The content of this document may be incorrect or outdated.
SSH: Using the SSH Application
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
Don't Use TELNET
TELNET is a program for accessing a server or remote machine, such as a UNIX server, from a client such as your workstation. By default, TELNET uses an insecure protocol to communicate between the client and the server. This means that any information, including your login and password, is sent over the network unencrypted. Because of this insecurity, a hacker can steal your login and password off the network in a matter of seconds, just as they can if you send your password through e-mail.
It's important, then, to use a "secured" version of TELNET called SSH, or Secure Shell. SSH encrypts the communication between the client and server so that when you authenticate to the server from your client, your login and password do not go over the network unencrypted. Instead, they are transmitted in an encrypted, unreadable format. In order for a hacker to steal your login and password, they must first intercept the communication and then decrypt it, that is, convert the encrypted version back into plain text. Decryption of this information is nearly impossible without the use of very high powered computers for very long amounts of time (sometimes years).
SSH is available by default on ECN supported machines. If you attempt to run TELNET on an ECN supported Windows 2000 machine, you will be warned about the security risk and prompted to choose a secure connection (via SSH) or an insecure connection (via conventional TELNET).
Using SSH
SSH, while having been available for a number of years, has only recently become widely used on the Internet. The SSH client provided on an ECN supported workstation is called SecureCRT, provided by Van Dyke Technologies. There are some subtle differences between TELNET and SSH. This section will help you transition to the SSH client provided on an ECN supported workstation.
Starting SSH
You can start SSH by picking one of the icons in the SecureCRT folder under Start->Programs->ECN Software, by using Start->Run and entering securecrt, or by using Start->Run and entering telnet. If you choose the last of these, the following message box will appear:
Figure 1: Telnet security warning
Choose Secure Telnet to use SSH to connect to the server in this case.
Manually Connecting to a Host
If you typed one of the commands above or chose the SecureCRT icon from the SecureCRT folder, you will not be automatically connected to a host. Instead, you'll need to tell SSH what host you wish to connect to.
Figure 2: Connection request dialog
In the Hostname field enter the name of the remote host to which you wish to connect such as pier.ecn.purdue.edu, shay.ecn.purdue.edu, etc. If the Username field is not automatically filled in, enter your login on the remote host. Click the Connect button. Skip ahead to the topic Authenticating with a Host.
Automatically Connecting to a Host
If you wish to automatically connect to a host, click on one of the pre-defined host icons in the Hosts folder within the SecureCRT folder. You can also use the command telnet hostname, where hostname is the name of the remote host to which you wish to connect. If you use the telnet command, choose to make a secure connection.
Authenticating with a Host
Before you can finish your connection to the remote host, you will be prompted to enter your password as shown in Figure 3.
Figure 3: Password authentication dialog
Enter your password and click the OK button. If this is the first time you've connected to a host, you will receive a message similar to that in Figure 4.
Figure 4: SSH Host Identification dialog
This dialog is to inform you that you are about to connect to a new host. The server key it provides will be cached so that you will not see the dialog in future connections to this host. If you're confident that the host is a secure host, click Accept & Save. You can click Accept Once and still connect to the host, but the server key will not be cached, and you will be prompted before connecting to the host again. Click Cancel to abort the connection. This dialog will appear for each host you connect to for the first time. Once this process completes, you will be connected to the remote host.
The Host Identification Changed Warning
SSH uses server host keys to identify servers and make sure that the host to which you are connecting is who it says it is. A hacker might be able to impersonate a remote host without the user's knowledge. If a user connects to this "rogue" host, he or she may be vulnerable to attacks by hackers and have personal information compromised. For example, hacker Bob crashes a machine named bliga.ecn.purdue.edu. He then sets up his own machine with the same name so that when users connect to it, they think it's the true bliga.ecn.purdue.edu and not Bob's "rogue" host. Meanwhile, as they log in to the "rogue" host, their personal information, such as login and password, is taken and used to access their data elsewhere.
Fortunately, SSH provides protection against this with server keys, as discussed above. When you first connect to a server, it presents its key to you and asks you to cache it. You can choose not to cache it, but if you do cache it, you're less prone to an attack such as the one presented here. If Bob were to bring up a machine similar to the real machine, it would have a different server key than the true machine. SSH recognizes this discrepancy between your cached copy of the key and the key presented by the remote host and warns you with a dialog similar to that in Figure 5.
Figure 5: Host Identification Changed dialog
Despite the warning, there may be legitimate reasons for a server's key to change as well. One reason is that a machine was reloaded with its software, but its host key was not saved. This is the situation presented in the 1st warning. The other possibility is that SSH was upgraded from a previous version to the latest version. This is the situation presented in the 2nd warning. If either of these two cases is true, you can still safely connect to the remote host. Simply choose Accept & Save to overwrite the old host key.
If you are unsure of the reasons for a host's key changing, you should check with the administrator of the remote machine before connecting to it and/or accepting a new key.
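The cache-and-compare logic behind the two dialogs, with the "check with the administrator" step modelled as a fingerprint obtained out of band, is sketched below as an added example; it is not SecureCRT's code. The names `HostKeyCache`, `decide` and `admin_fp` are hypothetical, the key blobs are constructed stand-ins for real public keys, and the fingerprint is assumed to be given in the SHA256 form that OpenSSH prints.

```python
import base64
import hashlib

def fingerprint(key_blob: bytes) -> str:
    """SHA256 fingerprint in the form OpenSSH prints: unpadded base64 of the digest."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

class HostKeyCache:
    """In-memory stand-in for the client's cache of accepted server keys."""
    def __init__(self):
        self.keys = {}  # lower-cased hostname -> cached key blob

    def check(self, host: str, presented: bytes) -> str:
        cached = self.keys.get(host.lower())
        if cached is None:
            return "new"  # first connection: the Figure 4 dialog
        return "match" if cached == presented else "changed"  # changed: Figure 5

    def accept_and_save(self, host: str, presented: bytes) -> None:
        self.keys[host.lower()] = presented

def decide(cache, host, presented, admin_fp=None):
    """Return 'connect', 'prompt-user' (new host) or 'ask-admin' (key changed).

    admin_fp is a fingerprint obtained out of band from the administrator;
    a new or changed key is saved automatically only when it matches admin_fp.
    """
    state = cache.check(host, presented)
    if state == "match":
        return "connect"
    if admin_fp is not None and fingerprint(presented) == admin_fp:
        cache.accept_and_save(host, presented)
        return "connect"
    return "ask-admin" if state == "changed" else "prompt-user"

# Constructed sample data: stand-ins for real public key blobs.
HOST = "bliga.ecn.purdue.edu"
REAL_KEY = b"constructed key blob: original bliga install"
ROGUE_KEY = b"constructed key blob: Bob's rogue host"
RELOADED_KEY = b"constructed key blob: bliga after a reload"

def scenario():
    cache, out = HostKeyCache(), []
    out.append(decide(cache, HOST, REAL_KEY))    # first contact
    cache.accept_and_save(HOST, REAL_KEY)        # user clicks Accept & Save
    out.append(decide(cache, HOST, REAL_KEY))    # cached key matches
    out.append(decide(cache, HOST, ROGUE_KEY))   # impersonation attempt
    out.append(decide(cache, HOST, RELOADED_KEY, fingerprint(RELOADED_KEY)))  # admin confirmed
    out.append(decide(cache, HOST, ROGUE_KEY))   # rogue key still rejected
    return out
```

Only a key whose fingerprint the administrator has confirmed replaces the cached one, so the rogue key is refused both before and after the legitimate reload.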
SSH Settings
The SSH client provides a wide range of settings and customizations that can be found by going to the Options menu.
Last Modified: Dec 19, 2016 11:12 am US/Eastern
Created: Mar 21, 2007 12:26 pm GMT-4 by admin