SSH(Secure SHell) is an alternative to telnet and the r-tools (including rlogin, rcp, etc). SSH uses strong encryption algorithyms to encrypt the transfered information (including passwords).
SSH is important to use because with rlogin and telnet, all the information transfered is in clear-text. The problem posed here is that if someone installed a sniffer on your network, then they can get all the information they want, including passwords to your system. By encrypting all the information, the sniffer would pick up the impossible to read transfered text. Please refer to the handout for an example.
Note: The RSA encryption algorhythm is under a patent with the U.S. patent office. You should not use RSA in a commercial environment. If using OpenSSH, use Blowfish, the default. The patent expires later this year.
SSH works on many different platforms including:
For Linux, there are three main client/server packages:
SSH 1.x - SSH 1.x is the most used of the official SSH versions. SSH 1.x uses a "Free for non-commecial use" license that disallows the user from selling the product for a profit or to be used for financial gain. SSH 1.x, at the time of this writing, is 1.2.27.
Note: On July 6, SSH 1.2.29 and 1.2.30 were both released. Not only did they include security fixes, but they included the same license which 2.x has. We highly recommend you switch to OpenSSH.
SSH 2.X - SSH 2.x is not as widely used as SSH 1.x, due to the tighter license. SSH 2.x falls under a "Free for non-commercial use" license, as does SSH 1.x. However, SSH 2.x requires the user to pay a fee for use in a commercial environment. At the time of this writing, SSH2 is at version 2.2.0.
OpenSSH - OpenSSH is a SSH clone, written by some of the OpenBSD developers. As of OpenSSH 2.1.1, OpenSSH contains support for both SSH 1.x and SSH 2.x protocols. OpenSSH 2.x is released under the BSD license. At thetime of writing, OpenSSH 2.1.1 is the latest.
For non-Unix systems, there are a few recommended clients:
PuTTY (Windows) - PuTTY is an open-source Windows client that will do SSH, telnet, and raw connections. PuTTY is licensed under the PuTTY License, which is both Open Source Certified and complies with the Debian Free Software Guidelines. The main page for PuTTY is: http://www.chiark.greenend.org.uk/~sgtatham/putty/
Mindterm (Java) - Mindterm is an open-source Java client that will connect to an SSH server. Mindterm can be loaded inside of a web browser as an applet to connect a user to a SSH server. Mindterm is licensed under the GPL. The webpage for Mindterm is: http://www.mindbright.se/mindterm/
SecureCRT (Windows) - SecureCRT is a widely used SSH client. SecureCRT is a closed-source product and costs $99 for a single computer license. The SecureCRT website is at: http://www.vandyke.com/products/securecrt/index.html
You can download each of the sources from the official websites. All the websites necessary can be found through Freshmeat.net.
Note: If installing OpenSSH on a non-OpenBSD system, download the port version. The port version is shown with a p in the file- name.
www.ssh.com(SSH 1.x and SSH 2.x)
First, type in ./configure ; make to run the configure script and then compile the sources. The ../configure switches and arguments are in man ssh. Once completed, as root, type in make install. At this point, the system should almost be ready to run ssh client and/or server. ssh needs to be uncommented from /etc/services. Start the daemon, by typing sshd & as root. The server should now accept remote ssh connections.
Note: zlib (compression library) and OpenSSL are both required to compile OpenSSH. zlib is included in some distributions.
The remote host needs to have SSH installed. Only certain clients will connect to certain servers.
SSH 1.x client - Connects to SSH 1.x and OpenSSH servers.
SSH 2.x client - Connects to SSH 2.x and OpenSSH servers.
OpenSSH client - Connects to SSH 1.x, SSH 2.x, and OpenSSH servers.
Note: For this demonstration, we have boxes with the following configuration:
Debian - OpenSSH
Red Hat 5.2 - SSH
To do a basic connection to an SSH server, the syntax is: ssh -l user_name IP . -l specifies the username to connect to. The IP is the IP or hostname of the system which to connect to. All the possible switches and arguments for ssh are located in man ssh. The system will prompt for a password. Upon authentication, a shell is opened to the proper user. From this point on, a SSH session acts the same as a telnet session.
Note: Upon connection the first time, the user will receive the following message:
RSA key fingerprint is 74:4c:1e:86:04:2a:ac:ab:c2:cd:32:ff:19:76:80:fc. Are you sure you want to continue connectinog (yes/no)?
Answer "yes". The fingerprint will vary from computer to computer.
To quit a SSH session, type exit to fall back to the local prompt.
The default configuration file for SSH is /etc/sshd.config for the daemon. The options for sshd.config can be found in man sshd.
The default configuration file for SSH is /etc/ssh.config for the client. The options for ssh.config can be found in man ssh.
scp is used to encrypt file copies between two computers. scp is compiled on default. scp requires that a SSH server is running on the system being connected to. scp does not require any configuration.
To send a file to a remote computer:
scp file user@remote_host:
For example, to send snort-1.6.tar.gz to user masq at host 192.168.10.2, one would use:
scp snort-1.6.tar.gz firstname.lastname@example.org:
Note: The colon(:) at the end of the line is mandatory.
To recieve a file from a remote system:
For example, to pull snort-1.6.tar.gz from the user masq at host 192.168.10.2, one would use:
SSH-Agent is used to security do authentication through keys for all applications by wrapping them with SSH.
"Ssh-agent is a program to hold authentication private keys. The idea is that ssh-agent is started in the begin ning of an X-session or a login session, and all other windows or programs are started as children of the ssh- agent program (the command normally starts X or is the user shell). Programs started under the agent inherit a connection to the agent, and the agent is automatically used for RSA authentication when logging to other machines using ssh." - man ssh-agent
ssh-keygen is used to generate and manage authentication keys for SSH. This program is normally run once upon running ssh to create a $home/.ssh/identity file.
ssh-add is used to add identities to the authentication agent, ssh-agent.