By Jonas WalldÄn, <jonasw@lysator.liu.se>. Based on NiftyTelnet 1.1 by Chris Newman, <chrisn+@cmu.edu>.
NiftyTelnet 1.1 SSH home page: <http://www.lysator.liu.se/~jonasw/freeware/>.
Important notes
¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼
Due to a patent conflict on the RSA public-key encryption algorithm this software cannot be used in United States. Affected users may want to try the commercial F-Secure SSH from Data Fellows, Inc instead.
People living in countries where use of encryption software is illegal should not use this program. Check with your local authorities if you are not sure.
This version is based on the US-exportable release of NiftyTelnet and therefore doesn't include the old-style telnet encryption algorithms used in the US-only distribution.
What is NiftyTelnet 1.1 SSH?
¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼
It is a modified version of NiftyTelnet 1.1 where support for the SSH (Secure Shell) protocol has been incorporated. SSH is the de-facto standard for secure terminal sessions in the Unix world, and it's now available for free to the Macintosh community as well.
What is new in Release 3 (r3) of the SSH implementation?
The most important additions are Scp (Secure Copy), RSA authentication, and printing. Moreover, a number of other enhancements and bug fixes have been included. Details are available in the Version History section at the end of this document.
How do I use it?
¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼
To enable the SSH protocol for a session, bring up the edit dialog for your connection shortcut. Switch to one of the SSH encryption methods using the popup menu and you're all set!
What features does/doesn't NiftyTelnet 1.1 SSH implement?
NiftyTelnet 1.1 SSH implements a subset of the SSH 1.5 protocol. Supported encryption algorithms are: DES, 3DES and Blowfish. The IDEA algorithm is not available since commercial use requires a license, and the Arcfour algorithm has been disabled since it could introduce security problems when used in the SSH 1.x protocol.
Password and RSA public-key authentication methods are supported. Features still missing include TCP port forwarding and data compression but they will be considered for future versions. Users in need of a full-blown SSH implementation for the Mac should try the Data Fellows, Inc F-Secure SSH client instead. The web page for this company is <http://www.datafellows.com/>. Another Mac client which handles port forwarding is the free Java-based MindTerm client which can be downloaded from <http://www.mindbright.se/>.
In addition to the SSH protocol NiftyTelnet 1.1 SSH includes a couple of changes to the core of NiftyTelnet. The terminal emulation now defaults to the ISO 8859-1 character set, and the user interface has been updated to take advantage of the Appearance Manager in System 8 and later. There have also been some changes to handle printing and keyboard mapping which was requested by a lot of users.
Copying files securely
¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼
Scp stands for Secure Copy and is a protocol for transferring files to or from a remote host. It uses SSH as the low-level communications protocol and therefore benefits from the security present in SSH. The NiftyTelnet 1.1 SSH implementation is limited by the fact that Scp is a very basic protocol which requires entering of file names into a dialog box instead of browsing a list of all available files.
Scp is accessed by clicking the ╥Scp...╙ button in the New Connection dialog box. It opens a new window where the files to send/receive are specified. When receiving files from the remote host one can enter several file names separated by space. The syntax is the same as for the Unix version of Scp which means that wildcards are possible and quoting is needed for special characters.
The dialog window supports drag-and-drop from the Finder to add files or to set the download folder. If Internet Config is installed NiftyTelnet 1.1 SSH will try to match file type/creator and extensions to determine whether the transfer should be done as text (converting character set and linefeeds) or binary (no conversion). This can be overridden by selecting the appropriate radio button. The ╥Copy Contents of Nested Folders╙ checkbox is equivalent to the -r (recursive copy) option in the Unix version.
This is an alternative authentication method which can be used instead of passwords. It requires public/private key files which can be generated on the remote host using the ╥ssh-keygen1╙ (or similar) utility. Add the public key to your ╥~/.ssh/authorized_keys╙ file and copy the private key to the Mac ╤ using Scp of course! ╤ and put it in the same folder as the NiftyTelnet 1.1 SSH application. To enable the key the name of the key file must be entered in the shortcut settings dialog.
Important note: The contents of the private key file is highly sensitive and should not be made available to other people! If the passphrase is set to an empty string it means that anyone who copies the key file can use it to access to your account. Don't use empty passphrases unless you know what you are doing!
How do I use printing?
¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼
There are three ways to print data in NiftyTelnet 1.1 SSH: print screen, print selection, and remote printing. The first two are self-explanatory but the last one deserves special attention. By sending escape sequences to your terminal window you can start and stop capturing of printer output. These sequences are ╥ESC[5i╙ and ╥ESC[4i╙, respectively. As soon as all printer data has been successfully captured you will see the standard printing dialog window where the usual settings are available. In case sending of printing data is interrupted the capturing mode can be aborted by selecting Reset in the Session menu.
The Page Setup command can be used to set the printer font and font size as well as the margins. Note that recent versions of the LaserWriter driver hide these settings in one of the pages accessible from the popup menu so they may not be easy to find at first glance.
When printing NiftyTelnet 1.1 SSH will honor line-feed and form-feed characters; however, lines which extend beyond the right-hand margin will not be wrapped.
What is the purpose of the ╥NiftyTelnet SSH Known Hosts╙ file?
Whenever you connect to a host NiftyTelnet 1.1 SSH receives a public encryption key. If this key is not known before you have the option to add it to the Known Hosts file. The next time you connect NiftyTelnet 1.1 SSH will compare the key to the one found in the file to see if it has changed; a change may indicate a network intrusion attack which means your password is at risk if you don't disconnect immediately. There are other things that can trigger a change of the key so you may want to ask your system administrator for advice.
The Known Hosts file is by default placed in your Preferences folder but can be moved into the same folder as the application itself. You can edit it using any text editor and the format is compatible with the ╥~/.ssh/known_hosts╙ file in the Unix version.
Where do I send feedback?
¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼
Please send bug reports, comments or feature requests to the email address listed at the top of this document. For bug reports it is very helpful if you include detailed information on how to reproduce the bug and the configuration of your computer.
What source code was used to implement the SSH protocol?
I used the public domain library Crypt++ 2.1 for the encryption. All other source code, except as noted in the copyright section, was written by me from scratch. This is not a port of the Unix version and it is therefore not subject to the license limitations of that distribution.
Is the source code available?
¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼
The author of NiftyTelnet, Chris Newman, has requested that the source for NiftyTelnet should no longer be distributed. The source for my additions are not available at this time because of Swedish crypto export legislation.
Why can't this program be used within United States?
The RSA public-key encryption algorithm is patented by RSA Data Security, Inc. This makes it impossible to use other implementations of the RSA algorithm in countries where the patent is valid. A discussion on this patent can be found at <http://www.cyberlaw.com/rsa.html>.
Where can I get more information on NiftyTelnet or SSH in general?
The documentation for NiftyTelnet 1.1 is included in this distribution. Please read it for information on NiftyTelnet in general. There is also an Apple Guide help file which is accessible from inside the application by selecting ╥NiftyTelnet Guide╙ from the Help menu.
The NiftyTelnet home page is <http://andrew2.andrew.cmu.edu/dist/niftytelnet.html>.
There is a SSH FAQ (Frequently Asked Questions) page at <http://www.employees.org/~satch/ssh/faq/>. Another source of information is the ╥man╙ command on a Unix system; ╥man ssh╙ and ╥man scp╙ are good starting points.
Distribution
¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼
NiftyTelnet 1.1 SSH may only be distributed as long as no fee is charged. Also, any distribution must be in accordance to the restrictions listed at the top of this document.
Acknowledgements
¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼
Special thanks to Chris Newman for letting me use his excellent NiftyTelnet as the foundation for my SSH client. Thanks to Ariel Futoransky for granting me permission to include the CORE SDI attack detection patch.
I also want to thank all users who have sent bug reports, suggestions and other feedback. You are far too many to be listed here but your help is very much appreciated!
Copyright
¼¼¼¼¼¼¼¼¼¼¼¼¼¼
SSH implementation:
Copyright ⌐ 1998-1999 Jonas WalldÄn.
MD5 implementation ⌐ 1995 Eric Young.
CRC32 attack detection patch ⌐ 1998 CORE SDI S.A., Buenos Aires, Argentina. All rights reserved.
THIS SOFTWARE COMES WITHOUT WARRANTIES. THE SOFTWARE IS PROVIDED AS IS AND
JONAS WALLDEN AND ALL OTHER COPYRIGHT HOLDERS DISCLAIM WARRANTIES OF ANY KIND,
INCLUDING EXPRESSED AND IMPLIED WARRANTIES. IN NO EVENT SHALL THE COPYRIGHT
HOLDERS BE LIABLE FOR DAMAGES, INCLUDING BUT NOT LIMITED TO GENERAL, SPECIAL,
DIRECT, INDIRECT, EXEMPLARY OR CONSEQUENTIAL DAMAGES, RESULTING FROM USE OR
MISUSE OF THIS SOFTWARE, OR LOSS OF USE, DATA OR PROFITS.
NiftyTelnet 1.1:
Copyright ⌐ 1990-1996 by Christopher J. Newman. All Rights Reserved.
Permission to use, copy, modify, and distribute this software and its
documentation for any purpose is hereby granted without fee, provided that
the above copyright notice appear in all copies and that both that
copyright notice and this permission notice appear in supporting
documentation, and that the name of Christopher J. Newman not be used in
advertising or publicity pertaining to distribution of the software without
specific, written prior permission. Christopher J. Newman makes no
representations about the suitability of this software for any purpose. It
is provided "as is" without express or implied warranty.
CHRISTOPHER J. NEWMAN DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT
SHALL CHRISTOPHER J. NEWMAN BE LIABLE FOR ANY SPECIAL, INDIRECT OR
CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE,
DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
OF THIS SOFTWARE.
Version history
¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼
NiftyTelnet 1.1 SSH r3 ╤ June 7, 1999:
Fixed crash at end of Scp file transfers on Macs running System 7.x.
No more ╥Junk data╙ log messages on host computer after completed Scp operations. This bug was probably also responsible for the infinite error messages bug when running out of disk space while receiving a file.
A bug causing a lockup when connecting to a non-SSHd port is fixed. NiftyTelnet 1.1 SSH used to sit in an infinite loop waiting for a response message which never arrived.
Scp now handles file names containing space characters better than before.
Scp preserves file name extensions when truncating names longer than 31 characters. This makes it easier for Internet Config to determine the best file type and creator for received files.
Provided additional control over what transfer mode (text/binary) is used for Scp.
Improvements to the way memory buffers are used. NiftyTelnet 1.1 SSH will now use temporary memory if needed for large transfers which means that the default memory partition should be sufficient for all but the most extreme cases.
Added some code to prevent annoying white flicker when updating windows with non-white background.
VT100 graphics characters are now shown no matter which font is used.
Printing! This includes print screen, print selection, and remote printing (activated by VT100 escape sequences). Located in the Page Setup window are settings for font, font size and margins. When capturing print data the startup disk is used for spooling to avoid running out of memory.
Rewrote parts of the connection process to retry authentication if the first attempt fails. Note that the user name field is locked since the name has already been sent to the host and cannot be changed at that time.
Complete rewrite of font scanning. The previous code inherited from NiftyTelnet was broken and very slow on Macs with Adobe Type Reunion and a large number of fonts installed. (I don't remember if this fix was included in the public r3 beta, but probably not.)
Passwords are now sent using ISO 8859-1 encoding. (Thanks to my brother Daniel for reporting this bug!)
Updated error message for failed RSA authentication attempts.
RSA passphrases may be cached in RAM until the application quits or they are purged automatically (which happens after a number of hours).
The Meta key, which used to be hardwired to Control+Command, is now customizable. Note that selecting Command only will disable menu shortcuts, and using Option only will make a special characters inaccessible from the keyboard.
Added a setting for sending escape sequences for Insert, Delete, Home, End, Page Up and Page Down keys. By combining with any of Control, Option or Shift keys the behavior opposite to the selected setting can be accessed.
Finder aliases for the Preferences file, the Known Hosts file and RSA private key files are now resolved correctly.
Interpretation of ╥meta characters╙ is avoided when placing shortcut names into menus. Previously characters such as ( and - caused menu items to be disabled or missing.
Added clickable URL to the About window.
NiftyTelnet 1.1 SSH r3 beta ╤ February 8, 1999:
First implementation of Scp.
RSA authentication.
Some screen updating problems fixed, particularly scrollbars which were not redrawn correctly, and areas behind dialog windows.
Disabled any command key shortcuts except Command-A and Command-. in password fields.
Integrated patch for launching on PowerMac computers using MacTCP.
Fixed so forward delete key works in dialog boxes.
NiftyTelnet 1.1 SSH r2 ╤ November 17, 1998:
Fixed a crashing bug in the internal buffering of network data. This would mainly cause trouble when pasting or dragging large amounts of text into a terminal window.
Entering passwords longer than 16 characters should no longer crash the application. The maximum password length has been increased to around 250.
Double-clicking the ╥NiftyTelnet SSH Known Hosts╙ file is no longer causing a crash. Instead an error message tells the user to open the file in a text editor.
Command-. now works as a shortcut for the Cancel button in the password authentication dialog even when the password text field is the current input field.
The about box and documentation have been updated on the RSA patent restrictions. As far as I know only U.S. users are affected, not all North American users as previously stated.
Added a warning to the documentation about the lack of old-style telnet encryption in this application. Users in need of this feature should get the US-only release of NiftyTelnet 1.1.
NiftyTelnet 1.1 SSH ╤ August 20, 1998:
Changed the way disconnect and exit confirmation messages are sent to the server to be more in line with the protocol specification.
Added the CORE SDI crc32 attack detection patch.
Disabled the Arcfour cipher since it's no longer considered secure when used in the SSH 1.x protocol. It may return later on if SSH 2.0 protocol support is added.
Merged the PPC and 68K applications into a single fat binary.
Set the Known Hosts file type to TEXT and changed the line breaks to Mac standard.
More error checking for out of memory conditions.
Moved a handful of hardcoded strings into the resource fork to ease localization.
NiftyTelnet 1.1 SSH beta 1 ╤ July 21, 1998:
First ╥public╙ release. Very limited distribution.
