
A basic introduction to SSH

  1. Warning ! Awooga !
  2. Introduction
  3. Getting started
  4. scp
  5. Running an X program off another machine
  6. Port forwarding
  7. ssh-agent
  8. Other resources

Warning ! Awooga !

Just because this "SSH" program has the word secure in it, your Life Problems aren't entirely solved and you shouldn't assume that you're 100% safe from anything. The steps I describe below are ones that appear to work fine for myself and other people I know, and whilst I hope they work for you I won't be held responsible for any Nasty Things that may happen as a result of you trying them. Stay alert, pilot !


Introduction

SSH, the Secure SHell, is a replacement for rsh and, in most cases, telnet. It provides a secure, encrypted connection, through which you can have normal, interactive logins, as well as tunneling other ports (such as X11 connections) to or from the remote machine. It also comes with scp, a replacement for rcp.

The scope of this short talk is to explain basic usage of the ssh client (not the server, which can be dealt with some other time). We also cover use of ssh-agent, a useful but often overlooked part of ssh.


Getting started

For basic use, there's nothing to set up (assuming the software's already installed on the machine, of course). You can just run it like rsh, so if you want to login to a machine called "pollard" you'd do :

ssh pollard

You'll see a prompt asking for your password like so :

robert@pollard's password: _

But what if you have a different username on that other machine ? Either one of the following works :

ssh bob@pollard
ssh pollard -l bob

You might also just want to run a command on the other machine.

ssh pollard 'ls -lt /usr/local/bin | head'

Doing it securely

If you want to make sure your login session is secure, don't mix telnet/rsh and ssh ! If you telnet from one box to another, and then use ssh from there to a third machine, someone could sniff the network between the first two boxes and see what you're typing to the third machine, ssh or no ssh. The other thing to watch is the host key : the first time you ssh to a machine, ssh shows you the fingerprint of that machine's key and asks whether to accept it. Check it against one you got some other way (from whoever runs the machine, for instance), because if you accept a key belonging to someone sitting between you and pollard, your session is encrypted to them and not to pollard. Once accepted, the key is remembered in $HOME/.ssh/known_hosts and ssh complains loudly if it ever changes.

If you're on a non-unix box, you might want to try one of these ssh clients :


scp

As well as ssh, there's a companion program called scp that you can use to copy files between machines (like rcp) :

scp file.txt pollard:.
scp file.txt pollard:txt/guff/foo.txt
scp file.txt bob@pollard:txt/guff/foo.txt

and so forth...


Running an X program off another machine

By tunneling the right port, ssh can forward an X connection from the remote machine back to yours. With OpenSSH this is off unless you ask for it (ssh -X pollard, or ForwardX11 yes in your config), and the server has to allow it (X11Forwarding yes in sshd's config). You can check if this is working by doing the following on the remote machine :

echo $DISPLAY

You'll notice it'll say something like pollard:10.0 (or localhost:10.0 with OpenSSH) instead of yourlocalmachine:0.0. This is because the ssh server on pollard listens on display 10 and forwards anything an X program sends there down the ssh connection to the X server on your machine.

If you want to run something like Netscape from another machine without keeping a login shell open on the other machine, you can do :

ssh -n -f pollard netscape

The -n redirects stdin from /dev/null (so ssh doesn't sit there reading from your terminal), and the -f tells ssh to go into the background just before it runs the command, i.e. after authentication, which means you still get time to enter your login password if you need to. In OpenSSH -f implies -n anyway, and you'll want -X on that command line as well, otherwise the X connection isn't forwarded and netscape has no display to talk to.


Port forwarding

Say you read your mail via POP off a machine which you have ssh access to. You'd rather not have your POP password go over the network in the clear, so you want to tunnel the POP connection over your ssh connection :

ssh -L 9110:pollard:110 pollard

(which means "listen on local port 9110, and for each connection to it, have the ssh server on pollard open a connection to port 110 on the machine called 'pollard'")

Once you've logged in, you can reconfigure your mail client so that it talks to your local machine on port 9110 - when you connect to port 9110, the data goes down your ssh connection and out of pollard's end to port 110. Two things are worth knowing. The host in the middle of the -L argument is resolved by pollard, not by your machine, so writing localhost there keeps the last hop on pollard's loopback interface (and works even if pollard's POP daemon only listens on loopback). And the port 9110 listener only accepts connections from your own machine unless you tell ssh otherwise (-g), so nobody else on the network can use your tunnel. The forwarded port goes away as soon as you log out of the other machine ; if you only want the tunnel and not a shell, add -N to the command.
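To see what that -L actually sets up, here is the same forwarding arrangement written out in plain Python as an added example. It is not code from this page and not what ssh does internally (ssh encrypts the hop between the two ends, this relay does not). It binds a local listener on 127.0.0.1 like ssh without -g, relays each connection to a target that is contacted from the relay's own side, and refuses new connections once the listener is torn down (the logout case). The POP3 server it talks to is a constructed stand-in on an ephemeral loopback port, and the USER/PASS exchange is invented test data :

```python
import socket
import threading

# Added example (not from the page): the listener semantics of
# "ssh -L 9110:pollard:110 pollard" in plain Python, WITHOUT ssh's encryption.
# The target is a constructed fake POP3 server on an ephemeral loopback port.


def _listener(bind_addr, port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((bind_addr, port))         # port 0 means "pick a free one"
    s.listen(5)
    return s


def _pipe(src, dst):
    """Copy src -> dst until EOF, then half-close dst so its peer sees EOF too."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_local_forward(target_host, target_port, bind_addr="127.0.0.1", local_port=0):
    """ssh -L <local_port>:<target_host>:<target_port>, minus the encryption.
    Binds 127.0.0.1 by default (ssh without -g does the same) and opens the target
    connection from this side, which is why the middle field of -L is resolved by
    the ssh server rather than by the client machine. Returns (listener, port)."""
    ls = _listener(bind_addr, local_port)

    def accept_loop():
        while True:
            try:
                client, _ = ls.accept()
            except OSError:           # listener torn down: the "logged out" case
                return
            upstream = socket.create_connection((target_host, target_port))
            threading.Thread(target=_pipe, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pipe, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return ls, ls.getsockname()[1]


def close_listener(ls):
    """Stop accepting; new connections to the port are refused from here on."""
    try:
        ls.shutdown(socket.SHUT_RDWR)  # wakes the thread blocked in accept()
    except OSError:
        pass
    ls.close()


def start_fake_pop():
    """Constructed stand-in for a POP3 daemon: greets, says +OK to anything, QUIT closes."""
    srv = _listener("127.0.0.1", 0)

    def handle(conn):
        with conn:
            conn.sendall(b"+OK POP3 ready\r\n")
            for line in conn.makefile("rb"):
                if line.strip().upper().startswith(b"QUIT"):
                    conn.sendall(b"+OK bye\r\n")
                    break
                conn.sendall(b"+OK\r\n")

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def pop_login_via(port, user, password):
    """What the mail client does once pointed at 127.0.0.1:<port>; returns the replies."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        f = s.makefile("rb")
        replies = [f.readline().decode().rstrip("\r\n")]
        for cmd in ("USER " + user, "PASS " + password, "QUIT"):   # invented credentials
            s.sendall((cmd + "\r\n").encode())
            replies.append(f.readline().decode().rstrip("\r\n"))
    return replies


def run_demo():
    """Fake POP up, forward up, log in through it, tear the forward down, report."""
    pop, pop_port = start_fake_pop()
    ls, local_port = start_local_forward("127.0.0.1", pop_port)
    results = {"listens_on": ls.getsockname()[0],
               "replies": pop_login_via(local_port, "bob", "hunter2")}
    close_listener(ls)
    try:
        socket.create_connection(("127.0.0.1", local_port), timeout=2).close()
        results["open_after_logout"] = True
    except OSError:
        results["open_after_logout"] = False
    close_listener(pop)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Run it and it reports the four replies that came back through the relay, that the listener sat on 127.0.0.1, and that the port refuses connections once the relay is closed. Nothing between the mail client and the relay is protected, which is exactly why ssh's listener is loopback-only by default : the only unencrypted leg is inside your own machine.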


ssh-agent

Bored with having to type your password in all the time ? I thought so...

ssh-agent is an authentication agent - you run it when you first login, load your private key into it with ssh-add (which asks for the passphrase once and keeps the decrypted key in the agent's own memory), and from then on (if your other machines are set up with your public key) you can securely login to other machines without typing a password : the ssh client hands the server's challenge to the agent to sign, so the private key never has to be read from disk again and never leaves the agent.

The basic steps to do this are as follows :

  1. Generate an RSA key with ssh-keygen (and read the manual page about it first !), and make sure you pick a good passphrase :

    ssh-keygen
    
  2. ssh-keygen creates two files :

    • The private key (which you should never give away access to) is stored in $HOME/.ssh/identity. (That's the protocol-1 RSA name ; newer OpenSSH versions of ssh-keygen write $HOME/.ssh/id_rsa or id_ed25519 by default, with the same .pub convention for the public half.)

    • The public key (which you'll go and put on other machines you want to login to) is stored in $HOME/.ssh/identity.pub.

  3. make sure permissions are set properly on these files :

    chmod 0700 $HOME/.ssh
    chmod 0600 $HOME/.ssh/identity
    
  4. Copy (or append) $HOME/.ssh/identity.pub to $HOME/.ssh/authorized_keys on every other machine you want to be able to ssh to (don't forget to chmod 0700 $HOME/.ssh too). Appending matters : overwriting the file throws away anyone else's keys that were in it. Also, sshd's StrictModes setting (on by default) makes it ignore authorized_keys if that file, $HOME/.ssh or $HOME itself is writable by group or others, so chmod 0600 the file as well.

  5. If you use the X Window System, add the following near the top of your .xsession file :

    eval `ssh-agent`
    ssh-add
    

    If you're using Gnome or KDE and don't have a .xsession file, doing this may be a little more difficult - Debian's Gnome installation looks like it tries to run ssh-agent as part of GDM's "Gnome" login script, but I'm not sure about others. You could go and hack about in your XDM (or GDM) config and start ssh-agent there.

  6. And that's it ! Next time you login, the agent will be started and you should see a window appear asking for your ssh RSA key passphrase. Once you've entered it, try ssh'ing to one of the machines where you added a $HOME/.ssh/authorized_keys file. You should be able to login without entering another password.
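Steps 2 to 4 done by a program rather than by hand, as an added example (this is not code from the page, and not an OpenSSH tool ; ssh-copy-id is the nearest thing that ships with OpenSSH). It assumes the newer OpenSSH public key format (id_ed25519.pub / id_rsa.pub lines of the form "type base64 comment") rather than the protocol-1 identity.pub format the steps above name, and rejects the old format instead of appending it blindly. The key it installs is a constructed dummy, and the directory it writes to is a throwaway temporary one :

```python
import base64
import os
import stat
import tempfile
from pathlib import Path

# Added example, not code from the page: "copy or append the public key to
# authorized_keys" plus the permission checks, for OpenSSH (protocol-2) key
# lines. The old protocol-1 "1024 35 <modulus> comment" format is rejected.

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def parse_pubkey(line):
    """Return (key_type, base64_blob) for a valid OpenSSH public key line, else ValueError."""
    fields = line.split()
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("not an OpenSSH public key line: %r" % line)
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
    # The wire blob starts with a length-prefixed string naming the key type;
    # it must agree with the first field or the line was mangled.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type inside the blob does not match %s" % key_type)
    return key_type, b64


def install_public_key(line, ssh_dir):
    """Append the key to <ssh_dir>/authorized_keys unless the same key (comment
    ignored) is already there; set modes to 0700/0600. Returns True if appended."""
    key_type, b64 = parse_pubkey(line)
    ssh_dir = Path(ssh_dir)
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)                 # mkdir's mode is subject to umask
    ak = ssh_dir / "authorized_keys"
    existing = ak.read_text().splitlines() if ak.exists() else []
    for entry in existing:
        f = entry.split()                    # key options, if any, precede the type
        if any(f[i] == key_type and f[i + 1] == b64 for i in range(len(f) - 1)):
            os.chmod(ak, 0o600)
            return False
    with open(ak, "a") as fh:                # append: never clobber other people's keys
        fh.write(line.strip() + "\n")
    os.chmod(ak, 0o600)
    return True


def check_permissions(ssh_dir):
    """List what ssh/sshd would refuse: private keys readable by others, and the
    directory or authorized_keys writable by group/others (sshd StrictModes)."""
    ssh_dir = Path(ssh_dir)
    problems = []
    if stat.S_IMODE(ssh_dir.stat().st_mode) & 0o022:
        problems.append("%s is group/world writable" % ssh_dir)
    for name in ("identity", "id_rsa", "id_ecdsa", "id_ed25519"):
        p = ssh_dir / name
        if p.exists() and stat.S_IMODE(p.stat().st_mode) & 0o077:
            problems.append("%s is readable by others; ssh will ignore it" % p)
    ak = ssh_dir / "authorized_keys"
    if ak.exists() and stat.S_IMODE(ak.stat().st_mode) & 0o022:
        problems.append("%s is group/world writable; sshd will ignore it" % ak)
    return problems


def synthetic_pubkey(comment):
    """Constructed ed25519 public key line with a dummy 32-byte point (not a real key)."""
    blob = (len(b"ssh-ed25519").to_bytes(4, "big") + b"ssh-ed25519"
            + (32).to_bytes(4, "big") + bytes(range(32)))
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


def run_demo():
    """Exercise the helpers in a throwaway directory and report what happened."""
    ssh_dir = os.path.join(tempfile.mkdtemp(prefix="sshdemo-"), ".ssh")
    line = synthetic_pubkey("bob@home")
    results = {
        "first_install": install_public_key(line, ssh_dir),
        "repeat_install": install_public_key(line, ssh_dir),
        "same_key_other_comment": install_public_key(
            line.rsplit(" ", 1)[0] + " bob@laptop", ssh_dir),
    }
    ak = Path(ssh_dir) / "authorized_keys"
    results["lines_in_file"] = len(ak.read_text().splitlines())
    results["problems_before"] = check_permissions(ssh_dir)
    os.chmod(ak, 0o666)                      # a careless chmod, to show the check fires
    results["problems_after"] = check_permissions(ssh_dir)
    try:
        parse_pubkey("1024 35 12345 bob@host")   # old protocol-1 identity.pub format
        results["protocol1_rejected"] = False
    except ValueError:
        results["protocol1_rejected"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

The duplicate check compares the key type and key material only, so the same key re-sent with a different comment is not appended twice, and the permission report is what you'd run when a key you just installed mysteriously still gets you a password prompt.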

Now that you've done this, be careful ! If you leave your computer unattended whilst you're logged in with ssh-agent running, bear in mind that someone could come up and not only fiddle on your local machine, they can now login to any machine you put your public key onto : anything running as you (or as root) on your machine can talk to the agent's socket and ask it to sign, without ever seeing the key itself. If you're the paranoid type, you're probably already running xscreensaver with password-locking. If not, you might want to consider doing so. ssh-add -D (forget all loaded keys) and ssh-add -t <seconds> when adding a key (so it expires from the agent by itself) also limit the damage.

Other resources