ssh tutorial

Introduction

SSH is a secure protocol used as a means of connecting to Linux servers remotely. It provides a text-based interface by opening a remote shell. After connecting, all commands you type in your local terminal are sent to the remote server and executed there.

This guide, we will cover some common ways of setting up and connecting with SSH. This can be used as a quick reference when you need to know how to do connect to or configure your server in different ways

Overview

Items that will be covered

1. Generating and working with keys
   
   • Determine current keys in use
   • Generating a set of keys
   • Adding/Changing/Removing key passphrase
2. Copying your keys to a server
   
   • Using ssh-copy-id
   • Without ssh-copy-id
   • Manually transferring your keys
3. Client Side Configuration
   
   • The /home/user/config file
4. Server Side Configuration
   • disable password authentication
   • disable root access
5. Upgrading / Replacing Keys
6. Advanced Commands

1. Generating and working with keys

Before generating a new set of keys you should determine your currently active keys, do this with the command:

for keyfile in ~/.ssh/id_*; do ssh-keygen -l -f "${keyfile}"; done | uniq

• DSA or RSA 1024 bits: Deprecated – update.
• RSA 2048: Older cipher recommended to upgrade.
• RSA 3072/4096: Use if ed25519 is not available on server.
• ECDSA: Recommended change. (Probably compromised by the NSA)
• Ed25519: Elliptic curve fast and strong – Recommended.

If you already have a key then you can skip the key generation for now.  below you can find information on upgrading your keys to more secure cyphers.

If you do not already have a set of keys then you will have to generate some.  First we will generate a set of RSA keys.  The reason for generating RSA keys is that some servers do not support the use of ed25519 elliptic curve and we can generate a set of those after we establish a connection to the server and then upgrade the keys.

The default RSA keys are 2048 by default (1024 having been deprecated) you can generate a new key pair with the command:

ssh-keygen

or generate an RSA key with more bits!

ssh-keygen -b 4096

You will be given several options for your new keys:

Generating public/private key pair.
Enter file in which to save the key (home/demo/.ssh/id_rsa):

This will allow you to choose the location to store your RSA key.  Press ENTER to use the default .ssh hidden directory in your user’s home directory, this will allow your SSH client to find the keys automatically.

Enter passphrase (empty for no passphrase):
Enter same passphrase again:

If your keys are on a computer such as a work computer that others may have access to you will want to protect your keys with a passphrase. This can be done when generating the keys. You also have the option of changing or removing the passphrase later.  This is done with the -p switch

ssh-keygen -p

Enter file in which the key is (/root/.ssh/id_rsa):

press ENTER to accept the default or path to key

Enter old passphrase:

Enter new passphrase (empty for no passphrase): 
Enter same passphrase again:

If you skipped step Step one above you will be asked if you want to overwrite the current key.  If you choose “yes” your previous key will be overwritten and you will no longer be able to log into servers using that key.  PROCEED WITH CAUTION.

Overwrite (y/n)?

Copying your keys to a server

Using ssh-copy-id (difficultly level 0)

If you are currently connecting to a server using password authentication copying your keys to the server is a simple procedure.

ssh-copy-id username@remote_host

You will be prompted for your password, after successful authentication the contents of your ~/.ssh/id_rsa.pub key will be appended to the end of the users ~/.ssh/authorized_keys file AUTOMAGICALLY!

The system will then log you out and ask you to log back in with your new keys:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'username@remote_IP_host'"
and check to make sure that only the key(s) you wanted were added.

log back in with the command:

ssh username@remote_IP_host

Not using ssh-copy-id (difficulty level 1)

If you do not have the ssh-copy-id utility available, but still have password-based SSH access to the remote server, you can copy the contents of your public key in a different way.

You can output the contents of the key and pipe it into the ssh command. On the remote side, you can ensure that the ~/.ssh directory exists, and then append the piped contents into the ~/.ssh/authorized_keys file:

cat ~/.ssh/id_rsa.pub | ssh username@remote_IP_host "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

This is exactly the same as using ssh-copy-idin case that utility is not available.  The final option for moving your keys in to do it manually

Manually installing keys (difficulty level > 1)

On your local machine, find the contents of your public key file:

cat ~/.ssh/id_rsa.pub

Output will look like this:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqql6MzstZYh1TmWWv11q5O3pISj2ZFl9HgH1JLknLLx44+tXfJ7mIrKNxOOwxIxvcBF8PXSYvobFYEZjGIVCEAjrUzLiIxbyCoxVyle7Q+bqgZ8SeeM8wzytsY+dVGcBxF6N4JS+zVk5eMcV385gG3Y6ON3EG112n6d+SMXY0OEBIcO6x+PnUSGHrSgpBgX7Ks1r7xqFa7heJLLt2wWwkARptX7udSq05paBhcpB0pHtA1Rfz3K2B+ZVIpSDfki9UVKzT8JUmwW6NNzSgxUfQHGwnW7kj4jp4AT0VZk3ADw497M2G/12N0PPB5CnhHf7ovgy6nL1ikrygTKRFmNZISvAcywB9GVqNAVE+ZHDSCuURNsAInVzgYo9xgJDW8wUw2o8U77+xiFxgI5QSZX3Iq7YLMgeksaO4rBJEa54k8m5wEiEE1nUhLuJ0X/vh2xPff6SQ1BL/zkOhvJCACK6Vb15mDOeCSq54Cr7kvS46itMosi/uS66+PujOO+xt/2FWYepz6ZlN70bRly57Q06J+ZJoc9FfBCbCyYH7U/ASsmY095ywPsBo1XQ9PqhnN1/YOorJ068foQDNVpm146mUpILVxmq41Cj55YKHEazXGsdBIbXWhcrRf4G2fJLRcGUr9q8/lERo9oxRm5JFX6TCmj6kmiFqv+Ow9gI0x8GvaQ== username@localhost

You can copy this value, and manually paste it into the appropriate location on the remote server.  Add it to the end of your ~/.ssh/authorized_keys file either by opening it with a text editor or by appending it to the file with a command like:

echo public_key_string >> ~/.ssh/authorized_keys

You should now be able to log into the server by typing:

ssh username@remote_IP_host

Client Side Configuration

The first thing you should do now that you can connect to the server is setup some client side customizations to make connecting a little easier.  First create or edit this file on your local (client) computer:

~/.ssh/config

Add configuration settings like this:

Host testhost
    HostName remote_IP_hostname
    Port 4444
    User demo

You can now connect by simply typing:

ssh testhost

And you can find more configuration settings by typing:

man ssh_config

Server Side Configuration

There are a few things we should do on the server side in order to harden security, the first of which is disabling password authentication.  First log into the server and then edit the file:

/etc/ssh/sshd_config

Inside of the file, search for the PasswordAuthentication directive. If it is commented out, uncomment it. Set it to “no” to disable password logins:

PasswordAuthentication no

Disable root login:

PermitRootLogin no

You can change the port that ssh runs on.

#Port 22
Port 4444

Limit Users who can connect through SSH by username

AllowUsers user1 user2

Limit Users who can connect through SSH by group

AllowGroups sshmembers

Create the group:

sudo groupadd -r sshmembers

Add user accounts to the group:

sudo usermod -a -G sshmembers user1
sudo usermod -a -G sshmembers user2

Restart the  SSH daemon for changes to go into effect:

sudo service ssh restart

5. Upgrading / Replacing Keys

SSH clients can handle multiple keys so upgrading the RSA key to either a stronger bit length (2048/4096 bits) or to a stronger cipher Ed25519 is relatively simple.

Back up your current RSA key and generate a 4096 bit key with 100 bcrypt KDF rounds:

mv ~/.ssh/id_rsa ~/.ssh/id_rsa_legacy
mv ~/.ssh/id_rsa.pub ~/.ssh/id_rsa_legacy.pub
ssh-keygen -t rsa -b 4096 -o -a 100

Let’s go ahead and generate an ED25519 key as well, your SSH client will use this if possible.

ssh-keygen -o -a 100 -t ed25519

Advanced Commands

This could probably be more accurately title other/more commands.  If you have succesfully made it this far down this document, you could probably figure out whatever else you want on your own but here is a list of at least useful commands you can do in SSH.

Test that passwords have been disabled: If password authentication has been turned off you will not be able to log in this way.

ssh router -o PubKeyAuthentication=no

Switch between SSH sessions: While connected to a server.

~[ctrl-z]
[1]+  Stopped                 ssh remote_IP_hostname

to list the current sessions or jobs that are running type:

jobs

to reconnect to a job:  fg and the number

fg 2