Secure Shell connects a client with a server over the network (TCP port 22 by default). A typical application is opening a console and logging into a remote machine.
The server configuration is in /etc/ssh/sshd_config
Different ways of authentication are supported:
Login via user name and password. It takes place after an encrypted connection has been established, so password and user name are transmitted encrypted.
SSH keys
Typing in passwords all the time is not the safest way. Safer and more convenient is using private and public keys.
There is the client program ssh whereas on the other end the sshd server daemon has to run.
The host can add the client's key with cat <client_id_rsa.pub> >> ~/.ssh/authorized_keys
Obviously the file needs to be transferred from the client to the server somehow for this command. It can be done via a USB stick.
Login is then possible via the key pair and does not require manually typing in user name and password for authentication.
The private key of the client is kept hidden, whereas the public key must be given to the server.
It might be that the ssh client has no keys yet. ssh-keygen run as regular user creates the keys and stores them in ~/.ssh
Additionally an optional passphrase can be entered. The public key is ~/.ssh/id_rsa.pub
and the private key is ~/.ssh/id_rsa
The public key in ~/.ssh/id_rsa.pub
starts with the type of key and ends with user name and host name.
RSA is not the only option; the key can also be called ~/.ssh/id_ed25519
Since host names instead of IP addresses can appear in the public key files, the server involved needs to know those host names, so edit /etc/hosts
on the server.
If an ssh connection using password login is possible, then the key of the client can be copied over the network with:
ssh-copy-id <ssh server name or IP>
or
ssh-copy-id <user name>@<ssh server name or IP>
After the connection has been made the first time, ~/.ssh/authorized_keys
on the server will get an entry holding <user name>@<client>
and the public key.
To make it even safer, a passphrase can be entered when generating the keys with ssh-keygen. The private key can then only be used together with the passphrase.
The drawback is that the passphrase must be entered each time the private key is required.
The ssh-agent daemon and the keychain program make handling of the passphrase easier.
The fingerprint is a hash of id_rsa.pub
and is shown when generating the key with ssh-keygen. It can also be recalculated with ssh-keygen -lf ~/.ssh/id_rsa.pub or ssh-keygen -lf <someone's id_rsa.pub>
ssh-keyscan -t rsa <host>
gives the public key of the host, if one exists.
ssh-keyscan -t rsa oldraspi | ssh-keygen -lf - pipes the public key (if it exists) into ssh-keygen and therefore creates a fingerprint that can then be compared with the expected one.
To make the comparison easier for human beings there is a randomart image showing the fingerprint when doing ssh-keygen or ssh-keygen -lv -f id_rsa.pub
The fingerprint is used to verify that a public key really belongs to the expected owner without requiring the private key for it. The private key can stay private; the fingerprint is used instead. It can therefore be used to detect man-in-the-middle attacks.
When using ssh for a new connection, the user is asked to accept the host key. ssh cannot know whether there is a man in the middle and therefore passes the decision to the user, so the user might step into the trap.
Under Gentoo, the server ssh daemon sshd is already installed on the computer.
/etc/init.d/sshd start
brings it alive,
or to bring it alive at every boot type rc-update add sshd default.
To copy a file from the local machine to a remote machine you can type
scp <path and file on the local machine> <user or root>@<ip address or host name of remote machine>:<path on the remote machine>
There are different authentication possibilities in ssh, which have different levels of security:
Secure password authentication (default)
RSA (Rivest, Shamir, Adleman = 3 mathematicians) authentication (ssh version 1)
DSA (Digital Signature Algorithm) (ssh version 2)
RSA and DSA use two keys:
a public key to encrypt the local message before it is sent
a private key to decrypt the message on the remote machine
The private key has to be stored secretly and might be stored encrypted on the local machine's hard disk.
The public key will be copied to the remote machine.
Much of the following, including the keys, is done by the command /etc/init.d/sshd start
or at boot once rc-update add sshd default has been made.
/etc/ssh
holds the configuration data.
To connect to the remote machine, type into the console:
ssh 192.168.1.34
or
ssh <username>@192.168.1.34
then the keys are exchanged and you have to log in.
To copy a file from a remote machine to the local machine you can type
scp <user or root>@<ip address or host name of remote machine>:<path on the remote machine> <path and file on the local machine>
The console changes its prompt and is ready to go.
The command exit quits.
sftp is the ssh version of ftp.
ssh username@machine gets it running.
scp ~/.ssh/identity.pub username@machine copies the public key over in a safe way.
ssh username@machine opens the console of the remote machine.
The sshd (daemon) can be added to the boot scripts using rc-update. The configuration files are in /etc/ssh
and the init script is in /etc/init.d
If you get
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:xst06A5oYmr2KleaFzpE8rCVQ672301cYJ6blFoYN0E.
Please contact your system administrator.
Add correct host key in /home/lindegur/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/lindegur/.ssh/known_hosts:6
ECDSA host key for 192.168.1.131 has changed and you have requested strict checking.
Host key verification failed.
and you are sure that nothing is wrong (the new fingerprint matches the one expected from the server, compare it as described above with ssh-keyscan), then delete the offending entry (here line 6) from ~/.ssh/known_hosts
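As an added example (not code from this page), the fingerprint comparison described above and the known_hosts check behind the warning, in Python: it computes the SHA256 fingerprint the way ssh-keygen -lf prints it (base64 of the SHA-256 hash of the decoded key blob, padding stripped) and compares the stored host key with a fingerprint obtained out of band. The ed25519 key and the known_hosts contents are constructed for the example, not real keys.

```python
import base64
import hashlib

def parse_pubkey(line):
    """Split an OpenSSH public-key line into (key type, decoded blob, comment).
    The line starts with the key type and ends with a comment (user@host by
    default, as in id_rsa.pub); only the middle base64 field is hashed."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    comment = parts[2].strip() if len(parts) == 3 else ""
    # The blob starts with a length-prefixed copy of the key type; it must agree.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type in blob does not match first field")
    return key_type, blob, comment

def sha256_fingerprint(blob):
    """Fingerprint as ssh-keygen -lf prints it: SHA256:<base64 of the hash, '=' stripped>."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def check_host_key(known_hosts, host, expected_fp):
    """Compare the plain (unhashed) known_hosts entries for host with expected_fp.
    Returns "ok" if one matches, "mismatch" if entries exist but none match (the
    case behind REMOTE HOST IDENTIFICATION HAS CHANGED) and "unknown" if none exist."""
    found = False
    for line in known_hosts.splitlines():
        fields = line.split(None, 1)
        if len(fields) != 2 or fields[0][0] in "#@|":
            continue  # blank, comment, @-marker or hashed (|1|) host name
        if host in fields[0].split(","):
            found = True
            if sha256_fingerprint(parse_pubkey(fields[1])[1]) == expected_fp:
                return "ok"
    return "mismatch" if found else "unknown"

def _blob(key_type, key_bytes):
    """Minimal OpenSSH wire-format blob (length-prefixed strings) for a constructed key."""
    out = b""
    for field in (key_type.encode(), key_bytes):
        out += len(field).to_bytes(4, "big") + field
    return out

# Constructed sample data: a fake ed25519 key and a known_hosts file naming two hosts.
SAMPLE_KEY = "ssh-ed25519 %s user@client" % base64.b64encode(_blob("ssh-ed25519", bytes(range(32)))).decode()
SAMPLE_KNOWN_HOSTS = "# constructed\n192.168.1.131,oldraspi " + SAMPLE_KEY.rsplit(" ", 1)[0] + "\n"

if __name__ == "__main__":
    key_type, blob, comment = parse_pubkey(SAMPLE_KEY)
    fp = sha256_fingerprint(blob)
    print(key_type, comment, fp, check_host_key(SAMPLE_KNOWN_HOSTS, "oldraspi", fp))
```

Run against a real key file, the fingerprint printed equals the one from ssh-keygen -lf, so the expected value can be written down on the server and checked on the client before accepting or replacing a known_hosts entry.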
As a Windows client, get PuTTY from https://www.putty.org/ and select SSH using port 22.