Remote login programs

Insecure programs

rsh and rlogin both connect the user to a remote system, based on the .rhosts mechanism (see above). You should not use them; they are intrinsically insecure.

telnet is even worse: it sends your password unencrypted over the network.

If you really have to use telnet and you need to display graphical applications over the network, you will need to adjust a few settings. On the originating host (in an X session, of course), allow access for the destination host to use your display with the xhost command:


tille:~>xhost +blubber

After having set this permission, you can make the connection to the remote host. You have to tell this host to send graphics to your screen instead of to its local screen. In an X terminal window on the remote host, you may type something like:


tille@blubber:~>export DISPLAY="happy.soti.org:0.0"

tille@blubber:~>xclock &

The above command will display an analogue clock on your screen. This way of working is often used when a remote server has a program installed which you have not, or when you want to run a program that needs a lot of resources on a remote machine that is fully equipped, using your own, less powerful host as a display.

Secure Shell

Secure Shell or ssh is the successor to telnet. It encrypts nearly every part of the communication between systems. The example below shows a verbose session:


tille:~>ssh -v blubber
OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be 
	trusted.
debug1: ssh_connect: getuid 504 geteuid 0 anon 1
debug1: Connecting to blubber [192.168.42.15] port 22.
debug1: Connection established.
debug1: identity file /nethome/tille/.ssh/identity type 0
debug1: Remote protocol version 1.99, remote software version 
	OpenSSH_2.5.2p2
debug1: match: OpenSSH_2.5.2p2 pat ^OpenSSH
debug1: Local version string SSH-1.5-OpenSSH_2.5.2p2
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key 
	(1024 bits).
The authenticity of host 'blubber (192.168.42.15)' can't be established.
RSA1 key fingerprint is 52:09:dd:c0:34:71:ab:54:bc:ad:f6:33:1d:d4:70:7b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'blubber,192.168.42.15' (RSA1) to the 
	list of known hosts.
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: RSA authentication using agent refused.
debug1: Trying RSA authentication with key 'tille@sprawl.soti.org'
debug1: Server refused our key.
debug1: Doing password authentication.
tille@blubber's password: 
debug1: Requesting pty.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Requesting shell.
debug1: Entering interactive session.
Last login: Thu Jun 14 16:40:27 2001 from localhost.localdomain
tille:~>

A non-verbose session doesn't look that frightening:


tille@sprawl:~>ssh blubber
tille@blubber's password:
Last login: Wed Jun 13 16:16:23 2001 from sprawl.soti.org
tille@blubber:~>

Secure shell will display a message if it thinks something is wrong. Depending on your settings, it will either continue only after asking your explicit permission, or you can configure SSH to refuse the connection altogether when it suspects a host:


tille@sprawl:~>ssh suspect
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA1 host key for suspect has changed,
and the key for the according IP address 192.168.6.66
is unchanged. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
Offending key for IP in /nethome/tille/.ssh/known_hosts:28
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now 
(man-in-the-middle attack)!
It is also possible that the RSA1 host key has just been 
changed.
The fingerprint for the RSA1 key sent by the remote host is
52:09:dd:c0:34:71:ab:54:bc:ad:f6:33:1d:d4:70:7b.
Please contact your system administrator.
Add correct host key in /nethome/tille/.ssh/known_hosts 
to get rid of this message.
Offending key in /nethome/tille/.ssh/known_hosts:11
Last login: Mon May 14 20:14:44 2001 
from adsl-59785.turboline.skynet.be
*****************************************************************
*                                                               *
* Type 'pine' or 'mail' to read your email                      *
*                                                               *
* Type 'cd web' to access your personal web page                *
* Type 'cd ../../web' to access the site web                    *
* Type 'cd ../../ftp' to access the anonymous FTP site          *
* Type 'cd' to return to your home directory                    *
*                                                               *
* Type 'exit' to end this session                               *
*                                                               *
*****************************************************************
No mail.
[tille@sirius tille]$
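As an added illustration (not part of the original text), the following Python script shows the comparison ssh performs against known_hosts before printing the warnings above: it parses a constructed known_hosts file, computes OpenSSH-style fingerprints, and classifies a presented host key as unchanged, changed, or the "name changed but IP unchanged" case that triggers the DNS spoofing warning. The keys and file are made up for the example, and the decision logic is a simplified version of OpenSSH's own.

```python
import base64
import hashlib
import struct

def make_ed25519_blob(raw32):
    # Constructed key blob in OpenSSH wire format (length-prefixed type, then key bytes); not a real key.
    return b"".join(struct.pack(">I", len(p)) + p for p in (b"ssh-ed25519", raw32))

def fingerprint(blob, algo="sha256"):
    # OpenSSH formats: "SHA256:<unpadded base64>" or the colon-hex "MD5:..." style shown above.
    if algo == "md5":
        return "MD5:" + ":".join("%02x" % b for b in hashlib.md5(blob).digest())
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_known_hosts(text):
    # Plain entries only; comment, hashed (|1|...) and marker (@...) lines are skipped here.
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "|1|", "@")):
            continue
        yield line_no, set(fields[0].split(",")), fields[1], base64.b64decode(fields[2])

def check_host_key(known_hosts, hostname, ip, presented):
    # Simplified form of the decision ssh makes before printing the warnings above.
    name_entry = ip_entry = None
    for line_no, hosts, _ktype, blob in parse_known_hosts(known_hosts):
        if hostname in hosts and name_entry is None:
            name_entry = (line_no, blob)
        if ip in hosts and ip_entry is None:
            ip_entry = (line_no, blob)
    if name_entry is None:
        return "new-host", None  # verify fingerprint(presented) out of band first
    if name_entry[1] == presented:
        return "ok", name_entry[0]
    if ip_entry is not None and ip_entry[1] == presented:
        # Key for the name changed while the key for the IP did not: the
        # "POSSIBLE DNS SPOOFING DETECTED" case, reported with the offending line.
        return "possible-dns-spoofing", name_entry[0]
    return "host-key-changed", name_entry[0]

# Constructed sample file: blubber and its IP share KEY_A; suspect was recorded with KEY_B.
KEY_A = make_ed25519_blob(bytes(range(32)))
KEY_B = make_ed25519_blob(bytes(range(32, 64)))
KNOWN_HOSTS = "\n".join([
    "# constructed example, not a real known_hosts file",
    "blubber,192.168.42.15 ssh-ed25519 " + base64.b64encode(KEY_A).decode(),
    "suspect ssh-ed25519 " + base64.b64encode(KEY_B).decode(),
    "192.168.6.66 ssh-ed25519 " + base64.b64encode(KEY_A).decode(),
])
```

Calling check_host_key(KNOWN_HOSTS, "suspect", "192.168.6.66", KEY_A) reproduces the situation in the session above: the entry for the name no longer matches while the entry for the IP still does, so the offending line number for the name is reported.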

Ssh sets your DISPLAY for you; in the standard configuration you don't need to use xhost.

Secure shell has lots of options, as one might expect. Since the RSA patent expiration on September 20, 2000, SSH is freely available. Download and install it, or preferably ask your system administrator to install it system-wide if it is not available on your system. Secure shell is really a must in today's internet wilderness.