Basic Knowledge Of SSH

Even if you are not an infrastructure engineer that you want to keep this knowledge :)

Introduction

Recently, the use of servers on the cloud has increased. The infrastructure department handles the preparation of the server and the settings around the network, but since the developers often deploy the apps, even engineers who are mainly involved in development need at least SSH knowledge.

Also, since VMs are sometimes created in the local environment with Vagrant etc., there are increasing cases where SSH is used in the local environment.

That’s why even if you’re not an infrastructure engineer, knowledge of SSH clients is becoming essential, so I decided to relearn SSH again.

What exactly is SSH ???

This is a protocol for securely communicating with remote computers using cryptographic and authentication technologies. SSH enables more secure communication than conventional Telnet

SSH features:

  • Communicate by encrypting passwords and data.
  • When a client connects to a server, it strictly checks that the destination is not directed to an unintended server.

SSH authentication method

The main authentication methods for SSH are password authentication and public key authentication.

Password authentication method

The password authentication method is the default authentication method, which is a method of logging in with a user name and password. For the user name and password, the information of the user account of the connection destination OS is used.

Public key authentication method

The public key authentication method is a connection method that uses two keys (key pairs), a public key and a private key. Use the public key on the server and the private key on the client. Public key authentication allows you to log in without entering a password. The password authentication method can be used unless it is explicitly disabled on the server side, but it is often disabled because it is vulnerable in terms of security.

OpenSSH

Software for using the SSH protocol, which includes both an SSH client and an SSH server. It is the de facto standard on Linux and is installed by default.
You can also install Cygwin on Windows or use it with Git Bash, which comes with Git.

OpenSSH commands:

  • ssh — Connect to the remote host with SSH and execute the command.ssh user@hostname some-command

The ssh command is used to connect to a remote host and execute commands. If the user name is omitted, the current user of the client is used. If you specify a command, after connecting to the remote host, only the specified command is executed to log out. If you omit the command, the command prompt is displayed while you are logged in to the remote host, so you can execute any command. When you want to log out exit.

Options which we can use :

  1. -i identity_file With this we Specify the private key file used for public key authentication. By default, ~/.ssh/id_rsa
  2. -F configfile With this we specify the configuration file. By default ~ /.ssh/config
  3. -p With this we specify the port number. By default is 22
  • scp — Transfer files to and from a remote host using SSH.

The scp command is a command that uses SSH to transfer files to and from a remote host.

Example:

  1. Copy file from Client to remote host scp example-file1 user@hostname:/tmp/example
  2. Copy file from the remote host to temp dir on the client scp user@hostname:/tmp/example-file1 user@hostname:example-file2 /tmp
  • ssh-keygen — Generate a key pair to be used in public key authentication method.

Example:

vagrant@vagrant:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/vagrant/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/vagrant/.ssh/id_rsa.
Your public key has been saved in /home/vagrant/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:c/9hFymYOr/jvTgL6a3XceUqky5sMdPpoRLxYKRLdFs vagrant@vagrant
The key's randomart image is:
+---[RSA 2048]----+
| |
| . o E |
| . + o |
| o = o o|
| . oS+.+ o +.|
| . .oB.+...o|
| B *oo=..|
| o X+B+.o |
| =+X*=o |
+----[SHA256]-----+
  • ssh-copy-id — A command to register a public key with a remote host. It may not be installed depending on the environment.

Example:

vagrant@vagrant:~$ ssh-copy-id -i /home/vagrant/.ssh/id_rsa vagrant@192.168.123.124
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/vagrant/.ssh/id_rsa.pub"
The authenticity of host '192.168.123.124 (192.168.123.124)' can't be established.
ECDSA key fingerprint is SHA256:noT+k/x3K1OapP+ggWtZ1NR8jiBpg/z9/N/R7ArJo2s.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
vagrant@192.168.123.124's password:
Number of key(s) added: 1Now try logging into the machine, with: "ssh 'vagrant@192.168.123.124'"
and check to make sure that only the key(s) you wanted were added.

If you cannot use ssh-copy-id, use the ssh command to connect to the remote host and add the public key to authorized_keys

Example:

vagrant@vagrant:~$ cat /home/vagrant/.ssh/id_rsa.pub | ssh vagrant2 'cat >> /home/vagrant/.ssh/authorized_keys; chmod 600 /home/vagrant/.ssh/authorized_keys'
The authenticity of host 'vagrant2 (192.168.123.124)' can't be established.
ECDSA key fingerprint is SHA256:noT+k/x3K1OapP+ggWtZ1NR8jiBpg/z9/N/R7ArJo2s.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'vagrant2' (ECDSA) to the list of known hosts.
vagrant@vagrant2's password:

⚠️ authorized_keys is a file that registers multiple public keys, so write it in additional mode so as not to erase the existing information. If you connect with the ssh command after registering the public key on the server, you will be able to log in without being asked for the password, but If you have set a passphrase, you will be asked for the passphrase.

Files in ./ssh directory

  • authorized_keys -A server-side file that registers the public key that allows the connection.
  • config — A file to write SSH connection information.
  • id_rsa — Private key generated by ssh-keygen.
  • id_rsa.pub — Public key generated by ssh-keygen.
  • known_hosts — A server that you have connected to in the past.

If we use OpenSSH, the files inside .ssh/ can only be used in mode 600 (read/write only by the user).

SSH config

Since SSH connection information can be defined in, you can omit the ssh command option or set information that cannot be specified by the command line option.

Example:

Multi-stage SSH connection

Sometimes we need to connect to the work target machine from the machine you are currently using, there are cases where you have to go through a certain server.

Such servers that must be routed are called like:

  • Stepping stone servers,
  • SSH gateways,
  • SSH proxies.

In typical way when connecting to the work target server via SSH via the bastion server first connect to the bastion server with the ssh command, and then connect to the work target server with the ssh command just like below:

Example:

vagrant@vagrant:~/ ssh vagrant@vagrant2
vagrant@vagrant2:~/ ssh vagrant@vagrant3
vagrant@vagrant3:~/

We can say so this connection method is troublesome because the command is executed twice, and the private key is placed on the bastion server, which is not very preferable in terms of security.

In this case, if you set the multi-stage SSH connection information inside /.ssh/config, you can connect with a single command without having to put the private key on the bastion server.

Example:

If we need more bastion servers, we can add them no problem :)

Source: https://giphy.com/

DevOps Consultant. I’m strongly focused on automation, security, and reliability.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store