What is SSH?
As of October 28, 2004, INCOMING telnet access to Math department servers
(e.g. euclid.ucsd.edu, etc.) has been disabled for security reasons.
Please use SSH (ssh/slogin) for remote terminal login access instead.
Rlogin/rsh/rexec access has been disabled since January 2002.
SSH (Secure Shell) is a connection protocol that encrypts the entire
connection stream from end to end. You use SSH client software on a
local computer to log in to SSH server software on a remote computer.
The telnet protocol transmits everything in cleartext, so any network
traffic, including your passwords and other sensitive information, can
be intercepted by "network sniffers" at any point between your local
computer and the remote server.
In simpler terms, think of SSH as a "secure telnet". Most SSH client
software works and looks similar to the telnet client software you
are already using.
Why do I have to use SSH now? I've been using telnet for years.
Per the UCSD Minimum Network Connection Standards (Exhibit C of Section 135-3 of the UCSD Policy and Procedure Manual):
6. Minimize unencrypted authentication
Unencrypted device authentication mechanisms are only as secure as the network upon which they are used. Traffic across the campus network may be surreptitiously monitored, rendering these authentication mechanisms vulnerable to compromise. Therefore, all campus devices should use only encrypted authentication mechanisms.
In particular, historically insecure services such as Telnet, FTP, SNMP, POP, and IMAP should be replaced by their encrypted equivalents wherever possible.
Although the SSH client and server software have been available on
department-supported computers for many years and have been recommended
over the use of telnet, the department has not strictly enforced
their use.
The following UCSD departments disabled telnet access to their own servers long ago:
San Diego Supercomputer Center (SDSC) at UCSD: Telnet access disabled in September 1998
UCSD Computer Science & Engineering (CSE): Telnet access disabled in July 1999
UCSD Academic Computing Services (ACS): Telnet access disabled in August 2004
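A host-side check for the policy quoted above, as an added example that is not part of the original page: it reads `ss -tln` output and flags TCP listeners on the cleartext service ports this page names. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag TCP listeners on the cleartext service ports this page
# names (telnet, rlogin/rsh/rexec, FTP, POP, IMAP). Input: `ss -tln` lines.
# Port numbers are a heuristic: 110/143 may still enforce STARTTLS, and
# SNMP (UDP 161) needs a separate `ss -uln` pass.

# Map a well-known port to "service -> encrypted replacement" (empty if none).
legacy_service() {
    case "$1" in
        21)  echo "ftp -> sftp/scp" ;;
        23)  echo "telnet -> ssh" ;;
        110) echo "pop3 -> pop3s (995)" ;;
        143) echo "imap -> imaps (993)" ;;
        512) echo "rexec -> ssh" ;;
        513) echo "rlogin -> ssh" ;;
        514) echo "rsh -> ssh" ;;
    esac
}

# Read `ss -tln` output on stdin; print "<port> <scope> <service -> fix>".
audit_listeners() {
    while read -r state _rq _sq laddr _rest; do
        [ "$state" = "LISTEN" ] || continue      # skips the header row too
        port=${laddr##*:}                        # text after the last colon
        addr=${laddr%:*}                         # handles [::]:23 and *:23
        svc=$(legacy_service "$port")
        [ -n "$svc" ] || continue
        case "$addr" in
            127.*|"[::1]") scope="loopback-only" ;;
            *)             scope="network-reachable" ;;
        esac
        echo "$port $scope $svc"
    done
    return 0
}

# Constructed sample input (not captured from any real host).
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      0.0.0.0:23         0.0.0.0:*
LISTEN 0      64     127.0.0.1:143      0.0.0.0:*
LISTEN 0      32     *:513              *:*
LISTEN 0      128    [::]:22            [::]:*
EOF
}

sample_ss_output | audit_listeners   # on a live host: ss -tln | audit_listeners
```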
How do I use SSH on department-supported computers?
Department-supported computers should already have SSH client software installed as part of the standard department software configuration:
Windows XP Professional:
Go to Start menu -> All Programs -> SSH Secure Shell -> Secure Shell Client -> Click the "Quick Connect" button (or hit Enter) -> For the "Host Name:" field, type in "euclid.ucsd.edu" -> For the "User Name:" field, type in your Math department username -> Click the "Connect" button (or hit Enter) -> For the "Password:" prompt, type in your password -> Click the "OK" button (or hit Enter).

Mac OS X:
Go to Applications -> Utilities -> Terminal -> At the prompt, type "ssh username@euclid.ucsd.edu" or "ssh -l username euclid.ucsd.edu". Substitute your Math department username for the username part.

Classic Mac OS (9.x or older):
Go to Apple menu -> Network -> MacSSH PPC -> Go to File menu -> Open Connection... -> At the "Host Name:" prompt, type in "euclid.ucsd.edu" -> Click the "Connect" button (or hit Return) -> At the "User Name:" prompt, type in your Math department username -> At the "Password:" prompt, type in your password -> Click the "OK" button (or hit Return).

Solaris UNIX / Red Hat Linux:
Launch a local xterm or other terminal window program -> At the prompt, type "ssh username@euclid.ucsd.edu" or "ssh -l username euclid.ucsd.edu". Substitute your Math department username for the username part.
Where can I get SSH for my personal computer?
If the computer you're using does not already have an SSH client installed,
the following SSH clients are available for free download and use:
PLATFORM: Microsoft Windows
RECOMMENDED: SSH Secure Shell for Workstations (download via HTTP)
ALTERNATIVE: PuTTY (download via HTTP)
NOTES:
The SSH Secure Shell for Workstations client has BOTH SSH remote terminal login and SFTP secure file transfer capabilities built-in.
However, if you do not have local administrative privileges to install software on the PC you're using, then use the PuTTY client instead (SSH remote terminal login only).
Other available SFTP secure file transfer clients are WinSCP and FileZilla.
To run Unix X11 graphical programs, you must use a Windows X11 client such as Xming that can connect to the server using SSH (not via telnet, rlogin, rexec, or XDM).

PLATFORM: Mac OS X
RECOMMENDED: Mac OS X comes with SSH pre-installed.
Go to Applications -> Utilities -> Terminal
At the prompt, type "ssh username@euclid.ucsd.edu" OR "ssh -l username euclid.ucsd.edu"
NOTES:
Use Software Update or manually download software updates to update to the latest SSH version.
For a graphical SFTP secure file transfer client, use Fetch, Cyberduck, or Fugu in SFTP (not regular FTP) mode. Or use the pre-installed command-line "sftp" and "scp" clients.
To run Unix X11 graphical programs, use the Apple X11 client under Applications -> Utilities -> X11 (or download from Apple X11). At the prompt, type "ssh -X username@euclid.ucsd.edu" OR "ssh -X -l username euclid.ucsd.edu" to log in with automatic X11 port forwarding enabled. For X11 programs that require the use of trusted X11 forwarding, use the "-Y" flag instead of "-X".

PLATFORM: Classic Mac OS (9.x or older)
RECOMMENDED: MacSSH (download for PPC or 68K)
NOTES:
MacSSH only has SSH remote terminal login capability.
For SFTP secure file transfer, use MacSFTP ($15 shareware).
NiftyTelnet SSH is also available and has BOTH SSH remote terminal login and SCP secure remote file copy capabilities built-in, but it can only connect to less secure SSH version 1.x servers.

PLATFORM: Unix/Linux
RECOMMENDED: Most Unix/Linux distributions now come with SSH pre-installed.
At the prompt, type "ssh username@euclid.ucsd.edu" OR "ssh -l username euclid.ucsd.edu"
NOTES:
If SSH is not installed, please read your system documentation on how to update your system or ask your system administrator to install OpenSSH.
Use the command-line "sftp" or "scp" clients for secure file transfer.
To run Unix X11 graphical programs, type "ssh -X username@euclid.ucsd.edu" OR "ssh -X -l username euclid.ucsd.edu" to log in with automatic X11 port forwarding enabled. For X11 programs that require the use of trusted X11 forwarding, use the "-Y" flag instead of "-X".

PLATFORM: Web/Java
RECOMMENDED: If you have a Java-enabled web browser, you can use the MindTerm SSH Java Applet to log in to euclid.ucsd.edu.
NOTES:
To run MindTerm SSH properly, your web browser must use a recent version of the Java Runtime Environment (JRE), also known as a Java Virtual Machine (JVM).
If a compatible JRE is not already installed:
Microsoft Windows: Install the latest Sun JSE JRE.
Mac OS X: Use Software Update or manually download software updates to update to the latest Mac OS X Java.
Classic Mac OS: Install the latest Mac OS Runtime for Java (MRJ).
Unix/Linux: Install the latest Sun JSE JRE.
For Classic Mac OS, you must install the latest MRJ and use Microsoft Internet Explorer 5.x to use MindTerm SSH. The internal JRE in Netscape Communicator 4.x lacks certain features needed to run MindTerm SSH successfully. It is recommended that Classic Mac OS users use the MacSSH client instead.
Can't I just telnet first to any random outside intermediate host, then SSH to euclid.ucsd.edu?
No. No. No. Don't do that! The SSH connection must be completely
END-TO-END (to the best of your knowledge) to be secure. Doing that would
defeat the whole purpose of using SSH at all. Your
password would still be transmitted in cleartext over the telnet sections
of the connection.
If absolutely necessary, you can SSH to a secure intermediate host, then
SSH from there to euclid.ucsd.edu. Some sites only provide a single
"jumpstation gateway" or firewall server host where one can make such
outside Internet connections from the local network.
If you are travelling and only have access to a web browser on public PCs
running Microsoft Windows (e.g. at libraries, Internet cafes, etc.), in
most cases you can either use the MindTerm SSH Java Applet or download and use the
PuTTY SSH client for Microsoft Windows
(no "installation" required).
If you ONLY need to read your email, you can use the Math WebMail service, which is protected by SSL.
Can I still telnet OUT from department-supported computers?
Yes, outgoing telnet is still currently permitted. However, it is
strongly discouraged.
If the remote server you're connecting to via telnet ALSO supports
incoming SSH connections, it is recommended that you connect to that
server using SSH instead of telnet. This is especially important for user
accounts that you log in to using a re-usable password.
We are aware that there exist Internet network resources or publications
which are accessible only via regular telnet. Most of these services run
on dedicated servers and are intentionally designed for anonymous use or
with a publicly advertised common password.
How can I find out more info about SSH?
SSH FAQ
Another SSH FAQ
OpenSSH FAQ
UCSD ACS webpage on SSH
UCSD ResNet webpage on SSH
IETF SECSH Charter