Setting Up and Using MacSSH for Panix

Panix - Public Access
Networks Corporation

Using MacSSH at Panix

(Including "port forwarding")

MacSSH is a very good open-source SSH client for Mac OS 9.x and below (The "Classic" environment), adapted from the excellent BetterTelnet. It's available for download at: http://www.macssh.com/

Here's how to set it up and use it.

1. Getting the SSH Host Keys for the Panix Servers

Download and install MacSSH. Now, before we set it up and start using it, we need to get the canonical host keys for Panix. (otherwise, you can't log in without defeating a good portion of the purpose of SSH in the first place. :) )

You can get the keys here: https://setup.panix.com/sshdata/known_hosts

Save this file, and put it in your "System Folder:Preferences:MacSSH" folder. Now MacSSH has identifying information for Panix, and we can start.

2. Logging Into the Panix Shell with MacSSH

Open MacSSH, go to the "Favorites" menu, and choose "Edit Favorites". If you don't have any favorites set up yet, just click "New" here instead.

The "Edit Favorite.." dialog will appear, with several index tabs. Here are the required settings for connecting to Panix using a normal username and password:

In the General tab:

Alias	Panix SSH Web tunnel (or whatever you like)
Host name	`shell.panix.com`
Port	SSH (22)

In the Security tab:

Protocol	SSH 2
Username	Enter your username here to avoid the "username" prompt every time you connect, if you're the only one who uses this favorite. Otherwise, leave it blank.

In the SSH2 tab:

Put a checkmark in "never trust unknown host key".
Encryption	Use all methods shown, in order (except "<none>)
Authentication	MD5
Compression	<none>
Method	Request pty (default)

Now click "OK", and "OK" again to save your new favorite.

To connect with your new favorite, just choose its name from the "Favorites" menu. MacSSH will prompt you for a password (sometimes a username also, if you didn't enter it above), and then you should be in!

Appendix I. Using Port Forwarding to Create a Secure Web Tunnel

Once you've gotten an SSH connection to Panix, you can set up a "port forwarding session" to create a secure tunnel to a trusted Web proxy (for example). Here's how.

Go back to "Edit Favorites" (from the "Favorites" menu) and duplicate (or edit) the favorite you created earlier. Here are the changes you need to make, to add Port Forwarding.

In the SSH2 tab:

Method	change to "Local TCP port forward"
Local port	9999 (almost any number over 8000 will do)
Panix offers Privoxy to our subscribers; to use your SSH tunnel for Privoxy on Panix, use the following settings.
Remote host	localhost
Remote port	8008 (or 8118 if you want to block banner ads too)

Click "OK" and "OK" again to save.

Now, when you connect with this favorite, you have an active tunnel to Panix's Privoxy daemon. To use it, you need to go to your Web browser, and tell it to use a proxy for HTTP and HTTPS.

Set "127.0.0.1" (that's the same as "localhost") as the proxy address, and 9999 (or whatever you put as the "local port" in MacSSH) as the proxy port number. Now, all your Web browsing will go out over the proxy, and appear to be coming from Panix directly.

Appendix II. Using DSA public/private key authentication (advanced)

You don't have to change your favorites to use DSA key-pair authentication, but the tools to set it up are only found in the "Edit Favorites" dialog, under the SSH2 tab. It doesn't matter which favorite you "edit" to do this; your key gets put in a place accessible to all of your favorites.

Click on "Initialize SSH". This will ask you for a pass phrase for your public/private key pair.

Click on "Export public key". This will allow you to save your public key to a file which you can upload to the Unix host.

Now the hard part. Upload the file and edit it. When you bring it up into your editor, it will look like this:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1kc3MAAACBAMWzNSEeaetgGrCNAR1wtmZHTmMf2E6lrYnEnKRIEe1sfmHVu9
eWDzKV8wnTDZ65y8tSi1ZoqmzzZJVuT5BGOD8tgQtfdHEf1pq/Zn1Cx650tn1WCxkOoZgB
djj1G9Ke25M30OpHZ6CX78efnww9oVGLg1+N21rJS7aQdzopAd7Pdxf/d2QYHMVAEqksNu
gCx3AqT+sbZoITiftrTIeoQgKexq+VzQSecP0vuWobwvx4tmX7j0r2zTwZ27Dg5vnMpy3G
HcI4xiDzl5bAiv5FHw==
---- END SSH2 PUBLIC KEY ----
You need to change it so that it looks like this:
ssh-dss AAAAB3NzaC1kc3MAAACBA(...etc....)HcI4xiDzl5bAiv5FHw==
That is, remove the "BEGIN" and "END" lines, crunch the key-string gobbledygook lines into ONE long line, and add the word "ssh-dss" at the front.

This line should go into your ".ssh" directory, and must be named authorized_keys2.

Now, you should be able to just use your favorites to connect to Panix. MacSSH will ask you for your pass phrase once per session. If you can get that far, it is very easy to apply port forwarding rules to other hosts.

NOTE: Many Mac Web browsers don't properly send the public-key over. Mozilla works, and of course any FTP client will do just fine in "Raw Data" mode.

webmaster@panix.com

[ Panix Home ] [ Panix Help System Index ] [ Panix Help System - Security Help ] [ Top of This Page ]