Logging in to UNICC


For security reasons, logging in to UNICC is permitted only using the Secure Shell protocol with the password or RSA authentication methods. No telnet, plain ftp, rlogin, rsh or similar sessions are permitted. For more information about the Secure Shell protocol and available implementations see the SSH home page. This page in turn provides thorough, step-by-step instructions for setting up an account for RSA authentication, login procedures and some troubleshooting tips.


Why SSH?

Ssh (Secure Shell) is a program for logging in to another computer over a network. Ssh was designed to replace rlogin, rsh and rcp but can equally well be used to replace telnet. Unlike the r* utilities, ssh provides stronger authentication and secure communications over insecure channels. It can optionally be used to forward or relay any conventional TCP stream (e.g. X11 traffic, an FTP command stream, etc.) over the encrypted channel. Because of its rich set of features and wide platform availability the program is gaining wider and wider acceptance. The client programs (the ones you'll run as a user) don't require any special installation procedure or maintenance, and you can simply download them into your home directory if they aren't installed on your system.


How to set up your account for RSA authentication?

Those users who can't use password authentication have to use RSA authentication to log in. Well, others are very welcome to use the RSA method as well:-) Before you can do so you have to generate an RSA key pair using the ssh-keygen command (if you haven't done this before, of course:-). Besides the keys, the program generates a comment attached to your public key. For future extensions (digital signatures and certificates) I'd recommend overriding the default comment with your E-mail address. This is done with the -C command line option (for a full description see the corresponding manual page). The program will prompt you for a passphrase to encrypt your private key with. The choice of a good, non-guessable passphrase is vital for security. If you choose your current login password, remember that the two (login password and passphrase) are actually independent and are changed separately (passwd vs. ssh-keygen -p). Well, it's time for an example:

ssh-keygen -C appro@fy.chalmers.se
Initializing random number generator...
Generating p:  .....................................++ (distance 456)
Generating q:  ..........++ (distance 128)
Computing the keys...
Testing the keys...
Key generation complete.
Enter file in which to save the key ($HOME/.ssh/identity): <- just <Return> here
Enter passphrase: <- passphrase is not echoed when entered
Enter the same passphrase again: 
Your identification has been saved in $HOME/.ssh/identity.
Your public key is:
1024 35 73733132058769994536904315800235499733979572145746071146953012619067495895210896748934875633161787173067947868759777520074259860133034837045328258598354152377982174101656436620939243173192120526878089134246599935163546032943268331107891087962084415748805229437381147831510678382911288940441810419586800339157 appro@fy.chalmers.se
Your public key has been saved in $HOME/.ssh/identity.pub

Then you have to copy your public key into the authorized_keys file. This is the file the Secure Shell daemon (server) looks for your public key in, not your identity.pub! There are many ways to accomplish this; below is just one:

(umask 022; cd; cd .ssh; cat identity.pub >> authorized_keys)

And finally, make sure your home directory is not writable by anybody but you:

(cd; chmod go-w .)
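The steps above (key pair, authorized_keys, non-writable home directory) are easy to get slightly wrong, and the usual symptom is just a password prompt instead of a passphrase prompt. The script below is an added example, not part of the UNICC page or of ssh itself; it only reads permission bits with ls and cut (POSIX sh) and reports anything that would keep RSA authentication from being used: a home directory or .ssh directory writable by group or others, a missing or writable authorized_keys, or a private key (identity) readable by others. The file names follow the ssh 1.x layout used on this page.

```shell
#!/bin/sh
# Added example (not from the UNICC page): verify the permissions that
# RSA authentication depends on before trying to log in.  Uses only
# POSIX sh, ls and cut.  Exit status 0 means everything looks fine.

# mode_string PATH: the ten-character permission string from "ls -ld"
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# group_or_other_writable PATH: true if group or others may write PATH
group_or_other_writable() {
    case `mode_string "$1"` in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# group_or_other_readable PATH: true if group or others may read PATH
group_or_other_readable() {
    case `mode_string "$1"` in
        ????r?????|???????r??) return 0 ;;
    esac
    return 1
}

# check_ssh_dir HOME_DIR: report every problem found under HOME_DIR and
# return 1 if there was any, 0 otherwise
check_ssh_dir() {
    home=$1; status=0
    # the home directory and .ssh must not be writable by anybody else,
    # otherwise someone could plant their own authorized_keys
    for d in "$home" "$home/.ssh"; do
        if [ ! -d "$d" ]; then
            echo "missing directory: $d"; status=1
        elif group_or_other_writable "$d"; then
            echo "writable by group/others: $d"; status=1
        fi
    done
    keys=$home/.ssh/authorized_keys
    if [ ! -f "$keys" ]; then
        echo "no authorized_keys file: $keys"; status=1
    elif group_or_other_writable "$keys"; then
        echo "writable by group/others: $keys"; status=1
    fi
    # the private key (identity) must not be readable by anybody else
    id=$home/.ssh/identity
    if [ -f "$id" ] && group_or_other_readable "$id"; then
        echo "private key readable by group/others: $id"; status=1
    fi
    return $status
}

# run the check for the directory given on the command line, if any,
# e.g.:  sh check_ssh_perms.sh $HOME
if [ $# -gt 0 ]; then
    check_ssh_dir "$1"
fi
```

Run it as `sh check_ssh_perms.sh $HOME` (the file name is my choice); an empty output and exit status 0 means the layout matches what the daemon expects. The check looks only at mode bits, so it says nothing about the passphrase or the key itself.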


How to login and troubleshoot?

To log in, use the ssh command. You can also use this command to execute single commands at the remote host, e.g. in scripts. If you're using RSA authentication you'll be prompted for the passphrase chosen in the previous step, otherwise for your login password. Note that if you're logging in from a workstation running X11 or from an X-terminal, ssh by default forwards the X11 stream over the encrypted channel and sets up the DISPLAY environment variable as well as the corresponding entry in the X authority file. Use the -x command line option to disable this if it gives you trouble. For more details about ssh usage see the corresponding manual page.

If you fail to log in, retry with the -v flag to obtain verbose debugging output:

ssh -v newton.unicc.chalmers.se
SSH Version 1.2.17 [sparc-sun-solaris2.5], protocol version 1.5.
Standard version.  Does not use RSAREF.
ssh_connect: getuid 22035 geteuid 22035 anon 1
Connecting to unicorn [129.16.125.141] port 22.
Connection established.
Remote protocol version 1.5, remote software version 1.2.17
Waiting for server public key.
Received server public key (768 bits) and host key (1024 bits).
Host 'unicorn' is known and matches the host key.
Initializing random; seed file /home/f4a/appro/.ssh/random_seed
Encryption type: idea
Sent encrypted session key.
Received encrypted confirmation.
No agent.
Trying RSA authentication with key 'appro@fy.chalmers.se'
Received RSA challenge from server.
Enter passphrase for RSA key 'appro@fy.chalmers.se': 
Sending response to host key RSA challenge.
Remote: RSA authentication accepted.
RSA authentication accepted by server.
Requesting pty.
Failed to get local xauth data.
Requesting X11 forwarding with authentication spoofing.
Requesting shell.
Entering interactive session.
Last login: Fri Jan 24 21:21:57 1997 from fysparc9.fy.chalmers.se
unicorn:~> 

If you can't make any sense of such output, mail it to help@unicc.chalmers.se.


How to transfer files?

Normally you don't have to do this, do you? Indeed, your home directory is mounted over the network and thus all your files are directly available to application programs, e.g. cp:-) Anyway, if for any reason you have to transfer a file, use the scp command. See the corresponding manual page for details.

If scp is not an option for you, then use ftp with its command stream forwarded over an "ssh'ed" channel. It's a little tricky but you ought to get used to it:-) The idea is to log in to the remote host with port 21 of the remote host relayed to an unused port on your machine, and then to ftp to your own machine instead of the remote host. Under Unix you can accomplish this with the following script:

#!/bin/sh
# ssh.ftp: relay port 21 of the remote host through an ssh tunnel to a
# local port, then run ftp against that local port.
if [ $# -lt 1 ]; then
	echo "usage: $0 remote_host [port]"; exit 1
fi
NAME=`basename $0`
# unpredictable temporary file name (mktemp) instead of a fixed /tmp name
TMP_FILE=`mktemp /tmp/$NAME.XXXXXX` || exit 1
trap 'rm -f "$TMP_FILE"' 0; trap 'exit 1' 1 2 3
PORT=${2:-30000}	# any not currently used non-privileged port
# -f: go to background once the tunnel is up; -n: no stdin; -x: no X11
# forwarding; -L: local PORT -> port 21 on the remote host.  "sleep 5"
# keeps ssh alive long enough for ftp to connect through the tunnel.
if ssh -f -n -x -L "$PORT:$1:21" "$1" sleep 5 > "$TMP_FILE" 2>&1; then
	rm -f "$TMP_FILE"
	exec ftp `uname -n` "$PORT"
else
	cat "$TMP_FILE"	# show why ssh failed, e.g. "bind: Address already in use"
fi

It takes two arguments, namely the remote hostname and an optional number of a local non-privileged port that is not currently used by some other program. Normally you have to use the second argument only when the script fails with a "bind: Address already in use" error message. If it does so, I'd recommend simply "walking" through numbers larger than, for example, 30000 to find a port that is not used. Below you'll find a sample dialog. Note that ftp is connecting to fysparc9, but it's actually unicorn that asks for the username and password.

ssh.ftp unicorn
Connected to fysparc9.
220 unicorn FTP server ready.
Name (fysparc9:appro):
331 Password required for appro.
Password:
230 User appro logged in.
ftp>

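"Walking" through port numbers by hand can be automated. The function below is an added example, not part of the original page or of ssh: it reads the text of a netstat -an listing and prints the first port at or above a starting number that does not appear in it, so the result can be passed as the second argument of the ssh.ftp script. Any port seen in the listing, local or remote, is treated as busy, which errs on the safe side. The SAMPLE listing is constructed for illustration (Linux and Solaris line styles); only POSIX sh, sed, grep and expr are used.

```shell
#!/bin/sh
# Added example (not from the UNICC page): pick the first local port at or
# above START that does not appear in a "netstat -an" listing, so the port
# argument to ssh.ftp can be chosen automatically instead of by hand.

# free_port LISTING START: print the first port >= START not found in
# LISTING (the text of "netstat -an"); local and remote addresses alike
# are treated as busy, which is conservative
free_port() {
    listing=$1; port=$2
    # a port number is preceded by "." or ":" and followed by a non-digit;
    # a trailing space is appended so a port at end of line still matches
    while echo "$listing" | sed 's/$/ /' | grep -q "[.:]$port[^0-9]"; do
        port=`expr $port + 1`
    done
    echo "$port"
}

# constructed sample of netstat -an output (not from a real machine)
SAMPLE='tcp        0      0 0.0.0.0:30000         0.0.0.0:*            LISTEN
tcp        0      0 127.0.0.1:30001       127.0.0.1:4562       ESTABLISHED
      *.22                 *.*                0      0 65536      0 LISTEN'

# On a real machine, feed it the live listing and hand the result to
# ssh.ftp (or directly to ssh -L), e.g.:
#   PORT=$(free_port "$(netstat -an)" 30000)
#   ssh.ftp remote_host $PORT
```

With the constructed SAMPLE, free_port SAMPLE 30000 skips 30000 and 30001 and prints 30002. The check is a plain text match, so it is only as current as the listing you pass in; a port freed or taken between netstat and ssh is not seen, which is exactly the case the "bind: Address already in use" message covers.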
If you use a PC/Mac SSH client and don't run any FTP server software on your computer, use '21:remote_host:21' as the local port forwarding "magic" phrase. In this case you don't have to choose a specific port on your machine. It might be handy because not all PC/Mac FTP clients permit using an arbitrary port.


Last modified 970125 by appro@fy.chalmers.se