
General Information about Secure Shell

Secure Shell (ssh) replaces the internet services telnet, rexec, rlogin, rsh, rcp, and ftp. These services transmit data and passwords unencrypted, while SSH encrypts both. With SSH, X11 connections are also encrypted, the DISPLAY environment variable is set automatically (you must not set it in your profiles), and you do not have to use the xhost command to control access to the X server.

There are two versions of the ssh protocol. Both versions are currently supported at RZG; the old version 1 offers some special features concerning AFS which are not available with version 2.

How to use ssh, scp, sftp?

It is assumed that the ssh-server is installed on the remote host (target) and the ssh-client is installed on the local host (from where you want to establish the connection to the target).

Windows:

On PCs maintained by the central PC-Group of the RZG you'll find ssh via
Start → Programme → SSH Secure Shell → Secure Shell Client
Click on the PC icon to open a new session.
To use the scp/sftp functionality click on Window → New File Transfer

If ssh is not installed on your MPG PC you can download it here.

UNIX Command Line:

 

  • ssh as a replacement for telnet and rlogin
    ssh [UserName@]RemoteHost
    UserName is only required if the username on the remote host differs from the username used on the local host.
  • ssh as a replacement for rexec and rsh
    ssh [UserName@]RemoteHost Command
    If the command contains wildcards (e.g. *), it must be enclosed in quotes to make sure they are expanded on the remote host rather than by the local shell.
    e.g. ssh ibmr 'ls -la .ssh/*'.
  • scp as a replacement for rcp (scp is very similar to rcp but much more powerful).
    To transfer a local file to a remote host
    scp File [UserName@]RemoteHost:[File|Directory]
    To transfer a remote file to the local host
    scp [UserName@]RemoteHost:File File|Directory
    You can use wildcards (e.g. *) to copy more than one file with one command. In this case the target directory must exist and you cannot specify a filename for the target.
    If you want to copy directory trees recursively, use the option -r:
    scp -r Directory [UserName@]RemoteHost:[Directory]
    or
    scp -r [UserName@]RemoteHost:Directory Directory
  • sftp as a replacement for ftp
    The sftp command is very similar to the ftp command. Currently you will not be asked for the password if you have a proper key setup.

If you do not specify UserName, your username on the local host is used by default. You can change this behaviour of the scp command by adding a line to the local ssh configuration file $HOME/.ssh/config which assigns a different UserName for the remote host (use man ssh for details).
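The quoting rule for wildcards in remote commands, as an added example that is not part of the original page: remote_command is a hypothetical stand-in for ssh that makes no connection and only prints the command string the remote host would receive, and the sandbox directory and file names are constructed.

```shell
#!/bin/sh
# Added example, not from the original page.
# remote_command is a hypothetical stand-in for ssh: it makes no connection and
# prints the command string ssh would hand to the remote login shell (ssh joins
# every argument after the host name with single spaces).
remote_command() {
    shift                      # drop [UserName@]RemoteHost
    printf '%s\n' "$*"
}

# Constructed sandbox: a directory whose .ssh/ holds files that exist locally only.
make_sandbox() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/.ssh" "$dir/empty"
    : > "$dir/.ssh/local_a"
    : > "$dir/.ssh/local_b"
    printf '%s\n' "$dir"
}

# Unquoted: the LOCAL shell expands the wildcard before ssh starts, so the
# remote host is asked about local file names.
unquoted_case() { ( cd "$1" && remote_command ibmr ls -la .ssh/* ); }

# Quoted: the pattern reaches the remote shell untouched and is expanded there.
quoted_case() { ( cd "$1" && remote_command ibmr 'ls -la .ssh/*' ); }

# Unquoted with no local match: sh and bash pass the pattern through unchanged
# by default, so the command only appears to work until a local file matches.
unquoted_no_match_case() { ( cd "$1/empty" && remote_command ibmr ls -la .ssh/* ); }

sandbox=$(make_sandbox) || exit 1
echo "unquoted:           $(unquoted_case "$sandbox")"
echo "quoted:             $(quoted_case "$sandbox")"
echo "unquoted, no match: $(unquoted_no_match_case "$sandbox")"
rm -rf "$sandbox"
```

The same rule applies to a remote source path given to scp: quote it so the wildcard is expanded on the remote host.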

Special hints for linux:

Linux systems configured by RZG should, like the other UNIX systems, already have a properly configured ssh. If you have AFS and want to benefit from RZG's special version of ssh, install it using the command /afs/ipp/common/admin/install openssh. This installs the binary, sets up /etc/ssh, eventually creates a file /etc/pam.d/sshd, and makes an entry in /etc/inittab.

If there isn't an appropriate ssh on your Linux PC you will find a recent version of ssh at SSH of MPG (Max-Planck-Gesellschaft) under the item "SSH Secure Shell für Unix Server".

 

Authentication

Between all RZG UNIX machines where your home directory is in AFS, password-free login from one machine to another is possible using keys. To enable this feature initially, you have to run the command ssh-init once; it performs a proper and secure setup of your .ssh directory in AFS. Please do not use any other method to create keys for the first time, since the access rights will then probably not be set up correctly.

All ssh systems support a plain password validation scheme as a fall-back solution (with the password being encrypted for transmission), unless configured not to do so. For more information on how authentication works (especially RSA encryption) see

  • SSH.COM, commercial version of SSH, or FAQs of
  • OPENSSH.COM FREE Open Secure Shell Version (version used at RZG).

 

SSH Tunnels (Port Forwarding)

You might be interested in the usage of SSH tunnels.

 

Useful Links and Software Sources
