Securing Connections with SSH - A Comprehensive Guide
Introduction
Secure Shell (SSH) is a cryptographic network protocol widely used for secure communication over an untrusted network. I use it almost every day. This article covers the encryption principles behind SSH and its applications, then walks through installing and using SSH on Linux systems, and finally shows how to enable passwordless (key-based) login to remote hosts.
Chapter 1: Encryption Principles and Applications of SSH
1.1 Symmetric Encryption:
- After the key exchange, SSH encrypts all traffic with a symmetric cipher such as AES (or ChaCha20), using session keys that both sides derived during the handshake.
- Symmetric encryption keeps the data exchanged between client and server confidential: an attacker on the path can still capture the packets but cannot read them. A message authentication code (or an AEAD cipher mode) additionally lets each side detect tampering with the stream.
1.2 Asymmetric Encryption:
- Asymmetric cryptography (public/private key pairs) is used for authentication, and a Diffie-Hellman exchange (typically curve25519 or ECDH today) for agreeing on the session keys.
- Each private key stays with its owner. The server has a host key pair; the client records the host public key in ~/.ssh/known_hosts. A user who logs in with a key holds the private key (generated with Ed25519, ECDSA or RSA) and the server keeps only the matching public key in ~/.ssh/authorized_keys.
- Verifying the host key is what protects against man-in-the-middle attacks: the client checks the server's signature over the key exchange against the key it has on record. You can list the algorithms your client supports with ssh -Q kex, ssh -Q key and ssh -Q cipher.
1.3 Use Cases of SSH:
- Remote login: SSH enables users to securely log in to remote systems over the network.
- Secure file transfer: It facilitates the secure transfer of files between systems using utilities like SCP (Secure Copy) or SFTP (SSH File Transfer Protocol).
- Tunneling: SSH port forwarding (ssh -L for local, ssh -R for remote, ssh -D for a SOCKS proxy) carries other TCP traffic inside the encrypted SSH connection, which is useful for reaching services behind a firewall or bypassing censorship.
Chapter 2: Installing and Using SSH on Linux
2.1 Installation:
- Most Linux distributions ship OpenSSH. If it is missing, install it with the distribution's package manager (apt, yum, or dnf). For example, on Debian-based systems:
sudo apt update
sudo apt install openssh-server openssh-client
- Check the service status (the unit is called ssh on Debian/Ubuntu and sshd on RHEL-family systems):
sudo systemctl status ssh
- Start the SSH service:
sudo systemctl start ssh
- Stop the SSH service and keep it from starting at boot:
sudo systemctl stop ssh
sudo systemctl disable ssh
2.2 Configuration:
- SSH configuration files live in the /etc/ssh/ directory: sshd_config for the server and ssh_config for client defaults (per-user client settings go in ~/.ssh/config).
- Server settings such as the listening port, the permitted authentication methods, and user or group access control are set in sshd_config. After editing it, check the syntax with sshd -t before reloading the service; a typo in sshd_config can lock you out of a remote machine.
2.3 Connecting to a Remote Host:
ssh username@hostname
- Replace 'username' with the remote user's username and 'hostname' with the IP address or domain name of the remote server.
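The settings that matter most in sshd_config are the ones that decide how a user may authenticate. The script below is an added example (it is not part of the original post): it audits an sshd_config for those settings and prints a hardening drop-in. The policy table, the constructed sample config, and the drop-in path /etc/ssh/sshd_config.d/10-hardening.conf are assumptions; the stock Debian/Ubuntu sshd_config includes that directory at its top, and sshd honours the first occurrence of each keyword, which is why a drop-in loaded first wins.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: audit an sshd_config for the
# settings that matter once key-based login works, and print the drop-in that
# fixes them. Drop-in path and policy values are assumptions; check them
# against `man sshd_config` for your OpenSSH version.
set -u

# Keyword, the value we want, and OpenSSH's built-in default when the keyword
# is absent. (Older releases call KbdInteractiveAuthentication
# ChallengeResponseAuthentication.)
POLICY='PasswordAuthentication no yes
PermitRootLogin no prohibit-password
PubkeyAuthentication yes yes
KbdInteractiveAuthentication no yes
PermitEmptyPasswords no no
MaxAuthTries 3 6'

# first_value FILE KEYWORD: first effective value of KEYWORD. Ignores
# comments, accepts "Key value" or "Key=value", matches keywords
# case-insensitively, and stops at the first Match block because everything
# below it is conditional and needs a separate review.
first_value() {
    awk -v k="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        { line = $0; sub(/=/, " ", line); split(line, f) }
        tolower(f[1]) == tolower(k) { print f[2]; exit }
    ' "$1"
}

# audit_sshd_config FILE: one line per mismatch; return value = mismatch count.
audit_sshd_config() {
    file=$1 mismatches=0
    while read -r key want default; do
        [ -n "$key" ] || continue
        found=$(first_value "$file" "$key")
        note=""
        if [ -z "$found" ]; then
            found=$default note=" (default)"
        fi
        if [ "$(printf '%s' "$found" | tr 'A-Z' 'a-z')" != "$want" ]; then
            printf '%s: found=%s%s wanted=%s\n' "$key" "$found" "$note" "$want"
            mismatches=$((mismatches + 1))
        fi
    done <<EOF
$POLICY
EOF
    return "$mismatches"
}

# hardening_dropin: contents for /etc/ssh/sshd_config.d/10-hardening.conf (assumed path)
hardening_dropin() {
    printf '%s\n' "$POLICY" | awk 'NF { print $1, $2 }'
}

# sample_weak_config: a constructed sshd_config (not copied from any system).
# Note the Match block: its PasswordAuthentication no does not rescue the
# global "yes" above it.
sample_weak_config() {
    cat <<'EOF'
# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication no
MaxAuthTries 3
Match User deploy
    PasswordAuthentication no
EOF
}

# Demo: audit the constructed sample, then show the drop-in that fixes it.
cfg=$(mktemp)
sample_weak_config >"$cfg"
audit_sshd_config "$cfg" || echo "-> $? setting(s) to fix"
rm -f "$cfg"
echo "# drop-in to install, then validate and reload with:"
echo "#   sudo sshd -t && sudo systemctl reload ssh   (unit is sshd on RHEL-family systems)"
hardening_dropin
```

Run it as is to see the audit of the constructed sample; point audit_sshd_config at /etc/ssh/sshd_config to check a real server. Always run sshd -t and keep an existing session open while reloading, so a mistake in the drop-in cannot lock you out.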
Chapter 3: Implementing Passwordless Login for Remote Hosts
3.1 Generating SSH Key Pair:
- To enable passwordless login, first generate an SSH key pair on the local machine with the ssh-keygen command:
ssh-keygen -t rsa -b 4096 -C "username@user.com"
- This writes the private key to ~/.ssh/id_rsa and the public key to ~/.ssh/id_rsa.pub (with -t ed25519, the modern default choice, the files are id_ed25519 and id_ed25519.pub). Protect the private key with a passphrase when prompted; ssh-agent can cache the unlocked key so you still type the passphrase only once per session.
3.2 Copying Public Key to Remote Host:
- Next, copy the public key into the ~/.ssh/authorized_keys file on the remote host, either with ssh-copy-id or manually (append the one-line contents of the .pub file; the ~/.ssh directory must be mode 700 and authorized_keys mode 600, or sshd ignores the file):
ssh-copy-id username@hostname
3.3 Passwordless Login:
- Once the public key is in authorized_keys on the remote host, sshd challenges the client to prove possession of the matching private key, and no account password is requested.
- "Passwordless" refers to the remote account's password; the private key itself should still carry a passphrase. Once key login is confirmed to work, set PasswordAuthentication no in sshd_config so that the account password can no longer be brute-forced over the network.
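The steps above are what ssh-copy-id does for you. The script below is an added example (not part of the original post) of the manual path: it installs one public key line into authorized_keys, skips it if it is already there, and sets the permissions sshd's StrictModes requires. The sample key line is constructed for the demo and is not real key material; the directory names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: the manual equivalent of
# ssh-copy-id. sshd (StrictModes yes, the default) silently ignores an
# authorized_keys file that is group- or world-writable or sits in a
# writable ~/.ssh, and you get a password prompt instead of key login.
set -u
umask 077   # files we create are private from the start

# Constructed sample public key line (NOT a real key).
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampl alice@laptop'

# pubkey_valid LINE: true if LINE looks like "<type> <base64-blob> [comment]"
# with a key type OpenSSH accepts. Guards against pasting the private key or a
# whole file into authorized_keys.
pubkey_valid() {
    set -- $1
    [ "$#" -ge 2 ] || return 1
    case $1 in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) return 1 ;;
    esac
    printf '%s' "$2" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# install_authorized_key LINE SSHDIR [OPTIONS]
# OPTIONS is an optional authorized_keys restriction prefix, for example
#   from="10.0.0.0/8",no-agent-forwarding,no-port-forwarding   (or: restrict)
# Prints "added" or "present"; a key already installed is not duplicated and
# its existing restrictions are left as they are.
install_authorized_key() {
    keyline=$1 sshdir=$2 options=${3:-}
    pubkey_valid "$keyline" || { echo "rejected: not a public key line" >&2; return 1; }
    blob=$(printf '%s\n' "$keyline" | awk '{ print $2 }')
    ak=$sshdir/authorized_keys
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$ak" && chmod 600 "$ak"
    if grep -qF -- "$blob" "$ak"; then
        echo present
        return 0
    fi
    if [ -n "$options" ]; then
        printf '%s %s\n' "$options" "$keyline" >>"$ak"
    else
        printf '%s\n' "$keyline" >>"$ak"
    fi
    echo added
}

# authorized_key_count SSHDIR: number of key lines (comments and blanks excluded)
authorized_key_count() {
    grep -cvE '^[[:space:]]*(#|$)' "$1/authorized_keys" || true
}

# file_mode PATH: octal permission bits (GNU stat, with a BSD fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Demo in a throwaway directory standing in for the remote user's home.
home=$(mktemp -d)
install_authorized_key "$SAMPLE_PUBKEY" "$home/.ssh"
install_authorized_key "$SAMPLE_PUBKEY" "$home/.ssh"   # second run: no duplicate
echo "keys: $(authorized_key_count "$home/.ssh")," \
     "modes: .ssh=$(file_mode "$home/.ssh") authorized_keys=$(file_mode "$home/.ssh/authorized_keys")"
rm -rf "$home"
```

On a real host, run install_authorized_key with "$HOME/.ssh" as the directory while logged in as the target user (the home directory itself must also not be group- or world-writable). The optional restriction prefix is worth using for automation keys: from= limits the source addresses and restrict turns off forwarding, agent forwarding and PTY allocation for that key.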
A common use of this method is pushing commits to a GitHub repository; the workflow is similar:
ssh-keygen -t rsa -b 4096 -C "xxx@xxx.com"
# add the private key to the ssh agent (start one first with: eval "$(ssh-agent -s)")
ssh-add ~/.ssh/id_rsa
# then log in to the GitHub account and
# add the public key id_rsa.pub under Settings -> SSH and GPG keys
# check that authentication works (GitHub answers with a greeting and closes the connection)
ssh -T git@github.com
# check which remote branch the local branch tracks
git branch -vv
# look at the remote URL
git remote -v
# if the URL uses the https form, switch it to the ssh form
# (the link is shown on the GitHub repository page)
git remote set-url origin git@github.com:username/repository_name.git
# push to the remote without entering a password
git push origin
3.4 Known Hosts
~/.ssh/known_hosts is a text file that stores the host keys of the servers your computer has connected to. On the first connection to a new server the SSH client shows the host key fingerprint and asks you to confirm it (trust on first use); the key is then saved to ~/.ssh/known_hosts and checked on every later connection.
The purpose of this file is to detect man-in-the-middle attacks. If the host key of a server you have connected to before changes (for example, because the server was reinstalled, or because an attacker is impersonating it), the client prints the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning and refuses to connect.
There are legitimate cases in which a mismatch occurs: the server was rebuilt with a new key, or you connected by IP address earlier and by domain name now, so the entry was stored under a different name. Before accepting a new key, verify its fingerprint out of band (for example, run ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub on the server's console and compare it with what the client shows). Then remove the stale entry with ssh-keygen -R hostname rather than editing the file by hand; that also handles hashed entries, which cannot be found by name in a text editor.
In summary, ~/.ssh/known_hosts pins the host keys your SSH client expects, so that the servers you connect to are the ones you think they are. It protects you against impersonation of the server, not against unauthorized access to it.
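To make the file format concrete, here is an added example (not part of the original post) that looks up and retires known_hosts entries by host name, the situation you are in after a server was legitimately rebuilt. The entries are constructed with fake key material. The real tools are ssh-keygen -F host (find) and ssh-keygen -R host (remove); unlike them, this awk cannot match hashed entries (HashKnownHosts yes) and passes them through untouched.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: find and forget known_hosts
# entries by name. Sample entries are constructed; the keys are not real.
set -u

# Constructed sample. Formats shown: comma-separated names, [host]:port for a
# non-standard port, a hashed entry (|1|salt|hash), and a @cert-authority marker.
sample_known_hosts() {
    cat <<'EOF'
# constructed sample known_hosts, keys are fake
web01.example.com,203.0.113.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyWeb01FakeKeyWeb01FakeKeyWeb01Fake
[git.example.com]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQFakeRsaKeyGitFakeRsaKeyGitFakeRsaKeyGit
|1|c2FsdHNhbHRzYWx0c2FsdHNhbHQ=|aGFzaGhhc2hoYXNoaGFzaGhhc2g= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeHashedEntryFakeHashedEntryFakeHashedEntr
@cert-authority *.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeCAKeyFakeCAKeyFakeCAKeyFakeCAKeyFakeCAKey
EOF
}

# Shared awk program. The host list is field 1, or field 2 when the line starts
# with a @marker. Names may be written [host]:port. Hashed entries (|1|...)
# cannot be matched by name and are passed through as they are.
KNOWN_HOSTS_AWK='
function bare(name) { sub(/^\[/, "", name); sub(/\]:[0-9]+$/, "", name); return name }
/^[[:space:]]*#/ || /^[[:space:]]*$/ { if (mode == "forget") print; next }
{
    idx = ($1 ~ /^@/) ? 2 : 1
    if (substr($idx, 1, 3) == "|1|") { if (mode == "forget") print; next }
    n = split($idx, names, ","); keep = ""; hit = 0
    for (i = 1; i <= n; i++) {
        if (bare(names[i]) == host) hit = 1
        else keep = keep (keep == "" ? "" : ",") names[i]
    }
    if (mode == "find") { if (hit) print; next }
    if (!hit) { print; next }          # line does not mention the host
    if (keep == "") next               # host was the only name: drop the entry
    $idx = keep; print                 # other names keep the (still valid for them) key
}'

# known_hosts_find FILE HOST: print the entries for HOST; exit 1 if there are none
known_hosts_find() {
    awk -v mode=find -v host="$2" "$KNOWN_HOSTS_AWK" "$1" | grep .
}

# known_hosts_forget FILE HOST: remove HOST from FILE, leaving FILE.old as a
# backup (ssh-keygen -R keeps the same backup name)
known_hosts_forget() {
    tmp=$(mktemp) || return 1
    awk -v mode=forget -v host="$2" "$KNOWN_HOSTS_AWK" "$1" >"$tmp" || return 1
    cp "$1" "$1.old" && mv "$tmp" "$1"
}

# Demo: web01 was rebuilt and has a new host key. Its old key is stored under
# both its name and its address, so both must be forgotten; forgetting only the
# name leaves the stale key reachable via the address.
f=$(mktemp)
sample_known_hosts >"$f"
echo "before:"; known_hosts_find "$f" web01.example.com
known_hosts_forget "$f" web01.example.com
echo "still present under the address:"; known_hosts_find "$f" 203.0.113.10
known_hosts_forget "$f" 203.0.113.10
echo "remaining entries: $(grep -cv '^#' "$f")"
rm -f "$f" "$f.old"
```

The demo makes one point the warning text does not: a host key is stored under every name you used to reach the server, so after a rebuild you have to retire the IP address entry as well as the hostname entry, and verify the new fingerprint out of band before the next connection saves it.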
Conclusion
SSH stands as a cornerstone of secure communication, offering robust encryption and authentication mechanisms for remote access and data transfer. Understanding its encryption principles, installation, and utilization on Linux systems, along with implementing advanced features like passwordless login, empowers users to establish and maintain secure connections in today’s interconnected digital landscape.