ssh

Ssh is a program that enables secure logins over an insecure network. It encrypts the data passing both ways so that if it is intercepted it cannot be read.

Ssh is client-server software; both machines must have ssh installed for it to work. We have already installed ssh server software on all the PSC machines.

You must install ssh client software on your local machine.

Why does the PSC require me to use ssh?

We are concerned with the increasing frequency of attacks on computers and networks. We want to provide you with a secure environment in which to conduct your research.

Obtaining ssh for your local machine

Ssh is available without charge for almost all versions of Unix. Clients for Mac and PC Windows are available free from vendors or from the Internet.

Types of authentication

Ssh logs you into the remote machine using one of these authentication methods:

  1. RSA Authentication using a public-private key pair

    One authentication scheme involves the use of two keys to encrypt and decrypt an authentication message. One key is private, available only to the user, and the other is public, and is publicly accessible. Data encoded by one key can only be decoded by the other. Knowledge of the public key does not allow one to deduce the private key.

    If a set of public/private keys exists, the remote machine encodes a message using the public key when ssh makes a connection to it. It sends the encoded message back to the client machine. Ssh decrypts the message using the private key. The private key is not disclosed during this transaction. Ssh then sends the decoded message back to the remote machine; if it matches, the user is authenticated, and can log in without using a password.

    You can create your own set of public/private keys with the ssh-keygen command.

  2. Password Authentication

    If other authentication methods fail, ssh prompts you for a password for the remote machine. Your password is encrypted in transit, so even if it is intercepted, it cannot be read. If the password is correct, you are logged in.

Using ssh to connect to PSC machines

  1. Start your ssh client from your PC or Mac.
  2. A connection window requesting the hostname to connect to, your username and password may automatically open. If it does not, select "Open" from the File menu, and the connection window will appear.
  3. For "Hostname", specify the PSC machine you wish to access, e.g., bigben.psc.edu
  4. Enter your username and password for the PSC machine you are connecting to.
  5. Check Password Authentication.
  6. Select "OK".

The first time that you use ssh to connect to a PSC machine, you will receive a warning that ssh has received an unknown host key from the host server. You can:

  • Select "Accept once". You will be logged in, but the next time you use ssh to connect to this PSC host, you will receive the same warning.
  • Select "Accept and save". You will be logged in. You should NOT receive this warning when connecting to this host via ssh again.
  • Select "Cancel". Your connection to PSC will be dropped.
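
Before choosing "Accept and save", compare the fingerprint shown in the warning with one obtained from a trusted source. The following is an added example, not part of the original PSC page: it computes a host key's fingerprint in the two forms ssh clients commonly display (SHA256 base64 and the older MD5 colon-hex), which goes slightly beyond the dialog described above. The host name, key bytes and function names are constructed for illustration, and it assumes you already hold a trusted fingerprint obtained out of band.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed byte string, as used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data

def make_line(host: str, key_bytes: bytes) -> str:
    """Build a constructed 'host keytype base64' line (sample data only)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(key_bytes)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

# Constructed sample input: made-up host name and key bytes, not a real host key.
SAMPLE_LINE = make_line("host.example.org", bytes(range(32)))

def parse_host_key(line: str) -> bytes:
    """Return the raw key blob from a 'host keytype base64 [comment]' line."""
    fields = line.split()
    if fields and fields[0].startswith("@"):  # optional marker such as @revoked
        fields = fields[1:]
    if len(fields) < 3:
        raise ValueError("expected: host keytype base64-key")
    blob = base64.b64decode(fields[2], validate=True)
    if len(blob) < 4:
        raise ValueError("key data too short")
    # The blob repeats the key type; reject lines where the two disagree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[1].encode():
        raise ValueError("key type does not match key data")
    return blob

def fingerprints(blob: bytes) -> dict:
    """Fingerprints in SHA256 (base64, unpadded) and legacy MD5 (colon-hex) form."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return {"sha256": "SHA256:" + sha,
            "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2))}

def matches_trusted(line: str, trusted: str) -> bool:
    """True if the offered key's fingerprint equals the one obtained out of band."""
    fps = fingerprints(parse_host_key(line))
    t = trusted.strip()
    if t.upper().startswith("MD5:"):
        t = t[4:]
    return t == fps["sha256"] or t.lower() == fps["md5"]

if __name__ == "__main__":
    print(fingerprints(parse_host_key(SAMPLE_LINE)))
```

If the fingerprints do not match, select "Cancel" rather than saving the key.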

Internet machines also have numeric IP addresses, but we recommend using the name to reach them. On occasion, however, the "name server" may be down and you may need to reach the desired machine by using the numeric address. AFS users authenticated to PSC's AFS cell can find a list of PSC internet machine node names and numeric addresses in the file /usr/local/doc/authuser/net_names.doc.

Secure file transfer using ssh

The scp command can be used to copy files securely over an insecure network. The format of the command is:

scp username@source-system:filename username@target-system:filename

See man scp for additional information.

ssh and AFS tokens

You do not always receive an AFS token at login when connecting through ssh. The type of authentication used determines whether or not a token is automatically granted.

  • If you use Password Authentication, you receive an AFS token when you log in.
  • If you use RSA Authentication with a key you made, or a .rhosts file plus host RSA Authentication, you will have an AFS token on login ONLY IF you are connecting from another AFS machine. If you connect to PSC from a non-AFS system, you do not receive an AFS token automatically. Use the klog command to get a token.

For more information on AFS tokens, see the AFS documentation.

More ssh information

These websites are good sources of information on ssh.

For help using ssh at the PSC, contact PSC User Services.