- Usually referred to as ssh. The name is used for both the program and the protocol.
- ssh is an extremely versatile network program:
  - data encryption and compression
  - terminal access to a remote host
  - file transfer
  - command execution on a remote host
  - port forwarding
- For some more detailed examples see http://wiki.ae.gatech.edu/ and http://faq.asdl.ae.gatech.edu/
The Protocol
- There are currently two versions of the SSH protocol. Always use version 2 unless you have no choice.
- The version to use can be configured on both the client and server systems.
- The protocol implements:
  - remote terminal
  - remote file transfer (scp and sftp)
  - remote command execution
The Protocol
- scp is the secure copy operation. It is based on the Unix cp (file copy) program but copies securely and over a network.
- sftp is a file transfer program loosely based on the standard ftp file transfer program:
  - uses an ftp-like client interface
  - cannot connect to an ftp server
The Program
- There are several implementations of secure shell available, both commercial and free.
- A list of available versions can be found at http://freessh.org/
The Program
- Microsoft Windows
  - PuTTY
  - Georgia Tech has a license for the commercial SecureCRT program
- Linux/Unix/MacOS
  - OpenSSH is usually pre-installed
  - PuTTy is available
  - knowing how to compile and install from source is helpful
PuTTy
- PuTTy is an implementation of the ssh program: http://www.chiark.greenend.org.uk/~sgtatham/putty/
- It consists of these component programs:
  - putty.exe     the terminal access program
  - pscp.exe      the file copy program
  - psftp.exe     the ftp-like file transfer program
  - plink.exe     the remote command execution program
  - pageant.exe   program to handle key pass-phrases
  - puttygen.exe  program to generate keys
Secure Shell: Installing Windows PuTTy
- Download all the executables from the web site directly to a folder such as c:\putty or c:\bin; avoid using Program Files. There is no elaborate install process.
- Place this directory in your path (see following slide):
  - open the System control panel entry
  - modify Path in the System Variables section (this will allow every user to use it on that computer)
  - append the path, e.g. c:\putty, to the end of the list, separating each entry with ;
Setting Windows path for PuTTy
Windows GUI Frontends for PuTTy
- WinSCP is a graphical frontend for performing ssh file transfers: http://winscp.net/
  - it implements both scp and sftp; configure it to use sftp whenever possible
- FileZilla is a multi-purpose graphical interface that implements both ssh/sftp and ftp: http://filezilla.sourceforge.net/
WinSCP Window
OpenSSH
- The OpenSSH program implements the ssh protocol for Linux, Unix, MacOS, and Windows: http://www.openssh.org/
- this package implements the client, server, and key generation software
- pre-installed on most Linux and MacOS systems
- Windows installation requires the Cygwin environment
- the only free ssh server for Windows: http://sshwindows.sourceforge.net/
- fugu is a Mac OS graphical interface for sftp: http://rsug.itd.umich.edu/software/fugu/
PuTTy Configuration
- PuTTy has numerous configuration options:
  - Session creation
  - Terminal characteristics
  - Connection parameters
  - SSH protocol parameters
- In most cases the defaults are sufficient; however, special applications of PuTTy require knowledge of other settings.
- The PuTTy documentation at the PuTTy web site is authoritative.
- The following slides provide a survey of common settings.
PuTTy Configuration
- When PuTTy is started the window at the right is opened.
- The Saved Sessions window shows the list of configurations that you have already saved.
- Press Load to load a saved session into the panel; from there it can be modified.
- Press Save to save the settings in the registry.
- The values in Default Settings apply to all new sessions.
PuTTy Configuration: Session
- Host Name is the true DNS name of the computer to which to connect.
- Saved Sessions shows the name under which to save the session; this is frequently the same.
PuTTy Configuration: Connection
- The null packets setting is used to periodically send empty packets from the client to the server.
- Some networks will drop TCP connections that have not had any traffic for a period of time.
- The setting will require some experimentation.
PuTTy Configuration: Connection / Data
- Auto-login username is used to preset the username to log in with.
- Environment variables will pre-set values for a Unix environment upon successfully logging in.
PuTTy Configuration: Connection / Proxy
- This panel is used to configure proxy-mediated connections.
- Most users will never need this.
- There is one use, the ssh bounce (later in the slide set).
PuTTy Configuration: Connection / SSH
- This panel and its sub-panels control the SSH options available.
- Remote command specifies a command to be executed on the remote computer.
PuTTy Configuration: Connection / SSH
- Protocol options:
  - no shell: this will prevent a shell being opened on the server; used primarily for tunneling configurations
  - compression: this will compress traffic sent through the link, decreasing traffic at the expense of increased CPU usage
  - version 2: always use version two (preferably "2 only") unless forced to use version 1 because of an old server
PuTTy Configuration: Connection / SSH / Auth
- The configuration shown is normal.
- PuTTy will attempt to authenticate using key files first, then ask for a password; it expects pageant to be running to be able to use the key files.
- Agent forwarding makes it possible for downstream ssh connections to refer back to the pageant program to process key authentication.
PuTTy Configuration: Connection / SSH / X11
- This is useful when connecting to a Unix/Linux system.
- The Windows system where PuTTy is running must also have an X server running.
- Not commonly used by Windows clients.
PuTTy Configuration: Connection / SSH / Tunnels
- This is an extremely useful function.
- The normal settings for the checkboxes and radio buttons are as shown.
- This will be covered in more detail later.
PuTTy Configuration
- Create saved sessions for later use.
- To start a saved session in PuTTy, double-click the name.
- Saved sessions can be used with the other PuTTy programs; this is the only way to get special parameters set up for these programs:
    plink -load session_name
    pscp -load session_name source destination
PuTTy Configuration
- The first connection to a remote computer will cause the dialog above, or one similar, to appear.
- A similar dialog will appear if the server's key has changed; this will happen if the server has been re-installed.
- If you accept the server's identity then press Yes.
PuTTy / SSH Notation
- A remote system is referenced as user@computer.domain
- A remote file is referenced as user@computer.domain:/file/path
PuTTy Remote Terminal
- Since ssh is primarily a remote terminal program you will see a screen like this appear (Linux login).
PuTTy Remote Terminal After successfully logging in a shell prompt will appear.
File Transfer: PuTTy scp
- The PuTTY secure copy program is named pscp.
- The format of the command is:
    pscp [options] source destination
- source and destination look like username@host:path
  - for path use the target system's file naming conventions
  - spaces in path require quotes
- Examples:
    pscp c:\data\data1.dat gburdell@newton.asdl.ae.gatech.edu:/project/data/
    pscp gburdell@newton:presentation1.ppt presentation1.ppt
File Transfer: PuTTy psftp
- The PuTTY secure ftp program is named psftp.
- The format of the command is:
    psftp [options] server
- Commands are executed inside psftp:
  - cd    change directory on the server
  - get   retrieve a file
  - put   upload a file
  - quit
File Transfer: WinSCP
- The WinSCP program is a graphical shell over PuTTy psftp and pscp.
- When configuring, specify sftp as the transfer mechanism to use.
- The next slide shows a WinSCP window.
File Transfer WinSCP
WinSCP Configuration: Session
- Define a session.
- Note the Protocol setting of SFTP; best to select the leftmost radio button.
WinSCP Configuration: Session / Stored sessions
- Select a session to connect to.
WinSCP Configuration: Environment
- The most important element here is the Server EOL indicator; this shows the end-of-line used on the server for text files.
WinSCP Configuration: Environment / Directories
- Specifies the directories in which to start.
WinSCP Configuration: SSH
- Specifies whether to use compression and the version of SSH; use 2 only.
WinSCP Configuration: SSH
- Selects the interface that you wish to use.
- The Preferences button displays another window with more options.
WinSCP Configuration
- The display resulting from pressing the Preferences button.
- There are many additional options that primarily control how the interface will operate.
Remote Command Execution: PuTTy
- The plink command is the component of PuTTy that is used to execute commands on a remote computer.
- The format of this command is:
    plink -ssh [options] username@host command
- To execute a directory listing on a remote Linux system:
    plink -ssh gburdell@euler ls
- To list a file on the remote computer:
    plink -ssh gburdell@euler cat file
plink options
- -v                          display sequence of operations
- -ssh                        use the ssh protocol
- -load session_name          load settings for the named session
- -P port                     connect to a non-standard port (22 is the default)
- -l username                 specify the username to connect as
- -L l_ip:l_port:t_ip:t_port  specify a local port mapping (tunnel)
- -C                          enable compression
- -m file                     read commands from a local file to execute remotely (a batch script)
- -N                          do not open a shell or execute commands at the remote computer
- By using -load you will have access to more configuration options; many are available using command line options however.
SSH Authentication Process
- The ssh server will authenticate every connection attempt by a client. The usual process:
  - the host keys are checked; further access may be blocked until the client updates its known_hosts file
  - if the client has a private key that matches a public key in the server's authorized_keys file, the client will request the private key's passphrase (if any)
  - if the private key is not supplied or the passphrase is incorrect, the server will request the password for the username
  - note that some servers will only accept key pairs for authentication
Public Key Authentication for SSH
- Public key authentication is an alternative to password based authentication.
- Prevents problems with easily guessed passwords.
- A passphrase may be used to encrypt the private key.
- A key pair represents a stand-alone entity; there is no reference to a particular username or computer in the key.
- The client uses the private key to authenticate against the public key retained by the server; possession of the private key is sufficient, so protect your private key.
Public Key Authentication for SSH
- Setup:
  - generate a public/private key pair
  - distribute the public key to servers
  - enable public key authentication in the client, if required
- Placing a copy of the public key in a user's authorized_keys file on a server will allow any client that presents the corresponding private key to log in as that user.
Public Key Authentication for SSH
- Server (OpenSSH) files:
  - ~/.ssh/authorized_keys: this file contains, one per line, the public keys of those that are allowed to log in as this user
Public Key Authentication for SSH
- Client (OpenSSH) files:
  - ~/.ssh/known_hosts: this file contains the host keys of remote hosts that have been previously accessed
  - ~/.ssh/id_rsa: this is the private key that will be used in connections to remote systems
  - ~/.ssh/id_rsa.pub: this is the corresponding public key (not used by the client)
  - ~/.ssh/config: this client's configuration file
Public Key Authentication for SSH
- Client (PuTTy) files:
  - the list of known hosts is kept in the Windows registry
  - the putty configurations are kept in the Windows registry
  - the client's private key is kept in a local file with the extension .ppk, for example id_rsa.ppk
  - the client's public key is kept in a local file with no extension
  - these files do not have a standard location; for security, they can be placed on a memory stick
Creating key pairs using OpenSSH
- Use the ssh-keygen program to create key pairs.
- Generate the key pair:
    ssh-keygen -t rsa -f ~/.ssh/id_rsa
- The program will ask for a passphrase; just press Return if no passphrase is to be used.
- This will create two files:
  - ~/.ssh/id_rsa      private key
  - ~/.ssh/id_rsa.pub  corresponding public key
Creating key pairs using PuTTy
- Use the puttygen.exe program to generate a key pair.
Creating key pairs using PuTTy
- Select the key type and size.
- Press Generate and move the mouse over the panel.
- Decide where to store the keys.
- Use the Save public key button to save a copy of the public key.
- Use the Save private key button to save the private key; before pressing the button, enter the passphrase.
- The top part of the window has the OpenSSH public key for putting into authorized_keys.
Creating key pairs using PuTTy
- The Conversions menu item makes it possible to:
  - import an OpenSSH or ssh.com private key and save it as a PuTTy key
  - export a PuTTy private key as OpenSSH or ssh.com
- Each software vendor uses a different format.
Setting authorized_keys in Windows
- If .ssh/authorized_keys does not exist on the server to which you wish to connect:
    touch .ssh/authorized_keys
    chmod 600 .ssh/authorized_keys
- Get a copy of .ssh/authorized_keys from the server (scp/pscp)
- Open it in WordPad
- Paste the key from puttygen into the file
- Send it back to the server (scp/pscp)
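The OpenSSH-side counterpart of the steps above (create .ssh/authorized_keys with mode 600, append the public key line from the Setup slide), as an added example that is not part of the original slides. It is a POSIX shell script that also applies the checks sshd itself makes on the key file and directory modes. The SSH_DIR variable, the is_pubkey_line, perms_ok and install_pubkey function names and the sample key line are this example's own assumptions; the key blob is constructed filler, not a real key.

```shell
#!/bin/sh
# Added example, not part of the original slide set: install a public key into a
# user's authorized_keys on an OpenSSH server the way the slides describe (touch,
# chmod 600, append the key line), with the mode checks sshd applies when
# StrictModes is on. The functions read SSH_DIR (default ~/.ssh); the demo at the
# bottom points it at a scratch directory so nothing real is touched.

# Accept only a single OpenSSH public key line: key type, base64 blob, optional
# comment. A stray line pasted from an editor such as WordPad is rejected.
is_pubkey_line() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# Report whether .ssh and authorized_keys carry the modes sshd expects
# (directory 700, file 600); sshd ignores the key file if they are more open.
perms_ok() {
    dir="${SSH_DIR:-$HOME/.ssh}"
    [ "$(ls -ld "$dir" | cut -c1-10)" = "drwx------" ] &&
    [ "$(ls -l "$dir/authorized_keys" | cut -c1-10)" = "-rw-------" ]
}

# Append one key to authorized_keys, creating directory and file with the right
# modes. Prints "added" or "present"; duplicates are detected on key type and
# blob only, so the same key with a different comment is not added twice.
install_pubkey() {
    key="$1"
    dir="${SSH_DIR:-$HOME/.ssh}"
    file="$dir/authorized_keys"
    is_pubkey_line "$key" || { echo "rejected: not a public key line" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$file" ] || : > "$file"
    chmod 600 "$file"
    blob=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$file"; then
        echo present
    else
        printf '%s\n' "$key" >> "$file"
        echo added
    fi
}

# Constructed sample key: the blob is filler with the right alphabet, not a real key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNvbnN0cnVjdGVkc2FtcGxla2V5Zm9yc2xpZGVz gburdell@example'

# Stand-alone demonstration against a scratch directory.
SSH_DIR="$(mktemp -d)/.ssh"
install_pubkey "$SAMPLE_KEY"        # added
install_pubkey "$SAMPLE_KEY"        # present
install_pubkey 'not a key' || true  # rejected, nothing written
perms_ok && echo "permissions ok"
```

The duplicate check compares only the key type and blob because the trailing comment is free text; two lines that differ only in the comment would still let the same private key in twice, which is what an audit of authorized_keys is trying to avoid.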
pageant
- When public key authentication is used by the client, the software will read the private key; to do so it requests the passphrase.
- The PuTTy pageant.exe program, when run on the client PC, will request the passphrase and automatically supply it later when needed.
- pageant is not needed if you do not use passphrases.
pageant
- Start pageant from the Windows tray.
- Press Add Key to add your private keys to the list that pageant will manage.
- Supply the passphrase.
pageant
- After a private key has been added.
- At this point all logins happen without user intervention.
Authentication Forwarding - PuTTy
- If key based authentication is being used with putty, the option exists to use the same keys in downstream logins.
- A downstream login is an ssh connection made via an existing ssh connection.
- This requires that pageant be running and that one of the keys that it is maintaining is used by the remote server.
- The putty configuration has Allow agent forwarding checked.
Port Forwarding
- Port forwarding, or tunneling, is a mechanism provided by ssh that makes it possible to access services inside a firewall-protected network.
- Requires that an ssh gateway system inside the firewall be available that you have access to:
  - knight.ae.gatech.edu: the gateway for general AE access
  - asdl.ae.gatech.edu: the gateway for access into ASDL
- Any connections at the target will appear to come from the gateway.
Port Forwarding Setup
- configure the connection
- connect the client computer to the gateway system
- use the tunneled port
Port Forwarding
- The ssh -L option controls port forwarding:
    -L local-loopback-addr:local-port:remote-addr:remote-port
  - local-loopback-addr: the ip address on the local system that will accept the connection
  - local-port: the tcp port number that the local system will wait for a connection on
  - remote-addr: the ip address of the remote target system
  - remote-port: the tcp port that the remote target system is waiting for a connection on
- The local-loopback-addr is by default 127.0.0.1.
- This parameter is available only to putty and plink.
- Other 127 addresses can be used with patched WinXP: http://support.microsoft.com/kb/884020
Port Forwarding <diagram here>
Port Forwarding: Remote Desktop
- Connect to your office WinXP computer from your home WinXP computer (clients available for WinXP, Win2K, Linux, MacOS).
- plink command to port forward:
    plink -ssh -L 9000:172.16.4.13:3389 gburdell@asdl.ae.gatech.edu cat
    plink -ssh -N -L 9000:172.16.4.13:3389 gburdell@asdl.ae.gatech.edu
- Be very careful not to connect to your own system.
    plink -ssh -L 9000:172.16.4.13:3389 gburdell@asdl.ae.gatech.edu cat -
  NO!
- Tutorial on using remote desktop: http://www.microsoft.com/windowsxp/using/mobility/getstarted/remoteintro.mspx
- By building a putty configuration:
    plink -load tunnel-office
- Or place the command into a command file.
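The -L syntax from the Port Forwarding slide and the warning above about tunnelling back to your own system, as an added shell example that is not from the original slides: it parses a forward specification and refuses the risky cases before plink or ssh is ever run. The check_forward and is_port functions, the OWN_NAMES list and the return codes are this example's own assumptions. It goes beyond the slide in one respect: it also rejects a bind address that is not loopback, since a tunnel bound to 0.0.0.0 or a LAN address is reachable by every other host on that network.

```shell
#!/bin/sh
# Added example, not from the original slides: sanity-check a -L forward
# specification before handing it to plink or ssh. It accepts both forms the
# slides show (local-port:remote-addr:remote-port, or with a leading loopback
# address), rejects ports outside 1-65535, refuses a target that is this machine
# (the mistake the slide warns about) and refuses a non-loopback bind address.

# Names that mean "this machine". Assumed for illustration; a real script would
# also gather the interface addresses of the local host.
OWN_NAMES="${OWN_NAMES:-localhost 127.0.0.1 ::1 $(hostname 2>/dev/null)}"

# True if $1 is a decimal TCP port number in 1..65535.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_forward <spec>: prints "bind-addr local-port remote-addr remote-port" on
# success. Returns 1 for a malformed spec, 2 when the target is this machine,
# 3 when the bind address is not loopback. IPv6 literals (which themselves
# contain colons) are not handled by this simple splitter.
check_forward() {
    spec="$1"
    set -- $(printf '%s\n' "$spec" | tr ':' ' ')
    case $# in
        3) bind=127.0.0.1; lport=$1; raddr=$2; rport=$3 ;;
        4) bind=$1; lport=$2; raddr=$3; rport=$4 ;;
        *) echo "bad spec: $spec (want [bind-addr:]local-port:remote-addr:remote-port)" >&2; return 1 ;;
    esac
    is_port "$lport" || { echo "bad local port: $lport" >&2; return 1; }
    is_port "$rport" || { echo "bad remote port: $rport" >&2; return 1; }
    case "$bind" in
        localhost|127.*) ;;
        *) echo "refusing bind address $bind: not loopback, the tunnel would be reachable from the network" >&2; return 3 ;;
    esac
    for n in $OWN_NAMES; do
        if [ "$raddr" = "$n" ]; then
            echo "refusing: target $raddr is this machine" >&2
            return 2
        fi
    done
    # On Unix, binding a local port below 1024 needs root; Windows (PuTTY/plink)
    # has no such rule, which is why the slides can use -L 80 and -L 22.
    if [ "$lport" -lt 1024 ]; then
        echo "note: local port $lport needs root on Unix" >&2
    fi
    echo "$bind $lport $raddr $rport"
}

# Stand-alone demonstration: the slide's remote-desktop forward, then a self-target.
check_forward 9000:172.16.4.13:3389                    # 127.0.0.1 9000 172.16.4.13 3389
check_forward 9000:localhost:3389 || echo "rejected with status $?"
```

Run the check on the specification you intend to pass to plink -L or ssh -L; only a specification that prints its four fields should be used to build the real command line.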
Port Forwarding: Remote Desktop
- On WinXP, to start the remote desktop program: Start/Programs/Accessories/Communications/Remote Desktop Connection
Port Forwarding: Remote Desktop
- Showing the expanded display.
- Note the remote computer is listed as localhost:9000; localhost resolves to 127.0.0.1.
Port Forwarding: Remote Desktop
- The Display tab allows you to make the disk and printers on your local (home) computer visible on the remote (office) computer.
Port Forwarding: Internal Web Server
- Connect to a web server that is only accessible inside the firewall.
- The web server is wiki.ae.gatech.edu; connect via knight.ae.gatech.edu:
    plink -ssh -N -L 80:wiki.ae.gatech.edu:80 rl6@knight.ae.gatech.edu
- Then run your web browser with the following address: http://localhost/
SSH Bounce Connection
- An ssh bounce connection is useful when your final destination is an ssh server and you are making a terminal connection.
- Methods:
  - ssh to the gateway, then ssh to the target
  - ssh to the gateway with a tunnel set up to ssh on the target:
      ssh -N -L 22:target:22 user@gateway
      ssh user@localhost
  - use the bounce connection
SSH Bounce Connection - OpenSSH
- On your local system create the following entry in .ssh/config
SSH Bounce Connection - OpenSSH
- The first line defines a host alias that can be used on the ssh command line:
    ssh user@dhcp2-knight
- The next 2 lines define which host will ultimately be connected to, dhcp2.ae.gatech.edu.
- The last line indicates to the ssh program that rather than open a network tcp connection it will start another ssh program, locally, which will in turn make the ultimate connection.
- The ProxyCommand will make the connection to the gateway and from there forward the data stream to dhcp2.ae.gatech.edu using the nc program.
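A .ssh/config entry of the shape the slide describes, as an added example that is not part of the original slides, together with a small awk lookup that mimics how ssh reads the file (the first value obtained for a keyword wins, so a later Host * block supplies defaults without overriding an earlier block) and expands the %h and %p tokens in ProxyCommand. The gateway knight.ae.gatech.edu, the user gburdell, the Port line, the Host * block and the function names are this example's assumptions; the slide itself only names the alias dhcp2-knight, the target dhcp2.ae.gatech.edu and the use of nc.

```shell
#!/bin/sh
# Added example, not part of the original slides: a constructed bounce entry for
# .ssh/config plus a lookup that resolves a keyword for a host alias the way ssh
# does (first match wins; lines before any Host line apply to every host) and
# expands %h/%p in ProxyCommand. Gateway, user and Port are assumptions.

CONF=$(mktemp)
cat > "$CONF" <<'EOF'
# constructed sample entry; the gateway host and the user are assumed
Host dhcp2-knight
    HostName dhcp2.ae.gatech.edu
    Port 22
    ProxyCommand ssh gburdell@knight.ae.gatech.edu nc %h %p

# defaults for every host; a keepalive comparable to PuTTY's null-packet setting
Host *
    ServerAliveInterval 60
EOF

# lookup <config-file> <host-alias> <keyword>: print the effective value, or
# nothing. Host patterns are matched exactly or as the bare wildcard "*".
lookup() {
    awk -v host="$2" -v key="$3" '
        BEGIN { inblock = 1 }
        tolower($1) == "host" {
            inblock = 0
            for (i = 2; i <= NF; i++) if ($i == host || $i == "*") inblock = 1
            next
        }
        inblock && !done && tolower($1) == tolower(key) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the keyword, keep the value
            print
            done = 1
        }
    ' "$1"
}

# expand_proxy <config-file> <host-alias>: the command ssh would run in place of
# a TCP connection, with %h replaced by HostName (or the alias) and %p by Port.
expand_proxy() {
    hn=$(lookup "$1" "$2" hostname);  [ -n "$hn" ] || hn=$2
    port=$(lookup "$1" "$2" port);    [ -n "$port" ] || port=22
    lookup "$1" "$2" proxycommand | sed "s/%h/$hn/g; s/%p/$port/g"
}

# Stand-alone demonstration.
echo "ssh user@dhcp2-knight connects to: $(lookup "$CONF" dhcp2-knight hostname)"
echo "via proxy command: $(expand_proxy "$CONF" dhcp2-knight)"
```

The point of the first-match rule is that per-host blocks must come before the Host * catch-all, otherwise the catch-all's values win. Newer OpenSSH releases also accept ProxyJump (or ssh -J gateway target) for the same hop without needing nc on the gateway.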
SSH Bounce Connection - PuTTy
- The bounce operation is also possible when using PuTTy as your client to access the remote system (Linux).
- In order to work it requires that key authorization be used on the gateway system.
SSH Bounce Connection - PuTTy
- In Connection / Proxy set Local proxy.
- Enter the command at the bottom, replacing the connection parameters with your data.