SSH is a secure way of logging in to a computer. It encrypts all communication between client and server so that no third party can eavesdrop, and it provides support for detecting a man-in-the-middle attack.
Once set up, using ssh is as simple as using rsh or rlogin.
There is an scp command, similar to and a (secure) replacement for rcp, and an ftp-like file transfer tool (sftp) that you can use as a (secure) replacement for ftp. Both scp and sftp use encryption both for setting up the connection and for the actual transfer of the file(s).
You might want to read more about why to use SSH on the remote access page. There you will find an overview of why SSH is chosen and how to use it. The rest of this text describes SSH in more detail and with more background information.
Which (public) SSH servers of the Department of Computer Science are available can be found on the page describing the importance of the machine/host key.
There are two protocol versions of ssh: ssh1 and ssh2. The latter is usually configured to be backwards compatible with its predecessor, and you can have both versions installed and configured at the same time. If the server you try to contact supports ssh2, you should use that. Most ssh2 client implementations fall back to ssh1 if the server does not support ssh2 but does support ssh1, and vice versa.
Password or Keys
SSH can be used both with the normal username and password authentication and with authentication by means of a public and private key pair. Since the former is a less reliable way of authentication, the Setup an SSH key pair section will show how to authenticate yourself with a public and private key pair and a corresponding passphrase.
If you just want to give ssh a try, however, you can do this very well with the basic username and password authentication. Look under the Using SSH section for instructions and tips on how to use ssh. Our servers are configured to fall back to username and password authentication when no public and private key pair are
Bear in mind, however, that although this username and password authentication still works with our servers at the moment, there is no guarantee whatsoever that this will remain so in the future.
When using just plain username and password authentication, the communication is still encrypted: your password is not sent in clear text over the network, and neither is the data that is transmitted after the initial authentication phase. This encryption is done, however, by means of the client and server keys, so you might want to read the section about the importance of the machine keys.
You can also use ssh to forward (protocols of) other applications through a safe, encrypted passage over the internet. To find out more about this forwarding (also called V(irtual) P(rivate) N(etwork) and/or tunneling) feature of ssh, consult this page.
Usually the X11 protocol is tunneled by default, so you can use ssh as a safe channel for X11 applications.
Other examples of using the tunneling capabilities are reading your mail, consulting a calendar or directory server, ...
Please make sure that your SSH tunnels are only accessible from your own machine: any configuration item such as Allow remote hosts to connect to tunnel should be configured such that only localhost can connect to any tunnel you set up! If your tunnels are accessible for other machines as well, you create huge holes in the departmental security ... so please take care.
First check whether there is a native implementation for your platform ... most Linux and MacOS installations already have an ssh client pre-installed, or at least available to install in an easy way. You should use that implementation whenever possible.
There are several free ssh implementations, for several
(Of course, there are also commercial ssh implementations available.)
- Ssh home page
Ssh clients for Java
- MindBright ssh version 2 implementation in Java, including an SFTP client and even an FTP-to-SFTP bridge. The latter works by setting up a (regular) FTP server on your local machine that forwards your (regular) FTP commands to the remote SFTP server. In this way, you can use a regular FTP client for accessing an SFTP server.
If you have a (recent) JVM, this ssh implementation definitely is a good choice: tunnels can be set up on the fly, with no need to disconnect and reconnect, and the FTP-to-SFTP bridge is very nice indeed; it can withstand a comparison with a full-fledged sftp client (depending of course on the FTP client you use ... the bridge itself works unnoticed in the background ;-)
It fits on a single floppy, but you need of course a JVM, which does not fit on a floppy ;-)
Nevertheless, you can download the jar/zip file easily to a client having a JVM and thus use it without having to go through a complete installation phase as with other, native implementations.
It is tested on Linux, MacOS and Windows.
Ssh clients for Linux
- See also the MindBright Java implementation above.
- Most Linux distributions have a pre-defined (binary) package for ssh. Check the nearest download site of your favorite distribution.
- Such a package might include sftp as well, or there might be a separate sftp package, depending on the exact distribution at hand.
- Most Linux distributions also have a pre-defined source package for ssh/sftp, that is tailored to their own needs. Check the nearest download site of your favorite distribution.
- With OpenSSH (and of course mutatis mutandis for other implementations as well) make sure never to use the -g command line option, nor the GatewayPorts configuration option: either would open the local ports of your tunnels to other machines than your own host. By default, both are off (secure). If your tunnels are accessible for other machines as well, you create huge holes in the departmental security ... so please take care.
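Added example (not code from the original page or from OpenSSH): a small POSIX sh helper that applies the rule above, and the tunneling advice earlier on this page, by checking whether a GatewayPorts setting or an -L/-R forward specification would let other machines reach your tunnel. The config file path, host names and ports are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: check that an ssh tunnel
# will only accept connections from your own machine. File paths, host
# names and ports below are assumptions for illustration only.

# gateway_ports_enabled FILE
# Return 0 (true) when FILE contains an active "GatewayPorts yes" line;
# commented-out lines are ignored, keyword matching is case-insensitive.
gateway_ports_enabled() {
    grep -Eiq '^[[:space:]]*GatewayPorts[[:space:]]+yes' "$1"
}

# forward_is_exposed SPEC GATEWAY
#   SPEC    : an -L/-R argument of the form "[bind_address:]port:host:hostport"
#             (IPv4 or hostname bind addresses; IPv6 brackets are not parsed)
#   GATEWAY : "yes" if -g was given or GatewayPorts is enabled, else "no"
# Return 0 (true) when machines other than your own could use the tunnel.
forward_is_exposed() {
    spec=$1
    gateway=$2
    colons=$(printf '%s' "$spec" | tr -cd ':' | wc -c | tr -d ' ')
    if [ "$colons" -eq 2 ]; then
        # No bind address: OpenSSH binds to loopback unless gateway mode is on.
        [ "$gateway" = yes ] && return 0
        return 1
    fi
    case "$spec" in
        localhost:*|127.0.0.1:*) return 1 ;;  # explicit loopback bind: local only
        \*:*|0.0.0.0:*|:*)       return 0 ;;  # "*", 0.0.0.0 or empty: all interfaces
        *)                       return 1 ;;  # some other specific address
    esac
}

# Demo on constructed forward specs (assumed host names; no network needed).
# The safe way to read mail through a tunnel is the first form, e.g.:
#   ssh -L 127.0.0.1:1143:mailhost.example:143 user@sshserver.example
for spec in 127.0.0.1:1143:mailhost.example:143 \
            1143:mailhost.example:143 \
            '*:1143:mailhost.example:143'; do
    if forward_is_exposed "$spec" no; then
        echo "EXPOSED to other hosts: -L $spec"
    else
        echo "local only:             -L $spec"
    fi
done
```

Run the same check with the second argument set to yes to see how -g or GatewayPorts turns an otherwise local-only forward into an exposed one.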
Ssh clients for Windows
- See also the MindBright Java implementation above.
- PuTTY (with a local copy here) is a great lightweight (no installation required) SSH client which also includes an scp and sftp client and supports both protocol versions. Moreover, it comes with a command line ssh tool, plink, to be used with or the likes, and pageant, an ssh key agent to store and remember your keys.
Thus it might very well be a perfect compromise between the complexity of the SSH Secure Shell and the lack of features of the Tera Term implementations ;-)
PuTTY is small enough to fit on a floppy, so you can carry it with you to wherever you might need it ... just copy putty.exe to your local disk, launch it and start ssh-ing to wherever you'd like to (you'd probably want to read the documentation first though ;-)
Please make sure, however, to leave the Local Ports Accept Connections From Other Hosts and the Remote Ports Do The Same options unselected/inactive (they are by default). If your tunnels are accessible for other machines as well, you create huge holes in the departmental security ... so please take care.
- FileZilla is a powerful FTP- and SFTP-client for Windows 9x, ME, NT4, 2000 and XP. It has been designed for ease of use and with support for as many features as possible, while still being fast and reliable.
- WinSCP (Windows SecureCopy) is a GUI SFTP and SCP client program for Windows. Its SSH protocol core is based on PuTTY.
- The SSH Secure Shell and File Transfer client (Campus license software at/of LUDIT) has support for both protocol versions and for secure file transfers as well and therefore is also a good choice.
Tera Term, on the other hand, is only a Secure Shell, but has two interesting features that might make it a better choice in some circumstances:
- you can establish new tunnels while being connected. You do not have to disconnect and reconnect for new tunnels to be created.
- it fits on a single 1.4 MB, 3.5" floppy and can be used from that floppy without having to go through a complete setup ... mutatis mutandis of course with any modern replacement of the good old floppies ;-)
- Other SSH clients for Windows :
Ssh clients for MacOS
- First consider the MindBright Java implementation above.
- Other SSH clients for MacOS :
- A (more) complete list of SSH (client) implementations (for various platforms)