How to Use Secure SHell (SSH): End-to-End Encryption to Access SCD Supercomputers

Quick links to:
Background
End-to-end Encryption using SSH
Obtaining SSH Clients for your System
File Transfers with SSH Client
Recommendations (further reading)

Background

On August 1, 2001, the Scientific Computing Division (SCD) implemented tighter security on many of the computing systems managed by the division for UCAR and NCAR. The need to improve security was driven by a number of factors; chief among them were attempts by hackers to break into SCD computing systems by obtaining ("sniffing") a legitimate user's username and password (referred to as a cleartext password) while monitoring SCD's network at a remote location.

SCD has been closely monitoring unauthorized access attempts since before the UCAR security perimeter was established in 1998, and has diligently prevented unauthorized access to UCAR computing resources. Additional efforts to prevent unauthorized access to SCD computing systems were evaluated by UCAR's Computer Security Advisory Committee (CSAC) which has recommended that a ban on the use of cleartext passwords be imposed on all connections that originate outside of the UCAR security perimeter. This higher level of security requires that connections now be encrypted, end-to-end (from the machine of origin, to the machine being accessed), via Secure SHell (SSH) technology.

Systems Affected

These security measures affect any connection that originates outside the UCAR security perimeter, terminates inside it, and requires username and password authentication. This includes Internet access to your login account and personal files, and reading your E-mail from a remote Telnet connection. Telnet, FTP (with the exceptions noted below), IMAP and POP cannot be used directly from outside networks to machines inside the security perimeter.

Systems Not Affected

These measures will not affect any public resource intended for use by anyone on the Internet, such as Web Servers and Anonymous FTP Servers, since access to these resources does not require a username and password. In addition, this ban does not affect:

-- Guest FTP accounts, provided they are secured in the same manner as anonymous FTP;

-- Any network connection that is completely inside (or completely outside) the UCAR security perimeter;

-- Outbound connections that are initiated from within the UCAR security perimeter and terminate outside of that perimeter;

-- Remote Access Server (RAS) dialup access;

-- Sending or receiving E-mail.

Questions or concerns regarding any aspect of these new security measures should be directed to SCD's Technical Consulting Group (consult1@ucar.edu).

End-to-End Encryption using SSH

End-to-end encryption helps prevent unauthorized monitoring of your activities across external or internal networks, so that your password(s), data, files and other resources are protected from interception and possible damage. While there are several technologies available for end-to-end encryption, CSAC and SCD have determined that the Secure SHell (SSH) method is the best fit for users of our computing resources.

SSH encrypts the link between your local machine and the remote machine you wish to access (end-to-end). Its protocols look very much like rlogin, rsh, and rcp in terms of how they are used: SSH provides interactive login, remote command execution, and file transfer services. For systems with X-Window servers, SSH can also forward connections from the machine you log into back to your display. In addition, SSH can be configured to forward other services, such as POP or IMAP, from your local machine over the encrypted link via your login machine. For example, this is one way of accessing your E-mail box remotely without exposing your password.
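The POP/IMAP forwarding just described, written out as a small POSIX shell script. This is an added example, not part of the original SCD page; h.example.com (the SSH login host), mail.example.com (the IMAP server as seen from that host), myname and the local port 1143 are placeholders.

```shell
#!/bin/sh
# Added example, not from the original SCD page: open an SSH tunnel so an
# IMAP client on this workstation reaches the mail server through the
# encrypted login session instead of sending its password in cleartext.
# h.example.com (SSH login host), mail.example.com (IMAP server as seen from
# that host) and myname are placeholders; substitute your own.

# Compose the -L forwarding spec. The bind address 127.0.0.1 is explicit so
# the listener accepts connections only from this machine; without it the
# default depends on the client's GatewayPorts setting.
forward_spec() {
    # $1 local port, $2 service host (as resolved by the SSH server), $3 service port
    printf '127.0.0.1:%s:%s:%s' "$1" "$2" "$3"
}

# Accept only specs that bind explicitly to loopback. Anyone who can reach a
# listener bound to 0.0.0.0 rides your authenticated session to the mail server.
check_spec() {
    case "$1" in
        127.0.0.1:*|localhost:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Start the forward in the background.
#   -N  no remote command; the session exists only to carry the tunnel
#   -f  go to the background once authentication has finished
#   -o ExitOnForwardFailure=yes  exit instead of silently running with no
#      tunnel if the local port is already in use (otherwise the mail client
#      would talk to whatever happens to own that port)
start_tunnel() {
    local_port=$1; svc_host=$2; svc_port=$3; login=$4
    spec=$(forward_spec "$local_port" "$svc_host" "$svc_port")
    if ! check_spec "$spec"; then
        echo "refusing to open tunnel: $spec is not bound to loopback" >&2
        return 1
    fi
    ssh -N -f -o ExitOnForwardFailure=yes -L "$spec" "$login"
}

# Only act when invoked with arguments, e.g.:
#   sh tunnel.sh 1143 mail.example.com 143 myname@h.example.com
# then point the IMAP client at server 127.0.0.1, port 1143.
if [ "$#" -eq 4 ]; then
    start_tunnel "$1" "$2" "$3" "$4"
fi
```

The same pattern serves POP by forwarding to port 110 instead of 143.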

SSH servers are available on all public SCD systems and on the UCAR gatekeeper machine. Many other Internet sites and institutions also have SSH servers. Free SSH clients are available for all major platforms (Unix, Linux, Windows, Macintosh). Commercial clients with a more sophisticated user interface and vendor support can also be had for Windows and Macintosh machines.

Client Availability

SSH clients are available for all major operating systems, either with commercial support or free of charge. Free SSH clients (released under the GPL, a BSD-style license, or a similar arrangement) are covered in this document. In addition, several commercial clients are listed for those users who require commercial support.

Obtaining SSH Clients for your System

SSH clients are available for Palm Pilots, Windows CE machines, Unix-like systems, Mac OS, and Microsoft Windows. Information on obtaining SSH clients for these systems is available via the appropriate link below.

SSH for UNIX-like Systems
SSH for Mac OS
SSH for Microsoft Windows
SSH for Palm Pilots

Additional assistance in locating and downloading SSH clients for systems not listed above may be obtained from the SCD Technical Consulting Group (consult1@ucar.edu).

File Transfers with SSH Clients

SSH provides a clean path across which file transfers can be run. These include scp (originally from Unix), zmodem (originally used extensively on Bulletin Board Systems, or BBSes), port-forwarded ftp command channels, and a more secure system designed to mimic ftp commands, known as sftp, among others. Your choice will depend on what is available for your platform and your preferences regarding command line vs. GUI interfaces. SCD supports all of them. See the examples of how to transfer files via these various transfer options.


Obtaining SSH for Unix-like systems

Free clients

SCD strongly recommends the free OpenSSH client. OpenSSH comes with OpenBSD (its home base), Debian Linux, and Red Hat Linux 7. You can also obtain the Portable OpenSSH distribution for just about any other Unix-like system you have, including pre-built RPMs for Red Hat Linux 6.2 and updates for 7. (You don't need to be root on your Unix-like system to build and install the ssh client for your own use.) OpenSSH uses command line scp for efficient file and directory transfer.

If you're adventurous, you might also check out lsh by Niels Möller. It's a GPLed SSH-2 implementation.

Commercial clients

If instead you want the commercial support you can get from a for-pay product, plus perhaps a few additional features, SSH Communications Security sells SSH for Unix-like systems online. Their original US distributor, F-Secure, also sells a similar version online, known as F-Secure SSH.


Obtaining SSH for Mac OS

Free clients

SCD strongly recommends NiftyTelnet SSH by Jonas Walldén. It is an excellent terminal emulator and provides a drag-and-drop GUI front end for scp file and directory transfers.

Also recommended is the Java SSH client Mindterm. It works well on Mac OS, particularly for port forwarding, though the user interface is somewhat generic Java and thus not Mac standard. A Mac OS runtime of the GPLed version 1.2 is available locally. Mindterm has a rudimentary dialog-based front-end for scp file and directory transfers on all platforms.

A new contender is the free MacSSH, currently in early development release, based on BetterTelnet by Rolf Braun and lsh by Niels Möller. You might want to try it out, especially if you are an advanced user who wants the SSH-2 support and port forwarding that NiftyTelnet SSH lacks.

Commercial clients

If you want the commercial support you can get from a for-pay product, the original US distributor of SSH Communications Security's product, F-Secure, sells a Mac version of their F-Secure SSH online. It does SSH-2 only (no support for the less secure SSH-1), and forwards your standard ftp command channel connections for file transfers.


Obtaining SSH for Microsoft Windows

Free clients

SCD strongly recommends PuTTY for MS Windows users. PuTTY does command line scp with pscp.exe for file and directory transfer. The iXplorer graphical front end for PuTTY's scp (reviewed by Jeremy C. Reed) provides a point and click scp transfer interface. PuTTY also now includes a command line sftp file transfer client.

In addition, the division highly recommends the cygwin GNU utility suite for MS Windows, which can run OpenSSH. Cygwin is best for those Microsoft Windows users who also wish to use other GNU and open source tools. It is tremendously useful for getting all kinds of work done on a Windows machine, not just for running OpenSSH. When using OpenSSH, it does command line scp for efficient file and directory transfer.

SCD also recommends the Java SSH client, Mindterm. It works fairly well under the Java pre-installed on most recent Windows systems. Mindterm has a rudimentary dialog front-end for scp file and directory transfers on all platforms. It can also port-forward the ftp command channel.

Also available is the Tera Term SSH (ttssh) add-on for the excellent Tera Term Pro terminal emulator by T. Teranishi. It uses zmodem to transfer individual files. To transfer entire directories, use pkzip to make an archive first and then unzip it on the web server, or use PuTTY's pscp.exe or a similar utility instead.

Commercial clients

If you want the commercial support you can get from a for-pay product, SecureCRT is available online from VanDyke. SecureCRT is easy to set up and use. SecureCRT offers multi-file zmodem transfers, and the new version will ship with a command-line sftp called vcp as well. A separate product, SecureFX, does both sftp and ftp command channel port forwarding.

In addition SSH Communications Security sells a Windows version of SSH online. Their original US distributor, F-Secure, also sells a similar version online, known as F-Secure SSH. Both do file and directory transfers with a drag-and-drop sftp client.

File transfers with SSH clients

SSH provides a clean path across which many different types of file transfers can be run. These include scp (originally from Unix), zmodem (originally used extensively for BBSes), port-forwarded ftp command channels, and a more secure system designed to mimic ftp commands, known as sftp, among others.

Which you choose will depend on what is available for your platform, and your preferences regarding command line vs. GUI. We support all of the following: scp, zmodem, port-forwarded ftp command channels, and sftp.

File Transfers Using Secure Copy (scp)

NiftyTelnet SSH (Mac OS) has a very smooth file transfer window. Mindterm (Java) has a dialog-based front end for scp that isn't as straightforward, but it can get the job done if it's all you have. Other clients, like OpenSSH (Unix, Windows cygwin), SSH (Unix), F-Secure SSH (Unix), and PuTTY's pscp.exe (Windows) use a command line scp.

scp with NiftyTelnet SSH (Mac OS)

If you want to recursively copy mydirectory to host h.example.com (where you log in as myname) into the location /www/example.com/web/, type the hostname or select the shortcut for that hostname in the New Connection dialog, and click the Scp… S button. Then set up the resulting file transfer dialog as follows:

Picture of NiftyTelnet SSH Upload Dialog

You can drag and drop files into the "Source Files" pane from the Finder as well. This makes copying large numbers of individual files that aren't stored in one directory quick and easy.

If you want to recursively copy a directory called log from the location /www/example.com/ on a host h.example.com where you log in as myname to your download folder, type the hostname or select the shortcut for that hostname in the New Connection dialog, and click the Scp… S button. Then set up the resulting file transfer dialog as follows:

Picture of NiftyTelnet Download Dialog

scp with Mindterm (Java)

Mindterm's file transfer dialog is not as sophisticated as NiftyTelnet, but it gets the job done if you're willing to type directory names and select files one by one with a standard file picker. After you have logged on to a server, you can select "SCP File Transfer…" from the "File" menu. The resulting dialog is used both to upload and download files and directories:

Picture of Mindterm Upload Dialog

To switch from copying files to the server to downloading files from it, click the "Change Direction" button.

Picture of Mindterm Download Dialog

Depending on the platform you're using to run Mindterm, you may be able to select directories through the "…" button, or you may have to select a file in the directory, and manually edit the resulting path Mindterm generates. It's certainly not the most elegant implementation, but it does work.

scp with OpenSSH (Unix, Windows cygwin), SSH (Unix), F-Secure SSH (Unix), and PuTTY's pscp.exe (Windows)

The command line for doing a recursive scp of mydirectory from your websites directory to host h.example.com (where you log in as myname) into the location /www/example.com/web/ typically looks like this:

  scp -r ~/websites/mydirectory myname@h.example.com:/www/example.com/web

Or with pscp.exe:

  pscp -r c:\websites\mydirectory myname@h.example.com:/www/example.com/web

Note: Replace the directory, host, and login names with those for your own system. If your login name is the same on both ends of the transfer, you can omit the myname@ portion when using scp.

If you want to copy just the contents of mydirectory instead of mydirectory itself, refer to those contents like this:

  ~/websites/mydirectory/*

Or with pscp.exe:

  c:\websites\mydirectory\*.*

The /* or \*.* tells scp or pscp.exe to copy the contents of mydirectory only into …/web/ instead of creating or replacing a directory called mydirectory within …/web/.

The command line for copying all files whose names start with access from the location /www/example.com/log/ on a host h.example.com where you log in as myname, to the current working directory on your workstation, typically looks like this:

  scp myname@h.example.com:/www/example.com/log/access\* .

Or with pscp.exe:

  pscp myname@h.example.com:/www/example.com/log/access* .

Note: Replace the directory, host, and login names with those for your own system. If your login name is the same on both ends of the transfer, you can omit the myname@ portion when using scp.

File Transfers Using zmodem

zmodem is usually implemented in terminal emulators with BBS heritage. Tera Term SSH and SecureCRT are examples.

Tera Term SSH (Windows)

To copy a file to host h.example.com in the directory /www/example.com/web/, log in to h.example.com, and change working directory to /www/example.com/web/ with the following command line:

  cd /www/example.com/web/

Note: Replace the directory and host names with those for your own system.

Then set up a zmodem file transfer as follows:

Picture of Tera Term SSH Zmodem Menu Selection

Select the file you wish to transfer in the resulting dialog. Tera Term SSH will handle invoking the rz (zmodem receive) program on the server, and will send the file to the server, placing it in the current working directory you previously selected.

To download a file named access_log from host h.example.com's directory /www/example.com/log/, log in to h.example.com, then type the command line:

  sz /www/example.com/log/access_log

Note: Replace the directory and host names with those for your own system.

The server will begin trying to send the file. Select zmodem as in the picture above, but choose Receive, and Tera Term SSH will accept the transfer and download the file.

SecureCRT (Windows)

To copy a number of files to host h.example.com in the directory /www/example.com/web/, log in to h.example.com, and change working directory to /www/example.com/web/ with the following command line:

  cd /www/example.com/web/

Note: Replace the directory and host names with those for your own system. Then select SecureCRT's zmodem upload list as follows:

Picture of SecureCRT Zmodem Upload List Selection

In the resulting dialog, select the files you wish to transfer. Then go back to SecureCRT's Transfer menu, and select Start Zmodem Upload. SecureCRT will handle invoking the rz (zmodem receive) program on the server, and will send the files to the server, placing them in the current working directory you selected earlier.

File Transfers Using sftp

Sftp is a new file transfer application that can mimic interactive ftp without the complications of port forwarding and without a cleartext data channel. It does command line transfers under OpenSSH (Unix, Windows cygwin) and SecureCRT vcp (Windows), as well as drag and drop under SecureFX (Windows), SSH (Windows), and F-Secure SSH (Windows).

OpenSSH sftp (Unix, Windows cygwin)

An sftp client is included with the Portable OpenSSH distribution. It provides for interactive sessions plus commands for directory listings like the usual command line ftp clients. You invoke sftp as follows:

  sftp myname@h.example.com

Note: Replace the login and server name with those for your own system.

Once connected, the commands in the sftp client are virtually the same as in an ftp command line client. You can switch to different directories on the server with cd, and on the client with lcd. You can also get and put files.

SecureCRT vcp (Windows)

SecureCRT's vcp uses sftp under the hood, but works like scp. It doesn't offer an interactive session for directory listings the way the OpenSSH sftp client does.

The command line for doing a recursive sftp of mydirectory from your websites directory to host h.example.com (where you log in as myname) into the location /www/example.com/web/ typically looks like this:

  vcp -r c:\websites\mydirectory myname@h.example.com:/www/example.com/web

Note: Replace the directory, host, and login names with those for your own system.

The command line for copying all files whose names start with access from the location /www/example.com/log/ on a host h.example.com where you log in as myname, to the current working directory on your workstation, typically looks like this:

  vcp myname@h.example.com:/www/example.com/log/access* .

Note: Replace the directory, host, and login names with those for your own system.

SecureFX (Windows)

SecureFX from VanDyke (they also produce SecureCRT) provides a point and click, drag and drop sftp that mimics the MS Windows Explorer. SecureFX can optionally transfer only those files that are newer on the source than on the destination.

(picture goes here)

SSH (Windows)

SSH from SSH Communications Security provides a point and click, drag and drop sftp that mimics the MS Windows Explorer:

(picture goes here)

F-Secure SSH (Windows)

F-Secure SSH from F-Secure also provides a point and click, drag and drop sftp that mimics the MS Windows Explorer:

(picture goes here)


Capsule Recommendations

For further information, below are some capsule summaries of the recommended SSH technology to use, along with alternatives based on specific preferences.

Recommendation for Unix-like systems

Use OpenSSH. (scp is available with OpenSSH.)

Recommendation for Mac OS

Use NiftyTelnet SSH for logins and file transfers.

(If you need port forwarding, also use Mindterm. If you need port forwarding and SSH-2 support both, try MacSSH instead. If you want ftp command channel port forwarding, you'll need to go commercial with F-Secure SSH.)

Recommendation for Microsoft Windows

Use PuTTY for interactive logins and file transfers. Optionally use iXplorer on top of pscp.exe for file transfers.

(If you want a different terminal emulator, use Tera Term SSH (ttssh), while still using PuTTY or iXplorer for file transfers. If you want more Unix command line utilities, use cygwin instead of PuTTY. If you really want the snazzy sftp GUI agents, you'll need to go commercial with SecureCRT/SecureFX, SSH, or F-Secure SSH.)



Document created July 27, 2001

Last update: 09/28/2004

If you have questions about this document, please contact SCD Customer Support. You can also reach us by telephone 24 hours a day, seven days a week at 303-497-1278. Additional contact methods: consult1@ucar.edu and during business hours in NCAR Mesa Lab Suite 39.

© Copyright 2001-2004. University Corporation for Atmospheric Research (UCAR). All Rights Reserved.

Address of this page: http://www.scd.ucar.edu/docs/ssh/ucarssh.html