SSH Setup Instructions

SSH Connection #

The SSH or Secure Shell Protocol is a network communication protocol that uses encryption to secure the connection over unsecured network. It is typically user for remote login and command-line execution.

How does SSH work? #

The SSH works in a client-server model creating a tunnel between two remote computers. Once the tunnel is established, the remote system shell is visible, and shell commands can be securely transmitted across the connection.

There are several options that can be used for user authentication. The most common ones are passwords and public key authentication the latter one being much more widely used.

Public key authentication method is based on ssh key pairs that consist of:

• public key that is copied to the SSH server(s). Anyone with a copy of the public key can encrypt data which can then only be read by the person who holds the corresponding private key. Once an SSH server receives a public key from a user and considers the key trustworthy, the server marks the key as authorized in its authorized_keys file. Such keys are called authorized keys.
• private key that remains (only) with the user. The possession of this key is proof of the user's identity. Only a user in possession of a private key that corresponds to the public key at the server will be able to authenticate successfully. The private keys need to be stored and handled carefully, and no copies of the private key should be distributed. The private keys used for user authentication are called identity keys.

SSH Commands #

The SSH command consists of 3 distinct parts:

ssh {user}@{host}   

If local and remote username are the same you only need to specify the host:

ssh {host} 

The SSH key command instructs one's system to open an encrypted Secure Shell Connection. {user} represents the account you want to access. For example, you may want to access the root user, which is basically synonymous with the system administrator with complete rights to modify anything on the system. {host} refers to the computer you want to access. This can be an IP Address (e.g. 244.235.23.19) or a domain name (e.g. www.domain.com).

There are other SSH commands besides the client ssh:

ssh-keygen

creates a key pair for public key authentication

ssh-copy-id

configures a public key as authorized on a server

ssh-agent

agent to hold private key for single sign-on

ssh-add

tool to add a key to the agent

scp

file transfer client with RCP-like command interface

sftp

file transfer client with FTP-like command interface

sshd

OpenSSH server

Practical SSH Example #

This example illustrate how to set up SSH keys on a local device and use the generated pair of keys for connecting to a remote server. This method is more convenient and provides a more secure way of connecting to the remote server/machine than simply using a password.

Generate SSH keys #

In the terminal, use the following command to start the key generation:

ssh-keygen -t rsa -f ~/.ssh/simpledigits -b 4096 -C "hello@simpledigits.com" -v

• -t type option specifies encryption algorhythm - rsa, dsa, ecdsa, ed25519
• -f filename option specifies file name in which the key will be stored
• -b bits option specifies key size - 512, 1024, 2048, 4096
• -C comment option provides a new comment
• -v verbose mode prints debugging messages

Once you enter this command, passphrase question will pop up. A passphrase is similar to a password. It's purpose is usually to encrypt the private key. This makes the key file by itself useless to an attacker. It is not uncommon for files to leak from backups or decommissioned hardware, and hackers commonly exfiltrate files from compromised systems.

To use an encrypted key, the passphrase is also needed. In a way, they are two separate factors of authentication.

Copy the Public Key to Host (remote computer) #

After generating the RSA key pair, we have to put our public key to the remote server. There is a simple command which will put your public key directly to the remote server’s authorized_keys file which keeps all the public keys.

Copy all keys to the remote machine.

ssh-copy-id simpledi@simpledigits.com

Copy the given public key to the remote with specific port.

ssh-copy-id -i ~/.ssh/simpledigits.pub -p 22 simpledi@simpledigits.com

• -i option specifies which key (file) to copy to remote server
• -p option specifies port

Connect to SSH server #

To connect to an SSH server, type the following command into the terminal

ssh simpledi@simpledigits.com

This command will connect to the SSH server on port 22, which is the default. To specify a different port, add -p to the end of the command followed by the port number you want to connect on, like so:

ssh simpledi@simpledigits.com -p 2222

To end SSH session and return to your local shell session type exit.

SSH client configuration file #

The ssh command reads its configuration from the SSH client configuration file ~/.ssh/config. There is also a global configuration file /etc/ssh/ssh_config and they both have the same format:

• Empty lines and lines starting with # are comments.
• Each line begins with a keyword, followed by argument(s).
• Configuration options may be separated by whitespace or optional whitespace and exactly one =.
• Arguments may be enclosed in double quotes " in order to specify arguments that contain spaces.

The following keywords can be used in SSH client configuration files. Keywords are case-insensitive and arguments are case-sensitive.

Host

Restricts the following declarations to be only for those hosts that match one of the patterns given after the keyword. The pattern is matched against the host name given on the command line.

Hostname

Specifies the real host name to log into. This can be used to specify nicknames or abbreviations for hosts. The default is the name given on the command line. Numeric IP addresses are also permitted (both on the command line and in HostName specifications).

IdentityFile

Specifies a file from which the user's identity key is read when using public key authentication. The default for protocol version 1 is ~/.ssh/identity; and ~/.ssh/id_rsa or ~/.ssh/id_dsa for protocol version 2.

For list of all options such as ConnectionAttempts, ConnectTimeout, LogLevel and many more visit https://www.ssh.com/academy/ssh/config

Resources #

• SSH Academy
• Package openssh