OpenSSH

SSH

by

What is SSH?

SSH (Secure Shell) is a protocol (like HTTP or FTP) that lets us connect to a remote server. After connecting to a remote server via SSH, all the commands that we run on the terminal get executed on the remote server. When we connect to a server via SSH, we always log in using a user account that exists on that remote server.

We use the OpenSSH tool to use the SSH protocol. OpenSSH provides a suite of utilities (not just one binary) that let us work with SSH. You can see a list of these utilities here, and the main ones we use are:

  • ssh
  • ssh-keygen
  • scp

To connect to a remote server via SSH we need 3 things:

  • The address of the remote server (IP or domain name)
  • The port that it’s listening for SSH connections (if it’s not the default 22)
  • A username on that server
  • The password of that user account or the SSH key

Basic Usage

This is the basic syntax:

ssh username@remote_host

For instance, if we wanna login as the user “ali” to the remote server at 184.107.41.83 we can enter

ssh ali@184.107.41.83

There are two methods to authenticate when connecting to a server via SSH.

  • Password
  • SSH keys

Using a password is the less secure way of connecting to a server. The recommended and more secure way of authentication is to use an SSH key.

To close an SSH connection and return to your local command prompt you can either type exit and hit enter or use Ctrl+D.

Useful Flags

-p

By default, SSH uses port 22 on the remote server. If the server is configured to use any other port, we need to include that port when we wanna connect to it. We specify the port using the -p flag.

ssh -p 44 ali@184.107.41.83

-i

If you wanna use a private SSH key other than the default ones (~/.ssh/id_rsa, ~/.ssh/id_ecdsa, …) in order to authenticate, you can use the -i flag to specify the location of the key. For instance

ssh -i ~/my_private_key ali@184.107.41.83

Config File

In order to make our life easier, you have the option to create a file called config in the ~/.ssh/ directory and store the information about an SSH connection (like the IP of the server, the username, port and the SSH key) in it and also choose a name for that connection, so when you wanna connect to that server, you can just type the connection name instead of the user and IP.

This is what the config file may look like:

Now that we have this info in the config file, to connect to the server we can just type

ssh dev

instead of typing the full command:

ssh -p 2322 ali@dev.parsifar.com

As you can, using a config file can be very convenient, especially if you SSH into different servers regularly.

Note that the config file isn’t required and also isn’t created by default, so if you wanna use it you should create it yourself.

How SSH keys work?

An SSH key has two components, a private key and a public key. It all starts on your local machine. First, you can generate a new SSH key (both components). To create a new SSH key you can use another binary from the OpenSSH suite called ssh-keygen.

ssh-keygen Command

This command generates both components of a new SSH key.

ssh-keygen

After running this command, it’ll prompt you to enter the file name and location of the key that’s being generated. By default, the filename for two components of the key are id_rsa and id_rsa.pub and the default location for storing them is ~/.ssh/ directory. i.e. a hidden directory called .ssh in the home directory of the current user. You can accept these default filename and location by pressing enter when it prompts.

Note that if you already have the SSH key with the default name and in the default location (~/.ssh/id_rsa) it’ll be overwritten.

Alternatively, you can choose a different filename and/or location for the new SSH key, so it won’t overwrite the existing one.

-f Flag

You also have the option to specify the filename and location of the new key using the -f flag in the ssh-keygen command. For instance, if you want the name of the new SSH key to be github_key you can use

ssh-keygen -f ~/.ssh/github_key

This command will create the private and public keys with the names github_key and github_key.pub.

-t Flag

You can also specify the type of the SSH key, you wanna generate. Some common SSH key types are:

  • RSA
  • DSA
  • ECDSA
  • EdDSA
  • Ed25519

The default SSH key type is RSA. If you wanna generate an Ed25519 and store it in a file called my_key you can run

ssh-keygen -t ed25519 -f ~/.ssh/my_key

-b Flag

If you want to generate a key with a specific number of bits, you can use the -b flag. For instance, if you wanna generate a 4096 bit RSA key, you can type:

ssh-keygen -t rsa -b 4096

-C Flag

Every public key ends with a comment. By default it is your_local_username@your_hostname but you can change it with the -C flag.

ssh-keygen -C “this key is for the ABC company”

This comment doesn’t have any affect on the authentication process. You can use it to store info about the key for yourself. For instance if you’re generating the key for a client, it might be a good idea to use the client’s name as the comment.

How to Copy the Public Key to the Server

Ok, now that we generated the private and public keys on our local machine, we need to copy the public key to the remote server before we can use it to authenticate. Note that the private key only exists on our local machine and we never share it.

We need to copy the public key to the remote server and store it in /.ssh/authorized_keys meaning a file called authorized_keys in the ~/.ssh/ directory on the remote server.

If you currently have password-based SSH access to the remote server, and you have the ssh-copy-id utility installed on your local machine (it’s most likely installed by default) you can easily type:

ssh-copy-id username@remote_host

This command will connect to the server via SSH and prompts you for the password. After authenticating with password, the contents of your ~/.ssh/id_rsa.pub key will be appended to the end of the user account’s ~/.ssh/authorized_keys

And if you wanna copy a non-default key to the server, you can use the -i flag (input file)

ssh-copy-id -i ~/.ssh/my_key username@remote_host

Now you can SSH into the remote server without entering any passwords.

In case you don’t have password-based SSH access to the remote server, again you have to somehow create the ~/.ssh/authorized_keys file on the server and copy the public key to it.

the ~/.ssh/authorized_keys file on the server is a text file that can contain one or more public keys. Each public key is stored on one line, so if we need to have multiple public keys in the file, we can simply put each one on a new line.

Do You Need Separate Keys for Separate Servers?

No! If you prefer, you can use one SSH key for all servers you wanna connect to. In this case, you just need to copy the same public key to all of the servers, and then you’ll be able to login to all of them using your private key.

On the other hand, you can generate a new SSH key pair for each server and use separate key pairs to connect to separate servers. The choice is yours!

You can learn more about SSH here.