SSH basic task
nurfitri •SSH
SSH (Secure Shell) is a network protocol that lets us operate over a network securely. It allows us to log in to a remote server through an encrypted tunnel, and it can also be used for remote command-line execution and remote file transfer. It replaces the less secure Telnet protocol, which transmits everything in plaintext.
Shell
A shell is a text-based computer program that provides an interface for the user to execute commands on the operating system and see the operating system's output. Bash and zsh are two of the shells that let us interact with our system through text-based commands.
jun@b:~$ bash --version
GNU bash, version 5.0.17(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
A shell is a very efficient way of managing a remote system, as its text-based nature requires little data transfer. To securely manage a remote headless server, we need an SSH service running on the server and an SSH client program on our machine. The most commonly used SSH implementation is OpenSSH.
Installing OpenSSH
Most cloud-based Linux images already have an SSH service installed; if not, we can install it using our Linux distribution's package manager.
On Ubuntu-based systems we can use the following command.
jun@server:~$ sudo apt update && sudo apt install openssh-server
On other Linux systems such as Red Hat, CentOS or Fedora we can use the dnf package manager; on Arch Linux we can use pacman.
Managing the sshd daemon
We can manage our SSH service using systemctl. To check whether the service is running, we use
jun@server:~$ systemctl status sshd
To start the service we use,
jun@server:~$ systemctl start sshd
To stop the service we use,
jun@server:~$ systemctl stop sshd
To enable the SSH service at system boot we use enable; to turn that off again we use disable.
jun@server:~$ systemctl enable sshd
By default, the SSH service listens on TCP port 22. We might need to update our firewall rules to allow access to that port. On Ubuntu-based systems, we can use ufw to manage the firewall.
We can check whether our firewall is up and running using,
jun@server:~$ sudo ufw status
If the firewall is inactive, we could just leave it that way, because it will not block any connection, including our SSH connection.
But doing this makes our server less secure. So in this example, I will enable the firewall and open port 22 for our SSH connection.
To enable the firewall on our server we write,
jun@server:~$ sudo ufw enable
Then, we can allow SSH using the following command.
jun@server:~$ sudo ufw allow ssh
We can check the status again using
jun@server:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
SSH config
The default config file for our SSH server is
/etc/ssh/sshd_config
For the SSH client the default config file is
/etc/ssh/ssh_config
To configure our SSH server, we can make changes to the sshd_config file, or we can create new config files inside the /etc/ssh/sshd_config.d/ directory.
We can name the file anything, but it is advisable to use the <number><string>.conf combination, as sshd includes these files in the sorted order of their filenames.
Naming our file 01portsetting.conf will include it first. If we also have 02portsetting.conf and both files contain a configuration for Port, only the topmost included setting is applied, which is the one from 01portsetting.conf; the second is ignored.
It is therefore important to name our files according to their priority.
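To see this first-value-wins rule without touching a live server, here is an added example that is not part of the original post: a small POSIX shell script that walks a constructed sshd_config.d directory in the same sorted order sshd's Include glob uses and reports which file's value takes effect for a keyword. One caveat from the sshd_config man page: Port is one of the few keywords sshd allows to repeat (it then listens on every listed port), so the constructed files below use PasswordAuthentication, which really is single-valued. The directory, file names and contents are all made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Emulates how sshd resolves a
# keyword that is set in several drop-in files: the stock sshd_config starts
# with "Include /etc/ssh/sshd_config.d/*.conf", the glob expands in sorted
# order, and for single-valued keywords the FIRST value read is kept and every
# later one is ignored.

# Print the value KEYWORD takes in FILE, or nothing if FILE does not set it.
# Keywords are case-insensitive; comment and blank lines are skipped.
value_in_file() {
    awk -v kw="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(kw) { print $2; exit }
    ' "$2"
}

# Print "FILE VALUE" for the first *.conf file in CONFDIR (sorted order) that
# sets KEYWORD. Returns 1 if no file does, meaning the sshd default applies.
effective_setting() {
    keyword="$1"; confdir="$2"
    for f in "$confdir"/*.conf; do   # a shell glob expands in sorted order, like sshd's Include
        [ -f "$f" ] || continue
        value=$(value_in_file "$keyword" "$f")
        if [ -n "$value" ]; then
            printf '%s %s\n' "$(basename "$f")" "$value"
            return 0
        fi
    done
    return 1
}

# Build a constructed sshd_config.d directory: two drop-ins that disagree on
# PasswordAuthentication, plus a file the *.conf glob never includes.
make_demo_dir() {
    d=$(mktemp -d)
    printf 'PasswordAuthentication no\n' > "$d/01hardening.conf"
    printf 'PasswordAuthentication yes\nMaxAuthTries 3\n' > "$d/02legacy.conf"
    printf 'PasswordAuthentication yes\n' > "$d/notes.txt"
    printf '%s\n' "$d"
}

# Stand-alone run: which file wins for each keyword?
main() {
    d=$(make_demo_dir)
    for kw in PasswordAuthentication MaxAuthTries PermitRootLogin; do
        if setting=$(effective_setting "$kw" "$d"); then
            echo "$kw  <- $setting"
        else
            echo "$kw  <- not set in any drop-in, sshd default applies"
        fi
    done
    rm -rf "$d"
}

main
```

On a real server the same question is answered by sudo sshd -T | grep -i passwordauthentication, which prints the effective value after all includes are processed, and sudo sshd -t reports syntax errors before we restart the service. Running both before systemctl restart sshd, while a second session is still open, avoids locking ourselves out.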
We can perform various other configurations by looking at the sshd_config man page.
jun@server:~$ man sshd_config
Authentication config basics
A few authentication settings we can change for our sshd server:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PasswordAuthentication yes
#PubkeyAuthentication yes
#AllowUsers jun user2 amir amal
#DenyUsers james john weirduser
#AllowGroups admins developers
#DenyGroups finance sales
- LoginGraceTime sets how long a client has to supply its password, counted from the moment the server asks for it.
- PermitRootLogin, if uncommented, uses the prohibit-password value, which allows root to log in via SSH but prohibits password authentication for root; root must then log in by another method, such as a public key. Most systems will probably set this to no.
- MaxAuthTries is the number of failed password attempts a client is allowed before it is disconnected.
- MaxSessions is the maximum number of sessions a user can have open at the same time.
- PasswordAuthentication: changing this value to no blocks password-based authentication to our server.
- PubkeyAuthentication: uncommenting this lets us use public-key authentication instead of password-based authentication.
- AllowUsers lets us permit only the listed users to authenticate via SSH to our server.
- DenyUsers denies the listed users from authenticating via SSH.
- AllowGroups allows users from the listed groups.
- DenyGroups denies users from the listed groups.
User access
We can also change our configuration file to only allow specific IP addresses to authenticate to our SSH server. We can achieve this using the Match keyword.
# password auth is only allowed from the local 192.168.1.0/24 network
Match Address 192.168.1.0/24
    PermitRootLogin prohibit-password
    PasswordAuthentication yes
We can also set authentication configuration for specific users.
# only jun and nur can log in from any address,
# but not using a password, only with the public key method
Match User jun,nur Address *
    PasswordAuthentication no
    PubkeyAuthentication yes
After making changes to our config file, we restart the sshd service to apply them.
jun@server:~$ systemctl restart sshd
Basic SSH client
To connect to the SSH server from our client machine, we use the ssh <username>@<address> command. Let's say on our SSH server there is a user named nur, and our server address is 192.168.1.3.
jun@client:~$ ssh nur@192.168.1.3
nur@192.168.1.3's password:
If PasswordAuthentication is enabled, we will be prompted for a password. We can start typing it, but it will not appear on the screen. Once we are confident the password is correct, we press <Enter> and notice that our shell prompt changes from jun@client:~$ to nur@server:~$, which means we have successfully created a session.
To close the SSH connection, we can simply close our terminal or type exit in the terminal.
Though SSH is more secure than Telnet, it is advisable not to use PasswordAuthentication and to use PubkeyAuthentication instead whenever we authenticate with our server.
PubkeyAuthentication explained
This authentication method uses a cryptographic key pair made up of a private key and a public key. The public key is usually the key we send to other people so they can encrypt information for us, and we use our private key to decrypt it.
With this method, we generate the key pair on the client machine, copy the public key to the server and keep the private key to ourselves. Whenever we try to authenticate to the server, the server checks whether our public key is already in its list.
If we are in the list, the server challenges us by encrypting a server-generated value with our public key. If we are indeed the owner of that public key, we hold the matching private key and can decrypt the challenge. We decrypt it and send the result back to the server, which verifies that we were able to decrypt the challenge it sent.
This happens automatically, which gives us both more security and more convenience, as we don't need to retype our password every time we authenticate to our server.
Generate our Authentication Key
On our client machine, we first need to generate our key pair using ssh-keygen, pressing Enter to accept the default options.
jun@client:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jun/.ssh/id_rsa):
If we want more than one SSH key, we can give the file a name of our choosing instead of the default id_rsa; in this example I named it jun_ssh_vm_server_rsa and pressed <Enter>.
jun@client:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jun/.ssh/id_rsa): /home/jun/.ssh/jun_ssh_vm_server_rsa
It will then ask for a passphrase for our key. We can leave it empty (the default) if we want. If we set a passphrase, we might be asked to enter it whenever our private key is used.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/jun/.ssh/jun_ssh_vm_server_rsa
Your public key has been saved in /home/jun/.ssh/jun_ssh_vm_server_rsa.pub
The key fingerprint is:
SHA256:zxrk0IqzlZIDzjlBrWsEmgkAq0Ix5P2prNzdYWzORkB jun@client
The key's randomart image is:
+---[RSA 3072]----+
|=+ E             |
|o.=.             |
|+o.o.            |
|==... .          |
|* =. o S         |
|.+.=o. =         |
| B++++ =         |
| .+.**o*         |
| ..+=*o.o        |
+----[SHA256]-----+
After we hit <Enter> and the keys are generated, we are told that our public key has been saved in /home/jun/.ssh/jun_ssh_vm_server_rsa.pub, the file with the .pub extension.
Sharing Our Public Key
If we already have access to the server using PasswordAuthentication, we can simply copy the key to the server using the ssh-copy-id command. It automates appending our public key to the ~/.ssh/authorized_keys file on the server.
jun@client:~$ ssh-copy-id -i ~/.ssh/jun_ssh_vm_server_rsa.pub nur@192.168.1.3
After the key has been transferred, we can change the PasswordAuthentication setting to no so that only the public-key method is accepted.
If we don't have access to the server, we can contact the server administrator and send them our .pub public key to be added to the authorized_keys list. Never share your private key; only share the public key, as it is the one meant to be shared with others.
Security notes
If our client machine is somehow compromised, or our private key is stolen, we need to generate a new key pair and remove the old public key from the server's authorized_keys list.
Make sure the authorized_keys file has proper permissions. An attacker who can edit another user's authorized_keys file can add their own public key to it and simply log in as that user, jumping from one account to another. Imagine if the root user's authorized_keys permissions were not set properly.
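The two notes above translate into two routine checks on the server side. The following POSIX shell script is an added example, not code from the original post: audit_ssh_perms flags files under a .ssh directory whose mode is looser than OpenSSH expects (this is also the quickest explanation when StrictModes silently refuses a login), and revoke_pubkey removes one public key from an authorized_keys file after its private key has been lost. It assumes GNU or busybox stat -c; the key blobs used in the stand-alone run are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not from the original post: defender-side helpers for the
# "security notes" above.
#   audit_ssh_perms DIR        list files under a .ssh directory whose mode is
#                              looser than OpenSSH wants; exit status = count
#   revoke_pubkey FILE PUBKEY  drop one public key from an authorized_keys file
# Assumes GNU/busybox `stat -c`. Sample keys are constructed placeholders.

# Keep the last three octal digits of a mode ("1700" -> "700").
last3() { p="$1"; printf '%s\n' "${p#"${p%???}"}"; }

# Succeed when the group or other digit of a three-digit mode has the write bit.
group_or_world_writable() {
    case "${1#?}" in
        *[2367]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per problem; the exit status is the number of problems found.
# Expected: directory 700; authorized_keys, config and known_hosts not writable
# by group/other (600 is the usual choice); everything else is assumed to be a
# private key and must be readable by the owner only.
audit_ssh_perms() {
    dir="$1"; problems=0
    perm=$(last3 "$(stat -c '%a' "$dir")")
    if [ "$perm" != "700" ]; then
        echo "$dir: mode $perm, expected 700"; problems=$((problems + 1))
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        perm=$(last3 "$(stat -c '%a' "$f")")
        case "$f" in
            *.pub)
                ;;                       # public halves may be world-readable
            */authorized_keys|*/config|*/known_hosts)
                if group_or_world_writable "$perm"; then
                    echo "$f: mode $perm is group/world writable, expected 600"
                    problems=$((problems + 1))
                fi ;;
            *)                           # anything else is treated as a private key
                case "$perm" in
                    600|400) ;;
                    *) echo "$f: mode $perm, private keys must be 600"
                       problems=$((problems + 1)) ;;
                esac ;;
        esac
    done
    return "$problems"
}

# Remove every line of FILE whose key type and base64 blob equal those in
# PUBKEY. Options before the key and the comment after it are ignored, so a
# line 'no-pty ssh-rsa AAAA... laptop' is matched by 'ssh-rsa AAAA...'.
# Writes through a temp file so a failed write never truncates the original.
# Prints the number of lines removed.
revoke_pubkey() {
    file="$1"
    blob=$(printf '%s\n' "$2" | awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i + 1); exit }
    }')
    [ -n "$blob" ] || { echo "revoke_pubkey: no key found in argument" >&2; return 2; }
    before=$(wc -l < "$file")
    tmp=$(mktemp)
    awk -v blob="$blob" '{
        keep = 1
        for (i = 1; i < NF; i++) if (($i " " $(i + 1)) == blob) keep = 0
        if (keep) print
    }' "$file" > "$tmp" && mv "$tmp" "$file"
    after=$(wc -l < "$file")
    echo $((before - after))
}

# Stand-alone run on a constructed .ssh directory with deliberately bad modes.
main() {
    d=$(mktemp -d)
    printf 'ssh-ed25519 AAAAC3constructedKEY1 jun@client\n' > "$d/authorized_keys"
    printf 'ssh-rsa AAAAB3constructedKEY2 old-laptop\n' >> "$d/authorized_keys"
    : > "$d/id_rsa"; : > "$d/id_rsa.pub"
    chmod 664 "$d/authorized_keys"; chmod 644 "$d/id_rsa" "$d/id_rsa.pub"
    audit_ssh_perms "$d" || echo "$? problem(s) found"
    echo "removed $(revoke_pubkey "$d/authorized_keys" 'ssh-rsa AAAAB3constructedKEY2') key(s)"
    rm -rf "$d"
}

main
```

Run the audit as each user (or as root over /home/*/.ssh and /root/.ssh) after any change to authorized_keys; a writable authorized_keys in someone else's home is exactly the foothold the note describes. The revoke step is what to run on every server that holds the old public key once the replacement key pair is in place.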
SSH client
Previously, we learned that we can transfer our public key to the server via ssh-copy-id, using the -i option to specify the identity (key) file.
With the ssh client program, we can likewise specify the identity file to authenticate with using the -i option. There are other options we can learn about through the ssh man page.
For example, to change the default port we use the -p option.
jun@client:~$ ssh -p 2345 nur@192.168.1.3
We can also permanently change the default port by adding a config file in our ~/.ssh/ directory.
jun@client:~$ vim ~/.ssh/config
Inside the config file, we can add and save the following
Port 2345
With this configuration, we have changed our client's default SSH port to 2345. We can also omit the username when using the ssh client by adding User to the config file, though this is odd, because we don't always use the same username on different servers.
# these will be used as defaults
Port 2345
User nur
We can also add configuration for specific hosts to our client's ~/.ssh/config file.
# ssh -p 2345 nur@192.168.1.3
Host 192.168.1.3
    User nur
    Port 2345

# ssh -p 22 jun@cs.nurbxfit.com
Host cs.nurbxfit.com
    User jun
    Port 22

# provide an alias for our hostname/address,
# so we can connect with a simple 'ssh myalias'
Host myalias
    Hostname cs.usm.my
    User nur
    Port 22
    IdentityFile ~/.ssh/jun_usm_server_rsa
After saving the configuration, we need to set the permissions on the config file so that only our user can read and write it.
jun@client:~$ chmod 600 ~/.ssh/config
Now we can SSH into our server with just this command.
jun@client:~$ ssh 192.168.1.3
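The ssh client applies the same first-obtained-value rule to ~/.ssh/config that sshd applies to its drop-in files, which makes the placement of the global "Port 2345 / User nur" defaults matter: written above the Host blocks, they override the Port and User inside every block below them. The following POSIX shell script is an added example, not code from the original post. It emulates the client's resolution over a constructed copy of the config above in both layouts; the resolver handles exact host names and "Host *" only, whereas the real client also supports glob patterns, negation and Match blocks.

```shell
#!/bin/sh
# Added example, not from the original post: emulate how the ssh client reads
# ~/.ssh/config. ssh scans the file top to bottom and keeps the FIRST value it
# obtains for each keyword. Lines above any Host block, and "Host *" blocks,
# apply to every host, so defaults placed at the TOP of the file silently win
# over the same keywords inside every Host block below them; put such defaults
# at the END under "Host *" instead.

# Print the value KEYWORD resolves to for HOST using CONFIG. Handles exact
# host names and "*" only; trailing "# ..." comments are stripped.
resolve_option() {
    awk -v host="$1" -v kw="$2" '
        BEGIN { active = 1 }                 # keywords before the first Host line are global
        { sub(/[[:space:]]*#.*$/, "") }      # drop comments
        /^[[:space:]]*$/ { next }
        tolower($1) == "host" {
            active = 0
            for (i = 2; i <= NF; i++) if ($i == "*" || $i == host) active = 1
            next
        }
        active && tolower($1) == tolower(kw) { print $2; exit }
    ' "$3"
}

# Constructed copy of the post's config with the defaults at the top.
write_config_globals_first() {
    cat > "$1" <<'EOF'
# these will be used as defaults
Port 2345
User nur

Host 192.168.1.3
    User nur
    Port 2345

Host cs.nurbxfit.com
    User jun
    Port 22

Host myalias
    Hostname cs.usm.my
    User nur
    Port 22
    IdentityFile ~/.ssh/jun_usm_server_rsa
EOF
}

# Same entries with the defaults moved to the end, under "Host *".
write_config_globals_last() {
    cat > "$1" <<'EOF'
Host 192.168.1.3
    User nur
    Port 2345

Host cs.nurbxfit.com
    User jun
    Port 22

Host myalias
    Hostname cs.usm.my
    User nur
    Port 22
    IdentityFile ~/.ssh/jun_usm_server_rsa

# defaults for every host not matched above
Host *
    Port 2345
    User nur
EOF
}

# Stand-alone run: show what cs.nurbxfit.com gets in both layouts.
main() {
    cfg=$(mktemp)
    for layout in first last; do
        "write_config_globals_$layout" "$cfg"
        echo "defaults $layout: cs.nurbxfit.com -> user $(resolve_option cs.nurbxfit.com User "$cfg"), port $(resolve_option cs.nurbxfit.com Port "$cfg")"
    done
    rm -f "$cfg"
}

main
```

The real client answers the same question with ssh -G cs.nurbxfit.com, which prints the options it would actually use (lowercased, one per line) without connecting; it is the quickest way to confirm that a Host block, and not a stray global default, is supplying the port, user and identity file.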