SSH / OpenSSH basics
Secure remote shell sessions with SSH
✔️ SSH (Secure Shell Protocol) is a cryptographic network protocol for operating network services securely over an unsecured network.
✔️ Its most notable applications are remote login and command-line execution.
✔️ SSH uses public-key cryptography to authenticate the remote computer and allow it to authenticate the user:
- Password-based SSH sessions create an encrypted network connection using automatically generated public-private key pairs, and then use a password to authenticate the user.
- Public-key-based SSH sessions are set up for authentication "from the start", when the key pair is created. The public key is placed on every computer that the owner of the private key must access. Authentication then happens when SSH verifies that the user presenting the public key also owns the matching private key (no password is needed, and the private key is never sent over the network).
✔️ OpenSSH is the OpenBSD implementation of the SSH standard
✔️ It supports the following public key algorithms (key types):
- DSA
- ECDSA
- Ed25519
- RSA (default)
# SSH server configuration options, man page
/etc/ssh/sshd_config
man "sshd_config(5)"
# SSH server host key pairs (private halves); clients identify the server by the matching public keys
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ed25519_key
/etc/ssh/ssh_host_rsa_key
# per-user list of public keys the SSH server accepts for that user's remote logins
~/.ssh/authorized_keys
# SSH client configuration options, man page
/etc/ssh/ssh_config
man "ssh_config(5)"
# system-wide list of known remote server identities
/etc/ssh/ssh_known_hosts
# per-user SSH client configuration: per-host settings such as the user, port and which local private key to use
~/.ssh/config
# SSH client list of known remote server identities (IP addresses, hostnames and fingerprints)
~/.ssh/known_hosts
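The password-versus-public-key choice above is decided in sshd_config. The following is an added worked example, not part of the original notes: a small POSIX shell/awk audit that reads an sshd_config the way sshd(8) does (comments ignored, keywords case-insensitive, the first occurrence of a keyword wins and later repeats are silently ignored, settings inside a Match block only apply conditionally) and compares a weak fragment with a hardened one. The two config files are constructed temp files rather than /etc/ssh/sshd_config, the function names sshd_effective and sshd_audit are this example's own, and only the "Keyword value" syntax is handled (not "Keyword=value" or quoted values).

```shell
#!/bin/sh
# Added example, not part of the original notes. Parses sshd_config the way
# sshd(8) does for global keywords: comments and blank lines are ignored,
# keywords are case-insensitive, the FIRST occurrence of a keyword wins, and
# settings inside a "Match" block are conditional (skipped here).
# Assumption of this example: only "Keyword value" syntax is handled.

# sshd_effective <config-file> <keyword>  -> prints the effective value or "unset"
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/   { next }          # comment or blank line
        tolower($1) == "match" { inmatch = 1 }   # rest of file is conditional
        inmatch                { next }
        tolower($1) == key     { print $2; found = 1; exit }   # first wins
        END                    { if (!found) print "unset" }
    ' "$1"
}

# sshd_audit <config-file> -> prints one line per finding, returns the finding count
sshd_audit() {
    findings=0
    pa=$(sshd_effective "$1" PasswordAuthentication)   # sshd default: yes
    case "$pa" in
        no) ;;
        *)  echo "PasswordAuthentication=$pa: password logins allowed (default is yes)"
            findings=$((findings + 1)) ;;
    esac
    prl=$(sshd_effective "$1" PermitRootLogin)         # sshd default: prohibit-password
    case "$prl" in
        yes) echo "PermitRootLogin=yes: root may log in with a password"
             findings=$((findings + 1)) ;;
    esac
    pep=$(sshd_effective "$1" PermitEmptyPasswords)    # sshd default: no
    case "$pep" in
        yes) echo "PermitEmptyPasswords=yes: accounts with empty passwords can log in"
             findings=$((findings + 1)) ;;
    esac
    return $findings
}

# Constructed configs in temp files (not the real /etc/ssh/sshd_config).
SSHD_WEAK=$(mktemp); SSHD_HARD=$(mktemp)
trap 'rm -f "$SSHD_WEAK" "$SSHD_HARD"' EXIT

# Weak: the later "no" is silently ignored because the first value wins.
cat > "$SSHD_WEAK" <<'EOF'
PasswordAuthentication yes
PermitRootLogin yes
passwordauthentication no
EOF

# Hardened: keys only, no root password logins; the Match block re-enables
# passwords for one account without touching the global setting.
cat > "$SSHD_HARD" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
Match User backup
    PasswordAuthentication yes
EOF

echo "weak:";     sshd_audit "$SSHD_WEAK" && echo "  -> clean" || echo "  -> $? finding(s)"
echo "hardened:"; sshd_audit "$SSHD_HARD" && echo "  -> clean" || echo "  -> $? finding(s)"
```

The weak file is the classic mistake: someone appends `PasswordAuthentication no` at the bottom, and because sshd keeps the first value it sees, password logins stay enabled. Check the live daemon with `sshd -T` rather than reading the file by eye.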
# creates an ed25519 key pair with an empty passphrase (comment appears in the public key file)
ssh-keygen -C <comment> -f <private-key-file> -N "" -t ed25519
# creates an RSA 3072-bit key pair (the fingerprint printed after creation uses MD5 instead of the default SHA256)
ssh-keygen -C <comment> -f <private-key-file> -t rsa -b 3072 -E md5
# prints a public key's algorithm, fingerprint and visual ASCII representation
ssh-keygen -lv -f <public-key-file>
# prints a public key's algorithm and a bubblebabble string representation of its fingerprint
ssh-keygen -B -f <public-key-file>
# searches <known-hosts-file> for <hostname> and prints the matching server key's fingerprint
ssh-keygen -F <hostname> -lv -f <known-hosts-file>
# prints the fingerprint of every key in the known_hosts file
ssh-keygen -lv -f <known-hosts-file>
# opens an SSH connection to server using <client-config-file> and aes256-ctr for traffic encryption
ssh <server-ip-or-hostname> -F <client-config-file> -c aes256-ctr
# opens an SSH connection to server as <user> (uses the default client config files; prompts for a password if no key authenticates)
ssh <user>@<server-ip-or-hostname>
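A client config file passed with `-F` (or the default ~/.ssh/config) is where host aliases, users and identity files are mapped. The following is an added worked example, not code from the original notes: a POSIX shell/awk resolver that answers "which value does ssh use for keyword K when I type `ssh H`" from an ssh_config-style file, following the rules in ssh_config(5): lines before any Host line are global, a Host block applies when the command-line host name matches one of its glob patterns (`*` and `?`), and the first value obtained for a keyword wins, which is why specific Host blocks must come before a catch-all `Host *`. The config files are constructed temp files with placeholder hosts (203.0.113.10 is a documentation address), the function name ssh_cfg_resolve is this example's own, and negated `!` patterns, Match blocks and `Keyword=value` syntax are not handled.

```shell
#!/bin/sh
# Added example, not part of the original notes. Resolves a keyword for a host
# from an ssh_config-style file the way ssh(1) does: global lines apply to all
# hosts, a "Host" line opens a block that applies when the host name matches
# any of its glob patterns, and the FIRST obtained value for a keyword wins.
# Assumptions of this example: "Keyword value" syntax only, no "!" negated
# patterns, no Match blocks.

# ssh_cfg_resolve <config-file> <host> <keyword> -> prints the value or "unset"
ssh_cfg_resolve() {
    awk -v host="$2" -v key="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
        function glob2re(p) {                 # "*.example" -> "^.*\.example$"
            gsub(/\./, "\\\\.", p); gsub(/\*/, ".*", p); gsub(/\?/, ".", p)
            return "^" p "$"
        }
        BEGIN { active = 1 }                  # global section applies to everyone
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "host" {               # new block: active only if host matches
            active = 0
            for (i = 2; i <= NF; i++) if (host ~ glob2re($i)) active = 1
            next
        }
        active && tolower($1) == key { print $2; found = 1; exit }   # first wins
        END { if (!found) print "unset" }
    ' "$1"
}

SSH_CFG=$(mktemp); SSH_CFG_BAD=$(mktemp)
trap 'rm -f "$SSH_CFG" "$SSH_CFG_BAD"' EXIT

# Constructed client config (hosts and paths are placeholders): specific blocks
# first, catch-all last. Usable as: ssh -F "$SSH_CFG" app1.internal.example
cat > "$SSH_CFG" <<'EOF'
Host bastion
    HostName 203.0.113.10
    User ops
    IdentityFile ~/.ssh/id_ed25519_bastion
    IdentitiesOnly yes

Host *.internal.example
    User deploy
    ProxyJump bastion

Host *
    IdentitiesOnly yes
    ServerAliveInterval 30
    User fallback
EOF

# Same idea with the catch-all first: every host now gets "User fallback",
# because the first value found for a keyword is the one ssh uses.
cat > "$SSH_CFG_BAD" <<'EOF'
Host *
    User fallback
Host bastion
    User ops
EOF

for h in bastion app1.internal.example other.example; do
    echo "$h: User=$(ssh_cfg_resolve "$SSH_CFG" "$h" User)" \
         "ProxyJump=$(ssh_cfg_resolve "$SSH_CFG" "$h" ProxyJump)" \
         "IdentityFile=$(ssh_cfg_resolve "$SSH_CFG" "$h" IdentityFile)"
done
echo "misordered config, bastion: User=$(ssh_cfg_resolve "$SSH_CFG_BAD" bastion User)"
```

`IdentitiesOnly yes` in the catch-all block is worth keeping in real configs: without it, ssh offers every key loaded in the agent to every server, so a server you connect to learns all your public keys.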
# copies the public key to ~/.ssh/authorized_keys of <user> on the remote host (the server must accept password authentication for this first login):
ssh-copy-id -i <public-key-file> <user>@<server-ip-or-hostname>
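ssh-copy-id only ever appends, so a long-lived authorized_keys file accumulates entries for the key types listed earlier, including DSA. The following is an added worked example, not code from the original notes: a POSIX shell/awk audit that parses each entry of the file (optional options field, key type, base64 blob, comment), flags ssh-dss keys (DSA, which OpenSSH has disabled by default since version 7.0) and unparsable lines, and reports whether an entry is restricted by `from=`, `restrict` or `command=` options. The sample file is constructed with placeholder blobs rather than real key material, and the function name and report format are this example's own; key bit lengths are not decoded here, that is what `ssh-keygen -lv` above reports.

```shell
#!/bin/sh
# Added example, not part of the original notes. Audits an authorized_keys file.
# Entry format: [options] key-type base64-key [comment]. The key type is found
# as the first token that looks like a type AND is followed by a base64 blob
# beginning with "AAAA" (the wire encoding starts with the type's length), so
# quoted spaces inside options such as command="..." do not break parsing.

# authkeys_audit <file> -> one report line per entry, returns the number of findings
authkeys_audit() {
    awk '
        function join(a, b,   s, j) { s = ""; for (j = a; j <= b; j++) s = s (j > a ? " " : "") $j; return s }
        BEGIN { n = 0; bad = 0 }
        NF == 0 || $1 ~ /^#/ { next }                   # comments and blank lines
        {
            n++; k = 0
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/ && $(i + 1) ~ /^AAAA/) { k = i; break }
            if (!k) { printf "%d ? UNPARSABLE line=%d\n", n, NR; bad++; next }
            type = $k; opts = join(1, k - 1); comment = join(k + 2, NF)
            if (type ~ /^ssh-dss/) { status = "WEAK(ssh-dss, disabled by default since OpenSSH 7.0)"; bad++ }
            else if (opts ~ /(^|,)(from=|restrict|command=)/) status = "ok(restricted)"
            else status = "ok(unrestricted)"
            printf "%d %s %s options=[%s] comment=[%s]\n", n, type, status, opts, comment
        }
        END { printf "%d entries, %d findings\n", n, bad; exit bad }
    ' "$1"
}

AK_FILE=$(mktemp)
trap 'rm -f "$AK_FILE"' EXIT
# Constructed authorized_keys; the base64 blobs are placeholders, not real keys.
cat > "$AK_FILE" <<'EOF'
# keys for a workstation, a backup job, an old box and a hardware token
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERnotARealKey0000000000000000 alice@laptop
from="203.0.113.0/24",command="/usr/local/bin/backup.sh",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQPLACEHOLDERnotARealKey backup@nas
ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDERnotARealKey legacy@oldbox
restrict,command="/usr/bin/git-shell -c" sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIPLACEHOLDER git@token

this line is garbage
EOF

authkeys_audit "$AK_FILE" || echo "-> $? finding(s): review the WEAK and UNPARSABLE entries"
```

An "ok(unrestricted)" entry is not a finding by itself, but for automation keys (backup jobs, deploy hooks) the restricted form with `from=` and `command=` is what limits the damage if that private key leaks.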
# copies a file to the remote host (note the colon between the host and the destination path):
scp <source-file> <user>@<server-ip-or-hostname>:<destination-file>
# lists accepted public key types (authentication), symmetric ciphers (traffic encryption), key exchange algorithms and certificate key types
ssh -Q key
ssh -Q cipher
ssh -Q kex
ssh -Q key-cert
Use ssh-agent with the ssh CLI to keep unlocked private keys in memory so each passphrase is entered only once per session
# starts an agent and exports SSH_AUTH_SOCK and SSH_AGENT_PID into the current shell (prints the agent PID)
eval "$(ssh-agent -s)"
# adds a private key (identity) to the agent, prompting for its passphrase
ssh-add <private-key-file>
# lists the public keys of all identities loaded in the agent
ssh-add -L
# kills the agent named by SSH_AGENT_PID; the identities it held are gone with it
ssh-agent -k