Secure Shell (ssh) is used to log in to another computer over the network and work in its console. It is similar to telnet and rsh but safer. telnet is easy to use, but the user name and password required to log in are sent in cleartext, so anyone who can sniff the traffic can read them. That is already a risk on a shared LAN and obviously too dangerous over the Internet.
Login is possible via password and/or keys. With password login the password is only sent after the encrypted connection has been set up, so user name and password cannot be read on the wire.
The other authentication method, which does not require typing in a user name and password, uses a key pair: a public key and a private key. Often you end up typing a passphrase instead, which unlocks the private key. The private key is kept secret on the client machine, whereas the public key is given to every ssh server you want to log in to.
ssh-keygen creates the key pair and stores it in ~/.ssh
Additionally a passphrase needs to be entered; it encrypts the private key on disk, so a stolen key file alone is not enough to log in.
Later during use some pop-up window asks for the password, but it means the passphrase.
The public key is ~/.ssh/id_rsa.pub
and the private key is ~/.ssh/id_rsa. A key made with ssh-keygen -t ed25519 is stored as ~/.ssh/id_ed25519 and ~/.ssh/id_ed25519.pub instead; that is the type to prefer today.
To log in at the ssh server without a password the public key id_rsa.pub must be known to the ssh server. How depends on the ssh server implementation; with OpenSSH it is done by appending the client's public key to the file ~/.ssh/authorized_keys in the home directory of the account on the server:
cat id_rsa.pub >> ~/.ssh/authorized_keys
Obviously the file needs to be transferred from the client to the server somehow. In the simplest case this is done via a USB stick. A more elegant way is to copy it over an ssh connection that is already authorized by password, for example with ssh-copy-id. sshd silently ignores the key if ~/.ssh or authorized_keys is writable by others (StrictModes), so ~/.ssh should be mode 700 and authorized_keys mode 600.
After a connection has been made the first time, ~/.ssh/known_hosts
gets an entry holding the address and the public host key of the server. On that first connection ssh shows the server's fingerprint and asks whether to trust it; that is the moment to compare it with a fingerprint obtained out of band, because everything later relies on this entry.
There is the client program ssh, whereas on the other end the sshd server daemon has to run.
Under Gentoo the ssh server daemon sshd is already installed on the computer;
/etc/init.d/sshd start
brings it alive and, the first time, generates the host keys:
* Generating Hostkey...
Generating public/private rsa1 key pair.
Your identification has been saved in /etc/ssh/ssh_host_key.
Your public key has been saved in /etc/ssh/ssh_host_key.pub.
The key fingerprint is:
09:30:4b:8c:7c:b6:c9:57:da:d4:73:35:98:f2:a4:ab root@geode
* Generating DSA-Hostkey...
Generating public/private dsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_dsa_key.
Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub.
The key fingerprint is:
54:84:b5:06:16:c2:c1:6f:e7:ae:ad:25:a1:00:24:ec root@geode
* Generating RSA-Hostkey...
Generating public/private rsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
aa:30:45:f3:86:22:15:a3:2d:d6:ac:7e:21:23:6d:a9 root@geode
* Starting sshd ...
To start it at every boot type rc-update add sshd default. The rsa1 key in the output above (ssh_host_key) belongs to SSH protocol 1, which is obsolete and no longer supported by current OpenSSH; only the protocol 2 host keys matter, and newer versions generate ECDSA and Ed25519 host keys as well.
To copy a file from the local machine to a remote machine you can type
scp <path and file on the local machine> <user or root>@<ip address or host name of remote machine>:<path on the remote machine>
There are different authentication possibilities in ssh, with different levels of security:
Password authentication over the encrypted channel (default)
RSA (Rivest, Shamir, Adleman) public key authentication (the only key type in ssh protocol 1, also available in protocol 2)
DSA (Digital Signature Algorithm) public key authentication (ssh protocol 2 only; disabled by default in OpenSSH since 7.0 because of its fixed 1024-bit size, so use RSA or Ed25519 instead)
RSA and DSA use two keys:
a private key, kept on the local machine, which signs a challenge sent by the remote machine
a public key, stored on the remote machine, which verifies that signature; the private key never leaves the local machine
The private key has to be stored secretly and should be stored encrypted on the local machine's hard disk; the passphrase is used to encrypt it.
The public key is copied to the remote machine.
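Once key login works, the usual next step is to turn off password login in sshd_config so that the weaker method is no longer offered. As an added example (not from the original page), here is a small shell script that makes that switch. The config fragment it edits is constructed for the demo; the option names are the real sshd_config ones.

```shell
#!/bin/sh
# Added example (not part of the original page): switching a server from the
# default password login to key-only login by editing sshd_config in place.
# The file used in the demo is a constructed fragment, not a real system file.

# set_sshd_option CONFIG KEY VALUE
# Sets KEY to VALUE in the global section of CONFIG: the first existing line
# for KEY (commented out or not) is replaced and further copies are dropped;
# if there is none, the option is inserted before the first Match block, since
# anything after "Match" applies only to the matched users or hosts.
# Caveat: sshd uses the first value it reads for an option, so if the file
# starts with an Include directive the included files win over this one.
set_sshd_option() {
    so_cfg="$1"; so_tmp="$1.tmp"
    awk -v k="$2" -v v="$3" '
        function keyof(line,   t, f) {
            t = line
            sub(/^[ \t]*#?[ \t]*/, "", t)
            split(t, f, /[ \t=]+/)
            return tolower(f[1])
        }
        !done && tolower($1) == "match" { print k " " v; done = 1 }
        !inmatch && keyof($0) == tolower(k) {
            if (!done) { print k " " v; done = 1 }
            next
        }
        tolower($1) == "match" { inmatch = 1 }
        { print }
        END { if (!done) print k " " v }
    ' "$so_cfg" > "$so_tmp" && cat "$so_tmp" > "$so_cfg" && rm -f "$so_tmp"
}

# get_sshd_option CONFIG KEY: prints the effective global value of KEY
# (first uncommented occurrence before any Match block); empty if unset,
# which means the compiled-in default applies.
get_sshd_option() {
    awk -v k="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# harden_sshd CONFIG
# The usual lockdown once key login has been verified to work: keys on,
# passwords off, root only with a key. Do this from a session that stays open,
# and test key login in a second session before restarting sshd.
harden_sshd() {
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PermitRootLogin prohibit-password
}

# apply_sshd_config: syntax check, then restart via the Gentoo init script.
# Needs root and a real sshd, so the offline demo below does not call it.
apply_sshd_config() {
    sshd -t -f /etc/ssh/sshd_config && /etc/init.d/sshd restart
}

# Offline demo on a constructed fragment that mimics a stock sshd_config,
# including a Match block whose own override must survive untouched.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# constructed sshd_config fragment
#PasswordAuthentication yes
PermitRootLogin yes
Match User backup
    PasswordAuthentication yes
EOF
echo "before: PasswordAuthentication='$(get_sshd_option "$demo_cfg" PasswordAuthentication)' (empty = default, yes)"
harden_sshd "$demo_cfg"
echo "after:  PasswordAuthentication='$(get_sshd_option "$demo_cfg" PasswordAuthentication)'"
cat "$demo_cfg"
rm -f "$demo_cfg"
```

The Match block keeps its own PasswordAuthentication yes line, so the backup user in the demo can still log in with a password while everyone else needs a key; that is the intended semantics of Match, not a bug.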
The host keys of the server (not the user keys described above) are generated by the command /etc/init.d/sshd start,
or at boot once rc-update add sshd default has been done.
~/.ssh/known_hosts
holds the public host keys (and thus the fingerprints) of every server you have connected to; ssh-keygen -lf ~/.ssh/known_hosts lists them as fingerprints.
/etc/ssh
holds the configuration data: ssh_config for the client, sshd_config for the server, and the server's host keys.
On the local machine (the client) type into the console:
ssh 192.168.1.34
which logs in with the same user name as locally, or
ssh <username>@192.168.1.34
Then the host key is checked against ~/.ssh/known_hosts (the first time it is shown and you are asked to confirm it), the session keys are negotiated and you have to log in.
To copy a file from a remote machine to the local machine you can type
scp <user or root>@<ip address or host name of remote machine>:<path on the remote machine> <path and file on the local machine>
The console changes its prompt and it is ready to go.
The command exit quits.
sftp is the ssh version of ftp.
The steps for key login, in short:
ssh username@machine logs in, for now with the password.
scp ~/.ssh/id_rsa.pub username@machine: copies the public key over in a safe way (identity.pub was the name of the old protocol 1 key; note the colon, without it scp writes a local file called username@machine). On the remote machine it still has to be appended to ~/.ssh/authorized_keys.
ssh username@machine opens the console of the remote machine.
If next time ssh username@machine asks for the passphrase instead of the password, public key authentication is working.
The ssh-agent daemon and the keychain program make this easier: the passphrase is typed once per session and the agent answers the challenges from then on.
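The key installation described above (ssh-keygen, appending id_rsa.pub to authorized_keys, and the scp step in the list just above), as an added shell example that is not part of the original page. The home directory, file names and the key blob in the demo are constructed; push_key assumes a reachable server and an account that still accepts the password.

```shell
#!/bin/sh
# Added example (not part of the original page): installing a client's public
# key on a server the way ssh-copy-id does it, idempotently and with the file
# modes sshd's StrictModes insists on (~/.ssh 700, authorized_keys 600).
# All paths and the sample key in the demo are constructed for illustration.

# install_pubkey HOMEDIR PUBKEY_FILE
# Appends the key from PUBKEY_FILE to HOMEDIR/.ssh/authorized_keys unless the
# same key blob is already there. Exit status 0 = added, 1 = already present.
install_pubkey() {
    ik_home="$1"; ik_pub="$2"
    ik_dir="$ik_home/.ssh"
    ik_auth="$ik_dir/authorized_keys"
    mkdir -p "$ik_dir" && chmod 700 "$ik_dir"
    touch "$ik_auth" && chmod 600 "$ik_auth"
    # Compare on the base64 key blob (field 2), not the whole line, so the same
    # key with a different "user@host" comment is not appended a second time.
    ik_blob=$(awk 'NR == 1 { print $2 }' "$ik_pub")
    if grep -qF -- "$ik_blob" "$ik_auth"; then
        return 1
    fi
    cat "$ik_pub" >> "$ik_auth"
    return 0
}

# count_keys HOMEDIR: number of lines (keys) in HOMEDIR/.ssh/authorized_keys.
count_keys() {
    grep -c '' "$1/.ssh/authorized_keys"
}

# push_key USER@HOST PUBKEY_FILE
# The same operation against a remote server, over a login that still works
# with a password. umask 077 gives the directory 700 and the file 600 when
# they are created. Equivalent to: ssh-copy-id -i PUBKEY_FILE USER@HOST
# Needs a reachable server, so the offline demo below does not call it.
push_key() {
    ssh "$1" 'umask 077; mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys' < "$2"
}

# Offline demo on a throw-away home directory.
demo=$(mktemp -d)
# Constructed sample key; the blob is not a real key.
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedDemoKeyNotARealKey0000 user@client\n' > "$demo/id_ed25519.pub"
install_pubkey "$demo/home" "$demo/id_ed25519.pub" && echo "key added"
install_pubkey "$demo/home" "$demo/id_ed25519.pub" || echo "key already present, not duplicated"
echo "keys in authorized_keys: $(count_keys "$demo/home")"
ls -ld "$demo/home/.ssh" "$demo/home/.ssh/authorized_keys"
rm -rf "$demo"
```

After push_key (or the USB stick), run ls -ld ~/.ssh ~/.ssh/authorized_keys on the server: if either is group- or world-writable, sshd ignores the file and you are silently asked for the password again.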
The sshd daemon can be added to the boot scripts using rc-update. The configuration files are in /etc/ssh and the init script is in /etc/init.d.
If you get

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:xst06A5oYmr2KleaFzpE8rCVQ672301cYJ6blFoYN0E.
Please contact your system administrator.
Add correct host key in /home/lindegur/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/lindegur/.ssh/known_hosts:6
ECDSA host key for 192.168.1.131 has changed and you have requested strict checking.
Host key verification failed.

then first find out why. Compare the fingerprint in the message with the one of the server's real key, obtained on the server's own console with ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub, or from the administrator over another channel. Only when they match and you know why the key changed (reinstall, regenerated host keys, the same IP address given to a different machine) delete the old entry in ~/.ssh/known_hosts: either line 6 as named in the message, or all entries for that host with ssh-keygen -R 192.168.1.131. The next connection then shows the new key and asks you to confirm it. Never just delete the entry to make the message go away; a man-in-the-middle is exactly the case the warning exists for.
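Handling the warning above without just wiping the line, as an added shell example that is not part of the original page. The known_hosts file in the demo is constructed and its key blobs are not real keys; verify_host_fingerprint assumes a server reachable with ssh-keyscan.

```shell
#!/bin/sh
# Added example (not part of the original page): dealing with a changed host
# key without blindly deleting known_hosts entries. The known_hosts file used
# in the demo is constructed; the key blobs in it are not real keys.

# awk helper shared below: host_hit(h) is 1 when the current line's host list
# (field 1, or field 2 after an @cert-authority / @revoked marker) contains h.
# Entries must match exactly, so a server on a non-default port is "[host]:port",
# just as ssh-keygen -R expects it.
kh_lib='
function host_hit(h,   hf, n, i, hosts) {
    hf = $1
    if (hf ~ /^@/) hf = $2
    n = split(hf, hosts, ",")
    for (i = 1; i <= n; i++) if (hosts[i] == h) return 1
    return 0
}
'

# known_host_count KNOWN_HOSTS HOST: number of plaintext entries for HOST.
known_host_count() {
    awk -v h="$2" "$kh_lib"'
        /^[ \t]*(#|$)/ { next }
        host_hit(h) { c++ }
        END { print c + 0 }
    ' "$1"
}

# forget_host_key KNOWN_HOSTS HOST
# Removes every plaintext entry for HOST, which is what ssh-keygen -R HOST does.
# Hashed entries (lines starting with |1|) cannot be matched without the HMAC
# salt logic and are left alone; use ssh-keygen -R for those.
forget_host_key() {
    fk_tmp="$1.tmp"
    awk -v h="$2" "$kh_lib"'
        /^[ \t]*(#|$)/ { print; next }
        !host_hit(h) { print }
    ' "$1" > "$fk_tmp" && cat "$fk_tmp" > "$1" && rm -f "$fk_tmp"
}

# verify_host_fingerprint HOST EXPECTED
# Fetches the server's current ECDSA key and checks that its SHA256 fingerprint
# equals EXPECTED, the value obtained out of band (for example from
# "ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub" run on the server's console).
# Talks to the network, so the offline demo does not call it.
verify_host_fingerprint() {
    vf_tmp=$(mktemp)
    ssh-keyscan -t ecdsa "$1" > "$vf_tmp" 2>/dev/null
    ssh-keygen -lf "$vf_tmp" | grep -qF "$2"
    vf_rc=$?
    rm -f "$vf_tmp"
    return $vf_rc
}

# Offline demo: forget the stale entry for 192.168.1.131 only; the entry for
# the same address on port 2222, the geode entry and the hashed entry stay.
demo_kh=$(mktemp)
cat > "$demo_kh" <<'EOF'
# constructed known_hosts
192.168.1.131 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYConstructedNotARealKey
geode,192.168.1.34 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABConstructedNotARealKey
[192.168.1.131]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey
|1|ConstructedSalt=|ConstructedHash= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey
EOF
echo "entries for 192.168.1.131 before: $(known_host_count "$demo_kh" 192.168.1.131)"
forget_host_key "$demo_kh" 192.168.1.131
echo "entries for 192.168.1.131 after:  $(known_host_count "$demo_kh" 192.168.1.131)"
echo "entries for geode still there:    $(known_host_count "$demo_kh" geode)"
rm -f "$demo_kh"
```

In practice the order is: verify_host_fingerprint 192.168.1.131 SHA256:... with the fingerprint the administrator gave you; only if that succeeds, forget_host_key ~/.ssh/known_hosts 192.168.1.131 (or ssh-keygen -R) and reconnect.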