ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections, arbitrary TCP ports and UNIX-domain sockets can also be forwarded over the secure channel. ssh connects and logs into the specified destination, which may be specified as either [user@]hostname or a URI of the form ssh://[user@]hostname[:port]. The user must prove his/her identity to the remote machine using one of several methods.
SSH is a protocol (like HTTP or SMTP) that allows us to log into a machine remotely. In contrast to older protocols like Telnet, SSH does not send unencrypted traffic (including our passwords) over the network. SSH uses strong cryptography, meaning that it's harder for a bad actor to capture our password and break into our server. SSH comes in two parts: a client and a server. The server listens for requests to connect, waiting indefinitely for someone to try to log in. The client communicates with the server and provides an authentication method. There are many authentication methods supported by SSH, including password, public key, host-based, and Kerberos. For nixphere, we use public key authentication. Key-based authentication is a good balance of pragmatism and paranoia because it requires two things: you must 'unlock' your key with a password (something you know) and then present your key to the server (something you have). This helps prevent bad actors from breaking in.
When we are using SSH, it feels almost exactly like we are sitting in the same room as our server, typing away at one of its terminals.
Although there can be some caveats, SSH is usually very secure. It prevents our password from being leaked and hides our keystrokes from bad guys who might be listening on our network. SSH also provides rate limiting to prevent brute forcing.
With SSH, we can do more than just log in to a remote system. We can use it for system automation, forwarding a desktop session over the network, running graphical software, and even tunnel our network traffic similarly to a VPN.
Compared to other methods of accessing a remote system, SSH is very simple. We can simply run ssh [user]@[host], pass the authorization challenge, and we are ready to go.
SSH is very simple and does not require a lot of bandwidth. This means we can use it even over very poor connections. With additional server configuration, we can even use SSH over a connection that's unstable and frequently drops out without needing to re-authenticate.
On many Linux and UNIX systems, SSH is already installed. To check if it is installed, we can run the following command. If it is installed, you will see its absolute path.
[avery@fedora ~]$ which ssh
/usr/bin/ssh
If SSH is not installed, you will see something like this:
[avery@fedora ~]$ which ssh
/usr/bin/which: no ssh in (/home/avery/.local/bin:/home/avery/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/opt/plan9/bin)
If SSH is not installed, we can simply install it with the following command:
[avery@generic-UNIX ~]$ sudo $pkgmgr install openssh-clients
OpenSSH comes with a program that can generate RSA keys for us. It's very simple to use. You will run ssh-keygen and follow the setup. When it is finished, your public key will be stored at ~/.ssh/id_rsa.pub and your private key will be stored at ~/.ssh/id_rsa. Never ever share the contents of your private key. It's called a 'private key' because you are supposed to keep it private! Only upload and share your public key.
[avery@fedora ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/avery/.ssh/id_rsa): [ leave this blank ]
Created directory '/avery/.ssh'.
Enter passphrase (empty for no passphrase): [ type a strong password, you will not see keystrokes ]
Enter same passphrase again: [ type the password again ]
Your identification has been saved in /avery/.ssh/id_rsa
Your public key has been saved in /avery/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:2Pt1ZlefvFeE1JSjnaK1rPyHzwRgZHCIRrCDLbnsUhk avery@fedora
The key's randomart image is:
+---[RSA 3072]----+
| .o...o+ oo|
| + .o .+ .o.|
| E +. o .o.o|
| . = .o . .+.o.|
| = . S +.o..|
| o . . oo =|
| . . . . o =++|
| . . + =ooo|
| . ..o+.|
+----[SHA256]-----+
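The key hygiene described above (a passphrase on the private key, a private file nobody else can read, and only the .pub file ever shared) can be checked from the shell. This is an added example, not part of the original page: it assumes the new OpenSSH private key format, the function names are hypothetical, and the sample files are constructed headers rather than real keys.

```shell
#!/bin/sh
# Added example: hygiene checks for an SSH key pair (hypothetical helper names).

decode() { grep -v '^-----' "$1" | tr -d ' \r\n' | base64 -d 2>/dev/null; }

# Print the cipher stored in the private key header. Decoded layout:
# "openssh-key-v1\0" (15 bytes), 4-byte big-endian length, cipher name.
# "none" means the key file is NOT protected by a passphrase.
key_cipher() {
    magic=$(decode "$1" | dd bs=1 count=14 2>/dev/null)
    [ "$magic" = "openssh-key-v1" ] || return 1
    # Cipher names are short, so the low byte of the length is enough.
    len=$(decode "$1" | dd bs=1 skip=18 count=1 2>/dev/null | od -An -tu1 | tr -d ' \n')
    decode "$1" | dd bs=1 skip=19 count="$len" 2>/dev/null
}

# Succeed only if every line is a public key line (type, base64 blob, comment).
# A private key file never matches, so it cannot be pasted by mistake.
is_public_key() {
    pat='^(ssh-(rsa|ed25519)|ecdsa-sha2-[a-z0-9-]+) AAAA[A-Za-z0-9+/]+=*( .*)?$'
    grep -Eq "$pat" "$1" && ! grep -Evq "$pat" "$1"
}

# Succeed only if group and others have no permissions (e.g. -rw-------).
is_owner_only() {
    case $(ls -ld "$1" | cut -c5-10) in ------) return 0 ;; esac
    return 1
}

# Constructed sample files (headers only, not usable keys) so this runs offline.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
mk_key() {  # mk_key FILE PRINTF_FORMAT_OF_HEADER
    { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
      printf "$2" | base64
      echo '-----END OPENSSH PRIVATE KEY-----'; } > "$1"
}
mk_key "$demo/id_plain"  'openssh-key-v1\000\000\000\000\004none'
mk_key "$demo/id_locked" 'openssh-key-v1\000\000\000\000\012aes256-ctr'
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC7 avery@fedora' > "$demo/id.pub"
chmod 600 "$demo/id_locked"; chmod 644 "$demo/id_plain"

for k in id_plain id_locked; do
    echo "$k: cipher=$(key_cipher "$demo/$k")"
    is_owner_only "$demo/$k" || echo "$k: readable by others, run chmod 600"
done
is_public_key "$demo/id.pub"    && echo "id.pub: safe to paste"
is_public_key "$demo/id_locked" || echo "id_locked: private key, do not paste"
```

To check a real pair, call the functions on ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub instead of the constructed files.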
At registration time, you will be prompted to paste a password and the contents of your SSH public key. You have a few options when it comes to pasting into a Linux or UNIX terminal emulator: you can type Control + Shift + v, use Right Click -> Paste, or use X11's built-in buffer by highlighting the contents of your public key to copy it and middle-clicking to paste it. Let's walk through the rest of the setup.
[avery@fedora ~]$ ssh firstname.lastname@example.org
(email@example.com) Password for firstname.lastname@example.org: [ paste the registration password given to you ]
Let's set up an account
Enter your username: [ your username ]
Enter your real name: [ your real name, can be the same as username ]
Username is: yourusername
Real name is: yourusername
Does this look okay? [y,n]: y
Do you want (d)efault configs, (a)very's custom ones, or (n)one? [d,a,n]: a
Please add an ssh key. This will help keep you more secure.
If you don't already have a key, run 'ssh-keygen' on your local machine, then get ready to copy and paste the contents of ~/.ssh/id_rsa.pub
This step is not mandatory, but strongly encouraged. If you *really* don't want to add an ssh key, you can simply save and exit the file without making any changes.
Do you want to use Easy Editor, or Vi? [ee,vi]: ee
At this point, we are in a text editor called Easy Editor. We can now open ~/.ssh/id_rsa.pub, copy the contents, then paste it. Once we are done, we will type Escape, then the A key twice.
^[ (escape) menu  ^y search prompt  ^k delete line    ^p prev li       ^g prev page
^o ascii code     ^x search         ^l undelete line  ^n next li       ^v next page
^u end of file    ^a begin of line  ^w delete word    ^b back 1 char   ^z next word
^t top of text    ^e end of line    ^r restore word   ^f forward char
^c command        ^d delete char    ^j undelete char                   ESC-Enter: exit
=====line 1 col 0 lines from top 1 ============================================
[ paste your ssh public key here ]
new file "/yourusername/.ssh/rsa.pub"
The menu shown after pressing the Escape key
+---------------------+
| main menu           |
|                     |
| a) leave editor     |
| b) help             |
| c) file operations  |
| d) redraw screen    |
| e) settings         |
| f) search           |
| g) miscellaneous    |
|                     |
| press Esc to cancel |
+---------------------+
The submenu shown after choosing option 'a) leave editor'
+---------------------+
| leave menu          |
|                     |
| a) save changes     |
| b) no save          |
|                     |
| press Esc to cancel |
+---------------------+
After we are finished adding our key, we are given some information. The information below is used for login. We are provided with a login and a random password. The first time you log in, you will paste the random password when prompted, then immediately be forced to change the randomly assigned password. Be sure to choose something strong and different from the password you used to lock your SSH private key.
All done!
Your website is available at http://nixphere.org/~yourusername
Files in ~/public_html will be served by httpd.
You can now connect to this server with 'ssh email@example.com'
Your Random Password: a4ea5a5946b78d6a
You will be prompted to change the random password on your first login
goodbye