A foundational advantage of Linux is easy access to the Secure Shell daemon, sshd. This service lets a user establish an encrypted shell session from anywhere in the world. On top of basic remote shell access, sshd provides a few nice perks:
- Secure file transfer over the same encrypted protocol.
- An encrypted tunnel for passing traffic to and from a remote client (similar to a VPN).
- X11 forwarding, which isn't as useful for a server, lets you run a graphical user interface (GUI) program on the remote machine while its windows are drawn on your local screen; all of the computing happens on the server.
From here on, I'll use ssh to refer to the client and the service interchangeably. You need both, so being pedantic isn't very useful.
Using SSH for a Remote Shell
The ssh command is quite simple. It takes the form ssh user@address -p port, where:
- The default port for ssh is 22, so it is often omitted.
- address can be an IP address, a host alias, or a fully qualified domain name. These differences will be covered later.
Ubuntu installs the ssh client by default, but not the service, so let's do that now (the ssh package is a metapackage that pulls in both openssh-client and openssh-server). Open a terminal and follow along:

```
devil@ubuntuVM:~$ sudo apt install ssh
[output trimmed]
devil@ubuntuVM:~$ ssh devil@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:IczfUohbcMaJ09KIZk6v/FGXhhHOT70DLVwhaGeW/zM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
devil@localhost's password: *****************
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.8.0-59-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 updates can be applied immediately.

Your Hardware Enablement Stack (HWE) is supported until April 2025.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

devil@ubuntuVM:~$
```

The fingerprint prompt is ssh asking you to verify the server's host key before it trusts it. Once you answer yes, the key is cached in ~/.ssh/known_hosts, and any later change of that key produces a loud warning instead of a silent login. On localhost there is nothing to check, but for a real remote host compare the fingerprint against one obtained out of band, for example by running ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub on the server's console.
Seems a bit anti-climactic, right? It certainly looks that way, but consider this: you have started the sshd service, then used the ssh client to establish a remote shell connection to your own machine.
Cue the Inception sound.
Once you've done this, you'll be presented with an identical CLI prompt, and that's completely expected. If you were halfway across the world, you'd see the same thing. Using ssh, you can interact with your machine remotely, just as if you were sitting at the keyboard directly.
You can exit a remote shell at any time by pressing Ctrl+D on an empty prompt, or by typing exit.
Passwords and Keys
The traditional method of authentication on most machines (and thus ssh) is a password. By default, sshd accepts password authentication for any local user account.

A more secure way, especially if you're prone to reusing passwords, is to use authentication keys. Configured this way, the client proves possession of a private key by signing a challenge from the server, and the server checks that signature against a public key it already holds; no password ever crosses the wire. This approach is better if you can keep the machine holding the key secure, since the private key is stored directly on its file system and anyone who can read that file can log in as you (unless you also protect it with a passphrase).
To generate a private-public key pair, open a shell and do the following:

```
devil@ubuntuVM:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/devil/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/devil/.ssh/id_rsa
Your public key has been saved in /home/devil/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:8PH1JcJSqQVA5kvT1F7ywv47zfCTLqP/EfQ4lKoPDH0 devil@ubuntuVM
The key's randomart image is:
+---[RSA 3072]----+
| .+.oo.. |
| o o o= .. |
| . = o=+++..|
| + *.o+=o+.|
| S o.E.+..|
| o o. ...|
| + . *.|
| o ooo=|
| .+.*=.|
+----[SHA256]-----+
```

This version of ssh-keygen defaults to a 3072-bit RSA key. Newer OpenSSH releases default to Ed25519, and you can ask for one on any recent version with ssh-keygen -t ed25519; the key is much shorter and the files become id_ed25519 and id_ed25519.pub.
You can choose to protect the key with a passphrase, which does not have to match your user's password. It encrypts the private key file on disk, so a stolen id_rsa is useless without it. Up to you!
This key will be saved in a special hidden directory named .ssh in your home directory. For future reference, directories and files whose names start with a period are hidden by default from ls and similar tools.
Let's take a look at the key:

```
devil@ubuntuVM:~$ cat .ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAyKzugBeO+gpUL2PRePgylCz24N4PMqcbA8uwhv4RjctS3UkZDSCW
IPGNaFu+k+8TaZOpew9uy/jqwbuSop42RJJ4VJ1Cs++VOS0c2NrZXE60U5kqgBVck72T2I
lbo2KKeRhbxPWVe2yeiAMm1oTc3NfVoJ18aXYDOTPfHMnfN3eTSaEryIBNfqxK5ycGDbhB
xF2mM/in2s/2PuRt4Uokg4GZfEmUUOPL2byuXRuSvvvTkbFVhezNVtjDbQ79Jz5jfmhCsP
ktZBqczPCZwz9L2X0zhQctQTO641Fypj3Q4eIrOdwiQbrSFYSCFZJnyJ7wcGBVynuR3kI8
YOHxTGaaNXIVrPbPTYtLGNlIJPxlruqeDxkEg2AxR6UmifIUIPNTMR9Fdlj701l18g8Hje
Atx2mtEtkn/vW/EeZw5YQym+EQP3JW40GsG59JFcsKGDdhTRUxyYkY2RLyQXwE8yXyPNAH
eLAp8wCYpz3pJ7J+hpiNJRH2YIXWSOvG3B6RCbaxAAAFiLcMCNW3DAjVAAAAB3NzaC1yc2
EAAAGBAMis7oAXjvoKVC9j0Xj4MpQs9uDeDzKnGwPLsIb+EY3LUt1JGQ0gliDxjWhbvpPv
E2mTqXsPbsv46sG7kqKeNkSSeFSdQrPvlTktHNja2VxOtFOZKoAVXJO9k9iJW6NiinkYW8
T1lXtsnogDJtaE3NzX1aCdfGl2Azkz3xzJ3zd3k0mhK8iATX6sSucnBg24QcRdpjP4p9rP
9j7kbeFKJIOBmXxJlFDjy9m8rl0bkr7705GxVYXszVbYw20O/Sc+Y35oQrD5LWQanMzwmc
M/S9l9M4UHLUEzuuNRcqY90OHiKzncIkG60hWEghWSZ8ie8HBgVcp7kd5CPGDh8UxmmjVy
Faz2z02LSxjZSCT8Za7qng8ZBINgMUelJonyFCDzUzEfRXZY+9NZdfIPB43gLcdprRLZJ/
71vxHmcOWEMpvhED9yVuNBrBufSRXLChg3YU0VMcmJGNkS8kF8BPMl8jzQB3iwKfMAmKc9
6SeyfoaYjSUR9mCF1kjrxtwekQm2sQAAAAMBAAEAAAGBAKlPrpKITeuM12Z8c3n6/sGiBl
HHSU9VSiezrabXqfvWdn2ZdPdsbP4yjzpjXbH23owPN8lKRhL2WytFlPx7PBIy+i9515N1
KpPpChO04ftNtDtsWT1jyI4mPx1NFvIM7AQrlxHgmlReWosrDZOk2avCts0i0pswJJwYtb
/WWuyziKNwxj4OclPUDgZlGGhu85433UiwHP8ywvJhTIvuQExsBhGlCuwMpit5VCveXbuh
QOoFksDCAKWrkYbsRI7dxRlSaE3pUCNANxbvRxAgbODwPIQFqZy4KjLK28OlvUA43UVPDV
NJWHifdZXZX2Oi3z/eWivC43omLGEzrfLS9tywCCkzrRDxG2qLMKBLRKtUEyAnPoeLbpo0
UJSdY7/KciTJNI1vMBnqPCIAM/wcwObVoWDAoka5SWlfqQZJ6JbQ76QrGfnClrn7JO8BYL
JO/DUu140etp6/6ql8pVo7XyAQoYBBfD87Zjz6d/S40rcGj2s6QN4X5ouXnkKXyG20IQAA
AMEAjeLsgDseiNXeK79gP+UEmjHus24BD2griHvliYYJslcmlvpEw5Ok7EcoQTh1WxSm/c
+fYJZicAeddvGypPEoc1tokqyU9je9MgTDSoZANRqzUQRbDB7KxSn83cqirr7A3iAqNHNW
lZIUWotKyAXyUXSsM8e76XrPODsHo9VLk7k6b9PQbyjjmSvgALYok2ZlVw5Gf40CgMXcd4
zfurFrm2L3e89lj7eYa++yQcvOBKJ/4wlnVCfx0rHAUt1Ze/0gAAAAwQDsGjwFMZh12PXY
D5jd0HrSnYkukZ8mSMNqXOZv+ZkkzTnOqd0PTuiKNJmySteb3TiT4NcS6fL7jBK6gmWyZf
GuVfpwtr1ZPTV0Lab/RdxM4Jq33N0GLgWmxFMqNB6FaLYb7YWT++VduMYff4z+LwubdxES
h4JC8D4Bd2wCyXjzwAuAtDoxqZyT5/sSCL7aun5rwdQLj31LDqd/LJ2WzwWM2ibREqfDs6
CaQANCN+J9UVQi+NEMaY248M9/JL4Hgp0AAADBANmWYdunSxeSNYVtwjPH2iQoGLE/qnvp
wjmytZv55WSpUjVebSaJ0meUZmei6aCJl3oinKAB7K4NywUNY40u3XnKVLtSCFJMYQ4ULv
N9TtKRSMvBiRmb9epLFcxK2glLZg578MM+St94+OEuB+X1zEW29UVut79R54l9F4HG8Z5O
hv6jv9Wjk80BlLrBP7th/Bfg2XDxeDtc9vGl/t8SiUKrrFV8w6fyD4pkJbxc3G2b+UQhQb
xCQ2qbnJTGJEhOJQAAAA5kZXZpbEB1YnVudHVWTQECAw==
-----END OPENSSH PRIVATE KEY-----
```
IMPORTANT NOTE — I have copied and pasted the private key, which lives in /home/devil/.ssh/id_rsa. This key should NEVER EVER EVER be shared. I will throw this keypair away immediately after writing this post. In any case, it lives in a VM with no exposure to the Internet. I provide it here only for illustration purposes. You are free to share the id_rsa.pub key, but never expose the private key.
Now let's take a look at the public key:

```
devil@ubuntuVM:~$ cat .ssh/id_rsa.pub
ssh-rsa ... devil@ubuntuVM
```

Note that it has the format [ssh-rsa] [long string of text] [user@hostname]. Here's what it all means:
- The ssh-rsa string names the key type, that is, the public-key algorithm (RSA in this case). It is not a hashing algorithm.
- The long string is the public key itself, base64-encoded: the RSA exponent and modulus in SSH's wire format. It is not a hash of your private key, and it reveals nothing about the private key.
- user@hostname is a free-form comment; ssh-keygen fills it with the user and hostname of the system that generated the keypair, and sshd ignores it when authenticating.
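To make the two points above concrete, the host-key fingerprint shown in the first ssh prompt and the structure of the id_rsa.pub line, here is an added example (my code, not from the post or from OpenSSH) that builds a public key line from an exponent and modulus, parses it back into its fields, computes both the SHA256 and the older MD5-style fingerprint exactly as ssh-keygen -lf does, and reproduces the known_hosts decision behind the yes/no prompt. The modulus is a hypothetical 256-bit number chosen only to keep the blob short; it is not a usable key.

```python
import base64
import hashlib
import struct

# Constructed values for the demo (not the key from the post). A 256-bit modulus
# keeps the blob readable; real keys use 2048 bits or more. Hypothetical, unusable.
EXAMPLE_E = 65537
EXAMPLE_N = 0xC1E9F2A7B3D45E6F1234567890ABCDEF0123456789ABCDEF0123456789ABCDF1


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian magnitude, with a leading 0x00 when the top
    bit is set so the value is not read as negative."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def encode_rsa_public_key(e: int, n: int, comment: str) -> str:
    """Produce the one-line form found in id_rsa.pub and authorized_keys. The
    'long string' is base64 of (key type, e, n): the public key itself."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def _read_string(blob: bytes, offset: int):
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def parse_rsa_public_key(line: str) -> dict:
    """Decode the line back into its fields, which shows it is structured data
    (type, exponent, modulus, comment), not a hash of the private key."""
    parts = line.split(None, 2)
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) > 2 else ""
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type != key_type.encode():
        raise ValueError("key type prefix does not match the blob")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the modulus")
    return {"type": key_type, "e": int.from_bytes(e_bytes, "big"),
            "n": int.from_bytes(n_bytes, "big"), "comment": comment}


def fingerprint_sha256(line: str) -> str:
    """The SHA256:... fingerprint printed by ssh-keygen -lf and by the host-key
    prompt: base64 of SHA-256 over the raw blob, '=' padding stripped."""
    blob = base64.b64decode(line.split(None, 2)[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(line: str) -> str:
    """The older colon-separated hex form (fd:fd:d4:...) printed by OpenSSH
    before 6.8: MD5 over the same blob."""
    blob = base64.b64decode(line.split(None, 2)[1])
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def known_hosts_entry(hosts: str, line: str) -> str:
    """The line ssh appends to ~/.ssh/known_hosts after you answer yes: the
    host name(s), key type and blob; the comment is dropped."""
    key_type, key_blob = line.split(None, 2)[:2]
    return f"{hosts} {key_type} {key_blob}"


def host_key_status(known_hosts: str, host: str, presented_line: str) -> str:
    """The decision behind the prompts: 'unknown' (first contact, ssh asks
    yes/no and records the key), 'match' (silent login) or 'MISMATCH' (a
    different key of the same type, reported by ssh as REMOTE HOST
    IDENTIFICATION HAS CHANGED). Hashed entries (HashKnownHosts yes) are not
    handled here."""
    key_type, key_blob = presented_line.split(None, 2)[:2]
    for entry in known_hosts.splitlines():
        fields = entry.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        if host not in fields[0].split(",") or fields[1] != key_type:
            continue
        return "match" if fields[2] == key_blob else "MISMATCH"
    return "unknown"


if __name__ == "__main__":
    line = encode_rsa_public_key(EXAMPLE_E, EXAMPLE_N, "devil@ubuntuVM")
    print(line)
    print(parse_rsa_public_key(line))
    print(fingerprint_sha256(line), fingerprint_md5(line))
```

Run it and you will see the line start with ssh-rsa AAAAB3NzaC1yc2E, the base64 of the length-prefixed string "ssh-rsa"; every RSA public key starts that way because the blob always begins with its own type name. The same blob, hashed, is what the fingerprint prompt shows, which is why comparing fingerprints is equivalent to comparing whole keys.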
Using the Key on Other Servers
Now that we have a private-public key pair, we can copy the public half to other hosts. Let's pretend that we have another server at example.com, and we want to install our new credentials on it for easy access.
ssh has a built-in mechanism for this called ssh-copy-id. It takes a very similar format to ssh:

```
devil@ubuntuVM:~$ ssh-copy-id devil@example.com
The authenticity of host '192.168.1.2 (192.168.1.2)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
Number of key(s) added: 1
```
From there, you can simply use ssh devil@example.com to connect. ssh will automatically offer the private key, and sshd on example.com accepts it because the matching public key now sits in ~/.ssh/authorized_keys there (ssh-copy-id logs in once with your password to append it). Once key login works, consider setting PasswordAuthentication no in /etc/ssh/sshd_config on the server so the account can no longer be attacked by password guessing.
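What ssh-copy-id does on the remote side is simple but easy to get wrong by hand, because sshd silently ignores authorized_keys when the permissions are too loose (StrictModes, on by default). The following added example, my code rather than anything from the post or from OpenSSH, performs the same steps locally in a throwaway home directory: create ~/.ssh, append the key unless it is already present, set 0700/0600, and then audit the permissions. The key line is a constructed placeholder, not a real key.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed placeholder line for the demo; the blob is not real key material.
DEMO_KEY = "ssh-ed25519 AAAAexampleBlobForDemoOnly devil@ubuntuVM"


def install_authorized_key(home: Path, pubkey_line: str) -> int:
    """Do what ssh-copy-id does after it has logged in with your password:
    create ~/.ssh, append the public key to authorized_keys unless it is already
    there, and set the permissions sshd insists on. Returns the number of keys
    added (0 or 1), which is what the 'Number of key(s) added' line reports."""
    pubkey_line = pubkey_line.strip()
    fields = pubkey_line.split()
    if len(fields) < 2 or not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
        raise ValueError("not an OpenSSH public key line")
    key_blob = fields[1]

    ssh_dir = home / ".ssh"
    ssh_dir.mkdir(exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # mkdir's mode is masked by umask, so set it explicitly

    auth = ssh_dir / "authorized_keys"
    if auth.exists():
        # Match on the base64 blob only: an existing line may carry options such
        # as 'no-pty' before the key type, and the trailing comment may differ.
        for line in auth.read_text().splitlines():
            if key_blob in line.split():
                os.chmod(auth, 0o600)
                return 0
    with auth.open("a") as f:
        f.write(pubkey_line + "\n")
    os.chmod(auth, 0o600)
    return 1


def permission_problems(home: Path) -> list:
    """List the mistakes that make sshd ignore authorized_keys with nothing more
    than 'Permission denied (publickey)' on the client: the home directory,
    ~/.ssh or the file being writable by group or others."""
    problems = []
    for path in (home, home / ".ssh", home / ".ssh" / "authorized_keys"):
        if not path.exists():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & 0o022:
            problems.append(f"{path.name}: mode {mode:o} is group/world writable")
    return problems


def demo() -> dict:
    """Run the installer twice in a temporary home, then break the file
    permissions on purpose, and report what each step observed."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        first = install_authorized_key(home, DEMO_KEY)
        second = install_authorized_key(home, DEMO_KEY)  # same key: must not duplicate
        auth = home / ".ssh" / "authorized_keys"
        lines = auth.read_text().splitlines()
        clean = permission_problems(home)
        os.chmod(auth, 0o666)  # the classic mistake
        broken = permission_problems(home)
        return {
            "added_first": first,
            "added_second": second,
            "line_count": len(lines),
            "dir_mode": oct(stat.S_IMODE((home / ".ssh").stat().st_mode)),
            "clean_problems": clean,
            "broken_problems": broken,
        }


if __name__ == "__main__":
    print(demo())
```

If key login ever fails with "Permission denied (publickey)" right after a successful ssh-copy-id, run the equivalent of permission_problems on the server (ls -ld ~ ~/.ssh ~/.ssh/authorized_keys) before suspecting the key itself.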
Copying Files using SSH
We can use scp (short for "secure copy") to copy files in much the same way. Even better, it uses the same authentication as ssh, so the key we already generated works here too!
Here's the format:

```
devil@ubuntuVM:~$ scp filename.txt devil@example.com:/home/devil/newfilename.txt
devil@example.com's password: *********
filename.txt                                  100%   41     0.9KB/s   00:00
```

example.com is a fake address and will not work, but that's what the command looks like when it completes successfully. If your key has already been installed on the target with ssh-copy-id, the password prompt disappears. Recent OpenSSH releases make scp use the SFTP protocol internally; the interactive sftp command takes the same user@host form and uses the same keys.