scrounge.org

Using SSH to connect securely

The short answer: because evil crackers can (and do) use "sniffing" techniques to intercept your login information, including passwords. SSH encrypts the whole session, so the crackers can't do this. You use SSH instead of telnet (and, hopefully, FTP). Otherwise, brush up on Steps for Recovering from a UNIX Root Compromise.

Configuring your Linux machine to use SSH

For Red Hat or Mandrake, you need to download ssh-1.2.27-1us.i386.rpm, ssh-extras-1.2.27-1us.i386.rpm, ssh-clients-1.2.27-1us.i386.rpm, and ssh-server-1.2.27-1us.i386.rpm (or whatever the newest versions are). They are available from, uh, someplace on the Internet, possibly from this site.

Also note that SSH has both SSH1 and SSH2 versions. We are sticking with the SSH1 version, because our Windows client only supports SSH1 and also because SSH1 has less restrictive licensing. SSH1 is indicated by files that are numbered like 1.2.27; SSH2 files are numbered like 2.0.13. If you are using an SSH client that supports SSH2, then feel free to use an SSH2 version.

Recent versions of Red Hat and Mandrake have OpenSSH on the install CD, which is a functional equivalent to SSH.

To install them, just FTP them somewhere on your Linux machine and (as root) run:

rpm -Uvh ssh*.rpm

Then start the SSH server by typing:

/etc/rc.d/init.d/sshd start

Configuring your Windows machine to use SSH

If you have installed SSH on your Linux machine(s) and Tera Term and TTSSH on your Windows machine, you should be able to start TTSSH on your Windows machine, choose SSH as a protocol and log into your Linux machine. Answer "yes" when it asks you to add this machine to your "ssh_known_hosts" file. Use the same user name you normally use to log in. Use your normal password for the TTSSH "passphrase."

Make sure that TTSSH uses port 22 for SSH connections. 22 is for SSH, 23 is for regular telnet. Port 23 won't work for SSH.

When you connect it should act just like a normal telnet session except that everything (especially including your logon password) is very securely encrypted, so that nobody can use sniffing techniques to intercept anything from your session.

Tightening down your Linux machine

If SSH works, then you should disable the telnet service on your Linux machine by editing /etc/inetd.conf, commenting out the "telnet" line, saving /etc/inetd.conf, and then typing /etc/rc.d/init.d/inet restart to re-read /etc/inetd.conf.

You also might want to comment out "linuxconf" because the web-administered version of Linuxconf also sends everything, including your root password, unencrypted. In general, try to disable all inet services unless you absolutely need to use them.

Now try to telnet (regular old telnet, not TTSSH) into your Linux machine. You should get a "connection refused" error. Good. So will all the crackers! But you can connect using the secure and encrypted SSH protocol. This is a good thing.
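The inetd.conf edit described above, as an added shell example (not from the original page): it lists the services that are still enabled and comments out the ones you name, keeping a backup copy. The function names and the sample file are constructed for illustration; on a real machine you would run the functions as root against /etc/inetd.conf and then restart inet as described.

```shell
#!/bin/sh
# Added example: audit and disable cleartext services in an inetd.conf-style file.
# Function names and the sample file are assumptions made for this illustration.

# Print the service name (first field) of every enabled (uncommented) line.
inetd_enabled() {
    awk 'NF && $1 !~ /^#/ { print $1 }' "$1"
}

# Comment out the named services in place, keeping a .bak copy of the original.
inetd_disable() {
    file=$1; shift
    cp -p "$file" "$file.bak" || return 1
    for svc in "$@"; do
        # Match only lines whose first field is exactly the service name,
        # so lines that are already commented are not touched again.
        awk -v s="$svc" '$1 == s { print "#" $0; next } { print }' \
            "$file" > "$file.tmp" || return 1
        # Overwrite the contents rather than renaming, so owner and mode stay the same.
        cat "$file.tmp" > "$file" && rm -f "$file.tmp" || return 1
    done
}

# Constructed sample in the usual inetd.conf layout.
make_sample() {
    cat > "$1" <<'EOF'
# <service> <socktype> <proto> <flags> <user> <server_path> <args>
ftp       stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet    stream tcp nowait root /usr/sbin/tcpd in.telnetd
#shell    stream tcp nowait root /usr/sbin/tcpd in.rshd
linuxconf stream tcp wait   root /bin/linuxconf linuxconf --http
EOF
}

demo() {
    conf=$(mktemp) || return 1
    make_sample "$conf"
    echo "enabled before: $(inetd_enabled "$conf" | tr '\n' ' ')"
    inetd_disable "$conf" telnet linuxconf
    echo "enabled after:  $(inetd_enabled "$conf" | tr '\n' ' ')"
    rm -f "$conf" "$conf.bak"
}
demo
```

Anything still listed by inetd_enabled after the edit is a service inetd will keep offering, so review each remaining name before restarting inet.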

Using SSH with Linux

You use SSH as a replacement for the telnet client to securely log onto other Linux machines. Just type ssh host -l user instead of telnet host -l user. Each time you use SSH to connect to a new server, it will ask "Do you want to save the host information in your hosts file? (yes/no)". You should answer 'yes' (and it has to be 'yes', not 'y', not 'enter', etc.)

This is most valuable when you use SSH to connect to other machines over the Internet. Of course the other machine must also be running SSH. See man ssh for more information.

Use the scp command to securely copy files. See man scp for more information.

See the SSH reference, below, for more information on using ssh.

SSH reference

Thanks to Bruce Buhler and Eric Bradway for valuable assistance and suggestions in preparing this.

