A Comprehensive Guide to SSH

Andrei Maksimov

This SSH guide continues our Linux article series and covers many helpful SSH features and tricks to improve your daily productivity. The article describes SSH setup, configuration file management, SSH authentication, using multiple SSH keys, and SSH local and remote port forwarding. Become an SSH master in less than 10 minutes!

What Is SSH

SSH, or secure shell, is a network protocol used to secure communication between devices in the network. It uses a public-key cryptography system to encrypt data being sent over the network. Secure shell protocol is often used to log into remote servers and transfer files between devices. It can also be used to secure other types of network traffic, such as email, web, or FTP. SSH is an important tool for securing communications and should be used whenever possible. In addition to encrypting data, a secure shell protocol can also be used to verify the authenticity of the remote computers that are communicating with each other. This verification process helps to prevent man-in-the-middle attacks, in which a third party intercepts and modifies data as it is being transmitted. By using a secure shell protocol, users can rest assured that their data is safe from eavesdroppers and hackers.

When you establish an SSH connection, the remote server starts a shell session for you. After that, you can type the commands in your SSH client to execute them on the remote server.

System administrators use this protocol to connect and manage remote Linux servers securely.

How Does SSH Work

As a classic network application, SSH consists of two parts:

  • SSH client – an application you install on the computer you will use to connect to the network’s Linux-based computer. The client establishes an encrypted connection between your computer and the remote computer.
  • SSH server (or SSH daemon) – a server application listening on TCP/IP port 22 for the client connections. If the client provides the correct credentials, the server creates a new user session and allows you to execute remote commands.

When the connection is established, the client has SSH access to the server, and the server provides SSH access to the client.

SSH Authentication

SSH allows you to use multiple different authentication methods. The most widely used are:

  • Password Authentication – you’re asked for the username and password to get access to the remote host.
  • SSH Key-Based Authentication – you’re using SSH Public and Private keys for user authentication.

SSH Password Authentication

When it comes to securing a server, SSH password authentication is one of the most popular methods. This authentication process requires that the user provides a valid username and password in order to gain access to the secure shell of the remote server. While this method can be effective in preventing unauthorized access, it also has some drawbacks. One major downside is that if a malicious user discovers a valid username and password, they will be able to login and wreak havoc on the server. Additionally, SSH password authentication can be slow and cumbersome, particularly for users who have to type in their credentials each time they want to log into the server. As a result, many organizations are using alternative methods of authentication, such as SSH key-based authentication.

SSH Key-Based Authentication

SSH key-based authentication is a secure alternative to using password-based authentication when logging into a remote server. When using SSH keys, a public/private key pair is generated. The public key is then added to the remote server, and the private key is kept on the local computer. When logging in, the user provides their private key, which is then verified against the public key on the server. If the keys match, the user is granted access. One benefit of using SSH keys is that they are much more difficult to brute force than passwords. Additionally, SSH keys can be configured to automatically expire, which further increases security. As a result, SSH key-based authentication is a valuable tool for securing remote servers.

SSH key-based authentication algorithm:

  • The client initiates an SSH connection to the remote server.
  • The remote server sends a random message to the client.
  • The client encrypts the received message using a private SSH key and sends it back to the server.
  • The server decrypts the client’s message using a public SSH key. If the received message is the same, the server authenticates the client.
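
The four steps above can be reproduced locally. This is an added illustration, not code from the article: the openssl command-line tool (assumed to be installed) stands in for the SSH client and server, and the "encrypt with the private key" step is performed as a digital signature, which is how such a proof is produced in practice. All file names are temporary.

```shell
#!/bin/sh
# Added illustration: challenge-response with a key pair, openssl standing in for ssh/sshd.

new_keypair() {        # $1 = directory; writes key.pem (private) and pub.pem (public)
    openssl genrsa -out "$1/key.pem" 2048 2>/dev/null &&
    openssl rsa -in "$1/key.pem" -pubout -out "$1/pub.pem" 2>/dev/null
}

server_challenge() {   # $1 = output file; step 2: a fresh random message per login
    openssl rand -hex 32 > "$1"
}

client_respond() {     # $1 = private key, $2 = challenge, $3 = output signature
    # Step 3: the private key never leaves the client, only the signature does.
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

server_verify() {      # $1 = public key, $2 = challenge, $3 = signature
    # Step 4: succeeds only for this public key AND this exact challenge.
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/alice" "$d/mallory"
    new_keypair "$d/alice" && new_keypair "$d/mallory" || return 1
    server_challenge "$d/c1"
    server_challenge "$d/c2"
    client_respond "$d/alice/key.pem" "$d/c1" "$d/sig_alice"
    client_respond "$d/mallory/key.pem" "$d/c1" "$d/sig_mallory"
    server_verify "$d/alice/pub.pem" "$d/c1" "$d/sig_alice"   && echo "authorized key, fresh challenge: accepted"
    server_verify "$d/alice/pub.pem" "$d/c2" "$d/sig_alice"   || echo "old response replayed on a new challenge: rejected"
    server_verify "$d/alice/pub.pem" "$d/c1" "$d/sig_mallory" || echo "response from a key that is not authorized: rejected"
    rm -rf "$d"
}

demo
```

The random challenge is what makes a captured response useless for a later login.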

Using password authentication in SSH is not secure. If you’re still using password authentication, you need to change it to SSH key-based authentication ASAP.

How To Install An SSH Client

In most Linux systems and macOS, the SSH client is already installed and available by default. But if you’re playing with Linux on a virtual machine, you may need to install it.

Ubuntu

For deb-based Linux distributions, you can install the client using the following commands:

sudo apt-get update
sudo apt-get -y install openssh-client

CentOS, Fedora, RedHat

For yum-based Linux distributions, you can install the client using the following command:

sudo yum -y install openssh-clients

Windows

For the Windows operating system, PuTTY became the de facto standard client. To install it, download the MSI installer from the link above and follow the instructions from How to Install PuTTY on Windows.

Here’s an automated installation process using Chocolatey. Open PowerShell console in “Run as Administrator” mode and execute the following commands:

Set-ExecutionPolicy RemoteSigned

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

choco install putty -y

How To Install An SSH Server

In most Linux systems and macOS, the SSH server is already installed and available by default. But if you’re playing with Linux on a virtual machine, you may need to install it.

Ubuntu Server

For deb-based Linux distributions, you can install the SSH server using the following commands:

sudo apt-get update
sudo apt-get -y install openssh-server
# On Ubuntu and Debian the systemd unit is named ssh
sudo systemctl enable ssh
sudo systemctl start ssh

CentOS, Fedora, or RedHat Server

For yum-based Linux distributions, you can install the SSH server using the following commands:

sudo yum -y install openssh-server
sudo systemctl enable sshd
sudo systemctl start sshd

Windows Server

You can’t install an SSH server on the Windows system. You have to use Remote Desktop and WinRM to control remote Windows servers in the Microsoft world.

Create SSH Key

Let’s create private and public SSH keys used for SSH Key-Based Authentication. To generate SSH keys, run the following command in the terminal:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

This command will create a 4096-bit (4 Kb) RSA key pair:

  • ~/.ssh/id_rsa – SSH Private Key.
  • ~/.ssh/id_rsa.pub – SSH Public Key.

Important: you must never show or send the SSH Private Key file.

Set Up SSH Key-Based Authentication

To set up SSH Key-Based Authentication on the remote server, you need to complete the following steps:

  • Login to the server.
  • Go to the user home directory.
  • Edit file ~/.ssh/authorized_keys and paste the content of the public key file there.
  • Save changes.

~/.ssh/authorized_keys may contain as many public keys’ records as needed. So, you can authorize connections to the same user on the remote server using different private keys belonging to different users.
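
The steps above can be scripted so that the permissions come out right and the same key is never added twice. This is an added example, not code from the article; the function name install_pubkey is hypothetical, and the key used in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example: append a public key to authorized_keys safely and idempotently.
# Run on the remote server as the user who should accept the key.

# install_pubkey HOME_DIR "PUBLIC KEY LINE"
install_pubkey() {
    home_dir=$1
    key_line=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Accept only "type base64 [comment]" lines; never let a private key end up here.
    # Entries prefixed with options (command="...", from="...") are out of scope.
    case $key_line in
        *"PRIVATE KEY"*)
            echo "refusing: this is a private key" >&2; return 2 ;;
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *|sk-*\ *) ;;
        *)
            echo "refusing: not a public key line" >&2; return 2 ;;
    esac

    # With StrictModes (the sshd default) the key file is ignored when it or
    # ~/.ssh is writable by anyone other than the owner.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Idempotent: an identical line is not appended a second time.
    if grep -qxF -- "$key_line" "$auth_file"; then
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# Usage (constructed placeholder key, not a real one):
#   install_pubkey "$HOME" "ssh-ed25519 AAAAC3...placeholder... alice@laptop"
```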

How To Connect Using SSH

You can connect to a remote Linux server using the following command:

ssh remote_username@host_ip_address

Use Different SSH Keys For Different Remote Servers

There are several options that allow you to use different private SSH key files to access multiple remote servers. Let’s review each of these options one by one.

Specify SSH Key In Connection Command

To specify the required private key as part of the SSH connection command, use the -i flag:

ssh -i ~/.ssh/another_private_key remote_username@host_ip_address

Use An SSH Agent

If you have to use many private keys, you can use an SSH Agent – a program that runs on your computer and stores your SSH keys. When you want to connect to a remote server using SSH, the agent will provide your keys to the server. This allows you to use SSH without having to enter your passphrase every time. The agent can also be used to store other sensitive information, such as passwords. By using an SSH agent, you can reduce the risk of your private data being compromised by keeping it off of servers and computers that are not under your control.

Linux

Start the ssh-agent in the background:

eval "$(ssh-agent -s)"

To add your SSH keys to the agent, use the following commands:

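# -K is specific to Apple's ssh-add on macOS (it stores the passphrase in the Keychain), so it is omitted here
ssh-add ~/.ssh/id_rsa
ssh-add ~/.ssh/another_private_key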

Windows

The PuTTY distribution contains Pageant, which sits in the system tray and plays the same role. Right-click on Pageant and add your SSH key.

The SSH client will use all loaded private keys one by one to pass authentication during the SSH connection.

SSH Configuration File

The SSH configuration file is a file used by the SSH client to configure various options that affect the connection to the SSH server. The file is typically located in the user’s home directory, and it is usually named ~/.ssh/config. The format of the file is relatively simple, and it supports a wide range of options. Some of the most commonly used options include specifying the SSH port, disabling compression, and changing the identity file. The SSH configuration file can be a powerful tool for customizing the SSH connection, and it is often used by system administrators to improve security or performance.

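# UseKeychain is understood only by Apple's ssh on macOS; let other clients skip it
IgnoreUnknown UseKeychain

# Specific remote server SSH configuration
# (listed before "Host *" so that its key is offered first)
Host exceptional.com
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/another_private_key

# Defaults for every other server
Host *
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_rsa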

In the example above, we are using the default ~/.ssh/id_rsa private key file for all remote servers, except the exceptional.com server. For the exceptional.com server, we’ll use ~/.ssh/another_private_key file.

SSH Key Forwarding

Another favorite SSH feature I’m using daily is SSH key forwarding. SSH Key forwarding is a technique used to securely connect to a remote server using an SSH key. The SSH key is forwarded to the remote server, which can then use it to authenticate the user. This allows the user to connect to the server without having to store the SSH key on the server. This is particularly useful when connecting to a remote server over an untrusted network, such as the Internet. SSH Key forwarding can also be used to connect to a remote server that does not have a direct connection to the Internet. In this case, the SSH key is forwarded through an intermediary server that does have a direct connection. This intermediary server is known as a ‘gateway’. SSH Key forwarding is a very powerful and flexible technique that can be used in a variety of situations. It is important to understand how it works before using it, as it can be misused if not properly understood.

You can enable SSH key forwarding for your SSH session by specifying the -A flag in the SSH command:

ssh -A remote_username@host_ip_address

Or you can save this configuration in your ~/.ssh/config file by specifying ForwardAgent yes:

Host *
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_rsa
  ForwardAgent yes
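
While a session with ForwardAgent yes is open, an administrator of the remote host can use the forwarded agent to authenticate as you, so it is worth knowing which hosts your configuration forwards to. The following is an added example, not code from the article: it lists the Host blocks of a client config that enable forwarding and flags wildcard or global ones. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: find Host blocks in an ssh client config that enable agent forwarding.

forwardagent_hosts() {   # $1 = path to an ssh client config file
    awk '
        BEGIN { hosts = "(global)" }   # options before any Host line apply to every host
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }   # accept "Key value" and "Key=value"
        /^#/ || NF == 0 { next }
        tolower($1) == "host"  { $1 = ""; sub(/^ +/, ""); hosts = $0; next }
        tolower($1) == "match" { hosts = "(Match block)"; next }
        tolower($1) == "forwardagent" && tolower($2) == "yes" { print hosts }
    ' "$1"
}

# Exit status 0 (and the offending patterns on stdout) when forwarding is
# enabled globally or for a wildcard pattern; exit status 1 otherwise.
wildcard_forwarding() {
    forwardagent_hosts "$1" | grep -E '[*?]|^\(global\)$'
}

demo() {
    cfg=$(mktemp) || return 1
    # Constructed sample: a scoped block next to the wildcard block shown above.
    cat > "$cfg" <<'EOF'
Host jump.example.com
  ForwardAgent yes

Host *
  IdentityFile ~/.ssh/id_rsa
  ForwardAgent yes
EOF
    echo "Blocks that forward the agent:"
    forwardagent_hosts "$cfg"
    echo "Of those, wildcard or global:"
    wildcard_forwarding "$cfg"
    rm -f "$cfg"
}

demo
```

Moving ForwardAgent yes from Host * into the block of the specific gateway you trust makes the second list empty.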

SSH Port Forwarding

SSH port forwarding is a way to tunnel network traffic through an SSH connection. This can be used to forward traffic from one machine to another, or to allow access to a server that is behind a firewall. There are two types of SSH port forwarding: local and remote. Local forwarding tunnels traffic from the client machine to the server, while remote forwarding tunnels traffic from the server to the client.

In order for SSH port forwarding to work, the SSH client and server must be configured properly. On the client-side, the ssh_config file must be edited to specify the desired forwarding rules. On the server-side, the sshd_config file must be edited to allow port forwarding. Once both files have been updated, the SSH connection can be established and traffic will be routed as desired.

If you need to forward UDP traffic, use nc in combination with SSH.

Local Port Forwarding

SSH local port forwarding is a technique that can be used to allow traffic from a local port to be forwarded to a remote machine. This can be useful in a number of scenarios, such as when you want to allow access to a local server that is behind a firewall. To set up SSH local port forwarding, you will need to have an SSH client installed on your local machine. Once you have the SSH client installed, you can specify the port that you want to forward traffic to by using the -L flag.

Once the connection has been established, any traffic that is sent to port 15432 on your local machine will be forwarded to port 5432 on the remote machine.

The best way to explain SSH local port forwarding is by looking at the following diagram.

[Diagram: SSH Local Port Forwarding]

In this diagram, the Jump Host server has private connectivity to the Amazon RDS PostgreSQL server.

The client laptop can connect to the Jump Host server using the SSH protocol.

The owner of the client’s laptop is looking for a way to connect to the Amazon RDS instance.

SSH local port forwarding feature allows binding a port on the client laptop. The traffic from the bound port is forwarded through the Jump Host server to an Amazon RDS instance.

As a result, to connect to the RDS instance from the client laptop, you need to configure pgsql on that computer to connect to localhost:15432.

If you need to establish a connection to the Jump Host from the Linux or macOS client laptop, use the following SSH command:

ssh -L 127.0.0.1:15432:rds-endpoint-url:5432 ec2-user@jump_host_ip

If you’re using PuTTY, you need to change the Connections – SSH – Tunnels configuration section before connecting to the Jump Host.

[Screenshot: PuTTY - SSH Local Port Forwarding]

Remote Port Forwarding

SSH remote port forwarding is a more exciting feature that solves the opposite problem. It allows you to bind the port on the remote computer and forward traffic coming from that port to the networks behind the SSH client host.

Here’s an example.

[Diagram: SSH Remote Port Forwarding]

In our example, we have an Isolated Server, which does not have access to the internet, and the client laptop we’re using to connect to the Jump Host.

Traffic between Jump Host and Isolated Server is not restricted.

We need to allow the Isolated Server to connect to the internet. How can we do that?

For example, we can launch a Docker container with Squid proxy on the client laptop on port 8080. Then we can connect to Jump Host using SSH. The remote port forwarding feature binds port 8081 on the Jump Host and forwards its traffic to port 8080 on the client laptop.

As a result, the Isolated Server will be able to use http://jump_host_ip:8081 as a proxy server.

To enable remote port forwarding during an SSH connection on Linux or macOS, use the following SSH command:

ssh -R 8081:localhost:8080 ec2-user@jump_host_ip
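
Whether the Isolated Server can reach port 8081 depends on the GatewayPorts setting in the Jump Host's sshd_config: with the default (no), remote forwards are bound to the loopback interface only. The following is an added example, not code from the article, that works out the bind address for a given -R argument; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: which address will the Jump Host bind for an "ssh -R" request?

# Print the global GatewayPorts value from an sshd_config file (default: no).
# sshd keeps the first value it finds; Match blocks are not evaluated here.
gateway_ports() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "gatewayports" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# remote_bind GATEWAY_PORTS R_SPEC
# R_SPEC is the -R argument: [bind_address:]port:host:hostport (IPv6 literals not handled).
remote_bind() {
    gp=$1
    spec=$2
    case $spec in
        *:*:*:*) has_bind=1; bind=${spec%%:*} ;;
        *)       has_bind=0; bind= ;;
    esac
    case $gp in
        yes) echo "all interfaces" ;;          # the server overrides the client's choice
        clientspecified)
            if [ "$has_bind" -eq 0 ] || [ "$bind" = localhost ]; then
                echo loopback
            elif [ -z "$bind" ] || [ "$bind" = "*" ]; then
                echo "all interfaces"
            else
                echo "$bind"
            fi ;;
        *) echo loopback ;;                    # GatewayPorts no: any bind address is ignored
    esac
}

demo() {
    cfg=$(mktemp) || return 1
    printf 'Port 22\nGatewayPorts clientspecified\n' > "$cfg"   # constructed sample config
    mode=$(gateway_ports "$cfg")
    echo "GatewayPorts $mode"
    echo "-R 8081:localhost:8080         -> $(remote_bind "$mode" 8081:localhost:8080)"
    echo "-R 0.0.0.0:8081:localhost:8080 -> $(remote_bind "$mode" 0.0.0.0:8081:localhost:8080)"
    rm -f "$cfg"
}

demo
```

A forward bound beyond loopback is reachable by every host that can connect to the Jump Host on that port, so limit port 8081 to the Isolated Server with a firewall or security group rule.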

For PuTTY and Windows hosts:

[Screenshot: PuTTY - SSH Remote Port Forwarding]

Summary

This article covered many useful SSH features, which I’m using in my daily work. I hope you’ll start using them too. If something is not clear, please, reach out in the comments section below. I’ll be more than happy to assist.

If you found this article helpful, feel free to help me spread it to the world!
