This and related documents evolved as introductions to SSH for my friends and co-workers. Most notably, I often found myself answering questions such as:
- how to get CVS working over SSH
- how to use ssh-agent so that I stop typing my passphrase every time I use SSH
- how to tunnel SSH through draconian firewalls
Those, and often simpler, questions should be answered in this document.
- SSH Background
- SSH Identities and Public Key Cryptography
- What version of SSH should I use?
- Common issues using SSH under CYGWIN
- References / Alternative Sources
SSH Background
If you have never used SSH before, perhaps you have at least used telnet or rlogin on a UNIX box. In any case, think of SSH (the SSH client, at least) as a program for logging into a remote machine and for executing commands on it. It is intended to replace rlogin and rsh, and to provide secure, encrypted communication between two untrusted hosts over an insecure network.
When you run ssh, the client connects to the specified host and logs you in. To do so, you must prove your identity to the remote machine using one of several methods; by default this means typing your password for the remote machine, i.e. the machine to which you are trying to connect. The password travels inside the encrypted connection, so it cannot be sniffed off the wire, but it is only as safe as your habit of checking the host-key warning ssh prints when a server's key changes: type it into an impostor and you have given it away.
SSH Identities and Public Key Cryptography
Alternatively, one can enable identity-based authentication, which uses public-key cryptography to prove who you are. There are other methods of authentication (e.g. host-based), but they usually require root intervention on the server and offer no additional functionality or security. Setting up an identity for authentication is the main point of this document.
Public key cryptography uses a pair of keys: one that can be published (the public key) and one that must stay secret (the private key). The familiar use is encrypting data with the public key so that only the holder of the private key can decrypt it. SSH authentication uses the pair the other way round, as a signature: the server sends a challenge, the client signs it with the private key, and the server checks the signature against the public key it has on file for you. Either way, the public key reveals nothing useful about the private key, so it is safe to send your public key (the contents of ~/.ssh/id_rsa.pub, id_ed25519.pub or the older id_dsa.pub) in unencrypted electronic mail or by other means. You can even leave it on your web page, and on the server it lives in a file that may be world-readable (~/.ssh/authorized_keys; sshd only insists that the file, ~/.ssh and your home directory are not writable by anyone but you). For anyone to actually make illicit use of your public key, they would need the corresponding private key (e.g. the decrypted contents of ~/.ssh/id_rsa). Note that the DSA keys (id_dsa) that were common when this page was written are no longer accepted by default by current OpenSSH releases; generate an ed25519 key (ssh-keygen -t ed25519) or, if you need RSA, one of at least 3072 bits.
To further protect your private key, you should always, repeat always, use a passphrase to encrypt the private key when it is stored in the file system. This will prevent people from using it even if they gain access to the file itself; they would still have to guess the passphrase, so choose a long one. Don't worry; ssh-agent lets you avoid typing that passphrase more than absolutely necessary, and I'll show you how.
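Before you mail someone your public key, or accept one into your authorized_keys, it helps to be able to read the line and confirm its fingerprint. The following is an added example (not code from the original page) that parses a .pub or authorized_keys line, checks that the base64 blob really contains the key type the text claims, reports the key size, and computes the SHA256 fingerprint that `ssh-keygen -lf` prints. The two sample lines are constructed inline from arbitrary bytes and are not real keys.

```python
# Added example (not from the original page): parse OpenSSH public-key and
# authorized_keys lines and compute the SHA256 fingerprint ssh-keygen -lf
# shows, so you can check which key you are about to trust.  The sample
# keys below are built from arbitrary bytes and are NOT real keys.
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(x: int) -> bytes:
    """SSH mpint: big-endian magnitude with a leading 0x00 if the top bit is set."""
    return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def _read_strings(blob: bytes) -> list:
    """Split a key blob into its length-prefixed fields, refusing truncation."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix in key blob")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated field in key blob")
        fields.append(blob[pos:pos + n])
        pos += n
    return fields


def _next_token(line: str, pos: int):
    """Next whitespace-separated token from pos; double-quoted text such as
    command="cvs server" (which contains a space) stays inside one token."""
    while pos < len(line) and line[pos].isspace():
        pos += 1
    start, quoted = pos, False
    while pos < len(line) and (quoted or not line[pos].isspace()):
        if line[pos] == '"':
            quoted = not quoted
        pos += 1
    return line[start:pos], pos


def _split_options(opts: str) -> list:
    """Split the authorized_keys option list on commas outside double quotes."""
    out, cur, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in ssh-keygen's format (base64 without '=' padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_key(line: str) -> dict:
    """Parse one authorized_keys / .pub line: [options] type base64 [comment]."""
    line = line.strip()
    if not line or line.startswith("#"):
        raise ValueError("blank or comment line")
    tok, pos = _next_token(line, 0)
    options = []
    if tok not in KEY_TYPES:           # leading token is the option list
        options = _split_options(tok)
        tok, pos = _next_token(line, pos)
    if tok not in KEY_TYPES:
        raise ValueError("unknown key type %r" % tok)
    b64, pos = _next_token(line, pos)
    comment = line[pos:].strip()
    blob = base64.b64decode(b64, validate=True)
    fields = _read_strings(blob)
    # The blob carries its own type string; it must agree with the text field.
    if not fields or fields[0] != tok.encode():
        raise ValueError("key type inside blob does not match %r" % tok)
    if tok == "ssh-ed25519":
        bits = 8 * len(fields[1])                              # raw 32-byte key
    elif tok == "ssh-rsa":
        bits = int.from_bytes(fields[2], "big").bit_length()   # modulus n
    else:
        bits = None
    return {"options": options, "type": tok, "bits": bits,
            "fingerprint": fingerprint(blob), "comment": comment}


# --- constructed sample lines (arbitrary bytes, NOT real keys) ---
_ED25519_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_ED25519_LINE = ("ssh-ed25519 " + base64.b64encode(_ED25519_BLOB).decode()
                       + " alice@laptop")
_RSA_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_mpint(65537)
             + _ssh_mpint((1 << 2047) | 0x10001))   # fake 2048-bit modulus
SAMPLE_RSA_LINE = ('from="10.0.0.0/8,192.168.1.5",no-pty,command="cvs server" ssh-rsa '
                   + base64.b64encode(_RSA_BLOB).decode() + " cvs key")

if __name__ == "__main__":
    for sample in (SAMPLE_ED25519_LINE, SAMPLE_RSA_LINE):
        print(parse_authorized_key(sample))
```

The RSA sample also shows the option syntax that authorized_keys accepts in front of a key: `from=` limits the hosts the key may be used from, `no-pty` and `command=` pin it to one purpose (here a CVS server), which is exactly what you want for a key that exists only so CVS can run unattended. The parser deliberately compares the type string embedded in the blob with the one written in the line, since a line whose two disagree was edited or corrupted and should not be installed.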
What version of SSH should I use?
There are two SSH clients that I use, depending upon the situation. The first is the OpenSSH implementation, which is already installed on most Linux and many other UNIX machines; it is also the implementation of SSH that comes with CYGWIN for your Windows boxes (and recent Windows 10 and 11 releases ship an OpenSSH client of their own). The other option for Windows is PuTTY, a native Windows SSH client. Either works well; the choice is yours. There are commercial versions of SSH available, but why bother when OpenSSH and PuTTY are free and the most widely used.
Common issues using SSH under CYGWIN
- ssh gives me the error Could not create directory '/cygdrive/c/Documents and Settings/user/.ssh'
OpenSSH under CYGWIN uses the home-directory field of your entry in /etc/passwd to find your HOME directory, NOT whatever you might have set for HOME as an environment variable, either inside your BASH shell or in Windows itself. The fix is to edit that field of your /etc/passwd entry so that it names a directory that exists and that you can write to; ssh will then create .ssh underneath it.
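As an added example (not code from the original page), here is the edit expressed as a small script: it rewrites only the home field of the named user's line and leaves every other line and field untouched. The passwd text is constructed for illustration in Cygwin's format; the user name, SIDs and paths are arbitrary.

```python
# Added example (not from the original page): point one user's home field in
# a Cygwin-style /etc/passwd at a usable directory, which is where Cygwin's
# sshd looks for ~/.ssh regardless of the HOME environment variable.
# SAMPLE_PASSWD below is constructed for illustration, not a real system's file.


def fix_cygwin_home(passwd_text: str, user: str, new_home: str) -> str:
    """Return passwd_text with the 6th (home) field of `user` set to new_home.

    Only the named user's line changes; other lines and field order are kept.
    """
    if not new_home.startswith("/"):
        raise ValueError("home must be a POSIX path, e.g. /home/user or /cygdrive/c/...")
    out, found = [], False
    for line in passwd_text.splitlines():
        fields = line.split(":")
        # passwd lines have 7 colon-separated fields; Cygwin's GECOS field may
        # hold commas and backslashes but never a colon, so splitting is safe.
        if len(fields) == 7 and fields[0] == user:
            fields[5] = new_home
            found = True
        out.append(":".join(fields))
    if not found:
        raise KeyError("no passwd entry for %r" % user)
    return "\n".join(out) + "\n"


# Constructed sample in Cygwin's passwd format (arbitrary SIDs, not real).
SAMPLE_PASSWD = (
    "SYSTEM:*:18:544:,S-1-5-18::\n"
    "Administrator:unused:500:513:U-PC\\Administrator,S-1-5-21-1-2-3-500:"
    "/home/Administrator:/bin/bash\n"
    "user:unused:1000:513:U-PC\\user,S-1-5-21-1-2-3-1000:"
    "/cygdrive/c/Documents and Settings/user:/bin/bash\n"
)

if __name__ == "__main__":
    # Run against the real file with: python fix.py < /etc/passwd > passwd.new
    # then inspect passwd.new before copying it over /etc/passwd.
    print(fix_cygwin_home(SAMPLE_PASSWD, "user", "/home/user"), end="")
```

Write the result to a new file and diff it against the original before installing it; a malformed /etc/passwd locks everyone out of the Cygwin sshd. Recent Cygwin releases can also take account data straight from Windows via /etc/nsswitch.conf (its db_home setting) instead of /etc/passwd, in which case an /etc/passwd entry for the user is what this edit targets and must exist for it to have any effect.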
References / Alternative Sources
Much of the information I collected here was gathered from friends and from the SSH man-pages, but there are other sources I continually run across that might be helpful in other situations. Here is a short list: