Secure Shell (SSH) Tutorial
Overview
The College of Computing does not permit clear text password services. This means that TELNET, FTP, rlogin, rcp and rsh connections will not work on the CoC Network. Every one of these commands has a secure counterpart, and together those counterparts make up the ssh protocol suite. This document explains how to transition from what you are using today to the ssh equivalent. The process is very simple and requires minimal effort on your part.
Why do we not permit clear text password services?
Simply put, all telnet sessions are transmitted in plain text. So if you are at home and log into a CoC machine, your username and password are transmitted in plain text from your home machine across the internet to our machine. Anyone along the way can see or record your username and password, later use it to log in to our systems as you, and access your files and email. SSH provides us with a simple and uniform way to solve those problems, while at the same time it provides you with an easier login experience.
How does SSH work?
SSH solves 2 different problems with regular telnet: authentication and encryption.
Authentication refers to how a CoC server knows that you are who you say you are. In regular telnet, so long as you have the matching password to your username, you are let in. However, as was mentioned earlier, when you type your username and password, anyone along the way could be monitoring your connection, capture your username/password, and later use it to log in as you.
SSH allows you to solve this problem in 2 ways. At a very minimum, if you log in with a username and password, the transmission between your client and the server is encrypted. SSH also allows you to log in with RSA or DSA public/private key authentication. In this case, you generate a public/private key pair and upload a copy of your public key to a CoC machine. From then on, when you try to log in, the server uses your public key to send you a challenge that only the holder of your private key (hopefully just you) can answer. While this scheme is much safer, it does have one major flaw: anyone who gets hold of your private key can log in as you. Hence you must be very careful about securing your private key. Read the Why should I use a passphrase section to see one way to help protect your private key.
Encryption is solved using a variety of encryption algorithms. Everything you type and receive in an ssh connection is encrypted. This would prevent people from seeing what commands you are typing, or from reading your email when you have it open in pine.
What are known hosts, and why does it ask me about them?
Short answer: The first time you log into each machine, you'll be asked if you want to add the host key to your known hosts. Say yes.
Longer answer: Each time you log into a machine using ssh, the protocol checks the server's key (this is different from the individual user keys described in the setup section below). If the server's key doesn't match what your ssh client remembers (or if your client has never connected to this server before), it will ask you if you want to accept that host key.
Why? This is to verify that the machine you are connecting to is really the machine you think it is. There is a class of attacks known as "man in the middle" attacks. The way they work is that someone sets up a new server and hijacks a DNS name (perhaps like lennon.cc.gatech.edu). Their goal is to let you log in, and hope that they can then steal your password, or modify your account to do things you don't want it to do on other machines.
Luckily, ssh will notice if this happens, and will tell you. So, when you are asked if you want to accept a host key, you should accept it if you've never connected to that machine from this client before. But if you have connected before, then either the machine has been reinstalled and the key changed, or you are not connecting to where you think you are connecting.
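To make the host-key check concrete, here is an added Python example that is not part of the original CoC tutorial and not OpenSSH's own code. It applies the same logic ssh uses to a constructed known_hosts file: the stored key for a host is compared with the key the server presents, giving NEW (never seen, ssh asks you), MATCH (silent login) or MISMATCH (the warning described above). It also handles the hashed `|1|salt|hash` host entries that OpenSSH writes when HashKnownHosts is on, and computes the SHA256 fingerprint in the form `ssh-keygen -l` prints. The key numbers, host names and helper names (`make_rsa_pubkey_line`, `check_host_key`, and so on) are all constructed for the illustration; the RSA values are toy numbers, not real key material.

```python
import base64
import hashlib
import hmac
import struct


# --- wire-format helpers for building a constructed OpenSSH public key line ---
def _mpint(n: int) -> bytes:
    # SSH mpint: big-endian, length-prefixed, with a leading zero byte whenever
    # the high bit is set so the value is read as positive
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(b)) + b


def _string(s: bytes) -> bytes:
    return struct.pack(">I", len(s)) + s


def make_rsa_pubkey_line(e: int, n: int) -> str:
    """Encode (e, n) as an OpenSSH 'ssh-rsa <base64 blob>' public key line (toy numbers only)."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint as 'ssh-keygen -l' shows it: SHA256 of the raw blob, base64 without padding."""
    _keytype, b64 = pubkey_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _hashed_host(salt: bytes, hostname: str) -> bytes:
    # OpenSSH hashes host names with HMAC-SHA1 keyed by a per-line salt
    return hmac.new(salt, hostname.encode(), hashlib.sha1).digest()


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Produce the '|1|salt|hash' host field OpenSSH writes when HashKnownHosts is on."""
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(_hashed_host(salt, hostname)).decode())


def host_matches(field: str, hostname: str) -> bool:
    """Does a known_hosts host field (plain, comma-separated, or hashed) cover hostname?"""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        expected = _hashed_host(base64.b64decode(salt_b64), hostname)
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return hostname in field.split(",")


def check_host_key(known_hosts: str, hostname: str, presented: str) -> str:
    """Classify the key a server presents for hostname against the known_hosts text.

    NEW      - no key of this type is stored for the host (ssh asks whether to accept it)
    MATCH    - the stored key of this type is identical (login proceeds silently)
    MISMATCH - a different key of this type is stored (ssh warns: reinstalled host or man in the middle)
    """
    presented_type = presented.split()[0]
    presented_fp = fingerprint(presented)
    seen_type = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # blank lines and comments
        hosts, keytype, keydata = fields[:3]
        if keytype != presented_type or not host_matches(hosts, hostname):
            continue
        seen_type = True
        if fingerprint(keytype + " " + keydata) == presented_fp:
            return "MATCH"
    return "MISMATCH" if seen_type else "NEW"


# constructed sample: two toy keys and a known_hosts file that stores them
KEY_A = make_rsa_pubkey_line(65537, 0xC0FFEE1234567890ABCDEF)
KEY_B = make_rsa_pubkey_line(65537, 0xDEADBEEF0000000000000001)
SALT = bytes(range(20))  # fixed salt so the hashed line is reproducible
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed ~/.ssh/known_hosts for the example",
    "lennon,lennon.cc.gatech.edu " + KEY_A,
    hash_hostname("george", SALT) + " " + KEY_B,
])

if __name__ == "__main__":
    for host, key in (("lennon", KEY_A), ("lennon", KEY_B), ("ringo", KEY_A), ("george", KEY_B)):
        print(host, fingerprint(key), check_host_key(SAMPLE_KNOWN_HOSTS, host, key))
```

The MISMATCH case is the one to stop and think about: the fingerprint printed in the real ssh warning can be compared against the fingerprint the administrator of the machine publishes before you decide whether the key legitimately changed.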
Okay, what do I need to do?
SSH can work just like telnet. At a very minimum you can simply replace commands that you use today as follows:
| Old Command | Secure equivalent |
|---|---|
| telnet | ssh |
| ftp | sftp |
| rlogin | ssh |
| rcp | scp |
If you do nothing else, you'll be prompted for your password on connect. If you're happy with things working like this, you can stop reading after you find out how to connect from Windows or Mac.
How to setup your Unix account to accept ssh without passwords
If you create a public/private key pair, you will be able to log in to any CoC machine you have access to without entering your password. Having these keys set up also replaces the need for a .rhosts file if you used rlogin, rsh or rcp.
The setup of the public/private key is relatively simple, follow these steps:
- mkdir ~/.ssh
- chmod og-rwx ~/.ssh
- ssh-keygen -b 2048 -t rsa -f ~/.ssh/id_rsa -N ''
- cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
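The chmod step above matters more than it looks: OpenSSH refuses to use key files whose permissions are too loose, and the failure shows up only as a password prompt you were not expecting. The following Python script is an added example, not part of the original tutorial and not CoC's tooling, that checks a .ssh directory against the rules OpenSSH actually enforces: sshd (with its default StrictModes) ignores authorized_keys when it or the .ssh directory is group/other writable, and the ssh client rejects a private key that anyone other than the owner can read. Rather than touching your real account it builds two throwaway directories under a temporary path, one laid out as the steps above leave it and one deliberately loose; the function names are this example's own. Note also that the `-N ''` in the ssh-keygen step creates a key with no passphrase, which is the situation the page's passphrase section addresses.

```python
import os
import stat
import tempfile


def _mode(path: str) -> int:
    # permission bits only (no file-type bits), without following symlinks
    return stat.S_IMODE(os.lstat(path).st_mode)


def check_ssh_dir(ssh_dir: str) -> list:
    """Return the permission problems that would make key-based login fail.

    Rules mirrored here (OpenSSH behaviour): sshd with StrictModes refuses
    authorized_keys if it or the .ssh directory is group/other writable; the
    ssh client refuses a private key (id_*) that anyone but the owner can read.
    """
    problems = []
    if not os.path.isdir(ssh_dir):
        return ["%s is missing (mkdir it first)" % ssh_dir]
    if _mode(ssh_dir) & 0o077:
        problems.append("%s: mode %03o, expected 700 (chmod og-rwx)" % (ssh_dir, _mode(ssh_dir)))
    auth = os.path.join(ssh_dir, "authorized_keys")
    if os.path.exists(auth) and _mode(auth) & 0o022:
        problems.append("%s: mode %03o is group/other writable, expected 600" % (auth, _mode(auth)))
    for name in os.listdir(ssh_dir):
        path = os.path.join(ssh_dir, name)
        if name.startswith("id_") and not name.endswith(".pub") and _mode(path) & 0o077:
            problems.append("%s: mode %03o, private key must be 600" % (path, _mode(path)))
    return sorted(problems)


def build_demo_home(correct: bool) -> str:
    """Create a throwaway .ssh directory that is either set up as the steps above leave it, or deliberately loose."""
    home = tempfile.mkdtemp(prefix="sshdemo_")
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    # constructed placeholder contents; no real key material
    for name in ("id_rsa", "id_rsa.pub", "authorized_keys"):
        with open(os.path.join(ssh_dir, name), "w") as f:
            f.write("constructed placeholder for %s\n" % name)
    if correct:
        os.chmod(ssh_dir, 0o700)
        os.chmod(os.path.join(ssh_dir, "id_rsa"), 0o600)
        os.chmod(os.path.join(ssh_dir, "authorized_keys"), 0o600)
    else:
        os.chmod(ssh_dir, 0o755)                                     # directory readable by everyone
        os.chmod(os.path.join(ssh_dir, "id_rsa"), 0o644)             # private key readable by everyone
        os.chmod(os.path.join(ssh_dir, "authorized_keys"), 0o666)    # anyone could append their own key
    return ssh_dir


if __name__ == "__main__":
    for correct in (True, False):
        d = build_demo_home(correct)
        print(d, "OK" if not check_ssh_dir(d) else check_ssh_dir(d))
```

To check your own account, call `check_ssh_dir(os.path.expanduser("~/.ssh"))`; an empty list means the layout matches what the four steps above produce.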
How to log into one CoC Unix machine from another
In the past you probably opened a shell and typed something like:
telnet lennon
or perhaps
rlogin lennon
Now instead you should type:
ssh lennon
You will not be asked for a username or password. The authentication takes place using your public/private keys. You should simply get a shell on the remote machine.
How to run a single command on a remote CoC Unix machine
In the past you may have done things like:
rsh lennon who (run the command who on the machine lennon.)
In order for this to work, you had to set up a .rhosts file.
Now instead you can simply type:
ssh lennon who
Note: There is no need for a .rhosts file or anything else; this just works automatically once ssh has been set up correctly.
How to copy files from one CoC Unix machine to another
In the past you probably did one of the following:
ftp lennon
or...
rcp blah.txt user@lennon:blah.txt
There are 2 possibilities with SSH:
- sftp
- scp
scp
scp is a direct replacement for rcp. If you already know how to use rcp, there is no difference in syntax. The syntax to copy a file from acme (for example) is:
scp gtx123x@acme:filename .
This would copy the file "filename" on gtx123x's acme account to the current directory on your CoC machine. (NOTE: The space and period at the end of that command are important; the period means "the current directory".)
scp filename gtx123x@acme:Mail
This would copy the file named "filename" on your CoC account, to the directory "Mail" on gtx123x's acme account.
NOTE: This will work regardless of whether or not you have ssh keys set up for connections between acme and CoC. If you do not have them set up, this will prompt you for your acme password. See the section above on setting up your account to accept ssh without passwords to save yourself from having to enter it.
sftp
sftp works very similarly to regular ftp. The main difference is that sftp assumes your username is the same on both machines (Note: This is almost certainly an invalid assumption when you ftp to or from acme).
The correct syntax is:
sftp user@machine
For example,
sftp gtx123x@acme
From there, it behaves just like ftp.