All you need to know about SSH

Introduction

SSH stands for Secure SHell, a tool developed by SSH Communications Security Ltd for secure remote login and command execution. It is a secure alternative to its predecessors rlogin, rsh, etc. SSH has become the industry de facto standard for communicating securely with remote machines, i.e. the entire session is encrypted.
SSH is based on public-key cryptography (also known as asymmetric cryptography), a cryptographic system that employs a key pair: a public key, which is meant to be shared, and a private key, which has to be kept safe and secret, known only to its owner. This pair serves two purposes: 1. authentication, where the public key verifies the owner of the paired private key, and 2. encryption, where the public key encrypts the message and only the paired private key can decrypt it. In simple words, you can share your public key (the content of ~/.ssh/id_rsa.pub) with anyone, via email for example. To access a remote machine securely and without a password, all you need to do is copy your public key to the authorized_keys file (default: ~/.ssh/authorized_keys).

SSH lets you choose from several encryption algorithms:
  • RSA: the most widely used algorithm, developed by Rivest, Shamir and Adleman, hence the name. A key size of 2048 bits is recommended; 4096 bits is better.
  • DSA: the old Digital Signature Algorithm, which was used by the US government.
  • ECDSA: a newer Digital Signature Algorithm standardized by the US government, using elliptic curves. This is probably a good algorithm for current applications. Only three key sizes are supported: 256, 384, and 521 (sic!) bits. We would recommend always using it with 521 bits, since the keys are still small and probably more secure than the smaller keys (even though they should be safe as well). Most SSH clients now support this algorithm.

Logging into remote machine

Logging in to a machine over SSH requires a password every time you log in. Below, we attempt to log in (via SSH) from our system (localhost) to a remote machine (anaconda-ks).
[ahmed@localhost ~]$ ssh ahmed@anaconda-ks
The authenticity of host 'anaconda-ks (192.168.137.133)' can't be established.
ECDSA key fingerprint is d8:46:dc:63:f1:96:46:66:34:48:b6:a9:3b:39:42:bd.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'anaconda-ks' (ECDSA) to the list of known hosts.
ahmed@anaconda-ks's password:
Last login: Mon Feb 19 22:55:34 2018
[ahmed@anaconda-ks ~]$

Step 1 – Generate SSH key Pair

$ ssh-keygen -t <algo> -b <key-size>

Commonly used flags

-b bits: Specifies the number of bits in the key to create. Generally, 2048 bits is considered sufficient for RSA.
-t type: Specifies the algorithm to use to create the key pair. The possible values are rsa, dsa, ecdsa, etc.

Example

By default, keys are created in the ~/.ssh/ directory unless another location is specified with the -f (filename) flag. You have to press Enter three times.
[ahmed@localhost ~]$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ahmed/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ahmed/.ssh/id_rsa.
Your public key has been saved in /home/ahmed/.ssh/id_rsa.pub.
The key fingerprint is:
0f:da:83:ae:d7:bb:05:17:1a:23:0d:5a:3e:3d:97:6b ahmed@localhost
The key's randomart image is:
+--[ RSA 4096]----+
|      o          |
|     + +   .     |
|    . + * +      |
|       o * o     |
|        S E      |
|       + *       |
|      o.o o      |
|     .. .o       |
|    .o. oo       |
+-----------------+
[ahmed@localhost ~]$

Step 2 – Copy the public key

Once the key pair is generated, it’s time to place the public key on the virtual server that we want to use.
You can copy the public key into the new machine’s authorized_keys file with the ssh-copy-id command. Make sure to replace the example username and IP address below.
ssh-copy-id -i <path-to-public-key> <username>@<hostname/IP-addr>
Example:
[ahmed@localhost ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub ahmed@anaconda-ks
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
ahmed@anaconda-ks's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'ahmed@anaconda-ks'"
and check to make sure that only the key(s) you wanted were added.

[ahmed@localhost ~]$
Alternatively, you can read the public key on the client (the machine you use to access the remote machine) and append it to the remote authorized_keys file over SSH:
$ cat ~/.ssh/id_rsa.pub | ssh <user>@<hostname> "mkdir -p ~/.ssh && cat >>  ~/.ssh/authorized_keys"

Step 3 – Attempt password-less login via SSH

[ahmed@localhost ~]$ ssh ahmed@anaconda-ks
Last failed login: Tue Feb 20 00:14:20 PST 2018 from :0 on :0
There was 1 failed login attempt since the last successful login.
Last login: Mon Feb 19 23:04:56 2018 from 192.168.137.129
[ahmed@anaconda-ks ~]$
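
The manual copy in Step 2 appends whatever it receives and leaves file modes to the remote umask. The script below is an added example, not code from the original article: it shows a server-side install that checks the key line, skips duplicates, and sets 700/600 permissions. The names install_pubkey, demo and SAMPLE_KEY are hypothetical, and the sample key is constructed.

```shell
#!/bin/sh
# Added example, not from the original article. install_pubkey, demo and
# SAMPLE_KEY are hypothetical names; SAMPLE_KEY is a constructed, unusable key.

# install_pubkey <ssh-dir> <public-key-line>
# Exit status: 0 = added, 1 = already present, 2 = rejected.
# The body runs in a subshell so umask and variables do not leak out.
install_pubkey() (
    dir=$1 line=$2 file="$1/authorized_keys"
    nl='
'
    case $line in *"$nl"*) exit 2 ;; esac        # exactly one line
    set -f; set -- $line; set +f                  # split on blanks, no globbing
    ktype=$1 blob=$2
    case $ktype in
        # ssh-dss (DSA) is left out on purpose: OpenSSH has disabled it by
        # default since release 7.0.
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) exit 2 ;;                              # also rejects option prefixes
    esac
    case $blob in ''|*[!A-Za-z0-9+/=]*) exit 2 ;; esac   # base64 characters only
    umask 077
    mkdir -p "$dir" && chmod 700 "$dir" || exit 2
    touch "$file" && chmod 600 "$file" || exit 2
    # Match on type and blob so the same key with a new comment is a duplicate.
    if awk -v t="$ktype" -v b="$blob" \
        '($1 "") == t && ($2 "") == b { f = 1 } END { exit !f }' "$file"
    then exit 1
    fi
    printf '%s\n' "$line" >> "$file"
)

SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCONSTRUCTEDSAMPLE ahmed@localhost'

# Install the same key twice into a scratch directory and report
# "<first status> <second status> <lines in authorized_keys>".
demo() {
    d=$(mktemp -d) || return 1
    first=0;  install_pubkey "$d/.ssh" "$SAMPLE_KEY" || first=$?
    second=0; install_pubkey "$d/.ssh" "$SAMPLE_KEY" || second=$?
    count=$(wc -l < "$d/.ssh/authorized_keys" | tr -d ' ')
    rm -rf "$d"
    echo "$first $second $count"
}
demo
```
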
