Dhammapada

In the same way that rain breaks into a house with a bad roof, desire breaks into the mind that has not been practising meditation. While in the same way that rain cannot break into a well-roofed house, desire cannot break into a mind that has been practising meditation well.


Introduction

SSH (Secure SHell) is a secure method of remote access to computers and is often used to manage servers remotely. It uses encryption and replaces older, unencrypted protocols such as rlogin, rsh, and rcp.

SSH is a command line interface, but do not let that fool you. SSH is a very powerful tool and can be used for far more than a command line interface.

For additional information see: Wikipedia SSH


SSH Basics

How to connect to an ssh server

ssh user@server

"user" = the user name you wish to log in as on the server.

"server" = the IP address or name of the server.

Advanced Topics

Commonly used options

ssh has many options; here is an example using some I find useful.

ssh -p xxxx -i ~/.ssh/key -X -C -c blowfish user@server <command>

-p = the port the ssh server listens on (22 by default).

-i = the private key file to authenticate with.

-X = forward X11, so graphical programs started on the server display on your screen.

-C = compress the connection.

-c = the cipher to use. Current OpenSSH releases no longer ship blowfish, so drop this option or pick one of the ciphers listed by "ssh -Q cipher".

SCP

SCP, or Secure CoPy, is used to transfer files between the client and the server.

Example:

scp file user@server:/home/user/file

Notice the syntax: after user@server comes a colon and the full path to the destination, :/full/path/to/destination.

Linux permissions apply to scp. You must also have permission, as the user on the server, in order to copy a file to the target location on the server.

Options:

-r = used to recursively copy directories.

scp -r directory user@server:/home/user/directory

-P = used to specify a port (helpful if you changed the default port of your ssh server; see the security section).

scp -P xxxx file user@server:/home/user/file

KeepAlive

For security purposes, the server will close the connection after two minutes of idle time. As the name implies, the KeepAlive option is used to keep the server from closing an idle connection.

Server Configuration

If you have root access, add this to /etc/ssh/ssh_config (the system-wide client configuration, so it applies to every user on that machine; KeepAlive is the older name of the TCPKeepAlive option, and ServerAliveInterval sends a probe through the encrypted channel every 120 seconds):

KeepAlive yes
ServerAliveInterval 120

If you do not have root access, or to enable KeepAlive for a single user, add those options to ~/.ssh/config.

Linux client

If you do not wish to configure the server to enable KeepAlive, or in the event you do not have root access to the server, you can configure your client instead by adding the same two lines (KeepAlive yes and ServerAliveInterval 120) to your ~/.ssh/config file.

Windows (Putty) client

To keep the connection active (alive), before you make the connection, select "Connection" on the left of the PuTTY Configuration window, and type 120 in the "Seconds between keepalives (0 to turn off)" box.

Keys

ssh keys are used to increase security.

Generating keys on a Linux client

rsa : (Key) Protocol 1

ssh-keygen -t rsa -b 4096 -f key_name

-b = size of key (4096 is now default)

dsa : (Key) Protocol 2

ssh-keygen -t dsa -f key_name

Note: DSA keys are always 1024 bits.

These commands will generate two files: the private key, named exactly as given (no extension), and the public key, key_name.pub.

The -f key_name option specifies the name of the key.

The .pub file is the public key; it is the one placed on the server. The file without an extension is the private key and never leaves the client.

Server

Now that you have a key, you must transfer key_name.pub to the server, into ~/.ssh/authorized_keys. We can easily do this with scp or ssh-copy-id.

  1. ssh (scp) ~ useful to copy keys for other users.

    scp ~/.ssh/id_dsa.pub user@server:.ssh/authorized_keys
    scp ~/.ssh/id_rsa.pub user@server:.ssh/authorized_keys

    Note that this overwrites any authorized_keys already on the server, so use it only for the first key.

    To add additional keys to an existing ~/.ssh/authorized_keys, first transfer key_name.pub to the server, but to a temporary name rather than straight onto authorized_keys (which would overwrite it):

    scp ~/.ssh/id_dsa.pub user@server:id_dsa.pub
    scp ~/.ssh/id_rsa.pub user@server:id_rsa.pub

    Then, on the server, append the public key (note the .pub; never append the private key) to ~/.ssh/authorized_keys:

    cat id_dsa.pub >> ~/.ssh/authorized_keys
    cat id_rsa.pub >> ~/.ssh/authorized_keys

  2. Use "ssh-copy-id" to transfer your key directly.

    ssh-copy-id -i ~/.ssh/key_name.pub user@server

    Specify a (public) key with the "-i" flag.

    user = the username you use to log onto the server.

For additional information on using ssh keys see: SSH Keys
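As an added example (not code from the original page), here is a shell function that does what the ssh-copy-id step above does by hand, with the checks a bare scp or "cat >>" skips: it refuses private-key material, skips a key that is already present, and sets the permissions sshd requires. File paths are parameters, and any key used with it in testing is a constructed placeholder, not a real key.

```shell
# Added example, not from the original page: append a public key to an
# authorized_keys file the way ssh-copy-id does, with the checks a bare
# "scp" or "cat >>" skips. POSIX sh plus grep/awk; $1 = key_name.pub,
# $2 = the authorized_keys file to update (both paths are parameters).
add_authorized_key() {
    pub=$1
    auth=$2
    # The private key (the file without .pub) must never land here.
    if grep -q -- '-----BEGIN' "$pub"; then
        echo "refusing: $pub contains private key material" >&2
        return 2
    fi
    line=$(head -n 1 "$pub")
    # Only accept a line that starts with an OpenSSH public key type.
    case $line in
        "ssh-rsa "*|"ssh-dss "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "refusing: $pub is not an OpenSSH public key" >&2; return 2 ;;
    esac
    mkdir -p "$(dirname "$auth")"
    touch "$auth"
    # Duplicate check on type + key blob only, so a different comment on
    # the same key does not produce a second entry.
    keyid=$(printf '%s\n' "$line" | awk '{print $1, $2}')
    if awk -v k="$keyid" '($1 " " $2) == k {found=1} END {exit !found}' "$auth"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$line" >> "$auth"
    # sshd (StrictModes, the default) ignores key files that others can write.
    chmod 700 "$(dirname "$auth")"
    chmod 600 "$auth"
    echo "added"
}
```

Run it on the server as the target user, for example add_authorized_key ~/id_rsa.pub ~/.ssh/authorized_keys, in place of the cat lines above.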

Known_hosts

The server identifies itself with an ssh key pair as well. The server's identification is added to your account on the client in ~/.ssh/known_hosts (you will be asked whether you wish to add the server's identification to known_hosts the first time you connect to a server).

If you later receive an error message, take care to figure out why. The most common reason for this is that the server keys were changed. Your server administrator should notify you if this is the case.

The most concerning reason for this error message, however, is that someone may be trying to spoof your ssh server. This is sometimes called a "man in the middle" attack.

See the security section below for an example of an error message.

SSH Agent

ssh-agent is a command line tool that runs on the CLIENT and keeps your ssh keys in memory. If you use ssh-agent, be sure to log out or lock your session if you leave the computer!!!

ssh-add ~/.ssh/key_name #adds a key to memory

There are also several additional methods of managing keys (not covered here), such as keychain or seahorse.

SSH Agent without X

ssh-agent can be run without X, from a console, by starting a new shell. You may want to run a new session in "screen".

ssh-agent bash
ssh-agent zsh #for those who prefer zsh to bash

This starts a new {bash,zsh} shell and you may now add keys with ssh-add as above.

Port forwarding (tunneling)

Two use cases would be using ssh to tunnel http traffic over an insecure network (dynamic forwarding, -D) and tunneling VNC over ssh (local forwarding, -L).

ssh -D 1080 user@host # SOCKS proxy on local port 1080; the traffic leaves from host
ssh -L [bind_address:]port:host:host_port user@host # connections to the local port are delivered to host:host_port by the ssh server

External references:

Running commands on the server with ssh

You can use ssh to run a command on the server.

ssh user@server "sudo service apache2 start"

SSH from windows (windows clients)

PuTTY (you can run PuTTY on Linux).

WinSCP: a graphical client for Windows to transfer files over an ssh connection.

Cygwin: provides many Linux commands in a Windows terminal. See: Cygwin Homepage

Using keys with PuTTY

You must import your keys with puttygen.exe, then save them in PuTTY format (*.ppk). KEEP THE NAME THE SAME.

Download

PuTTY
WinSCP

Security

If you run an ssh server, please take the time to learn to secure it.

Quick tips:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
f2:92:1d:da:81:2a:d7:16:0a:48:f0:43:20:1c:f4:b5.
Please contact your system administrator.
Add correct host key in /home/bodhi/.ssh/known_hosts to get rid of this message.
Offending key in /home/bodhi/.ssh/known_hosts:1

If you see this message, STOP and INVESTIGATE the situation.

All too often I see the advice to remove known_hosts. Although effective, IMO this is not the best of ideas.

rm ~/.ssh/known_hosts => NOT IDEAL

You should first contact the server administrator and confirm the host ssh keys have been changed. Then remove the old keys with ssh-keygen.

Instead use ssh-keygen:

ssh-keygen -R hostname

or

sed -i 1d ~/.ssh/known_hosts # Assuming line 1 is bad, see the error message above.
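An added example, not part of the original post: shell functions that read the saved text of the warning above, pull out the offending known_hosts line and the fingerprint the remote host presented so both can be checked against what the administrator reports, and then retire only that one line after taking a backup. The warning file path, the known_hosts path and any fingerprint passed in are assumptions supplied by the caller.

```shell
# Added example, not from the original page. Handle the "REMOTE HOST
# IDENTIFICATION HAS CHANGED" warning without deleting all of known_hosts.
# POSIX sh plus sed/head; $1 is a file holding the saved warning text.

# Print "FILE:N" taken from the "Offending ... key in FILE:N" line.
offending_entry() {
    sed -n 's/^Offending .*key in \([^:]*\):\([0-9][0-9]*\).*$/\1:\2/p' "$1" | head -n 1
}

# Print the fingerprint the remote host presented: the line that follows
# "...sent by the remote host is", minus its trailing period.
warning_fingerprint() {
    sed -n '/sent by the remote host is$/{n;s/\.$//;p;}' "$1" | head -n 1
}

# Succeed only if the presented fingerprint equals the one the server
# administrator gave you out of band ($2). Anything else: keep investigating.
fingerprint_confirmed() {
    [ -n "$2" ] && [ "$(warning_fingerprint "$1")" = "$2" ]
}

# Show the stored entry for FILE:N so you can see which host and key it was.
show_offending() {
    f=${1%:*}; n=${1##*:}
    sed -n "${n}p" "$f"
}

# Remove only line N, after copying FILE to FILE.bak.<timestamp>; the backup
# keeps the old key for later comparison. Portable, so no "sed -i".
retire_offending() {
    f=${1%:*}; n=${1##*:}
    cp "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"
    sed "${n}d" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}
```

Typical flow: save the warning to a file, run show_offending and fingerprint_confirmed with the fingerprint your administrator gives you, and only then retire_offending.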

Additional security advice

For additional SSH security advice see: SSH Security

Additional references

How to ssh keys
Ubuntu wiki: How to ssh
Ubuntu wiki: ssh security
OpenSSH key management, Part 1
OpenSSH key management, Part 2
OpenSSH key management, Part 3
Debian Admin: SSH Key Authentication Using seahorse (GUI)