Welcome to the second edition of our book on SSH, one of the world's most popular approaches to computer network security. Here's a sampling of what's new in this edition:
...and much more! You might be surprised at how much is changed, but in the past four years, SSH has significantly evolved:
SSH-2 protocol triumphant
Back in 2001, only a handful of SSH products supported the relatively new SSH-2 protocol, and the primary implementation was commercial. Today, the old SSH-1 protocol is dying out and all modern SSH products, free and commercial, use the more secure and flexible SSH-2 protocol. We now recommend that everyone avoid SSH-1.
The rise of OpenSSH
This little upstart from the OpenBSD world has become the dominant implementation of SSH on the Internet, snatching the crown from the original, SSH Secure Shell (now called SSH Tectia, which we abbreviate as Tectia). Tectia is still more powerful than OpenSSH in important ways; but as OpenSSH is now included as standard with Linux, Solaris, Mac OS X, and beyond, it dominates in pure numbers.
The death of telnet and the r-tools
The insecure programs telnet, rsh, rcp, and rlogin--long the standards for communication between computersare effectively extinct.[] FTP is also on the way out, except when operated behind firewalls or over private lines.
An explosion of Windows products
In 2001, there were a handful of SSH implementations for Windows; now there are dozens of GUI clients and several robust servers, not to mention a full port of the free OpenSSH.
Increased attacks
The Internet has experienced a sharp rise in computer intrusions. Now more than ever, your servers and firewalls should be configured to block all remote accesses except via SSH (or other secure protocols).
Protect Your Network with SSH
Let's start with the basics. SSH, the Secure Shell, is a reliable, reasonably easy to use, inexpensive security product for computer networks and the people who use them. It's available for most of today's operating systems.
Privacy is a basic human right, but on today's computer networks, privacy isn't guaranteed. Much of the data that travels on the Internet or local networks is transmitted as plain text, and may be captured and viewed by anybody with a little technical know-how. The email you send, the files you transmit between computers, even the passwords you type may be readable by others. Imagine the damage that can be done if an untrusted third partya competitor, the CIA, your in-laws intercepted your most sensitive communications in transit.
SSH is a small, unassuming, yet powerful and robust solution to many of these issues. It keeps prying eyes away from the data on your network. It doesn't solve every privacy and security problem, but it eliminates several of them effectively. Its major features are:
A secure, client/server protocol for encrypting and transmitting data over a network
Authentication (recognition) of users by password, host, or public key, plus optional integration with other popular authentication systems, such as PAM, Kerberos, SecurID, and PGP
The ability to add security to insecure network applications such as Telnet, NNTP, VNC, and many other TCP/IP-based programs and protocols
Almost complete transparency to the end user
Implementations for most operating systems
Intended Audience
We've written this book for system administrators and technically minded users. Some chapters are suitable for a wide audience, while others are thoroughly technical and intended for computer and networking professionals.
End-User Audience
Do you have two or more computer accounts on different machines? SSH lets you connect one to another with a high degree of security. You can remotely log into one account from the other, execute remote commands, and copy files between accounts, all with the confidence that nobody can intercept your username, password, or data in transit.
Do you connect from a personal computer to an Internet service provider (ISP)? In particular, do you connect to a Unix shell account at your ISP? If so, SSH can make this connection significantly more secure. An increasing number of ISPs are running SSH servers for their users. In case your ISP doesn't, we'll show you how to run a server yourself.
Do you develop software? Are you creating distributed applications that must communicate over a network securely? Then don't reinvent the wheel: use SSH to encrypt the connections. It's a solid technology that may reduce your development time.
Even if you have only a single computer account, as long as it's connected to a network, SSH can still be useful. For example, if you've ever wanted to let other people use your account, such as family members or employees, but didn't want to give them unlimited use, SSH can provide a carefully controlled, limited-access channel into your account.
Prerequisites
We assume you are familiar with computers and networking as found in any modern business office or home system with an Internet connection. Ideally, you are familiar with network applications like Telnet and FTP. If you are a Unix user, you should be familiar with standard network applications (e.g., ftp) and the basics of writing shell scripts and Perl scripts.
System-Administrator Audience
If you're a Unix or Macintosh OS X system administrator, you probably know about SSH already. It's less well known in the Windows world, where secure logins are usually accomplished with radmin (Remote Administrator) and other remote desktop applications, and network file transfers are done using network shares. In contrast, SSH is more focused on the command line and is therefore more scriptable than the usual Windows techniques. SSH also can increase the security of other TCP/IP-based applications on your network by transparently "tunneling" them through SSH-encrypted connections. You will love SSH.
Prerequisites
In addition to the end-user prerequisites in the previous section, you should be familiar with user accounts and groups, networking concepts such as TCP/IP and packets, and basic encryption techniques.