
Using SSH in Mac OS X


SSH (Secure Shell) is a secure replacement for telnet.  Like telnet, SSH is used to connect to a remote host computer using an account name and password.  The advantages of SSH over telnet are:

  1. All information transmitted between your computer and the host is encrypted.  This protects your password during login as well as information transmitted after logging in.
  2. If available, you can use a publicly published "fingerprint" for a host's "key" to verify the host's identity.

  1. Open Terminal in the Applications > Utilities folder.
  2. Type ssh account_name@host_name in the terminal window, where account_name is your account name on the host and host_name is the host's full Internet name.  Press the Return key.  If you are connecting to apollo.sfsu.edu or libra.sfsu.edu, replace account_name with your SFSU email account name and host_name with either apollo.sfsu.edu or libra.sfsu.edu.

    For example, Jane Doe, with SFSU email account janedoe, would connect to host libra.sfsu.edu by typing:

    ssh janedoe@libra.sfsu.edu

    then pressing the Return key.

  3. The first time you connect to a host you will see a message similar to:

    The authenticity of host 'libra.sfsu.edu (130.212.10.238)' can't be established.
    RSA key fingerprint is 57:fe:4b:78:94:1e:8c:3d:28:ce:67:40:85:fe:24:85.
    Are you sure you want to continue connecting (yes/no)?

  4. If you know the host's fingerprint (see "SSH Fingerprints for DOIT Supported Hosts" below for SFSU hosts), verify that the fingerprint in the message matches it.
  5. If the fingerprints match, type yes and press the Return key.  You will see a message similar to:

    Warning: Permanently added 'libra.sfsu.edu,130.212.10.238' (RSA) to the list of known hosts.

  6. Type your email password when prompted then press the Return key.
  7. Use the resulting SSH session the same way you would use a telnet session.
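The key you accept in step 5 is stored in ~/.ssh/known_hosts, and the fingerprint you compared in step 4 is simply the MD5 of that stored key.  The script below is an added example (it is not part of this help page and not an SFSU tool) that recomputes the fingerprint of a stored entry and compares it with a published one, so you can re-check a host you accepted earlier.  It assumes base64 and md5sum (or md5 on Mac OS X) are available; the known_hosts entries it is run on here are constructed test lines whose "key blobs" are not real keys.

```shell
#!/bin/sh
# Added example, not part of the SFSU help page: check the host key that
# OpenSSH stored in known_hosts (step 5 above) against a published MD5
# fingerprint (step 4 above).  Needs base64 and md5sum (or md5 on Mac OS X).
# All sample entries below are constructed; the "key blobs" are not real keys.

# MD5 of stdin as 32 hex characters, on GNU (md5sum) or BSD/Mac OS X (md5).
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -c1-32
    else
        md5 -q
    fi
}

# Print the colon-separated MD5 fingerprint of one known_hosts line.  OpenSSH
# stores an entry as "names keytype base64blob"; the MD5 fingerprint shown at
# connect time is the MD5 of that decoded blob.
# Usage: known_hosts_fingerprint "libra.sfsu.edu,130.212.10.238 ssh-rsa AAAA..."
known_hosts_fingerprint() {
    _blob=$(printf '%s\n' "$1" | awk '{print $3}')
    printf '%s' "$_blob" | base64 -d | md5_hex |
        sed 's/\(..\)/\1:/g; s/:$//'       # 57fe4b... -> 57:fe:4b:...
}

# Normalise a fingerprint for comparison: drop an "MD5:" prefix and the
# colons, and lower-case the hex digits.
normalize_fp() {
    printf '%s' "$1" | sed 's/^MD5://' | tr -d ':' | tr 'A-Z' 'a-z'
}

# Return 0 when both fingerprints denote the same key.
fingerprint_matches() {
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Read known_hosts lines from stdin and compare every entry naming HOST with
# the published fingerprint.  Returns 0 if an entry matched, 1 if HOST has no
# entry, 2 on the first mismatch.  Hashed entries ("|1|...") are skipped.
# Usage: check_known_host HOST PUBLISHED_FINGERPRINT < ~/.ssh/known_hosts
check_known_host() {
    _host=$1; _published=$2; _found=1
    while IFS= read -r _line; do
        case "$_line" in ''|'#'*|'|1|'*) continue ;; esac
        _names=$(printf '%s\n' "$_line" | awk '{print $1}')
        case ",$_names," in *",$_host,"*) ;; *) continue ;; esac
        _fp=$(known_hosts_fingerprint "$_line")
        if fingerprint_matches "$_fp" "$_published"; then
            echo "MATCH    $_host $_fp"
            _found=0
        else
            echo "MISMATCH $_host: stored $_fp, published $_published"
            return 2
        fi
    done
    return $_found
}

# Demo on a constructed entry: "YWJj" is base64 of "abc", so the MD5
# fingerprint of that "key" is 90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72.
if printf '%s\n' 'libra.sfsu.edu,130.212.10.238 ssh-rsa YWJj' |
        check_known_host libra.sfsu.edu 90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72; then
    echo "stored key agrees with the published fingerprint"
fi
```

On a real machine you would run check_known_host libra.sfsu.edu 57:fe:4b:78:94:1e:8c:3d:28:ce:67:40:85:fe:24:85 < ~/.ssh/known_hosts.  OpenSSH's own ssh-keygen -l -f ~/.ssh/known_hosts lists the fingerprint of every stored key the same way; on newer OpenSSH releases add -E md5 to get the colon-separated hex form used on this page rather than the SHA256 form.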

What if the Fingerprints Don't Match?

A fingerprint mismatch should virtually never happen.  If it does, there are two possible causes.

First, the published fingerprint, or your copy of it, is incorrect.  If a host's key is replaced, the host's fingerprint changes, so make certain you have the most recent published fingerprint for the host.  If the fingerprint still doesn't match, the key may have been replaced and the published fingerprint not yet updated to reflect the new key.  If contact information is listed with the fingerprint, use it to find out whether the published fingerprint is correct.  If the published fingerprint is correct, you may be the victim of a "man-in-the-middle" exploit.

Second, all information transmitted between your computer and the remote host is being routed through another computer.  Think of this computer as being in the middle.  There is a good chance that the information passing between your computer and the remote host is being viewed or recorded.  If you have local computer support, contact them and describe the problem.


What if the Fingerprints Matched Originally but They Don't Now?

Using the SSH client built in to Mac OS X, you will get a message similar to the following:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is 57:fe:4b:78:94:1e:8c:3d:28:ce:67:40:85:fe:24:85.
Please contact your system administrator.
Add correct host key in /Users/janedoe/.ssh/known_hosts to get rid of this message.
Offending key in /Users/janedoe/.ssh/known_hosts:1
RSA host key for libra.sfsu.edu has changed and you have requested strict checking.
Host key verification failed.

This either means that the host has a new key and the fingerprint has changed or that you are the victim of a man-in-the-middle exploit.  In order to protect you, the Mac OS X SSH client will not let you complete the connection to this host until the old key is removed from your computer.  If you determine that the host's key has been changed (see "What if the Fingerprints Don't Match?"), follow these steps to remove the old key.

  1. Open Terminal in the Applications > Utilities folder.
  2. Type open .ssh in the terminal window, then press the Return key.  This opens the .ssh folder, which contains the file known_hosts.
  3. Drag known_hosts into the trash, then close the .ssh folder.

Deleting known_hosts removes all host keys from your computer, so all hosts will be treated as though you are connecting to them for the first time.
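Trashing the whole file also throws away the keys of every other host you have already verified.  The following is an added example (not part of this help page and not an SFSU tool) showing how to remove just the stale entry instead, either by the line number the warning reports ("Offending key in /Users/janedoe/.ssh/known_hosts:1") or by host name.  The known_hosts file it operates on is constructed for the demonstration and its key blobs are placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not part of the SFSU help page: remove only the stale entry
# from known_hosts instead of trashing the whole file, so the keys of other
# hosts you have already verified are kept.  The sample file written by
# write_sample_known_hosts is constructed and its key blobs are not real keys.

# Write a constructed known_hosts file to $1 (three entries and a comment).
write_sample_known_hosts() {
    cat > "$1" <<'EOF'
libra.sfsu.edu,130.212.10.238 ssh-rsa FAKEBLOB1
apollo.sfsu.edu,pluto.sfsu.edu,taurus.sfsu.edu ssh-rsa FAKEBLOB2
# comment lines are left untouched
other.example.test ssh-rsa FAKEBLOB3
EOF
}

# Delete line N, the number the warning reports as
# "Offending key in /Users/janedoe/.ssh/known_hosts:N".  The previous file is
# kept as known_hosts.old.  Usage: remove_known_host_line FILE N
remove_known_host_line() {
    _file=$1; _n=$2
    cp "$_file" "$_file.old" && sed "${_n}d" "$_file.old" > "$_file"
}

# Delete every entry whose comma-separated name list contains HOST exactly,
# keeping comments, blank lines and all other hosts.  An entry that lists
# several names (a host plus its aliases or IP address) is removed as a whole.
# Usage: remove_known_host_by_name FILE HOST
remove_known_host_by_name() {
    _file=$1; _host=$2
    cp "$_file" "$_file.old" &&
    awk -v host="$_host" '
        /^#/ || NF == 0 { print; next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == host) next
            print
        }' "$_file.old" > "$_file"
}

# Is there still an entry naming HOST in FILE?  Returns 0 if so, 1 if not.
# Usage: known_host_present FILE HOST
known_host_present() {
    awk -v host="$2" '
        /^#/ || NF == 0 { next }
        { n = split($1, names, ","); for (i = 1; i <= n; i++) if (names[i] == host) found = 1 }
        END { if (found) exit 0; exit 1 }' "$1"
}

# Demo: drop the libra entry by line number, then the apollo entry by name.
_demo=$(mktemp)
write_sample_known_hosts "$_demo"
remove_known_host_line "$_demo" 1
remove_known_host_by_name "$_demo" apollo.sfsu.edu
echo "remaining entries:"; cat "$_demo"
rm -f "$_demo" "$_demo.old"
```

On your own machine the call would be remove_known_host_by_name ~/.ssh/known_hosts libra.sfsu.edu; current OpenSSH releases provide the same operation built in as ssh-keygen -R libra.sfsu.edu, which likewise keeps a copy of the previous file as known_hosts.old.  Either way, the next connection to that host asks you to verify its fingerprint again, and only that host.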


SSH Fingerprints for DOIT Supported Hosts

Every SSH host has a unique "key" and each key has a unique "fingerprint".  Fingerprints are displayed either as a series of hexadecimal numbers separated by colons or as a series of "words" separated by hyphens.  The first time you connect to a host you will be shown its fingerprint and asked if you want to continue connecting.  If a host's fingerprint is published you can protect yourself from a "man-in-the-middle" attack.  Check that the fingerprint you are shown while connecting to the host matches the published fingerprint.  If they match it is safe to enter yes to continue with the connection.  The host name and key are stored on your computer and you will not normally be asked again for that host.

Fingerprints for DOIT supported hosts shown in hexadecimal and text format:

57:fe:4b:78:94:1e:8c:3d:28:ce:67:40:85:fe:24:85
xesak-nihov-tybug-gutos-tisep-senel-gyvul-bonoc-pagin-zeduf-gixox

Please contact DOIT's Helpdesk if you use SSH to connect to one of these hosts and are shown a fingerprint different from those listed above.  Call 415-338-1420 and ask for the Consultant On Duty or fill out a Help Desk Service Request.

Note:  pluto.sfsu.edu and taurus.sfsu.edu are aliases for apollo.sfsu.edu.  You can connect to apollo with these host names but using apollo.sfsu.edu is recommended.


San Francisco State University

Last Modified: 27 Oct 2005
doit@sfsu.edu