ACADEMIC COMPUTING and COMMUNICATIONS CENTER
Unix 101

SSH and sFTP for Macs -- A Secure Replacement for Telnet and FTP

 

SSH (Secure SHell) is a secure alternative to telnet. The ACCC supports the SSH that comes with Mac OS X and has a site-license for Fetch, an FTP and secure FTP -- SFTP -- application for Mac OS X. You'll probably find that they work a lot like whatever telnet and FTP you've been using. The ACCC also supports Fugu, a freeware Mac OS application that does sFTP.

But don't stop at just using SSH as a telnet substitute -- it can do more, including providing an easy and secure way to use X Windows -- SSH X11 Tunneling.

 
   
 
     
Privacy and Logging In
 

You've listened when we told you to be careful with your password, haven't you? You never write it down, you don't tell it to your friends, you don't save it in Eudora, and you don't enter it on the Web except when you use WebMail or when you're asked for it by the UIC WWW Identification Service, a.k.a. Bluestem. When you choose your passwords you don't use your spouse's name or your dog's name and you don't use a dictionary word that could be guessed.

That means your password is safe, doesn't it?

Well, not really. Each time you login to your argo, icarus, or tigger account, after you type your password and press Enter, your password is sent out over "the network." That ******** stuff you see as you type your password is just to fool anyone who's looking over your shoulder -- your actual password is sent over the network "in the clear," exactly as you typed it. That means that it could be intercepted and read by anyone else who's on the same network.

The same privacy considerations that apply to email and files also apply to remote logins. You have every right to expect security for your interactions when you're logged in to a remote host machine:

Authenticity:
Being able to tell without a doubt what the source of the data is. Your password tells the server who you are, but that's only half of the question; the server should also assure you what it is.
Privacy:
Scrambling data so it can't be used by anyone except the person or machine that it's intended for. Privacy in remote logins means encrypting your password and, for that matter, your entire session, so only you and the server you're logged into can read it.
Integrity:
Assurance that the server is receiving everything you send it, nothing more, nothing less. And vice versa -- assurance that you're receiving the exact messages, output, and files the server sends you, nothing more, nothing less.

Yes, remote logins are vulnerable in all these areas. Say you're going from here to there. If the route from here to there goes through someone else's network, a bad guy on that network could eavesdrop on your transmission, looking for passwords, credit card numbers, or business secrets. Or they could use IP spoofing to redirect your communications to a fake server. Or a bad guy on a machine that's somewhere in the middle of your route from here to there could intercept your traffic and respond to you as if it were there and respond to there as if it were you. That's called a "man-in-the-middle" attack, and if the man in the middle is careful, you wouldn't even know it happened to you.

 
     
SSH: Strong Security for Remote Logins
 

SSH's security is transparent because it's an application layer protocol -- you use SSH software to login to a remote host instead of using telnet. And SSH really is secure. It supplies two-way authentication, including the server authenticating itself to you. After exchanging keys, your entire session is encrypted, including your password and everything that you send to the host server and everything it sends to you.

The best thing about SSH is that all this security stuff goes on behind the scenes. From your point of view as a user, an SSH login session looks like just another version of telnet.

It's no harder to switch to an SSH secure remote login application than it is to change from one vendor's telnet to another's.

This is all why the ACCC is about to require SSH for remote logins to its machines. There is an ssh client built into Mac OS X.
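
The server's half of that two-way authentication rests on a host key that the client remembers. The script below is an added illustration, not ACCC or OpenSSH code: it reproduces the lookup a client makes in a `known_hosts` file, using constructed placeholder keys and handling plain (unhashed) entries only. A `MISMATCH` is what a fake or man-in-the-middle server produces.

```shell
#!/bin/sh
# Added illustration of the known_hosts lookup an SSH client makes before it
# trusts a server. Handles plain entries only (no hashed hosts, no @markers).
# Entry format: host[,host...] keytype base64-key [comment]

# Constructed sample data: the key strings are placeholders, not real keys.
make_sample_known_hosts() {
    cat > "$1" <<'EOF'
# constructed entries for this example
tigger.cc.uic.edu,tigger ssh-rsa AAAAB3CONSTRUCTEDKEYtigger
other.example.edu ssh-rsa AAAAB3CONSTRUCTEDKEYother
EOF
}

# check_host_key FILE HOST KEYTYPE KEY
# Prints match, MISMATCH or unknown; exit status 0, 2 or 1 respectively.
check_host_key() {
    awk -v host="$2" -v ktype="$3" -v key="$4" '
        NF == 0 || $1 ~ /^#/ { next }   # blank lines and comments
        $1 ~ /^[@|]/         { next }   # markers and hashed host names
        $2 == ktype {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) {
                if (names[i] != host) continue
                if ($3 == key) verdict = "match"
                else if (verdict == "") verdict = "MISMATCH"
            }
        }
        END {
            if (verdict == "") verdict = "unknown"
            print verdict
            if (verdict == "match") exit 0
            if (verdict == "MISMATCH") exit 2
            exit 1
        }
    ' "$1"
}

# Demo: the pinned key, then a different key claiming to be the same host.
kh=$(mktemp)
make_sample_known_hosts "$kh"
check_host_key "$kh" tigger.cc.uic.edu ssh-rsa AAAAB3CONSTRUCTEDKEYtigger || true
check_host_key "$kh" tigger.cc.uic.edu ssh-rsa AAAAB3CONSTRUCTEDKEYother || true
rm -f "$kh"
```

An `unknown` result corresponds to the first connection to a host, when the key has to be confirmed some other way before it is accepted.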

 
     
-- Confused by the Names? More About SSH and Secure Shell (Secsh)
 

SSH Secure Shell, the software, was written in 1995 by Tatu Ylonen, a Finnish computer scientist. Both "SSH" and "secure shell" are trademarks of his company, SSH Communications Security Corp. The U of I has a site license for their products for Windows.

The SSH code, however, is freely available and is used in a number of other secure remote login applications, for a wide range of operating systems; see: http://linuxmafia.com/ssh/ for an up-to-date list and links.

For more information, see:

 
     
Using SSH on Mac OS X
 

Mac OS X comes with an SSH client. To use it:

  1. Open Applications -> Utilities -> Terminal
    (or Control-click Terminal -> Connect to server if you have it in your dock.)
  2. Click Secure Shell (ssh).
  3. If the server you want to connect to is listed in the Server box, click on it; if not, type it after the ssh -1 in the box at the bottom.
  4. Select SSH Protocol 2 from the dropdown list.
  5. Type your netid in the User: box.
  6. Click Connect.
  7. Note: To logoff, you must use: exit
    not logoff or logout.

Figure 4: Opening SSH on Mac OS X

Mac OS X's Terminal utility has an SSH function and also allows you to do sFTP, which you open similarly to SSH. But this sFTP is a command line utility, not a graphic utility, so it might be harder to use.

Mac OS X SSH and other protected services
 
     
Using sFTP SSH Secure FTP for Mac OS X
 

The same security considerations for your passwords apply to FTP; and there is the admittedly rare possibility that the files you are transferring could get tampered with. The ACCC supports two GUI Secure FTP packages for Mac OS X:

  • Fugu, a freeware graphical frontend to the command line sFTP that comes with Mac OS X, and
  • Fetch, the Mac OS FTP software that's been in the ACCC's Network Services Kit for a long time, and, with its new Fetch 5.0 and higher, now supports sFTP.

Again, soon you will only be able to use SFTP to transfer files to an ACCC machine.

 
     
-- Fugu Secure FTP for Mac OS X
 

For more information on Fugu, see the Fugu Readme file, which is a lot more than a Readme file. It also explains how to use it. Some of the screenshots are a bit out of date, but all in all, it's quite good. It's on the Fugu home page; click Documentation.

Installing Fugu

  1. Go to Fugu's Web home page, click on Download, and download the most recent version of Fugu in the language of your choice. I'm downloading Fugu-1.2.0-English.dmg.
  2. Save the .dmg file to your desktop or wherever else you'd like to stash it.
  3. It downloads as an .exe file, but when you click on it, its name will change to .dmg. Double-click on the .dmg file.
  4. Read the License Agreement and click Agree to proceed.
  5. The installer will attach the .dmg file.
  6. If the Fugu "disk" doesn't open by itself, open Finder and double-click on the Fugu disk image to open.
  7. Drag and drop the Fugu fish into your Applications folder.
  8. Delete the .dmg file and eject the disk in Finder.

Using Fugu

  1. Double-click on the Fugu fish icon in your Applications folder.
  2. Fugu is quite easy to use. Your first level Mac directory will be displayed on the left-hand side.
  3. On the right-hand side, you type the name of the computer you want to transfer files to or from, in the Connect to: box. For example, tigger.cc.uic.edu.
  4. You also type your Username: on that machine. Since my username on my Mac and my username -- netid -- on tigger are the same -- judygs -- that's already filled in for me.
  5. You can optionally specify the Port: you want to connect at and the Directory: on the other machine that you want to be at when you connect. And there are other options as well; check them out.
  6. If you're going to be using this machine again, click Add to Favorites; then it will be listed in the dropdown list headed by the globe.
  7. Click Connect to connect.

  8. You will be asked to enter your password. Do so and click Authenticate.
  9. Now your tigger home directory will be displayed on the right-hand side.


  10. Drag the items you want to upload from the left side and drop them on the right side and do the reverse for downloading. In fact, you can drag files that you are downloading anywhere on your desktop or to any open Finder window. Uploading or downloading files does not remove them from their original location. These file transfers use SFTP.
  11. Most everything about the Fugu screen is obvious, except for the large blue arrows just above the scroll bars of the local and remote directories. They don't mean upload; they mean go up one directory. If it's not obvious to you, read the Fugu Readme file; it has step-by-step instructions.
  12. Downloading and Uploading directories. Fugu's SFTP won't download or upload whole directories; use SCP (Secure CoPy) for that:
    1. Select SCP from the Fugu main menu, then New Secure Copy.
    2. Fill out the New Secure Copy dialog box:
      • Item to Copy: It's easiest to click Choose and choose it from the directory list.
      • Copy Type: click the Upload or Download radio button.
      • Remote Host: You will most likely be able to select this from the pop-up list.
      • User Name: Your netid if we're talking about tigger or icarus
      • Copy File to Path: If you are copying to your tigger or icarus account, it will start out in your home directory, so if you want something to be ~yournetid/directory/, just use directory/.
    3. Click Secure Copy.
    4. If necessary, it will ask you for your password; type it and click Authenticate.
    5. Both the directory and its contents will be uploaded or downloaded.

Changing Permissions with Fugu

Control-click on the name of a file or directory and select Get Info from the menu.

The items that Info allows you to change on a Unix workstation are: Owner, Group, and Permissions. (Providing, of course, that you have the authority to do so.)

 
     
-- Fetch Secure FTP for Mac OS X
 
  • Fetch 5.1.1 is a Universal application, compatible with Mac OS X 10.3.9 or later, including Mac OS X 10.4 Tiger on Intel and PowerPC Macintoshes.
  • Not running Mac OS X 10.3.9 or later? Fetch 5.0.5 is compatible with Mac OS X 10.2.4 or later and Fetch 4 is compatible with Mac OS X, Mac OS 9, Mac OS 8, and System 7. Fetch 5 supports sFTP; Fetch 4 does not.

Installing Fetch

  1. Fetch 5.04 is available for free download from E-Sales; if you need Fetch 5.1.1, go to E-Sales to get the license name and serial number, and download Fetch 5.1.1 from Fetch Softworks.
  2. Save the .dmg file to your desktop or wherever else you'd like to stash it.
  3. Double-click on the .dmg file.
  4. Drag the Fetch.app dog into your Applications folder.
  5. Then a dialog box will open asking whether you want to install the Fetch Dashboard widget. Click Not Now or Install Widget.
  6. Click OK when the Dashboard widget is installed.

Using Fetch

  1. Double-click on the Fetch dog icon in your Applications folder.
  2. The connection dialog box opens. Fill in the Hostname:, Username:, and Password: boxes with the name of the machine you're connecting to, your login ID on that machine, and your password on that machine. In the figure, Ada Byron is logging into tigger.uic.edu and her netid is adabyron. The Password: is her ACCC common password. Select SFTP from the dropdown list, and click Connect.
  3. If this is a connection that you will want to use again, click the heart icon at the end of the Hostname: line before you click Connect, and click Make Shortcut in the small dialog box that opens. This opens another dialog box where you enter the name for the shortcut. The default name for the shortcut will be the host name. If you also click Make this the default shortcut, it will be opened by default for you when you open Fetch. Click OK to create the shortcut.

    The shortcuts are listed in Fetch's other screen, Fetch Shortcuts, which is at the top left of your desktop, where you can delete or edit them. You can use them from the heart dialog box.

  4. Then Ada's home directory on tigger will be displayed in Fetch's screen:
    Ada's home directory on tigger displayed in Fetch
  5. You can highlight a file and click Get to download it, or click Put to open up a Mac file dialog box to select a file to upload. But it's easier to double-click on the name of a directory that you want to open, double-click the name of a file that you want to download, and drag and drop a file from your Mac to the Fetch screen to upload it or vice versa.
  6. To change the permissions of a file on the server or to delete it, Control-click on its name and select Get Info or Delete item, respectively. To change the permissions, click the type of permissions you want to give and click Apply. In the instance below, the uploaded file UIC.pdf on tigger had the default permissions: owner, adabyron, read and write. Ada clicked group, comp, read and write, and clicked Apply. If this were a Web file, you'd want Owner read, write; Group read, write; Others read for files, and the same plus execute for all for directories. Of course, you have to have proper permission on the file on the server to do this.
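
The Web-file permissions named in the last step are mode 664 for files and 775 for directories. The script below is an added example, not ACCC code, for checking a whole directory tree against those modes from an SSH session on the server; the function names and the path in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example: check a Web directory tree against the modes described above.
#   files: owner rw, group rw, others r          -> 664
#   dirs:  the same plus execute for everyone    -> 775

# audit_web_perms ROOT
# Prints one line per finding and returns 1 if there are any, else 0.
# A world-writable finding means any other account on the host can
# change that file or directory.
audit_web_perms() {
    out=$(
        {
            find "$1" -type f ! -perm 664 | sed 's/^/file /'
            find "$1" -type d ! -perm 775 | sed 's/^/dir /'
            find "$1" ! -type l -perm -002 | sed 's/^/world-writable /'
        } | LC_ALL=C sort
    )
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}

# fix_web_perms ROOT
# Applies 775 to directories and 664 to regular files under ROOT.
fix_web_perms() {
    find "$1" -type d -exec chmod 775 {} +
    find "$1" -type f -exec chmod 664 {} +
}

# Usage: sh webperms.sh ~/public_html   (script name and path are examples)
if [ "$#" -ge 1 ]; then
    audit_web_perms "$1" || echo "run fix_web_perms to correct the above" >&2
fi
```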
 
 



2007-3-3  ACCC documentation