Difference between revisions of "SSH"

From CDOT Wiki
Latest revision as of 18:05, 9 December 2023

SSH is the Secure Shell, a powerful encrypted communication tool. This page contains some basic information about the use of SSH.


SSH Software

SSH client and server programs are included with almost all Linux distributions, macOS, and recent versions of Windows (later updates of Windows 10, and Windows 11). You can obtain SSH client and server software for most other platforms, including Android.

Here are some SSH clients (there are many others available):

Platform              | Software | Comments
Linux                 | OpenSSH  | Included in almost all Linux distributions
macOS                 | OpenSSH  | Included with macOS
ChromeOS (Chromebook) | crosh    | The Chrome Shell (crosh) included with ChromeOS has SSH support - use Ctrl-Alt-T inside Chrome to open a crosh tab. (May not be present in newer non-developer versions of ChromeOS - search the Chrome Web Store for an SSH app.)
Android               | JuiceSSH | Free and premium versions available in the Google Play store
Windows               | OpenSSH  | Included with Windows 10 onward; on Windows 10 the client may need to be enabled under Settings > Apps > Optional features ("OpenSSH Client")

Using SSH for a Text-Based Connection

The most basic use of SSH is for a text-based connection used to enter commands and view command output, or to run a text-based application such as a menu-driven system.

Some SSH clients have a graphical interface. For those used from the command line, the most basic form of invocation is:

ssh [OPTIONS] [user@]host [command]

Note that the ssh command name may vary, depending on the software used.

Where:

  • user is the name of the user account on the remote computer (optional, if the user account name is the same on both systems)
  • host is the name or IP address of the remote computer
  • command is the command to be executed on the remote computer (optional - the default is to open whatever shell or application is the default for the specified user)


Useful options include:

Option          | Description                                                                                                   | Example
-C              | Enable compression (zlib) to improve performance on slow links                                                | ssh -C user@host
-X or -Y        | Turn on X11 forwarding (untrusted or trusted; -C is also recommended) - see X11 Tunnelling, below              | ssh -X -C user@host
-L or -R        | Set up a local (-L) or reverse (-R) port-forwarding tunnel                                                    | (see the Tunnelling section)
-i identityfile | Use the specified private key (default: the standard identity files in ~/.ssh, such as id_ed25519, id_ecdsa and id_rsa) | ssh -i ~/.ssh/id_ed25519 user@host
-p portnumber   | Connect to TCP port portnumber instead of the default SSH port 22                                             | ssh -p 2200 user@host


Examples

  • Connect to a shell for account 'kim' on the computer 'winter': ssh kim@winter
  • Like above, with compression: ssh -C kim@winter
  • Run df -h on the remote system and display its output in the local terminal (the connection closes when the command finishes): ssh kim@winter df -h

Using SSH for a Graphical Application (X11 Tunnelling)

SSH is capable of carrying graphical traffic using the X Window System (X11) protocol. This means that if your client system is running the X Window System (most Unix/Linux systems, and any Mac or Windows system on which an X Server has been started), you can run remote graphical programs and display the output (windows) locally.

To enable this, add the -X or -Y option to your command line. -X requests "untrusted" X11 forwarding: the remote programs are subject to the X11 SECURITY extension, which (ideally) blocks certain advanced types of access that most graphical programs do not need and that would be a security problem, such as taking a screenshot of your desktop or reading keystrokes typed into other windows. -Y requests "trusted" forwarding, which gives the remote programs full access to your display. Either way, X11 forwarding lets code running on the remote host talk to your local X server, so use it only with hosts you trust, and prefer -X. Note that some distributions (Debian and Ubuntu, for example) set ForwardX11Trusted yes in /etc/ssh/ssh_config, which makes -X behave like -Y; you can check the effective setting for a host with ssh -G host | grep -i forwardx11trusted.


Example

  • Run Firefox on the remote system, and display the graphics on the local computer: ssh -XC kim@winter firefox


Using SSH with Tunnelling

In addition to X11 tunnelling, SSH permits you to set up your own tunnels to carry arbitrary network traffic either from the client system to the server, or from the server to your client. This allows you to encrypt the traffic for security/privacy, and to circumvent firewalls.

For local, forward (client to server) tunnels, the syntax is:

ssh -L listenport:destinationhost:destinationport [OPTIONS] [user@]host [command]

Where:

  • listenport is the port on the client machine which will accept connections
  • destinationhost is the remote computer hostname or IP address to which connections will be directed. This is usually localhost, which denotes the SSH server, but it can also be the name of a system which the server can directly reach. Note that communication between the server and the destinationhost is not encrypted.
  • destinationport is the port on the destinationhost to which the connection will be directed

For reverse (server to client) tunnels, the syntax is:

ssh -R listenport:destinationhost:destinationport [OPTIONS] [user@]host [command]

The arguments have the same meaning, but the roles of the two hosts are swapped: the tunnel listens on listenport on the server, and connections to it are carried back through the SSH connection and delivered by the client to destinationhost:destinationport (so destinationhost must be reachable from the client, and localhost there means the client machine).

In both directions the listening port is bound to the loopback interface by default, so only programs on the listening machine can use the tunnel. The -g option (for -L) or a bind address in front of listenport (for example 0.0.0.0:8080:localhost:80) opens it to other hosts and should be done only deliberately; for -R the server's sshd must also permit it with GatewayPorts. Add -N when the session exists only to carry the tunnel and no remote shell is wanted.


Examples

  • To connect port 8080 on the local computer to port 80 on the server winter, using the account sam: ssh -L 8080:localhost:80 sam@winter
    • After the tunnel above was put in place, you could access http://localhost:8080/ and be connected to the webserver (port 80) on the host winter
  • To connect port 2000 on the local computer to port 1234 on the host spring, which is on the same LAN as the SSH server winter (winter makes the final, unencrypted hop to spring): ssh -L 2000:spring:1234 sam@winter
  • To connect port 3000 on the server winter to port 5900 (VNC) on the local computer, so that a program on winter can reach a service on your machine: ssh -R 3000:localhost:5900 sam@winter
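The same forwards run as background tunnels that can be checked and torn down cleanly. This is an added example, not part of the original page: it wraps the ssh command in small shell functions, uses OpenSSH's control socket (-M/-S to create it, -O exit to close the session) so a backgrounded tunnel can be stopped without hunting for its process, and assumes the page's placeholder hosts and accounts (sam@winter, spring). SSH_BIN and CTL_DIR are this example's own variables, and the listening check uses the Linux ss command.

```shell
# Added example (not from the original page): manage background ssh tunnels.
# SSH_BIN and CTL_DIR are assumptions of this example so the ssh binary and
# control-socket directory can be overridden; the hosts are the page's
# placeholders (sam@winter, spring).
SSH_BIN="${SSH_BIN:-ssh}"
CTL_DIR="${CTL_DIR:-$HOME/.ssh}"

# tunnel_open LISTENPORT DESTHOST DESTPORT [user@]HOST
#   -f    go to the background once authenticated
#   -N    no remote command: this session only carries the forward
#   -M -S create a control socket so the session can be closed later
#   The listening side is pinned to 127.0.0.1 so only programs on this
#   machine can use the tunnel (the default, but made explicit).
tunnel_open() {
    "$SSH_BIN" -f -N -M -S "$CTL_DIR/tunnel-$1.sock" \
        -L "127.0.0.1:$1:$2:$3" "$4"
}

# tunnel_close LISTENPORT [user@]HOST -- tell the background session to exit
tunnel_close() {
    "$SSH_BIN" -S "$CTL_DIR/tunnel-$1.sock" -O exit "$2"
}

# tunnel_listening LISTENPORT -- succeed if something is bound to the port
# on loopback (ss is Linux-specific; use netstat -an on macOS)
tunnel_listening() {
    ss -ltn 2>/dev/null | grep -q "127\.0\.0\.1:$1 "
}

# Usage, matching the page's examples:
#   tunnel_open 8080 localhost 80 sam@winter   # http://localhost:8080/ -> winter:80
#   tunnel_open 2000 spring 1234 sam@winter    # localhost:2000 -> spring:1234, via winter
#   tunnel_listening 8080 && echo "port 8080 is forwarding"
#   tunnel_close 8080 sam@winter
```

One control socket per listening port keeps the tunnels independent: closing the 8080 tunnel does not disturb the 2000 one. If tunnel_open reports that the socket already exists, a previous session is still running; close it with tunnel_close first.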


Using SSH for File Transfer

SSH provides two mechanisms for file transfer: scp and sftp. You can use these from the command line using the OpenSSH software (installed by default in most MacOS, Windows, and Linux systems) or you can use a graphical tool that uses these protocols.

The following instructions are for using the OpenSSH version of scp/sftp from the command line:

scp - Secure Copy

The scp command functions like the normal Unix/Linux copy (cp) command, but accepts a hostname (and optional user ID) prepended to a filename for copying to/from remote systems. Either the source or the destination (or both) may be remote:

scp [OPTIONS] [[user@]host:]sourcefilename [[user@]host:]destinationfilename

The options are the same as for the ssh command, except that to specify a port number, use -P (capital) instead of -p (lowercase); add -r to copy a directory tree. With the traditional scp protocol (OpenSSH before 9.0) the remote filename is expanded by the remote shell, so a remote path containing spaces or wildcards must be quoted so that the quotes reach that shell, for example scp host:'"My Dir/file"' . ; OpenSSH 9.0 and later use the SFTP protocol for scp by default.

For example:

# Copy the file 'test5' from ~/scripts on Matrix to the current local directory
scp myuserid@matrix.senecacollege.ca:scripts/test5 .
# Copy the file 'test5' from the current directory to ~ on Matrix
scp test5 myuserid@matrix.senecacollege.ca:.


Examples

  • Copy the file /etc/hosts from this computer to the /tmp directory on the computer ireland: scp /etc/hosts ireland:/tmp
  • Copy the file test.tar from the home directory of the user chris on the computer ireland to the current directory: scp chris@ireland:~/test.tar .


sftp - Secure FTP

sftp is an interactive file transfer client that runs over SSH. Despite the name it does not speak the FTP protocol: it uses the SSH File Transfer Protocol, a subsystem of SSH, so commands and data all travel over the encrypted connection. The command usage is:

sftp [user@]host

At which point you can use the familiar FTP-style commands: ls, cd, lcd, get, put, mget, mput and quit (type help for the full list). Non-interactive transfers can be scripted with sftp -b batchfile [user@]host.


Example

  • Open a secure FTP connection to the account john.doe on the server matrix.senecac.on.ca: sftp john.doe@matrix.senecac.on.ca


Graphical File Management over SSH

Many Linux graphical file managers, such as the GNOME Nautilus and KDE Konqueror programs, know how to manage files remotely using the ssh/scp/sftp protocols. For example, on GNOME, you can select the menu option Places>Connect to Server (or press Ctrl-L and type a location such as sftp://user@host/path), enter the connection details, and view a file management window on a remote server. You can then rename, copy, move, and delete files using drag-and-drop operations (for example, you can copy a file by dragging it from your desktop to the remote window). You can also create bookmarks for rapid access to remote filesystems at a later date.

Using SSH with Public-Key Authentication

Although SSH can be used with passwords, a sysadmin may need to initiate hundreds of SSH connections a day, and typing passwords that often is tedious. SSH therefore permits authentication using public and private keys.


Background: Public Key Cryptography

See Public Key Cryptography for an overview of how this technology works.


Using Public Keys with SSH

Creating a Public/Private Key Pair

Note - OpenSSH Assumed: These instructions assume a Linux or macOS system running OpenSSH. Other SSH clients will have different procedures, and you'll need to check that the key produced is in OpenSSH format (you can convert key formats using the ssh-keygen command on a Linux system such as Matrix if needed).
  1. Enter this command: ssh-keygen -t ed25519
    • Answer the questions asked by ssh-keygen. Use default values for most questions. The use of a passphrase is strongly recommended: without one, anyone who obtains the private key file can log in as you. Avoid changing the filename from the default (unless there is a really good reason), because the location, name, and permissions of the key files are critical.
    • ssh-keygen will produce two files:
      • ~/.ssh/id_ed25519 - your private key (readable only by you, mode 0600; ssh refuses to use a private key that other users can read)
      • ~/.ssh/id_ed25519.pub - your public key
Tip - Key Type and Length: ssh-keygen can generate several types of keys: rsa, ecdsa and ed25519 (plus the obsolete dsa, which is limited to 1024 bits and has been disabled by default since OpenSSH 7.0). Any of these serves the same purpose, and rsa keys can be generated with varying lengths. Longer keys are harder to break, but lengths are not comparable across types: a 3072-bit RSA key and a 256-bit ed25519 key offer roughly the same (128-bit) security level. For RSA, 1024 bits is no longer considered safe; use at least 2048 bits, and preferably 3072 (the ssh-keygen default since OpenSSH 8.0) or 4096, and expect recommended lengths to grow as computers become faster. Better yet, use the ed25519 elliptic-curve type, which is considered the strongest format supported by the current OpenSSH implementation (8.4 as of the time of writing) and produces short keys that are fast to use.

Sending the Public Key to a Remote System Administrator

  1. Upload or email (or otherwise send) the ~/.ssh/id_ed25519.pub file to the remote system administrator. Do NOT send your private key (~/.ssh/id_ed25519)! The public key is a single line beginning with ssh-ed25519; if what you are about to send begins with -----BEGIN, it is the private key.

Setting up Public Key Authentication on Two Machines

Automatically (preferred approach):

  1. Run the command: ssh-copy-id -i ~/.ssh/id_ed25519.pub user@host
    • You will be asked for your password on the remote system once; afterwards ssh user@host should log you in with only the key passphrase (if you set one).

Manually:

  1. Copy the public key to the remote system you wish to access.
  2. On the remote system, create the ~/.ssh directory if it does not exist.
    • Set the permission on ~/.ssh to 0700
  3. Append the public key to the file ~/.ssh/authorized_keys
    • Set the permission on ~/.ssh/authorized_keys to 0600
  4. If the key is still not accepted, check that your home directory, ~/.ssh and ~/.ssh/authorized_keys are not writable by group or others: sshd (with its default StrictModes yes) silently ignores the file otherwise.
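The manual procedure above as a script, together with the check that most often explains "key authentication does not work": sshd, with its default StrictModes yes, ignores authorized_keys when the home directory, ~/.ssh or the file itself is writable by group or others. This is an added example, not from the original page or from OpenSSH's own ssh-copy-id; SSH_HOME is this example's own variable (defaulting to $HOME) so the functions can be pointed at a scratch directory, and the usage line assumes the key file name from the ssh-keygen step above.

```shell
# Added example (not from the original page): install a public key the way
# the manual steps describe, then verify the permissions that sshd's
# StrictModes checks. SSH_HOME is this example's own override (defaults to $HOME).
SSH_HOME="${SSH_HOME:-$HOME}"

# install_pubkey FILE.pub -- append one OpenSSH public key to
# $SSH_HOME/.ssh/authorized_keys, creating the directory if needed.
install_pubkey() {
    pub="$1"
    # Refuse anything that does not look like a public-key line, so a
    # private key file passed by mistake never ends up in authorized_keys.
    case "$(head -n 1 "$pub")" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*|"sk-"*) ;;
        *) echo "not an OpenSSH public key: $pub" >&2; return 1 ;;
    esac
    mkdir -p "$SSH_HOME/.ssh"
    chmod 0700 "$SSH_HOME/.ssh"
    # Compare key type and key material only, so the same key with a
    # different comment is not added twice (safe to re-run).
    key="$(awk '{print $1 " " $2}' "$pub")"
    if ! grep -qsF "$key" "$SSH_HOME/.ssh/authorized_keys"; then
        cat "$pub" >> "$SSH_HOME/.ssh/authorized_keys"
    fi
    chmod 0600 "$SSH_HOME/.ssh/authorized_keys"
}

# writable_by_others PATH -- true if group or world has write permission
writable_by_others() {
    [ -n "$(find "$1" -maxdepth 0 \( -perm -g+w -o -perm -o+w \) 2>/dev/null)" ]
}

# check_perms -- exit 0 only if the home directory, ~/.ssh and
# authorized_keys all exist and none is writable by group or others
# (the conditions sshd's StrictModes enforces; it also requires that
# they are owned by the user or root, which this check does not cover).
check_perms() {
    for p in "$SSH_HOME" "$SSH_HOME/.ssh" "$SSH_HOME/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p" >&2; return 1
        fi
        if writable_by_others "$p"; then
            echo "writable by group or others: $p" >&2; return 1
        fi
    done
    return 0
}

# Usage on the remote machine, after copying the public key there:
#   install_pubkey id_ed25519.pub && check_perms
```

The first-line check is the cheap safeguard against the mistake the previous section warns about: an OpenSSH private key file begins with -----BEGIN, never with a key type, so it is rejected before anything is written.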


Disconnecting from and Reconnecting to a Login Session

The GNU screen utility permits you to start a session, disconnect from it (accidentally or intentionally), and then reconnect from the same or another network connection. This is useful when you're using an unstable WiFi connection (e.g., in a coffee shop or over a mobile link) or want to start a long operation (such as a build or a test suite run) on campus, commute home while it's running, and then check on its status.

Note that this approach does not work with graphical applications (ssh -X).