What is SSH?
Secure shell (SSH) is a transfer protocol that allows users to remotely control a device or server via an internet connection
You can use the SSH command to create a secure connection to a remote system, authenticate as a specific user, and get an interactive shell session on the remote system as that user. You may also use the SSH command to run an individual command on the remote system without running an interactive shell.
SSH has 3 encryption technologies such as symmetric, asymmetric, and hashing. These three technologies are cryptographic techniques that ensure that all data involved in the transfer is encrypted.
Secure Shell Examples
The following ssh command would log you in on the remote server remotehost using the same user name as the current local user. In this example, the remote system prompts you to authenticate with that user's password.
ssh SSHserver.example.com
The next SSH command would log you in on the remote server remotehost using the user name user02. Again, you are prompted by the remote system to authenticate with that user's password.
ssh UserName@SSHserver.example.com
If this is the first time negotiating a connection between the local host and the server, the user will be prompted with the remote host's public key fingerprint and prompted to connect, despite there having been no prior connection
The authenticity of host 'sample.ssh.com' cannot be established.
DSA key fingerprint is 01:23:45:67:89:ab:cd:fg:gg:gf:dc:ba:98:76:54:32:10.
Are you sure you want to continue connecting (yes/no)?
Answering yes to the prompt will cause the session to continue, and the host key is stored in the local system's known_hosts file.
This ssh command would run the hostname command on the remotehost remote system as the UserName user without accessing the remote interactive shell.
[User@host ~]$ ssh UserName@SSHserver.example.com hostname
UserName@SSHserver.example.com's password: _paswdexample_
SSHserver.example.com
[User@host ~]$
exit is a command to exit the remote system
[UserName@SSHserver.example.com ~]$ exit
logout
Connection to SSHserver.example.com closed.
[User@host ~]$
identifying Remote Users
Command W is a command to find out who is entering the server. This command is very important because we can know what they are doing
[UserName01@SSHserver.example.com ~]$ w
12:13:38 up 36 min, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
UserName02 pts/0 172.21.250.15 12:13 7:30 0.01s 0.01s -bash
UserName01 pts/1 172.21.250.15 12:24 3.00s 0.01s 0.00s w
[UserName01@SSHserver.example.com ~]$
SSH Key-based Authentication
You can configure an SSH server to allow you to authenticate without a password by using key-based authentication. This is based on a private-public key scheme.
- Generating SSH Keys
To create a private key and matching public key for authentication, use the ssh-keygen command.
[UserName@SSHserver.example.com ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): Enter
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase): Enter
Enter same passphrase again: Enter
Your identification has been saved in /home/UserName/.ssh/id_rsa.
Your public key has been saved in /home/UserName/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:vxutUNPio3QDCyvkYm1oIx35hmMrHpPKWFdIYu3HV+w
The key's randomart image is:
+---[RSA 2048]----+
| |
| . . |
| o o o |
| . = o o . |
| o + = S E . |
| ..O o + * + |
|.+% O . + B . |
|=*oO . . + * |
|++. . +. |
+----[SHA256]-----+
You can run a helper program called ssh-agent which can temporarily cache your private key passphrase in memory at the start of your session to get true passwordless authentication. This will be discussed later in this section.
The following example of the ssh-keygen command shows the creation of the passphrase-protected private key alongside the public key.
[UserName@SSHserver.example.com ~]$ ssh-keygen -f .ssh/key-with-pass
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in .ssh/key-with-pass.
Your public key has been saved in .ssh/key-with-pass.pub.
The key fingerprint is:
SHA256:w3GGB7EyHUry4aOcNPKmhNKS7dl1YsMVLvFZJ77VxAo
The key's randomart image is:
+---[RSA 2048]----+
| . + =.o ... |
| = B XEo o. |
| . o O X =.... |
| = = = B = o. |
|= + * * S . |
|.+ = o + . |
| + . |
| |
| |
+----[SHA256]-----+
WARNING:
During further SSH keypair generation, unless you specify a unique file name, you are prompted for permission to overwrite the existing id_rsa and id_rsa.pub files. If you overwrite the existing id_rsa and id_rsa.pub files, then you must replace the old public key with the new one on all the SSH servers that have your old public key.
- Sharing the Public Key
Before key-based authentication can be used, the public key needs to be copied to the destination system. The ssh-copy-id command copies the public key of the SSH keypair to the destination system. If you omit the path to the public key file while running ssh-copy-id, it uses the default /home/user/.ssh/id_rsa.pub file.
[User@host ~]$ ssh-copy-id -i .ssh/key-with-pass.pub UserName@SSHserver.example.com
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/user/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user@remotehost's password: paswd.example
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'user@remotehost'"
and check to make sure that only the key(s) you wanted were added.
After the public key is successfully transferred to a remote system, you can authenticate to the remote system using the corresponding private key while logging in to the remote system over SSH. If you omit the path to the private key file while running the ssh command, it uses the default /home/user/.ssh/id_rsa file.
[User@host ~]$ ssh -i .ssh/key-with-pass UserName@SSHserver.example.com
Enter passphrase for key '.ssh/key-with-pass': redhatpass
...output omitted...
[UserName@SSHserver.example.com ~]$ exit
logout
Connection to SSHserver.example.com closed.
[User@host ~]$
- Using ssh-agent for Non-interactive Authentication
you can use a program called ssh-agent to temporarily cache the passphrase in memory. Then any time that you use SSH to log in to another system with the private key, ssh-agent will automatically provide the passphrase for you.
If you log in on a text console, log in using ssh, or use sudo or su, you will probably need to start ssh-agent manually for that session. You can do this with the following command
[User@host ~]$ eval $(ssh-agent)
Agent pid 10155
[User@host ~]$
Once ssh-agent is running, you need to tell it the passphrase for your private key or keys. You can do this with the ssh-add command.
[User@host ~]$ ssh-add
Identity added: /home/User/.ssh/id_rsa (UserName@SSHserver.example.com)
[User@host ~]$ ssh-add .ssh/key-with-pass
Enter passphrase for .ssh/key-with-pass: redhatpass
Identity added: .ssh/key-with-pass (UserName@SSHserver.example.com)
Configuring the OpenSSH Server
- Prohibit the Superuser From Logging in Using SSH
The OpenSSH server uses the PermitRootLogin configuration setting in the /etc/ssh/sshd_config configuration file to allow or prohibit users logging in to the system as root.
PermitRootLogin yes
With the PermitRootLogin parameter to yes, as it is by default, people are permitted to log in as root. To prevent this, set the value to no. Alternatively, to prevent password-based authentication but allow private key-based authentication for root, set the PermitRootLogin parameter to without-password.
- Prohibiting Password-Based Authentication for SSH
The OpenSSH server uses the PasswordAuthentication parameter in the /etc/ssh/sshd_config configuration file to control whether users can use password-based authentication to log in to the system.
PasswordAuthentication yes
The default value of yes for the PasswordAuthentication parameter in the /etc/ssh/sshd_config configuration file causes the SSH server to allow users to use password-based authentication while logging in. The value of no for PasswordAuthentication prevents users from using password-based authentication.
The SSH server (sshd) must be reloaded for any changes to take effect.
[root@host ~]# systemctl reload sshd
THANKS FOR READING
Top comments (0)