DEV Community

Ion

All you need to know about SSH

SSH-agent - a program that keeps decrypted private keys in memory and answers signing requests from SSH clients, so you type a key's passphrase once per login session instead of on every connection. To start an agent together with a shell that can use it, type:

ssh-agent $SHELL

where $SHELL is your shell (bash, zsh, sh). The agent sets SSH_AUTH_SOCK in that shell, the socket path that ssh and scp use to find it. The agent starts empty; to load a key into it, run ssh-add, which asks for that key's passphrase once and then serves the unlocked key to clients for as long as the agent runs (ssh-add -l lists the loaded keys, ssh-add -D removes them). Anyone who can talk to that socket, including a remote host you forward the agent to with ssh -A, can sign with the loaded keys, so treat agent forwarding as lending that host your identity.

ssh-add
Enter passphrase for /home/johndoe/.ssh/id_rsa: ********
Identity added: /home/johndoe/.ssh/id_rsa (/home/johndoe/.ssh/id_rsa)


SSH-server - A program that allows incoming SSH connections to a machine, handling authentication, authorization, and so forth.

SSH-client - A program that connects to SSH servers and makes requests, such as “log me in” or “copy this file.” In OpenSSH and Tectia, the major clients are ssh, scp, and sftp.

SSH authentication - can use a password (weaker: a password is guessable, and it has to be sent to the server, so a fake server can capture it) or a cryptographic key pair, consisting of a public and a private key. A key pair acts as an identity that says "this is me and no one else".
The public key is placed on the server (the machine you want to reach via SSH) and the private key stays on the client, ideally protected by a passphrase. Login is a challenge-response exchange, and the connection proceeds only if the client proves possession of the private key:

Client Request: The client requests SSH access to a server, targeting the 'John' user account.

Server's Challenge: The server challenges the client to prove its identity by sending a cryptographic challenge.

Client's Response: The client answers with an authenticator, a digital signature over the challenge made with its private key. The signature is bound to this particular session (in SSH-2 it covers the session identifier), so it cannot be replayed elsewhere, and neither the private key nor any password ever leaves the client machine.

Server Verification: The server checks the authenticator against the public keys authorized for the 'John' account (normally ~/.ssh/authorized_keys). If one of them verifies the signature, access is granted; otherwise authentication fails.

Keys are generated with the ssh-keygen program, giving the type of key with -t. The transcript below, from the book, uses DSA; OpenSSH has refused DSA keys by default since version 7.0 and recent releases have removed DSA support entirely, so today use -t ed25519 (or -t rsa -b 4096 where Ed25519 is not supported). Always set a passphrase: an unencrypted private key file is a plaintext credential for every server that holds the matching public key.

$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/johndoe/.ssh/id_dsa): press ENTER 
Enter passphrase (empty for no passphrase): ********
Enter same passphrase again: ********
Your identification has been saved in /home/johndoe/.ssh/id_dsa.
Your public key has been saved in /home/johndoe/.ssh/id_dsa.pub.
The key fingerprint is:
ab:cd:ef:01:23:45:67:89:0a:bc:de:f0:12:34:56:78 johndoe@server.example.com

The fingerprint shown is the old MD5 colon format; current ssh-keygen prints SHA256:<base64>, and ssh-keygen -lf id_ed25519.pub reprints it later (-E md5 selects the old format). Install the public key on the server with ssh-copy-id johndoe@server.example.com, which appends it to ~/.ssh/authorized_keys there; the .pub file is the only half that should ever be copied anywhere.

Forwarding or tunneling - means encapsulating another TCP-based service, such as Telnet or IMAP, within an SSH session. This brings the security benefits of SSH (privacy, integrity, authentication, authorization) to other TCP-based services. For example, an ordinary Telnet connection transmits your username, password, and the rest of your login session in the clear. By forwarding Telnet through SSH, all of this data is automatically encrypted and integrity-checked, and you may authenticate using SSH credentials.

SSH supports two types of forwarding: local (-L, a port on the client is relayed out through the server) and remote (-R, a port on the server is relayed back to the client).

TCP port forwarding - SSH can increase the security of other TCP/IP-based applications such as Telnet, FTP, and the X Window System. A technique called port forwarding or tunneling reroutes a TCP/IP connection to pass through an SSH connection, encrypting it between the client and the SSH server. Port forwarding can also pass such applications through network firewalls that otherwise prevent their use.

Suppose you are logged into a machine away from work and want to access the internal news server at your office, example.com. The Example network is connected to the Internet, but a network firewall blocks incoming connections to most ports, particularly port 119, the news port. The firewall does allow incoming SSH connections, however, since the SSH protocol is secure enough that even Example's rabidly paranoid system administrators trust it. SSH can establish a secure tunnel on an arbitrary local TCP port, say port 3002, to the news port on the remote host. The command might look a bit cryptic at this early stage, but here it is:

 $ ssh -L 3002:localhost:119 example.com

This says "ssh, please establish a secure connection from TCP port 3002 on my local machine to TCP port 119, the news port, on example.com." The general form is -L local_port:target_host:target_port, and target_host is resolved by the SSH server, not by your machine, so localhost here means example.com itself. To read news securely, configure your news-reading program to connect to port 3002 on your local machine. The tunnel created by ssh delivers the traffic to the news server on example.com, and the news traffic passing through the tunnel is protected by encryption. Two caveats: the leg from the SSH server to target_host is ordinary, unencrypted TCP whenever the target is a different machine, and by default the local listener binds only to 127.0.0.1, which is what you want unless other machines are meant to use the tunnel.

OpenSSH - a free and open-source implementation of the SSH protocol, developed as part of the OpenBSD project, which focuses on security and free software. OpenSSH is the de facto standard implementation and has largely replaced other implementations thanks to its security record and free availability. It ships both the client tools (ssh, scp, sftp, ssh-keygen, ssh-agent) and the server (sshd). In summary, SSH is a protocol that provides secure network communication, while OpenSSH is a specific implementation of that protocol, offering the tools and utilities for using SSH in practice.

Known hosts - the first time you contact a remote host whose key your client has never seen, you receive the following message:

$ ssh -l johndoe server.example.com
The authenticity of host 'server.example.com (10.20.30.40)' can't be established.
RSA key fingerprint is 3f:44:5a:5b:6c:7d:8e:9f:a0:b1:c2:d3:e4:f5:06:07.
Are you sure you want to continue connecting (yes/no)?

The message appears only the first time you contact a particular remote host, and it is the SSH client's defence against man-in-the-middle attacks: it is the one moment where the client has nothing to compare the server's key against. Answer yes only after comparing the fingerprint with one obtained out of band (from the administrator, a configuration management record, or ssh-keygen -lf run on the server's /etc/ssh/ssh_host_*_key.pub files at the console). Known hosts cover one direction of SSH's mutual authentication: the host key proves the server to the client, while your password or user key proves you to the server.

Each SSH server has a host key pair: the private half is a secret that never leaves the server, and the public half is what clients record.

When you connect to a server for the first time and answer "yes" to the prompt, the server's public host key is saved in your local account, in ~/.ssh/known_hosts (OpenSSH also consults the system-wide /etc/ssh/ssh_known_hosts). This is trust on first use: the first connection is the one an attacker would need to intercept.

For subsequent connections to the same server, your SSH client uses the saved public key to verify the server's identity.

If your client detects a mismatch in the server's host key (the key offered is different from the one saved), it triggers a warning.

A mild prompt appears when the host is simply not yet in your list. The wording below is the older SSH1/Tectia form; OpenSSH prints the "authenticity of host ... can't be established" message shown above instead:

Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)?

A more serious warning, "REMOTE HOST IDENTIFICATION HAS CHANGED!", indicates a potential security threat, such as a man-in-the-middle attack, and you should contact your administrator to investigate:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
12:34:56:78:9a:bc:de:f0:11:22:33:44:55:66:77:88.
Please contact your system administrator.
Add correct host key in /home/johndoe/.ssh/known_hosts to get rid of this message.
Offending key in /home/johndoe/.ssh/known_hosts:45

The last line tells you which line of known_hosts (45 here) holds the old key. Modern OpenSSH refuses the connection at this point ("Host key verification failed"); if host key checking has been relaxed (StrictHostKeyChecking no), it still connects but disables password authentication, keyboard-interactive authentication and agent forwarding for that session, so that a fake server cannot harvest them. The right response is to confirm out of band whether the key really changed (reinstall, restored backup, a new host behind the same name); only then remove the stale entry with ssh-keygen -R server.example.com and accept the new key. Never delete the entry just to make the warning go away.
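The fingerprint and known_hosts logic described above, as an added Python example (not code from the article or from OpenSSH, which does this in C): it parses an OpenSSH public key line, prints the fingerprint in both formats the article shows (SHA256 for current ssh-keygen, the MD5 colon style of the old transcripts), and classifies a host key offered by a server against a known_hosts file as unknown, matching or changed, including entries written with HashKnownHosts yes. The keys and the file contents are constructed inside the block; the key bytes are fixed filler rather than real Ed25519 points, since only the wire framing and the hashing matter here.

```python
import base64
import hashlib
import hmac
import os
import struct


def encode_pubkey(key_type, key_material):
    """Build an OpenSSH public key line ('type base64') from a type name and raw key
    bytes. Used here only to construct sample data; real keys come from ssh-keygen."""
    blob = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(key_material)) + key_material)
    return key_type + " " + base64.b64encode(blob).decode()


def parse_pubkey_line(line):
    """Split 'type base64 [comment]' and check that the type name stored inside the
    blob matches the one in front of it (a mismatch means the line was edited)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])           # wire format: uint32 length + string
    embedded = blob[4:4 + n].decode()
    if embedded != key_type:
        raise ValueError(f"type {key_type!r} does not match blob type {embedded!r}")
    return key_type, blob, comment


def fingerprint(blob, hash_name="sha256"):
    """Fingerprint of the key blob as `ssh-keygen -lf` prints it:
    SHA256:<unpadded base64> (modern) or MD5:aa:bb:... (the old colon style)."""
    digest = hashlib.new(hash_name, blob).digest()
    if hash_name == "md5":
        return "MD5:" + ":".join(f"{b:02x}" for b in digest)
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_hostname(host, salt=None):
    """Host field as written with HashKnownHosts yes: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    salt = salt if salt is not None else os.urandom(20)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(entry_host, host):
    """True if a known_hosts host field (plain, comma-separated, or hashed) names host."""
    if entry_host.startswith("|1|"):
        _, _, salt_b64, _ = entry_host.split("|")
        expected = hash_hostname(host, base64.b64decode(salt_b64))
        return hmac.compare_digest(expected, entry_host)
    return host in entry_host.split(",")


def check_host_key(known_hosts_text, host, pubkey_line):
    """Classify the key a server offers, as the client does before it prompts (UNKNOWN),
    proceeds silently (OK) or prints the REMOTE HOST IDENTIFICATION HAS CHANGED warning
    (CHANGED). Returns (status, line number of the matching or offending entry)."""
    key_type, blob, _ = parse_pubkey_line(pubkey_line)
    offered_b64 = base64.b64encode(blob).decode()
    offending = None
    for line_no, line in enumerate(known_hosts_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue  # comments; @cert-authority/@revoked markers are out of scope here
        fields = line.split()
        if len(fields) < 3:
            continue
        entry_host, entry_type, entry_key = fields[0], fields[1], fields[2]
        if entry_type != key_type or not host_matches(entry_host, host):
            continue
        if hmac.compare_digest(entry_key, offered_b64):
            return "OK", line_no
        if offending is None:
            offending = line_no     # same host, same algorithm, different key
    return ("CHANGED", offending) if offending is not None else ("UNKNOWN", None)


# Constructed sample keys: fixed bytes, not real Ed25519 points.
SERVER_KEY = encode_pubkey("ssh-ed25519", bytes(range(32)))
IMPOSTOR_KEY = encode_pubkey("ssh-ed25519", bytes(range(32, 64)))

# Constructed known_hosts: one plain entry and one hashed entry (fixed salt for reproducibility).
KNOWN_HOSTS = "\n".join([
    "# constructed sample file",
    "server.example.com,10.20.30.40 " + SERVER_KEY,
    hash_hostname("git.example.com", b"\x00" * 20) + " " + SERVER_KEY,
])


def demo():
    return {
        "known": check_host_key(KNOWN_HOSTS, "server.example.com", SERVER_KEY),
        "hashed": check_host_key(KNOWN_HOSTS, "git.example.com", SERVER_KEY),
        "changed": check_host_key(KNOWN_HOSTS, "server.example.com", IMPOSTOR_KEY),
        "unknown": check_host_key(KNOWN_HOSTS, "other.example.com", SERVER_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8s} -> {result}")
    blob = parse_pubkey_line(SERVER_KEY)[1]
    print(fingerprint(blob), fingerprint(blob, "md5"))
```

The CHANGED branch is deliberately reached only for an entry with the same host and the same key algorithm; a host that is known under one algorithm and offers another is a different situation (the client learns a new key type) and is reported here as UNKNOWN. Hashed entries are matched by recomputing the HMAC with the stored salt, which is why a hashed known_hosts hides which hosts you talk to but still cannot hide a changed key.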

If commands don't work as you expect, try adding the -v ("verbose") command-line option, for example:

$ ssh -v shell.isp.com

This causes the client to print lots of information about its progress (which keys it offers, which authentication methods the server accepts, which known_hosts line matched), often revealing the source of the discrepancy. Repeating the option (-vv, -vvv) increases the detail.

Architecture of SSH system: (diagram not reproduced)

Key - a relatively small amount of data, generally from tens of bits to a few thousand bits, used as a parameter to cryptographic algorithms such as encryption or message authentication. The key binds the operation of the algorithm to the key holder: in encryption, it ensures that only someone holding that key (or a related one) can decrypt the message; in authentication, it lets you verify later that the key holder actually signed the message. There are two kinds of keys: symmetric or secret keys, and asymmetric or public keys.

User key - A persistent, asymmetric key used by clients as proof of a user’s identity. (A single user may have many keys/identities.)

Host key - a persistent, asymmetric key used by a server as proof of its identity, as well as by a client when proving its host's identity as part of host-based authentication. If a machine runs a single SSH server, the host key also uniquely identifies the machine. (If a machine is running multiple SSH servers, each may have a different host key, or they may share.)

Session key - a randomly generated, symmetric key for encrypting the communication between an SSH client and server. It is agreed by the two parties during the SSH connection setup (through a key exchange such as Diffie-Hellman, authenticated by the host key) so that an eavesdropper cannot discover it. Both sides then have the session key, which they use to encrypt their communications. When the SSH session ends, the key is destroyed.

Guidance for setting up password-based authentication for SSH:

On the SSH Server

Install SSH Server:

For Linux systems, the SSH server is typically OpenSSH. You can install it using your system's package manager. For example, on Ubuntu: sudo apt-get install openssh-server.

Ensure the SSH service is running and will start at boot: sudo systemctl enable --now ssh (or sudo service ssh start on older systems).

Configure SSH Server:

The main configuration file for the SSH server is usually /etc/ssh/sshd_config.

Make sure password authentication is enabled. Look for the line #PasswordAuthentication yes and ensure it is uncommented (remove the #) and set to yes. Note that sshd keeps the first value it reads for a keyword, and recent Ubuntu releases put Include /etc/ssh/sshd_config.d/*.conf at the top of the file, so a drop-in there that says PasswordAuthentication no overrides your edit; check the effective value with sudo sshd -T | grep -i passwordauthentication. Leave PermitRootLogin at its default (prohibit-password) and keep MaxAuthTries low, since password logins are exactly what brute-force scanners target.

Validate the file with sudo sshd -t, then restart the SSH service to apply the changes: sudo systemctl restart ssh. Keep your current session open until a second login succeeds, so that a typo cannot lock you out.

Firewall Settings:

Ensure your firewall allows incoming connections on the SSH port (default is 22). For example, using UFW on Ubuntu: sudo ufw allow ssh.

Create User Accounts (if necessary):

Create user accounts on the server for each user that needs SSH access. Use sudo adduser [username] to create a new user, and give each account a strong password.

On the SSH Client

Install SSH Client:

Most Linux distributions come with an SSH client installed by default. For Windows, you can use clients like PuTTY or the built-in Windows SSH client in newer versions.

Connect to the SSH Server:

Use the ssh command followed by the username and the IP address or hostname of the SSH server: ssh username@server-ip-address.

If it's your first time connecting to the server, you'll be asked to verify the server's host key fingerprint. Compare it with the fingerprint obtained from the server itself or from its administrator before typing yes; once accepted, it is stored in ~/.ssh/known_hosts and checked on every later connection.

Enter the password for the username when prompted. The password travels inside the encrypted session, but the login is still only as strong as the password itself, so once this setup works, consider moving to key-based authentication and setting PasswordAuthentication no.
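The "Configure SSH Server" step above is where password logins most often fail to appear: stock Ubuntu puts Include /etc/ssh/sshd_config.d/*.conf at the top of sshd_config, and sshd keeps the first value it sees for each keyword, so a drop-in that says PasswordAuthentication no (cloud images ship one) silently beats the yes you uncomment further down. The following is an added Python example, not the article's or OpenSSH's code, that resolves settings with those rules over file contents constructed in the block (the paths and the 50-cloud-init.conf name mirror a common layout but are assumptions here) and shows the fix that actually takes effect, plus two lint checks a reviewer would run before enabling passwords.

```python
import fnmatch
import re

# keyword, optional '=' or whitespace separator, value (sshd accepts "Key value" and "Key=value")
DIRECTIVE = re.compile(r"^\s*([^\s=]+)\s*(?:=|\s)?\s*(.*?)\s*$")


def effective_settings(files, main="/etc/ssh/sshd_config"):
    """Resolve the unconditional settings of sshd_config the way sshd reads them:
    files are processed top to bottom, `Include` inlines every matching file at that
    point (in sorted order, as glob(3) returns them), and for each keyword the FIRST
    value seen wins; later lines for the same keyword are ignored. A `Match` line ends
    the unconditional part of the file it appears in. `files` maps path -> text, so
    the example runs without touching the disk."""
    settings = {}

    def walk(path):
        for raw in files[path].splitlines():
            if not raw.strip() or raw.lstrip().startswith("#"):
                continue  # blank lines and comments; '#PasswordAuthentication yes' sets nothing
            m = DIRECTIVE.match(raw)
            if not m:
                continue
            keyword, value = m.group(1).lower(), m.group(2)
            if keyword == "match":
                return  # everything below is conditional on the Match criteria
            if keyword == "include":
                for pattern in value.split():
                    for included in sorted(p for p in files if fnmatch.fnmatch(p, pattern)):
                        walk(included)
                continue
            settings.setdefault(keyword, value)  # first value wins

    walk(main)
    return settings


def password_auth_state(settings):
    """sshd's compiled-in default for PasswordAuthentication is yes, so an absent keyword
    means enabled; an explicit value earlier in the resolution order decides otherwise."""
    return settings.get("passwordauthentication", "yes").lower()


def lint(settings):
    """Findings a reviewer would raise before exposing password logins (defaults are
    OpenSSH's: PermitRootLogin prohibit-password, PermitEmptyPasswords no)."""
    findings = []
    if password_auth_state(settings) == "yes":
        if settings.get("permitrootlogin", "prohibit-password").lower() == "yes":
            findings.append("PermitRootLogin yes with passwords enabled: root is brute-forceable")
        if settings.get("permitemptypasswords", "no").lower() == "yes":
            findings.append("PermitEmptyPasswords yes: accounts without a password can log in")
    return findings


# Constructed files mimicking a stock Ubuntu layout (assumed names): the Include sits at
# the top of the main file and a drop-in sets PasswordAuthentication no before the main
# file ever mentions it. The Match block at the end must not leak into the global result.
SAMPLE_FILES = {
    "/etc/ssh/sshd_config": "\n".join([
        "Include /etc/ssh/sshd_config.d/*.conf",
        "Port 22",
        "#PermitRootLogin prohibit-password",
        "PasswordAuthentication yes",
        "Match User backup",
        "    PasswordAuthentication no",
    ]),
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication no\n",
}


def fixed_files():
    """The fix that works: a drop-in sorting before the one that says no, so its value is
    read first. Editing the main file below the Include line changes nothing."""
    files = dict(SAMPLE_FILES)
    files["/etc/ssh/sshd_config.d/00-allow-passwords.conf"] = "PasswordAuthentication yes\n"
    return files


if __name__ == "__main__":
    before = effective_settings(SAMPLE_FILES)
    after = effective_settings(fixed_files())
    print("as edited:", password_auth_state(before), before)
    print("with drop-in:", password_auth_state(after), lint(after))
```

Treat the block as a way to reason about a config you are reviewing; on the real host the authority is sudo sshd -T, which prints the daemon's own resolved values, and sudo sshd -t, which rejects syntax errors before a restart.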

Resources:
SSH, The Secure Shell: The Definitive Guide 2edition
