Activating SSH

   

If you want to be able to connect to your machine via the command line, and do it securely, using SSH is the best security precaution available to you today. If you are just interested in connecting from your OS X machine to another machine running an SSH server, then you do not need to activate the SSH server on your machine. However, if you want to be able to access your Macintosh remotely, you need to turn on the SSH server. To activate the SSH server, check the Remote Login box under the Services tab of the Sharing pane.

The SSH server starts from /System/Library/StartupItems/ and also has a control in /etc/hostconfig.

Basic Configuration

There are two basic configuration files for SSH: /etc/sshd_config and /etc/ssh_config. The first file is the configuration file for the SSH server itself, sshd. The second file is the configuration file for the client, ssh. You can also use command-line options at startup for configuring sshd. Command-line options override settings in /etc/sshd_config.

/etc/sshd_config

The default configuration file for sshd, /etc/sshd_config, is shown here. Because sshd processes run for each incoming connection, it is easiest to make changes to your sshd from the console. A brief explanation for the sections is included.

    #       $OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $

    # This is the sshd server system-wide configuration file.  See
    # sshd_config(5) for more information.

    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options change a
    # default value.

    #Port 22
    #Protocol 2,1
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    # HostKey for protocol version 1
    #HostKey /etc/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh_host_rsa_key
    #HostKey /etc/ssh_host_dsa_key

    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 3600
    #ServerKeyBits 768

This section of the configuration file sets some general configuration settings. By default, sshd runs on port 22. The Protocol option enables you to specify which SSH protocols sshd should support. The default is 2,1. By default, sshd listens on all local addresses. However, there can be multiple ListenAddress statements, where you can specify settings for each interface.

    # Logging
    #obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    #LogLevel INFO

This section controls the facility code and level of logging that sshd does.

    # Authentication:

    #LoginGraceTime 600
    #PermitRootLogin yes
    #StrictModes yes

    #RSAAuthentication yes
    #PubkeyAuthentication yes
    #AuthorizedKeysFile     .ssh/authorized_keys

    # rhosts authentication should not be used
    #RhostsAuthentication no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes
    # For this to work you will also need host keys in /etc/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no

    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    #PermitEmptyPasswords no

    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes

    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes

    #AFSTokenPassing no

    # Kerberos TGT Passing only works with the AFS kaserver
    #KerberosTgtPassing no

    # Set this to 'yes' to enable PAM keyboard-interactive authentication
    # Warning: enabling this may bypass the setting of 'PasswordAuthentication'
    #PAMAuthenticationViaKbdInt yes

This section addresses various authentication issues. By default, PermitRootLogin is set to yes. This is typically a poor choice in networked Unix installations. It's usually better to require administrative users to log in as themselves and then su to root, rather than allowing direct login as root. This forces slightly better tracking of who's doing what. Possible values for this directive are yes, without-password, forced-commands-only, or no. The without-password value disables password authentication for root. The forced-commands-only option permits root to log in with public key authentication, but only if the command has been specified on a key in the authorized_keys file with the command=... option. This option can be useful for doing remote backups on a system where root is not normally permitted to log in. If the only commands that root is allowed to execute are commands that can't compromise security (be very careful when making this assessment!), then the without-password option may be acceptable in this case.

This section also provides some settings for a user's session. By default, ~/.rhosts and ~/.shosts are ignored for RhostsAuthentication, RhostsRSAAuthentication, or HostbasedAuthentication. The /etc/hosts.equiv and /etc/shosts.equiv files are still used. The ~/.rhosts and ~/.shosts files allow users to specify trusted hosts. Typically, the /etc/hosts.equiv and /etc/shosts.equiv files specify systemwide trusted hosts. In Mac OS X, it might be necessary to create these maps in the NetInfo database instead.

This section also specifies what authentication methods are allowed. The RhostsRSAAuthentication and RSAAuthentication directives are protocol 1 directives. Public key authentication is allowed by default for protocol 2. By default, PasswordAuthentication is set to yes. If you only want to permit public key authentication, set this option to no.

    #X11Forwarding no
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #KeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation yes
    #Compression yes

In this section you can also set whether to allow X11 forwarding, the printing of the message of the day, when the user last logged in, and whether the server sends TCP keepalive messages. Having the server send TCP keepalive messages prevents a connection from hanging if the network goes down or the client crashes.

    #MaxStartups 10
    # no default banner path
    #Banner /some/path
    #VerifyReverseMapping no

This section includes options for more general settings for sshd. The MaxStartups option enables you to specify the maximum number of concurrent unauthenticated connections to sshd. When specified as a set of three colon-separated numbers, this option specifies a random early drop as start:rate:full. The point at which random early dropoff starts is when the number of unauthenticated connections reaches start. When the number of unauthenticated connections reaches full, all the connections are refused. The sshd refuses connections with a probability of rate/100 if the number of connections is start. The probability increases linearly to 100% as the number of unauthenticated connections reaches full. The VerifyReverseMapping directive specifies whether sshd should verify the remote hostname for an IP address by checking that the resolved hostname maps back to the same IP address.
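The random early drop rule just described, worked through in Python as an added example (it is not code from the book or from OpenSSH). The function names and the value 10:30:60 are chosen here for illustration; a single number is treated as a hard limit with no early drop.

```python
import re


def parse_max_startups(spec):
    """Parse 'N' or 'start:rate:full' into a (start, rate, full) tuple."""
    m = re.fullmatch(r"\s*(\d+)(?::(\d+):(\d+))?\s*", spec)
    if m is None:
        raise ValueError("expected N or start:rate:full, got %r" % spec)
    start = int(m.group(1))
    if start < 1:
        raise ValueError("start must be at least 1 in %r" % spec)
    if m.group(2) is None:
        # Single number: every connection is refused once N unauthenticated
        # connections exist, and none is refused before that.
        return start, 100, start
    rate, full = int(m.group(2)), int(m.group(3))
    if not 1 <= rate <= 100 or full < start:
        raise ValueError("inconsistent MaxStartups value %r" % spec)
    return start, rate, full


def refusal_probability(unauthenticated, spec):
    """Probability that sshd refuses the next connection, per the rule above."""
    start, rate, full = parse_max_startups(spec)
    if unauthenticated < start:
        return 0.0  # below start: nothing is dropped
    if unauthenticated >= full:
        return 1.0  # at or above full: everything is refused
    # rate/100 at start, rising linearly to 100% at full
    percent = rate + (100 - rate) * (unauthenticated - start) / (full - start)
    return percent / 100.0


def schedule(spec, counts):
    """Refusal probability for each unauthenticated-connection count."""
    return [(n, refusal_probability(n, spec)) for n in counts]


if __name__ == "__main__":
    # Constructed setting: start dropping at 10, 30% at first, refuse all at 60.
    for n, p in schedule("10:30:60", [9, 10, 35, 59, 60]):
        print("%3d unauthenticated -> refuse with p=%.2f" % (n, p))
```

Running the schedule for a candidate setting before deploying it shows how early legitimate logins start to be refused while a burst of unauthenticated connections is in progress.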

 Subsystem       sftp    /usr/libexec/sftp-server 

The default configuration file ends with the preceding line. This option activates the sftp server. It is on by default. In earlier versions of Mac OS X, this option was commented out, and therefore off by default. If you don't think you will have a need for the sftp functionality, you can turn it off here.
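Because the commented lines in the file only document defaults, the effective configuration is those defaults overlaid with whatever is uncommented. The following added example (not from the book or from OpenSSH) computes that overlay and reports the settings this section comments on. It assumes the defaults shown in this page's listing and that the first occurrence of a keyword wins; STOCK, KEYS_ONLY and HARDENED are constructed samples.

```python
# Defaults as shown, commented out, in the listing on this page.
PAGE_DEFAULTS = {
    "permitrootlogin": "yes",
    "rhostsauthentication": "no",
    "ignorerhosts": "yes",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "pamauthenticationviakbdint": "yes",
}


def effective_settings(config_text, defaults=PAGE_DEFAULTS):
    """Overlay uncommented directives on the defaults; return keyword -> value."""
    settings = dict(defaults)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank, or a commented line that only documents a default
        parts = line.split(None, 1)
        key = parts[0].lower()  # keywords are matched case-insensitively
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in seen:
            continue  # assumption: the first occurrence of a keyword wins
        seen.add(key)
        settings[key] = value
    return settings


def audit(config_text):
    """Return (keyword, note) pairs for the settings discussed in this section."""
    s = effective_settings(config_text)

    def val(key):
        return s[key].lower()

    findings = []
    if val("permitrootlogin") == "yes":
        findings.append(("PermitRootLogin",
                         "direct root login allowed; prefer user login plus su"))
    elif val("permitrootlogin") in ("without-password", "forced-commands-only"):
        findings.append(("PermitRootLogin",
                         "root can log in with a key; review root's authorized_keys"))
    if val("rhostsauthentication") == "yes":
        findings.append(("RhostsAuthentication", "rhosts authentication enabled"))
    if val("ignorerhosts") == "no":
        findings.append(("IgnoreRhosts", "per-user ~/.rhosts and ~/.shosts honoured"))
    if val("permitemptypasswords") == "yes":
        findings.append(("PermitEmptyPasswords", "empty passwords accepted"))
    if val("passwordauthentication") == "yes":
        findings.append(("PasswordAuthentication",
                         "passwords accepted; set to no for public keys only"))
    elif val("pamauthenticationviakbdint") == "yes":
        # The listing's own warning: this may bypass PasswordAuthentication no.
        findings.append(("PAMAuthenticationViaKbdInt",
                         "may bypass PasswordAuthentication no"))
    return findings


# Constructed samples.
STOCK = "#PermitRootLogin yes\n#PasswordAuthentication yes\n"
KEYS_ONLY = "PermitRootLogin no\nPasswordAuthentication no\n"
HARDENED = KEYS_ONLY + "PAMAuthenticationViaKbdInt no\n"

if __name__ == "__main__":
    for name, text in (("STOCK", STOCK), ("KEYS_ONLY", KEYS_ONLY),
                       ("HARDENED", HARDENED)):
        print(name, audit(text))
```

The KEYS_ONLY sample is the case worth noting: turning PasswordAuthentication off while leaving PAMAuthenticationViaKbdInt at the default shown in the listing still produces a finding.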

Some additional interesting directives are noted in Table 14.1. Be sure to read the man page for more details.

Table 14.1. Select Additional Options for /etc/sshd_config

Option

Function

AllowGroups

Takes a list of group name patterns, separated by spaces. If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. By default, login is allowed for all groups.

AllowUsers

Takes a list of username patterns, separated by spaces. If specified, login is allowed only for usernames that match one of the patterns. By default, login is allowed for all users.

Ciphers

Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma separated. The default is

aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc.

ClientAliveInterval

Sets a timeout interval in seconds, after which if no data has been received from the client, sshd sends a message through the encrypted channel to request a response from the client. The default is , indicating that these messages will not be sent to the client. Protocol version 2 option only.

ClientAliveCountMax

Sets the number of client alive queries that may be sent without sshd receiving any messages back from the client before sshd gets suspicious. If this threshold is reached while client alive messages are being sent, sshd disconnects the client, terminating the session. The default value is 3 .

DenyGroups

Takes a list of group name patterns, separated by spaces. Login is disallowed for users whose primary group or supplementary group list matches one of the patterns. By default, login is allowed for all groups.

DenyUsers

Takes a list of username patterns, separated by spaces. Login is disallowed for usernames that match one of the patterns. By default, login is allowed for all users.

MACs

Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma separated. The default is

hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96

PidFile

Specifies the file that contains the process identifier of sshd .

PubkeyAuthentication

Specifies whether public key authentication is allowed. Argument must be yes or no . Default is yes . Protocol version 2 option only.

UsePrivilegeSeparation

Specifies whether sshd separates privileges by creating an unprivileged child process to deal with incoming network traffic. After successful authentication, another process will be created that has the privilege of the authenticated user. The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. The default is yes .

VerifyReverseMapping

Specifies whether sshd should try to verify the remote hostname by checking that the resolved hostname for the remote IP address maps back to the very same IP address. The default is no .

X11DisplayOffset

Specifies the first display number available for sshd 's X11 forwarding. This prevents sshd from interfering with real X11 servers. The default is 10 .

X11Forwarding

Specifies whether X11 forwarding is permitted. The default is no . Note that disabling X11 forwarding does not improve security in any way; users can always install their own forwarders. X11 forwarding is automatically disabled if UseLogin is enabled.

X11UseLocalhost

Specifies whether sshd should bind the X11 forwarding server to the loopback address or to the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost . This prevents remote hosts from connecting to the proxy display. However, some older X11 clients may not function with this configuration. X11UseLocalhost may be set to no to specify that the forwarding server should be bound to the wildcard address. The argument must be yes or no . The default is yes .

XAuthLocation

Specifies the full pathname of the xauth program. The default is /usr/X11R6/bin/xauth .

sshd Command-Line Options

By default, sshd does not start with any command-line options, but you can edit the startup file to control which options will be used for your installation. Command-line options override settings in /etc/sshd_config. If you choose to have sshd start with certain command-line options, edit /System/Library/StartupItems/SSH/SSH accordingly and restart sshd. Table 14.2 provides a listing of possible runtime options. See the man page for more details.

Table 14.2. Command-Line Options for sshd

Option

Function

-b <bits>

Specifies the number of bits in the ephemeral protocol version 1 server key (default 768).

  -d  

Debug mode. The server sends verbose debug output to the system log, and does not put itself in the background. The server also does not fork and only processes one connection.

  -e  

Sends output to standard error instead of /var/log/system.log .

-f <configuration_file>

Specifies the name of the configuration file. Default is /etc/sshd_config . sshd refuses to start if there is no configuration file.

-g <login_grace_time>

Gives the grace time for clients to authenticate themselves.

-h <host_key_file>

Specifies a file from which a host key is read. This option must be given if sshd is not run as root (because the normal host key files are normally not readable by anyone but root ).

  -i  

Runs sshd from inetd. sshd is normally not run from inetd because it needs to generate the server key before it can respond to the client, and this may take tens of seconds. Clients would have to wait too long if the key was regenerated every time. However, with small key sizes (for example, 512) using sshd from inetd may be feasible.

-k <key_gen_time>

Specifies how often the ephemeral protocol version 1 server key is regenerated. A value of indicates that the key will never be regenerated. Default is 3600 seconds or 1 hour .

-o <option>

Can be used to give options in the format used in the configuration file. Useful for specifying options for which there is no separate command-line flag.

-p <port>

Specifies the port on which the server listens for connections. Multiple port options are permitted. Ports specified in the configuration file are ignored when a command-line port is specified. Default is 22 .

  -q  

Quiet mode. Sends no output to /var/log/system.log .

  -t  

Test mode. Checks only the validity of the configuration file and the sanity of the keys. Useful for updating sshd reliably because configuration options may change.

-u <len>

Specifies the size of the field in the utmp structure that holds the remote hostname. If the resolved hostname is longer than <len> , the dotted decimal value is used instead.

  -D  

sshd does not detach and does not become a daemon. Allows for easy monitoring of sshd .

  -4  

Forces sshd to use IPv4 addresses only.

  -6  

Forces sshd to use IPv6 addresses only.

/etc/ssh_config

/etc/ssh_config, the default systemwide configuration file for the client, ssh, is shown following. The configuration file is divided into host sections. Because parameters are determined on a first-match-wins basis, more host-specific values should be given at the beginning of the file, with general values at the end of the file. Users can also configure the ssh client to suit their needs by creating a ~/.ssh/config file. Specifying Host as * sets parameters for all hosts.

    #       $OpenBSD: ssh_config,v 1.15 2002/06/20 20:03:34 stevesk Exp $

    # This is the ssh client system-wide configuration file.  See
    # ssh_config(5) for more information.  This file provides defaults for
    # users, and the values can be changed in per-user configuration files
    # or on the command line.

    # Configuration data is parsed as follows:
    #  1. command line options
    #  2. user-specific file
    #  3. system-wide file
    # Any configuration value is only changed the first time it is set.
    # Thus, host-specific definitions should be at the beginning of the
    # configuration file, and defaults at the end.

    # Site-wide defaults for various options

    # Host *
    #   ForwardAgent no
    #   ForwardX11 no
    #   RhostsAuthentication no
    #   RhostsRSAAuthentication no
    #   RSAAuthentication yes
    #   PasswordAuthentication yes
    #   BatchMode no
    #   CheckHostIP yes
    #   StrictHostKeyChecking ask
    #   IdentityFile ~/.ssh/identity
    #   IdentityFile ~/.ssh/id_rsa
    #   IdentityFile ~/.ssh/id_dsa
    #   Port 22
    #   Protocol 2,1
    #   Cipher 3des
    #   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
    #   EscapeChar ~

The default /etc/ssh_config file lists some options that you may want to set. Table 14.3 includes a description of some of the options shown in this file, along with other selected options. For more details, be sure to read the man pages for ssh and ssh_config .
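The first-match-wins rule is easy to get wrong, so here is an added example (not from the book or from OpenSSH) that resolves the effective client options for a host the way the file's header comment describes: files are read in order and a value is only set the first time it is seen. Host names and option values are constructed; multi-valued options such as IdentityFile are not modelled.

```python
import re


def _pattern_to_regex(pattern):
    # Host patterns: '*' matches any run of characters, '?' exactly one.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile(body)


def resolve(host, *config_texts):
    """Effective options for `host`, reading config_texts in precedence order
    (for example the per-user file first, then the systemwide file)."""
    effective = {}
    for text in config_texts:
        active = True  # options before the first Host line apply to every host
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            # "Keyword value" and "Keyword=value" are both accepted.
            parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
            key = parts[0].lower()
            value = parts[1] if len(parts) > 1 else ""
            if key == "host":
                active = any(_pattern_to_regex(p).fullmatch(host)
                             for p in value.split())
                continue
            if active:
                # First value obtained wins; later matches never override it.
                effective.setdefault(key, value)
    return effective


# Constructed sample sections.
GENERAL = """
Host *
    ForwardX11 no
    StrictHostKeyChecking ask
    Protocol 2,1
"""
SPECIFIC = """
Host backup.example.com
    StrictHostKeyChecking yes
    Protocol 2
    User operator
"""
MISORDERED = GENERAL + SPECIFIC   # general defaults first: specifics are shadowed
ORDERED = SPECIFIC + GENERAL      # host-specific first, defaults last

if __name__ == "__main__":
    for name, cfg in (("MISORDERED", MISORDERED), ("ORDERED", ORDERED)):
        opts = resolve("backup.example.com", cfg)
        print(name, opts["stricthostkeychecking"], opts["protocol"])
```

With the general section first, the stricter StrictHostKeyChecking and Protocol values intended for the one host are silently ignored, while options the general section never sets (User here) still apply.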

CAUTION

Options that you can set in a systemwide /etc/ssh_config include LocalForward and RemoteForward . We discourage setting up any tunnels in a systemwide configuration. If an intruder does gain access to your machine, your systemwide forwarding settings make it that much easier for an intruder to access other machines.

Table 14.3. Select Options for /etc/ssh_config or ~/.ssh/config

Option

Function

Host

Restricts the following declarations (up to the next Host keyword) to be for only those hosts that match one of the patterns given after the keyword. The host is the hostname argument given on the command line (that is, the name is not converted to a canonicalized host name before matching).

BatchMode

If set to yes , disables passphrase/password querying. Useful in scripts and other batch jobs where no user is present to supply the password. The argument must be yes or no . Default is no .

BindAddress

Specifies the interface from which to transmit on machines with multiple interfaces or aliased addresses. Option does not work if UsePrivilegedPort is set to yes .

CheckHostIP

If set to yes , ssh also checks the host IP address in the known_hosts file. This allows ssh to detect whether a host key changed because of DNS spoofing. If set to no , the check is not executed. Default is yes .

Cipher

Specifies the cipher to use for encrypting the session in protocol version 1. blowfish , 3des , and des are supported, although des is supported in the ssh client only for interoperability with legacy protocol 1 implementations that do not support the 3des cipher. Its use is strongly discouraged because of cryptographic weaknesses. Default is 3des .

Ciphers

Specifies the ciphers allowed for protocol version 2 in order of preference. Multiple ciphers must be comma separated. The default is

aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc .

ClearAllForwardings

Specifies that all local, remote, and dynamic port forwardings specified in the configuration files or on the command line be cleared. Primarily useful when used from the ssh command line to clear port forwardings set in configuration files, and is automatically set by scp and sftp . Argument must be yes or no . Default is no .

ForwardX11

Specifies whether X11 connections will be automatically redirected over the secure channel and DISPLAY set on the remote machine. Argument must be yes or no . Default is no .

GlobalKnownHostsFile

Specifies a file to use for the global host key database instead of /etc/ssh_known_hosts .

HostKeyAlgorithms

Specifies, in order of preference, the protocol version 2 host key algorithms that the client should use. Default is

ssh-rsa,ssh-dss .

HostKeyAlias

Specifies an alias that should be used instead of the real hostname when looking up or saving the host key in the host key database files. Useful for tunneling ssh connections or for multiple servers running on a single host.

HostName

Specifies the real hostname to log in to. This can be used to specify nicknames or abbreviations for hosts. Default is the name given on the command line.

IdentityFile

Specifies a file from which the user's RSA or DSA authentication identity is read. Defaults are $HOME/.ssh/identity for protocol version 1, and $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa for protocol version 2.

LocalForward

Specifies that a TCP/IP port on the local machine be forwarded over the secure channel to the specified host and port from the remote machine. Only the superuser can forward privileged ports.

MACs

Specifies the MAC (message authentication code) algorithms in order of preference. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma separated. Default is

hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .

NumberOfPasswordPrompts

Specifies the number of password prompts before giving up. Argument must be an integer. Default is 3 .

Port

Specifies the port number to connect to on the remote host. Default is 22 .

PreferredAuthentications

Specifies the order in which the client should try protocol 2 authentication methods. Default is

hostbased,publickey,keyboard-interactive,password.

Protocol

Specifies the protocol versions ssh should support, in order of preference. The possible values are 1 and 2 . The default is 2,1 . In other words, ssh tries version 2 and falls back to version 1 if version 2 is not available.

PubkeyAuthentication

Specifies whether to try public key authentication. Argument must be yes or no . Default is yes . Protocol version 2 option only.

RemoteForward

Specifies that a TCP/IP port on the remote machine be forwarded over the secure channel to the specified host and port from the local machine. Only the superuser can forward privileged ports.

StrictHostKeyChecking

Argument must be yes , no , or ask . Default is ask .

If set to yes, ssh never automatically adds host keys to the $HOME/.ssh/known_hosts file, and refuses to connect to hosts whose host key has changed. This provides maximum protection against Trojan horse attacks, but can be annoying when the /etc/ssh_known_hosts file is poorly maintained, or connections to new hosts are frequently made. Forces the user to manually add all new hosts.

If set to no , ssh automatically adds new host keys to the user-known hosts files.

If set to ask , new host keys are added to the user-known host files only after the user has confirmed that that is what he really wants to do, and ssh refuses to connect to hosts whose host key has changed.

The host keys of known hosts are verified automatically in all cases.

UsePrivilegedPort

Specifies whether to use a privileged port for outgoing connections. Argument must be yes or no . Default is no .

User

Specifies as what user to log in. This can be useful when a different user name is used on different machines. This saves the trouble of having to remember to give the username on the command line.

UserKnownHostsFile

Specifies a file to use for the user host key database instead of $HOME/.ssh/known_hosts .

Use

SSH provides for secure encrypted traffic transmission across a network. Most SSH software, including that provided by Apple, includes both the encrypted transmission facility and rudimentary tools for making use of that functionality. These tools include the ability to use the encryption to provide secure terminal services and file transfer support. The user can add other functionality as needed by making use of just the secure transport portion of the software to encrypt the traffic between otherwise insecure external software packages.

A common use for the SSH package is for making remote terminal connections. Although you can set a number of options to ssh in a user configuration file, you will probably find yourself using ssh with command-line options initially. This is actually the easiest way to start using ssh . After you have been using ssh with command-line options for a while, you will get a feel for what options, if any, you may want to specify in either ~/.ssh/config or /etc/ssh_config .

To use the ssh client, you can run either ssh or slogin . If you are accustomed to using rlogin on a system, then slogin will be the natural choice for you. Otherwise, you probably won't have any preferences.

The most commonly used syntax for ssh is

    ssh -l <username> <remote_host>
    ssh <username>@<remote_host>

If you are logging in to a remote host for the first time, you will be asked if you want to accept the host's key:

    [localhost:~] joray% slogin -l jray primal.ag.ohio-state.edu
    The authenticity of host 'primal.ag.ohio-state.edu (140.254.85.2)' can't be established.
    RSA key fingerprint is b3:60:d8:e3:1d:59:bc:2c:2d:9e:c3:83:9a:84:c3:a1.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'primal.ag.ohio-state.edu,140.254.85.2' (RSA) to the list of known hosts.
    jray@primal.ag.ohio-state.edu's password:
    Welcome to Darwin!
    [primal:~] jray%

Table 14.4 provides a listing of select command-line options to ssh . Be sure to read the man page for more details.

Table 14.4. Select Command-Line Options to ssh

Option

Function

-b <bind_address>

Specifies the interface to transmit from on machines with multiple interfaces or aliased addresses.

-c blowfish|3des|des

Selects the cipher to use for encrypting the session. Default is 3des . des is supported only for compatibility with legacy protocol 1 servers.

-c <cipher_spec>

Additionally, for SSH2, a comma-separated list of ciphers.

  -f  

Requests ssh to go to background just before command execution. Useful if ssh is going to ask for passwords or passphrases, but the user wants it in the background. Implies -n .

  -g  

Allows remote hosts to connect to local forwarded ports.

-i <identity_file>

Selects a file from which the identity (private key) for RSA or DSA authentication is read. Defaults are $HOME/.ssh/identity for protocol version 1, and $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa for protocol version 2. Identity files may also be specified on a per-host basis in the configuration file.

-l <login_name>

Specifies the user as which to log in on the remote machine. This may also be specified on a per-host basis in the configuration file.

-m <mac_spec>

Specifies a comma-separated list of MAC (message authentication code) algorithms in order of preference for protocol version 2.

  -n  

Redirects stdin from /dev/null (actually, prevents reading from stdin ). This must be used when ssh is run in the background.

  -N  

Does not execute a remote command. This is useful for just forwarding ports (SSH2 only).

-o <option>

Can be used to give options in the format used in the configuration file. Useful for specifying options for which there is no separate command-line flag.

-p <port>

Specifies the port to connect to on the remote host. This can be specified on a per-host basis in the configuration file.

  -P  

Uses a nonprivileged port for outgoing connections. This can be used if a firewall does not permit connections from privileged ports.

  -v  

Verbose mode. Causes ssh to print debugging messages about its progress.

  -x  

Disables X11 forwarding.

  -X  

Enables X11 forwarding. This can also be specified on a per-host basis in a configuration file.

-F <configfile>

Specifies an alternative per-user configuration file. If a configuration file is given on the command line, the systemwide configuration file ( /etc/ssh_config ) is ignored. Default per-user configuration file is $HOME/.ssh/config .

-L <port>:<host>:<hostport>

Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. Port forwardings can also be specified in the configuration file. Only root can forward privileged ports.

-R <port>:<host>:<hostport>

Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side. Port forwardings can also be specified in the configuration file. Privileged ports can be forwarded only when you are logging in as root on the remote machine.

  -1  

Forces SSH1 protocol only.

  -2  

Forces SSH2 protocol only.

  -4  

Forces ssh to use IPv4 addresses only.

  -6  

Forces ssh to use IPv6 addresses only.

Clients

From other Unix machines with an SSH server installed you should be able to use ssh or slogin to connect to your Mac OS X machine remotely. But you don't need a Unix machine to connect to your Mac OS X machine. Windows and traditional Mac OS clients are also available. A brief description of each client's features is included. At this time, not all the features will necessarily have meaning, but they will by the end of the chapter.

Windows

A number of Windows SSH clients are available. Among the available clients are

  • Tera Term Pro with TTSSH . Tera Term is a free terminal emulation program available at http://hp.vector.co.jp/authors/VA002416/teraterm.html. A free extension DLL called TTSSH is available for Tera Term at http://www.zip.com.au/~roca/ttssh.html. With the extension, Tera Term can be used as an SSH client. It supports only the SSH1 protocol. Additionally, it can handle public key authentication, tunneling, and X11 forwarding.

  • PuTTY . PuTTY is a free telnet and SSH client available at http://www.chiark.greenend.org.uk/~sgtatham/putty/. PuTTY supports both the SSH1 and SSH2 protocols, with SSH1 being the default protocol. It also supports public key authentication, tunneling, and X11 forwarding. Additionally, it includes scp (PSCP) and sftp (PSFTP) clients.

  • F-Secure SSH . F-Secure SSH is a commercial SSH client. It is available for Windows 95/98/ME/NT 4.0/2000/XP. It supports both the SSH1 and SSH2 protocols. It also supports public key authentication, tunneling, and X11 forwarding. Additionally, it includes a built-in sftp client and command-line ssh tools. For more product information, see http://www.f-secure.com/.

  • SSH Secure Shell . SSH Communications Security has both a commercial and free SSH client for Windows 95/98/ME/NT 4.0/2000/XP. It supports both the SSH1 and SSH2 protocols. It also supports public key authentication, tunneling, and X11 forwarding. Additionally, it includes a built-in sftp client. For more product information, see http://www.ssh.com/. To download the freely available client, go to ftp://ftp.ssh.com/pub/ssh/ and select the latest Windows client.

  • SecureCRT . SecureCRT is a commercial SSH client available from http://www.vandyke.com/products/securecrt/. It supports both the SSH1 and SSH2 protocols. It also supports public key authentication, tunneling, X11 forwarding, and sftp .

Macintosh 8/9

A few SSH clients are available for the traditional Mac OS. The clients that work in the traditional Mac OS probably also work in Mac OS X's Classic mode. As a matter of fact, to tunnel connections in Classic mode, you need one of these clients with tunneling capabilities. Available clients include

  • NiftyTelnet 1.1 SSH r3 . NiftyTelnet 1.1 SSH r3 is a free telnet and SSH client available at http://www.lysator.liu.se/~jonasw/freeware/niftyssh/. It supports only the SSH1 protocol. It also supports public key authentication and has a built-in scp function.

  • MacSSH . MacSSH is a free SSH, telnet, and various other protocols client available at http://www.macssh.com/. For SSH, it supports only the SSH2 protocol. Additionally, it supports public key authentication, tunneling, and X11 forwarding.

  • MacSFTP . MacSFTP is a shareware sftp client available at http://www.macssh.com/. You can download a 15-day trial. If you decide you like it, the shareware cost is $25. It has an interface similar to Fetch's.

  • F-Secure SSH . F-Secure SSH is a commercial SSH client. It supports both the SSH1 and SSH2 protocols. Additionally, it supports public key authentication, tunneling, and X11 forwarding. For more product information, see http://www.f-secure.com/.

Mac OS X

Mac OS X, of course, has the command-line ssh tools available. However, if you are new to the command line, you may also be wondering whether any SSH GUI tools are available. You should also check whether your favorite FTP client includes or will include SFTP support. Available clients include

  • JellyfiSSH . JellyfiSSH is a freeware product available from http://www.arenasoftware.com/grepsoft/. It provides a GUI login interface and bookmarking capabilities. After you enter your login information, it brings up a terminal window to the remote host. If you are comfortable with using slogin or ssh to log in to a remote host, this application may not be useful to you. If you like the basic GUI login interface of the clients for traditional Mac OS, this application may be useful to you. If you want to learn how to use the ssh command-line client, this application might be useful for you because you can see how the command was issued.

  • Fugu . Fugu is a freeware product available from http://rsug.itd.umich.edu/software/fugu/. It is an ssh tunneling/scp/sftp client.

  • MacSFTP . MacSFTP also works in OS X. It is a shareware sftp client available at http://www.macssh.com/. You can download a 15-day trial. If you decide you like it, the shareware cost is $25. It has an interface similar to Fetch's.

  • RBrowser . RBrowser is an application available from http://www.rbrowser.com/. It provides a finder interface to ssh, scp, and sftp, and also supports tunneling. If you do not like the command line at all, this may be the application for you. The sftp feature works by dragging files from one "finder" to the other. This is a shareware product with two levels of licensing: a basic level that covers ftp and sftp features and a professional level that includes ftp, sftp, Unix, ssh, and ssh tunneling. Demo licenses are also available.

  • F-Secure SSH . As of this writing, F-Secure is working on a client for OS X. However, it is not yet available. Because it is supposed to be similar to the F-Secure SSH 2.4 client, it is expected to be able to do tunneling. Check http://www.f-secure.com/ for more information.


   


Mac OS X Maximum Security
Maximum Mac OS X Security
ISBN: 0672323818
EAN: 2147483647
Year: 2003
Pages: 158
