WHY should I use SSH
--------------------
SSH uses a pair of public and private keys to identify a specific account.
That is, the account is specified!  Not the machine it is on, nor a specific
account name, but the actual account with an "id" private key matching its
corresponding public keys!  IE: the actual account!

It also automatically encrypts all the network traffic between the machines,
to prevent network snooping (even easier for hackers to do).  And it will set
up an encrypted X windows link between the machines.

Also, if you try to execute a remote command on a machine it does NOT have
authorization to use without a password, it will ask you for the password
for that machine.

SSH and X windows
-----------------
On many machines X window forwarding is turned off by default.  This
especially includes PC SSH client programs, like "TeraTerm", or "PuTTY".
Also many servers will not allow the use of X Window port forwarding, so
even if you enable it for yourself, it may not be allowed by a specific
server.

Under Unix you can turn it on in a number of ways.

  * You can add the line "ForwardX11=yes" to either your personal ssh
    config file "$HOME/.ssh/config", or the system wide configuration
    "/etc/ssh/ssh_config" (ask your system administrator).

  * Alternatively the -X command line option can be added when executing
    ssh.

Refer to the SSH manpage for further information on configuration options.

Setup SSH for use without a password
------------------------------------
First you need to give the account FROM which you want to login, a public
key identification.  That is something to identify that account.

On the machine FROM which you use ssh, run the command

    ssh-keygen -t ecdsa

And just press return after EVERY question.

ASIDE: 'ECDSA' is a type of public key, known as 'Elliptic Curve DSA'.
There are quite a number of such public key types, such as 'RSA', while
others (like 'DSA') have been discontinued due to weakness in the algorithm
(it's not broken, just weak).
You can have different types of keys identifying the same account, though
only one is needed.

This command will generate two files in the ".ssh" sub-directory of your
home.  These are the two keys forming a private/public key identification:
".ssh/id_ecdsa" and ".ssh/id_ecdsa.pub".

Now append the public key from the file ".ssh/id_ecdsa.pub" generated by
ssh-keygen into the file ".ssh/authorized_keys" on the machine you would
like to login TO without a password.

This can be done with...

    ssh dest_host "echo `cat $HOME/.ssh/id_ecdsa.pub` >> .ssh/authorized_keys"

You will need to type in a password for this command to login to the remote
'dest_host', but once done, a password will no longer be required to go
from the machine you generated the public keys on to the dest_host you
copied the public part of the key to.

In the student linux labs, the home directories are shared across all the
machines, so you can do this with the much simpler command...

    cat .ssh/id_ecdsa.pub >> .ssh/authorized_keys

What are these files?
---------------------
In the ".ssh" sub-directory of your home...

  id_{type}
      Identifies this specific account on the machine you found it.
      IE: its private key -- this should NEVER be copied or made readable
      by anyone except you.  It should just exist.

  id_{type}.pub
      The public identification of this account.  Append this to the
      ".ssh/authorized_keys" file of the destination machine you wish to
      login to without a password.  (See above).

  authorized_keys
      A list of public keys, identifying the accounts (those holding the
      associated private key) which are allowed to login to this machine
      without a password.  You may have to create this file.  It can
      contain multiple keys, to give multiple accounts password-less access
      to the account with this file.

  known_hosts
      A list of the "host keys" (the machine's own public key) identifying
      a machine with its machine name.  This is much more secure than just
      the machine's "network name" from DNS, which hackers could "fake".
      The file may or may not exist, and could be empty, as the system
      programmers may have set up a 'system' version of this list.

      It is used on the account FROM which you ssh, and is used to ensure
      you are talking to the machine you think you are talking to.  If the
      machine you are talking to changes, then SSH will report that it does
      not know that host, and/or its host key is different.  That is, it
      lets you know when something changed, so that you can check to see
      what is going on.

Permissions
-----------
Ssh, being a 'secure shell', is very particular about file permissions.  It
insists that permissions are correct.  If they are not correct it will not
work.

At a minimum, your home directory cannot have group or world write
permissions turned on.  Also the ".ssh" sub-directory and contents must
have permissions for just you, the owner, and you must actually BE the
owner.

Other How to Use SSH Guides
---------------------------
A very complete guide can be found on the web at
    http://kimmo.suominen.com/docs/ssh/

For details and differences between OpenSSH and the Commercial SSH see
    https://antofthy.gitlab.io/info/apps/ssh.hints

Using ssh and X windows from a PC (via PuTTY (preferred) or TeraTerm)
    https://antofthy.gitlab.io/info/apps/ssh_putty.hints
    https://antofthy.gitlab.io/info/apps/ssh_terraterm.hints

The Secure Shell FAQ (mirrors page)
    http://www.employees.org/~satch/ssh/faq/
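
Added example, not part of the original page: a destination-side version of
the append step from "Setup SSH for use without a password" that adds a key
only once, refuses a file that is not a public key, and creates ".ssh" and
"authorized_keys" with owner-only permissions.  The function name
install_pubkey and its arguments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page.  install_pubkey and its
# arguments are assumptions made for illustration.

# install_pubkey PUBKEY_FILE [HOME_DIR]
# Returns 0 once the key is authorized, 1 if the file is not a public key.
install_pubkey() {
    pub=$1
    dir=${2:-$HOME}/.ssh
    auth=$dir/authorized_keys

    key=$(head -n 1 "$pub") || return 1
    # A public key line is "type base64 [comment]" and the base64 part
    # always starts with AAAA.  This refuses "id_ecdsa" (the private key)
    # given by mistake instead of "id_ecdsa.pub".
    case $key in
        ecdsa-sha2-*\ AAAA*|ssh-ed25519\ AAAA*|ssh-rsa\ AAAA*) ;;
        *) echo "not a public key: $pub" >&2; return 1 ;;
    esac

    old_umask=$(umask)
    umask 077                       # new files: owner access only
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"
    umask "$old_umask"

    # Make sure the last existing key ends with a newline before appending.
    [ -z "$(tail -c 1 "$auth")" ] || echo >> "$auth"
    # -x whole line, -F fixed string: append only when not already listed.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# Usage on the destination account:  install_pubkey /path/to/id_ecdsa.pub
```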
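
Added example, not part of the original page: a check of the rules in the
"Permissions" section, applied as the page states them (home directory not
group or world writable; ".ssh" and its contents owned by you with nothing
granted to group or others).  The function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page.  Function names are assumptions.

# Print "<mode string> <numeric owner uid>" for a path (POSIX ls -ldn fields).
mode_and_uid() {
    ls -ldn "$1" | awk '{ print $1, $3 }'
}

# check_ssh_perms HOME_DIR
# Prints one "BAD:" line per problem; returns 0 when clean, 1 otherwise.
check_ssh_perms() {
    home=$1
    me=$(id -u)
    bad=0

    # Home directory: no group or world write permission.
    # Mode string layout: 1 type, 2-4 owner, 5-7 group, 8-10 others.
    set -- $(mode_and_uid "$home")
    case $1 in
        ?????w*|????????w*)
            echo "BAD: $home is group/world writable ($1)"; bad=1 ;;
    esac

    # .ssh and its contents: owned by you, nothing for group or others.
    for f in "$home/.ssh" "$home/.ssh"/*; do
        [ -e "$f" ] || continue
        set -- $(mode_and_uid "$f")
        [ "$2" = "$me" ] || { echo "BAD: $f is owned by uid $2, not you"; bad=1; }
        case $1 in
            ????------*) ;;
            *) echo "BAD: $f allows group/other access ($1)"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Usage:  check_ssh_perms "$HOME"
```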