Remote Access and Secure Shell

After Windows->UNIX SSH File Transfer, how do I remove the extra carriage returns from my file?

Use dos2unix to convert each transferred text file from DOS format to ISO format. For example, to remove the extra carriage returns from original_file, yielding converted_file: 
% dos2unix original_file converted_file 

In the past, when you used ftp to transfer files, you didn't have to do this conversion, because ftp did it for you. Secure ftp (sftp) does binary-binary transfers only (in the interest of security), so you must perform the conversion. 

Using Secure Shell File Transfer, how do I see more than just the files under my home directory on the remote machine?

On your local machine (Windows), across the top of the Secure Shell File Transfer window, there is a row of menu items that says "File Edit View Operation".

Click the "View" item. This will cause a drop-down menu to appear.

In that menu, click the box to the left of "Show Root Directory" or "View Root Directory/Files".

This will cause the tree view of the remote file system (on the left side of the window) to change, giving you a view of all of the remote machine's files, starting with "/" (the root directory) at the top of the tree.

Now you can navigate to any readable directory on the remote machine. 

How do I install and use secure FTP?

There is a secure equivalent of ftp on UNIX, Linux, MacOS, and Windows.

On Windows, click the yellow Secure File Transfer icon on your desktop, which 
appeared after you downloaded and installed Secure Shell.

On UNIX, the secure command-line equivalent of ftp is called sftp.

On Mac PCs, use command-line sftp or download and install Fugu.

On Linux, command-line sftp should already be installed and in your default path.

How do I upgrade SSH on my Windows PC?

If you use the SSH Client (produced by SSH Communications Security) that is provided free by LPL through the U of A site license program, you can upgrade it using the following procedure. Most LPL Windows SSH users use this product.

1) Check the version of Secure Shell Client that is already installed on your PC.

  • Double-click on the white-and-blue Secure Shell Client desktop icon 
    or 
    Click "Start->Programs->SSH Secure Shell->Secure Shell Client".
  • Along the top of the SSH window, click "Help->About Secure Shell...". 
    If the displayed Version is less than 3.2.9, you should upgrade.
  • Close SSH by clicking "File->Exit" or the "X" in the upper right corner of the SSH window.

2) Download the latest SSH package to your Windows PC.

  • Click here to download the latest package.
  • Save it to your Desktop.

3) Upgrade SSH on Your PC.

  • Close all Secure Shell windows that are running on your PC.
  • If you are on Windows NT/2000/XP/Vista, login as a user that has Administrator privileges
  • Double-click on the file that you just downloaded.
  • Accept all of the defaults as you are prompted. No reboot is required.

4) Test SSH.

  • Double-click the "Secure Shell Client" icon on your desktop. 
    A window titled "- default - SSH Secure Shell Client" will appear.
  • Click Quick Connect
    A "Connect to Remote Host" window will appear.
  • Type "shell.lpl.arizona.edu" (no quotes) into the "Host Name:" window. 
  • Type your login username (e.g., cleopatra) into the "User Name:" window. 
    (For example, if your email address is username@lpl.arizona.edu, enter "username" without the quotes.)
  • Click Connect.
  • You may be asked if you would like to Reset or Use New File Transfer Menu Toolbar items. Click Yes.
  • You may be asked if you wish to save the host key. Click Yes.
  • You may be told that "Host keys have changed", and asked if you want to connect anyway. Click Yes or OK.
  • You may be asked if you wish to update your PC's store of host keys with this new value. Click Yes or OK.
  • A window titled "Enter Password" will appear. 
    Type your login password into the "Password:" window.
  • Click OK. You should now be logged into the server via SSH.

5) Quell SSH's nagging update messages.

If you used SSH Profiles before you upgraded, SSH 3.2.9 might ask you if you would like to reset/update your File Transfer Toolbar every time you start SSH. You can quell these nagging messages by flushing your SSH user folder:

  • Close all open SSH windows.
  • Open Windows Explorer 
    (hold down the Window key and type 'E', or right-click on Start and click Explore, or double-click on My Computer).
  • Navigate to the Secure Shell directory, rename your SSH dir, and create a new empty SSH dir
    using the following table:
    Windows Version | Navigate to This Dir                                 | Rename This Dir         | Create New Folder
    95/98/me        | C:\Program Files\Secure Shell Communications\Users   | yourname -> yourname.sv | yourname
    NT              | C:\Winnt\Profiles\yourname\Application Data          | SSH -> SSH.sv           | SSH
    2000/XP         | c:\Documents and Settings\yourname\Application Data  | SSH -> SSH.sv           | SSH

You should now be able to start SSH without getting nagged. You will have to recreate your SSH Profiles.

How do I download and install SSH on my Windows Machine?

To download, install, and test Secure Shell, perform the following steps on your Windows PC.

1) Check if Secure Shell is already installed on your PC, as follows:

  • Click "Start" (lower left corner of the screen).
  • Click "Control Panel".
  • Select "Add/Remove Programs".
  • Scan the list of installed programs. You might need to scroll.

If Secure Shell is listed, proceed to step 4. Otherwise, proceed to step 2.

2) Copy the Secure Shell package to your Windows PC, as follows:

Click here to download the SSHSecureShellClient executable. Save it to your desktop.

3) Install Secure Shell.

To install software on your PC, you must be logged in as a user who has administrator rights, so log out of Windows and log back in as Administrator, if necessary. Then install Secure Shell, as follows:

  • Double-click on the downloaded SSH exe file on your desktop.
  • Click OK.
  • Accept all of the defaults as you are prompted.

No reboot is required.

4) Test Secure Shell.

  • Double-click the "Secure Shell Client" icon on your desktop.
    A window titled "- default - SSH Secure Shell Client" with an SSH copyright notice will appear.
  • Press the space bar.
    A "Connect to Remote Host" window will appear.
  • Type "shell.lpl.arizona.edu" (no quotes) into the "Host Name:" window.
  • Type your login username (e.g., cleopatra) into the "User Name:" window.
    (For example, if your email address is username@lpl.arizona.edu, enter "username" without the quotes.)
  • Click Connect.

You will be presented with a "Host Identification" window announcing that you are connecting to shell for the first time. This notice only appears the first time you connect to a particular host if you save the key.

Click Yes to save the key in the local database.

A window titled "Enter Password" will appear. Type your login password into the "Password:" window. Click OK.

You are now logged into shell via Secure Shell.

How do I access LPL computers/systems from outside of the lpl.arizona.edu network?

Internet access to LPL is available only through Secure Shell (telnet is not permitted). Click here for information on configuring your system for Secure Shell (SSH) access to LPL: LCS SSH FAQ.

If you need to access LPL email from remote sites, the Secure LPL WebMail System is a convenient option. If you have an LPL computer login account, then you can access Secure LPL WebMail. Click here to access the system: LPL WebMail Home.

Unless your laptop/home machine is fast and using a broadband high-speed internet connection, LPL WebMail is likely to be somewhat slow. If you have an LPL computer login account, a much faster way of accessing LPL email from remote sites is to configure your email client to use the main LPL mail server to quickly read and send email from anywhere in the world. Click here to learn how to configure your email client.

How do I use Secure Shell Transfer on my Win PC?

  • Double-click on the yellow folder icon.
  • Click Quick Connect.
  • Fill in the fields as follows:
    Host Name: yourhost.lpl.arizona.edu
    User Name: yourusername
  • Click Connect.
  • Click Yes if prompted.
  • Type your LPL password.
  • You will get a GUI interface showing the files/dirs under your LPL home directory.

To upload a file:

  • Click on the Up Arrow button in the middle of the horizontal row of buttons
    that runs across the top of the window, just below File Edit View...
  • Use the pop-up window to navigate to the file that you'd like to upload.
  • Click once on that file.
  • Click Upload.

To download:

  • Click once on the file that you wish to download.
  • Click on the Down Arrow button next to the Up Arrow button.
  • Use the pop-up window to navigate to the folder into which you'd like to download.
  • Click once on that folder.
  • Click Download.

How do I access LPL's public ftp (anonymous ftp) site?

Click here to access the LPL public ftp site: LPL FTP Site

You can download files from the site by going to pub/lpl/. If you are using a browser to download, click the file of your choice to start the download. If you are using a command-line window to connect to the ftp site, log in to shell with your LPL credentials, cd /ftp/pub/lpl/, and use the "get" command to download a file.

If you would like to create a directory from which the public may download files, please contact LCS Support.

How do I set up unchallenged Secure Shell (SSH) access?

The most secure method of unchallenged SSH authentication is to use RSA/DSA keys with authentication agents.  SSH agents give another host secure access to your private keys as if it were local, permitting you to ssh, sftp, or scp using your private keys for authentication, without typing a password.

A less secure method is to use RSA/DSA keys without agents. To do this, follow the instructions below, but enter no passphrase when prompted (just press enter/return), and skip Phase II.

Unchallenged SSH access using agents is set up in two phases:

Phase I: Use RSA and DSA keys to set up passphrase-challenged SSH access.

1. Use ssh-keygen to create public and private keys.
2. Populate other from-hosts with the public and private keys (stored securely).
3. Populate to-hosts with the public keys.
4. Test challenged SSH access.

Phase II: Use ssh-agent and ssh-add to set up unchallenged SSH access.

1. Use ssh-agent to start an authentication agent.
2. Use ssh-add to add your private keys to the agent.
3. Launch terminal windows as child processes of the SSH agent.
4. Test unchallenged SSH access from these windows.

Detailed Instructions

Phase I: Use RSA and DSA keys to set up passphrase-challenged SSH access.

1. Use ssh-keygen to generate keys on the host from which you wish to connect.

   By default, ssh-keygen stores generated public and private key files in $HOME/.ssh.  At LPL this is an NFS file system, so the data would cross the network in the clear if stored there.  Since this data is used to identify the user, the contents must be kept secret, so we use ssh-keygen's -f option to put the key files in /var/.ssh/yourname instead. Contact your system admin to have this directory created, if necessary, using these commands, on all of the from-hosts:

   # mkdir /var/.ssh/yourname
   # chmod 700 /var/.ssh/yourname
   # chown yourname /var/.ssh/yourname
   # chgrp yourgroup /var/.ssh/yourname

   Always use a good passphrase when creating a private key.  A good passphrase is between 10 and 30 characters long and is not a simple sentence, because ordinary English prose carries only one or two bits of entropy per character. If you wish to use unchallenged SSH without agents (less secure), then enter no passphrase (just press enter/return).

   $ ssh-keygen -t rsa -f /var/.ssh/yourname/id_rsa -C "yourname@from-host"
   $ ssh-keygen -t dsa -f /var/.ssh/yourname/id_dsa -C "yourname@from-host"

   Create an SSH config file so SSH knows where to find your private keys.

   $ echo "IdentityFile /var/.ssh/yourname/id_rsa" >  ~/.ssh/config
   $ echo "IdentityFile /var/.ssh/yourname/id_dsa" >> ~/.ssh/config

2. Populate the other from-hosts with securely stored public and private keys.

   $ cd /var/.ssh/yourname
   $ scp id_rsa you@other-from-host:/var/.ssh/yourname
   you@other-from-host's password:
   $ ssh you@other-from-host 'chmod 600 /var/.ssh/yourname/id_rsa'
   you@other-from-host's password:
   $ scp id_dsa you@other-from-host:/var/.ssh/yourname
   you@other-from-host's password:
   $ ssh you@other-from-host 'chmod 600 /var/.ssh/yourname/id_dsa'
   you@other-from-host's password:

   If you have a separate (non-NFS-mounted) home directory on any of these from-hosts, you'll need to create ~/.ssh/config as in step 1 above.

3. Populate the to-hosts with the public keys.

   Since LPL home directories are NFS-mounted, adding your public keys to one file under your home dir will populate all of the LPL UNIX to-hosts that mount your home directory.

   $ touch ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys
   $ touch ~/.ssh/authorized_keys2; chmod 600 ~/.ssh/authorized_keys2
   $ cd /var/.ssh/yourname
   $ cat id_rsa.pub >> ~/.ssh/authorized_keys
   $ cat id_dsa.pub >> ~/.ssh/authorized_keys
   $ cat id_rsa.pub >> ~/.ssh/authorized_keys2
   $ cat id_dsa.pub >> ~/.ssh/authorized_keys2

4. Test passphrase-challenged access.

   $ ssh you@to-host
   Enter passphrase for DSA key 'you@to-host':

   If you entered a passphrase when running keygen and you don't get the prompt
   for your passphrase, then something is wrong. 

After completing Phase I, the login process has been changed from being password-prompting to passphrase-prompting. This enables us to use an SSH authentication agent to send our keys, so we may login without any prompting.
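
A permission audit for the files Phase I creates, as an added example that is not part of the original FAQ or LPL's own tooling. The function names and the two arguments (the local key directory and the NFS-mounted ~/.ssh) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit the file modes that Phase I sets (700 on the key
# directory, 600 on private keys and authorized_keys files).
# Assumption: KEYDIR is the local key directory (/var/.ssh/yourname on this
# page) and SSHDIR is the NFS-mounted ~/.ssh.

# Print the 10-character mode field from ls, e.g. "-rw-------".
mode_string() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# Succeed only if PATH exists and grants nothing to group or other.
check_private() {
    m=$(mode_string "$1")
    if [ -z "$m" ]; then echo "MISSING  $1"; return 1; fi
    case "$m" in
        ????------) echo "OK       $m $1"; return 0 ;;
        *)          echo "TOO OPEN $m $1"; return 1 ;;
    esac
}

# audit_ssh_keys KEYDIR SSHDIR: exit status is the number of problems found.
audit_ssh_keys() {
    keydir=$1; sshdir=$2; bad=0
    check_private "$keydir" || bad=$((bad + 1))
    for f in "$keydir/id_rsa" "$keydir/id_dsa" \
             "$sshdir/authorized_keys" "$sshdir/authorized_keys2"; do
        if [ -e "$f" ]; then
            check_private "$f" || bad=$((bad + 1))
        fi
    done
    # Private keys left in the NFS home directory defeat the point of KEYDIR.
    for f in "$sshdir/id_rsa" "$sshdir/id_dsa"; do
        if [ -e "$f" ]; then
            echo "ON NFS   $f"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Run the audit when called as: sh audit.sh /var/.ssh/yourname ~/.ssh
if [ $# -eq 2 ]; then
    audit_ssh_keys "$1" "$2"
fi
```

A zero exit status means every checked path is closed to group and other, and no private key was found under the home directory.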

Phase II: Use ssh-agent and ssh-add to set up unchallenged SSH access.

Ideally, we will type a passphrase once when we sit down at our computer, and every session we establish will use the authentication agent, so we will not need to type passphrases again.

1. Use ssh-agent to start an authentication agent.

   $ ssh-agent csh
   or
   $ ssh-agent tcsh
   or
   $ ssh-agent bash

2. Use ssh-add to add your private keys to the agent.

   When prompted, enter the passphrases you used in Phase I Step 1.

   $ ssh-add /var/.ssh/yourname/id_rsa
   $ ssh-add /var/.ssh/yourname/id_dsa

3. Launch terminal windows as child processes of the SSH agent.

   From the SSH agent's c-shell, launch terminal windows, and other windows from them:

   $ xterm &

4. Test unchallenged SSH access.

   From any of these xterm windows:

   $ ssh to-host

How to automate ssh-agent startup.

There are several ways to configure your account to automatically start an ssh-agent. You can have it create a subprocess which inherits the SSH_AUTH_SOCK env variable, or you can run it as a daemon. For example, if you are using gnome on Redhat, put the following line at the end of your ~/.xsession file:

 ssh-agent gnome-session 

Now ssh-agent will start, create a socket, set environment variables, and start an X session.  All of the child programs of the X server will have access to the agent. 

If you are a bash user, an alternative is to start ssh-agent from your
~/.profile or ~/.bash_profile.  To do this, add these lines to your
~/.bash_profile:

SSHAGENT=/usr/bin/ssh-agent
[ -z "$SSH_AUTH_SOCK" -a -x "$SSHAGENT" ] && eval `$SSHAGENT`

This brings SSH_AUTH_SOCK and SSH_AGENT_PID into the current shell as environment variables. You still need to run ssh-add afterward to add your keys.

To kill all ssh-agent daemons when you logout, add the following to your
~/.logout: 

kill $SSH_AGENT_PID

How to change your passphrase.

If your passphrase (the password you type to decrypt your private key) has been guessed, or you have typed it over the network by accident, you should change it. To do so, do the following:

$ ssh-keygen -p

How to indicate whether you are in SSH.

To indicate in your shell prompt whether or not you have logged in through SSH, add these lines to your .cshrc file:

# csh requires "then" on the same line as "if"
if ($?SSH_TTY || $?SSH_CLIENT || $?SSH_AUTHENTICATION_SOCKET) then
  set prompt_ssh="ssh:"
else
  set prompt_ssh=""
endif
set prompt = "$prompt_ssh% "

If your prompt begins with the letters "ssh:", you are using SSH, and anything you type is protected through encryption.

Why is my telnet connection attempt refused?

Telnet is an insecure means of communication, so it is not used at LPL. To ensure secure communications, LCS recommends that you install Secure Shell (SSH) on your system and use it. Click here for information on installing SSH on your Windows or Mac PC: LCS SSH FAQ.
