SSH (Secure Shell) first and foremost is a secure replacement for the r* programs (rlogin, rsh, rcp, rexec). The reason it is secure is that the whole session, your password included, is encrypted so that nothing is ever sent over the network in clear text; it can use RSA keys to authenticate the user to the server, and it also uses RSA keys to authenticate the server to the user, so you can tell when the machine you are talking to is not the one you think it is.
I am making the assumption that you're using the Unix version of ssh (as this is written for the consumption of the Irish Linux Users Group, and the Windows SSH clients are both commercial and crap, I think that's a valid assumption).
Download yourself a copy of the latest ssh at ftp://ftp.cs.hut.fi/pub/ssh/ to begin with (version 1.2.26 as of this writing). After untarring the archive it is the standard configure, make, make install procedure for any good GNU source package. All you have to do now is run sshd to start up the standalone ssh daemon listening on port 22 of your server. There's your basic ssh setup: type ssh host to connect to host with your standard unix password. X clients are automatically forwarded through the encrypted channel to your display, and you can get help on the ssh escape sequences by typing ~? at the start of a line.
If you get adventurous and try sshing to other servers, be warned that you'll be told that the host key is not found in the list of known hosts. This is the public key found in the host's /etc/ssh_host_key.pub file. If you choose to continue to connect, this key will be added to your $HOME/.ssh/known_hosts file. The rationale behind this is that if somebody else ever masquerades as this host, their host key would be different to the entry in known_hosts and ssh will instantly notice and tell you so. The catch is that the very first connection is taken on trust, so for a host you care about compare the key you are accepting with the real /etc/ssh_host_key.pub obtained some other way. The ssh package comes with a program called make-ssh-known-hosts which looks up all the hosts in a DNS domain and adds their host keys to the /etc/ssh_known_hosts file, which is also consulted, so that the users of your machine don't each have to accept every key themselves.
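The known_hosts logic described above, written out as an added example (this is not code from the ssh package or from the article): parse a known_hosts file, then treat a host as new, matching, or a mismatch, adding it only when the user accepts it and refusing a changed key outright. The file contents and key material are constructed sample data, not real keys; the parser accepts both the ssh 1.x line form (host bits exponent modulus) and the later host keytype base64key form.

```python
"""Trust-on-first-use host key check, the way ssh uses known_hosts.

Added example, not part of the original article or of the ssh package.
It understands both the ssh 1.x line form "host bits exponent modulus"
and the later "host keytype base64key" form; the hostnames and key
material below are constructed sample data, not real keys.
"""

SAMPLE_KNOWN_HOSTS = """\
# constructed sample known_hosts (not real keys)
poo.smooch,poo 1024 37 12345678901234567890123 root@poo.smooch
bastion.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC+notarealkey= comment
"""


def parse_known_hosts(text):
    """Return {hostname: (keytype, key)} for every name on every line."""
    known = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        if parts[1].isdigit():
            # ssh 1.x form: host bits exponent modulus [comment]
            if len(parts) < 4:
                continue
            entry = ("rsa1", parts[2] + " " + parts[3])
        else:
            # newer form: host keytype base64key [comment]
            entry = (parts[1], parts[2])
        for name in parts[0].split(","):   # one line may carry several aliases
            known[name] = entry
    return known


def check_host_key(known, host, keytype, key):
    """'new' if host is unknown, 'ok' if the key matches, 'MISMATCH' otherwise."""
    entry = known.get(host)
    if entry is None:
        return "new"
    if entry == (keytype, key):
        return "ok"
    return "MISMATCH"


def decide(known, host, keytype, key, accept_new):
    """Mimic ssh's behaviour: an unknown host is added to known_hosts only if
    the user accepts it; a changed key is refused.  Returns (status, proceed)."""
    status = check_host_key(known, host, keytype, key)
    if status == "new":
        if accept_new:
            known[host] = (keytype, key)     # what answering "yes" does to known_hosts
        return status, accept_new
    if status == "MISMATCH":
        return status, False                 # somebody may be masquerading as host
    return status, True


if __name__ == "__main__":
    hosts = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    print(decide(hosts, "poo.smooch", "rsa1", "37 12345678901234567890123", False))
    print(decide(hosts, "poo.smooch", "rsa1", "37 99999", True))
    print(decide(hosts, "new.smooch", "rsa1", "37 42", True), "new.smooch" in hosts)
```

The interesting case is the second call: the host is known but offers a different key, and no amount of saying "yes" gets you through, which is exactly the point of keeping known_hosts.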
The programs themselves:
Sshd is configured via the /etc/sshd_config file. I recommend you look at the man page to pick out all the gory details; it lets you do stuff like only allow/deny certain hosts or users login access using ssh, set idle timeouts, specify what kind of authentication you want (unix password, rhosts or RSA, which I'll come back to later) and kerberos authentication. Most of these options are already in the default config file so you can just modify that. Sshd reads the file when it starts, so restart it (or send it a HUP) after editing.
ssh reads $HOME/.ssh/config and the global configuration file /etc/ssh_config when it starts up. Yet again, read the man page for details; most of it is pretty straightforward except for the TCP forwarding options -L and -R. Forwarding assumes that you can login to a remote host via ssh. If so then you can use ssh as a secure channel to access unencrypted remote network services such as ftp or pop (it's also a handy way of getting around firewalls).
ssh -L 12345:poo.smooch:21 poo.smooch
will make an ssh connection to host poo.smooch. If poo.smooch has sshd running you will be presented with what appears to be a normal login session. Behind the scenes however ssh is listening on port 12345 on your local machine; connections to that port will be forwarded over your ssh session, then an unencrypted connection is made from the remote side of your ssh session to port 21 on poo.smooch, so that as far as the remote ftp server is concerned somebody just ran a normal ftp session from poo.smooch to itself. Two caveats: with ftp only the control connection (port 21) goes through the tunnel, the separate data connections ftp opens for each transfer still go in the clear; and anybody who can connect to port 12345 on your machine (other users of the same box, unless it's yours alone) gets to use your tunnel. ssh -R does the same thing only in reverse: the listening port is on the remote host, and connections to it come back over the session to a host and port on your side.
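The mechanics of the -L forwarding just described, as an added example that is not code from the ssh package: a listener on a local port accepts a connection, opens a connection to the target, and pumps bytes both ways. Real ssh carries those bytes inside the encrypted session and the remote sshd makes the final hop to port 21; here both ends are on loopback, the "remote service" is a stand-in echo server, and the OS picks the ports (port 0) rather than the article's 12345, so the whole thing runs offline.

```python
"""A minimal TCP relay showing the client-side plumbing of
`ssh -L 12345:poo.smooch:21 poo.smooch`.

Added example, not code from the ssh package.  Real ssh carries the bytes
inside the encrypted session and the remote sshd makes the final hop to
port 21; here both ends are on loopback and the "remote service" is a
stand-in echo server, so everything runs offline.  Ports are chosen by
the OS (port 0) rather than the article's 12345.
"""
import socket
import threading


def listen_local(port=0):
    """Bind a listener on 127.0.0.1 only (what -L does without -g)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", port))
    s.listen(1)
    return s


def _pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then pass the EOF on."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def forward_once(listener, target):
    """Accept one client on listener, connect to target (host, port) and
    relay in both directions: one forwarded connection."""
    client, _ = listener.accept()
    remote = socket.create_connection(target)
    up = threading.Thread(target=_pump, args=(client, remote))
    down = threading.Thread(target=_pump, args=(remote, client))
    up.start()
    down.start()
    up.join()
    down.join()
    client.close()
    remote.close()


def _echo_once(listener):
    """Stand-in for the ftp daemon on poo.smooch: echo one connection back."""
    conn, _ = listener.accept()
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data)


def through_tunnel(payload):
    """Send payload through the relay to the echo service and return what
    comes back.  The service only ever sees a connection from 127.0.0.1,
    just as the real ftp server sees one from poo.smooch itself."""
    service = listen_local()
    tunnel = listen_local()
    threading.Thread(target=_echo_once, args=(service,), daemon=True).start()
    threading.Thread(target=forward_once,
                     args=(tunnel, service.getsockname()), daemon=True).start()
    chunks = []
    with socket.create_connection(tunnel.getsockname()) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)      # tell the far end we are done sending
        while True:
            data = c.recv(4096)
            if not data:
                break
            chunks.append(data)
    service.close()
    tunnel.close()
    return b"".join(chunks)


if __name__ == "__main__":
    print(through_tunnel(b"USER anonymous\r\n"))
```

Note what is missing compared to ssh: no authentication of either end and no encryption on the wire, which is why the real tool runs this inside an authenticated, encrypted session rather than as a bare relay.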
ssh-keygen is the program used for generating RSA key pairs. Run ssh-keygen -f /etc/ssh_host_key -N '' if you need to generate new /etc/ssh_host_key and /etc/ssh_host_key.pub files (make install generates these for you by default). Running ssh-keygen on its own you are asked for a passphrase; this can allegedly be any length you want. Note that the passphrase is only used to encrypt your private key on disk and to unlock it locally: when you enable RSA authentication in the sshd configuration file, what goes to the host is an RSA proof that you hold the key, never the passphrase itself. It generates two files, $HOME/.ssh/identity (the private key, keep it to yourself) and $HOME/.ssh/identity.pub. These are your default RSA identity keys (you can create different identities by running ssh-keygen -f identity_file, then use them by running ssh -i identity_file host).
Appending identity.pub to $HOME/.ssh/authorized_keys of any account on any computer allows you the luxury of logging into that account with your passphrase instead of the account's password. It also has the added security that somebody must also have your identity file before the passphrase would do them any good (and the passphrase before the identity file is any use to them). Another cool thing about authorized_keys is that you can prepend options to the start of a public key so that if somebody logs into an account with the corresponding passphrase and identity file, those options can do things like allow connections only from certain hosts, deny certain types of ssh forwarding, set environment variables or just execute certain commands.
from="localhost",command="echo potatoes" 1024 37
the above line in my $HOME/.ssh/authorized_keys will allow only people coming in from localhost to use that identity, and it'll simply say potatoes and log you off (command= replaces whatever the client asked to run, so this is how you hand out a key that can do one job and nothing else). The user@host part at the end of the key line is just a comment that ssh-keygen puts there; it doesn't do anything.
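How sshd reads such a line, as an added example that is not code from the ssh package: split the options off the front (they end at the first space outside double quotes), parse them, apply the from= pattern list the way sshd does (* and ? wildcards, a leading ! denies even if another pattern matches), and work out what the login may do. The key line is a constructed sample with a made-up modulus.

```python
"""Parse an ssh 1.x authorized_keys line with options and apply the from=
restriction the way sshd does.

Added example, not code from the ssh package.  The key line below is a
constructed sample (the modulus is made up); the option names, the
quoting rules and the pattern semantics (*, ?, and a leading ! to negate)
are those documented for ssh 1.x authorized_keys.
"""
import fnmatch

SAMPLE_LINE = (
    'from="localhost,*.smooch,!evil.smooch",command="echo potatoes",'
    'no-port-forwarding 1024 37 12345678901234567890123 me@poo.smooch'
)


def split_line(line):
    """Return (options dict, key, comment).  Options end at the first space
    outside double quotes; a line starting with a digit has no options."""
    line = line.strip()
    if line[0].isdigit():
        opt_str, rest = "", line
    else:
        in_quotes, i = False, 0
        while i < len(line):
            ch = line[i]
            if ch == "\\" and in_quotes:
                i += 1                      # skip the escaped character
            elif ch == '"':
                in_quotes = not in_quotes
            elif ch == " " and not in_quotes:
                break
            i += 1
        opt_str, rest = line[:i], line[i:].strip()
    fields = rest.split(None, 3)            # bits exponent modulus [comment]
    key = " ".join(fields[:3])
    comment = fields[3] if len(fields) > 3 else ""
    return parse_options(opt_str), key, comment


def parse_options(s):
    """'from="a,b",command="x",no-pty' -> {'from': 'a,b', 'command': 'x', 'no-pty': True}"""
    opts, i = {}, 0
    while i < len(s):
        j = i
        while j < len(s) and s[j] not in "=,":
            j += 1
        name = s[i:j]
        if j < len(s) and s[j] == "=":
            if j + 1 >= len(s) or s[j + 1] != '"':
                raise ValueError("option value must be double-quoted: " + name)
            k, val = j + 2, []
            while k < len(s) and s[k] != '"':
                if s[k] == "\\" and k + 1 < len(s):
                    k += 1                  # \" inside a value
                val.append(s[k])
                k += 1
            if k >= len(s):
                raise ValueError("unterminated quote in option " + name)
            opts[name] = "".join(val)
            i = k + 1
        else:
            opts[name] = True               # flag option such as no-pty
            i = j
        if i < len(s) and s[i] == ",":
            i += 1
    return opts


def host_allowed(pattern_list, host):
    """sshd semantics: a match on a !pattern denies regardless, otherwise the
    host is allowed if any positive pattern matches."""
    allowed = False
    for pat in pattern_list.split(","):
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            allowed = True
    return allowed


def authorize(line, client_host, requested_command):
    """Decide what a login with this key from client_host may do, or None."""
    opts, key, comment = split_line(line)
    if "from" in opts and not host_allowed(opts["from"], client_host):
        return None                         # key refused from this host
    return {
        "key": key,
        "comment": comment,
        # a forced command overrides whatever the client asked for
        "command": opts.get("command", requested_command),
        "port_forwarding": "no-port-forwarding" not in opts,
        "x11_forwarding": "no-X11-forwarding" not in opts,
        "pty": "no-pty" not in opts,
    }
```

The from= check is done against the client's address, so it is only as strong as the name lookup behind it; command= is the option that really limits what a stolen key can do, since the client's requested command is simply ignored.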
ssh-agent is a daemon that holds a user's authentication keys in memory so that when that user runs ssh, ssh-agent automatically does the RSA authentication for that user, saving him the bother of entering the passphrase himself. What you do is run ssh-agent with an arbitrary command (usually a shell) as its argument. Now that command and all its child ssh sessions can be automatically authenticated by ssh-agent, but ssh-agent holds no keys by default. You need to run ssh-add [file] where file contains a private identity key such as those generated by ssh-keygen ($HOME/.ssh/identity is the default if no files are specified). You'll be asked to enter the passphrase for that private key. From now on, any ssh session that uses that identity will be automatically authenticated. You can add as many identities as you like; ssh-add -l lists the ones currently loaded in ssh-agent. The agent never hands the decrypted key back out, it only answers authentication challenges, but anybody who can talk to its socket (root, or somebody running as you) can use your keys for as long as it holds them, so remove them with ssh-add -d (or -D for all of them) when you're done.
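What ssh-agent actually does for ssh, and the RSA authentication mentioned under ssh-keygen above, as one added example (not code from the ssh package): a toy RSA key pair stands in for identity and identity.pub, an Agent object holds private keys and answers challenges without ever handing the key out, and a Server object plays the sshd side. It is a simplified sketch of the ssh 1.x scheme, in which the server encrypts a random challenge to the client's public key and the client proves it could decrypt it by returning the MD5 of the challenge and the session id; the real protocol pads the challenge before encrypting and runs inside the encrypted session. The primes are fixed Mersenne primes so the example is quick and deterministic, which is of course not how real keys are made.

```python
"""Toy version of the RSA challenge-response that ssh-agent performs for ssh.

Added example, not code from the ssh package.  Simplified sketch of the
ssh 1.x scheme: server encrypts a random challenge to the client's public
key; client returns MD5(challenge || session_id).  Real ssh pads the
challenge before encrypting and runs this inside the encrypted session.
The primes are fixed Mersenne primes, chosen so the example is fast and
n fits in the 32-byte challenge field; real keys are not made this way.
"""
import hashlib
import hmac
import secrets

P1, Q1 = (1 << 61) - 1, (1 << 89) - 1       # 2^61-1 and 2^89-1 are prime
P2, Q2 = (1 << 61) - 1, (1 << 107) - 1      # a second, different key pair
E = 65537


def make_keypair(p=P1, q=Q1):
    """Return ((n, e), (n, d)): stands in for ssh-keygen."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


class Agent:
    """Holds private keys in memory and answers challenges for them
    (ssh-agent).  The private key never leaves the agent."""

    def __init__(self):
        self._keys = {}

    def add(self, pub, priv):            # ssh-add
        self._keys[pub] = priv

    def identities(self):                # ssh-add -l
        return list(self._keys)

    def answer(self, pub, encrypted_challenge, session_id):
        """Decrypt the challenge and return the proof ssh sends back."""
        n, d = self._keys[pub]
        challenge = pow(encrypted_challenge, d, n)
        return hashlib.md5(challenge.to_bytes(32, "big") + session_id).digest()


class Server:
    """The sshd side: authorized_keys lookup, challenge, verification."""

    def __init__(self, authorized_pubs):
        self.authorized = set(authorized_pubs)

    def challenge(self, pub):
        if pub not in self.authorized:
            return None                  # key not in authorized_keys
        n, e = pub
        c = secrets.randbelow(n)         # n < 2**256, so c fits in 32 bytes
        return c, pow(c, e, n)

    def verify(self, c, session_id, response):
        expected = hashlib.md5(c.to_bytes(32, "big") + session_id).digest()
        return hmac.compare_digest(expected, response)


def rsa_login(server, agent, pub, session_id):
    """What ssh does when RSA authentication is on and an agent is running."""
    issued = server.challenge(pub)
    if issued is None or pub not in agent.identities():
        return False
    c, encrypted = issued
    return server.verify(c, session_id, agent.answer(pub, encrypted, session_id))


if __name__ == "__main__":
    pub, priv = make_keypair()
    agent = Agent()
    agent.add(pub, priv)                 # ssh-add, passphrase typed once here
    print(rsa_login(Server([pub]), agent, pub, secrets.token_bytes(16)))
```

Two things the test below pins down: the server only ever sees the public key and a hash, so the passphrase is never on the wire; and somebody who has your identity.pub (it is in authorized_keys, after all) but not your identity file cannot answer the challenge, which is the "added security" the article mentions.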
scp is the ssh version of rcp which lets you copy a file to (or from) a remote host over the encrypted channel, e.g.
scp $HOME/.ssh/identity poo.smooch:.ssh/identity
would copy my identity file to my account on host poo.smooch (scp uses your current username when none is given). Bear in mind that's the private key: the remote side only needs identity.pub in its authorized_keys to let you in, so unless you really want the same identity on both machines, generate a separate key there and copy only identity.pub across.
slogin is just a symlink to ssh
- go to www.replay.com or ftp.replay.com for lots of info on encryption, security etc., but especially ssh rpms for redhat
- Tera Term Pro is a windows terminal emulator, useful for telnetting to unix boxen from win95 etc. It has an SSH extension called TTSSH which means that you can log into a secure linux box from win95 securely, over ssh instead of telnet.
- I may at some stage in the future explain the procedure involved in turning a default redhat box into a secure (as far as possible) box:
- Upgrading packages re errata
- Installing ssh bits
- Editing inetd.conf to strip out unnecessary bits.
has free win32 & win16 ssh clients, together with the
cryptography .DLLs needed for using them.
Copyright belongs to the author.
About the author, Ka Chun Leung.
First please note that you should no longer use ssh protocol version 1 as it is vulnerable, always use version 2.
While I'm here I feel I should mention PuTTY, which is a simple set of free (MIT/X licence) ssh client tools for Windows. Another item worthy of note (though it's under a proprietary licence) is MindTerm, which is an ssh suite written in Java that includes the ability to provide a local ftp proxy to a remote sftp server (no more plain text ftp logins).