Secure Shell (SSH)

Secure Shell (SSH) is a protocol that supports terminal sessions and file transfer (like FTP). The primary advantage of SSH over other protocols is that SSH encrypts all communications, whereas with FTP all transmissions (including logins) are submitted in plain text. Authenticated FTP to CS managed machines is not available.

All of the public login servers allow ssh access and below you will find a list of machines that accept connections:

portal.cs.princeton.edu (equivalent to cycles.cs.princeton.edu)

Linux Machines used for CPU intensive jobs:

  • cycles.cs.princeton.edu (includes soak, wash, rinse, spin)
  • soak.cs.princeton.edu
  • wash.cs.princeton.edu
  • rinse.cs.princeton.edu
  • spin.cs.princeton.edu

On February 1, 2016, CS Department login hosts switched to using RSA type SSH host keys. Since that time, the SSH Host RSA Key Fingerprint for the above hosts is: e0:0e:98:45:c9:4f:11:8f:19:bc:47:d2:07:0e:7c:ff.

Some older SSH clients may display the new fingerprint as: xepon-kibyl-bogur-palik-zyvar-lesuc-rikof-zusab-hypib-volyh-muxux.

Newer SSH clients (OpenSSH 6.8 or later) will use the SHA256 fingerprint: SHA256:9yBBea9Z0ER6asvvtNf6fRXVra6LOQ3OVZLtYKVpNc8.
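The two fingerprint formats above are different encodings of the same host key: the legacy form is the MD5 of the raw public-key blob printed as colon-separated hex, and the newer form is the SHA-256 of that blob printed as unpadded base64 behind a "SHA256:" prefix. The following Python script is an added example, not part of this page or the CS department's tooling: it parses a known_hosts / ssh-keyscan style line, computes both fingerprint formats exactly as OpenSSH displays them, and compares the result against a published value so a user can confirm a host key before accepting it. The key embedded in it is a constructed toy RSA key (far too small for real use), so it is expected not to match the department's published fingerprints; the hostname `cycles.example` is likewise made up.

```python
import base64
import hashlib
import struct

# Fingerprints published on this page for the CS login hosts, both display formats.
PUBLISHED_MD5 = "e0:0e:98:45:c9:4f:11:8f:19:bc:47:d2:07:0e:7c:ff"
PUBLISHED_SHA256 = "SHA256:9yBBea9Z0ER6asvvtNf6fRXVra6LOQ3OVZLtYKVpNc8"


def _ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field of the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:  # keep the value positive in two's complement
        raw = b"\x00" + raw
    return _ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """Build an 'ssh-rsa' public-key blob: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


# Constructed toy key for demonstration only: NOT a real host key and far too
# small to be secure. A real line comes from ssh-keyscan or ~/.ssh/known_hosts.
TOY_KEY_LINE = "cycles.example ssh-rsa " + base64.b64encode(
    rsa_public_blob(65537, int("C0FFEE" * 40, 16) | 1)
).decode()


def parse_host_key_line(line: str):
    """Parse one known_hosts / ssh-keyscan line into (hosts, keytype, blob).

    Format: [@marker] host[,host...] keytype base64-blob [comment].
    Raises ValueError on blank, comment, or malformed lines.
    """
    parts = line.split()
    if not parts or parts[0].startswith("#"):
        raise ValueError("not a host-key line")
    if parts[0].startswith("@"):  # @cert-authority / @revoked markers
        parts = parts[1:]
    if len(parts) < 3:
        raise ValueError("malformed host-key line")
    hosts, keytype, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (tlen,) = struct.unpack(">I", blob[:4])
    # The blob's leading type string must agree with the text key type.
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("key type inside blob does not match text field")
    return hosts.split(","), keytype, blob


def fingerprint_md5(blob: bytes) -> str:
    """Legacy OpenSSH (< 6.8) display: colon-separated hex of MD5(blob)."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH 6.8+ display: 'SHA256:' plus unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_published(line: str, expected: str) -> bool:
    """Return True if the key on `line` has the published fingerprint `expected`.

    Accepts either display format; the hex form is compared case-insensitively.
    """
    _, _, blob = parse_host_key_line(line)
    if expected.startswith("SHA256:"):
        return fingerprint_sha256(blob) == expected
    return fingerprint_md5(blob) == expected.lower()


if __name__ == "__main__":
    _, keytype, blob = parse_host_key_line(TOY_KEY_LINE)
    print(keytype, fingerprint_md5(blob))
    print(keytype, fingerprint_sha256(blob))
    # The toy key is not the department's key, so both checks report a mismatch.
    print("matches published MD5:", matches_published(TOY_KEY_LINE, PUBLISHED_MD5))
    print("matches published SHA256:", matches_published(TOY_KEY_LINE, PUBLISHED_SHA256))
```

In day-to-day use the same check is done with OpenSSH's own tools: `ssh-keyscan -t rsa portal.cs.princeton.edu` prints the host's public-key line, and `ssh-keygen -lf` on that output prints the SHA256 fingerprint (add `-E md5` for the legacy colon form, or use `ssh-keygen -B` for the word-list "bubblebabble" digest some older clients show). Only accept the host key at the first-connection prompt when the printed value matches the one published above.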


ssh: A Primer

Introduction

The need for security, as we hardly need reminding, is ever-increasing. We as system administration staff here in the CS department of Princeton are having to deal with break-ins, both attempted and successful, and compromised accounts. Most of these attacks come from people who were able to learn the password of an account of a local user, usually by "sniffing" it right from the network.

Most protocols don't have any encryption, and any packets sent from the client to the host are out there for anyone in-between to intercept and read. Telnet is particularly bad, most notably for the passwords that are typed as the user initiates the session. These passwords, along with the user names, are gathered with a program popularly known as a packet-sniffer, and the new information can be used to gain access to our systems, generally resulting in malicious activity (although usually restricted to the user in question).

The easiest way to prevent these attacks is to encrypt the packets so they are unintelligible to all but the client and the host, and one way this is done is via ssh. Named for Secure SHell, it encapsulates an entire session from the initial login onward, with encryption methods that are, for all practical purposes, unbreakable. SSH helps protect against packet spoofing, IP/host spoofing, password sniffing, and eavesdropping.

Where To Get It

The CS department uses OpenSSH server software.

Unix variants: OpenSSH can be downloaded from http://www.openssh.org/. While you can get it directly from their anonymous FTP site, a mirror site is suggested. You will want a tarball, and openssh-4.4 is the latest as of this writing. In the above download site, the complete URL would be:

ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/

Note that you want the tar.gz file from the site. After uncompressing and untarring the distribution package ([g]zcat openssh-4.4.tar.gz | tar -xvf -), the INSTALL file in the newly-created directory should help you build the binaries for your system. Note that this distribution will build the server as well as the client, and unless you want the server, it won't be necessary to do the "make install" as the INSTALL file suggests. It will be enough to copy the ssh and scp (more on this below!) binaries into a directory somewhere in your PATH. If you're having problems installing ssh, please take a look at the FAQ.

Windows variants:

You can obtain your free copy of SSH For Workstations from the CS web server by pointing your browser to https://csguide.CS.Princeton.EDU/software/.

How To Use It

Various Flavors of Unix
Once installed, ssh on a Unix system is easy to use; if you've used rlogin, ssh is a drop-in replacement for it, and most of the flags are identical. A new connection is started by typing: ssh <systemname> [-l username]. It will then prompt you for a password, and the connection is complete. Note that an in-depth discussion of the various command-line arguments is beyond the scope of this document: please refer to the documentation that came with the distribution.

Various Flavors of Windows
Once installed on your Windows box, it behaves just like a telnet client. Just type in your target hostname, username, and password, and, assuming you're connected to a network, a connection to the remote host's ssh server is created.

Using Secure FTP (sftp)

Warning - Secure FTP only works with SSH protocol version 2 servers.

From UNIX:
On a Linux/UNIX command line, simply type sftp hostname (much like you would type ftp hostname with an insecure client). You will be authenticated just like a normal ssh session.

From Windows:
Not every Windows SSH client contains the facilities to use secure FTP, but one that does (and the one that we most strongly recommend) is the SSH Windows client from SSH Communications. Once this is installed, just click on the "Secure File Transfer Client" icon in the "SSH Communications" program group of the start menu. When the program starts, hit return, then enter your login information.

Once authenticated, your remote (UNIX) file system will be displayed on the left, with the contents of the currently selected folder displayed on the right.  At this point you can either use the Windows drag-and-drop interface to upload and download files, or use the menu functions available from the menu bar at the top of the window.

Note that there is a command-line version available. From the "Run..." option on the Start menu (assuming you've installed the SSH Communications software we recommend), just type "sftp2 <machine name>" (without the quotes) to start your session.
