SSH: Summary, some basic commands (Part 1)

Tram Ho

When using an operating system – Windows, macOS, and especially Linux-based systems such as Ubuntu, CentOS, … – you have surely used a terminal to type extremely cool commands. One day you have a newly purchased server halfway around the world: how can you access it to execute commands, install services, configure a web server, and so on, and do all of that over a secure connection? SSH is exactly what you are looking for.

1. Summary

Secure Shell (SSH) is a network protocol used to establish a secure network connection. SSH creates an encrypted channel over an insecure network, based on a client-server architecture, connecting an SSH client to an SSH server. The default port used by SSH is 22.

To put it simply, SSH gives you the peace of mind of accessing a remote computer thanks to its security!

SSH was born as an alternative to Telnet and other insecure remote-shell protocols such as Berkeley rsh, rlogin and rexec. These protocols exchange data and passwords in plaintext, making them very vulnerable to eavesdropping and theft.

A special feature of SSH is that this protocol uses asymmetric, symmetric and hashing algorithms to ensure the confidentiality and integrity of data exchanged from client to server and vice versa.

SSH has many ways to authenticate a user, but the two most common are still password-based authentication and public-key authentication.

Authenticate by password?

Password-based authentication is as simple as it sounds: you log in with the password of the user account you created; the server stores it and compares it with the password you type when you log in. This is not secure enough, because your password is likely to be stolen.

What about authenticating with public-key?

This method uses a pair of keys – a public key and a private key – generated with a public-key encryption algorithm. After the pair is generated on a computer, the public key is copied to the server; when connecting, we rely on the private key stored on the local machine and the close mathematical relationship between the two keys to set up the connection. This type of authentication also lets us establish a secure connection in an automated way (automation).

So why is it better than authenticating with a password?

Back when you use passwords, human instinct kicks in: our memory is limited, so you come up with a password that is easy to remember. And if the password is easy to remember, chances are it will be stolen in some way (brute-force attack, dictionary attack, …).

Not only that, this same password is also reused from one app to another! It is also stored on the server you log into, so it can still be stolen (man-in-the-middle attack, …). Plenty of cases show how unsafe passwords are to use.

The key pair is different: it is generated by computers – unlike us – using extremely complex encryption algorithms, far beyond human capabilities. The keys themselves are long (a few hundred, a few thousand bits), both large … no, both complex and hard to brute-force. Moreover, the private key that you hold is never sent to the server; you only use it to decrypt encrypted messages from the server.

Passwords can be used on many different computers and are stored by you, while private keys are stored only on the device you use to connect, so you can use multiple public-key/private-key pairs to access different computers, reducing the possibility of key theft.

In addition, you can also use a passphrase for extra security!

1.1 Types of encryption algorithms

SSH supports many public-key algorithms:

rsa – the most widely used algorithm, around since 1977 and based on the difficulty of factoring large numbers into primes. When using it, you should choose a key size of at least 2048 bits, preferably 4096 bits.

dsa – an algorithm based on the difficulty of computing discrete logarithms. It was removed in OpenSSH version 7 for security reasons.

ecdsa – an algorithm based on the coordinates of points on an elliptic curve. It can replace RSA with a higher level of security and processing speed, using keys that are smaller than RSA keys, which noticeably increases processing speed. Only three key sizes are supported: 256, 384, and 521 bits. For added security, 521 bits is recommended!

ed25519 – an algorithm added to OpenSSH in version 6.5. An improved version of ECDSA, providing better security with faster performance than DSA or ECDSA. Not yet universally supported.

2. The basic commands

Note: the commands will be practiced on computers running Linux (Ubuntu, CentOS, …). Here we will go into the details of the commands used to connect to a remote server.

2.1. Use SSH to login with password

On your local machine:

For example:

The host here can be the IP address or domain name of the machine you are accessing.

Then enter the password corresponding to your user at that host.

2.2. Generate key pair

The command to generate an SSH authentication key pair.

The simplest command, on the local machine:

During generation, the system will ask you to provide a passphrase. The purpose of the passphrase is to encrypt the private key, so an attacker who obtains your private key cannot necessarily use it, because it is encrypted.

In fact, most people who create SSH keys do not use a passphrase, because when it comes to automation this passphrase cannot be typed by hand; we would have to save it in some store or in a script. As a result, you are back to password authentication (lol!), and the attacker can still learn your passphrase!

So for ease and convenience, just press Enter at this step and it is fine!

You can further customize the options:

Where:

-f is the key name and where the key will be stored

-t is the algorithm used for key generation

-b is the key size
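As an added example (not from the original post), here is a small POSIX shell wrapper around the ssh-keygen options just described (-t, -b, -f) that writes into a directory you pass in instead of ~/.ssh; the passphrase is supplied with -N, and ssh-keygen -y derives the public key from the (possibly encrypted) private key, which is a quick way to check that a passphrase still unlocks a key. The directory, key names, comment string and the "demo" passphrase are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the original post's commands. Everything is written under
# a directory of your choosing; the real default location would be ~/.ssh.

# gen_ssh_key DIR NAME TYPE [BITS] [PASSPHRASE]
# Creates DIR/NAME (private key) and DIR/NAME.pub (public key).
# An empty passphrase matches the "just press Enter" flow described above;
# a non-empty one encrypts the private key on disk.
gen_ssh_key() {
  dir="$1"; name="$2"; type="$3"; bits="${4:-}"; pass="${5:-}"
  mkdir -p "$dir" && chmod 700 "$dir"
  if [ -n "$bits" ]; then
    ssh-keygen -q -t "$type" -b "$bits" -f "$dir/$name" -N "$pass" -C "demo@example"
  else
    # ed25519 keys have a fixed size, so -b is omitted for them
    ssh-keygen -q -t "$type" -f "$dir/$name" -N "$pass" -C "demo@example"
  fi
}

# key_type FILE.pub -> the key type recorded in the public key (e.g. ssh-ed25519)
key_type() { awk '{ print $1; exit }' "$1"; }

# key_fingerprint FILE -> fingerprint line; this is the value you compare
# out-of-band before trusting a key that someone sends you
key_fingerprint() { ssh-keygen -l -f "$1"; }

# pubkey_from_private FILE PASSPHRASE -> public key recomputed from the private
# key; fails if the passphrase is wrong, so it doubles as a passphrase check
pubkey_from_private() { ssh-keygen -y -P "$2" -f "$1"; }

# Demo on a throwaway directory (skipped if ssh-keygen is not installed)
if command -v ssh-keygen >/dev/null 2>&1; then
  tmpdir=$(mktemp -d)
  gen_ssh_key "$tmpdir" id_ed25519_demo ed25519
  gen_ssh_key "$tmpdir" id_rsa_demo rsa 4096 "demo-passphrase-placeholder"
  key_fingerprint "$tmpdir/id_ed25519_demo.pub"
  key_fingerprint "$tmpdir/id_rsa_demo.pub"
  pubkey_from_private "$tmpdir/id_rsa_demo" "demo-passphrase-placeholder" >/dev/null \
    && echo "rsa private key unlocks with the given passphrase"
  rm -rf "$tmpdir"
fi
```

Whether or not you set a passphrase, the .pub file is the only part that ever leaves your machine; the private file should stay at mode 600 in a directory at mode 700, which ssh-keygen does for you and the wrapper above mirrors.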

2.3. Add private-key to SSH-agent

On the local machine:

ssh-add is a command that adds SSH private keys to the SSH authentication agent, ssh-agent, which manages access to computers using those private keys. Once you have added a key to ssh-agent, you do not need to specify it when connecting.

The public part of each private key held in ssh-agent must be placed in ~/.ssh/authorized_keys (authorized_keys is a file) on the server (see the step below).

2.4. Add public-key to server

You can use either of the following commands:

Method 1:

Method 2:

Alternatively, you can log in to the machine with a password first and then add the key by hand (mkdir, touch, then cat, vim …).

Now you can access the server using key authentication over SSH!

You can also add other keys to authorized_keys using the same commands as above.
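The "by hand" route above is what ssh-copy-id does on the server side. As an added example (not from the original post), the POSIX shell functions below do that work idempotently against a home directory you pass in, so the demo never touches a real ~/.ssh: they create .ssh with mode 700 and authorized_keys with mode 600 (sshd refuses keys in a world-readable file), append a key only if it is not already there, and reject lines that do not look like a public key. The sample key is a constructed, non-functional string, not a real public key.

```shell
#!/bin/sh
# Added example, not the original post's commands. HOME is passed explicitly so
# this runs against a throwaway directory.

# Constructed sample, not a real key: the base64 part is made up.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleNotARealKey0000000000 demo@laptop'

# looks_like_pubkey LINE -> success if LINE has the shape "<type> <base64> [comment]"
looks_like_pubkey() {
  printf '%s\n' "$1" | grep -Eq \
    '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_authorized_key HOME KEYLINE
# Creates HOME/.ssh (0700) and authorized_keys (0600) if needed and appends
# KEYLINE exactly once. Malformed input is refused rather than written.
install_authorized_key() {
  home="$1"; key="$2"
  looks_like_pubkey "$key" || { echo "refusing malformed key line" >&2; return 1; }
  mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
  touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
  if grep -qxF -- "$key" "$home/.ssh/authorized_keys"; then
    return 0   # already present: no duplicate line
  fi
  printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
}

# count_authorized_keys HOME -> number of key lines (blank and comment lines ignored)
count_authorized_keys() {
  grep -Ecv '^[[:space:]]*(#|$)' "$1/.ssh/authorized_keys"
}

# perm_of PATH -> the ten-character mode string from ls, e.g. "drwx------"
perm_of() { ls -ld "$1" | cut -c1-10; }

# Demo on a throwaway home directory
h=$(mktemp -d)
install_authorized_key "$h" "$SAMPLE_PUBKEY"
install_authorized_key "$h" "$SAMPLE_PUBKEY"   # second call is a no-op
echo "authorized keys: $(count_authorized_keys "$h")"
echo "$(perm_of "$h/.ssh") $h/.ssh"
echo "$(perm_of "$h/.ssh/authorized_keys") $h/.ssh/authorized_keys"
rm -rf "$h"
```

The shape check is deliberately loose (it validates the line format, not the key material); its job is to keep a stray shell error message or a private key from being pasted into authorized_keys.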

Then test:

2.5. Removing password authentication on server (Only use SSH keys)

Note: only do this step after you have configured and successfully logged in over SSH with the key.

For the best and safest setup, after adding the key to the server you should disable SSH password authentication, for the reasons I mentioned above!

On the server:

Find the line

PermitRootLogin yes

Change it to

PermitRootLogin no

Save and exit. Then on the terminal:
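Editing the server configuration by hand is easy to get wrong (a commented-out default left in place, or a directive added after an existing one that sshd reads first, since sshd honours the first active occurrence of a directive). As an added example, not from the original post, the POSIX shell functions below rewrite a directive in a copy of the configuration file whose path you pass in; they turn the PermitRootLogin change above plus PasswordAuthentication no and PubkeyAuthentication yes into one idempotent step. The real file is assumed to be /etc/ssh/sshd_config, which this demo never touches; the sample contents are constructed.

```shell
#!/bin/sh
# Added example, not the original post's commands. Operates on whatever file
# path is given; /etc/ssh/sshd_config is the assumed real location.

# get_sshd_directive CFG KEY -> the value sshd would use: the FIRST active
# (uncommented) occurrence. Match blocks and "Key=value" syntax are not handled.
get_sshd_directive() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# set_sshd_directive CFG KEY VALUE
# Rewrites the first occurrence of KEY, whether active or commented out with
# "#", so the new line takes precedence; appends the directive if absent.
# Writes via a temp file and mv, so no GNU-only "sed -i" is needed.
set_sshd_directive() {
  cfg="$1"; key="$2"; val="$3"
  tmp="$cfg.tmp.$$"
  awk -v k="$key" -v v="$val" '
    {
      line = $0
      sub(/^[[:space:]]*#?[[:space:]]*/, "", line)   # drop indent and a leading "#"
      n = split(line, f, /[[:space:]]+/)
      if (!done && n > 0 && f[1] == k) {             # first occurrence of the key
        print k " " v; done = 1; next
      }
      print
    }
    END { if (!done) print k " " v }                 # key never seen: append it
  ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# harden_sshd_config CFG -> key-only logins, no root password logins
harden_sshd_config() {
  set_sshd_directive "$1" PubkeyAuthentication yes
  set_sshd_directive "$1" PasswordAuthentication no
  set_sshd_directive "$1" PermitRootLogin no
}

# Demo on a constructed excerpt (not a real server file)
cfg=$(mktemp)
printf '%s\n' '# constructed sshd_config excerpt for the demo' \
  '#PasswordAuthentication yes' 'PermitRootLogin yes' 'X11Forwarding no' > "$cfg"
harden_sshd_config "$cfg"
echo "--- after hardening ---"
cat "$cfg"
rm -f "$cfg"
```

On a real server, run `sshd -t` to syntax-check the file before reloading the service, and keep your current session open while you confirm from a second terminal that key login still works; if the key login fails you can still fix the file from the session you already have.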

3. Conclusion

So we have gone over an outline of SSH and the basic commands for establishing a connection between two computers. In the next part I will give a few practical examples to give you a better view of it. Thank you for reading! Visit Sirdev to follow the sequel soon!


Source : Viblo