Kermit 95 1.1.21 and later (Windows version only) include a Secure Shell (SSH) client. Initially both SSHv1 and SSHv2 were supported, but SSHv1 support was dropped in Kermit 95 version 3.0.
1. K95 SSH OVERVIEW
2. TYPICAL SSH SESSION
3. SSH AUTHENTICATION OPTIONS
3.1. Host Authentication
3.2. User Authentication
4. KNOWN BUGS
5. THINGS TO WATCH OUT FOR
6. NOT IMPLEMENTED YET
7. COMMANDS FOR SSH
7.1. The SSH Command
7.2. The SET SSH Command
7.3. The SKERMIT Command
8. LOADABLE SSH SUPPORT
SSH was originally added to Kermit 95 because many sites began to refuse Telnet connections (clear-text or secure) and accept only SSH connections. K95 v1.1.21 introduced SSH v1 and v2 clients based on OpenSSH 3.0.2p1, and Kermit 95 version 3.0 switched the implementation to one based on libssh.
The OS/2 version of Kermit 95 does not include an SSH client because the libssh and OpenSSL libraries are not available for Open Watcom, the compiler used to build Kermit 95 for OS/2.
Kermit's SSH connections are configured and controlled by the SSH and SET SSH commands. These are described by HELP SSH and HELP SET SSH (the HELP text is reproduced below).
At the K-95> prompt, simply type "ssh somehost", where somehost is the IP host name or address of the host you want to connect to or, if your user ID on the destination host is different from your local user ID, "ssh somehost /user:remoteuserid" or "ssh remoteuserid@somehost". You might get some messages or questions about the hostname the first time you make a connection, for example:
[C:\K95] K-95> ssh xyzcorp.com The authenticity of host 'xyzcorp.com' can't be established. DSA key fingerprint is 85:f9:8b:cd:23:12:01:d9:cf:7a:12:cf:b5:5d:ab:60. Are you sure you want to continue connecting (yes/no)?
but that's normal for any SSH client. Unless you have reason to believe the host is an imposter, say "yes" (more about this in the next section). Now K95 asks you for your password, you type it into the box, K95 sends it over the encrypted connection, and off you go.
From this point, an SSH session is like any other K95 terminal session. You can escape back to the prompt with Alt-X, return to the terminal screen with C or Alt-X, transfer files, whatever you want. When you log out from the host, K95 should pop back to its command screen automatically, but that depends on the SSH server.
A single instance of K95 presently can not manage multiple terminal sessions, SSH, Telnet, modem, or otherwise, but of course you can run multiple instances of K95. You can, however, have an FTP session and/or an HTTP session at the same time as a terminal session in a single K95 instance.
SECTION CONTENTS
3.1. Host Authentication 3.2. User Authentication
SSH provides security by encrypting the session. SSH can work in the absence of authentication, but it also offers several options for authentication.
In its simplest form, SSH lets the user make encrypted connections without setting up any kind of keys or other special authentication procedures or files, and all the host administrator has to do is install the ssh server and generate host keys. No alteration of the host login system is required. This is why SSH is so popular compared to authentication methods that are more secure and manageable: it's easy to get started. However, this kind of SSH connection does not authenticate the host to the client.
The most important command to know about before you try to make an SSH connection is SET SSH STRICT-HOST-KEY-CHECK. The values are ON, OFF, and ASK.
There are two known-hosts files. A user file is stored in the \v(appdata)ssh directory and is automatically updated based upon the connections you make. The system-wide known-host file is (optionally) stored in the \v(common)ssh directory for the operating system and is never updated by Kermit 95. It is there to be maintained by the system administrator.
Your global known-hosts files are kept in a directory common to all users:
\v(common)ssh\known_hosts2
and your user-specific (and K95-specific) known-hosts files are:
\v(appdata)ssh\known_hosts2
(\v(appdata) is Kermit's User Application Data Directory variable. The user's application data directory is located in a system dependent manner. Windows 95/98/98SE/ME/NT store the application data with the user's profile. Windows 2000/XP store the application data in the Documents and Settings directory, and later Windows releases use the Users directory. Tell K95 to "show var appdata" to see its definition.) Thus, on Windows XP these files are in the SSH subdirectory of your Windows APPDATA directory, e.g.:
c:\Documents and Settings\username\Application Data\Kermit 95\ssh\known_hosts2
And on Windows 11:
C:\Users\username\AppData\Roaming\Kermit 95\ssh\known_hosts2
(\v(common) is Kermit's Common Data Directory variable. The common data directory is located in a system dependent manner. Windows 95/98/98SE/ME/NT store the common application data in the WINDOWS directory. Windows 2000/XP stores the application data in the Documents and Settings\All Users directory. Later windows releases use ProgramData. Tell K95 to "show var common" to see its definition.)
Each file contains a series of (long) "lines", one per host, each line containing the hostname and aliases and then the key in Base 64; this is the host's public key. Adding a host key means appending such a line to the appropriate file.
SSH STRICT-HOST-KEY-CHECK ON gives you some assurrance that the host you have connected to is the one you meant to connect to. But it also means your first connection to a particular host is likely to be refused. It's the classic chicken-and-egg situation. You're supposed to get host keys from a trusted source such as a disk or CDROM from your host administrators, but if you didn't, how do you get a key when it's on the very host you can't connect to because you don't have its key? The possibilities include:
SET SSH STRICT-HOST-KEY-CHECK OFF (or ASK)
and then make an SSH connection to the host, authenticate with your password, and then the host key is automatically retrieved and added to your known-hosts file, and then future connections to that host can be made with SSH STRICT-HOST-KEY-CHECK ON. But of course since you have bypassed the host authentication process to obtain the key, future authentication using this key is worthless and you might as well not have have bothered if it turns out the host you connected to was not the one you were meant to.
You might wonder if keeping host keys is a good idea. The advantage is the protection they offer against man-in-the-middle attacks and DNS spoofing (but not compromised hosts). The disadvantage is that anybody who can access your host keys (legitimately or not) knows which hosts you access, which in itself might be information you'd rather not reveal, but also tells hackers which hosts to attack in your name. As noted, Kermit 95 (like all other SSH clients) appends new host keys to your user host-key file(s). You can delete these files if you wish; for example, in your K95 ON_EXIT macro definition.
The method of client authentication depends on both the configuration of the server (it might not be configured to allow password authentication, especially for privileged accounts), and the order in which Kermit 95 is configured to attempt authentication methods. Which method is used is ultimately up to the server, but for Servers that accept multiple methods Kermit 95 can be configured to try them in a partiular order. By default, this is: GSSAPI, Public/Private Key pair, Keyboard-Interactive, Password.
Password authentication involves Kermit 95 prompting you for your password, then transmitting it (encrypted) to the remote host. This may be disabled by server configuration for privileged (or all) accounts to prevent brute-force attacks, especially on hosts exposed to the public internet.
You can also use public/private key pairs to authenticate. This has a few advantages over password authentication:
The primary down-side is that your private key is normally stored on your hard disk where anyone with access to your computer can get it. If someone manages to steal your private key, then it provides no better security than a regular password provided you encrypted your private key with a string passphrase. If you don't encrypt your private key, then anyone who manages steal a copy of it from your computer will be able to log in as you, no password required.
To use public/private key pairs you must have each host's public key in your PC's \v(APPDATA)\ssh\known_hosts2 file, and you must also upload your own public key to each host and put it in the appropriate place, such as ~/.ssh/authorized_keys when OpenSSH is the daemon. When all the right files and keys are in the right places in the appropriate formats, when you log in you'll be prompted for your private key passphrase (if you set one for your private key) and then login using your public/private key pair. In order to determine the correct type of key to use you must know the configuration of the SSH daemon. If you are not the host administrator, contact the appropriate administrator for assistance. (A common error is to leave the permissions on the ~/.ssh/ directory and the files it contains world or group accessible. SSH daemons refuse to use identity files that are accessible to anyone other than the account owner.
Here's an example. I have a guest ID on a Linux machine at a remote site. If I want to be able to connect using public key authentication, then (1) my end is already done, since K95 added the host's public key to my known_hosts2 file the first time I made an SSH connection to it; but (2) I must add my PC's public key to my:
~/.ssh/authorized_keys
file on the host. In this case there happened to be no such file. So all I had to do was upload my public key to the host as ~/.ssh/authorized_keys. But which public key? That depends on your SSH server. If at all possible, you should use an ED25519 key as the rest have varying levels of security issues. DSA keys are now deprecated and will be removed in a future release of Kermit 95. The required OpenSSH version for some supported key types is listed below:
Key Type Public Key File OpenSSH Version ED25519 key id_ed25519.pub 6.5 or newer (released 2014-01-29) ECDSA key id_ecdsa.pub 5.7 or newer (released 2011-01-24) RSA key id_rsa.pub DSA key id_dsa.pub 7.0 or older
For other SSH servers, you'll have to look up the specifications of the SSH server software in use, or try them one after another until you find one that works.
For GSSAPI authentication to work you need MIT Kerberos for Windows (available here) installed and configured on your PC, and the SSH server you're connecting to must also have Kerberos configured. If everything is set up correctly you should be able to log in automatically with no password required thanks to Kerberos single sign-on.
Keyboard Interactive authentication is entirely up to the server. The server sends one or more prompts to Kermit 95 to have you fill out. These prompts could be for almost anything, but usually it's just a single prompt for your password (equivalent to regular password authentication), or two prompts - one for your password and one for a two-factor authentication token.
The complete list of K95's SSH v2 authentication methods is:
[C:\K95\] K-95> Connection to blah closed.
SECTION CONTENTS
7.1. The SSH Command 7.2. The SET SSH Command 7.3. The SKERMIT Command
The remainder of this document lists K95's SSH-related commands. You can also find most of this information with K95's HELP commmand (HELP SSH, HELP SET SSH, etc). Notation:
Approximate Synonym: SET HOST /NETWORK:SSH. This is exactly like SSH OPEN, except it does not enter the Terminal screen (unless you include the /CONNECT switch). This allows SSH connections to be made in scripts, in which interactions with the host are to be automated. To see how to set up an SSH-based Kermit file-transfer and -management service (similar to SFTP but with greater flexibility, functionality, friendliness, and scriptability), CLICK HERE.
If your username on the host is not the same as K95's \v(userid) value, you must include the /USER: switch to specify the username on the host, or alternatively you can supply your username as part of the host (username@host). You can find out K95's \(userid) value by typing SHOW VAR USERID at the K95 prompt. You can set this variable globally with the SET LOGIN USERID command, in which case it is used for all future network logins until you EXIT from K95. The /USER: switch, on the other hand, applies only to the command with which it is given, and leaves the global USERID setting alone.
Here are the rest of the SSH commands in alphabetical order:
Key Type Private Key File Public Key File RSA keys \v(appdata)ssh/id_rsa \v(appdata)ssh/id_rsa.pub DSA keys \v(appdata)ssh/id_dsa \v(appdata)ssh/id_dsa.pub ECDSA Keys \v(appdata)ssh/id_ecdsa \v(appdata)ssh/id_ecdsa.pub ED25519 Keys \v(appdata)ssh/id_ed25519 \v(appdata)ssh/id_ed25519.pub
Keys are stored using the OpenSSH keyfile format. The private key files can be (optionally) protected by specifying a passphrase. A passphrase is a longer version of a password. English text provides no more than 2 bits of key data per character. 56-bit keys can be broken by a brute force attack in approximately 24 hours. When used, private key files should therefore be protected by a passphrase of at least 40 characters (about 80 bits).
The number of bits allowed depends on the key type. For ED25519, this setting is not relevant so is always 0. DSS can have either 1024 or 2048 bits (default 1024). RSA supports 1024, 2048, 3072, and 4096 or 82192 (default 3072). ECDSA supports 256, 384 or 521 (default 256).
ED25519 is the most modern and secure of the key types supported and should be used whenever the host supports it (most should at this point, as it has been around since the mid-2000s).
This command takes one or more DLL filenames separated by a semicolon (;) which will attempted in order. The first DLL that loads successfully will enable all SSH commands and be used for all SSH operations until Kermit is restarted. When a DLL loads successfully, the SSH LOAD command becomes unavailable.
On some platforms, Kermit 95 might not have this command either because there exists only one compatible SSH backend and its built-in to the .exe file, or because no compatible backend exists for that platform whether built in or in DLL form.
This setting also affects the default name of the user known hosts file. When this setting is unchanged from its default, the default user known hosts filename is known_hosts2 (\v(appdata)ssh/known_hosts2) for compatibility with previous versions of Kermit 95. If you set a different SSH directory (or even the same SSH directory) with the SET SSH DIRECTORY command, then the default user known hosts file will be known_hosts (eg, \v(home).ssh/known_hosts) for compatibility with OpenSSH and other clients.
RSA: \v(appdata)ssh/id_rsa DSA: \v(appdata)ssh/id_dsa ECDSA: \v(appdata)ssh/id_ecdsa ED25519: \v(appdata)ssh/id_ed25519
gssapi publickey keyboard-interactive password
aes256-gcm@openssh.com aes128-gcm@openssh.com aes256-ctr aes192-ctr aes128-ctr aes256-cbc aes192-cbc aes128-cbc 3des-cbc
\v(common)ssh\ssh_known_hosts2
ssh-ed25519 ecdsa-sha2-nistp521 ecdsa-sha2-nistp384 ecdsa-sha2-nistp256 rsa-sha2-512 rsa--256 ssh-rsa
curve25519-sha256 curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group18-sha512 diffie-hellman-group16-sha512 diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha256 diffie-hellman-group14-sha1 diffie-hellman-group1-sha1 ext-info-c
hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-sha1-etm@openssh.com hmac-sha2-256 hmac-sha2-512 hmac-sha1
\v(appdata)ssh/known_hosts2
SSH OPEN host port /USER:username /PASSWORD:pwd /SUBSYSTEM:kermit
Which opens an SSH connection to the host using the kermit subsystem. This requires kermit to be registered as a subsystem with the remote SSH server. For more details on this, see: https://kermitproject.org/skermit.html
Kermit 95 built for certain combinations of Windows versions or OS/2 may support dynamically loadable SSH backends. Rather than SSH being built-in to Kermit 95, it lives in a DLL that is loaded on startup. This allows multiple different backends to be included with the correct one loaded automatically.
At this time the ability to load different SSH backends is primarily used on x86 and x86-64 versions of Kermit 95 for Windows XP and newer where four backends provided:
DLL Description k95ssh.dll For Windows Vista or newer k95sshg.dll For Windows Vista or newer with MIT Kerberos for Windows installed k95sshx.dll For Windows XP/Server 2003 k95sshgx.dll For Windows XP/Server 2003 with MIT Kerberos for Windows installed
If all available SSH backends fail to load when Kermit 95 is started, there are no SSH backends available, or if you instructed Kermit 95 not to load optional network DLLs on startup via command line arguments, you can at any time load an SSH backend using the SSH LOAD command specifying the DLL to load.
This feature, where enabled, also allows 3rd-party SSH backends to be supported. This may be to use a custom build of libssh with different features selected, or an entirely different SSH implementation that allows SSH connections to be made on older Windows releases or IBM OS/2.
[ Top ] [ Contents ] [ K95 Home ] [ Kermit Home ]