SSH (Secure Shell) is a protocol for connecting to a machine or executing commands on it securely over an insecure network. Mostly we use it to connect to our remote servers for administration. We can also use it for authentication (e.g. GitHub) and for file transfer from a local to a remote machine.

SSH works with a public/private key pair. Once generated, the public key can be distributed and used to encrypt messages that only the associated private key can decrypt.

Generate key pair

To create a public/private key pair we can run the following command:

ssh-keygen

The default cryptosystem will be rsa, and it will ask for a path to store the key pair. During generation it will also ask for a `passphrase`, which is just a password protecting the private key file and adds an extra layer of security. Just press enter if you don't want to add a passphrase.

The following are a few variations of the keygen command:

ssh-keygen -t rsa
# we can tell which cryptosystem to use: rsa, dsa, ecdsa, ed25519
# ~/.ssh (default location and file name)
# |- id_rsa
# |- id_rsa.pub

ssh-keygen -f ~/.ssh/github
# ~/.ssh
# |- github
# |- github.pub

.pub is the public key here, which we distribute or copy to the server we want to access from our machine.

Add public key to server

There are two ways to add the public key to the server.

Manual setup:

Copy the content of the .pub key you want to use. Log in to the server and append it to the ~/.ssh/authorized_keys file. You have to create the file if it doesn't exist.

The authorized_keys file (usually with permission 600) resides at /home/<username>/.ssh/authorized_keys and stores the public SSH keys of all clients allowed to log into the server as <username>.

Using command:

You can also do this with the following command, which will add the public key to the server:

ssh-copy-id user@remote-server-ip

By default it will add the default key, ~/.ssh/id_rsa.pub, to the server. You can specify another key like this:

ssh-copy-id -i ~/.ssh/github user@remote-server-ip

And this will add the ~/.ssh/github.pub key to the server.

SSH (login) into a remote server

If all the above is done, this part is simple. Just type the following command:

ssh user@remote-ip

# example
ssh root@10.51.109.203

Public key Fingerprint

When we try to ssh into a remote server for the first time, we may see something like this:

ssh user@remote-server
The authenticity of host 'remote-server (134.2.14.48)' can't be established.
RSA key fingerprint is 9e:1a:5e:27:16:4d:2a:13:90:2c:64:41:bd:25:fd:35.
Are you sure you want to continue connecting (yes/no)?

It means that the ssh client can't recognise `remote-server` and wants to add its host public key to the ~/.ssh/known_hosts file as a trusted party.

The known_hosts file (usually with permission 644) stores the host public key of every server this client/PC has logged into before. It helps to prevent man-in-the-middle attacks, except on the very first connection, when the key is added on trust; that is why the fingerprint shown in the prompt should be checked against the server's own host key before answering yes.

The host public key is the server's SSH public key, which can be found in /etc/ssh/:

ls /etc/ssh/*key*
/etc/ssh/ssh_host_dsa_key      /etc/ssh/ssh_host_key.pub
/etc/ssh/ssh_host_dsa_key.pub  /etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_key          /etc/ssh/ssh_host_rsa_key.pub

RSA key fingerprint is 9e:1a:5e:27:16:4d:2a:13:90:2c:64:41:bd:25:fd:35. Here the `RSA` host key pair (ssh_host_rsa_key) from the listing above was used to generate this fingerprint. You can check the fingerprint on the server with this command:

ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
2048 SHA256:Uk4xc2+w52wcFmFKyrJulFkuX/ATYEMA+8Uz/mAps9g user@server (RSA)

# or md5 hash
ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_rsa_key.pub
2048 MD5:9e:1a:5e:27:16:4d:2a:13:90:2c:64:41:bd:25:fd:35 user@server (RSA)
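As an added example (not code from the original post), the following Python script reproduces both fingerprint formats shown above from an OpenSSH public key line, so the value printed in the first-connection prompt can be compared with one obtained from the server's /etc/ssh/ssh_host_*.pub out of band. The RSA key it builds is a constructed test value, not a real host key.

```python
import base64
import hashlib
import struct

# Constructed test key (not a real host key); the functions below accept any
# OpenSSH public key line of the form "<type> <base64 blob> [comment]".
E_TEST = 65537
N_TEST = int("c0ffee" * 40, 16)

def _ssh_string(data: bytes) -> bytes:
    """SSH wire string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(value: int) -> bytes:
    """SSH mpint: minimal big-endian two's complement, length-prefixed."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def make_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an 'ssh-rsa' public key line (RFC 4253 blob: type, e, n)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def parse_pubkey_line(line: str):
    """Return (key type, raw blob); the type inside the blob must match the text."""
    key_type, b64, *_ = line.split()
    blob = base64.b64decode(b64)
    inner_len = struct.unpack(">I", blob[:4])[0]
    inner_type = blob[4:4 + inner_len].decode()
    if inner_type != key_type:
        raise ValueError(f"type {key_type!r} does not match blob type {inner_type!r}")
    return key_type, blob

def fingerprint(line: str, hash_name: str = "sha256") -> str:
    """Same as `ssh-keygen -l [-E md5]`: hash of the decoded blob, never the comment."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.new(hash_name, blob).digest()
    if hash_name == "md5":
        return "MD5:" + ":".join(f"{b:02x}" for b in digest)
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def fingerprint_matches(line: str, shown: str) -> bool:
    """Compare a fingerprint from the first-connection prompt (either format) to the key."""
    shown = shown.strip().rstrip(".")
    if shown.startswith("MD5:") or shown.count(":") == 15:
        return fingerprint(line, "md5") == "MD5:" + shown.removeprefix("MD5:")
    return fingerprint(line, "sha256") == "SHA256:" + shown.removeprefix("SHA256:")
```

Paste the server's real ssh_host_rsa_key.pub line in place of the constructed key to check a prompt against it; the comment field is ignored, exactly as ssh-keygen ignores it.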

[more soon]

  • ssh agent
  • sshd configuration, disable / enable ssh & password
  • removing ssh key