Secure Access to Sociology Systems with TeraTermSSH

TeraTermSSH is a freely available terminal program that serves as a telnet replacement for remote access to Sociology and OIT UNIX systems. It can be installed on home PCs and laptops. When properly configured, it provides the following functions:

  • Secure Terminal Emulation - TeraTermSSH provides standard terminal services (just like a telnet program) with the added feature that it encrypts the flow of data to and from the remote UNIX computer. This is highly desirable because it prevents the passing of clear text passwords and other sensitive information that can compromise security and undermine privacy.

  • X Forwarding - When working on UNIX systems one may want to run programs that require an X-windows graphical display (such as SAS or Stata). TeraTerm does not have the facility to handle such display functions, but it can be set to forward such requests to a pre-loaded PC X server. When remotely connecting to Duke through services that assign a Duke IP number, the X-Win 32 server distribution available under a Duke site license agreement may be freely used for providing PC X server services. Other types of connections through Internet service providers (ISPs) require the use of a commercial PC X server product similar to the Reflection X product used within the department.

  • Port Forwarding - TeraTerm takes care of the problem of secure terminal emulation, but other major uses of the UNIX system are for email and file transfers. These applications also run, like insecure telnet, through ports that transfer information as clear text. However, your email and ftp clients can be configured to forward their traffic through the secure port used by TeraTermSSH, thus encrypting both of these key Internet uses. Port forwarding is also referred to as "tunneling".

These notes explain how to obtain, install and configure TeraTermSSH to perform these functions. All users should begin moving toward the use of TeraTerm or some other secure shell program for remote access of Sociology systems.

Obtaining TeraTermSSH and X-Win 32

A convenient, Sociology-configured version of TeraTerm may be downloaded from the following Arts and Sciences site, where you should select the "Sociology" link. This will download a self-extracting zip file called ssh_soc.exe that you can simply double-click on to install.

Access to the above site is limited to Duke network connections, so if you experience problems, stop by the Sociology computing office to pick up a copy of ssh_soc.exe on a single floppy disk, which you can keep for any installation you need to do.

The X-Win 32 software can be downloaded from the OIT Site License page: go to the "Software Library" and follow the "Micro X-Win 32" link under the X-Windows section. The software has built-in licensing restrictions, so it will not work for you if you connect remotely through a non-Duke network connection.

Installing the Sociology-configured Version of TeraTermSSH

[These instructions, in similar form, are also found on the Arts and Sciences page from which this version originates.]

  1. Save the downloaded file to a directory on your hard drive.
  2. Open the ssh_soc.exe file by double-clicking it.
  3. You are asked where to install the program. Click OK to install the program in the default location C:\Program Files\ttermpro.
  4. Go to the directory where the program is installed (C:\Program Files\ttermpro) and right-click on the file ttssh.exe.
  5. A drop down menu will appear. Click on Create Shortcut.
  6. Drag the shortcut to your desktop or the desired folder. Double-click on this shortcut to run SSH.
The following sections deal with various aspects of configuring TeraTerm. Some of the configuration settings described will already be set in the Sociology version you have installed. Others will not have been set and are described for your information. In any event, knowledge of how these settings are applied is helpful in understanding how the various functions of TeraTerm work.

Configuring TeraTermSSH for Basic Terminal Emulation

  1. Double-click the icon to start TeraTerm. A terminal window will open followed by an additional "New Connection" window prompting for the desired host. Close this second window.

  2. The standard 80 column by 24 row window can be enlarged by selecting [Setup|Terminal...] and resetting these specifications. I recommend leaving the column setting at 80 and increasing the row setting to a value that suits you and fits your screen. Click OK to close.

  3. Select [Setup|Window...] to set window characteristics. These include the title of the window, cursor shape, number of lines that you can scroll back and the colors of the text and window background. Click OK to close.

  4. Select [Setup|Font...] to choose a font and size that suits you. Click OK to close.

  5. Select [Setup|TCP/IP...] to configure the list of hosts to which you commonly connect. There will be a set of default host specifications, all of which can be removed. Then enter each host specification in the top box and click on "Add" to include it in the list below. The list can be reordered by highlighting an individual entry and using the "Up" or "Down" buttons to shift its placement. The top entry in the list should be set to the host you most frequently access, since this will become the default host when you open TeraTerm. Make sure that "Telnet" is unchecked and the port number setting is 22. This is the port setting used by secure shell connections. Click OK to close.

  6. This completes the basic required configuration. Select [Setup|Save Setup...] to save your configuration. A "Save Setup" dialog box opens in which the default TERATERM.INI config file is saved to the installation directory. Accept this setting by clicking the "Save" option.
Now, when you click the TeraTerm icon, a terminal window will open and the "New Connection" window will prompt for a host selection from the list you entered. You are not restricted to this list. Unlisted hosts may be accessed by replacing what appears in the "Host" box. All connections should default to the preferred SSH type going through port 22; however, this can be changed to a telnet type when necessary. After the connection is specified, a dialog box opens prompting for userid and password. When user authentication is complete, a terminal session is established.

Configuring X Forwarding

X window display capability requires that a PC X server be loaded and that TeraTerm be configured to forward such requests to the X server. Failing this, commands that require an X display will abort with an error message indicating inability to open the display.

Configure TeraTerm to forward by selecting [Setup|SSH Forwarding...] and checkmarking the box labeled "Display remote X applications on the local X server." Save this setting to your TERATERM.INI file.

As noted earlier, OIT distributes the X-Win 32 server software from the Site License Software page. This software has a built-in licensing restriction that requires machines using it to have IP addresses in the 152.3.xxx.xxx or 152.16.xxx.xxx ranges. These are the subnets assigned for Duke IPs. If you are using an external Internet service provider, you will not have an IP in these ranges and will be unable to use Duke's X-Win 32 distribution. X-Win 32 should work for you under the following conditions:

  • You are accessing Duke through the public modem pool.
  • You are a subscriber to the Duke ADSL program.
  • You have an ethernet connection directly on the Dukenet backbone, such as through Resnet.
Just to put things in perspective, access to X display services is more of a luxury than a necessity for most. Many of the applications that use X services can also be run in a batch mode that is preferable when running remotely. X windows produces considerable network traffic and the degradation in performance is noticeable through slow modem connections.

Port Forwarding - The TeraTermSSH Configuration

Port forwarding typically involves running TeraTermSSH in conjunction with an FTP or email client. TeraTerm is run first to establish a secure port connection, then the application is loaded and its data are tunneled through the secure port. If you forget to load TeraTerm, the FTP or email application will fail to connect. For this to work properly, TeraTerm must be configured to tunnel the data sent and received by the client application and the FTP or email client must be configured to redirect its data through the secure TeraTermSSH port. First, we consider TeraTerm configuration.

  1. From a TeraTermSSH window select the [Setup|SSH Forwarding...] option. This will open up the "Forwarding Setup" window like that shown below.

  2. Click on "Add", which opens an "SSH Port Forwarding" window like that below. For our Email client (assuming that it uses an IMAP configuration) we need to forward the IMAP port, through which mail is received, and the SMTP port, through which mail is sent. The figure illustrates the setup for IMAP port forwarding.

    • Select the "Forward local port" radio button.
    • Type "imap" as the port being forwarded (or select it from the pulldown menu).
    • Type "courrier.soc.duke.edu" as the remote machine.
    • Repeat "imap" as the port assignment on remote end.
    • Click OK.

    The window closes and the forwarded port should now be listed in the "Forwarding Setup" window.

  3. Repeat step 2 for the "smtp" port, using the same remote server specification.

  4. Now, to tunnel FTP services, we need to repeat these steps for the "ftp-data" and "ftp" ports. The former carries the data transferred; the latter carries ftp commands that you type or apply through a menu interface. The remote machine in this case is "angst.soc.duke.edu". When complete, your "Forwarding Setup" window should look as follows:

  5. Save these settings to your TERATERM.INI file.
If you are running a POP3 email client, forward to "courrier.soc.duke.edu" the "pop3" port instead of the "imap" port. Forwarding will be available with each subsequent invocation of TeraTermSSH.

Port Forwarding - Configuration of Commonly Used FTP and Email Clients

Now your FTP and email clients must be configured to use the port forwarding setup. The key word for making this happen is localhost. Each client requires the replacement of one or more configuration parameters with the word "localhost". This causes that application to redirect packet flows to TeraTermSSH. TeraTermSSH then receives the packet flow, encrypts it and tunnels it to the appropriate port on the remote host programmed into the forwarding setup. Detailed below are the specifics for various clients. To work properly, all of these setups require prior configuration of port forwarding in TeraTerm and that a TeraTerm session be open.

WS_FTP - Create a new "Session Profile" for secure FTP:

  1. For "Profile Name" enter something descriptive like "Secure FTP - Sociology".
  2. In the "Host Name" field enter "localhost".
  3. In the "User ID" field enter your userid.
  4. Click the "Advanced..." button, select the "Passive transfers" option and click "OK" to close the "Advanced Profile Parameters" dialog.
  5. Click "Save" to save your profile.
Note regarding FTP clients -- Under the tunnelled configuration, your FTP client must be able to perform "passive" transfers, as configured into WS_FTP above. The command line FTP that is bundled into Windows is not capable of passive transfers, so it cannot be used. If a client is not configured to run in passive mode, it will connect to the UNIX server, but your first attempt to bring data back from the server will fail with the message, "Can't build data connection." Review the client documentation for a passive mode setting. If it has a command line prompt mode, test by typing "help" at the ftp prompt and review the commands listed for PASV or passive. If present, you should be able to enter passive mode by typing that command.
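
An added example (not part of the original notes) for checking which FTP connections the forwarding setup and the passive-mode note above actually cover: it reads the address field of a PORT command or a 227 passive reply and reports whether that data connection goes through a local forward, goes directly between client and server, or fails as in the "Can't build data connection" case. The port numbers are the standard assignments for the service names used in the forwarding steps; the sample lines and the 192.0.2.10 address are constructed.

```python
import ipaddress
import re

# Local forwards from the "Forwarding Setup" steps: local port -> (remote host, port).
# Port numbers are the standard assignments for the service names (assumption).
FORWARDS = {
    143: ("courrier.soc.duke.edu", 143),  # imap
    25: ("courrier.soc.duke.edu", 25),    # smtp
    20: ("angst.soc.duke.edu", 20),       # ftp-data
    21: ("angst.soc.duke.edu", 21),       # ftp
}

# h1,h2,h3,h4,p1,p2 as used by PORT commands and 227 replies (RFC 959).
_ADDR = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

# Constructed control-channel lines; 192.0.2.10 is a documentation address.
SAMPLES = [
    "PORT 127,0,0,1,4,210",                           # active client on localhost:21
    "227 Entering Passive Mode (192,0,2,10,195,80)",  # passive reply from the server
]


def parse_endpoint(line):
    """Return (IPv4Address, port) announced in a PORT command or 227 reply."""
    m = _ADDR.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % line)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("field out of range in %r" % line)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def classify(line):
    """Describe where the data connection announced by this line will go."""
    ip, port = parse_endpoint(line)
    if line.lstrip().upper().startswith("PORT"):
        # Active mode: the server dials the address the client announced.
        if ip.is_loopback:
            return "fails: server would dial its own loopback, port %d" % port
        return "direct: server dials %s:%d, outside the SSH session" % (ip, port)
    # Passive mode: the client dials the address the server announced.
    if ip.is_loopback:
        if port in FORWARDS:
            return "tunneled: local forward to %s:%d" % FORWARDS[port]
        return "fails: no forward listens on local port %d" % port
    return "direct: client dials %s:%d, outside the SSH session" % (ip, port)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify(sample))
```

A passive reply that names the server's own address is reported as direct, so in that case only the control channel (userid, password and commands) travels inside the SSH session.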

Pegasus Mail - First, attend to the receiving side:

  • For IMAP configurations, select [Tools|IMAP Profiles] to open the IMAP profile manager. Select your Sociology profile for editing and change the "IMAP Server address" setting to "localhost".
  • For POP3 configurations, select [Tools|Internet Options...], select the "Receiving(POP3)" tab and change the "POP3 host" setting to "localhost".
Then configure the sending side:

  • Select [Tools|Internet Options...], select the "Sending(SMTP)" tab and change the "SMTP host" setting to "localhost".
PC Pine Email - Pine configuration is done through the setup menus:

  1. From the main menu select [Setup|Configure].
  2. Change the "smtp-server" setting from "courrier.soc.duke.edu" to "localhost".
  3. Change the "inbox-path" setting from "{courrier.soc.duke.edu}INBOX" to "{localhost}INBOX".
  4. If your "default-fcc" setting is "{courrier.soc.duke.edu}Mail/sent-mail", change it to "{localhost}/Mail/sent-mail".
  5. If you have configured a remote addressbook, select [Setup|AddressBooks], select the remote addressbook configuration and change the "Server Name" from "courrier.soc.duke.edu" to "localhost".
Eudora Pro Email - Eudora is altered through the "personality" configuration:

  1. Select your Sociology personality, right-click on it to bring up the popup menu and select the "Modify" option.
  2. Under the "Generic Properties" tab, change the "SMTP Server" specification to "localhost".
  3. Under the "Incoming Mail" tab, change the "Server" specification to "localhost".
Microsoft Outlook Email - Perform the following steps:

  1. Select [Tools|Accounts...] to open the "Internet Accounts" dialog box.
  2. Select the "Mail" tab, then highlight your Sociology account.
  3. Click on the "Properties" option to open the "Properties" box.
  4. Click on the "Servers" tab.
  5. Change the "Incoming mail (IMAP)" entry from "courrier.soc.duke.edu" to "localhost".
  6. Change the "Outgoing mail (SMTP)" entry from "courrier.soc.duke.edu" to "localhost".
  7. Click "Apply", then "OK".
  8. Click "Close" on "Internet Accounts".
  9. Exit and reload Outlook.
Netscape Communicator (4.61) - Messenger Facility - Configured through the preferences menus.

  1. Select [Edit|Preferences].
  2. Under "Mail & Newsgroups" select "Mail Servers".
  3. In the "Incoming Mail Servers" section, select "Add...".
  4. The "Mail Server Properties" window opens.
    • For the "General" tab:
      • Set "Server Name" to localhost.
      • Set "Username" to your UNIX userid.
      • Select the box to check for mail every 15 minutes.
    • For the "IMAP" tab:
      • Check 'Cleanup("Expunge") INBOX on exit'.
      • Check "Empty Trash on exit".
    • For the "Advanced" tab:
      • Check "Show only subscribed folders".
  5. Click "OK" when done and select the "Set as default" option for the new localhost server.
  6. Under the "Outgoing Mail Server" section:
    • Enter localhost into the "Outgoing mail (SMTP) server" field.
    • Enter your UNIX userid into the "Outgoing mail server user name" field.

Extensions to This Security Model

The purpose of moving to the use of secure shells like TeraTermSSH is to harden the security of our systems and better ensure the privacy and integrity of your account. After opening an SSH session on a Sociology system, one often has need to open a session on another system. For example, you log in to angst and now want to telnet to charisma or an acpub machine. Here again, there are better options than opening a "telnet" session.
  • From a Sociology login you can go elsewhere by using the ssh command in place of telnet. Ssh is the UNIX equivalent to TeraTermSSH.

    > ssh charisma
    > ssh godzilla.acpub

    The above examples will open secure shell connections from angst to charisma or to one of the godzilla machines respectively. Similarly, from acpub logins you can ssh back to Sociology systems. [Note, when going to godzilla, you probably will get a warning message about host identification problems. Godzilla connections are actually made to one of six different machines. Each time you connect you are going to attach to a different machine, which causes ssh to warn you. Ignore the warning and complete the login.]

  • Alternatively, you may open additional TeraTerm windows to other systems. You will receive messages about the tunnelling aspects not working for these sessions. Not to worry, as this is simply an artifact of port forwarding already being in effect for the first session you opened.
Observing these practices helps to keep secure all of the various network links you have open at one time.
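
The host identification warning described for godzilla arises because the client has one key recorded for the name while six machines answer to it. The following added example (not from the original notes) assumes OpenSSH-style known_hosts lines and uses constructed stand-in keys to show that recording every pool member's key under the shared name lets legitimate members match while an unlisted key still produces the warning.

```python
import base64
import fnmatch
import hashlib


def fake_key(label):
    """Constructed stand-in for a base64 public key blob; not a real key."""
    return base64.b64encode(("constructed-key-" + label).encode()).decode()


# Six machines answer to one name, as described for godzilla above.
POOL = [fake_key("pool-%d" % i) for i in range(1, 7)]
ONE_PINNED = "godzilla.acpub ssh-rsa %s\n" % POOL[0]
ALL_PINNED = "".join("godzilla.acpub ssh-rsa %s\n" % k for k in POOL)


def fingerprint(key_b64):
    """SHA256 fingerprint as OpenSSH prints it (unpadded base64 of the digest)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def pinned_keys(known_hosts_text, host):
    """Collect (keytype, key) pairs that plain known_hosts lines pin for host."""
    keys = set()
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @markers and hashed (|1|...) host names.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        patterns = fields[0].split(",")
        negated = [p[1:] for p in patterns if p.startswith("!")]
        plain = [p for p in patterns if not p.startswith("!")]
        if any(fnmatch.fnmatchcase(host, p) for p in negated):
            continue
        if any(fnmatch.fnmatchcase(host, p) for p in plain):
            keys.add((fields[1], fields[2]))
    return keys


def check(known_hosts_text, host, keytype, key_b64):
    """Return 'match', 'changed' (the warning case) or 'unknown' for an offered key."""
    pinned = {k for t, k in pinned_keys(known_hosts_text, host) if t == keytype}
    if not pinned:
        return "unknown"
    return "match" if key_b64 in pinned else "changed"


if __name__ == "__main__":
    for text in (ONE_PINNED, ALL_PINNED):
        print(check(text, "godzilla.acpub", "ssh-rsa", POOL[3]), fingerprint(POOL[3]))
```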

Finally, the emphasis of this discussion is on remote access practices. When you are working within the department, secure shell connections are not critical because the network traffic is confined to local networking channels that are secure. So we continue to use Reflection X for terminal connectivity, even though it is not a secure shell program. When going outside the department to other systems, including acpub, it is a good practice to use a secure shell program. This can be done by logging onto angst and then opening an ssh connection to wherever you need to go. If ssh is not supported by the remote site, then drop back to telnet.

