How SSH works
Expectations
- To learn what SSH is
- To learn the uses of SSH
- To learn about public and private keys
- To learn how to connect to a remote terminal using SSH
- To learn how to copy files from a remote machine using SSH
The Reader Should:
- Know what the terminal is
- Be aware of some basic Linux commands
Overview
SSH stands for Secure Shell (or Secure Socket Shell). It encrypts the messages transmitted between two computers on a network, giving you a secure way to access another computer over an unsecured network. A network is two or more computers linked together, sharing resources and communicating with each other.
In addition to providing strong encryption, SSH is widely used by network administrators to manage systems and applications remotely, enabling them to log in to another computer over a network, execute commands and move files from one computer to another. That is, it allows a user to navigate a remote computer's command line.
SSH uses the client-server model: a Secure Shell client application on your local system, the end where the session is displayed, connects to an SSH server on the remote system, the end where the session actually runs.
To secure the transmission of information, SSH employs several different types of data manipulation techniques at various points in the transaction. These include forms of symmetrical encryption, asymmetrical encryption, and hashing.
I will be talking about asymmetrical encryption using public and private keys in detail in this article.
Private and Public Keys
Public-key cryptography, also known as asymmetric cryptography, is a class of cryptographic algorithms that requires two separate keys: one that is secret (private) and one that is public. Together they are known as a key pair. In SSH, public-key cryptography is used in both directions (client to server and server to client), so two key pairs are involved: one is the host (server) key pair and the other is the user (client) key pair.
Though SSH supports password-based authentication, it is generally recommended that you use SSH keys instead. SSH keys are a more secure way of logging in to an SSH server because they are not vulnerable to common brute-force password attacks. Each SSH key pair consists of two keys that work together:
- A public key that is copied to the SSH server(s). Anyone with a copy of the public key can encrypt data that can then only be read by the holder of the corresponding private key. Once an SSH server receives a public key from a user and considers the key trustworthy, the server marks the key as authorized in its authorized_keys file. Such keys are called authorized keys.
- A private key that remains with the user only. Possession of this key is proof of the user's identity: only a user holding the private key that corresponds to the public key on the server can authenticate successfully. Private keys must be stored and handled carefully, and no copies should be distributed. Private keys used for user authentication are called identity keys.
The most common mathematical algorithms used to generate the keys are Rivest–Shamir–Adleman (RSA) and Elliptic Curve Digital Signature Algorithm (ECDSA).
How to Create an SSH Key Pair
Before using SSH keys, a key pair needs to be generated. Generating and storing keys manually can be done on all common operating systems. On Windows systems, they can be generated from the command line or with an SSH client such as PuTTY. On macOS and Linux systems, they are generated in a terminal window.
Here are the command line steps to generate an SSH key:
- Enter the keygen command:
ssh-keygen -t rsa
or
ssh-keygen -t ed25519
- Enter the file in which to save the keys. Typically, the keys are stored in the ~/.ssh/ directory of your home directory (e.g. /home/foldername/.ssh/id_rsa or /c/Users/username/.ssh/id_rsa). Press Enter to save them in this default location.
- Enter an optional passphrase or leave it empty for no passphrase. Note: the passphrase adds a layer of password protection for the key pair, but you must type it in each time the key pair is used.
Once the key pair is generated, it’s time to place the public key on the server that you want to connect to.
ssh-copy-id username@your_server_address
Once the command completes, you will be able to log in to the server via SSH without being prompted for a password. However, if you set a passphrase when creating your SSH key, you will be asked to enter it at that point. This is your local ssh client asking you to decrypt the private key; it is not the remote server asking for a password.
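What ssh-copy-id does on the server side, written out as a shell function so each step can be checked. This is an added example, not code from the article or from OpenSSH; the key line and paths used in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the article or OpenSSH): the server-side half of
# ssh-copy-id. It appends a public key line to authorized_keys only if the
# line is well-formed and not already present, and sets the permissions sshd
# expects (700 on the .ssh directory, 600 on authorized_keys). Key lines with
# an options prefix (e.g. command="...") fail the simple format check below.

authorize_key() {
    key_line=$1
    auth_file=$2
    ssh_dir=$(dirname "$auth_file")
    key_type=$(printf '%s\n' "$key_line" | awk '{print $1}')
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $2}')

    # Accept only key types this server is meant to trust (ssh-dss is refused).
    case "$key_type" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "rejected: unsupported key type '$key_type'" >&2; return 1 ;;
    esac
    # The key material must look like base64 (a format check, not a crypto one).
    printf '%s\n' "$key_blob" | grep -Eq '^[A-Za-z0-9+/]+=*$' \
        || { echo "rejected: key material is not base64" >&2; return 1; }

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_file" && chmod 600 "$auth_file"

    # Idempotent, like ssh-copy-id: an already authorized key is not added twice.
    if grep -Fqx "$key_line" "$auth_file"; then
        echo "already authorized: $key_type"
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    echo "authorized: $key_type"
}

# How many times an exact key line occurs in an authorized_keys file.
count_key() {
    grep -Fcx "$1" "$2"
}

# Demo with a constructed key in a temporary directory: sh authorize_key.sh demo
if [ "${1-}" = "demo" ]; then
    d=$(mktemp -d)
    authorize_key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedKeyMaterial0000000000 alice@laptop" "$d/.ssh/authorized_keys"
    authorize_key "ssh-dss AAAAB3Nza bob@host" "$d/.ssh/authorized_keys" || echo "(rejected as intended)"
    rm -rf "$d"
fi
```

If sshd rejects a key that you believe is installed, the permissions set here are the first thing to check: sshd ignores an authorized_keys file that is group- or world-writable.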
How Authentication Happens
The SSH key pair is used to authenticate the identity of a user or process that wants to access a remote system using the SSH protocol. The public key is used by both the user and the remote server to encrypt messages.
On the remote server side, it is saved in a file that contains a list of all authorized public keys. On the user’s side, it is stored in SSH key management software or a file on their computer.
The private key remains only on the system being used to access the remote server and is used to decrypt messages.
When a user or process requests a connection to the remote server using the SSH client, a challenge-response sequence is initiated to complete authentication.
The SSH server recognizes that a connection is being requested and sends an encrypted challenge request using the shared public key information. The SSH client then decrypts the challenge message and responds to the server.
The user or process must respond correctly to the challenge to be granted access. This challenge-response sequence happens automatically between the SSH client and server without any manual action by the user.
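The key-based sequence above only takes place if the server's sshd_config allows it. As an added check that is not from the article, the following shell function audits a single sshd_config file for directives that weaken or disable key-based login; it assumes OpenSSH's documented defaults for absent directives and does not evaluate Include or Match blocks.

```shell
#!/bin/sh
# Added example (not from the article): audit one sshd_config file for settings
# that undercut key-based login. As in sshd, the first occurrence of a directive
# wins, keywords are case-insensitive and '#' starts a comment.
# Assumptions: OpenSSH defaults for absent directives; Include and Match blocks
# are not evaluated (run 'sshd -T' on the host for the fully resolved config).

# Effective value of a directive (lower-cased), or empty if it is not set.
sshd_value() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    sed -e 's/#.*//' "$2" | awk -v want="$want" \
        'tolower($1) == want { print tolower($2); exit }'
}

# Prints each finding and a count; returns 0 only when nothing weak was found.
audit_sshd_config() {
    cfg=$1
    findings=0
    pass=$(sshd_value PasswordAuthentication "$cfg");  pass=${pass:-yes}
    pubkey=$(sshd_value PubkeyAuthentication "$cfg");  pubkey=${pubkey:-yes}
    root=$(sshd_value PermitRootLogin "$cfg");         root=${root:-prohibit-password}
    empty=$(sshd_value PermitEmptyPasswords "$cfg");   empty=${empty:-no}

    if [ "$pass" != "no" ]; then
        echo "PasswordAuthentication is '$pass': passwords remain guessable; set 'no' once keys are deployed"
        findings=$((findings + 1))
    fi
    if [ "$pubkey" != "yes" ]; then
        echo "PubkeyAuthentication is '$pubkey': key-based login is disabled"
        findings=$((findings + 1))
    fi
    if [ "$root" != "no" ] && [ "$root" != "prohibit-password" ] && [ "$root" != "without-password" ]; then
        echo "PermitRootLogin is '$root': root may log in with a password"
        findings=$((findings + 1))
    fi
    if [ "$empty" != "no" ]; then
        echo "PermitEmptyPasswords is '$empty': accounts with empty passwords can log in"
        findings=$((findings + 1))
    fi

    echo "$findings finding(s)"
    [ "$findings" -eq 0 ]
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
if [ -n "${1-}" ]; then
    audit_sshd_config "$1"
fi
```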
Uses of SSH
To connect to a remote terminal session
This involves installing an OpenSSH client on your local system and an OpenSSH server on the remote system. After this installation, a connection set up between the two systems will allow you to navigate the terminal of the remote machine.
To install the OpenSSH client
Confirm whether the OpenSSH client is already installed on your system. In your terminal, type
ssh
If you get something like this:
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
[-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
[-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]
[-i identity_file] [-J [user@]host[:port]] [-L address]
[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
[-Q query_option] [-R address] [-S ctl_path] [-W host:port]
[-w local_tun[:remote_tun]] destination [command [argument ...]]
Then it is already installed. Otherwise, install using:
sudo apt-get install openssh-client
Install the OpenSSH Server on the Remote Machine
Confirm that an OpenSSH server is installed on your remote server, that is, the system you want to connect to. On that system, in the terminal, type
ssh localhost
If the OpenSSH server is installed, it will show you the last login date; if not, it will respond with something like this:
ssh: connect to host localhost port 22: Connection refused
To install, use:
sudo apt-get install openssh-server
To confirm it is installed and running properly:
sudo service ssh status
Establishing a connection
To connect to the remote server, in the terminal of your local machine type:
ssh your_username@host_ip_address
Congratulations, you have set up a secure connection between two computers.
To transfer files
SSH, or Secure Shell, allows secure access to remote computers. SSH also comes with the scp utility for transferring files between computers. It uses the SSH protocol and has a syntax very similar to the cp command, which is used to copy files.
Other file transfer applications also rely on SSH to secure their transfers: sftp, which replaced File Transfer Protocol (FTP), and rsync, which synchronizes files between a remote machine and a local machine so that, at the end of the synchronization, the files on the two machines are identical. These applications let us copy files from the local machine to remote servers and from remote servers back to the local machine.
Using SCP to Transfer files
While cp is for copying local files, scp is for remote file transfer. The main difference between cp and scp is that you'll have to specify the remote host's DNS name or IP address and provide a login credential for the command to work when using scp. You can scp files from local to remote and from remote to local.
- Copying a single file from a local machine to a remote machine, assuming the file name is myfile.txt:
scp myfile.txt remoteuser@remoteserver:/remote/folder/
- Copying a single file named remotefile.txt from the remote machine to your local machine, assuming you want to save it as localfile.txt:
scp remoteuser@remoteserver:/remote/folder/remotefile.txt localfile.txt
If you want the file to be saved under the same name it has on the remote machine, replace the local file name with . (the current directory), as such:
scp remoteuser@remoteserver:/remote/folder/remotefile.txt .
- To copy multiple files from local to remote using scp
scp myfile.txt myfile2.txt remoteuser@remoteserver:/remote/folder/
- To copy all the files from a local machine to a remote machine using scp
scp * remoteuser@remoteserver:/remote/folder/
To connect to a service behind a firewall
SSH can also be used to connect to a service behind a firewall, which is done by tunneling the service through the SSH connection. This will be discussed in detail in another article.
Conclusion
In this article, we have learned what Secure Shell is, what private and public keys are, and how to use them to secure connections over a network.
Written by
Mfon
I am a DevOps Engineer, I enjoy writing about tools I use. Interested in Open Source | Open Science Projects.