SSH

From Linux 101, The beginner's guide to all things Linux.


The Basics

ssh stands for Secure SHell. It is used primarily to log in securely to a remote machine. The traffic between you and the host is encrypted and, optionally, compressed to cut down on bandwidth. This makes remote machine management a breeze even on the smallest of Internet connections. You can think of it as a much more secure form of telnet.

To connect, simply issue the command:

ssh <host>

It will then ask you for your password on that machine. By default, it sends the username you are currently logged in as on your local machine. To log in as a different user, use:

ssh <user>@<host>

To use compression, add the -C option before the <user>@<host> when connecting. To be able to suspend/resume sessions if you disconnect, look into screen.

Security

The first time you connect to a host, ssh will tell you that the host's identity has not been established before and will ask whether you want to connect. This is a security precaution against "man-in-the-middle" attacks. On the first connection it is usually safe to accept; if you are worried about security, you can compare the "fingerprint" it shows you against one obtained via another medium. Later, if ssh asks or warns you about the identity of a host you have already connected to, make sure you are connecting to the system you intend to. When ssh throws up this warning, there are two possibilities:

  • The server administrator may simply have regenerated the SSH server's keys.
  • Or somebody could be attempting to intercept your connection.

There are two versions of the SSH protocol, SSH1 and SSH2. SSH1 was found to be susceptible to man-in-the-middle attacks, so it is always much wiser to use the SSH2 protocol for all SSH connections.
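The three outcomes described above (new host, known host, changed key) are what ssh decides by looking up the server's key in ~/.ssh/known_hosts. The shell function below is an added illustration, not part of the original page, that performs the same lookup against a constructed known_hosts file; the host names and key blobs in it are made up.

```shell
#!/bin/sh
# check_hostkey: classify the key a server presents against a known_hosts
# file, mirroring the three outcomes ssh distinguishes: host known and key
# matches (rc 0); host known but key DIFFERS (rc 1, the warning case); host
# never seen (rc 2, the first-connection prompt).  Plain-text entries only:
# hashed "|1|" lines and "@cert-authority" markers are skipped.
check_hostkey() {
    kh="$1"; host="$2"; ktype="$3"; kblob="$4"
    seen=0
    # each line is "host1,host2,... keytype base64blob [comment]"
    while read -r hosts type blob _rest; do
        case "$hosts" in
            ''|'#'*|'@'*|'|'*) continue ;;   # blank, comment, marker, hashed
        esac
        case ",$hosts," in
            *",$host,"*)
                seen=1
                # a different key type for a known host is treated as a change
                [ "$type" = "$ktype" ] && [ "$blob" = "$kblob" ] && return 0
                ;;
        esac
    done < "$kh"
    [ "$seen" -eq 1 ] && return 1
    return 2
}

# Demo against a constructed known_hosts file (names and blobs are made up).
kh=$(mktemp)
cat > "$kh" <<'EOF'
# constructed sample, not real key material
web.example.test,198.51.100.10 ssh-ed25519 AAAAC3_SAMPLE_BLOB_WEB web server
db.example.test ssh-rsa AAAAB3_SAMPLE_BLOB_DB
EOF
for args in "web.example.test ssh-ed25519 AAAAC3_SAMPLE_BLOB_WEB" \
            "web.example.test ssh-ed25519 AAAAC3_DIFFERENT_BLOB" \
            "new.example.test ssh-ed25519 AAAAC3_SAMPLE_BLOB_WEB"; do
    set -- $args
    rc=0; check_hostkey "$kh" "$1" "$2" "$3" || rc=$?
    case $rc in
        0) echo "$1: known host, key matches" ;;
        1) echo "$1: WARNING: host key changed, verify the fingerprint out of band" ;;
        2) echo "$1: new host, no fingerprint recorded yet" ;;
    esac
done
rm -f "$kh"
```

Against the real ~/.ssh/known_hosts, `ssh-keygen -F <host>` does this lookup and `ssh-keygen -R <host>` removes a stale entry once the administrator has confirmed that the key really was regenerated.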

Advanced Topics

Tunnels

Tunneling can be used to take inherently insecure protocols and add a layer of security. SSH can also be used to overcome strict firewalls that allow port 22 through, but not others.

An example of an insecure protocol is VNC, the remote desktop sharing utility. It can be made secure by tunneling it through an SSH connection. The tunnel is established when you connect. To forward a remote port to your machine, use the following:

ssh -L <local port>:<remote host>:<remote port> <host>

For VNC on port 5900, this would translate to:

ssh -L 5900:localhost:5900 user@example.com

This says that by connecting to port 5900 on your own machine, you will reach port 5900 on "localhost" as seen from the remote machine you are connected to. So the tunnel ends on the very machine you are SSH'ing to; it could instead have been pointed at another host on that machine's network.

<local port> can be any unused port above 1024 you wish to use. It does not have to be the same port number that you are tunneling to.

Key Authentication

In this crazy world, it seems there is a password for everything... and no two are the same! Well, that does not have to be the case with SSH -- thanks to SSH key authentication. With SSH, you can create a private key (with its own password) and then use it to securely connect to any machine you wish--all with only knowing a single password!

Here's how it works.

First, generate your private key:

ssh-keygen -t dsa -b 4096

(DSA is the key type; 4096 is the size in bits of the key about to be generated. 1024 is the default and considered effective, but 4096 is more secure.)

and enter a strong passphrase. Just hitting Enter will create a key without a passphrase, which is a bad idea.

In the ~/.ssh folder you should see two files:

  • id_dsa is your private key. Keep it safe and never distribute it!
  • id_dsa.pub is your public key, which is what you will put on the remote machines.

Now, copy your public key to the account you wish to log in to using your key. Keep in mind that this will overwrite the file if it already exists:

scp ~/.ssh/id_dsa.pub <user>@<host>:.ssh/authorized_keys2

Now, on your local machine, each time you log in you should start the ssh-agent. After you start it, it forks into the background and stays running even if you close your terminal. It remembers, for your whole session, the passphrases you tell it to. The eval is needed because ssh-agent only prints the environment variables that ssh-add and ssh use to find it; eval puts them into your current shell. So, finally, do:

eval "$(ssh-agent)" && ssh-add

and enter your passphrase when it asks. Now ssh into the machine you just copied your public key to. You will not have to enter a single password for any of the machines you copy your public identity to!
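The scp step above replaces the whole authorized_keys file, which silently drops any keys that were already installed on that account. The function below is an added example, not part of the original page, that appends a key instead, skips a key that is already present, and sets the permissions sshd's StrictModes expects; it takes the file paths as arguments so it can be run against a scratch directory, and the key lines in the demo are constructed sample data.

```shell
#!/bin/sh
# install_pubkey: append a public key to authorized_keys instead of replacing
# the file with scp as shown above, so keys already installed survive.  It
# skips a key that is already present and sets the permissions sshd's
# StrictModes expects (~/.ssh 700, authorized_keys 600).  Paths are arguments
# so the demo can run in a scratch directory; the key lines below are made up.
# Returns 0 = added, 1 = already present, 2 = public key file unreadable/empty.
install_pubkey() {
    pub="$1"; authkeys="$2"
    [ -r "$pub" ] || return 2
    # a key line is "keytype base64blob [comment]"; match on the first two
    # fields only, so the same key with another comment is not added twice
    # (lines prefixed with options such as command="..." are not recognised)
    keyid=$(awk 'NR == 1 { print $1 " " $2 }' "$pub")
    [ -n "$keyid" ] || return 2
    sshdir=$(dirname "$authkeys")
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$authkeys" && chmod 600 "$authkeys"
    if awk -v k="$keyid" '($1 " " $2) == k { found = 1 } END { exit !found }' "$authkeys"; then
        return 1
    fi
    awk 'NR == 1' "$pub" >> "$authkeys"   # first line only, newline guaranteed
}

# number of key lines in an authorized_keys file (comments and blanks ignored)
count_keys() { grep -c -E '^(ssh|ecdsa)-' "$1" || true; }

# Demo in a scratch directory (sample keys are constructed, not real).
work=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3_SAMPLE_KEY_A laptop\n' > "$work/id_a.pub"
printf 'ssh-ed25519 AAAAC3_SAMPLE_KEY_B desktop\n' > "$work/id_b.pub"
ak="$work/.ssh/authorized_keys"
install_pubkey "$work/id_a.pub" "$ak"
install_pubkey "$work/id_b.pub" "$ak"
install_pubkey "$work/id_a.pub" "$ak" || echo "key A already present, not added again"
echo "$(count_keys "$ak") keys installed in $ak"
rm -rf "$work"
```

On a real account the same appending behaviour is what `ssh-copy-id`, shipped with OpenSSH, provides.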

Note: If you use gdm (the GNOME login manager), it will automatically start ssh-agent for you. You will, however, still need to run ssh-add each time you log in for the agent to use the keypair.

Should you forget to run ssh-add before using ssh to connect to a machine, ssh will still see the keypair and ask you for the passphrase, but the agent will not remember it for future connections. You will therefore have to type your passphrase again and again until you run ssh-add.
