
JLab SSH FAQ for Unix/Linux

JLab SSH2 Upgrade FAQ

On August 23rd at 5:00 PM, the Computer Center will make a change to the SSH configuration which will affect all JLab users. At that time, Computer Center staff will configure all CUE-managed Unix/Linux systems to require SSH clients to log in using the newer SSH version 2 protocol. This document will introduce the changes, explain what they mean to you, and tell you what you need to do to prepare for the change.

What is changing?

The SSH servers on all CUE-managed Unix/Linux systems will be reconfigured to allow only SSH protocol V2 connections. As a result of this change, all connections to JLab from the Internet will be required to use the SSH V2 protocol. If you do not ensure that your SSH client (i.e., "ssh" or "PuTTY") is configured to use SSH v2, you may not be able to log into CUE-managed computers such as jlabl1, jlabs1, db1 or others.

Why is the Computer Center performing this upgrade?

During the past several years, more and more weaknesses have been exposed in the older SSH 1 protocol. The SSH 2 protocol addresses several critical security and performance issues, and all SSH vendors currently recommend its use over v1. It is for this reason that all logins will be required to use SSH V2 only. For a more detailed breakdown of the differences between the SSH 1 and SSH 2 protocols, please see this excerpt from the SSH FAQ.

What do these changes mean to me?

If you connect to CUE machines from other CUE machines, you probably don't need to do anything except ensure that your ~/.ssh/config file does not contain a line that starts with "Protocol" (e.g., "Protocol 1,2" or "Protocol 1"). The Computer Center will manage the default settings for the SSH clients on its machines to make sure they are correct for the new configuration.

What's the bare minimum I need to know to continue working after the change?

Most users will NOT notice any change at all. If you routinely log in from Unix/Linux systems managed by the Computer Center to others which are not managed by the Computer Center (either onsite hosts or offsite hosts), you may also need to read the question entitled "I want to log in to a remote host without a password. How do I do that?" for more information on setting up remote hosts to use your new SSH 2 keys.

Windows users should check their PuTTY configurations to confirm that they are using PuTTY version 0.55. When installed from JLab - CUE, PuTTY is configured to use SSH protocol 2 with X11 forwarding enabled. To upgrade to PuTTY 0.55 from Windows XP or Windows 2000 machines, open Control Panel, Add or Remove Programs, Add New Programs. Highlight PuTTY and click the Add button. To upgrade to PuTTY 0.55 from Windows NT machines, click on your Start button, Programs, JLab - CUE, Client Installed Programs, PuTTY. Either method of installation will maintain your previous configurations (specific servers, screen fonts and sizes, colors) if your original copy of PuTTY was installed in the default directory.


How do I upgrade my existing public/private keys to work with SSH version 2?

You cannot upgrade your existing keys to SSHv2. You must create entirely new SSHv2 keys if you wish to continue to use key-based logins. Please see "Creating your public & private keypair" for instructions.

What files does the new client use in my home directory?

All the files used by the new client are in the ~/.ssh directory.

File name      Purpose
id_dsa         Your private key. The filename denotes a DSA key of 1024 bits (the defaults).
id_dsa.pub     The public key that goes with your private key. This is the file you will need to distribute to remote hosts in order to log in without a password.
known_hosts    A list of all the host keys from each machine you have ever logged into.
random_seed    Random data used by the encryption process to initialize ("seed") the algorithm's parameters with unpredictable values.
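
One way to run the two client-side checks described above (no "Protocol" line in ~/.ssh/config, and an SSH 2 key pair present in ~/.ssh), as an added example rather than a Computer Center script. The function names and return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks an ~/.ssh directory against the points in this FAQ.
# Function names and return codes are this example's own choices.

# Print "LINENO:VALUE" for every Protocol directive in an ssh client config.
# ssh_config keywords are case-insensitive and may be indented or use '='.
protocol_lines() {
    awk '
        { line = $0
          sub(/^[ \t]+/, "", line)                       # drop indentation
          if (line ~ /^#/ || line == "") next            # skip comments, blanks
          if (tolower(line) ~ /^protocol([ \t=]|$)/) {
              sub(/^[A-Za-z]+[ \t]*=?[ \t]*/, "", line)  # strip keyword, separator
              gsub(/[ \t"]/, "", line)
              print NR ":" line
          } }' "$1"
}

# Return 0 if the directory is ready for SSH 2-only servers,
# 1 if config still carries a Protocol line (the FAQ says to remove it),
# 2 if there is no complete SSH 2 key pair (key-based logins will not work).
check_ssh2_ready() {
    dir=$1
    status=0
    if [ -f "$dir/config" ]; then
        found=$(protocol_lines "$dir/config")
        if [ -n "$found" ]; then
            echo "$found" | while IFS=: read -r n v; do
                echo "config line $n: Protocol $v (remove this line)"
            done
            status=1
        fi
    fi
    if [ "$status" -eq 0 ]; then
        if [ ! -f "$dir/id_dsa" ] || [ ! -f "$dir/id_dsa.pub" ]; then
            echo "no complete SSH 2 key pair (id_dsa, id_dsa.pub) in $dir"
            status=2
        fi
    fi
    return $status
}

# Usage: check_ssh2_ready "$HOME/.ssh"
```

A return code of 2 only matters if you use key-based logins; password logins are unaffected by missing key files.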

What files does the server use in my home directory?

JLab uses the OpenSSH server, which expects to see the following in your ~/.ssh directory.

File name          Purpose
authorized_keys    This file contains a list of public keys that are allowed to access this account without typing a password. You will need to put your public key (id_dsa.pub) into this file.

I want to log in to a remote host without a password. How do I do that?

Please see the document entitled "How to use the SSH agent for Unix".


This document is maintained by helpdesk@jlab.org

Copyright Jefferson Lab 2007