Many SSH clients provide different types of functionality and usage. The list of SSH clients includes freeware, easily downloadable from the Internet; noncommercial freeware, available for all development and learning environments; and commercial clients, licensed for commercial use and commercial development. While there may be several SSH clients that can be used for various operating systems, not all SSH clients are created equal. The type of SSH client you use can significantly affect the kind of SSH experience you have. For example, several SSH clients do not have built-in SFTP or SCP functionality. The absence of such functionality requires you to download and use two separate tools: one for SSH and one for SFTP/SCP. Although using two tools may be simple enough, the cumbersome process might discourage novice users. The SSH clients that provide built-in SFTP/SCP functionality might offer you a superior SSH experience.
This chapter explores several SSH clients available for Unix and Windows. It also discusses the configuration of the various SSH clients and how to customize them for optimal usage. The following clients are the focus of this chapter:
Command-Line SSH Clients
■■ Secure Shell Communications
■■ OpenSSH
GUI SSH Clients
■■ SecureCRT
■■ PuTTY
■■ WinSCP
■■ MindTerm
■■ MacSSH
The discussion of SSH clients in this chapter, and throughout this book, is limited to the major ones. Keep in mind that there are many other types of SSH clients, very similar to and as good as the ones covered here. For example, F-Secure’s SSH client and SSH Communications’ SSH client are extremely similar.
Although many of the SSH clients discussed in this chapter offer similar functionality, there are various subtle differences among them. For example, SSH Communications’ SSH client offers an integrated SFTP client that can be used in a seamless fashion. On the other hand, SecureCRT does not provide a fully integrated tool for SFTP in its SecureCRT SSH client; however, SecureCRT does contain an HTTP proxy tunnel that is very easily configurable but not so simple on SSH Communications’ SSH client. Furthermore, MindTerm’s FTP-to-SFTP bridging capability provides an easy method for connecting non-SSH-enabled FTP clients to an SFTP server. The leg from the FTP client to the bridge remains unencrypted, but the leg from the bridge to the SFTP server is protected by SSH, and that might be the only connection that crosses an insecure network such as the Internet.
Your choice of an SSH client is highly dependent on the type of functionality required for SSH. Since SSH can be used in a variety of ways, it is important to understand the various clients and the specific functionality that each offers. This chapter will allow your SSH-client decision to be as informed as possible. For example, if SSH is being deployed primarily for its file-transfer capabilities, WinSCP and SSH Communications’ SSH clients are probably good choices. On the other hand, if SSH is being deployed for remote shell access via an HTTP proxy server, the SecureCRT and PuTTY clients are probably good choices. Lastly, if SSH is being deployed for remote access from undefined and uncontrolled terminal locations, MindTerm is probably a good choice, since it offers SSH access with nothing more than a Web browser.
The SSH client you choose does not have to be based exclusively on technical capabilities; personal preference is important as well. While there may be many differences among SSH clients, their basic principle is the same: encrypted communication.
Command-Line SSH Clients
Secure Shell Communications (www.ssh.com) and OpenSSH (www.openssh.org) produce two of the most-used command-line clients for both Windows and Unix. Since the OpenSSH and Secure Shell Communications’ clients are so similar, the following paragraphs cover both clients’ features. Also, since the command-line clients contain similar, if not the same, features on Windows and Unix, the following section applies to either the Windows or the Unix command-line clients.
The SSH clients can be purchased and/or downloaded for commercial or noncommercial use from the following Web site:
www.ssh.com/support/downloads/secureshellwks/
Since we will be using SSH for a noncommercial use, the noncommercial version can be downloaded from www.secondstory.org/mirror/ssh/. Also, the OpenSSH client for Unix can be downloaded from the following site:
ftp://ftp3.usa.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh03.5p1.tar
The Windows command-line client can be downloaded from the following site:
http://lexa.mckenna.edu/sshwindows/
Windows Installation
Installing the SSH client is a relatively easy process on a Windows operating system. Once you have downloaded the executable files from http://lexa.mckenna.edu/sshwindows/ (OpenSSH) or www.ssh.com (SSH Communications), a wizard will walk you through the installation process. Keep in mind that you need to install only the clients for the purposes of this chapter. Installation of the server is discussed in Chapter 1. Many of the client binaries are installed automatically when an SSH server has been installed on a Windows machine.
Unix Installation
Once you have downloaded the SSH client from www.ssh.com or www.openssh.com on a Unix operating system, it must first be extracted. (The letters XYZ that follow are a variable that signifies the version number of the SSH client you will be downloading):
# gunzip -c ssh-XYZ.tar.gz | tar xvf -
After extraction, change directories to the SSH folder. Once inside the SSH folder, the binary must be compiled and installed:
# cd ssh-XYZ
# ./configure
# make
# make install
Once the binary has been compiled, make install places it in /usr/local/bin. At this point, the help output should be ready for viewing. SSH Communications’ SSH client binary is called ssh2 on both Windows and Unix. On Windows, the file can be located at \Program Files\SSH Secure Shell\ssh2.exe. On Unix, the file can be located at /usr/local/bin/ssh2. The OpenSSH client binary is called ssh on both Unix and Windows. On Windows, the file can be located at \Program Files\OpenSSH\bin\ssh.exe. On Unix, the file can be located at /usr/local/bin/ssh. Once you have located the SSH client binary, type ssh2 -h for the SSH Communications’ binary or ssh -h for OpenSSH’s binary. The following help should appear:
Usage: ssh2 [options] [user@]host[#port] [command]
Options:
  -l login_name  Log in using this user name.
  -n             Redirect input from /dev/null.
  +a             Enable authentication agent forwarding.
  -a             Disable authentication agent forwarding.
  +x             Enable X11 connection forwarding (treat X11 clients as UNTRUSTED).
  +X             Enable X11 connection forwarding (treat X11 clients as TRUSTED).
  -x             Disable X11 connection forwarding.
  -i file        Identity file for public key authentication
  -F file        Read an alternative configuration file.
  -t             Tty; allocate a tty even if command is given.
  -v             Verbose; display verbose debugging messages. Equal to '-d 2'
  -d level       Set debug level.
  -V             Display version string.
  -q             Quiet; don't display any warning messages.
  -f[o]          Fork into background after authentication. With optional 'o' argument, goes to "one-shot" mode.
  -e char        Set escape character; 'none' = disable (default: ~).
  -c cipher      Select encryption algorithm. Multiple -c options are allowed and a single -c flag can have only one cipher.
  -m MAC         Select MAC algorithm. Multiple -m options are allowed and a single -m flag can have only one MAC.
  -p port        Connect to this port. Server must be on the same port.
  -S             Don't request a session channel.
  -L listen-port:host:port  Forward local port to remote address
  -R listen-port:host:port  Forward remote port to local address
  -g             Gateway ports, i.e. remote hosts may connect to locally forwarded ports.
  +g             Don't gateway ports.
  +C             Enable compression.
  -C             Disable compression.
  -4             Use IPv4 to connect.
  -6             Use IPv6 to connect.
  -o 'option'    Process the option as if it was read from a configuration file.
  -1[ti]         Choose ssh1-protocol fallback type.
  -h             Display this help.
As shown previously, the SSH help output is exhaustive and shows the wide array of options that the SSH client provides. In its simplest form, SSH connects to an SSH server listening on the default port, 22. The -p switch is required only to specify a port other than 22; if -p is not used, port 22 is assumed. Similarly, the -l switch specifies the username. If you do not use the -l switch, the username of the account from which the command is executed will be used:
ssh 10.0.0.3 -l cdwivedi -p 22
cdwivedi's password:
Authentication successful.
Last login: Thurs June 12 05:52:06 2003 from 172.16.11.17
As an alternative, the same command can be written without any switches, using the client's [user@]host[#port] syntax:
ssh cdwivedi@10.0.0.3#22
-l and -p are two of the various switches used with the SSH client. The following section describes some of the more important switches used throughout the rest of this book.
The first switch is -i. The -i switch points to the identity (key) file used for public-key authentication to an SSH server. The corresponding public key needs to exist on the SSH server for public-key authentication, discussed further in Chapter 4. An example of the -i switch follows:
ssh 10.0.0.3 -l cdwivedi -p 60599 -i publickey.pub
The -L and -R switches are used for local and remote port forwarding. Port forwarding is discussed in Chapter 6; however, a general understanding of its syntax is required now. Local port forwarding forwards a connection made to a port on the local machine, through the SSH server, to a remote server on any remote port. For example, a mail server that has the IP address 10.0.0.100 and is listening on port 143 can be reached through SSH. The SSH server, which has the IP address 10.0.0.3, needs a valid route to that machine. The following is an example of using the -L switch for local port forwarding; a mail client that connects to port 143 on the local machine is relayed by the SSH server to 10.0.0.100:143:
ssh 10.0.0.3 -l cdwivedi -L 143:10.0.0.100:143
Remote port forwarding can also be conducted; it is discussed further in Chapter 6. The following is an example of remote port forwarding:
ssh 10.0.0.3 -l cdwivedi -R 139:127.0.0.1:139
Options can also be set for the type of encryption desired as well as the type of MAC algorithm. For example, if the SSH server accepts only connections using Triple-DES (3DES), the -c switch should be used to select it. Triple-DES is a symmetric algorithm used here to encrypt the data that traverses the network. If more than one type of encryption is supported, multiple -c options can be used, one cipher per -c. The following are two examples of the encryption options:
ssh 10.0.0.3 -l cdwivedi -c 3DES
ssh 10.0.0.3 -l cdwivedi -c 3DES -c Blowfish
The MAC algorithms used can be either MD5 or SHA1. Both MD5 and SHA1 are algorithms that can be used to verify the integrity of data. MD5 produces a 128-bit message digest of its input; SHA1 produces a 160-bit message digest. Because the digest depends on every bit of the input, an MD5 or SHA1 hash can be used as a fingerprint for a particular piece of data. To select the MAC algorithm, the -m flag should be used with the specific option (hmac-md5 or hmac-sha1) in order to compute a keyed hash over the data that will be transferred between the two entities. The following are two examples of the MAC options:
ssh 10.0.0.3 -l cdwivedi -m hmac-md5
ssh 10.0.0.3 -l cdwivedi -m hmac-sha1
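The integrity check that the -m options select, as an added example that is not from the book or from either SSH client: it applies hmac-md5 and hmac-sha1 the way the SSH transport protocol does (RFC 4253, section 6.4), over the 32-bit packet sequence number followed by the unencrypted packet, and shows why a modified or replayed packet is rejected. The key, payload and zero-filled padding are constructed values.

```python
"""Per-packet integrity check with the MAC algorithms selected by -m.

Added example, not from the book or from either SSH client. It applies
hmac-md5 and hmac-sha1 the way the SSH transport protocol does (RFC 4253,
section 6.4): the tag covers the 32-bit packet sequence number followed by
the unencrypted packet, so a modified, replayed or reordered packet fails
verification. The key, payload and zero-filled padding are constructed.
"""
import hashlib
import hmac
import struct

# The two choices the text describes: MD5 gives a 128-bit tag, SHA1 a 160-bit tag.
MAC_ALGORITHMS = {
    "hmac-md5": hashlib.md5,    # 16-byte tag
    "hmac-sha1": hashlib.sha1,  # 20-byte tag
}

# Constructed integrity key; in SSH it is derived from the key exchange.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f10111213")


def build_packet(payload, block_size=8):
    """Frame a payload as an SSH binary packet (RFC 4253, section 6).

    Layout: uint32 packet_length, byte padding_length, payload, padding.
    The total length must be a multiple of the cipher block size and the
    padding must be at least 4 bytes. Real implementations use random
    padding; zeros are used here so the example is reproducible.
    """
    padding_len = block_size - ((5 + len(payload)) % block_size)
    if padding_len < 4:
        padding_len += block_size
    packet_len = 1 + len(payload) + padding_len
    return struct.pack(">IB", packet_len, padding_len) + payload + bytes(padding_len)


def compute_mac(algorithm, key, sequence_number, packet):
    """mac = MAC(key, sequence_number || unencrypted_packet)."""
    covered = struct.pack(">I", sequence_number) + packet
    return hmac.new(key, covered, MAC_ALGORITHMS[algorithm]).digest()


def verify_mac(algorithm, key, sequence_number, packet, tag):
    """Constant-time comparison against the tag the sender attached."""
    expected = compute_mac(algorithm, key, sequence_number, packet)
    return hmac.compare_digest(expected, tag)


class Receiver:
    """Receiving side of one direction of the connection.

    It keeps its own sequence counter rather than trusting anything in the
    packet, which is what defeats replay and reordering.
    """

    def __init__(self, algorithm, key):
        self.algorithm = algorithm
        self.key = key
        self.sequence_number = 0

    def accept(self, packet, tag):
        ok = verify_mac(self.algorithm, self.key, self.sequence_number, packet, tag)
        if ok:
            self.sequence_number += 1  # the counter advances after every packet
        # A real client tears the connection down when a MAC fails.
        return ok


def demo(algorithm, key=KEY):
    """Send one genuine packet, then try a tampered copy and a replay."""
    packet = build_packet(b"constructed payload: ls -l")
    tag = compute_mac(algorithm, key, 0, packet)        # sender's sequence number is 0
    receiver = Receiver(algorithm, key)
    genuine = receiver.accept(packet, tag)              # verifies; counter becomes 1

    tampered = bytearray(packet)
    tampered[5] ^= 0x01                                 # flip one bit of the payload
    tampered_ok = verify_mac(algorithm, key, 0, bytes(tampered), tag)

    replayed_ok = receiver.accept(packet, tag)          # same bytes, but counter is now 1

    return {"tag_len": len(tag), "genuine": genuine,
            "tampered": tampered_ok, "replayed": replayed_ok}


if __name__ == "__main__":
    for name in MAC_ALGORITHMS:
        print(name, demo(name))
```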
The -F switch is used to point to a different configuration file for the SSH session. Every SSH session uses a configuration file as input when attempting to establish a connection. Configuration files are discussed in the next section, “SSH Client Configuration File.” If an end user needs to connect to two or more SSH servers that have different parameters, such as listening on different ports, it is easier to point to a different configuration file than to remember the input parameters required for each SSH server. Let’s say that SSH server A listens on port 101, enables local forwarding to the mail server, and requires 3DES for encryption. Furthermore, server B listens on port 701, enables local forwarding to the file server, and requires Blowfish for encryption. The two commands, without using configuration files, would be as follows:
ssh 10.0.0.3 -l cdwivedi -p 101 -L 143:172.16.1.100:143 -c 3DES
ssh 10.0.0.4 -l cdwivedi -p 701 -L 139:172.16.1.200:139 -c Blowfish
Although remembering two commands may not be that difficult, connecting to more than two SSH servers with different forwarding rules, different port specifications, and different encryption algorithms becomes a cumbersome process. Using two configuration files significantly eases the login process and user experience, as shown in the following example:
ssh 10.0.0.3 -l cdwivedi -F mail.config
ssh 10.0.0.4 -l cdwivedi -F file.config
The next two switches, -4 and -6, select IP version 4 or IP version 6. Using IP version 6 assumes that an IP version 6 network is in use, which is beyond the scope of this book and of SSH; however, SSH provides support for IP version 6 packets. IP version 4 is the default packet type, but either flag can be used if the corresponding network is available. Following are two examples of the switches:
ssh 10.0.0.3 -l cdwivedi -4
ssh 10.0.0.3 -l cdwivedi -6
The next switches do not add functionality to the SSH client, but they do provide the opportunity to gather additional information regarding the connection. The -d switch sets the debug level for a connection. The higher the debug value, the more information about the connection is printed on the screen. The following is an example of the -d switch. Notice all the information that comes before the password request:
ssh 10.0.0.3 -l cdwivedi -d 1
debug: Connecting to 10.0.0.3, port 22... (SOCKS not used)
debug: client supports 3 auth methods: 'publickey,keyboard-interactive,password'
debug: Ssh2Common/sshcommon.c:537/ssh_common_wrap: local ip = 10.0.0.3, local port = 1077
debug: Ssh2Common/sshcommon.c:539/ssh_common_wrap: remote ip = 10.0.0.3, remote port = 22
debug: Remote version: SSH-1.99-OpenSSH_3.4p1
debug: OpenSSH: Major: 3 Minor: 4 Revision: 0
debug: Remote host key found from database.
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
debug: SshConfig/sshconfig.c:2717/ssh2_parse_config_ext: Unable to open /root/.ssh2/identification
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
cdwivedi's password:
The next informational switch, -V, displays the version of the remote SSH server. This is helpful when you are trying to understand what version the remote SSH server is running for patching and security purposes. The following is an example of the -V switch:
ssh 10.0.0.3 -V
ssh: SSH Secure Shell 3.2.3 (non-commercial version) on i686-pc-linux-gnu
The last informational switch discussed here is -q. In essence, it tells the SSH server to be quiet and not display any warning messages to the end user. If the -q switch is used, the SSH server will display only the request for the user’s password. The following is an example of the -q switch:
ssh 10.0.0.3 -q
root's password:
SSH Client Configuration File
Now that I have covered the switches that may be used with the SSH client, I’ll
discuss the configuration file itself. Table 3.1 describes where the configuration
file can be located, depending on the operating system and type of SSH client.
The SSH client configuration file is divided into the following categories:
■■ General
■■ Network
■■ Crypto
■■ User Public Key Authentication
■■ Tunneling
■■ SSH1 Compatibility
■■ Authentication
Each of these categories is explored in the paragraphs that follow.
Table 3.1 Location of Configuration Files
CLIENT               WINDOWS OS                                    UNIX OS
OpenSSH              \Program Files\OpenSSH\etc                    /etc/ssh_config
SSH Communications   \Program Files\SSH Secure Shell\ssh2_config   /etc/ssh2/ssh2_config
General
The General section of the configuration file lists generic flags and switches that can limit the number of commands the end user needs to type when trying to access the SSH server. Fields such as VerboseMode, QuietMode, Compression, GoBackground, and EscapeChar allow customized generic settings to be enabled from the profile file itself instead of typed on the command line. Some of the selected fields in the General section are provided in Table 3.2, along with a brief description of each.
Network
The Network section of the configuration file lists networking settings
required for the connection. An example of a network setting is the specific
port that the SSH client should use when attempting to connect to the SSH
server. Table 3.3 gives a brief description of some of the selected fields in the
Network section.
Table 3.2 Fields in the General Section
FIELD DESCRIPTION
VerboseMode Displays verbose information of the SSH session
QuietMode Displays warning messages
DontReadStdin Disables input for Standard input
BatchMode Enables/Disables batch-mode processing
Compression Enables/Disables compression
GoBackground Sends the connection to the background
EscapeChar Sets the ESC character for the session
PasswordPrompt Type of Password prompt
AuthenticationSuccessMsg Displays success message after login
SetRemoteEnv Sets environment variables for the session
Table 3.3 Fields in the Network Section
FIELD DESCRIPTION
Port Sets the port to connect to
NoDelay Enables/Disables the delay process
KeepAlive Keeps the connection active
SocksServer The network ID of SOCKS server
UseSocks5 Support for SOCKS version 5
Crypto
The Crypto section of the configuration file lists the types of cryptography that can be set for the SSH clients. This section is useful when different SSH servers require different types of encryption algorithms. For example, a separate SSH configuration file can be set up for backups, enabling the encryption algorithms that have the least effect on bandwidth and enabling data validation with a MAC. Table 3.4 gives a brief description of some of the selected fields in the Crypto section.
Table 3.4 Fields in the Crypto Section
FIELD DESCRIPTION
Ciphers Specifies which Ciphers can be used
MACs Specifies which MACs can be used
StrictHostKeyChecking Enables hostkey checking server validation
RekeyIntervalSeconds Interval length for re-keying the session
User Public Key Authentication
The Public Key Authentication section of the configuration file simply specifies
the location and name of the user’s public key to use for authentication.
The fields in the Public Key Authentication section are described in Table 3.5.
Table 3.5 Fields in the Public key Authentication Section
FIELD DESCRIPTION
IdentityFile Name of identification file
RandomSeedFile Name of random_seed file
Tunneling
The Tunneling section of the configuration file specifies the local and remote
tunneling options that should be used on the SSH client. This section adds
a great deal of value when the client has enabled multiple local and remote
port forwards. The selected fields in the Tunnel section are described in
Table 3.6.
Table 3.6 Fields in Tunnel Section
FIELD                  DESCRIPTION
TUNNELING
GatewayPorts           Allow interfaces to act as a gateway
ForwardAgent           Enable/Disable forwarding of packets
ForwardX11             Enable/Disable X11 emulation
TrustX11Applications   Options to trust/distrust X11
TUNNELS SET UP UPON LOGIN
LocalForward           Local port forwarding setting (143:IP:143)
LocalForward           Local port forwarding setting (25:IP:25)
RemoteForward          Remote port forwarding setting (22:IP:23)
SSH1 Compatibility
The SSH1 Compatibility section of the configuration file specifies the options to use in order to be compatible with SSH version 1 (SSH1). In order for SSH2 clients to be compatible with SSH1 servers, the following fields must be set (shown in Table 3.7).
Table 3.7 SSH Compatibility
FIELD                    DESCRIPTION
Ssh1Compatibility        Enable/Disable SSH1 support
Ssh1Path                 The path to use for SSH1. The default is /usr/local/bin/ssh1
Ssh1MaskPasswordLength   Enable/Disable masking for the password length
Authentication
The Authentication section of the configuration file specifies the options supported
for authentication. This section allows the client to know which type of
authentication to use, whether to use a password and public key instead of just
a password, in order to authenticate. Table 3.8 is a brief list of the selected
fields of the authentication section.
Table 3.8 Authentication
FIELD                   DESCRIPTION
AllowedAuthentication   Specifies the authentication types allowed, such as password, public key, or all of the above
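Putting the -F example (mail.config and file.config) together with the configuration-file fields in Tables 3.2 through 3.6, as an added example that is not the book's or SSH Communications' code: the script below reads a configuration file and produces the explicit ssh2 command line that the file lets the user avoid typing, which is a handy way to review what a profile actually enables. It assumes the file is one "Keyword value" pair per line with # comments and yes/no values for boolean fields; the two configuration files embedded in it are constructed.

```python
"""Turn an ssh2_config-style file into the explicit ssh2 command it replaces.

Added example, not from the book or from SSH Communications. It assumes the
configuration file is one "Keyword value" pair per line with '#' comments and
yes/no values for boolean fields, uses only the field names from Tables 3.2
through 3.6, and maps each field to the switch shown in the ssh2 help output
(fields without a dedicated switch go through -o, which processes an option
as if it were read from a configuration file).
"""
import shlex

# Constructed equivalents of mail.config and file.config from the -F discussion:
# server A listens on port 101 with 3DES, server B on port 701 with Blowfish.
MAIL_CONFIG = """\
# mail.config (constructed)
Port 101
Ciphers 3DES
MACs hmac-sha1
LocalForward 143:172.16.1.100:143
StrictHostKeyChecking yes
Compression yes
"""

FILE_CONFIG = """\
# file.config (constructed)
Port 701
Ciphers Blowfish
LocalForward 139:172.16.1.200:139
StrictHostKeyChecking yes
"""

# Fields whose value becomes the argument of a switch.
VALUE_SWITCHES = {
    "Port": "-p",
    "IdentityFile": "-i",
    "EscapeChar": "-e",
    "LocalForward": "-L",
    "RemoteForward": "-R",
}

# Comma-separated fields: one switch per element, since "a single -c flag
# can have only one cipher" (the same holds for -m).
LIST_SWITCHES = {"Ciphers": "-c", "MACs": "-m"}

# yes/no fields mapped to ssh2's enable/disable switch pairs (+X / -X);
# None means the default needs no switch.
BOOLEAN_SWITCHES = {
    "Compression": ("+C", "-C"),
    "ForwardAgent": ("+a", "-a"),
    "ForwardX11": ("+x", "-x"),
    "GatewayPorts": ("-g", "+g"),
    "VerboseMode": ("-v", None),
    "QuietMode": ("-q", None),
}


def parse_config(text):
    """Return (keyword, value) pairs in file order.

    A list is used rather than a dict because keywords such as LocalForward
    may legitimately appear more than once.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        pairs.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return pairs


def config_to_argv(user, host, text, binary="ssh2"):
    """Build the argument vector equivalent to 'binary host -l user -F <file>'."""
    argv = [binary, host, "-l", user]
    for keyword, value in parse_config(text):
        if keyword in VALUE_SWITCHES:
            argv += [VALUE_SWITCHES[keyword], value]
        elif keyword in LIST_SWITCHES:
            for item in value.split(","):
                argv += [LIST_SWITCHES[keyword], item.strip()]
        elif keyword in BOOLEAN_SWITCHES:
            on, off = BOOLEAN_SWITCHES[keyword]
            switch = on if value.lower() == "yes" else off
            if switch:
                argv.append(switch)
        else:
            # No dedicated switch (e.g. StrictHostKeyChecking): pass it
            # through -o exactly as the configuration file states it.
            argv += ["-o", f"{keyword} {value}"]
    return argv


def config_command(user, host, text, binary="ssh2"):
    """Shell-quoted form of config_to_argv, ready to compare with the -F command."""
    return " ".join(shlex.quote(arg) for arg in config_to_argv(user, host, text, binary))


if __name__ == "__main__":
    print(config_command("cdwivedi", "10.0.0.3", MAIL_CONFIG))
    print(config_command("cdwivedi", "10.0.0.4", FILE_CONFIG))
```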
GUI SSH Clients
Secure Shell Communications (www.ssh.com), VanDyke Software, PuTTY,
AppGate, and WinSCP are several of the vendors that provide graphical user
interfaces (GUIs) for SSH clients. Since there are several GUI clients on the
market, the following section examines some of the optimal features of the
GUI SSH clients. Also, since the GUI clients are primarily available for
Windows, the following section focuses on Windows 2000 and Windows XP.
Table 3.9 shows where the SSH clients can be purchased and/or downloaded.
Table 3.9 Web Sites Where SSH Clients Are Available
CLIENTS              URL
SSH Communications   www.ssh.com
VanDyke Software     www.vandyke.com/
PuTTY                www.chiark.greenend.org.uk/~sgtatham/putty/
WinSCP               winscp.vse.cz/eng/
MindTerm             www.appgate.com/mindterm/
MacSSH               pro.wanadoo.fr/chombier/
Windows Installation
Installing Windows-based SSH clients is relatively straightforward. I do not describe the process of installing each of the SSH clients listed in Table 3.9, but each has a wizard that will walk you through the installation process.
SSH Communications
SSH Communications’ SSH client is the first I will discuss. Open the SSH client
and initiate a simple SSH connection by executing the following steps:
1. Start ➪ Programs ➪ SSH Secure Shell ➪ Secure Shell Client
2. File ➪ Open ➪ Quick Connect
As shown in Figure 3.1, the Host Name field is either the fully qualified DNS name for the SSH server, such as sshserver.aum.com, or the dot notation of the IP address of the SSH server, such as 172.16.11.17. The User Name field is the username on the remote SSH server. The username can be either a local account on a Windows machine or a domain account on a Windows domain, depending on how the SSH server is implemented. In Unix environments, the username is the one listed in the /etc/passwd file. The Port Number field is used to specify the port number. If the SSH server is listening on a nonstandard port (a port other than port 22), the appropriate port number should be placed in the port box, such as 202. Lastly, the Authentication Method specifies the type of authentication that should be used when attempting to connect to the remote SSH server. The possible values and their descriptions are in Table 3.10.
Table 3.10 Authentication Types
AUTHENTICATION TYPE DESCRIPTION
Password Username and password combination
Public Key Public and Private-key authentication
SecureID RSA SecureID tokens for authentication*
PAM Pluggable authentication module**
* Requires RSA ACE server.
** The pluggable authentication module is a Unix authentication method that integrates various authentication
methods into one.
SSH Communications offers different settings on SSH clients. Using the
Menu bar, open the settings menu by selecting Edit ➪ Settings.
Under the settings menu, there should be two sections: Profile Settings and
Global Settings. Under profile and global settings, there should be several
more options. In the following sections, each option is examined individually
and its purpose and usage described.
Profile Settings
The profile settings are similar to the ssh2_config file discussed previously with
the command-line utilities. All options under the Profile Settings section
directly correlate to settings used by default when attempting to connect to an
SSH server. The description and usage of the settings are provided in Table 3.11.
Table 3.11 Options Under the Profile Settings Section
SETTING       DESCRIPTION AND USAGE
Connection    The following describes the options on each of the sections to the left. The options within those sections are also explained.
              - Host Name: DNS name or IP address of the remote SSH server.
              - User Name: Username of the account to log in with.
              - Port Number: Port number that the SSH server is listening on.
              - Authentication Methods: Authentication types that can be used in order to log in to the SSH server. Options can be password, public key, SecureID, and PAM.
              - Encryption Algorithm: Sets the type of cryptography to be used for the session.
              - MAC Algorithm: Sets the type of hash to be used when hashing the data being sent across the network. Options can be MD5 or SHA1. (The option chosen must be supported by the SSH server.)
              - Compression: Enables compression on the connection. The only valid choice for compression is zlib.
Terminal      - Answerback: Sets the type of emulator to receive from the SSH server. Valid choices range from VT100 to xterm.
              - Connect Through Firewall: This checkbox determines whether the connection will be taken through a SOCKS or proxy server.
              - Request Tunnels Only (Disable Terminal): Enables/Disables the terminal window. If this is enabled, the user will not receive a command-line shell to execute commands, only the session itself to port forward through.
Cipher List   Lists the types of ciphers that can be used. Options can be 3DES, Blowfish, Twofish, AES, Arcfour, and CAST128. (The option chosen must be supported by the SSH server.)
Colors        Allows the cosmetic appearance to be modified.
Keyboard      Changes the keyboard functions.
Tunneling     Provides the ability to secure X11 connections via the SSH connection by tunneling the X11 packets inside SSH.
              - Outgoing: Sets outgoing tunnels for the session (discussed more in the port-forwarding chapter).
              - Incoming: Sets incoming tunnels for the session (discussed more in the port-forwarding chapter).
Global Settings
The global settings are used for any SSH connection attempt, regardless of the
profile that might be used. All options under the Global Settings section
directly correlate to settings used by default when attempting to connect to an
SSH server. The description and usage of the settings are shown in Table 3.12.
Table 3.12 Options Under the Global Settings
SETTING                           DESCRIPTION AND USAGE
Appearance                        Sets some of the cosmetic items to display by default, such as profiles, hostname, color, and font.
User Keys                         Manages the public and private-key pairs that can be used for authentication (instead of a password). This section allows you to create a key pair, delete an old key pair, export a key to a flat *.pub file, import a key pair from a flat *.pub file, view the contents of a public key, change the passphrase needed to use the key, and upload a public key to an SSH server (the SSH server must be compatible with the type of key created). The User Keys section is discussed further in Chapter 4.
Host Key                          Identifies the SSH server. The host key is a virtual fingerprint of the server. The use of host keys protects against IP address attacks on IPv4 networks, such as Man-in-the-Middle and spoofing attacks.
Public Key Infrastructure (PKI)   Provides support for a certificate-based authentication system. The options can include certificates from SSH clients, certificates from an integrated directory services architecture, such as LDAP, or hardware devices.
                                  - Certificates: Allows the SSH client to import, enroll, view, delete, or change the passphrase of a certificate.
                                  - LDAP: Provides LDAP directory integration with PKI certificates.
                                  - PKCS #11: Provides a certificate-based system to access hardware devices.
File Transfer                     Configures Secure FTP and Secure Copy. Options that can be configured are the display types of icons, the display of hidden or root directories, and the ability to confirm the deletion or overwriting of a file on the SFTP server. It also allows configuration of the default viewing application for a file extension that has no application associated with it.
Firewall                          Configures SOCKS firewall operability. For example, socks://172.16.1.100:1117 would be used to make an SSH connection via a SOCKS server (172.16.1.100) on port 1117.
Security                          Configures basic security options, such as the option to clear the host name upon exit or delete the contents of the clipboard upon exit.
Printing                          Sets the options for printing, such as fonts, margins, and header/footer information.
The profile and global settings are the primary areas where the SSH client
can be configured for functionality. Like the command-line clients, the GUI
client can save settings based on different SSH servers. To customize the profile
settings based on a particular SSH server, go to the File Menu bar and
select File ➪ Profiles ➪ Add/Edit Profiles.
A profile can automatically be set up after the initial valid connection to an SSH server. As shown in Figure 3.2, once the initial connection is made, the option to save the profile appears in the upper right-hand corner. The Add/Edit profile option is a simple way to customize SSH connections. After opening the File ➪ Profiles ➪ Edit/Add profile option, you should notice the same profile options that are available with the Edit ➪ Settings menu. However, these options do not globally change all options; they make changes based on the specific connection.
One of the most useful options with SSH Communications’ SSH client is the
built-in SFTP client. It allows the SFTP client to be executed without the need
for any secondary client or another SSH connection. The SFTP client can be
executed from the menu bar with Windows ➪ New File Transfer.
After this option has been selected, the SFTP client, with the original session
to the SSH server enabled, displays the contents of the local machine on the left
pane, which is the SSH Client machine, and the contents of the remote SSH
server on the right pane. This allows safe and simple SFTP usage for the
SSH session. Figure 3.3 demonstrates the use of the SFTP client option with
an SSH session that has already been established.
The last option I will discuss for the SSH Communications’ SSH client is the
Log Session. This option logs the entire connection, including commands, outputs,
and inputs, to a log file. The log file can be saved locally on the client
machine for viewing at a later time. The log session option is also located at the
file menu bar at File ➪ Log Session.
After Log Session is chosen, the client will display a prompt for a location to
save the log file to. Session-logging capabilities will be enabled for the following
connection after the option is enabled.
VanDyke Software’s SecureCRT
VanDyke Software has an SSH client called SecureCRT. Open the SSH client and initiate a simple SSH connection by selecting Start ➪ Programs ➪ SecureCRT 4.0 ➪ SecureCRT 4.0.
After you select the shortcut, SecureCRT will automatically open its Quick Connect menu (see Figure 3.4) to begin an SSH connection.
The field options shown in Table 3.13 are available in the Quick Connect display.
Table 3.13 Field Options in the Quick Connect Display
FIELD            DESCRIPTION
Protocol         Option to use SSH1, SSH2, or other non-SSH connections, such as Telnet, Rlogin, serial interfaces, or TAPI.
Hostname         The fully qualified host name for DNS resolution, such as sshserver.Aum.com. The dot notation of an IP address can also be used (for example, 10.8.15.47).
Port             The port number to use for the remote SSH server. The default SSH port is 22. The Use Firewall To Connect checkbox enables the firewall settings in the Global Options menu, such as SOCKS or proxy settings.
Username         The username used on the remote SSH server.
Cipher           The encryption algorithm used for the SSH connection. Available options are DES, 3DES, RC4, and Blowfish.
Authentication   Authentication mechanism to be used for the SSH connection. Possible choices are RSA authentication (requires RSA ACE server on the server side of the connection), password, and TIS (requires TIS firewall server on the server side of the connection).
The last options on the Quick Connect display are two checkboxes: The
Show Quick Connect on Startup checkbox displays Quick Connect upon
startup, and the Save Session checkbox saves the custom settings to a profile.
SecureCRT offers different settings to be enabled on SSH clients. Using the
Menu bar, open the options menu by selecting Options ➪ Global Options.
Under the Global Options menu are seven sections, including Options,
Appearance, Firewall, SSH1, SSH2, Printing, and Web Browser. Under each of
the sections are several more sections that can be used to configure the client. I
will select options individually and describe their purpose and usage.
All Global Options under this section directly correlate to settings that will
be used by default when attempting to connect to an SSH server. The description
and usage of each setting is shown in Table 3.14.
Table 3.14 Settings Under Global Options
SETTING: DESCRIPTION AND USAGE
Options: General client settings.
- Mouse: Copy, Paste, and Hide Mouse settings.
- Dialogs: Various dialog information settings.
- Other: Various appearance settings.
Appearance: Various appearance settings, including color, menu/tool bar
options, margin settings, and so on.
Firewall: Enables an SSH session via a SOCKS server, version 4 or version 5,
or a proxy server. Both SOCKS and proxy servers can be used to relay an SSH
connection to a device on behalf of an SSH client, discussed further in
Chapter 9.
Type:
- SOCKS (v4 or v5), with or without authentication.
- Generic Proxy: Can be used with most proxy servers.
Parameters (SOCKS):
- Hostname or IP: DNS name or IP address of the SOCKS server.
- Port: Port number that the SOCKS service is listening on (default is
1080).
Parameters (Generic Proxy):
- Hostname or IP: DNS name or IP address of the proxy server.
- Port: Port number that the proxy service is listening on. Note: If your
remote SSH server is listening on port 22 and all outbound traffic is
allowed via a proxy server only, consider changing the SSH server to port
443 and using the proxy server to proxy the SSH connection (discussed in
detail in Chapter 9).
- Prompt: This field should be filled with the information that SecureCRT
should expect from the proxy server.
- Command: This field should be filled with the information that SecureCRT
should provide to the proxy server once the connection with the proxy
server is established. For example, to connect to an SSH server listening
on port 443 via a proxy server, check the firewall checkbox in the login
screen and enter the following text in the command field:
CONNECT %h:%p HTTP/1.0\r\n\r\n
SSH1: Allows the use of a public key, instead of a password, to
authenticate to an SSH server.
- Create Identity File: Creates a public- and private-key file pair.
SSH2: Allows the use of a public key, instead of a password, to
authenticate to an SSH server, discussed further in Chapter 4.
- Create Identity File: Creates a public- and private-key file pair.
- Use Certificate: Allows the use of X.509 certificate-based
authentication, instead of a password or public key. Requires the use of a
Certificate Authority.
- Agent: Add keys to agent: Allows the use of the SecureCRT agent, which
makes it possible to connect to multiple SSH servers with a single public
key.
- Enable OpenSSH agent forwarding: Allows connecting to an SSH server via
an intermediate server.
- Host Keys: Host keys are public keys used to identify the SSH server. The
host key is virtually a fingerprint of the server. The use of host keys
protects against IP-address attacks on IPv4 networks, such as
man-in-the-middle and spoofing attacks.
Printing: Sets the options for printing, such as fonts, margins, and
header/footer information.
Web Browser: Sets the default Web browser to use when opening a URL via
SecureCRT. To use this option, right-click on a URL string in SecureCRT,
such as www.theonion.com, and select “Open URL”.
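The Command field entry above, CONNECT %h:%p HTTP/1.0\r\n\r\n, is an HTTP
CONNECT request: the proxy answers with an HTTP status line and, on 200,
turns the connection into a raw tunnel over which the SSH handshake then
runs unchanged. The Python below is an added example, not SecureCRT or
VanDyke code. It expands the %h/%p placeholders, runs the exchange against
an in-process stand-in for a port-restricted corporate proxy (constructed
for the example, and the reason the text suggests moving the server to port
443), and checks both the proxy's status line and that what arrives through
the tunnel is an SSH banner. The host name sshserver.example, the banner
string, and the allow-list are all constructed.

```python
import socket
from typing import FrozenSet, Optional, Tuple

# Constructed banner standing in for the SSH server behind the proxy; not a real product.
SSH_BANNER = b"SSH-2.0-ExampleServer_0.1\r\n"


def build_connect_request(host: str, port: int) -> bytes:
    """Expand %h and %p the way SecureCRT's Command field does."""
    return f"CONNECT {host}:{port} HTTP/1.0\r\n\r\n".encode("ascii")


def parse_proxy_status(reply: bytes) -> int:
    """Return the numeric status from the proxy's HTTP status line, e.g. 200 or 403."""
    status_line = reply.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed proxy status line: {status_line!r}")
    return int(parts[1])


def _recv_until(sock: socket.socket, marker: bytes) -> bytes:
    """Read until marker appears or the peer closes the connection."""
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def _simulated_proxy(sock: socket.socket, allowed_ports: FrozenSet[int]) -> None:
    """Stand-in for a corporate web proxy (constructed for this example).
    Like most such proxies it honours CONNECT only to an allow-list of ports."""
    request = _recv_until(sock, b"\r\n\r\n")
    parts = request.split(b" ", 2)
    if len(parts) < 3 or parts[0] != b"CONNECT" or b":" not in parts[1]:
        sock.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")
    else:
        port = parts[1].rsplit(b":", 1)[1]
        if not port.isdigit() or int(port) not in allowed_ports:
            sock.sendall(b"HTTP/1.0 403 Forbidden\r\n\r\n")
        else:
            sock.sendall(b"HTTP/1.0 200 Connection established\r\n\r\n")
            sock.sendall(SSH_BANNER)  # first bytes the tunnelled SSH server would send
    sock.close()


def ssh_through_proxy(host: str, port: int,
                      allowed_ports: FrozenSet[int] = frozenset({443})
                      ) -> Tuple[int, Optional[bytes]]:
    """Run the CONNECT exchange over a socketpair; returns (proxy status, SSH banner or None).
    Single-threaded on purpose: the request fits in the socket buffer, so the proxy
    side can be serviced after the client has written and before it reads."""
    client, proxy = socket.socketpair()
    try:
        client.sendall(build_connect_request(host, port))
        _simulated_proxy(proxy, allowed_ports)
        reply = _recv_until(client, b"\r\n\r\n")
        status = parse_proxy_status(reply)
        if status != 200:
            return status, None
        # Anything after the blank line already belongs to the tunnelled SSH stream.
        banner = reply.split(b"\r\n\r\n", 1)[1]
        if b"\r\n" not in banner:
            banner += _recv_until(client, b"\r\n")
        if not banner.startswith(b"SSH-"):
            raise ValueError(f"tunnel opened but peer did not speak SSH: {banner!r}")
        return status, banner
    finally:
        client.close()


if __name__ == "__main__":
    print(ssh_through_proxy("sshserver.example", 443))  # constructed host name
    print(ssh_through_proxy("sshserver.example", 22))
```

The 403 branch is what a client sees when the proxy's allow-list does not
include the SSH port; the banner check at the end is the difference between
"the proxy said yes" and "the thing on the far end is really an SSH server",
and it is also where a real client would then start verifying the host key.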
SecureCRT offers different settings to be enabled once a session has been
established. Once a connection has been enabled with the Quick Connect
dialog, open the session options menu using the Menu bar; select Options ➪
Session Options.
Under the settings menu are seven sections: Connection, Emulation,
Appearance, Options, File Transfer, Log File, and Printing. Under each of the
sections are several more sections that can be used to configure the client. I will
select options individually and describe the purpose and usage of each.
All Session Options directly correlate to settings that will be used only when
connecting to the appropriate SSH server. The description and usage of the settings
are provided in Table 3.15.
Table 3.15 Session Options Settings and Descriptions
SECTION: USAGE AND DESCRIPTION
Connection: Connection-specific information can be configured under this
section.
Logon Scripts:
- Automate Logon: Creates a script to automate the login process to an SSH
server.
- Logon Scripts: Allows the SecureCRT client to run automatic scripts when
logging on to a remote SSH server.
SSH2:
- Use Compression: Enables compression on the connection.
- Cipher: Encryption algorithm to be used for the connection.
- MAC: Sets the type of hash to be used when hashing the data being sent
across the network.
- SSH Server: Sets the type of SSH server being used on the remote server.
Options are Auto Detect, which is the best option; DataFellows; SSH
Communications; and Standard.
Port Forwarding:
- Local: Sets outgoing tunnels for the session (discussed more in Chapters
6 and 7).
- Remote: Sets incoming tunnels for the session (discussed more in Chapters
6 and 7).
X11: Allows X11 connections to be secured via the SSH connection by
tunneling the X11 packets inside SSH.
Emulation: Sets options and properties for emulated terminals with
SecureCRT.
Appearance: Sets cosmetic appearances for the session.
Options: Sets keyboard options for the session.
File Transfer: Allows the specific location to be set for the upload and
download of files with the Xmodem and Zmodem utilities.
- Xmodem: File transfer utility that supports error detection during
transfer. Note: Xmodem functionality is required on the remote server.
- Zmodem: File transfer utility to download and upload files. Note: Zmodem
functionality is required on the remote server.
Log File: Allows the location of the log file to be set to a specific
location. Note: Logging must be enabled with “File > Log Session” or
“File > Raw Log Session.”
Printing: Allows printing information to be configured.
File-transfer capabilities are partially available via the SecureCRT
client. Another client, SecureFX, is the fully supported SFTP/SCP client for
VanDyke Software. Some utilities, such as Zmodem and Xmodem, allow basic
file-transfer options, located under the Transfer menu bar.
To further automate SecureCRT, ActiveX scripting is available with
VBScript and JScript by selecting Script ➪ Run.
Any VBScript, Microsoft JScript, and even certain Perl scripts can be
loaded from the client’s machine into the SecureCRT SSH client and executed
within the SSH session.
SecureCRT also offers the ability to create and use public keys for authentication
instead of passwords. To use a public key for authentication, a key must
be generated. Use the utilities under the Tools menu, which can create keys for
SecureCRT clients.
1. Select Tools ➪ Create Public Key. This creates a public key for the user.
2. Select Tools ➪ Public-key Assistant. This manages the public key for the
current user on the remote SSH server.
To use a created public key that has been uploaded on the remote SSH
server, the PublicKey option needs to be set under the Authentication dropdown
box in the Connection or Quick Connect dialog.
The last options I will discuss for SecureCRT are Log Session and Trace. The
log options simply log the entire SSH session, including commands, outputs,
and inputs, to a log file. There are two options with Log Session: formatted,
which only logs selected items; or Raw, which logs everything in an unformatted
fashion. The log file can be saved locally on the client machine for
viewing at a later date. The Log Session option is also located at the file menu
bar. Open the SSH client and complete the following steps:
1. Select File ➪ Open ➪ Quick Connect.
2. Choose File ➪ Log Session or File ➪ Raw Log Session.
After Log Session or Raw Log Session is chosen, the client will save the session
under the location specified in the Session Options section. The only difference
between the two settings is that the Raw Log Session records
connections between the SecureCRT client and the SSH service, including
escape commands.
The Trace options menu allows the display of hidden communication between
the SSH server and the SecureCRT SSH client. To enable the Trace options, select
the option File ➪ Trace Options.
PuTTY
PuTTY is a free Telnet and SSH client for Win32 platforms, available from
www.chiark.greenend.org.uk/~sgtatham/putty/. PuTTY offers functionality
similar to that of the other SSH clients described. After downloading PuTTY,
double-click the executable and the configuration menu should appear.
As shown in Figure 3.5, four sections can be configured using PuTTY:
Session, Terminal, Window, and Connection. The description and usage of the
settings are provided in Table 3.16.
Table 3.16 Options for PuTTY Settings and Descriptions
SETTING: DESCRIPTION AND USAGE
Session: Configurations for the specific SSH session.
- Host Name (or IP address): Fully qualified DNS name or dot notation of
the IP address of the SSH server.
- Port: Port that the remote SSH server is listening on, typically port 22.
- Protocol: Since PuTTY can be used for various protocols, the SSH radio
button should be selected for SSH connections.
- Saved Sessions: Provides the ability to save a session or load a session
that has been saved beforehand.
- Logging: Provides the ability to log the SSH session.
Terminal: Allows specific options to be set for the terminal session of the
SSH connection.
Window: Allows cosmetic changes to be made to the SSH connection.
Connection: Allows session-specific information to be set, such as terminal
type and username.
Proxy: Settings to configure an SSH connection via a proxy server (either a
Web proxy (HTTP) or a SOCKS server).
SSH: SSH-specific settings.
- Remote Command: Commands to send automatically to the SSH server after
the session has been established.
- Protocol Options: Options for SSH 1 or 2, compression, and
pseudo-terminals.
- Encryption Options: Options for encryption algorithms to use for the SSH
connection, including AES, Blowfish, 3DES, and DES.
- Auth: Authentication settings for the session, including keyboard
(password) or key options.
- Tunnels: X11 and port-forwarding options for the SSH session. Supports
both local and remote forwarding (discussed further in the port-forwarding
chapter).
- Bugs: Allows options to be configured to work around problems in the SSH
connection, specifically in the SSH server.
WinSCP
WinSCP is a free secure copy (SCP) client for Win32 platforms. WinSCP
provides a terminal session similar to other clients we have discussed, but its
primary feature is a Win32 secure copy client. After downloading WinSCP,
open the client by selecting Start ➪ Programs ➪ WinSCP2 ➪ WinSCP2.
As shown in Figure 3.6, WinSCP has four main sections for configuration:
Session, Directories, SSH, and Preferences. The description and usage of the
settings are provided in Table 3.17.
Table 3.17 Options for WinSCP Settings
OPTION: DESCRIPTION AND USAGE
Session: Configurations for the specific SSH session.
- Host Name: Fully qualified DNS name or dot notation of the IP address of
the remote SSH server.
- Port Number: Port number the SSH server is listening on, usually port 22.
- User name: Username on the remote SSH server to log in with.
- Password: Password on the remote SSH server, which correlates to the
username used in the User name field.
- Private-key file: If key authentication is being used instead of a
password, the location of the private-key file to use for authentication.
- Stored Session: Options to load stored sessions that have been saved or
to create new sessions.
- Logging (Advanced Option): Enables logging of the SSH session to local
files.
Shell (Advanced Option): Allows various items to be customized with the
shell, including the shell itself, the return code submitted, and Unix or
Windows types of displays.
Directories: Specifies the path for the local and remote directories.
- Remote Directory: Path of the remote directory (on the remote SSH server)
to display in the right-hand panel of WinSCP (for example, /home/ssh or
d:\ssh\share).
- Local Directory: Path to the local directory to be displayed in the
left-hand panel of WinSCP.
Connection (Advanced Option): Settings to configure an SSH connection via a
proxy server (either a Web proxy (HTTP) or a SOCKS server).
SSH: Specifies the SSH options that can be used, such as protocol version,
encryption type, authentication type, and bugs.
- Protocol Options: Options for SSH 1 or 2, and compression.
- Encryption Options: Options for encryption algorithms to use for the SSH
connection, including AES, Blowfish, 3DES, and DES.
- Authentication (Advanced Option): Authentication settings for the
session, including keyboard (password) or key options.
- Bugs (Advanced Option): Allows options to be configured to work around
problems in the SSH connection, specifically in the SSH server.
Preferences: Allows the display to be customized.
To configure the advanced options for WinSCP, click the checkbox in the
lower right-hand corner of the WinSCP display.
MindTerm
AppGate provides an SSH client called MindTerm. MindTerm is an SSH client
that uses a Java applet. Using MindTerm, it is possible to connect to an SSH
server with any Java-enabled Web browser such as Internet Explorer, Netscape,
Mozilla, and Opera. To install MindTerm, Java Runtime Environment (JRE)
needs to be installed. JRE can be downloaded from the following locations:
Linux: www.blackdown.org/java-linux.html or www.ibm.com/developer/java
Win32 and Solaris: www.javasoft.com/products/
Macintosh: www.apple.com/java/
Other platforms: http://java.sun.com/cgi-bin/java-ports.cgi
After downloading and installing the JVM, follow the directions in
MindTerm’s readme.txt file to install the client. In many environments, the following
command can be used to install the client:
java -jar mindterm.jar
As shown in Figure 3.7, the AppGate MindTerm client can also be used outside
of a Web browser. Once the MindTerm client is displayed, the prompt
allows a connection to a remote SSH server to be established. Table 3.18 lists
some of MindTerm’s prompts.
Table 3.18 MindTerm Prompts and Description of Usage
PROMPT: DESCRIPTION
SSH Server/Alias: Alias or dot notation of the IP address.
Save as alias: Name under which to save the connection, as an alias.
Do you want to add this host to your set of known hosts (check
fingerprint): Yes or No option to save the remote SSH server’s host key to
the known hosts file.
Login: Username to log in to the remote SSH server.
Password: Password to use for the remote SSH server, correlating to the
username used.
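The Host Keys entry in Table 3.14 and MindTerm’s “check fingerprint” prompt
in Table 3.18 rest on the same check: the client hashes the server’s
public-key blob into a fingerprint and, after first contact, compares the
key presented with the one it stored. The Python below is an added example,
not code from SecureCRT, MindTerm or OpenSSH. It builds an OpenSSH-format
Ed25519 public-key line from a constructed 32-byte value (not a real key),
derives the SHA256 and legacy MD5 fingerprints in the form OpenSSH prints
them, and classifies a presented key against a constructed known_hosts text
as match, unknown, or mismatch. The host names and the known_hosts entry are
constructed; hashed known_hosts host patterns are not handled.

```python
import base64
import hashlib
import struct
from typing import Tuple

# Constructed 32-byte value standing in for an Ed25519 public key; not a real key.
SAMPLE_RAW_KEY = bytes(range(32))


def _ssh_string(data: bytes) -> bytes:
    """RFC 4253 string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw_key: bytes, comment: str) -> str:
    """Build an OpenSSH public-key line: type, base64 blob, comment.
    The blob is string "ssh-ed25519" followed by string <32-byte key>."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode('ascii')} {comment}"


def parse_pubkey_line(line: str) -> Tuple[str, bytes]:
    """Return (key type, decoded blob); reject lines whose label and blob disagree."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("public-key line needs at least a type and a base64 blob")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type label does not match the blob")
    return key_type, blob


def fingerprint_sha256(blob: bytes) -> str:
    """Modern OpenSSH fingerprint: 'SHA256:' plus unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated hex MD5 fingerprint, as older clients display it."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def verify_host_key(known_hosts: str, host: str, presented_line: str) -> str:
    """Compare the key the server presented with the known_hosts entry for host.
    'match'   : same key as at first contact, proceed.
    'unknown' : first contact; show the fingerprint and let the user decide.
    'MISMATCH': key changed since first contact; a client must refuse here,
                since this is exactly what a man-in-the-middle looks like."""
    _, presented = parse_pubkey_line(presented_line)
    for entry in known_hosts.splitlines():
        if not entry.strip() or entry.startswith("#"):
            continue
        hosts, key_part = entry.split(None, 1)
        if host in hosts.split(","):  # plain (unhashed) host patterns only
            _, known = parse_pubkey_line(key_part)
            return "match" if known == presented else "MISMATCH"
    return "unknown"


if __name__ == "__main__":
    line = make_ed25519_pubkey_line(SAMPLE_RAW_KEY, "constructed@example")
    _, blob = parse_pubkey_line(line)
    print(fingerprint_sha256(blob))
    print(fingerprint_md5(blob))
    known_hosts = "sshserver.example,10.8.15.47 " + line  # constructed entry
    print(verify_host_key(known_hosts, "sshserver.example", line))
```

The fingerprint is what the user is asked to compare out of band at first
contact; the MISMATCH outcome is the one the clients in this chapter warn
about, and the right response is to stop and check with the server’s
administrator rather than accept the new key.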
MindTerm allows several settings other than user prompts. Table 3.19 summarizes
some of the selected functions of the SSH client.
To fully use a MindTerm client with a Web browser, the AppGate server
needs to be deployed on the server side of the connection. The AppGate server
provides the MindTerm SSH client via a Web browser; however, the session is
still secure with SSH (versus HTTPS).
Table 3.19 Settings of SSH Client
SETTING: DESCRIPTION
File > Create Keypair: Creates a public/private key pair for
authentication, instead of using a password.
File > Edit/Convert Keypair: Edits the key or converts it to a different
format.
File > Capture to File: Enables logging of the SSH session.
Setting > Preferences: Sets session-specific options such as:
- Protocol: SSH1 or SSH2, or auto detect.
- Cipher: Encryption algorithm to be used.
- MAC: Hash algorithm to be used.
- Compression: Level of compression to be used.
Plugins > SFTP file transfer: Transfers files with the remote SSH server
over the SFTP protocol.
Plugins > SCP file transfer: Transfers files with the remote SSH server
over the SCP protocol.
Plugins > FTP to SFTP bridge: Bridges an FTP connection to an SFTP
connection. For example, if a client is connected to an SSH server with
MindTerm and the “FTP to SFTP bridge” is enabled, any other machine that
makes an FTP connection to the SSH client will be able to view the contents
of the folder on the remote SFTP server (FTP client > SSH client (with
MindTerm bridge enabled) > SFTP server).
Tunnels > Basic: Sets local port-forwarding tunnels.
Tunnels > Advanced: Sets remote port-forwarding options.
MacSSH
MacSSH is an SSH client for Macintosh environments. MacSSH supports SSH2
only, with no support for SSH1. MacSFTP is similar to MacSSH but is used for
the file-transfer portion of the connection. There are some other good clients
for the Macintosh environment, including JellyfiSSH
(www.arenasoftware.com/grepsoft/) and Rbrowser (www.rbrowser.com).