12. Secure Shell (SSH) and Associated Utilities

12.1. Introduction and Background

Tools such as telnet, rsh and X send data, including passwords, over the network in clear text --- a hazardous business! ssh, originally written by Tatu Ylonen, is a suite of tools that replace rsh, rlogin and rcp.

Ylonen's version of ssh used the patented RSA algorithm and, whilst that patent has now expired, Ylonen's company, SSH Communications Security (whose code F-Secure also sold under licence), no longer produces free versions, even for non-commercial use. Thankfully Bjoern Groenvall and the OpenBSD team have written a free, open-source version, OpenSSH, which is now available for most versions of Unix.

The suite of tools consists of: sshd --- the daemon that serves all the other commands; ssh --- remote shell and remote command sessions; scp --- noninteractive file copies; sftp --- interactive, ftp-style file transfers (a more recent addition to OpenSSH than the others); and the key-handling tools ssh-keygen (creates key pairs), ssh-agent and ssh-add (hold decrypted private keys for the duration of a session).

We focus on OpenSSH.

12.2. How It Works

When a user invokes ssh (the client) it requests a connection with a remote host (the server) --- the server must be running sshd. The server and client build an encrypted connection. The steps are:

  1. First, the server sends the client its public host key. If the client machine has never seen this host's key before, ssh shows the key's fingerprint and asks the user whether to accept the (as yet untrusted) key; once accepted it is recorded in ~/.ssh/known_hosts, and a different key from the same host on a later connection is treated as a possible man-in-the-middle attack and refused. The host key authenticates the server while a session key is negotiated (by Diffie-Hellman in protocol 2); the session key is then used to encrypt all subsequent data with a symmetric cipher such as AES, Triple-DES or Blowfish. Blindly accepting a fingerprint on first use is the one point where an attacker on the path could insert himself, so compare it with one obtained out of band (from the administrator, or ssh-keygen -l run on the server's console).

  2. Secondly, the server authenticates the user, by RSA or DSA public key if one is set up (the user's public key must be listed in ~/.ssh/authorized_keys on the server); if such authentication is not possible the server asks for a standard username/password pair, sent inside the encrypted connection. .rhosts-style (host-based) authentication may also be used, with or without RSA keys or Kerberos.

  3. After authentication the session is started over the encrypted tunnel.
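A worked illustration of step 1, the host-key check, added here as an example (it is not OpenSSH's own code). It parses known_hosts entries, including the hashed |1|salt|hash host form produced by HashKnownHosts and @revoked markers, computes the SHA256 fingerprint that ssh-keygen -lf prints, and classifies the key a server presents as known, unknown (the trust-on-first-use prompt), mismatch (the "REMOTE HOST IDENTIFICATION HAS CHANGED" refusal) or revoked. Every key, salt and hostname in it is constructed for the example.

```python
"""Host-key checking in the style of the ssh client (added example, not OpenSSH code).

known_hosts lines look like:   hosts  key-type  base64-key-blob  [comment]
optionally preceded by @cert-authority or @revoked, where "hosts" is either a
comma-separated list of names or the hashed form
|1|base64(salt)|base64(HMAC-SHA1(salt, hostname)).
"""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def encode_key(key_type: str, raw: bytes) -> str:
    """Base64 key blob as it appears in known_hosts (ed25519 layout: type string, then key bytes)."""
    return base64.b64encode(ssh_string(key_type.encode()) + ssh_string(raw)).decode()


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf shows: base64 without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Hashed host field as written by HashKnownHosts; the salt is 20 bytes (SHA-1 output size)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(host_field: str, hostname: str) -> bool:
    """Exact-name matching only; the real client also handles wildcards and [host]:port."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, _ = host_field.split("|", 3)
        return hmac.compare_digest(host_field, hash_hostname(hostname, base64.b64decode(salt_b64)))
    return hostname in host_field.split(",")


def check_host_key(known_hosts: str, hostname: str, key_type: str, key_b64: str) -> str:
    """Classify the key a server presented: 'known', 'unknown', 'mismatch' or 'revoked'."""
    presented = base64.b64decode(key_b64)
    # The blob names its own algorithm; it must agree with the declared type.
    (inner_len,) = struct.unpack(">I", presented[:4])
    if presented[4:4 + inner_len] != key_type.encode():
        raise ValueError("declared key type does not match the key blob")
    known = revoked = seen_host = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3 or marker == "@cert-authority":  # certificates are not handled here
            continue
        host_field, entry_type, entry_b64 = fields[:3]
        if entry_type != key_type or not host_matches(host_field, hostname):
            continue
        same_key = hmac.compare_digest(base64.b64decode(entry_b64), presented)
        if marker == "@revoked":
            revoked = revoked or same_key
        else:
            seen_host = True
            known = known or same_key
    if revoked:
        return "revoked"        # never connect, whatever else the file says
    if known:
        return "known"
    return "mismatch" if seen_host else "unknown"  # mismatch: possible man-in-the-middle


# Constructed sample material for the example (not real hosts or keys).
GOOD_KEY = encode_key("ssh-ed25519", bytes(range(32)))
ROGUE_KEY = encode_key("ssh-ed25519", bytes(range(32, 64)))
OLD_KEY = encode_key("ssh-ed25519", bytes(range(64, 96)))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts",
    "remote.host.net,192.0.2.10 ssh-ed25519 " + GOOD_KEY,
    hash_hostname("other.host.net", b"0123456789abcdefghij") + " ssh-ed25519 " + GOOD_KEY,
    "@revoked old.host.net ssh-ed25519 " + OLD_KEY,
])

if __name__ == "__main__":
    for host, key in [("remote.host.net", GOOD_KEY), ("remote.host.net", ROGUE_KEY),
                      ("other.host.net", GOOD_KEY), ("new.host.net", GOOD_KEY),
                      ("old.host.net", OLD_KEY)]:
        print(host, check_host_key(SAMPLE_KNOWN_HOSTS, host, "ssh-ed25519", key), fingerprint(key))
```

The "mismatch" outcome is the one to take seriously: either the host was legitimately re-keyed (reinstalled, say) or something between you and it is answering in its place, and only an out-of-band check of the new fingerprint tells you which.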

12.3. Getting and Installing SSH

The best place to get OpenSSH is the OpenSSH website, www.openssh.org (www.openssh.com is an alias). Binaries are available for Linux only; the source code is available and has been tested on Linux, Solaris, the BSDs and all the major commercial Unices.

Installation of the client (from source) is simple, for example:
    tar -xzvf openssh-<version>.tar.gz
    cd openssh-<version>
    ./configure --sysconfdir=/etc/ssh
    make
    make install
If you need to install the daemon/server you will also need to install startup scripts --- check out the contrib directory in the source.

The commercial version of ssh can be found at www.ssh.com.

12.4. "Encrypted Telnet" --- ssh

To use ssh to "do encrypted telnet" simply type
    ssh remote.host.net
or similar, or possibly
    ssh -l remoteuser remote.host.net
if the remote username is different from your local username.

12.5. (Noninteractive) Remote Copies --- scp

This is the secure replacement for rcp: a noninteractive (contrast ftp) utility for copying files to or from a remote host. To copy:
    scp [options] sourcefile targetfile
where the sourcefile and targetfile are of the form
    username@remote.host.net:path/filename
if remote, or of the usual form, e.g., path/filename, if local. scp asks for your password on the remote host unless public-key authentication has been set up (see 12.2).

12.6. .rhosts and .shosts Authentication

ssh can authenticate via the .rhosts mechanism (trust based on the connecting host's source IP address and the remote username), but this is turned off by default as it is very insecure: source addresses are easily spoofed. An .shosts mechanism exists as a replacement: the connecting host's identity is verified by host-key checking rather than by source address and, in addition, root on the connecting host may transparently connect. Even so, host-based authentication trusts the client host to vouch for every one of its users, so limit it to hosts you administer yourself.

12.7. Executing Remote Commands

ssh may be used to execute single remote commands (cf. rsh). For this simply invoke ssh with the command as the last argument, for example:
    ssh simonh@remote.host.net tail /var/log/messages | more
where tail runs on the remote host and the more process is local: the local shell takes the pipe before ssh ever sees it. Quote the command if you want a pipe or redirection interpreted by the remote shell instead.

12.8. sftp

12.9. Advanced Stuff: Port-Forwarding and Virtual Private Networks

This is the really good bit. ssh can be used to secure X, POP, FTP-proper, etc.

Encrypting an X session launched back to your local machine is simple. First, edit /etc/ssh/sshd_config on the remote host and ensure X11Forwarding is set to yes. Secondly, start an ssh session from the local to the remote host with forwarding requested (ssh -X remote.host.net, or ForwardX11 yes in ssh_config). Thirdly, start X applications on the remote host as usual, for example xclock &. Do not set DISPLAY or give -display yourself: ssh has already pointed DISPLAY at a proxy display it created on the remote host, and anything aimed directly at your local machine would travel outside the tunnel. Note that X11 forwarding lets the remote host (and so root there) act as a client of your local display, so enable it only towards hosts you trust.

X11 is the only service with forwarding built into ssh; others must be forwarded explicitly with the -L (local) or -R (remote) flag. For details see the resources listed below.
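The -L mechanics, as an added example (it is not OpenSSH code): a small Python helper that builds the [bind:]port:host:hostport argument, starts a tunnel-only ssh session and waits for the local listener before a clear-text client (a POP reader, say) is pointed at localhost:1100. The username, host names and port numbers are assumptions for the illustration. Two points the paragraph above does not spell out: the host part of the spec is resolved on the SSH server, so localhost there means the server itself, and a bind address other than loopback (or the -g flag) publishes the tunnel entrance to everyone on your LAN.

```python
"""ssh -L local port-forward helper (added example, not OpenSSH code).

ssh -N -L [bind:]port:host:hostport user@server listens on bind:port locally;
each connection to it is carried inside the SSH session and, on the server,
opened to host:hostport.  The unencrypted client never leaves the loopback.
"""
import socket
import subprocess
import time


def forward_arg(local_port: int, target_host: str, target_port: int, bind: str = "127.0.0.1") -> str:
    """-L spec for ssh. Refuses non-loopback binds, which expose the tunnel to the network."""
    if bind != "localhost" and not bind.startswith("127."):
        raise ValueError("refusing non-loopback bind %r; use -g / GatewayPorts only deliberately" % bind)
    return "%s:%d:%s:%d" % (bind, local_port, target_host, target_port)


def tunnel_command(user: str, server: str, forwards: list) -> list:
    """argv for a tunnel-only session: -N runs no remote command, one -L per forward.
    ExitOnForwardFailure makes ssh exit instead of silently running without the tunnel."""
    argv = ["ssh", "-N", "-o", "ExitOnForwardFailure=yes"]
    for spec in forwards:
        argv += ["-L", spec]
    argv.append("%s@%s" % (user, server))
    return argv


def wait_for_listener(port: int, timeout: float = 10.0, host: str = "127.0.0.1") -> bool:
    """Poll until something accepts connections on host:port, or give up after timeout."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=1):
                return True
        except OSError:
            time.sleep(0.2)
    return False


def open_tunnel(user: str, server: str, forwards: list, local_port: int) -> subprocess.Popen:
    """Start ssh and block until the local entrance of the tunnel is up (needs key/agent auth)."""
    proc = subprocess.Popen(tunnel_command(user, server, forwards))
    if not wait_for_listener(local_port):
        proc.terminate()
        raise RuntimeError("tunnel on port %d did not come up" % local_port)
    return proc


if __name__ == "__main__":
    # POP3 on the SSH server itself, reachable locally as localhost:1100 (assumed names).
    spec = forward_arg(1100, "localhost", 110)
    print(" ".join(tunnel_command("simonh", "remote.host.net", [spec])))
```

With the tunnel up, point the POP client at localhost port 1100; the password it sends in the clear crosses only the loopback interface and is carried to remote.host.net inside the ssh session.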

12.10. More




About this document:

Produced from the SGML: /home/isd/public_html/_unix_security/_reml_grp/unix_security_survey.reml
On: 10/11/2004 at 9:49:32
Options: reml2 -i noindex -l long -o html -p multiple