Using SSH

What is SSH?

SSH, or Secure Shell, is a login method that encrypts both the session data and the password you send. Three clients replace the traditional tools:

  • ssh or slogin: replaces traditional rsh/rlogin and provides many more features.
  • scp: replaces traditional rcp
  • sftp: replaces ftp with a more or less similar interface

It is strongly recommended that you read the manpages for ssh, scp, slogin, sftp and other ssh manpages.

SSH can also forward other insecure services over the same encrypted tunnel. For example, X11, POP and IMAP can all be tunneled over an SSH channel. See below for more details.

Download SSH Clients

You can also download SSH clients from the CATS website. You need a UCSC student account for access, however (your SOE username and login will not work). Download from: http://www2.ucsc.edu/cats/sc/software/ssh/

What's the difference between OpenSSH and SSH?

SSH is the original, now commercial, version of the Secure Shell protocol developed at the University of Helsinki by Tatu Ylonen. OpenSSH was developed by a separate group as part of the OpenBSD project. There are, sadly, several differences that make using these products in a mixed environment difficult. Notably:

  • OpenSSH's version 2.X protocol 2 does not support hostbased authentication (.shosts)
  • OpenSSH uses a slightly different agent forwarding scheme, making it difficult to use ssh-agent with SSH.COM's daemon.

I tried to connect using my SSH client and it said "Connection closed"

If you are on an SOE machine, contact help@ucsc.edu, since this should not happen and is probably a system problem. If you are on a non-SOE machine, check the version of your SSH client and confirm it supports SSH protocol version 2. SOE is phasing out SSH protocol version 1 for security reasons. Compare your output to the examples below.

ssh -V
SSH Version 1.2.27 [sparc-sun-solaris2.6], protocol version 1.5.

This is the SSH.COM version 1 client. It does not support protocol version 2. See if there is an ssh2 client installed:

ssh2 -V

If it is not found, you need to obtain an ssh2 client to use on the system in question. If it is found, it will return something like:

ssh2: SSH Secure Shell 2.4.0 (non-commercial version) on sparc-sun-solaris2.6

Use this client and ask why it is not the default ssh client. If your client returns:

ssh -V
SSH Version OpenSSH-1.2.3, protocol version 1.5.
Compiled with SSL.

This is an earlier version of OpenSSH from openssh.com. Note the protocol version support of 1.5 means it is an ssh protocol 1 client only. You will need to upgrade to either a newer OpenSSH that supports version 2 of the protocol or SSH.COM's ssh2. Compare to newer versions of OpenSSH as below:

ssh -V
SSH Version OpenSSH_2.3.0, protocol versions 1.5/2.0.
Compiled with SSL (0x0090600f).

Note the 1.5/2.0 protocol support. Then check to see if the ssh client is configured to use version 2 of the protocol first. If you have a default OpenSSH installation, several things often expected from using SSH.COM's ssh are not the default. Look at the config file /etc/ssh/ssh_config. Lines you may want to uncomment or override in your ~/.ssh/config are:

Host *
    ForwardAgent yes
    ForwardX11 yes
    RhostsRSAAuthentication yes
    IdentityFile ~/.ssh/identity
    Protocol 2,1

NONE OF THESE ITEMS ARE ENABLED BY DEFAULT IN OPENSSH. The last line (Protocol 2,1) is critical if you do not want to type ssh -2 [hostname] every time you make an ssh version 2 connection. Again, this is only an issue with OpenSSH.
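
The version checks above, as an added POSIX sh example that is not part of the original FAQ: it classifies the `ssh -V` banners quoted on this page by protocol support and reads the first Protocol preference from a client config file. The function names classify_banner and first_protocol are hypothetical, and Host blocks in the config are ignored as a simplifying assumption.

```shell
#!/bin/sh
# Added example: triage `ssh -V` output and a client config for protocol 2.
# Banner formats are the ones quoted on this page; other clients may differ.

# classify_banner BANNER -> v1-only | v1+v2 | v2-only | unknown
classify_banner() {
    banner=$1
    # Extract the list after "protocol version(s)", e.g. "1.5/2.0."
    protos=$(printf '%s\n' "$banner" |
        sed -n 's/.*protocol versions\{0,1\} \([0-9][0-9./]*\).*/\1/p' | head -n 1)
    if [ -z "$protos" ]; then
        # SSH.COM's ssh2 banner carries no protocol list; match it by name.
        case $banner in
            ssh2:*) echo v2-only ;;
            *)      echo unknown ;;
        esac
        return 0
    fi
    has1=no; has2=no
    old_ifs=$IFS; IFS=/          # split "1.5/2.0." into one entry per protocol
    for p in $protos; do
        case $p in
            1|1.*) has1=yes ;;
            2|2.*) has2=yes ;;
        esac
    done
    IFS=$old_ifs
    case $has1$has2 in
        yesno)  echo v1-only ;;
        yesyes) echo v1+v2 ;;
        noyes)  echo v2-only ;;
        *)      echo unknown ;;
    esac
}

# first_protocol FILE -> first protocol on the first uncommented Protocol line.
# Simplification (assumption): Host blocks are ignored; ssh uses the first
# value it obtains for each option.
first_protocol() {
    tr 'A-Z' 'a-z' < "$1" |
        sed -n 's/^[[:space:]]*protocol[[:space:]=]\{1,\}\([0-9]\).*/\1/p' | head -n 1
}

# Constructed demo input: two banners copied from the page.
classify_banner 'SSH Version 1.2.27 [sparc-sun-solaris2.6], protocol version 1.5.'
classify_banner 'SSH Version OpenSSH_2.3.0, protocol versions 1.5/2.0.'
```

To check a live client, pass it the real banner with classify_banner "$(ssh -V 2>&1)", since ssh prints its version on standard error.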

How do I set up login without a password?

There are two primary methods: one that we support only within SOE systems for legacy reasons, and one that we recommend converting to. Within SOE systems, hostbased authentication is supported if you use the SSH.COM client, which is the supported ssh client on SOE systems for this reason. Hostbased authentication uses a file identical in format to the rlogin/rsh .rhosts file. A .shosts file lists the hosts and usernames you wish to be able to ssh from, without a password, to another system where that same .shosts file is often available over NFS. For example, the following .shosts file allows joeuser@cse.ucsc.edu to SSH from sundance.cse.ucsc.edu to any other SOE system where that .shosts file is in ~joeuser/.shosts:

sundance.cse.ucsc.edu joeuser

The other, preferred method of connecting without a password uses the ssh-agent program.