TweetFollow Us on Twitter

Aug 01 MacTech Online

Volume Number: 17 (2001)
Issue Number: 08
Column Tag: MacTech Online

SSH

by Jeff Clites

SSH

When the Internet was first growing up, it was developing in a rather safe environment. In fact, to the inventors it was probably a miracle that it worked at all. Now, however, those halcyon days are gone, and we live in less innocent times, where security is a genuine concern—it isn’t practical these days to just assume that things will be safe by default. There are a number of steps that users need to take these days to secure their systems, and this month we are going to look at one of them, ssh. It’s a small but important piece.

What’s ssh?

In brief, ssh (the Secure Shell) is a cryptographically secure replacement for telnet. The name is actually a bit of a misnomer—it isn’t really a shell itself, but rather a mechanism for interacting with a remote shell over a secure communication channel. It’s an indispensable tool for working with Mac OS X in a networked environment—like telnet, it allows you to quickly connect to remote machines, which is handy if not essential for a variety of administration and other tasks. In fact, the most significant security enhancement that ssh gives you may not be that it encrypts the contents of your remote session (which it does), but rather that it encrypts the login exchange itself, meaning that your password is never sent unencrypted over the network. Even in a supposedly secure environment, for instance behind a corporate firewall, it’s a good idea to use ssh instead of telnet whenever possible (which basically means whenever the two machines which are communicating both have it installed), both because it adds an extra bit of security, and also because it will get you into the habit of using it and making sure it is installed and available on all machines you routinely connect to, so that when you are operating in a less secure environment (for instance, if you need to connect from off site) you will be in the habit of reaching for ssh and will be opting for security by default.

Mac OS X has ssh installed by default (as part of a regular update package), and you can use it to connect with remote machines without further setup. To enable connections to your machine you merely need to enable remote login in the Sharing pane of System Preferences (after the update which installs ssh on Mac OS X, this setting is connected to ssh rather than to telnet, which is then disabled by default). The ssh “server” component (sshd) can be run out of inetd, but it is more commonly run as a standalone daemon. If you need to install ssh separately (either because you wish to install a newer version or because your current install is damaged), there are instruction on Stepwise for building and installing OpenSSH under Mac OS X. (The article also includes instructions for compiling in support for using tcpwrappers to further secure things by restricting remote login to a specific set of hosts and adding additional logging.) This version of ssh is free and open-source (part of the OpenBSD project, in fact), and leverages the OpenSSL library for many of its cryptographic algorithms. There are commercial versions available as well (and older free version from commercial vendors), but for most users OpenSSH is a good choice. OpenSSH tries very hard to avoid the use of patented algorithms in its implementation, in order to avoid the attendant restrictions to free development and distribution, and consequently does not support some of the algorithms found in commercial versions. This can be seen as either a virtue or a shortcoming, but in practice it does not interfere with its use.

Building OpenSSH 2.9 on Mac OS X 10.0.x
http://www.stepwise.com/Articles/Workbench/2001-05-02.03.html

Securing your Host—tcpwrappers
http://www.theorygroup.com/Theory/Systems/tcpwrappers.html

The SHH Suite

Overall, ssh has a great deal of flexibility in the details of its use. It supports a variety of authentication schemes, from RSA or Kerberos-based authentication to simple passwords or automatic login between trusted hosts; you can choose from several different algorithms (also called ciphers) for the encryption; and you can use ssh for port-forwarding to wrap insecure protocols inside of a secure transfer stream. And in addition to enabling remote login sessions, the ssh distribution contains several related tools which take advantage of ssh’s base facilities for secure communication. For file transfer, there is scp (an analog of rcp and ultimately cp, if you are familiar with those), which is used to copy files between systems over an ssh-based, encrypted channel. Server environments today are often set up without ftp installed in order to enhance security, and in such situations scp is the tool of choice for moving files onto and off of these systems. In addition to encryption, scp also supports compression of files during transit in order to speed transfer, using the same algorithm as gzip. (Compression is also supported by ssh itself, but the benefits are more likely to be noticeable during large file transfers than during a standard interactive login session, although over slow connections compression could make ssh “faster” than telnet for interactive use.) The scp tool has the same semantics as cp, so that source and destination are specified when invoking the tool, rather then being chosen interactively as is commonly done with ftp tools. This can be somewhat inconvenient, as you need to know the exact path to use on the remote system before invoking the tool, which will often necessitate a separate ssh login to “browse around” the remote filesystem to determine the correct path. On the plus side, scp can be used to transfer files between remote systems—neither the source nor the destination needs to be local.

On the other hand, if you need the convenience and flexibility of the interactivity of ftp, you might find sftp more to your liking. It’s a newer addition to the ssh family, and is likely to be less widely deployed at this time. It provides an ftp-like interactive session for file transfer, with similar commands to those used by ftp. Technically, sftp is not itself a secure protocol, but rather it is a protocol designed to be used over a secure channel, provided by ssh. There is a separate executable, sftp-server, which is used by OpenSSH to enable sftp on the server side, but it is invoked by the sshd daemon rather than running separately, so it requires minimal configuration and setup to get it running. One caveat is that sftp is reported to be significantly slower than the traditional scp, although it’s not clear whether this is inherent to the protocol it uses, or if it’s just the result of a still-evolving implementation. Note also that sftp is not simply ftp secured via ssh port-forwarding, because ftp’s use of two separate TCP/IP connections for control commands and data transfer makes this difficult to do; instead, sftp uses a single stream to do its work.

References

Online, you can find most of the essential information you need at the OpenSSH web site, including download locations, online manual pages, and a short FAQ, as well as links to other sites with articles and even more information. There is also another ssh FAQ available online, more general but somewhat geared toward the commercial versions of ssh.

OpenSSH
http://openssh.org

OpenSSH Manual pages
http://openssh.org/manual.html

OpenSSH FAQ
http://openssh.org/faq.html

OpenSSH Articles
http://openssh.org/press.html

The Secure Shell Frequently Asked Questions
http://www.tigerlair.com/ssh/faq/ssh-faq.html

There are also a couple of books available devoted entirely to ssh. They can provide you with all the details and options you have for setting up and using ssh on your systems, as well as using it for advanced applications such as tcp port forwarding. Possibly more importantly, they’ll guide you through the minefield of terminology surrounding different version of ssh products and protocols (which are very easy to confuse), and spell out differences and interoperability issues surrounding the different implementations. Try either SSH, The Secure Shell: The Definitive Guide (ISBN: 0-596-00011-1) from O’Reilly and Associates, or UNIX Secure Shell (ISBN: 0071349332) from Osborne. There is also an excellent web site to accompany the O’Reilly book, with extensive reference information and links to protocol specifications and other reference material.

SSH, The Secure Shell: The Definitive Guide
http://www.snailbook.com

For further helpful info, check out the top 10 FAQ list from Richard Silverman, one of the authors of the O’Reilly book. The security-minded user (which should be everyone, right?) will also want to check out a recent article on SecurityPortal.com about a potential security weakness with ssh, as well as the follow-up rebuttal article from Richard Silverman which corrects some factual errors and gives a less alarmist perspective. For further security info, take a look at the OpenSSH Security page.

Top Ten Secure Shell FAQs
http://sysadmin.oreilly.com/news/sshtips_0101.html

The End of SSL and SSH?
http://www.securityportal.com/cover/coverstory20001218.html

dsniff and SSH: Reports of My Demise are Greatly Exaggerated
http://sysadmin.oreilly.com/news/silverman_1200.html

OpenSSH Security
http://openssh.org/security.html

Finally, for those interested in some of the more advanced features of ssh, start with the SSH Protocol Architecture internet-draft from the IETF for an extensive high-level overview of the protocol. Then, check out an article from the O’Reilly Network on using an ssh tunnel to increase the security of 802.11b wireless networking, such as that used by AirPort.

SSH Protocol Architecture
http://openssh.org/txt/draft-ietf-secsh-architecture-07.txt

Using SSH Tunneling
http://www.oreillynet.com/pub/a/wireless/2001/02/23/wep.html

If you are not yet using Mac OS X (and why aren’t you, huh?), then you can still connect via ssh to remote machines using one of the two clients for the Classic Mac OS. There is NiftyTelnet SSH (based on NiftyTelnet itself) supporting the SSH1 protocol, including scp capabilities, and MacSSH, which is a modified version of BetterTelnet supporting SSH2. Both are available free of charge. If you are running Mac OS X but would prefer a graphical file-transfer tool, try RBrowser, a GUI-based ftp tool which also supports ssh- and scp-based file browsing and transfer. It is still in beta testing, and will require a licensing fee once it is final.

NiftyTelnet SSH
http://www.lysator.liu.se/~jonasw/freeware/niftyssh/

MacSSH
http://www.macsecsh.com/

RBrowser
http://www.rbrowser.com/RBrowser_main.html

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

The beginner's guide to Warbits
Warbits is a turn-based strategy that's clearly inspired by Nintendo's Advance Wars series. Since turn-based strategy games can be kind of tricky to dive into, see below for a few tips to help you in the beginning. Positioning is crucial [Read... | Read more »
How to upgrade your character in Spellsp...
So you’ve mastered the basics of Spellspire. By which I mean you’ve realised it’s all about spelling things in a spire. What next? Well you’re going to need to figure out how to toughen up your character. It’s all well and good being able to spell... | Read more »
5 slither.io mash-ups we'd love to...
If there's one thing that slither.io has proved, it's that the addictive gameplay of Agar.io can be transplanted onto basically anything and it will still be good fun. It wouldn't be surprising if we saw other developers jumping on the bandwagon,... | Read more »
How to navigate the terrain in Sky Charm...
Sky Charms is a whimsical match-'em up adventure that uses creative level design to really ramp up the difficulty. [Read more] | Read more »
Victorious Knight (Games)
Victorious Knight 1.3 Device: iOS Universal Category: Games Price: $1.99, Version: 1.3 (iTunes) Description: New challenges awaits you! Experience fresh RPG experience with a unique combat mechanic, packed with high quality 3D... | Read more »
Agent Gumball - Roguelike Spy Game (Gam...
Agent Gumball - Roguelike Spy Game 1.0 Device: iOS Universal Category: Games Price: $2.99, Version: 1.0 (iTunes) Description: Someone’s been spying on Gumball. What the what?! Two can play at that game! GO UNDERCOVERSneak past enemy... | Read more »
Runaway Toad (Games)
Runaway Toad 1.0 Device: iOS Universal Category: Games Price: $2.99, Version: 1.0 (iTunes) Description: It ain’t easy bein’ green! Tap, hold, and swipe to help Toad hop to safety in this gorgeous new action game from the creators of... | Read more »
PsyCard (Games)
PsyCard 1.0 Device: iOS Universal Category: Games Price: $1.99, Version: 1.0 (iTunes) Description: From the makers och Card City Nights, Progress To 100 and Ittle Dew PSYCARD is a minesweeper-like game set in a cozy cyberpunk... | Read more »
Sago Mini Robot Party (Education)
Sago Mini Robot Party 1.0 Device: iOS Universal Category: Education Price: $2.99, Version: 1.0 (iTunes) Description: -- Children's Technology Review Editor's Choice -- | Read more »
Egz – The Origin of the Universe (Games...
Egz – The Origin of the Universe 1.0.2 Device: iOS Universal Category: Games Price: $3.99, Version: 1.0.2 (iTunes) Description: ►►► Special offer until 2nd may : get the game at 2.99€ instead of 3.99€ ! ◄◄◄ Egz is a mesmerizing mix... | Read more »

Price Scanner via MacPrices.net

Apple restocks Certified Refurbished Mac mini...
Apple has restocked Certified Refurbished 2014 Mac minis, with models available starting at $419. Apple’s one-year warranty is included with each mini, and shipping is free: - 1.4GHz Mac mini: $419 $... Read more
15-inch 2.2GHz Retina MacBook Pro on sale for...
Amazon.com has the 15″ 2.2GHz Retina MacBook Pro on sale for $1699.99 including free shipping. Their price is $300 off MSRP, and it’s the lowest price available for this model from any reseller (and... Read more
Apple Beats Microsoft at Own Game; Amazon Pri...
First quarter seasonality combined with an overall disinterested customer base led to an annual decline of 14.7% in worldwide tablet shipments during the first quarter of 2016 (1Q16). Worldwide... Read more
Tablets Had Worst Quarter Since 2012, says St...
The global tablet market began 2016 just as 2015 left off, down. Tablet shipments fell 10% to 46.5 million units during the Q1 2016, according to the new “Preliminary Global Tablet Shipments and... Read more
Clearance 13-inch MacBook Airs, Apple refurbi...
Apple recently dropped prices on certified refurbished 2015 13″ MacBook Airs with 4GB of RAM with models now available starting at $759. An Apple one-year warranty is included with each MacBook, and... Read more
Clearance 12-inch Retina MacBooks, Apple refu...
Apple has dropped prices on Certified Refurbished 2015 12″ Retina MacBooks with models now available starting at $929. Apple will include a standard one-year warranty with each MacBook, and shipping... Read more
Aleratec Releases Mac Software Upgrade for 1...
California based Aleratec Inc., designer, developer and manufacturer of Portable Device Management (PDM) charge/sync products for mobile devices and professional-grade duplicators for hard disk... Read more
Sale! Amazon offers 27-inch iMac, 13-inch 2.9...
Amazon has the 27″ 3.2GHz 5K iMac and the 13″ 3.9GHz Retina MacBook Pro on sale for $300 off MSRP, each including free shipping, for a limited time: - 27″ 3.2GHz/1TB HD 5K iMac (model MK462LL/A): $... Read more
Apple refurbished 13-inch Retina MacBook Pros...
Apple has Certified Refurbished 13″ Retina MacBook Pros available for up to $270 off the cost of new models. An Apple one-year warranty is included with each model, and shipping is free: - 13″ 2.7GHz... Read more
13-inch 2.7GHz/128GB Retina MacBook Pro on sa...
Take $200 off MSRP on the price of a new 13″ 2.7GHz/128GB Retina MacBook Pro (model MF839LL/A) at Amazon. Shipping is free: - 13″ 2.7GHz/128GB Retina MacBook Pro: $1099.99 $200 off MSRP Act now if... Read more

Jobs Board

Restaurant Manager (Neighborhood Captain) - A...
…in every aspect of daily operation. WHY YOU'LL LIKE IT: You'll be the Big Apple . You'll solve problems. You'll get to show your ability to handle the stress and Read more
Automotive Sales Consultant - Apple Ford Linc...
…you. The best candidates are smart, technologically savvy and are customer focused. Apple Ford Lincoln Apple Valley is different, because: $30,000 annual salary Read more
*Apple* Retail - Multiple Positions - Apple,...
Job Description: Sales Specialist - Retail Customer Service and Sales Transform Apple Store visitors into loyal Apple customers. When customers enter the store, Read more
*Apple* Solutions Consultant - Apple (United...
# Apple Solutions Consultant Job Number: 48260200 Phoenix, Arizona, United States Posted: Apr. 22, 2016 Weekly Hours: 40.00 **Job Summary** As an Apple Solutions Read more
Restaurant Manager (Neighborhood Captain) - A...
…in every aspect of daily operation. WHY YOU'LL LIKE IT: You'll be the Big Apple . You'll solve problems. You'll get to show your ability to handle the stress and Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.