SecureShell

From UMIACS
Revision as of 14:26, 3 March 2009 by Pjk (talk | contribs) (added ssh key section)
Jump to navigation Jump to search

Secure Shell (or SSH) is a network protocol allowing two computers to exchange data securely over an insecure network. By default use of SSH brings the user to a terminal, but the protocol can be used for other types of data transfer such as SFTP and SCP.

Connecting to an SSH Server

Under RedHat Linux 3, 4, and 5, and Mac OS X, the following command from a terminal will connect a client computer to the UMIACS OpenLAB.

# ssh bkirz@openlab.umiacs.umd.edu

This will give you access to a terminal on any one of the OpenLAB servers. Note that by default you will not have access to applications that require X11 to run.

On Windows XP or Vista hosts there are no SFTP clients installed by default. Users can install either which will enable SSH and SFTP access.

Alternatively, all users can use the UMIACS Intranet SFTP Web Applet located here without installing any additional software.

X11 Forwarding

By default, SSH only gives the user shell access to a host. Enabling X11 Forwarding allows users to run applications with Graphical User Interfaces.

Under RedHat Linux 3, 4, and 5, and Mac OS X, the following command from a terminal will connect a client computer to the UMIACS OpenLAB using X11 Forwarding.

# ssh -X bkirz@openlab.umiacs.umd.edu

Note: Mac users must have X11 installed in their systems for X11 forwarding to work. This can be checked by looking for X11.app in /Applications/Utilities. You can find the installer here.

Windows users can enable X11 forwarding in PuTTY by opening the PuTTY Configuration Pane, and checking the box marked "Enable X11 Forwarding" under Categories->Connection->SSH->Tunnels.

Note that the UMIACS Intranet SFTP Web Applet does not allow X11 Forwarding.

SSH Tunneling

You can tunnel one or more ports through an SSH connection such that your packets will look like they are coming from the host you are tunneling to. This is helpful for services that you would be normally blocked by a firewall.

Please see the SecureShellTunneling page for more information.

Passwordless SSH with SSH Keys

There are some situations where it is important to be able to ssh without entering a password. This is mostly required when working in clusters. This is done using ssh keys. Instead of authenticating with a password, ssh can use a pre-defined set of encryption keys to establish an authorized connection. To setup passwordless ssh, do the following.

First, create an ssh key pair:

 # ssh-keygen -t dsa

The command will prompt you for a passphrase. If you use a password, you will need to enter it at the beginning of your work session. This is preferable as it is more secure but may cause problems for some clustered work If you simply hit [enter], you will never be prompted for a password when ssh'ing which can lead to security problems.

This will produce two files, id_dsa and id_dsa.pub, the private and public keys respectively. Once you've created the keys, you will need to put them into place as follows:

 # mkdir ~/.ssh
 # chmod 700 ~/.ssh
 # mv id_dsa ~/.ssh
 # chmod 600 ~/.ssh/id_dsa
 # touch ~/.ssh/authorized_keys2
 # chmod 600 ~/.ssh/authorized_keys2
 # cat id_dsa.pub >> authorized_keys2
 # rm id_dsa.pub

It is very important that you keep your private key secure! Ensure that it is chmod'd to 600 and that you do not put it anywhere visible to other users!

If you did not select a passphrase when you generated your keys, you can now ssh without a password. If you did select a passphrase, you will need to activate the keys as follows:

 # ssh-agent [SHELL]
 # ssh-add -t [TIME]

In this case, "[SHELL]" is your preferred shell and "[TIME]" is the amount of time you'd like the key to be active in seconds. So, the following would start a bash shell with passwordless ssh active for 30 minutes:

 # ssh-agent bash
 # ssh-add -t 1800

You will be prompted for your passphrase and, when entered correctly, you will be able to ssh without entering a password.

To disable this functionality, simply delete your private key file (~/.ssh/id_dsa) and remove the public key from your ~/.ssh/authorized_keys2 file.

Further Information

OpenSSH

Windows Clients