Aug 01 MacTech Online

Volume Number: 17 (2001)
Issue Number: 08
Column Tag: MacTech Online

SSH

by Jeff Clites

When the Internet was first growing up, it was developing in a rather safe environment. In fact, to the inventors it was probably a miracle that it worked at all. Now, however, those halcyon days are gone, and we live in less innocent times, where security is a genuine concern—it isn’t practical these days to just assume that things will be safe by default. There are a number of steps that users need to take these days to secure their systems, and this month we are going to look at one of them, ssh. It’s a small but important piece.

What’s ssh?

In brief, ssh (the Secure Shell) is a cryptographically secure replacement for telnet. The name is actually a bit of a misnomer: it isn’t really a shell itself, but rather a mechanism for interacting with a remote shell over a secure communication channel. It’s an indispensable tool for working with Mac OS X in a networked environment. Like telnet, it allows you to quickly connect to remote machines, which is handy if not essential for a variety of administration and other tasks. In fact, the most significant security enhancement that ssh gives you may not be that it encrypts the contents of your remote session (which it does), but rather that it encrypts the login exchange itself, meaning that your password is never sent unencrypted over the network. Even in a supposedly secure environment, for instance behind a corporate firewall, it’s a good idea to use ssh instead of telnet whenever possible (which basically means whenever the two machines which are communicating both have it installed). It adds an extra bit of security, and it also gets you into the habit of using it and of making sure it is installed and available on all machines you routinely connect to. Then, when you are operating in a less secure environment (for instance, if you need to connect from off site), you will reach for ssh out of habit and will be opting for security by default.

Mac OS X has ssh installed by default (as part of a regular update package), and you can use it to connect with remote machines without further setup. To enable connections to your machine you merely need to enable remote login in the Sharing pane of System Preferences (after the update which installs ssh on Mac OS X, this setting is connected to ssh rather than to telnet, which is then disabled by default). The ssh “server” component (sshd) can be run out of inetd, but it is more commonly run as a standalone daemon. If you need to install ssh separately (either because you wish to install a newer version or because your current install is damaged), there are instructions on Stepwise for building and installing OpenSSH under Mac OS X. (The article also includes instructions for compiling in support for using tcpwrappers to further secure things by restricting remote login to a specific set of hosts and adding additional logging.) This version of ssh is free and open-source (part of the OpenBSD project, in fact), and leverages the OpenSSL library for many of its cryptographic algorithms. There are commercial versions available as well (and older free versions from commercial vendors), but for most users OpenSSH is a good choice. OpenSSH tries very hard to avoid the use of patented algorithms in its implementation, in order to avoid the attendant restrictions to free development and distribution, and consequently does not support some of the algorithms found in commercial versions. This can be seen as either a virtue or a shortcoming, but in practice it does not interfere with its use.

Building OpenSSH 2.9 on Mac OS X 10.0.x
http://www.stepwise.com/Articles/Workbench/2001-05-02.03.html

Securing your Host—tcpwrappers
http://www.theorygroup.com/Theory/Systems/tcpwrappers.html

The SSH Suite

Overall, ssh has a great deal of flexibility in the details of its use. It supports a variety of authentication schemes, from RSA or Kerberos-based authentication to simple passwords or automatic login between trusted hosts; you can choose from several different algorithms (also called ciphers) for the encryption; and you can use ssh for port-forwarding to wrap insecure protocols inside of a secure transfer stream. And in addition to enabling remote login sessions, the ssh distribution contains several related tools which take advantage of ssh’s base facilities for secure communication.

For file transfer, there is scp (an analog of rcp and ultimately cp, if you are familiar with those), which is used to copy files between systems over an ssh-based, encrypted channel. Server environments today are often set up without ftp installed in order to enhance security, and in such situations scp is the tool of choice for moving files onto and off of these systems. In addition to encryption, scp also supports compression of files during transit in order to speed transfer, using the same algorithm as gzip. (Compression is also supported by ssh itself, but the benefits are more likely to be noticeable during large file transfers than during a standard interactive login session, although over slow connections compression could make ssh “faster” than telnet for interactive use.) The scp tool has the same semantics as cp, so that source and destination are specified when invoking the tool, rather than being chosen interactively as is commonly done with ftp tools. This can be somewhat inconvenient, as you need to know the exact path to use on the remote system before invoking the tool, which will often necessitate a separate ssh login to “browse around” the remote filesystem to determine the correct path. On the plus side, scp can be used to transfer files between remote systems: neither the source nor the destination needs to be local.

On the other hand, if you need the convenience and flexibility of the interactivity of ftp, you might find sftp more to your liking. It’s a newer addition to the ssh family, and is likely to be less widely deployed at this time. It provides an ftp-like interactive session for file transfer, with similar commands to those used by ftp. Technically, sftp is not itself a secure protocol, but rather it is a protocol designed to be used over a secure channel, provided by ssh. There is a separate executable, sftp-server, which is used by OpenSSH to enable sftp on the server side, but it is invoked by the sshd daemon rather than running separately, so it requires minimal configuration and setup to get it running. One caveat is that sftp is reported to be significantly slower than the traditional scp, although it’s not clear whether this is inherent to the protocol it uses, or if it’s just the result of a still-evolving implementation. Note also that sftp is not simply ftp secured via ssh port-forwarding, because ftp’s use of two separate TCP/IP connections for control commands and data transfer makes this difficult to do; instead, sftp uses a single stream to do its work.
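The two-connection problem described above, as an added example that is not part of the original column: this Python sketch parses the RFC 959 host-port fields from a constructed FTP control-channel transcript and lists each data connection that a tunnel carrying only the control port would leave outside ssh. The function names, the sample addresses and the assumption that only port 21 is forwarded are illustrative.

```python
import re
from typing import NamedTuple, Optional

# Six comma-separated numbers h1,h2,h3,h4,p1,p2, as used by the PORT
# command and the 227 (passive mode) reply in RFC 959.
_HOSTPORT = re.compile(
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


class DataEndpoint(NamedTuple):
    mode: str   # "passive": client dials server; "active": server dials client
    host: str
    port: int


def parse_data_endpoint(line: str) -> Optional[DataEndpoint]:
    """Return the data-connection endpoint negotiated by one control line."""
    text = line.strip()
    upper = text.upper()
    if upper.startswith("227"):
        mode = "passive"
    elif upper.startswith("PORT "):
        mode = "active"
    else:
        return None          # not a line that negotiates a data connection
    match = _HOSTPORT.search(text)
    if match is None:
        return None
    octets = [int(g) for g in match.groups()]
    if any(o > 255 for o in octets):
        return None          # malformed field, ignore rather than guess
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]   # port is sent as two bytes
    return DataEndpoint(mode, host, port)


def unforwarded_data_channels(control_lines, forwarded_ports):
    """Data endpoints whose port has no forward set up in advance."""
    found = []
    for line in control_lines:
        endpoint = parse_data_endpoint(line)
        if endpoint is not None and endpoint.port not in forwarded_ports:
            found.append(endpoint)
    return found


# Constructed transcript; addresses come from documentation-only ranges.
SAMPLE_SESSION = [
    "220 ftp.example.test ready",
    "USER alice",
    "331 Password required",
    "PASV",
    "227 Entering Passive Mode (192,0,2,10,195,80)",
    "RETR report.txt",
    "PORT 198,51,100,7,4,1",
    "200 PORT command successful",
]

if __name__ == "__main__":
    # Assumption: the ssh tunnel carries only the control port (21).
    for ep in unforwarded_data_channels(SAMPLE_SESSION, {21}):
        print(f"{ep.mode} data connection to {ep.host}:{ep.port} is outside the tunnel")
```

Because each data port is chosen during the session, a forward configured beforehand cannot anticipate it, so the file contents would travel unencrypted even though the login was tunnelled.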

References

Online, you can find most of the essential information you need at the OpenSSH web site, including download locations, online manual pages, and a short FAQ, as well as links to other sites with articles and even more information. There is also another ssh FAQ available online, more general but somewhat geared toward the commercial versions of ssh.

OpenSSH
http://openssh.org

OpenSSH Manual pages
http://openssh.org/manual.html

OpenSSH FAQ
http://openssh.org/faq.html

OpenSSH Articles
http://openssh.org/press.html

The Secure Shell Frequently Asked Questions
http://www.tigerlair.com/ssh/faq/ssh-faq.html

There are also a couple of books available devoted entirely to ssh. They can provide you with all the details and options you have for setting up and using ssh on your systems, as well as using it for advanced applications such as tcp port forwarding. Possibly more importantly, they’ll guide you through the minefield of terminology surrounding different versions of ssh products and protocols (which are very easy to confuse), and spell out differences and interoperability issues surrounding the different implementations. Try either SSH, The Secure Shell: The Definitive Guide (ISBN: 0-596-00011-1) from O’Reilly and Associates, or UNIX Secure Shell (ISBN: 0071349332) from Osborne. There is also an excellent web site to accompany the O’Reilly book, with extensive reference information and links to protocol specifications and other reference material.

SSH, The Secure Shell: The Definitive Guide
http://www.snailbook.com

For further helpful info, check out the top 10 FAQ list from Richard Silverman, one of the authors of the O’Reilly book. The security-minded user (which should be everyone, right?) will also want to check out a recent article on SecurityPortal.com about a potential security weakness with ssh, as well as the follow-up rebuttal article from Richard Silverman which corrects some factual errors and gives a less alarmist perspective. For further security info, take a look at the OpenSSH Security page.

Top Ten Secure Shell FAQs
http://sysadmin.oreilly.com/news/sshtips_0101.html

The End of SSL and SSH?
http://www.securityportal.com/cover/coverstory20001218.html

dsniff and SSH: Reports of My Demise are Greatly Exaggerated
http://sysadmin.oreilly.com/news/silverman_1200.html

OpenSSH Security
http://openssh.org/security.html

Finally, for those interested in some of the more advanced features of ssh, start with the SSH Protocol Architecture internet-draft from the IETF for an extensive high-level overview of the protocol. Then, check out an article from the O’Reilly Network on using an ssh tunnel to increase the security of 802.11b wireless networking, such as that used by AirPort.

SSH Protocol Architecture
http://openssh.org/txt/draft-ietf-secsh-architecture-07.txt

Using SSH Tunneling
http://www.oreillynet.com/pub/a/wireless/2001/02/23/wep.html

If you are not yet using Mac OS X (and why aren’t you, huh?), then you can still connect via ssh to remote machines using one of the two clients for the Classic Mac OS. There is NiftyTelnet SSH (based on NiftyTelnet itself) supporting the SSH1 protocol, including scp capabilities, and MacSSH, which is a modified version of BetterTelnet supporting SSH2. Both are available free of charge. If you are running Mac OS X but would prefer a graphical file-transfer tool, try RBrowser, a GUI-based ftp tool which also supports ssh- and scp-based file browsing and transfer. It is still in beta testing, and will require a licensing fee once it is final.

NiftyTelnet SSH
http://www.lysator.liu.se/~jonasw/freeware/niftyssh/

MacSSH
http://www.macsecsh.com/

RBrowser
http://www.rbrowser.com/RBrowser_main.html

 

All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.