Chapter 10. Security
ssh (secure shell)
ssh (secure shell) provides a secure, encrypted way to log in to a remote machine across a network or to copy files from a local machine to a server. Many people do not realize that many programs, such as telnet and ftp, transmit your password in plain, unencrypted text across your network or the Internet. ssh and its companion program scp provide a secure way to log in or copy files. The ssh protocol was originally invented by SSH Communications Security, which sells commercial ssh servers, clients, and other related products. The protocol itself has two versions - SSH1 and SSH2 - both of which are supported by most clients and servers today. For more information about SSH Communications Security and its commercial products, visit http://www.ssh.com/.
OpenSSH, included with the SME Server V5 with ServiceLink, is a free version of the ssh tools and protocol. The server
provides the ssh client programs as well as an ssh server daemon and supports both the SSH1 and SSH2 protocols. For more
information about OpenSSH, visit http://www.openssh.com/.
Once ssh is enabled, you should be able to connect to your server simply by launching the ssh client on your remote system and
ensuring that it is pointed to the external domain name or IP address for your server. In the default configuration, you should next be
prompted for your user name. After you enter admin and your administrative password, you will be in the server console. From here
you can change the server configuration, access the server manager through a text browser or perform other server console tasks.
If you do enable ssh access, you have two additional configuration options:
• Allow administrative command line access over ssh - This allows someone to connect to your server and log in as "root" with the administrative password. The user would then have full access to the underlying operating system. This can be useful if someone is providing remote support for your system, but in most cases we recommend setting this to No.
• Allow ssh using standard passwords - If you choose Yes (the default), users will be able to connect to the server using a standard user name and password. This may be a concern from a security point of view, in that someone wishing to break into your system could connect to your ssh server and repeatedly enter user names and passwords in an attempt to find a valid combination. A more secure way to allow ssh access is called RSA Authentication and involves copying an ssh key from the client to the server. This method is supported by your server, but is beyond the scope of this manual and will eventually be covered by additional documentation on the e-smith.org web site.
Note: By default, only two user names can be used to log in remotely to the server: admin (to access the server console) and root (to use the Linux shell). Regular users are not permitted to log in to the server itself. If you give another user the ability to log in remotely to the server, you will need to access the underlying Linux operating system and manually change the user's shell in /etc/passwd.
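The two options above correspond to the OpenSSH sshd_config keywords PermitRootLogin and PasswordAuthentication. The following POSIX shell script is an added example, not part of this manual or of the SME Server software: it audits a constructed sshd_config for those two settings, honouring OpenSSH's rule that the first occurrence of a keyword wins. The sample configurations and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample configs (not from the manual). The "weak" one is what
# the two manual options look like when both are left at Yes; the "hardened"
# one is the recommended combination: no root login, key-based auth only.
WEAK_CFG='PermitRootLogin yes
PasswordAuthentication yes
RSAAuthentication yes
PubkeyAuthentication yes'
HARDENED_CFG='PermitRootLogin no
PasswordAuthentication no
RSAAuthentication yes
PubkeyAuthentication yes'

# sshd_effective KEYWORD CONFIG_TEXT
# Prints the value sshd would use for KEYWORD (lower-cased), or nothing if
# the keyword is absent. OpenSSH keeps the FIRST occurrence of a keyword, so
# a hardening line appended at the end of sshd_config is silently ignored
# when an earlier line already sets it; the awk 'exit' mirrors that rule.
sshd_effective() {
    printf '%s\n' "$2" | awk -v key="$1" '
        $1 == "" || $1 ~ /^#/ { next }           # blank lines and comments
        tolower($1) == tolower(key) { print tolower($2); exit }'
}

# sshd_audit CONFIG_TEXT
# Reports the two settings the manual discusses; returns 0 only when both
# are disabled. An absent keyword is treated as "yes", OpenSSH's default
# for both keywords at the time (PermitRootLogin has since become stricter).
sshd_audit() {
    cfg=$1; rc=0
    root=$(sshd_effective PermitRootLogin "$cfg")
    pass=$(sshd_effective PasswordAuthentication "$cfg")
    [ -n "$root" ] || root=yes
    [ -n "$pass" ] || pass=yes
    case $root in
        no) echo "root login over ssh: disabled" ;;
        *)  echo "root login over ssh: ENABLED ($root)"; rc=1 ;;
    esac
    case $pass in
        no) echo "password authentication: disabled (key-based only)" ;;
        *)  echo "password authentication: ENABLED"; rc=1 ;;
    esac
    return $rc
}

echo "--- weak ---";     sshd_audit "$WEAK_CFG" || true
echo "--- hardened ---"; sshd_audit "$HARDENED_CFG"
```

On a current OpenSSH server, `sshd -T` prints the effective value of every keyword and is the authoritative way to confirm what the daemon actually applied.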
10.2.1.1. ssh clients for Windows and Macintosh systems
A number of different free software programs provide ssh clients for use in a Windows or Macintosh environment. Several are
extensions of existing telnet programs that include ssh functionality. Two different lists of known clients can be found online at
http://www.openssh.com/windows.html and http://www.freessh.org/.
A commercial ssh client is available from SSH Communications Security at: http://www.ssh.com/products/ssh/download.html. Note
that the client is free for evaluation, academic and certain non-commercial uses.