SSH

ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to replace rlogin and rsh, and provides secure encrypted communications between two untrusted hosts over an insecure network. X11 (the graphical display system for Linux) connections and arbitrary TCP/IP ports can also be forwarded over the secure channel, i.e. port forwarding is provided so you can run programs that normally don't offer a secure connection through ssh; in essence it allows for secure tunnels. You can look into the differences between the two versions of the SSH protocol, but suffice to say that currently we only allow protocol version 2 in to frink, as it provides additional security with more advanced encryption algorithms than version 1; basically it's more secure :). If you want to learn more, man ssh at a console will bring up the full listing of information on the version installed on the machine you're logged into.

Some basic options for the connection follow; generally you'll just use the syntax ssh username@host. Some of the additional switches can come in handy for forwarding ports (allowing programs to use the secure connection to the server) or for specifying the cipher to be used for encryption.
-c blowfish|3des|des : This allows you to select which encryption to use. We suggest you leave it at the default unless you're experiencing connection problems.
-f : Requests ssh to go into the background just before command execution. This is the recommended way to start programs on a remote system, e.g. ssh -f username@host xterm
-l login name : Allows specification of the login name if you want to use the format ssh -l username host. This is the same as ssh username@host.
-p port : Allows the connection port to be specified. This is useful for when the server uses a different port than the standard 22 for accepting ssh connections.
-C : Enables compression on the connection, which is desirable when using a modem connection but should be avoided when using network or DSL speed connections.
-x : Disables X11 forwarding, which is useful if logging in from a Linux machine to a Linux server over a slow connection, so that no X11 applications get started accidentally, such as Netscape being launched as a viewer from pine or mutt (mail clients).
-X : Enables X11 forwarding. If you are connecting across a network and you want to access a GUI on the remote system this can be useful.
-L port:host:hostport : specifies that connections to port number port on the local machine are to be forwarded to port hostport on machine host, with the onward connection made from the remote machine being connected to. For this to work, host must be reachable from the remote server being connected to.
-R port:host:hostport : specifies that connections to port number port on the remote machine are to be forwarded over the secure channel to the local machine, which will route them on to port hostport on host. This means host must be visible to the local machine.

Firstly we'll cover the basic connection command using ssh. There are two forms; it is suggested that you pick one and stick with it. We cover both for the sake of completeness and so that you're aware of the other method in case you come across it in the future.

$ ssh username@frink.nuigalway.ie

            NUI Galway Computer Society

                AUTHORISED USE ONLY


By logging into this machine you agree to the NUI, Galway
Computer Society's Terms Of Usage. These can be found at:
http://www.compsoc.nuigalway.ie/structure/terms.phpm

It is the responsibility of individual users to comply
with the Terms Of Usage.

---------------------------------------------------------
username@frink.nuigalway.ie's password:

There's no point in taking up a huge amount of space here with the messages displayed after you log in, unless they contain information pertaining to the ssh command line that was just executed, so the rest of the text displayed after you enter your password and log in has been left out.

The second method is to use the -l option, note the use of lower case, followed by the username and then the server to connect to.

$ ssh -l username frink.nuigalway.ie

If it works correctly you should get the same output as in the first example.

Occasionally we will want to run another program across the secure connection. We can do this by having ssh forward a port on the local machine to a designated port on a remote machine. Remember the remote machine must be visible from whatever machine we are connected to, otherwise the port cannot be forwarded. Additionally, if we need an application on a remote machine to be able to communicate back to our machine via the tunnel, we can have the ssh connection forward a port on the remote machine back to a designated port on our own. At the end of this page you'll be shown how to connect to geminga/vega from home over a secure tunnel through the compsoc server. This should demonstrate this a little better than performing all the port forwards on the local machine.

Firstly open up 2 connections to frink and log in. You're going to need the 2 so you can see what's happening. In 1 we're going to connect to frink (same as localhost) but we will forward port 2025 (if it's in use just pick another higher up) to port 25 on frink.nuigalway.ie. In the other screen we will telnet to port 2025 on the localhost. If the port forwarding is successful we should be greeted with the response from the SMTP (simple mail transfer protocol) service, which runs on port 25, even though we connected to port 2025. Let's start with screen one.

$ ssh username@frink.nuigalway.ie -L 2025:frink.nuigalway.ie:25
General access output from frink...
username@frink.nuigalway.ie's password:

The next step will be done in the second window. Note that the server we are connecting to here is localhost, since it is a local port that was forwarded through the tunnel to port 25 on frink and we are connecting to the localhost port. Also, to connect to the SMTP service we'll be using telnet for the moment; occasionally we can use the same method to forward ssh connections on to computers that are only reachable from the machine that we first connected to. That will be shown in connecting to geminga at the end. The syntax of a telnet connection is telnet server port. Please note that it should only ever be used for demonstration purposes or for services that do not use authentication, since it transmits all usernames/passwords as plain text, not encrypted.

$ telnet localhost 2025
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 frink.nuigalway.ie ESMTP Exim 3.35 #1 Tue, 17 Feb 2004 22:11:16 +0000

If you get the same output as above you've created the port forwarding correctly and are now connected to the SMTP service on frink. If you know the correct commands you could send a mail directly to someone using this. To exit press the following keys:

Ctrl + ]
Enter

You will be greeted by a prompt "telnet>" and should type quit to finish, as below.

telnet> quit
Connection closed.

While not particularly useful it's an easy demonstration of port forwarding that does not require access to another machine.
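To show what the -L forward above actually does on the local side, here is an added example (not code from the compsoc page): a plain TCP relay standing in for ssh's local listener, plus a constructed loopback service that greets with an SMTP-style banner, so the telnet check can be reproduced offline. The spec parser accepts the same port:host:hostport form as ssh; the banner text, the port numbers chosen by the OS and the relay itself are assumptions made for the demo, and unlike real ssh the relay connects to the far end directly instead of through an encrypted channel.

```python
import socket
import threading


def parse_forward_spec(spec):
    """Parse the -L/-R argument `port:host:hostport` into (port, host, hostport).
    Port 0 means "let the OS choose" (the demo relies on it); 1-1023 would need root."""
    parts = spec.split(":")
    if len(parts) != 3 or not parts[1]:
        raise ValueError("expected port:host:hostport, got %r" % spec)
    port, hostport = int(parts[0]), int(parts[2])
    if not (0 <= port <= 65535 and 0 < hostport <= 65535):
        raise ValueError("port out of range in %r" % spec)
    return port, parts[1], hostport


def _pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the peer sees EOF too."""
    try:
        for chunk in iter(lambda: src.recv(4096), b""):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass


def _serve(listener, stop, handler):
    """Accept until `stop` is set; the short timeout lets the loop notice the flag."""
    listener.settimeout(0.5)
    while not stop.is_set():
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            continue
        except OSError:
            return
        threading.Thread(target=handler, args=(conn,), daemon=True).start()


def _listen(port=0):
    """Bind a loopback listener; port 0 asks the OS for a free port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", port))
    sock.listen(5)
    return sock


class LocalForward:
    """The local half of `ssh -L`: listen on 127.0.0.1:port and relay each connection
    to host:hostport. Real ssh carries the bytes through the encrypted channel and the
    *server* makes the onward connection; this stand-in connects directly."""

    def __init__(self, spec):
        self.port, self.host, self.hostport = parse_forward_spec(spec)
        self._stop = threading.Event()
        self._listener = _listen(self.port)
        self.port = self._listener.getsockname()[1]  # resolves port 0 to the real port
        threading.Thread(target=_serve, daemon=True,
                         args=(self._listener, self._stop, self._relay)).start()

    def _relay(self, client):
        try:
            upstream = socket.create_connection((self.host, self.hostport), timeout=5)
        except OSError:
            client.close()  # far end not reachable: the failure the page warns about
            return
        upstream.settimeout(None)
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
        _pump(client, upstream)

    def close(self):
        self._stop.set()
        self._listener.close()


# Constructed banner for the demo; not the real greeting of frink's mail server.
SMTP_BANNER = b"220 frink.nuigalway.ie ESMTP (constructed stand-in banner)\r\n"


def _fake_smtp(conn):
    """Stand-in for the port-25 service: greet, then wait for the client to leave."""
    with conn:
        try:
            conn.sendall(SMTP_BANNER)
            while conn.recv(1024):  # drain until the client closes
                pass
        except OSError:
            pass


def demo_banner_through_forward():
    """Offline `telnet localhost 2025`: the first bytes read from the forwarded port are the far end's banner."""
    smtp, smtp_stop = _listen(), threading.Event()
    threading.Thread(target=_serve, args=(smtp, smtp_stop, _fake_smtp), daemon=True).start()
    fwd = LocalForward("0:127.0.0.1:%d" % smtp.getsockname()[1])
    try:
        with socket.create_connection(("127.0.0.1", fwd.port), timeout=5) as client:
            return client.recv(1024)
    finally:
        fwd.close()
        smtp_stop.set()
        smtp.close()
```

Calling demo_banner_through_forward() returns the 220 banner, exactly what the telnet session above shows: the client never talks to the mail service directly, only to the local listener, which is why the remote end of a real ssh forward must be reachable from the server you are logged into rather than from your own machine.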

For those of you who use Linux at home or have a command-line version of ssh that can be used on Windows, here's how to connect all the way into your account on geminga; if it's vega you use, just substitute vega wherever I use geminga. This same method can be used to connect to any other machine via an ssh tunnel; in this case the program that I will be running over the tunnel will also be ssh. Even when a server will accept a telnet connection it's bad practice to use this if it requires any authentication. I'll begin by outlining the information required to create the tunnel, starting at your home machine and ending at frink, the compsoc server, with anything coming across the tunnel being sent on to the designated port on the remote machine. At this stage you also need to know what program you intend to use, as this will determine what port your tunnel will have to be forwarded to on the remote machine.

Following are the basic details that I will use to create the tunnel; you can modify these to suit your requirements.
Machine to Connect to : frink.nuigalway.ie
Machine Connecting from : localhost
Remote Machine to have tunnel forward port to : geminga.it.nuigalway.ie
What to connect to on the Remote Machine : the ssh daemon, as I want to log in to a shell on geminga so I need to ssh into it.
Port to connect to on Remote Machine : 22, since the ssh daemon listens on port 22. Telnet uses 23, SMTP 25.
Port on localhost to be forwarded to the Remote Machine : anything above the reserved ports, so use 2022 as it's easy to remember.

Now for the easy bit: combining this information to form the arguments for the ssh connection and tunnel.

$ ssh username@frink.nuigalway.ie -L 2022:geminga.it.nuigalway.ie:22
General access output from frink...
username@frink.nuigalway.ie's password:

Now that the tunnel is up and running we need to use it. In this case we will be using ssh, but the same details hold true for any other application that you want to run over it. What we currently know is that port 2022 on localhost will actually go straight to port 22 on geminga.it.nuigalway.ie across an encrypted connection. We are just telling whatever program we run where the entrance to a connection we have already created for it is. Since we have created this connection in advance, the program doesn't need to know where the connection goes to, just where to enter it, and it will be brought to where it needs to go.
Port to Connect to : 2022, because this is the port that gets forwarded.
Machine to Connect to : localhost, as this is the machine the port is forwarded from.

$ ssh username@localhost -p 2022
WARNING: RSA key found for host localhost
in /home/dara/.ssh/known_hosts:3
RSA key fingerprint 21:f1:65:ae:08:fa:44:fa:9e:e1:1f:3d:27:e4:d8:4a.
The authenticity of host 'localhost (127.0.0.1)' can't be established,
but keys of different type are already known for this host.
RSA1 key fingerprint is 53:2d:2e:49:ba:56:2b:92:c7:82:3e:ef:c0:e7:a8:ae.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA1) to the list of known hosts.
9947990u@localhost's password:
(the rest is the usual output from geminga upon successful login)

The first time you connect to geminga or any other server you're going to get this output about the RSA key. It is used to uniquely identify the machine that you are connecting to, and given that there are 3.4028238 combinations it's unlikely that you could be given the same one twice. It's basically the machine's public key, and as a result it's useless for trying to spoof a connection, as you require the private key in order to be able to send information that can be decoded using this. This is used for the initial connection setup to allow a more secure information transfer method to be negotiated based on a large number of keys. Once you choose to store this, there are only two occasions where it will need to be updated: 1) the server decides to recreate its RSA keys, or 2) where you use a tunnel like this that uses a generic name for the host that can also be used for other connections.
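The fingerprints in the warning above are derived from the key that ssh stores in ~/.ssh/known_hosts, and the second case just mentioned (several different servers all reached as "localhost" through tunnels) shows up in that file as more than one key of the same type under one name. The following is an added example, not code from the compsoc page, that computes the two OpenSSH fingerprint formats (the colon-separated MD5 form shown above and the newer SHA256 form) and checks a known_hosts file for that collision. The known_hosts sample, its tiny placeholder key blobs (a real ssh-rsa blob is several hundred bytes) and the 192.0.2.10 address are constructed for the demo.

```python
import base64
import hashlib

# Constructed sample of ~/.ssh/known_hosts (not the author's real file). The key
# blobs are just "abc", "abcd" and "efgh" in base64; 192.0.2.10 is a documentation
# address. Two different ssh-rsa keys are filed under "localhost", which is what
# happens when tunnels to different machines are all entered via localhost.
SAMPLE_KNOWN_HOSTS = """\
# constructed sample
frink.nuigalway.ie,192.0.2.10 ssh-rsa YWJj
localhost ssh-rsa YWJjZA==
localhost ssh-rsa ZWZnaA==
"""


def fingerprint_md5(key_b64):
    """Old-style OpenSSH fingerprint: MD5 of the raw key blob as colon-separated hex."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(key_b64):
    """Current OpenSSH fingerprint: SHA256:<base64 digest, '=' padding stripped>."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text):
    """Return (hostnames, keytype, key_b64) tuples; skips blank and comment lines,
    tolerates a leading @marker field (e.g. @revoked) and a trailing comment."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):
            fields = fields[1:]
        if len(fields) < 3:
            continue  # malformed line; ssh itself would ignore it
        entries.append((fields[0].split(","), fields[1], fields[2]))
    return entries


def keys_for_host(entries, host):
    """Map key type -> set of MD5 fingerprints stored for `host`. Hashed entries
    (|1|salt|hash) never match a plain name and so are left out."""
    found = {}
    for hosts, keytype, key_b64 in entries:
        if host in hosts:
            found.setdefault(keytype, set()).add(fingerprint_md5(key_b64))
    return found


def has_conflict(entries, host):
    """True when two different keys of one type are stored under the same name: the
    symptom of reaching different servers through tunnels that all use 'localhost'."""
    return any(len(fps) > 1 for fps in keys_for_host(entries, host).values())


def matches_published(entries, host, expected_md5):
    """Out-of-band check: does a stored key for `host` match the fingerprint the
    server's admins published? Compare before answering 'yes' to the prompt."""
    return any(expected_md5 in fps for fps in keys_for_host(entries, host).values())
```

The same fingerprints can be printed from a real file with ssh-keygen -l -f ~/.ssh/known_hosts (add -E md5 for the colon form). The conflict itself is avoidable: giving the tunnelled session its own name for host-key purposes, e.g. ssh -o HostKeyAlias=geminga.it.nuigalway.ie -p 2022 username@localhost, stores geminga's key under that alias instead of under "localhost", so it no longer collides with other tunnels and a changed key once again means the server was rekeyed or something is wrong, rather than simply "different tunnel".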