ServiceLink Manual

Chapter 10. Security

ssh (secure shell)

ssh (secure shell) provides a secure, encrypted way to login to a remote machine across a network or to copy ﬁles from a local

machine to a server. Many people do not realize that many programs such as telnet and ftp transmit your password in plain,

unencrypted text across your network or the Internet. ssh and its companion program scp provide a secure way to login or copy

ﬁles. The ssh protocol was originally invented by SSH Communications Security which sells commercial ssh servers, clients,

and other related products. The protocol itself has two versions - SSH1 and SSH2 - both of which are supported by most clients

and servers today. For more information about SSH Communications Security and its commercial products, visit

http://www.ssh.com/.

OpenSSH, included with the SME Server V5 with ServiceLink, is a free version of the ssh tools and protocol. The server

provides the ssh client programs as well as an ssh server daemon and supports both the SSH1 and SSH2 protocols. For more

information about OpenSSH, visit http://www.openssh.com/.

Once ssh is enabled, you should be able to connect to your server simply by launching the ssh client on your remote system and

ensuring that it is pointed to the external domain name or IP address for your server. In the default conﬁguration, you should next be

prompted for your user name. After you enter admin and your administrative password, you will be in the server console. From here

you can change the server conﬁguration, access the server manager through a text browser or perform other server console tasks.

If you do enable ssh access, you have two additional conﬁguration options:

• Allow administrative command line access over ssh - This allows someone to connect to your server and login as "root" with

the administrative password. The user would then have full access to the underlying operating system. This can be useful if

someone is providing remote support for your system, but in most cases we recommend setting this to No.

• Allow ssh using standard passwords - If you choose Yes (the default), users will be able to connect to the server using a standard

user name and password. This may be a concern from a security point of view, in that someone wishing to break into your system

could connect to your ssh server and repeatedly enter user names and passwords in an attempt to ﬁnd a valid combination. A more

secure way to allow ssh access is called RSA Authentication and involves the copying of an ssh key from the client to the server.

This method is supported by your server, but is beyond the scope of this manual and will eventually be covered by additional

documentation on the e-smith.org web site.

Note: By default, only two user names can be used to login remotely to the server: admin (to access the server console) and root

(to use the Linux shell). Regular users are not permitted to login to the server itself. If you give another user the ability to login

remotely to the server, you will need to access the underlying Linux operating system and manually change the user’s shell in

/etc/passwd.

10.2.1.1. ssh clients for Windows and Macintosh systems

A number of different free software programs provide ssh clients for use in a Windows or Macintosh environment. Several are

extensions of existing telnet programs that include ssh functionality. Two different lists of known clients can be found online at

http://www.openssh.com/windows.html and http://www.freessh.org/.

A commercial ssh client is available from SSH Communications Security at: http://www.ssh.com/products/ssh/download.html. Note

that the client is free for evaluation, academic and certain non-commercial uses.