WHY should I use SSH
--------------------

Ssh uses a pair of public and private keys to identify a specific account.
That is, the account is specified! Not the machine it is on, nor a specific
account name, but the actual account with an "id" private key matching its
corresponding public keys! IE: the actual account!

The old ".rhosts" access method is not safe from hackers who set up
machines to pretend they are other machines, and create appropriate
accounts to remotely login. Note that this should not be possible on a
secure network either, but it is more difficult to protect against,
particularly from networks your system programmers have no control of.

Ssh also automatically encrypts all the network traffic between the
machines, to prevent network snooping (even easier for hackers to do).

And it will set up an encrypted X windows link between the machines. IE: no
more messing around with "xauth" or "DISPLAY" stuff, ssh does all this for
you automatically.

Also, if you try to execute a remote command on a machine you do NOT have
authorization to use without a password, ssh will ask you for the password
for that machine. Rsh on the other hand will just say ``Permission Denied''
and abort.


SSH and X windows
-----------------

On many machines X window forwarding is turned off by default. This
especially includes PC SSH client programs, like "TeraTerm" or "PuTTY".
See
    http://www.cit.gu.edu.au/~anthony/info/app/ssh_terraterm.hints

All CIT UNIX machines turn on X11 forwarding by default.

Under Unix you can turn it on in a number of ways.

  * You can add the line "ForwardX11=yes" to either your personal ssh
    config file "$HOME/.ssh/config" or the system wide configuration
    "/etc/ssh/ssh_config" (ask your system administrator).

  * Alternatively the -X command line option can be added when executing
    ssh.

Refer to the SSH manpage for further information on configuration options.

Setup SSH for use without a password
------------------------------------

On each machine you have an account on, run the command

    ssh-keygen -t dsa

And press return after EVERY question.

ASIDE: DSA is a public key type and method, there are others, like RSA, or
a very very old version called RSA1 (version 1 of the ssh protocol). DSA is
usually enough.

This command will generate two files in a ".ssh" sub-directory of your
home. These are the two keys forming a private/public key pair:
".ssh/id_dsa" and ".ssh/id_dsa.pub".

Now append the public key from the file ".ssh/id_dsa.pub" generated by
ssh-keygen to the file ".ssh/authorized_keys" on the machine you would
like to login to without a password. This can be done with...

    ssh dest_host "echo `cat $HOME/.ssh/id_dsa.pub` >> .ssh/authorized_keys"

You will need to type in a password for this command, but once done a
password will no longer be required to go from the machine you generated
the keys on to the dest_host you copied the public part of the key to.

In the linux Labs, as the home directories are shared across all the
machines, you can do this with the much simpler command...

    cat .ssh/id_dsa.pub >> .ssh/authorized_keys


What are these files?
---------------------

In the ".ssh" sub-directory of your home...

  id_dsa
      Identifies this specific account on the machine you found it on.
      IE: its private key -- this should NEVER be copied or made readable
      by anyone except you. It should just exist.

  id_dsa.pub
      The public identification of this account. Append this to the
      ".ssh/authorized_keys" file of the destination machine you wish to
      login to without a password. (See above).

  authorized_keys
      A list of which accounts (IE: the accounts' public keys) are allowed
      to login to this machine without a password. You may have to create
      this file. It can contain multiple public keys, to give multiple
      accounts access to this account.

  known_hosts
      A list of the "host keys" (the machine's own public key) identifying
      a machine with its machine name.
      This is much more secure than just the machine "network name" or
      DNS, which hackers could "fake". The file may or may not exist, and
      could be empty, as the system programmers should have set up a
      "system" version of this list.

In OpenSSH version 2 you can also use the files "authorized_keys2" and
"known_hosts2" as an extra source of this information, on top of that
provided by the files above.


Permissions
-----------

Ssh, being a `secure shell', is very particular about file permissions.

For example, though it understands the rsh ".rhosts" authorization (if the
system programmers allow this), it insists on tighter permission checks
than rsh. It also has a ".shosts" file which has even tighter restrictions.
Better to use the public keys in any case.

At a minimum, your home directory cannot have group or world write
permissions turned on, the ".ssh" sub-directory and its contents may only
have permissions for you, the owner, and you must actually BE the owner.


Other How to Use SSH Guides
---------------------------

A very complete guide can be found on the web at
    http://kimmo.suominen.com/docs/ssh/

For details and differences between OpenSSH and the Commercial SSH see
    http://www.cit.gu.edu.au/~anthony/info/apps/ssh.hints

Using ssh and X windows from a PC (via TeraTerm or PuTTY)
    http://www.cit.gu.edu.au/~anthony/info/apps/ssh_putty.hints
    http://www.cit.gu.edu.au/~anthony/info/apps/ssh_terraterm.hints

Key Authentication with OpenSSH
    http://networking.earthweb.com/netsecur/article/0,,12084_992091,00.html
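
The rules from the Permissions section above, written as a check you can run against an account. This is an added example, not part of the original hints file; the function name check_ssh_perms and its helpers are made up here. It applies the rule as the page states it (owner-only for everything under ".ssh"), which is stricter than OpenSSH requires for files such as id_dsa.pub.

```shell
#!/bin/sh
# Added example (not from the original page): audit an account against the
# page's permission rules. Prints one line per problem found and returns
# 0 when the account is clean, 1 otherwise.

# "ls -ldn" is POSIX: field 1 is the mode string (e.g. drwx------),
# field 3 is the numeric owner id.
_mode()  { ls -ldn "$1" | awk '{print $1}'; }
_owner() { ls -ldn "$1" | awk '{print $3}'; }

check_ssh_perms() {
    csp_home=$1
    csp_uid=${2:-$(id -u)}      # the account expected to own everything
    csp_bad=0

    # Rule 1: home must not be group- or world-writable
    # (characters 6 and 9 of the mode string).
    case $(_mode "$csp_home") in
        ?????w*|????????w*)
            echo "home is group/world writable: $csp_home"; csp_bad=1 ;;
    esac
    [ "$(_owner "$csp_home")" = "$csp_uid" ] ||
        { echo "home not owned by uid $csp_uid: $csp_home"; csp_bad=1; }

    # Rule 2: .ssh and everything in it is owner-only and owned by you.
    for csp_f in "$csp_home/.ssh" "$csp_home"/.ssh/* "$csp_home"/.ssh/.[!.]*
    do
        [ -e "$csp_f" ] || continue       # unmatched glob or missing dir
        case $(_mode "$csp_f") in
            ????------*) ;;               # no group/other bits at all
            *) echo "group/other access on: $csp_f"; csp_bad=1 ;;
        esac
        [ "$(_owner "$csp_f")" = "$csp_uid" ] ||
            { echo "not owned by uid $csp_uid: $csp_f"; csp_bad=1; }
    done

    return $csp_bad
}

# Run against a directory given on the command line,
# e.g.: sh check_ssh_perms.sh "$HOME"
[ $# -eq 0 ] || check_ssh_perms "$@"
```

Anything it reports can be fixed with "chmod go-w $HOME" and "chmod -R go= $HOME/.ssh".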