What is SSH?
SSH stands for Secure SHell, so named because many protocols at the time of its inception were insecure. Nowadays, the most popular SSH implementation by far is OpenSSH. Basically, its main function is to provide secure, remote terminal access.
SSH is used in several scenarios, including:
- Connecting to a remote host.
- Backing up, copying, and mirroring files using SFTP.
- Mapping a client’s port to the server’s port to secure TCP/IP and other network protocols.
- Forwarding X Window System from the server to clients.
- Tunneling sensitive data through a secure channel.
- Using a Virtual Private Network.
We will focus on remote shell, tunneling and file transfer.
OpenSSH 9 was released last week. The scp utility now uses sftp instead of the less secure scp/rcp protocol. Forward-thinking authentication and encryption methods enable “quantum-resistant” protections.
The config is typically in /etc/ssh/sshd_config. Edit it as superuser.
Look up “SSH hardening”. This should give you some good ideas for what to manipulate here.
Here’s a decent page about it.
This webpage has a nearly exhaustive list of options.
Here’s a basic ssh connection command:
It will ask you for a password and you can then log in.
But there are better authentication methods!
There is this concept of using cryptographic keys for authentication instead of passwords. There are many benefits to this, some of which are discussed here. I will put in my 2 cents and say that they also enable strict permissions and managing multiple authorized users via the
An example is if a sysadmin leaves an organization, and all the other sysadmins were using the same user on every machine for simplicity. Then you only have to remove the key instead of worrying about resetting passwords everywhere. Another example is ssh tunnels, where you can specify a connection is not allowed shell access and only allowed certain ports.
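The two cases above, as an added example that is not part of the original notes: a Python audit of an authorized_keys file that reports which keys can still run commands and which are limited to a tunnel. The entries, key blobs, comments and the backup script path are constructed placeholders; restrict, port-forwarding, no-port-forwarding, permitopen and command are real sshd authorized_keys options.

```python
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # public key type names start like this

def split_unquoted(text, seps):
    """Split text on any character in seps that sits outside double quotes."""
    parts, buf, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch in seps and not quoted:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    return [p for p in parts + [buf] if p]

def parse_entry(line):
    """Return (options, key_type, comment), or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = split_unquoted(line, " \t")
    options = []
    if not fields[0].startswith(KEY_PREFIXES):  # first field is the option list
        options = split_unquoted(fields.pop(0), ",")
    if len(fields) < 2:
        raise ValueError("malformed entry: " + line)
    return options, fields[0], " ".join(fields[2:])

def classify(options):
    names = {o.split("=", 1)[0].lower() for o in options}
    targets = [o.split("=", 1)[1].strip('"') for o in options
               if o.lower().startswith("permitopen=")]
    forwarding = "port-forwarding" in names or not names & {"restrict", "no-port-forwarding"}
    if "command" not in names:
        return "shell"  # restrict/no-pty alone still let the key run commands
    if not forwarding:
        return "forced-command"
    return "tunnel:" + (",".join(targets) or "any")

def audit(text):
    entries = filter(None, map(parse_entry, text.splitlines()))
    return {comment: classify(options) for options, _, comment in entries}

SAMPLE = """# constructed entries; key blobs are placeholders, not real keys
ssh-ed25519 PLACEHOLDERKEY1 alice@laptop
restrict ssh-ed25519 PLACEHOLDERKEY2 bob@laptop
restrict,port-forwarding,permitopen="127.0.0.1:5432",command="/usr/sbin/nologin" ssh-ed25519 PLACEHOLDERKEY3 db-tunnel
command="/usr/local/bin/backup.sh",restrict ssh-rsa PLACEHOLDERKEY4 backup job
"""
print(audit(SAMPLE))
```

The bob@laptop entry is the one to watch for: restrict removes the PTY and forwarding, but without a forced command the key can still execute commands on the server.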
To generate keys use the ssh-keygen command. It has many options, but for most uses the defaults and onscreen prompts are fine.
Then, copy your new key with the ssh-copy-id command (and disable password authentication server side). You can instead copy over your key (keyname.pub) on a new line manually into ~/.ssh/authorized_keys if you know what you’re doing.
There are many types of keys including some cool ones like those appended with -sk (for “Security Key”) and some OpenPGP-based options.
Client config is typically in ~/.ssh/config. This makes it easier to connect with a shorthand instead of remembering all your options:
Now you can use
Connect with sftp:
The basic commands in sftp are:
- lcd change local directory
- cd change remote directory
- get download remote file
- put upload remote file
You can find more commands with help. The best way to transfer entire directories is just to tar and zip, then grab that file instead of messing with directory structures and such.
I didn’t have time to prepare this so here’s a webpage. I’ll demonstrate it at the meeting.