Introduction
SSH ~ SSH (Secure SHell) is a secure method of remote access to computers and is often used to manage servers remotely. It encrypts the connection and replaces older protocols such as rlogin, rsh, and rcp.
SSH is a command line tool, but do not let that fool you: it is very powerful and can be used for far more than a command line interface.
- Remote system administration.
- File transfer via scp.
- Mount a remote file system locally via sshfs.
- Forward X (graphical) applications or an entire desktop (to your client).
- Port forwarding aka tunneling.
- Increase the security of VNC connections by tunneling them through SSH (SSH encrypts the VNC connections and this is one example of port forwarding).
For additional information see : Wikipedia SSH
SSH Basics
How to connect to an ssh server
ssh user@server
"user" = The user name you wish to use to log into the server.
- The "user" must have an account on the server.
- If no user is specified, ssh assumes the user name you are logged in as on the client.
"server" is the ip address or name of the server.
- If the server name is "private", i.e. you are on a LAN, you can add the server name and ip address to /etc/hosts .
- If you wish to connect over the Internet you need to use your public ip address (your public ip address is assigned by your Internet provider). Assuming you are using a router (you do have a router, don't you?), you must also forward your ssh port from your router to your ssh server.
Advanced Topics
Commonly used options
ssh has many options; here is an example using some I find useful.
ssh -p xxxx -i ~/.ssh/key -X -C -c blowfish user@server <command>
- -p = port
- -i = identity (private key) file
- -X = forwards X
- -C = use compression (compressing the data speeds up the connection).
- compression is not necessary if you are connecting on a LAN, but may help if you are connecting over the Internet.
- -c = selects the cipher specification for encrypting the session.
- blowfish is fastest; other options exist, see man ssh .
- <command> runs the command on the server.
SCP
scp == Secure copy and is used to transfer files between the client and the server.
Example:
scp file user@server:/home/user/file
Notice the syntax: the destination is written as user@server:/full/path/to/destination.
Linux permissions apply to scp: the user you log into the server as must have permission to write the file to the target location on the server.
Options:
-r = used to recursively copy directories.
scp directory user@server:/home/user/directory
-P = used to specify a port (helpful if you changed the default port for your ssh server; see the security section).
scp -P xxxx file user@server:/home/user/file
KeepAlive
For security purposes, the server will close the connection after two minutes of idle time. As the name implies, the KeepAlive option is used to keep the server from closing an idle connection.
Linux client
Add this to /etc/ssh/ssh_config
ServerAliveInterval 120
Windows (Putty) client
To keep the connection active (alive), before you make the connection, select "Connection" on the left of the PuTTY Configuration window, and type 120 in the "Seconds between keepalives (0 to turn off)" box.
Keys
ssh keys are used to increase security.
Generating keys on a Linux client
rsa : (Key) Protocol 1
ssh-keygen -t rsa -b 4096 -f key_name
-b = size of key (4096 is now default)
dsa : (Key) Protocol 2
ssh-keygen -t dsa -f key_name
Note: FYI - dsa keys are always 1024 bits.
These commands generate two files: one with just the name of the key (no extension), which is the private key, and key_name.pub.
The -f key_name option specifies the name of the key.
.pub == public == placed on the server.
Server
Now that you have a key, you must transfer key_name.pub to the server and into ~/.ssh/authorized_keys. You can do this with scp or with ssh-copy-id.
ssh (scp) ~ useful to copy keys for other users.
scp ~/.ssh/id_dsa.pub user@server:.ssh/authorized_keys
scp ~/.ssh/id_rsa.pub user@server:.ssh/authorized_keys
To add additional keys to an existing ~/.ssh/authorized_keys, first transfer the key_name.pub to the server (as above).
Then append the key to ~/.ssh/authorized_keys:
cat id_dsa.pub >> ~/.ssh/authorized_keys #always the .pub file, never the private key
cat id_rsa.pub >> ~/.ssh/authorized_keys
Use "ssh-copy-id" to transfer your key directly.
ssh-copy-id -i ~/.ssh/key_name.pub user@server
Specify a (public) key with the "-i" flag.
user = the username you use to log onto the server.
Known_hosts
The server identifies itself with an ssh key pair as well. The server identification is added to your account on the client under "~/.ssh/known_hosts" (you will be asked if you wish to add the server identification to known_hosts the first time you connect to a server).
If you later receive an error message, take care to figure out why. The most common reason is that the server keys were changed. Your server administrator should notify you if this is the case.
The most concerning reason for this error message, however, is that someone may be trying to spoof your ssh server. This is sometimes called a "man in the middle" attack.
See the security section below for an example of an error message.
SSH Agent
ssh agent is a command line tool that runs on the CLIENT and keeps your ssh keys in memory. If you use ssh-agent, be sure to log out or Lock your session if you leave the computer !!!
ssh-agent #starts ssh agent
ssh-add ~/.ssh/key_name #adds a key to memory
Note: In most distributions ssh-agent is included and is automatically started when you log in. Most likely you do not need to run this command.
There are also several additional methods of managing keys (not covered here), such as keychain or seahorse.
SSH Agent without X
ssh-agent can be run without X, from a console, by starting a new shell. You may want to run a new session in "screen".
ssh-agent bash
ssh-agent zsh #for those who prefer zsh to bash
This starts a new {bash,zsh} shell and you may now add keys with ssh-add as above.
Port forwarding (tunneling)
ssh -D 1080 user@host #dynamic forwarding: a SOCKS proxy on local port 1080 whose connections leave through the server
ssh -L [bind_address:]port:host:host_port user@server #local forwarding: connections to the local port are relayed by the server to host:host_port
Running commands on the server with ssh
example
SSH from windows (windows clients)
Putty (you can run putty on Linux)
Winscp : Uses Putty keys to transfer files over a ssh connection
Cygwin : Cygwin Homepage
Using keys with putty
You must import your keys with PuTTYgen, then save them in PuTTY format (*.ppk). KEEP THE NAME THE SAME.
Download
Putty
WinSCP
Security
If you run a ssh server, please take the time to learn to secure it.
Quick tips
- Use strong passwords
- Use keys
- Change the default port
- Consider using either iptables or a service such as denyhosts or fail2ban
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
f2:92:1d:da:81:2a:d7:16:0a:48:f0:43:20:1c:f4:b5.
Please contact your system administrator.
Add correct host key in /home/novak/.ssh/known_hosts to get rid of this message.
Offending key in /home/novak/.ssh/known_hosts:1
If you see this message, STOP and LOOK.
rm ~/.ssh/known_hosts => NOT IDEAL
Instead try:
ssh-keygen -R hostname
or
sed -i 5d .ssh/known_hosts # Assuming line 5 is bad
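As an added example (not part of the original tutorial), covering both the Known_hosts section above and this warning: a Python script that finds every known_hosts line belonging to a host, including HashKnownHosts entries (the |1|salt|hmac form, where the hostname is not readable), and prints the stored key's fingerprint in the MD5 colon form shown in the warning and in the SHA256 form newer OpenSSH prints, so you can compare it with what the administrator gave you before removing a line with ssh-keygen -R or sed. The hostnames, key bytes and salt are constructed sample data.

```python
import base64
import hashlib
import hmac
import struct

def parse_known_hosts(text):
    """Yield (lineno, hostfield, keytype, key_blob) for each key line."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if fields and fields[0].startswith("@"):   # marker such as @revoked
            fields = fields[1:]
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        yield lineno, fields[0], fields[1], base64.b64decode(fields[2])

def host_matches(hostfield, hostname):
    """Match a plain, comma-separated or HashKnownHosts (|1|salt|hmac) field."""
    if hostfield.startswith("|1|"):
        _, _, salt, digest = hostfield.split("|")
        mac = hmac.new(base64.b64decode(salt), hostname.encode(), hashlib.sha1)
        return hmac.compare_digest(base64.b64encode(mac.digest()).decode(), digest)
    return hostname in hostfield.split(",")

def fingerprints(blob):
    """MD5 colon form (as in the warning above) and OpenSSH SHA256 form."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha

def keys_for_host(text, hostname):
    """Return [(lineno, keytype, md5_fp, sha256_fp)] for lines naming hostname."""
    return [(n, kt, *fingerprints(b)) for n, hf, kt, b in parse_known_hosts(text)
            if host_matches(hf, hostname)]

# Constructed sample: made-up ed25519 key, zero salt, plain + hashed + unrelated entries.
SAMPLE_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_KEY = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_SALT = bytes(20)
SAMPLE_HASHED_FIELD = "|1|%s|%s" % (base64.b64encode(SAMPLE_SALT).decode(), base64.b64encode(
    hmac.new(SAMPLE_SALT, b"server.example", hashlib.sha1).digest()).decode())
SAMPLE_KNOWN_HOSTS = "\n".join([
    "server.example,192.0.2.10 ssh-ed25519 " + SAMPLE_KEY,
    "# a comment line is ignored",
    SAMPLE_HASHED_FIELD + " ssh-ed25519 " + SAMPLE_KEY,
    "other.example ssh-ed25519 " + SAMPLE_KEY,
])

if __name__ == "__main__":
    for lineno, ktype, md5_fp, sha_fp in keys_for_host(SAMPLE_KNOWN_HOSTS, "server.example"):
        print("known_hosts:%d %s %s %s" % (lineno, ktype, md5_fp, sha_fp))
```

The line number printed is the one to hand to sed, and it is found even when the entry is hashed, which grepping for the hostname cannot do.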
Additional security advice
- Change the default port.
- Keys only.
- DO NOT USE KEYS WITH AN EMPTY PASSPHRASE. Use ssh-agent instead.
- Options on server in /etc/ssh/sshd_config :
Port xxxx
LogLevel VERBOSE
LoginGraceTime 120
PasswordAuthentication no # THIS DISABLES LOGIN w/o KEYS
X11Forwarding yes # Consider changing this to no
Banner /etc/issue.net # I change this to /etc/ssh.login
AllowUsers goodboy1 goodgirl2 # White list by username
DenyUsers badboy1 badgirl2 # Black list by username
AllowGroups sshlogin # White list by groups
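A small audit of the settings listed above, added here as an example and not part of the original tutorial. It reads an sshd_config text the way sshd does (the first occurrence of a keyword wins, keywords are case-insensitive, both "Key value" and "Key=value" are accepted, and everything after the first Match block is conditional), assumes the stock OpenSSH defaults for keywords that are absent, and checks two constructed sample configs against the list; LoginGraceTime and Banner are not checked.

```python
import re
# Added example, not the tutorial's code: audit an sshd_config text against the
# list above. Stock OpenSSH defaults are assumed for keywords that are absent.
DEFAULTS = {"port": "22", "loglevel": "INFO",
            "passwordauthentication": "yes", "x11forwarding": "no"}

def parse_sshd_config(text):
    """Effective global settings as {keyword_lower: value}: sshd keeps the first
    occurrence of a keyword, keywords are case-insensitive, 'Key value' and
    'Key=value' are both valid, and lines after a Match block are conditional."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break                                  # the rest is conditional
        effective.setdefault(key, parts[1] if len(parts) > 1 else "")
    return effective

def audit(text):
    """Return findings; an empty list means every recommendation above is met."""
    cfg = parse_sshd_config(text)
    get = lambda k: cfg.get(k, DEFAULTS.get(k, "")).lower()
    findings = []
    if get("port") == "22":
        findings.append("Port: default port 22 still in use")
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication: password logins still allowed")
    if get("x11forwarding") == "yes":
        findings.append("X11Forwarding: enabled, consider no")
    if get("loglevel") not in ("verbose", "debug", "debug1", "debug2", "debug3"):
        findings.append("LogLevel: below VERBOSE, key fingerprints are not logged")
    if not (cfg.get("allowusers") or cfg.get("allowgroups")):
        findings.append("AllowUsers/AllowGroups: no white list of who may log in")
    return findings

WEAK_CONFIG = "#Port 22\nX11Forwarding yes\nPasswordAuthentication yes\n"
HARDENED_CONFIG = """Port 2222
LogLevel VERBOSE
PasswordAuthentication no   # THIS DISABLES LOGIN w/o KEYS
X11Forwarding no
AllowGroups sshlogin
PasswordAuthentication yes  # ignored: the first occurrence above wins
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    print("weak:", audit(WEAK_CONFIG), "\nhardened:", audit(HARDENED_CONFIG))
```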
Additional references
How to ssh keys
Ubuntu wiki : How to ssh
Ubuntu wiki : ssh security
OpenSSH key management, Part 1
OpenSSH key management, Part 2
OpenSSH key management, Part 3
Debian Admin - SSH Key Authentication Using seahorse (GUI)