SSH Access to UCAR/NCAR/UOP
End-To-End Encryption with SSH
We encourage you to use secure, end-to-end encryption when logging in to your accounts at UCAR/NCAR/UOP.
Use of end-to-end encryption, instead of old cleartext protocols like telnet, rlogin, and non-anonymous ftp, will help avoid having your activities monitored and your password sniffed by ne'er do wells. It will help prevent such miscreants stealing your data in transit, as well as keep them from logging in as you to steal or damage your files, or to use your resources to attack others. All of those are very Bad Things.
For the present, the best method to make such secure, private end-to-end encrypted connections is Secure Shell, or ssh. Ssh is a Good Thing because it elegantly prevents such Bad Things.
If you haven't switched to ssh from telnet and ftp already, using ssh for interactive shell logins will require almost no changes to the way you work. After you get the client you want, you will just type ssh instead of telnet and rlogin, or run a different terminal emulator (or perhaps just an add-on for your current one), for your logins. The only significant changes may be to the file transfers you might be used to doing with rcp or with ftp clients. We'll help you with both here.
Protecting Your Logins
Note that it's safest for you to use ssh directly from your home or office system. If you use a password, you want to avoid ever exposing it across a cleartext connection anywhere else.
For example, using the password you have here also over cleartext connections to other systems (via telnet, rlogin, ftp, pop, imap, in web pages, etc.) means someone can sniff your password on its way to those other systems. Once they have your password, and perhaps have seen you mention this place your email they've read or in files they found after they violated another of your systems, they can then come here and use it to impersonate you.
For another example, logging in via telnet elsewhere, and then using ssh from that system to log in here, makes the use of ssh meaningless. Any information you transfer or passwords you type would be sent exposed between your system and the machine you're telnetting to, before it is protected only for the last hop. It can be sniffed on any untrustworthy exposed portions of the link.
Those kinds of unnecessary exposures to privacy violation are examples of Wrong Things. Instead, you want the Right Thing of true end-to-end privacy, direct from your desktop to the server. Using ssh from end to end, plus using unique passwords for such secure systems, will keep your logins and data secret from just about any network snooper.
Client Availability
Ssh clients are available for just about any operating system out there, either with commercial support or for free. We'll go over recommended free ssh clients (released under either the GPL, a BSD-style license, or similar) in this document, plus at least mention commercial clients for those who want commercial support.
First, we'll cover getting the clients we recommend for Unix-like systems, Mac OS, and Microsoft Windows. Then, we'll cover the file transfer mechanisms you can use instead of direct user ftp with each of the recommended clients. Finally, we'll sum up with capsule recommendations for each OS.
SSH is available for Palm Pilots, Windows CE machines, and perhaps even game consoles. However, we've only covered Unix-like systems, Mac OS, and Microsoft Windows here.
free
We strongly recommend the free OpenSSH. OpenSSH comes with OpenBSD (its home base), Debian Linux, and Red Hat Linux 7 at minimum. You can obtain the Portable OpenSSH distribution for just about any other Unix-like system you have, including pre-built RPMs for Red Hat Linux 6.2 and updates for 7. (You don't need to be root on your Unix-like system to build and install the ssh client for your own use.) OpenSSH uses command line scp and rsync for efficient file and directory transfer.
If you're adventurous, you might also check out lsh by Neils MöIler. It's a GPLed SSH-2 implementation.
commercial
If you instead want the commercial support you can get from a for-pay product, plus perhaps a few additional features, SSH Communications Security sells SSH for Unix-like systems online. Their original US distributor, F-Secure, also sells a similar version online, known as F-Secure SSH.
free
We strongly recommend the free NiftyTelnet SSH by Jonas Walldén. It is an excellent terminal emulator (thanks to the original NiftyTelnet by Chris Newman). NiftyTelnet SSH provides a drag and drop GUI front end for scp file and directory transfers.
We also recommend the Java ssh client, Mindterm. It works well on Mac OS, particularly for port forwarding, though the user interface is somewhat generic Java and thus not Mac standard. We have a Mac OS runtime of the GPLed version 1.2 available locally. Mindterm has a rudimentary dialog-based front-end for scp file and directory transfers on all platforms.
A new contender is the free MacSSH, currently in early development release, based on BetterTelnet by Rolf Braun and lsh by Neils MöIler. You might want to try it out, especially if you are an advanced user who wants the SSH-2 support and port forwarding that NiftyTelnet SSH lacks.
commercial
If you instead want the commercial support you can get from a for-pay product, the original US distributor of SSH Communications Security's product, F-Secure, sells a Mac version of their F-Secure SSH online. It does SSH-2 only (no support for the less secure SSH-1), and forwards your standard ftp command channel connections for file transfers.
free
We strongly recommend PuTTY for our MS Windows users. PuTTY does command line scp with pscp.exe for file and directory transfer. The iXplorer graphical front end for PuTTY's scp (reviewed by Jeremy C. Reed) provides a point and click scp transfer interface. PuTTY also now includes a command line sftp file transfer client.
We also strongly recommend the cygwin GNU utility suite for MS Windows, which can run OpenSSH. Cygwin is best for those Microsoft Windows users who also wish to use other GNU and open source tools. It is tremendously useful for getting all kinds of work done on a Windows machine, not just for running OpenSSH. When using OpenSHH, it does command line scp and rsync for efficient file and directory transfer.
We also recommend the Java ssh client, Mindterm. It works fairly well under the Java preinstalled on most recent Windows systems. Mindterm has a rudimentary dialog front-end for scp file and directory transfers on all platforms. It can also port forward the ftp command channel.
Also available is the TerraTerm SSH (ttssh) add-on for the excellent TerraTerm Pro terminal emulator by T. Teranishi. It uses zmodem to transfer individual files. To transfer entire directories, use pkzip to make an archive first then use unzip on the web server, or use PuTTY's pscp.exe or a similar utility instead.
commercial
If you instead want the commercial support you can get from a for-pay product, SecureCRT is available online from VanDyke. SecureCRT is easy to set up and use. SecureCRT offers multi-file zmodem transfers, and the new version will ship with a command-line sftp called vcp as well. A separate product, SecureFX, does both sftp, and ftp command channel port forwarding.
In addition SSH Communications Security sells a Windows version of SSH online. Their original US distributor, F-Secure, also sells a similar version online, known as F-Secure SSH. Both do file and directory transfers with a drag-and-drop sftp client.
Ssh provides a clean path across which many different types of file transfers can be run. These include scp and rsync originally from Unix, zmodem (originally used extensively for BBSes), port-forwarded ftp command channels, and a more secure system designed to mimic ftp commands known as sftp, among others.
Which you choose will depend on what is available for your platform, and your preferences regarding command line vs gui. We support all of the following: scp, rsync, zmodem, port-forwarded ftp command channels, and sftp.
NiftyTelnet SSH (Mac OS) has a very smooth file transfer window. Mindterm (Java) has a dialog-based front end for scp that isn't as nice, but it can get the job done if it's all you have. Other clients, like OpenSSH (Unix, Windows cygwin), SSH (Unix), F-Secure SSH (Unix), and PuTTY's pscp.exe (Windows) use a command line scp.
If you want to recursively copy mydirectory to host h.example.com (where you log in as myname) into the location /www/example.com/web/, type the hostname or select the shortcut for that hostname in the New Connection dialog, and click the Scp… �S button. Then set up the resulting file transfer dialog as follows:
You can drag and drop files into the "Source Files" pane from the Finder as well. This makes copying large numbers of individual files that aren't stored in one directory quite quick and easy. It's almost embarassing how smoothly it works.
If you want to recursively copy a directory called log from the location /www/example.com/ on a host h.example.com where you log in as myname to your download folder, type the hostname or select the shortcut for that hostname in the New Connection dialog, and click the Scp… �S button. Then set up the resulting file transfer dialog as follows:
Mindterm's file transfer dialog is not as snazzy, but it gets the job done if you're willing to type directory names and select files one by one with a standard file picker. After you have logged in to a server, you can select "SCP File Transfer…" from the "File" menu. The resulting dialog is used both to upload and download files and directories:
To switch from copying files to the server to downloading files from it, click the "Change Direction" button.
Depending on the platform you're using to run Mindterm, you may be able to select directories through the "…" button, or you may have to select a file in the directory, and manually edit the resulting path Mindterm generates. It's certainly not the prettiest implementation, but it does work.
The command line for doing a recursive scp of mydirectory from your websites directory to host h.example.com (where you log in as myname) into the location /www/example.com/web/ typically looks like this:
scp -r ~/websites/mydirectory myname@h.example.com:/www/example.com/web
Or with pscp.exe:
pscp -r c:\websites\mydirectory myname@h.example.com:/www/example.com/web
(Replace the directory, host, and login names with those for your own system. If your login name is the same on both ends of the transfer, you can omit the myname@ portion when using scp.)
If you want to copy just the contents of mydirectory instead of mydirectory itself, refer to those contents like this:
~/websites/mydirectory/*
Or with pscp.exe:
c:\websites\mydirectory\*.*
The /* or \*.* tells scp or pscp.exe to copy the contents of mydirectory only into …/web/ instead of creating or replacing a directory called mydirectory within …/web/.
The command line for copying all files whose names start with access from the location /www/example.com/log/ on a host h.example.com where you log in as myname, to the current working directory your workstation, typically looks like this:
scp myname@h.example.com:/www/example.com/log/access\* .
Or with pscp.exe:
pscp myname@h.example.com:/www/example.com/log/access* .
(Replace the directory, host, and login names with those for your own system. If your login name is the same on both ends of the transfer, you can omit the myname@ portion when using scp.)
rsync provides a smart file transfer method that only sends items that differ between the sending and receiving side. It even transfers only those portions of files that have been changed, rather than copying the entire file each time. Clients, like OpenSSH (Unix, Windows cygwin), SSH (Unix), and F-Secure SSH (Unix) can use a command line rsync.
If you keep a local copy of your site's directory tree on your home or office system (highly recommended), rsync can save you the hassle of making sure you transfer only those files or portions that have been changed, while catching all the files that have been changed. This can considerably speed up your updates, as well as make the results more reliable, because you'll have a smaller chance of broken links from that file you changed but forgot to copy to the site.
If rsync is not included with your Unix-like system in the base distribution, it is likely available as a package or in the ports tree. If not, you can download and build the configurable source.
The command line for doing a recursive rsync of mydirectory from your websites directory to host h.example.com (where you log in as myname) into the location /www/example.com/web/ typically looks like this:
rsync -e ssh -avz ~/websites/mydirectory myname@h.example.com:/www/example.com/web
(Replace the directory, host, and login names with those for your own system. If your login name is the same on both ends of the transfer, you can omit the myname@ portion.)
If you want to copy just the contents of mydirectory instead of mydirectory itself, refer to it like this:
~/websites/mydirectory/
The trailing slash signals rsync to copy only the contents of mydirectory into …/web instead of creating or modifying a directory called mydirectory within …/web.
(Replace the directory, host, and login names with those for your own system. If your login name is the same on both ends of the transfer, you can omit the myname@ portion.)
The command line for syncing a directory called log from the location /www/example.com/ on a host h.example.com where you log in as myname, to the current working directory your workstation, typically looks like this:
rsync -avz myname@h.example.com:/www/example.com/log .
(Replace the directory, host, and login names with those for your own system. If your login name is the same on both ends of the transfer, you can omit the myname@ portion.)
Zmodem is usually implemented in terminal emulators with BBS heritage. TerraTerm SSH and SecureCRT are examples.
To copy a file to host h.example.com in the directory /www/example.com/web/, log in to h.example.com, and change working directory to /www/example.com/web/ with the following command line:
cd /www/example.com/web/
(Replace the directory and host names with those for your own system.)
Then set up a zmodem file transfer as follows:
Select the file you wish to transfer in the resulting dialog. TerraTerm SSH will handle invoking the rz (zmodem receive) program on the server, and will send the file to the server, placing it in the current working directory you selected earlier.
To download a file named access_log from host h.example.com's directory /www/example.com/log/, log in to h.example.com, then type the command line:
sz /www/example.com/log/access_log
(Replace the directory and host names with those for your own system.)
The server will begin trying to send the file. Select zmodem as in the picture above, but choose Receive, and TerraTerm SSH will accept the transfer and download the file.
To copy a number of files to host h.example.com in the directory /www/example.com/web/, log in to h.example.com, and change working directory to /www/example.com/web/ with the following command line:
cd /www/example.com/web/
(Replace the directory and host names with those for your own system.)
Then select SecureCRT's zmodem upload list as follows:
In the resulting dialog, select the files you wish to transfer. Then go back to SecureCRT's Transfer menu, and select Start Zmodem Upload. SecureCRT will handle invoking the rz (zmodem receive) program on the server, and will send the files to the server, placing them in the current working directory you selected earlier.
This section is not yet written.
Sftp is a new file transfer application that can mimic interactive ftp without the worries about port forwarding and without using a cleartext data transfer. It does command line transfers under OpenSSH (Unix, Windows cygwin) and SecureCRT vcp (Windows), as well as drag and drop under SecureFX (Windows), SSH (Windows), and F-Secure SSH (Windows).
An sftp client is included with the Portable OpenSSH distribution. It provides for interactive sessions plus commands for directory listings like the usual command line ftp clients. You would invoke sftp like this:
sftp myname@h.example.com
(Replace the login and server name with those for your own system.)
Once connected, the commands in the sftp client are pretty much the same as in an ftp command line client. You can switch to different directories on the server with cd, and on the client with lcd. You can also get and put files.
SecureCRT's vcp uses sftp under the hood, but works like scp. It doesn't offer an interactive session for directory listings the way the OpenSSH sftp client does.
The command line for doing a recursive sftp of mydirectory from your websites directory to host h.example.com (where you log in as myname) into the location /www/example.com/web/ typically looks like this:
vcp -r c:\websites\mydirectory myname@h.example.com:/www/example.com/web
(Replace the directory, host, and login names with those for your own system.)
The command line for copying all files whose names start with access from the location /www/example.com/log/ on a host h.example.com where you log in as myname, to the current working directory your workstation, typically looks like this:
vcp myname@h.example.com:/www/example.com/log/access* .
(Replace the directory, host, and login names with those for your own system.)
SecureFX from VanDyke (they also produce SecureCRT) provides a point and click, drag and drop sftp that mimics the MS Windows Explorer. SecureFX can optionally transfer only those files that are newer on the source than on the destination (though it lacks the partial transfers of rsync).
(picture goes here)
SSH from SSH Communications Security provides a point and click, drag and drop sftp that mimics the MS Windows Explorer:
(picture goes here)
F-Secure SSH from F-Secure also provides a point and click, drag and drop sftp that mimics the MS Windows Explorer:
(picture goes here)
In case all that information is a bit much to swallow at once (it was for us when writing it :-), here are some capsule summaries of what we recommend you use, with alternatives based on specific preferences. Either take our recommendations as is, or make another pass through the specific entries above for each, and see if you agree with us.
Use OpenSSH and rsync.
(If rsync is too much trouble to install, scp is always available with OpenSSH.)
Recommendation for Mac OS
Use NiftyTelnet SSH for logins and file transfers.
(If you need port forwarding, also use Mindterm. If you need port forwarding and SSH-2 support both, try MacSSH instead. If you want ftp command channel port forwarding, you'll need to go commercial with F-Secure SSH.)
Use PuTTY for interactive logins and file transfers. Optionally use iXplorer on top of pscp.exe for file transfers.
(If you want a different terminal emulator, use TerraTerm SSH (ttssh), while still using PuTTY or iXplorer for file transfers. If you want more Unix command line utilities and the ability to use rsync, use cygwin instead of PuTTY. If you really want the snazzy sftp GUI agents, you'll need to go commercial with SecureCRT/SecureFX, SSH, or F-Secure SSH.)
Conclusion
Using ssh instead of telnet and ftp for access to UCAR/NCAR/UOP systems will help keep your information, including your passwords, out of the hands of snoopers. That makes it harder for miscreants to violate your privacy, or to use your login to damage your site or attack others.
However, using ssh doesn't help if you expose your sessions partially in cleartext, such as when logging in via ftp or telnet on an intermediary host. You can solve that problem by making sure your encryption is done end-to-end.
Also, use a secure password (or use public key authentication) for ssh logins and file transfers to secure machines, on which you never use cleartext telnet, rlogin, ftp, pop, imap, etc. In other words, segregate your passwords between secure and insecure hosts, to prevent a password sniffed elsewhere from being used against you here.
If you never use your secure host passwords across a cleartext connection anywhere, you'll be golden.
Switching to ssh for interactive logins should work just like telnet for you after you install an ssh client for your OS. File transfer changes may necessarily be a little more extensive, though they should be easy. File transfers across ssh could even give you a more capable system if you can use rsync, or a smoother drag and drop on Windows if you buy one of the commercial GUI clients.
Whichever client you choose, welcome to the world of secure end-to-end encryption using ssh!