The Secure Shell (ssh)


The Berkeley Remote Commands and the DARPA Commands allow users access to resources on remote computers. Unfortunately, as mentioned earlier in this chapter, systems that enable these commands are vulnerable to attack by unauthorized parties. For example, an intruder with root access to a computer on the network, or who has tapped into the network itself, can obtain passwords of users. Because of these and other security concerns, system administrators on many UNIX systems disable these remote commands.

To solve the security problems of the Berkeley Remote Commands while still providing the same functions, Tatu Ylönen at the Helsinki University of Technology, Finland, created the Secure Shell (SSH) in 1995. Although the first few releases of the Secure Shell were freely available, Ylönen decided to develop later versions as proprietary software owned by a company he founded, SSH Communications Security. In 1999, members of the OpenBSD development team (see Chapter 1) decided to create a free, open-source version of the Secure Shell, which they named OpenSSH. OpenSSH is available for Linux, Solaris, AIX, OpenBSD, HP-UX, Mac OS X, and other UNIX variants. Other commercial versions of the Secure Shell, besides the SSH Secure Shell, and other open-source versions, besides OpenSSH, are also available.

The Secure Shell, as offered by a commercial vendor or an open-source supplier, is a program that allows users to log in to computers over a network, to copy files from one computer to another, and to execute commands on a remote machine, all in secure ways. The Secure Shell provides security by authenticating users and by providing secure communications over connections that may not be secure. That is, the Secure Shell was designed to carry out the same functions as the Berkeley Remote Commands, without leading to the same security vulnerabilities. The Secure Shell provides security in many ways. For example, when the Secure Shell is used, both ends of the connection are automatically authenticated and all passwords sent over the network are first encrypted. The Secure Shell uses both private- and public-key cryptography for encryption and authentication functions. The particular algorithms employed vary according to whether you are using a free version or a commercial version of the Secure Shell software.

The specific versions of the commands supported by different variants of the Secure Shell vary. For example, the OpenSSH suite replaces the rlogin command, as well as the telnet command, with the ssh command. It replaces rcp with scp, and it replaces ftp with sftp.

For example, suppose you have an account on the remote machine jersey.att.com and are running the OpenSSH suite. To connect to this machine as a remote server, type

 $ ssh jersey.att.com

If this is the first time that you are connecting to this remote host via ssh, you will be asked whether you want to continue connecting. If you answer yes, this host will be added to your known_hosts file. (More precisely, the name of this host and its encryption key are added to the known_hosts file.) When you make successive connections to this remote host, you will not be asked whether you want to continue connecting. When you use ssh to connect to a remote host in your known_hosts file, your password is automatically provided to the remote system. If the host key has changed, you will see a warning message when you attempt to connect to this host. Note that when you use ssh, you are assured that you are connecting to the correct host and that you have an encrypted connection with the remote host that cannot be intercepted and decrypted by an intermediate party.
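The known_hosts decision described above can be sketched as follows. This is an added example, not code from the book or from OpenSSH: the function name check_host_key, the address 192.0.2.10, and the key strings are constructed placeholders, and only plain (unhashed) known_hosts entries are handled.

```shell
#!/bin/sh
# Added example: reproduce the three outcomes a user sees when ssh looks up
# a host key in known_hosts: first contact, known key, or changed key.
# Entry format: "name1,name2 keytype base64key [comment]".

# check_host_key FILE HOST KEYTYPE KEYBLOB -> prints new | match | changed
check_host_key() {
    # No known_hosts file yet means every host is a first contact.
    [ -f "$1" ] || { echo new; return 0; }
    awk -v host="$2" -v ktype="$3" -v blob="$4" '
        /^[ \t]*#/ || NF == 0 { next }        # comments and blank lines
        {
            c = substr($1, 1, 1)
            if (c == "@" || c == "|") next    # marker lines, hashed names
        }
        $2 == ktype {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == host) {
                    if ($3 == blob) matched = 1; else changed = 1
                }
        }
        END {
            # Any matching entry wins, as when a host has several keys listed.
            if (matched)      print "match"
            else if (changed) print "changed"  # ssh prints its warning here
            else              print "new"      # ssh asks whether to continue
        }' "$1"
}

# Constructed sample file; the key strings are placeholders, not real keys.
kh=$(mktemp)
cat > "$kh" <<'EOF'
# known_hosts (constructed sample)
jersey.att.com,192.0.2.10 ssh-ed25519 AAAAC3PLACEHOLDERKEYONE
EOF

for blob in AAAAC3PLACEHOLDERKEYONE AAAAC3PLACEHOLDERKEYTWO; do
    printf 'jersey.att.com %s -> %s\n' "$blob" \
        "$(check_host_key "$kh" jersey.att.com ssh-ed25519 "$blob")"
done
printf 'newhost.example -> %s\n' \
    "$(check_host_key "$kh" newhost.example ssh-ed25519 AAAAC3PLACEHOLDERKEYONE)"
rm -f "$kh"
```

A "changed" result corresponds to the warning message mentioned above; confirm the new key with the host's administrator through a separate channel before replacing the stored entry.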

If the Secure Shell is not already installed on the system you use, you can obtain it over the Internet. You can download it from http://www.openssh.com/. You can find the manual pages for the Secure Shell commands at http://www.openssh.com/manual.html.




UNIX: The Complete Reference, Second Edition (Complete Reference Series)
ISBN: 0072263369
EAN: 2147483647
Year: 2006
Pages: 316
