Introduction to OpenSSH

SSH stands for Secure Shell. It is a network protocol used to access a remote system. SSH offers utilities like scp and slogin to remotely log in and copy data to a remote system; these are secure versions of rcp and rlogin. It is the only network service which is enabled by default. SSH is a replacement for Telnet, which does not support encryption, so everything goes over the wire in plain text. That is why, for security reasons, SSH has become the most trusted and widely used protocol. SSH is available for most operating systems, including Microsoft Windows.

SSH supports encryption, which makes it a very secure and trustworthy protocol. Unencrypted communication on a network is dangerous, because an attacker can sniff your user name and password and easily steal your important data. SSH uses two keys to do encryption:

1] Private key: This key is always stored on the SSH server.
2] Public key: This key is distributed to SSH clients.

These keys are usually generated only once, but you can regenerate them. In order to access a remote system, the receiving system must have the public key of the sending machine. When you try to access a remote system for the very first time, the SSH server sends you its public key. Take a look at the example below:

[root@localhost ~]# ssh 192.168.1.3
The authenticity of host '192.168.1.3 (192.168.1.3)' can't be established.
RSA key fingerprint is 79:67:7a:e4:61:29:5a:5b:1b:79:2b:b1:34:72:42:d8.
Are you sure you want to continue connecting (yes/no)?

Now, as you can see, when you tried to access the remote server it easily sent you its public key. This can be a loophole in the system security. But on the other hand, ssh is also telling you that it doesn't know the host you are trying to connect to, and it sends you the fingerprint. If this fingerprint doesn't match the fingerprint it should match, you can refuse the remote connection. At the same time, when the server sends its public key to the client system, the client's public key is also uploaded to the SSH server. Once both ends have received each other's public key, they start decrypting each other's data.
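The fingerprint in the prompt above is only useful if you compare it with a value you obtained some other way (from the server's administrator, a trusted inventory, or the output of ssh-keygen -l run on the server itself). The colon-separated hex form shown on this page is the MD5 of the base64-decoded public-key blob; newer OpenSSH releases print "SHA256:" followed by unpadded base64 of the same blob instead, and ssh-keygen -l -E md5 still shows the old form. The following Python script is an added example, not part of the original post, and shows both computations on a constructed Ed25519 key (32 predictable bytes, not a real key); the procedure is identical for RSA and DSA keys because the fingerprint is a hash of the whole key blob. The helper names and the "trusted record" value are assumptions of the example.

```python
import base64
import hashlib
import struct


def build_ed25519_pubkey_line(raw32: bytes, comment: str = "constructed@example") -> str:
    """Build an OpenSSH public-key line ("type base64-blob comment").

    The blob is a sequence of length-prefixed strings: the key type, then
    the key material. The 32 bytes passed in are constructed sample data
    for this example, not a real key.
    """
    ktype = b"ssh-ed25519"
    blob = (struct.pack(">I", len(ktype)) + ktype
            + struct.pack(">I", len(raw32)) + raw32)
    return "%s %s %s" % (ktype.decode(), base64.b64encode(blob).decode(), comment)


def _blob(pubkey_line: str) -> bytes:
    """Decode the key blob (second field of the line); both fingerprint
    forms are hashes of this blob, whatever the key type."""
    return base64.b64decode(pubkey_line.split()[1])


def fingerprint_md5(pubkey_line: str) -> str:
    """MD5 fingerprint in the colon-separated hex form the page shows."""
    digest = hashlib.md5(_blob(pubkey_line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(pubkey_line: str) -> str:
    """SHA256 fingerprint as newer OpenSSH prints it: 'SHA256:' plus
    unpadded base64."""
    digest = hashlib.sha256(_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(pubkey_line: str, expected: str) -> bool:
    """Compare the presented key with a fingerprint obtained out of band.

    Either form is accepted. The hex form is compared case-insensitively
    so a fingerprint copied in upper case is not a false mismatch; any
    other difference is a mismatch and the connection should be refused,
    as the text above advises.
    """
    expected = expected.strip()
    if expected.upper().startswith("SHA256:"):
        return fingerprint_sha256(pubkey_line) == "SHA256:" + expected[7:]
    return fingerprint_md5(pubkey_line) == expected.lower()


if __name__ == "__main__":
    # Constructed sample key: 32 predictable bytes, not a real key.
    key_line = build_ed25519_pubkey_line(bytes(range(32)))
    md5_fp = fingerprint_md5(key_line)
    print("presented key fingerprint:", md5_fp)
    print("matches trusted record:   ", host_key_matches(key_line, md5_fp))
    print("matches page's sample:    ",
          host_key_matches(key_line, "79:67:7a:e4:61:29:5a:5b:1b:79:2b:b1:34:72:42:d8"))
```

To check a real server, feed host_key_matches the line ssh-keyscan prints for the host (or the matching line from ~/.ssh/known_hosts) together with the fingerprint you were given out of band.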

There are two kinds of algorithms that can be used to generate public and private keys:

1] RSA [Rivest-Shamir-Adleman]: It offers encryption and signing of the data.
2] DSA [Digital Signature Algorithm]: It offers only signing of the data, and is faster than RSA.

In order to generate these keys, run the 'ssh-keygen' command. Have a look:

[root@localhost ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
7d:bb:de:d7:fa:99:7f:b2:13:65:d9:60:86:35:99:78

In the above example, we have generated an RSA key. When you enter the above command, it asks you where you want to store the RSA keys. By default, it creates two files, 'id_rsa' and 'id_rsa.pub', in the '.ssh/' directory, which is a hidden directory. Then it asks you to set a passphrase.

To access a remote system, we simply need to run the command below:

[root@localhost ~]# ssh www.server.com

OR
[root@localhost ~]# ssh 172.24.25.254

When you run the above command, you log in with the root account, which can be dangerous for the server. To avoid this kind of situation, you can restrict the root user from accessing the server with root privileges and allow only other users to access the SSH server. In our case, I am going to allow user1 to access the SSH server. If I need to allow other users as well, I can write their names separated by commas.
Take a look at the below example:

[root@localhost ~]# vim /etc/ssh/sshd_config

Go to line no 37

AllowUsers user1

Go to line no 39 and change this line

PermitRootLogin no

:wq! [write & quit]

[root@localhost ~]# service sshd restart

Now whenever an SSH client tries to log in to the SSH server with the root account, the login will be refused. On the other hand, if the user logs in as user1@172.24.25.254, the login will succeed.
SSH listens on port number 22 by default. If you want to change this port number for security reasons, you can easily do so by editing 'sshd_config'. The default entry looks like this:

#port 22

Now suppose I want to change this port; I just have to remove the hash {#} from the beginning of this line and change the port number. In my case, I am changing it to 222. Now the entry will look like this:

port 222
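The three edits above (AllowUsers, PermitRootLogin and Port) share a few sshd_config rules that are easy to trip over without sshd complaining: a line that still starts with '#' is a comment and not a setting, keywords are case-insensitive, keyword and value may be separated by whitespace or '=', and when a keyword appears more than once the first occurrence wins, so an edit added below an existing line silently does nothing. Note also that sshd_config separates AllowUsers patterns with spaces, so an entry written as "user1,user2" is a single pattern that no normal user name matches. The following Python checker is an added example, not part of the original post; it reads two constructed sshd_config samples embedded inline (one before and one after the edits described above) and reports the effective values with warnings. The function and field names are assumptions of the example, and Match blocks are not handled.

```python
import re
from typing import Dict, List

# Constructed sample: the stock file before any edits, where the two
# entries the text talks about are still commented-out defaults.
SAMPLE_BEFORE = """\
# constructed sshd_config sample (not a real server's file)
#Port 22
#PermitRootLogin yes
"""

# Constructed sample after the edits described above; the second
# PermitRootLogin line is there to show that sshd keeps the FIRST value.
SAMPLE_AFTER = """\
# constructed sshd_config sample (not a real server's file)
Port 222
AllowUsers user1
PermitRootLogin no
PermitRootLogin yes
"""

# keyword, then either '=' or whitespace, then the value
_LINE = re.compile(r"^(\S+?)\s*(?:=|\s)\s*(.*)$")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective value per keyword, following sshd_config(5) rules:
    '#' starts a comment, keywords are case-insensitive, keyword and
    value are separated by whitespace or '=', first occurrence wins."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        effective.setdefault(key, value)   # later duplicates are ignored
    return effective


def audit(text: str) -> dict:
    """Report the effective Port, PermitRootLogin and AllowUsers settings
    plus warnings a defender would want to see."""
    cfg = parse_sshd_config(text)
    port = cfg.get("port", "22")            # sshd's built-in default port
    root = cfg.get("permitrootlogin")       # None: version-dependent default
    users: List[str] = cfg.get("allowusers", "").split()   # space-separated
    warnings: List[str] = []
    if "port" not in cfg:
        warnings.append("Port not set; a commented '#Port' line is ignored, sshd uses 22")
    if root is None:
        warnings.append("PermitRootLogin not set; the default depends on the OpenSSH version")
    elif root.lower() != "no":
        warnings.append("PermitRootLogin %s: root can still log in" % root)
    if not users:
        warnings.append("AllowUsers not set; any account with a valid shell may log in")
    for u in users:
        if "," in u:
            warnings.append("AllowUsers entry %r contains a comma; entries are space-separated" % u)
    return {"port": port, "permitrootlogin": root, "allowusers": users,
            "root_login_blocked": root is not None and root.lower() == "no",
            "warnings": warnings}


if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, audit(text))
```

On a real host, pass the contents of /etc/ssh/sshd_config to audit() after editing and before restarting sshd; an unexpected "Port not set" or "root can still log in" warning means the edit did not land where sshd reads it.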

So now if an SSH client wants to access the SSH server, it will need to know the port number of the SSH server, which adds additional security for the SSH server. The next time an SSH client tries to connect to the SSH server with the command below, it will get the error shown below:

[root@localhost ~]# ssh user@172.24.25.254
ssh: connect to host 172.24.25.254 port 22: Connection refused

As you can see, the above command shows a connection refused error. If you want to access the SSH server, you will have to run the following command:

[root@localhost ~]# ssh user@172.24.25.254 -p 222

Here '-p' is the option for the port number and '222' is the port number.

If you want to copy files to a remote system, you can use the scp command, which is a secure copy command. In the example below, I am going to copy a file named 'file1' from the SSH client system to the desktop of the remote SSH server, which has the IP address 172.24.25.254.

[root@localhost ~]# scp file1 172.24.25.254:/root/Desktop/

But if you want to copy a file from the SSH server to your local SSH client system, you need to know the location of the file on the SSH server that you want to copy. In the following example, I know the location of the file named 'backup.tar' and I am going to copy it to my desktop.

[root@localhost ~]# scp 172.24.25.254:/root/backup.tar /root/Desktop/
