Secure SHell (SSH) is the most common communication protocol used between Linux machines. It is based on constructing a fully encrypted tunnel from client to server, and typically provides access to a shell on the remote machine.
In former times, Remote SHell (RSH) and telnet was popular, but it explicitly doesn't allow encryption, so is falling more and more out of favour. If you're using either of these protocols, be aware that everything you transmit across this is completely exposed, and quite able to be not only captured, but spoofed under certain circumstances.
SSH is based on the concept of asymmetric key encryption. Assuming the keys are long enough, this allows you to be sure that not only your connection is secure, but you're talking to the right machine with no interception. Let's look at how to use it.
On a Linux machine, an ssh client is typically already installed. Bring up a terminal and type 'ssh'. You should see a usage screen - if not, something's wrong, and you probably need to install it. I'd suggest something using repos. On Windows, you're best off using PuTTY as a client, and finding a different howto - this will only cover Linux connections.
Once you have a machine to connect to, you can merely:
And if this is the first time you've connected to this machine, you'll be asked if you want to accept the fingerprint of it. This fingerprint is coming from the servers private key, and uniquely identifies it - should this ever fail, be very suspicious - you might have someone trying to spoof your machine.
Now you should be presented with a password prompt. Already by this point the connection is encrypted (typically via Diffie-Hellmann key exchange), and so your password is safe to transmit. Once you've got it right, you should be presented with a shell on the remote machine, something like:
Congratulations, you've made your first connection.
To speed this up, you can elect to create a private key that can be used in place of your password. This is often substantially more secure as passwords are more easy to break, but a private key is much longer and more technically challenging. On some systems (e.g. using Git) you may not have a password that you can log in with, so you must create a private/public key pair.
Thankfully, on most modern OSes this is relatively painless. Use the command:
To get a guided tour of creating a key. It's usually a good idea to password lock keys that might fall out of your hands at any point, otherwise you'll be running around and revoking them everywhere.
Once you've created a key, you should now have two new files:
- ~/.ssh/id_rsa (or ecdsa, or ed25519)
- ~/.ssh/id_rsa.pub (or ecdsa, or ed25519)
(where ~ is your home directory) These files are stored in base64, so it's possible to read them as text files. The id_rsa file is very important to keep safe, but the id_rsa.pub file is your pubkey - this can be shared freely, and uniquely identifies that you control the associated private key.
We can use this to do passwordless ssh. Use:
And your pubkey will get copied in to a special file called ~/.ssh/authorized_keys in your remote home directory. This is the default location that sshd looks to see if you can do pubkey auth. Now, your ssh connections will instantly connect and give you a shell, no password needed.
The SSH protocol is useful for more than just remote shells - you can also use it to transfer files. SFTP is an FTP-like interface for SSH, and SCP is Secure Copy, a replacement for RCP (from RSH). rsync is a great tool for copying files, and defaultly uses SSH as its backend protocol. Also, git can use SSH for its connections to remote repos.
SSHfs is a FUSE filesystem for Linux that allows you to mount a remote filesystem over SSH onto your local one. Install it using your preferred repo manager, and then use it like so:
sshfs myid001@remote_machine.example.com:/path-to-mount/ /path/to/my-mount-point/
It will then prompt you for your password (Or, if you're using private keys, your key password), and then exit to the background, presenting you with a remotely accessible mount. Note that the folder must already exist on the filesystem before you can attempt to mount there, and it will fail (by default) if it is not empty. As you've provided your username when logging in, all file access is performed by default as that user, but there are options for adjusting this if desired as noted in the man page.
To remove the remote filesystem:
fusermount -u /path/to/my-mount-point/
And the folder will return to normal.
Tired of typing 'firstname.lastname@example.org' all the time? There's a special file to automate this - ~/.ssh/config. Edit or create this file, and you can automate all SSH connections (even for Git and rsync!). For example:
Host * ConnectTimeout 5 User myid001 Host myfavouritemachine Hostname machine.wurnet.nl
Now you never need to specify 'myid001@' before your connections - all outgoing SSH calls automatically will be made as that user. Also, you can now 'ssh myfavoutitemachine' and get connected to machine.wurnet.nl.