July 31st, 2004 09:46 PM
I haven't really seen anything on SSH so I figured I'd give a post as to what SSH is and how to use it. Keep in mind this is only for *nix machines. I may put up a Windows SSH tutorial later.
Simply put, all telnet sessions are transmitted in plain text. So if you are at home, and log into a machine via telnet, your username and password are transmitted in plain text from your home machine across the internet to the machine. Anyone along the way can see/record your username and password, and later use it to log in to your systems as you, access your files and email. SSH provides you with a simple and uniform way to solve those problems, while at the same time it provides you with an easier login experience.
How does SSH work?
SSH solves 2 different problems with regular telnet: authentication and encryption.
Authentication refers to how a server knows that you are who you say you are. In regular telnet, so long as you have the matching password to your username, you are let in. However, as was mentioned earlier, when you type your username and password, anyone along the way could be monitoring your connection, capture your username/password, and later use it to log in as you.
SSH allows you to solve this problem in 2 ways. At a very minimum, if you log in with username and password, the transmission between your client and the server is encrypted. SSH also allows you to log in with RSA or DSA public/private key authentication. In this case, you generate a public/private key pair. You upload a copy of your public key to a machine. From now on, when you try to log in, the server uses your public key to send you a challenge that only the holder of your private key (hopefully just you) can answer. While this scheme is much safer, it does have one major flaw: anyone who gets hold of your private key can log in as you. Hence you must be very careful about securing your private key.
Encryption is solved using a variety of encryption algorithms. Everything you type and receive in an ssh connection is encrypted. This would prevent people from seeing what commands you are typing, or from reading your email when you have it open.
What are known hosts, and why does it ask me about them?
Short answer: The first time you log into each machine, you'll be asked if you want to add the host key to your known hosts. Say yes.
Longer answer: Each time you log into a machine using ssh, the protocol checks the server's key (this is different from the individual user keys which you set up above). If the server's key doesn't match what your ssh client remembers (or if your client has never connected to this server before), it will ask you if you want to accept that host key.
Why? This is to verify that the machine you are connecting to is really the machine you think it is. There is a class of attacks known as "man in the middle" attacks. The way they work is that someone sets up a new server, and hijacks a DNS name (perhaps like steve.yourdomain.com). Their goal is to let you log in, and hope that they can then steal your password, or modify your account to do things you don't want it to do on other machines.
Luckily ssh will notice if this happens, and will tell you. So, when you are asked if you want to accept a host key, you should accept it if you've never connected to that machine from this client before. But if you have connected before, then either the machine has been reinstalled and the key changed, or you are not connecting to where you think you are connecting.
Commands and Such
SSH can work just like telnet. At a very minimum you can simply replace commands that you use today as follows:
Old Command Secure Equivalent
If you do nothing else, you'll be prompted for your password on connect. If you're happy with things working like this, you can stop reading after you find out how to connect from Windows or Mac.
How to set up your Unix account to accept ssh without passwords
If you create a public/private key pair, you will be able to log in to any machine you have access to without entering your password. Having these keys set up also replaces the need for a .rhosts file if you use rlogin, rsh or rcp.
The setup of the public/private key is relatively simple, follow these steps:
* mkdir ~/.ssh
* chmod og-rwx ~/.ssh
* ssh-keygen -b 2048 -t rsa -f ~/.ssh/id_rsa -N ''
* cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
How to log into one Unix machine from another
Using telnet you probably opened a shell and typed something like:
telnet domain or perhaps rlogin domain
Now instead you should type:
You will not be asked for a username or password. The authentication takes place using your public/private keys. You should simply get a shell on the remote machine.
How to run a single command on a remote Unix machine
In the past you may have done things like:
rsh domain who (run the command who on the machine domain.)
In order for this to work, you had to set up a .rhosts file.
Now instead you can simply type:
ssh domain who
Note: There is no need for a .rhosts file or anything else, this just automatically works once ssh has been setup correctly.
How to copy files from one Unix machine to another
In the past you probably did one of the following:
rcp blah.txt user@domain:blah.txt
There are 2 possibilities with SSH:
scp is a direct replacement for rcp. If you already know how to use rcp, there is no difference in syntax. The syntax to copy a file from storage (for example) is:
scp Status@storage:filename .
This would copy the file "filename" on Status's storage account to the current directory on your machine. (NOTE: There is a space and a period at the end of that command that are very important.)
scp filename Status@storage:Mail
This would copy the file named "filename" on your account, to the directory "Mail" on Status' storage account.
NOTE: This will work regardless of whether you have ssh keys set up for connections between storage and you or not. If you do not have it set up, this will prompt you for your storage password.
sftp works very similar to regular ftp. The main difference is that sftp assumes your username is the same on both machines.
The correct syntax is:
And that's all for now.
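The host-key check described in the "known hosts" section of the post above, as an added example that is not part of the original post: it parses a known_hosts file, computes the SHA256 fingerprint that current OpenSSH prints, and reports whether a presented server key is new, matches, or mismatches (the "reinstalled or man in the middle" case). The known_hosts text and key blobs are constructed for the example and are not real keys; hashed hostnames (`|1|...` entries) are deliberately not handled.

```python
import base64
import hashlib

# Constructed sample key blobs (not real SSH keys). A real entry holds the
# base64 of the server's public key; only the bytes matter for the check.
KEY_STORAGE = base64.b64encode(b"constructed-blob-storage-v1").decode()
KEY_STEVE = base64.b64encode(b"constructed-blob-steve-v1").decode()
KEY_ROGUE = base64.b64encode(b"constructed-blob-rogue-server").decode()

# Constructed known_hosts content: one line per host (or comma-separated
# aliases), then key type, then the key blob.
KNOWN_HOSTS = (
    "# hosts this client has already accepted\n"
    f"storage ssh-rsa {KEY_STORAGE}\n"
    f"steve.yourdomain.com,10.0.0.5 ssh-rsa {KEY_STEVE}\n"
)


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA-256 over the raw key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map each hostname/alias to the list of (keytype, key) pairs recorded for it."""
    entries: dict = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; ignore rather than trust it
        hosts, keytype, key = parts[0], parts[1], parts[2]
        for host in hosts.split(","):
            entries.setdefault(host, []).append((keytype, key))
    return entries


def check_host_key(known: dict, host: str, keytype: str, key: str) -> str:
    """Return 'new' (prompt to accept), 'ok' (recorded key matches) or 'MISMATCH'."""
    recorded = known.get(host)
    if not recorded:
        return "new"
    if (keytype, key) in recorded:
        return "ok"
    # Any recorded key that differs from what the server presented: either the
    # host was reinstalled, or you are not talking to the host you think you are.
    return "MISMATCH"


def describe(known_text: str, host: str, keytype: str, key: str) -> str:
    """One-line verdict in the spirit of the ssh client's own messages."""
    verdict = check_host_key(parse_known_hosts(known_text), host, keytype, key)
    fp = fingerprint(key)
    if verdict == "new":
        return f"{host}: unknown host, fingerprint {fp}. Accept only on first contact."
    if verdict == "ok":
        return f"{host}: host key matches known_hosts ({fp})."
    return f"{host}: WARNING, host key changed ({fp}). Possible man-in-the-middle."


if __name__ == "__main__":
    print(describe(KNOWN_HOSTS, "storage", "ssh-rsa", KEY_STORAGE))
    print(describe(KNOWN_HOSTS, "newbox", "ssh-rsa", KEY_ROGUE))
    print(describe(KNOWN_HOSTS, "steve.yourdomain.com", "ssh-rsa", KEY_ROGUE))
```

The third call is the case the post warns about: a host you have connected to before now presents a different key, so the right response is to stop and find out why, not to accept the new key.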
July 31st, 2004 09:51 PM
Good, deep descriptive tut/definition. Only thing I might add is perhaps some bold headers? I just think extra spacing and bold/big headers make it easier to read. All in all a good read.
Light a man a fire and you'll keep him warm for a day, Light a man ON fire and you'll keep him warm the rest of his life.
July 31st, 2004 10:17 PM
Ah sorry. I haven't written many tutorials so I'm still missing all the details, I'll fix that right now, thanks for the comment.
July 31st, 2004 11:10 PM
Removing the words CoC and pasting this as your own doesn't make it yours. Tutorials should be original. I've moved this to General Chit Chat and closed it.