SPY HILL Research Spy-Hill.net


Poughkeepsie, New York [DIR] [UP]

Please use Secure Shell (SSH)
instead of Telnet or rsh/rcp/rlogin


The Secure Shell suite of programs can keep unauthorized users out of our computers, both by encrypting passwords to keep them from being "sniffed", and by providing more positive authentication than simple password exchange.

Secure Shell also provides two useful improvements over telnet:

  1. It will automatically forward your X display (it sets the DISPLAY variable for you).

  2. It can allow you to log in without a password, even though you may never have the same IP address (e.g. from home over a dial-up line).

[Unix] [Windows] [Apple] [SSH Info]

The telnet and ftp programs have a serious security problem--when you type your password it is broadcast over the wires in the clear, which means that any other computer listening on that wire can potentially read your password. (In fact, the whole idea of ethernet is based on all the computers on the network listening to the same wire). Hackers make use of this flaw by installing "sniffer" programs that specifically listen for passwords from any computer on the network.

The "remote shell" programs (rsh, rcp, and rlogin) also have security problems. They don't exchange passwords, but instead they rely on the connection comming from a known IP address on a privileged port. That's all. This is relativly easy for a hacker to spoof.

A more secure alternative to telnet or rsh, rcp, or rlogin, is to use the Secure Shell (SSH) protocol, which both encrypts the connection and uses digital signatures to positively identify the host at the other end of the connection. SSH can be made as easy to use as rsh, rcp, and rlogin, with no password required; simply use the commands ssh, scp, or slogin instead.

A useful of advantage of SSH is that it automatically forwards your X window connections (you don't have to set the DISPLAY variable, it sets it for you.) And it encrypts your X connections too. You can also use SSH to log in over a dial-up line without having to present a password. For details on how to set this up please read: Using Public Key Authentication with SSH.

If you are connecting over a slow link (a slow phone line or a very long distance Internet connection) then you may not want the automatic forwarding of your X display. In that case you can turn it off (on a Unix computer, at least) by giving the command:

unsetenv DISPLAY
You give this command after you have established your connection to the other computer.

The slogin, scp and ssh commands are available on all of the Unix computers in our group, as well as on the ITD login servers. Please use them instead of telnet. Telnet may well be disabled in the near future, at least on the machines in our group.

We are working on a secure alternative to ftp (probably called sftp) but nothing that is useful exists at this time. Just keep in mind that whenever you type your password for an FTP session it is being broadcast over the Internet in the clear.

Unix

Windows Clients

Apple/Macintosh Clients

MacOS X is Unix and already includes ssh. Just open the Terminal application and use ssh, scp and scp as you would on any Unix machine! (Macintosh HD -> Applications -> Utilities -> Terminal)

On older Mac's you can use one of the following:

SSH Information

Note on RSA authentication:

SSH can use the RSA algorithm, which was patented in the U.S. and so could not be used there without permission of the patent holder (RSA, Inc.). The patent expired in Sept. of 2000, at which point there are no legal problems with using any of these clients in the U.S.


Last modified: 19 January 2005 Copyright © 2005 by Spy Hill Research http://spy-hill.net /help/SecureShell.html