What is SSH? What is SFTP?
SSH (Secure Shell Protocol) is a secure replacement for telnet. Like telnet, SSH can be used to connect to a remote host computer using an account name and password. The advantages of SSH over telnet are:
- All information transmitted between your computer and the host is encrypted. This protects your password during login as well as information transmitted after logging in.
- If available, you can use a publicly published “fingerprint” for a host’s “key” to verify the host’s identity.
Make a Connection to a Remote Host
- Open Terminal in the Applications > Utilities folder.
- Type ssh account_name@host_name in the terminal window, where account_name is your account name on the host and host_name is the host’s full Internet name. Press the Return key. If you are connecting to apollo.sfsu.edu or libra.sfsu.edu then replace account_name with your SFSU email account name and replace host_name with either apollo.sfsu.edu or libra.sfsu.edu. For example, Jane Doe, with SFSU email account janedoe, would connect to host libra.sfsu.edu by typing:ssh janedoe@libra.sfsu.edu then pressing the Return key.
- The first time you connect to a host you will see a message similar to:
The authenticity of host ‘libra.sfsu.edu (130.212.10.238)’ can’t be established.
RSA key fingerprint is 57:fe:4b:78:94:1e:8c:3d:28:ce:67:40:85:fe:24:85.
Are you sure you want to continue connecting (yes/no)?If you are connecting to apollo.sfsu.edu, libra.sfsu.edu, online.sfsu.edu, or www.sfsu.edu, browse to SSH/SFTP Fingerprints for DOIT Supported Hosts to verify that the displayed fingerprint matches one of the fingerprints published for the host you are connecting to. Read the sections What does it mean if the Fingerprints Don’t Match? and What if the fingerprints matched originally but now they don’t?
- If the fingerprints do NOT match, click the Cancel button to cancel your connection. Call 415-338-1420 and ask for the Consultant On Duty or fill out aHelp Desk Service Request. Mismatched fingerprints might mean that your connection has been compromised.
- If the fingerprints DO match, type yes then press the Return key. You will see a message similar to:
Warning: Permanently added ‘libra.sfsu.edu,130.212.10.238’ (RSA) to the list of known hosts.
- Type your password when prompted then press the Return key.
- Use the resulting SSH session the same way you would use a telnet session.
- When you are finished exit your SSH session, close your terminal window, then close Terminal.
What if the Fingerprints Matched Originally but They Don’t Now?
Using the SSH client built in to Mac OS X you will you get a message similar to the following:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is 57:fe:4b:78:94:1e:8c:3d:28:ce:67:40:85:fe:24:85.
Please contact your system administrator.
Add correct host key in /Users/janedoe/.ssh/known_hosts to get rid of this message.
Offending key in /Users/janedoe/.ssh/known_hosts:1
RSA host key for libra.sfsu.edu has changed and you have requested strict checking.
Host key verification failed.
This either means that the host has a new key and the fingerprint has changed or that you are the victim of a man-in-the-middle exploit. In order to protect you, the Mac OS X SSH client will not let you complete the connection to this host until the old key is removed from your computer. If you determine that the host’s key has been changed (browse to SSH/SFTP Fingerprints for DOIT Supported Hosts to see a list of current fingerprints for apollo.sfsu.edu, libra.sfsu.edu, online.sfsu.edu, and www.sfsu.edu, ), follow these steps to remove the old key:
- Open Terminal in the Applications > Utilities folder.
- Type open .ssh in the terminal window then press the Return key. This opens the .ssh folder which contains the file known_hosts.
- Drag known_hosts into the trash then close the .ssh folder.
- Close Terminal.
Deleting known_hosts removes all host keys from your computer so all hosts you connect to will be treated as though you are connecting to them for the first time.