How SSH works | 2 ways to authenticate SSH(What is an SSH Key )

Learn SSH and How SSH works

It uses Public-Key secure way to access a computer over an unsecured network. Or we can say it is a cryptographic network protocol to access a computer or operating network services securely over an unsecured network.
SSH provides a secure channel over an unsecured network by using a client-server architecture(strong password authentication and public key authentication over an open network, such as the internet), connecting an SSH client application with an SSH server. SSH is used to access the server remotely to execute commands and move files from one computer to another.

Encrypts the connection between client and server
Usually runs on TCP port 22 but we can change it manually

SSH Clients for Different Operating Systems


Mac OS X & Linux: built-in, available in the terminal
Windows: putty, others
Android: JuiceSSH, others
iOS: Prompt, others

What is an SSH Key

Authentication

Ways to provide authentication in SSH

  1. Using Password
    username & password
    Specified on the server
  2. Using Keys
    Key Pair
    Generated by user
    Public Key shared to server and private key on users end.
    Usually key authentication is marked as more secure over password authentication
    SSH keys pair is Widely used on AWS, Azure.

Using a key for Secure Access is more secure than Password access
Key pair: Public Key and Private Key
Server Holds the Public Key, user keep the private Key.

SSH key setup can be of one or many Keys
One key for each computer: More setup, more resilient.
One Key for all computers: less setup, single point failure.

How SSH works and what is an SSH key(configure ssh in linux)

Generating a key pair on Mac OS X or Linux on user system

ssh-keygen -t rsa
(rsa is very popular encryption algorithm type)
Remember to enter the passphrase as this is the pass phrase to unlock the key which will not allow log directly into te remote server, image your key get stolen then anyone can log into that sever as you. Setting up the key will add one more layer of security and harder for an attacker to do this.

techouse@techousesolution:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/techouse/.ssh/id_rsa):
Created directory '/home/techouse/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/techouse/.ssh/id_rsa
Your public key has been saved in /home/techouse/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:f2Dhst0ZoJ0fLsDbwkfamdG0Hup/hTe2LmNq27qjTWU techouse@techousesolution
The key's randomart image is:
+---[RSA 3072]----+
| |
| |
| o . |
| . + * . |
| S O *E . |
| . & @o=.oo|
| * @.B .oo|
| +o=.+.. |
| .+BOo+. |
+----[SHA256]-----+

After this, 2 files will be created id_rsa ad id_rsa.pub

techouse@techousesolution:~$ cd ~/.ssh/
techouse@techousesolution:~/.ssh$ ls
id_rsa id_rsa.pub

techouse@techousesolution:~/.ssh$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCYPZrBO2YHN6nL/7zDGJODiVg8wfPy1sLDl2McGV9p7vh+sSAa2AnkgCeGMBo7++71URADhz6SChp7/iD+baYCqAH1KNco0USIWTp1rcMuQODkodLIFkvngF7xf8Oam9WvFi1NL+KaTNF2n2hAM2EZFHz54uVBc= techouse@techousesolution
techouse@techousesolution:~/.ssh$ ssh-copy-id [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/techouse/.ssh/id_rsa.pub"
The authenticity of host '192.168.1.5 (192.168.1.5)' can't be established.
ECDSA key fingerprint is SHA256:hvcUxvb2IbZlBCc4hmJwziSuCrib9R0Tcj7hK4zHy0U.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:

Number of key(s) added: 1

Now try logging into the machine, with: “ssh ‘[email protected]′”
and check to make sure that only the key(s) you wanted were added.

techouse@techousesolution:~/.ssh$ cat known_hosts
|1|+DRaJw7s2ph951vkJOuOE6H5B+o=|mQHk7bNachhNln7j0Mn1aroCDBM= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH9N6omdafp0Tw0t+qx0fL1BBb91MYTiyElBiLoRlpf9QnaWUU2j6OkgXy2c8jwRXZy5wp8WRmebQXlCkK/dV04=
techouse@techousesolution:~/.ssh$

On Server


chirag@chirag-MacBookAir:~/.ssh$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCYPZrBO2YHN6nL/7zDGJODiVg8wfPy1sLDl2McGV9p7vh+sS45K2l6J8HZ3h7TU9+Uv3DY5PMvM7VAUl1kJ9E5I+8GbxFzW0r7twvLF+8fjDjsQpBXq4nV9xjb4FIOVSBu3CUDm8GYTsfRY/ZvUEpn4ELwFeBYBF4uMAX74FrfVXw+5gudKNwKV/mDWK8Ljmsmf+zKO4UbABrs2ktS8k6Jd9WvSrs1kzAtvanY8xEQjJ0D2UO2PbSm4d9F6RKxnbQnU+oeSjjuPiWGURWOLtPNcRlGVQam5wNR9NgAu/s4tXgh2q0iZR2G9ml70UYNpG6gJrJN4ryf+W+suSDtYed8pnJTVlIy1nIH3qGpUMLkY7LIl0Vx8FICYCzYPDqkzoc9B+2YEPVfDfgxTrgYAa2AnkgCeGMBo7++71URADhz6SChp7/iD+baYCqAH1KNco0USIWTp1rcMuQODkodLIFkvngF7xf8Oam9WvFi1NL+KaTNF2n2hAM2EZFHz54uVBc= techouse@techousesolution

Or Just copy public-key manually to your server

techouse@techousesolution:~/.ssh$ cat id_rsa.pub
And it on server under the file name authorized_keys
chirag@chirag-:~/ cd ~/.ssh
chirag@chirag-:~/.ssh$ vim authorized_keys

SFTP – SSH File Tranfer Protocol

Features

Encrypted
One Port
Well-Supported
Tools to access SFTP GUI: FileZilla

Command to login :- sftp [email protected]
techouse@techousesolution:~$ sftp [email protected]
Enter passphrase for key '/home/techouse/.ssh/id_rsa':
Connected to 192.168.1.5.
sftp> ?
Available commands:
bye Quit sftp
cd path Change remote directory to 'path'
chgrp [-h] grp path Change group of file 'path' to 'grp'
chmod [-h] mode path Change permissions of file 'path' to 'mode'
chown [-h] own path Change owner of file 'path' to 'own'
df [-hi] [path] Display statistics for current directory or
filesystem containing 'path'
exit Quit sftp
get [-afpR] remote [local] Download file
help Display this help text
lcd path Change local directory to 'path'
lls [ls-options [path]] Display local directory listing
lmkdir path Create local directory
ln [-s] oldpath newpath Link remote file (-s for symlink)
lpwd Print local working directory
ls [-1afhlnrSt] [path] Display remote directory listing
lumask umask Set local umask to 'umask'
mkdir path Create remote directory
progress Toggle display of progress meter
put [-afpR] local [remote] Upload file
pwd Display remote working directory
quit Quit sftp
reget [-fpR] remote [local] Resume download file
rename oldpath newpath Rename remote file
reput [-fpR] local [remote] Resume upload file
rm path Delete remote file
rmdir path Remove remote directory
symlink oldpath newpath Symlink remote file
version Show SFTP version
!command Execute 'command' in local shell
! Escape to local shell
? Synonym for help
sftp>

How to create an SSH Tunnel

Creating a SSH Tunnel includes port forwarding.
I will show you how to setup SSH tunnel using MysQl example.
Let’s create a tunnel for accessing Mysql server

techouse@techousesolution:~$ ssh -L 9000:localhost:3306 [email protected]
or
techouse@techousesolution:~$ ssh -L 9000:localhost:3306 [email protected] -N

This command will forward 3306 port to 9000

While accessing mysQl using SSH tunnel. Use same mysql details but change the port to 9000
Host: localhost
Username:
Password:
Databse:
Port: 9000

Important:- Practice setup key base login and also enable


chirag@chirag-MacBookAir:~$ vim /etc/ssh/sshd_config
PasswordAuthentication yes

Uncomment and Change this to NO as it will disable password login only permit key base login

References

https://en.wikipedia.org/wiki/SSH_(Secure_Shell)

https://www.linkedin.com/learning/learning-ssh/windows-and-ssh-servers

techouse

I love helping beautiful people like you. I love hanging out with my dogs.

You may also like...

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

× How can I help you?