Basic ssh Usage

ssh as replacement for telnet, rlogin, xrlogin

If you only want to open a remote session with password authentication as you would with telnet or rlogin, just type

ssh <hostname>

You will be prompted for your password on the remote host, and after typing it in your login will proceed as usual. (If <hostname> is not yet in the known hosts database, ssh will ask for confirmation once before proceeding and then add it to the database for future reference.)

The advantages of ssh here are that

Note: If you receive an error message after trying ssh <hostname>, saying

Secure connection to <hostname> refused; reverting to insecure method.
Using rsh.  WARNING: Connection will not be encrypted.

then the remote host has no ssh daemon running. Ask the administrator of <hostname> to install it!

ssh as replacement for rsh

You may have set up .rhosts files on all your accounts to be able to quickly hop around from one computer to the other, remotely execute commands and copy files with rcp without always being asked for a password. This is very convenient and very insecure, because your only authentication is the username@hostname pair, and this is easy to fake. Actually, the first and most basic example in hackers' guides uses a .rhosts file on an NFS exported disk. You basically open all your accounts to the rest of the world when you use this mechanism. That's why many sites have forbidden the use of .rhosts authentication completely.

There is an equivalent to the $HOME/.rhosts file in ssh: the $HOME/.ssh/authorized_keys file. This file contains one line for each username@hostname who shall be allowed to log in without being prompted for a password. In addition to username and hostname, each line holds a key in the form of a long text string. This is the public key of username@hostname, while the private key is stored on the host requesting login. While this mechanism gives security against IP spoofing, it still does not protect you against bad NFS setups, so use it with care!

How to Generate a Key Pair

You get an RSA key pair by running ssh-keygen on host A. This will create a private and a public key in $HOME/.ssh/identity and $HOME/.ssh/identity.pub. When prompted for a passphrase, just hit 'return'. Otherwise you have to type this passphrase on each login, which is exactly what you are trying to avoid.

You need to copy the contents of $HOME/.ssh/identity.pub on host A to the $HOME/.ssh/authorized_keys file on host B. It is best to use scp to do this. Make sure that the key is a single line and has not been split by the editor. Make the file readable and writable by the owner only. That's it. You can have multiple keys for different hosts in your $HOME/.ssh/authorized_keys. Now you can use ssh and scp on host A to execute commands on and copy files to and from B just as you would with rsh and rcp, but without their vulnerabilities and with added encryption.
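
The copy step above, written as a shell function to run on host B once identity.pub has been copied over with scp. This is an added example, not part of the original page; the function names install_pubkey and owner_only and the exit codes are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original page). Run on host B after copying
# host A's identity.pub there with scp. Function names are hypothetical.

# owner_only PATH: succeed only if group and others have no permission bits.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# install_pubkey PUBFILE [SSHDIR]
# Exit status: 0 key installed or already present,
#              1 key file is not exactly one line (split by an editor),
#              2 key file unreadable,
#              3 directory or file could not be made owner-only.
install_pubkey() (
    pub=$1
    dir=${2:-$HOME/.ssh}
    [ -r "$pub" ] || exit 2
    # ssh-keygen writes the public key as a single line. More than one
    # non-empty line means the key was wrapped somewhere along the way.
    [ "$(grep -c . "$pub")" -eq 1 ] || exit 1
    key=$(grep . "$pub")
    umask 077    # body runs in a subshell, so the caller's umask is untouched
    mkdir -p "$dir" && chmod 700 "$dir" || exit 3
    auth=$dir/authorized_keys
    touch "$auth" || exit 3
    # Append only if this exact line is not already in the file.
    grep -qxF -e "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
    # An existing file may have had looser permissions; tighten and verify.
    chmod 600 "$auth" || exit 3
    owner_only "$dir" && owner_only "$auth" || exit 3
)
```

Called as install_pubkey identity.pub, it refuses a key that arrived split over several lines and leaves both the directory and authorized_keys accessible by the owner only, even if the file already existed with looser permissions.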

Note that while this is much better than the .rhosts based authentication alone, it still means that if someone gains access to your account on A, he also has access to B. Do this only between hosts where you really need it.

Main parts of this description were adopted from Knut Woller's web page "Basic ssh Usage for Hermes Users".

Birgit Lewendel (birgit.lewendel(at)desy.de)