SSH

From /tech/ Wiki
SSH: Making unsafe networks safer since 1995.

SSH (Secure Shell) is an encrypted and authenticated network protocol for logging in to, running commands on and moving data between two devices over an untrusted network. An SSH client and server, almost always OpenSSH, ship with every major Linux distribution and BSD.

Warning: If not configured properly, SSH can be insecure. At a minimum, do the following on the server:
  • Use key pairs instead of passwords, and disable password authentication (PasswordAuthentication no) once key login is confirmed to work.
  • Disable direct root login (PermitRootLogin no); log in as an unprivileged user and use sudo or doas.
  • Optionally move the daemon off the default port (22). This only cuts down the automated scanning noise in your logs; it is not a security control and does not replace the two items above.

Uses

  • Log in to and run commands on another device, e.g. a server or a single-board computer such as a Raspberry Pi.
  • Transfer files between devices securely using the scp or sftp utilities, which run over the same SSH connection.
  • Use another device as a personal proxy using SSH tunneling (port forwarding); for example ssh -D 1080 user@host turns the remote host into a local SOCKS proxy.

Clientside

Tip: The OpenSSH manual pages, ssh(1), ssh_config(5) and sshd_config(5), are available online and are the authoritative reference for every option mentioned here.

To connect to an SSH server run ssh user@example.com. If no user is given, your local login name is used. On the first connection to a host, ssh shows the server's host key fingerprint and asks you to confirm it; verify that fingerprint through a trusted channel (for example by running ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub on the server itself) before answering yes, because accepting an unknown key blindly is the one point where a man-in-the-middle can insert itself. The accepted key is stored in ~/.ssh/known_hosts and checked automatically on later connections. You may then be asked to enter a password.

Warning: ssh does not read ~/.netrc (that file is used by ftp, curl and similar tools), and there is no supported way to store an SSH password in a file. Do not put passwords in scripts or wrappers such as sshpass; keep per-host connection settings (host name, user, port, key file) in ~/.ssh/config and authenticate with keys instead.

Serverside

To set up an SSH server, install the OpenSSH server package and make sure the sshd daemon is running. On systemd systems run systemctl enable --now sshd (the unit is called ssh on Debian and Ubuntu). Configuration lives in /etc/ssh/sshd_config, or in a drop-in file under /etc/ssh/sshd_config.d/ where the distribution ships an Include line for that directory. After any change run sshd -t to check the configuration and reload with systemctl reload sshd, keeping your current session open so a mistake cannot lock you out. Check the local article on doing so securely.
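The following script is an added example, not code from the wiki page or from OpenSSH: it writes the settings the warning box above asks for as a drop-in, verifies the resulting configuration before reloading, and audits any sshd_config the way sshd resolves it (first value for a keyword wins, keywords are case-insensitive, an absent directive falls back to the default). It assumes OpenSSH 8.2 or later with an Include line for /etc/ssh/sshd_config.d/ in the main config, a systemd unit named sshd, and the drop-in file name 50-hardening.conf; all of those are assumptions, and the audit helper deliberately stops at the first Match block.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: apply the warning box's
# server-side settings as an OpenSSH drop-in, verify before reloading, and
# audit a config file for the weak settings.
# Assumptions: OpenSSH 8.2+ with "Include /etc/ssh/sshd_config.d/*.conf" at the
# top of /etc/ssh/sshd_config, a systemd unit named sshd ("ssh" on Debian and
# Ubuntu), and the drop-in name below.
set -eu

DROPIN=/etc/ssh/sshd_config.d/50-hardening.conf

# Port is only noise reduction for the logs; the authentication lines below
# it are the actual controls.
hardened_config() {
    cat <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
AuthenticationMethods publickey
MaxAuthTries 3
LoginGraceTime 30
EOF
}

# Print "keyword value" pairs as sshd resolves them: '#' starts a comment,
# keywords and yes/no values are case-insensitive, and the FIRST value given
# for a keyword wins. Stops at the first Match block; does not handle the
# rarer "Keyword=value" spelling.
effective_settings() {
    sed 's/#.*//' "$1" | awk '
        tolower($1) == "match" { exit }
        NF >= 2 { k = tolower($1); if (!(k in seen)) { seen[k] = 1; print k, tolower($2) } }'
}

value_of() {   # value_of "<effective settings>" <lower-case keyword>
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Audit one config file. Prints a line per finding; returns 1 if any weak
# setting is present, counting a missing directive as its (weak) default.
audit_config() {
    eff=$(effective_settings "$1")
    rc=0
    [ "$(value_of "$eff" permitrootlogin)" = no ] ||
        { echo "WEAK: PermitRootLogin is not 'no' (OpenSSH default: prohibit-password)"; rc=1; }
    [ "$(value_of "$eff" passwordauthentication)" = no ] ||
        { echo "WEAK: PasswordAuthentication is not 'no' (OpenSSH default: yes)"; rc=1; }
    [ "$(value_of "$eff" permitemptypasswords)" != yes ] ||
        { echo "WEAK: PermitEmptyPasswords yes"; rc=1; }
    port=$(value_of "$eff" port)
    [ "${port:-22}" != 22 ] ||
        echo "INFO: listening on 22; moving it only cuts scanner noise, it is not a control"
    return $rc
}

# Install the drop-in, check the full configuration, audit what sshd will
# actually use (sshd -T dumps the effective config), then reload. Requires
# root. Keep your current session open; a reload does not drop it.
apply_hardening() {
    hardened_config > "$DROPIN"
    chmod 644 "$DROPIN"
    sshd -t                        # non-zero means: do NOT reload, fix it first
    tmp=$(mktemp)
    sshd -T > "$tmp"
    audit_config "$tmp"
    rm -f "$tmp"
    systemctl reload sshd          # "ssh" on Debian/Ubuntu
}

case "${1:-}" in
    apply) apply_hardening ;;
    audit) audit_config "${2:?usage: $0 audit <sshd_config>}" ;;
esac
```

Run it as `sh harden-sshd.sh audit /etc/ssh/sshd_config` to see findings on an existing server, and `sh harden-sshd.sh apply` as root to install the drop-in. The drop-in wins over the main file only because the Include line comes first and sshd keeps the first value it sees; on a system whose sshd_config has no Include line, append the same lines to /etc/ssh/sshd_config instead.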

Generating an SSH key-pair

Instead of a password, you should log in to remote systems with a key pair. A private key cannot be guessed or brute-forced over the network the way a password can, it never leaves your machine, and its passphrase is only ever checked locally.

It works by generating a public and a private key, optionally (and preferably) protected by a strong passphrase. The public key is placed in ~/.ssh/authorized_keys on the remote system; the private key stays on the client, stored where unauthorized people cannot read it. When the client connects, it signs a message bound to that session with the private key and the server verifies the signature against the stored public key, so the private key itself is never transmitted.

You can generate a key pair with the ssh-keygen utility; prefer ssh-keygen -t ed25519, falling back to -t rsa -b 4096 only for servers too old to support Ed25519. Keys are saved under the ~/.ssh directory (note: this location is hard-coded and not XDG compliant). ssh refuses to use a private key that other users can read, so keep ~/.ssh at mode 700 and private keys at mode 600.

Then copy the generated public key to the server using the ssh-copy-id utility, which logs in once with your password and appends the key to the remote ~/.ssh/authorized_keys.

Ex: ssh-copy-id -i ~/.ssh/mykey.pub user@host

Confirm that key login works (ssh -i ~/.ssh/mykey user@host) before disabling password authentication on the server.
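The following script is an added example, not code from the wiki page or from OpenSSH, covering the client side of both sections above: generating an Ed25519 key, recording the host in ~/.ssh/config instead of the unsupported ~/.netrc, installing the key with ssh-copy-id, proving that key authentication works with the password fallback switched off, and checking the file permissions that ssh insists on. The user name "user", host "example.com", alias "example", key name "mykey" and port 2222 are placeholders and assumptions.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: the client-side key
# procedure end to end. "user", "example.com", the alias "example", the key
# name "mykey" and port 2222 are placeholders; adjust them for your server.
set -eu

SSH_DIR=${HOME}/.ssh
KEY=${SSH_DIR}/mykey

# Ed25519 keys are small and fast, with no parameter choices to get wrong.
# -a 100 raises the KDF rounds protecting the passphrase against offline
# guessing if the file is ever copied; -C labels the key in authorized_keys.
generate_key() {
    mkdir -p "$SSH_DIR"
    chmod 700 "$SSH_DIR"
    ssh-keygen -t ed25519 -a 100 -C "$(id -un)@$(uname -n) $(date +%F)" -f "$KEY"
    ssh-keygen -lf "${KEY}.pub"   # fingerprint, to recognise this key in server logs later
}

# ssh does not read ~/.netrc; per-host settings belong in ~/.ssh/config.
# IdentitiesOnly stops ssh from offering every key in the agent to every
# server (each offered public key is a trackable identifier).
write_host_alias() {
    cfg=${SSH_DIR}/config
    touch "$cfg"
    grep -q '^Host example$' "$cfg" || cat >> "$cfg" <<'EOF'
Host example
    HostName example.com
    User user
    Port 2222
    IdentityFile ~/.ssh/mykey
    IdentitiesOnly yes
EOF
    chmod 600 "$cfg"
}

# The last password login: ssh-copy-id appends the public key to the remote
# ~/.ssh/authorized_keys. Then prove key auth works with password fallback
# disabled, so a silent fallback cannot hide a broken key before you turn
# PasswordAuthentication off on the server.
install_key() {
    ssh-copy-id -i "${KEY}.pub" example
    ssh -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no example true
}

# OpenSSH ignores a private key that group or others can read ("UNPROTECTED
# PRIVATE KEY FILE") and rejects a ~/.ssh/config writable by others. Compare
# the ls mode string, which is portable where GNU stat flags are not.
# Returns 1 on a mismatch.
check_perms() {
    path=$1; want=$2   # want: 10-char mode string such as -rw------- or drwx------
    mode=$(ls -ld "$path" | cut -c1-10)
    [ "$mode" = "$want" ] || { echo "BAD: $path is $mode, expected $want"; return 1; }
}

check_all() {
    check_perms "$SSH_DIR" drwx------
    check_perms "$KEY" -rw-------
    check_perms "${SSH_DIR}/config" -rw-------
}

case "${1:-}" in
    generate) generate_key ;;
    alias)    write_host_alias ;;
    install)  install_key ;;
    check)    check_all ;;
esac
```

Run the steps in order, `generate`, `alias`, `install`, then `check`; after `install` succeeds you can log in with plain `ssh example`, and only then should PasswordAuthentication be disabled on the server. If `install` fails with "Permission denied (publickey)", run `check` first: a group-readable private key is the most common cause.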