SSH

Secure Shell connects a client with a server over a TCP/IP network (typically Ethernet). A typical application is to open a console and log into a remote machine.

The server configuration is in /etc/ssh/sshd_config

Different ways of authentication are supported:

SSH keys

Typing in passwords all the time is not the safest way. Using a private and public key pair is both safer and more convenient.

The client program is ssh; on the other end the sshd server daemon has to be running.

The server gets the client's key with cat <client_>id_rsa.pub >> ~/.ssh/authorized_keys; obviously the file first has to be transferred somehow from the client to the server for this command, for example on a USB stick.

Login then works with the public key stored on the server and does not require typing in user name and password for authentication.

The private key of the client is kept hidden, whereas the public key must be given to the server.

It might be that the ssh client has no keys yet. Running ssh-keygen as regular user creates them and stores them in ~/.ssh; an optional passphrase can be entered as well. The public key is ~/.ssh/id_rsa.pub and the private key is ~/.ssh/id_rsa.

Note

The public key in ~/.ssh/id_rsa.pub starts with the type of key and ends with the user name and host name.

RSA is not the only key type; an Ed25519 key, for example, is called ~/.ssh/id_ed25519.

Important

Since host names rather than IP addresses can appear in the public key files, the server involved needs to know those host names, so edit /etc/hosts on the server.

If an ssh connection with password login is possible, the client's key can be copied over the network with:

ssh-copy-id <ssh server name or IP> or

ssh-copy-id <user name>@<ssh server name or IP>

After the first connection has been made, ~/.ssh/authorized_keys on the server gets an entry holding the public key and <user name>@<client>.
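The following shell script is an added example and not part of the original page: it does by hand what ssh-copy-id does at the far end, appending a client's public key to authorized_keys only if that key is not already there and setting the permissions sshd expects (with StrictModes, the default, sshd ignores an authorized_keys file that is group or world writable). The key line used at the bottom is constructed for the example and is not a real key; the function names are the example's own.

```sh
#!/bin/sh
# Added example: install a client's public key into a user's
# ~/.ssh/authorized_keys idempotently and with safe permissions.
# Nothing here touches the network; all paths are parameters.

# Accept only lines that look like an OpenSSH public key: a known key type,
# a base64 blob and an optional trailing comment. Returns 0 if valid.
is_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# Append public key line $1 to $2/.ssh/authorized_keys unless the same key
# (type and blob, ignoring the comment) is already present. Prints
# "installed" or "already present"; returns 1 for a malformed key line.
install_authorized_key() {
    key="$1"; home_dir="$2"
    is_pubkey_line "$key" || { echo "rejected: not a public key line" >&2; return 1; }
    ssh_dir="$home_dir/.ssh"
    auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    touch "$auth"
    # sshd (StrictModes) refuses keys from writable dirs/files: fix perms first
    chmod 700 "$ssh_dir"
    chmod 600 "$auth"
    # compare on type and blob only, so a changed comment is not a second key
    key_id=$(printf '%s\n' "$key" | awk '{print $1" "$2}')
    if awk -v id="$key_id" '($1" "$2)==id {found=1} END {exit !found}' "$auth"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$key" >> "$auth"
    echo "installed"
}

# Number of key lines in $1/.ssh/authorized_keys (comments and blanks excluded).
count_authorized_keys() {
    grep -cEv '^(#|$)' "$1/.ssh/authorized_keys" || true
}

# Constructed sample key for a stand-alone run (not a real key).
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENvbnN0cnVjdGVkRXhhbXBsZUtleU5vdFJlYWw lindegur@client'
demo_dir=$(mktemp -d)
install_authorized_key "$SAMPLE_KEY" "$demo_dir"   # prints "installed"
install_authorized_key "$SAMPLE_KEY" "$demo_dir"   # prints "already present"
```

Entries with a leading options field (command="..." and the like) are not recognised as duplicates by this comparison, because their first two fields are the option and the key type; that is the one simplification compared with ssh-copy-id.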

SSH Passphrase

To make it even safer, a passphrase can be entered when generating the keys with ssh-keygen. The private key can then only be used together with the passphrase.

The drawback is that the passphrase must be entered each time the private key is required.

The ssh-agent daemon and the keychain program make handling of the passphrase easier.

Fingerprint

The fingerprint is a hash of id_rsa.pub and is shown when generating the key with ssh-keygen. It can also be recalculated with ssh-keygen -lf ~/.ssh/id_rsa.pub or ssh-keygen -lf <someone's id_rsa.pub>.

ssh-keyscan -t rsa <host> prints the host's public key, if it exists.

ssh-keyscan -t rsa oldraspi | ssh-keygen -lf - pipes the public key (if it exists) into ssh-keygen, which produces a fingerprint that can then be compared with the expected one.

To make comparison easier for humans there is a randomart image of the fingerprint, shown when running ssh-keygen or ssh-keygen -lv -f id_rsa.pub.

It is used to check whether the public key really belongs to the expected party, without needing the private key for it: the private key can stay private and the fingerprint is used instead. It can therefore be used to detect man-in-the-middle attacks.

When ssh connects to a host for the first time, the user is asked to accept its key. ssh cannot know whether there is a man in the middle and therefore passes the decision to the user, so the user might step into the trap.
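The comparison described above can be scripted so that the decision is not left to a human looking at two hash strings. The script below is an added example, not from the original page: it reads the output of ssh-keygen -lf - (the end of the ssh-keyscan pipeline) and compares it with a fingerprint obtained out of band, for example read off the server's console with ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub. The host name oldraspi is the page's; the fingerprint values and the function name are constructed for the example.

```sh
#!/bin/sh
# Added example: pin a host key fingerprint and check what the host presents.
# Real usage (network):
#   ssh-keyscan -t ed25519 oldraspi 2>/dev/null | ssh-keygen -lf - \
#       | check_host_fingerprint SHA256:<pinned hash> ED25519 && ssh oldraspi
# The sample below stands in for that pipeline so the script runs offline.

# Reads "ssh-keygen -l" output on stdin and prints exactly one of
#   MATCH     a key of type $2 with fingerprint $1 was presented
#   MISMATCH  a key of type $2 was presented, but with another fingerprint
#   NOKEY     no key of that type arrived (host down, scan blocked, wrong type)
# Exit status is 0 only for MATCH, so the result can guard a scripted login.
check_host_fingerprint() {
    want="$1"; kt="($2)"   # ssh-keygen prints the type in parentheses, e.g. (ED25519)
    result=$(awk -v want="$want" -v kt="$kt" '
        $NF == kt { seen = 1; if ($2 == want) ok = 1 }
        END { if (ok) print "MATCH"; else if (seen) print "MISMATCH"; else print "NOKEY" }
    ')
    echo "$result"
    [ "$result" = "MATCH" ]
}

# Constructed sample of what "ssh-keyscan oldraspi | ssh-keygen -lf -" prints
# (two key types, made-up hashes; not a real host).
SAMPLE_SCAN='256 SHA256:Constructed0000000000000000000000000000000000 oldraspi (ED25519)
3072 SHA256:Constructed1111111111111111111111111111111111 oldraspi (RSA)'

# Stand-alone run: the pinned value matches the sample's Ed25519 key.
PINNED=SHA256:Constructed0000000000000000000000000000000000
printf '%s\n' "$SAMPLE_SCAN" | check_host_fingerprint "$PINNED" ED25519   # prints MATCH
```

Pinning one key type is enough; a man in the middle cannot present the pinned Ed25519 key without the server's private key, whatever other key types it offers. NOKEY is reported separately from MISMATCH because a missing answer (firewall, host down) needs a different reaction than a changed key.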

SSH Server

Under Gentoo, the ssh server daemon sshd is already installed on the computer.

/etc/init.d/sshd start

brings it alive

or, to bring it alive at every boot, type rc-update add sshd default.

To copy a file from the local machine to a remote machine you can type

scp <path and file on the local machine> <user or root>@<ip address or host name of remote machine>:<path on the remote machine>

There are different authentication methods in ssh, with different levels of security:

  1. Secure password authentication (default)

  2. RSA (Rivest, Shamir, Adleman, the three mathematicians who devised it) authentication (ssh version 1)

  3. DSA (Digital Signature Algorithm) (ssh version 2)

RSA and DSA use two keys:

  1. a public key to encrypt the message locally before it is sent

  2. a private key to decrypt the message on the remote machine

The private key has to be kept secret and can be stored encrypted on the local machine's hard disk.

The public key will be copied to the remote machine.

Much of the following, including generating the keys, is done by the command /etc/init.d/sshd start, or at boot once rc-update add sshd default has been run.

/etc/ssh holds the configuration data.
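Which of the authentication methods listed above sshd actually accepts is decided in /etc/ssh/sshd_config. The script below is an added example, not from the original page or from Gentoo: it reports the effective value of the relevant keywords and flags the weak settings (password login on, root login allowed, empty passwords allowed). It follows the sshd_config(5) rules that the first occurrence of a keyword wins and that unset keywords take the built-in defaults noted in the code; Match blocks are not evaluated, the scan simply stops at the first one. The two sample configurations it writes are constructed for the example and the function names are the example's own.

```sh
#!/bin/sh
# Added example: audit an sshd_config for the settings that control
# password versus key based login. Operates on a file given as argument,
# so it can be run against /etc/ssh/sshd_config or a copy of it.

# Print the effective value of keyword $2 in file $1, or default $3 if unset.
# sshd uses the first occurrence; "Key value" and "Key=value" are both valid.
sshd_effective() {
    file="$1"; kw="$2"; dflt="$3"
    val=$(awk -v kw="$kw" '
        /^[ \t]*#/ || NF == 0 { next }                 # comments and blank lines
        { line = $0; sub(/=/, " ", line); split(line, f) }
        tolower(f[1]) == "match" { exit }              # stop at the first Match block
        tolower(f[1]) == tolower(kw) { print f[2]; exit }
    ' "$file")
    printf '%s\n' "${val:-$dflt}"
}

# Prints "ok" and returns 0 when only key based login is possible and root
# cannot log in directly; otherwise prints each weak setting and returns 1.
# Defaults are those documented in sshd_config(5).
audit_sshd_config() {
    file="$1"; weak=0
    pw=$(sshd_effective "$file" PasswordAuthentication yes)
    pk=$(sshd_effective "$file" PubkeyAuthentication yes)
    root=$(sshd_effective "$file" PermitRootLogin prohibit-password)
    empty=$(sshd_effective "$file" PermitEmptyPasswords no)
    [ "$pw" = "no" ]     || { echo "weak: PasswordAuthentication $pw"; weak=1; }
    [ "$pk" = "yes" ]    || { echo "weak: PubkeyAuthentication $pk"; weak=1; }
    [ "$root" != "yes" ] || { echo "weak: PermitRootLogin $root"; weak=1; }
    [ "$empty" = "no" ]  || { echo "weak: PermitEmptyPasswords $empty"; weak=1; }
    [ "$weak" -eq 0 ] && echo "ok"
    return "$weak"
}

# Write two constructed sample configurations into directory $1:
# "weak" (password login, root login) and "hardened" (keys only, with a
# Match block that would re-enable passwords for one user, to show that
# the audit stops there).
make_sample_configs() {
    cat > "$1/weak" <<'EOF'
# constructed sample, not a real server's config
Port 22
PasswordAuthentication yes
PermitRootLogin yes
EOF
    cat > "$1/hardened" <<'EOF'
# constructed sample, not a real server's config
Port 22
PubkeyAuthentication yes
PasswordAuthentication=no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
EOF
}

demo_dir=$(mktemp -d)
make_sample_configs "$demo_dir"
audit_sshd_config "$demo_dir/weak" || true    # lists the two weak settings
audit_sshd_config "$demo_dir/hardened"        # prints ok
```

After turning PasswordAuthentication off, keep one working session open and test a fresh key based login from a second terminal before closing it; a typo in sshd_config on a remote machine otherwise locks you out.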

SSH Client

To reach the remote machine, type into the console:

ssh 192.168.1.34

or

ssh <username>@192.168.1.34

then the keys are exchanged and you have to log in. The console changes its prompt and is ready to go.

To copy a file from a remote machine to the local machine you can type

scp <user or root>@<ip address or host name of remote machine>:<path on the remote machine> <path and file on the local machine>

The command exit quits.

sftp is the ssh version of ftp.

sftp username@machine starts it.

scp ~/.ssh/identity.pub username@machine: copies the public key over in a safe way (note the trailing colon, which makes scp treat the target as a path on the remote machine).

ssh username@machine opens a console on the remote machine.

The sshd (daemon) can be added to the boot scripts using rc-update. The configuration files are in /etc/ssh and the init script is in /etc/init.d.

SSH troubles

If you get

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:xst06A5oYmr2KleaFzpE8rCVQ672301cYJ6blFoYN0E.
Please contact your system administrator.
Add correct host key in /home/lindegur/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/lindegur/.ssh/known_hosts:6
ECDSA host key for 192.168.1.131 has changed and you have requested strict checking.
Host key verification failed.

and you are sure that nothing is wrong (for example because the host was reinstalled and the fingerprint shown matches what its administrator reports), then delete the entry in ~/.ssh/known_hosts; the warning names the line, here known_hosts:6.
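Deleting the entry by hand is error prone when known_hosts is long, so here is an added example, not from the original page, that parses the file name, line number and presented fingerprint out of the saved warning text, keeps a backup and shows the removed line before dropping it. It handles a warning saved to a file (ssh host 2> warning.txt); ssh-keygen -R <host> removes entries by host name and is the built-in alternative. The known_hosts lines and the warning used in the stand-alone run are constructed for the example and are not the page's real keys; the function names are the example's own.

```sh
#!/bin/sh
# Added example: controlled removal of the offending known_hosts entry named
# in a "REMOTE HOST IDENTIFICATION HAS CHANGED" warning.

# Reads the warning on stdin; prints "<file> <line>" taken from the line
# "Offending <TYPE> key in <file>:<n>". Prints nothing if absent.
offending_entry() {
    sed -n 's/^Offending .* key in \(.*\):\([0-9][0-9]*\)$/\1 \2/p'
}

# Reads the warning on stdin; prints the SHA256 fingerprint the host
# presented, so it can be checked out of band before anything is deleted.
presented_fingerprint() {
    sed -n 's|.*\(SHA256:[A-Za-z0-9+/]*\).*|\1|p'
}

# Remove line $2 from known_hosts file $1 after saving a copy as $1.bak.
# Prints the removed line (the old key) so it stays available for comparison.
# sed -i is not portable, hence the copy-and-rewrite.
drop_known_host_line() {
    file="$1"; n="$2"
    cp "$file" "$file.bak"
    sed -n "${n}p" "$file"
    sed "${n}d" "$file.bak" > "$file"
}

# $1: file holding the warning ssh printed. Returns 1 if no entry is named.
handle_changed_host_key() {
    entry=$(offending_entry < "$1")
    [ -n "$entry" ] || { echo "no offending entry found in warning" >&2; return 1; }
    file=${entry% *}; line=${entry##* }
    echo "host now presents: $(presented_fingerprint < "$1")"
    echo "removing $file line $line:"
    drop_known_host_line "$file" "$line"
}

# Constructed sample for a stand-alone run: a seven line known_hosts and a
# warning in the same wording ssh uses (made-up keys and fingerprint).
make_sample() {
    printf 'h1 ssh-ed25519 AAAA1\nh2 ssh-ed25519 AAAA2\nh3 ssh-rsa AAAA3\nh4 ssh-rsa AAAA4\nh5 ssh-ed25519 AAAA5\n192.168.1.131 ecdsa-sha2-nistp256 AAAAConstructedOldKey\nh7 ssh-rsa AAAA7\n' > "$1/known_hosts"
    printf 'The fingerprint for the ECDSA key sent by the remote host is\nSHA256:ConstructedNewFingerprint.\nOffending ECDSA key in %s/known_hosts:6\nHost key verification failed.\n' "$1" > "$1/warning.txt"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
handle_changed_host_key "$demo_dir/warning.txt"
```

Removing the line only silences the warning; on the next connection ssh asks to accept the new key, and that is the moment to compare the fingerprint it shows with one obtained from the server itself rather than with the one in the warning.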

SSH and Windows

Get PuTTY from https://www.putty.org/ and select SSH, which uses port 22.
