Ssh - basics

From Juneday education

ssh, short for Secure Shell, is a cryptographic network protocol. Ssh is useful over insecure networks such as the internet. Typically you want to log in (using an ssh client) on a remote host (running an ssh server) and execute commands in a secure way.

This page does not deal with ssh servers but focuses entirely on ssh clients.

Videos

Ssh - basics (Full playlist) | Ssh - basics - 1 - login, transfer key | Ssh - basics - 2 - using keys, non-interactive

Introduction

You can authenticate in different ways, but we will focus on public-key encryption and passwords. Summing up public-key encryption on one page is hard, so we link an introduction (24 pages) below. In short, you have a public and a private key on your computer. If the remote host (the computer you want to log in on) has your public key, you can safely log in. The sketch below will be a starting point for the coming examples. We have a laptop called scarlatti and we would like to connect to the computer remote.juneday.se, like this:

 +-----------+             +------------+           +------------+
 |           |    ssh      |            |   ssh     |            |
 |   laptop  |<------------|  insecure  |---------->| remote.    |
 | scarlatti |             |  internet  |           |   juneday. |
 |           |             |            |           |     se     |
 +-----------+             +------------+           +------------+


Want to read more about it? Here's a Wikipedia article: Public-key cryptography.

Install a ssh client

macOS and GNU/Linux come with the ssh client called OpenSSH, so there is no need to install anything extra here.

Under cygwin you may need to install the ssh client.

Create a key pair

To create a new pair of keys (one public and one private key) type ssh-keygen and answer as follows:

  • Enter file in which to save the key: choose the suggested file, so press Enter
  • Enter passphrase: choose an empty passphrase, so press Enter
  • Enter same passphrase again: go for empty again, so press Enter

An example session would look like this (user is called juneday):

$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/juneday/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/juneday/.ssh/id_rsa.
Your public key has been saved in /home/juneday/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:4IdhPq2h4+yGAe7mJpyandnWN7DJw2r2Hp9AGQ8v5b8 juneday@scarlatti
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|                 |
|      * .        |
|.    + &         |
|..    X S        |
| ..  o.* .       |
|o .oo+++  .      |
|.O.*=.B+o. .     |
|O.+**+ooo.E      |
+----[SHA256]-----+

Et voilà, you should have a pair of keys in your user's home directory. You can check what keys you have by simply using ls:

$ ls -al ~/.ssh/
total 16
drwx------. 2 juneday juneday 4096 Dec  4 11:45 .
drwx------. 4 juneday juneday 4096 Dec  4 11:42 ..
-rw-------. 1 juneday juneday 1675 Dec  4 11:45 id_rsa
-rw-r--r--. 1 juneday juneday  399 Dec  4 11:45 id_rsa.pub

Remote login

In the example below we use a computer called remote.juneday.se. The computer actually does exist, but the domain name for it is spoofed, as is the IP address. We've done this to not encourage crackers.

To log in to a computer called remote.juneday.se you type:

$ ssh remote.juneday.se

You will need to confirm that you trust that this computer remote.juneday.se is the one you believe it is. In case you wonder why: someone may have fiddled with the DNS you're using, so instead of the expected computer you may be logging in to a computer set up to "crack you". Here's an example of how it may look; assuming we trust the computer, we answer yes:

$ ssh remote.juneday.se
The authenticity of host '[127.0.0.2]:22100 ([127.0.0.2]:22100)' can't be established.
ECDSA key fingerprint is SHA256:0GzhkE9kI5KA+U8vhpuw9lbMUURFQMZp6f7dTj12Df8.
ECDSA key fingerprint is MD5:af:a2:df:cc:2c:d6:7a:33:c6:7f:4f:6d:94:8d:93:50.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[127.0.0.2]' (ECDSA) to the list of known hosts.
hesa@127.0.0.2's password: 
Linux remote.juneday.se 4.9.0-4-arm64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) aarch64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Dec  4 02:58:38 2018 from 127.0.0.2
hesa@remote:~$
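
What the SHA256 fingerprint in the prompt above is, and how to compare it with one received from the server's administrator over a separate channel before answering yes. This is an added example, not part of the original page; the function names and the two sample host keys are constructed for illustration.

```shell
#!/bin/sh
# Added example. KEY_A and KEY_B are constructed sample public-key lines
# (type, base64 blob, comment); they do not belong to any real host.
PAD=$(printf '%040d' 0 | tr 0 A)   # 40 base64 'A' characters (zero bytes)
KEY_A="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAA$PAD sample-a"
KEY_B="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBBB$PAD sample-b"

# fingerprint_of "<type> <base64-blob> [comment]"
# Prints SHA256:<base64 of the SHA-256 digest of the decoded blob, no '='>,
# which is the format ssh shows in the "authenticity of host" prompt.
fingerprint_of() {
    blob=$(printf '%s\n' "$1" | awk '{print $2}')
    hex=$(printf '%s' "$blob" | base64 -d | sha256sum | cut -d' ' -f1)
    # Turn each hex byte into an octal escape so printf can emit raw bytes.
    esc=$(printf '%s\n' "$hex" | fold -w2 |
          while read -r b; do printf '\\%03o' "0x$b"; done)
    printf 'SHA256:%s\n' "$(printf "$esc" | base64 | tr -d '=\n')"
}

# verify_host_key <expected-fingerprint> <key-line>
# Returns 0 only when the presented key hashes to the expected fingerprint.
verify_host_key() {
    actual=$(fingerprint_of "$2")
    if [ "$actual" = "$1" ]; then
        echo "OK: $actual"
    else
        echo "MISMATCH: presented $actual, expected $1" >&2
        return 1
    fi
}

# Demo: $expected stands in for the fingerprint received out of band.
expected=$(fingerprint_of "$KEY_A")
verify_host_key "$expected" "$KEY_A"
verify_host_key "$expected" "$KEY_B" || echo "do not answer yes"
```

On a real system, ssh-keygen -lf with a public key file prints the same SHA256 string.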

Using password

Here's a sample session of logging in to the same computer (as above) again. This time we don't need to confirm that we trust the computer, since its key was added to the list of known hosts; we are only asked for the password.

$ ssh remote.junedaylabs.com 
hesa@127.0.0.2's password: 
Linux remote.junedaylabs.com 4.9.0-4-arm64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) aarch64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Dec  4 02:59:09 2018 from 127.0.0.1
hesa@remote:~$

Using keys

In order to use keys to log in we need to transfer our public key to the remote host. We can do this in several ways, but we recommend using the command ssh-copy-id. Here's a sample session:

$ logout
Connection to 127.0.0.2 closed.
[hesa@scarlatti ~]$ ssh-copy-id remote.junedaylabs.com 
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
hesa@127.0.0.2's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'remote.junedaylabs.com'"
and check to make sure that only the key(s) you wanted were added.

Now the remote host has your public (NOT the private!) key and you should be able to log in swiftly with no password:

$ ssh remote.junedaylabs.com 
Linux remote.junedaylabs.com 4.9.0-4-arm64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) aarch64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Dec  4 03:09:49 2018 from 127.0.0.1

Remotely execute commands

Once you're logged in to a computer you can use bash as if you were sitting logged in in front of the host. You can't use graphical programs though. Here's a sample session where we log in from the computer scarlatti to the computer remote.juneday.se and then log out (using exit).

 
[hesa@scarlatti ~]$ ssh remote.juneday.se 
Linux remote.juneday.se 4.9.0-4-arm64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) aarch64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Dec  4 03:16:37 2018 from 127.0.0.2
hesa@remote:~$ uname -a
Linux remote.juneday.se 4.9.0-4-arm64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) aarch64 GNU/Linux
hesa@remote:~$ ls -al
total 32
drwxr-xr-x 3 hesa hesa 4096 Sep 25 03:20 .
drwxr-xr-x 5 root root 4096 Sep 24 07:24 ..
-rw------- 1 hesa hesa  236 Sep 25 03:20 .bash_history
-rw-r--r-- 1 hesa hesa  220 Sep 20 07:37 .bash_logout
-rw-r--r-- 1 hesa hesa 3526 Sep 20 07:37 .bashrc
-rw-r--r-- 1 hesa hesa  675 Sep 20 07:37 .profile
drwxr-xr-x 2 hesa hesa 4096 Sep 20 14:42 .ssh
-rw------- 1 hesa hesa   56 Sep 25 03:20 .Xauthority
hesa@remote:~$ date
Tue Dec  4 03:22:09 PST 2018
hesa@remote:~$ exit
logout
Connection to 127.0.0.2 closed.
[hesa@scarlatti ~]$

Note: if you're using the X Window System (GNU/Linux does, and macOS and cygwin can be set up to use it) you can start graphical applications on the remote host and have them displayed on your computer.

Remotely execute commands non-interactively

If you would like to execute the command uname -a on the computer remote.juneday.se, for example in a script, you can add the command as an argument to ssh, like this:

 
$ ssh remote.juneday.se uname -a 
Linux remote.junedaylabs.com 4.9.0-4-arm64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) aarch64 GNU/Linux

or print the names of the computers (first the client, then the remote and finally the client again):

 
$ hostname ; ssh remote.juneday.se hostname; hostname
scarlatti
remote.junedaylabs.com
scarlatti
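
When such a command line is built in a script, keep in mind that ssh joins the command arguments with spaces and hands the resulting string to the remote user's shell. The added example below (not from the original page) shows the effect without any network: fake_ssh is a hypothetical stand-in that mimics this joining with a local sh -c, and sq is a hypothetical quoting helper.

```shell
#!/bin/sh
# Added example. fake_ssh is a local stand-in for "ssh host command...":
# like ssh, it joins the command words with spaces and lets a shell parse
# the resulting string. No network connection is made.
fake_ssh() {
    shift                 # drop the host name; the stand-in runs locally
    sh -c "$*"
}

# sq: wrap a value in single quotes so the remote shell sees one literal word.
# An embedded ' is written as '\'' (close quote, escaped quote, reopen quote).
sq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# The same remote call, without and with quoting of the value.
remote_echo_unquoted() { fake_ssh remote.juneday.se echo "$1"; }
remote_echo_quoted()   { fake_ssh remote.juneday.se echo "$(sq "$1")"; }

# Constructed input, e.g. a file name taken from a directory listing.
name="notes.txt; uname -s"

remote_echo_unquoted "$name"   # the shell splits at ';' and also runs uname -s
remote_echo_quoted "$name"     # the value arrives as one word, printed as-is
```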

Using ssh with other tools

Ssh is used to transfer data with commands such as:

  • rsync
  • git

and many more.

If you would like to add your (public) ssh key to github.com you can watch this video: