SSH - Securing Your Network Communications
1. What is it?
SSH stands for Secure Shell. You can use SSH simply as a secure replacement for telnet, but it's actually a lot more than that. SSH is a protocol that can be used to protect many different types of network communications (see section 6 below) - frequently being used to secure connections to UNIX servers, such as the IS-managed socrates, plato and POP mail services.
Many SSH implementations also include secure ftp clients.
2. Why do I need it?
Because the traditional alternatives aren't very secure. When you log in to a remote computer with telnet or ftp, your password is sent across the network to the server - and with the right software and a computer attached to the same network, anyone can see it if they wish to. Likewise, the rest of your session - the commands you type, the e-mail you send - can readily be monitored. (Unauthorised interception of network communications is of course a criminal offence, but this may not deter the reckless hacker.) In the early days of networked computing, the risk of this happening was rather remote, but now, with the Internet linking us all together, so-called sniffer attacks are relatively commonplace. SSH protects you against such eavesdropping by encrypting your transaction. An observer watching your traffic will see only random garbage; your password and your work remain private.
3. Where do I get it?
SSH clients are already installed on IS-managed WTS and UNIX timesharing systems.
For department- or user-managed machines, SSH clients can easily be obtained and installed. Two popular offerings (oriented towards Windows platforms) are:
SSH Communications Security(1) SSH client. A free licence is available covering academic and non-commercial use of the software. Registration is required.
PuTTY is a free Win32 combined telnet and SSH client.
The SSH Communications Security client is the one used on IS WTS. The UNIX client is from the same source, though many UNIX administrators now prefer OpenSSH (from http://www.openssh.org).
4. How do I use it?
WTS users can find the SSH client by selecting
Start / Programs / Software O-Z / SSH Secure Shell / Secure Shell Client
then clicking Quick Connect and typing in the username and hostname (or IP address) for the computer you wish to connect to. Settings can be saved in profiles for convenience.
Unix users can run a client from the command line:
ssh2 -l username hostname
where username should be replaced by the username you wish to log on as, and hostname represents the name of the system you are trying to connect to.
After a moment the system will prompt you to supply a password, and you will then be connected.
The first time you connect to a new system, you will normally receive a warning message to check its identity. The SSH Communications Security client on WTS explains why on its help screen, but the issues involved are quite technical and can, for the most part, be ignored.
Once you've connected, the SSH client will look and behave very much like telnet - you'll probably forget after a while you're using it.
The secure ftp client works similarly under WTS (Start / Programs / Software O-Z / SSH Secure Shell / Secure File Transfer Client), and offers a graphical interface. The facility is not currently available on IS-managed UNIX systems.
5. Which IS servers allow SSH access?
You can use SSH to connect to most IS-managed UNIX servers, provided you are authorised to do so. These include:
socrates socrates.ucl.ac.uk 18.104.22.168
plato plato.ucl.ac.uk 22.214.171.124
6. Tips for advanced users
As noted above, SSH can do more than just provide substitutes for telnet and ftp. It can protect other types of network traffic too. For instance, you can use it to provide a secure channel for your POP e-mail. This is a more complicated undertaking, and not one that we'd recommend to less experienced users.
For illustration, here's the setup for securing Eudora on WTS. Note that the procedure requires configuration changes to be made both to the SSH client and to Eudora itself.
First, the SSH client:
1. Start the SSH client and click Profiles / Add Profile. Call the profile 'socrates'.
2. Click Profiles / Edit Profiles... and then the Outgoing Tunneling tab.
3. Click the Add... button and provide the following details:
Display Name: POP mail
Listen port: 110
Destination Host: pop-server.ucl.ac.uk
Destination Port: 110
4. Click OK twice to return to the opening screen.
5. Click File / Save Settings to save your new configuration.
6. Click Profiles / socrates and login as normal.
7. Minimise the SSH client window by clicking on the control in its top right corner. Do not close it accidentally by clicking on the X control.
You should still see the socrates session visible in the taskbar at the bottom of the screen - if you don't, start the client up again and repeat steps 6 and 7.
Now set up Eudora:
1. Start Eudora and click Tools / Options.
2. Click hosts, and in the box labelled POP Account type
in place of username@pop-server.ucl.ac.uk, where username is your e-mail username.
3. Click OK to save your changes.
That's the end of the configuration. Try checking your e-mail in the usual way.
1. This procedure tunnels Eudora's POP traffic through the SSH connection. The SSH connection must exist for this to work. If you try to check your mail before you establish the SSH connection and log in, Eudora will fail.
2. Tunneling Eudora's traffic between WTS and the POP server is not a particularly useful exercise, as the network link between the two systems is private and not available to eavesdroppers. Where this might be very useful, however, is when you are checking your e-mail from your computer at home using an ISP. In such scenarios, your password will be transmitted across multiple untrusted networks.
3. The steps described protect only Eudora's POP traffic - which means, basically, your password and any mail you download. They do not protect mail you send, since sending uses a different protocol (SMTP: destination port 25, destination host pop2-smtp-server.ucl.ac.uk); if you want to protect this as well, you'll need to define a second tunnel in your profile.
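The tunnel profile above, together with notes 1 and 3, as a small Python script. This is an added example, not code from the page or from either SSH vendor: ssh_command_line gives the OpenSSH -L equivalent of the GUI profile (the ssh2 client's own syntax may differ), check_tunnel does what Eudora does first, connecting to the local listen port and reading the server's greeting, and serve_banner_once is a constructed stand-in for the far end of a tunnel so the check can be run offline; the SMTP entry and the "+OK"/"220" greetings are assumptions taken from the POP3 and SMTP protocols, not from the page.

```python
import socket
import threading

# Added example, not the page's own code. Each entry mirrors a tunnel in the
# SSH client profile: Eudora connects to "listen" on the local machine, and
# the SSH server connects on to host:port. The SMTP entry follows note 3.
TUNNELS = {
    "POP mail": {"listen": 110, "host": "pop-server.ucl.ac.uk", "port": 110, "greeting": "+OK"},
    "SMTP": {"listen": 25, "host": "pop2-smtp-server.ucl.ac.uk", "port": 25, "greeting": "220"},
}

def ssh_command_line(tunnels, username, ssh_host):
    """OpenSSH equivalent of the GUI profile: -L listen:host:port per tunnel, -N for no shell."""
    args = ["ssh", "-N"]
    for t in tunnels.values():
        args += ["-L", f"{t['listen']}:{t['host']}:{t['port']}"]
    return " ".join(args + [f"{username}@{ssh_host}"])

def check_tunnel(listen_port, greeting, local_host="127.0.0.1", timeout=3.0):
    """Connect to the local end of a tunnel, as the mail client would, and read
    the far server's first line. Returns (ok, detail). Note 1 on the page: with
    no SSH session up, nothing is listening and the connection is refused."""
    try:
        with socket.create_connection((local_host, listen_port), timeout=timeout) as s:
            banner = s.recv(512).decode("ascii", "replace").strip()
    except OSError as exc:
        return False, f"nothing listening on {local_host}:{listen_port} ({exc})"
    if banner.startswith(greeting):
        return True, banner
    return False, f"unexpected greeting {banner!r}: wrong tunnel or wrong service"

def serve_banner_once(banner):
    """Constructed stand-in for a tunnel's far end so the check runs offline:
    listen on an ephemeral local port, send one banner, close. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        conn.sendall(banner.encode("ascii"))
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    print(ssh_command_line(TUNNELS, "username", "socrates.ucl.ac.uk"))
    port = serve_banner_once("+OK POP3 ready\r\n")      # pretend the tunnel is up
    print(check_tunnel(port, TUNNELS["POP mail"]["greeting"]))
```

Run check_tunnel against port 110 (and 25) on the WTS machine after step 7 of the SSH client setup; a refused connection means the SSH session is not up, which is exactly the state in which Eudora fails.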
(1) A company founded by Tatu Ylönen, the creator of the SSH protocol.