
SSH Tutorial for Linux

This document was written on February 21st, 1999. A lot of the information here is out of date. You should probably be reading the new ssh tutorial. This document is just here for historical purposes and for reference.

Since this document was originally written in 1999, over 30,000 people have read it and it has been as high as #1 in Google's results when searching for ssh and linux. The new document continues that tradition.

What is SSH?

The acronym SSH stands for Secure Shell. There are a couple of ways that you can access most Linux/Unix systems. The most common way is to use a telnet program such as the one called telnet (for Unix and Windows). Accessing a shell account in this fashion, though, poses a danger in that everything that you do over that telnet session is visible in plain text on your local network and on the local network of the machine you are connecting to.

As one solution, SSH was created to encrypt the data being sent over the network as well as provide an option that prevents passwords from ever being passed over the network. SSH can use several different forms of encryption, anywhere from 56 to 1024 bit. SSH has been ported to operating systems on several platforms including Linux, Microsoft Windows and Macintosh.


Linux Setup and Tutorial

SSH on Linux is pretty easy to set up. The first thing you need to do is get the ssh 1.2.27 RedHat source RPM here. After downloading the rpm package, run the following:
su -
rpm --rebuild ssh-1.2.27-7us.src.rpm
cd /usr/src/redhat/RPMS/i386
rpm -Uhv ssh*.rpm

Now you should have all the ssh programs you need in their proper place. Just to check, you can type 'whereis ssh' and it should spit out the locations of some of the ssh programs.

Now you'll want to drop back to your user account. The first thing you'll be tempted to do is run ssh. That's fine and we'll try that first. So here's how it works. Let's say that I wanted to log on to a host called yoshi.nes.com and my username there was mario. I would type the following on the command line:

ssh -l mario yoshi.nes.com

The first time around it will ask you if you wish to add the remote host to a list of known_hosts; go ahead and say yes. After saying yes, and if there is an account on the remote system named mario, it will prompt you for mario's password on the remote system. If you type in the remote password correctly it should let you in.

Now that you have connected, go ahead and log out. ;-) Once you're back at your local host's command prompt, enter the command 'ssh-keygen'. It should begin spitting out the following:

Initializing random number generator...
Generating p:  ......................................++ (distance 522)
Generating q:  ......................................++ (distance 526)
Computing the keys...
Testing the keys...
Key generation complete.
Enter file in which to save the key (/home/username/.ssh/identity):

Go ahead and hit enter when it prompts for where to save the keyfile. This will also create a file called identity.pub in the same directory. Next it will prompt you for a passphrase. This can be anything and can be very long. Over 600 characters will be accepted in the passphrase. A passphrase can be something like "The quick red fox jumped over the lazy brown dog" or "Cookie Crisp is a part of this complete breakfast". But don't use those because I'm just trying to give you examples. The point is that passphrases are not supposed to be like your normal password and should be much longer and kept just as secret as your normal password.

After you've typed in a passphrase twice it will spit out a long string of numbers with your username@hostaddress at the end. It should look something like this:

Your public key is:
1024 37 14778460247218050904351588722321517055123584828217005439417513631457
4700783722553215641637680858087639085539532112747345388967435408329602376667
8969747204817435463141474417481840997084238854140567975702433016211222304840
3694746126263274873559426257079911948883867367070509301285695117678586907951
2422006506053 username@hostname.com

However, your terminal program will have wrapped the long lines around so that it all fits on one screen. It's important to keep in mind, though, that the string of numbers is and must all be on one line.

Go ahead and use your mouse to copy the long string of numbers and characters that makes up the public key, beginning from the part that starts with 1024 and going to the part that ends with the hostname. Now log back into the remote machine using the same ssh command that you used to log in before. Once you are at a command prompt on the remote machine, make a directory called '.ssh' and change into that directory. With your favorite editor, start a file called 'authorized_keys'. On the first line of this file you'll want to paste the long string that you copied. Make absolutely sure that it is all on one line and that there are no spaces in the third set of numbers. The line that you copied consists of 4 sections. It's important that each of those sections have no spaces in them. The first section is the bit level and is usually going to be 1024, the second section is the salt, the third is the actual key and the fourth section is the user@host identification.
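A pasted key that got wrapped, split by a stray space or cut short is easy to miss by eye. The following checker is an added example, not part of the original tutorial or of ssh itself; it assumes the four-section line layout described above, uses hypothetical function names, and runs on a constructed sample key.

```python
# Added example: sanity-check authorized_keys lines in the four-section layout
# described above ("bits second-section key user@host", one key per line).


def is_number(text):
    return text.isascii() and text.isdigit()


def check_key_line(line):
    """Return a list of problems found in one authorized_keys line."""
    fields = line.split()
    if len(fields) != 4:
        return [f"expected 4 space-separated sections, found {len(fields)} "
                "(wrapped line or stray space in the key?)"]
    # Second section: the RSA public exponent (the text calls it the salt).
    bits, exponent, modulus, _ident = fields
    if not all(is_number(f) for f in (bits, exponent, modulus)):
        return ["the first three sections must be decimal numbers"]
    actual = int(modulus).bit_length()
    if actual != int(bits):
        return [f"key is {actual} bits but the line claims {bits} "
                "(truncated or altered paste?)"]
    return []


def audit_authorized_keys(text):
    """Check every non-blank, non-comment line; return (line_no, problem) pairs."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if line.strip() and not line.lstrip().startswith("#"):
            findings += [(no, p) for p in check_key_line(line)]
    return findings


# Constructed sample key (not a real key): a 1024-bit number as the third section.
KEY = str(2**1023 + 987654321)
GOOD = f"1024 37 {KEY} username@hostname.com\n"
# The same key as a wrapping terminal might deliver it: broken onto a second line.
WRAPPED = f"1024 37 {KEY[:60]}\n{KEY[60:]} username@hostname.com\n"
# A space slipped into the third section while pasting.
SPACED = f"1024 37 {KEY[:60]} {KEY[60:]} username@hostname.com\n"
# The tail of the key was lost when copying.
CUT = f"1024 37 {KEY[:-5]} username@hostname.com\n"

if __name__ == "__main__":
    for name, text in [("good", GOOD), ("wrapped", WRAPPED),
                       ("spaced", SPACED), ("cut", CUT)]:
        print(name, audit_authorized_keys(text))
```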

Once you've pasted the line into the authorized_keys file go ahead and close it up. Now you'll want to make sure that the permissions are set correctly on the directory and files. Use the following commands to accomplish this:

chown yourusername.yourgroupname . *
chmod 700 .
chmod 600 *

SSH is *very* strict about the permissions that you have on your remote .ssh directory and the files underneath. Keep this in mind if SSH ever ceases to work correctly for you. Most of the problems you will have with SSH are due to the permissions that you have on the files on the remote side.
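When key logins stop working, a quick audit of the remote .ssh directory against the 700/600 modes set above usually finds the cause. This is an added example, not from the original tutorial; the function names are hypothetical and the demo builds a constructed directory in a temporary location rather than touching a real account.

```python
import os
import stat
import tempfile


def audit_ssh_dir(path, uid=None):
    """Return (entry, problem) pairs for anything looser than 700/600 or mis-owned."""
    uid = os.getuid() if uid is None else uid
    findings = []
    entries = [path] + sorted(os.path.join(path, n) for n in os.listdir(path))
    for entry in entries:
        st = os.stat(entry)
        mode = stat.S_IMODE(st.st_mode)
        allowed = 0o700 if stat.S_ISDIR(st.st_mode) else 0o600
        if st.st_uid != uid:
            findings.append((entry, f"owned by uid {st.st_uid}, not {uid}"))
        if mode & ~allowed:
            findings.append((entry, f"mode {mode:03o} is looser than {allowed:03o}"))
    return findings


def demo():
    """Build a constructed .ssh directory with typical mistakes, audit, fix, re-audit."""
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        keys = os.path.join(ssh_dir, "authorized_keys")
        os.mkdir(ssh_dir)
        with open(keys, "w") as fh:
            fh.write("1024 37 <constructed key placeholder> username@hostname.com\n")
        os.chmod(ssh_dir, 0o755)   # group and others can list the directory
        os.chmod(keys, 0o664)      # group can rewrite the key list
        before = audit_ssh_dir(ssh_dir)
        os.chmod(ssh_dir, 0o700)   # same effect as: chmod 700 .
        os.chmod(keys, 0o600)      # same effect as: chmod 600 *
        after = audit_ssh_dir(ssh_dir)
    return [problem for _, problem in before], after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```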

Now go ahead and log out of the remote host, and then try to log back in using ssh again. This time it should prompt you for the passphrase for your local ssh key instead of your password on the remote machine. After typing in your passphrase you should be logged in normally. Note that by using your passphrase it is not sending your password or passphrase over the network. What happens is that the remote machine, which knows your public key, sends a challenge to your local computer. If your local computer is able to answer that challenge correctly then it proves to the remote computer that you do have the correct key and passphrase. Then it lets you in to your shell.

You might be wondering what's good about all this. Well, for one, it's much more secure than the way you are used to logging into a remote machine. It's very easy for anyone to sit on a network and watch passwords go by in plain text (unencrypted) and then break into your account, read your email, etc. Another good reason to use it is that through the use of Xwindows you can enter your password once when you start Xwindows and then you will never have to enter it again during that session for any remote host that has your key set up on it. I'll show you how that works in the next section.
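A small model of that challenge and answer, added here as an illustration and not taken from ssh or from the original tutorial. It assumes a constructed toy RSA key, textbook RSA without padding, and an MD5 answer tied to a session id in the manner of SSH-1's RSA authentication; all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy RSA key built from two Mersenne primes; far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 37                       # public half: what the remote machine knows
D = pow(E, -1, (P - 1) * (Q - 1))      # private half: stays on the local computer
SIZE = (N.bit_length() + 7) // 8       # bytes needed to hold any value below N


def digest(challenge, session_id):
    """Hash the challenge together with the session id (SSH-1 used MD5)."""
    return hashlib.md5(challenge.to_bytes(SIZE, "big") + session_id).hexdigest()


def server_challenge(n, e):
    """Remote side: pick a random number and encrypt it to the user's public key."""
    challenge = secrets.randbits(128)
    return challenge, pow(challenge, e, n)


def client_response(encrypted, d, n, session_id):
    """Local side: decrypt with the private key, send back only a hash."""
    return digest(pow(encrypted, d, n), session_id)


def server_verify(challenge, response, session_id):
    """Remote side: accept only the hash of the challenge it generated."""
    return secrets.compare_digest(response, digest(challenge, session_id))


def login(private_exponent, session_id=b"constructed-session-id"):
    """Run one exchange; return (accepted, everything that crossed the network)."""
    challenge, encrypted = server_challenge(N, E)
    response = client_response(encrypted, private_exponent, N, session_id)
    return server_verify(challenge, response, session_id), (encrypted, response)


if __name__ == "__main__":
    print("right key:", login(D)[0])
    print("wrong key:", login(D + 2)[0])
```

Only the encrypted challenge and the hash travel between the two sides; the private exponent and the passphrase that protects it on disk never do.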


Setting up your Xwindows session for ssh

A lot of the questions I get asked go something like this: "How are you able to log into that machine without a password?" The answer is that I use a program called ssh-agent. ssh-agent allows you to enter your passphrase once and never enter it again. The ssh-agent program will remember your passphrase and use it when appropriate. Setting this up on Xwindows is only a matter of configuring your .xinitrc file and restarting Xwindows.

Below is a sample .xinitrc file that will set up ssh-agent at the beginning of your Xwindows session.

#!/bin/sh
# -- .xinitrc file --
userresources=$HOME/.Xresources
usermodmap=$HOME/.Xmodmap
sysresources=/usr/X11R6/lib/X11/xinit/.Xresources
sysmodmap=/usr/X11R6/lib/X11/xinit/.Xmodmap

# merge in defaults and keymaps
if [ -f $sysresources ]; then
    xrdb -merge $sysresources
fi
if [ -f $sysmodmap ]; then
    xmodmap $sysmodmap
fi
if [ -f $userresources ]; then
    xrdb -merge $userresources
fi
if [ -f $usermodmap ]; then
    xmodmap $usermodmap
fi

# run ssh-agent.
eval `ssh-agent`
ssh-add < /dev/null

# start a window manager
exec fvwm2
# --end of .xinitrc--

The only part that pertains to starting ssh-agent is the two lines below the commented line that says run ssh-agent. Everything else is up to the way you like to run Xwindows.

Coming soon..... "How to setup the SSH daemon on your system" and "How to use Windows95 with SSH".

Where to find more info:

Modified: 2006-01-10 04:32:35






http://suso.org/docs_parsing.php
© 1997-2009 Suso Technology Services Inc.
101 W. Kirkwood Ave., Bloomington, Indiana
(812) 336-7876(SUSO)