Last update: 09/16/2004
SSH is an acronym for "secure-shell," a set of commands enabling secure logon, file transfer, and X Window clients. SSH was developed in Finland a few years ago. There are commercial versions available for purchase, but earlier public-domain versions are the ones commonly available at NCAR. SSH commands are superior to commands like rlogin and ftp because they encrypt your name, password, and entire logon session to protect it from sniffing and hijacking.
If you are using UCAR computers from outside the UCAR security perimeter, you need to use SSH in your logons, file transfers, and X Window client sessions. SCD provides two documents to help you use SSH to connect to our computing systems:
The following documents help you communicate with NCAR computers using scp and sftp:
SSH commands have the look and feel of the commands they replace. You'll be able to quickly and easily replace your existing commands with SSH commands that behave the same, except you'll be much safer in terms of privacy and password theft.
Here is a summary of the "r" commands that can be replaced by SSH:
Note: You may also use ssh in place of telnet and ftp for login, and you may use scp in place of ftp for file transfer. The ssh and scp commands provide greater security.
Here are some troubleshooting hints that might help you get started using SSH at NCAR.
SSH daemon not running on remote computer.
If the SSH daemon, sshd, is not running on the remote computer, your ssh logon effort will be greeted with this message: "Secure connection to xxx.ucar.edu refused; reverting to insecure method. Using rsh. WARNING: Connection will not be encrypted." Then, if the remote computer accepts rsh logons, you will be logged on with rsh after providing your UNIX password or matching a .rhosts or /etc/hosts.equiv entry on the destination host. Otherwise, your logon effort will abort.
Missing or incorrect authorized_keys file.
You receive the message "missing or incorrect authorized_keys file" when your authorized_keys file is set up incorrectly on the remote computer. The consequence is that you can still log on with ssh, but you will be asked for your regular UNIX password rather than the passphrase for your private key.
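One way to check the remote account for the usual causes of this problem is shown below. It is an added example, not part of the original SCD document. It assumes the server applies OpenSSH-style StrictModes checks, which refuse keys when the home directory, .ssh, or authorized_keys is writable by group or others; the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes an sshd with OpenSSH-style StrictModes checks.

# Print the path if it is writable by group or others.
loose_perms() {
    find -L "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# check_authorized_keys HOME_DIR
# Prints one line per problem; returns 0 if none found, 1 otherwise.
check_authorized_keys() {
    home=$1
    keys="$home/.ssh/authorized_keys"
    problems=0

    for p in "$home" "$home/.ssh" "$keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING: $p"
            problems=$((problems + 1))
        elif [ -n "$(loose_perms "$p")" ]; then
            echo "WRITABLE BY GROUP/OTHERS: $p (fix: chmod go-w)"
            problems=$((problems + 1))
        fi
    done

    if [ -f "$keys" ]; then
        # Heuristic: a complete entry has at least two fields
        # (ssh1: bits exponent modulus; ssh2: key-type base64-blob).
        # A one-field line is usually a key that was wrapped when pasted.
        bad=$(awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
                   NF < 2 { printf "%s ", NR }' "$keys")
        total=$(awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
                     { n++ } END { print n + 0 }' "$keys")
        if [ -n "$bad" ]; then
            echo "BROKEN KEY LINE(S) in $keys: $bad"
            problems=$((problems + 1))
        fi
        if [ "$total" -eq 0 ]; then
            echo "NO KEY ENTRIES in $keys"
            problems=$((problems + 1))
        fi
    fi

    [ "$problems" -eq 0 ]
}

# Usage: sh check_keys.sh --check [HOME_DIR]   (script name is hypothetical)
if [ "${1:-}" = "--check" ]; then
    check_authorized_keys "${2:-$HOME}"
fi
```

Run it on the remote computer, in the account you are trying to log on to. A clean result means permissions and line layout are not the cause, so the next thing to compare is the key itself against your local public key file.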
Protocol version not supported.
If you have an ssh client that uses protocol version 2 (ssh2) only, you will be unable to connect to ssh1 servers. Due to licensing and cost issues, most UCAR ssh daemons are still ssh1-only. This will change as free ssh2 implementations become available. For the interim, however, if you encounter this problem you will need to obtain an ssh1 client.
What you enter on the terminal can usually be captured on the local area network you are connected to. Talk to your local system administrator for an assessment of X-terminal security.
The NCAR/SCD Technical Consulting Group will answer your questions about using SSH. You can telephone them weekdays from 08:00-17:00 MDT at 303-497-1278 or send email to consult1@ucar.edu.
On August 1, 2000, SCD banned the "r" commands rcp, rsh, and rlogin from external hosts to SCD computers, in compliance with the NCAR/UCAR Computer Security Advisory Committee (CSAC) policies and recommendations. Usage of "r" commands is permitted between two SCD computers, or from an SCD computer to an external host; but users should not rely on using these commands indefinitely, because NCAR/UCAR policy may change and also because other computing sites are banning the "r" commands in increasing numbers.
References: A tip from the SCD consultants: Access change, September 20, 2000: "r" commands restricted from remote hosts
The viewgraphs for a presentation on this topic by the NCAR/UCAR Computer Security Advisory Committee Chair: User Access Changes
On August 1, 2001, SCD turned off Telnet and FTP access from outside networks and enacted a cleartext password ban for inbound authenticated connections.
References: An SCD News item: Security perimeter tightens
A complete explanation of the encryption requirement: UCAR Cleartext Password Ban
To learn about SSH, use Kimmo Suominen's Getting started with SSH. It provides an excellent overview and introduction to SSH. It shows examples of using SSH for logon, file transfer, and X Window sessions. It explains how to log on and copy files without having to enter your password each time. It explains the SSH concept of pass-phrase, a more secure version of password. And it provides other links of interest, including ones for non-Unix computers.
If you are looking for a list of clients, other help pages, or just about anything else regarding ssh, we recommend the SSH FAQ maintained by Steve Acheson.
If you are looking for details for your specific OS, we recommend you first view the information on your local system with the command man ssh. If SSH has not been installed there, you can browse man pages.
A good local reference comes to us from NCAR's Matthew Park (ACD): SSH Port forwarding (Tunneling) with Linux (UNIX) and MS Windows. Matthew's web page gives step-by-step instructions for Linux and MS Windows.
If you have questions about this document, please contact SCD Customer Support. You can also reach us by telephone 24 hours a day, seven days a week at 303-497-1278. Additional contact methods: consult1@ucar.edu and during business hours in NCAR Mesa Lab Suite 39.
© Copyright 2000-2004. University Corporation for Atmospheric Research (UCAR). All Rights Reserved.
Address of this page: http://www.scd.ucar.edu/docs/ssh/index.html