
Setting Up SSH and FTP Port Forwarding
(Macintosh VERSION)

[ Getting the Software | Setting up MacSSH | Setting up Fetch | Using Netscape Composer / Publish ]

Update

Probably due to a widespread problem with the zlib compression library (see http://online.securityfocus.com/bid/4267 - ZLib Compression vulnerability), OpenSSH 3.4 does not use zlib compression. Therefore, if your MacSSH setup uses zlib, you might get the following error when trying to connect to a server:

"do_zlib: inflate() failed: unknown compression method"

To fix this, go to the SSH2 tab in your setup and select "none" as the compression method. The dialog is shown below. See the MacSSH FAQ (http://pro.wanadoo.fr/chombier/FAQ.html#ZLIB) for more information.


This document is merely a "how to set this up" document and has no explanation of what you're actually doing. Those explanations can be found on the SSH and (vs.) VPN page.

This document has instructions for configuring both the Macintosh SSH client and a Macintosh FTP client. If you only want to install and configure the SSH client, simply follow the MacSSH instructions below. Even if you don't want to set up the FTP client right away, it would be prudent to configure MacSSH to support FTP port forwarding, since you'll probably want to use it eventually. Installation instructions for the software come with the downloads.

FTP stands for File Transfer Protocol. Fetch is merely a common FTP client with a nice user interface for Macs. So where it says FTP, read Fetch, if you're using Fetch.

Important:

There are major security concerns with creating these tunnels. When you create them, remember:
  • Open the tunnel with MacSSH (connecting with MacSSH).
  • Open your FTP (Fetch) connection and transfer the files.
  • Close your FTP connection.
  • CLOSE your tunnel (the MacSSH session). If you leave it open, you're leaving the server vulnerable to attack.
  • Never, ever, save your password in a shortcut or alias. Anyone with access to your computer can then use that shortcut without having to guess your password. And applications don't save passwords securely, so if someone broke into (cracked) your computer, your password would be available.


Prerequisites:

  • Mac OS 8.1 or newer, I believe.
  • Valid Unix account on the machine you're accessing.
  • A Mac SSH client that supports Port Forwarding. I recommend MacSSH. More options for ssh-enabled clients are below, but only MacSSH, as far as I know, supports Port Forwarding.
  • An FTP client. I recommend Fetch, but others work too.


Step 1, Getting and Installing the Software.

MacSSH:

Download MacSSH from www.macssh.com, or if you're into such things, the source is at SourceForge. At MacSSH, most computers use the MacSSH PPC version. PPC = Power PC, which is G3 and newer.

Clicking on the link will download the software to your system. If you have stuffit expander, it will automatically unstuff the application and create a folder, probably on your desktop. You can move this MacSSH PPC folder anywhere.

Fetch: Fetch 4, the newest version, is free from Fetch Softworks. I also have a copy which I can install for you. I have not used version 4 much. Fetch 3 is much more common, is free without registration, and can be found here.

If you would like to access the Unix machines in the department via ssh, there are a number of different clients you can use, including:
 

  • NiftyTelnet 1.1 SSH. NiftyTelnet 1.1 SSH implements a subset of the SSH 1.5 protocol. Supported encryption algorithms are DES, 3DES and Blowfish. This program can be used to access the Web server (tmp or www), the other SGI machines (agate, geolab, bif), etc. It can also be used to access the U. e-mail servers. It can not be used to access the file server, or be used as a port forwarding program.
  • BetterTelnet is an enhancement of NCSA Telnet, the most common telnet program on the Macs. The version I downloaded doesn't allow ssh because of export issues. This issue has actually been resolved, but the software I tested wasn't yet up to date.
  • MacSFTP is an SFTP client for Macs. SFTP is similar in usage to FTP, but runs on a completely different protocol. It will secure the entire data stream, and will usually work through a firewall. Check the page above for more info. This product is a fine product, but is not free. Last I checked (Jan '03) it cost $25. But it is easier to use than MacSSH + Fetch. It is available for Classic MacOS (8.1-9.2.2) and also for OS X.
  • MacSSH is based on BetterTelnet, but has the export things fixed, and it also supports Port forwarding. However, it only works on SSH2 enabled servers. The new fileserver and webserver are SSH2 enabled; however, the old ones (geolab, agate, etc.) are not.


Step 2, Configuring MacSSH to do FTP port forwarding through SSH.

Launch the program by clicking on the MacSSH icon: 

To simply open up an SSH session to the server, choose File / Open Connection

Type in the server's name or IP address in Host name.
Make sure you click on Secure Shell, otherwise you'll be using an unencrypted session. The Dept. servers probably won't accept it.

Window Name just puts a title on your window. It makes it easier to keep track of, but doesn't affect anything else.

Add a host with FTP port forwarding enabled:
(creating the SSH tunnel)

In MacSSH, Go to the Favorites / Edit Favorites menu item.

Click on New to get this dialog:

You need to set an Alias (a nickname you'll see in the list of aliases), the Hostname (the Unix machine to which you're connecting), and the Port number (see the SSH and (vs) VPN page).

Alias: Can be anything, but make it easy to remember, such as ftp_www for an ftp tunnel to the webserver.
Host Name: Can also be the IP address. Contact your System Administrator if you're unsure what to use.
Port: You can either type in 22 or select SSH from the picklist. Anything else won't work.

Leave the Network and Terminal tabs unchanged, unless you want things on Terminal to be different, for emacs or anything like that.

Next, click on the Security tab:

Protocol: needs to be changed to SSH (Secure Shell).

For simplicity's sake, you can add in your username below, if you're doing this in your office or at home. Don't do it on a shared computer if someone else is going to use the shortcut.

Do NOT do this in the lab, and under NO CIRCUMSTANCES whatsoever put your password here. That's the equivalent of giving a thief a key to your house. Saving your passwords anywhere but your head is a VERY BAD IDEA. Don't even do it if you're at home, because if someone cracked (broke into) your computer at home, they could get access to the departmental machines as well.

Leave the OTP tab unchanged, unless your site uses One Time Passwords.

Next, click on the SSH2 Tab:
There are lots of things that have to be set on this tab.

Alias will be carried across from when you set it on the General tab.

You can leave the Encryption and Authentication picklists alone.

Choose <none> as the Compression method. This defaults to zlib, but zlib compression has been disabled on the server due to security issues. See the note at the top of this page.

Choose as your Method: LocalTCP port forwarding

Local port: 21    Remote Host: server name or IP address    Remote port: 21

Port 21 is the FTP (Fetch) Port. The Remote Host will be the same information that you put on the General Tab, under Hostname.

Do NOT click on the Enable Guests checkbox. This would allow other people on other computers to use your ssh tunnel to connect to the server using your username and password. Again, this is equivalent to giving your keys to a thief, and it opens up a huge hole in the server's security.
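What the Method / Local port / Remote host settings above actually create is a listener on your Mac that relays each incoming connection to the remote port over the SSH session. The Python script below is an added example, not MacSSH or Fetch code: it implements that client-side relay as a plain (unencrypted) TCP forwarder, together with a constructed stand-in for the server's FTP control port, so the whole thing runs on loopback with no network. The enable_guests flag, the fake "220"/"221" replies and the ephemeral port numbers are assumptions made for the example. It shows concretely what "Enable Guests" changes: with it off the listener is bound to 127.0.0.1, so only programs on this machine (Fetch talking to localhost) can reach it; with it on the listener is bound to every interface, so other hosts could use your authenticated tunnel.

```python
"""Toy local TCP port forwarder: the client-side half of SSH "LocalTCP
port forwarding", minus the encryption to the server.  Added example,
not MacSSH code."""
import socket
import threading


def _pump(src, dst):
    # Copy bytes from src to dst until src closes, then half-close dst.
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LocalForwarder:
    """Listen on a local port and relay each connection to remote_host:remote_port."""

    def __init__(self, remote_host, remote_port, local_port=0, enable_guests=False):
        # enable_guests=False is MacSSH's default: bind to 127.0.0.1 so only
        # this machine can use the tunnel.  True binds every interface
        # (the "Enable Guests" checkbox), letting other hosts ride the tunnel.
        bind_addr = "" if enable_guests else "127.0.0.1"
        self.remote = (remote_host, remote_port)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((bind_addr, local_port))   # local_port=0: pick a free port
        self.listener.listen(5)
        self.local_port = self.listener.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def bound_to_loopback_only(self):
        # The check a cautious user wants: is the tunnel entrance loopback-only?
        return self.listener.getsockname()[0] == "127.0.0.1"

    def _serve(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:          # listener closed
                return
            try:
                upstream = socket.create_connection(self.remote)
            except OSError:
                client.close()
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def close(self):
        self.listener.close()


def start_fake_ftp_server():
    """Constructed stand-in for the remote FTP control port (normally 21):
    sends a 220 banner, answers QUIT with 221 and anything else with 200."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(b"220 fake-ftp ready\r\n")
                for line in conn.makefile("rb"):
                    if line.strip().upper() == b"QUIT":
                        conn.sendall(b"221 Goodbye\r\n")
                        break
                    conn.sendall(b"200 OK\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo():
    """Talk FTP through the forwarder the way Fetch talks to localhost:21.
    Returns (banner, reply to QUIT, whether the tunnel was loopback-only)."""
    srv, remote_port = start_fake_ftp_server()
    fwd = LocalForwarder("127.0.0.1", remote_port)      # guests disabled
    with socket.create_connection(("127.0.0.1", fwd.local_port)) as c:
        rf = c.makefile("rb")
        banner = rf.readline().decode().strip()
        c.sendall(b"QUIT\r\n")
        bye = rf.readline().decode().strip()
    loopback_only = fwd.bound_to_loopback_only()
    fwd.close()
    srv.close()
    return banner, bye, loopback_only


if __name__ == "__main__":
    print(demo())
```

Running the script prints the banner and the QUIT reply exactly as the stand-in server sent them, showing that the client never talked to the server's port directly, only to the local listener. One caveat worth knowing before relying on this setup: forwarding port 21 carries only the FTP control connection; FTP moves file contents over separate data connections (PORT/PASV), which this single tunnel does not cover.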

Leave the Firewall tab unchanged.

When you're done with all of that, click OK. This will create a new shortcut with all of the properties you just set, saved under the Alias name you gave it.

This will put you back at the Favorites window. Click OK.

You can now run this shortcut from the Favorites menu to log into the Server and create your tunnel. You must do this prior to any Fetch connection to the server.

Just type in your username and password, and a window will open similar to your other Telnet sessions. This has opened your SSH port-forwarded FTP tunnel.

The Lock in the upper right hand corner tells you that everything you send across this connection is encrypted.


Step 3, Configuring Fetch to use the SSH connection.

Launch Fetch:

Enter this:

Host: localhost
(Yes, localhost. This is telling Fetch to use your tunnel. Your tunnel is listening for this connection on Local Port 21, which you set in MacSSH.)
[Sometimes localhost doesn't work. In that case, try replacing it with 127.0.0.1 instead.]
User ID: Your username on the Unix machine.
Password: Your password on the Unix machine.
Directory: If you know it, put it in. Fetch will automatically put you into your home directory, though.

To create a shortcut in Fetch that does this:

Choose the Customize / New Shortcut menu item.

Name: An alias you'll remember. This will show up under the Shortcuts picklist on the New Connection... dialog just above.
Type: Unknown
Host: localhost [again, if localhost doesn't work, try 127.0.0.1]
User ID: Your username on the Unix machine.
Password: Your password on the Unix machine.
Directory: If you know it, put it in. Fetch will automatically put you into your home directory, though.

Again, DO NOT put in your password, because then anyone can use this connection.

Click OK, and a shortcut (also called an alias or bookmark) will be created. You can access it from the Shortcuts picklist on the New Connection... dialog just above, and from the File / Open Shortcut menu item.


 

Using Netscape Composer / Publish with an SSH Tunnel

The Netscape Composer Publish utility is simply a different way to use FTP. You create the MacSSH tunnel just as you would for Fetch.

In your Netscape Publish settings, replace the server name (something@geo.umn.edu) with username@localhost, where username is your username on the Unix server. Actually use the word localhost. (Yes, localhost. This is telling Netscape to use your tunnel. Your tunnel is listening for this connection on Local Port 21, which you set in MacSSH. If localhost doesn't work, try 127.0.0.1, but this shouldn't be necessary.)

Nothing else changes from your old settings. Ask if you need more help. 

If you have been saving your password in the past, UNCHECK the box. This is a huge security hole; see the top of this page.

UPenn has some good instructions on how to port forward with MacSSH.

There is excellent documentation at the U. Penn Biology Computing site on how to use MacSSH to port forward Fetch.


Other Resources

Using the commercial F-Secure product. See Setting Up SSH and FTP Port Forwarding (MACINTOSH VERSION) at UW for details.

Also, Niftytelnet has SCP, so if you are familiar with that, niftytelnet is a great way to go.


The Mac SSH client is MacSSH, based on BetterTelnet. It works well, but only supports SSH 2.0.

Some NiftyTelnet instructions. NiftyTelnet can also be downloaded from http://www.lysator.liu.se/~jonasw/freeware/niftyssh/.


©2003 Regents of the University of Minnesota. All rights reserved.