University of California at Berkeley
Department of Electrical Engineering & Computer Sciences
Instructional Support Group

/share/b/pub/ssh.help
/share/b/pub/putty.help
/share/b/pub/xming.help
/share/b/pub/winscp.help

Sep 3 2008 (william)
Nov 23 2011 (kevinm)

***************************************************************************
SSH or Putty is required for logging into Instructional UNIX systems.
Download for free from http://inst.eecs.berkeley.edu/download-ssh.html
***************************************************************************

CONTENTS:

  Putty, Xming and WinSCP Replace SSH and Exceed on Windows
  SSH Quick Guide (login to UNIX)
  SCP Quick Guide (file copy to UNIX)
  SSH Variants (SSH2 and OpenSSH)
  SSH Public and Private Keys (passphrases)
  Password-less Logins (OpenSSH)
  X11 Forwarding (Tunneling)
  SSH on UNIX
  SSH Hostkeys
  "X Error of failed request: BadAtom" Error
  "X protocol Error: BadAccess" Error
  "Host key verification failed." Error
  "scp: FATAL: Executing ssh1 in compatibility mode failed" Error
  "warning: Executing /usr/local/bin/ssh1 for ssh1 compatibility" Error
  "FATAL ERROR: Server unexpectedly closed network connection"
  Alternatives to SSH
  Tutorials
  Vista 64: Xming, Exceed, and Cygwin's Xwin don't work

Putty, Xming and WinSCP Replace SSH and Exceed on Windows
---------------------------------------------------------

Windows users note:

  Putty replaces SSH Secure Shell.  Putty lets you login to UNIX from
  Windows.
    Current version: PuTTY version 0.60
    SSH Secure Shell is no longer supported.

  WinSCP replaces SSH File Transfer.  WinSCP gives a graphical interface
  for file transfers.
    Current version: WinSCP 4.0.7
    Putty does not have its own file transfer feature.

  Xming (and Xming-fonts) replaces Exceed.  Xming lets you display graphics
  from UNIX commands on Windows.
    Current versions: Xming 6.9.0.28; Xming-fonts 7.3.0.22
    Exceed has complex security settings; it is unsafe by default.
For Putty/WinSCP/Xming downloads and instructions, please see
  http://inst.eecs.berkeley.edu/download-ssh.html
  http://inst.eecs.berkeley.edu/cgi-bin/pub.cgi?file=doc/putty.doc

Putty documentation:
  http://www.chiark.greenend.org.uk/~sgtatham/putty/docs.html
  http://inst.eecs.berkeley.edu/cgi-bin/pub.cgi?file=putty.help
  http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html

If Putty closes too soon for you to read the contents:
  In the Putty configuration window, change the "Close Window on Exit"
  setting to "Never" to prevent Putty from closing before the content is
  displayed.  This is needed when the server displays non-interactive
  content such as a "no login" message.

SSH Quick Guide (login to UNIX)
-------------------------------

The SSH (or Putty) program is required to login to the UNIX computers in
EECS, because it encrypts your data as it is transmitted over the network.

Sample commands (logging into cory.eecs as user 'foobar'):

  from Linux:     /usr/bin/ssh cory.eecs.berkeley.edu -l foobar
  from MacOSX:    /usr/bin/ssh cory.eecs.berkeley.edu -l foobar
  from Solaris:   /usr/bin/ssh cory.eecs.berkeley.edu -l foobar
  from Windows:   select Start->Programs->Putty
                    Host Name:        cory.eecs.berkeley.edu
                    Port:             22
                    Connection Type:  SSH
                    Login As:         foobar

If it is the first time you have connected to cory.eecs (or if the sys
admins have recently updated cory.eecs), SSH will ask you if you want to
accept the new "host key".  You should answer "yes".

The password that is requested is your UNIX password.  The initial UNIX
password for Instructional accounts is on the account form.  (You may have
changed that password.)

If you wish to display UNIX graphics output from the UNIX server to your
local computer, see "X11 Forwarding (Tunneling)" below.

If you wish to use an SSH passphrase instead of the UNIX password, see
"SSH Public and Private Keys" below.
EECS Instructional users may download 'SSH' for free from
  http://inst.eecs.berkeley.edu/download-ssh.html

OpenSSH 3.1 is available from www.openssh.com.  Earlier versions are not
recommended because of the bug described in
  http://www.pine.nl/advisories/pine-cert-20020301.txt .

EECS no longer supports the commercial "SSH Secure Shell" or "SSH Secure
File Transfer" user programs on Windows.

SCP Quick Guide (file copy to UNIX)
-----------------------------------

The SFTP program is required to do file transfers with the UNIX computers
in EECS, because it encrypts your data as it is transmitted over the
network.

Sample commands (logging into cory.eecs as user 'foobar'):

  from Linux:     /usr/bin/scp file1 foobar@cory.eecs.berkeley.edu:file2
  from MacOSX:    /usr/bin/scp file1 foobar@cory.eecs.berkeley.edu:file2
  from Solaris:   /usr/bin/scp file1 foobar@cory.eecs.berkeley.edu:file2
  from Windows:   select Start->Programs->Winscp
                    Host Name:          cory.eecs.berkeley.edu
                    Port Number:        22
                    User Name:          foobar
                    Password:           secret
                    File Protocol:      SFTP
                    Allow SCP FallBack: \/
                    Click: Open

See above for the typical login dialog.

EECS no longer supports the commercial "SSH Secure Shell" or "SSH Secure
File Transfer" user programs on Windows.

SSH Variants (SSH2 and OpenSSH)
-------------------------------

There are 2 variants of SSH on EECS computers:

  "OpenSSH" - found on Linux, MacOSX, Cygwin, Solaris 10
  "Putty"   - ("Putty", "WinSCP"), on Windows
  "SSH2"    - ("Secure SSH", "commercial SSH"), on Windows, older Solaris

A third version of SSH, called "SSH2", "Secure SSH" or "commercial SSH", is
no longer supported on EECS computers, so we have converted to OpenSSH on
UNIX and Putty on Windows.

You can tell which one you have with the command

  ssh -V

The basic "ssh" command that allows you to login is cross-compatible.  That
is, if you have SSH2 or OpenSSH on your local computer, you can login to a
remote computer that has either variant.
However, the "scp" (file copy) command is limited; you must connect to a
remote computer that has the same variant that you do.  (See the
"scp: FATAL:.." section, below, for details.)

And if you want to use your own SSH password, the public and private keys
you create with one variant must be converted to the format of the other
version if you want to login between computers with different variants.
(Yes, that's bothersome.)  See "SSH Public and Private Keys" below for more
information.

EECS Instructional users may download free versions of SSH for home use
from
  http://inst.eecs.berkeley.edu/download-ssh.html and
  http://inst.eecs.berkeley.edu/~instcd.

SSH Public and Private Keys (passphrases)
-----------------------------------------

By default, ssh prompts you for your UNIX password on the server you
connect to.  But you can also generate your own SSH 'passphrase' that is
independent of the UNIX password.

Your SSH passphrase is represented as 2 files, your SSH public and private
keys.  The private key file should be stored secretly on your local
computer or computer account.  The public key can be installed in yours and
other users' UNIX home directories, which will allow you to login to those
accounts using your own passphrase.

On UNIX:

  You can make these OpenSSH keys and passphrase with the commands:

    /bin/ssh-keygen -t rsa -f ~/.ssh/${USER}
        (writes the private key ~/.ssh/${USER} and the public key
         ~/.ssh/${USER}.pub; ssh-keygen asks for the passphrase)
    cat ~/.ssh/${USER}.pub >> ~/.ssh/authorized_keys
    cp ~/.ssh/${USER} ~/.ssh/id_rsa
    chmod 600 ~/.ssh/${USER} ~/.ssh/id_rsa

  Others can allow you to login to their UNIX accounts using your
  passphrase by adding your *.pub file to their .ssh/authorized_keys file.
  Here's how:

    Your *.pub file is located in your .ssh directory.  Copy or email the
    *.pub file to the owner of the account that you want to login to, who
    should append it to her ~/.ssh/authorized_keys file.

  If you have an older SSH2 key, you may need to convert it to OpenSSH
  format.
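The commands above append a public key to authorized_keys by hand; the
"Password-less Logins" section further down then loads the matching private
key into an agent.  The POSIX shell script below is an added example (it is
not part of this help file and not an EECS tool) of the same two steps done
with the checks a careful user wants: it refuses anything that is not a
single public-key line, never appends a duplicate, sets the 700/600
permissions that sshd requires before it will honour the file, and starts
the agent with a bounded key lifetime that dies with the login shell.  The
function names, the throwaway HOME and the sample key are our own; the key's
base64 blob is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the EECS help file): install a public key into
# authorized_keys safely, and start an ssh-agent whose "ticket" is limited
# in time and tied to this login shell.

# valid_pubkey_line LINE
#   0 if LINE looks like one OpenSSH public key ("type base64 [comment]"),
#   1 otherwise.  Stops a pasted private key or a mangled line from being
#   appended to authorized_keys.
valid_pubkey_line() {
    printf '%s\n' "$1" |
      grep -Eq '^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_pubkey LINE AUTHORIZED_KEYS
#   Appends LINE to AUTHORIZED_KEYS unless an identical line is already there.
#   Creates the .ssh directory with mode 700 and the file with mode 600,
#   which sshd's StrictModes requires before it will use the file.
#   Prints "added" or "present"; returns 1 for a malformed line.
install_pubkey() {
    line=$1
    authkeys=$2
    valid_pubkey_line "$line" || { echo "not a public key line" >&2; return 1; }
    mkdir -p "$(dirname "$authkeys")"
    chmod 700 "$(dirname "$authkeys")"
    touch "$authkeys"
    chmod 600 "$authkeys"
    if grep -qxF -- "$line" "$authkeys"; then
        echo present
    else
        printf '%s\n' "$line" >> "$authkeys"
        echo added
    fi
}

# count_keys AUTHORIZED_KEYS: number of key lines, ignoring blanks and comments.
count_keys() {
    grep -cvE '^[[:space:]]*(#|$)' "$1"
}

# agent_state: what the "ticket" in this shell currently points at.
#   none  - SSH_AUTH_SOCK unset: no agent, ssh will prompt for the passphrase
#   stale - SSH_AUTH_SOCK names a socket that no longer exists (old login)
#   ok    - a socket is there; "ssh-add -l" shows which keys it holds
agent_state() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo none
    elif [ ! -S "$SSH_AUTH_SOCK" ]; then
        echo stale
    else
        echo ok
    fi
}

# start_agent_bounded SECONDS
#   Starts an agent for sh/bash ("ssh-agent -s"; the help file's "-c" form is
#   for csh/tcsh), loads ~/.ssh/id_rsa with a lifetime of SECONDS (ssh-add -t),
#   and kills the agent when this shell exits, so the ticket cannot be used
#   after you log out or after the lifetime expires.
start_agent_bounded() {
    eval "$(ssh-agent -s)" > /dev/null
    trap 'ssh-agent -k > /dev/null 2>&1' EXIT
    ssh-add -t "$1" ~/.ssh/id_rsa
}

# --- demo on a throwaway HOME with a constructed (placeholder) key ----------
DEMO_HOME=$(mktemp -d)
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEH foobar@example'
install_pubkey "$SAMPLE_KEY" "$DEMO_HOME/.ssh/authorized_keys"    # added
install_pubkey "$SAMPLE_KEY" "$DEMO_HOME/.ssh/authorized_keys"    # present
echo "keys installed: $(count_keys "$DEMO_HOME/.ssh/authorized_keys")"
ls -ld "$DEMO_HOME/.ssh" "$DEMO_HOME/.ssh/authorized_keys"
echo "agent: $(agent_state)"
rm -rf "$DEMO_HOME"
```

To use it on a real account, call install_pubkey with the contents of the
*.pub file you were sent and the path ~/.ssh/authorized_keys; to take a
time-limited ticket, run start_agent_bounded 3600 (one hour) in the shell
you will log in from.  Leaving an agent holding an unlimited-lifetime key
is exactly the exposure the "Password-less Logins" section warns about.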
  In general, you can convert a *.pub key from one variant to the other,
  but only with the OpenSSH version of "ssh-keygen":

    /bin/ssh-keygen -i -f your-ssh2.pub    > your-openssh.pub
        (-i imports a key in SSH2 / RFC 4716 format)
    /bin/ssh-keygen -e -f your-openssh.pub > your-ssh2.pub
        (-e exports an OpenSSH key in SSH2 / RFC 4716 format)

On Windows:

  The instructions for generating public/private keys using Putty are at:
    http://inst.eecs.berkeley.edu/cgi-bin/pub.cgi?file=doc/putty.doc

Password-less Logins (OpenSSH)
------------------------------

You can generate a "ticket" that will let you login to UNIX accounts
without typing your SSH password each time.  The target account must have
your public key in ~/.ssh/authorized_keys (see "SSH Public and Private
Keys" above).  Here's how to generate the "ticket" on UNIX:

  eval `ssh-agent -c`       (-c prints csh/tcsh commands; use "ssh-agent -s"
                             from sh or bash)
  ssh-add                   (it prompts for your passphrase)
  ssh -l jdoe cory.eecs     (it will login to 'jdoe' without prompting)

You have to do this once each time you login.

Be aware that this is generally a risky thing to do because it opens the
second account to breakins if the first account is cracked.

X11 Forwarding (Tunneling)
--------------------------

In addition to your login session, SSH can create additional secure
sessions ("tunnels") for other networked applications.  This is most
commonly used to run UNIX X Windows programs.  That is, if you 'ssh' into a
UNIX server and start a program such as 'xterm', the xterm window will be
"forwarded" to your desktop computer and will pop up on your screen.

If you have an X Window manager on your computer, you can display UNIX
graphics there.  Linux, MacOSX and Solaris workstations usually have X
Window managers.  On Windows, Exceed and Cygwin are 2 popular X Window
managers that you can install.  EECS Windows computers have Exceed.  For
more information about that, see /share/b/pub/xwindows.help.

You must enable "X11 Forwarding" when you start 'ssh'.  In the graphical
SSH versions for Microsoft Windows and MacOSX, you will typically find a
check box for "X11 Forwarding" under Settings.
In the UNIX command line versions, these are typically the options (type
"man ssh" to see which ones are right for your version of 'ssh'):

  OpenSSH uses
    ssh -X   = set up X Windows forwarding (usually this is the default)
    ssh -Y   = set up X Windows 'trusted' forwarding (sometimes required)
    ssh -x   = no forwarding (use this if you have no X windows server)
    ssh -2   = forces it to use version 2 (required for EECS computers)

  SSH Secure Shell uses
    ssh +x   = set up X Windows forwarding (usually this is the default)
    ssh +X   = set up X Windows 'trusted' forwarding (sometimes required)
    ssh -x   = no forwarding (use this if you have no X windows server)

SSH on UNIX
-----------

SSH commands on UNIX include:

  sshd         Server program run on the server machine.
  ssh          This is the client program used to log into another machine.
  scp          Securely copies files from one machine to another.
  ssh-keygen   Used to create public/private keys (for SSH passphrases).
  ssh-agent    Authentication agent.  Holds keys for authentication.
  ssh-add      Used to register new keys with the agent.

For more information, see the manual pages ssh(1), sshd(8), scp(1),
ssh-keygen(1), ssh-agent(1), ssh-add(1).

SSH programs are available on all EECS Instructional UNIX systems in the
/usr/local/bin and /usr/sww/bin directories.  Documentation is in UNIX man
pages that are stored in directories that are specific to the version of
SSH.  Here are examples of how to read the man pages that are currently
available:

  man -M /usr/sww/man ssh

SSH Hostkeys
------------

Our UNIX login servers have "hostkeys" that SSH programs use to verify the
identity of the computer.  This is to prevent someone from setting up a
rogue computer and trying to intercept your login attempt.  (Banks and
e-commerce sites really need this, but it is less likely that anyone would
want to masquerade as one of our computers.)  When you first connect to the
server, SSH copies the hostkey to your local computer.
Your copy of these hostkeys is probably in

  UNIX:     ~/.ssh/known_hosts
  Windows:  for Putty, it's inaccessible (in the Windows Registry); for
            more information, see
            http://the.earth.li/~sgtatham/putty/0.60/htmldoc/Chapter2.html#gs-hostkey

We sometimes have to change the hostkey on one of our servers, such as when
we install a new version of the operating system.  In that case, you will
get a "man in the middle" security warning from SSH commands the next time
you try to login.  Generally, you can just say "yes" to accept the new
hostkey.

The SSH hostkeys for all Instructional UNIX systems are now accessible in
  http://inst.eecs.berkeley.edu/~inst/hostkeys/ and /share/b/hostkeys.
If you get a "man in the middle" security warning, you can check there for
confirmation that we have really installed a new hostkey.

The way you accept a new key is different in each of the two versions of
SSH that are commonly in use now:

1) For Putty, you can load the current hostkeys for the Instructional
   servers by loading William's puttySession.reg into your registry hive.
   That will get all of the UNIX server keys that were in that file when it
   was created.  This will also set up sessions for all the UNIX login
   servers for you so that you won't have to enter them.  The file is in
   /share/b/hostkeys/puttySessions.reg.

2) The open source "OpenSSH" that is typically on Linux and MacOSX systems
   (and recent Solaris systems) may require that you manually delete the
   previous host key from the "known_hosts" file in your local home
   directory.  You can identify the line that should be deleted from a line
   in the error message.  For example, if you see the error message:

     Offending key in /Users/JohnDoe/.ssh/known_hosts:2

   then delete line 2 from the file /Users/JohnDoe/.ssh/known_hosts.  Then
   run 'ssh' again and accept the new host key when it asks you.
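Deleting "line 2" by hand is easy to get wrong (an off-by-one removes the
key of a different server, and the old line is gone for good).  The POSIX
shell script below is an added example (not part of this help file, not an
EECS tool) that does what item 2) above and the "Host key verification
failed." section further down describe: it parses the "Offending key in
FILE:N" line out of the warning, checks that line N of known_hosts really
names the server in question, keeps a backup, and only then deletes that
one line.  The function names and the sample known_hosts file are our own;
the key blobs in it are constructed placeholders.  It assumes the plain
OpenSSH known_hosts layout ("host[,host...] keytype base64"); hashed
entries (lines starting with "|1|") cannot be matched by name this way.

```shell
#!/bin/sh
# Added example (not from the EECS help file): remove exactly the stale
# known_hosts line named in an OpenSSH "Offending key" warning, after
# confirming it belongs to the expected server.

# offending_line MESSAGE -> prints "FILE N" parsed from the warning line.
#   Accepts both "Offending key in F:N" and "Offending DSA key in F:N".
offending_line() {
    printf '%s\n' "$1" |
      sed -n 's/^Offending \([A-Za-z0-9]* \)\{0,1\}key in \(.*\):\([0-9][0-9]*\)$/\2 \3/p'
}

# host_on_line FILE N -> the host field (first column, may be "a,b,c") of line N
host_on_line() {
    sed -n "${2}p" "$1" | awk '{print $1}'
}

# remove_line FILE N -> deletes line N, keeping the original as FILE.bak
remove_line() {
    cp "$1" "$1.bak"
    sed "${2}d" "$1.bak" > "$1"
}

# forget_offending_key MESSAGE EXPECTED_HOST
#   Refuses to touch the file unless line N of it names EXPECTED_HOST.
#   Prints "removed" or "mismatch"; returns 1 on mismatch or parse failure.
#   (For hashed entries use the built-in:  ssh-keygen -R EXPECTED_HOST -f FILE)
forget_offending_key() {
    set -- $(offending_line "$1") "$2"
    [ $# -eq 3 ] || { echo "could not parse message" >&2; return 1; }
    file=$1; line=$2; expected=$3
    host=$(host_on_line "$file" "$line")
    case ",$host," in
        *",$expected,"*) remove_line "$file" "$line"; echo removed ;;
        *)               echo mismatch; return 1 ;;
    esac
}

# --- demo with a constructed known_hosts (key blobs are placeholders) -------
DEMO=$(mktemp -d)
KH="$DEMO/known_hosts"
printf '%s\n' \
  'cory.eecs.berkeley.edu ssh-rsa AAAAB3PLACEHOLDERcory' \
  'c199.eecs.berkeley.edu,128.32.0.1 ssh-dss AAAAB3PLACEHOLDERc199' \
  'soda.eecs.berkeley.edu ssh-rsa AAAAB3PLACEHOLDERsoda' > "$KH"
MSG="Offending key in $KH:2"
forget_offending_key "$MSG" soda.eecs.berkeley.edu   # mismatch: line 2 is c199
forget_offending_key "$MSG" c199.eecs.berkeley.edu   # removed
echo "lines left: $(wc -l < "$KH")"                  # 2
rm -rf "$DEMO"
```

Run it as forget_offending_key "Offending key in $HOME/.ssh/known_hosts:2"
c199.eecs.berkeley.edu, pasting the line from your own warning.  Before
that, compare the fingerprint printed in the warning with the one listed
under http://inst.eecs.berkeley.edu/~inst/hostkeys/ for that server; the
script only removes the stale line and never adds the new key, so the next
'ssh' will still ask you to confirm the replacement.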
If you have recent versions of OpenSSH and the X.Org X11 server, you may
see errors like these when you try to open an X Windows window after
logging in to a remote computer using "ssh":

"X Error of failed request: BadAtom" Error
-------------------------------------------

If you get this error, you are probably using OpenSSH and the X.Org X11
server.  Try using "ssh -X -Y" when connecting.  See below for more
information.

"X protocol Error: BadAccess" Error
-----------------------------------

If you have recent (7.x) versions of OpenSSH and the X.Org X11 server, you
may see errors like these when you try to open an X Windows window after
logging in to a remote computer using "ssh":

  X protocol error: BadAccess (attempt to access private resource denied)
  X Error of failed request: BadAtom (invalid Atom parameter)

This is solved by using the ssh "-Y" option, for example:

  ssh -X -Y -2 user@hostname

The "-Y" (X Windows 'trusted' forwarding) seems to be required when your
computer is running the X11R6.8.2 (or newer) server from http://www.x.org.
For example, MacOSX 10.4 running OpenSSH_3.8.1p1 requires this.

"Host key verification failed." Error
-------------------------------------

If you have OpenSSH on your computer and you have an old host key from one
of our computers (running an SSH Secure Shell server), you may see an error
like this from your 'ssh' command:

  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
  Someone could be eavesdropping on you right now (man-in-the-middle attack)!
  It is also possible that the DSA host key has just been changed.
  The fingerprint for the DSA key sent by the remote host is
  55:7b:29:88:67:20:99:4d:8d:b8:e9:e0:09:39:ec:fc.
  Please contact your system administrator.
  Add correct host key in /Users/Albert/.ssh/known_hosts to get rid of this message.
  Offending key in /Users/JohnDoe/.ssh/known_hosts:2
  DSA host key for c199.eecs.berkeley.edu has changed and you have requested strict checking.
  Host key verification failed.

You can generally trust that we have installed a new host key and accept a
new host key from our server.  To do that, delete your old host key for
that server and run 'ssh' again.  For example, in the message above, the
line

  Offending key in /Users/JohnDoe/.ssh/known_hosts:2

tells you that you can delete line 2 from /Users/JohnDoe/.ssh/known_hosts,
which is the old host key for that server.  Then run 'ssh' again and accept
the new host key when it asks you.

You can confirm that we have installed a new host key by looking up that
server under https://inst.eecs.berkeley.edu/~inst/hostkeys, or by asking
inst@eecs.berkeley.edu.

"scp: FATAL: Executing ssh1 in compatibility mode failed" Error
---------------------------------------------------------------

If you have OpenSSH on your computer and you use 'scp' to connect to a
server running SSH2, you may get this error:

  scp: FATAL: Executing ssh1 in compatibility mode failed (Check that scp1 is in your PATH).
  lost connection

You can tell what version of scp you have with the command

  scp -V

You cannot use "scp" from an OpenSSH computer to an SSH2 computer.  The
OpenSSH version of "scp" refuses to use SSH2 (although the OpenSSH version
of "ssh" does).

"warning: Executing /usr/local/bin/ssh1 for ssh1 compatibility" Error
---------------------------------------------------------------------

If you use a new SSH client to login to a computer that only has an old
SSH1 server, you will see this alarming warning:

  warning: Executing /usr/local/bin/ssh1 for ssh1 compatibility.
  Host key not found from the list of known hosts.
  !! If host key is new or changed, ssh1 protocol is vulnerable to an
  !! attack known as false-split, which makes it relativily easy to
  !! hijack the connection without the attack being detected. It is
  !! highly advisable to turn StrictHostKeyChecking to "yes" and
  !! manually copy host keys to known_hosts.
  Are you sure you want to continue connecting (yes/no)?

Just answer "yes" and continue as usual.

"FATAL ERROR: Server unexpectedly closed network connection"
------------------------------------------------------------

Putty has a default sequence of encryption policies that it uses.
Sometimes a server you are trying to login to does not support the one
that Putty is trying to use.  You can change the order of the encryption
types in Putty Configuration -> SSH.  Usually changing the first
encryption cipher from AES to Blowfish fixes it.

Alternatives to SSH
-------------------

These are other 'terminal' programs that support SSH:

Note that the commercial version of SSH Secure Shell is being replaced in
EECS by Putty.  SSH Secure Shell is no longer free and the older, free
version does not meet current campus security standards.

1) PuTTY: A Free Win32 Telnet/SSH Client from
     http://www.chiark.greenend.org.uk/~sgtatham/putty/
   This version of SSH handles the emacs metakey correctly from MS Windows.

2) WinSCP: A Free SCP/SFTP client to complement PuTTY.
     http://winscp.net/eng/download.php

3) TeraTerm SSH for Windows machines (a free implementation) can be had
   from
     http://hp.vector.co.jp/authors/VA002416/teraterm.html

4) SecureCRT for Windows machines can be purchased from Van Dyke
   Technologies,
     http://www.vandyke.com/products/securecrt/

Tutorials
---------

  Exceed:      http://inst.eecs.berkeley.edu/pub/doc/SSH_EXCEED.doc
  passphrase:  http://inst.eecs.berkeley.edu/pub/doc/SSH_Public.doc

Vista 64: Xming, Exceed, and Cygwin's Xwin don't work
-----------------------------------------------------

(Sep 2009) Xming, Exceed, and Cygwin's Xwin all fail to work properly in
Vista-64.  For details, please see
  http://inst.eecs.berkeley.edu/cgi-bin/pub.cgi?file=xwindows.help#8

Instructional Support Group
378/386/384 Cory, 333 Soda
inst@eecs.berkeley.edu