OpenSSH is the open source version of the SSH service and associated programs. It was created by the OpenBSD team.
SSH is commonly used a way to login to remote computer systems. But it's also often used more simply to establish a connection between remote servers. E.g., people use the SSH technology to:
ssh
ssh
scp
sftp
sshfs
There's more. To get a list of some of the relevant manual pages, do:
$ apropos ssh
To establish a connection to a remote machine from a Unix-like terminal emulator:
$ ssh user@remoteserver.com
Where user is the user account and remoteserver.com is the name of the remote server.
We can also use ssh-keygen
to generate public and private keys. This will
allow us to connect to remote machines without using passwords. This is
generally more secure since it's considered that the encryption technologies
used are more robust than the technologies used to encrypt passwords. Also, it
becomes more secure if you disable remote password logins altogether and only
allow key based connections.
The way it works is that you generate public and private keys, and then copy or send your public key to the remote machine. Then when you initiate a connection to that remote machine, the remote machine will check to see if the public key matches your private key. If it does, you're in. You can share your public key with anyone or anywhere, but the trick is to protect your private key. If for some reason the private key becomes compromised, then you have to revoke it. Thus, although this method is generally considered to be more secure than password logins, the major weakness lies with keeping the private key safe.
To generate your public and private keys and transfer the public key to a
remote server, we first use the ssh-keygen
command along with the -t
option
to specify the RSA encryption algorithm.
$ ssh-keygen -t rsa
You'll be asked a series of questions. It's not necessary to generate a passphrase, but you can. The keys will be generated and saved in your home directory. For example, here's the listing for my keys. Note the file permissions:
$ ls -l $HOME/.ssh/id_rsa*
-rw------- 1 sean sean 1679 Dec 22 2016 .ssh/id_rsa
-rw-r--r-- 1 sean sean 395 Dec 22 2016 .ssh/id_rsa.pub
Now that you have a public key, you can send it to the remote server using
ssh
. Detailed instructions are here:
And other detailed instructions are here:
How to Set Up SSH Keys | Digital Ocean
One nice benefit of passwordless entry is the easy ability to issue commands on
the remote server without having to login to the remote server. For example,
here I run the ls
command on the remote server and then create a directory
called newfiles on the remote server:
$ ssh user@remoteserver.com ls
bin
public_html
Documents
document.txt
$ ssh user@remoteserver.com mkdir newfiles
SSH port forwarding is often used to encrypt traffic that might not normally be
encrypted and to access sites that might not normally be accessible. It works
by connecting two computers together and tunneling traffic from a source port
to a remote or destination port. For example, the site located at
www.uky.edu is served on port 80 and the connection is not encrypted. Let's
visit that site in our browser but encrypt the connection using ssh
. We'll
name the remote server (www.uky.edu) and the local server (localhost) that
we're connecting, and we'll use the local port 8080 and remote port 80.
$ ssh -L 8080:www.uky.edu:80 localhost
sean@localhost's password:
...
Now, in my browser, e.g., in Firefox, if I visit the following URL: http://localhost:8080, I'll be directed to http://www.uky.edu and all traffic will now be encrypted.
Additional information and well as a description of other types of port forwarding can be found here:
SSH/OpenSSH/PortForwarding -- Community Help Wiki
SCP makes it easy to copy files between servers. It can be used to copy single
files or entire directories, and the latter makes it a viable option for
scripting backups, especially if you have passwordless logins configured. To
use scp
to send a file on my local system to my home directory on the remote
system:
$ scp document.txt user@remoteserver.com:~/
For example, let's say I have a directory called tmp and it contains sub-directories and files, then:
$ scp -pr tmp/ user@remoteserver.com:~/backup/
You can also use scp
to copy files in reverse -- from remote locations to
your current location by reversing the server names:
$ scp user@remoteserver.com:~/somefile.txt ./
We've already acquired some experience using the regular ftp
client and
server software. sftp
works much the same way and is useful for connecting to
remote machines in the same manner that ftp
does. To connect to a remote
server. Once you have the sftp
prompt, type a question mark to get a list of
commands:
$ sftp user@remoteserver.com
sftp> ?
...
sftp> get index.html
sftp> bye
This one is cool. It's not part of the OpenSSH system, so to speak, but is
rather built on the technology. In short, we can use sshfs
to mount a remote
filesystem on our local filesystem, and then access that filesystem locally as
we would any other part of our system. First, I'll create the local directory
to mount the remote filesystem, and then I'll create the mount:
$ mkdir $HOME/mountpoint
$ sshfs user@remoteserver.com:/home/user/public_html mountpoint
$ cd mountpoint ; ls
$ cd ..
$ sudo umount mountpoint
SSHFS may not be installed by default and you may have to create a fuse group and add your account to that group. For more info, this is a nice tutorial:
Using SSHFS to Mount Remote Directories
When we normally connect to a remote system using ssh
, we use the following
syntax: ssh user@remotesystem.com
, but a number of times in class you've seen
me connect to a remote system using a shorthand method, like ssh
remotesystem
. I am able to do this because I've created a personal config file
that allows me to assign nicknames to remote servers and use that nickname as
the connection point. The basic syntax of a config file looks like this:
$ cat $HOME/.ssh/config
Host sweb
HostName sweb.uky.edu
User csbu225
By assigning term sweb
to the Host
line, I am able to use that term to
connect to the remove server, and ssh
knows, because of the HostName
and
User
lines, that I mean ssh csbu225@sweb.uky.edu
.
There are many more configuration options, and I've only shown you a small part
of my config file. For more details, do man ssh_config
.
There are entire books that cover SSH because there's a lot more that you can
do with it. Also, be mindful that the SSH server is also managed by
systemctl
(check status, restart, enable) and that there are global
configuration files in /etc/sshd
.