Shaman: Everyday use

Everyday use of SSH is surprisingly straightforward. With smart card support added, the otherwise mysterious juggling of keys becomes obvious, and users develop secure habits for accessing a company's servers as a matter of course.

This page describes how OpenSSH is used with a cryptographic token, assuming that the Shaman has already been added to a basic OpenSSH setup. For most new users this differs slightly from what they are used to, but doing it once or twice is enough to learn it.

Commandline operation

In its basic form, OpenSSH is a tool that advanced users run from a commandline to access the commandline of a remote system. Scroll down if you are only interested in graphical layers built on top of this default presentation.

To log in to a remote system named server.openfortress.nl, enter the following command:

ssh  server.openfortress.nl
Note that this is just as easy as the insecure Telnet tool; only the command name differs. When used without a token, you must enter your password to gain access to the remote server, again just like Telnet.

It is also common to use OpenSSH to replace FTP for moving files between the local account and one on a remote server. The following three commands show examples of how this can be done:

sftp  server.openfortress.nl

scp  localfile_to_be_published.txt    server.openfortress.nl:

scp  server.openfortress.nl:data.txt  /home/rick/tmp
There are many variations, ranging from renaming files in transit to wildcards, but we will not repeat all those here; the OpenSSH manual pages already explain that in depth.

Access to the token is protected with a PIN. When the Shaman Agent has not logged in to the token since it was inserted, it prompts for the PIN through a standard ssh-askpass interaction, which usually pops up a small window. You only need to enter the PIN once; the login remains valid until you unplug the token. The PIN itself is not memorised by the agent; instead, the token remembers that the agent logged in successfully. Keep this in mind and verify that your token behaves this way: since the logged-in state lasts as long as the token is inserted, remove the token whenever you leave your desk. Note also that the agent does not ask for a PIN before the first attempt to contact a remote system.

To get the token accepted for remote access, it has to be set up properly. This is a one-time effort, which we simplify with the Shaman, our graphical interface to the token-based setup.

Graphical wrappers for Windows

We have not yet completed our integration with PuTTY and WinSCP at this time.

Graphical wrappers for Mac OS X

We have not yet completed our integration with Fugu at this time.

Graphical wrappers for Linux

Linux has a range of graphical applications based on OpenSSH. The list below is probably far from complete, but it does give an idea of the tools that exist. Your feedback on this list is kindly appreciated.

  • SecPanel serves as a graphical user interface for managing and running SSH (Secure Shell) and SCP (Secure Copy) connections.
    When starting SecPanel for the first time, you are prompted for a setup. Filling in the following values for SSH-Keygen and SSH-Agent was all we needed to do to get SecPanel working with a token. SecPanel enables agent forwarding by default, which you may want to switch off (see Agent Forwarding below). Most of its key management facilities do not apply to a token: they only work on keys stored in the file system, so use Shaman Setup for that instead.
  • GRCM is the Gnome Remote Connection Manager, and it appears to be in beta release. It provides buttons that launch remote connections using telnet, ssh, rdesktop or almost anything else.
    In version 0.1.5 the SSH connection type is not configured by default, but once set up it works fluently with the token-aware Agent. Note that the arguments field must include the remote hostname.
  • Gnome Telnet can act as a client for Telnet, SSH and rlogin. It works with the token without any further configuration.
  • SSH Tunnel Manager is documented in French as a piece of software that builds a secure link between two systems. We expect it to work with a token without difficulty.

Advanced topics

The following topics may be of interest to advanced users, but they are not needed for most average users.

Running the Shaman Agent: To use a token with the standard OpenSSH commands, the Shaman Agent must be running in the background. Our distribution packages arrange for that automatically. The OpenSSH commands find an agent through their standard agent mechanism (the $SSH_AUTH_SOCK environment variable), and the Shaman Agent answers on that interface. This is why you can keep using the same commands as before, even though authentication is henceforth performed by the token. It also means that most graphical utilities built on OpenSSH benefit from the token without any specific configuration.

The PIN popup has one side-effect: the Shaman Agent must be started in a graphical environment, with the variables $DISPLAY and $SSH_ASKPASS set properly; if they are not, an error is displayed and the agent is not started. Text-only sessions can use a previously started Shaman Agent, but keep in mind that the PIN prompt always appears on the graphical display from which the agent was started.

If you need to move the Shaman Agent to a different desktop, kill the old one and start a new one on the new desktop with the following commands:

shaman-agent -k
eval `shaman-agent -b`
If your shell is in the csh family, replace the -b option with -c. As an alternative to the second command, you can also just start a new commandline shell.

The Shaman Agent is a personal process; it is not accessible from other accounts. Other users may start an agent for themselves, but to get access to the token they must know its PIN.

Agent Forwarding: When you are on the remote server, you may want to log in to a next-hop remote server. Even this can be done with the token, if you forward the agent's functionality over the secure link to the remote server. Be aware that this has security implications: the remote server's administrator, or anyone who has compromised that server, can use your forwarded agent to authenticate as you for as long as you stay connected.

To enable it, set the option ForwardAgent to yes (the default is no) in $HOME/.ssh/config or /etc/ssh/ssh_config, preferably only in a Host block for the specific server that needs it rather than globally. Alternatively, pass it on the command line with ssh -o ForwardAgent=yes, or the equivalent -A option.

The remote servers that the remote system can now reach without a password are the same ones you can reach from your desktop. In other words, agent forwarding grants the remote system all the access rights that have been set up with the Shaman.
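Because a forwarded agent hands the remote server the use of your token, it is worth knowing exactly which hosts your client configuration forwards to. The script below is an added example, not part of the Shaman software or its documentation: it reads an ssh_config fragment and reports, per hostname, whether ForwardAgent would be in effect, using OpenSSH's rule that the first value obtained for an option wins. The two configurations are constructed for this example; server.openfortress.nl is the host used on this page, and jump.openfortress.nl is a hypothetical gateway that needs a next hop. Only Host blocks are handled (Match and Include are not).

```python
"""Audit which hosts in an ssh_config would receive agent forwarding.

Added example, not part of the Shaman software or its documentation. It
re-implements just enough of OpenSSH's ssh_config handling to answer one
question: for a given hostname, is ForwardAgent in effect? The rules that
matter: keywords are case-insensitive, "Keyword value" and "Keyword=value"
are both accepted, Host lines take shell-style patterns, a pattern starting
with "!" negates the whole line, and the FIRST value obtained for an option
wins (so a permissive "Host *" at the top cannot be overridden by a more
specific block below it).
Assumption: only Host blocks are used (Match and Include are not handled).
"""
import fnmatch
import re

# "Keyword value", "Keyword=value" and "Keyword = value" all split the same way
_KEYVAL = re.compile(r"^(\S+?)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_ssh_config(text):
    """Return the config as a list of (host_patterns, options) in file order.

    The leading section before any Host line applies to every host, so it is
    stored under the pattern "*". Keywords are lower-cased and, within one
    block, the first occurrence of a keyword wins.
    """
    options = {}
    blocks = [(["*"], options)]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEYVAL.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "host":
            options = {}
            blocks.append((value.split(), options))
        else:
            options.setdefault(keyword, value)
    return blocks


def host_matches(patterns, host):
    """OpenSSH Host-line semantics: a matching negated pattern disqualifies
    the whole line; otherwise any positive pattern may match."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def forward_agent_for(blocks, host):
    """Effective ForwardAgent value for `host`; OpenSSH's default is no."""
    for patterns, options in blocks:
        if host_matches(patterns, host) and "forwardagent" in options:
            return options["forwardagent"].lower() == "yes"
    return False


def audit(text, hosts):
    """Map each hostname to True when connecting to it forwards the agent,
    i.e. hands that server the use of your token while you stay connected."""
    blocks = parse_ssh_config(text)
    return {host: forward_agent_for(blocks, host) for host in hosts}


# Constructed sample configs. server.openfortress.nl is the host used in the
# text above; jump.openfortress.nl is a hypothetical next-hop gateway.
WEAK_CONFIG = """\
# Forwards the token's signing capability to EVERY server you log in to.
Host *
    ForwardAgent yes

# Never takes effect: the "Host *" block above already supplied a value.
Host server.openfortress.nl
    ForwardAgent no
"""

SAFER_CONFIG = """\
# Forward only to the one gateway that needs to reach a next hop.
Host jump.openfortress.nl
    ForwardAgent yes

Host *
    ForwardAgent no
"""

HOSTS = ["server.openfortress.nl", "jump.openfortress.nl"]

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("safer", SAFER_CONFIG)):
        for host, forwarded in audit(cfg, HOSTS).items():
            print(f"{name:5} {host:25} ForwardAgent={'yes' if forwarded else 'no'}")
```

Run it against your own $HOME/.ssh/config by passing the file's contents to audit() together with the hostnames you actually connect to; any host reported as True will be able to use your token on your behalf while you are logged in there. Note the ordering trap the weak configuration demonstrates: a blanket "Host *" placed first silences every later, more specific block, so the restrictive default belongs at the end of the file.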


 
   ------ 8< ---------- 8< ----------- 8< ------ | OpenFortress*