Secure Remote Login to Athena
Regular telnet programs send data (including your password) over the
network "in the clear" where they can be intercepted and used to
compromise your account, the machine you're connecting to, and the
network as a whole. Kerberized, encrypted telnet provides kerberos
authentication (to protect your password), and encryption to protect
your data. For general information about kerberized telnet and related
security issues, see:
Kerberized telnet clients for Mac and PC (NCSA telnet and HostExplorer,
respectively) are available free of charge to the MIT community. For
more information and to download the program for your machine, see the
I/S page on Kerberized
Telnet at MIT.
Installation kits for kerberized telnet and ftp software are available;
see the Network group's page on Kerberized Telnet at
MIT. They also maintain a Security Primer for
UNIX system administrators at MIT.
SSH is a widely-used remote login program which provides authentication
(to protect your password) and encryption (to protect your data). It
does not generally use Kerberos, although more recent versions include
this as an option.
A free Unix version of SSH is available for most platforms from http://www.ssh.org/. At this writing,
only commercial clients are available for Mac and PC; trial versions
and more information are available from the F-Secure SSH
site.
Generally, ssh involves users generating public/private key pairs and
using them to authenticate, but the default behavior on Athena is to
use either Kerberos authentication (with forwardable tickets), or
simple password authentication. The reason for this is that
you need to get Kerberos tickets to be able to do things like read
your files and incorporate your mail, and you can't get tickets on the
remote machine without either forwarding them from the machine you're
already logged in to, or typing your password.
If you have forwardable Kerberos tickets on your machine (the default
in Athena 8.2 and later), then ssh will use them to authenticate you
and log you in. If you don't, it will fall back to password
authentication (ssh always encrypts your connection, including any
password you type).
To connect to a dialup:
ssh athena.dialup.mit.edu
To specify your Athena username (necessary if it is different from your
username on the local machine), use the flag -l (lowercase "L") followed
by your Athena username:
ssh athena.dialup.mit.edu -l jqpublic
The first time you connect, you will see:
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)?
Type "yes". It will respond:
Host 'athena.dialup.mit.edu' added to the list of known hosts.
jqpublic's password:
Type your password now (ssh always encrypts your
connection, so it's safe to type it here). You should then see the
usual login sequence, culminating in your favorite prompt:
athena%
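The "Host key not found" prompt above is the moment ssh asks you to trust a host key it has never seen; once you answer "yes" the key is recorded in your known hosts file and later connections are checked against it, so the file is your record of which hosts you have decided to trust. The following is an added example, not part of the original page or of the ssh software it describes: it parses a known hosts file and reports whether a host is already trusted and, if so, the fingerprint you would compare against one obtained out of band. It assumes the modern OpenSSH known_hosts layout (host field, key type, base64 key; optionally hashed host fields of the form `|1|salt|hash`), which differs from the file format the 1999 ssh client used. The entries, hostnames and key blob are constructed for the example and are not real Athena host keys.

```python
import base64
import hashlib
import hmac


def ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length prefix)."""
    return len(b).to_bytes(4, "big") + b


# Constructed, not a real host key: an ssh-ed25519 public-key blob whose
# 32-byte point is a dummy byte sequence.
SAMPLE_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_KEY_B64 = base64.b64encode(SAMPLE_KEY_BLOB).decode()


def hashed_host_entry(hostname: str, salt: bytes) -> str:
    """Build the '|1|salt|hash' host field OpenSSH writes when HashKnownHosts is on.
    hash = HMAC-SHA1(key=salt, message=hostname); salt is 20 bytes."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


# Constructed sample known_hosts contents: one plain entry (comma-separated
# host list) and one hashed entry, both carrying the constructed key above.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample entries, not real host keys",
    "athena.dialup.mit.edu,athena-dialup ssh-ed25519 " + SAMPLE_KEY_B64,
    hashed_host_entry("athena-x.dialup.mit.edu", b"constructed-salt-20!")
    + " ssh-ed25519 " + SAMPLE_KEY_B64,
    "",
])


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints (base64 without padding)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_matches(host_field: str, hostname: str) -> bool:
    """Match hostname against a known_hosts host field: either a comma-separated
    list of names/addresses, or a hashed '|1|salt|hash' entry."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return hostname in host_field.split(",")


def lookup_known_host(known_hosts_text: str, hostname: str):
    """Return (key_type, fingerprint) if hostname already has a trusted key,
    else None. None is the state in which ssh prints "Host key not found"
    and asks you to accept a key on first use; in that case the fingerprint
    you accept should be checked against one obtained out of band."""
    for line in known_hosts_text.splitlines():
        line = line.strip()
        # Skip blanks, comments and marker lines (@cert-authority, @revoked);
        # markers carry extra semantics this example does not model.
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line
        host_field, key_type, key_b64 = fields[0], fields[1], fields[2]
        if host_matches(host_field, hostname):
            return key_type, fingerprint(key_b64)
    return None


if __name__ == "__main__":
    for host in ("athena.dialup.mit.edu", "athena-x.dialup.mit.edu", "other.example.org"):
        found = lookup_known_host(SAMPLE_KNOWN_HOSTS, host)
        if found is None:
            print("%s: not in known hosts; first connection will prompt you to accept a key" % host)
        else:
            print("%s: trusted %s key, fingerprint %s" % (host, found[0], found[1]))
```

Running the block prints the key type and fingerprint for the two constructed Athena hosts and reports the third host as unknown. Hashed entries are matched by recomputing the HMAC rather than by reading the hostname, which is exactly why a hashed file cannot be inspected by eye; comparison uses `hmac.compare_digest` so the check takes constant time.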
To connect from Athena to a machine running SSH, you'd start similarly:
athena% ssh hostname -l username
where hostname is the full address of the machine you're
connecting to, and username is your username on that machine,
if different from your Athena username.
If you see an "X11 forwarding error" when you connect, it probably means
your ssh client tried to arrange for X connections to go through the
encrypted ssh channel, but the remote machine refuses (e.g., because it
is a non-X dialup).
For more information on SSH see:
X connections are not generally secure (i.e., if you run X
applications remotely, what you do within those applications
goes across the network in the clear). SSH, however, allows you to run
your X connection through an encrypted ssh channel. If you use SSH to
connect to athena-x.dialup.mit.edu (or a private Athena workstation with
remote-access enabled), it should arrange this for you automatically.
See the OLC stock answer on running X
Windows remotely for detailed instructions on setting up remote
display.
Last modified: Mon May 10 14:24:36 1999