tools:ssh

Differences

This shows you the differences between two versions of the page.

Old revision: tools:ssh [2024/08/06 05:48] – external edit 127.0.0.1
New revision: tools:ssh [2025/09/30 22:44] (current) – external edit 127.0.0.1
Line 1: Line 1:
-{{wst>fix-stub}} 
- 
 ====== Secure Shell (SSH) ====== ====== Secure Shell (SSH) ======
  
 +**Secure Shell** //(or **SSH**)// is a cryptographic network protocol for operating network services securely over an unsecured network. It is usually used for remote login into [[tools:bash|terminal]] interfaces, which is mainly what this article will be about.
 +
 +
 +===== History & Concept =====
 +
 +SSH was designed for Unix-like operating systems as a replacement for Telnet and unsecured remote Unix shell protocols, such as the Berkeley Remote Shell (rsh) and the related rlogin and rexec protocols, which all use insecure, plaintext methods of authentication, such as passwords.
 +
 +Since mechanisms like Telnet and Remote Shell are designed to access and operate remote computers, sending the authentication tokens //(e.g. username and password)// across a public network in an unsecured way poses a great risk of third parties obtaining the password and achieving the same level of access to the remote system as the telnet user. **Secure Shell** mitigates this risk through the use of encryption mechanisms that are intended to hide the contents of the transmission from an observer, even if the observer has access to the entire data stream.
 +
 +
 +===== Implementations =====
 +
 +==== Linux, BSD & MacOS ====
 +
 +MacOS and most *nix distros come with [[https://www.openssh.com/|OpenSSH]]. To make an SSH connection in your [[tools:bash|terminal]], run the ''ssh'' command against a domain or IP address, and when prompted give your password:
 +
 +  $ ssh username@domain.com
 +  
 +  or
 +  
 +  $ ssh username@123.123.123.123
 +
 +
 +=== Configuration ===
 +
 +Your SSH client's configuration is stored in your homedir's ''/.ssh/'' directory, and has several important files & folders:
 +
 +  * /home/user/.ssh/
 +    * **authorized_keys** //(list of public keys allowed to SSH into your account)//
 +    * **config** //(file for storing common SSH servers as macros, see below)//
 +    * **keys/** //(optional key directory for sample ''config'' file)//
 +    * **known_hosts** //(caches info about servers you connect to, so you can be alerted if something changes)//
 +
 +
 +== Key Generation ==
 +
 +SSH can be further secured by using **public/private key pairs** instead of plaintext passwords. To generate them, use the ''ssh-keygen'' command:
 +
 +  $ ssh-keygen -t ed25519 -C "youremail@domain.com" -f ~/.ssh/keys/name_of_key
 +
 +Fill in the prompts, and it will generate a key pair. Use the ''ssh-copy-id'' command to insert the public key into the remote user's ''.ssh/authorized_keys'' file:
 +
 +  $ ssh-copy-id -i ~/.ssh/keys/name_of_key.pub username@domain.com
 +
 +To do this manually, just use a text editor to copy the contents of the public key (ending in ''.pub'') into your remote user's ''.ssh/authorized_keys'' file.
 +
 +Once that is done, insert the path to the private key in your local user's ''.ssh/config'' file, as detailed below.
 +
 +
 +== Sample Configuration ==
 +
 +To make it easier to connect to servers without having to type a whole lot of bullshit every time, you can store a list of servers and keys in ''.ssh/config'' like so:
 +
 +<file txt config>
 +Host github
 +        Hostname        github.com
 +        User            username
 +        IdentityFile    ~/.ssh/keys/github
 +
 +Host site1
 +        Hostname        domain1.com
 +        Port            22
 +        User            username
 +        IdentityFile    ~/.ssh/keys/domain1
 +
 +Host site2
 +        Hostname        123.123.123.123
 +        Port            22
 +        User            username
 +        IdentityFile    ~/.ssh/keys/domain2
 +</file>
 +
 +So rather than having to type ''ssh username@domain1'' every time and type in a password, this shortens it to ''ssh site1'' and passes a key automatically. Very useful if you're logging into the same machines a lot!
 +
 +
 +==== Windows ====
 +
 +To quickly make SSH connections in Windows, install [[https://www.chiark.greenend.org.uk/~sgtatham/putty/|PuTTY]] and point it at the server you want to connect to. To generate public/private key pairs for use in PuTTY, use [[https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html|PuTTYgen]], available from the PuTTY download's page.
 +
 +If you want the flexibility of running SSH from a full Linux shell, use the [[https://learn.microsoft.com/en-us/windows/wsl/install|Windows Subsystem for Linux]] and run the ''ssh'' command as detailed above.
 +
 +
 +===== Other Key Uses ====
 +
 +The same key pairs generated by ''ssh-keygen'' or PuTTYgen can be used for things beyond remote terminals. For example, Github supports the use of key pairs for pushing updates to repos.
 +
 +Some services might not support ed25519-based keys. To generate a more widely-compatible 4096 bit RSA key, run:
 +
 +  $ ssh-keygen -t rsa -b 4096 -C "youremail@domain.com"
 +
 +
 +===== File Transfer over SSH =====
 +
 +You can also use SSH to securely transfer files between machines, using the built-in ''sftp'' command. Read our [[tools:sftp|SFTP manual]] for more information on how to do this.
 +
 +
 +===== Running SSH Servers =====
 +
 +[[https://www.openssh.com/|OpenSSH]], the package that provides MacOS and most Linux distros with their SSH client, also includes a separate SSH server application. Most servers will have this service preconfigured as a daemon, as there would be no way to log in to the machine without it. If you wish to build your own SSH server there are many options, but OpenSSH is the most well-known and widely supported.
 +
 +Make sure to install and configure [[tools:ufw|ufw]] and [[tools:fail2ban|fail2ban]] if you have an SSH server that is accessible to the open internet!
  
-{{tag>Tools Shells Security Tunneling Stubs}}+  
 +{{tag>Tools Shells Tunneling}}
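
Review bot: The "Running SSH Servers" section at the end of this hunk tells readers to put ufw and fail2ban in front of an internet-facing server but never says to turn off password login, even though "Key Generation" has just walked them through deploying key pairs; suggest adding a sentence on setting PasswordAuthentication no in sshd_config once key login is confirmed to work. Smaller points in the same hunk: "Configuration" gives the directory as ''/.ssh/'' where ''~/.ssh/'' is meant; the first ssh-keygen command writes to ~/.ssh/keys/ without a step that creates that directory, and ssh-keygen will not create it; the RSA command under "Other Key Uses" has no -f, so it does not follow the keys/ layout the sample config relies on; "Key Generation" calls passwords "plaintext" although the History section says SSH encrypts the transmission, so "instead of passwords" would be more accurate; the sentence after the sample config shows ''ssh username@domain1'' where the config's Hostname is domain1.com; and the heading "===== Other Key Uses ====" has five opening and four closing markers, unlike the other level-two headings.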
tools/ssh.1722923284.txt.gz · Last modified: (external edit)

Find this page online at: https://bestpoint.institute/tools/ssh