (so ssh never tries to read from your terminal, which is essential when it's in the background), and the -f tells ssh to fork off into the background once it has authenticated (which means you still get time to enter your login password or passphrase if you need to).
Say you read your mail via POP off a machine which you have ssh access to. You'd rather not have your POP password go over the network in the clear, so you want to tunnel the POP connection over your ssh connection :
ssh -L 9110:pollard:110 pollard
(which means "forward connections to local port 9110 over the ssh connection to port 110 on a machine called 'pollard'"). Note that the host name in the middle of the -L spec is resolved by the ssh server on pollard, not by your machine, so it is where pollard thinks 'pollard' is.
Once you've logged in, you can reconfigure your mail client so that it talks to your local machine using port 9110 - when you connect to port 9110, the data is forwarded over your ssh connection to port 110 of the other machine. By default only programs on your own machine can connect to port 9110 (the -g option opens it to other hosts, which you probably don't want here). This forwarded connection is closed as soon as you logout of the other machine, though.
Bored with having to type your password in all the time ? I thought so...
ssh-agent is an authentication agent - you run it when you first login, give it your private key, and from then on (if your other machines are setup with your public key), you can securely login to other machines without needing to type in a password, since the authentication is all tunneled back to the agent.
The basic steps to do this are as follows :
Generate an RSA key with ssh-keygen (and read the manual page about it first !), and make sure you pick a good passphrase :
ssh-keygen
ssh-keygen creates two files :
The private key (which you should never give away access to) is stored in $HOME/.ssh/identity.
The public key (which you'll go and put on other machines you want to login to) is stored in $HOME/.ssh/identity.pub.
Make sure permissions are set properly on these files :
chmod 0700 $HOME/.ssh
chmod 0600 $HOME/.ssh/identity
Copy (or append) $HOME/.ssh/identity.pub to $HOME/.ssh/authorized_keys on every other machine you want to be able to ssh to (don't forget to chmod 0700 $HOME/.ssh there too).
If you use the X Window System, add the following near the top of your .xsession file :
eval `ssh-agent`
ssh-add
If you're using Gnome or KDE and don't have a .xsession file, doing this may be a little more difficult - Debian's Gnome installation looks like it tries to run ssh-agent as part of GDM's "Gnome" login script, but I'm not sure about others. You could go and hack about in your XDM (or GDM) config and start ssh-agent there.
And that's it ! Next time you login, the agent will be started and you should see a window appear asking for your ssh RSA key passphrase. Once you've entered it, try ssh'ing to one of the machines where you added a $HOME/.ssh/authorized_keys file. You should be able to login without entering another password.
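As an added example (not part of the original talk), here are the setup steps above as two shell functions: install_pubkey does the copy-or-append and the chmods on a target machine, skipping keys that are already there, and start_agent is the .xsession snippet with a check for an agent that GDM or the like may already have started. The function names are mine, and the file names are the ssh 1.x ones the talk uses (identity.pub, authorized_keys).

```shell
#!/bin/sh
# Added example, not code from the talk. Function names install_pubkey,
# agent_usable and start_agent are invented here; file names follow ssh 1.x.

# install_pubkey [pubkey-file] [target-home]
# Appends every key line in pubkey-file to target-home/.ssh/authorized_keys,
# skipping lines already present, and sets 0700 on .ssh and 0600 on
# authorized_keys. Run it on each machine you want to log in to, after
# copying identity.pub there (e.g. with scp).
install_pubkey() {
    pubkey=${1:-"$HOME/.ssh/identity.pub"}
    target_home=${2:-"$HOME"}
    sshdir="$target_home/.ssh"
    authkeys="$sshdir/authorized_keys"

    [ -r "$pubkey" ] || { echo "install_pubkey: cannot read $pubkey" >&2; return 1; }

    # Subshell with umask 077 so even a freshly created .ssh or
    # authorized_keys is never group- or world-readable, not even briefly.
    (
        umask 077
        mkdir -p "$sshdir" || exit 1
        [ -f "$authkeys" ] || : > "$authkeys"
        # One key per line; append only lines not already in the file,
        # so running this twice does not leave duplicate keys behind.
        while IFS= read -r line; do
            [ -n "$line" ] || continue
            grep -qxF -- "$line" "$authkeys" || printf '%s\n' "$line" >> "$authkeys"
        done < "$pubkey"
        chmod 0700 "$sshdir" && chmod 0600 "$authkeys"
    )
}

# agent_usable: succeeds only if SSH_AUTH_SOCK names a live agent socket,
# i.e. the desktop login script has already started an agent for us.
agent_usable() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# start_agent: what to put near the top of .xsession. Starts an agent only
# if there isn't a usable one already, then loads the key. ssh-add asks for
# the passphrase (in a window, if no terminal is attached under X).
start_agent() {
    command -v ssh-agent >/dev/null 2>&1 || {
        echo "start_agent: ssh-agent is not installed" >&2
        return 1
    }
    # -s forces Bourne-shell style output regardless of your login shell.
    agent_usable || eval "$(ssh-agent -s)" >/dev/null || return 1
    ssh-add
}
```

install_pubkey takes an explicit target home so you can point it at a test directory first; the check that the key is not already present is what lets you re-run it safely on a machine where you (or a colleague) already pasted the key in by hand.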
Now that you've done this, be careful ! If you leave your computer unattended whilst you're logged in with ssh-agent running, bear in mind that someone could come up and not only fiddle on your local machine, they can now login to any other machine you put your public key onto, without ever seeing your passphrase. If you're the paranoid type, you're probably already running xscreensaver with password-locking. If not, you might want to consider doing so, or at least run ssh-add -D to unload your keys from the agent before you walk away.
As always, the manpages are actually worth reading. Try :
man ssh
man ssh-agent
The OpenSSH project has revived the free version 1.x codebase and brought it back into active development. Version 1.2.2, the first stable release, appeared just last week. Their history page explains some of the stormy history of SSH's licensing and such.
DataFellows have an SSH web site.
If you're wondering who Bob Pollard is...