Socrates SSH Secure Shell FAQ

 

1. IST no longer supports unsecure connections to Socrates. For terminal (shell login) sessions, you must use a Secure Shell (SSH) client program or equivalent instead of TELNET. For file transfer, you must use a Secure FTP (SFTP) client program or equivalent instead of FTP.

A Virtual Private Network (VPN) connection may be an option if you are connecting from off campus in the United States to work around missing DNS PTR records.

Secure Shell terminal emulation and Secure FTP capable programs, and the Cisco VPN program are available to the UC Berkeley community from:

   http://software-central.berkeley.edu

2. As of December 14, 2006, SSH/SFTP connections to IST Shared Unix systems now require the use of Secure Shell protocol and that the connecting Internet host pass a reverse Domain Name System (DNS) check.

If you are trying to connect from off campus, you need to know that internet service providers have been inconsistent in defining PTR records in DNS. If your provider does not have PTR records defined, ask that they define them and refer them to RFC-1912 section 2.1 "Inconsistent, Missing, or Bad Data" (February 1996).

Some Internet Service Providers require that you pay a higher price for a static IP address in order to have a PTR record for your IP address.
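
The reverse DNS check from item 2, as an added example that is not part of the original FAQ or IST's own code. It assumes the server wants a PTR record whose name resolves back to the connecting address (the FAQ does not state the exact test); the sample addresses and host names are constructed.

```python
import ipaddress
import socket


def system_reverse(ip):
    """PTR names for ip from the system resolver ([] when none exist)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]


def system_forward(name):
    """Addresses a name resolves to, IPv6 zone suffix removed ([] if none)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except OSError:
        return []
    return sorted({info[4][0].split("%")[0] for info in infos})


def reverse_dns_check(ip, reverse=system_reverse, forward=system_forward):
    """Return (status, names): 'ok', 'missing-ptr' or 'inconsistent'."""
    addr = ipaddress.ip_address(ip)  # ValueError on malformed input
    names = reverse(str(addr))
    if not names:
        return "missing-ptr", []
    # Assumption: a PTR name only counts if it resolves back to the same IP.
    confirmed = [n for n in names
                 if any(ipaddress.ip_address(a) == addr for a in forward(n))]
    return ("ok", confirmed) if confirmed else ("inconsistent", names)


# Constructed sample records (RFC 5737 documentation range), not real hosts.
SAMPLE_PTR = {"192.0.2.10": ["dsl-10.isp.example"], "192.0.2.20": ["mail.isp.example"]}
SAMPLE_A = {"dsl-10.isp.example": ["192.0.2.10"], "mail.isp.example": ["192.0.2.99"]}


def sample_reverse(ip):
    return SAMPLE_PTR.get(ip, [])


def sample_forward(name):
    return SAMPLE_A.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, *reverse_dns_check(ip, sample_reverse, sample_forward))
```

Called with only an address, `reverse_dns_check` uses the system resolver, so it can be run against the public address of the connection you plan to use.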

3. An alternative to using an IP address with a PTR record is to use VPN after you have connected to the Internet. VPN does IP network address translation and provides an IP address with the PTR record. For more information, see:

   http://www.lib.berkeley.edu/Help/vpn.html
   http://www.net.berkeley.edu/vpn/

Due to export/import restrictions, VPN may not be a solution when connecting from other countries.

 

1. About Secure Shell

1.1 What is Secure Shell?

1.2 Why Secure Shell? Why now?

1.3 What encryption algorithms does Secure Shell use?

1.4 How does Secure Shell authenticate?

1.5 What does Secure Shell protect against?

1.6 What doesn't Secure Shell protect against?

1.7 Is Secure Shell legal?

1.8 What operating systems does Secure Shell run on?

 

2. Obtaining and Using Secure Shell

2.1 Where can I obtain a copy of Secure Shell for Windows?

2.2 Where can I obtain a copy of Secure Shell for a Mac or a Unix system?

2.3 How do I connect to other computers using Secure Shell?

2.4 How do I copy and paste text within Secure Shell SSH for Windows?

2.5 How do I transfer files using Secure Shell?

2.6 How do I connect to other servers using SSH from the Socrates command prompt?

2.7 Where can I get help with my Secure Shell client?

 

 

Section 1: About Secure Shell

 

1.1 What is Secure Shell?

Secure Shell is a protocol, or method of electronic communication used to log into another computer over a network, to execute commands in a remote machine, and to move files from one computer to another. It provides strong authentication and secure communication over unsecured channels. It is intended as a replacement for telnet, rlogin, rsh, and rcp.

The SSH2 protocol was standardized by the IETF secsh working group and is specified in several RFCs and drafts. The overall structure of Secure Shell is described in RFC 4251.

 

1.2 Why Secure Shell? Why now?

Secure Shell has become a common standard of electronic communication, widely used all over the world. The number of people estimated to be using SSH in 2001 was somewhere over 2 million users in over 60 countries. It is replacing other methods such as telnet mainly for security reasons. Older protocols such as telnet pass all information sent from your computer to another (such as Socrates), or vice versa, in clear text. Research, addresses, and even passwords sent over older protocols like telnet are all readily available to an individual who has caused a security breach in a computer using telnet, or one who has managed to gain physical access to a line. SSH does not pass any information in clear text; instead, it uses secure encryption.

 

1.3 What encryption algorithms does Secure Shell use?

Secure Shell uses the following ciphers for encryption:

Cipher        SSH1   SSH2
DES           yes    no
3DES          yes    yes
IDEA          yes    no
Blowfish      yes    yes
Twofish       no     yes
Arcfour       no     yes
Cast128-cbc   no     yes

Secure Shell uses the following ciphers for authentication:

Cipher        SSH1   SSH2
RSA           yes    yes
DSA           no     yes


1.4 How does Secure Shell authenticate?

Secure Shell authenticates using one or more of the following:

1.5 What does Secure Shell protect against?

Secure Shell protects against:

If a malicious individual has taken over a network, they can only force SSH to disconnect, but cannot decrypt the traffic nor hijack the connection.

The above is true if you use encryption with SSH. Encryption should be on by default, but an option does exist to use encryption of type "none." This is for debugging purposes and should not be used.

1.6 What doesn't Secure Shell protect against?

Secure shell will not help you with anything that compromises your host's security in some other way. Once an attacker has gained administrative/root access to a machine such as Socrates, he can subvert SSH as well. Similarly, if someone has physically stolen your computer, SSH is not a security measure that will protect your data from unlawful intrusions.

 

1.7 Can I run Secure Shell legally?

In most cases, yes. This will depend on your country's laws for cryptography and which version of Secure Shell that you're using.

 

In some countries, particularly France, Russia, Iraq, and Pakistan, it may be illegal to use any encryption at all without a special permit.

 

If you are in the United States, you should be aware that, while SSH was written outside the United States using information publicly available everywhere, the US Government may consider it a criminal offense to export this software from the US once it has been imported, including putting it on an FTP site. For more information about encryption export controls, you can contact the Bureau of Industry and Security, under the US Department of Commerce.

 

1.8 What operating systems does Secure Shell run on?
SSH clients have been developed for most operating systems out there, including all Windows, Unix (Linux, Solaris, OpenBSD, etc.) and Macintosh flavors.

 

 

Section 2: Obtaining and Using Secure Shell

 

2.1 Where can I obtain a copy of Secure Shell for Windows?

Students, Faculty, Staff, and Affiliates of the University of California Berkeley that have a functioning CalNet ID can obtain a copy of Secure Shell for free from the IST Software Central web site. Windows users should download the most current version available of "SSH Secure Shell." This Secure Shell client is supported by the University. Other SSH2/SFTP2 programs are also available to the UC Berkeley community, such as HostExplorer (2007 or later) with Connectivity Secure Shell (CSS), or Exceed (2007 or later) with Connectivity Secure Shell (CSS), which includes HostExplorer and an X Windows graphic display server. Secure Shell capable software may also be available on the Connecting@Berkeley CD.

 

2.2 How do I obtain a copy of Secure Shell for a Mac or a Unix system?

If you have an Apple computer and you're using the OS X operating system, you can use the built-in SSH application. Please refer to section 2.3 for instructions on connecting using the built-in SSH application.

 

OS X does not have a built-in secure FTP program. If you use Mac OS X and want to transfer files to and from UC Servers such as Socrates that will no longer be supporting standard FTP, you will need to download a Secure FTP client for Mac OS X.

 

FUGU, developed by the University of Michigan, is distributed at the IST software download web page and can also be found at UMich.

 

Fetch version 5 also provides SSH and SFTP. Fetch can be found on the IST software download webpage.

 

Many Unix systems now come with Secure Shell software. Secure Shell software may also be available as optional software distributed by the manufacturer. OpenSSH is available at http://www.openssh.org/

 

2.3 How do I connect to other computers using Secure Shell?

Instructions for connecting to other computers using SSH Secure Shell for Windows can be found here.

Instructions for connecting to other computers using SSH on Mac OS X can be found here.

Instructions for connecting to other computers using MacSSH for non-OSX can be found here. (thank you Ohio State)

Instructions for connecting to other computers using SSH on Socrates and Linux/Unix environment: "man ssh" at the command prompt.

 

2.4 How do I copy and paste text within SecureShell SSH for Windows?

In a SecureShell SSH session for Windows, the Control+C and Control+V commands don't work to copy and paste the way they do elsewhere in Windows. Instead, Control+Insert copies and Shift+Insert pastes.

 

2.5 How do I transfer files using Secure Shell?

Instructions for transferring files using SSH Secure Shell for Windows can be found here.

Instructions for transferring files using FUGU for Mac OS X can be found here. (Please note Adobe PDF format)

 

2.6 How do I connect to other servers using SSH from the Socrates command prompt?

From the Socrates% prompt, type "ssh <hostname>" where hostname is the name or IP address of the server you wish to connect to. This will attempt to connect you to the host using the username you're logged in as on Socrates. To specify your username to the server, you can use the -l flag (lowercase L) followed by your username, for example: "ssh plato.berkeley.edu -l darkcave" where darkcave is your login ("ssh username@host" will work as well). The first time you connect, you'll see: "Host key not found from the list of known hosts. / Are you sure you want to continue connecting (yes/no)?" Type yes and it will respond: "Host 'plato.berkeley.edu' added to the list of known hosts / darkcave's password:" and then type your password and press Enter.

 

2.7 Where can I get help with my Secure Shell client?

The University provides software support for both SecureShell SSH and MacSSH. Faculty and Staff can get help by contacting the Connecting@Berkeley Consulting team at e-mail: connecting@berkeley.edu, or by phone at: 642-8899.

 

 

 

For more information regarding Secure Shell, please visit Steve Acheson's Secure Shell FAQ

Much of the information in this document was borrowed or paraphrased from the FAQ above.


SSH® is a registered trademark of SSH Communications Security. Secure Shell™ is trademarked by SSH Communications Security. All further references to SSH® and Secure Shell™ are rights of their owners.

If you need clarification, or have any further questions, please contact:

CalMail Consulting: consult@berkeley.edu, 642-7776.
Connecting@Berkeley Consulting (Faculty and Staff only): connecting@berkeley.edu, 642-8899.
Socrates Consulting: socrates_consult@berkeley.edu, 642-4920 (IST Service Desk).

 


Links to commercial web pages or references to companies on this page are for the information of our customers and do not indicate an endorsement by the University of California or the State of California. Links or references to non-University entities do not represent endorsement by the Regents of the University of California.


This document was last modified on June 15, 2007.