What is an SSH Key | how SSH works

How SSH works | 2 ways to authenticate SSH (What is an SSH Key)

Learn SSH and How SSH works

SSH (Secure Shell) is a cryptographic network protocol that uses public-key cryptography to access a computer, or operate network services, securely over an unsecured network.
SSH provides a secure channel over an unsecured network, such as the internet, using a client-server architecture that connects an SSH client application with an SSH server. It supports strong password authentication and public key authentication. SSH is used to access a server remotely to execute commands and to move files from one computer to another.

Encrypts the connection between client and server
Usually runs on TCP port 22 but we can change it manually

SSH Clients for Different Operating Systems


Mac OS X & Linux: built-in, available in the terminal
Windows: PuTTY, others
Android: JuiceSSH, others
iOS: Prompt, others

What is an SSH Key

Authentication

Ways to provide authentication in SSH

  1. Using Password
    Username & password
    Specified on the server
  2. Using Keys
    Key pair
    Generated by the user
    The public key is shared with the server and the private key stays on the user's end.
    Key authentication is usually regarded as more secure than password authentication.
    SSH key pairs are widely used on AWS and Azure.

Using a key for secure access is more secure than password access.
Key pair: public key and private key.
The server holds the public key; the user keeps the private key.

An SSH key setup can use one key or many keys.
One key for each computer: more setup, more resilient.
One key for all computers: less setup, single point of failure.

How SSH works and what is an SSH key (configure SSH in Linux)

Generating a key pair on Mac OS X or Linux on user system

ssh-keygen -t rsa
(RSA is a very popular public-key algorithm type)
Remember to enter a passphrase. The passphrase unlocks the key, so the key file alone does not let anyone log directly into the remote server. Imagine your key gets stolen: without a passphrase, anyone could log into that server as you. Setting a passphrase on the key adds one more layer of security and makes this harder for an attacker.

techouse@techousesolution:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/techouse/.ssh/id_rsa):
Created directory '/home/techouse/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/techouse/.ssh/id_rsa
Your public key has been saved in /home/techouse/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:f2Dhst0ZoJ0fLsDbwkfamdG0Hup/hTe2LmNq27qjTWU techouse@techousesolution
The key's randomart image is:
+---[RSA 3072]----+
| |
| |
| o . |
| . + * . |
| S O *E . |
| . & @o=.oo|
| * @.B .oo|
| +o=.+.. |
| .+BOo+. |
+----[SHA256]-----+

After this, 2 files will be created: id_rsa and id_rsa.pub

techouse@techousesolution:~$ cd ~/.ssh/
techouse@techousesolution:~/.ssh$ ls
id_rsa id_rsa.pub

techouse@techousesolution:~/.ssh$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCYPZrBO2YHN6nL/7zDGJODiVg8wfPy1sLDl2McGV9p7vh+sSAa2AnkgCeGMBo7++71URADhz6SChp7/iD+baYCqAH1KNco0USIWTp1rcMuQODkodLIFkvngF7xf8Oam9WvFi1NL+KaTNF2n2hAM2EZFHz54uVBc= techouse@techousesolution
techouse@techousesolution:~/.ssh$ ssh-copy-id [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/techouse/.ssh/id_rsa.pub"
The authenticity of host '192.168.1.5 (192.168.1.5)' can't be established.
ECDSA key fingerprint is SHA256:hvcUxvb2IbZlBCc4hmJwziSuCrib9R0Tcj7hK4zHy0U.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:

Number of key(s) added: 1

Now try logging into the machine, with: “ssh ‘[email protected]′”
and check to make sure that only the key(s) you wanted were added.

techouse@techousesolution:~/.ssh$ cat known_hosts
|1|+DRaJw7s2ph951vkJOuOE6H5B+o=|mQHk7bNachhNln7j0Mn1aroCDBM= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH9N6omdafp0Tw0t+qx0fL1BBb91MYTiyElBiLoRlpf9QnaWUU2j6OkgXy2c8jwRXZy5wp8WRmebQXlCkK/dV04=
techouse@techousesolution:~/.ssh$

On Server


chirag@chirag-MacBookAir:~/.ssh$ cat authorized_keys
ssh-rsa <same public key as in id_rsa.pub above> techouse@techousesolution

Or just copy the public key manually to your server

techouse@techousesolution:~/.ssh$ cat id_rsa.pub
And add it on the server to the file named authorized_keys
chirag@chirag-:~$ cd ~/.ssh
chirag@chirag-:~/.ssh$ vim authorized_keys
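
One way to do the manual copy without pasting into an editor, as an added example that is not part of the original post: the hypothetical helper `install_pubkey` appends the key only once and sets the owner-only permissions sshd expects on the `.ssh` directory and `authorized_keys`. The key used in the demo is a constructed placeholder.

```bash
#!/usr/bin/env bash
# Added example. install_pubkey PUBKEY_FILE [SSH_DIR]  (hypothetical helper)
install_pubkey() {
    local pub="$1" dir="${2:-$HOME/.ssh}" line blob
    # A public key file is one line: "<type> <base64> [comment]".
    line=$(head -n 1 "$pub") || return 1
    # Refuse anything that is not a public key line (e.g. the private id_rsa).
    case "$line" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not a public key line: $pub" >&2; return 2 ;;
    esac
    # With StrictModes (the sshd default) the key file is ignored if the
    # directory or file is writable by anyone other than the owner.
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1
    touch "$dir/authorized_keys" || return 1
    chmod 600 "$dir/authorized_keys" || return 1
    # Compare on type + key data so a different comment is not a new key.
    blob=$(printf '%s\n' "$line" | awk '{print $1 " " $2}')
    if grep -qF -- "$blob" "$dir/authorized_keys"; then
        echo "key already present"
        return 0
    fi
    printf '%s\n' "$line" >> "$dir/authorized_keys"
    echo "key added"
}

# Constructed demo: the key below is a made-up placeholder, not a real key.
demo_install_pubkey() {
    local d
    d=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed demo@example\n' > "$d/id_rsa.pub"
    install_pubkey "$d/id_rsa.pub" "$d/.ssh"    # key added
    install_pubkey "$d/id_rsa.pub" "$d/.ssh"    # key already present
    ls -ld "$d/.ssh" "$d/.ssh/authorized_keys"  # drwx------ and -rw-------
    rm -rf "$d"
}
```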

SFTP – SSH File Transfer Protocol

Features

Encrypted
One Port
Well-Supported
Tools to access SFTP GUI: FileZilla

Command to log in: sftp [email protected]
techouse@techousesolution:~$ sftp [email protected]
Enter passphrase for key '/home/techouse/.ssh/id_rsa':
Connected to 192.168.1.5.
sftp> ?
Available commands:
bye Quit sftp
cd path Change remote directory to 'path'
chgrp [-h] grp path Change group of file 'path' to 'grp'
chmod [-h] mode path Change permissions of file 'path' to 'mode'
chown [-h] own path Change owner of file 'path' to 'own'
df [-hi] [path] Display statistics for current directory or
filesystem containing 'path'
exit Quit sftp
get [-afpR] remote [local] Download file
help Display this help text
lcd path Change local directory to 'path'
lls [ls-options [path]] Display local directory listing
lmkdir path Create local directory
ln [-s] oldpath newpath Link remote file (-s for symlink)
lpwd Print local working directory
ls [-1afhlnrSt] [path] Display remote directory listing
lumask umask Set local umask to 'umask'
mkdir path Create remote directory
progress Toggle display of progress meter
put [-afpR] local [remote] Upload file
pwd Display remote working directory
quit Quit sftp
reget [-fpR] remote [local] Resume download file
rename oldpath newpath Rename remote file
reput [-fpR] local [remote] Resume upload file
rm path Delete remote file
rmdir path Remove remote directory
symlink oldpath newpath Symlink remote file
version Show SFTP version
!command Execute 'command' in local shell
! Escape to local shell
? Synonym for help
sftp>

How to create an SSH Tunnel

Creating an SSH tunnel involves port forwarding.
I will show you how to set up an SSH tunnel using a MySQL example.
Let’s create a tunnel for accessing a MySQL server

techouse@techousesolution:~$ ssh -L 9000:localhost:3306 [email protected]
or
techouse@techousesolution:~$ ssh -L 9000:localhost:3306 [email protected] -N

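This command forwards local port 9000 to port 3306 on the server. With -N, no remote command is run and the connection only carries the forwarded port.

When accessing MySQL through the SSH tunnel, use the same MySQL details but change the port to 9000
Host: localhost
Username:
Password:
Database:
Port: 9000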

Important: Practice setting up key-based login and also enable


chirag@chirag-MacBookAir:~$ vim /etc/ssh/sshd_config
PasswordAuthentication yes

Uncomment this line and change it to no; this disables password login and permits only key-based login.
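
A check for this setting, as an added example that is not from the original post: sshd uses the first uncommented occurrence of a keyword, so a commented line, or a value set in a file read earlier, leaves password login enabled even after the edit. The helper names and sample files below are constructed; on a live server, `sshd -T` prints the effective configuration.

```bash
#!/usr/bin/env bash
# Added example. Helper names are hypothetical.
# effective_sshd_option KEYWORD DEFAULT FILE...
# Prints the global value sshd would use: keywords are case-insensitive and
# the FIRST uncommented occurrence wins. List files in the order sshd reads
# them (files pulled in by an Include line at the top of sshd_config go first).
effective_sshd_option() {
    [ "$#" -ge 3 ] || { echo "usage: effective_sshd_option KEY DEFAULT FILE..." >&2; return 2; }
    local want def="$2"
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    shift 2
    awk -v want="$want" -v def="$def" '
        FNR == 1                 { in_match = 0 }   # new file: global scope again
        /^[ \t]*#/ || NF == 0    { next }           # comment or blank line
        tolower($1) == "match"   { in_match = 1; next }
        in_match                 { next }           # conditional, not global
        tolower($1) == want      { print tolower($2); found = 1; exit }
        END                      { if (!found) print def }
    ' "$@"
}

# password_login_disabled FILE... -> status 0 only if the effective value is "no".
# PasswordAuthentication defaults to yes when absent or only commented out.
password_login_disabled() {
    [ "$(effective_sshd_option PasswordAuthentication yes "$@")" = "no" ]
}

# Constructed sample files (not from a real server) covering three cases.
demo_sshd_check() {
    local d
    d=$(mktemp -d)
    printf '#PasswordAuthentication yes\n' > "$d/commented"
    printf 'PubkeyAuthentication yes\npasswordauthentication no\n' > "$d/fixed"
    printf 'PasswordAuthentication yes\n' > "$d/dropin.conf"
    printf 'commented only     -> %s\n' "$(effective_sshd_option PasswordAuthentication yes "$d/commented")"
    printf 'set to no          -> %s\n' "$(effective_sshd_option PasswordAuthentication yes "$d/fixed")"
    printf 'drop-in read first -> %s\n' "$(effective_sshd_option PasswordAuthentication yes "$d/dropin.conf" "$d/fixed")"
    rm -rf "$d"
}
```

The third case is the one that surprises people: the main file says `no`, but a file read before it already set `yes`.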
