SSH - Secure SHell

Remote access protocol with encrypted communication

What is ssh

SSH, or Secure Shell, is a cryptographic network protocol that facilitates secure communication and remote access between computers over unsecured networks. It provides a secure channel for accessing and managing remote systems, encrypting data transmission to prevent interception and tampering. SSH ensures confidentiality, integrity, and authenticity of transmitted data through encryption techniques, authentication mechanisms, and digital signatures. Its primary use cases include remote command-line login, secure file transfer, and tunneling connections for accessing services securely. By employing robust encryption and authentication methods, SSH enables users to securely interact with remote systems, making it an essential tool for system administrators, developers, and anyone requiring secure remote access to computers and network devices. It runs on port 22 by default (this can be changed by the user).

It replaces telnet (which has no encryption at all).

Advantages of ssh

  1. Security: SSH encrypts all data transmitted between the client and server, providing a secure channel even over unsecured networks like the internet. This encryption prevents eavesdropping, interception, and tampering of sensitive information, ensuring confidentiality and integrity.
  2. Authentication: SSH supports various authentication methods, including password-based authentication and public-key cryptography. Public-key authentication, in particular, offers stronger security by eliminating the need to transmit passwords over the network and mitigating risks associated with password-based attacks.
  3. Remote Access: SSH allows users to securely access and manage remote systems’ command-line interfaces from anywhere with network connectivity. This enables system administrators to perform tasks such as configuration, troubleshooting, and software updates without physically being present at the remote location.
  4. File Transfer: SSH includes protocols like SCP (Secure Copy Protocol) and SFTP (SSH File Transfer Protocol) for secure file transfer between hosts. These protocols provide encrypted file transfer capabilities similar to traditional FTP but with enhanced security features.
  5. Port Forwarding and Tunneling: SSH supports port forwarding and tunneling, allowing users to securely access services running on remote servers or bypass network restrictions. This feature is valuable for accessing internal resources or securing connections to services like databases or web servers.
  6. Key Management: SSH uses public-key cryptography for authentication, requiring users to generate key pairs consisting of a public key and a private key. Proper key management practices are crucial for maintaining the security of SSH connections, including safeguarding private keys and managing access permissions.

How to Install it - Server side

Do NOT forget to open the correct ports: ssh uses 22 as standard.

Make sure that the packages are the latest version

sudo apt update && sudo apt upgrade -y
and reboot the server
sudo systemctl reboot

Install OpenSSH Server

1 – Install the package
sudo apt install openssh-server

2 – Verify that ssh is installed
ssh -V
or check the status of the service
sudo systemctl status ssh

3 – Start and Enable the SSH Service
sudo systemctl start ssh
sudo systemctl enable ssh

4 – Configure the SSH server. The file is usually located at /etc/ssh/sshd_config.
Open it with nano:
sudo nano /etc/ssh/sshd_config

5 – Here is what we want to do: set the port number for ssh (default is 22), disable root login (for security) and specify which users are allowed to ssh in. You will need to add or modify these lines.
Here’s a basic template for the SSH config file (SERVER SIDE). If you comment out the line AllowUsers hero superman, then ALL users will be able to ssh in if they enter the right credentials.


# This is a comment. Comments start with '#' and are ignored by SSH.

Port 22
PermitRootLogin no
# Enable ssh login for user hero and superman
AllowUsers hero superman

Advanced. You could also adjust these settings:

PermitRootLogin: Ensure that other security settings, like PermitRootLogin, are configured as desired. For instance, to allow or disallow root login, adjust this setting accordingly:
PermitRootLogin no

Ensure PasswordAuthentication is set according to your security policy. To allow password-based logins:
PasswordAuthentication yes

Ensure that passwords can NOT be empty:
PermitEmptyPasswords no

Public Key Authentication: For enhanced security, you might want to enforce public key authentication:
PubkeyAuthentication yes

Add or Modify the AllowGroups Directive:
AllowGroups group1 group2

6 – Restart the SSH Service
sudo systemctl restart ssh

7 – Make sure that the firewall (usually ufw) allows SSH traffic, otherwise:
sudo ufw allow 22/tcp
sudo ufw disable && sudo ufw enable

Example of how the file /etc/ssh/sshd_config might look:

Some tips to test that the server is configured correctly

Connect a computer to the same subnet as the server. Try to log in with a user. If this succeeds you know that this is a user you can test with, and that no other firewall is blocking the traffic, i.e. the router is not hindering ssh into the server. Later, expand to a different subnet on the LAN, and then to the WAN if desired.

Configuration (firewall rules) of the LAN (subnets) is usually done on the internal router.
Configuration (firewall rules) of the WAN is usually done on the cable modem (the device that connects you to the internet). You will also need to set up port forwarding there, as NAT plays a crucial role.

Screenshots

Encryption methods

SSH communication

Terminology and Concepts

  1. Secure Shell (SSH): The cryptographic network protocol for secure communication and remote login over an unsecured network.
  2. Encryption: The process of encoding information in such a way that only authorized parties can access it, ensuring confidentiality and integrity.
  3. Authentication: The process of verifying the identity of a user or system, typically using passwords, public-key cryptography, or other authentication methods.
  4. Public-Key Cryptography: A cryptographic system that uses pairs of keys (public and private) to encrypt and decrypt data, providing a secure method for authentication and communication.
  5. Key Pair: A set of cryptographic keys consisting of a public key (shared with others) and a private key (kept secret), used for authentication and encryption in SSH.
  6. Password-Based Authentication: A method of authentication where users provide a password to prove their identity.
  7. Public-Key Authentication: An authentication method that uses cryptographic key pairs for secure login, providing stronger security than password-based authentication.
  8. SSH Client: A software application used to initiate SSH connections to remote servers.
  9. SSH Server: A software application running on a remote system that accepts SSH connections from clients and allows remote access.
  10. SSH Protocol: The set of rules and conventions that govern communication between SSH clients and servers, defining how data is encrypted, authenticated, and transmitted.
  11. SCP (Secure Copy Protocol): A secure file transfer protocol in SSH, used for copying files between hosts over an encrypted connection.
  12. SFTP (SSH File Transfer Protocol): Another secure file transfer protocol in SSH, providing more features and capabilities than SCP, including directory listing and file manipulation.
  13. Port Forwarding: The process of redirecting network traffic from one network port to another, often used in SSH for creating secure tunnels between local and remote systems.
  14. Local Port Forwarding: A type of port forwarding where connections from the local machine are forwarded through an SSH tunnel to a remote server.
  15. Remote Port Forwarding: A type of port forwarding where connections initiated from a remote server are forwarded through an SSH tunnel to a local machine.
  16. Dynamic Port Forwarding: A type of port forwarding that creates a SOCKS proxy on the local machine, allowing any application to use the SSH tunnel as a proxy for accessing the internet or other network services.
  17. Tunneling: The process of encapsulating one network protocol within another, typically for the purpose of creating a secure communication channel over an untrusted network.
  18. SSH Keys: Cryptographic keys used for authentication and encryption in SSH, including public keys (authorized for access) and private keys (kept secret).

SSH tunneling

SSH tunneling, also known as SSH port forwarding, is a technique used to securely route network connections through an encrypted SSH connection. It allows users to create a secure communication channel between a local machine and a remote server, even if the destination service is not directly accessible from the local machine’s network or if there are network restrictions in place.

There are several types of SSH tunneling:

  1. Local Port Forwarding: With local port forwarding, a connection is established from the local machine to a remote server via SSH. Any data sent to a specified local port on the client machine is encrypted and forwarded through the SSH connection to a specified destination host and port on the remote server. This allows the local machine to access services running on the remote server securely.
  2. Remote Port Forwarding: In remote port forwarding, connections are initiated from a remote server to the local machine via SSH. This allows services running on the remote server to be accessed securely from the local machine. Any data sent to a specified port on the remote server is encrypted and forwarded through the SSH connection to a specified destination host and port on the local machine.
  3. Dynamic Port Forwarding: Dynamic port forwarding creates a SOCKS proxy on the local machine, which routes traffic through an SSH connection to the remote server. This allows any application on the local machine to use the SSH tunnel as a proxy to access the internet or other network services securely.

SSH tunneling is commonly used for:

  • Bypassing Firewalls and Network Restrictions: SSH tunneling can bypass network firewalls and restrictions by encrypting traffic and routing it through an SSH connection to a remote server that has access to the desired services.
  • Securing Communication: It provides a secure communication channel for accessing services such as databases, web servers, or remote desktops over untrusted networks like the internet.
  • Encrypting Traffic: Even if the connection between the client and the SSH server is over an untrusted network, SSH tunneling encrypts the data, providing confidentiality and integrity.

Overall, SSH tunneling is a powerful tool for securing network communications and accessing remote services securely, making it indispensable for various use cases in system administration, software development, and network security.
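The three tunnel types above in command form, as an added example that is not part of the original page: each shell function checks its port arguments and prints the ssh command line it would run (rather than running it, so the command can be reviewed first), with the listener bound to 127.0.0.1 so the forwarded port is not reachable from other hosts on the LAN. The user, host names and ports are constructed placeholders; -L, -R, -D and -N are standard OpenSSH client flags.

```shell
#!/bin/sh
# Added example, not from the original page: print the ssh command line for
# each tunnel type, after checking the port numbers. The functions print
# rather than run the command so it can be reviewed first; the user, host
# and port values in the demo are constructed placeholders.

# port_ok PORT: true for a decimal number in 1..65535
port_ok() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# local_forward USER@SSHHOST LOCAL_PORT DEST_HOST DEST_PORT
# ssh listens on 127.0.0.1:LOCAL_PORT on this machine and delivers each
# connection, through the encrypted session, to DEST_HOST:DEST_PORT as that
# address is seen from the SSH server. The explicit 127.0.0.1 keeps the
# listener off the LAN; -N opens no remote shell, only the tunnel.
local_forward() {
    port_ok "$2" && port_ok "$4" || return 1
    printf 'ssh -N -L 127.0.0.1:%s:%s:%s %s\n' "$2" "$3" "$4" "$1"
}

# remote_forward USER@SSHHOST REMOTE_PORT DEST_HOST DEST_PORT
# sshd listens on REMOTE_PORT on the server (loopback only, unless the
# server's GatewayPorts setting allows more) and delivers each connection
# back through the session to DEST_HOST:DEST_PORT as seen from this machine.
remote_forward() {
    port_ok "$2" && port_ok "$4" || return 1
    printf 'ssh -N -R 127.0.0.1:%s:%s:%s %s\n' "$2" "$3" "$4" "$1"
}

# dynamic_forward USER@SSHHOST LOCAL_PORT
# ssh acts as a SOCKS proxy on 127.0.0.1:LOCAL_PORT; applications pointed
# at it have their outbound connections made from the SSH server.
dynamic_forward() {
    port_ok "$2" || return 1
    printf 'ssh -N -D 127.0.0.1:%s %s\n' "$2" "$1"
}

# Demonstration with constructed names.
local_forward   hero@bastion.example.net 8080 intranet-web.example.net 80
remote_forward  hero@bastion.example.net 9000 localhost 3000
dynamic_forward hero@bastion.example.net 1080
dynamic_forward hero@bastion.example.net 70000 || echo "rejected: 70000 is not a valid port"
```

Pipe the output to a shell (or copy it) once it looks right; adding -f after -N sends the tunnel to the background.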

What do I need to use SSH

For SSH to work, you need both an SSH server and an SSH client. Here’s an overview of each:

SSH Server:

  1. Software: You need to install SSH server software on the system that you want to remotely access. Popular SSH server software includes OpenSSH (common on Unix-like systems) and Bitvise SSH Server (common on Windows).
  2. Configuration: Once installed, you typically configure the SSH server to define which users are allowed to connect, which authentication methods to use (e.g., password-based, public-key), and any access restrictions or permissions.
  3. Listening Port: The SSH server needs to be configured to listen for incoming connections on a specific port, commonly port 22 by default. This port should be accessible from the network where the SSH client is located.
  4. Network Accessibility: Ensure that the server has network connectivity and is accessible from the client machine. This may involve configuring firewalls or network routers to allow SSH traffic to reach the server.

SSH Client:

  1. Software: You need SSH client software installed on the system from which you want to initiate SSH connections. Most Unix-like systems come with an SSH client pre-installed. For Windows, popular SSH clients include PuTTY, WinSCP, and OpenSSH (available through optional features).
  2. SSH Key (Optional): While not strictly necessary, using SSH keys for authentication provides enhanced security compared to password-based authentication. If using SSH keys, you’ll need to generate a key pair (public and private keys) and configure the SSH client to use them.
  3. Network Accessibility: Ensure that the client machine has network connectivity and can reach the SSH server. This may involve configuring firewalls or network routers to allow outbound SSH traffic from the client.

Connection Process:

  1. Initiation: To initiate an SSH connection, the SSH client software is used to specify the remote server’s hostname or IP address and the user account to connect as.
  2. Authentication: The SSH client and server negotiate authentication methods, such as password-based authentication or public-key authentication. If using SSH keys, the client presents its public key to the server for authentication.
  3. Encryption: Once authenticated, the SSH client and server establish an encrypted communication channel for the session, ensuring that all data transmitted between them is encrypted and secure.
  4. Session: With the encrypted channel established, the SSH client can interact with the remote server’s command-line interface, transfer files securely, or perform other tasks as allowed by the server’s configuration.

By having both an SSH server and client properly configured and accessible, users can securely access and manage remote systems, transfer files, and perform various tasks over unsecured networks.

Connecting to an SSH server using both username/password authentication and public/private key authentication:

Username/Password Authentication:

  1. Open Terminal or SSH Client: Open your terminal application on Unix-like systems (such as Terminal on macOS or a terminal emulator like PuTTY on Windows) or launch your SSH client software.
  2. Enter SSH Command: Use the ssh command followed by the username and hostname (or IP address) of the SSH server you want to connect to. For example:
     ssh username@hostname_or_IP

     Replace username with your actual username on the server and hostname_or_IP with the hostname or IP address of the SSH server.

  3. Enter Password: After executing the ssh command, you’ll be prompted to enter the password for the specified username. Type your password (the characters are not displayed as you type, for security reasons) and press Enter.
  4. Authentication: The SSH client sends the entered username and password to the SSH server for authentication. If the credentials are correct and the server allows password-based authentication, you’ll be granted access to the server’s command-line interface.

Public/Private Key Authentication: (assumes that the public/private key pair is present on the computer)

  1. Connect Using SSH Key: Use the ssh command as before; this time the SSH client automatically uses your private key to authenticate:
     ssh username@hostname_or_IP

     If you’ve encrypted your private key with a passphrase, you’ll be prompted to enter it.

  2. Authentication: The SSH client offers your public key to the server. If the server finds a matching public key in the authorized_keys file for the specified username, and if key-based authentication is allowed, you’ll be granted access to the server without needing to enter a password.

By following these steps, you can connect to an SSH server using either username/password authentication or public/private key authentication.

Managing multiple ssh connections with config file (Client Side) - Recommended

The SSH config file (~/.ssh/config on Unix-like systems) is used to manage and customize SSH connections, especially when dealing with multiple hosts and complex configurations. It allows you to define connection options, authentication details, port forwarding settings, and more for individual hosts or groups of hosts. Here’s an overview of how the SSH config file is used to manage multiple SSH connections:

1. Simplify Connection Process:

By specifying connection details in the config file, you can avoid typing long and complex SSH commands each time you connect to a host. This simplifies the connection process, especially for hosts with non-standard settings or configurations.

2. Centralized Configuration:

The SSH config file acts as a centralized location for storing SSH configuration options. Instead of configuring each SSH connection separately, you can define global settings and apply them to multiple hosts or groups of hosts as needed.

3. Customization and Organization:

You can customize SSH connections by setting options such as usernames, hostnames, port numbers, identity files, and connection options. The config file allows you to organize these settings logically and efficiently, making it easier to manage multiple SSH connections.

4. Port Forwarding and Tunneling:

SSH config supports port forwarding and tunneling configurations, allowing you to set up local and remote port forwards for individual hosts or groups of hosts. This is useful for accessing services running on remote hosts securely or bypassing network restrictions.

Sample SSH Config Template:

Here’s a basic template for an SSH config file (CLIENT SIDE) with comments explaining each section

# This is a comment. Comments start with '#' and are ignored by SSH.

# Host definition: the name you type after "ssh". Extra names on the same
# line act as aliases, e.g. "Host example.com alias1 alias2"
Host example.com
    # Hostname or IP address of the remote server
    # (placeholder address from the TEST-NET-2 documentation range; use your server's address)
    HostName 198.51.100.10

    # Port number (optional, default is 22)
    Port 22

    # User to log in as (optional, uses current user by default)
    User your_username

    # IdentityFile specifies the private key to use for authentication
    IdentityFile ~/.ssh/your_private_key

    # Specify other SSH options if needed (optional)
    # For example, to enable compression:
    # Compression yes

    # The protocol version is no longer configurable: current OpenSSH only
    # speaks protocol 2, so an old "Protocol 2" line is obsolete and can be left out

    # Define custom SSH options specific to this host (optional)
    # This can be used to override global options for this host.
    # For example:
    # RemoteCommand ls -l

    # Keep SSH connections alive by sending a packet every 60 seconds
    # ServerAliveInterval 60

    # Local port forwarding configuration
    # LocalForward 8080 localhost:80

# The same host definition without the explanatory comments:
Host example.com
    HostName 198.51.100.10
    Port 22
    User your_username
    IdentityFile ~/.ssh/your_private_key

Setting Correct Permissions and ownership

Typically you want the permissions to be(chmod):

  • .ssh directory: 700 (drwx------)
    • chmod 700 ~/.ssh
  • public key (.pub file): 644 (-rw-r--r--)
    • chmod 644 ~/.ssh/nameofpublicfile
  • private key (id_rsa): 600 (-rw-------)
    • chmod 600 ~/.ssh/nameofprivatefile
  • lastly, your home directory must not be writable by the group or others: 755 (drwxr-xr-x) is the usual setting, 700 (drwx------) the strictest.
    • chmod 755 ~/
  • ssh config file (config): 600 (-rw-------)
    • chmod 600 ~/.ssh/config
  • authorized_key needs 644 permissions
    • chmod 644 ~/.ssh/authorized_keys

Also check this:
Make sure that the user owns the files/folders and not root: chown user:user authorized_keys and chown user:user /home/$USER/.ssh

Also worth mentioning: when you use tools like ssh-keygen and ssh-copy-id, these permissions get set automatically by the tool.
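A quick audit of the modes and ownership listed above, as an added example that is not part of the original page. It takes the directory (and optionally the expected owner) as parameters so it can be run against a test copy, relies on GNU stat's -c format as found on Linux, and treats any file containing a "PRIVATE KEY" header as a private key. The function names are chosen here.

```shell
#!/bin/sh
# Added example, not from the original page: audit the permissions and
# ownership of an .ssh directory against the values listed on this page.
# Uses GNU stat (Linux). Every check prints a finding and returns 1 on failure.

# check_mode PATH ALLOWED_MODE...: pass if the octal mode is one of the listed values
check_mode() {
    p=$1; shift
    m=$(stat -c '%a' "$p") || return 1
    for ok in "$@"; do
        [ "$m" = "$ok" ] && return 0
    done
    echo "BAD mode $m on $p (expected one of: $*)"
    return 1
}

# check_owner PATH USER: pass if USER owns PATH (root-owned files after a
# sudo-edited authorized_keys are a common cause of refused key logins)
check_owner() {
    o=$(stat -c '%U' "$1") || return 1
    [ "$o" = "$2" ] && return 0
    echo "BAD owner $o on $1 (expected $2)"
    return 1
}

# check_home HOME_DIR: pass unless the group or others have write permission
# (the write bit is 2, so a group or other digit of 2, 3, 6 or 7 is a finding)
check_home() {
    m=$(stat -c '%a' "$1") || return 1
    case $m in
        *[2367]?|*[2367]) echo "BAD home $1 mode $m is group- or world-writable"; return 1 ;;
    esac
    return 0
}

# audit_ssh_dir DIR [USER]: check DIR and every regular file in it;
# exit status 1 if there is any finding. USER defaults to the current user.
audit_ssh_dir() {
    dir=$1; user=${2:-$(id -un)}; bad=0
    check_mode "$dir" 700 || bad=1
    check_owner "$dir" "$user" || bad=1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        check_owner "$f" "$user" || bad=1
        case ${f##*/} in
            *.pub)                        check_mode "$f" 644 600 || bad=1 ;;
            config)                       check_mode "$f" 600 || bad=1 ;;
            authorized_keys|known_hosts)  check_mode "$f" 644 600 || bad=1 ;;
            *) grep -q 'PRIVATE KEY' "$f" 2>/dev/null && { check_mode "$f" 600 400 || bad=1; } ;;
        esac
    done
    return $bad
}

# Demonstration on the current user's own directory (skipped if it does not exist).
if [ -d "$HOME/.ssh" ]; then
    check_home "$HOME" || echo "fix: chmod 755 $HOME"
    audit_ssh_dir "$HOME/.ssh" && echo "$HOME/.ssh: no findings"
fi
```

To check another account's files, run it as root with the user name as the second argument, e.g. audit_ssh_dir /home/alice/.ssh alice.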

Folder structure (mainly Server Side)

  1. /etc/ssh/: This directory contains configuration files and keys related to the SSH server (sshd) and client (ssh).
    • sshd_config: Server side. The main configuration file for the SSH daemon (sshd). This file controls the behavior of the SSH server, including settings like authentication methods, allowed users, and port number.
    • ssh_config: Client side. The configuration file for the SSH client (ssh). This file contains client-side configuration options, such as default settings for connecting to SSH servers.
    • ssh_host_*_key: Server side. These files contain the host keys used by the SSH server for authentication. The *_key files represent different types of keys, such as RSA, DSA, or ECDSA.
    • ssh_host_*_key.pub: Server side. These files contain the public counterparts of the host keys. They are used by SSH clients to verify the authenticity of the SSH server during the connection process.
  2. /etc/ssh/sshd_config.d/(optional): Server side. Some distributions organize SSH server configuration using additional configuration files in this directory. These files are typically included from the main sshd_config file and can help organize complex configurations.
  3. /etc/ssh/ssh_known_hosts: This file contains a system-wide list of known host keys for other SSH servers. It is used when this machine acts as a client and connects to those servers (the "hosts").
  4. /etc/ssh/sshrc (optional): This file is a script that is executed by the SSH daemon (sshd) when a user logs in. It can be used to perform custom actions or settings for SSH sessions.
  5. /var/log/auth.log (or similar): This is the system log file where SSH-related authentication and authorization messages are typically logged. It can be useful for troubleshooting SSH connection issues or security incidents.

The most important file is the server configuration file, sshd_config.

Some of the key settings you might find in the sshd_config file include:

  1. Port: Specifies the port on which the SSH server listens for incoming connections. By default, SSH uses port 22, but you can change it for security reasons.
  2. PermitRootLogin: Determines whether root is allowed to log in directly via SSH. It’s generally recommended to set this to no and use a regular user account to log in, then switch to the root user if necessary.
  3. PubkeyAuthentication: Controls whether public key authentication is allowed. This is often preferred over password authentication for increased security.
  4. PasswordAuthentication: Specifies whether password authentication is allowed. It’s recommended to disable password authentication if you’re using public key authentication.
  5. AllowUsers or AllowGroups: Limits SSH access to specific users or groups. This can be useful for restricting access to certain users or groups of users.
  6. UsePAM: Determines whether the SSH server should use PAM (Pluggable Authentication Modules) for authentication. PAM provides a flexible framework for authentication, which can be integrated with various authentication methods.
  7. HostKey: Specifies the location of the host keys used for SSH server authentication. These keys are used to verify the authenticity of the SSH server to clients.

These are just a few examples of configuration options you might find in
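Both the server-side configuration step in the install section (Port, PermitRootLogin, AllowUsers and the "Advanced" directives) and the key settings listed just above come down to two operations: set a directive so that it is the one in effect, and read back what sshd will actually use. The script below is an added example, not part of the original page: set_sshd_option, get_sshd_option and audit_sshd_config are names chosen here, the sample configuration it edits is constructed, and it works on whatever file path it is given, so it can be tried on a copy before touching /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original page). Edits and audits an sshd_config
# file the way sshd reads it: the first match for a keyword wins, and anything
# after a Match line applies only to that block. Include lines are not
# followed. All functions take the file path as their first argument.

# get_sshd_option FILE KEYWORD: print the global value of KEYWORD (empty if unset)
get_sshd_option() {
    awk -v key="$2" '
        { sub(/^[ \t]+/, "") }                       # trim leading blanks
        /^(#|$)/ { next }                            # comments and blank lines
        tolower($1) == "match" { exit }              # end of the global section
        tolower($1) == tolower(key) { $1 = ""; sub(/^ /, ""); print; exit }
    ' "$1"
}

# set_sshd_option FILE KEYWORD VALUE: the first global line whose first word
# (after an optional "#") is KEYWORD becomes "KEYWORD VALUE"; later global
# duplicates are dropped; if no such line exists it is inserted before the
# first Match block, or appended. Match blocks are left untouched.
set_sshd_option() {
    tmp=$(mktemp) || return 1
    awk -v key="$2" -v value="$3" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)         # drop leading "# "
            split(line, f, /[ \t]+/)
            word = tolower(f[1])
        }
        word == "match" {
            if (!done) { print key " " value; done = 1 }
            in_match = 1
        }
        !in_match && word == tolower(key) {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"            # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# audit_sshd_config FILE: print one line per setting that differs from the
# values this page recommends; exit status 1 if there is any finding.
# An unset keyword means sshd's compiled-in default applies; the audit asks
# for explicit values so the intent is visible in the file.
audit_sshd_config() {
    bad=0
    for pair in PermitRootLogin=no PermitEmptyPasswords=no \
                PubkeyAuthentication=yes PasswordAuthentication=no; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(get_sshd_option "$1" "$key")
        [ "$have" = "$want" ] && continue
        echo "$key is '${have:-unset}', expected '$want'"
        bad=1
    done
    if [ -z "$(get_sshd_option "$1" AllowUsers)$(get_sshd_option "$1" AllowGroups)" ]; then
        echo "neither AllowUsers nor AllowGroups is set: any account may log in"
        bad=1
    fi
    return $bad
}

# Demonstration on a constructed file that resembles a stock Debian sshd_config.
demo_sshd_config() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# This is a comment. Comments start with '#' and are ignored by SSH.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
    echo "--- findings before:"; audit_sshd_config "$f" || true
    set_sshd_option "$f" Port 22
    set_sshd_option "$f" PermitRootLogin no
    set_sshd_option "$f" AllowUsers "hero superman"
    set_sshd_option "$f" PermitEmptyPasswords no
    set_sshd_option "$f" PubkeyAuthentication yes
    set_sshd_option "$f" PasswordAuthentication no
    echo "--- findings after:"; audit_sshd_config "$f" && echo "none"
    echo "--- resulting file:"; cat "$f"
    rm -f "$f"
}

demo_sshd_config
```

After editing the real file, run sudo sshd -t so sshd checks the syntax before you restart the service. These functions do not follow Include lines; on Debian and Ubuntu the files in /etc/ssh/sshd_config.d/ are read before the rest of sshd_config and therefore win, so audit them as well.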

FAQ

Difference between ssh and sshd

  1. SSH (Secure Shell): SSH is a cryptographic network protocol used for secure communication between two computers, typically a client and a server. It provides a secure way to access and manage remote systems over an unsecured network. SSH encrypts data transmitted over the network and provides authentication mechanisms to ensure the integrity and confidentiality of communications.
  2. sshd (SSH daemon): sshd is the SSH server daemon, which runs on the server side and listens for incoming SSH connections from clients. It is responsible for handling authentication requests, establishing encrypted communication channels, and managing SSH sessions. The SSH daemon (sshd) runs continuously in the background, waiting for incoming SSH connections on the server’s designated SSH port (usually port 22 by default).

Commands - Client Side

DESCRIPTION                                                                   COMMAND
Connect to an SSH server using user and password                              ssh username@hostname_or_IP
Connect to an SSH server using user and password and PORT number              ssh -p port_number username@hostname_or_IP
Connect to an SSH server using keys (public/private)                          ssh username@hostname_or_IP
Connect to an SSH server using keys (public/private) and PORT number          ssh -p port_number username@hostname_or_IP
Connect to an SSH server using a source ip and target ip with a port number   ssh -b "source_ip" -p "portnumber" user@"target_ip"
Connect to an SSH server using a specific key and port number                 ssh -i /path/to/private_key -p port_number username@hostname_or_IP
Connect to an SSH server using a specific ip, specific key, specific port     ssh -b "local_ip_address" -i "path_to_private_key" -p "port_number" user@remote_host

Commands - Server Side

DESCRIPTION                                                                   COMMAND
Restart the ssh daemon                                                        sudo service sshd restart