SSH is used to access the command line on a different (remote) computer.
The only required argument for the ssh command is the IP (or domain name) of the computer we want to access.
ssh 192.168.1.13
ssh will use the same username you are logged in as on your computer. If you want to use a different username you can specify it before the IP address with an @ sign in between, just like an email address.
ssh username@192.168.1.13
After running the command, ssh will connect to the computer and ask you for your password. SSH always uses the same credentials for logging in as the system users on the remote machine. So if there is a user on that computer, you can log in with its username and password. There is no way to change ssh login credentials without changing the user’s password as well. To change the user password you can run passwd once logged in.
By default you can’t log in as root. You can log in as another user and use the su command, or run privileged commands with sudo, if that user is in the sudo group. To log in as the root user directly, you need to set up ssh keys.
At first, encryption was made to hide information by using a secret key. The person encrypting the data knew the key that was needed for decryption. This is called symmetric encryption, since the same key is used for both encrypting and decrypting.
This is how it was for thousands of years and that was no problem, since the person encrypting the data knew the data they were encrypting anyway and shared the encryption key prior to sending the data. However, with the invention of the Internet, we needed a new way to encrypt data between people who don’t know each other. This is achieved by encrypting the data with one key that is publicly shared and known to all, while it is decrypted with another key that is kept private by the person decrypting it. This is called asymmetric encryption and is the basis for secure communication on the Internet.
We can also use the private key to encrypt and the public key to decrypt the data, but since everyone knows the public key, anyone can decrypt it. However, this can be used as proof of owning the private key. We do this by sending the unencrypted data together with the same data encrypted with the private key. Anyone can decrypt the encrypted copy and check whether it matches the unencrypted data. If it does, we know it was encrypted with the private key related to the public key we used to decrypt it.
We call this a “digital signature” and it is what ssh uses for authentication with keys.
When connecting to a computer over ssh for the first time, ssh will show us the fingerprint of the server’s public key and ask us if that is the correct key. To be honest, nobody verifies the key the first time, so everyone just types yes. However, if it changes later, something might be wrong, and it might be dangerous to continue connecting if you are not also using ssh keys to connect: if you type your password, a server pretending to be yours could steal that password.
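The three situations ssh distinguishes on connect (first contact, same key as before, key changed) shown as an added Python example that is not part of the original text. The known_hosts content and the host keys are constructed placeholders, not real keys; the file layout (host aliases, key type, base64 key) and the SHA256 fingerprint format are the real ones.

```python
import base64
import hashlib

# Constructed host keys: real entries hold a base64 key blob, these are base64 of
# placeholder bytes so the example runs offline.
KEY_A = base64.b64encode(b"constructed-host-key-A").decode()
KEY_B = base64.b64encode(b"constructed-host-key-B").decode()

# Constructed known_hosts contents in the real file's layout:
# "<host>[,<alias>...] <key type> <base64 key> [comment]"
KNOWN_HOSTS = f"""\
# comment lines and blank lines are ignored
192.168.1.13,server1 ssh-ed25519 {KEY_A}
"""


def parse_known_hosts(text):
    """Map (host, key type) -> base64 key. Hashed entries (HashKnownHosts, lines
    starting with '|1|') and @cert-authority/@revoked markers are skipped here."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@|":
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        hosts, key_type, key = parts[0], parts[1], parts[2]
        for host in hosts.split(","):  # one line can name several aliases
            entries[(host, key_type)] = key
    return entries


def fingerprint(key_b64):
    """Same form ssh prints: SHA256 of the raw key blob, base64 without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(entries, host, key_type, presented_key):
    """Classify the key a server presents on connect.

    'unknown' -> first contact, ssh asks you to confirm the fingerprint
    'match'   -> same key as last time, connection proceeds silently
    'changed' -> different key for a known host: stop and find out why before
                 typing a password, this is the case the text warns about
    """
    stored = entries.get((host, key_type))
    if stored is None:
        return "unknown"
    if stored == presented_key:
        return "match"
    return "changed"


if __name__ == "__main__":
    known = parse_known_hosts(KNOWN_HOSTS)
    for host, key in (("192.168.1.13", KEY_A), ("server1", KEY_B), ("10.0.0.7", KEY_A)):
        print(host, fingerprint(key), check_host_key(known, host, "ssh-ed25519", key))
```

A legitimate reason for "changed" is a reinstalled server; the way to tell that apart from an impostor is to get the fingerprint from the server itself (ssh-keygen -l on its host key) over some channel you already trust, not to answer the prompt from memory.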
We can transfer files between computers using ssh, by running the scp and sftp commands.
sftp takes the same arguments as ssh, for example:
sftp user@192.168.1.13
It asks for a password and logs in to the remote machine, but instead of giving a shell (command line) it displays a special command environment.
The sftp command line allows the use of some of the regular Linux commands, like cd, mkdir, ls, rm, etc. All of these commands are run on the remote machine you are connected to.
The sftp cli (command line interface) also supports running commands on the local machine, by prefixing them with the letter “l” (local). For example, lcd, lmkdir, lls, etc.
scp only copies files from one computer to the next (or even on the same computer). It takes arguments like the cp command, but it also supports prefixing the file paths with an IP address and :.
Example:
scp file.txt 192.168.1.13:/etc/file.txt
The IP address can also be prefixed with the username. Example:
scp user@192.168.1.13:/etc/hosts hosts.backup
scp is useful for scripting, since you can copy files in one command.
sftp is more useful for manual file transfer, since you can run multiple commands once you log in.
Both use the ssh config files and some common ssh arguments as well.
We can generate public and private ssh keys by running ssh-keygen.
ssh-keygen will ask where to store the public and private keys. It will create a private key (also called an identity file) in the specified location.
The public key will be placed in the same directory as the private key, with .pub added to the end of the file name.
It will also ask you for a password (passphrase) with which it will encrypt the private key, so that it isn’t stored on your computer in plain text. This is a security feature in case your computer gets hacked or stolen. It is optional and you don’t need to set any password if you want to log in quicker; otherwise you will need to type your password every time you ssh into a remote machine (there are some ways around this).
We can place the public key in the authorized_keys file in the .ssh directory in the user’s home folder on the remote computer. This will allow us to log in with the private ssh key as that user. The .ssh folder is not created by default; you will need to create it yourself or simply try to log in to some server from that account and it will be created for you.
Note: Don’t be confused by the known_hosts file in the .ssh folder. It just stores the public keys of ssh servers you previously connected to.
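The authorized_keys step above, as an added Python example that is not part of the original text: it creates the .ssh folder if missing, appends a public key line once (a second install of the same key with a different comment or a leading options field is ignored), and sets the modes sshd expects. The public key line in the demo is a constructed placeholder, not a real key; the file layout (optional options field, key type, base64 blob, comment) is the real one.

```python
import os
import stat
import tempfile

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of the key type token


def key_material(line):
    """Return (type, base64 blob) from a public key line, skipping a leading options
    field such as from="..." or command="..." and any trailing comment.
    Assumes the options field contains no whitespace (quoted spaces are not handled)."""
    parts = line.split()
    for i, token in enumerate(parts[:-1]):
        if token.startswith(KEY_TYPES):
            return parts[i], parts[i + 1]
    return None


def install_authorized_key(home, pubkey_line):
    """Add one public key to home/.ssh/authorized_keys and return the key count.

    Idempotent (the same key is never added twice) and enforces 0700 on .ssh and
    0600 on the file: with sshd's default StrictModes, looser permissions make the
    server ignore the file and you get the password prompt instead of key login.
    """
    new_key = key_material(pubkey_line)
    if new_key is None:
        raise ValueError("not a public key line: %r" % pubkey_line)
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, stat.S_IRWXU)  # 0700, set explicitly so umask cannot widen it
    path = os.path.join(ssh_dir, "authorized_keys")

    existing = []
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            existing = [l.strip() for l in fh if l.strip() and not l.startswith("#")]
    present = any(key_material(l) == new_key for l in existing)
    if not present:
        with open(path, "a", encoding="utf-8") as fh:
            fh.write(pubkey_line.strip() + "\n")
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # 0600
    return len(existing) + (0 if present else 1)


def demo():
    """Install a constructed key twice into a throwaway home directory.
    Returns (count after first install, count after second, .ssh mode, file mode)."""
    home = tempfile.mkdtemp()
    # Constructed public key line (placeholder blob, not a real key), in the layout
    # ssh-keygen writes to mykey.pub.
    line = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYBLOB user@laptop"
    first = install_authorized_key(home, line)
    second = install_authorized_key(home, 'from="192.168.1.0/24" ' + line)  # same key
    dir_mode = stat.S_IMODE(os.stat(os.path.join(home, ".ssh")).st_mode)
    file_mode = stat.S_IMODE(os.stat(os.path.join(home, ".ssh", "authorized_keys")).st_mode)
    return first, second, dir_mode, file_mode


if __name__ == "__main__":
    print(demo())  # (1, 1, 448, 384), i.e. modes 0o700 and 0o600
```

The ssh-copy-id tool that ships with OpenSSH does the same job over an existing password login; the point of the example is the two checks it performs (no duplicate entries, correct permissions), which are the usual reasons a freshly added key “doesn’t work”.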
If the keys are generated in the default location, ssh will try to use them when connecting to any remote server. Otherwise you can specify the key location with the -i argument. For example,
ssh -i ~/.ssh/mykey root@192.168.1.12
By default, root can log in with an ssh key, but not with a password. This can be changed in the /etc/ssh/sshd_config file by editing the PermitRootLogin value to yes (or no if you want to disable it completely).
On some Linux distros, like Arch, you also need to run the ssh-add command before logging in with the key and specify the path of your key. For example, ssh-add ~/.ssh/mykey.
You can also use the ssh-add -t 3600 ~/.ssh/mykey command to load your private key into RAM (the ssh agent) for 3600 seconds (1 hour). This is useful if your private key is password protected and you don’t want to type it every time you log in to a server during that hour. It is even more useful when using proxy jump, so that you don’t have to type your password twice while connecting to a single server.
Sometimes we have multiple servers on one network and we can only access one from outside. This is commonly the case, since in order to be able to ssh into a server we need to port forward to port 22, on which the ssh server is listening by default. If we have multiple servers, we would need to port forward all of them and use different ports to access them from the Internet. Instead, we can log in to one machine and jump to the other ones from inside the network.
Since we get a shell, we can just run ssh from the first server to log in to the other, but this is not secure. That server could be hacked, and by typing our password there to log in to the other server, we could leak our password or private key from the first server.
This is why ssh has an option to pass through one server and use it as a simple proxy, kind of like a port forward, just to establish a connection to the other server. This way we can keep all the credentials confidential while jumping through different servers.
To use the proxy jump option we use the -J argument. For example:
ssh -J user@example.org root@192.168.1.3
In this example we are connecting first to the ssh server on the example.org domain and proxying our connection through it, so that we connect as root at 192.168.1.3 inside the same network.
Note that if you use the -i argument to specify your private key, it will only be applied to the second server. To use an ssh key to log in to the first server we either need to store the key file under the default path in our .ssh folder or set up a specific configuration for that key.
ssh has different files where it stores configuration. The system-wide configuration is in /etc/ssh/ssh_config, but there is also a user-specific configuration file in the .ssh folder in your home directory.
The config file is not created in .ssh by default; you can create it yourself. The config file needs to be called config.
Note: Don’t be confused by the sshd_config file in /etc/ssh; it stores configuration for the ssh server, while the ssh_config file is for the ssh client.
We can configure how ssh connects to remote servers by adding a Host servername line for every server we want to configure and adding configuration options for that server below that line.
All options are prefixed with two spaces, in other words, they are indented by two spaces. For example:
Host server1
  Hostname example.org
  User root
  IdentityFile /home/user/.ssh/mykey
Host server2
  Hostname 192.168.1.3
  User bob
  IdentityFile /home/user/.ssh/mykey
  ProxyJump server1
In this example, ssh is configured so that we can connect to the ssh server at the domain example.org by typing ssh server1. Typing the name specified in the Host line triggers the configuration written in the block below it, so we will log in as root and use the private key in /home/user/.ssh/mykey.
In some distros, for the path of your key file in the IdentityFile option you will need to write the full path like in the example. Using ~ as a reference to the home folder might not work.
When we type ssh server2 with this configuration example, we will jump through server1, as defined by the ProxyJump option.
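How ssh turns an alias like server2 into a connection, as an added Python example that is not part of the original text. It parses a config in the layout shown above, resolves the options for an alias the way ssh does (every matching Host block contributes, and for each option the first value seen wins), and follows ProxyJump to list the hops in order. It goes slightly beyond the page’s example by adding a wildcard Host * block, which is why that block sits last in the file. The config string is constructed for the demo; ssh itself reads ~/.ssh/config.

```python
import fnmatch

# Constructed client config in the page's layout, plus a catch-all block at the end.
CONFIG = """\
Host server1
  Hostname example.org
  User root
  IdentityFile /home/user/.ssh/mykey

Host server2
  Hostname 192.168.1.3
  User bob
  IdentityFile /home/user/.ssh/mykey
  ProxyJump server1

# defaults for everything else: placed last because the first value seen wins
Host *
  User alice
  Port 22
"""


def parse_config(text):
    """Return [(host patterns, {option: value}), ...] in file order.
    Only the 'Option value' form is handled, not 'Option=value' or Match blocks."""
    blocks = []
    options = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()  # option names are case-insensitive (Hostname/HostName)
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            options = {}
            blocks.append((value.split(), options))
        elif options is not None:
            options.setdefault(key, value)
    return blocks


def resolve(blocks, alias):
    """Options ssh would use for 'ssh alias'. Host patterns support * and ? globs
    (negated '!' patterns are not handled here)."""
    opts = {}
    for patterns, block in blocks:
        if any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            for key, value in block.items():
                opts.setdefault(key, value)  # first value wins, later blocks fill gaps
    opts.setdefault("hostname", alias)  # no Hostname line: the alias is the address
    return opts


def jump_chain(blocks, alias, _seen=()):
    """Follow ProxyJump entries and list the hops in connection order as user@host."""
    if alias in _seen:
        raise ValueError("ProxyJump loop at " + alias)
    opts = resolve(blocks, alias)
    chain = []
    jump = opts.get("proxyjump")
    if jump and jump.lower() != "none":
        for hop in jump.split(","):  # "a,b" means via a, then via b
            chain.extend(jump_chain(blocks, hop.strip(), _seen + (alias,)))
    chain.append("%s@%s" % (opts.get("user", "<local user>"), opts["hostname"]))
    return chain


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    print(resolve(cfg, "server1"))
    print(" -> ".join(jump_chain(cfg, "server2")))  # root@example.org -> bob@192.168.1.3
```

Because the first value seen wins, a Host * block placed at the top of the file would force User alice onto server1 and server2 as well; keeping defaults at the bottom is the usual convention for exactly this reason.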
ssh uses port 22 by default; you can specify a different port to log in to with the -p option or the Port option in the config file. To change the port the server is listening on you need to change the Port option in the sshd_config file. Some people change the port for security reasons, but this is just security through obscurity, which is usually quite pointless and adds unnecessary complexity. A regular port scan will reveal any open ssh server ports anyway.
ssh uses the TCP transport protocol and it works well with Tor. You can run torsocks ssh user@example.org to proxy your ssh connection over Tor. This is often useful when you set up a Tor onion service, in case your router or port forwarding settings fail and you get locked out. Onion services are outgoing connections as far as your router is concerned, as they connect to the Tor network.