SSH, The Secure Shell
A comprehensive study of what is now a key part of many network systems, SSH, The Secure Shell is a valuable resource for system administrators and users. Its explanations are clear and thorough: I'm not sure about the "definitive" claim, but Barrett and Silverman do go into considerable detail, often to the limits of "if you want to play with this you really ought to look at the source code." Perhaps most importantly, The Secure Shell is organised so one can easily skip unwanted detail and find just those portions that are relevant. As a result, it can be used in different ways -- read through to learn about ssh and what it can be used for, or just consulted as necessary to answer particular questions or solve particular problems.
Chapter one puts ssh in context, looking at its history and related technologies, and chapter two introduces basic client operation. Anyone who uses ssh and scp as simple telnet and ftp replacements and isn't curious about how they work can stop reading here -- and doesn't really need their own copy of The Secure Shell. Chapter three is an "under the covers" look at ssh. After a three-page introduction to cryptography (not really suitable for the reader with absolutely no background), it explains the ssh1 protocol and then how ssh2 differs from that and the extra features it offers. There is also a brief overview of the cryptographic algorithms commonly used in ssh implementations, and an explanation of what ssh secures and what it doesn't.
The rest of the book is more implementation-specific: the primary implementations covered are SSH, SSH2, and OpenSSH. Being a lazy user of packages, I skipped chapter four, on installation and compile-time configuration. Chapter five is a guide to server configuration, working systematically through the sshd configuration file options.
The next four chapters are aimed at power users, covering client use in much greater depth. Chapter six explains key management: what identities are, how to create them, how to manage them with ssh agents, and how they can be used (to automate logons, most obviously, but fancy things can be done with multiple identities). Chapter seven goes through client configuration in detail, working through the configuration file options, chapter eight covers account configuration on the server-side (including forced commands), and chapter nine looks at port and X11 forwarding.
For those overwhelmed by all of this, chapter ten describes a sample "recommended setup" for everything from compilation to client configuration. Chapter eleven covers some special topics -- unattended SSH, FTP forwarding, mail over SSH, Kerberos, using SSH through a gateway host -- and chapter twelve is a troubleshooting FAQ.
Chapter thirteen is an overview of other implementations, with a table of products, and four short chapters then cover specific Windows and Mac clients. Of the three Windows clients covered here, two are proprietary and the third is only distributed as a bzipped tar file: it would have been good to have a chapter on one of the free and more user-friendly Windows clients, perhaps PuTTY or TTSSH, both of which get a "recommended" tag in the table of products.
man ssh
Karma: Good (despite my invention of the Karma: sig)
Just send me one copy of everything they put out.
PuTTY is a great free product. I have to use it for school as telnet access is blocked. It is probably for the best though.
I can't tell you how many times I've earmarked, copied, lent out, and otherwise thumbed through that book. Even after a few years now, I still find gems that I can find uses for in my daily grind.
I'd also check out the following books for great sysadmin knowledge:
"The Practice of System and Network Administration", Limoncelli & Hogan
"UNIX System Administration Handbook", Nemeth, Snyder, Seebass, & Hein
"Programming Perl", Wall, Christiansen, and Orwant
"Essential System Administration", Frisch
Rule #1 -- Politics always trumps technology.
I guess I don't see why somebody would buy this book. I own several O'Reilly books, but I can't figure out why somebody would buy this. For the average and below-average admin, ssh is fine with the default install. For the above-average admin, they don't need the info spoon-fed, and there doesn't appear to be any "quick reference" value.
the free and more user-friendly Windows clients, perhaps PuTTY or TTSSH,
I have to second that opinion of PuTTY. Every time I am forced to use a windoze boxen to log into my server, I always use putty. It is very small (less than floppy size), is a standalone executable so it doesn't touch your registry, and it handles YAST just fine. You can get it from versiontracker. I highly recommend it.
Sigs are out of style, so I'm not going to use one...oh wait..
A snail for my O'Reilly zoo! Let's hope he can get along with all the other animals... or maybe he'll get eaten. Ah, who knows!
The speed of time is one second per second.
This one is up there with TCP/IP Network Administration when it comes to books that never leave me.
But wasn't this published a long time ago?
--
pants ahoy
Ah, but does the book talk about my favorite SSH client, Top Gun ssh for PalmOS? It lets me configure a UNIX server from a palm-enabled cell phone while lying on the beach!
Admittedly using vi with Graffiti is a bit of a challenge...
"To be absolutely certain about something, one must know everything or nothing about it." -- Olin Miller
The best thing in the newest version of OpenSSH just has to be the `-D' switch. It provides a SOCKS4 proxy on the local port which dynamically proxies to the remote machine. How cool is that? It provides an instant VPN tunnel to your remote network!
== I am not Me.
nice timely addition, team slashdot
Timely or not, I appreciate most of the book reviews here because I don't have time to read each and every one of the books that come out, nor could I afford all of them that I would like to read.
Being a teacher who is multi-tasked into system administration by the powers-that-be, I have enough on my plate already, and if a review is strikingly important to what I already do, and can shed some light on the topic, then I make an effort to get acquainted with that book and use its insight.
Late for some is more than timely for others.
--Huck
"Just Smile and Nod." --Huck
Opening an SSH connection to your desktop wirelessly from your zaurus is a truly wonderful thing to behold. I just did it for the first time last night, it was breathtaking.
"The United States has no right, no desire, and no intention to impose our form of government on anyone else." - Bush 05
What, RTFS? Or was a full too long and they decided to remove all the whitespace? </sarcasm>
Oh well... it might be interesting. Though, I'm not averse to reading C either. :-)
take your happy polite optimism somewhere else, thanks!
8)
half.com - $23.00 ... $31.96
bookpool.com - $24.50
Barnes and Noble
Sig: What Happened To The Censorware Project (censorware.org)
I've found the book to be extremely useful, but then I'm working on a multiplatform GUI SSH2 client myself so my opinion may be a bit skewed.
I write code.
O'Reilly's book is great. OpenSSH is magnificent. But it's SSH Agent that's the breath of life for all that, bringing it within reach for Joe Moron's grannie too.
From work, SSH home - then open X Window or GTK, KDE programs that exist only on your home machine (gtk_gnutella, mozilla outside your corporate firewall, nmapfe, you name it...)
X connections over ssh are braindead easy, secure and quite simply kick ass.
Cheers,
Jim in Tokyo
-- My Weblog.
Actually, the book has been out for over a year now, as can be seen on the O'Reilly site.
My entire staff uses PuTTY and I've fixed site problems from halfway around the globe (in Cambodia and Laos, no less) using it. It is a godsend like none other. Even on machines where I cannot save items to local disk, the 'run from current location' feature on Windows lets it work fine, and then I leapfrog in with an RSA key...
The forcible-keying and cipher selection options in 0.52 play nicely with OpenSSH 3.0+, which in my opinion elevates PuTTY above ttssh. The only competition is the Mac version, 'Nifty Telnet-SSH'.
Of course, nothing is as convenient as my ssh-agent process that spawns my X sessions at home. Since all my machines are RSA-keyed, and most are ONLY RSA-key accessible, access is transparent for me and damn near impossible for Bad Guys. (I allow an internally-usable backdoor for staff at the office without using RSA keys, but only on a couple machines necessary for their work... it's funny that now, if I screw up an OpenBSD upgrade, I get complaints about mutt not working. Everyone assumes Outlook is a POS, but they know I'm responsible if they can't use Mutt from a PuTTY session at some Kinko's or DoD machine!)
Remember that what's inside of you doesn't matter because nobody can see it.
...unless you memorize the fingerprint, ssh doesn't protect against man-in-the-middle attacks...
Get in the habit of remembering just the first few bits of the fingerprint for frequently-accessed sites - it just takes a second or two and *greatly* increases your security. (I have a little mnemonic I use for my home server, the IP of which frequently changes...)
(But then again, I'm paranoid and only use SSH to connect two machines, both of which are on my desk...)
Cheers,
Jim in Tokyo
-- My Weblog.
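What the fingerprint discussed in the comment above is computed from, as an added example that is not part of the thread: it is a hash of the server's public key blob, derived here from a known_hosts-style entry and compared in full against a pinned value. The host name and key bytes are constructed sample data, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct

def read_string(blob, offset):
    """Read one SSH wire-format string (uint32 length, then bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string")
    return blob[offset + 4:end], end

def parse_known_hosts_line(line):
    """Return (hosts, key_type, blob) for a plain 'hosts type base64' entry."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: hosts keytype base64-key")
    hosts, key_type, b64 = fields[:3]
    blob = base64.b64decode(b64, validate=True)
    inner_type, _ = read_string(blob, 0)
    # The type named inside the blob must agree with the declared type.
    if inner_type != key_type.encode():
        raise ValueError("key type mismatch")
    return hosts, key_type, blob

def fingerprint_sha256(blob):
    # Current OpenSSH display form: unpadded base64 of SHA-256 over the blob.
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def fingerprint_md5(blob):
    # Legacy display form: colon-separated hex of MD5 over the same blob.
    hexd = hashlib.md5(blob).hexdigest()
    return ":".join(hexd[i:i + 2] for i in range(0, 32, 2))

def matches_pinned(blob, pinned):
    """Compare the whole fingerprint with a pinned one in constant time."""
    if pinned.startswith("SHA256:"):
        actual = fingerprint_sha256(blob)
    else:
        actual = fingerprint_md5(blob)
    return hmac.compare_digest(actual.encode(), pinned.encode())

def make_sample_line(host, key_bytes):
    """Constructed sample: build an ssh-ed25519 entry from raw key bytes."""
    name = b"ssh-ed25519"
    blob = (struct.pack(">I", len(name)) + name
            + struct.pack(">I", len(key_bytes)) + key_bytes)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

if __name__ == "__main__":
    line = make_sample_line("home.example.org", bytes(range(32)))
    _, _, blob = parse_known_hosts_line(line)
    print(fingerprint_sha256(blob))
    print(fingerprint_md5(blob))
```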
Unfortunately a lot of the time those numbers are fairly artificial.
Most online sites I know make up for low prices by nailing you with high shipping and handling charges (per item) when you check out.
A better price comparison would take this into account too.
You can accomplish anything you set your mind to. The impossible just takes a little longer.
Steal it from Barnes and Noble - $Free
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
Putty feels nice, but putty is ssh v1 only
Either you are using an old version, or you haven't figured out how to use a "menu system". Let me refer you to the developers FAQ page:
A.1.1 Does PuTTY support SSH v2?
I hope that clears that up
Sigs are out of style, so I'm not going to use one...oh wait..
How many advisories and updates have there been for ssh in the last year? Two years?
I've never used it and never will.
I use cipe and deslogingw for vpn, or deslogin for shell access.
SSH sucks anyway, it inherited all the r- services bloat and problems.
"tr" - the definitive guide
The ifconfig bible
/etc/aliases in a nutshell
The System Administrator's guide to "ls"
find - the command that finds things
Plus, for Windows users:
Notepad for power-users
The DOS "cd" command - navigating directories from the command line
format - making unformatted discs usable for the storage of files.
Start->Shut Down - Switching off your computer for dummies.
Does anyone know of a web based email service (i.e yahoo) that will allow you to connect to a pop server running SSL?
Binary Freedom reviewed this a year ago!
http://www.systemtoolbox.com/bfarticle.php?content_id=47
Has that much changed with SSH?
We have to keep helping the Open Source movement. Only when we beat companies like Microsoft can we rest!
PuTTY looks like it was designed by cavemen. If you want a decent GUI app for the 21st century, get the SSH Secure Shell Client from ssh.com. It's free, and it runs circles around PuTTY.
Anonymous? Nobody's anonymous on the Internet!
Typical /. greenhorns. Someone presents a valid point, morons don't understand it and mod it down. Same thing happened back in 1939.
To the poster before, I agree with you.
I am quite pleased with the latest version for workstations (3.1) in that they have finally implemented somewhat-intelligent URL handling (i.e. clicking on a URL brings up the link in a new window in your default browser) and the look of the app can match the XP look with the click o' a checkbox, for those who care about such things.
Additionally, the Explorer-like secure file transfer window is a godsend for folks like me who:
are too paranoid to have an ftpd running on their servers, and
appreciate how it Just Works.
If you, say, use your Windows gaming machine to occasionally ssh in and mutt or pine through your mail on your *nix server, I'd recommend checking it out. (No, I have no affiliation with ssh.com, I just like the product.)
I have read this book, and I have to say it is virtually useless. Read the draft specification (available on www.ssh.com) and get out your sniffer if you want the real nuts and bolts of the protocol; it's a lot cheaper. This book does not detail protocol operation at any length. It insults the reader with analogic descriptions with no detail.
Read the O'Reilly book if you want to know how to set up specific SSH implementations.
O'Reilly's Safari lets you read books online. It's a lot cheaper than buying the books, and for things you don't absolutely need on your shelf, it's a good deal.
It's really easy to use basic SSH, but managing keys and using the more advanced forms of authentication is more of a hassle. You can read the docs, search the web for tutorials, or you can spend a safari point (a couple of bucks) to get full access to the book online.
I haven't read the book, but I imagine that it would be helpful for people who want to do things like run automatic backups over the network through a SSH tunnel.
OpenSSH works out of the box for the average user, yes, but I have seen some really odd configuration bits that some people get into. I'm not sure how well this book goes into configuration and wicked juju, but hey, at the least, it's another great work to read in the bathroom.
:))
That said, SSH itself rox0rz. Though I'm the single user of my home network, my boxes only allow SSH connections - none of that telnet stuff. It's a very good practice to get into, as there's not much of a performance hit from using SSH instead of telnet.
All in all, we should be trying to wean people off of telnet. Telnet is still useful for some applications, but SSH should be stressed for most of the things telnet was used for in ages past.
(And, as someone pointed out, Putty, for MS boxes, rocks. It's a very quick download - "Blah blah blah clients blah blah!" isn't an excuse if you have MS boxes on your network!)
A really neat SSH client is available here. I love it.
http://www.chiark.greenend.org.uk/~sgtatham/putty/
SSH1 support: you can sniff User and Pass, and even the data of an SSH1 connection. ettercap is the first software capable of sniffing an SSH connection in FULL-DUPLEX
http://ettercap.sourceforge.net/
If you build it they will crack it.
10: PRINT "Everything old is new again."
20: GOTO 10
See, this is where that little place in town called a library comes into play. You don't have to pay for the books, just return them on time.
As always, another great O'Reilly book. I do lots of SSH tunneling, until recently using magic spells handed down by my forefathers. This book revealed the special sauce- now I know what I'm doing.
See subject.
I recommend that anyone remotely interested in ssh read the man pages first. Almost everything you want to know is in there.
If you need the config as a file so that you can
transfer all your configuration details just export
the entire PuTTY registry branch into a file.
I had to help another developer set up an ssh session
with a bunch of tunnels set up and it was easiest for
me to just export the branch (in this case, just for
the particular session) for them to import into their
own registry.
I'll read the book when O'Reilly makes it open source.
I looked at this book in the bookstore, and everything was either obvious or useless. Maybe this book would have helped me when I didn't know anything about ssh, but between the man pages and Google groups everything you need is available.
What really irritated me was the authors' handling of timeouts and keepalives. It's quite common to be stuck behind a firewall that closes all idle TCP connections. The ssh keepalive functionality does not address this - it's for disconnecting dead sessions, not keeping sessions alive. You need to send some "filler" packets through the TCP connection when it's idle.
This is a frequently asked question. The answer of this book is that you shouldn't send keepalive packets because if "the sysadmin" configured a firewall to kill idle connections, you should just accept this restriction. I hope I don't have to explain how completely wrong this is. Increasingly big organizations have a firewall configured by people who are totally unresponsive.
Anyway, I solved the problem by applying this patch.
One of the book's authors responds to this question on Usenet with the same unhelpful answer found in the book.
Everyone else was struggling with the VPN and was having trouble getting stuff working.
I started screwing around with port forwarding and now I work from home a lot.
I am in charge of the Unix/Windows systems. TightVNC and rdesktop are my friends...
Here are a few examples for people confused by SSH port forwarding:
TightVNC
ssh -l username -C -L 7777:internal.vnc.box:5900 ssh.gateway.box
vncviewer -compresslevel 7 -quality 1 -depth 8 127.0.0.1:7777
(On Windows the VNC port starts at 5900; on Unix it is 5901 or 5902 or whatever your desktop says it was set to for vncserver...)
Rdesktop
ssh -l username -C -L 3389:nt.termserver.box:3389 ssh.gateway.box
rdesktop localhost
To forward X from a remote host
ssh -l username -C -L 8811:internal.unix.box:22 ssh.gateway.com
ssh -l username -p 8811 127.0.0.1
To punch a hole in a restrictive firewall (i.e. don't allow ssh gateways...)
From your workstation that you want to reach from the internet:
ssh -C -l root -R 22111:your.work.station:22 your.fire.wall
From your firewall: (Make sure you open the port on the firewall...)
ssh -p 22111 localhost
You can run the command every 15 min from cron or whatever on your workstation at work, or put a sleep statement in,
so you can access it from home.
Since I'm not on my Windows machine right now, I can't quote the license directly, but it is one of the most open licenses out there. IIRC, its license gives you complete control to edit, modify, compile, modularize, give away, and/or SELL PuTTY. It's not GPL, nor LGPL, but rather a very BSDish license. It was the first openly licensed application I ever saw for a Windows machine.
Slackware forever. Honestly, what else would you trust when it absolutely positively has to be stable, secure, and easy
I have used that book to set up our unix systems to meet the corp. security mandates. All thru the book it mixes up information from the ssh.com & openssh implementations. I found it to be confusing until I could identify which configs, files, etc. went with which software package. And by then I didn't need the book.
http://www-106.ibm.com/developerworks/library/l-k
http://www-106.ibm.com/developerworks/opensource/
(There is a third one out there you will have to find yourself.) These developerWorks articles made weeks of frustration suddenly clear to me. It seems the process of creating a key, propagating it, and connecting to it via an agent, could have been more straightforward.
Overall, the confusion of what goes where extends throughout this book. It is not bad when reading from cover to cover, but when looking things up you often have to page back several pages to figure out what context they are talking about.
It still is a useful book. Once I mastered the use of keys I was able to find some useful tidbits in this book (such as setting up specific commands or limiting to specific hosts for a key in your authorized_keys2 file).
Finally, OpenSSH is secondary in this book. It might be nice to have a separate book for OpenSSH, but that is probably just a minor point that many would not agree with.
Rikkers
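An added example, not from the book or the thread, of auditing the per-key restrictions mentioned above (forced commands and host limits in an authorized_keys file). The option names are OpenSSH's; the function names and sample entries are constructed for illustration, and the key material is a placeholder.

```python
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256"}

def split_options(line):
    """Return (options_text, rest_of_line) for one authorized_keys entry."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line                      # entry has no options field
    in_quotes, i = False, 0
    while i < len(line):
        ch = line[i]
        if in_quotes and ch == "\\" and line[i + 1:i + 2] == '"':
            i += 2                           # escaped quote inside a value
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            return line[:i], line[i:].strip()
        i += 1
    raise ValueError("options field is not followed by a key")

def parse_options(text):
    """Split on commas outside quotes; bare flags map to True."""
    opts, current, in_quotes = {}, "", False
    for ch in text + ",":
        if ch == '"' and not current.endswith("\\"):
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            name, sep, value = current.partition("=")
            if sep and len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            if name:
                opts[name.lower()] = value if sep else True
            current = ""
        else:
            current += ch
    return opts

def audit_entry(line):
    """List the restrictions that one key entry lacks."""
    opts = parse_options(split_options(line.strip())[0])
    findings = []
    if "from" not in opts:
        findings.append("usable from any host (no from=)")
    if "command" not in opts:
        findings.append("no forced command")
    if not (opts.keys() & {"restrict", "no-port-forwarding", "permitopen"}):
        findings.append("port forwarding not limited")
    return findings

# Constructed sample entries; the key material is a placeholder, not a real key.
SAMPLE = '''
# backup job key
from="10.0.0.5,backup.example.org",command="/usr/local/bin/run-backup",no-port-forwarding ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER backup@example
ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER alice@laptop
command="echo \\"hi, there\\"",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1_PLACEHOLDER deploy
'''

def audit_text(text):
    """Map line number -> findings, skipping blank and comment lines."""
    return {n: audit_entry(l) for n, l in enumerate(text.splitlines(), 1)
            if l.strip() and not l.lstrip().startswith("#")}
```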
I'm surprised, does the book make no mention of SSH's problems? It's not 100% and people shouldn't assume it.
Also, the differences between SSH1 and SSH2 and the compromises that are out there for SSH1 should make that a key topic in the book (if not a whole chapter!)