SSH (Secure Shell) is a protocol for securely connecting to a machine, or executing commands on it, over an insecure network. Mostly we use it to connect to our remote servers for administration, but it is also used for authentication (e.g. GitHub) and for transferring files between a local and a remote machine.
SSH works with a public/private key pair. Once generated, the public key can be distributed and used to encrypt messages that only the associated private key can decrypt.
Generate key pair
To create a public/private key pair we can run the following command:
The default cryptosystem will be rsa, and it will ask for a path to store the key pair. During generation it will also ask for a `passphrase`, which is simply a password protecting the private key file and adds an extra layer of security. Just press enter if you don't want a passphrase.
The following are a few variations of the keygen command:
ssh-keygen -t rsa  # we can tell which cryptosystem to use: rsa, dsa, ecdsa
# ~/.ssh (default location and file name)
# |- id_rsa
# |- id_rsa.pub
ssh-keygen -f ~/.ssh/github
# ~/.ssh
# |- github
# |- github.pub
The .pub file is the public key, which we distribute or copy to the server we want to access from our machine.
Add public key to server
There are two ways to add a public key to the server.
Copy the content of the .pub key you want to use. Log in to the server and save it to the ~/.ssh/authorized_keys file. You have to create the file if it doesn't exist.
The authorized_keys file (usually with permission 600) resides at /home/<username>/.ssh/authorized_keys and stores the public ssh keys of all the clients that are allowed to log into the server as that user.
You can also do this using the following command, which will add the public key to the server:
By default it adds the default key, ~/.ssh/id_rsa.pub, to the server. You can specify another key like this:
ssh-copy-id -i ~/.ssh/github user@remote-server-ip
And this will add the ~/.ssh/github.pub key to the server.
SSH (login) into a remote server
If all the above is done, this part is simple. Just type the following command:
ssh user@remote-ip
# example
ssh firstname.lastname@example.org
Public key fingerprint
When we try to ssh into a remote server for the first time we may see something like this:
ssh user@remote-server
The authenticity of host 'remote-server (220.127.116.11)' can't be established.
RSA key fingerprint is 9e:1a:5e:27:16:4d:2a:13:90:2c:64:41:bd:25:fd:35.
Are you sure you want to continue connecting (yes/no)?
It means that the ssh client doesn't recognise `remote-server` and wants to add its host public key to the ~/.ssh/known_hosts file as a trusted party.
The known_hosts file (usually with permission 644) stores the host public key of every server this client/PC has logged into before. The known_hosts file helps to prevent man-in-the-middle attacks, except on the very first connection, when it adds the public key without any earlier record to check it against.
The host public key is the server's ssh public key, which can be found in:
ls /etc/ssh/*key*
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_key.pub
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_rsa_key.pub
RSA key fingerprint is 9e:1a:5e:27:16:4d:2a:13:90:2c:64:41:bd:25:fd:35. Here the `RSA` host key pair from the listing above was used to generate this fingerprint. You can check the fingerprint with this command:
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
2048 SHA256:Uk4xc2+w52wcFmFKyrJulFkuX/ATYEMA+8Uz/mAps9g user@server (RSA)
# or md5 hash
ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_rsa_key.pub
2048 MD5:9e:1a:5e:27:16:4d:2a:13:90:2c:64:41:bd:25:fd:35 user@server (RSA)
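To verify a first-connection fingerprint against a host key obtained out of band (the `ssh-keygen -l` output above, or a known_hosts line), the following added example, which is not code from the original post, computes both fingerprint formats from a key line and compares them with what the prompt shows. The host names, IP and the toy RSA modulus in the sample are constructed, not real keys.

```python
import base64
import hashlib
import struct

def encode_mpint(value: int) -> bytes:
    """SSH mpint (RFC 4251): length prefix + big-endian bytes, leading 0x00 if high bit set."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw

def build_rsa_blob(e: int, n: int) -> bytes:
    """Wire-format blob that follows 'ssh-rsa' in a key line: string "ssh-rsa", mpint e, mpint n."""
    return struct.pack(">I", 7) + b"ssh-rsa" + encode_mpint(e) + encode_mpint(n)

def fingerprints(blob: bytes) -> dict:
    """Both formats ssh-keygen -l prints: SHA256 (unpadded base64) and MD5 (colon hex, -E md5)."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    return {"SHA256": f"SHA256:{sha}", "MD5": f"MD5:{md5}"}

def parse_key_line(line: str) -> tuple:
    """Parse a known_hosts line ('host type blob [comment]') or .pub line ('type blob [comment]')."""
    fields = line.split()
    # a .pub line starts with the key type; a known_hosts line has the host field first
    if fields[0].startswith(("ssh-", "ecdsa-")):
        key_type, b64 = fields[0], fields[1]
    else:
        key_type, b64 = fields[1], fields[2]
    blob = base64.b64decode(b64)
    # the blob begins with its own type string, which must agree with the declared type
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != key_type.encode():
        raise ValueError("key type in line does not match the key blob")
    return key_type, blob

def fingerprint_matches(line: str, shown: str) -> bool:
    """Check the fingerprint shown in the first-connection prompt (SHA256:... or the
    older colon-separated MD5 form) against the key stored in a known_hosts/.pub line."""
    fps = fingerprints(parse_key_line(line)[1])
    shown = shown.strip()
    if shown.startswith("SHA256:"):
        return shown == fps["SHA256"]
    return "MD5:" + shown.removeprefix("MD5:").lower() == fps["MD5"]

# Constructed sample: a toy ssh-rsa key (not a real 2048-bit key) as a known_hosts entry
SAMPLE_BLOB = build_rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)
SAMPLE_LINE = ("remote-server,220.127.116.11 ssh-rsa "
               + base64.b64encode(SAMPLE_BLOB).decode() + " user@server")
```

Compare the value printed by `fingerprints(SAMPLE_BLOB)` with the fingerprint in the prompt; a mismatch on first connection means the key you are about to trust is not the one the server administrator published.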
- ssh agent
- sshd configuration, disable / enable ssh & password
- removing ssh key