Introduction to Secure Shell ssh
Secure Shell (SSH) is a protocol used to login to remote servers from the command line. SSH includes secure features that encrypt data transmitted through the network so that snoopers may not access your data. In this series, we'll go over how to set up SSH as a client, and explain what public/private keys are, and explain all related commands to SSH.
SSH gives you access to the command line of another computer. As we have seen throughout this tutorial series, the command line grants us power to do almost anything we'd like. The ability to control such remote computers gives you the power and flexibility to achieve a variety of tasks.
Here are just two examples of how SSH can help aid in your productivity:
- As a data scientist, you may need to crunch some numbers or processes on a supercomputer with system resources far greater than your home PC.
- As a webmaster, you'll need to rent out a server that runs 24/7. Oftentimes these computers' physical locations are several hundred miles away. To conveniently maintain and update your website you'll need to log into the server with SSH.
Security features of SSH
In the early days of Linux, different protocols were used instead of ssh
. Two examples are telnet
and Virtual Network Computer (VNC). These early protocols worked, but were very insecure since they transferred data in cleartext.
The advantages of using SSH over the legacy alternatives include:
- Allows for authentication features such as SCP (for file transfers), X session forwarding and port forwarding.
- Allows users to confidently perform root tasks, and ensures connection is secure and valid.
- SSH allows for tunneling, which is the process of packaging other unsecure network connections with SSH in order to encrypt its data.
- Avalability on all UNIX-like systems.
One drawback of SSH is the amount of lag due to CPU time being consumed for encryption and decryption. Another more obvious drawback is the learning curve necessary for setup and configuration - but have no fear! This tutorial will explain everything in easy-to-understand terms!
Basic commands and options
The basic command used to secure shell into a computer is simple. We can use ssh
, followed by either the IP address or hostname of the computer you want to log into.
$ ssh 54.201.157.251
# You can use a host name instead
$ ssh ex.amplwebsite.com
Specifying a Username
By default, ssh
assumes that you are trying to log-in with the same username as your local machine. However, your username on the remote server will sometimes be different from your local computer.
To specify your username, you can use the -l
option or type your username before the IP address/hostname followed by an @
symbol.
$ ssh -l user 54.201.157.251 $ ssh user@54.201.157.251
The authenticity of host '54.201.36.76 (54.201.36.76)' can't be established. RSA key fingerprint is c5:23:23:52:00:49:08:04:f9:50:f5:34:7f:aa:ef:27. Are you sure you want to continue connecting (yes/no)?
Upon first logging into a remote computer, you'll be asked a question of whether the authenticity of the host is OK. This is to ensure that you're not the target of a man-in-the-middle attack. Once you've verified the RSA fingerprint, type "yes."
Another handy option used frequently is to specify the port number. The port number identifies to which process a network message should be directed to when it arrives at a server. The default port number for secure shell is 22, and for FTP data transfer it's 20.
Verbose Mode
Sometimes you'll run into some errors, and ssh
will quit with very little information as to what went wrong. To activate verbose mode, use -v
, -vv
, -vvv
, each one increasing in verbosity.
If you have successfully connected, you should notice the .ssh directory in your local home folder.
The ~/.ssh Folder
The .ssh folder located in your home directory (~), and contains all user configurations for secure shell login.
known_hosts
After using ssh
for the first time, you should notice a known_hosts file. This file contains a list of all hash keys for all approved host computers, but won't explicitly indicate which ones. This is an added security measure so that even if hackers access the file, they won't be able to know which servers to compromise.
config
If you have specific parameters you'd like to save for a connection, you can set up a shortcut name, hostname, user, and port number all in the config file.
For example, if you're a bioinformaticist and work on a bioinformatics server, you can input the following data:
Host binf_server
HostName binf.bfx.sju.edu
User student
Port 50433
Now that you have a specific server set up, you may simply type ssh binf_server
to log in, and SSH will load all your default parameters.
authorized_keys
On the host server, you'll see a file called authorized_keys. This is a list of public keys that will allow the corresponding private key to login via key authorization instead of password authorization.
$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCh9aQwyrJJbKiQaKGHDGIUEU1rIfHO6zvsjn+kBzC/xLyxwDUTGsMmwhF0aSgDKW6riCXGP+3Sn23doai3RAsaCMPh1aTo5oOXFQIhhKOZK44MJdA3rypzxq3o0emlcRLA8p/5CzS+EscCUVCmbK9fIbH57jQzxROtCS5nsmoZzawVBz4CN4kaJbtYLf4y7R8BQZHsRV51plmLuazIsd7Ate8HYVVuHM/xQHr9R1MCiFfDUxhH4veHOmw2u2pYp0OAfQALQUtNpzbS7NSWGI7X5lFuSfMrVwfhRUSbpkk1UdMXX7FCMiFOq7pD3lCj/ScQsr7FPBm+/PlH3FhrRkLR example
The random letters, numbers and characters of a key are what makes SSH secure. Let's learn about SSH keys and their types next.
SSH Keys and Uploading onto the Server RSA, DSA
Let's now discuss SSH keys, which are essential to how SSH establishes a connection. Using SSH keys are far more secure than inputting passwords, as the keys are much longer and cannot be cracked with brute force alone.
Why use keys?
Keys serve several advantages over regular passwords:
- The key never leaves the local machine, unlike passwords and passphrases. Every time you type in your password there's a chance it gets stolen (e.g. by a keylogger).
- With the SSH tools introduced shortly, there will be no need to type in a password every time you login to a remote server.
- With a key, a man in the middle cannot hijack your session.
Generating SSH Keys
With the ssh-keygen
command, we can easily generate and review keys to be used with remote hosts. Keys come in pairs, and have different types.
DSA and RSA
Digital Signature Algorithm (DSA) is based on discrete logarithms, while RSA is based on large-number factorization. Both DSA and RSA encryptions are computationally difficult, which allows them to be used for security measures. DSA is considered easier to decrypt with a brute-force attempt than RSA since RSA utilizes a more random key hash generator.
DSA is faster than RSA upon encryption, but slower for decryption. RSA is the opposite.
There are other types of keys, but most SSH keys are based on DSA and RSA. You may look up other keytypes in ssh-keygen
's man
page. To specify the type when creating the keys, pass in the -t
option. The default key type is RSA.
Another option you may specify is -b
. With this, you may specify the number of bits are used in the key. The greater the number of bits, the stronger your key is.
When creating new SSH keypairs, remember two things:
- If you've already created SSH keys, there is no need to run the following command again unless you want different keys for different servers. The key generator will complain and you could end up overwriting your current settings, clearing all previously-established SSH connections.
- Remember to input a passphrase! The longer the passphrase, the better. However, don't use well-known quotes or sayings, which are easily cracked by brute-force attempts.
$ ssh-keygen
Generating public/private rsa key pair. Enter file in which to save the key (/home/user/.ssh/id_rsa): Created directory '/home/user/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user/.ssh/id_rsa. Your public key has been saved in /home/user/.ssh/id_rsa.pub. The key fingerprint is: cc:ac:8e:22:70:dd:67:97:a9:e4:de:f6:27:ea:37:c1 user@sscho1.mylabserver.com The key's randomart image is: +--[ RSA 2048]----+ | | | | | | | + | | . . S + | |. . . ..+ + E | |.. .= o . | |. . o o.. + . | | . .. ...o++.+ | +-----------------+
Congratulations! You have just created your first SSH keypairs. They will be located in your ~/.ssh directory.
$ ls ~/.ssh
id_rsa id_rsa.pub
id_rsa is your private key. This stays on your local system, and you should never share it with anyone - not even your own mother! id_rsa.pub is the public key, which is uploaded to remote servers.
For fun, let's also generate the dsa type. Then you'll end up with two additional files in your .ssh directory.
$ ssh-keygen -t dsa
Generating public/private dsa key pair. Enter file in which to save the key (/home/user/.ssh/id_dsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user/.ssh/id_dsa. Your public key has been saved in /home/user/.ssh/id_dsa.pub. The key fingerprint is: e4:97:ff:00:03:0b:25:d5:cc:64:c4:66:96:d8:b0:53 user@sscho2.mylabserver.com The key's randomart image is: +--[ DSA 1024]----+ | ..+@E. | | o.+@ | | . =+ | | + + . | | S = | | . + | | o | | o | | . | +-----------------+ $ ls ~/.ssh id_dsa id_dsa.pub id_rsa id_rsa.pub
Remember that by default, SSH uses the more complex keypair when more than one pair exists. Thus, id_rsa would be used here.
How Public/Private keys are used to Encrypt/Decrypt data
The private key is stored on your local computer, and should never be shared with anyone. A public key, on the other hand, is copied to all remote servers you wish to access. We'll see how to do this shortly.
So what's the use of having a private and public key? The private and public keys are used to establish a secure connection and generate what's known as symmetric session keys. These keys are then then used to encrypt and decrypt messages across the network.
Now that we've generated keys and understood their purpose, let's learn how to copy our public keys to the remote server we wish to access.
The manual method
You may manually copy the public key by appending the contents of the public key to the end of ~/.ssh/authorized_keys, located on the server you wish to access.
$ cat ~/.ssh/id_rsa.pub | ssh user@54.201.157.251 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Notice that we simply issued a command after the ssh
command. With this, we can run a single line of commands on the server without having to login.
This command will write out the public key to the authorized_keys file. This holds all machines with public keys that should be accepted.
The more automated method
An easier way to perform the same function is with the ssh-copy-id
command, which is only available on Linux distributions (sorry Mac OS X users). If you have more than one type of key within your ~/.ssh directory, the more secure one will be transferred (this usually means RSA).
$ ssh-copy-id user@54.201.157.251
Without a passphrase, you could access the server without a password! Great...but kind of insecure, no?
However, if you decided to follow this guide and inputted a passphrase, you'll be prompted for the passphrase. Secure? Yes. Convenient? No. To learn how to avoid inputting the passphrase every time, we'll need to learn how to use ssh-agent
.
Using SSH Agent to Automate Login ssh-agent, ssh-add
The ssh-agent
program is a daemon (a process that runs in the background) which stores your passphrases in memory, allowing you to easily access remote servers without typing a passphrase each time.
For our case, we have already created SSH keypairs with ssh-keygen
and used ssh-copy-id
to upload our private keys onto the authorized_keys file on our server. The only problem now is that we must input our passphrase upon every connection. Let's see how ssh-agent
can help automate this task.
Running the SSH Agent and adding keys
To start the ssh-agent
, input the command followed by bash
.
$ ssh-agent bash
This will spawn a new bash process, in which ssh-agent
runs in the background and stores the keys in memory. Now we can add our actual keys with ssh-add
.
$ ssh-add
Enter passphrase for /home/user/.ssh/id_rsa: Identity added: /home/user/.ssh/id_rsa (/home/user/.ssh/id_rsa)
If your key is not in the canonical ~/.ssh directory, or has a different filename, type its path directly after the ssh-add
command (e.g. ssh-add /path/to/file
)
Congratulations! Now your passphrase has been added to the ssh-agent
, and you will no longer need to input the passphrase. Now try logging into your server.
$ ssh user@54.201.157.251
Last login: Mon Dec 21 05:19:49 2015 from 104.36.30.122 [user@54.201.157.251 ~]$
Remember that once you exit out of the bash terminal spawned with ssh-agent
, your passphrases will be lost and you'll have to run ssh-agent
and ssh-add
again.
Checking if SSH agent is running
Sometimes you'll need to check whether the ssh-agent
is running or not. We can do so by checking our processes.
$ ps aux | grep ssh-agent
user 2411 0.0 0.0 10616 524 ? Ss 05:35 0:00 ssh-agent bash
Listing all keys added
To view the keys that have been successfully added to the ssh-agent, use the -l
option.
$ ssh-add -l
2048 ec:39:69:3d:c4:8b:63:fd:57:a3:78:51:6d:cd:cd:46 /home/user/.ssh/id_rsa (RSA)
Secure Copying Files scp
Perhaps you only need to upload or download a file from a host, and want the added security features of SSH. We can do so with the scp
command.
Transferring Simple Files
To upload a file, type the command, followed by the file to transfer, then the location.
$ scp sample.txt user@host.edu:
Remember to tack on the colon at the end - otherwise you'll find that you simply made a copy of sample.txt in your current directory called user@host.edu!
To copy it back to your current directory, simply swap the targets around.
$ scp user@host.edu:sample.txt sample.txt
You'll notice that the path following the colon is relative to the home directory (since that's where you are logged in when you ssh
into a host).
$ scp sample.txt user@host.edu:Documents/sample.txt
If you want to copy somewhere other than within your home directory, pass an absolute path after the colon.
$ scp init.d user@host.edu:/etc/init.d
Copying entire directories
To copy entire directories, pass the -r
option. Additionally, you can pass in the -p
option to preserve the timestamps and permission settings.
$ scp -rp mail user@host.edu