Secure Shell

Now that we have a good understanding of users and the shell, we’re ready to tackle the concept of a remote terminal.

A foundational advantage of Linux is easy access to the Secure Shell daemon, known as sshd. This service allows a user to establish an encrypted shell session from anywhere in the world. On top of basic remote shell access, sshd provides a few nice perks:

  • Secure file transfer over the same encrypted protocol.
  • An encrypted tunnel for passing traffic to and from a remote client (similar to a VPN)
  • X11 Forwarding, which isn’t as useful for a server, allows you to run a graphical user interface (GUI) program on a remote machine despite all the computing occurring on the server.

From here on, I’ll use ssh to refer to the client and service interchangeably. You need both, so being pedantic isn’t very useful.

Using SSH for a Remote Shell

The ssh command is quite simple. It takes the form ssh user@address:port.

  • The default port for ssh is 22, so it is often omitted.
  • address can be an IP address, a host alias, or a fully qualified domain name. These differences will be covered later, TO-DO REMINDER)

Ubuntu installs the sshclient by default, but not the service, so let’s do that now. Open a terminal and follow along:

devil@ubuntuVM:~$ sudo apt install ssh
[output trimmed]
devil@ubuntuVM:~$ ssh devil@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:IczfUohbcMaJ09KIZk6v/FGXhhHOT70DLVwhaGeW/zM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
devil@localhost's password: *****************
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.8.0-59-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 updates can be applied immediately.

Your Hardware Enablement Stack (HWE) is supported until April 2025.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
devil@ubuntuVM:~$ 

Seems a bit anti-climactic, right? It certainly looks that way, but consider this. You have started the sshd service, then used the ssh client to establish a remote shell connection to your own machine.

Cue the Inception sound.

Once you’ve done this, you’ll be presented with an identical CLI prompt, and that’s completely expected. If you were halfway across the world, you’d see the same thing. Using ssh, you can interact with your machine remotely and just as if you were sitting at the keyboard directly.

You can exit a remote shell at any time using exit or CTRL + d on an empty prompt.

Passwords and Keys

The traditional method of authentication on most machines (and thus ssh) is a password. By default, ssh is configured to accept password authentication for the specific user.

A more secure way, especially if you’re prone to reusing passwords, is to use authentication keys. SSH configured in this way will do a private-public key exchange in lieu of a password. This approach is better if you can maintain secure access to a particular machine, since the private and public key are stored on the file system directly.

To generate a private-public key pair, open a shell and do the following:

devil@ubuntuVM:~$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/devil/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/devil/.ssh/id_rsa
Your public key has been saved in /home/devil/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:8PH1JcJSqQVA5kvT1F7ywv47zfCTLqP/EfQ4lKoPDH0 devil@ubuntuVM
The key's randomart image is:
+---[RSA 3072]----+
|       .+.oo..   |
|       o o o= .. |
|      . = o=+++..|
|       + *.o+=o+.|
|        S o.E.+..|
|         o o. ...|
|          +  . *.|
|           o ooo=|
|           .+.*=.|
+----[SHA256]-----+

You can choose to protect the key with an additional password, which does not have to match your user’s password. Up to you!

This key will be saved in a special hidden directory named .ssh in your home directory. For future reference, directories and files starting with a period will be hidden by default using ls and similar tools.

Let’s take a look at the key:

devil@ubuntuVM:~$ cat .ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAyKzugBeO+gpUL2PRePgylCz24N4PMqcbA8uwhv4RjctS3UkZDSCW
IPGNaFu+k+8TaZOpew9uy/jqwbuSop42RJJ4VJ1Cs++VOS0c2NrZXE60U5kqgBVck72T2I
lbo2KKeRhbxPWVe2yeiAMm1oTc3NfVoJ18aXYDOTPfHMnfN3eTSaEryIBNfqxK5ycGDbhB
xF2mM/in2s/2PuRt4Uokg4GZfEmUUOPL2byuXRuSvvvTkbFVhezNVtjDbQ79Jz5jfmhCsP
ktZBqczPCZwz9L2X0zhQctQTO641Fypj3Q4eIrOdwiQbrSFYSCFZJnyJ7wcGBVynuR3kI8
YOHxTGaaNXIVrPbPTYtLGNlIJPxlruqeDxkEg2AxR6UmifIUIPNTMR9Fdlj701l18g8Hje
Atx2mtEtkn/vW/EeZw5YQym+EQP3JW40GsG59JFcsKGDdhTRUxyYkY2RLyQXwE8yXyPNAH
eLAp8wCYpz3pJ7J+hpiNJRH2YIXWSOvG3B6RCbaxAAAFiLcMCNW3DAjVAAAAB3NzaC1yc2
EAAAGBAMis7oAXjvoKVC9j0Xj4MpQs9uDeDzKnGwPLsIb+EY3LUt1JGQ0gliDxjWhbvpPv
E2mTqXsPbsv46sG7kqKeNkSSeFSdQrPvlTktHNja2VxOtFOZKoAVXJO9k9iJW6NiinkYW8
T1lXtsnogDJtaE3NzX1aCdfGl2Azkz3xzJ3zd3k0mhK8iATX6sSucnBg24QcRdpjP4p9rP
9j7kbeFKJIOBmXxJlFDjy9m8rl0bkr7705GxVYXszVbYw20O/Sc+Y35oQrD5LWQanMzwmc
M/S9l9M4UHLUEzuuNRcqY90OHiKzncIkG60hWEghWSZ8ie8HBgVcp7kd5CPGDh8UxmmjVy
Faz2z02LSxjZSCT8Za7qng8ZBINgMUelJonyFCDzUzEfRXZY+9NZdfIPB43gLcdprRLZJ/
71vxHmcOWEMpvhED9yVuNBrBufSRXLChg3YU0VMcmJGNkS8kF8BPMl8jzQB3iwKfMAmKc9
6SeyfoaYjSUR9mCF1kjrxtwekQm2sQAAAAMBAAEAAAGBAKlPrpKITeuM12Z8c3n6/sGiBl
HHSU9VSiezrabXqfvWdn2ZdPdsbP4yjzpjXbH23owPN8lKRhL2WytFlPx7PBIy+i9515N1
KpPpChO04ftNtDtsWT1jyI4mPx1NFvIM7AQrlxHgmlReWosrDZOk2avCts0i0pswJJwYtb
/WWuyziKNwxj4OclPUDgZlGGhu85433UiwHP8ywvJhTIvuQExsBhGlCuwMpit5VCveXbuh
QOoFksDCAKWrkYbsRI7dxRlSaE3pUCNANxbvRxAgbODwPIQFqZy4KjLK28OlvUA43UVPDV
NJWHifdZXZX2Oi3z/eWivC43omLGEzrfLS9tywCCkzrRDxG2qLMKBLRKtUEyAnPoeLbpo0
UJSdY7/KciTJNI1vMBnqPCIAM/wcwObVoWDAoka5SWlfqQZJ6JbQ76QrGfnClrn7JO8BYL
JO/DUu140etp6/6ql8pVo7XyAQoYBBfD87Zjz6d/S40rcGj2s6QN4X5ouXnkKXyG20IQAA
AMEAjeLsgDseiNXeK79gP+UEmjHus24BD2griHvliYYJslcmlvpEw5Ok7EcoQTh1WxSm/c
+fYJZicAeddvGypPEoc1tokqyU9je9MgTDSoZANRqzUQRbDB7KxSn83cqirr7A3iAqNHNW
lZIUWotKyAXyUXSsM8e76XrPODsHo9VLk7k6b9PQbyjjmSvgALYok2ZlVw5Gf40CgMXcd4
zfurFrm2L3e89lj7eYa++yQcvOBKJ/4wlnVCfx0rHAUt1Ze/0gAAAAwQDsGjwFMZh12PXY
D5jd0HrSnYkukZ8mSMNqXOZv+ZkkzTnOqd0PTuiKNJmySteb3TiT4NcS6fL7jBK6gmWyZf
GuVfpwtr1ZPTV0Lab/RdxM4Jq33N0GLgWmxFMqNB6FaLYb7YWT++VduMYff4z+LwubdxES
h4JC8D4Bd2wCyXjzwAuAtDoxqZyT5/sSCL7aun5rwdQLj31LDqd/LJ2WzwWM2ibREqfDs6
CaQANCN+J9UVQi+NEMaY248M9/JL4Hgp0AAADBANmWYdunSxeSNYVtwjPH2iQoGLE/qnvp
wjmytZv55WSpUjVebSaJ0meUZmei6aCJl3oinKAB7K4NywUNY40u3XnKVLtSCFJMYQ4ULv
N9TtKRSMvBiRmb9epLFcxK2glLZg578MM+St94+OEuB+X1zEW29UVut79R54l9F4HG8Z5O
hv6jv9Wjk80BlLrBP7th/Bfg2XDxeDtc9vGl/t8SiUKrrFV8w6fyD4pkJbxc3G2b+UQhQb
xCQ2qbnJTGJEhOJQAAAA5kZXZpbEB1YnVudHVWTQECAw==
-----END OPENSSH PRIVATE KEY-----

IMPORTANT NOTE — I have copied and pasted the private key, which lives in /home/devil/.ssh/id_rsa. This key should NEVER EVER EVER be shared. I will throw this keypair away immediately after writing this post. In any case, it lives in a VM with no exposure to the Internet. I provide it here only for illustration purposes. You are free to share the id_rsa.pub key, but never expose the private key.

Now let’s take a look at the public key:

devil@ubuntuVM:~$ cat .ssh/id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIrO6AF476ClQvY9F4+DKULPbg3g8ypxsDy7CG/hGNy1LdSRkNIJYg8Y1oW76T7xNpk6l7D27L+OrBu5KinjZEknhUnUKz75U5LRzY2tlcTrRTmSqAFVyTvZPYiVujYop5GFvE9ZV7bJ6IAybWhNzc19WgnXxpdgM5M98cyd83d5NJoSvIgE1+rErnJwYNuEHEXaYz+Kfaz/Y+5G3hSiSDgZl8SZRQ48vZvK5dG5K++9ORsVWF7M1W2MNtDv0nPmN+aEKw+S1kGpzM8JnDP0vZfTOFBy1BM7rjUXKmPdDh4is53CJButIVhIIVkmfInvBwYFXKe5HeQjxg4fFMZpo1chWs9s9Ni0sY2Ugk/GWu6p4PGQSDYDFHpSaJ8hQg81MxH0V2WPvTWXXyDweN4C3Haa0S2Sf+9b8R5nDlhDKb4RA/clbjQawbn0kVywoYN2FNFTHJiRjZEvJBfATzJfI80Ad4sCnzAJinPeknsn6GmI0lEfZghdZI68bcHpEJtrE= devil@ubuntuVM

Note that it has the format [ssh-rsa] [long string of text] [user@hostname]. Here’s what it all means:

  • The ssh-rsa string signifies the type of hashing algorithm (RSA in this case).
  • The long string is the RSA hash of your private key
  • user@hostname will match the user and hostname associated with the system that generated the keypair.

Using the Key on Other Servers

Now that we have a private-public key pair, we can copy it to other hosts.

Let’s pretend that we have another server on example.com, and we want to copy our new credentials to it for easy access. ssh has a built-in mechanism for this called ssh-copy-id. It takes a very similar format to ssh:

devil@ubuntuVM:~$ ssh-copy-id devil@example.com
The authenticity of host '192.168.1.2 (192.168.1.2)' can't be established. ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe. Are you sure you want to continue connecting (yes/no)? yes
Number of key(s) added: 1

From there, you can simply use ssh devil@example.com to connect. ssh will automatically use the private-public key to authenticate against the stored credentials on example.com.

Copying Files using SSH

We can use scp (short for “secure copy”) to copy files in much the same way. Even better, it will use the public-private key authentication from ssh that we already generated!

Here’s the format:

devil@ubuntuVM:~$ scp filename.txt devil@example.com:/home/devil/newfilename.txt
devil@example.com's password: *********
filename.txt                      100%   41     0.9KB/s   00:00

Note that example.com is a fake address and will not work, but that’s what the command looks like when it completes successfully.

Newsletter

Tip Jar

If you're getting value from my writing, please support my efforts with a donation. You can donate directly using my public Ethereum address bowtieddevil.eth. Or you can use the donation button below, which works through my self-hosted BTCPay Server.
linux 

See also