
networking

Harsh Kapadia's Computer Networking knowledge base.

Secure Shell (SSH)


Table of Contents

Introduction

Authentication Methods

The Need for SSH

SSH Commands

ssh

Connect to a remote machine (open a shell or run a command over an encrypted, authenticated channel) and forward ports. For more on port forwarding and its types, look at the ‘Tunneling and port forwarding’ bullet point in the Resources section below.

Usually provided by the openssh-client package.

ssh man(ual) page

```shell
$ ssh username@hostname
$ ssh username@hostname -p 22
$ ssh username@hostname -i ~/.ssh/private_key_file
# Force password authentication even when keys are available
$ ssh username@hostname -o PasswordAuthentication=yes -o PubkeyAuthentication=no -o PreferredAuthentications=password

# Local port forwarding: connections to <local_port> on the client go through the SSH
# connection and are delivered by the server to <remote_ip>:<remote_port>
$ ssh -L <local_ip_optional>:<local_port>:<remote_ip>:<remote_port> username@hostname

# Remote port forwarding: connections to <remote_port> on the server come back through the
# SSH connection to <local_or_destination_ip>:<local_or_destination_port>
# (binding to anything other than the server's loopback address needs `GatewayPorts` in sshd_config)
$ ssh -R <remote_ip_optional>:<remote_port>:<local_or_destination_ip>:<local_or_destination_port> username@hostname
```

ssh-keygen

Generate keypairs (public and private keys) and get the fingerprint of keys.

ssh-keygen man(ual) page

```shell
$ ssh-keygen

# `-b` is the bit-length of the key, i.e. the size of the RSA modulus (This is NOT the length of
# the generated text output of the key.) `-C` sets the comment stored with the public key.
$ ssh-keygen -t rsa -b 4096 -C "comment/e-mail"

# `-a` is the number of KDF rounds used to turn the passphrase into the key that encrypts the
# private key file; more rounds make offline brute-forcing of a stolen key file slower.
# Ed25519 keys have a fixed size, so `-b` is ignored for them.
$ ssh-keygen -t ed25519 -a 32

# Get public key from private key
$ ssh-keygen -y -f /path/to/private/key

# Remove a key from the known_hosts file (which stores public keys of machines previously connected to)
# Hosts on a non-default port are stored as `[host]:port`; `-f` defaults to ~/.ssh/known_hosts
$ ssh-keygen -R "<hostname_or_ip>" -f /path/to/known_hosts/file
$ ssh-keygen -R "[<hostname_or_ip>]:<port>" -f /path/to/known_hosts/file

# Get the fingerprint of a key
# NOTE: In a keypair, both keys (the public and private keys) will produce the same fingerprint,
# because the fingerprint is a hash of the public key, which ssh-keygen can also recover from the private key
$ ssh-keygen -l -E sha256 -f /path/to/public/key
$ ssh-keygen -l -E sha256 -f /path/to/private/key
```
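How `ssh-keygen -l` arrives at those fingerprints, as an added Python example that is not part of the original page: it parses a `.pub`/authorized_keys line, hashes the base64 key blob exactly as OpenSSH does (SHA-256 shown as unpadded base64, MD5 as colon-separated hex) and prints the same `<bits> <fingerprint> <comment> (<TYPE>)` line. The RSA bit count it reports is the modulus size, which is what `-b` sets. The two sample keys are constructed for the example and are not real keys; the function names are this example's own.

```python
"""Compute OpenSSH key fingerprints from a public-key line.

Added example, not code from the original page. The sample keys at the
bottom are constructed for illustration; their byte values are not real keys.
"""
import base64
import hashlib
import struct

KEY_TYPE_NAMES = {"ssh-ed25519": "ED25519", "ssh-rsa": "RSA",
                  "ecdsa-sha2-nistp256": "ECDSA"}


def ssh_string(b: bytes) -> bytes:
    """Encode an SSH `string`: uint32 big-endian length + bytes (RFC 4251 §5)."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH `mpint` (a leading 0x00 byte is
    added when the top bit is set so the value is not read as negative)."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def parse_pubkey_line(line: str):
    """Split a .pub / authorized_keys line into (key_type, blob, comment)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not a public key line")
    comment = parts[2] if len(parts) == 3 else ""
    return parts[0], base64.b64decode(parts[1]), comment


def blob_fields(blob: bytes) -> list:
    """Return the length-prefixed fields inside a key blob, e.g.
    [b"ssh-ed25519", <32-byte key>] or [b"ssh-rsa", e, n]."""
    fields, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    return fields


def key_bits(blob: bytes) -> int:
    """Key size as ssh-keygen reports it: modulus bits for RSA, 256 for Ed25519."""
    fields = blob_fields(blob)
    if fields[0] == b"ssh-rsa":
        return int.from_bytes(fields[2], "big").bit_length()
    if fields[0] == b"ssh-ed25519":
        return 256
    raise ValueError("unsupported key type: %r" % fields[0])


def fingerprint(blob: bytes, alg: str = "sha256") -> str:
    """Fingerprint of a key blob in ssh-keygen's notation. Only the blob is
    hashed, so the comment in the .pub file never changes the fingerprint."""
    if alg == "sha256":
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    if alg == "md5":
        hexdigest = hashlib.md5(blob).hexdigest()
        return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))
    raise ValueError("unsupported hash: " + alg)


def fingerprint_line(line: str, alg: str = "sha256") -> str:
    """One line in the format of `ssh-keygen -l -E <alg> -f key.pub`."""
    key_type, blob, comment = parse_pubkey_line(line)
    name = KEY_TYPE_NAMES.get(key_type, key_type)
    return "%d %s %s (%s)" % (key_bits(blob), fingerprint(blob, alg),
                              comment or "no comment", name)


# Constructed sample keys (NOT real keys): an Ed25519 blob is the key type
# followed by the 32-byte public key; an RSA blob is the key type, e and n.
ED25519_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
RSA_BLOB = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(2**2047 + 12345)
SAMPLE_ED25519 = "ssh-ed25519 %s user@laptop" % base64.b64encode(ED25519_BLOB).decode()
SAMPLE_RSA = "ssh-rsa %s" % base64.b64encode(RSA_BLOB).decode()

if __name__ == "__main__":
    for pub_line in (SAMPLE_ED25519, SAMPLE_RSA):
        print(fingerprint_line(pub_line))
        print(fingerprint_line(pub_line, "md5"))
```

Because only the blob is hashed, a key that somebody re-labelled with a different comment still matches the fingerprint you recorded, and a key whose blob differs by a single byte does not; that is what makes the fingerprint a usable identity for the key.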

ssh-copy-id

Appends one or more local public keys to the ~/.ssh/authorized_keys file on the server. The client can then log in with the matching private key instead of a password.

NOTE: ssh-copy-id has to log in to the server itself in order to write that file, so the first connection needs a password (or some other form of authentication that already works, e.g. a key pair whose public key was installed on the server during OS installation or provisioning, which can then be used to add more public keys with this command).

ssh-copy-id man(ual) page

```shell
# Copying the default local public keys to the server (the keys loaded in ssh-agent if there are any, otherwise the `~/.ssh/id_*.pub` files)
$ ssh-copy-id username@hostname

# Copying only a specific local public key to the server
$ ssh-copy-id -i /path/to/public/key.pub username@hostname
```

ssh-import-id

Fetches the public keys that a GitHub (gh) or Launchpad (lp) account has published, over HTTPS, and appends them to the ~/.ssh/authorized_keys file on the server (it is run on the server, as the user who should be able to log in). Whoever holds the matching private keys can then log in without a password, so the trust is placed in whoever controls that account: check that the username is the right one and that the fingerprints it reports are yours before relying on it.

Adding a new SSH key to your GitHub account

ssh-import-id man(ual) page

```shell
$ ssh-import-id gh:<github_username>
$ ssh-import-id lp:<launchpad_username>
```

ssh-agent

Holds private keys, decrypted, in memory and signs authentication challenges on behalf of ssh, so a passphrase-protected key only has to be unlocked once, when it is added; ssh does not prompt for the passphrase again while the key is loaded. The key material itself never leaves the agent, but anyone who can reach its socket (root on the local machine, or the administrator of a remote host when agent forwarding, `ssh -A`, is used) can use the loaded keys to authenticate for as long as they stay loaded.

ssh-agent man(ual) page

```shell
# Start an agent and populate the SSH_AUTH_SOCK env var, so that ssh and ssh-add can communicate with ssh-agent
$ eval "$(ssh-agent)"
```

ssh-add

Adds, lists and removes private keys from the ssh-agent utility. Removing/deleting a key does not delete the actual key file from the system.

ssh-add man(ual) page

```shell
# To populate the SSH_AUTH_SOCK env var, so that ssh-add can communicate with ssh-agent
$ eval "$(ssh-agent)"

# List private keys managed by ssh-agent
$ ssh-add -l

# Add a private key to ssh-agent (prompts for the passphrase if the key has one)
$ ssh-add /path/to/private/key

# Delete a private key from ssh-agent
# Does not delete private key file from `~/.ssh`
$ ssh-add -d /path/to/private/key
```

Generating Keys

Sharing Keys with the Server

The authorized_keys file in the .ssh directory on the server usually holds all the public keys from clients that are allowed to connect with the server. How do those public keys get there, though?

There are usually two ways to do this:
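Appending a key by hand, for when ssh-copy-id is not available, as an added example that is not part of the original page. It does what ssh-copy-id does under the hood: creates the directory and file with the permissions sshd's `StrictModes` setting requires (700 for ~/.ssh, 600 for authorized_keys, otherwise the key is silently ignored), and skips keys that are already present. The function name and arguments are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): install a public key into an
# authorized_keys file by hand.
#   $1 = path of the .pub file to install
#   $2 = home directory of the account on the server (defaults to $HOME)
install_authorized_key() {
    pub="$1"
    home="${2:-$HOME}"
    ssh_dir="$home/.ssh"
    auth="$ssh_dir/authorized_keys"

    # A key is identified by its type and base64 blob; the trailing comment
    # may differ between copies of the same key, so it is not compared.
    key_id=$(awk 'NF >= 2 { print $1 " " $2; exit }' "$pub")
    [ -n "$key_id" ] || { echo "no public key found in $pub" >&2; return 1; }

    # sshd (with the default StrictModes yes) refuses keys from a ~/.ssh or
    # authorized_keys that is writable by anyone other than the owner.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth" && chmod 600 "$auth"

    if grep -qF -- "$key_id" "$auth"; then
        echo "key already present in $auth"
        return 0
    fi
    cat "$pub" >> "$auth"
    echo "key added to $auth"
}
```

Run it on the server as the target user, e.g. `install_authorized_key /tmp/laptop.pub`; running it twice with the same key leaves a single entry.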

Building Blocks of SSH

SSH runs on top of a reliable, ordered transport, over which it provides confidentiality, integrity and authentication, and on top of that, services such as shells, file transfer and port forwarding. The underlying transport is almost always TCP (port 22 by default), but anything that delivers a reliable byte stream, such as a WebSocket connection, can theoretically carry it as well.

On top of that transport, SSH has three parts (RFC 4251 describes the overall architecture): the SSH Transport Layer Protocol (RFC 4253: server authentication, key exchange, encryption and integrity protection), the SSH User Authentication Protocol (RFC 4252: authenticating the client to the server, e.g. with a password or a public key) and the SSH Connection Protocol (RFC 4254: multiplexing channels such as shells and forwarded ports over the single encrypted connection).

SSH Config Files

NOTE: sshd reads /etc/ssh/sshd_config only when it starts, so after editing it, check the file with `sshd -t` (it prints nothing on success) and then reload or restart the sshd service; a reboot is not needed. Keep the existing session open and test a fresh login before closing it, so that a mistake does not lock you out. The client-side files (~/.ssh/config and /etc/ssh/ssh_config) are read afresh by every ssh invocation and need no restart.

A SSH Connection

Legend:

  • C = Client
  • S = Server
  • -> = Arrow indicating the direction of communication
  • ACK = TCP Acknowledgement flag
  • PSH = TCP Push flag

Initialization

Algorithm Negotiation
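What a KEXINIT carries and how the winner of each list is picked, as an added Python example that is not from the original page. It builds and parses the SSH_MSG_KEXINIT payload (RFC 4253 §7.1) and applies the negotiation rule from the same section: for each list, the first algorithm in the client's preference order that the server also supports wins, regardless of the server's own ordering. The two KEXINIT payloads are constructed here, their algorithm lists are illustrative rather than a real capture, and the short WEAK set is an illustration of a downgrade check, not a complete policy.

```python
"""SSH_MSG_KEXINIT parsing and RFC 4253 §7.1 algorithm negotiation.

Added example, not code from the original page. The sample peers below are
constructed for illustration; WEAK is a short illustrative list only.
"""
import struct

SSH_MSG_KEXINIT = 20
NAME_LISTS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
NEGOTIATED = NAME_LISTS[:8]  # the two language lists are not negotiated this way
# Algorithms a modern host should never end up with (illustrative, not complete).
WEAK = {"diffie-hellman-group1-sha1", "ssh-dss", "3des-cbc", "arcfour",
        "arcfour128", "arcfour256", "hmac-md5", "hmac-md5-96"}


def _namelist(names) -> bytes:
    """SSH name-list: uint32 length + comma-separated ASCII names."""
    raw = ",".join(names).encode("ascii")
    return struct.pack(">I", len(raw)) + raw


def build_kexinit(lists: dict, cookie: bytes = bytes(16),
                  first_kex_packet_follows: bool = False) -> bytes:
    """KEXINIT payload: byte 20, 16-byte random cookie (all zero here for
    reproducibility), ten name-lists, boolean first_kex_packet_follows,
    uint32 reserved (always 0)."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in NAME_LISTS:
        payload += _namelist(lists.get(field, []))
    return payload + bytes([int(first_kex_packet_follows)]) + struct.pack(">I", 0)


def parse_kexinit(payload: bytes) -> dict:
    """Inverse of build_kexinit: the ten lists plus the boolean."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    off, lists = 17, {}          # 1 byte message number + 16 byte cookie
    for field in NAME_LISTS:
        (n,) = struct.unpack(">I", payload[off:off + 4])
        raw = payload[off + 4:off + 4 + n].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        off += 4 + n
    lists["first_kex_packet_follows"] = bool(payload[off])
    return lists


def choose(client: list, server: list) -> str:
    """The first algorithm in the CLIENT's list that the server also lists
    wins; a real server disconnects when there is no common algorithm."""
    for alg in client:
        if alg in server:
            return alg
    raise ValueError("no common algorithm: client=%r server=%r" % (client, server))


def negotiate(client_payload: bytes, server_payload: bytes) -> dict:
    """Negotiate every list of two KEXINIT payloads. The full rule for "kex"
    additionally requires the chosen host key algorithm to be usable with the
    kex method; every current kex method needs a signature-capable host key,
    so the plain first-match rule is sufficient here."""
    c, s = parse_kexinit(client_payload), parse_kexinit(server_payload)
    return {field: choose(c[field], s[field]) for field in NEGOTIATED}


def weak_choices(chosen: dict) -> dict:
    """The negotiated algorithms that are on the WEAK list (a downgrade check)."""
    return {field: alg for field, alg in chosen.items() if alg in WEAK}


def algorithm_lists(kex, host_key, enc, mac, comp=("none",)) -> dict:
    """Convenience: the same cipher/MAC/compression list in both directions."""
    return {"kex": list(kex), "host_key": list(host_key),
            "enc_c2s": list(enc), "enc_s2c": list(enc),
            "mac_c2s": list(mac), "mac_s2c": list(mac),
            "comp_c2s": list(comp), "comp_s2c": list(comp)}


# Constructed sample peers (illustrative, not from a capture). The client is
# configured to still accept some legacy algorithms at the end of its lists.
CLIENT = algorithm_lists(
    kex=["curve25519-sha256", "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"],
    host_key=["ssh-ed25519", "rsa-sha2-512", "ssh-rsa"],
    enc=["chacha20-poly1305@openssh.com", "aes256-ctr", "3des-cbc"],
    mac=["hmac-sha2-256", "hmac-sha1", "hmac-md5"])
MODERN_SERVER = algorithm_lists(
    kex=["diffie-hellman-group14-sha256", "curve25519-sha256"],  # server prefers DH first
    host_key=["rsa-sha2-512", "ssh-ed25519"],
    enc=["aes256-ctr", "chacha20-poly1305@openssh.com"],
    mac=["hmac-sha2-256"])
LEGACY_SERVER = algorithm_lists(
    kex=["diffie-hellman-group14-sha1"], host_key=["ssh-rsa"],
    enc=["3des-cbc"], mac=["hmac-md5"])

if __name__ == "__main__":
    for name, server in (("modern", MODERN_SERVER), ("legacy", LEGACY_SERVER)):
        chosen = negotiate(build_kexinit(CLIENT), build_kexinit(server))
        print(name, chosen, "WEAK:", weak_choices(chosen))
```

Against the modern server the client's first choices win even though the server lists them second; against the legacy server the client's own trailing legacy entries are what let the connection complete with 3des-cbc and hmac-md5, which is why the practical defence against downgrade is to not offer weak algorithms at all rather than to rely on preference order.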

Key Exchange Phase

Learn about Elliptic Curve Diffie-Hellman (ECDH).
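The key exchange phase for the curve25519-sha256 method (RFC 8731), as an added Python example that is not part of the original page. X25519 is implemented from RFC 7748 so that both sides of the exchange can run offline: the client sends its ephemeral public value Q_C in SSH_MSG_KEX_ECDH_INIT, the server answers with Q_S in SSH_MSG_KEX_ECDH_REPLY, and each side derives the same shared secret K from nothing more than its own private scalar and the other side's public value, which is all an observer of the two messages does not have. The pure-Python ladder is not constant-time, so it is for understanding the protocol, not for use in a real client; the seeds fed to simulate_kex are constructed for the example.

```python
"""Curve25519 ECDH as used by the SSH curve25519-sha256 key exchange.

Added example, not the page's own code. X25519 follows RFC 7748 §5 and is
NOT constant-time (illustration only). Message numbers are from RFC 5656
as used by RFC 8731.
"""
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")
SSH_MSG_KEX_ECDH_INIT = 30   # client -> server: Q_C
SSH_MSG_KEX_ECDH_REPLY = 31  # server -> client: K_S (host key), Q_S, signature over H


def _decode_scalar(k: bytes) -> int:
    """Clamp the 32-byte private scalar as RFC 7748 §5 requires."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def _decode_u(u: bytes) -> int:
    b = bytearray(u)
    b[31] &= 127          # the unused top bit is ignored
    return int.from_bytes(b, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 §5: the u-coordinate of k * U."""
    k, x1 = _decode_scalar(k), _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:              # conditional swap (a real implementation does this without branching)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair(seed: bytes = None):
    """Ephemeral key pair: (private scalar, public u-coordinate Q = k * 9)."""
    priv = seed if seed is not None else os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def shared_secret(priv: bytes, peer_pub: bytes) -> bytes:
    """K = X25519(priv, Q_peer). RFC 8731 §3 requires aborting when the
    result is all zero, which happens when the peer sent a low-order point."""
    k = x25519(priv, peer_pub)
    if k == bytes(32):
        raise ValueError("all-zero shared secret: peer sent a low-order point")
    return k


def simulate_kex(client_seed: bytes, server_seed: bytes):
    """Run the ECDH phase of one SSH connection; returns (messages, K_c, K_s)."""
    c_priv, q_c = keypair(client_seed)
    s_priv, q_s = keypair(server_seed)
    messages = [
        ("C -> S", SSH_MSG_KEX_ECDH_INIT, q_c),   # only Q_C crosses the wire
        ("S -> C", SSH_MSG_KEX_ECDH_REPLY, q_s),  # plus the host key and its signature
    ]
    k_client = shared_secret(c_priv, q_s)   # client: its scalar and the server's Q_S
    k_server = shared_secret(s_priv, q_c)   # server: its scalar and the client's Q_C
    # In SSH, K (as an mpint) then goes into the exchange hash H and the
    # derivation of the session keys; the private scalars are discarded.
    return messages, k_client, k_server

if __name__ == "__main__":
    msgs, kc, ks = simulate_kex(os.urandom(32), os.urandom(32))
    for direction, number, q in msgs:
        print(direction, number, q.hex())
    print("shared secrets match:", kc == ks)
```

The server's SSH_MSG_KEX_ECDH_REPLY also carries a signature over the exchange hash H made with the host key, and the client verifies it before using K; that signature is what binds this particular exchange to the host key whose fingerprint ssh shows in the known_hosts prompt, and it is the only thing standing between the client and a man-in-the-middle who simply runs this same exchange with both sides.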

End of Key Exchange

Subsequent Encrypted Communication

Connection Termination

Resources