UNIX AT JILA: Secure Shell (SSH)

Secure Shell (SSH)

SSH (Secure Shell) is a program that enables a user to log into another computer over a network, to execute commands on a remote machine, and to move files from one machine to another. It provides strong authentication and secure (encrypted) communications over insecure channels. SSH is intended as a complete replacement for rlogin, rsh, rcp, and rdist. It can also replace telnet and ftp in virtually all cases. The features of the Secure Shell include:

All communications are automatically and transparently encrypted. Encryption is used to protect against sniffing (when someone intercepts and views data moving along a network connection.)
Incoming connections are carefully authenticated to help prevent spoofing (when one computer is made to masquerade as another.)
X-windows forwarding provides secure remote display of X application windows.
Arbitrary TCP/IP ports can be redirected over the encrypted channel in both directions. This allows for the possibility of providing a secure "tunnel" for insecure protocols such as POP3, IMAP, or telnet.

Obtaining SSH
SSH is normally pre-installed on all Unix/Linux systems and on Macintosh OS X. An SSH client program for Windows is available for free from ssh.com. For older Macs, try MacSSH.

Using SSH
To log into one Unix system from another, just type "ssh name.of.remote.machine.edu" on the command line, then enter your password when prompted. If your username on the remote system is not the same as the local one, use "ssh username@name.of.remote.machine.edu". To log out, simply type "exit".

To log in to a Unix machine using the Windows SSH client, start up the client (which should have a desktop icon), click on "Quick Connect", enter "name.of.unix.system.edu" in the "Host Name" box, your username in the "User Name" box, click "Connect", and enter your password when prompted. To disconnect, type "exit".

To execute a remote command (for example, "ls -l") on a remote Unix machine (call it Workstation A) from another, type "ssh WorkstationA "ls -l"" and you'll get back a listing of your home directory.

File transfer with scp/sftp
SSH includes secure file transfer capability, which can be used in place of ftp.

The Windows SSH installation by default provides a Secure File Transfer desktop icon. Using this program, connect to the remote Unix system using the steps in the previous section, and then drag and drop your data files between the resulting PC window and the Unix system window.

Unix users can run "sftp" from the command line; its syntax and functionality are equivalent to normal Unix ftp. "scp" is also available on Unix systems. It works just like rcp. For example, if you are on WorkstationA and want to copy file.txt to WorkstationB, type

scp /local/path/to/file.txt WorkstationB:/path/to/target/directory

You will be prompted for your password on WorkstationB. If you are on WorkstationB and want to copy file.txt from WorkstationA, type

scp WorkstationA:/path/to/file.txt /path/to/local/target/directory

You can also transfer an entire directory structure recursively using "scp -r".

Using ssh and scp without a password
With rsh and rlogin, you can create a .rhosts file that allows you to log in from selected workstations without supplying a password. The ssh commands offer similar functionality, but in a much more secure fashion, by using public-key/private-key authentication.

To allow yourself to log in from WorkstationA to WorkstationB without a password, follow this procedure:

a) Log in to WorkstationA.

b) Type

cd .ssh
ssh-keygen -t dsa

Just hit Return at all the prompts, including the one for the passkey. This command creates a file called "id_dsa.pub" in your $HOME/.ssh directory which contains your public key.

c) From your $HOME/.ssh directory, type

scp id_dsa.pub WorkstationB:/tmp/Akey

d) Log in to WorkstationB and cd to your .ssh directory.

e) Type

cat /tmp/Akey >> authorized_keys2
rm /tmp/Akey
chmod 600 authorized_keys2

You should now be able to run ssh and scp from A to B without having to enter a password. Keep in mind that if someone manages to break into your account on A, then she has immediate access to your account on B. Thus, you will probably want to use this procedure sparingly. Note also that if your home directory on Workstation A is shared with Workstations C and D, when you follow the procedure above, you'll be able to log in to B from any of A, C, or D.

Using ssh with eXceed
In order to display an X-window from a Unix system back to your Windows PC over SSH, you first need to have an X-server program (like Hummingbird eXceed) running on the PC. Once you have eXceed installed, use the following steps to send individual display windows back to your PC's desktop.

In the commercial SSH client for Windows, choose Edit-Settings-Tunneling and check the box for "Tunnel X11 Connections".
Log in to the Unix machine via the SSH client as usual.
In eXceed's Xconfig program, choose "Display and Video" and make sure the "Multiple" radio button is checked.
Start eXceed. If a host chooser window appears, click on the "Passive" button.
From your SSH login, you can run an X-enabled program and the resulting display will appear in a separate window right on your PC desktop.
Note: when you run X applications from the command prompt in your SSH login window, put an ampersand (&) after the command so that you can continue working at the prompt.
Another Note: make sure to close all the X-windows before logging out with SSH!

Updated: Mon May 9 13:01:40 MDT 2005