Aug 01 MacTech Online

Volume Number: 17 (2001)
Issue Number: 08
Column Tag: MacTech Online

SSH

by Jeff Clites

When the Internet was first growing up, it was developing in a rather safe environment. In fact, to the inventors it was probably a miracle that it worked at all. Now, however, those halcyon days are gone, and we live in less innocent times, where security is a genuine concern—it isn’t practical these days to just assume that things will be safe by default. There are a number of steps that users need to take to secure their systems, and this month we are going to look at one of them, ssh. It’s a small but important piece.

What’s ssh?

In brief, ssh (the Secure Shell) is a cryptographically secure replacement for telnet. The name is actually a bit of a misnomer—it isn’t really a shell itself, but rather a mechanism for interacting with a remote shell over a secure communication channel. It’s an indispensable tool for working with Mac OS X in a networked environment—like telnet, it allows you to quickly connect to remote machines, which is handy if not essential for a variety of administration and other tasks. In fact, the most significant security enhancement that ssh gives you may not be that it encrypts the contents of your remote session (which it does), but rather that it encrypts the login exchange itself, meaning that your password is never sent unencrypted over the network. Even in a supposedly secure environment, for instance behind a corporate firewall, it’s a good idea to use ssh instead of telnet whenever possible (which basically means whenever both of the communicating machines have it installed). It adds an extra bit of security, and it gets you into the habit of using ssh and of making sure it is installed and available on all machines you routinely connect to. Then, when you are operating in a less secure environment (for instance, if you need to connect from off site), you will reach for ssh out of habit and opt for security by default.

Mac OS X has ssh installed by default (as part of a regular update package), and you can use it to connect with remote machines without further setup. To enable connections to your machine you merely need to enable remote login in the Sharing pane of System Preferences (after the update which installs ssh on Mac OS X, this setting is connected to ssh rather than to telnet, which is then disabled by default). The ssh “server” component (sshd) can be run out of inetd, but it is more commonly run as a standalone daemon. If you need to install ssh separately (either because you wish to install a newer version or because your current install is damaged), there are instructions on Stepwise for building and installing OpenSSH under Mac OS X. (The article also includes instructions for compiling in support for using tcpwrappers to further secure things by restricting remote login to a specific set of hosts and adding additional logging.) This version of ssh is free and open-source (part of the OpenBSD project, in fact), and leverages the OpenSSL library for many of its cryptographic algorithms. There are commercial versions available as well (and older free versions from commercial vendors), but for most users OpenSSH is a good choice. OpenSSH tries very hard to avoid the use of patented algorithms in its implementation, in order to avoid the attendant restrictions to free development and distribution, and consequently does not support some of the algorithms found in commercial versions. This can be seen as either a virtue or a shortcoming, but in practice it does not interfere with its use.

Building OpenSSH 2.9 on Mac OS X 10.0.x
http://www.stepwise.com/Articles/Workbench/2001-05-02.03.html

Securing your Host—tcpwrappers
http://www.theorygroup.com/Theory/Systems/tcpwrappers.html

The SSH Suite

Overall, ssh has a great deal of flexibility in the details of its use. It supports a variety of authentication schemes, from RSA or Kerberos-based authentication to simple passwords or automatic login between trusted hosts; you can choose from several different algorithms (also called ciphers) for the encryption; and you can use ssh for port-forwarding to wrap insecure protocols inside of a secure transfer stream. And in addition to enabling remote login sessions, the ssh distribution contains several related tools which take advantage of ssh’s base facilities for secure communication. For file transfer, there is scp (an analog of rcp and ultimately cp, if you are familiar with those), which is used to copy files between systems over an ssh-based, encrypted channel. Server environments today are often set up without ftp installed in order to enhance security, and in such situations scp is the tool of choice for moving files onto and off of these systems. In addition to encryption, scp also supports compression of files during transit in order to speed transfer, using the same algorithm as gzip. (Compression is also supported by ssh itself, but the benefits are more likely to be noticeable during large file transfers than during a standard interactive login session, although over slow connections compression could make ssh “faster” than telnet for interactive use.) The scp tool has the same semantics as cp, so that source and destination are specified when invoking the tool, rather than being chosen interactively as is commonly done with ftp tools. This can be somewhat inconvenient, as you need to know the exact path to use on the remote system before invoking the tool, which will often necessitate a separate ssh login to “browse around” the remote filesystem to determine the correct path. On the plus side, scp can be used to transfer files between remote systems—neither the source nor the destination needs to be local.
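The operand syntax described above, as an added example that is not part of the original column: a small Python model of how an scp argument of the form [user@]host:path is told apart from a local path, including the case where a local file name contains a colon. The host names, user names and paths are constructed, and the parsing rule is a simplified model that ignores bracketed IPv6 addresses.

```python
from typing import NamedTuple, Optional


class Operand(NamedTuple):
    user: Optional[str]
    host: Optional[str]  # None means the path is on the local machine
    path: str


def parse_operand(arg):
    """Split an scp operand of the form [user@]host:path.

    Simplified model of scp's rule: the first ':' marks a remote host
    unless it is the first character or a '/' appears before it.
    """
    colon = arg.find(":")
    slash = arg.find("/")
    if colon <= 0 or (slash != -1 and slash < colon):
        return Operand(None, None, arg)
    target, path = arg[:colon], arg[colon + 1:]
    user, sep, host = target.rpartition("@")
    if not host:
        raise ValueError("empty host in operand: %r" % arg)
    # An empty remote path means the remote login directory.
    return Operand(user if sep else None, host, path or ".")


def classify(source, destination):
    """Name the kind of transfer a source/destination pair requests."""
    src, dst = parse_operand(source), parse_operand(destination)
    if src.host and dst.host:
        return "remote-to-remote"
    if src.host:
        return "download"
    if dst.host:
        return "upload"
    return "local copy"


# Constructed sample invocations (source, destination).
SAMPLES = [
    ("report.txt", "alice@build.example.com:/tmp/"),
    ("build.example.com:logs/app.log", "."),
    ("alice@a.example.com:/etc/motd", "bob@b.example.com:/tmp/motd"),
    # A local file whose name contains ':' is read as host "backup" ...
    ("backup:2001-08.tar", "/Volumes/Archive/"),
    # ... unless a leading "./" makes the local path explicit.
    ("./backup:2001-08.tar", "/Volumes/Archive/"),
]

if __name__ == "__main__":
    for src, dst in SAMPLES:
        print("%-18s scp %s %s" % (classify(src, dst), src, dst))
```

The fourth sample is the one to watch for in scripts: without the leading "./", the file name is taken as a host to connect to.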

On the other hand, if you need the convenience and flexibility of the interactivity of ftp, you might find sftp more to your liking. It’s a newer addition to the ssh family, and is likely to be less widely deployed at this time. It provides an ftp-like interactive session for file transfer, with similar commands to those used by ftp. Technically, sftp is not itself a secure protocol, but rather it is a protocol designed to be used over a secure channel, provided by ssh. There is a separate executable, sftp-server, which is used by OpenSSH to enable sftp on the server side, but it is invoked by the sshd daemon rather than running separately, so it requires minimal configuration and setup to get it running. One caveat is that sftp is reported to be significantly slower than the traditional scp, although it’s not clear whether this is inherent to the protocol it uses, or if it’s just the result of a still-evolving implementation. Note also that sftp is not simply ftp secured via ssh port-forwarding, because ftp’s use of two separate TCP/IP connections for control commands and data transfer makes this difficult to do; instead, sftp uses a single stream to do its work.
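Why forwarding a single port does not secure ftp, as an added example that is not part of the original column: the server's reply to a passive-mode request names a second, dynamically chosen port for the data connection, so a static ssh forward of the control port alone leaves the file data outside the tunnel. The reply lines, addresses and the set of forwarded ports are constructed sample values.

```python
import re

# RFC 959 passive-mode reply: "227 ... (h1,h2,h3,h4,p1,p2)"
_PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv(reply):
    """Return (ip, port) announced in a 227 reply, or None if it is not one."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        return None
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # high byte, low byte
    return ip, port


def data_channel_exposure(control_replies, forwarded_ports):
    """List data-connection endpoints that fall outside the ssh forwards.

    forwarded_ports: remote ports carried by static ssh forwards,
    for example {21} when only the control connection is tunnelled.
    """
    exposed = []
    for line in control_replies:
        endpoint = parse_pasv(line)
        if endpoint and endpoint[1] not in forwarded_ports:
            exposed.append(endpoint)
    return exposed


# Constructed server replies from one ftp control connection.
SAMPLE_REPLIES = [
    "220 ftp.example.com FTP server ready.",
    "331 Password required for alice.",
    "230 User alice logged in.",
    "227 Entering Passive Mode (192,0,2,10,195,80)",
    "150 Opening BINARY mode data connection for report.txt",
    "226 Transfer complete.",
    "227 Entering Passive Mode (192,0,2,10,19,137)",
]

if __name__ == "__main__":
    for ip, port in data_channel_exposure(SAMPLE_REPLIES, {21}):
        print("data connection to %s:%d is not covered by the tunnel" % (ip, port))
```

Each transfer gets a different data port, which is why sftp's single stream fits an ssh channel where ftp does not.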

References

Online, you can find most of the essential information you need at the OpenSSH web site, including download locations, online manual pages, and a short FAQ, as well as links to other sites with articles and even more information. There is also another ssh FAQ available online, more general but somewhat geared toward the commercial versions of ssh.

OpenSSH
http://openssh.org

OpenSSH Manual pages
http://openssh.org/manual.html

OpenSSH FAQ
http://openssh.org/faq.html

OpenSSH Articles
http://openssh.org/press.html

The Secure Shell Frequently Asked Questions
http://www.tigerlair.com/ssh/faq/ssh-faq.html

There are also a couple of books available devoted entirely to ssh. They can provide you with all the details and options you have for setting up and using ssh on your systems, as well as using it for advanced applications such as tcp port forwarding. Possibly more importantly, they’ll guide you through the minefield of terminology surrounding different versions of ssh products and protocols (which are very easy to confuse), and spell out differences and interoperability issues surrounding the different implementations. Try either SSH, The Secure Shell: The Definitive Guide (ISBN: 0-596-00011-1) from O’Reilly and Associates, or UNIX Secure Shell (ISBN: 0071349332) from Osborne. There is also an excellent web site to accompany the O’Reilly book, with extensive reference information and links to protocol specifications and other reference material.

SSH, The Secure Shell: The Definitive Guide
http://www.snailbook.com

For further helpful info, check out the top 10 FAQ list from Richard Silverman, one of the authors of the O’Reilly book. The security-minded user (which should be everyone, right?) will also want to check out a recent article on SecurityPortal.com about a potential security weakness with ssh, as well as the follow-up rebuttal article from Richard Silverman which corrects some factual errors and gives a less alarmist perspective. For further security info, take a look at the OpenSSH Security page.

Top Ten Secure Shell FAQs
http://sysadmin.oreilly.com/news/sshtips_0101.html

The End of SSL and SSH?
http://www.securityportal.com/cover/coverstory20001218.html

dsniff and SSH: Reports of My Demise are Greatly Exaggerated
http://sysadmin.oreilly.com/news/silverman_1200.html

OpenSSH Security
http://openssh.org/security.html

Finally, for those interested in some of the more advanced features of ssh, start with the SSH Protocol Architecture internet-draft from the IETF for an extensive high-level overview of the protocol. Then, check out an article from the O’Reilly Network on using an ssh tunnel to increase the security of 802.11b wireless networking, such as that used by AirPort.

SSH Protocol Architecture
http://openssh.org/txt/draft-ietf-secsh-architecture-07.txt

Using SSH Tunneling
http://www.oreillynet.com/pub/a/wireless/2001/02/23/wep.html

If you are not yet using Mac OS X (and why aren’t you, huh?), then you can still connect via ssh to remote machines using one of the two clients for the Classic Mac OS. There is NiftyTelnet SSH (based on NiftyTelnet itself) supporting the SSH1 protocol, including scp capabilities, and MacSSH, which is a modified version of BetterTelnet supporting SSH2. Both are available free of charge. If you are running Mac OS X but would prefer a graphical file-transfer tool, try RBrowser, a GUI-based ftp tool which also supports ssh- and scp-based file browsing and transfer. It is still in beta testing, and will require a licensing fee once it is final.

NiftyTelnet SSH
http://www.lysator.liu.se/~jonasw/freeware/niftyssh/

MacSSH
http://www.macsecsh.com/

RBrowser
http://www.rbrowser.com/RBrowser_main.html

 
