Secure Shell


Secure shell refers to a collection of protocols and software to allow remote login to computers using encryption for all data transfers. This means that when you type in your password, it is encrypted while travelling across the Internet, so that random packet sniffing tools cannot read it as it passes. Secure shell is referred to as ssh for brevity. There are two ssh protocols extant. Ssh1 is older. It uses 56-bit encryption. It is adequate for many purposes, but the encryption scheme could theoretically be broken, and more importantly, it is vulnerable to a certain kind of attack that does not require the encryption scheme to be understood at all. We recommend against its use. Ssh2 uses 128-bit encryption and is ostensibly immune to the aforementioned attack.

We use ssh2 for remote logins in the Math Department at Washington State University. This page offers some instructions on how to do that.

From Unix Machines...

All Unix computers in the Department have ssh installed. You may use it to log in remotely to another computer simply by typing ssh computername on a command line. The ssh program may tell you that the remote computer's name does not appear in the list of known hosts. Tell it that you do want to enter the name in the list of known hosts. After that, you need only to enter your password (it will be encrypted as it goes across the network), and press the ENTER key.

Some of you might have grown used to logging into remote computers without having to give your password. At first glance, when you use ssh, you will not be able to do this. However, through the miracle of public-key cryptography, you can restore this ability. The idea is that you need to create a private key for your own session, and a public key for the remote machine. Do this using the following steps.

  1. At a Unix prompt, type ssh-keygen.
  2. The program ssh-keygen will create public and private keys for you. The private key is stored so that no one but you can read it. The public key is placed (by default) in .ssh/identity.pub in your home directory. When ssh-keygen asks you for an RSA passphrase, just push the enter key (twice).
  3. Now change to the .ssh directory (cd .ssh), and type cp identity.pub authorized_keys.
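The key setup above, together with the warning in the next paragraph about not changing permissions in .ssh, as an added example that is not part of the original page: a Python script (assumed, not the Department's own) that does what step 3 does but by appending to authorized_keys rather than overwriting it, and then checks the mode bits that sshd and the ssh client insist on, which is the reason behind the warning. It checks mode bits only (ownership is assumed correct) and builds a constructed .ssh directory in a temporary location, so it runs anywhere.

```python
import os
import stat
import tempfile
from pathlib import Path

PRIVATE_KEY_NAMES = ("identity", "id_rsa", "id_dsa", "id_ecdsa", "id_ed25519")  # "identity" is the ssh1-era name used above

def check_ssh_dir(ssh_dir):
    """List permission problems that make sshd ignore authorized_keys or ssh refuse a key."""
    # Only mode bits are checked (ownership is assumed correct) so this runs anywhere.
    ssh_dir = Path(ssh_dir)
    problems = []
    dmode = stat.S_IMODE(ssh_dir.stat().st_mode)
    if dmode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{ssh_dir}: mode {dmode:o} is group/world writable; sshd ignores authorized_keys")
    for name in ("authorized_keys",) + PRIVATE_KEY_NAMES:
        path = ssh_dir / name
        if not path.exists():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if name == "authorized_keys" and mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path}: mode {mode:o} is group/world writable; sshd ignores it")
        elif name != "authorized_keys" and mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{path}: mode {mode:o} is readable by others; ssh refuses to use the key")
    return problems

def install_public_key(ssh_dir, pubkey_name="identity.pub"):
    """Step 3 above, generalised: append to authorized_keys (no overwrite, no duplicates)."""
    ssh_dir = Path(ssh_dir)
    key = (ssh_dir / pubkey_name).read_text().strip()
    auth = ssh_dir / "authorized_keys"
    keys = auth.read_text().splitlines() if auth.exists() else []
    if key not in keys:
        keys.append(key)
        auth.write_text("\n".join(keys) + "\n")
        os.chmod(auth, 0o600)  # owner-only, the mode sshd is happiest with
    return len(keys)  # number of keys now authorised

def demo():
    """Constructed .ssh in a temp dir: (keys after 1st/2nd install, problems good, problems bad)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / ".ssh"
        d.mkdir(mode=0o700)
        (d / "identity").write_text("CONSTRUCTED PRIVATE KEY PLACEHOLDER, NOT A REAL KEY\n")
        os.chmod(d / "identity", 0o600)
        (d / "identity.pub").write_text("ssh-rsa AAAAconstructedkey user@thetahat\n")
        first, second = install_public_key(d), install_public_key(d)
        good = check_ssh_dir(d)
        os.chmod(d, 0o770)  # the kind of change the text says never to make
        return first, second, len(good), len(check_ssh_dir(d))
```

Running check_ssh_dir on a real ~/.ssh reports the same conditions sshd logs when it silently ignores authorized_keys, which is what turns a passwordless login back into a password prompt.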

Henceforth, you should be able to log into other machines without having to give a password. Under no circumstances should you change the permission settings on any files in the .ssh directory.

SSH incorporates a utility for file transfer called scp (S-Copy). Scp allows you to transfer files from the command line with fully encrypted passwords. To use it, type a line similar to the example below.

scp thetahat:/usr1/mydirectory/myfile.txt myfile.txt
Obviously you may substitute the name of your favorite machine for thetahat, and the path to the file you want for the "/usr1..." part. For details of the scp command, see the man page on any Unix computer ("man scp" is the command).

From Windows Machines...

To gain access to a Unix computer from a Windows machine, you need an ssh client. The systems staff are working to get these installed everywhere, but they won't do it on your home computer. If you want to install an ssh client on your home computer or laptop, you may obtain PuTTY from the site linked below. This is a client for both ssh1 and ssh2 that you may save to your desktop. To run it, double-click its icon, type in the name of the host (e.g. thetahat.math.wsu.edu) and click the radio button labeled "SSH", then click ok. It can be customized in many slightly-less-than-intuitive ways. For sophisticated users, the PuTTY developers have provided an entire suite of ssh tools. You may obtain the latest version of the lot directly from the official site at http://www.chiark.greenend.org.uk/~sgtatham/putty/. The most useful of the other tools are scp and plink.

From Apple Machines...

We are aware of only two free ssh clients. NiftyTelnet provides a nice interface, but only uses the ssh1 protocol. MacSSH is a client that provides only ssh2. If you want to log into thetahat, you must use ssh2.