
A Guide to Using SSH

Nick Reynolds
School of Computer Science and Information Technology
University of Nottingham
nir@cs.nott.ac.uk

Revision: 1.0

Last updated: 14th October 2002


Introduction

As a member of the School you will often need to log in quickly and easily to another UNIX or Linux server to perform some tasks. In most cases you will probably be logging in to one of the School's Solaris servers (robin, tuck, much, scarlet or marian). You may be familiar with the telnet protocol: from one UNIX machine you can log in to another using a command such as:

  telnet marian.cs.nott.ac.uk

Many versions of Windows also have a telnet client available (although it may not be in your Start menu; you may have to run it from a command prompt).

Telnet is a very simple protocol: what you type on your keyboard is passed straight to the server you have connected to, and what comes back is sent straight to the screen (terminal window). The path between two computers on the Internet is not, in general, secure: there is no way of knowing exactly which route your data will take to reach its destination, and there is a good chance that the data can be seen by network cards in computers for which it is not intended. (This all depends on the infrastructure along the way, which is far beyond the scope of this document.)

Having data passed freely around different parts of networks was not a major concern when the TCP/IP (Internet) protocols were first designed, but that was before anybody expected TCP/IP networks to grow quite this big! When you log in to servers using telnet, your password isn't encrypted in any way and each keypress is sent individually, so logging in to sites over the Internet using telnet means your unencrypted password passes through various pieces of equipment on the way to its destination and, depending on the hardware involved, it could be broadcast to networks of hundreds or even thousands of computers!

There is no point in panicking if you have been using telnet to log in to sites for years; it's unlikely that anyone has obtained your password. The point I am making is that it is certainly possible.

I'm sure you have heard in the media about the importance of not filling in forms on web sites with your credit card details unless it is a secure page (one whose URL begins with https://). That's because standard web pages (with http:// URLs) pass unencrypted data around in exactly the same way as telnet.

SSH was designed as a replacement for telnet that transparently encrypts data along its path across the Internet; its use is very strongly encouraged, and many sites are now removing standard telnet access altogether. This document describes the use of SSH together with the secure file copying tools scp and sftp (which replace rcp and ftp).

Installing and Using an SSH Client

Windows SSH Client (95/98/ME/NT/2000/XP)

Although you may have telnet installed by default, unfortunately there is no SSH client in a standard Windows install. There are a number of clients downloadable from here; if you are unsure how to install and set one up, I suggest downloading PuTTY and following the instructions below.

Installing PuTTY

  • You can download it from here. Select save and enter the location to save it. As it's a stand-alone executable there is no setup utility to execute.

Using PuTTY

  • Run the executable you have just installed.
  • In the Host Name box, enter the name of the machine you are trying to connect to (if you are connecting to the School's machines, enter the hostname of your home UNIX server, which will be robin.cs.nott.ac.uk, tuck.cs.nott.ac.uk, much.cs.nott.ac.uk, scarlet.cs.nott.ac.uk or marian.cs.nott.ac.uk).
  • IMPORTANT: select protocol SSH.
  • If you will be connecting to this machine again in the future, it is suggested you enter the hostname again in the Saved Sessions box and click Save, so that in future you can just double-click on the hostname to connect.
  • Click Open.
  • A Security Alert box may now be displayed if this is the first time you have connected to this machine; it will say the host key is not cached in the registry. Click Yes to cache it and connect.
  • Now log in!

You have now connected using a secure connection.

Advanced PuTTY - Tunnelling

See Appendix A, Tunnelling/Forwarding for information about SSH tunnelling. To set up PuTTY to forward WWW traffic for School machines using this method (and so to allow you access to pages restricted to local access only):

  • Run the PuTTY executable and configure the session options as you did by following Using PuTTY above.
  • Click on the Tunnels option (listed under Connection -> SSH).
  • Add new forwarded port as:
    Source port: 3128
    Destination: wwwcache.cs.nott.ac.uk:3128
    Ensure Local is selected
  • Find the option in your web browser to set the Automatic Configuration Script (in Netscape: Edit -> Preferences -> Advanced -> Proxies; in IE: Tools -> Internet Options -> Connections -> LAN Settings).
    Set it to
    • For general ISP's:
      http://www.cs.nott.ac.uk/proxy.config.external
    • For machines connected to SNS:
      http://www.cs.nott.ac.uk/proxy.config.sns
    If there is no option to set an automatic configuration script, you'll have to set a configuration manually by setting your proxy server as: http://127.0.0.1:3128/

Remember to restore your browser settings back to normal!

GNU/Linux and UNIX SSH Clients

There is a good chance you already have an SSH client installed if you are using a recent distribution; see if the command ssh exists. If not, in the case of Linux you can check whether a version is available on the distribution media, using whatever package manager is available to you to find it; it may be called OpenSSH.

Failing that, you can download OpenSSH from http://www.openssh.org/

Using (Open)SSH

You can make a secure connection to a remote machine using the command:

  ssh [username]@[hostname]

So to connect to School machines, type your CSiT username and full home UNIX machine name, e.g.:

  ssh nir02u@robin.cs.nott.ac.uk

There are many other options available to you, man ssh will probably help you out here.

When you connect to a machine for the first time, you will be presented with a message saying that the host key for the machine is not known. Choose to add it to the known hosts, then log in with your password.
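Caching a host key (the PuTTY Security Alert and the OpenSSH "not known" prompt above) means recording the server's public key so that later connections can be checked against it, and the check that matters at that first prompt is comparing the displayed fingerprint with one obtained from the School by another route. The following is an added example, not part of this guide or of OpenSSH: it parses known_hosts-style entries in both plain and HashKnownHosts form and derives an OpenSSH-style SHA256 fingerprint; the key blob and salt are constructed placeholders, not real keys.

```python
import base64
import hashlib
import hmac

# Constructed placeholder blob: a real entry carries the server's base64 public key.
SAMPLE_KEY = base64.b64encode(b"constructed-host-key-blob-not-a-real-key").decode()
SALT = b"constructed-20B-salt"  # HashKnownHosts uses a random 20-byte salt per entry


def hashed_host_field(hostname: str, salt: bytes) -> str:
    """HashKnownHosts host field: |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def host_matches(field: str, hostname: str) -> bool:
    """True if a known_hosts host field (plain comma list or hashed) names hostname."""
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|")
        expected = hashed_host_field(hostname, base64.b64decode(salt_b64))
        return hmac.compare_digest(expected, field)
    return hostname in field.split(",")


def lookup_host_key(known_hosts: str, hostname: str, port: int = 22):
    """Return (keytype, blob) cached for hostname ([host]:port if not 22), else None."""
    name = hostname if port == 22 else "[%s]:%d" % (hostname, port)
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):  # skip comments, @markers
            continue
        if host_matches(parts[0], name):
            return parts[1], parts[2]
    return None


def sha256_fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed known_hosts text: one plain entry (with an alias) and one hashed entry.
KNOWN_HOSTS = "\n".join([
    "robin.cs.nott.ac.uk,robin ssh-ed25519 " + SAMPLE_KEY,
    hashed_host_field("marian.cs.nott.ac.uk", SALT) + " ssh-rsa " + SAMPLE_KEY,
])

if __name__ == "__main__":
    for host in ("robin.cs.nott.ac.uk", "marian.cs.nott.ac.uk", "tuck.cs.nott.ac.uk"):
        entry = lookup_host_key(KNOWN_HOSTS, host)
        print(host, "not cached: verify the fingerprint out of band" if entry is None
              else "%s %s" % (entry[0], sha256_fingerprint(entry[1])))
```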

Advanced (Open)SSH - Tunnelling

See Appendix A, Tunnelling/Forwarding for information about SSH tunnelling. To set up SSH to forward WWW traffic for School machines using this method (and so to allow you access to pages restricted to local access only):

Run ssh as you did before, but this time add a command line option to set up a port forward. You will be forwarding local port 3128 to port 3128 on the remote host wwwcache.cs.nott.ac.uk, so your command should be:

  ssh -L 3128:wwwcache.cs.nott.ac.uk:3128 [username]@[hostname]

e.g.:

  ssh -L 3128:wwwcache.cs.nott.ac.uk:3128 nir02u@robin.cs.nott.ac.uk

Now you need to configure your web browser: find the option to set the Automatic Configuration Script (in Netscape: Edit -> Preferences -> Advanced -> Proxies; in IE: Tools -> Internet Options -> Connections -> LAN Settings). Set it to:

  • For general ISP's:
    http://www.cs.nott.ac.uk/proxy.config.external
  • For machines connected to SNS:
    http://www.cs.nott.ac.uk/proxy.config.sns

If there is no option to set an automatic configuration script, you'll have to set a configuration manually by setting your proxy server as: http://127.0.0.1:3128/

Remember to restore your browser settings back to normal!

Installing and Using SCP and SFTP Clients

Windows SCP and SFTP Clients (95/98/ME/NT/2000/XP)

Although you may have ftp installed by default, unfortunately there is no SCP or SFTP client in a standard Windows install. There are a number of clients downloadable from here; if you are unsure how to install and set one up, I suggest downloading WinSCP and following the instructions below.

Installing WinSCP

  • You can download it from here. Select save and enter the location to save it. As it's a stand-alone executable there is no setup utility to execute.

Using WinSCP

  • Run the executable you have just installed.
  • In the hostname box, enter the name of the machine you are trying to connect to (if you are connecting to the School's machines, enter the hostname of your home UNIX server, which will be robin.cs.nott.ac.uk, tuck.cs.nott.ac.uk, much.cs.nott.ac.uk, scarlet.cs.nott.ac.uk or marian.cs.nott.ac.uk).
  • Enter your username and password as well. (The port number should be left as 22.)
  • Click Connect.
  • You may get a message about the host key not being cached in the registry if this is the first time you have connected to this host. Click OK.
  • You can now select the directories on your local machine and the remote machine that you want to transfer between, and use the options to copy files.

GNU/Linux and UNIX SCP and SFTP Clients

As the scp and sftp utilities are provided within the OpenSSH suite, if you now have SSH installed you will probably have these utilities installed as well.

SCP to Copy Files

To copy a file from the local machine to a remote one:

  scp [path to filename] [username]@[remote machine]:[destination path]

e.g.:

  scp index.html nir02u@robin.cs.nott.ac.uk:public_html/

Or from a remote machine to the local one:

  scp [username]@[remote machine]:[path to filename] [destination path]

e.g.:

  scp nir02u@robin.cs.nott.ac.uk:public_html/index.html .

SFTP to Copy Files

To connect to a remote machine using SFTP, type:

  sftp [username]@[full hostname]

e.g.:

  sftp nir02u@robin.cs.nott.ac.uk

and enter your password. You may now use ftp-like commands to transfer files to and from the remote server; type help for a list of commands.

Only a minimum of options have been used in the examples above; don't forget to view the manual pages, info, and/or online help documents.

Appendix A: Tunnelling/Forwarding via SSH

There is a feature that allows you to tunnel TCP/IP traffic through your SSH connection. What this basically means is that rather than connecting directly to, for example, a web server (e.g. www.cs.nott.ac.uk), you can set up a tunnel so that a request for a web page on that server actually gets passed through your SSH connection and on to the web server. The web server therefore sees the request as coming from the server you are connected to via SSH rather than from your machine at home. A diagram would probably make things clearer, but I haven't drawn one yet! Here's a quick example:

I could be sitting at my computer at home, connected to an ISP we'll call A Nice Cheap ISP Ltd. I can use an SSH client such as OpenSSH or PuTTY to connect to the School's machines (in most cases you should connect to your home UNIX machine [robin.cs.nott.ac.uk, tuck.cs.nott.ac.uk, much.cs.nott.ac.uk, scarlet.cs.nott.ac.uk or marian.cs.nott.ac.uk]; do not try to SSH directly to the final destination machine). In my case I'd use marian.cs.nott.ac.uk and set up port forwarding so that all connections to port 8080 on my machine get forwarded over the SSH connection to www.cs.nott.ac.uk port 80.


           -----------     -------------
           | Home PC |-SEC-| Cheap ISP |
           -----------     -------------
                                 |
                                SEC
                                 |
                            ~~~~~~~~~~
                             INTERNET
                            ~~~~~~~~~~
                            /       \
                          SEC        \
                          /           \
               -------------         ----------
               | marian.cs |---INS---| www.cs |
               -------------         ----------


NOTE: It's far more complicated than this in reality!

SEC represents my request for a web page being passed to marian through my secure SSH connection; marian then passes the request on to the web server via a standard insecure connection (INS), the web server passes the contents of the page back, and it travels the same route in reverse. The point of this is that the web server sees the page request coming from marian.cs.nott.ac.uk, not from my home PC. This means I can access pages that are restricted to internal access only.

I could now access internal-access-only pages on the School web server by altering the URL so that instead of the host being http://www.cs.nott.ac.uk/ I change it to http://127.0.0.1:8080/. But what if the authors of some web pages have hardcoded the hostname into local links? When I click on them I'll be taken out of the forwarded connection and will be accessing the pages directly again. Also, what if pages on other servers such as http://marian.cs.nott.ac.uk/ are internal access only; will it still work? No!

There are a couple of ways around this, but the simplest and cleanest is to forward all your internal web traffic via our proxy servers. Now that you've read all of the above you probably realise you could have just skipped to here, but it's important to have an understanding of what is going on. Set up the port forwarding so that your local port 3128 is forwarded to wwwcache.cs.nott.ac.uk port 3128. Now configure your browser to use the proxy server as host 127.0.0.1 and port 3128. Once you have finished accessing local-access pages you can set the proxy configuration script in your browser (in Netscape: Edit -> Preferences -> Advanced -> Proxies; in IE: Tools -> Internet Options -> Connections -> LAN Settings) to be:

  • For general ISP's:
    http://www.cs.nott.ac.uk/proxy.config.external
  • For machines connected to SNS:
    http://www.cs.nott.ac.uk/proxy.config.sns

Revision History

  Revision   Date               Changes           Name
  1.0        14th October 2002  Initial document  Nick Reynolds

Updated 06/04/2006 by nir