SSH-Introduction

Secure Access to Remote Computers


ssh (secure shell) is the recommended program for logging in to other hosts. ssh transmits the login information (user ID and password) in encrypted form over the network, so nobody listening on the network is able to collect and misuse this confidential information. ssh should be used instead of telnet, rlogin, rsh or other insecure access methods when logging in to another host.

DESY has recently blocked unencrypted remote access for security reasons. Users should use ssh instead. In addition to the increased security, ssh transports the environment necessary to establish X11 connections and makes life much easier this way.

Restrictions

In order to use ssh, it has to be installed at the user's site and an ssh daemon must run on the system the user wants to connect to. Both conditions are fulfilled on all centrally supported computer systems at DESY. Not all remote computers have ssh installed, either for lack of interest or even for legal reasons: in some countries legal restrictions apply to the transmission of encrypted information over networks, so the use of ssh is restricted or illegal there. In these cases users can get access through the web server bastion.desy.de, as described at http://www.desy.de/rsr/bastion.html

Using ssh

There are many options and parameters available to the advanced ssh user. The ssh man pages explain them in full detail, but a complete understanding is not necessary in order to use ssh. The command ssh my-remote-host will connect to the remote system; several of the messages it prints along the way can safely be ignored.

When ssh is started, the client side negotiates a pair of keys with the remote server to encrypt the login session on the remote side. The messages printed by the ssh command relate to building these key pairs and related information.

Technical aspects

ssh is a program for logging into a remote machine and for executing commands in a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. Ssh connects and logs into the specified hostname. The user must prove his/her identity to the remote machine using one of several methods.

If the user is using X11 (the DISPLAY environment variable is set), the connection to the X11 display is automatically forwarded to the remote side in such a way that any X11 programs started from the shell (or command) will go through the encrypted channel, and the connection to the real X server will be made from the local machine. The user should not manually set DISPLAY. Forwarding of X11 connections can be configured on the command line or in configuration files. The DISPLAY value set by ssh will point to the server machine, but with a display number greater than zero. This is normal, and happens because ssh creates a "proxy" X server on the server machine for forwarding the connections over the encrypted channel.

Ssh will also automatically set up Xauthority data on the server machine. For this purpose, it will generate a random authorization cookie, store it in Xauthority on the server, and verify that any forwarded connections carry this cookie and replace it by the real cookie when the connection is opened. The real authentication cookie is never sent to the server machine (and no cookies are sent in the plain). If the user is using an authentication agent, the connection to the agent is automatically forwarded to the remote side unless disabled on the command line or in a configuration file.
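The cookie substitution described above, as an added Python example (not code from this page, from DESY, or from ssh itself): it parses an X11 connection-setup request, checks that the request carries the per-session fake cookie that was placed in the server's Xauthority, and rewrites it with the real cookie before the request would be relayed to the local X server. The packet layout is the X11 protocol's own; the function names and the sample cookies are assumptions made for the example.

```python
import hmac
import struct

X11_AUTH_PROTO = b"MIT-MAGIC-COOKIE-1"


def pad4(n):
    """X11 pads every variable-length field to a 4-byte boundary."""
    return (4 - n % 4) % 4


def build_x11_setup(cookie, byte_order=b"l"):
    """Construct an X11 connection-setup request (protocol 11.0) that
    authenticates with the given MIT-MAGIC-COOKIE-1 cookie."""
    fmt = "<" if byte_order == b"l" else ">"
    hdr = struct.pack(fmt + "ccHHHHH", byte_order, b"\0", 11, 0,
                      len(X11_AUTH_PROTO), len(cookie), 0)
    return (hdr + X11_AUTH_PROTO + b"\0" * pad4(len(X11_AUTH_PROTO))
            + cookie + b"\0" * pad4(len(cookie)))


def rewrite_x11_cookie(setup, fake_cookie, real_cookie):
    """Verify that a forwarded setup request carries the fake (per-session)
    cookie and return the request with the real cookie substituted.
    Returns None for a malformed request or a cookie mismatch, so the
    caller can drop the connection instead of relaying it."""
    if len(setup) < 12 or len(real_cookie) != len(fake_cookie):
        return None
    if setup[0:1] == b"l":
        fmt = "<"
    elif setup[0:1] == b"B":
        fmt = ">"
    else:
        return None
    # 12-byte fixed header: byte order, pad, major, minor, name_len, data_len, pad
    _, _, _major, _minor, name_len, data_len, _ = struct.unpack(
        fmt + "ccHHHHH", setup[:12])
    name_off = 12
    data_off = name_off + name_len + pad4(name_len)
    end = data_off + data_len + pad4(data_len)
    if len(setup) < end:
        return None
    name = setup[name_off:name_off + name_len]
    data = setup[data_off:data_off + data_len]
    if name != X11_AUTH_PROTO or len(data) != len(fake_cookie):
        return None
    # Constant-time comparison: the fake cookie is still a secret per session.
    if not hmac.compare_digest(data, fake_cookie):
        return None
    # Same length, so the data_len field in the header stays correct.
    return setup[:data_off] + real_cookie + setup[data_off + data_len:]
```

The real cookie only ever appears on the side that talks to the actual X server; a request arriving with any other cookie is rejected rather than forwarded.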

Related programs

There is a full family of programs built on ssh, such as scp (instead of rcp) and slogin (instead of rlogin). These programs provide the functionality of the traditional commands using the ssh security mechanism. They can and should be used whenever possible.

Strange Warnings

Sometimes you may get strange warnings from ssh when working on a workgroup server at DESY, telling you that the so-called host keys have changed or that someone might be listening on the line. This warning is usually related to logging in to a cluster of machines, e.g. pal, solar or similar, and indicates a missing item in the system configuration. If this happens, you should report it to the UCO (uco@desy.de) and we will fix the configuration problem.

How can I get ssh at DESY?

Detailed information is available from http://www.desy.de/rsr/ssh.html