Ssh (Secure Shell) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It is intended as a replacement for rlogin, rsh, rcp and telnet. The key is that ssh provides strong authentication ("Are you who you say you are?") and secure communications (conversations which cannot be deciphered by hackers) over unsecure networks.
It also provides neat services like handling xauth commands for you and providing a single-login facility (where you only have to give your password once in order to login to multiple domains of computers) via the ssh-agent and ssh-add commands.
There are actually two different versions of the SSH protocol (SSH-1 and SSH-2) and strictly speaking, they are not compatible. For a discussion of the two implementations, see http://www.snailbook.com/faq/ssh-1-vs-2.auto.html. We are using SSH-2, with fallback support for SSH-1 clients.
They can use that information to pretend to be you; therefore they can gain unauthorized access to any password-protected computer you use (locally or remotely). Even if they don't pretend to be you, they can record all of your keystrokes as you work from machine A over the network to machine B.
A primary benefit to ssh is that it encrypts your keystrokes so no one can see them as they pass over the network.
The X Window System also has a number of severe vulnerabilities. With ssh, you can easily create secure remote X sessions. Ssh conveniently handles setting your DISPLAY variable and running xauth for you.
Ssh protects against these kinds of attacks:
Things get more complicated when you realize that network packets are pretty faceless critters. Just because one comes bearing a key, how do you know it was sent by the computer it claims to be from? This makes it useful to do some checking on the computer's identity as well as verifying that the key works.
Public key cryptography uses a public key to encrypt data and a private key to decrypt it. The name public key comes from the fact that you can make the encryption key public without compromising the secrecy of the data or the decryption key.
What this means is that it is safe to send your public key in electronic mail or by other means. For anyone to actually gain access they need the corresponding private key to identify themselves.
These other, more involved, steps are helpful for people who are going to use ssh between domains of computers and/or more sophisticated tools, like ssh-agent.
When I say "end" below, I mean the computer at one end of a two-computer connection you wish to make or are making. In general, I assume that the ends will be in different security domains, so you'll want a different password to get into each end. The ~ (tilde) sign indicates your home directory.
ssh -V.
(That is a uppercase -V. The lowercase -v option means
"connect but emit verbose status messages.")
If you get a "ssh: Command not found" error message, then either ssh is not installed on your computer or it is not in your search path.
You can check the other end with the telnet program.
The ssh daemon listens for incoming connections on port 22. If you telnet
to that port on a host,
(telnet hostname 22), it will say "connection refused"
if ssh is NOT installed. In that case, immediately ask your system
administrator to quickly install the latest version of ssh so their
computers will be more secure! She or he can get a
copy from the ssh home page
http://www.ssh.com.
If ssh is available, you will see
Trying 220.220.220.220... Connected to hostname. Escape character is '^]'. SSH-1.99-2.4.0 SSH Secure Shell (non-commercial)You can then type "quit" to close the connection.
ssh-keygen
to create a pair of authentication keys (one public, one private)
for yourself. These will be stored in your .ssh2 directory as
~/.ssh2/id_dsa_1024_a (the private key) and ~/.ssh2/id_dsa_1024_a.pub
(the public key). The naming convention used is If someone has access to the private key, they can use it to pretend to be you. Because we work in a very cooperative environment, by default most users can read many of the files in our home directories. Even if they couldn't, a hacker could break into your machine by some method other than password sniffing, and then take your private key and pretend to be you to get onto other machines. The private and public keys are stored on disk in files because they are too long (over two hundred characters) to memorize or type by hand.
Knowing this, the authors of ssh made ssh able to encrypt your private key before storing it to or reading it from your home directory. To do this, ssh will ask you for a password when you need to read that ~/.ssh2/id_dsa_1024_a file. Actually, ssh allows you to use more than one (pass) word -- you can specify a short phrase that, taken together, acts as a password.
Always, always, type in a good pass-phrase when prompted for one. It can be multiple words (i.e. spaces are just fine within the phrase), so you could choose a sentence that you can remember. Changing some of the words by misspelling them or by changing some of the letters into digits is highly recommended to increase the strength of your pass phrase.
Here is a sample session, your input is in bold. Note that the pass-phrase is not echoed back as you type it. It is shown here only as an example. DO NOT USE THE SAMPLE PASS-PHRASE SHOWN BELOW AS YOUR OWN PASS-PHRASE!
myworkstation% ssh-keygen -c myuserid-ssh2@home
Generating 1024-bit dsa key pair
4 .oOOo.oOo.oO
Key generated.
myuserid-ssh2@home
Passphrase : red 3agle, midnight
Again : red 3agle, midnight
Private key saved to /home/myuserid/.ssh2/id_dsa_1024_a
Public key saved to /home/myuserid/.ssh2/id_dsa_1024_a.pub
myworkstation%
Okay, now you have a pair of keys on one computer, which we'll call
computerA. You need to copy the public key
to the remote computer(s) so you can start having a secure two way
conversation.
If you have accounts on computers in multiple organizations, you should create separate keys on each of them. I have separate keys for
People are going to have more and more passwords in the coming years. Passwords, pass-phrases, PIN numbers, etc. The only thing you can do (without carrying around a password-protected Personal Digital Assistant) is write them down on a small scrap of paper and put it in your wallet. This does not have to be as risky as it sounds.
The -c (comment) option to ssh-keygen allows you
to give a more meaningful name to your pair of keys. By default,
ssh-keygen will name your keys
youruserid@machineonwhichyourunssh-keygen (e.g. user@eta). It may
help you remember which key is which if you use -C myuserid@domainname
(e.g. myuserid@pha).
You specify which identity you will be using to authenticate to other computers with the ~./ssh2/identification file. Add the following line to your identification file:
IdKey id_dsa_1024_a # You can rename this private key to something # more meaningful. Just be sure to change the # corresponding file name in ./ssh2If your identity varies from machine to machine, this file file will be machine-specific.
Unlike ssh1, ssh2 does not support changing the passphrase on an existing key.
~/.ssh2/authorization
file on that system. All keys listed in that file are allowed
access via ssh (if they have the right pass-phrase).
Start by copying the public key for your default identity into
the ~/.ssh2/authorization file.
myworkstation% cd ~/.ssh2 myworkstation% vi authorizationAdd the following line to the file ~/.ssh2/authorization:
Key id_dsa_1024_a.pub # Note that you can change the name of this
# to something more meaningful, like pha-ssh2-key.pub.
# Just be sure to change the corresponding file name
# in ./ssh2.
If you want to use ssh only within one organization, say
within your department, then you will have only one key in
authorization. If you want to use ssh to go between
two sets of computers, say your department and your university
account, you would have multiple keys in the file.
A second file is specific to the local machine, ~/.ssh2/identification. This file specifies what private key you want to use when authenticating to other computers. So the next step is to add the following line to ~/.ssh2/identification:
IdKey id_dsa_1024_a # Again, you can rename this private key to something # more meaningful. Same rule as above applies.Keep in mind that the ~/.ssh2/identification file will vary from identity to identity (ie your isp key, work key, home key).
Use a text editor (e.g. pico, vi, gnuemacs) to add more keys (that
you've generated on other computers using ssh-keygen)
to the file. If you use cut and paste to copy the key make sure each
key entry is a single line in the file. The keys to add
are always the public keys (from key.pub files).
You should now copy the ~/.ssh2/authorization file
to other systems (in other organizations) to allow access from the
local system.
One way to copy the file is to use the scp command.
You can also send it in electronic mail, via the
ftp command or even by putting it on a floppy disk and
hand carrying it to the other computer.
~/.ssh2/ directory
~/.ssh/authorization file
myworkstation% cd myworkstation% ls -ld authorization identification id_dsa_1024_a id_dsa_1024_a.pub -rw-r--r-- 1 you you 26 Mar 26 11:29 authorization -rw-r--r-- 1 you you 11 Mar 26 11:33 identification -rw------- 1 you you 825 Mar 26 11:12 id_dsa_1024_a -rw-r--r-- 1 you you 686 Mar 26 11:12 id_dsa_1024_a.pubYou can set these permissions with these commands:
myworkstation% cd myworkstation% chmod go-w .ssh2/identification myworkstation% chmod a+rx .ssh2 myworkstation% chmod a+r .ssh/authorizationRemember to do this on all the systems you want to have access to.
ssh or the
slogin commands instead of the insecure
rsh,
rlogin or the
telnet commands. slogin is a symbolic link to ssh, so it's shorter/easier to use the ssh command. Slogin is still available only for the convenience of people who are used to it.
The only required parameter is the name of the remote system. (The pass-phrase shown below is not actually echoed back to you when you type it.)
myworkstation% ssh othercomputer Passphrase for key "/home/you/.ssh2/id_dsa_1024_a" with comment "you-ssh2@pha":red 3eagle, midnight Authentication successful. [more output from the remote machine] othercomputer%Now all of your keystrokes will be transmitted in encrypted form. If you start any X Windows programs, the X data sent back and forth will be encrypted too.
If your account name on the remote system differs from the one on
the local system (the system you are connecting from) you can use
the -l switch or ssh user@host to specify the remote account name.
(That is a lowercase L character, not the number one.)
myworkstation% ssh -l othername othercomputer Passphrase for key "/home/you/.ssh2/id_dsa_1024_a" with comment "you-ssh2@pha":red 3eagle, midnight Authentication successful. [more output from the remote machine] othercomputer%or...
myworkstation% ssh othername@othercomputer Passphrase for key "/home/you/.ssh2/id_dsa_1024_a" with comment "you-ssh2@pha":red 3eagle, midnight Authentication successful. [more output from the remote machine] othercomputer%You can change the default remote account name by creating an entry for the host in the ssh configuration file ~/.ssh2/ssh_config. Then you won't need to use the -l option to specify the remote account name every time you connect to that host.
ssh -v to get verbose output on
what is being done by the local ssh program and the remote sshd
server daemon. (That is a lowercase -v. The uppercase -V option means
"print version number and exit.")
ssh command
can also be used to run commands on remote systems without logging
in. The output of the command is displayed and control returns to
the local system. Here is an example which will display all the
users logged in on the remote system.
myworkstation% ssh myworkstation who christos ttyp8 Oct 17 20:42 (milou) myworkstation%If you are using the X Window System you can use this capability to start a terminal window to start an interactive session on the remote system.
myworkstation% ssh -n myworkstation xterm & [1] 15866 myworkstation%Use the
scp command. Starting with SSH-2, sftp
is also available to transfer files securely. If you use
ftp,
you have to send your password over the network unencrypted. If you
use rcp, you have to have insecure .rhosts or
/etc/hosts.equiv files in place beforehand. You can scp
or sftp
files around and it will encrypt your pass-phrase if it is required.
If you are comfortable with using ftp, sftp
should be very familiar - commands are based on ftp.
Sftp and scp serve slightly different purposes. If you have one file that you want to transfer quickly, scp can be more useful. If you want to copy multiple files interactively, sftp is better.
When using scp, to specify a file on a remote system, simply prefix it with the name of the remote host followed by a colon, as in this example, which copies a file from your home directory on computerB to the current directory on computerA:
computerA% scp -p computerB:aliases . computerA%The
You can copy several files in a single command if the destination is a directory. You can also copy files between two other machines. This example makes use of both of those features:
computerA% scp -p computerB:.login computerB:boofoo hn.stsci.edu:. computerA%Relative filenames resolve differently on the local system than on the remote system. On the local system the current directory is assumed (as usual with all commands). On the remote system the command runs in the home directory! Thus relative filenames will be relative to the home directory of the remote account.
More examples of scp usage can be found at the Ssh quick command reference.
NOTE: When you specify remote machines in both the source and the destination the connection to copy the files is made directly between those hosts. The files are not copied through the local system. Sometimes this makes a difference in a firewalled or otherwise restricted environment.
To transfer multiple files, an interactive session is often useful. sftp supports copying files in much the same wayas traditional ftp, but it encrypts all traffic. Don't be confused by the similarities, however - an sftp client cannot connect to an ftp server, nor can SSH-2 servers accept ftp connections (w/o setting up special forwarding configurations). Despite these fundamental underlying differences, the two share an extremely similar command syntax. Use sftp as you would ftp:
computerA% sftp computerB sftp> pwd /home/you sftp> get file file | 62 kB | 62.5 kB/s | TOC: 00:00:01 | 100%Type help at the sftp prompt to list all the commands it supports. Unlike ftp, sftp does not distinguish between ASCII and binary transfers; it only supports binary. Therefore ASCII files transferred from Windows machines will not display end-of-line characters properly.
~/.ssh2/config (there
is also a system-wide file, usually /etc/ssh_config).
Each entry starts with a Host keyword. You can use
wildcards to match all the appropriate systems:
? matches any single character
* matches any sequence zero or more characters
Compression yes/no (no)
EscapeChar character (~)
KeepAlive yes/no (yes)
User account (local account)
~/.ssh2/config file.
Host *nasa.gov
User you
Compression no
Host *jhu.edu
EscapeChar ^
Host *
Compression yes
EscapeChar !
KeepAlive no
Options are accumulated over entries, but a more specific entry will
override a less specific one. E.g. in the above compression will not
be used for hosts that match *nasa.gov but will be used
for hosts that match *jhu.edu (and all other hosts since
the * entry matches all hosts).
For a complete list of options please refer to the manual pages of
both ssh and sshd.
If you frequently open connections or copy files to remote systems you can avoid having to repeatedly type in pass-phrases by keeping some or all of your authentication keys in memory. This mode of authentication is called using "RSA keys". (If you don't do RSA, you are using either password or /etc/hosts.equiv-style authentication.) A key benefit of using ssh-agent is that you no longer need to use .rhosts or .shosts or /etc/hosts.equiv or /etc/shosts.equiv files to login or copy files without typing your passphrase. Even if a user can break into your account, as long as you used a passphrase to encrypt your private key file, they cannot do RSA authentication as you.
A program called
ssh-agent will provide decrypted authentication
keys to other machines when you connect to them with the
ssh or slogin or
scp commands. You will need to type the
pass-phrase only once -- when you load an identity into
ssh-agent with the
ssh-add program (see the
next section below).
There is a trick to this, and that is that ssh-agent will do this automatic key transmission only for programs that were started by a shell that was started by ssh-agent. UNIX programs inherit configuration information from the programs that start them ("parent" processes give their configuration to their "children" processes). For security reasons, ssh-agent checks to ensure that the program trying to use it is a child of itself.
When you start ssh-agent you need to provide it a
command to spawn. This is usually either your shell (e.g. /bin/csh)
or a command to start a windowing environment (e.g. startx to start an
X Windows session). When you exit the command, all of the keys will be
removed from memory.
Computer Center-maintained Solaris 2.6 (and later) computers start
ssh-agent automatically for you at the right place in the CDE startup process
for all of your shells to be children of ssh-agent. Therefore,
you only need to use ssh-add when using the console of these workstations.
You're welcome!
(Of course, if you login remotely, you'll need to use something like
Here are two examples, one for any UNIX environment and one for an X Windows environment.
myworkstation% ssh-agent $SHELL myworkstation%
myworkstation% xterm -exec ssh-agent /bin/csh & myworkstation%You will now need to add keys into memory with
ssh-add
to have them
available for ssh, slogin or scp commands. Those commands have to be
run by a child of the shell in the first example and from the xterm
in the second example. If you would like add keys to your current shell or xterm, you can do so by issuing the following command
myworkstation% eval `ssh-agent` Agent pid 880 myworkstation% ssh-add
See the systems administration tips page for pointers to configuring X Windows sessions to use ssh-agent for all xterm sessions.
Because of the complexity of X Windows implementations and the lack of time for testing, the Computer Center cannot assist people in using this feature to enable ssh-agent support for an entire OpenWindows or CDE session if the above information is not sufficient.
Before your connections can be authenticated without prompts for
a pass-phrase you have to use ssh-add to
add the necessary keys to memory. To add the default key on the
current system to memory no options are needed. To add keys for other
domains, you need to have the private key files for those domains
in the local .ssh2 directory.
The pass-phrase is prompted for to decrypt the key. It is not echoed back as you type it.
myworkstation% ssh-add Adding identity: /home/you/.ssh2/id_dsa_1024_a.pub Need passphrase for /home/you/.ssh2/id_dsa_1024_a (you-ssh2@pha). Enter passphrase: red 3agle, midnight myworkstation&You can specify the file that contains the key if you have multiple identities. You must use the private key file (the one that does not have the
.pub
extension, normally ~/.ssh2/id_dsa_1024_a on that particular
domain). (When creating your .ssh2/authorization file, you
need to specify all of the public key components for your multiple
domains to the same file, one per line. Therefore this part of setting up
ssh-agent can be confusing because you are supposed to have multiple files,
one for each domain, with the private key information in them.)
this is different For example
myworkstation% ssh-add ~/.ssh2/goddard Adding identity: /home/you/.ssh2/goddard.pub Need passphrase for /home/you/.ssh2/goddard (you-ssh2@goddard). Enter passphrase: red 3agle, midnight myworkstation&
To list all keys currently in memory use the
myworkstation% ssh-add -l Listing identities. The authorization agent has 2 keys: id_dsa_1024_a: you-ssh2@pha goddard: you-ssh2@goddard myworkstation%The
myworkstation% ssh-add -d ~/.ssh2/goddardYou can delete all keys from memory at once with the
myworkstation% ssh-add -DThis is useful if you have added keys into memory on remote systems and don't want to reconnect just to delete the keys.
If you use ssh to go from computerA to
computerB (and don't turn off the X forwarding feature, which is
enabled by default), ssh will set the
DISPLAY variable on computerB
to display back on computerA. Ssh will also exchange
xauth magic
cookies from computerA to computerB automatically. So you do not
have to set the DISPLAY variable by hand or run xauth by hand!
(Xauth is a more secure implementation of the
xhost program that may be more familiar to you.)
man ssh.