SecureCRT for Windows
NRAO Employees: Network access is for use on NRAO-approved machines only. Complete the Permission to Connect non-NRAO Computer to NRAO Network form (PDF) and have it authorized by your local computing division head before attempting any connections except "nraoPUBLIC". Please note that VPN is the preferred remote connection technology.
Visitors: May make use of NRAO public wireless networks where available. For RFI restricted areas, contact the Help Desk.
Secure CRT provides enhanced features that make it more convenient than Putty for those who frequently need a Windows-based SSH client, including:
- Secure access to UNIX and Linux apps
- Configure, manage, and customize up to 5,000 sessions singly or in multiples with full control over scrollback, key mappings, colors, fonts, etc
- Script Recorder automates repetitive tasks by using VBScript, JScript, PerlScript, or Python.
- Transfer files with SFTP or Xmodem, Ymodem, and Zmodem protocols
THE BASICS: SecureCRT Guide
Step 1: Install SecureCRT
For an NRAO computer, ask your local computer support staff to install SecureCRT for you. If need Secure Shell software on a personal computer for work purposes, you may use an NRAO license of SecureCRT. (When you no longer need it for NRAO work, the software must be uninstalled and the license returned to the NRAO.) Media is available from your local computer support staff. Install the software according to its own instructions. Enter the license registration information provided to you exactly as it is shown. Now you are ready to run the program
For predominantly personal use on a home computer or laptop that you own, you may wish to consider either buying a copy of SecureCRT, or if you prefer, using PuTTY, a free secure shell set of programs for Windows. (If you run Linux, Mac OSX, or any of the *BSD variants like FreeBSD, OpenBSD or NetBSD, it's likely you already have OpenSSH installed, and you should go to SSH and SCP Computing Guide pages, not here!)
Step 2: Start SecureCRT
Start up SecureCRT, either by selecting it from the Programs menu or by clicking on its icon. When it starts up, or when you select "Connect" from its File menu, SecureCRT will open a new window.
The very first time you use SecureCRT, only an empty "Sessions" item will be listed. A session is simply the information, or "properties", that SecureCRT uses for connecting to a particular computer or network service. As you create sessions, they will be included in the list. To set up a new connection, click on the "New Session" button; it's the third one from the left up in the top row. (Like many icons in Windows, all of these will pop up labels to say what they do when you move the mouse cursor over them.)
To connect using a session you have already created, double-click on the one you want. If you always use the same one, you can make it the default to automatically initiate the connection when SecureCRT starts.
Step 3: Setting Up SecureCRT Sessions
When you click on the "New Session" button (or, later, when you are making changes to the properties of an existing session).
Here's how to fill out this screen:
- Name:
-
Type in a descriptive name for this session.
- Protocol:
-
Select ssh2 for NRAO connections; our servers support the older ssh1 protocol too, but it has flaws and is not recommended.
Don't use telnet or rlogin!!!
- Hostname:
-
This is the full name, i.e. including the domain part, of the computer you will be connecting to. You can either use a specific computer's name, or one of the service aliases that we have set up, e.g. ssh.<site>.nrao.edu, (where site is one of cv, gb, aoc, or tuc).
- Port:
-
Port numbers identify protocols that are used for various purposes over a TCP/IP network like the Internet. SSH uses port 22; this will be filled in for you already.
- Username:
-
Type in the account name you want to use on the computer you specified.
- Authentication:
-
This tells SecureCRT how to make sure that it's you logging on. For simple logins, tell it to use "Password"; you will then be prompted to enter your password when you connect to the other computer (this is the regular account password that you haven't told anyone else). If you want to be very cautious about making sure that only you can log on this way, you can read about using "public keys" for authentication in the SecureCRT Help. (This is related to "passphrases", which provide an extra [long] password for remote logins).
Next, check the SSH2 settings. When you click on the "SSH2" line in the list of session categories down the left side, the Session Options window will change to look like the dialog box shown on the right.
As a rule, you should leave all of these as the default values unless you really know what you're doing. There are many ways to encrypt data, and SecureCRT supports lots of them. The important thing to check here is that SecureCRT is set to use "Auto Detect" for the "SSH Server" type (this is the default). This setting will work with NRAO SSH servers. If you are setting up sessions for computers somewhere else, you may need a different choice depending on what software they are using. (NRAO is using OpenSSH.)
Try doing some exploring of the other option categories listed down the left side, to see what's available and how you might like to customize SecureCRT's behavior, e.g., colors, fonts, emacs escape-character handling, etc. SecureCRT has extensive clearly-written documentation available through its Help button.
When you're done setting up the session, click on "OK".
If at some point you want to edit the information, i.e. the properties, for a connection that you've already created, either click on the Properties button at the top (the pointing finger symbol), or right-click on the session you want to change. Right-clicking will pop up the menu shown on the right.
Select "Properties" to edit what you've defined for the session you clicked on.
"User Arranged Tree" is an on/off setting that, when selected, allows you to organize your saved session profiles the way you want them. Normally SecureCRT will simply list, alphabetically, all the connection sessions you have ever made, including lots of duplicates. This list will soon become very long and annoying to deal with. With your own arrangement, you can group sessions, remove ones you don't need, etc. simply by dragging and dropping, much as you would do with files in the Windows file "Explorer" tool.
Step 4: Make a SecureCRT Connection
Now you're ready to make a connection.
Double-click on the name of the session you want to use. SecureCRT will contact the computer you told it to in that session's properties.
If you are using your own computer, or an NRAO desktop/laptop assigned to you, choose "Accept & Save". In future when you connect to the same remote system, you won't see a warning like this unless the other system's host key changes. That can happen if the system has been upgraded, or it may be a sign that the system has been tampered with.
For sessions set up on a shared machine, use "Accept Once" so that there is no record of the host key left on it.
If you are an authorized user of NRAO facilities, click on "OK.". (If you aren't, don't proceed any further.)
You will then be prompted to enter your account password.
IMPORTANT NOTE: Please do not tell SecureCRT to remember your password!!! If you do, anyone who sits down in front of this computer can start up SecureCRT and use any of your saved sessions without having to know the passwords. (Cross-platform password saving, e.g. saving the password on a Windows computer to log onto a UNIX system, is against NRAO security policy anyway.) It is especially important never to select this on a shared machine, e.g. on a public PC at a conference.
Step 5: You're logged on!
Assuming you entered the correct account name and password, you will now see a terminal window.
SecureCRT does very standard VT100 terminal emulation, and is smart about things like ANSI colors, adjusting rows and columns if you resize the window, and so on.
This is all you need to know to use SecureCRT for simple logins to NRAO computers.
ONE STEP BEYOND THE BASICS - PORT FORWARDING (a.k.a. TUNNELING)
"Port forwarding" is what happens when you tell SecureCRT to serve as an encrypting channel for other kinds of programs that don't support encryption. This is particularly useful for retrieving your email through POP or IMAP more securely. Your mail reader will talk to SecureCRT, which will encrypt the data (including your password) and send it through SSH to the other system; SSH on that system will then forward the data to its real destination. The same path is used in reverse for any data sent back to your mail reader (i.e. your messages).
To turn on port forwarding through a particular computer (for example, the main ssh login server at an NRAO site, or the POP/IMAP server where your NRAO mail is delivered), first set up a SecureCRT session for that system as described in Step 3 above.
When you have filled in the basic connection information, click on the "Port Forwarding" category down the left side of the window. The window will then change to look like the picture shown here to the right (except that the first time you do this, the "Locally Forwarded Connections" list will be empty).
Click on the "Add" button to create a new forwarding setup; or, to change an existing setup, click on that item and then choose "Edit".
Fill out the information as the screen requests. If you use POP for mail retrieval, enter 110 for the port number; IMAP uses port 143.
Note the section with the box labeled "Destination host is different from the SSH server". This feature is very useful if you can't actually log on to the mail server itself, or if the mail server is not accessible from outside of the NRAO. In this case, set up a session for an NRAO computer that you can log onto, such as ssh.<site>.nrao.edu, tick this box, and after Hostname: enter the name of the real mail server, e.g. mail.<site>.nrao.edu.
When you're all done, click on OK in this window and then also in the Session Options window.
The final step to make port forwarding work for your email is to tell your mail reader to go through SecureCRT to retrieve messages. For Netscape, go to the Edit menu and select Preferences. Under "Mail & Newsgroups", click on Mail Servers. Then click on the "Edit..." button for the incoming mail server, and instead of the Server Name you have now, type in the numeric network address 127.0.0.1. This is a special address that every computer uses to talk to itself. Once you've clicked on OK, Netscape's transmissions to the mail server will be encrypted by SecureCRT, sent to the SSH server, and then forwarded from there to the real mail server.
After this, when you want to retrieve your email from your computer, you must first start up this session in SecureCRT and log on. Then your mail reader can use the secure connection, and neither your password nor the text of your email will be readable by network monitors between your system and the SSH server. NOTE:The traffic between the SSH server and the mail server will not be encrypted, but at that point it is on an internal network and therefore less exposed.
Although this may sound convoluted, it is actually easy to set up by following these instructions (which only has to be done once) and to use, and there is little or no detectable difference in the time it takes to download messages.
Additional SecureCRT Resources
Visit the SecureCRT Frequently Asked Questions page for further user instructions.