Secure Shell (SSH)

Remote Links


Some of the links and text below were provided by Joe Buck and John Reekie.
  • SSH Downloads from ftp.cs.hut.fi
  • http://www.openssh.org/
  • ssh faq: http://www.employees.org/~satch/ssh/faq/
  • http://www.snailbook.com/faq/
  • Commercial versions
  • The UC Berkeley EECS department has a site license for ssh from http://www.ssh.com/. From within Windows, you can download it by mounting winsww and looking in \\winsww\public\ssh (see ssh and Windows for details).
  • DataFellows (makers of a commercial Windows version) - Winter '98 issue of Berkeley Computing & Communications article on ssh - Local License - Local Cluster Download Page
  • SecureCRT from Van Dyke Technologies
  • Freely available Windows ports:
  • MSVC++ 6.0 ssh-1.2.27 patch: ssh-1.2.27-win.patch.gz - README.NT. This patch is based on Gordon Chaffee's patch below.
  • Gordon Chaffee's SSH NT page: http://bmrc.berkeley.edu/people/chaffee/winntutil.html#sshnt
  • http://www.geocities.com/SiliconValley/Bay/1692/ssh-index.html or http://www.doc.ic.ac.uk/~ci2/ssh/
  • TTSSH, an SSH extension to TeraTerm
  • Mindbright Java SSH client
  • Cygwin ports
  • Note that using an ssh server compiled with Cygwin is probably not very secure: http://www.cygwin.com/faq/faq_4.html#SEC81 says
    How secure is Cygwin in a multi-user environment?

    Cygwin is not secure in a multi-user environment. For example if you have a long running daemon such as "inetd" running as admin while ordinary users are logged in, or if you have a user logged in remotely while another user is logged into the console, one cygwin client can trick another into running code for it. In this way one user may gain the privilege of another cygwin program running on the machine. This is because cygwin has shared state that is accessible by all processes.

    (Thanks to Tim Newsham for this explanation).

  • Free implementation of ssh
  • http://www.sshtools.com Open Source Secure Shell toolkits for Java.
  • Search the Cygwin pages for sshd
  • MacOS SSH clients (thanks to Johann Beda for the links)
  • Nifty Telnet with ssh
  • BetterTelnet is planning on supporting ssh
  • DataFellows also sells a Mac client, which is available as a limited time trial.
  • Local Links

  • Kerberos
  • PPTP
  • S/KEY
  • Contents

  • What is ssh?
  • ssh and Windows
  • ssh and sww
  • ssh files
  • Building and Installation from sources
  • SSH and CVS
  • Compiling ssh under Windows

    What is ssh?

    The ssh README says:
    Ssh (Secure Shell) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels. It is intended as a replacement for rlogin, rsh, and rcp. Additionally, ssh provides secure X connections and secure forwarding of arbitrary TCP connections.

    The advantage of SSH over kerberos is that SSH does not require a central database of users, and users can use their regular passwd. However, SSH and kerberos can safely coexist.

    The advantage of SSH over PPTP is that it works today for both Unix and PCs.

    The main disadvantage of SSH is that the Windows client costs money.


    ssh and Windows

    Datafellows sells a Windows SSH client for about $50 per seat at educational pricing.

    In December, 1997, a bulk purchase was negotiated between UCB and DataFellows for about $7/seat.

    See the Winter '98 issue of Berkeley Computing & Communications

    In April '01, we found that the University no longer had a contract with F-Secure. We asked about getting 100 licenses, and they do not charge by the seat any more, but the cost would be $7.50/seat/year (regularly $19.80/seat/year) for a Right To Use license with support.

    The departmental Windows 2000 server at \\winsww has a version of ssh that we have a campus license for. To mount \\winsww, you must have a EECS Windows 2000 domain account.

    ssh Windows bugs

  • The F-Secure SSH client has a 'Cipher' property that can be set to 'None'. Don't do it!
    If you set the Cipher property to None, then your password will be sent in cleartext, and anyone with a sniffer will be able to grab it.
    The Unix ssh client at least warns you if you call ssh -c none machinename. The Unix ssh manpage also correctly documents this.
    Upgrading the client to 1.2.20 or later might work around this.
  • If you connect via a 28.8 modem, F-Secure SSH is rather slow. One workaround is to turn off compression. If you turn off encryption, then your passwd will be sent over in clear text.
    The SSH faq suggests using blowfish if performance is an issue.
    Also, make sure that you are not attempting to compress your session too much. Compression is good for downloading large files, but can slow the response for interactive sessions. Under NT 4.0, try turning off the modem compression:
    1. Start up the Modem Control Panel.
    2. Select your modem, then select Properties -> Connection -> Advanced and turn off Compress Data.
    Also, under the Dial-Up Networking window, select More -> Edit Entry and Modem Properties -> Server and then turn off Enable Software Compression. You might also try turning off Enable modem compression under the Basic tab and Configure.
  • F-Secure released a patch to SSH-1.0, which might help. The patch converts SSH-1.0 to SSH-1.0a; sshpatch.zip is available to group members only. If you are not in the local group, then contact F-Secure support for the patch. SSH-1.1 might also help.

    If you are running under NT, you might try getting the 32-bit SSH1.1 client from DataFellows. Locally, we have a copy of this, see the NT localization page.

  • Using ssh to protect an ftp session does not work for me. The SSH faq question 4.8, "Can I use ssh to protect services like ftp or POP?", gives hints on setup. However, while I can connect to the ftp daemon on a Solaris 2.x or SunOS 4.x machine, I cannot list my files:
    ftp> get .cshrc -
    200 PORT command successful.
    425 Can't build data connection: Connection refused.
    
    Jim Bolin said that he was able to use FTP with ssh port forwarding from the NT TeraTerm ssh client. A colleague of his also had success using the command line ssh client for NT, see http://www.rhic.bnl.gov/RCF/Software/Commercial/SSH/SSHCommandLineFTP.html

    For information about setting up ssh and ftp, see http://ls.berkeley.edu/lscr/services/servers/unix/ssh_tunnel.html and http://www.net.berkeley.edu/~mikef/bcc/apr98.html


    ssh and sww

    Below is Michael Short's mail announcing SSH.
    From: mshort (Michael Short)
    Subject: SSH 1.2.17
    Newsgroups: ucb.cs.sww.announce
    Date: 7 Mar 97 23:32:15 GMT
    Organization: The Internet Gateway Service
    Path: agate!agateway!CS.Berkeley.EDU!mshort
    Message-ID: <199703072332.PAA03484@oceanus.CS.Berkeley.EDU>
    Sender: usenet
    Distribution: ucb
    Content-Type: text/plain; charset=us-ascii
    Mime-Version: 1.0
    Lines: 38
    
    
    SSH, version 1.2.17, has been added to the Software Warehouse
    for all supported operating systems.
    
    Ssh (Secure Shell) is a package for logging into a remote machine and
    for executing commands in a remote machine.  It is intended to replace
    rlogin and rsh, and provide secure encrypted communications between
    two untrusted hosts over an insecure network.  X11 connections and
    arbitrary TCP/IP ports can also be forwarded over the secure channel.
    
    
    OS:             HP-UX   OSF/1   Solaris   SunOS   Ultrix
    
    Executables:    ssh     ssh-add
                    sshd    ssh-agent
                    slogin  ssh-keygen
                    scp     make-ssh-known-hosts
    
    
    Documentation:  New users should first read the README and README.SWW
                    files under /usr/sww/doc/security/SSH.  (This directory
                    also holds the release notes.)  There are manpages for
                    all executables.
    
    
    As always, bug-sightings should be reported using the program `sww-bug.'
    
    Please remember there may be a one-day delay for filesystem updates 
    to appear on individual systems, as software is distributed throughout 
    the department by file server mirroring.
    
    
    Michael Short
    mshort@cs
    
    

    ssh files

    SSH uses the following files:
    /usr/sww/bin/ssh
    The ssh binary
    /usr/sww/bin/sshd
    The ssh daemon, run by root.
    /usr/sww/share/man/man1/ssh.1
    SSH man page
    /usr/sww/share/src/ssh
    ssh sources, available on po, cory and selected other machines.

    Setting up SSH as root

    1. As root, run /usr/sww/share/etc/ssh_install

    Building and Installation from sources

    Installing openssh

    Yassp includes an installation of openssh. Below are instructions on installing it on systems that don't have yassp installed.

    OpenSSH Portable version: http://www.openssh.com/portable.html

    You can also try getting it from http://www.sunfreeware.com/programlistsparc8.html#openssh or ftp://ftp5.usa.openbsd.org/pub/OpenBSD/OpenSSH/portable/

  • I had to run configure on mho so that I did not build sparcv8 binaries. If sparcv8 binaries are built, then ssh-keygen will fail to run on forney with:
    forney.eecs 7# /usr/local/ssh/openssh/bin/ssh-keygen -t dsa -f /etc/ssh_host_dsa_key -N ""
    /usr/local/ssh/openssh/bin/ssh-keygen: Exec format error
    forney.eecs 8# file /usr/local/ssh/openssh/bin/ssh-keygen
    /usr/local/ssh/openssh/bin/ssh-keygen:	ELF 32-bit MSB executable SPARC32PLUS Version 1, V8+ Required, dynamically linked, stripped
    
  • For doppler:
     ./configure --prefix=/usr/local/openssh-3.1p1 --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/ssl --with-pid-dir=/etc
    
    --prefix
    so that we can have multiple versions installed
    --sysconfdir
    so that we can share the installation among different hosts.
    --with-ssl-dir
    so that we can find the secure sockets layer library
    --with-pid-dir
    so that /etc/init.d/sshd will work
  • Installed zlib
  • Installed Mindterm on my laptop so I could use ssh2
  • Install the random generator for ssh.
    OpenSSH after about v2.9 needs a better random number generator, see http://www.cosy.sbg.ac.at/~andi/
    Below are my notes about the installation that was on eesww (Very Obsolete)
    1. Looked at the faq and downloaded from ftp://ftp.gw.com/pub/unix/ssh/
    2. Configured with: configure --prefix=/usr/eesww/share/etc/ssh/ssh-1.2.26 --exec_prefix=/usr/eesww/etc/ssh/ssh-1.2.26 See INSTALL for other flags:
      The package comes with an Autoconf-generated configure script.  The
      script accepts several options
       All standard options, including:
        --prefix=PREFIX        where to install files (default: subdirs of /usr/local)
        --exec_prefix=PREFIX   where to install executables (default: same as prefix)
        --srcdir=DIR           find sources in DIR (default: where configure is)
       Specific options:
        --with-rsh=PATH        Use rsh specified by PATH when needed
        --with-etcdir=PATH     Store system files in the given dir (default: /etc)
        --with-path=PATH       Default path to pass to user shell.
        --with-rsaref          Use rsaref2 from rsaref2 subdirectory (see below).
        --with-libwrap[=PATH]  Use libwrap (tcp_wrappers) and identd (see below).
        --with-socks4[=PATH]   Include SOCKS (firewall traversal) support.
        --with-socks5[=PATH]   Include SOCKS5 (firewall traversal) support.
        --without-idea         Don't include IDEA (see below).
        --with-securid[=PATH]  Support for the SecurID card (see README.SECURID).
        --with-tis=PATH        Support for the Tis authsrv (see README.TIS).
        --enable-warnings      Adds -Wall to CFLAGS if using gcc.
      
    3. Run make
    4. To do this install on /eesww, I logged into dewitt and mounted those filesystems read/write:
      umount /usr/eesww/share
      umount /usr/eesww
      mount -o rw nexus:/eesww/solaris.sun4 /usr/eesww
      mount -o rw nexus:/eesww/share /usr/eesww/share
      
    5. Run make install on dewitt
    6. /etc/ssh_host_key wants to be written
    7. /etc/sshd_config wants to be written
    8. /usr/eesww/ssh/ssh-1.2.26/bin/ssh wants to be suid root
    9. As root on dewitt, create some links:
      cd /usr/eesww/etc
      rm -f sshd
      ln -s ssh/ssh-1.2.26/sbin/sshd .
      

    SSH and CVS

  • John Reekie has some Notes about CVS that include info about SSH and CVS.
  • Gigascale CVS Page Includes notes about SSH
  • John writes:

    It is possible to use ssh to perform remote checkout with cvs. To verify that this works in principle, I have tried it in Solaris:
    1. Run 'ssh-keygen' to generate your RSA encryption keys.
    2. Copy ~/.ssh/identity to ~/.ssh/authorized_keys.
    3. Run ssh-agent xterm to start an xterm inside an ssh agent.
    4. In the new xterm, run 'ssh-add' to add your identity file to the agent.
    5. Go 'setenv CVS_RSH ssh' to tell CVS to use ssh.
    6. Run cvs. eg:
        cvs -d :ext:brahe.eecs.berkeley.edu:/users/johnr/Repository checkout diva
      

    CVS uses ssh to connect to brahe and get the files. The reason for steps 3 and 4 is so that you don't have to type in your RSA password when ssh makes the connection -- the agent does it for you.

    Compiling ssh under Windows

    I wanted to experiment with the ssh-agent binary under windows, so I compiled using Gordon Chaffee's SSH NT page: http://bmrc.berkeley.edu/people/chaffee/winntutil.html#sshnt and created ssh-1.2.27-win.patch.gz

    Below are my notes on the process:

    1. Download the ssh-1.2.14 sources
    2. Download Gordon Chaffee's patch
    3. Apply the patch

      I had problems under Cygwin b20.1, so I patched under Solaris and then copied the distribution over to NT. The error I saw under cygwin was:

      patching file `minfd.c'
      patching file `newchannels.c'
      missing header for unified diff at line 2969 of patch
      can't find file to patch at input line 2969
      Perhaps you used the wrong -p or --strip option?
      The text leading up to this was:
      --------------------------
      |k_strerror(sock_lasterror()));
      |
      |       /* Dup some descriptors to get the authentication fd to pfd,
      |        because some shells arbitrarily close descriptors below that.
      --------------------------
      File to patch:
      
    4. Under Cygwin bash, set the TOOLS32 variable and build (the backslashes are doubled because the assignment is unquoted):
      TOOLS32=d:\\PROGRA~1\\MICROS~2\\VC98
      export TOOLS32
      nmake -f makefile.vc
      

    Using RhostsRSAAuthentication Authentication

    In theory, if RhostsRSAAuthentication is turned on, then it should be possible to use ssh from Windows to a Unix host without typing in your password.

    However, the sshd server on the Unix side requires the connection to come in from a privileged port (a port less than 1024; port 22 is the default port the server listens on).

    The patch has code in sshconnect.c that disables privileged ports, probably because Windows seems to leave the port open.

  • Add the full hostname to your ~/.shosts file on the Unix side.
  • Build ssh under Windows as above
  • Edit sshconnect.c and comment out the line that sets privileged to 0:
    int ssh_create_socket(uid_t original_real_uid, int privileged)
    {
      SOCKET sock;
    
    #ifdef WIN32
    /*  privileged = 0;*/
    #endif
    
    
  • Remake ssh:
    nmake -f makefile.vc
  • Create a host key with ssh-keygen:
    cd c:/ssh/etc
    ssh-keygen -b 1024 -f ssh_host_key -N '' -C `hostname`
    
    If you don't use the -C option, you may see
    gethostname: No such file or directory
    
  • Copy the contents of the public key in c:/ssh/etc/ssh_host_key.pub to your ~/.ssh/known_hosts file on the unix side. Be sure that all the text is on one line, and prepend the complete hostname onto the line.

    If your c:/ssh/etc/ssh_host_key.pub file looks like:

    1024 37 92211548838575631857149044962012412396920175293846451688615537064780339276060115099782841074084392508144053454713147819522126021522131292433368697049383297843845159907203804687763827359894904226651209411021449832358159081065887574077437205573601830190940892759547909261963762935289181497643192397592132052261 foo.eecs.berkeley.edu
    
    Then what you will add ~/.ssh/known_hosts on the Unix machine should look like
    foo.eecs.berkeley.edu 1024 37 92211548838575631857149044962012412396920175293846451688615537064780339276060115099782841074084392508144053454713147819522126021522131292433368697049383297843845159907203804687763827359894904226651209411021449832358159081065887574077437205573601830190940892759547909261963762935289181497643192397592132052261 foo.eecs.berkeley.edu
    
    Problems

  • Connecting to carson.eecs.berkeley.edu [128.32.171.132] port 22.
    Allocated local port 1023.
    connect: Address already in use in call to Winsock.
    Trying again...
    Connecting to carson.eecs.berkeley.edu [128.32.171.132] port 22.
    Allocated local port 1023.
    
    This message comes from the ssh winsockutil.c file:
        case WSAEADDRINUSE:
            return "Address already in use in call to Winsock.";
    
    
    Apparently, this is a known bug in Microsoft products.

    My fix was to add a remport option to ssh_create_socket() in sshconnect.c and then modify ssh_connect() so that remport is set to 1023 and then decremented each time we retry.

    SSH Debugging hints

    1. First, set up a connection between two Unix machines:
      1. Log in from the local machine to the remote machine using ssh and the full hostname of the remote machine, e.g.:
        you@localmachine 1% ssh remotemachine.eecs.berkeley.edu
        
      2. On the remote machine, create a ~/.shosts file that contains the full name of the local machine:
        you@remotemachine 1% echo "localmachine.eecs.berkeley.edu" >> ~/.shosts
        
      3. Log in from the remote machine to the local machine using ssh and the full hostname of the local machine:
        you@remotemachine 1% ssh localmachine.eecs.berkeley.edu
        
      4. From the local machine, run ssh -v remotemachine date
    2. Use the ssh -v debugging option:
      ssh -v foo date
      
    3. Use the sshd -d option on the Unix server. If you have root access, then you should stop any sshd processes that are running and then start up sshd -d, which will handle one connection and then exit. If you don't have root, then you could try using the port options of ssh and sshd to connect via a non-privileged port.

    Using SSH with dynamic addresses

    The problem here is that if you try to use ssh to connect via an ISP such as ibm.net, then you have to type in your passwd each time, since the IP address of the remote client (perhaps a laptop) is usually different each time.

    I poked around, and I could not log in if I added something like *.eecs.berkeley.edu to ~/.shosts. If this worked, then we could add things like *.ibm.net to ~/.shosts.

    My temporary workaround is to modify ~/.ssh/known_hosts and add *.ibm.net to the key for the laptop so that it looks like

    xxx.berkeley.edu,*.ibm.net 1024 37 1417...
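
    Both known_hosts edits on this page (turning ssh_host_key.pub into a one-line known_hosts entry with the hostname prepended, under "Using RhostsRSAAuthentication Authentication" above, and appending a pattern such as *.ibm.net to an existing entry's host list, as just shown) can be scripted. The following is an added example written for this page, not code from the original; the function names pub_to_known_hosts and add_known_hosts_pattern are my own, and it assumes the SSH1-era known_hosts layout shown above (host list, bits, exponent, modulus, optional comment).

```sh
#!/bin/sh
# Added example: maintain SSH1-style known_hosts entries of the form
#   HOSTLIST BITS EXPONENT MODULUS [COMMENT]
# where HOSTLIST is a comma-separated list of hostnames or patterns.
# Function names are hypothetical; the logic follows the manual edits
# described on this page.

# pub_to_known_hosts HOST PUBFILE
# Print PUBFILE (an ssh_host_key.pub) as one known_hosts line with HOST
# prepended.  Line breaks and runs of blanks in the file are collapsed so
# the whole key ends up on a single line, as sshd requires.
pub_to_known_hosts() {
    host=$1
    pubfile=$2
    key=$(tr '\n' ' ' < "$pubfile" | sed 's/  */ /g; s/^ //; s/ $//')
    [ -n "$key" ] || return 1
    printf '%s %s\n' "$host" "$key"
}

# add_known_hosts_pattern HOST PATTERN FILE
# Append ",PATTERN" to the host list of the entry that already lists HOST,
# e.g. turning
#   xxx.berkeley.edu 1024 37 1417...
# into
#   xxx.berkeley.edu,*.ibm.net 1024 37 1417...
# Only the host list changes; the key is what identifies the client host,
# the pattern merely lets that same key be accepted under any name it
# matches.  Returns 1 and leaves FILE untouched if no entry lists HOST
# or PATTERN is already present.
add_known_hosts_pattern() {
    host=$1
    pattern=$2
    file=$3
    tmp="$file.tmp.$$"
    if awk -v host="$host" -v pat="$pattern" '
        {
            n = split($1, hosts, ",")
            found = 0; present = 0
            for (i = 1; i <= n; i++) {
                if (hosts[i] == host) found = 1
                if (hosts[i] == pat) present = 1
            }
            if (found && !present) { $1 = $1 "," pat; changed = 1 }
            print
        }
        END { exit changed ? 0 : 1 }
    ' "$file" > "$tmp"; then
        mv "$tmp" "$file"
    else
        rm -f "$tmp"
        return 1
    fi
}
```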
    
    Then I modified my .cshrc and placed the following command at the end.
    # If we are logging in via ssh, this command adds the current host
    # to ~/.shosts
    /usr/local/bin/shostsadd
    

    This script checks the value of SSH_CLIENT. If that variable is present and its value is not already in your .shosts file, the script adds it to your .shosts file so that the next time you log in you will not need to type in your RSA passwd.

    #!/bin/sh
    # Add a host to .shosts if necessary
    #
    # Call this script while logging in to add new hosts to .shosts so
    # that we can connect via ssh easily from accounts like ibm.net
    
    prog=$0
    shosts="$HOME/.shosts"
    
    # Succeed if $1 appears as a whole line in .shosts.  The match is a
    # fixed string (-F) on the whole line (-x), so the dots in an address
    # are not treated as regexp wildcards; -s keeps grep quiet.
    in_shosts() {
        [ -f "$shosts" ] && grep -F -x -s -- "$1" "$shosts" > /dev/null
    }
    
    # SSH_CLIENT is set if we are logging in via ssh; its first field is
    # the address of the client host.
    if [ "${SSH_CLIENT}x" = "x" ]; then
        exit 0
    fi
    REMOTE_HOSTIP=$(echo "$SSH_CLIENT" | awk '{print $1}')
    
    # Nothing to do if the address is already trusted.
    in_shosts "$REMOTE_HOSTIP" && exit 0
    
    if [ -x /usr/local/bin/host ]; then
        # Reverse-lookup the address.  The name is taken to be the last
        # field of host(1)'s "... domain name pointer NAME." output;
        # strip the trailing dot before comparing.
        REMOTE_HOSTNAME=$(/usr/local/bin/host "$REMOTE_HOSTIP" | awk '{print $NF}' | sed 's/\.$//')
        # If the name is already in .shosts, the address is not needed.
        if [ -n "$REMOTE_HOSTNAME" ]; then
            in_shosts "$REMOTE_HOSTNAME" && exit 0
        fi
    fi
    
    echo "$prog: Adding $REMOTE_HOSTIP to $shosts"
    echo "$REMOTE_HOSTIP" >> "$shosts"
    # Keep .shosts private: sshd in strict mode refuses one that other
    # users can write.
    chmod 600 "$shosts"
    
    

    In the example below, my .shosts file did not have the IP address of my laptop in it, so shostsadd added it. The second time I ran ssh, everything worked.

    
    
    bash-2.02$ ssh maury date
    Enter passphrase for RSA key 'cxh@maury.eecs.berkeley.edu':
    ld.so.1: /usr/local/bin/xauth: warning: /usr/4lib/libXmu.so.4.0: has older revision than expected 10
    /usr/local/bin/shostsadd: Adding 169.129.59.148 to /users/cxh/.shosts 
    Sun Jun 13 17:25:06 PDT 1999
    bash-2.02$ ssh maury date
    ld.so.1: /usr/local/bin/xauth: warning: /usr/4lib/libXmu.so.4.0: has older revision than expected 10
    Sun Jun 13 17:25:15 PDT 1999
    bash-2.02$
    
    The downside of this is that you will probably need to type in your passwd once each time you log in. The upside is that once you get your .shosts file set up, then you can run a script of cvs commands to add your changes.
    Send comments to cxh at eecs.