Please use Secure Shell (SSH)
instead of Telnet or rsh/rcp/rlogin
The Secure Shell suite of programs can keep unauthorized users out of our computers, both by encrypting passwords to keep them from being "sniffed", and by providing more positive authentication than simple password exchange.
Secure Shell also provides two useful improvements over telnet:
- It will automatically forward your X display (it sets the DISPLAY variable for you).
- It can allow you to log in without a password, even though you may never have the same IP address (e.g. from home over a dial-up line).
The telnet and ftp programs have a serious security problem--when you type your password it is broadcast over the wires in the clear, which means that any other computer listening on that wire can potentially read your password. (In fact, the whole idea of Ethernet is based on all the computers on the network listening to the same wire). Hackers make use of this flaw by installing "sniffer" programs that specifically listen for passwords from any computer on the network.
The "remote shell" programs (rsh, rcp, and rlogin) also have security problems. They don't exchange passwords, but instead they rely on the connection coming from a known IP address on a privileged port. That's all. This is relatively easy for a hacker to spoof.
A more secure alternative to telnet or rsh, rcp, or rlogin, is to use the Secure Shell (SSH) protocol, which both encrypts the connection and uses digital signatures to positively identify the host at the other end of the connection. SSH can be made as easy to use as rsh, rcp, and rlogin, with no password required; simply use the commands ssh, scp, or slogin instead.
A useful advantage of SSH is that it automatically forwards your X window connections (you don't have to set the DISPLAY variable, it sets it for you). And it encrypts your X connections too. You can also use SSH to log in over a dial-up line without having to present a password. For details on how to set this up please read: Using Public Key Authentication with SSH.
If you are connecting over a slow link (a slow phone line or a very long distance Internet connection) then you may not want the automatic forwarding of your X display. In that case you can turn it off (on a Unix computer, at least) by giving the command:
    unsetenv DISPLAY
You give this command after you have established your connection to the other computer.
The slogin, scp and ssh commands are available on all of the Unix computers in our group, as well as on the ITD login servers. Please use them instead of telnet. Telnet may well be disabled in the near future, at least on the machines in our group.
We are working on a secure alternative to ftp (probably called sftp) but nothing that is useful exists at this time. Just keep in mind that whenever you type your password for an FTP session it is being broadcast over the Internet in the clear.
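A check an administrator could run before disabling telnet, given here as an added example that is not part of the original page: it lists the cleartext and address-trusting services still enabled in an inetd.conf-style file, plus any per-user .rhosts trust files used by rsh/rlogin. The sample file contents, user name and host name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): report services that should be
# replaced by ssh/scp/slogin, read from an inetd.conf-style file.

# audit_inetd FILE -> one "service: reason" line per enabled legacy service.
# "shell" and "login" are the inetd service names for rsh/rcp and rlogin.
audit_inetd() {
    awk '
        BEGIN {
            why["telnet"] = "password sent in the clear"
            why["ftp"]    = "password sent in the clear"
            why["shell"]  = "rsh/rcp trusts source address and privileged port"
            why["login"]  = "rlogin trusts source address and privileged port"
        }
        /^[ \t]*#/ || NF == 0 { next }   # commented-out entries are disabled
        ($1 in why) && !seen[$1]++ { print $1 ": " why[$1] }
    ' "$1"
}

# list_rhosts DIR -> paths of per-user rsh trust files found under DIR.
list_rhosts() {
    find "$1" -type f -name .rhosts 2>/dev/null | sort
}

# Constructed sample: telnet and rsh enabled, ftp and rlogin commented out.
sample_inetd() {
    cat <<'EOF'
# <service> <socket> <proto> <wait> <user> <server> <args>
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
#ftp    stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd
shell   stream  tcp  nowait  root  /usr/sbin/in.rshd     in.rshd
#login  stream  tcp  nowait  root  /usr/sbin/in.rlogind  in.rlogind
EOF
}

# Run both checks against the constructed sample in a scratch directory.
demo() {
    tmp=$(mktemp -d) || return 1
    sample_inetd > "$tmp/inetd.conf"
    mkdir -p "$tmp/home/alice"
    echo "trusted.example.org alice" > "$tmp/home/alice/.rhosts"
    audit_inetd "$tmp/inetd.conf"
    list_rhosts "$tmp/home" | sed "s|^$tmp/||"
    rm -rf "$tmp"
}

demo
```

On a real host, point audit_inetd at /etc/inetd.conf and list_rhosts at the directory that holds the users' home directories.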
Unix
- Version 2.x of ssh is a commercial product, distributed by SSH Communications Security. It can be used for non-commercial and/or Educational use without fee (see the licensing agreement for details.)
- Another way to get SSH is OpenSSH. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced and many other clean-ups.
- Version 1.x of ssh is "open source" software, covered by the GNU General Public License (GPL). But it has some rather striking security holes and so you should not use it anymore!
- OSSH Project
- LSH project, another GPL'd SSH client
Windows Clients
- PuTTY: a free Win32 telnet/ssh client (and PSCP, which does scp for Windows)
- There is now a very nice Windows FTP application which does sftp, available from SSH Communications Security. It can be used for non-commercial and/or Educational use without fee (see the licensing agreement for details.)
- TeraTerm - a free software terminal emulator for MS-Windows
- TTSSH: An SSH Extension to Teraterm (you'll need this plug-in in addition to TeraTerm itself).
- Win32 Secure Copy Client
- Freeware SSH and SCP for Windows 9x, NT and DOS
- F-Secure SSH 5.1 for Win95/98/ME/NT4.0/2000 Client is a commercial client for Mac, Windows, and Unix, from Data Fellows.
- WinSCP is a freeware SCP (Secure CoPy) client for Windows 95/98/NT/2000/XP/ME using SSH (Secure SHell). It uses cp/cd/ls via ssh rather than the sftp protocol.
Apple/Macintosh Clients
MacOS X is Unix and already includes ssh. Just open the Terminal application and use ssh and scp as you would on any Unix machine! (Macintosh HD -> Applications -> Utilities -> Terminal)
On older Macs you can use one of the following:
- MacSSH This is an easy to use, free SSH2 (only) client.
- NiftyTelnet 1.1 SSH r3 is an extension of NiftyTelnet on the Mac to include the SSH protocol (now including scp and RSA authentication). I have troubles unpacking this with just the free StuffIt Expander, so it's no longer easy to use.
- MindTerm - Mac ssh client, written in Java
- F-Secure SSH 5.1 for Win95/98/ME/NT4.0/2000 Client is a commercial client for Mac, Windows, and Unix, from Data Fellows.
- dataComet-Secure is a commercial client for Mac which does SSH1 and SSH2, as well as Kerberized telnet.
SSH Information
Note on RSA authentication:
SSH can use the RSA algorithm, which was patented in the U.S. and so could not be used there without permission of the patent holder (RSA, Inc.). The patent expired in Sept. of 2000, so there are no longer any legal problems with using any of these clients in the U.S.
Copyright © 2005 by Spy Hill Research http://www.Spy-Hill.com/help/SecureShell.html (served by Islay.spy-hill.com) Last modified: 19 January 2005