Department of Computing Imperial College
Using SSH

SSH (Secure SHell protocol) provides secure encrypted communications between two untrusted hosts over an insecure network.

What can it do?

Why is telnet not available?

The use of telnet in DoC has been discouraged for several years. Telnet sends usernames and passwords across the network as plain text, where anyone on the path can read them; ssh encrypts the whole session, login included. Telnet was the last "service" we ran using the inetd system. Dropping support for telnet allows us to stop running the inetd "super-daemon" altogether, so DoC is no longer exposed to any security holes in inetd.

Where can I get ssh?

For the full list, go to FreeSSH.

We have had experience of, or recommendations for, the following:

What is SCP?

In the same way that ssh replaces telnet, scp replaces ftp: it transfers files over an ssh connection, so the login and the file contents are both encrypted rather than sent in the clear.

Typical usage (copy filename from your home directory on texel13 into the current directory on this machine):

scp yourusername@texel13.doc.ic.ac.uk:filename .

What is the difference between OpenSSH and SSH-Corp SSH?

OpenSSH is developed under a completely free licence as part of the OpenBSD project; a "portable" release of it is what Linux and other non-OpenBSD systems use. For comparisons between the two, and further information, see SSH-Corp and OpenSSH.

What's this about kerberos support?

All versions of ssh in DoC are compiled with support for kerberos authentication. This means that once you have done a kinit you can use ssh freely within DoC until your kerberos ticket expires. Note: logging in to X automatically does a kinit for you.

Public key authentication

The information below is just a summary of Kimmo Suominen's Getting Started document. Also see the manual page for ssh-keygen.

Type ssh-keygen to create an authentication key for yourself. Always, always, type in a good pass-phrase when prompted for one: a key with no pass-phrase lets anyone who obtains a copy of your private key file log in as you. It can be multiple words (i.e. spaces are just fine within the phrase), so you could choose a sentence that you can remember. Changing some of the words by misspelling them or by changing some of the letters into digits is highly recommended to increase the strength of your pass-phrase. You can change your pass-phrase by using ssh-keygen -p at any time.

Then type cp ~/.ssh/identity.pub ~/.ssh/authorized_keys to make an authorised keys file including your new key. The public half of the key is called identity.pub for a protocol-1 RSA key, id_dsa.pub for a DSA key and id_rsa.pub for a protocol-2 RSA key, so use whichever file ssh-keygen actually created (the listing below shows a DSA key). Note that cp replaces any authorized_keys file you already have; if one exists, add the new key to the end of it instead. You can later add more keys to this file using a text editor, eg for home machines, or other machines outside the department.

Make sure the permissions in your .ssh directory look like this (owner and group columns omitted): the private key and random_seed readable only by you, and nothing writable by group or others:

drwxr--r-x    3     1024 Jul 22 17:05 ./
-rw-r--r--    1      597 Jan 22  2002 authorized_keys
-rw-------    1      736 Jan 22  2002 id_dsa
-rw-r--r--    1      597 Jan 22  2002 id_dsa.pub
-rw-r--r--    1   157991 Sep 12 16:48 known_hosts
-rw-------    1      512 Jun 27  2002 random_seed

ssh will not work if permissions are set in a way that could compromise security: sshd (with its default StrictModes setting) ignores authorized_keys if that file, your .ssh directory or your home directory is writable by anyone but you, and the ssh client refuses to use a private key that other users can read. Making the .ssh directory itself mode 700 (drwx------) is the simplest safe choice. Use ssh -v host to get diagnostic information if there are problems.
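The two steps above (adding your public key to authorized_keys, then checking the permissions) as a small POSIX shell script. This is an added example written for this page, not code from the DoC page: the function names, the optional directory argument (defaulting to $HOME/.ssh) and the key-file line used in the usage note are this example's own. It appends rather than copies, so keys you added earlier for other machines survive, and it checks the mode bits the way sshd and the ssh client do.

```shell
#!/bin/sh
# Added example (not the DoC page's own code): install a public key into
# authorized_keys without overwriting existing entries, then audit the
# .ssh directory for the permission problems that make ssh refuse to work.
# Function names and the SSHDIR argument are this example's inventions;
# the directory defaults to $HOME/.ssh.

# perm_string FILE: the 10-character mode from ls -ld, e.g. drwx------
# (used instead of stat(1), whose options differ between GNU and BSD).
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# install_pubkey PUBFILE [SSHDIR]
# Appends the key line in PUBFILE to SSHDIR/authorized_keys unless that
# exact line is already present. "cp identity.pub authorized_keys", as on
# the page, replaces the whole file and loses keys added for other machines.
install_pubkey() {
    pub="$1"
    dir="${2:-$HOME/.ssh}"
    ak="$dir/authorized_keys"
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$ak" && chmod 644 "$ak"
    if grep -qxF -f "$pub" "$ak"; then
        echo "already in $ak: $pub"
        return 0
    fi
    cat "$pub" >> "$ak"
    echo "added to $ak: $pub"
}

# check_ssh_perms [SSHDIR]
# Prints one line per file. Returns 1 if the directory or authorized_keys
# is group- or world-writable (sshd ignores the file), or if a private key
# or random_seed is accessible to anyone else (the ssh client refuses to
# use it). Returns 0 when everything is acceptable.
check_ssh_perms() {
    dir="${1:-$HOME/.ssh}"
    rc=0
    for f in "$dir" "$dir/authorized_keys"; do
        [ -e "$f" ] || continue
        p=$(perm_string "$f")
        case "$p" in
            ?????w????|????????w?)   # group write (col 6) or other write (col 9)
                echo "BAD  $p $f: writable by group or others"; rc=1 ;;
            *)  echo "ok   $p $f" ;;
        esac
    done
    for f in "$dir/identity" "$dir/id_dsa" "$dir/id_rsa" "$dir/random_seed"; do
        [ -e "$f" ] || continue
        p=$(perm_string "$f")
        case "$p" in
            ????------) echo "ok   $p $f" ;;                   # only the owner has access
            *)          echo "BAD  $p $f: accessible by others"; rc=1 ;;
        esac
    done
    return $rc
}

# Run as "sh sshperms.sh ~/.ssh" to audit your own directory; with no
# argument the script only defines the functions.
if [ "$#" -gt 0 ]; then
    check_ssh_perms "$1"
fi
```

Save it as sshperms.sh and run sh sshperms.sh ~/.ssh; a non-zero exit means something above will make ssh or sshd reject your key. sshd additionally checks that your home directory is not group- or world-writable, which this script does not cover since it only looks inside the .ssh directory you name.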

Using ssh

You can use slogin or ssh to log into another machine. To run an xterm on another machine (here shell1) you can type:

ssh -f shell1 'xterm'

The -f option tells ssh to go into the background once authentication is done, so you are prompted for your passphrase first and then get your shell prompt back while the xterm runs.

Copying files using ssh

If you have two accounts that you wish to copy files between, you can use either scp or rsync -e ssh, both of which use ssh to make the connections. See the man pages for more information.

Logging in without passwords

If you want to avoid retyping your passphrase every time you connect to another machine, type ssh-agent $SHELL, which starts a new shell that knows how to reach the agent, and then ssh-add, which prompts for your passphrase once and loads the decrypted key into the agent. Any process spawned from that shell can then use ssh without being asked for the passphrase. This lasts until you exit from the shell or type ssh-add -D to delete the identities. Bear in mind that the agent holds your decrypted key in memory for as long as it is loaded, and anyone with root on that machine can use it during that time. See the man pages for more information.

© CSG / 2002