Westhost Tips and Tricks

This is a series of papers on working with Westhost servers. It only applies to you if you are a Westhost customer. Any additions, corrections, feedback: email 'wh @ gnomedia.com'.

I'm occasionally available for contract or consultation work, contact me via the gnome above if you have a request.

Read the introduction first, it contains important information and warnings!

The Secure SHell

There be dragons here…

One of the best things about using Westhost is that they provide us with a secure shell for site logins. For those of you who are comfortable with Unix or Linux, this is familiar ground, but for those who come from a Windows™ background it will be strange and forbidding territory.

So, at some point I’ll get round to writing an intro to using SSH, but until I find time, here are a few useful tips.

Start learning on your own machine.

The best way to start learning the shell is to practise, and if you are a Windows user that will mean downloading and installing the Cygwin package, available from RedHat Software. Once installed you will have a pretty complete version of Unix running on your computer, and as an added bonus, you will also get the full set of man pages (which aren’t installed on your Westhost site). Try out the various commands; in particular, learn how to copy and move files, how to use tar to create and extract packages, and how to use vi, grep and perl for working with files.

Automating the SSH login.

[Thanks to Matt Domsch for sorting out how this works on Westhost2]
SSH works by authenticating the client and the server and then encrypting the connection (hence "Secure SHell"). The authentication can be automated using client keys, so that no password has to be entered. If your machine holds the private key that matches the public key installed on the server, the connection is authenticated. Thus one can log in by just entering:

$ ssh mydomain@mydomain.com

First, you will need to create the keys on your own computer. This is done using the ssh-keygen application. On your local computer, type:

$ ssh-keygen -t rsa

You will be prompted to enter the file to store the key in, the passphrase to use, and a passphrase confirmation. Hit Enter to use the default values for these (which in this case means no passphrase; this is OK).
This should create two files: ~/.ssh/id_rsa (the private key, which stays on your computer) and ~/.ssh/id_rsa.pub (the public key). Now to install the key on the server.
First create a directory /.ssh on your site and set the correct mode, so:

$ ssh mydomain@mydomain.com "mkdir /.ssh;chmod 0700 /.ssh"

and upload the public key to this directory:

$ scp ~/.ssh/id_rsa.pub mydomain@mydomain.com:/.ssh/authorized_keys

and enter the password when prompted. This should now upload the file to that location. (If you get an error that “scp could not be found” or similar it means that you need to install the wh-utils package).
And that should do it. You can now type ssh mydomain@mydomain.com and be logged on without a password. This is especially useful if you use scp for copying files around, as scp can then be used in a cron job.

Automating the SSH login on Windows.

[Thanks to Fayez Zaheer for this information]

This solution is for PuTTY users (get it from: http://www.chiark.greenend.org.uk/~sgtatham/putty/ - see WestHost Manual for more details).
  1. Download "PuTTYgen" (from: http://www.chiark.greenend.org.uk/~sgtatham/putty/).
  2. Open PuTTYgen, select "SSH2 (RSA)" at the bottom.
  3. Click "Generate" and then move your mouse around the blank area to "generate randomness" (as instructed).
  4. Change the "key comment" if you wish, and use a "key passphrase" if you like (but neither is necessary). Copy the text shown and paste it into a new text file. It should have the following format (don’t close PuTTYgen just yet):
    ssh-rsa [random string] [key comment]
    
    i.e. all on one line, where [random string] is the generated random string (it’s quite long, but it must all be on one line) and [key comment] is, of course, the key comment you entered. Save the text file as "authorized_keys" (no file extension) and upload it (in ASCII mode) into your root directory in a folder called .ssh (which you must create yourself and then CHMOD 700 .ssh). You must also CHMOD 644 authorized_keys once it is uploaded.
  5. Now switch back to PuTTYgen, and click "Save private key". A warning will appear if you have not chosen a "key passphrase" (click "Yes"). Save the file anywhere you like; I recommend saving it in the same directory as PuTTY, and out of a very visible location (such as the desktop). It should be saved in the format filename.PPK - you can now close PuTTYgen.
  6. Fire up PuTTY. If you have previously saved your WestHost SSH settings as a session, choose it from the list and click "Load". If this is your first time using PuTTY, then see the WestHost Manual for more details on how to set up PuTTY. One change I would recommend to save you more time is to change the "Host Name (or IP address)" setting to "username@domainname.com" instead of just "domainname.com" since then you do not have to type your username each time you connect. Click the + next to "Connection" then click "SSH" and make sure that in "Encryption cipher selection policy", you have the following order:
    Blowfish
    AES (SSH2 only)
    3DES
    -- warn below here --
    DES
    If your order is different, change it to match the above. Also make sure your "Preferred SSH protocol version" is set to 2, and if you like, you can select "Enable Compression".
  7. Now click on "Auth" (on the left, below "SSH"). Click "Browse" at the bottom, next to "Private key file for authorization" and select the .PPK file you just created above. In the left window pane, click on "Session", and save the changes to your session, so your settings are saved the next time you launch PuTTY. Now just click "Open", and if you have done everything correctly, you will see something like this:
    Using username "[username]".
    Authenticating with public key "[key comment]"
    Last login: [Day Month Date Time Year] from [IP address]
    Where [username] is your username, [key comment] the key comment you entered, [Day...] the timestamp and [IP address] the last IP address you used to log in.

If you get an error such as "Server refused our key" then you have done something wrong. Please go back to step one and retrace your steps and make sure you do everything correctly.
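
The requirements given in both sets of instructions above (.ssh at mode 700, authorized_keys at mode 644, each key on a single line) can be checked mechanically. The Python below is an added example, not part of the original instructions; it assumes the plain "ssh-rsa [data] [comment]" line format shown above with no per-key options, and its function names and the sample key it builds are made up for illustration.

```python
import base64, os, stat

def read_fields(blob):
    """Split an SSH public-key blob into length-prefixed fields; None if malformed."""
    fields, pos = [], 0
    while pos < len(blob):
        head = blob[pos:pos + 4]            # 4-byte big-endian field length
        n = int.from_bytes(head, "big")
        pos += 4 + n
        if len(head) < 4 or pos > len(blob):
            return None                     # length runs past the end: truncated key
        fields.append(blob[pos - n:pos])
    return fields

def check_key_line(line):
    """Return a problem description for one key line, or None if it is well formed."""
    parts = line.split(None, 2)             # key type, base64 data, optional comment
    if len(parts) < 2:
        return "expected 'ssh-rsa <data> [comment]' on one line"
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return "key data is not valid base64"
    fields = read_fields(blob)
    if not fields:
        return "key data is truncated (line wrapped?)"
    # The first field inside the data repeats the key type named on the line.
    return None if fields[0] == parts[0].encode() else "key type does not match the key data"

def check_authorized_keys(ssh_dir):
    """List problems with ssh_dir and the authorized_keys file inside it."""
    keys_file = os.path.join(ssh_dir, "authorized_keys")
    problems = []
    for path, allowed in ((ssh_dir, 0o700), (keys_file, 0o644)):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & ~allowed:                 # any permission bit beyond the allowed set
            problems.append(f"{path}: mode {mode:04o} is looser than {allowed:04o}")
    with open(keys_file) as fh:
        for num, line in enumerate(fh, 1):
            line = line.strip()
            err = check_key_line(line) if line and not line.startswith("#") else None
            if err:
                problems.append(f"line {num}: {err}")
    return problems

def constructed_key_line(comment="demo-key"):
    """Build a structurally valid but meaningless ssh-rsa line (constructed sample)."""
    parts = [b"ssh-rsa", b"\x01\x00\x01", b"\x00" + bytes(range(128, 256))]
    blob = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"
```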

SSH on the road.

I’m often on the road and it’s quite likely that within 24 hours of me leaving the office some disaster will befall a web site or some text will urgently need changing. If I can find an Internet cafe running Linux then I can probably log in with SSH and make any changes that are needed. But most Internet cafes are running Windows and few if any will have an SSH client installed. But now I think I have a solution:
Install a Java applet that can function as an SSH client!
I’ve found one that seems to work quite well; it’s called MindTerm and is available from www.appgate.com/. They offer a limited free version and a pay-for version. The free one seems to be powerful enough. The same program (but an earlier version) is also available from ISNetworks.
The applet will need to be installed on your website along with an HTML page to embed it in. Create a directory, upload the java jar files and create the HTML page. If you want an extra layer of security, then protect the directory with a .htaccess file. Then you can log on as usual to your site. And even better you can do it from any Java enabled browser anywhere in the world.
Of course, I don’t want to install this on all my clients’ web sites; that would be a lot of work and would also be an intrusion on their web sites. But I don’t need to. Once I have shell access to my site, I can SSH out of there into any of the other sites that I need to work on. (Note that you might need to install the wh-utils package to have the ssh client available).