Secure Shell (SSH)

Secure Shell (or SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. It is usually used for remote login into terminal interfaces, which is mainly what this article will be about.

History & Concept

SSH was designed for Unix-like operating systems as a replacement for Telnet and unsecured remote Unix shell protocols, such as the Berkeley Remote Shell (rsh) and the related rlogin and rexec protocols, which all use insecure, plaintext methods of authentication, such as passwords.

Since mechanisms like Telnet and Remote Shell are designed to access and operate remote computers, sending the authentication tokens (e.g. username and password) across a public network in an unsecured way poses a great risk of third parties obtaining the password and achieving the same level of access to the remote system as the telnet user. Secure Shell mitigates this risk through the use of encryption mechanisms that are intended to hide the contents of the transmission from an observer, even if the observer has access to the entire data stream.

Implementations

Linux, BSD & MacOS

MacOS and most *nix distros come with OpenSSH. To make an SSH connection in your terminal, run the ssh command against a domain or IP address, and when prompted give your password:

$ ssh username@domain.com

or

$ ssh username@123.123.123.123

Configuration

Your SSH client's configuration is stored in the .ssh/ directory inside your home directory (~/.ssh/), which has several important files & folders:

  • /home/user/.ssh/
    • authorized_keys (list of public keys allowed to SSH into your account)
    • config (file for storing common SSH servers as macros, see below)
    • keys/ (optional directory for holding private keys; the sample config below assumes this layout)
    • known_hosts (caches info about servers you connect to, so you can be alerted if something changes)
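
The "alerted if something changes" behaviour comes from the client comparing the key a server offers against the entry cached in known_hosts. The following is an added example, not part of the original article, that reimplements that lookup in Python over a constructed known_hosts file (the key strings are made up, not real keys): it handles plain comma-separated host names, the `[host]:port` form used for non-default ports, and the hashed `|1|salt|hash` form OpenSSH writes when HashKnownHosts is enabled, and classifies the result as ok, mismatch (the host-key-changed warning case) or unknown.

```python
import base64
import hashlib
import hmac

# Constructed sample key blobs (opaque strings, NOT real public keys).
SAMPLE_KEY_A = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyForDomain1xxxxxxxxxxxx"
SAMPLE_KEY_B = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyForSite2yyyyyyyyyyyyyy"
SALT = b"0123456789abcdef0123"  # constructed 20-byte salt for the hashed entry


def hash_hostname(host: str, salt: bytes) -> str:
    """Build an OpenSSH hashed name field: '|1|<b64 salt>|<b64 HMAC-SHA1(salt, host)>'."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_matches(name_field: str, name: str) -> bool:
    """True if a known_hosts name field covers `name`.

    The field is either a comma-separated list of names/addresses
    (e.g. 'domain1.com,123.123.123.123') or a hashed '|1|salt|hash' entry.
    """
    if name_field.startswith("|1|"):
        _, _, salt_b64, _ = name_field.split("|")
        salt = base64.b64decode(salt_b64)
        return hmac.compare_digest(hash_hostname(name, salt), name_field)
    return name in name_field.split(",")


def check_host_key(known_hosts: str, host: str, key_type: str, key: str, port: int = 22) -> str:
    """Classify the key a server offers against a known_hosts file.

    'ok'       - an entry matches host, key type and key
    'mismatch' - the host is cached with this key type but a different key
                 (the case where ssh warns that the host key has changed)
    'unknown'  - no entry for this host and key type
    """
    # Non-default ports are cached as '[host]:port'.
    name = host if port == 22 else "[%s]:%d" % (host, port)
    cached_for_host = False
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@") or len(fields) < 3:
            continue  # @cert-authority / @revoked markers are out of scope here
        names, ktype, kdata = fields[0], fields[1], fields[2]
        if ktype != key_type or not host_matches(names, name):
            continue
        cached_for_host = True
        if hmac.compare_digest(kdata, key):
            return "ok"
    return "mismatch" if cached_for_host else "unknown"


# Constructed known_hosts content: a plain entry, a non-default-port entry and a hashed entry.
KNOWN_HOSTS = "\n".join([
    "# constructed sample, not real keys",
    "domain1.com,123.123.123.123 ssh-ed25519 " + SAMPLE_KEY_A,
    "[domain2.com]:2222 ssh-ed25519 " + SAMPLE_KEY_B,
    hash_hostname("github.com", SALT) + " ssh-ed25519 " + SAMPLE_KEY_A,
])

if __name__ == "__main__":
    print(check_host_key(KNOWN_HOSTS, "domain1.com", "ssh-ed25519", SAMPLE_KEY_A))      # ok
    print(check_host_key(KNOWN_HOSTS, "123.123.123.123", "ssh-ed25519", SAMPLE_KEY_B))  # mismatch
    print(check_host_key(KNOWN_HOSTS, "domain2.com", "ssh-ed25519", SAMPLE_KEY_B, 2222))  # ok
```

A "mismatch" is exactly what the real client refuses to connect on; the right response is to verify the server's fingerprint out of band, not to delete the line blindly.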

Key Generation

SSH can be further secured by using public/private key pairs instead of plaintext passwords. To generate them, use the ssh-keygen command:

$ ssh-keygen -t ed25519 -C "youremail@domain.com" -f ~/.ssh/keys/name_of_key

Fill in the prompts, and it will generate a key pair. Use the ssh-copy-id command to insert the public key into the remote user's .ssh/authorized_keys file:

$ ssh-copy-id -i ~/.ssh/keys/name_of_key.pub username@domain.com

To do this manually, just use a text editor to copy the contents of the public key (ending in .pub) into your remote user's .ssh/authorized_keys file.

Once that is done, insert the path to the private key in your local user's .ssh/config file, as detailed below.

Sample Configuration

To make it easier to connect to servers without having to type a whole lot of bullshit every time, you can store a list of servers and keys in .ssh/config like so:

config
Host github
        Hostname        github.com
        User            username
        IdentityFile    ~/.ssh/keys/github
 
Host site1
        Hostname        domain1.com
        Port            22
        User            username
        IdentityFile    ~/.ssh/keys/domain1
 
Host site2
        Hostname        123.123.123.123
        Port            22
        User            username
        IdentityFile    ~/.ssh/keys/domain2

So rather than having to type ssh username@domain1.com every time and then type in a password, this shortens it to ssh site1 and passes the key automatically. Very useful if you're logging into the same machines a lot!

Windows

To quickly make SSH connections in Windows, install PuTTY and point it at the server you want to connect to. To generate public/private key pairs for use in PuTTY, use PuTTYgen, available from the PuTTY download page.

If you want the flexibility of running SSH from a full Linux shell, use the Windows Subsystem for Linux and run the ssh command as detailed above.

Other Key Uses

The same key pairs generated by ssh-keygen or PuTTYgen can be used for things beyond remote terminals. For example, GitHub supports the use of key pairs for pushing updates to repos. Some services might not support ed25519-based keys. To generate a 4096-bit RSA key with ssh-keygen, run:

$ ssh-keygen -t rsa -b 4096 -C "youremail@domain.com"

Running SSH Servers

OpenSSH, the package that provides MacOS and most Linux distros with their SSH client, also includes a separate SSH server application. Most servers will have this service preconfigured as a daemon, as there would be no way to log in to the machine without it. If you wish to build your own SSH server there are many options, but OpenSSH is the most well-known and widely supported.

tools/ssh.1757454070.txt.gz · Last modified: (external edit)

Find this page online at: https://bestpoint.institute/tools/ssh