SSH Quick Guide
Written by Scott Ostrander
Thursday, 02 February 2006 08:07
What is SSH?
SSH (Secure Shell) is a suite of programs that allows a secure connection to machines in the School of Computing. It was designed to be a drop-in replacement for rsh, rcp, and rlogin, can also replace telnet and ftp, and has become the de facto method for remote shell access to UNIX-based systems. The advantage that SSH provides is that all network communication is encrypted with one of a variety of strong encryption methods (Blowfish, triple-DES, etc.). The secure shell commands also provide strong authentication between hosts (using RSA authentication), protecting against man-in-the-middle attacks. An additional benefit of using ssh is that it redirects any X11 traffic over the secure channel automatically, so you don't even have to worry about setting the DISPLAY environment variable.
Currently, the SoC Facility is using the OpenSSH suite for its ssh implementation.
Using ssh is easy. Just type ssh hostname at a command line and it will prompt you for your password and log you into the remote machine. Similarly, you can run scp or sftp commands; they should be intuitive commands to use. However, we recommend you read their man pages to become familiar with their options and arguments. (Note that we have another SoC Facility FAQ that covers how to transfer files using SSH.)
The primary "host" which is available to all SoC users is shell.cs.utah.edu. This is a load-balanced alias which will take you to a cluster of hosts.
You should be using SSHv2 to connect to all of our services.
Using RSA/DSA Keys
RSA and DSA are protocols used for a more secure form of authentication than your password. Both are supported by OpenSSH, and it is up to you which, if any, you would like to use. These protocols rely on what are called your public and private keys; the private key is protected by your passphrase. A passphrase is similar to a password, except it can be a phrase with a series of words, punctuation, numbers, whitespace, or any string of characters you want. Good passphrases are 10-30 characters long, are not simple sentences or otherwise easily guessable (English prose has only 1-2 bits of entropy per character, and provides very bad passphrases), and contain a mix of upper and lowercase letters, numbers, and non-alphanumeric characters.
To use either RSA or DSA authentication, you will need to perform two steps (using RSA authentication as an example):
Once that is done, the next time you use ssh, scp or sftp to connect to another machine, you will be prompted for your passphrase instead of your password. Please note that there is no way to recover a lost passphrase, so please memorize it. If you do lose it, you will have to generate new keys from scratch.
ssh-agent is a special program that manages authentication for you, so you don't have to type in your passphrase every time you want to log into a machine. You invoke ssh-agent with the command you want to run with your authentication credentials, usually a shell. Then you invoke the command ssh-add, which will prompt you for your passphrase. From then on, you should be able to use any of the ssh commands without typing in your passphrase:
commandprompt:> ssh-agent /bin/tcsh
Note that once the shell running under ssh-agent exits, you can no longer ssh around without entering your passphrase.
Using ssh-agent with keychain
ssh-agent can be kind of a pain to use, as you have to run it for each process/shell that you want to use it with. Some people run their entire window managers under ssh-agent to avoid typing their passphrases zillions of times, but there is an easier way: keychain.
keychain manages ssh-agent for you, and allows you to keep one copy of ssh-agent running per machine. Its use is quite simple. Just run keychain from the command line. This will fire up ssh-agent for you, and create two files (one per shell family) in a directory called .keychain. You need to source the file for your shell to set up communications with ssh-agent, then run ssh-add to enter your passphrase, and then you are good to go.
The benefit of this is now you can log out, fire up another shell, or do whatever, and all you need to do is run keychain again, source the host file, and off you go.
commandprompt:> keychain
This is easily put into your .cshrc or .bashrc file so that it is done automatically when you log in. Here is an example of what you can put in your .bashrc file, so that all you need to do is type kch when you want to start using ssh on a host without typing your passphrase more than once:
kch=`type -p keychain`   # locate the keychain binary (bash: type -p prints its path)
Of course, this would have to be modified slightly to work with a .cshrc file.
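As an added example that is not part of the original guide, here is a fuller kch helper for a .bashrc. It starts or re-attaches to the per-host agent through keychain, sources the host file (keychain's ~/.keychain/<hostname>-sh naming is assumed), refuses that file if anyone else could have altered it, and prompts for the passphrase only when the agent holds no keys yet. The function names and the KCH_DIR override are my own, not keychain's.

```bash
#!/usr/bin/env bash
# kch: start (or re-attach to) this host's ssh-agent via keychain, source the
# host file keychain writes, and load keys only if the agent is still empty.
# Assumption: keychain writes ~/.keychain/<hostname>-sh (its convention);
# KCH_DIR may be overridden to point somewhere else (used by tests).

# Path of the host file keychain writes for a shell family ("sh" or "csh").
kch_agent_file() {
    printf '%s/%s-%s\n' "${KCH_DIR:-$HOME/.keychain}" "$(uname -n)" "${1:-sh}"
}

# Source the host file so this shell can talk to the running agent.
# The file sets SSH_AUTH_SOCK, so refuse one we do not own or that others can
# write: a tampered file would point our ssh clients at someone else's agent.
kch_source() {
    local f
    f="$(kch_agent_file sh)"
    if [ ! -f "$f" ]; then
        echo "kch: no agent file at $f; run keychain first" >&2; return 1
    fi
    if [ ! -O "$f" ] || [ -n "$(find "$f" \( -perm -g+w -o -perm -o+w \) -print)" ]; then
        echo "kch: refusing to source $f (not owned by you or writable by others)" >&2
        return 1
    fi
    # shellcheck disable=SC1090
    . "$f" >/dev/null
    [ -n "${SSH_AUTH_SOCK:-}" ] || { echo "kch: $f did not set SSH_AUTH_SOCK" >&2; return 1; }
}

# What you type once per host after logging in.
kch() {
    command -v keychain >/dev/null 2>&1 || { echo "kch: keychain not in PATH" >&2; return 1; }
    keychain --quiet || return 1        # starts ssh-agent only if none is running here
    kch_source || return 1
    local rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) ;;                           # keys already loaded: no passphrase needed
        1) ssh-add || return 1 ;;       # agent is empty: prompt for the passphrase once
        *) echo "kch: cannot reach the agent at $SSH_AUTH_SOCK" >&2; return 1 ;;
    esac
}
```

Because kch reuses the agent keychain already started, a second login on the same host only sources the file and finds the keys loaded, so the passphrase is typed once per host rather than once per shell.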
If you want to use SSH on a Windows system, we recommend using SecureCRT, a program that implements the SSH protocol in a Windows environment. This is a licensed program that can be purchased from the UofU Software Licensing site. Note that you will want to make sure you set your protocol to "SSH2" when using SecureCRT to connect to SoC Facility UNIX machines.
Another recommended program is PuTTY, which is free and can be downloaded from the PuTTY website. One advantage of PuTTY is that you can run it directly off their web site (this is useful if you are at an Internet cafe or some other site where you need to use ssh but do not have the ability or privilege to install software).