Introduction to Secure Shell ssh
Secure Shell (SSH) is a protocol used to login to remote servers from the command line. SSH includes secure features that encrypt data transmitted through the network so that snoopers may not access your data. In this series, we'll go over how to set up SSH as a client, and explain what public/private keys are, and explain all related commands to SSH.
SSH gives you access to the command line of another computer. As we have seen throughout this tutorial series, the command line grants us power to do almost anything we'd like. The ability to control such remote computers gives you the power and flexibility to achieve a variety of tasks.
Here are just two examples of how SSH can help aid in your productivity:
- As a data scientist, you may need to crunch some numbers or processes on a supercomputer with system resources far greater than your home PC.
- As a webmaster, you'll need to rent out a server that runs 24/7. Oftentimes these computers' physical locations are several hundred miles away. To conveniently maintain and update your website you'll need to log into the server with SSH.
Security features of SSH
In the early days of Linux, different protocols were used instead of
ssh. Two examples are
telnet and Virtual Network Computer (VNC). These early protocols worked, but were very insecure since they transferred data in cleartext.
The advantages of using SSH over the legacy alternatives include:
- Allows for authentication features such as SCP (for file transfers), X session forwarding and port forwarding.
- Allows users to confidently perform root tasks, and ensures connection is secure and valid.
- SSH allows for tunneling, which is the process of packaging other unsecure network connections with SSH in order to encrypt its data.
- Avalability on all UNIX-like systems.
One drawback of SSH is the amount of lag due to CPU time being consumed for encryption and decryption. Another more obvious drawback is the learning curve necessary for setup and configuration - but have no fear! This tutorial will explain everything in easy-to-understand terms!
Basic commands and options
The basic command used to secure shell into a computer is simple. We can use
ssh, followed by either the IP address or hostname of the computer you want to log into.
$ ssh 188.8.131.52 # You can use a host name instead $ ssh ex.amplwebsite.com
Specifying a Username
ssh assumes that you are trying to log-in with the same username as your local machine. However, your username on the remote server will sometimes be different from your local computer.
To specify your username, you can use the
-l option or type your username before the IP address/hostname followed by an
$ ssh -l user 184.108.40.206 $ ssh email@example.com
The authenticity of host '220.127.116.11 (18.104.22.168)' can't be established. RSA key fingerprint is c5:23:23:52:00:49:08:04:f9:50:f5:34:7f:aa:ef:27. Are you sure you want to continue connecting (yes/no)?
Upon first logging into a remote computer, you'll be asked a question of whether the authenticity of the host is OK. This is to ensure that you're not the target of a man-in-the-middle attack. Once you've verified the RSA fingerprint, type "yes."
Another handy option used frequently is to specify the port number. The port number identifies to which process a network message should be directed to when it arrives at a server. The default port number for secure shell is 22, and for FTP data transfer it's 20.
Sometimes you'll run into some errors, and
ssh will quit with very little information as to what went wrong. To activate verbose mode, use
-vvv, each one increasing in verbosity.
If you have successfully connected, you should notice the .ssh directory in your local home folder.
The ~/.ssh Folder
The .ssh folder located in your home directory (~), and contains all user configurations for secure shell login.
ssh for the first time, you should notice a known_hosts file. This file contains a list of all hash keys for all approved host computers, but won't explicitly indicate which ones. This is an added security measure so that even if hackers access the file, they won't be able to know which servers to compromise.
If you have specific parameters you'd like to save for a connection, you can set up a shortcut name, hostname, user, and port number all in the config file.
For example, if you're a bioinformaticist and work on a bioinformatics server, you can input the following data:
Host binf_server HostName binf.bfx.sju.edu User student Port 50433
Now that you have a specific server set up, you may simply type
ssh binf_server to log in, and SSH will load all your default parameters.
On the host server, you'll see a file called authorized_keys. This is a list of public keys that will allow the corresponding private key to login via key authorization instead of password authorization.
$ cat authorized_keys ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCh9aQwyrJJbKiQaKGHDGIUEU1rIfHO6zvsjn+kBzC/xLyxwDUTGsMmwhF0aSgDKW6riCXGP+3Sn23doai3RAsaCMPh1aTo5oOXFQIhhKOZK44MJdA3rypzxq3o0emlcRLA8p/5CzS+EscCUVCmbK9fIbH57jQzxROtCS5nsmoZzawVBz4CN4kaJbtYLf4y7R8BQZHsRV51plmLuazIsd7Ate8HYVVuHM/xQHr9R1MCiFfDUxhH4veHOmw2u2pYp0OAfQALQUtNpzbS7NSWGI7X5lFuSfMrVwfhRUSbpkk1UdMXX7FCMiFOq7pD3lCj/ScQsr7FPBm+/PlH3FhrRkLR example
The random letters, numbers and characters of a key are what makes SSH secure. Let's learn about SSH keys and their types next.
SSH Keys and Uploading onto the Server RSA, DSA
Let's now discuss SSH keys, which are essential to how SSH establishes a connection. Using SSH keys are far more secure than inputting passwords, as the keys are much longer and cannot be cracked with brute force alone.
Why use keys?
Keys serve several advantages over regular passwords:
- The key never leaves the local machine, unlike passwords and passphrases. Every time you type in your password there's a chance it gets stolen (e.g. by a keylogger).
- With the SSH tools introduced shortly, there will be no need to type in a password every time you login to a remote server.
- With a key, a man in the middle cannot hijack your session.
Generating SSH Keys
ssh-keygen command, we can easily generate and review keys to be used with remote hosts. Keys come in pairs, and have different types.
DSA and RSA
Digital Signature Algorithm (DSA) is based on discrete logarithms, while RSA is based on large-number factorization. Both DSA and RSA encryptions are computationally difficult, which allows them to be used for security measures. DSA is considered easier to decrypt with a brute-force attempt than RSA since RSA utilizes a more random key hash generator.
DSA is faster than RSA upon encryption, but slower for decryption. RSA is the opposite.
There are other types of keys, but most SSH keys are based on DSA and RSA. You may look up other keytypes in
man page. To specify the type when creating the keys, pass in the
-t option. The default key type is RSA.
Another option you may specify is
-b. With this, you may specify the number of bits are used in the key. The greater the number of bits, the stronger your key is.
When creating new SSH keypairs, remember two things:
- If you've already created SSH keys, there is no need to run the following command again unless you want different keys for different servers. The key generator will complain and you could end up overwriting your current settings, clearing all previously-established SSH connections.
- Remember to input a passphrase! The longer the passphrase, the better. However, don't use well-known quotes or sayings, which are easily cracked by brute-force attempts.
Generating public/private rsa key pair. Enter file in which to save the key (/home/user/.ssh/id_rsa): Created directory '/home/user/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user/.ssh/id_rsa. Your public key has been saved in /home/user/.ssh/id_rsa.pub. The key fingerprint is: cc:ac:8e:22:70:dd:67:97:a9:e4:de:f6:27:ea:37:c1 firstname.lastname@example.org The key's randomart image is: +--[ RSA 2048]----+ | | | | | | | + | | . . S + | |. . . ..+ + E | |.. .= o . | |. . o o.. + . | | . .. ...o++.+ | +-----------------+
Congratulations! You have just created your first SSH keypairs. They will be located in your ~/.ssh directory.
$ ls ~/.ssh id_rsa id_rsa.pub
id_rsa is your private key. This stays on your local system, and you should never share it with anyone - not even your own mother! id_rsa.pub is the public key, which is uploaded to remote servers.
For fun, let's also generate the dsa type. Then you'll end up with two additional files in your .ssh directory.
$ ssh-keygen -t dsa
Generating public/private dsa key pair. Enter file in which to save the key (/home/user/.ssh/id_dsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user/.ssh/id_dsa. Your public key has been saved in /home/user/.ssh/id_dsa.pub. The key fingerprint is: e4:97:ff:00:03:0b:25:d5:cc:64:c4:66:96:d8:b0:53 email@example.com The key's randomart image is: +--[ DSA 1024]----+ | ..+@E. | | o.+@ | | . =+ | | + + . | | S = | | . + | | o | | o | | . | +-----------------+ $ ls ~/.ssh id_dsa id_dsa.pub id_rsa id_rsa.pub
Remember that by default, SSH uses the more complex keypair when more than one pair exists. Thus, id_rsa would be used here.
How Public/Private keys are used to Encrypt/Decrypt data
The private key is stored on your local computer, and should never be shared with anyone. A public key, on the other hand, is copied to all remote servers you wish to access. We'll see how to do this shortly.
So what's the use of having a private and public key? The private and public keys are used to establish a secure connection and generate what's known as symmetric session keys. These keys are then then used to encrypt and decrypt messages across the network.
Now that we've generated keys and understood their purpose, let's learn how to copy our public keys to the remote server we wish to access.
The manual method
You may manually copy the public key by appending the contents of the public key to the end of ~/.ssh/authorized_keys, located on the server you wish to access.
$ cat ~/.ssh/id_rsa.pub | ssh firstname.lastname@example.org "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Notice that we simply issued a command after the
ssh command. With this, we can run a single line of commands on the server without having to login.
This command will write out the public key to the authorized_keys file. This holds all machines with public keys that should be accepted.
The more automated method
An easier way to perform the same function is with the
ssh-copy-id command, which is only available on Linux distributions (sorry Mac OS X users). If you have more than one type of key within your ~/.ssh directory, the more secure one will be transferred (this usually means RSA).
$ ssh-copy-id email@example.com
Without a passphrase, you could access the server without a password! Great...but kind of insecure, no?
However, if you decided to follow this guide and inputted a passphrase, you'll be prompted for the passphrase. Secure? Yes. Convenient? No. To learn how to avoid inputting the passphrase every time, we'll need to learn how to use
Using SSH Agent to Automate Login ssh-agent, ssh-add
ssh-agent program is a daemon (a process that runs in the background) which stores your passphrases in memory, allowing you to easily access remote servers without typing a passphrase each time.
For our case, we have already created SSH keypairs with
ssh-keygen and used
ssh-copy-id to upload our private keys onto the authorized_keys file on our server. The only problem now is that we must input our passphrase upon every connection. Let's see how
ssh-agent can help automate this task.
Running the SSH Agent and adding keys
To start the
ssh-agent, input the command followed by
$ ssh-agent bash
This will spawn a new bash process, in which
ssh-agent runs in the background and stores the keys in memory. Now we can add our actual keys with
Enter passphrase for /home/user/.ssh/id_rsa: Identity added: /home/user/.ssh/id_rsa (/home/user/.ssh/id_rsa)
If your key is not in the canonical ~/.ssh directory, or has a different filename, type its path directly after the
ssh-add command (e.g.
Congratulations! Now your passphrase has been added to the
ssh-agent, and you will no longer need to input the passphrase. Now try logging into your server.
$ ssh firstname.lastname@example.org
Last login: Mon Dec 21 05:19:49 2015 from 22.214.171.124 [email@example.com ~]$
Remember that once you exit out of the bash terminal spawned with
ssh-agent, your passphrases will be lost and you'll have to run
Checking if SSH agent is running
Sometimes you'll need to check whether the
ssh-agent is running or not. We can do so by checking our processes.
$ ps aux | grep ssh-agent user 2411 0.0 0.0 10616 524 ? Ss 05:35 0:00 ssh-agent bash
Listing all keys added
To view the keys that have been successfully added to the ssh-agent, use the
$ ssh-add -l 2048 ec:39:69:3d:c4:8b:63:fd:57:a3:78:51:6d:cd:cd:46 /home/user/.ssh/id_rsa (RSA)
Secure Copying Files scp
Perhaps you only need to upload or download a file from a host, and want the added security features of SSH. We can do so with the
Transferring Simple Files
To upload a file, type the command, followed by the file to transfer, then the location.
$ scp sample.txt firstname.lastname@example.org:
Remember to tack on the colon at the end - otherwise you'll find that you simply made a copy of sample.txt in your current directory called email@example.com!
To copy it back to your current directory, simply swap the targets around.
$ scp firstname.lastname@example.org:sample.txt sample.txt
You'll notice that the path following the colon is relative to the home directory (since that's where you are logged in when you
ssh into a host).
$ scp sample.txt email@example.com:Documents/sample.txt
If you want to copy somewhere other than within your home directory, pass an absolute path after the colon.
$ scp init.d firstname.lastname@example.org:/etc/init.d
Copying entire directories
To copy entire directories, pass the
-r option. Additionally, you can pass in the
-p option to preserve the timestamps and permission settings.
$ scp -rp mail email@example.com