SSH / OpenSSH basics
Secure remote shell sessions with SSH

- SSH (Secure Shell Protocol) is a cryptographic network protocol for operating network services securely over an unsecured network.
- Its most notable applications are remote login, command-line execution and secure file transfer.
- SSH uses public-key cryptography to authenticate the remote computer and allow it to authenticate the user.
- User authentication
- OpenSSH
- SSH server config files
- SSH client config files
- Key pairs management
- Open a remote shell
- Manage private keys with ssh-agent
- SSH first sets up an encrypted client-to-server connection; the key exchange and the server's host key pair (generated automatically when the server is installed) protect this transport and identify the server to the client.
- The user then authenticates to the server over that connection, in the simplest case with their own password.
- With public-key authentication the trust is set up in advance, when the key pair is created: the public key is placed on every server that the user (the owner of the private key) must access.
- At login the server challenges the client, the client signs the challenge with its private key, and the server checks the signature against the user's public key stored in authorized_keys.
- Once that check passes, the client is authenticated to the server as the user owning that public key.
- No password is sent, and the private key is never transferred over the network; only the public key and a signature are.
- OpenSSH is the OpenBSD project's implementation of the SSH protocol.
- ssh-keygen can generate key pairs of the following types (these are signature algorithms used for authentication, not the ciphers that encrypt traffic):
- DSA (legacy; disabled by default since OpenSSH 7.0 and removed in OpenSSH 10.0)
- ECDSA
- Ed25519 (default for ssh-keygen since OpenSSH 9.5)
- RSA (default in releases before 9.5)
- On Debian and Ubuntu it is split into 3 distinct packages :
openssh-client
openssh-server
openssh-sftp-server
# print SSH server configuration options, man page
cat /etc/ssh/sshd_config
man sshd_config
# print SSH server host private keys (readable by root only); the matching *.pub files hold the public halves that clients record to identify the server
cat /etc/ssh/ssh_host_ecdsa_key
cat /etc/ssh/ssh_host_ed25519_key
cat /etc/ssh/ssh_host_rsa_key
# print the public keys the server accepts for logins as the current user (one key per line, optional restrictions such as from= or command= in front)
cat ~/.ssh/authorized_keys
# print SSH client configuration options, man page
cat /etc/ssh/ssh_config
man ssh_config
# print system-wide list of known remote server identities
cat /etc/ssh/ssh_known_hosts
# print per-user client config: Host blocks that set the user, port, IdentityFile (local private key) and other options for each remote host
cat ~/.ssh/config
# print the client's list of known remote server identities (hostnames or IP addresses, hashed if HashKnownHosts is on, each with the server's public key)
cat ~/.ssh/known_hosts
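The files above are easier to read once you have built one by hand. The following added example (not part of the original page) creates a known_hosts file from a freshly generated host key, hashes it the way HashKnownHosts does, and checks a presented key against it, which is what ssh does before a session is allowed to continue. The generated key stands in for /etc/ssh/ssh_host_ed25519_key; bastion.example.invalid and 192.0.2.10 are assumed names and everything lives in a temporary directory.

```shell
# Added example (not from the original page): how a client records and checks
# a server's identity, using ssh-keygen on files in a temporary directory.
# The generated key stands in for /etc/ssh/ssh_host_ed25519_key; the names
# bastion.example.invalid and 192.0.2.10 are assumed values for the demo.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
hostkey="$work/ssh_host_ed25519_key"      # server side, private, root only
kh="$work/known_hosts"                    # client side, ~/.ssh/known_hosts

# Server side: the host key pair the openssh-server package generates at
# install time. Clients only ever see the .pub half.
ssh-keygen -q -t ed25519 -N "" -C "root@bastion" -f "$hostkey"

# SHA256 fingerprint of a key file; this is what the operator publishes
# out of band and what ssh shows on a first connection.
fingerprint() {
    ssh-keygen -lf "$1" | grep -o 'SHA256:[^ ]*'
}

# Client side: one known_hosts line is "<names/addresses> <keytype> <base64>".
# Normally ssh appends it when the user accepts the key on first connection;
# writing it from the published key avoids that trust-on-first-use prompt.
record_host() {
    # $1 = comma-separated hostnames and addresses, $2 = host public key file
    printf '%s %s\n' "$1" "$(awk '{print $1, $2}' "$2")" >> "$kh"
}

# Fingerprint of the key known for a host, or failure if none is recorded.
# -F also resolves names that were hashed with -H (HashKnownHosts yes).
known_host_fingerprint() {
    out=$(ssh-keygen -F "$1" -f "$kh" -l) || return 1
    printf '%s\n' "$out" | grep -o 'SHA256:[^ ]*'
}

# What the client does at connection time: compare the key the server
# presents with the recorded one. A mismatch is the "REMOTE HOST
# IDENTIFICATION HAS CHANGED" case: a MITM or a reinstalled server.
verify_host() {
    # $1 = hostname, $2 = public key file the server presented
    [ "$(known_host_fingerprint "$1")" = "$(fingerprint "$2")" ]
}

record_host "bastion.example.invalid,192.0.2.10" "$hostkey.pub"
ssh-keygen -H -f "$kh" >/dev/null 2>&1      # hash names, as HashKnownHosts does
rm -f "$kh.old"                             # -H keeps a plaintext copy behind

# A second key pair stands in for a reinstalled or impersonated server.
ssh-keygen -q -t ed25519 -N "" -C "root@impostor" -f "$work/other_host_key"

echo "published fingerprint: $(fingerprint "$hostkey.pub")"
echo "recorded for bastion:  $(known_host_fingerprint bastion.example.invalid)"
verify_host bastion.example.invalid "$hostkey.pub" && echo "genuine host key: accepted"
verify_host bastion.example.invalid "$work/other_host_key.pub" || echo "changed host key: rejected"
```

The point to take away: what the client pins is the server's full public key, not a fingerprint, and the pin is set on the first connection. Compare the fingerprint ssh shows with one published out of band before answering yes; after that, a changed key is a reason to stop, not to run `ssh-keygen -R`.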
- ssh-keygen is used to perform operations on key pairs.
- When creating a key pair, the public key is gene
# creates an ed25519 key pair with an empty passphrase (-N ""; omit it to be prompted for one)
# the public key is written next to the private key with the suffix .pub
# the comment appears at the end of the public key line
ssh-keygen -C "$comment" -f "$private_key" -N "" -t ed25519
# creates a 3072-bit rsa key pair; -E md5 only changes how the fingerprint is displayed (legacy MD5 instead of SHA256)
ssh-keygen -C "$comment" -f "$private_key" -t rsa -b 3072 -E md5
# print a key's size, fingerprint, comment, type and a visual ASCII art representation (works on the private key file too)
ssh-keygen -lv -f "$public_key.pub"
# print a key's size, bubblebabble digest (a pronounceable encoding of the fingerprint) and type
ssh-keygen -B -f "$public_key.pub"
# search for $hostname in the client's known_hosts (also finds entries hashed by HashKnownHosts) and print the matching server fingerprint
ssh-keygen -F "$hostname" -lv -f ~/.ssh/known_hosts
# print all fingerprints in known_hosts file
ssh-keygen -lv -f ~/.ssh/known_hosts
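To see the key-pair model from the User authentication section and the ssh-keygen commands above working together, here is an added example (not from the original page). It generates an Ed25519 pair, shows that the public half is derivable from the private half, compares fingerprints of both files, and installs the public key into an authorized_keys file with restrictions in front of it. The comment deploy@example.invalid, the 192.0.2.0/24 source range and the temporary paths are assumed values for the demo.

```shell
# Added example (not from the original page): the public-key model from the
# "User authentication" bullets, exercised with ssh-keygen only. Runs in a
# temporary directory; "deploy@example.invalid" and 192.0.2.0/24 are assumed.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
priv="$work/id_ed25519"
authorized="$work/authorized_keys"   # stands in for ~/.ssh/authorized_keys on the server

# 1. Client side: create the key pair. The passphrase is empty only so the
#    demo is non-interactive; a real key should be passphrase-protected.
ssh-keygen -q -t ed25519 -N "" -C "deploy@example.invalid" -f "$priv"

# Type and base64 blob of a public key line (fields 1 and 2, comment dropped).
key_body() {
    awk '{print $1, $2}'
}

# 2. The public half is derived from the private key, so it can always be
#    regenerated with -y; only the private key needs protecting.
derived_pub() {
    ssh-keygen -y -f "$priv" | key_body
}
stored_pub() {
    key_body < "$priv.pub"
}

# SHA256 fingerprint of a key file; identical for both halves of a pair,
# which is how you confirm that a .pub belongs to a given private key.
fingerprint() {
    ssh-keygen -lf "$1" | grep -o 'SHA256:[^ ]*'
}

# 3. Server side: append the public key to the account's authorized_keys.
#    Options in front of the key bind it to a source range and strip
#    forwarding, so a stolen private key is worth less to an attacker.
install_authorized_key() {
    # $1 = public key file, $2 = authorized_keys file
    printf 'from="192.0.2.0/24",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$(cat "$1")" >> "$2"
}

# Fingerprints of every key the server account would accept (what an audit wants).
authorized_fingerprints() {
    ssh-keygen -lf "$1" | grep -o 'SHA256:[^ ]*'
}

install_authorized_key "$priv.pub" "$authorized"

echo "derived public key matches stored .pub: $([ "$(derived_pub)" = "$(stored_pub)" ] && echo yes || echo no)"
echo "private key fingerprint: $(fingerprint "$priv")"
echo "public key fingerprint:  $(fingerprint "$priv.pub")"
echo "keys accepted by the server account:"
authorized_fingerprints "$authorized"
```

`ssh-keygen -lf ~/.ssh/authorized_keys` on a real server is the quickest way to review who can log in to an account; lines with no comment or with full-power keys (no from=, no restrictions) are the ones to question.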
# opens an SSH connection to server using the given client config file and aes256-ctr for traffic encryption (-F replaces both ~/.ssh/config and /etc/ssh/ssh_config)
ssh 192.168.1.10 -F ~/.ssh/config -c aes256-ctr
# opens an SSH connection to server as user admin; the client first offers the default identities (~/.ssh/id_*) or the IdentityFile from its config, then falls back to a password prompt if the server allows it
ssh admin@192.168.1.10
# copy user public key to remote host (needs a working login first, typically password authentication)
# key is appended to ~/.ssh/authorized_keys for user admin on the server
ssh-copy-id -i "$public_key.pub" admin@192.168.1.10
# copy file to user home directory on the remote host
scp "$source_file" admin@192.168.1.10:/home/admin
# print supported public key types (authentication), symmetric ciphers (traffic encryption), key exchange algorithms, certificate key types
ssh -Q key
ssh -Q cipher
ssh -Q kex
ssh -Q key-cert
Manage private keys with ssh-agent
# start SSH agent; -s prints Bourne-shell assignments for SSH_AUTH_SOCK and SSH_AGENT_PID, eval exports them into the current shell and prints the PID
eval "$(ssh-agent -s)"
# adds identity to the agent (prompts for the passphrase once; -t <seconds> would limit how long it stays loaded)
ssh-add "$private_key"
# lists the public keys of all identities held by the agent (-l lists their fingerprints instead)
ssh-add -L
# kills the agent named by SSH_AGENT_PID; the private keys it held existed only in its memory and are gone with it
ssh-agent -k
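The commands above are usually typed one at a time into a login shell. The following added example (not part of the original page) runs the whole lifecycle inside one script against a throwaway agent, so nothing touches the user's real agent or ~/.ssh: the agent listens on a socket in a temporary directory (an assumed path), a key is loaded with a lifetime, listed, removed again, and the agent is shut down.

```shell
# Added example (not from the original page): a complete ssh-agent lifecycle
# against a private agent instance. Key and socket paths under "$work" are
# assumed values for the demo.
set -eu

work=$(mktemp -d)
cleanup() {
    # stop the agent if the script dies before the orderly shutdown below
    if [ -n "${SSH_AGENT_PID:-}" ]; then kill "$SSH_AGENT_PID" 2>/dev/null || true; fi
    rm -rf "$work"
}
trap cleanup EXIT

ssh-keygen -q -t ed25519 -N "" -C "agent-demo" -f "$work/id_ed25519"

# ssh-agent prints shell assignments; eval'ing them exports SSH_AUTH_SOCK and
# SSH_AGENT_PID so that ssh-add and ssh talk to this agent and no other.
start_agent() {
    eval "$(ssh-agent -s -a "$work/agent.sock")" >/dev/null
}

# Number of identities held (ssh-add -l exits 1 and prints a message when empty).
agent_key_count() {
    ssh-add -l 2>/dev/null | grep -c '^[0-9]' || true
}

# SHA256 fingerprints of the loaded identities; -l shows fingerprints where
# -L would dump the full public keys.
agent_fingerprints() {
    ssh-add -l | grep -o 'SHA256:[^ ]*'
}

fingerprint() {
    ssh-keygen -lf "$1" | grep -o 'SHA256:[^ ]*'
}

start_agent
ssh-add -t 300 "$work/id_ed25519" 2>/dev/null   # -t: the agent drops the key after 300 s
LOADED=$(agent_fingerprints)
COUNT_LOADED=$(agent_key_count)

ssh-add -D 2>/dev/null                           # forget every identity now
COUNT_AFTER_DELETE=$(agent_key_count)

# -k kills the agent named by SSH_AGENT_PID and prints the matching unsets.
eval "$(ssh-agent -k)" >/dev/null

echo "key fingerprint:   $(fingerprint "$work/id_ed25519.pub")"
echo "agent held:        $LOADED ($COUNT_LOADED identity)"
echo "after ssh-add -D:  $COUNT_AFTER_DELETE identities"
```

A key loaded into an agent can be used by any process that can reach SSH_AUTH_SOCK, and by any remote host you connect to with agent forwarding (-A) enabled. Lifetimes (-t) and unloading with `ssh-add -D` when a session ends keep that window small.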