What is SSH?

From the ssh(1) manpage:

ssh (SSH client) is a program for logging into a remote machine and for
executing commands on a remote machine.  It is intended to provide secure
encrypted communications between two untrusted hosts over an insecure
network.  X11 connections, arbitrary TCP ports and UNIX-domain sockets
can also be forwarded over the secure channel.

ssh connects and logs into the specified destination, which may be
specified as either [user@]hostname or a URI of the form
ssh://[user@]hostname[:port].  The user must prove his/her identity to
the remote machine using one of several methods.

In simpler terms:

SSH is a protocol (like HTTP or SMTP) that lets us log into a machine remotely. In contrast to older protocols like Telnet, SSH does not send unencrypted traffic (including our passwords) over the network. SSH uses strong cryptography, so it is much harder for a bad actor to capture our password and break into our server. SSH comes in two parts: a client and a server. The server listens for connection requests, waiting indefinitely for someone to try to log in. The client connects to the server and offers an authentication method. SSH supports many authentication methods, including password, public key, host based, and Kerberos. For nixphere, we use public key authentication. Key-based authentication is a good balance of pragmatism and paranoia because it requires two things: you must 'unlock' your private key with a passphrase (something you know), and your client must then prove to the server that it holds that key (something you have). The passphrase never leaves your machine; it only decrypts the private key locally, and the server sees nothing but your public key and a signature made with the private one. This makes it much harder for a bad actor to break in: a stolen key file is useless without the passphrase, and a captured passphrase is useless without the key file.

When we are using SSH, it feels almost exactly like we are sitting in the same room as our server, typing away at one of its terminals.

Why use SSH over something else?

  • SSH is secure
  • Although there are some caveats, SSH is usually very secure. It keeps our password from being sent in the clear and hides our keystrokes from anyone listening on the network. The server can also cap the number of authentication attempts per connection (MaxAuthTries) and the number of unauthenticated connections it holds open (MaxStartups); per-address rate limiting against brute forcing usually comes from a companion tool such as fail2ban or the firewall rather than from sshd itself.

  • SSH is configurable and flexible
  • With SSH, we can do more than just log in to a remote system. We can use it for system automation, forward a desktop session over the network, run graphical software, and even tunnel our network traffic similarly to a VPN.

  • SSH is easy to use
  • Compared to other methods of accessing a remote system, SSH is very simple. We can simply run ssh [user]@[host], pass the authentication challenge, and we are ready to go.

  • SSH is fault tolerant
  • SSH is simple and does not need much bandwidth, so it works even over very poor connections. A connection that drops completely does end the session, and SSH itself must re-authenticate when we reconnect. With some additional setup on the server, though, this stops mattering: a terminal multiplexer such as tmux or screen keeps our shell alive between reconnections, and mosh (which authenticates once over SSH and then roams) survives drops and address changes transparently.

How to use SSH with key-based authentication

Installing SSH

On many Linux and UNIX systems, SSH is already installed. To check, run the following command. If it is installed, you will see its absolute path.

[avery@fedora ~]$ which ssh
/usr/bin/ssh

If SSH is not installed, you will see something like this:
[avery@fedora ~]$ which ssh
/usr/bin/which: no ssh in (/home/avery/.local/bin:/home/avery/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/opt/plan9/bin)

If SSH is not installed, we can install it with the system's package manager (replace $pkgmgr with apt, dnf, pkg, and so on). The client package is called openssh-clients on Fedora and RHEL-style systems and openssh-client (no s) on Debian and Ubuntu:
[avery@generic-UNIX ~]$ sudo $pkgmgr install openssh-clients

Generating a Key

OpenSSH comes with a program, ssh-keygen, that generates a key pair for us. It is very simple to use: run ssh-keygen and follow the prompts. With no options it creates the OpenSSH default key type; in the version shown below that is a 3072-bit RSA key, stored as ~/.ssh/id_rsa (private) and ~/.ssh/id_rsa.pub (public). OpenSSH 9.5 and later default to Ed25519 instead and store the pair as ~/.ssh/id_ed25519 and ~/.ssh/id_ed25519.pub; you can also ask for that type explicitly on any recent version with ssh-keygen -t ed25519. The rest of this guide works the same either way, just substitute the file names.

Never ever share the contents of your private key. It's called a 'private key' because you are supposed to keep it private! Only upload and share your public key (the .pub file). ssh-keygen creates ~/.ssh with mode 700 and the private key with mode 600; keep them that way, because ssh refuses to use a private key that other users on your machine can read (it prints 'Permissions ... are too open' and ignores the key).

[avery@fedora ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/avery/.ssh/id_rsa): [ press Enter to accept the default ]
Created directory '/avery/.ssh'.
Enter passphrase (empty for no passphrase): [ type a strong password, you will not see keystrokes ]
Enter same passphrase again: [ type the password again ]
Your identification has been saved in /avery/.ssh/id_rsa
Your public key has been saved in /avery/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:2Pt1ZlefvFeE1JSjnaK1rPyHzwRgZHCIRrCDLbnsUhk avery@fedora
The key's randomart image is:
+---[RSA 3072]----+
|     .o...o+   oo|
|    + .o .+   .o.|
|   E +.    o .o.o|
|  . = .o  . .+.o.|
|   =  . S   +.o..|
|  o      . . oo =|
| . .    . . o =++|
|  .      . + =ooo|
|          . ..o+.|
+----[SHA256]-----+
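Before pasting the key anywhere, it helps to confirm that what is in the clipboard really is a single, well-formed public key line (and not a line from the private key), and that the private key file still has safe permissions. The script below is an added example written for this page, not part of nixphere's registration script or of OpenSSH. The sample lines it checks are constructed (the Ed25519 blob encodes all-zero key bytes and is not a real key), and the file names it looks for (~/.ssh/id_ed25519, ~/.ssh/id_rsa) are simply the OpenSSH defaults.

```sh
#!/bin/sh
# Added example, not part of nixphere's registration script: check a public
# key line before pasting it, and the permissions on the files ssh-keygen left
# behind. POSIX sh; needs only base64 (with -d), od, head, tail, ls, cut, awk.

# Key types OpenSSH writes into id_*.pub files.
KNOWN_TYPES="ssh-ed25519 ssh-rsa ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 sk-ssh-ed25519@openssh.com sk-ecdsa-sha2-nistp256@openssh.com"

# The base64 blob is the key in SSH wire format: a 4-byte big-endian length,
# the key type string again, then the type-specific fields. Decode just enough
# of it to read those two fields back.
blob_type_len() {                       # $1 = blob; prints the length word
    printf '%s' "$1" | base64 -d 2>/dev/null | head -c 4 | od -An -tu1 \
        | awk '{ print ($1 * 256 + $2) * 65536 + $3 * 256 + $4 }'
}
blob_type_name() {                      # $1 = blob, $2 = length from above
    printf '%s' "$1" | base64 -d 2>/dev/null | head -c "$((4 + $2))" | tail -c "$2"
}

# check_pubkey "<line>": 0 if the line is a well-formed OpenSSH public key
# whose blob really is a key of the declared type; non-zero otherwise, with
# the reason on stderr.
check_pubkey() {
    case $1 in
        *"PRIVATE KEY"*) echo "refusing: this is a PRIVATE key, never paste or upload it" >&2; return 2 ;;
    esac
    set -- $1                           # word-split into: type blob [comment...]
    [ $# -ge 2 ] || { echo "not a public key: expected '<type> <base64> [comment]'" >&2; return 1; }
    type=$1; blob=$2
    known=0
    for k in $KNOWN_TYPES; do [ "$k" = "$type" ] && known=1; done
    [ $known -eq 1 ] || { echo "unknown key type: $type" >&2; return 1; }
    printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' \
        || { echo "key blob is not base64 (wrapped or mangled paste?)" >&2; return 1; }
    len=$(blob_type_len "$blob")
    [ -n "$len" ] && [ "$len" -eq ${#type} ] \
        && [ "$(blob_type_name "$blob" "$len")" = "$type" ] \
        || { echo "key blob does not match declared type $type" >&2; return 1; }
    # An Ed25519 public key is always 51 bytes on the wire, i.e. exactly 68 base64 chars.
    if [ "$type" = ssh-ed25519 ] && [ ${#blob} -ne 68 ]; then
        echo "ssh-ed25519 blob is ${#blob} chars, expected 68 (truncated?)" >&2; return 1
    fi
}

# check_key_perms "<private key>": ssh refuses to use a private key that group
# or other can read ("Permissions 0644 for ... are too open"), so require no
# group/other bits on the key file and on the directory holding it.
check_key_perms() {
    for p in "$1" "$(dirname "$1")"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; return 1; }
        mode=$(ls -ld "$p" | cut -c1-10)
        case $mode in
            ????------) ;;              # e.g. -rw------- or drwx------
            *) echo "$p is $mode; group/other must have no access" >&2; return 1 ;;
        esac
    done
}

# Constructed samples (not real keys): the ed25519 blob encodes all-zero key
# bytes, enough for format checks but useless as a credential.
AS43=$(awk 'BEGIN { while (n++ < 43) printf "A" }')
SAMPLE_OK="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI$AS43 avery@fedora"
SAMPLE_TRUNCATED="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAA avery@fedora"
SAMPLE_WRONG_TYPE="ssh-rsa AAAAC3NzaC1lZDI1NTE5AAAAI$AS43 avery@fedora"
SAMPLE_PRIVATE="-----BEGIN OPENSSH PRIVATE KEY-----"

for s in "$SAMPLE_OK" "$SAMPLE_TRUNCATED" "$SAMPLE_WRONG_TYPE" "$SAMPLE_PRIVATE"; do
    if check_pubkey "$s" 2>&1; then echo "OK:  $s"; else echo "BAD: $s"; fi
done

# Default OpenSSH key locations (assumed); only checked if they exist.
for k in "$HOME/.ssh/id_ed25519" "$HOME/.ssh/id_rsa"; do
    if [ -f "$k" ]; then check_key_perms "$k" && echo "permissions OK: $k"; fi
done
```

Save it as check-key.sh and run sh check-key.sh to see the four sample verdicts, or source it with . ./check-key.sh and call check_pubkey "$(cat ~/.ssh/id_rsa.pub)" on your own key. The type-consistency check matters more than it looks: a paste that drops the first character of the blob, or that mixes the type from one key with the blob of another, still looks like a key to the eye but will never authenticate.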

Registering and uploading your key to Nixphere

At registration time you will be prompted for the registration password and then for the contents of your SSH public key. There are a few ways to paste into a Linux or UNIX terminal emulator: Control + Shift + V, Right Click -> Paste, or X11's primary selection (highlight the contents of your public key to copy it, then middle-click to paste). Copy the whole line from the .pub file, never anything from the private key file. Let's walk through the rest of the setup.

[avery@fedora ~]$ ssh register@nixphere.org
(register@nixphere.org) Password for register@nixphere.org:  [ paste the registration password given to you ] 
Let's set up an account

Enter your username: [ your username ]
Enter your real name: [ your real name, can be the same as username ]

Username is: yourusername
Real name is: yourusername
Does this look okay? [y,n]: y 

Do you want (d)efault configs, (a)very's custom ones, or (n)one? [d,a,n]: a

Please add an ssh key. This will help keep you more secure. If you don't
already have a key, run 'ssh-keygen' on your local machine, then get 
ready to copy and paste the contents of ~/.ssh/id_rsa.pub
This step is not mandatory, but strongly encouraged. If you *really* 
don't want to add an ssh key, you can simply save and exit the file 
without making any changes.

Do you want to use Easy Editor, or Vi? [ee,vi]: ee

At this point we are in a text editor called Easy Editor. Now open ~/.ssh/id_rsa.pub on your local machine, copy its contents (a single line beginning with the key type, e.g. ssh-rsa or ssh-ed25519), and paste it here. Once we are done, we type Escape, then the A key twice: a) leave editor, then a) save changes.

^[ (escape) menu ^y search prompt ^k delete line   ^p prev li     ^g prev page
^o ascii code    ^x search        ^l undelete line ^n next li     ^v next page
^u end of file   ^a begin of line ^w delete word   ^b back 1 char ^z next word
^t top of text   ^e end of line   ^r restore word  ^f forward char
^c command       ^d delete char   ^j undelete char              ESC-Enter: exit
=====line 1 col 0 lines from top 1 ============================================
 [ paste your ssh public key here ] 

new file "/yourusername/.ssh/rsa.pub"

The menu shown after pressing the Escape key

+---------------------+
| main menu           |
|                     |
| a) leave editor     |
| b) help             |
| c) file operations  |
| d) redraw screen    |
| e) settings         |
| f) search           |
| g) miscellaneous    |
|                     |
| press Esc to cancel |
+---------------------+

The submenu shown after choosing option 'a) leave editor'

+---------------------+
| leave menu          |
|                     |
| a) save changes     |
| b) no save          |
|                     |
| press Esc to cancel |
+---------------------+

After we are finished adding our key, we are given some information. The information below is used for login. We are provided with a login and a random password. The first time you log in, paste the random password when prompted; you will then immediately be forced to change it. Choose something strong and different from the passphrase you used to lock your SSH private key.

All done!
Your website is available at http://nixphere.org/~yourusername
Files in ~/public_html will be served by httpd.

You can now connect to this server with 'ssh yourusername@nixphere.org'
Your Random Password: a4ea5a5946b78d6a

You will be prompted to change the random password on your first login

goodbye

Written by Avery. This work is licensed under a CC BY-SA 4.0 License