Back to the Home Page of IFH

Back to "computer_topics"
 
 

Secure shell

Content:

  1. Short description and name of binaries
  2. Usage: how to start, how to use it
  3. Some concepts and working principles
Description:

     ssh (Secure Shell) is a program for logging into  a  remote

     machine  and  executing commands in a remote machine.  It is
     intended to replace  rlogin  and  rsh,  and  provide  secure
     encrypted communications between two untrusted hosts over an
     insecure network.   X11  connections  and  arbitrary  TCP/IP
     ports can also be forwarded over the secure channel.
 
 
 
The "secure shell" software consists of the following programs (see man pages):
sshd the server daemon which receive connections from clients.
ssh the ssh client program which works like rlogin and rsh.
scp the ssh remote copy program, like rcp.
ssh-keygen creates your personal RSA keys.
ssh-agent the authentication agent which olds the RSA keys.
ssh-add adds new keys with the agent.
make-ssh-known-hosts a tool which scans for public host keys on other hosts.


Above commands are links to the "old" version 1.2.26

You can now also use the command "xssh" to open a new Secure connection using a xterm window.
The syntax is (curl brackets mean that the parameter is optional):

xssh {-l logname} {-t title} machine_name

where "machine_name" is the host you want to connect with.
The default for "logname" is your login_name on the local machine.
The default for "title" is "machine_name".

New version's ssh2 binaries (Vers. 2.0.12 - Feb 16 1999 - RB)
COMMAND MEANING
ssh2 ssh2  -  client
sshd2 ssh2  -  daemon
scp2 scp   - client
ssh-keygen2 utility for generating keys. -h for help.
ssh-agent2 the authentication agent
ssh-add2 add identities to the authentication agent.
ssh-askpass2 X11 utility for querying passwords.
sftp2 sftp client (needs ssh2). Type "?" in the command line for help.
sftp-server2  sftp server (executed by sshd2).
Back to "Content"

USAGE: how to start, what has to be done

Goal:

you are working on machine A and  want to establish a secure connection with host B.

  1. Create your private and public keys on machine A using ssh-keygen (resp. ssh-keygen2).

    2. ===> this needs to be done only once and is OK on all our machines
  2. (for Vers. 2 only:)Create an "identification" file on machine A

Example: create a new key on machine deneb:

deneb:ballisti:[ballisti]:109 % ssh-keygen
Initializing random number generator...
Generating p: ...................................................................................................++ (distance 1644)
Generating q: ....................++ (distance 270)
Computing the keys...
Testing the keys...
Key generation complete.
Enter file in which to save the key (/home/ballisti/.ssh/identity):
/home/ballisti/.ssh/identity already exists.
Overwrite (y/n)? y
Enter passphrase:
Enter the same passphrase again:
Your identification has been saved in /home/ballisti/.ssh/identity.
Your public key is:
1024 35 143720736277904566988996753727977505649683941328130094437977744496362953526511704471580675799374990404939833814056673056073949037483304245934771080435441145251432869337568289300380172576984181340174038536407882645136564829854172935254302178277902000896526468423804418385796112355252613972344088581574314733701 ballisti@deneb
Your public key has been saved in /home/ballisti/.ssh/identity.pub

Check that the permissions are correctly setted:

deneb:ballisti:[ballisti]:111 % ls -ld .ssh
drwxr-xr-x 2 ballisti ifh 512 May 22 15:36 .ssh/
deneb:ballisti:[ballisti]:112 % ls -l .ssh
total 16
-rw------- 1 ballisti ifh 529 May 23 16:27 identity
-rw-r--r-- 1 ballisti ifh 333 May 23 16:27 identity.pub
-rw------- 1 ballisti ifh 4566 May 23 16:31 known_hosts
-rw------- 1 ballisti ifh 512 May 23 16:31 random_seed
deneb:ballisti:[ballisti]:113 %

Now you are ready to use ssh and all the related commands.

Example nr. 2 using Vers. 2: user "ballisti" on machine "sirius":

sirius:ballisti:[ballisti]:274 % ssh-keygen2
Generating 1024-bit dsa key pair
   2 Oo.ooOo.oOo.
Key generated.
1024-bit dsa, created by ballisti@sirius Wed Feb 17 09:30:32 1999
Passphrase :
Again      :
Private key saved to /home/ifh/ballisti/.ssh2/id_dsa_1024_a
Public key saved to /home/ifh/ballisti/.ssh2/id_dsa_1024_a.pub

sirius:ballisti:[ballisti]:275 % ls -l .ssh2
total 6
-rw-------   1 ballisti ifh          890 Feb 17 09:32 id_dsa_1024_a
-rw-r-----   1 ballisti ifh          748 Feb 17 09:32 id_dsa_1024_a.pub
-rw-------   1 ballisti ifh          512 Feb 17 09:32 random_seed

sirius:ballisti:[ballisti]:276 % chmod 644 .ssh2/id_dsa_1024_a.pub

Please, do not forget this last command, because everybody should be able to read the public key.
Also check the permission of the directory ~/.ssh2: it should be 755:
sirius:ballisti:[ballisti]:277 % ls -ld .ssh2
drwxr-x---   2 ballisti ifh     512 Feb 17 09:32   .ssh2/
sirius:ballisti:[ballisti]:278 % chmod 755 .ssh2
sirius:ballisti:[ballisti]:279 % ls -ld .ssh2
drwxr-xr-x   2 ballisti ifh    512 Feb 17 09:32   .ssh2/

sirius:ballisti:[ballisti]:280 % cd ~/.ssh2
New directory is : /home/sirius67/ballisti/.ssh2
sirius:ballisti:[.ssh2]:281 % echo "IdKey id_dsa_1024_a" > identification
sirius:ballisti:[.ssh2]:282 % chmod 644 identification
 


 
 

Connection to a host using the ssh1 version:

deneb:ballisti:[ballisti]:114 % ssh yed
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)? yes
Host 'yed' added to the list of known hosts.
Last login: Mon May 22 12:18:55 2000 from deneb
Sun Microsystems Inc. SunOS 5.7 Generic October 1998
No mail.
Sun Microsystems Inc. SunOS 5.7 Generic October 1998
yed:ballisti:[ballisti]:41 %

With a machine outside our network:

sirius:ballisti:[ballisti]:287 % ssh baloo
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)? yes
Host 'baloo' added to the list of known hosts.
ballisti@baloo's password:
Last login: Mon Nov  3 14:43:03 1997
..... now you can work ..  :-)
 
 

Some concepts and working principles

More about for instance in : ftp://ftp.pgpi.com/pub/pgp/2.x/doc/pgpdoc1.txt

RSA means:  Rivest-Shamir-Adleman public key cryptosystem
For instance the very well known "Pretty Good Privacy" (PGP) software
make use of this RSA technology, and so does the "secure shell" software.
Public key cryptosystem allows people to exchange files or

messages with privacy, authentication, and convenience.

Privacy means that only those intended to receive a message can read it.

Authentication means that messages that appear to be from a
particular person can only have originated from that person.

Convenience means that privacy and authentication are provided
without the hassles of managing keys associated with conventional
cryptographic software.

Important: no secure channels are needed to exchange keys between users!

In conventional cryptosystems, such as the US Federal Data Encryption
Standard (DES), a single key is used for both encryption and
decryption.  This means that a key must be initially transmitted via
secure channels so that both parties can know it before encrypted
messages can be sent over insecure channels.

In public key cryptosystems, everyone has two related complementary
keys, a publicly revealed key and a secret key (also frequently called
a private key).  Each key unlocks the code that the other key makes.
Knowing the public key does not help you deduce the corresponding
secret key.  The public key can be published and widely disseminated
across a communications network.  This protocol provides privacy
without the need for the same kind of secure channels that a
conventional cryptosystem requires.
 

Anyone can use a recipient's public key to encrypt a message to that
person, and that recipient uses her own corresponding secret key to
decrypt that message.  No one but the recipient can decrypt it,
because no one else has access to that secret key.  Not even the
person who encrypted the message can decrypt it!

Message authentication is also provided.  The sender's own secret key
can be used to encrypt a message, thereby "signing" it.  This creates
a digital signature of a message, which the recipient (or anyone
else) can check by using the sender's public key to decrypt it.  This
proves that the sender was the true originator of the message, and
that the message has not been subsequently altered by anyone else,
because the sender alone possesses the secret key that made that
signature.  Forgery of a signed message is infeasible, and the sender
cannot later disavow his signature!!
 

These two processes can be combined to provide both privacy and
authentication by first signing a message with your own secret key,
then encrypting the signed message with the recipient's public key.
The recipient reverses these steps by first decrypting the message
with her own secret key, then checking the enclosed signature with
your public key.  These steps are done automatically by the
recipient's software.
 

Because the public key encryption algorithm is much slower than
conventional single-key encryption, encryption is better accomplished
by using a high-quality fast conventional single-key encryption
algorithm to encipher the message.  This original unenciphered
message is called "plaintext".  In a process invisible to the user, a
temporary random key, created just for this one "session", is used to
conventionally encipher the plaintext file.  Then the recipient's
public key is used to encipher this temporary random conventional
key.  This public-key-enciphered conventional "session" key is sent
along with the enciphered text (called "ciphertext") to the
recipient.  The recipient uses her own secret key to recover this
temporary session key, and then uses that key to run the fast
conventional single-key algorithm to decipher the large ciphertext
message.