Haskins Tech Note HT0001
Secure Shell connections

Author: Alice Faber
Created: Jan. 30, 2004; revised Mar. 3, 2004

Secure Shell connections to Alvin (and other Haskins Linux computers)

Secure shell (SSH) is (as its name suggests) a more secure way of connecting to another computer than Telnet is. Once you are connected, you can interact in the same ways as if you are connected with Telnet. Among other things, you can check your mail on Alvin using the program pine. This is useful if you are away from your regular email connection and you want to make sure that mail that you read remains on the server. It is also useful if somebody emails you an attachment that you don’t want to download; you can delete the mail from Alvin without downloading it. In order for you to do this, you will have to have full login to Alvin enabled for you - this is separate from having a Haskins email account (see the Haskins support staff for assistance with this).

The security in SSH involves some (mostly hidden) extra layers that serve to verify to the host computer that you are who you say you are and to your desktop client that the host computer is what it says it is. The goal of this security is to prevent a so-called “Man in the Middle attack”, whereby someone interposes an additional computer in this chain with the goal of stealing your password and, with it, access to your account. (As to what a hacker would do with your account, well they could randomly delete your files, store files in your disk space, or send out spam that appears to be from you.)

In order to connect to Alvin using SSH, you need to use a program that supports SSH2 connections. (There is also an SSH1 protocol, but the encryption in SSH2 is more rigorous.) On a Windows computer, you can use FSecureSSH (a commercial program that the lab has a license for). There is also a freeware program called PuTTY, which may or may not work; I have no direct experience with it. For Mac OS 8.x and 9.x, you can use FSecureSSH also, or MacSSH PPC, a freeware program. If you are connecting from a UNIX computer, including one running OS X, you don’t need any special software; an SSH client is available from the command line: at the system prompt, simply type the following to start a connection (here and elsewhere, bolding indicates material that you will need to type):

$ ssh alvin.haskins.yale.edu

This added layer of security works via a key. Every time the system software on Alvin is changed, a new key is generated. The first time you attempt a secure shell connection to Alvin, you will see something like the following (the exact form of the message will depend on which software you are using; these examples come from another computer running UNIX):

The authenticity of host 'alvin.haskins.yale.edu (130.132.95.10)' can't be established.

RSA key fingerprint is
e0:1d:f1:70:7f:67:b8:e0:14:b9:1c:14:77:26:f1:b6.

Are you sure you want to continue connecting (yes/no)?

If you reply ‘yes’ (you must type the entire word; ‘y’ alone will not be accepted), you will receive the following message:

Warning: Permanently added 'alvin.haskins.yale.edu,130.132.95.10'
(RSA) to the list of known hosts.

You will then be faced with the ordinary log-in screen for your account on Alvin, and a ‘known hosts’ file will be created. The location of this file will depend on how you are creating your SSH session. If you are connecting from another UNIX computer (say, Dadour or Mermel), this file will reside in a directory .ssh in your home directory. This directory is created the first time you invoke SSH.

panix1% pwd
/net/u/5/a/afaber/.ssh
panix1% ls -la
total 16
drwx--x--x 2 afaber users 4096 Jul 17 14:11 .
drwx------ 9 afaber users 4096 Jul 17 11:19 ..
-rw-r--r-- 1 afaber users  246 Jul 17 14:11 known_hosts2

(The -2 in the file name known_hosts2 encodes that the connection to Alvin was made using the SSH2 protocol which is, not surprisingly, more secure than the original SSH1 protocol.)

Once you have done this, anytime you attempt to connect to Alvin, you should simply see a request for your password. It may happen, however, that, instead of the request for your password, you get the following message:

WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!

IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is e0:1d:f1:70:7f:67:b8:e0:14:b9:1c:14:77:26:f1:b6.
Please contact your system administrator.
Add correct host key in /home/faber/.ssh/known_hosts2 to get rid of this message.
Offending key in /home/faber/.ssh/known_hosts2:2
RSA host key for alvin has changed and you have requested strict checking.
The authenticity of host 'alvin (130.132.95.10)' can't be established.
RSA key fingerprint is e0:1d:f1:70:7f:67:b8:e0:14:b9:1c:14:77:26:f1:b6.
Are you sure you want to continue connecting (yes/no)?

If you know for sure that something has changed on Alvin (for instance, that its system software was updated and a new key generated), go ahead and say yes. If you’re not sure, ask me first; if we don’t know, we’ll ask the folks at Yale who provide software maintenance on Alvin whether they’ve changed anything. If so, it’s safe to say yes and have the new key over-write the old key.

Dadour is configured to allow you to over-write the key. Some other UNIX machines require you to find the key on your computer and delete it before a new key can be written. Assuming that you’re in your home directory, do the following:

$ cd .ssh

$ rm known_hosts2

The prompt that you see (instead of or preceding the $) will depend on how your system is set up. The cd command changes directories, and rm is the delete command. Alternatively, you can use pico (or emacs or vi - if you don’t know what these are, don’t worry - or any other editor) to delete only the line in known_hosts2 containing the key for Alvin; you may have other keys stored that you’d prefer not to lose.
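The following script is an added example; it is not part of the original note and not code from the SSH software the note describes. It shows, offline, what the client does with the known hosts file: it reads entries in the one-line-per-host format shown above, computes the colon-separated MD5 fingerprint that the "RSA key fingerprint is ..." message prints (the MD5 of the raw public-key data on the line), classifies a connection as first-time, matching, or changed (the three situations described above), and removes only the line for one host so that the other stored keys are kept, which is the editing step just described. The two known_hosts entries are constructed for the example from tiny, deliberately unusable key numbers; the names alvin.haskins.yale.edu, dadour and the address 130.132.95.10 come from the note. The function names are my own.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """SSH wire-format mpint: big-endian bytes with a leading 0x00 when the high bit is set."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def make_rsa_blob(e: int, n: int) -> bytes:
    """Raw ssh-rsa public-key blob, the data that is base64-encoded on a known_hosts line
    (RFC 4253 section 6.6: string "ssh-rsa", mpint e, mpint n)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint of a key blob, the format ssh printed at the time of this note."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


# Constructed known_hosts contents for this example. The key numbers are tiny and
# unusable as real keys; only the line format (hosts, key type, base64 blob) is real.
ALVIN_BLOB = make_rsa_blob(65537, 0xC0FFEE123456789ABC)
DADOUR_BLOB = make_rsa_blob(65537, 0xDEADBEEF0BADF00D)
KNOWN_HOSTS = (
    "alvin.haskins.yale.edu,130.132.95.10 ssh-rsa "
    + base64.b64encode(ALVIN_BLOB).decode("ascii")
    + "\n"
    + "dadour ssh-rsa "
    + base64.b64encode(DADOUR_BLOB).decode("ascii")
    + "\n"
)


def parse_known_hosts(text: str):
    """Return [(hostnames, key_type, blob)] for each well-formed line; blanks, comments
    and damaged lines are skipped rather than trusted."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            blob = base64.b64decode(parts[2], validate=True)
        except ValueError:
            continue
        entries.append((parts[0].split(","), parts[1], blob))
    return entries


def stored_fingerprints(text: str, host: str):
    """Fingerprints stored for host, matching any name or address listed on the line."""
    return [(key_type, md5_fingerprint(blob))
            for hosts, key_type, blob in parse_known_hosts(text) if host in hosts]


def fingerprint_matches(actual: str, expected: str) -> bool:
    """Compare two fingerprints ignoring case and surrounding space."""
    return hmac.compare_digest(actual.strip().lower(), expected.strip().lower())


def check_host(text: str, host: str, presented_fp: str) -> str:
    """Classify a connection the way ssh does:
    'unknown'  - nothing stored: ssh asks you to confirm the fingerprint (first connection)
    'match'    - stored key agrees: you simply get the password prompt
    'mismatch' - stored key differs: the REMOTE HOST IDENTIFICATION HAS CHANGED warning"""
    stored = stored_fingerprints(text, host)
    if not stored:
        return "unknown"
    if any(fingerprint_matches(fp, presented_fp) for _, fp in stored):
        return "match"
    return "mismatch"


def remove_host(text: str, host: str) -> str:
    """Drop only the lines for host, keeping every other stored key."""
    kept = [line for line in text.splitlines()
            if not (len(line.split()) >= 3 and host in line.split()[0].split(","))]
    return "\n".join(kept) + ("\n" if kept else "")


if __name__ == "__main__":
    alvin_fp = stored_fingerprints(KNOWN_HOSTS, "alvin.haskins.yale.edu")[0][1]
    print("stored fingerprint for Alvin:", alvin_fp)
    print(check_host(KNOWN_HOSTS, "alvin.haskins.yale.edu", alvin_fp))              # match
    print(check_host(KNOWN_HOSTS, "mermel", alvin_fp))                              # unknown
    print(check_host(KNOWN_HOSTS, "130.132.95.10", md5_fingerprint(DADOUR_BLOB)))   # mismatch
    print(remove_host(KNOWN_HOSTS, "alvin.haskins.yale.edu"), end="")               # only the dadour line remains
```

The 'mismatch' branch is the situation the warning above describes: the only safe response is to confirm, through the people who maintain the host, that the key really was changed, and only then to remove the single stale line and reconnect.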

If you are logged on to one of the UNIX machines, or if you are using the Terminal application in Mac OS X, the above directions will work just fine; you don’t need any additional software to run SSH. One catch that you need to be aware of if you’re using OS X, though, is that your name on the OS X machine may not be the same as your account name on Alvin or the other UNIX machines.

Instead of typing

$ ssh alvin

or

$ ssh alvin.haskins.yale.edu

you can type

$ ssh -l yourloginname alvin

(That’s a lower-case L, not the numeral one.) If you do this a lot, you can define a shortcut as follows:

$ cd .ssh
$ pico config

Pico is a fairly minimal text editor. When you invoke it, you’ll be told you’ve started a new file. Type the following lines, replacing ‘yourloginname’ with your login name:

Host alvin
HostName alvin.haskins.yale.edu
User yourloginname

To exit and save the file type ^x (control-x) and confirm the file name. Now, you’ll never again need to specify the different login name. All you’ll have to do is type

$ ssh alvin

and you will be prompted for your password. If you think you will want to SSH to Dadour or Mermel (or any other UNIX computer), you can add a further set of these three lines for each computer to your ~/.ssh/config file, making the appropriate changes.

If you are using Windows or a Mac running OS 8.x or 9.x, you’ll need to install an SSH client on your computer, if you haven’t done so already. For Windows (any version), if you’re using a Haskins computer, I can install the program FSecureSSH. This program is available for Mac OS 8/9 as well, but there’s also a perfectly adequate free program called MacSSH PPC that you can download (or you can go to Versiontracker.com and search for "MacSSH"). Don’t be deterred by the fact that the program is described as a beta; it works beautifully. Configuring both programs is straightforward. The most important thing to remember is to specify SSH2 as your connection protocol; otherwise you won’t be able to connect.

FSecure for Windows stores its keys in the system Registry. If you ever have to delete a key, you can do so by finding it in the Registry and deleting it. If you would rather not do that (and there are very good reasons not to), there is a menu option that will delete keys. Under the Edit menu, select Preferences; then highlight Host Keys. You will see a list of server keys stored in the Registry, and you can delete the outdated key.

MacSSH stores its keys in a ‘known keys’ file in the MacSSH folder in the Preferences folder. To set up a connection in MacSSH, open the program. Under the Favorites menu, select Edit Favorites, and then click New. You will see a tabbed window. On the General tab, fill in the Alias and Host Name blanks with ‘Alvin’ and ‘alvin.haskins.yale.edu’ respectively. Then, move to the Security tab, and, for Protocol, select ‘ssh2 Secure Shell’. You can also fill in your Username here. However, unless you are the only person with physical access to your computer, you shouldn’t succumb to the temptation of entering your Password. Click OK. Now Alvin will appear under the Favorites menu, and you will be prompted for your password.


Haskins Laboratories • 300 George Street
New Haven, CT 06511 • 203.865.6163