MIT Information Systems

Secure Remote Login to Athena

Telnet

Regular telnet programs send everything you type (including your password) over the network "in the clear", where it can be intercepted and used to compromise your account, the machine you're connecting to, and the network as a whole. Kerberized, encrypted telnet provides Kerberos authentication (so your password never crosses the network) and encryption to protect the rest of the session. For general information about kerberized telnet and related security issues, see:

Kerberized telnet from Mac or PC

Kerberized telnet clients for Mac and PC (SecureCRT and HostExplorer, respectively) are available free of charge to the MIT community. For more information and to download the program for your machine, see the I/S page on Kerberized Telnet at MIT.

Kerberized telnet from non-Athena UNIX systems

Installation kits for kerberized telnet and ftp software are available; see the Network group's page on Kerberized Telnet at MIT. They also maintain a Security Primer for UNIX system administrators at MIT.

SSH (Secure Shell)

SSH is a widely-used remote login program which provides authentication (to protect your password) and encryption (to protect your data). It does not generally use Kerberos, although more recent versions include this as an option.

A free version of SSH is available for most Unix platforms; there are commercial and shareware versions for Mac and PC. Alternatively, if your browser includes Java support, you can use MindTerm SSH to connect to athena.dialup.mit.edu securely without installing an SSH client on your machine (please use this page instead if you are using Netscape on a Macintosh); Netscape version 4.06 or higher is recommended for best results. For more information on SSH including links to download sites see our SSH Overview.

Using SSH on Athena

Note that ssh2 clients will not work on Athena. While the ssh2 server has a compatibility mode which allows ssh1 clients to connect to it, ssh2 clients are not backwards-compatible with ssh1 servers. There is work underway on integrating OpenSSH into Athena, which will provide ssh2 and sftp support; this will most likely be added for Athena 9.1 in summer 2002, but may be made available on the dialups sooner. Unix users can take the appropriate ssh1 client from the crypto locker in order to connect to Athena.

Generally, ssh involves users generating public/private key pairs and using them to authenticate, but the default behavior on Athena is to use either Kerberos authentication (with forwardable tickets), or simple password authentication. The reason for this is that you need to get Kerberos tickets to be able to do things like read your files and incorporate your mail, and you can't get tickets on the remote machine without either forwarding them from the machine you're already logged in to, or typing your password.

If you have forwardable Kerberos tickets on your machine (the default in Athena 8.2 and later), then ssh will use them to authenticate you and log you in. If you don't, it will fall back to password authentication (ssh always encrypts your connection, including any password you type).

Note that the first time you connect to a machine, ssh will ask you whether to accept the host key before it connects and adds the public key to your ~/.ssh/known_hosts file; for details on the security concerns involved and information about verifying the key, see the last section of the Athena Dialup SSH page. (If you are connecting to a private Athena workstation, you can view its public key in /etc/ssh_host_key.pub.)

Example

To connect to a dialup:
      ssh athena.dialup.mit.edu
To specify your Athena username (necessary if it is different from your username on the local machine), use the flag -l (lowercase "L") followed by your Athena username:
      ssh athena.dialup.mit.edu -l jqpublic
The first time you connect, you will see:
      Host key not found from the list of known hosts.
      Are you sure you want to continue connecting (yes/no)? 
Type `yes'. It will respond:
      Host 'athena.dialup.mit.edu' added to the list of known hosts.
      jqpublic's password:
Type your password now (ssh always encrypts your connection, so it's safe to type it here). You should then see the usual login sequence, culminating in your favorite prompt:
      athena%
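Typing `yes' at the "Host key not found" prompt trusts whatever key the far end presented, which is exactly what an attacker sitting between you and the dialup would exploit. The script below is an added example, not code from the original page or from Athena: it checks the entry ssh1 wrote to ~/.ssh/known_hosts against the key a private Athena workstation publishes in /etc/ssh_host_key.pub, the file named above. It assumes the ssh1 file formats ("host bits exponent modulus" in known_hosts, "bits exponent modulus comment" in the .pub file); the key material and file paths are constructed samples written by the script itself, far shorter than a real RSA1 modulus.

```shell
#!/bin/sh
# Added example (not from the original page): verify an ssh1 host key that
# was accepted on first connection by comparing the known_hosts entry with
# the key the workstation itself publishes in /etc/ssh_host_key.pub.
# All key material below is constructed and is not a real key.

# Print "bits exponent modulus" for HOST from an ssh1 known_hosts file.
# An entry's first field may list several names separated by commas
# (e.g. "athena.dialup.mit.edu,18.0.0.1"), so every name is checked.
# Usage: known_hosts_key KNOWN_HOSTS HOST
known_hosts_key() {
    awk -v h="$2" '
        { n = split($1, names, ",")
          for (i = 1; i <= n; i++)
              if (names[i] == h) { print $2, $3, $4; exit } }' "$1"
}

# Print "bits exponent modulus" from an ssh1 public host key file
# (format: "bits exponent modulus comment").
# Usage: pub_key FILE
pub_key() {
    awk '{ print $1, $2, $3; exit }' "$1"
}

# Compare the recorded key with the published one.
# Returns 0 on match, 1 on mismatch, 2 if HOST has no known_hosts entry.
# Usage: verify_host_key KNOWN_HOSTS HOST PUB_FILE
verify_host_key() {
    recorded=$(known_hosts_key "$1" "$2")
    published=$(pub_key "$3")
    if [ -z "$recorded" ]; then
        echo "no entry for $2 in $1" >&2
        return 2
    fi
    if [ "$recorded" = "$published" ]; then
        echo "host key for $2 matches $3"
        return 0
    fi
    echo "HOST KEY MISMATCH for $2: do not trust this connection" >&2
    return 1
}

# --- constructed sample data (not real keys, not your own files) ---
SAMPLE_DIR=$(mktemp -d)
KNOWN_HOSTS="$SAMPLE_DIR/known_hosts"
GOOD_PUB="$SAMPLE_DIR/ssh_host_key.pub"
BAD_PUB="$SAMPLE_DIR/other_host_key.pub"

cat > "$KNOWN_HOSTS" <<'EOF'
athena.dialup.mit.edu,18.0.0.1 1024 35 1234567890123456789
private-ws.mit.edu 1024 37 9876543210987654321
EOF
echo '1024 37 9876543210987654321 root@private-ws.mit.edu' > "$GOOD_PUB"
echo '1024 37 1111111111111111111 root@impostor' > "$BAD_PUB"

# Expected use: copy /etc/ssh_host_key.pub from the workstation by some
# out-of-band route (console, a trusted file transfer) and compare.
verify_host_key "$KNOWN_HOSTS" private-ws.mit.edu "$GOOD_PUB"
```

The comparison is only as good as the channel you fetched the .pub file over: reading it from the workstation's own console, or over a connection whose host key you have already verified, is the point; fetching it through the very ssh session you are trying to check proves nothing. If the keys differ, delete the stale known_hosts line only after you know the host was legitimately rekeyed.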

To connect from Athena to a machine running SSH, you'd start similarly:

      athena% ssh hostname -l username
where hostname is the full address of the machine you're connecting to, and username is your username on that machine, if different from your Athena username.

If you see an "X11 forwarding error" when you connect, it probably means your ssh client tried to arrange for X connections to go through the encrypted ssh channel, but the remote machine refuses (e.g., because it is a non-X dialup).

Running X Windows applications remotely

X connections are not generally secure (i.e., if you run X applications remotely, what you do within those applications goes across the network in the clear). SSH, however, allows you to run your X connection through an encrypted ssh channel. If you use SSH to connect to athena-x.dialup.mit.edu (or a private Athena workstation with remote-access enabled), it should arrange this for you automatically.

See the OLC stock answer on running X Windows remotely for detailed instructions on setting up remote display.



MIT Information Systems Comments and feedback to olh-suggest@mit.edu