User Tools

Site Tools


linux:secure-shell-ssh

SSH: Secure Shell

Date: Thu 15 Nov 2018

OpenSSH

OpenSSH is the open source version of the SSH service and associated programs. It was created by the OpenBSD team.

SSH is commonly used a way to login to remote computer systems. But it's also often used more simply to establish a connection between remote servers. E.g., people use the SSH technology to:

  • connect to remote shells: ssh
  • establish VPN-like (encrypted) connections with port-forwarding: ssh
  • transfer files: scp
  • establish ftp-like connections: sftp
  • mount remote files systems: sshfs

There's more. To get a list of some of the relevant manual pages, do:

$ apropos ssh

SSH: Remote login

To establish a connection to a remote machine from a Unix-like terminal emulator:

$ ssh user@remoteserver.com

Where user is the user account and remoteserver.com is the name of the remote server.

We can also use ssh-keygen to generate public and private keys. This will allow us to connect to remote machines without using passwords. This is generally more secure since it's considered that the encryption technologies used are more robust than the technologies used to encrypt passwords. Also, it becomes more secure if you disable remote password logins altogether and only allow key based connections.

The way it works is that you generate public and private keys, and then copy or send your public key to the remote machine. Then when you initiate a connection to that remote machine, the remote machine will check to see if the public key matches your private key. If it does, you're in. You can share your public key with anyone or anywhere, but the trick is to protect your private key. If for some reason the private key becomes compromised, then you have to revoke it. Thus, although this method is generally considered to be more secure than password logins, the major weakness lies with keeping the private key safe.

To generate your public and private keys and transfer the public key to a remote server, we first use the ssh-keygen command along with the -t option to specify the RSA encryption algorithm.

$ ssh-keygen -t rsa

You'll be asked a series of questions. It's not necessary to generate a passphrase, but you can. The keys will be generated and saved in your home directory. For example, here's the listing for my keys. Note the file permissions:

$ ls -l $HOME/.ssh/id_rsa*
-rw------- 1 sean sean 1679 Dec 22  2016 .ssh/id_rsa
-rw-r--r-- 1 sean sean  395 Dec 22  2016 .ssh/id_rsa.pub

Now that you have a public key, you can send it to the remote server using ssh. Detailed instructions are here:

SSH login without password

And other detailed instructions are here:

How to Set Up SSH Keys | Digital Ocean

One nice benefit of passwordless entry is the easy ability to issue commands on the remote server without having to login to the remote server. For example, here I run the ls command on the remote server and then create a directory called newfiles on the remote server:

$ ssh user@remoteserver.com ls
bin
public_html
Documents
document.txt
$ ssh user@remoteserver.com mkdir newfiles

SSH: (Local) Port Forwarding

SSH port forwarding is often used to encrypt traffic that might not normally be encrypted and to access sites that might not normally be accessible. It works by connecting two computers together and tunneling traffic from a source port to a remote or destination port. For example, the site located at www.uky.edu is served on port 80 and the connection is not encrypted. Let's visit that site in our browser but encrypt the connection using ssh. We'll name the remote server (www.uky.edu) and the local server (localhost) that we're connecting, and we'll use the local port 8080 and remote port 80.

$ ssh -L 8080:www.uky.edu:80 localhost
sean@localhost's password:
...

Now, in my browser, e.g., in Firefox, if I visit the following URL: http://localhost:8080, I'll be directed to http://www.uky.edu and all traffic will now be encrypted.

Additional information and well as a description of other types of port forwarding can be found here:

SSH/OpenSSH/PortForwarding -- Community Help Wiki

SCP: Secure Copy

SCP makes it easy to copy files between servers. It can be used to copy single files or entire directories, and the latter makes it a viable option for scripting backups, especially if you have passwordless logins configured. To use scp to send a file on my local system to my home directory on the remote system:

$ scp document.txt user@remoteserver.com:~/

For example, let's say I have a directory called tmp and it contains sub-directories and files, then:

$ scp -pr tmp/ user@remoteserver.com:~/backup/

You can also use scp to copy files in reverse -- from remote locations to your current location by reversing the server names:

$ scp user@remoteserver.com:~/somefile.txt ./

SFTP: Secure File Transfer Program

We've already acquired some experience using the regular ftp client and server software. sftp works much the same way and is useful for connecting to remote machines in the same manner that ftp does. To connect to a remote server. Once you have the sftp prompt, type a question mark to get a list of commands:

$ sftp user@remoteserver.com
sftp> ?
...
sftp> get index.html
sftp> bye

SSHFS: Mount remote filesystem using SSH

This one is cool. It's not part of the OpenSSH system, so to speak, but is rather built on the technology. In short, we can use sshfs to mount a remote filesystem on our local filesystem, and then access that filesystem locally as we would any other part of our system. First, I'll create the local directory to mount the remote filesystem, and then I'll create the mount:

$ mkdir $HOME/mountpoint
$ sshfs user@remoteserver.com:/home/user/public_html mountpoint
$ cd mountpoint ; ls
$ cd ..
$ sudo umount mountpoint

SSHFS may not be installed by default and you may have to create a fuse group and add your account to that group. For more info, this is a nice tutorial:

Using SSHFS to Mount Remote Directories

$HOME/.ssh/config

When we normally connect to a remote system using ssh, we use the following syntax: ssh user@remotesystem.com, but a number of times in class you've seen me connect to a remote system using a shorthand method, like ssh remotesystem. I am able to do this because I've created a personal config file that allows me to assign nicknames to remote servers and use that nickname as the connection point. The basic syntax of a config file looks like this:

$ cat $HOME/.ssh/config
Host sweb
HostName sweb.uky.edu
User csbu225

By assigning term sweb to the Host line, I am able to use that term to connect to the remove server, and ssh knows, because of the HostName and User lines, that I mean ssh csbu225@sweb.uky.edu.

There are many more configuration options, and I've only shown you a small part of my config file. For more details, do man ssh_config.

And More

There are entire books that cover SSH because there's a lot more that you can do with it. Also, be mindful that the SSH server is also managed by systemctl (check status, restart, enable) and that there are global configuration files in /etc/sshd.

linux/secure-shell-ssh.txt · Last modified: 2019/01/21 11:26 by seanburns