SSH

SSH (Secure Shell) is a tool used to securely log in to remote computers from anywhere with an internet connection. All Computer Science students and staff have SSH access to a variety of computers operated by the School of Computer Science, including:

  • mimi.cs.mcgill.ca
  • linux.cs.mcgill.ca
  • freebsd.cs.mcgill.ca
  • ubuntu.cs.mcgill.ca

Installation

Linux/Mac OS X

If you are using a machine running Linux, OS X, or some other UNIX variant, then you should already have SSH installed. To confirm that it is installed, open a terminal and enter:

which ssh

SSH is installed if you see some output like:

/usr/bin/ssh

If you do not see output, you will have to install SSH yourself.

  • On Linux, use your distribution's package manager (e.g. apt-get install openssh-client).

Windows

Windows does not include an SSH client by default; users should install the open-source program called PuTTY.

Basic Usage

On Linux/OS X, SSH is very easy to use. To connect to our server named mimi, simply run the command:

ssh your_cs_username@mimi.cs.mcgill.ca

You will then be prompted to enter your password. If your credentials are accepted, then you're done; you are now logged in to mimi and can use the bash shell normally.

Windows users should open PuTTY, then enter your_cs_username@mimi.cs.mcgill.ca as the host name. A terminal will open up where you can enter your password then use the bash shell normally.

To terminate the SSH session, use the exit command:

exit
Connection to mimi.cs.mcgill.ca closed.

SSH Keys

A more convenient and secure way to log in to a remote computer is to use SSH keys instead of a password.

How Do SSH Keys Work?

SSH keys are based on public key cryptography. The basic protocol is as follows:

  1. On your personal computer, generate an SSH key pair. The key pair contains a public key, which you can place anywhere you want, and a private key, which you must keep safe.
  2. Place your public key on the server you would like to access.
  3. When you try to login to the server, the SSH program on the server will use your public key to generate a message that can only be decrypted using your private key.
  4. If your computer has your private key on it, it will decrypt the message and send an appropriate response.
  5. SSH will then log you in and encrypt all the traffic between your two computers.

How to Set Up SSH Keys

First, on your local machine, create an SSH key pair:

ssh-keygen -t rsa -C "your_email@example.com"

It is recommended to use the default settings and use a strong passphrase. The passphrase is used to encrypt the key itself in case it is lost or stolen. There is no way to recover your key if you forget your passphrase.

The keys live in the ~/.ssh directory:

ls -l ~/.ssh
-rw-r--r-- 1 demo demo 807 Sep 9 22:15 authorized_keys
-rw------- 1 demo demo 1679 Sep 9 23:13 id_rsa
-rw-r--r-- 1 demo demo 396 Sep 9 23:13 id_rsa.pub

Note that the id_rsa (private key) file is only readable and writable by the owner. It needs these strict permissions to keep it safe. SSH will reject keys that do not have these permissions. The id_rsa.pub is the public key that you can share. authorized_keys is a file used to keep track of the public keys that are able to access this computer.
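
The permission rules described above can be checked with a short script. This is an added example, not part of the original page; the function names are made up for illustration, and it assumes private key files can be recognised by the "PRIVATE KEY" header on their first line.

```shell
# Added example: the function names are illustrative, not OpenSSH commands.

# Octal permission bits of a file (GNU stat, then BSD/macOS stat).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeeds if the mode lets group or others write.
group_other_writable() {
    case $1 in *[2367]?|*[2367]) return 0 ;; esac
    return 1
}

# Succeeds if the mode gives group or others any access at all.
group_other_access() {
    case $1 in 0|*00) return 1 ;; esac
    return 0
}

# audit_ssh_dir DIR: print one line per finding; returns 1 if there are any.
audit_ssh_dir() {
    dir=$1
    rc=0
    mode=$(perm_of "$dir")
    if group_other_writable "$mode"; then
        echo "$dir: mode $mode, directory writable by group/others (fix: chmod 700)"
        rc=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(perm_of "$f")
        if head -n 1 "$f" 2>/dev/null | grep -q 'PRIVATE KEY-----'; then
            # Private key: no access for anyone but the owner.
            if group_other_access "$mode"; then
                echo "$f: mode $mode, private key open to group/others (fix: chmod 600)"
                rc=1
            fi
        elif [ "${f##*/}" = authorized_keys ] && group_other_writable "$mode"; then
            # Whoever can write this file can add a key and log in as you.
            echo "$f: mode $mode, writable by group/others (fix: chmod 644)"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: audit_ssh_dir "$HOME/.ssh"
```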

You can now transfer your public key to the remote server:

ssh-copy-id your_cs_username@mimi.cs.mcgill.ca

This will start an SSH session; once you enter your password, your public key will be transferred to the server. From now on, you won't have to enter your password when logging in over SSH.

SSH Tunnelling + SOCKS Proxy

When using insecure networks, the following will allow you to browse privately:

ssh -D 9999 linux.cs.mcgill.ca -l cs_username

In place of cs_username you can also use first.last@mail.mcgill.ca. Remember to configure your browser to use the SOCKS proxy on port 9999.

Graphics over SSH

To log in to one of the cs.mcgill.ca lab machines from an MS Windows machine at home and then run applications like Eclipse, xemacs, etc., download and install an X server (Cygwin/X), following its installation instructions.

To use graphics over SSH with OpenSSH in a UNIX environment, simply use a command like this:

ssh -X -Y -C host.cs.mcgill.ca

This will tell OpenSSH to use X forwarding so you can run graphical applications remotely.

Connecting to a Computer for the First Time

When you connect to a server for the first time, SSH will prompt you to confirm that you would like to connect to the machine.

ssh mimi.cs.mcgill.ca
Host key not found from the list of known hosts. Are you sure you want to continue connecting (yes/no)?

If you answer "yes", SSH will add the new server to the list of known hosts. This list contains servers that SSH accepts as secure. In the future, SSH will find the server on the list and will not ask you to continue.

Host 'mimi.cs.mcgill.ca' added to the list of known hosts.
Last login: Fri Jan  7 14:23:00 2000 from console
Linux mimi.cs.mcgill.ca 2.2.16 #4 Fri Jun 9 14:06:43 EDT 2000 i686 unknown

SSH's Most Common Warning Message Explained

ssh mimi.cs.mcgill.ca
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: HOST IDENTIFICATION HAS CHANGED!         @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the host key has just been changed.
Please contact your system administrator.
Add correct host key in /user/abatko/.ssh/known_hosts to get rid of this message.
Agent forwarding is disabled to avoid attacks by corrupted servers.
X11 forwarding is disabled to avoid attacks by corrupted servers.
Are you sure you want to continue connecting (yes/no)?

This means that the identity (or key fingerprint) of the server has changed. Most likely the machine was upgraded...

If you are confident that you are not the subject of a man-in-the-middle attack, follow the directions in the error statement to remove the old key (inside ~/.ssh/known_hosts) of the machine that you are trying to contact. Remember that the keys are stored in a file within your home directory.
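
The decision SSH makes in the two sections above (first connection versus changed host key) can be reproduced against a known_hosts file, together with a way to record a key that the administrators have confirmed out of band. This is an added example, not part of the original page; the function names are made up, and it assumes plain known_hosts entries (no hashed or wildcard host names).

```shell
# Added example: function names are illustrative, not OpenSSH commands.

# host_key_status FILE HOST TYPE KEY
# Prints what ssh would conclude about a key offered by HOST:
#   match   - the same key is already recorded, ssh connects silently
#   changed - a different key of this type is recorded (the warning above)
#   unknown - nothing recorded, ssh asks the first-connection question
host_key_status() {
    awk -v host="$2" -v type="$3" -v key="$4" '
        NF < 3 || substr($1, 1, 1) == "#" { next }   # blank, comment, malformed
        substr($1, 1, 1) == "@" { next }             # @cert-authority / @revoked
        substr($1, 1, 1) == "|" { next }             # hashed names: not handled here
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == host && $2 == type) {
                    if ($3 == key) same = 1; else differ = 1
                }
        }
        END { print (same ? "match" : (differ ? "changed" : "unknown")) }
    ' "$1"
}

# pin_host_key FILE HOST TYPE KEY
# Record a key confirmed by the administrators. Stale lines for HOST of that
# TYPE are dropped first (a line listing several names is dropped whole).
# "ssh-keygen -R HOST" is the stock tool for the removal step.
pin_host_key() {
    file=$1 host=$2 type=$3 key=$4
    [ "$(host_key_status "$file" "$host" "$type" "$key")" = match ] && return 0
    tmp=$(mktemp) || return 1
    awk -v host="$host" -v type="$type" '
        {
            keep = 1
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == host && $2 == type) keep = 0
            if (keep) print
        }
    ' "$file" > "$tmp" || return 1
    printf '%s %s %s\n' "$host" "$type" "$key" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}
```

With the confirmed key pinned this way, the next connection is checked against it instead of relying on a "yes" typed at the prompt.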

Securely Copying Files with SCP

scp allows you to copy files between computers.

To copy the file ~/foo.txt on mimi to the directory you are in on your local computer:

scp your_cs_username@mimi.cs.mcgill.ca:foo.txt ./

To copy the file foo.txt in the directory you are in on your local computer to your home folder on mimi:

scp foo.txt your_cs_username@mimi.cs.mcgill.ca:

Arguments of note:

  • Recursively copy entire directories: scp -r
  • Verbose mode: scp -v
  • Enable compression: scp -C