Secure SHell [SSH] is a set of programs intended to replace and extend the functionality of the insecure "r"-programs: rlogin, rsh and rcp. It does this by employing encryption and authentication, surpassing rlogin's ".rhosts" mechanism with a secure one.
SSH encrypts all data in the connection between the local machine [the machine from which the connection is being made] and the remote machine [the machine which is being connected to]. In addition to encrypting the keystrokes and screen data, SSH will also encrypt and forward X11 connections. In this case, the user does not have to manually set the DISPLAY variable on the remote machine, as SSH will take care of it all automagically.
SSH can be used to:
SSH is currently being deployed across campus. SSH is available on UCB's undergraduate CS machines and socrates.berkeley.edu. As well, uclink[234]?.berkeley.edu will be supporting SSH in the near future. Your local system administrator can be contacted to determine the availability of [or to encourage the installation of] SSH on other machines. The most recent issue of Berkeley Computing & Communications contains an article on SSH in relation to the UCB campus environment.
SSH is freely available for UNIX from the SSH Home Page - http://www.cs.hut.fi/ssh/ .
Information about commercial Windows and Mac versions of SSH is available from DataFellows at their F-Secure SSH page - http://www.datafellows.com/f-secure/fclintp.htm .
UCB campus departments should contact WSS Software Distribution for information regarding discounted license pricing.
SSH relies on the knowledge of a slight amount of data stored by the user. SSH is based on RSA-encryption, and like all public-key systems, the user needs both a public and private key to use the system; as well, SSH needs a random number generator seed, which is user-specific. The ssh-keygen program generates this data for the user; ssh-keygen generates the following files:
jsled@josh.asynchronous.org$ [~] ssh-keygen Initializing random number generator... Generating p: ................................++ (distance 528) Generating q: ...++ (distance 50) Computing the keys... Key generation complete. Enter file in which to save the key (/home/jsled/.ssh/identity): <RETURN> Enter passphrase: <user-entered passphrase> Enter the same passphrase again: <same user-entered passphrase> Your identification has been saved in /home/jsled/.ssh/identity. Your public key is: 1024 37 570995861311744913699852643840495620503105177916202595981143078740421447 07234725107032716031313676352354759768729079333048192564496060745735388393675040 48251376663323088994798943255485136598021692118911541230193385758280090695891602 5590978882896036684032728595904115093929448135894970165679059780624183271411 jsled@josh.asynchronous.org Your public key has been saved in /home/jsled/.ssh/identity.pub
The data for the local machine has been created. The same should be done for all accounts from which the user would like to use SSH. In effect, a separate identity [public/private key pair] is created for each account.
The public key is then copied by the user to the remote machine, where is it placed in the file ~/.ssh/authorized_keys; this file can be made public since it only consists of public keys. The file controls access to account on the remote machine. It works in a manner similar to the ~/.rhosts file, since it defines a list of identities which have access to the system. However, it is fundamentally secure, whereas .rhosts [and the whole rlogin/rcp/rsh mechanism] is not. The easiest way to copy this data between machines is to use copy-and-paste and cat, IMHO. FTP, rcp or ssh can also be used to do this.
Notice that I've only described, above, the setup for one of the authentication methods. That's because it's the only one that really should be used. Forget about using .rhosts, .shosts and any of the hosts.equiv stuff... it's just no good, and it's what SSH was created to replace].
The most relevant command form for use of ssh is:
ssh [-l login_name] hostname [command]The hostname is the name of the remote machine you are attempting to connect to. If the -l login_name option is not specified, the current local user's login name will be used. For instance, if I'm using the account jsled@josh.asynchronous.com and I'm attempting to connect to joshua@cafe.berkeley.edu, and I use the command:
jsled@josh.asynchronous.org [~] ssh cafe.berkeley.eduI will not be able to connect, because ssh is trying to connect with jsled@cafe.berkeley.edu. I would need to use the command:
jsled@josh.asynchronous.org [~] ssh -l joshua cafe.berkeley.eduwhich will connect to the appropriate account.
The optional command argument is a command to be executed on the remote machine. The output of this single command will be returned, and ssh will exit with the same status as the command on the remote machine. This is similar to use of rsh, but offers the benefits of ssh.
At this point, a connection will be established between the two machines. SSH will set up X11 forwarding from the remote machine to the local machine; any X11 programs started on the remote machine will automagically used this encrypted channel to transmit X11 data. It will appear as a normal, telnet- or rlogin-created connection. Enjoy.
Every instance of ssh requires the user to enter the passphrase for their private key. If multiple connections are established by the user, this can be annoying. SSH provides a mechanism to get rid of this annoyance, however, which offers another advantage at the same time.
The ssh-agent program make life simpler for the heavy SSH user. ssh-agent runs in the background, and manages user identities. The ssh-add program allows the user to add an identity to ssh-agent. When ssh-add is run, the passphrase for the private key is asked for. After that point, whenever ssh is run, ssh will communicate with ssh-agent to get the private key info; the passphrase is not asked for. In addition, ssh-agent will forward that identity on to the remote machine; in effect, the identity of the user on the local machine can be used to connect to other machines from the remote machine.
Notice, however, that use of ssh-agent entails a slight security risk. Since the passphrase for the user's identity is not asked for, anyone can sit down at the terminal and use SSH to connect to a remote machine. You'll want to use ssh-agent only from a secure local machine.
In order to allow future instances of ssh to contact ssh-agent, it must be run as the parent of these processes. This means that it must start [or start a parent of] all processes which want to use it. There are two reasonable ways to do this:
ssh-agent startx
Then, after the new shell or X comes up, issue the command:
ssh-addwhich will add your current identity [as specified in ~/.ssh/identity] to ssh-agent. Future ssh sessions will then have access to your identity. With command-line options, you can also add multiple identities as specified in other files.
You may ask why adding other identities would be useful. ssh-agent, however, offers another benefit. If requested through an option in ~/.ssh/config, all identities which the local ssh-agent knows about will be forwarded to other machines. If you add these identities at the local machine [and therefore enter their passphrases on the local machine], they will be automagically propagated to all machines you are connected to through SSH.
This section describes some of the more advanced use of SSH. This section is not necessary for everyday use of SSH, but it will make everyday use much easier.
SSH supports the ability to forward ports on both the local and remote machines. This allows you to access non-telnet services through an encrypted channel. You can forward a local port to port 110 on another machine, for instance, to securely check POP mail on that machine.
Forwarding local ports is the most useful option. This allows you to specify a local port number which can then be used securely access a remote port. This is the manner by which you can forward port 61234 to port 110 on machine foobar.berkeley.edu; when you point your mail reader to check 'localhost:61234' for POP mail, it will really [securely] be connecting to 'remotehost:110', and the mail reader will get the POP service it expects on the remote machine.
FIXME : The commands for this aren't working out correctly... I'm working on it... - jsled
There are many configuration options; to see them all with their descriptions, look at the CONFIGURATION FILES section of the man page ssh(1). The more useful options are summarized below.