TweetFollow Us on Twitter

Aug 01 MacTech Online

Volume Number: 17 (2001)
Issue Number: 08
Column Tag: MacTech Online

SSH

by Jeff Clites

SSH

When the Internet was first growing up, it was developing in a rather safe environment. In fact, to the inventors it was probably a miracle that it worked at all. Now, however, those halcyon days are gone, and we live in less innocent times, where security is a genuine concern—it isn’t practical these days to just assume that things will be safe by default. There are a number of steps that users need to take these days to secure their systems, and this month we are going to look at one of them, ssh. It’s a small but important piece.

What’s ssh?

In brief, ssh (the Secure Shell) is a cryptographically secure replacement for telnet. The name is actually a bit of a misnomer—it isn’t really a shell itself, but rather a mechanism for interacting with a remote shell over a secure communication channel. It’s an indispensable tool for working with Mac OS X in a networked environment—like telnet, it allows you to quickly connect to remote machines, which is handy if not essential for a variety of administration and other tasks. In fact, the most significant security enhancement that ssh gives you may not be that it encrypts the contents of your remote session (which it does), but rather that it encrypts the login exchange itself, meaning that your password is never sent unencrypted over the network. Even in a supposedly secure environment, for instance behind a corporate firewall, it’s a good idea to use ssh instead of telnet whenever possible (which basically means whenever the two machines which are communicating both have it installed), both because it adds an extra bit of security, and also because it will get you into the habit of using it and making sure it is installed and available on all machines you routinely connect to, so that when you are operating in a less secure environment (for instance, if you need to connect from off site) you will be in the habit of reaching for ssh and will be opting for security by default.

Mac OS X has ssh installed by default (as part of a regular update package), and you can use it to connect with remote machines without further setup. To enable connections to your machine you merely need to enable remote login in the Sharing pane of System Preferences (after the update which installs ssh on Mac OS X, this setting is connected to ssh rather than to telnet, which is then disabled by default). The ssh “server” component (sshd) can be run out of inetd, but it is more commonly run as a standalone daemon. If you need to install ssh separately (either because you wish to install a newer version or because your current install is damaged), there are instruction on Stepwise for building and installing OpenSSH under Mac OS X. (The article also includes instructions for compiling in support for using tcpwrappers to further secure things by restricting remote login to a specific set of hosts and adding additional logging.) This version of ssh is free and open-source (part of the OpenBSD project, in fact), and leverages the OpenSSL library for many of its cryptographic algorithms. There are commercial versions available as well (and older free version from commercial vendors), but for most users OpenSSH is a good choice. OpenSSH tries very hard to avoid the use of patented algorithms in its implementation, in order to avoid the attendant restrictions to free development and distribution, and consequently does not support some of the algorithms found in commercial versions. This can be seen as either a virtue or a shortcoming, but in practice it does not interfere with its use.

Building OpenSSH 2.9 on Mac OS X 10.0.x
http://www.stepwise.com/Articles/Workbench/2001-05-02.03.html

Securing your Host—tcpwrappers
http://www.theorygroup.com/Theory/Systems/tcpwrappers.html

The SHH Suite

Overall, ssh has a great deal of flexibility in the details of its use. It supports a variety of authentication schemes, from RSA or Kerberos-based authentication to simple passwords or automatic login between trusted hosts; you can choose from several different algorithms (also called ciphers) for the encryption; and you can use ssh for port-forwarding to wrap insecure protocols inside of a secure transfer stream. And in addition to enabling remote login sessions, the ssh distribution contains several related tools which take advantage of ssh’s base facilities for secure communication. For file transfer, there is scp (an analog of rcp and ultimately cp, if you are familiar with those), which is used to copy files between systems over an ssh-based, encrypted channel. Server environments today are often set up without ftp installed in order to enhance security, and in such situations scp is the tool of choice for moving files onto and off of these systems. In addition to encryption, scp also supports compression of files during transit in order to speed transfer, using the same algorithm as gzip. (Compression is also supported by ssh itself, but the benefits are more likely to be noticeable during large file transfers than during a standard interactive login session, although over slow connections compression could make ssh “faster” than telnet for interactive use.) The scp tool has the same semantics as cp, so that source and destination are specified when invoking the tool, rather then being chosen interactively as is commonly done with ftp tools. This can be somewhat inconvenient, as you need to know the exact path to use on the remote system before invoking the tool, which will often necessitate a separate ssh login to “browse around” the remote filesystem to determine the correct path. On the plus side, scp can be used to transfer files between remote systems—neither the source nor the destination needs to be local.

On the other hand, if you need the convenience and flexibility of the interactivity of ftp, you might find sftp more to your liking. It’s a newer addition to the ssh family, and is likely to be less widely deployed at this time. It provides an ftp-like interactive session for file transfer, with similar commands to those used by ftp. Technically, sftp is not itself a secure protocol, but rather it is a protocol designed to be used over a secure channel, provided by ssh. There is a separate executable, sftp-server, which is used by OpenSSH to enable sftp on the server side, but it is invoked by the sshd daemon rather than running separately, so it requires minimal configuration and setup to get it running. One caveat is that sftp is reported to be significantly slower than the traditional scp, although it’s not clear whether this is inherent to the protocol it uses, or if it’s just the result of a still-evolving implementation. Note also that sftp is not simply ftp secured via ssh port-forwarding, because ftp’s use of two separate TCP/IP connections for control commands and data transfer makes this difficult to do; instead, sftp uses a single stream to do its work.

References

Online, you can find most of the essential information you need at the OpenSSH web site, including download locations, online manual pages, and a short FAQ, as well as links to other sites with articles and even more information. There is also another ssh FAQ available online, more general but somewhat geared toward the commercial versions of ssh.

OpenSSH
http://openssh.org

OpenSSH Manual pages
http://openssh.org/manual.html

OpenSSH FAQ
http://openssh.org/faq.html

OpenSSH Articles
http://openssh.org/press.html

The Secure Shell Frequently Asked Questions
http://www.tigerlair.com/ssh/faq/ssh-faq.html

There are also a couple of books available devoted entirely to ssh. They can provide you with all the details and options you have for setting up and using ssh on your systems, as well as using it for advanced applications such as tcp port forwarding. Possibly more importantly, they’ll guide you through the minefield of terminology surrounding different version of ssh products and protocols (which are very easy to confuse), and spell out differences and interoperability issues surrounding the different implementations. Try either SSH, The Secure Shell: The Definitive Guide (ISBN: 0-596-00011-1) from O’Reilly and Associates, or UNIX Secure Shell (ISBN: 0071349332) from Osborne. There is also an excellent web site to accompany the O’Reilly book, with extensive reference information and links to protocol specifications and other reference material.

SSH, The Secure Shell: The Definitive Guide
http://www.snailbook.com

For further helpful info, check out the top 10 FAQ list from Richard Silverman, one of the authors of the O’Reilly book. The security-minded user (which should be everyone, right?) will also want to check out a recent article on SecurityPortal.com about a potential security weakness with ssh, as well as the follow-up rebuttal article from Richard Silverman which corrects some factual errors and gives a less alarmist perspective. For further security info, take a look at the OpenSSH Security page.

Top Ten Secure Shell FAQs
http://sysadmin.oreilly.com/news/sshtips_0101.html

The End of SSL and SSH?
http://www.securityportal.com/cover/coverstory20001218.html

dsniff and SSH: Reports of My Demise are Greatly Exaggerated
http://sysadmin.oreilly.com/news/silverman_1200.html

OpenSSH Security
http://openssh.org/security.html

Finally, for those interested in some of the more advanced features of ssh, start with the SSH Protocol Architecture internet-draft from the IETF for an extensive high-level overview of the protocol. Then, check out an article from the O’Reilly Network on using an ssh tunnel to increase the security of 802.11b wireless networking, such as that used by AirPort.

SSH Protocol Architecture
http://openssh.org/txt/draft-ietf-secsh-architecture-07.txt

Using SSH Tunneling
http://www.oreillynet.com/pub/a/wireless/2001/02/23/wep.html

If you are not yet using Mac OS X (and why aren’t you, huh?), then you can still connect via ssh to remote machines using one of the two clients for the Classic Mac OS. There is NiftyTelnet SSH (based on NiftyTelnet itself) supporting the SSH1 protocol, including scp capabilities, and MacSSH, which is a modified version of BetterTelnet supporting SSH2. Both are available free of charge. If you are running Mac OS X but would prefer a graphical file-transfer tool, try RBrowser, a GUI-based ftp tool which also supports ssh- and scp-based file browsing and transfer. It is still in beta testing, and will require a licensing fee once it is final.

NiftyTelnet SSH
http://www.lysator.liu.se/~jonasw/freeware/niftyssh/

MacSSH
http://www.macsecsh.com/

RBrowser
http://www.rbrowser.com/RBrowser_main.html

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

OmniOutliner Pro 4.2 - Pro version of th...
OmniOutliner Pro is a flexible program for creating, collecting, and organizing information. Give your creativity a kick start by using an application that's actually designed to help you think. It's... Read more
VLC Media Player 2.2.1 - Popular multime...
VLC Media Player is a highly portable multimedia player for various audio and video formats (MPEG-1, MPEG-2, MPEG-4, DivX, MP3, OGG, ...) as well as DVDs, VCDs, and various streaming protocols. It... Read more
Nisus Writer Pro 2.1.1 - Multilingual wo...
Nisus Writer Pro is a powerful multilingual word processor, similar to its entry level products, but brings new features such as table of contents, indexing, bookmarks, widow and orphan control,... Read more
Tinderbox 6.2.0 - Store and organize you...
Tinderbox is a personal content management assistant. It stores your notes, ideas, and plans. It can help you organize and understand them. And Tinderbox helps you share ideas through Web journals... Read more
OmniOutliner 4.2 - Organize your ideas,...
OmniOutliner is a flexible program for creating, collecting, and organizing information. Give your creativity a kick start by using an application that's actually designed to help you think. It's... Read more
Things 2.5.4 - Elegant personal task man...
Things is a task management solution that helps to organize your tasks in an elegant and intuitive way. Things combines powerful features with simplicity through the use of tags and its intelligent... Read more
NeoOffice 2014.10 - Mac-tailored, OpenOf...
NeoOffice is a complete office suite for OS X. With NeoOffice, users can view, edit, and save OpenOffice documents, PDF files, and most Microsoft Word, Excel, and PowerPoint documents. NeoOffice 3.x... Read more
iPhoto Library Manager 4.2 - Manage mult...
iPhoto Library Manager allows you to organize your photos among multiple iPhoto libraries, rather than having to store all of your photos in one giant library. You can browse the photos in all your... Read more
Web Snapper 3.3.8 - Capture entire Web p...
Web Snapper lets you capture Web pages exactly as they appear in your browser. You can send them to a file as images or vector-based, multi-page PDFs. It captures the whole Web page - eliminating the... Read more
TeamViewer 10.0.41404 - Establish remote...
TeamViewer gives you remote control of any computer or Mac over the Internet within seconds, or can be used for online meetings. Find out why more than 200 million users trust TeamViewer! Free for... Read more

Chainsaw Warrior: Lords of the Night has...
It's time to put the Darkness back in its place now that Chainsaw Warrior: Lords of the Night has officially made it to iOS. | Read more »
A World of Ice and Fire Lets You Stalk 2...
George R. R. Martin’s A World of Ice and Fire, by Random House, is a mobile guide to the epic series. The new update gives you the Journeys map feture that will let you track the movements of 25 different characters. But don't worry, you can protect... | Read more »
Gameloft Announces Battle Odyssey, a New...
Battle Odyssey, Gameloft's newest puzzle RPG, is coming to the App Store next week. Set in the world of Pondera, you will need to control the power of the elements to defend the world from evil. You'll be able to entlist over 500 allies to aid you... | Read more »
Fusion - HDR Camera (Photography)
Fusion - HDR Camera 1.0.0 Device: iOS Universal Category: Photography Price: $1.99, Version: 1.0.0 (iTunes) Description: Fusion creates HDR (high dynamic range) photos by capturing different exposures and then combining them into one... | Read more »
Sago Mini Toolbox (Education)
Sago Mini Toolbox 1.1 Device: iOS Universal Category: Education Price: $2.99, Version: 1.1 (iTunes) Description: Come build with the Sago Mini friends! Use a wrench, try a saw, or hammer some nails. From sewing hand puppets to... | Read more »
You Should Probably Grab Hitman GO While...
Hitman GO is a surprisingly cool (yet also incredibly drastic) departure from the Hitman series. It's well worth playing for any puzzle game fans out there, and at the moment you can get your hands - or garrotte if you will - on it for a mere $0.99... | Read more »
IFTTT is Bringing Do Button and Do Note...
IFTTT has announced Do Button and Do Note for the Apple Watch. Do Button lets you make your own personalized button that can connect to things like your Google Drive, control the temperature in your home with Nest Thermostat, or turn the lights on... | Read more »
How Many Days, Hours, and Minutes Are Le...
Countdown, by Yves Tscherry, is now available on the App Store. The app keeps track of countdowns to your favorite things such as someones birthday or days till the New Year. You can display the time in seconds, minutes, hours, days, weeks, months,... | Read more »
The All-New Misfit 2.0 App is Available...
Misfit has just given their app a complete overhaul. Misfit 2.0 now has a brand new interface with a sleek design and is easier to navigate. You'll be able to sync your Misfit device and look up health and fitness information faster than ever before... | Read more »
Halo: Spartan Strike (Games)
Halo: Spartan Strike 1.0 Device: iOS Universal Category: Games Price: $5.99, Version: 1.0 (iTunes) Description: Delve into 30 challenging missions through cities and jungles using a devastating arsenal of weapons, abilities and... | Read more »

Price Scanner via MacPrices.net

TigerText Introduces First Secure Enterprise...
TigerText, a provider of secure, real-time messaging for the enterprise, has announced the launch of TigerText for the Apple Watch. TigerText for the Apple Watch enables users to securely send and... Read more
The Conservation Fund Partners with Apple To...
The Conservation Fund has announced that it will partner with Apple to help protect working forests in the United States. The Apple initiative will conserve more than 36,000 acres of working... Read more
Clearance 13-inch 2.6GHz Retina MacBook Pro a...
B&H Photo has clearance 2014 13″ 2.6GHz/128GB Retina MacBook Pros now available for $1099, or $200 off original MSRP. Shipping is free, and B&H charges NY sales tax only. Read more
Apple refurbished 2014 13-inch Retina MacBook...
The Apple Store has Apple Certified Refurbished 2014 13″ Retina MacBook Pros available for up to $400 off original MSRP, starting at $979. An Apple one-year warranty is included with each model, and... Read more
iMacs on sale for up to $205 off MSRP, NY tax...
B&H Photo has 21″ and 27″ iMacs on sale for up to $205 off MSRP including free shipping plus NY sales tax only: - 21″ 1.4GHz iMac: $1019 $80 off - 21″ 2.7GHz iMac: $1189 $110 off - 21″ 2.9GHz... Read more
Sale! 16GB iPhone 5S for $1 with service
Best Buy is offering 16GB iPhone 5Ss for $1.00 with 2-year activation at a participating cellular provider. Choose free home shipping and activation, or buy online and activate during in-store pickup... Read more
Apple refurbished 2014 MacBook Airs available...
The Apple Store has Apple Certified Refurbished 2014 MacBook Airs available starting at $679. An Apple one-year warranty is included with each MacBook, and shipping is free. These are currently the... Read more
27-inch 3.5GHz 5K iMac on sale for $2349, sav...
 Adorama has the 27″ 3.5GHz 5K iMac in stock today and on sale for $2349 including free shipping plus NY & NJ sales tax only. Their price is $150 off MSRP. For a limited time, Adorama will... Read more
Save up to $380 on an iMac with Apple refurbi...
The Apple Store has Apple Certified Refurbished iMacs available for up to $380 off the cost of new models. Apple’s one-year warranty is standard, and shipping is free: - 27″ 3.5GHz 5K iMac – $2119 $... Read more
iFixIt Teardown Awards 12-IInch Retina MacBoo...
iFixIt has posted its illustrated teardown of the new 12-inch MacBook Retina. They note that this new MacBook is less than half the thickness of the last Apple notebook called just “MacBook” back in... Read more

Jobs Board

*Apple* Retail - Multiple Positions (US) - A...
Sales Specialist - Retail Customer Service and Sales Transform Apple Store visitors into loyal Apple customers. When customers enter the store, you're also the Read more
Communication Manager - *Apple* Pay - Apple...
**Job Summary** This position works within the Apple Pay Merchant Solutions team to create, as well as oversee the development of, materials for use by Apple Pay Read more
Project Manager / Business Analyst, WW *Appl...
…a senior project manager / business analyst to work within our Worldwide Apple Fulfillment Operations and the Business Process Re-engineering team. This role will work Read more
Marketing Program Manager, *Apple* Retail O...
**Job Summary** Imagine what you could do here. At Apple , great ideas have a way of becoming great products, services, and customer experiences very quickly. Bring Read more
Engineering Manager for *Apple* Maps on the...
…the Maps App Team get to take part in just about any new feature in Apple Maps, often contributing a majority of the feature work. In our day-to-day engineering work, we Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.