SSH uses (slow) public key encryption for authentication purposes and one of several (faster) symmetrical encryption methods to encrypt the data stream between your system and the remote systems.
Thus you can use SSH to work over the (insecure) Internet, for example, to log in to your work from home or from a hotel room using about just any Internet provider available. Using the appropriate configuration, you can run telnet, run X Window applications, or read you mail - this all in a secure way since all data traveling from your local machine to the remote machine running the sshd process is encrypted end-to-end.
The file ssh-os2-bin-1.2.16.sig contains the PGP signature for this file. The PGP signature is made with my PGP key (key ID 6223DE0D, H. Michael Stahl <[email protected]>), see my home page for information on how to obtain my public PGP key.
This zip package contains all executables for SSH, the description you are currently reading, and the manual pages for all distributed programs as HTML files. Unzip it in a directory of your choice and move all executables to a directory on your PATH, preferrably where all other TCP/IP applications are stored (normally this is x:\TCPIP\BIN, where x: is your boot drive).
You also need the emx run time library ddls which you can download from e.g. ftp://ftp.leo.org/pub/comp/os/os2/leo/devtools/emx+gcc/emxrt.zip.
Optionally, you might want to get a syslog daemon so that sshd can write its messages to a central log file. If your OS/2 has the DHCP software installed you already have a syslog daemon as part of this software (DHCP is a standard component under Warp 4 and also part ot the more recent TCP/IP CSDs for Warp 3). Alternatively, you can get a complete syslog package containing a syslog daemon ported by Jochen Friedrich <[email protected]> as ftp://ftp.leo.org/pub/comp/os/os2/leo/tcpip/systools/syslog2b.zip (syslog.h and syslog.c are part of this package).
To protect your private key it is encrypted using a a so-called pass phrase before it is stored in the file %HOME%/.ssh/identity. This will prevent other people from abusing it even if they gain access to your files. Therefore always type in pass phrase when prompted for one. It can consist of multiple words (i.e. blanks are just fine within the phrase), so you could choose a sentence which you can remember. Changing some of the words by misspelling them or by changing some of the letters into digits is highly recommended to increase the strength of your pass phrase.
Here is a sample session, your input is shown underlined. Note that the pass phrase - though being shown here - is not echoed back as you type it.
[D:\mike] ssh-keygen Initializing random number generator... Generating p: .++ (distance 6) Generating q: ........++ (distance 110) Computing the keys... Testing the keys... Key generation complete. Enter file in which to save the key ($HOME/.ssh/identity): [RETURN] Enter passphrase (empty for no passphrase): litt1e 1amp jumb3d Enter same passphrase again: litt1e 1amp jumb3d Your identification has been saved in D:/mike/.ssh/identity. Your public key is: 1024 37 [lots of numbers] [email protected] Your public key has been saved in D:/mike/.ssh/identity.pub [d:\mike]The comment at the end of the output of the public key which looks like a mail address (here [email protected]) is composed of the values found in the environment variables USER and HOSTNAME. It is transferred to the remote system when you log in using SSH and is used to find a matching public key on that system.
If you have multiple accounts you might want to create a separate key on each of them. For example, you might have separate keys for
[D:\mike] ssh-keygen -p Enter file in which the key is ($HOME/.ssh/identity): [RETURN] Enter old passphrase: litt1e 1amp jumb3d Key has comment '[email protected]' Enter new passphrase (empty for no passphrase): br0wn cow 3ats grass Enter same passphrase again: br0wn cow 3ats grass Your identification has been saved with the new passphrase. [d:\mike]The pass phrases are not echoed as you type them.
remote% cd ~/.ssh remote% cat identity.pub >> authorized_keys remote%You could now copy the ~/.ssh/authorized_keys file to other systems to allow access from the OS/2 system. One way to copy the file is to use the ftp command.
Use a text editor to add more keys to the file. If you use cut and paste to copy a key make sure each key entry is a single line in the file. The keys to add are always the public keys (from files with the .pub extension).
NOTE: To gain access to restricted systems you might need to send your public key in an electronic mail message to the administrator of that system. Just include the contents of the %HOME%/.ssh/identity.pub file in the message.
[d:\mike] ssh remote.system.de Enter passphrase for RSA key '[email protected]': litt1e 1amp jumb3d Last login: Wed Oct 16 20:37:00 1996 from mike.snafu.de [more output from the remote machine] remote.system.de%You can avoid to type in the pass phrase for each session you start on the remote system if you use ssh-agent to keep the authentication keys in memory. You need to type the pass-phrase only once when you use ssh-add to add a key to memory.
If your account name on the remote system differs from the one on the local system (the system you are connecting from) you can use the -l switch to specify the remote account name.
[d:\mike] ssh -l Maik remote.system.de Enter passphrase for RSA key '[email protected]': litt1e 1amp jumb3d Last login: Wed Oct 16 20:37:00 1996 from mike.snafu.de [more output from the remote machine] remote.system.de%
[d:\mike] ssh remote.system.de who christos ttyp8 Oct 17 20:42 (milou) [d:\mike]If you are using the X Window System you can use this feature to start an interactive session on the remote system:
[d:\mike] ssh -n remote.system.de xtermA new X terminal window from the remote system should appear shortly on your display. Note that the OS/2 session you started ssh in will not be usable for further command input as long as ssh is running.
If you leave off the filename of the copy or specify a directory only the name of the source file will be used. An easy way of retrieving a copy of a remote file into the current directory while keeping the name of the source file is to use a single dot as the destination.
[d:\mike] scp -p remote:aliases . [d:\mike]The -p option is not required. It indicates that the modification and access times as well as modes of the source file should be preserved on the copy. This is usually desirable.
You can copy several files in a single command if the destination is a directory.
[d:\mike] scp -p remote:.login remote:.logout panix.com:. [d:\mike]Relative filenames resolve differently on the local system than on the remote system. On the local system the current directory is assumed (as usual with all commands). On the remote system the command runs in the home directory! Thus relative filenames will be relative to the home directory of the remote account.
NOTE: When you specify remote machines in both the source and the destination the connection to copy the files is made directly between those hosts. The files are not copied through the local system. Sometimes this makes a difference in a firewalled or otherwise restricted environment.
[d:\mike] ssh-agent cmd OS/2 Command Interpreter Version 3 [d:\mike]When you exit from this command interpreter all keys will be removed from memory:
[d:\mike] exit Authentication agent exiting. [d:\mike]
[d:\mike] ssh-add Need passphrase for d:/mike/.ssh/identity ([email protected]). Enter passphrase: litt1e 1amp jumb3d Identity added: d:/mike/.ssh/identity ([email protected]) [d:\mike]You can specify the file that contains the key if you want to add an identity other than the default. You must specify the file with the private key i.e. the one that does not have the
.pub
extension. The -d option will have the key deleted from memory. There is no ssh-delete command.
[d:\mike] ssh-add -d %HOME%/.ssh/isp [d:\mike]To list all keys currently in memory use the -l option.
[d:\mike] ssh-add -l 1024 37 [lots of numbers] [email protected] [d:\mike]You can delete all keys from memory at once with the -D option.
[d:\mike] ssh-add -D All identities removed. [d:\mike]This is useful if you have added keys into memory on remote systems and don't want to reconnect just to delete the keys.
Host keyword. You can use
wildcards to match all the appropriate systems:
Compression yes/no (no)
CompressionLevel 1-9 (6)
FallBackToRsh yes/no (yes)
KeepAlive yes/no (yes)
User account (local account)
Host *snafu.de
User mike
Compression no
Host mailhost
HostName mailhost.snafu.de
# Forward POP (110) and SMTP (25) to target host
LocalForward 110 mailhost.snafu.de:110
LocalForward 25 mailhost.snafu.de:25
Host *gw.com
FallBackToRsh no
Host *
Compression yes
CompressionLevel 9
FallBackToRsh yes
KeepAlive no
Options are accumulated over entries, but a more specific entry will
override a less specific one. E.g. in the above compression will not
be used for hosts that match *snafu.de but will be used
for hosts that match *gw.com (and all other hosts since
the * entry matches all hosts).
This example also shows how to use LocalForward to forward the ports 110 (POP) and 25 (SMTP) from the remote host mailhost.snafu.de to the local host. If we specify localhost:110 and localhost:25 for the POP and SMTP host:port combination when setting up our local POP mail client, we can read and write our mail in a secure way - since it will be tunneled through SSH's encrypted comunication channel.
For a complete list of options please refer to the manual pages of both ssh and sshd.
auth-rhosts.c clientloop.c config.h genminfd.c newchannels.c packet.c scp.c serverloop.c randoms.c signals.c ssh-agent.c ssh.c ssh.h sshd.c ttymodes.h userfile.cAll changes are bracketed by #ifdef OS2 and #endif /* OS2 */. (If I could convince the authors of ssh to incorporate the changes into the sources one would have less work adapting to the next source distributions.)
I had to change the makefiles by hand since I do not have all components to run the configure script supplied with the ssh distribution.
Makefile gmp-2.0.2\Makefile gmp-2.0.2\mpn\Makefile zlib-1.0.3\MakefileI also added the following files taken from other sources:
syslog.h syslog.c vt220.h vt220.cThe files syslog.h and syslog.c are part of the syslog package by Jochen Friedrich <[email protected]>.
The VT220 emulator contained in vt220.h and vt220.c was
written by Robert Muchsel
<[email protected]>) and
are part of a previous port of ssh to OS/2
which can be found e.g. as
Obtaining the changed source files
You can get the changed source file from here:
The PGP signature is made with my PGP key (key ID 6223DE0D,
H. Michael Stahl <[email protected]>), see my
home page for information on how to
obtain my public PGP key.
To regenerate the library libgmp.a, change directory to gmp-2.0.2\mpn, copy all assembler file from x86 and all C files from generic. Then delete all copied C files which have an assembler counterpart. Copy bsd.h to sysdep.h . Edit Makefile and add -D__STDC__ to CDEFS. Then run make in the subdirectories mpn, mpf, mpq and mpz. Finally do a
ar rc libgmp.a mpn/*.o mpf/*.o mpq/*.o mpz/*.o *.oto generate the library.
Regeneration fo library libz.a is a bit easier: change directory to zlib-1.0.3, edit the Makefile, set CC to gcc, and then run make.
Once the libraries exist the rest is easy: run make in the main directory and all components will be generated.