A warm welcome everyone, it's gutsytechster!
I am here with a new topic: SSH.
What is SSH?
If you haven't heard about this, nothing to worry, I am here to explain. SSH is an acronym of Secure Shell, sometimes also called Secure Socket Shell. It is a program for logging into another computer over a network to execute commands on the remote machine, and not only commands: you can also transfer files from one machine to another. It provides strong authentication and secure, encrypted communication between two hosts connecting over an insecure network such as the Internet. SSH is widely used by network administrators for managing systems and applications remotely.
The SSH suite comprises three utilities (slogin, ssh and scp) that are secure versions of the earlier insecure UNIX utilities rlogin, rsh and rcp. SSH uses public-key cryptography to authenticate the remote computer and, where required, to allow the remote computer to authenticate the user. Now the question comes: what is public-key cryptography?
Let's have a look at it. Asymmetric cryptography, also known as public-key cryptography, uses a key pair (a public key and a private key) to encrypt and decrypt data. The keys are simply large numbers that have been paired together but are not identical (asymmetric). One key in the pair can be shared with everyone; it is called the public key. The other key in the pair is kept secret; it is called the private key. Either of the keys can be used to encrypt a message; the opposite key from the one used to encrypt the message is used for decryption. In asymmetric cryptography, whatever is encrypted with a public key may only be decrypted by its corresponding private key, and vice versa. Of the two, encrypting with the public key and decrypting with the private key is the usual direction. The pictures below show a simplified version of what is written above.
Why SSH?
There are a couple of ways by which we can access a shell remotely on most Linux/Unix systems. SSH is a secure alternative to unprotected login tools such as telnet and rlogin, and to insecure file transfer methods such as FTP. The data transferred through telnet is not encrypted, which makes it unsuitable for transferring data over an insecure network; here comes SSH, which provides secure data transmission over an insecure network. For more details about telnet refer to this link.
There are many use cases which you will need when you start working with ssh. Well, I am not much into it, but you can refer to those here.
Generation of SSH keys
Generating SSH keys is very simple. Open your Linux terminal and follow the steps below:
1. Write the command and press enter:
ssh-keygen -t rsa
For a more secure 4096-bit key, run:
ssh-keygen -t rsa -b 4096 -C "firstname.lastname@example.org"
2. Press enter when asked where you want to save the key (this will use the default location).
3. It will ask you for a passphrase. A passphrase is a sequence of words or other text used to control access to a computer system, program or data. A passphrase is similar to a password in usage, but is generally longer for added security. It's up to you whether you want to add a passphrase or not, but having one has its own advantage: the private key file alone is useless to anyone who copies it without also knowing the passphrase.
The entire key generation will look like this:
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/demo/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/demo/.ssh/id_rsa.
Your public key has been saved in /home/demo/.ssh/id_rsa.pub.
The key fingerprint is:
4a:dd:0a:c6:35:4e:3f:ed:27:38:8c:74:44:4d:93:67 demo@test
The key's randomart image is:
+--[ RSA 2048]----+
|      .oo.       |
|     . o.E       |
|      + . o      |
|     . = = .     |
|      = S = .    |
|     o + = +     |
|    . o + o .    |
|       . o       |
|                 |
+-----------------+
The public key is now located in /home/demo/.ssh/id_rsa.pub and the private key (identification) is now located in /home/demo/.ssh/id_rsa (here the user is demo). Don't share your private key with anyone; only the .pub file ever leaves your machine.
cat ~/.ssh/id_rsa.pub – this will give you the key in the proper format to paste into the remote server.
So as you have seen, it is easy to generate SSH keys.
Working with SSH keys
Removing or changing the passphrase of the private key
To alter the existing passphrase, you must remember it; otherwise you won't have any option but to generate a new key pair. This affects every server that already trusts the existing key pair, since its public key will have to be replaced there.
To remove or change the passphrase, type
Then it will ask for the location of the key; you can give the location or press ENTER to accept the default value:
Enter file in which the key is (/root/.ssh/id_rsa):
Then it will prompt you to enter the old passphrase and, after that, the new passphrase:
Enter old passphrase:
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Displaying the SSH key fingerprint
Each SSH key pair has a cryptographic fingerprint, a hash of the public key, which uniquely distinguishes the keys.
To find out the fingerprint of an SSH key:
Then it will ask you to enter the file location. Press ENTER to select the default file location:
Enter file in which the key is (/root/.ssh/id_rsa):
As output, you will see a string like this:
4096 4a:dd:0a:c6:35:4e:3f:ed:27:38:8c:74:44:4d:93:67 demo@test (RSA)
where "4096" is the bit length,
"4a:dd:0a:c6:35:4e:3f:ed:27:38:8c:74:44:4d:93:67" is the required fingerprint,
"demo@test" is the key's comment: here "demo" is the account and "test" is the host, and
"(RSA)" is the algorithm used to generate the keys.
Newer OpenSSH releases print a SHA256 fingerprint (a base64 string prefixed with "SHA256:") here by default; the colon-separated MD5 form shown above is what you get when you add -E md5 to the ssh-keygen -l command.
Copying your public SSH key to the server
1. Using ssh-copy-id
ssh-copy-id is a utility included in the Linux distribution's OpenSSH packages. It is very likely to be installed by default. You can check by listing all the installed packages (in Ubuntu) with the command given below:
apt list --installed
For older versions, you have to use:
dpkg --get-selections | grep -v deinstall
You will get all the installed packages on your Linux distribution, where you have to look for the openssh-client and openssh-server packages.
If you don't have these packages you can install them by using the commands:
sudo apt-get install openssh-client
sudo apt-get install openssh-server
When you have this option available, you can easily transfer your public key to the server by typing:
It will ask you for the user's account password on the remote server as:
The authenticity of host '184.108.40.206 (220.127.116.11)' can't be established.
ECDSA key fingerprint is 4a:dd:0a:c6:35:4e:3f:ed:27:38:8c:74:44:4d:93:67.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
email@example.com's password:
After entering the password, the user's public key will be appended to the "~/.ssh/authorized_keys" file on the remote server:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'firstname.lastname@example.org'"
and check to make sure that only the key(s) you wanted were added.
Now you can log into that account without a password by typing:
2. Without using ssh-copy-id
If you do not have ssh-copy-id available, but have password-based SSH access to the server, you can copy the contents of your public key a different way:
cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
This ensures that the "~/.ssh" directory exists on the remote server and appends the contents of your public key to the "~/.ssh/authorized_keys" file. Note that sshd ignores the file if "~/.ssh" or "authorized_keys" is writable by other users, so check that their permissions are 700 and 600 respectively. As soon as your public key is in place on the remote server, you can log into your account on the remote server just as in the previous method.
3. Copying the public key manually
If you don't have password-based access to the remote server, you have to enter your public key manually. You can find the contents of your public key by typing:
You can then paste the contents that appear on the screen into your remote server's "~/.ssh/authorized_keys" file.
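The fingerprint fields described earlier and the append-to-authorized_keys step of the three methods above, as an added Python example (not code from the original post): it parses an OpenSSH public key line, derives the bit length and both fingerprint styles from the key blob, and appends the line to authorized_keys text only if that key is not already listed, which is the check ssh-copy-id does and a plain "cat >>" does not. The key produced by make_rsa_pubkey is a constructed sample for demonstration, not a real RSA key.

```python
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _mpint(x: int) -> bytes:
    """SSH mpint: big-endian magnitude with a leading 0x00 if the high bit is set."""
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + b if b and b[0] & 0x80 else b)

def make_rsa_pubkey(e: int, n: int, comment: str) -> str:
    """Build an 'ssh-rsa' key line from e and n (constructed values, not a real modulus)."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def parse_pubkey(line: str) -> dict:
    """Return key type, bit length, comment and the MD5 (colon) and SHA256 fingerprints."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    ktype, comment = parts[0], (parts[2].strip() if len(parts) == 3 else "")
    blob = base64.b64decode(parts[1], validate=True)
    fields, off = [], 0
    while off < len(blob):  # walk the length-prefixed fields of the blob
        (n,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    if not fields or fields[0] != ktype.encode():
        raise ValueError("key type inside the blob does not match the prefix")
    # ssh-rsa blob fields are: type, exponent e, modulus n; the bit length is that of n.
    bits = int.from_bytes(fields[2], "big").bit_length() if ktype == "ssh-rsa" and len(fields) >= 3 else None
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": ktype, "bits": bits, "comment": comment,
            "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}

def add_authorized_key(existing: str, new_line: str) -> tuple:
    """Append new_line to authorized_keys text unless that key blob is already listed."""
    new_blob = new_line.split(None, 2)[1]
    for line in existing.splitlines():
        # Match on the base64 blob so lines with option prefixes or other comments still count.
        if not line.startswith("#") and new_blob in line.split():
            return existing, False
    sep = "" if existing == "" or existing.endswith("\n") else "\n"
    return existing + sep + new_line.strip() + "\n", True
```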
Connecting to the remote server
As soon as you have copied your public key into the file named above, you can log into your account and connect to your remote server.
If you have the same username on your local machine and on your remote server, then you can connect using:
And if your username is different, you also have to give the username of your account on the remote server by typing:
If you are logging in to the remote server for the first time, you will see a message like this:
The authenticity of host '18.104.22.168 (22.214.171.124)' can't be established.
ECDSA key fingerprint is 4a:dd:0a:c6:35:4e:3f:ed:27:38:8c:74:44:4d:93:67.
Are you sure you want to continue connecting (yes/no)? yes
Before typing "yes", compare the fingerprint with one you obtained from the server's administrator through another channel; once accepted, ssh remembers the host key in ~/.ssh/known_hosts and warns you if it ever changes. Type "yes" and then ENTER. If you are using password authentication, you will be asked to enter the password; if you are using SSH keys, it will prompt you for the passphrase if you set one, else it will log you in directly.
Concept of the SSH agent
If you have set a passphrase to protect your private key, you will be prompted to enter it every time you log into the remote server. So, to avoid this tiresome work, the SSH agent is used. It holds your decrypted private key in memory after you have entered the passphrase once. It stays active throughout your session and allows you to connect in future without re-entering the passphrase.
To start an SSH agent you need to type:
eval $(ssh-agent)
Agent pid 10891
This will start the SSH agent in the background. Now you need to add your key to the agent; you can do this by typing:
Then it will ask you to enter the passphrase. Just enter your passphrase and then you are good to go:
Enter passphrase for /home/demo/.ssh/id_rsa:
Identity added: /home/demo/.ssh/id_rsa (/home/demo/.ssh/id_rsa)
With this, this blog has come to an end. I hope this was useful. Well, this is not the end with SSH; there is a lot more to explore. I'll be updating you with it. Meet you in the next blog.