Computer Protection Program at Berkeley Lab Security
Ernest Orlando Lawrence Berkeley National Laboratory
PROCEDURES FOR SECURING SYSTEMS
Secure Shell (SSH)


About SSH

If you currently use "telnet" or "rlogin" to log in from one computer to another, you are exposing your data and your computers to potential attacks by hackers. The System and Network Security group strongly recommends the use of "Secure Shell" (SSH), which has been found to greatly increase security. While SSH does require some initial setup and some understanding of how it works, the extra effort is well worth it and will significantly reduce the chance that your data and/or computers will be tampered with.

SSH automatically encrypts all data exchanged between the two computers during your entire login session. This prevents hackers from seeing or manipulating data (including passwords) as that information passes through the network. In addition, SSH provides much stronger "authentication," so it is more difficult for a hacker to gain access to your account by impersonating you from another computer.

It is strongly recommended that login sessions involving Lab computers use SSH. This is particularly important for privileged (root) logins as well as logins that go over networks outside the Lab (e.g., logins from home or while on travel).

How Does SSH Work?

While the encryption feature of SSH is automatic and transparent to the user, the authentication feature requires a bit of explanation and setup. The type of authentication used in SSH is called "public key" authentication.

When you first set up to use SSH, you will run an SSH program to create two special files, each containing a long random number. These two numbers are called "keys," and although they are different numbers, they are related to each other mathematically. One is called your "public key" and the other is your "private key." As the name implies, the public key can be known to anyone and does not need to be protected. In fact, a copy of your public key must be in your home directory on any computer you want to log in to with SSH.

The private key, on the other hand, must be carefully protected and only needs to exist in your home directory on the computer you are going to be logging in from. As long as no one else has access to your private key, the computer you are logging in to will have a high degree of confidence that you are who you say you are without sending any sensitive information (like passwords or keys) over the network. The diagram below illustrates:

Finally, for SSH's security to work, you must protect that private key. This is done by encrypting the file that contains it. SSH will do this for you, and it will ask you for the passphrase used to encrypt that file whenever you log in to another computer.

SSH Dos and Don'ts

  • Do use SSH to protect your password(s) and other data when logging in to lab computers.
  • Don't expose your password by using telnet or make lab computers vulnerable by using rlogin.
  • Do make sure that the entire route from your keyboard to the computer you're using is protected and encrypted with SSH.
  • Don't log in to one computer with telnet or rlogin and then run SSH from there to another computer. This exposes your SSH passphrase in the first, unencrypted connection.
  • Do make sure your private key is encrypted with a hard-to-guess passphrase.
  • Don't use your regular UNIX password as your SSH passphrase.
  • Do feel free to install SSH on any computers that you use for Lab business, including home computers and laptops used to log in to Lab computers.
  • Don't give the Mac or PC version of the software to anyone who is not associated with the Lab or who would not be using it for Lab business.

Download SSH

The UNIX version of this software is widely available at no cost and runs well on most UNIX platforms. The Lab has acquired a site license for the PC and Macintosh clients from Data Fellows. This software can be used by Laboratory employees to access the LETS system and conduct other Laboratory business. However, please do not distribute this software to non-Laboratory employees. Collaborators who need to log into computers here at the Lab from off-site Macs or PCs can buy very inexpensive licenses from F-Secure Corporation (formerly Data Fellows).

SSH on a UNIX Computer

Configuring Your System

  • Make sure SSH is installed on any computers you use and that you have access to this tool. If you're not sure, ask your system manager(s).

  • Generate the public and private key files described above by running the program ssh-keygen:

    ssh-keygen -N "password"

    The password should actually be more than one word, and it's usually called a "passphrase." This should be a phrase that you can remember. It will take a few seconds to generate the keys, and then the program will ask where you want to put the private key. Hit return and the private key will go into a file called $HOME/.ssh/identity. The public key will then automatically go into a file called $HOME/.ssh/identity.pub.
  • Get your public key copied to the machines you want to log in to. A safe way to do this is to use the "scp" program. "scp" is very much like the "rcp" program, but it uses SSH security features. If the remote computer were named "ux8," you would type:

    scp $HOME/.ssh/identity.pub ux8:.ssh/authorized_keys

    Since the authorized_keys file isn't there yet, "scp" will ask you for your UNIX password on the remote computer. (Please note: this is not the passphrase used in the ssh-keygen command above.)
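The scp command above copies identity.pub directly onto authorized_keys, so if that file already holds a key (from another machine you log in from, or from a PC, as in the Windows section later on this page) it is silently replaced. The script below is an added example, written for this page and not part of the CPP procedure or the SSH distribution, for the destination side of that step: it appends a public key to $HOME/.ssh/authorized_keys only when it is not already listed, sets the modes the SSH daemon expects (700 on .ssh, 600 on authorized_keys), strips the carriage returns a key picks up when it is moved via a PC, and checks that a private key is readable by its owner alone. The function names, the machine name ux8 and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example for the Berkeley Lab SSH procedure (not the page's own
# code): install a public key without clobbering keys already authorized,
# and check the file modes SSH relies on.  Paths and names are illustrative.

# install_pubkey PUBKEY_FILE TARGET_HOME
# Appends the single key in PUBKEY_FILE to TARGET_HOME/.ssh/authorized_keys.
# Creates .ssh (mode 700) and authorized_keys (mode 600) as needed, strips
# CR characters from a key that came from a PC, and skips keys already listed.
install_pubkey() {
    pubkey="$1"
    home="$2"
    sshdir="$home/.ssh"
    auth="$sshdir/authorized_keys"

    [ -r "$pubkey" ] || { echo "cannot read $pubkey" >&2; return 1; }
    key=$(tr -d '\r' < "$pubkey")
    # A public key file holds exactly one non-empty line.
    [ "$(printf '%s\n' "$key" | grep -c .)" -eq 1 ] || {
        echo "$pubkey does not contain exactly one key" >&2; return 1; }

    mkdir -p "$sshdir" || return 1
    chmod 700 "$sshdir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Exact whole-line match: the same key is never appended twice.
    if grep -qxF "$key" "$auth"; then
        echo "key already installed"
        return 0
    fi
    printf '%s\n' "$key" >> "$auth"
    echo "key installed"
}

# count_authorized_keys TARGET_HOME: number of keys (non-empty lines).
count_authorized_keys() {
    auth="$1/.ssh/authorized_keys"
    [ -f "$auth" ] || { echo 0; return 0; }
    grep -c . "$auth"
}

# check_private_key_mode KEYFILE: succeeds only when group and others have
# no permission bits on the private key (i.e. mode 600 or 400).
check_private_key_mode() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}
```

To use it with the page's procedure, copy the public key under a temporary name instead of straight onto authorized_keys (scp $HOME/.ssh/identity.pub ux8:identity.pub.new), log in to ux8, and run install_pubkey identity.pub.new $HOME there; run check_private_key_mode $HOME/.ssh/identity on the machine you log in from.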

Logging in with SSH

  • Use the "ssh" command in the same way you would normally use the "telnet" or "rlogin" command (i.e., ssh ux8). SSH will ask for the passphrase to decrypt your private key (not your UNIX password). Type in your passphrase, and you will be securely logged into the other computer.

Shortcut to Avoid Typing Your Passphrase Every Time
  • If you frequently log in to other computers from a UNIX computer and don't want to have to type your passphrase each time, there is a tool that can help you without sacrificing security. It's called "ssh-agent." For more information on this tool, view the UNIX man page. There are a few different ways to use ssh-agent, and these depend on how you use your computer:

Using "ssh-agent" from a UNIX Shell:
  • If you aren't running a windowing system, then using "ssh-agent" is easy. All you have to know is which "shell" you are using (typically csh or tcsh). If your shell is "csh," then you would type the following right after you log in:

    ssh-agent csh

    This keeps "ssh-agent" running until you log out.

  • Next, give your passphrase to "ssh-agent" with the ssh-add command:

    ssh-add

  • You are then asked for your passphrase, which is handed over to ssh-agent. From this point on, SSH will not ask you for your passphrase.

Using "ssh-agent" from X windows:
  • If you normally start X windows after you log in by typing something like "xinit," then you can type:

    ssh-agent xinit

    instead. This will start X windows with the agent running in the background. 

  • Once X is running, you will need to run:

    ssh-add

    which will ask you for your passphrase and hand it over to the ssh-agent. You can also run this program in your .xinitrc file. From this point on, ssh will not ask you for your passphrase.
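Both procedures above start the agent once (wrapping your shell or your X session) so that a single ssh-add serves the whole login. The script below is an added example, not from the CPP page, that carries the same idea into a Bourne-style shell startup file: it reuses an agent that is already running, starts one only when none answers, and gives the loaded key a lifetime so a forgotten session does not stay usable indefinitely. It assumes OpenSSH's ssh-agent and ssh-add (including the -s, -l, -t and -D options of those tools); the cache file $HOME/.ssh/agent.env and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the CPP page): start one ssh-agent per login
# session and reuse it from later shells, instead of launching a fresh
# agent in every terminal.  Assumes OpenSSH's ssh-agent and ssh-add;
# AGENT_ENV is a hypothetical cache file for the agent's environment.

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# agent_usable: succeed only if SSH_AUTH_SOCK names a live socket that
# ssh-add can talk to.  ssh-add -l exits 2 when no agent answers; 0 or 1
# (keys loaded / agent empty) both mean the agent is up.
agent_usable() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    command -v ssh-add >/dev/null 2>&1 || return 1
    ssh-add -l >/dev/null 2>&1
    [ "$?" -ne 2 ]
}

# start_agent: launch a new agent and cache its environment (mode 600,
# via umask in a subshell) so other shells of this login can find it.
start_agent() {
    mkdir -p "$(dirname "$AGENT_ENV")" || return 1
    ( umask 077; ssh-agent -s > "$AGENT_ENV" ) || return 1
    . "$AGENT_ENV" >/dev/null
}

# ensure_agent: source the cached environment and reuse the agent if it
# still answers; otherwise start a new one.
ensure_agent() {
    if [ -r "$AGENT_ENV" ]; then
        . "$AGENT_ENV" >/dev/null
    fi
    agent_usable || start_agent
}

# load_key [KEYFILE]: hand the private key to the agent, typing the
# passphrase once.  -t makes the agent forget the key after 8 hours.
load_key() {
    if [ -n "$1" ]; then
        ssh-add -t 8h "$1"
    else
        ssh-add -t 8h
    fi
}

# forget_keys: remove every key from the agent (for instance before
# leaving a shared workstation) without killing the agent itself.
forget_keys() {
    ssh-add -D
}
```

Put ensure_agent in your .profile (or .xinitrc, as the page suggests for X) and call load_key from an interactive shell when you first need it. csh users can do the same with ssh-agent -c and source instead of ssh-agent -s and the dot command.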

SSH on a Windows PC

Configuring Your System

  • Make sure SSH is installed on your PC as well as the UNIX machine(s) you want to log in to. If you're not sure, ask your system manager(s).

  • Generate those public and private key files described above. To do that you simply run the "SSH wizard," which was installed with SSH. It will guide you through the creation of the key files and will ask you for the password to encrypt the private key with.

  • Copy your public key to the machine(s) you want to log in to. The file that contains your public key created by the SSH wizard above is, by default, "identity.pub" in your SSH directory. The file is a normal ASCII text file that can be moved over to your UNIX computer(s) through FTP, floppy disk, or even email. The key should go into a file in your home directory called ".ssh/authorized_keys".

Logging in with SSH
