SSH

Introduction

Secure Shell (SSH) is used for interactive command-line access to a server in much the way telnet is, but SSH uses encryption to significantly increase security during login and all communication processes. Additionally, the SSH protocol supports secure file transfer via SCP (secure copy) or SFTP (secure FTP). Telnet and regular FTP, by comparison, send all information, including passwords, in cleartext, which is a form of network communication easily readable by anyone monitoring network transmissions between the client and server.

The IMSS UNIX cluster runs an SSH server (sshd), and we strongly recommend that SSH, SCP or SFTP be used instead of telnet or non-anonymous FTP wherever possible. Anonymous FTP does not involve the sending of a user's password, so it is less of a security concern than non-anonymous FTP.

Obtaining SSH

If you are running Solaris, Linux, MacOS 10.x or other unix-based operating systems, you very likely already have a command line SSH program installed on your system. You can check this by typing which ssh from the command line.

Unfortunately, unlike MacOS 10.x and popular Linux distributions, Windows does not come with an SSH client already installed. There are many freeware SSH client programs available, including OpenSSH installed via Cygwin; however, the most notable and perhaps easiest to use is PuTTY, a graphical SSH client for Windows and Unix platforms. See below for instructions on using PuTTY.

For secure file transfers specifically, use additional PuTTY packages PSCP and PSFTP, which are nice GUI apps that work really well. WinSCP is another good freeware secure file transfer program that includes a nice graphical interface. Filezilla, a freeware graphical FTP client for Windows, also supports encryption with SFTP, as well as SSL.

For more information on downloading and setting up WinSCP, Filezilla, and also Dreamweaver (set up only), please click here.

IMSS also has an SSH client named MindTerm that is run through a java-enabled web browser. See below for more information on our MindTerm web-based ssh component.

How do I set up SSH?

This document only covers the most-used ssh clients (OpenSSH and PuTTY). Other clients should have similar interfaces and options.

Note: If you need to connect to another server from the IMSS cluster, you should use OpenSSH. While it is possible to get another ssh client and put it in your home directory, OpenSSH is already installed and requires no extra work.

If you are using Solaris, Linux, MacOS 10.x, or other unix-based operating systems and the which ssh command from above was successful, you already have ssh installed and ready to use. If which ssh gives you an error message and your system administrator has already told you OpenSSH is installed, determine the directory the ssh program lives in. Then add that directory to your path, or be ready to type the full path each time you want to run ssh. If no SSH client is installed, use your OS's package manager (e.g. yum or apt-get on RHEL or Ubuntu) to install OpenSSH. OpenSSH includes both a server and a client program, and supports SCP and SFTP for file transfers.

If you run Windows and have downloaded PuTTY, you are set. PuTTY is a single file, though after it is run once, at least one extra file is created in your home directory. Remember where you downloaded it and run it from that location, or create a shortcut and put it on your desktop. Please note that there are several downloads available at the PuTTY site. If all you need is an ssh client (i.e., a replacement for telnet), you only need the file named putty.exe.

Using SSH

PuTTY

Start PuTTY by double-clicking the executable file you downloaded. The 'PuTTY Configuration' window will open. Verify the cursor is in the 'Host Name' field and enter the name (or IP address) of the machine you want to connect to. Also verify the SSH button is selected for 'Protocol'. If this is a machine you will connect to on a regular basis, you may want to enter a name in the 'Saved Sessions' field and click the 'Save' button. In the future, you can double-click the name you just entered and it will start your ssh session. If you have never connected to the machine with ssh before, you will be informed that the authenticity of the host can't be established. If you are sure you are connecting to the correct machine, enter 'yes' to continue. Type in your IMSS username and password and you are now signed into the IMSS cluster. If you have connected to the machine with ssh before, you will not receive the authenticity warning message.

OpenSSH

Command line examples:
ssh -l username hostname.server.com - Connect as username to host hostname.server.com
ssh username@hostname.server.edu - Connect as username to hostname.server.edu

One of the ways SSH protects your data transmissions is to verify that the destination host is who you think it is before you connect. This is accomplished by verifying the host's public SSH key.

The most secure way to complete a first connection to a server is to obtain the server's public SSH key from an admin and enter it in your $HOME/.ssh/authorized_keys file prior to making that initial connection. However, this is generally not very practical, so the first time you connect to a server via SSH, you will be informed that the authenticity of the host can't be established. If you are reasonably sure you are connecting to the correct machine, enter 'yes' to continue, but remember that you really have no idea whether you are making a direct connection to that particular machine or someone is performing a man-in-the-middle attack on your connection, since you do not yet have a copy of the destination host's public SSH key.

Once you have answered yes, SSH will automatically store the destination host's public SSH key in your authorized_keys file. If during a future connection attempt SSH informs you that the authenticity of the host cannot be verified, you will know not to complete the connection, as the key being offered by the host you think you are connecting to does not match the known key you have saved. Often this is due to a server rebuild or the installation of a new SSH daemon on the server side, but it is prudent to confirm this by asking the sysadmin whether the SSH key fingerprint should have changed.
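The check described above, written out as an added example (not part of the original page or of OpenSSH itself). The OpenSSH client records accepted host keys in $HOME/.ssh/known_hosts (authorized_keys holds the user keys a server accepts for login). The key blobs, host names and function names below are constructed for illustration, and entries are assumed to be unhashed.

```python
import base64
import hashlib

# Constructed sample data: the key blobs are made-up bytes, not real host keys.
OLD_BLOB = base64.b64encode(b"constructed-host-key-A").decode()
NEW_BLOB = base64.b64encode(b"constructed-host-key-B").decode()
KNOWN_HOSTS = (
    "# constructed known_hosts file\n"
    f"hostname.server.edu,192.0.2.10 ssh-ed25519 {OLD_BLOB}\n"
)


def fingerprint(key_blob_b64):
    """SHA256 fingerprint in the form OpenSSH prints: unpadded base64 of the digest."""
    digest = hashlib.sha256(base64.b64decode(key_blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def stored_keys(known_hosts_text, host):
    """Return {key_type: blob} for plain (unhashed) entries that name `host`."""
    keys = {}
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments, and marker lines such as @revoked.
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        if host in fields[0].split(","):
            keys[fields[1]] = fields[2]
    return keys


def check_host_key(known_hosts_text, host, key_type, offered_blob, trusted_fp=None):
    """Classify the key a server offers: match, changed, verified-new or unknown."""
    known = stored_keys(known_hosts_text, host).get(key_type)
    if known is not None:
        # A stored key that differs from the offered one is the warning case:
        # stop and confirm the change with the sysadmin before connecting.
        return "match" if known == offered_blob else "changed"
    # First contact: only a fingerprint obtained out of band (e.g. from the
    # admin) can rule out an interceptor presenting its own key.
    if trusted_fp is not None and fingerprint(offered_blob) == trusted_fp:
        return "verified-new"
    return "unknown"
```

A result of "unknown" corresponds to the first-connection prompt, and "changed" to the case where the connection should not be completed until the sysadmin confirms the new fingerprint.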

MindTerm

Open your web browser and go to the MindTerm page, located at http://www.its.caltech.edu/ssh. Here you will see the sign-in screen for MindTerm. Enter your IMSS username and password. If you would like to use publickey authentication rather than password authentication (default), see below for instructions before proceeding. If you would like your SSH window to remain "inside" your browser, click the "Get Mindterm, Same Window" button. Otherwise, just press <Return>, which chooses the "Get Mindterm, Separate Window" button. At this point, a new window opens, or a new browser screen appears. The system will ask again for your IMSS password, or your passphrase if you chose to use publickey authentication. Enter it and you are now signed into the IMSS cluster.

Note: If you open MindTerm in a separate window, you may not be able to close the browser window that you started it from until your ssh session ends.

Using publickey authentication - Perform the following steps to use publickey authentication instead of the default password authentication:

Create a link in your .mindterm directory (in your /home/<imss_account_name> directory) called "identity" that points to your private key. If your private key is named "id_dsa" and resides in your /home/<imss_account_name>/.ssh directory, go to your /home/<imss_account_name>/.mindterm directory and type ln -s /home/<imss_account_name>/.ssh/id_dsa identity. For example, if your IMSS username is "jsmith", the command would be ln -s /home/jsmith/.ssh/id_dsa identity. The link is created because Mindterm uses "identity" as the default private-key name.

Once the "identity" link is created, check the "Publickey Authentication" checkbox on the Mindterm page before clicking one of the buttons to sign in.