Carnegie Mellon University School of Computer Science

Secure Shell (SSH)

Secure Shell (SSH) is a cryptographic network protocol which allows for data to be securely exchanged between two computers using an encrypted channel. SSH is typically used to log into a remote machine and execute commands or to perform secure file transfer using the associated SFTP or SCP protocols. Additionally, SSH supports a range of features including tunneling arbitrary TCP ports and X11 connections. In SCS, we use the OpenSSH implementation of the SSH protocol suite.  

How To Get SSH Client Software

SCS Computing Facilities includes SSH clients by default on all Linux, macOS and Windows systems that we build. 

Linux: Linux machines provided by SCSCF have the OpenSSH client installed by default. Most other Linux systems should also have an SSH client installed by default. If there is no SSH client present, see the package management documentation for the appropriate Linux distribution for notes on how to install an SSH client.

macOS: The OpenSSH client is installed by default on all systems running macOS.

Windows: Windows machines provided by SCSCF will include the command line SSH client PuTTY by default. The WinSCP client is also installed by default for users seeking a graphical interface for transferring files over SSH using SCP. Either of these clients can be used to access AFS from a Windows computer by SSHing to a Linux computer that mounts AFS, like linux.gp.cs.cmu.edu.

Using SSH on SCS Linux hosts

Linux hosts built by SCS Computing Facilities allow remote login via SSH to users on the system by default. In order to connect to an account on an SCS Linux computer via SSH, the SCS username and Kerberos password for that account will be required. 

SCS Computing Facilities enables the sshd_config option PermitRootLogin without-password in order to allow select SCSCF staff to securely log in to Linux machines we manage as root. This option must remain enabled in order for us to log in to a machine in order to assist with support requests. 

Connecting to an SCS Linux host

Both Linux and macOS support connecting to a remote system via SSH through their respective command line interfaces. To use SSH on these machines, first open a terminal program. 

Launch Interactive Shell Session on Remote Host

To initiate a shell session on a remote host like the general purpose Linux computers, use a command like this:

% ssh username@linux.gp.cs.cmu.edu

This will launch a new shell session that will persist until the connection is terminated.

Run a Single Command on a Remote Server

To run a single command on a remote server instead of spawning a shell session, you can add the command after the connection information, like this:

% ssh username@linux.gp.cs.cmu.edu command

This will connect to the remote host, authenticate with your credentials, and execute the command specified. The connection will immediately close afterwards.

Logging into a Server with a Different Port

By default, the SSH daemon on a server listens for incoming requests on port 22. SSH clients will attempt to connect on port 22 unless instructed otherwise. When using the SSH command line client, the -p option can be used to specify that a non-standard port is being used. For example, to connect to a remote system called example.com on port 2222, a command like this would be used:

% ssh -p 2222 username@example.com

You can avoid having to use the -p option every time you log in to the remote server by creating or editing the ~/.ssh/config file in your home directory on the computer that runs the ssh command. This file supports setting different configuration options for different remote hosts. An example entry that will connect to example.com on port 2222 follows:

Host example
HostName example.com
Port 2222
Once that is complete, SSH connections to example.com on the non-standard port can be initiated with this command:

% ssh example


Using SSH on macOS hosts

Connecting to a macOS Host

macOS hosts built by SCS Computing Facilities are not accessible via SSH by default. Remote Login can be enabled in order to make the machine accessible via SSH. This guide contains instructions on enabling Remote Login. Once Remote Login has been enabled, you will be able to use your username and password to log in to the macOS machine using an SSH client on another computer.

The SSH Client on macOS hosts works similarly to the one on Linux hosts:

Launch Interactive Shell Session on Remote Host

To initiate a shell session on a remote host like the general purpose Linux computers, use a command like this:

% ssh username@linux.gp.cs.cmu.edu

This will launch a new shell session that will persist until the connection is terminated.

Run a Single Command on a Remote Server

To run a single command on a remote server instead of spawning a shell session, you can add the command after the connection information, like this:

% ssh username@linux.gp.cs.cmu.edu command

This will connect to the remote host, authenticate with your credentials, and execute the command specified. The connection will immediately close afterwards.

Logging into a Server with a Different Port

By default, the SSH daemon on a server listens for incoming requests on port 22. SSH clients will attempt to connect on port 22 unless instructed otherwise. When using the SSH command line client, the -p option can be used to specify that a non-standard port is being used. For example, to connect to a remote system called example.com on port 2222, a command like this would be used:

% ssh -p 2222 username@example.com

You can avoid having to use the -p option every time you log in to the remote server by creating or editing the ~/.ssh/config file in your home directory on the computer that runs the ssh command. This file supports setting different configuration options for different remote hosts. An example entry that will connect to example.com on port 2222 follows:

Host example
HostName example.com
Port 2222
Once that is complete, SSH connections to example.com on the non-standard port can be initiated with this command:

% ssh example


Using SSH on Windows hosts

The SSH clients on Windows provide much of the same functionality as the clients for Linux and macOS. To support Kerberized authentication for Windows SSH clients, we install MIT Kerberos for Windows by default on Windows computers that we build.

Launch Interactive Shell Session on Remote Host

  • Open PuTTY
  • Set the remote host in the "Hostname or IP address" text box under Session
  • (Optional) Enable credential delegation under Connection > SSH > Auth > GSSAPI
  • (Optional) Turn on X11 forwarding under Connection > SSH > X11
  • (Optional) Save your session configuration under Session using the Saved Sessions dialog

Depending on your Kerberos configuration, you may be prompted for credentials upon connecting. For more information on Kerberos credentials and authentication, visit the page on Kerberos.

Run a Single Command on a Remote Server

The plink command-line client comes as part of the complete PuTTY distribution.  It has a similar syntax to the command-line ssh Linux client. To run a single command on a remote host, run a command like this:

plink <user>@<host> <command>

For example, to run the date command on linux.gp.cs.cmu.edu as the user example:

plink example@linux.gp.cs.cmu.edu date

Copy Files Between Two Hosts

The pscp command-line client comes as part of the complete PuTTY distribution. It has a similar syntax to the command-line scp Linux client. Use a command like this to transfer a file on the local computer to a remote host via SCP:

pscp <local file> <user>@<host>:<remote directory>
See the PuTTY documentation for more information about plink and pscp usage. 

Tips & Tricks

SSH Keys

SSH supports public key authentication as an alternative to password-based authentication. SCS Computing Facilities strongly recommends using a passphrase when generating an SSH key pair. SSH keys created without a passphrase should be stored in a secure location and should not be stored in a networked file system like AFS or NFS. SCS users may wish to explore using public key authentication for connecting to or from computers that do not use the SCS Kerberos configuration. 

A strong SSH key pair can be generated by running the following command:

ssh-keygen -t rsa -b 4096 -C "$(whoami)@$(hostname) [$(date)]"

By default, this will create the key pair in ~/.ssh, with the public key in ~/.ssh/id_rsa.pub.

The public key can be transferred to a remote host using the ssh-copy-id command. 

ssh-copy-id username@remote_host

Future attempts to SSH to this remote host will first attempt to use the public key for authentication, rather than your password. You will be prompted for the passphrase for the private key, if you set one. 
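The recommendation above (always set a passphrase, and keep unprotected private keys off shared file systems) can be checked mechanically. The following is an added example, not code from SCS Computing Facilities or from OpenSSH: it inspects a private key file and reports whether it is passphrase-protected and whether its file mode lets other users read it. The openssh-key-v1 container starts with the magic string "openssh-key-v1\0" followed by the cipher name and KDF name; both are the literal "none" when no passphrase was set. Legacy PEM keys instead carry a "Proc-Type: 4,ENCRYPTED" header. The sample key blobs are constructed inline with dummy key material so the script runs offline; build_sample_key, key_is_passphrase_protected, mode_is_too_open and audit_key_file are names chosen for this example.

```python
import base64
import os
import stat
import struct
import tempfile

MAGIC = b"openssh-key-v1\x00"  # leading bytes of the modern OpenSSH private key container


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire 'string': uint32 big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, pos: int):
    """Decode one SSH wire 'string' at offset pos; return (value, next offset)."""
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + length], pos + 4 + length


def build_sample_key(passphrase_protected: bool) -> str:
    """Construct a minimal openssh-key-v1 armored blob for demonstration only.
    The key material is dummy bytes, so the result is NOT a usable key."""
    if passphrase_protected:
        # Real passphrase-protected keys name a cipher and the bcrypt KDF (salt + rounds).
        cipher, kdf = b"aes256-ctr", b"bcrypt"
        kdfoptions = _ssh_string(b"\x00" * 16) + struct.pack(">I", 16)
    else:
        cipher, kdf, kdfoptions = b"none", b"none", b""
    body = (MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfoptions)
            + struct.pack(">I", 1)                      # number of keys in the container
            + _ssh_string(b"dummy-public-key")
            + _ssh_string(b"dummy-private-section"))
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


def key_is_passphrase_protected(text: str) -> bool:
    """True if the private key text is encrypted with a passphrase.
    Handles the openssh-key-v1 container and the legacy PEM header."""
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        inner = text.split("-----BEGIN OPENSSH PRIVATE KEY-----", 1)[1]
        inner = inner.split("-----END OPENSSH PRIVATE KEY-----", 1)[0]
        blob = base64.b64decode("".join(inner.split()))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        pos = len(MAGIC)
        cipher, pos = _read_string(blob, pos)
        kdf, pos = _read_string(blob, pos)
        # An unprotected key has cipher "none" and kdf "none".
        return cipher != b"none" and kdf != b"none"
    # Legacy "BEGIN RSA PRIVATE KEY" style: encrypted keys carry a Proc-Type header.
    return "Proc-Type: 4,ENCRYPTED" in text


def mode_is_too_open(mode: int) -> bool:
    """ssh ignores a private key that is group- or world-readable; flag such modes."""
    return bool(stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO))


def audit_key_file(path: str) -> dict:
    """Report the two properties the page warns about for one private key file."""
    with open(path) as handle:
        text = handle.read()
    return {
        "passphrase": key_is_passphrase_protected(text),
        "too_open": mode_is_too_open(os.stat(path).st_mode),
    }


if __name__ == "__main__":
    # Write two constructed sample keys to a temp dir and audit them.
    with tempfile.TemporaryDirectory() as workdir:
        for name, protected, mode in (("id_rsa_plain", False, 0o644),
                                      ("id_rsa_pass", True, 0o600)):
            path = os.path.join(workdir, name)
            with open(path, "w") as handle:
                handle.write(build_sample_key(protected))
            os.chmod(path, mode)
            print(name, audit_key_file(path))
```

Run against a real ~/.ssh directory by passing each private key path to audit_key_file; a result of passphrase False on a key stored in AFS or NFS is exactly the situation the recommendation above is meant to prevent.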

Managing SSH keys for multiple hosts

The SSH configuration file on your local computer lets you provide default SSH options when connecting to remote hosts. This includes using a different key for a particular remote host. Here is an example of some popularly used settings you can put in the SSH configuration file (~/.ssh/config):
Host remote_alias
HostName example.com
User username
Port port_number
IdentityFile ~/.ssh/alternate_key

When you issue the command ssh remote_alias, the SSH client will include the options specified in the section of the configuration file for this host.
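Both the Port entry earlier on this page and the per-host key entry above rely on the same rule: when ssh resolves an alias, it walks ~/.ssh/config top to bottom and keeps the first value it finds for each option, so a catch-all Host * block must come after the specific hosts. The following is an added example, not code from SCS Computing Facilities or from OpenSSH: a small resolver that mimics that first-match-wins behaviour for HostName, User, Port and IdentityFile and shows what happens when a Host * block is placed first. The sample configs are constructed for this example (the Port 2200 value stands in for the page's port_number placeholder); parse_config, block_matches and resolve are names chosen here. Negated patterns are handled, but this resolver keeps only the first IdentityFile whereas real ssh accumulates several.

```python
import fnmatch
import re

# Constructed sample ~/.ssh/config: the two entries from the page plus a
# catch-all block placed last, where it belongs.
SAMPLE_CONFIG = """\
Host example
    HostName example.com
    Port 2222

Host remote_alias
    HostName example.com
    User username
    Port 2200
    IdentityFile ~/.ssh/alternate_key

Host *
    User defaultuser
    IdentityFile ~/.ssh/id_rsa
"""

# Constructed counter-example: the catch-all comes first, so its Port 22
# shadows the Port 2222 that the specific block tries to set.
MISORDERED_CONFIG = """\
Host *
    Port 22

Host example
    HostName example.com
    Port 2222
"""


def parse_config(text: str):
    """Split ssh_config text into (host_patterns, {option: value}) blocks in file order."""
    blocks = []
    patterns, options = ["*"], {}      # options before any Host line apply to all hosts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # ssh_config accepts "Key value" and "Key=value"; keywords are case-insensitive
        match = re.match(r"(\w+)\s*=?\s*(.*)", line)
        key, rest = match.group(1).lower(), match.group(2).strip()
        if key == "host":
            if options:
                blocks.append((patterns, options))
            patterns, options = rest.split(), {}
        else:
            options.setdefault(key, rest)  # within a block, the first value also wins
    if options:
        blocks.append((patterns, options))
    return blocks


def block_matches(alias: str, patterns) -> bool:
    """A block applies if some pattern matches the name given on the command line
    and no negated (!) pattern matches it."""
    matched = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(alias, pattern[1:]):
                return False
        elif fnmatch.fnmatchcase(alias, pattern):
            matched = True
    return matched


def resolve(alias: str, text: str, local_user: str = "localuser") -> dict:
    """Return the settings `ssh alias` would use, earliest matching block winning per option.
    local_user stands in for the local login name that real ssh uses as the default User."""
    resolved = {}
    for patterns, options in parse_config(text):
        if block_matches(alias, patterns):
            for key, value in options.items():
                resolved.setdefault(key, value)
    return {
        "hostname": resolved.get("hostname", alias),
        "port": int(resolved.get("port", 22)),
        "user": resolved.get("user", local_user),
        "identityfile": resolved.get("identityfile"),
    }


if __name__ == "__main__":
    for alias in ("example", "remote_alias", "linux.gp.cs.cmu.edu"):
        print(alias, "->", resolve(alias, SAMPLE_CONFIG))
    print("misordered example ->", resolve("example", MISORDERED_CONFIG))
```

On a machine with OpenSSH installed, ssh -G remote_alias prints the real client's resolved configuration without connecting, which is the quickest way to confirm that an alias picks up the intended HostName, Port and IdentityFile.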

SSH Tunneling

SSH supports the setup of encrypted tunnels between a specific port on your local machine and a specific port on a remote host. This is also commonly referred to as SSH port forwarding and is useful for providing SSH encryption for traffic that would otherwise go over the network in the clear.

See this article on How to Use SSH Tunneling to Access Restricted Servers and Browse Securely for more information on the possibilities provided by SSH tunneling.