
Security: SSH


CONTENTS:
     o What is SSH?
     o Download SSH 
     o WebSSH
     o Instructions
       o Logging in using SSH Passphrase
       o SSH w/o passwords in 1111 Linux Cluster (manually)
       o SSH w/o passwords in 1111 Linux Cluster (parallel computing)
       o Running programs remotely with SSH and Exceed
     o SSH info
       o SSH Public and Private KEYS
       o Features
       o SSH-Agent
       o How to replace rsh/rcp/rlogin with SSH


What is SSH?

SSH (Secure Shell) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels. It is intended as a replacement for rlogin, rsh, and rcp.

SSH protects the user from illicit network snooping ("packet sniffing"), whereby un-encrypted passwords and text can be read by unscrupulous persons.

SSH is most useful for logging into a UNIX computer from a Windows computer or from another UNIX computer, where the traditional 'telnet' and 'rlogin' programs would not provide password and session encryption; the DECF administrative personnel use SSH exclusively in preference to telnet or rlogin, except in cases where SSH is not available.

SSH serves a purpose that is similar to Kerberos, but it works consistently amongst different operating systems and is easier to administer (no ticket server is required, and sysadmin privileges are not required to set it up). SSH Secure Shell for Workstations includes several features of interest:

  • Full replacement for telnet, rlogin, rsh, rcp, and ftp
  • Fully integrated secure file transfer and file copying with a graphical user interface
  • Optional automatic authentication of users
  • No passwords sent in cleartext to prevent the stealing of passwords
  • Multiple strong authentication methods that prevent such security threats as spoofing identity

To use ssh to connect to a host, just type

        ssh hostname

(the same way you would use telnet or rlogin). If you are connecting to a host for the first time, you will be asked for confirmation. Type "yes" and hit return. You now have an encrypted connection to that host. Additionally, you should be able to transparently run X (graphical) applications without setting any additional variables.

Download SSH

SSH Clients

SSH Public and Private KEYS

When you first use ssh, it asks you to invent an "RSA identity passphrase". It generates public and private keys for you, in files called "identity.pub" and "identity". The "identity" file should not be readable by anyone but you.

On UNIX, those files are located in your .ssh directory. On Windows, they are typically located in your top-level home directory folder.

Features

SSH has a number of excellent security features beyond the basic encryption of your password and login session as they pass over the net. SSH can provide a stronger encryption algorithm ("RSA") and it can allow X11 and other network protocols to securely "tunnel" through your encrypted SSH session as they pass over the net.
SSH commands include:

   sshd         Server program run on the server machine.  This
                listens for connections from client machines, and
                whenever it receives a connection, it performs
                authentication and starts serving the client.

   ssh          This is the client program used to log into another
                machine or to execute commands on the other machine.
                "slogin" is another name for this program.

   scp          Securely copies files from one machine to another.

   ssh-keygen   Used to create RSA keys (host keys and user
                authentication keys).

   ssh-agent    Authentication agent.  This can be used to hold RSA
                keys for authentication.

   ssh-add      Used to register new keys with the agent.

   make-ssh-known-hosts
                Used to create the /etc/ssh_known_hosts file.

  For more information, see the manual pages ssh(1), sshd(8), scp(1),
  ssh-keygen(1), ssh-agent(1), ssh-add(1), and make-ssh-known-hosts(1).

What is SSH-Agent?

Ssh-agent is a program to hold authentication private keys. The idea is that ssh-agent is started at the beginning of an X session or a login session, and all other windows or programs are started as children of the ssh-agent program. ssh-agent stores your (private) authentication keys for ssh. This means that if you're using it, you won't have to enter the passphrase to unlock the key every time you ssh to a remote machine.

How to Replace rsh/rcp/rlogin with SSH

   Old Command                                   New Command
   rsh hostname [ -n ] [ -l username ] command   ssh hostname [-l username] command
   rlogin [ -l username ] hostname               ssh hostname [-l username]
   rcp [ -p ] filename1 filename2                scp user@hostname:filename user@hostname2:filename2

If you want to be able to use ssh and scp without passwords, see the next section.

Logging in using SSH Passphrase

Example. Login from myclient.berkeley.edu into myserver.berkeley.edu using a passphrase.
  1. ssh myclient.berkeley.edu
  2. cd .ssh2/
    If there is no .ssh2 directory, run something like "ssh localhost"; the directory is created for you the first time.
  3. Generate a private key with an empty passphrase by issuing: ssh-keygen myclient
    Two files will be created:
       ~/.ssh2/myclient      Your private key.
       ~/.ssh2/myclient.pub  Your public key.  Can be shared.  
  4. Edit your ~/.ssh2/identity file. The identity file specifies which file contains your private key.
    IdKey myclient
  5. Copy the ~/.ssh2/myclient.pub on myclient.berkeley.edu to the server kepler.berkeley.edu. Do not ftp the file! You can copy and paste it, or run the following from myclient.berkeley.edu:
    scp ~/.ssh2/myclient.pub myserver:~/.ssh2/myclient.pub
  6. ssh to myserver.berkeley.edu, the server.
  7. Edit the ~/.ssh2/authorization file on kepler. This specifies which key is authorized to connect to the server.
    Key myclient.pub
  8. Now test it by ssh'ing from myclient.berkeley.edu to myserver.berkeley.edu

Secure Remote Access Without Passwords (manually)

Due to the unique setup of the 1111 Etch lab, you can use ssh-agent to avoid entering your username/password when logging in between machines in the cluster.
  1. Log into kepler.berkeley.edu on the console or using ssh.
  2. cd .ssh2/
    If there is no .ssh2 directory, run something like "ssh localhost"; the directory is created for you the first time.
  3. Generate your key by issuing: ssh-keygen decf
    You will be prompted for a passphrase. Choose your passphrase carefully! Do not re-use your password; that defeats the purpose. Here are some guidelines for picking passphrases:
       * Should be between 25 and 80 characters
       * Should not be English text (or any other human language)
       * Should not be the name of any entity, person, place, ...
       * Should not be anything anyone could guess from hearing you talk
    
    Two files will be created:
       ~/.ssh2/decf      Your private key.
       ~/.ssh2/decf.pub  Your public key.  Can be shared.  
  4. Edit your ~/.ssh2/identification file:
    IdKey decf
  5. Start ssh-agent by issuing: ssh-agent /bin/tcsh
  6. Add your key to the agent: ssh-add
    You'll be prompted for your passphrase.
    You can now try ssh'ing to any of the hosts in the cluster. You should not be prompted for a password.
  7. To ssh to other machines outside of the 1111 Etch Linux cluster w/o entering your password, you need to:
    • ssh to the remote machine and edit the ~/.ssh2/authorization file:
      Key decf.pub
    • Copy the ~/.ssh2/decf.pub file to the remote machine's ~/.ssh2/decf.pub

Secure Remote Access Without Passwords among DECF clusters

To be able to ssh among DECF clients w/o a password:
  1. Log into kepler.berkeley.edu on the console or using ssh.
  2. Generate your key by issuing: ssh-keygen -P decf
     Two files will be created:
       ~/.ssh2/decf      Your private key.
       ~/.ssh2/decf.pub  Your public key.  Can be shared.  
  3. Edit your ~/.ssh2/identification file:
    IdKey decf
  4. Edit your ~/.ssh2/authorization file:
    Key decf.pub
  5. Now you will be able to ssh into any of the Linux clients w/o a password. You will still need to provide one if you're connecting remotely.
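The identification and authorization edits that the three procedures above perform by hand, as an added shell example that is not part of this help page: it registers an already generated key pair NAME and NAME.pub in a .ssh2 directory without duplicating lines on repeated runs, and checks that the private key is readable only by its owner. The function names and the stat-based mode check are this example's own assumptions; it assumes the key pair was created beforehand (e.g. with "ssh-keygen NAME").

```shell
#!/bin/sh
# Added example, not from the original help page. Assumes NAME and NAME.pub
# already exist in DIR (an SSH2-style ~/.ssh2 directory).
# Usage: register_ssh2_key ~/.ssh2 decf && check_private_key ~/.ssh2/decf

# register_ssh2_key DIR NAME: write the IdKey/Key lines idempotently and
# tighten permissions on the directory and the private key.
register_ssh2_key() {
    dir=$1
    name=$2
    [ -f "$dir/$name" ] || { echo "missing private key $dir/$name" >&2; return 1; }
    [ -f "$dir/$name.pub" ] || { echo "missing public key $dir/$name.pub" >&2; return 1; }
    chmod 700 "$dir"
    chmod 600 "$dir/$name"
    # Client side: tell ssh which private key to offer.
    grep -qx "IdKey $name" "$dir/identification" 2>/dev/null ||
        echo "IdKey $name" >> "$dir/identification"
    # Server side: authorize the matching public key (only appended once).
    grep -qx "Key $name.pub" "$dir/authorization" 2>/dev/null ||
        echo "Key $name.pub" >> "$dir/authorization"
}

# check_private_key FILE: succeed only when group and others have no access.
# Uses GNU stat (-c %a) and falls back to BSD stat (-f %Lp); assumption.
check_private_key() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null)
    case $mode in
        [0-7]00) return 0 ;;
        *) echo "$1 is accessible to others (mode ${mode:-unknown})" >&2; return 1 ;;
    esac
}
```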


The following SSH help files are available:

  • Quickstart for SSH2

  • Advanced
    How to use some of the more advanced features of ssh, such as agent forwarding (only have to type your password once!) and X authentication spoofing (never have to type "xhost" or "setenv DISPLAY" again!)

  • Ssh to another machine without password or passphrase. Contact consult@newton.berkeley.edu if you want to do this. It is highly recommended that you do not do so except for cron job purposes.

 


Comments to consult@newton.berkeley.edu
© 1998-2009 UC Regents