CK Cybers Time

Tuesday, May 8, 2007

SSH

Secure Shell or SSH is a set of standards and an associated network protocol that allows establishing a secure channel between a local and a remote computer. It uses public-key cryptography to authenticate the remote computer and (optionally) to allow the remote computer to authenticate the user. SSH provides confidentiality and integrity of data exchanged between the two computers using encryption and message authentication codes (MACs). SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding arbitrary TCP ports and X11 connections; it can transfer files using the associated SFTP or SCP protocols. An SSH server, by default, listens on the standard TCP port 22.

An ssh client program is typically used for establishing connections to an sshd daemon accepting remote connections. Both are commonly present on Unix-like systems, and implementations of SSH exist for most modern operating systems, including Sun OS, Mac OS, Linux-based distributions, Microsoft Windows, BSD operating systems (including Mac OS X), and OpenVMS. Proprietary, freeware and open source versions of various levels of complexity and completeness exist.


SSH is most commonly used:

  • with an SSH client that supports terminal protocols, for remote administration of the SSH server computer via a terminal (character-mode) console; this can be used as an alternative to a physical terminal on a headless server;
  • in combination with SFTP, as a secure alternative to FTP which can be set up more easily on a small scale without a public key infrastructure and X.509 certificates;
  • in combination with rsync, to back up, copy and mirror files efficiently and securely;
  • in combination with SCP, as a secure alternative for rcp file transfers—more often used in environments involving Unix
  • for port forwarding or tunneling, frequently as an alternative to a full-fledged VPN. In this type of use, a (non-secure) TCP/IP connection of an external application is redirected to the SSH program (client or server), which forwards it to the other SSH party (server or client), which in turn forwards the connection to the desired destination host. The forwarded connection is encrypted and protected on the path between the SSH client and server only. Uses of SSH port forwarding include accessing database servers, email servers, securing X11, Windows Remote Desktop and VNC connections or even forwarding Windows file shares. This is primarily useful for tunneling connections through firewalls which would ordinarily block that type of connection, and for encrypting protocols which are not normally encrypted (e.g. VNC).
  • ssh and rdesktop. Three computers are involved: the first computer, which runs rdesktop and ssh; a middle computer used to obtain access to the remote network; and the end computer whose desktop you want rdesktop to display. From the first computer run ssh -L 3389:<end computer>:3389 <middle computer>, log into the middle computer and do nothing further in that session. Open another shell on the first computer and type rdesktop localhost. The -L option makes the middle computer forward port 3389 on the end computer to port 3389 on the first computer, so rdesktop connecting to localhost actually reaches the end computer. If the first computer already has something listening on 3389 (a Windows machine with Remote Desktop enabled, for example), the forward fails; pick another local port, e.g. -L 3390:<end computer>:3389, and run rdesktop localhost:3390 instead.
  • Sometimes you may log into one machine from your local host, then log in from there to another machine, and run an X application (e.g. xterm, matlab) on the last machine to display on your local display. This is especially useful for running X applications on a department host from off campus when you have had to connect through another department host which is available for ssh login through the campus firewall. Essentially, you want to channel the X window through a series of logins back to the host at which you are sitting. The best way to do this is to make use of the X11 forwarding feature of ssh. For unix/linux to unix/linux, request X11 forwarding with the -X option (capital X): ssh -X host.com
  • X11 forwarding through multiple hosts: ssh -X hostA.com --> ssh -X hostB.com --> ssh -X hostC.com. Ensure the tunnel is working every step of the way by running something like xterm on hostB, then on hostC, before going further. If an application refuses to open (typically because the X server's security extension restricts what untrusted clients may do), the -Y option (trusted X11 forwarding) may be needed: ssh -Y hostA.com --> ssh -Y hostB.com --> ssh -Y hostC.com. Giving -X and -Y together is the same as -Y. Note that -Y lets X clients on the remote host do anything to your local display, including reading other windows and your keystrokes, so use it only with hosts you trust; with nested logins, every intermediate host sees the X11 traffic in the clear as well.
  • with an SSH client that supports dynamic port forwarding (presenting to other programs a SOCKS or HTTP 'CONNECT' proxy interface), SSH can even be used for generally browsing the web through an encrypted proxy connection, using the SSH server as a proxy;
  • with an SSH client that supports SSH exec requests (frequently embedded in other software, e.g. a network monitoring program), for automated remote monitoring and management of servers.
  • Using just a normal ssh login on a server, the SSH Filesystem (SSHFS, which runs over the SFTP subsystem) can securely mount a directory on the server as a filesystem on the local computer.
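The two multi-hop recipes above (rdesktop through a middle computer with -L, and X11 through a chain of hosts) are easy to get subtly wrong: a forward that silently fails because the local port is taken, a tunnel left running, or an X11 session that every intermediate host can read. The following shell helpers are an added example, not code from the original post. Host names such as jump.example.com and hostA.com are placeholders, and the x11_chain_cmd helper assumes an OpenSSH client of version 7.3 or later for the -J (ProxyJump) option, which is a more recent alternative to the nested ssh -X logins described in the text.

```shell
#!/bin/sh
# Added example, not code from the original post. Helpers for the two
# multi-hop uses of ssh described above. Host names are placeholders.
# Assumes an OpenSSH client of 7.3 or later for the -J (ProxyJump) option.

# is_port N: succeed if N is a usable TCP port number (1-65535).
is_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# rdp_tunnel_cmd MIDDLE END [LOCAL_PORT]: print the ssh command that makes
# LOCAL_PORT on this machine reach END:3389 through MIDDLE.
#   -N                       no remote shell; this login only carries the tunnel
#   -o ExitOnForwardFailure  fail loudly instead of logging in without the
#                            forward when LOCAL_PORT is already in use (a
#                            Windows box with Remote Desktop on 3389, say)
#   127.0.0.1: bind prefix   keep the forwarded port off other interfaces, so
#                            only this machine can use the tunnel
rdp_tunnel_cmd() {
  _middle=$1; _end=$2; _lport=${3:-3389}
  is_port "$_lport" || return 1
  printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:3389 %s\n' \
    "$_lport" "$_end" "$_middle"
}

# x11_chain_cmd [trusted] HOST...: print one ssh command that reaches the
# last HOST through the preceding ones with X11 forwarding. The jump hosts
# only relay TCP, so the X11 session is encrypted end to end to the last
# host rather than being decrypted on every intermediate login.
# "trusted" selects -Y instead of -X.
x11_chain_cmd() {
  _flag=-X
  if [ "$1" = trusted ]; then _flag=-Y; shift; fi
  [ $# -ge 1 ] || return 1
  _jumps=''; _target=''
  for _h in "$@"; do
    [ -n "$_target" ] && _jumps="${_jumps:+$_jumps,}$_target"
    _target=$_h
  done
  if [ -n "$_jumps" ]; then
    printf 'ssh %s -J %s %s\n' "$_flag" "$_jumps" "$_target"
  else
    printf 'ssh %s %s\n' "$_flag" "$_target"
  fi
}

# open_rdp_session MIDDLE END [LOCAL_PORT]: run the tunnel in the
# background, start rdesktop against it, and close the tunnel when rdesktop
# exits. Needs real hosts, so it is not called below.
#   -f     go to the background only once the forward is up, so rdesktop
#          never races the tunnel
#   -M -S  a control socket, so "ssh -O exit" can tear the tunnel down
open_rdp_session() {
  _lport=${3:-3389}
  is_port "$_lport" || return 1
  _sock=${TMPDIR:-/tmp}/rdp-tunnel.$$
  ssh -f -N -M -S "$_sock" -o ExitOnForwardFailure=yes \
    -L "127.0.0.1:$_lport:$2:3389" "$1" || return 1
  rdesktop "127.0.0.1:$_lport"
  ssh -S "$_sock" -O exit "$1"
}

# Show the commands the helpers build (no network access needed).
rdp_tunnel_cmd jump.example.com desktop.example.internal
rdp_tunnel_cmd jump.example.com desktop.example.internal 3390
x11_chain_cmd hostA.com hostB.com hostC.com
x11_chain_cmd trusted hostA.com
```

Running the script prints the four constructed commands; open_rdp_session is the one that actually needs the hosts. ExitOnForwardFailure matters because, without it, ssh logs in and reports the failed forward only as a warning, and rdesktop localhost then talks to whatever was already listening on the port rather than to the end computer.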