
ssh Suite
Many people prefer the ease of use and greater functionality of the
ssh suite of tools for secure remote access. Unlike opie, you will definitely need the
assistance of a systems administrator to install ssh. A
full installation requires root access.
The ssh suite contains: ssh itself, a secure
replacement for rlogin / rsh, to log in and
execute commands remotely; scp, a replacement for
rcp to simply copy files; and sftp, a
replacement for ftp to perform more sophisticated file
copies. ssh is described in much greater detail at the SSH Communications Security web site.
ssh sets up an encrypted link between two
machines. Authentication is performed both on the machine level and
the user level.
There are currently two major releases of ssh. Version 1
suffers from several widely publicized (and exploited) security
holes. Version 2 addresses these problems. While MSRI supports
outgoing ssh1 for backwards compatibility, we only allow
ssh2 for incoming connections.
In what follows, ssh refers to version 2 of
ssh.
ssh
ssh2 is freely available for educational use. The
educational license was recently revised to explicitly include
administration of educational sites. SSH Communications Security
maintains a list of mirrors
worldwide from which you may download the ssh2 sources.
ssh ssh you will have to set up both
the public keys which authenticate your remote machine and your
personal identity.
Every machine you connect with using ssh will have to
have an authenticating private key / public key pair. ssh
will offer to install these keys for you automatically when you first
connect. If you have difficulty doing so, your systems administrator
can provide you with the public key for your remote machine, and we
can help you with the public keys of MSRI machines.
You can generate a private key / public key pair for yourself using
the ssh-keygen utility. Your private key / public key
pair will be secured by a pass phrase and stored in two files in the
.ssh2 subdirectory of your home directory. For example,
my private and public keys are called id_dsa_1024_a
and id_dsa_1024_a.pub,
respectively. id_dsa_1024_a is readable only by me, while
id_dsa_1024_a.pub is world readable.
ssh uses these keys indirectly. Your .ssh2 directory
contains two files: identification, which has a single line
specifying the name of the private key for your account on that
machine, e.g.:
IdKey id_dsa_1024_a
and authorization, which has lines giving the names of
all the public keys you will be using to connect from
remote machines, e.g.:
Key id_dsa_1024_a.pub
N.B. While ssh-keygen creates key pairs with
these names by default, I would advise having a different pair of
names for each site, to help keep straight whether you are coming or
going. With that naming scheme, your local
.ssh2/identification would say:
IdKey here_id_dsa_1024_a
your .ssh2/authorization would say:
Key there_id_dsa_1024_a.pub
and your .ssh2 directory would contain one local private
key here_id_dsa_1024_a and several remote public keys
there_id_dsa_1024_a.pub,
elsewhere_id_dsa_1024_a.pub, etc.
Therefore, you will have to install a copy of your public key from your
remote machine into the .ssh2 subdirectory of your MSRI
account and update the identification file
accordingly. If you are not at MSRI, you may have to email the public
key to yourself and use opie to telnet to your
account and install it, or you can send email to the computing staff asking for help.
This process is described in greater detail in the ssh
man page and in the documentation accompanying the ssh
distribution.
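
A check for the layout described above, as an added example that is not part of the original page: it reads the IdKey and Key lines from identification and authorization, confirms each named file exists, and flags a private key that is accessible to group or other. The function name audit_ssh2_dir and its messages are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a .ssh2 directory laid out as described above.
# Prints one line per problem; returns 0 when clean, 1 otherwise.
# audit_ssh2_dir is a hypothetical helper name, not part of the ssh suite.
audit_ssh2_dir() {
    dir=$1
    problems=0
    # Private keys are named by "IdKey <file>" lines in identification.
    if [ -f "$dir/identification" ]; then
        while read -r kw name rest || [ -n "$kw" ]; do
            [ "$kw" = "IdKey" ] || continue
            if [ ! -f "$dir/$name" ]; then
                echo "identification: private key $name is missing"
                problems=$((problems + 1))
            # Characters 5-10 of the ls mode string are the group/other bits.
            elif [ "$(ls -ld "$dir/$name" | cut -c5-10)" != "------" ]; then
                echo "identification: private key $name is accessible to group/other"
                problems=$((problems + 1))
            fi
        done < "$dir/identification"
    fi
    # Public keys are named by "Key <file>" lines in authorization.
    if [ -f "$dir/authorization" ]; then
        while read -r kw name rest || [ -n "$kw" ]; do
            [ "$kw" = "Key" ] || continue
            if [ ! -f "$dir/$name" ]; then
                echo "authorization: public key $name is missing"
                problems=$((problems + 1))
            fi
        done < "$dir/authorization"
    fi
    [ "$problems" -eq 0 ]
}

# When run as a script with a directory argument, audit that directory.
if [ $# -gt 0 ]; then
    audit_ssh2_dir "$1"
fi
```

Run it as a script with the path to your .ssh2 directory as its argument; an empty result means every key named in the two files was found and the private key is closed to group and other.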
ssh
ssh is extremely easy to use. To log in
to MSRI from afar, simply ssh to sshost.msri.org. If your logins
for MSRI and your remote account are different, you will have to use
the form
ssh -l your_MSRI_login sshost.msri.org
ssh will even set
the DISPLAY environment variable to your remote machine, if
possible. scp is similar.
ssh Does Authentication
Joe Christy Fri Feb 12 05:24:59 PST 1999