SSH is a secure replacement for telnet, rlogin, the other r* services and ftp,
protocols which handle sensitive information in an insecure manner. Telnet
transmits sensitive information such as usernames and passwords unencrypted,
whereas SSH encrypts them, so that a malicious user who captures them with,
e.g., a sniffer has no use for them as such. Telnet is not the only service
vulnerable to eavesdropping; many other network services behave in the same
insecure manner. SSH stands for Secure Shell, and is the best solution so far
for these. All those services (telnet, rlogin and such) are a menace to the
security of your systems, so if you're still using them, well... stop! Use SSH.
Not sure or not convinced? Read on.
And that word is ...
Imagine a situation where your network has a sniffer installed, without your
knowledge, and you're using telnet (yes, I'm really trying to make you ditch
that telnet service :)). You have a large network, a lot of sensitive
information travels through it, many mission critical jobs depend on it. You're
the admin, the entire system is in your hands, yes, you have the power... So,
you telnet to it, do some minor modifications, fiddle around the system and so
on, and log out. Tomorrow, an almost nuclear holocaust happens: your network
has been taken over. How come? You had a state of the art firewall, your system
was patched regularly and had a flawless setup. Your almighty root password was
recovered from the logs of a sniffer that was capturing traffic on the network.
You could just as well have handed your password around.
SSH can do for you everything telnet would do, and even more, but in a secure
manner. SSH uses several different encryption algorithms, including:
and others for you to choose from. So you needn't worry about your root
password, it's quite safe. I think I heard a skeptic in the back row... :)
And on the 7th day, the password got encrypted
In the next couple of lines I'm going to describe the process of obtaining SSH
and setting it up to fit your needs. For several reasons, which of course I'm
not going to discuss here :), I'll stick with OpenSSH for Linux. OpenSSH can be
found here, choose the site appropriate for you, and the flavour of OpenSSH you
like.
As usual, I chose the .rpm, and downloaded it. It should be called something
like openssh-2.9p2-1.i386.rpm. There are other packages you can download and
install, but so as not to lose focus, I'll carry on with this one.
So, install it by running
rpm -i openssh-2.9p2-1.i386.rpm
(or any other package you have downloaded).
You can also download the source and compile it manually, which will give you
more flexibility in configuration, if you want to configure some things
manually.
Configuring the SSH
Once you have it installed, you should find these files in the /etc/ssh folder
(or possibly another one, depending on your installation/distribution), which
you can adjust to suit your own needs:
ssh_config, where you can adjust the ssh client configuration, and more
importantly sshd_config, where you will find all the information and
configuration necessary for the ssh server you plan to start.
sshd_config should contain various entries, most of them already set right, but
you can always check them. Some of these are (in order of appearance):
LoginGraceTime - here you can adjust the time, in milliseconds, before a user
who fails to log in is disconnected;
PermitRootLogin - if this entry is set to 'yes', root is allowed to log in via
ssh;
StrictModes - enabling this entry forces sshd to check users' permissions in
their /home prior to accepting their login;
KeepAlive - if this option is enabled, ssh checks that existing logins are
still connected;
RhostsAuthentication - this option should be set to 'no', because rhosts
authentication is insecure;
RhostsRSAAuthentication - if this is set, sshd will use rhosts and RSA; leave
it at 'no' unless you need otherwise;
RSAAuthentication - set this to 'yes' in order to use RSA authentication;
PasswordAuthentication - well, just set this one to 'yes' if it isn't :);
PermitEmptyPasswords - you don't want anybody to log in without a valid
password, right? Set this to 'no'.
Basically, everything
needed is set. You can also look into the ssh_config, it's quite similar, and
also pretty clear.
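A way to check an existing sshd_config against the 'no' settings listed above, as an added example that is not part of the original article. The function names and the sample file are assumptions made for illustration; the directive names are the ones the article gives for OpenSSH 2.9, and a directive that is not set explicitly is reported rather than assumed to have a safe default.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings the article recommends.

# Print the value sshd would use for KEYWORD in FILE. Keywords are matched
# case-insensitively, '#' starts a comment, and the first occurrence wins.
sshd_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }
        NF >= 2 && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Print one FINDING line per directive that is not explicitly set to "no",
# and an INFO line when root logins are permitted.
audit_sshd_config() {
    for kw in RhostsAuthentication RhostsRSAAuthentication PermitEmptyPasswords; do
        val=$(sshd_value "$1" "$kw")
        [ "$val" = "no" ] || echo "FINDING: $kw is '${val:-unset}', article says 'no'"
    done
    [ "$(sshd_value "$1" PermitRootLogin)" != "yes" ] ||
        echo "INFO: PermitRootLogin yes, root can log in via ssh"
}

# Constructed sample configuration (not taken from a real host).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
PermitRootLogin yes
StrictModes yes
RhostsAuthentication no
#PermitEmptyPasswords no
rhostsrsaauthentication yes   # keyword case does not matter
RhostsAuthentication yes      # ignored: an earlier value already applies
EOF

audit_sshd_config "$SAMPLE"
```

On the sample this reports RhostsRSAAuthentication and the commented-out PermitEmptyPasswords as findings; point it at your own /etc/ssh/sshd_config by calling audit_sshd_config with that path.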
That's it. All that is left is to start the sshd. Check your installation path
and invoke it by typing:
/your/path/sshd
If you're satisfied with everything, make the sshd start at boot time by
modifying the appropriate files, which are sometimes distribution specific.
As you can see, installing SSH is quite easy, so there is no obvious reason not
to, besides you not wanting it for some extraordinary reason.
Using SSH
ssh is also used pretty much the same way as telnet. Most important, remember
to invoke it with the option '-l' to provide a valid username, i.e.:
ssh -l silentbob IP
This will, provided you have the password, allow silentbob to log in to a
remote server. If you'd like to change the cipher used in that session, invoke
it with the option '-c' followed by the appropriate cipher (blowfish, idea,
3des).
Notice that the first time you connect to a remote ssh server, you'll get a
warning notice, because that host isn't in the list of known hosts. If you want
to continue connecting, answer 'yes' and the list will be updated. This
question only comes up for hosts to which you have never connected before with
ssh, that is, all those not in the list.
One of the things that comes as part of the ssh package is scp, or secure copy,
for secure remote copying; use it whenever possible.
As usual, ssh is not fault free: it has had some security history, and
certainly some things may arise in the future, but for now it is pretty much
the safest way for you to do things remotely. Look out for vulnerabilities and
patches and you'll keep your system secure.
Roger and out!
Article by Aleksandar Stancin.