Author Topic: SSH in Mac OS X  (Read 5665 times)

mr_a

  • Guest
SSH in Mac OS X
« on: October 16, 2010, 05:29:19 AM »
Panix - Public Access Networks Corporation

SSH in Mac OS X

Mac OS X comes with its own implementation of OpenSSH, so you don't need to install any third-party software to take advantage of the extra security SSH offers! Just open a terminal window and jump in.

There's no graphical front-end, however, so you'll need to use some shell commands. In particular, you'll need to change directories and possibly create the .ssh directory if you don't already have one. Also, you'll need to use emacs or vi to paste your public key, because pico inserts "line breaks" that will ruin your public key.
Okay, let's get started.

Step 1: Adding the OSX Terminal to the dock

    If you haven't already put an alias to "Terminal" on the dock, open your Macintosh HD and go to the Applications folder, then Utilities from within that. Terminal is in the Utilities folder. Just drag it to an empty space in the Dock, and it'll put an alias there.

    Now, any time you want to open a Terminal window, you can do it from the Dock.

Step 2: Getting the Panix host keys

    One of the best things about SSH is its ability to verify that you're actually connecting to the server you expect. But to do that, you need to have the proper host keys that identify those servers. We make the host keys for the Panix shell servers available online here for this purpose.

    Go to the link marked DSA keys, and then save it (either by choosing "File:Save As" or pressing Command-S). Where the save dialog says Where, choose Home. Now you can close the Web browser.

    Be sure to save it as a file. DO NOT copy and paste the keys! Copy/paste will add newlines, which will make the keys unusable.

    Now open a Terminal window. Use the ls -a command to show the new "ssh.dsa" file, and to see whether you have a ".ssh" directory yet. If you don't see ".ssh" listed, create it with the mkdir .ssh command.

    Now add the Panix host keys, using this command:

        cat ssh.dsa >> .ssh/known_hosts

    This is the "safe way" to add keys, and will preserve any other host keys you might already have in there. Okay, now you have a known_hosts file in the right place, with the Panix servers in it We're ready to connect!


Step 3: Using SSH to reach Panix

    With a terminal window open, type this command:

        ssh -l (username) panix1.panix.com

    (Use your actual Panix login instead of "(username)", of course.)

    This will take you to panix1, and give you a password prompt right away. Just enter your usual Panix password, and you're in business.

    NOTE: You can go to panix2, panix3, or panix5 just by replacing "panix1" with the one you want.

For advanced users: Secure Authentication Methods

    Simply using SSH instead of telnet is a big increase in login security, because you type your password into an encrypted session. However, if you want the added security of public/private-key login, it's pretty simple to set up.

    NOTE: Public/private-key login saves the private-key file on your Mac, which can present a security risk. Only use this method if you can control other people's access to your Mac. Laptops are very bad places to store private keys.

    To create your DSA key pair to use for login, type this command in an OSX Terminal window:

        ssh-keygen -t dsa

    You will be prompted for a filename to give the keys (just press RETURN to accept the default), and then for a passphrase. This passphrase will be what you'll type (instead of your Panix password) to unlock the key and log into Panix.

    Now that you've created the keys, you need to paste your public key into a file on Panix. For this, you'll have to connect to Panix normally, just this once. After you log in, type cd .ssh to get into your .ssh directory. (If you don't have a .ssh directory, just use mkdir to make one.)

    On your Mac, go to your "Home" folder, and look in the .ssh directory for a file called "id_dsa.pub". This is your public key. Open it, select all the text, and copy. Now, go back to your Panix session. Use emacs or vi to open (or create) the file "authorized_keys", and paste your public key into this file.

    Watch out for line breaks! Your cut/paste might have put some line breaks in the middle of the key. If it did, be sure to get rid of them before you save and quit; otherwise, the key won't work.

    Now you can log into Panix with SSH, just like above:

        ssh -l (username) panix1.panix.com

    This time, you'll be prompted for your passphrase before SSH connects, and then you'll be logged in without further ado.


More advanced: One login, many sessions

    If you're the type of user who likes to open multiple SSH screens at once, and don't want to keep typing your passphrase to unlock the same private-key half a dozen times in a row, you're a prime candidate for an SSH agent.

    SSH agents (sometimes called "keychains") are little applications that you can use to open an SSH private authentication key, and hold it open for use by your SSH clients until you decide to close it. In other words, after you type your passphrase to open your private key in the agent, you can then open as many SSH sessions as you like without typing your passphrase again.

    OpenSSH has a built-in agent, "ssh-agent". Like the rest of OpenSSH, though, it's strictly command-line in its plain form. Here are some graphical helper programs we can recommend to make ssh-agent friendlier in Mac OS X:

        * SSHKeychain by dreamflow.nl
        * SSH Agent by Xander Schrijen of Universiteit Utrecht


Seriously advanced: The .ssh/config file

    If you want to tweak your SSH setup beyond the defaults, the first place to look is your .ssh/config file. Read the manpage, man ssh_config, for more details; here are a few tips to get you started in the meantime.

        * The keywords in this file are NOT case sensitive, but the paramaters are. In other words, you can specify User batman or user batman or USER batman and it'll work, but if you type user BaTmAn, it will break.
        *
          If your Panix login is different from your username on your Mac, you can add the following line to your .ssh/config file:

              User (Panix username)

          This will let you just type ssh panix1.panix.com to connect, and skip the "-l username" part.
        *
          If you have multiple private keys for logging into different systems, you can use the IdentityFile keyword to declare them. For example:

              IdentityFile ~/.ssh/panix_identity
              IdentityFile ~/.ssh/work_identity
              IdentityFile ~/.ssh/bobs_linuxbox_identity

          SSH will try each of these keys in turn, and prompt you for the appropriate passphrase when it finds a matching public key on the server.
        *
          If you want to set up port forwarding (for firewall circumvention or just to encrypt part of your data path), use the LocalForward keyword:

              LocalForward (localport) (remotehost):(remoteport)

          There's also a RemoteForward keyword, but you probably won't have much call for it on Panix.

There. That ought to be a good enough intro for just about everyone...
webmaster@panix.com