SSH Quick Guide
Written by Scott Ostrander   
Thursday, 02 February 2006 08:07

What is SSH?

SSH (Secure Shell) is a suite of programs that allow a secure connection to machines in the School of Computing. It was designed to be a drop-in replacement for rsh, rcp, and rlogin, can also replace telnet and ftp, and has become the de facto method for remote shell access to UNIX-based systems. The advantage that SSH provides is that all network communication is encrypted with one of a variety of strong encryption methods (Blowfish, triple-DES, etc). The secure shell commands also provide strong authentication of hosts (using public-key host keys), which protects against man-in-the-middle attacks as long as you verify a host's key fingerprint the first time you connect to it and treat a later unexpected change of that key as a warning rather than something to answer "yes" to. An additional benefit of using ssh is that it redirects any X11 traffic over the secure channel automatically, so you don't even have to worry about setting the DISPLAY environment variable.

Currently, the SoC Facility is using the OpenSSH suite for its ssh implementation.

Using SSH

Using ssh is easy. Just type ssh hostname at a command line and it will prompt you for your password and log you into the remote machine. Similarly, you can run scp or sftp commands; they should be intuitive commands to use. However, we recommend you read their man pages to become familiar with their options and arguments. (Note that we have another SoC Facility faq that covers how to transfer files using SSH).

Available Hosts?

The primary "host" which is available to all SoC users is shell.cs.utah.edu. This is a load-balanced alias which will take you to a cluster of hosts. 

SSH Version?

You should be using SSHv2 to connect to all of our services. The older SSHv1 protocol has known cryptographic weaknesses and should not be used.

Using RSA/DSA Keys

RSA and DSA are public-key algorithms used for a more secure form of authentication than your password. Both are supported by OpenSSH, and it is up to you which, if any, you would like to use (note that OpenSSH 7.0 and later disable DSA keys by default, so RSA is the safer choice of the two today). These algorithms rely on a key pair, your public key and your private key; the private key is stored encrypted under your passphrase. A passphrase is similar to a password, except it can be a phrase with a series of words, punctuation, numbers, whitespace, or any string of characters you want. Good passphrases are 10-30 characters long, are not simple sentences or otherwise easily guessable (English prose has only 1-2 bits of entropy per character, and provides very bad passphrases), and contain a mix of upper and lowercase letters, numbers, and non-alphanumeric characters.

To use either RSA or DSA authentication, you will need to perform two steps (using RSA authentication as an example; the 1024-bit key length shown below was typical in 2006 but is no longer considered adequate, so on a current system use -b 3072 or larger):

  1. Generate your keys:

    commandprompt:> ssh-keygen -t rsa -b 1024
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/cclake/.ssh/id_rsa):
    Created directory '/home/cclake/.ssh'.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/cclake/.ssh/id_rsa.
    Your public key has been saved in /home/cclake/.ssh/id_rsa.pub.
    The key fingerprint is:
    99:73:4a:48:5f:97:8c:de:b0:30:4e:07:59:a7:21:16 cclake@shell
    commandprompt:> ls -al .ssh
    total 16
    drwx------ 2 cclake cs-class 4096 2005-01-12 15:47 .
    drwxr-xr-x 7 cclake cs-class 4096 2005-01-12 15:47 ..
    -rw------- 1 cclake cs-class 951 2005-01-12 15:47 id_rsa
    -rw-r--r-- 1 cclake cs-class 222 2005-01-12 15:47 id_rsa.pub
    commandprompt:>
  2. Copy your public key into your authorized_keys file:

    commandprompt:> cp .ssh/id_rsa.pub .ssh/authorized_keys

     Note that cp overwrites any authorized_keys file you already have; if you have one, append instead with cat .ssh/id_rsa.pub >> .ssh/authorized_keys. The file must be writable only by you (chmod 600 .ssh/authorized_keys), as must your .ssh directory, because sshd ignores the file otherwise. If your home directory is not shared with the machine you are connecting to, the public key has to be appended to ~/.ssh/authorized_keys on that machine instead.
Once that is done, the next time you use ssh, scp or sftp to connect to another machine, you will be prompted for your passphrase instead of your password. Please note that there is no way to recover a lost passphrase, so memorize it. If you do lose it, you will have to generate new keys from scratch and install the new public key again.
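The two steps above as one shell function, added here as an example (it is not code from the original guide): it appends a public key to ~/.ssh/authorized_keys only if that key is not already present, so repeated runs or a second copy of the same key with a different comment do not clobber or duplicate anything, and it sets the directory and file modes sshd requires. The function names are this example's own, and the key material in the demo is constructed, not a real key.

```shell
#!/bin/sh
# Added example (not from the original SoC guide): install a public key
# into ~/.ssh/authorized_keys as step 2 intends, but without clobbering
# keys already there, and with the modes sshd's StrictModes requires
# (it ignores authorized_keys if it or ~/.ssh is group/world-writable).
# Function and variable names here are this example's own.

# install_authorized_key HOMEDIR PUBKEY_LINE
#   Append PUBKEY_LINE to HOMEDIR/.ssh/authorized_keys unless an entry with
#   the same key material is already present. Returns 0 on success.
install_authorized_key() {
    home="$1"
    pubkey="$2"
    sshdir="$home/.ssh"
    authfile="$sshdir/authorized_keys"

    # An OpenSSH public key line is "TYPE BASE64 [comment]"; compare on the
    # base64 key material so the same key with a different comment is not
    # installed twice.
    keymat=$(printf '%s\n' "$pubkey" | awk 'NF >= 2 { print $2 }')
    if [ -z "$keymat" ]; then
        echo "install_authorized_key: malformed public key line" >&2
        return 1
    fi

    oldmask=$(umask)
    umask 077                           # anything we create is owner-only
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || { umask "$oldmask"; return 1; }
    touch "$authfile" && chmod 600 "$authfile" || { umask "$oldmask"; return 1; }

    if ! grep -qF -- "$keymat" "$authfile"; then
        printf '%s\n' "$pubkey" >> "$authfile"
    fi
    umask "$oldmask"
}

# count_authorized_keys HOMEDIR
#   Number of key entries (non-blank, non-comment lines) in authorized_keys.
count_authorized_keys() {
    f="$1/.ssh/authorized_keys"
    [ -f "$f" ] || { echo 0; return; }
    awk 'NF > 0 && $1 !~ /^#/ { n++ } END { print n + 0 }' "$f"
}

# mode_of PATH  -> the ten-character permission string, e.g. drwx------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Demo on a throwaway home directory with a constructed (not real) key.
demo_home=$(mktemp -d)
install_authorized_key "$demo_home" \
    'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedKeyMaterial cclake@shell'
echo "keys installed: $(count_authorized_keys "$demo_home")"
echo "mode of .ssh: $(mode_of "$demo_home/.ssh")"
rm -rf "$demo_home"
```

On a real account you would call install_authorized_key "$HOME" "$(cat ~/.ssh/id_rsa.pub)"; the umask is saved and restored so that running the function from an interactive shell does not change how that shell creates files afterwards.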

 

Using ssh-agent

ssh-agent is a program that holds your decrypted private key in memory and answers authentication requests on your behalf, so you don't have to type in your passphrase every time you want to log into a machine. The way to invoke ssh-agent is to give it a process that you want to run with your authentication credentials, usually a shell. Then you invoke the command ssh-add, which will prompt you for your passphrase. From then on, you should be able to use any of the ssh commands without typing in your passphrase:

 

    commandprompt:> ssh-agent /bin/tcsh
    new_commandprompt:> ssh-add
    Enter passphrase for /home/cclake/.ssh/id_rsa:
    Identity added: /home/cclake/.ssh/id_rsa (/home/cclake/.ssh/id_rsa)
    new_commandprompt:> ssh shell.cs.utah.edu /bin/hostname
    shell
    new_commandprompt:> exit
    exit
    commandprompt:> ssh shell.cs.utah.edu /bin/hostname
    Enter passphrase for key '/home/cclake/.ssh/id_rsa':
    shell
    commandprompt:>

 

Note that once the shell started under ssh-agent exits, the agent exits with it, and you can no longer ssh around without entering your passphrase.

Using ssh-agent with keychain

ssh-agent can be kind of a pain to use, as you have to run it for each process/shell that you want to use it with. Some people run their entire window managers under ssh-agent to avoid typing their passphrases zillions of times, but there is an easier way: keychain.

keychain manages ssh-agent for you, and allows you to keep one copy of ssh-agent running per machine. Its use is quite simple. Just run keychain from the command line. This will fire up ssh-agent for you and create two files, named after the host, in a directory called .keychain (one for sh-style shells and one for csh-style shells). You need to source the one for your shell to set up communications with ssh-agent, then run ssh-add to enter your passphrase, and then you are good to go.

 

    commandprompt:> keychain

    KeyChain 2.3.4; http://www.gentoo.org/projects/keychain
    Copyright 2002-2004 Gentoo Technologies, Inc.; Distributed under the GPL

    * Initializing /home/cclake/.keychain/trust-sh file...
    * Initializing /home/cclake/.keychain/trust-csh file...
    * Starting ssh-agent

    commandprompt:> source .keychain/trust-csh
    commandprompt:> ssh-add
    Enter passphrase for /home/cclake/.ssh/id_rsa:
    Identity added: /home/cclake/.ssh/id_rsa (/home/cclake/.ssh/id_rsa)
    commandprompt:> ssh shell.cs.utah.edu /bin/hostname
    shell
    commandprompt:>

 

The benefit of this is now you can log out, fire up another shell, or do whatever, and all you need to do is run keychain again, source the host file, and off you go.

 

    commandprompt:> keychain

    KeyChain 2.3.4; http://www.gentoo.org/projects/keychain
    Copyright 2002-2004 Gentoo Technologies, Inc.; Distributed under the GPL

    * Found running ssh-agent (25130)

    commandprompt:> source .keychain/trust-csh
    commandprompt:> ssh shell.cs.utah.edu /bin/hostname
    shell
    commandprompt:>

This is easily put into your .cshrc or .bashrc file so that it is done automatically when you log in. Here is an example of what you can put in your .bashrc file: it defines a shell function named kch, so that all you need to do is type kch when you want to start using ssh on a host without typing your passphrase more than once:

    # Define a shell function kch that starts (or reattaches to) keychain's
    # ssh-agent and loads your key if the agent does not already have it.
    kch() {
        kch_bin=`type -p keychain`
        # keychain names its host files after the short hostname (e.g. trust-sh)
        hostfilename=`uname -n | sed 's/\..*//'`
        if [ -n "$kch_bin" ]; then
            $kch_bin
            if [ -f ~/.keychain/${hostfilename}-sh ]; then
                echo "Sourcing ~/.keychain/${hostfilename}-sh..."
                . ~/.keychain/${hostfilename}-sh
                # ssh-add -l lists the keys the agent holds; add ours only if missing
                if ! ssh-add -l | grep -q id_rsa; then
                    ssh-add
                fi
            else
                echo "No keychain host file found."
            fi
        else
            echo "keychain script was not found!"
        fi
    }

 

Of course, this would have to be modified slightly to work with a .cshrc file.
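What keychain's "Found running ssh-agent" check amounts to, written out in portable sh as an added example (this is neither the guide's nor keychain's own code): the saved host file is read without being sourced, and the agent it names is reused only if its process is still alive and its socket still exists. A stale host file is the usual failure mode after a reboot; sourcing it blindly sets SSH_AUTH_SOCK to a dead socket, and every ssh command silently falls back to asking for the passphrase. The function names, the SSH_AGENT_BIN override and the sample file contents in the demo are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide or from keychain itself: the
# liveness check behind keychain's "Found running ssh-agent" message, in
# portable sh. Function names and the file layout are this example's own.

# agent_env_value FILE VAR
#   Read VAR from a file of "VAR=value; export VAR;" lines (the format both
#   `ssh-agent -s` and keychain's *-sh host files write) without sourcing
#   it, so a corrupted or tampered file cannot run commands in your shell.
agent_env_value() {
    sed -n "s/^$2=\([^;]*\);.*/\1/p" "$1" 2>/dev/null | head -n 1
}

# agent_env_is_live FILE
#   Return 0 only if FILE names a numeric SSH_AGENT_PID that is still running
#   and an SSH_AUTH_SOCK that still exists and is a socket.
agent_env_is_live() {
    envfile="$1"
    [ -r "$envfile" ] || return 1
    pid=$(agent_env_value "$envfile" SSH_AGENT_PID)
    sock=$(agent_env_value "$envfile" SSH_AUTH_SOCK)
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;          # missing or not a number
    esac
    [ -n "$sock" ] && [ -S "$sock" ] || return 1
    kill -0 "$pid" 2>/dev/null            # signal 0 only tests existence
}

# start_or_reuse_agent FILE
#   Reuse the agent recorded in FILE if it is alive, otherwise start a fresh
#   one and record it in an owner-only file. Prints the file to source:
#       . "$(start_or_reuse_agent ~/.keychain/$(uname -n | sed 's/\..*//')-sh)"
#   SSH_AGENT_BIN (assumed name) lets a test substitute the agent command.
start_or_reuse_agent() {
    envfile="$1"
    if ! agent_env_is_live "$envfile"; then
        ( umask 077; ${SSH_AGENT_BIN:-ssh-agent} -s > "$envfile" ) || return 1
    fi
    printf '%s\n' "$envfile"
}

# Demo on a constructed host file whose agent (pid 4242) is long gone.
demo=$(mktemp)
printf 'SSH_AUTH_SOCK=/tmp/ssh-demo/agent.4241; export SSH_AUTH_SOCK;\n' > "$demo"
printf 'SSH_AGENT_PID=4242; export SSH_AGENT_PID;\necho Agent pid 4242;\n' >> "$demo"
if agent_env_is_live "$demo"; then echo "agent alive"; else echo "stale host file"; fi
rm -f "$demo"
```

kill -0 checks only that the process exists and is yours, so a PID that has been recycled by an unrelated process of yours would still pass that test; the socket check catches most of those cases, since ssh-agent removes its socket directory on a clean exit and a reboot clears /tmp.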

SSH and Windows

If you want to use SSH on a Windows system, we recommend using SecureCRT, a program that implements the SSH protocol in a windows environment. This is a licensed program that can be purchased from UofU Software Licensing site. One thing to note, you will want to make sure you set your protocol to "SSH2" when using SecureCRT to connect to SoC Facility UNIX machines.

Another recommended program is PuTTY, which is free and can be downloaded from the PuTTY website. One advantage of PuTTY is that you can run it directly off their web site (this is useful if you are at an Internet cafe or some other site where you need to use ssh but do not have the ability or privilege of installing software). Bear in mind that anything you type on a shared or public machine, including your password, can be captured by software already on that machine, so treat a password typed there as exposed.