User Tools

Site Tools


linux:secure-shell-ssh

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

linux:secure-shell-ssh [2019/01/21 11:26] (current)
seanburns created
Line 1: Line 1:
 +<​markdown>​
 +# SSH: Secure Shell
 +## Date: Thu 15 Nov 2018 
  
 +## OpenSSH
 +
 +OpenSSH is the open source version of the SSH service and associated programs.
 +It was created by the [OpenBSD][5] team.
 +
 +SSH is commonly used a way to login to remote computer systems. But it's also
 +often used more simply to establish a connection between remote servers. E.g.,
 +people use the SSH technology to:
 +
 +- connect to remote shells: `ssh`
 +- establish VPN-like (encrypted) connections with port-forwarding:​ `ssh`
 +- transfer files: `scp`
 +- establish ftp-like connections:​ `sftp`
 +- mount remote files systems: `sshfs`
 +
 +There'​s more. To get a list of some of the relevant manual pages, do:
 +
 +```
 +$ apropos ssh
 +```
 +
 +## SSH: Remote login
 +
 +To establish a connection to a remote machine from a Unix-like terminal
 +emulator:
 +
 +```
 +$ ssh user@remoteserver.com
 +```
 +
 +Where *user* is the user account and *remoteserver.com* is the name of the
 +remote server.
 +
 +We can also use `ssh-keygen` to generate public and private keys. This will
 +allow us to connect to remote machines without using passwords. This is
 +generally more secure since it's considered that the encryption technologies
 +used are more robust than the technologies used to encrypt passwords. Also, it
 +becomes more secure if you disable remote password logins altogether and only
 +allow key based connections.
 +
 +The way it works is that you generate public and private keys, and then copy or
 +send your public key to the remote machine. Then when you initiate a connection
 +to that remote machine, the remote machine will check to see if the public key
 +matches your private key. If it does, you're in. You can share your public key
 +with anyone or anywhere, but the trick is to protect your private key. If for
 +some reason the private key becomes compromised,​ then you have to revoke it.
 +Thus, although this method is generally considered to be more secure than
 +password logins, the major weakness lies with keeping the private key safe.
 +
 +To generate your public and private keys and transfer the public key to a
 +remote server, we first use the `ssh-keygen` command along with the `-t` option
 +to specify the RSA encryption algorithm.
 +
 +```
 +$ ssh-keygen -t rsa
 +```
 +
 +You'll be asked a series of questions. It's not necessary to generate a
 +passphrase, but you can. The keys will be generated and saved in your home
 +directory. For example, here's the listing for my keys. Note the file
 +permissions:​
 +
 +```
 +$ ls -l $HOME/​.ssh/​id_rsa*
 +-rw------- 1 sean sean 1679 Dec 22  2016 .ssh/id_rsa
 +-rw-r--r-- 1 sean sean  395 Dec 22  2016 .ssh/​id_rsa.pub
 +```
 +
 +Now that you have a public key, you can send it to the remote server using
 +`ssh`. Detailed instructions are here:
 +
 +[SSH login without password][1]
 +
 +And other detailed instructions are here:
 +
 +[How to Set Up SSH Keys | Digital Ocean][2]
 +
 +One nice benefit of passwordless entry is the easy ability to issue commands on
 +the remote server without having to login to the remote server. For example,
 +here I run the `ls` command on the remote server and then create a directory
 +called **newfiles** on the remote server:
 +
 +```
 +$ ssh user@remoteserver.com ls
 +bin
 +public_html
 +Documents
 +document.txt
 +$ ssh user@remoteserver.com mkdir newfiles
 +```
 +
 +## SSH: (Local) Port Forwarding
 +
 +SSH port forwarding is often used to encrypt traffic that might not normally be
 +encrypted and to access sites that might not normally be accessible. It works
 +by connecting two computers together and tunneling traffic from a source port
 +to a remote or destination port. For example, the site located at
 +**www.uky.edu** is served on port 80 and the connection is not encrypted. Let's
 +visit that site in our browser but encrypt the connection using `ssh`. We'll
 +name the remote server (www.uky.edu) and the local server (localhost) that
 +we're connecting, and we'll use the local port 8080 and remote port 80. 
 +
 +```
 +$ ssh -L 8080:​www.uky.edu:​80 localhost
 +sean@localhost'​s password:
 +...
 +```
 +
 +Now, in my browser, e.g., in Firefox, if I visit the following URL:
 +**http://​localhost:​8080**,​ I'll be directed to **http://​www.uky.edu** and all
 +traffic will now be encrypted.
 +
 +Additional information and well as a description of other types of port
 +forwarding can be found here:
 +
 +[SSH/​OpenSSH/​PortForwarding -- Community Help Wiki][3]
 +
 +## SCP: Secure Copy
 +
 +SCP makes it easy to copy files between servers. It can be used to copy single
 +files or entire directories,​ and the latter makes it a viable option for
 +scripting backups, especially if you have passwordless logins configured. To
 +use `scp` to send a file on my local system to my home directory on the remote
 +system:
 +
 +```
 +$ scp document.txt user@remoteserver.com:​~/​
 +```
 +
 +For example, let's say I have a directory called **tmp** and it contains
 +sub-directories and files, then:
 +
 +```
 +$ scp -pr tmp/ user@remoteserver.com:​~/​backup/​
 +```
 +
 +You can also use `scp` to copy files in reverse -- from remote locations to
 +your current location by reversing the server names:
 +
 +```
 +$ scp user@remoteserver.com:​~/​somefile.txt ./
 +```
 +
 +## SFTP: Secure File Transfer Program
 +
 +We've already acquired some experience using the regular `ftp` client and
 +server software. `sftp` works much the same way and is useful for connecting to
 +remote machines in the same manner that `ftp` does. To connect to a remote
 +server. Once you have the `sftp` prompt, type a question mark to get a list of
 +commands:
 +
 +```
 +$ sftp user@remoteserver.com
 +sftp> ?
 +...
 +sftp> get index.html
 +sftp> bye
 +```
 +
 +## SSHFS: Mount remote filesystem using SSH
 +
 +This one is cool. It's not part of the OpenSSH system, so to speak, but is
 +rather built on the technology. In short, we can use `sshfs` to mount a remote
 +filesystem on our local filesystem, and then access that filesystem locally as
 +we would any other part of our system. First, I'll create the local directory
 +to mount the remote filesystem, and then I'll create the mount:
 +
 +```
 +$ mkdir $HOME/​mountpoint
 +$ sshfs user@remoteserver.com:/​home/​user/​public_html mountpoint
 +$ cd mountpoint ; ls
 +$ cd ..
 +$ sudo umount mountpoint
 +```
 +
 +SSHFS may not be installed by default and you may have to create a *fuse* group
 +and add your account to that group. For more info, this is a nice tutorial:
 +
 +[Using SSHFS to Mount Remote Directories][4]
 +
 +## $HOME/​.ssh/​config
 +
 +When we normally connect to a remote system using `ssh`, we use the following
 +syntax: `ssh user@remotesystem.com`,​ but a number of times in class you've seen
 +me connect to a remote system using a shorthand method, like `ssh
 +remotesystem`. I am able to do this because I've created a personal config file
 +that allows me to assign nicknames to remote servers and use that nickname as
 +the connection point. The basic syntax of a config file looks like this:
 +
 +```
 +$ cat $HOME/​.ssh/​config
 +Host sweb
 +HostName sweb.uky.edu
 +User csbu225
 +```
 +
 +By assigning term `sweb` to the `Host` line, I am able to use that term to
 +connect to the remove server, and `ssh` knows, because of the `HostName` and
 +`User` lines, that I mean `ssh csbu225@sweb.uky.edu`.
 +
 +There are many more configuration options, and I've only shown you a small part
 +of my config file. For more details, do `man ssh_config`.
 +
 +## And More
 +
 +There are entire books that cover SSH because there'​s a lot more that you can
 +do with it. Also, be mindful that the SSH server is also managed by
 +`systemctl` (check status, restart, enable) and that there are global
 +configuration files in `/​etc/​sshd`.
 +
 +[1]:​http://​www.linuxproblem.org/​art_9.html
 +[2]:​https://​www.digitalocean.com/​community/​tutorials/​how-to-set-up-ssh-keys-on-ubuntu-1804
 +[3]:​https://​help.ubuntu.com/​community/​SSH/​OpenSSH/​PortForwarding
 +[4]:​https://​www.linode.com/​docs/​networking/​ssh/​using-sshfs-on-linux/​
 +[5]:​https://​www.openbsd.org/​
 +</​markdown>​
linux/secure-shell-ssh.txt ยท Last modified: 2019/01/21 11:26 by seanburns