SlideShare a Scribd company logo

An introduction to SSH

N
nussbauml

SSH (Secure SHell) is a protocol and program used to securely access remote systems. It allows establishing secure communication channels and relies on cryptography. Basic usage provides shell access or executes commands on remote servers, while advanced uses include transferring data, connecting to services, and creating secure tunnels through the public internet. Authentication can be done with passwords or public-key cryptography for increased security.

1 of 28
Downloaded 85 times
An introduction to SSH Lucas Nussbaum lucas.nussbaum@univ-lorraine.fr Licence professionnelle ASRALL Administration de systèmes, réseaux et applications à base de logiciels libres Lucas Nussbaum An introduction to SSH 1 / 26
Plan 1 SSH basics SSH 101 Public-key authentication Checking the server’s identity Configuring SSH 2 Advanced usage SSH as a communication layer for applications Access remote filesystems over SSH: sshfs SSH tunnels, X11 forwarding, and SOCKS proxy Jumping through hosts with ProxyCommand Triggering remote command execution securely Escape sequences 3 Conclusions Lucas Nussbaum An introduction to SSH 2 / 26
Introduction SSH = Secure SHell Standard network protocol and service (TCP port 22) Many implementations, including: OpenSSH: Linux/Unix, Mac OS X ← this talk, mostly Putty: Windows, client only Dropbear: small systems (routers, embedded) Unix command (ssh); server-side: sshd Establish a secure communication channel between two machines Relies on cryptography Most basic usage: get shell access on a remote machine Many advanced usages: Data transfer (scp, sftp, rsync) Connect to specific services (such as Git or SVN servers) Dig secure tunnels through the public Internet Several authentication schemes: password, public key Lucas Nussbaum An introduction to SSH 3 / 26
Basic usage Connecting to a remote server: $ ssh login@remote-server Provides a shell on remote-server Executing a command on a remote server: $ ssh login@remote-server ls /etc Copying data (with scp, similar to cp): $ scp local-file login@remote-serv:remote-directory/ $ scp login@remote-serv:remote-dir/file local-dir/ Usual cp options work, e.g. -r (recursive) Copying data (with rsync, more efficient than scp with many files): $ rsync -avzP localdir login@server:path-to-rem-dir/ Note: trailing slash on source matters with rsync (not with cp) rsync -a dir1 u@h:dir2 dir1 copied inside dir2 rsync -a dir1/ u@h:dir2 content of dir1 copied to dir2 Lucas Nussbaum An introduction to SSH 4 / 26
Public-key authentication General idea: Asymmetric cryptography (or public-key cryptography): The public key is used to encrypt something Only the private key can decrypt it User owns a private (secret) key, stored on the local machine The server has the public key corresponding to the private key Authentication = <server> prove that you own that private key! Implementation (challenge-response authentication): 1 Server generates a nonce (random value) 2 Server encrypts the nonce with the Client’s public key 3 Server sends the encrypted nonce (= the challenge) to client 4 Client uses the private key to decrypt the challenge 5 Client sends the nonce (= the response) to the Server 6 Server compares the nonce with the response Lucas Nussbaum An introduction to SSH 5 / 26
Public-key authentication (2) Advantages: The password does not need to be sent over the network The private key never leaves the client The process can be automated However, the private key should be protected (what if your laptop gets stolen?) Usually with a passphrase Lucas Nussbaum An introduction to SSH 6 / 26
Key-pair generation $ ssh -keygen Generating public/private rsa key pair. Enter file in which to save the key (/home/user/.ssh/id_rsa ): [ENTER] Enter passphrase (empty for no passphrase ): passphrase Enter same passphrase again: passphrase Your identification has been saved in /home/user/.ssh/id_rsa. Your public key has been saved in /home/user/.ssh/id_rsa.pub. The key fingerprint is: f6 :35:53:71:2f:ff :00:73:59:78: ca:2c:7c:ff:89:7b user@my.hostname.net The key ’s randomart image is: +--[ RSA 2048]----+ ..o (...) .o +-----------------+ $ Creates the key-pair: ~/.ssh/id_rsa (private key) ~/.ssh/id_rsa.pub (public key) Lucas Nussbaum An introduction to SSH 7 / 26
Copying the public key to the server Example public key: ssh-rsa AAAAB3NX[. . . ]hpoR3/PLlXgGcZS4oR user@my.hostname.net On the server, ~user/.ssh/authorized_keys contains the list of public keys authorized to connect to the user account The key can be copied manually there Or use ssh-copy-id to automatically copy the key: client$ ssh-copy-id user@server Sometimes the public key needs to be provided using a web interface (e.g. on GitHub, FusionForge, Redmine, etc.) Lucas Nussbaum An introduction to SSH 8 / 26
Remembering the passphrase If the private key is not protected with a passphrase, the connection is established immediately: *** login@laptop:~$ ssh rlogin@rhost [ENTER] *** rlogin@rhost:~$ Otherwise, ssh asks for the passphrase: *** login@laptop:~$ ssh rlogin@rhost [ENTER] Enter passphrase for key ’/home/login/id_rsa’: [passphrase+ENTER] *** rlogin@rhost:~$ An SSH agent can be used to remember the passphrase Most desktop environments act as SSH agents automatically One can be started with ssh-agent if needed Add keys manually with ssh-add Lucas Nussbaum An introduction to SSH 9 / 26
Checking the server identity: known_hosts Goal: detect hijacked servers What if someone replaced the server to steal passwords? When you connect to a server for the first time, ssh stores the server’s public key in ~/.ssh/known_hosts *** login@laptop:~$ ssh rlogin@server [ENTER] The authenticity of host ’server (10.1.6.2)’ can’t be established. RSA key fingerprint is 94:48:62:18:4b:37:d2:96:67:c9:7f:2f:af:2e:54:a5. Are you sure you want to continue connecting (yes/no)? yes [ENTER] Warning: Permanently added ’server,10.1.6.2’(RSA) to the list of known hosts. rlogin@server’s password: Lucas Nussbaum An introduction to SSH 10 / 26
Checking the server identity: known_hosts (2) During each following connection, ssh ensures that the key still matches, and warns the user otherwise *** login@laptop :~$ ssh rlogin@server [ENTER] @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man -in-the -middle attack )! It is also possible that a host key has just been changed. The fingerprint for the RSA key sent by the remote host is e3 :94:03:90:5d:81:ed:bb:d5:d2:f2:de:ba :31:18: d8. Please contact your system administrator. Add correct host key in /home/login/.ssh/known_hosts to get rid of this message. Offending RSA key in /home/login/.ssh/known_hosts :12 RSA host key for server has changed and you have requested strict checking. Host key verification failed. *** login@laptop :~$ Remove a truly outdated key can be removed with ssh-keygen -R server Lucas Nussbaum An introduction to SSH 11 / 26
Configuring SSH SSH gets configuration data from: 1 command-line options (-o ...) 2 the user’s configuration file: ~/.ssh/config 3 the system-wide configuration file: /etc/ssh/ssh_config Options are documented in the ssh_config(5) man page ~/.ssh/config contains a list of hosts (with wildcards) For each parameter, the first obtained value is used Host-specific declarations are given near the beginning General defaults at the end Lucas Nussbaum An introduction to SSH 12 / 26
Example: ~/.ssh/config Host mail.acme.com User root Host foo # alias/shortcut. ’ssh foo ’ works Hostname very -long -hostname.acme.net Port 2222 Host *.acme.com User jdoe Compression yes # default is no PasswordAuthentication no # only use public key ServerAliveInternal 60 # keep -alives for bad firewall Host * User john Note: bash-completion can auto-complete using ssh_config hosts Lucas Nussbaum An introduction to SSH 13 / 26
Plan 1 SSH basics SSH 101 Public-key authentication Checking the server’s identity Configuring SSH 2 Advanced usage SSH as a communication layer for applications Access remote filesystems over SSH: sshfs SSH tunnels, X11 forwarding, and SOCKS proxy Jumping through hosts with ProxyCommand Triggering remote command execution securely Escape sequences 3 Conclusions Lucas Nussbaum An introduction to SSH 14 / 26
SSH as a communication layer for applications Several applications use SSH as their communication layer Sometimes also authentication layer scp, sftp, rsync (data transfer) unison (synchronization) Subversion: svn checkout svn+ssh://user@rhost/path/to/repo Git: git clone ssh://git@github.com/path-to/repository.git Or: git clone git@github.com:path-to/repository.git Lucas Nussbaum An introduction to SSH 15 / 26
Access remote filesystems over SSH: sshfs sshfs: FUSE-based solution to access remote machines Ideal for remote file editing with a GUI, copying small amounts of data, etc. Mount a remote directory: sshfs root@server:/etc /tmp/local-mountpoint Unmount: fusermount -u /tmp/local-mountpoint Combine with afuse to auto-mount any machine: afuse -o mount_template="sshfs %r:/ %m" -o unmount_template="fusermount -u -z %m" ~/.sshfs/ cd ~/.sshfs/rhost/etc/ssh Lucas Nussbaum An introduction to SSH 16 / 26
SSH tunnels with -L and -R Goal: transport traffic through a secure connection Work-around network filtering (firewalls) Avoid sending unencrypted data on the Internet But only works for TCP connections -L: access a remote service behind a firewall (Intranet server) ssh -L 12345:service:1234 server Still on Client: telnet localhost 12345 Server establishes a TCP connection to Service, port 1234 The traffic is tunnelled inside the SSH connection to Server Client Server TCP Service on port 1234 Internet Private network Lucas Nussbaum An introduction to SSH 17 / 26
SSH tunnels with -L and -R Goal: transport traffic through a secure connection Work-around network filtering (firewalls) Avoid sending unencrypted data on the Internet But only works for TCP connections -L: access a remote service behind a firewall (Intranet server) ssh -L 12345:service:1234 server Still on Client: telnet localhost 12345 Server establishes a TCP connection to Service, port 1234 The traffic is tunnelled inside the SSH connection to Server Client Server TCP Service on port 1234 Internet Private network Lucas Nussbaum An introduction to SSH 17 / 26
SSH tunnels with -L and -R -R: provide remote access to a local private service ssh -R 12345:service:1234 server On Server: telnet localhost 12345 Client establishes a TCP connection to Service, port 1234 The traffic is tunnelled inside the SSH connection to Client Client Server TCP Service on port 1234 Private network Internet Note: SSH tunnels don’t work very well for HTTP, because IP+port are not enough to identify a website (Host: HTTP header) Lucas Nussbaum An introduction to SSH 18 / 26
SSH tunnels with -L and -R -R: provide remote access to a local private service ssh -R 12345:service:1234 server On Server: telnet localhost 12345 Client establishes a TCP connection to Service, port 1234 The traffic is tunnelled inside the SSH connection to Client Client Server TCP Service on port 1234 Private network Internet Note: SSH tunnels don’t work very well for HTTP, because IP+port are not enough to identify a website (Host: HTTP header) Lucas Nussbaum An introduction to SSH 18 / 26
X11 forwarding with -X: GUI apps over SSH Run a graphical application on a remote machine, display locally Similar to VNC, but on a per-application basis ssh -X server $DISPLAY will be set by SSH on the server: $ echo $DISPLAY localhost:10.0 Then start GUI applications on server (e.g. xeyes) Troubleshooting: xauth must be installed on the remote machine The local Xorg server must allow TCP connections pgrep -a Xorg -nolisten must not be included Can be configured in your login manager Does not work very well over slow or high-latency connections Lucas Nussbaum An introduction to SSH 19 / 26
SOCKS proxy with -D SOCKS: protocol to proxy TCP connections via a remote machine SSH can act as a SOCKS server: ssh -D 1080 server Use case similar to tunnelling with -L, but more flexible Set up the proxy once, use for multiple connections Usage: Manual: configure applications to use the SOCKS proxy Transparent: use tsocks to re-route connections via SOCKS $ cat /etc/tsocks.conf server = 127.0.0.1 server_type = 5 server_port = 1080 # then start ssh with -D 1080 $ tsocks pidgin # tunnel application through socks Lucas Nussbaum An introduction to SSH 20 / 26
Jumping through hosts with ProxyCommand Client Server Server2 on private network Private networkInternet Problem: to connect to Server2, you need to connect to Server Can you do that in a single step? (required for data transfer, tunnels, X11 forwarding) Combines two SSH features: ProxyCommand option: command used to connect to host; connection available on standard input & output ssh -W host:port establish a TCP connection, provide it on standard input & output (suitable for ProxyCommand) Lucas Nussbaum An introduction to SSH 21 / 26
Jumping through hosts with ProxyCommand (2) Example configuration: Host server2 # ssh server2 works ProxyCommand ssh -W server2 :22 server Also works with wildcards Host *.priv # ssh host1.priv works ProxyCommand ssh -W $(basename %h .priv ):%p server -W only available since OpenSSH 5.4 (circa 2010), but the same can be achieved with netcat: Host *.priv ProxyCommand ssh serv nc -q 0 $(basename %h .priv) %p Similar solution to connect via a proxy: SOCKS: connect-proxy -4 -S myproxy:1080 rhost 22 HTTP (with CONNECT): corkscrew myproxy 1080 rhost 22 When CONNECT requests are forbidden, set up httptunnel on a remote server, and use htc and hts Lucas Nussbaum An introduction to SSH 22 / 26
Triggering remote command execution securely Goal: notify Server2 that something finished on Server1 But Server1 must not have full shell access on Server2 Method: limit to a single command in authorized_keys Also known as SSH triggers Example authorized_keys on Server2: from=" server1.acme.com",command ="tar czf - /home",no-pty , no-port -forwarding ssh -rsa AAAA [...]oR user@my.host.net Lucas Nussbaum An introduction to SSH 23 / 26
Escape sequences Goal: interact with an already established SSH connection Add tunnels or SOCKS proxy, kill unresponsive connection Escape sequences start with ’~’, at the beginning of a line So press [enter], then ~, then e.g. ’?’ Main sequences (others documented in ssh(1)): ~. – disconnect (for unresponsive connections) ~? – show the list of escape sequences ~C – open SSH command-line. e.g. ~C -D 1080 ~& – logout and background SSH while waiting for forwarded connections or X11 sessions to terminate Lucas Nussbaum An introduction to SSH 24 / 26
Plan 1 SSH basics SSH 101 Public-key authentication Checking the server’s identity Configuring SSH 2 Advanced usage SSH as a communication layer for applications Access remote filesystems over SSH: sshfs SSH tunnels, X11 forwarding, and SOCKS proxy Jumping through hosts with ProxyCommand Triggering remote command execution securely Escape sequences 3 Conclusions Lucas Nussbaum An introduction to SSH 25 / 26
Conclusions The Swiss-army knife of remote administration Very powerful tool, many useful features Practical session: test everything mentioned in this presentation Other topics not covered in this presentation: Built-in support for VPN Other authentication methods (certificates) Managing long executions on a remote machine with screen or tmux Mosh, an SSH alternative suited for Wi-Fi, cellular and long distance links Lucas Nussbaum An introduction to SSH 26 / 26
Ad

Recommended

ssh.ppt
ssh.pptssh.ppt
ssh.ppt
joekr1
 
Ssh (The Secure Shell)
Ssh (The Secure Shell)Ssh (The Secure Shell)
Ssh (The Secure Shell)
Mehedi Farazi
 
Secure SHell
Secure SHellSecure SHell
Secure SHell
Çağrı Çakır
 
Ssh
SshSsh
Ssh
Raghu nath
 
File permissions
File permissionsFile permissions
File permissions
Varnnit Jain
 
NGINX: Basics and Best Practices
NGINX: Basics and Best PracticesNGINX: Basics and Best Practices
NGINX: Basics and Best Practices
NGINX, Inc.
 
Linux Tutorial For Beginners | Linux Administration Tutorial | Linux Commands...
Linux Tutorial For Beginners | Linux Administration Tutorial | Linux Commands...Linux Tutorial For Beginners | Linux Administration Tutorial | Linux Commands...
Linux Tutorial For Beginners | Linux Administration Tutorial | Linux Commands...
Edureka!
 
Linux privilege escalation
Linux privilege escalationLinux privilege escalation
Linux privilege escalation
SongchaiDuangpan
 
Building Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPABuilding Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPA
LDAPCon
 
Ansible - Introduction
Ansible - IntroductionAnsible - Introduction
Ansible - Introduction
Stephane Manciot
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentation
Suresh Kumar
 
Shell scripting
Shell scriptingShell scripting
Shell scripting
Geeks Anonymes
 
HashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesHashiCorp's Vault - The Examples
HashiCorp's Vault - The Examples
Michał Czeraszkiewicz
 
Basic commands of linux
Basic commands of linuxBasic commands of linux
Basic commands of linux
shravan saini
 
Linux basic commands with examples
Linux basic commands with examplesLinux basic commands with examples
Linux basic commands with examples
abclearnn
 
Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조
Seung-Hoon Baek
 
Ansible
AnsibleAnsible
Ansible
Kamil Lelonek
 
pfSense presentation
pfSense presentationpfSense presentation
pfSense presentation
Simon Vass
 
Linux and DNS Server
Linux and DNS ServerLinux and DNS Server
Linux and DNS Server
Prabhakar Thota
 
Ansible Introduction
Ansible Introduction Ansible Introduction
Ansible Introduction
Robert Reiz
 
Automation with ansible
Automation with ansibleAutomation with ansible
Automation with ansible
Khizer Naeem
 
Introduction to ansible
Introduction to ansibleIntroduction to ansible
Introduction to ansible
Omid Vahdaty
 
DevOps Meetup ansible
DevOps Meetup ansibleDevOps Meetup ansible
DevOps Meetup ansible
sriram_rajan
 
Sa1 chapter-5-managing-local-linux-users-and-groups-v2 (4)
Sa1 chapter-5-managing-local-linux-users-and-groups-v2 (4)Sa1 chapter-5-managing-local-linux-users-and-groups-v2 (4)
Sa1 chapter-5-managing-local-linux-users-and-groups-v2 (4)
Chinthaka Deshapriya (RHCA)
 
[OpenInfra Days Korea 2018] (Track 3) Zuul v3 - OpenStack 인프라 코드로 CI/CD 살펴보기
[OpenInfra Days Korea 2018] (Track 3) Zuul v3 - OpenStack 인프라 코드로 CI/CD 살펴보기[OpenInfra Days Korea 2018] (Track 3) Zuul v3 - OpenStack 인프라 코드로 CI/CD 살펴보기
[OpenInfra Days Korea 2018] (Track 3) Zuul v3 - OpenStack 인프라 코드로 CI/CD 살펴보기
OpenStack Korea Community
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
Thomas Graf
 
macvlan and ipvlan
macvlan and ipvlanmacvlan and ipvlan
macvlan and ipvlan
Suraj Deshmukh
 
TACACS Protocol
TACACS ProtocolTACACS Protocol
TACACS Protocol
Netwax Lab
 
SSH - Secure Shell
SSH - Secure ShellSSH - Secure Shell
SSH - Secure Shell
Peter R. Egli
 
Introduction to SSH
Introduction to SSHIntroduction to SSH
Introduction to SSH
Hemant Shah
 
Ad

More Related Content

What's hot (20)

Building Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPABuilding Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPA
LDAPCon
 
Ansible - Introduction
Ansible - IntroductionAnsible - Introduction
Ansible - Introduction
Stephane Manciot
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentation
Suresh Kumar
 
Shell scripting
Shell scriptingShell scripting
Shell scripting
Geeks Anonymes
 
HashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesHashiCorp's Vault - The Examples
HashiCorp's Vault - The Examples
Michał Czeraszkiewicz
 
Basic commands of linux
Basic commands of linuxBasic commands of linux
Basic commands of linux
shravan saini
 
Linux basic commands with examples
Linux basic commands with examplesLinux basic commands with examples
Linux basic commands with examples
abclearnn
 
Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조
Seung-Hoon Baek
 
Ansible
AnsibleAnsible
Ansible
Kamil Lelonek
 
pfSense presentation
pfSense presentationpfSense presentation
pfSense presentation
Simon Vass
 
Linux and DNS Server
Linux and DNS ServerLinux and DNS Server
Linux and DNS Server
Prabhakar Thota
 
Ansible Introduction
Ansible Introduction Ansible Introduction
Ansible Introduction
Robert Reiz
 
Automation with ansible
Automation with ansibleAutomation with ansible
Automation with ansible
Khizer Naeem
 
Introduction to ansible
Introduction to ansibleIntroduction to ansible
Introduction to ansible
Omid Vahdaty
 
DevOps Meetup ansible
DevOps Meetup ansibleDevOps Meetup ansible
DevOps Meetup ansible
sriram_rajan
 
Sa1 chapter-5-managing-local-linux-users-and-groups-v2 (4)
Sa1 chapter-5-managing-local-linux-users-and-groups-v2 (4)Sa1 chapter-5-managing-local-linux-users-and-groups-v2 (4)
Sa1 chapter-5-managing-local-linux-users-and-groups-v2 (4)
Chinthaka Deshapriya (RHCA)
 
[OpenInfra Days Korea 2018] (Track 3) Zuul v3 - OpenStack 인프라 코드로 CI/CD 살펴보기
[OpenInfra Days Korea 2018] (Track 3) Zuul v3 - OpenStack 인프라 코드로 CI/CD 살펴보기[OpenInfra Days Korea 2018] (Track 3) Zuul v3 - OpenStack 인프라 코드로 CI/CD 살펴보기
[OpenInfra Days Korea 2018] (Track 3) Zuul v3 - OpenStack 인프라 코드로 CI/CD 살펴보기
OpenStack Korea Community
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
Thomas Graf
 
macvlan and ipvlan
macvlan and ipvlanmacvlan and ipvlan
macvlan and ipvlan
Suraj Deshmukh
 
TACACS Protocol
TACACS ProtocolTACACS Protocol
TACACS Protocol
Netwax Lab
 
Building Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPABuilding Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPA
LDAPCon
 
Ansible - Introduction
Ansible - IntroductionAnsible - Introduction
Ansible - Introduction
Stephane Manciot
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentation
Suresh Kumar
 
Shell scripting
Shell scriptingShell scripting
Shell scripting
Geeks Anonymes
 
HashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesHashiCorp's Vault - The Examples
HashiCorp's Vault - The Examples
Michał Czeraszkiewicz
 
Basic commands of linux
Basic commands of linuxBasic commands of linux
Basic commands of linux
shravan saini
 
Linux basic commands with examples
Linux basic commands with examplesLinux basic commands with examples
Linux basic commands with examples
abclearnn
 
Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조
Seung-Hoon Baek
 
Ansible
AnsibleAnsible
Ansible
Kamil Lelonek
 
pfSense presentation
pfSense presentationpfSense presentation
pfSense presentation
Simon Vass
 
Linux and DNS Server
Linux and DNS ServerLinux and DNS Server
Linux and DNS Server
Prabhakar Thota
 
Ansible Introduction
Ansible Introduction Ansible Introduction
Ansible Introduction
Robert Reiz
 
Automation with ansible
Automation with ansibleAutomation with ansible
Automation with ansible
Khizer Naeem
 
Introduction to ansible
Introduction to ansibleIntroduction to ansible
Introduction to ansible
Omid Vahdaty
 
DevOps Meetup ansible
DevOps Meetup ansibleDevOps Meetup ansible
DevOps Meetup ansible
sriram_rajan
 
Sa1 chapter-5-managing-local-linux-users-and-groups-v2 (4)
Sa1 chapter-5-managing-local-linux-users-and-groups-v2 (4)Sa1 chapter-5-managing-local-linux-users-and-groups-v2 (4)
Sa1 chapter-5-managing-local-linux-users-and-groups-v2 (4)
Chinthaka Deshapriya (RHCA)
 
[OpenInfra Days Korea 2018] (Track 3) Zuul v3 - OpenStack 인프라 코드로 CI/CD 살펴보기
[OpenInfra Days Korea 2018] (Track 3) Zuul v3 - OpenStack 인프라 코드로 CI/CD 살펴보기[OpenInfra Days Korea 2018] (Track 3) Zuul v3 - OpenStack 인프라 코드로 CI/CD 살펴보기
[OpenInfra Days Korea 2018] (Track 3) Zuul v3 - OpenStack 인프라 코드로 CI/CD 살펴보기
OpenStack Korea Community
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
Thomas Graf
 
macvlan and ipvlan
macvlan and ipvlanmacvlan and ipvlan
macvlan and ipvlan
Suraj Deshmukh
 
TACACS Protocol
TACACS ProtocolTACACS Protocol
TACACS Protocol
Netwax Lab
 

Viewers also liked (20)

SSH - Secure Shell
SSH - Secure ShellSSH - Secure Shell
SSH - Secure Shell
Peter R. Egli
 
Introduction to SSH
Introduction to SSHIntroduction to SSH
Introduction to SSH
Hemant Shah
 
SSH
SSHSSH
SSH
Zach Dennis
 
Secure shell ppt
Secure shell pptSecure shell ppt
Secure shell ppt
sravya raju
 
Secure shell protocol
Secure shell protocolSecure shell protocol
Secure shell protocol
Baspally Sai Anirudh
 
Secure Shell(ssh)
Secure Shell(ssh)Secure Shell(ssh)
Secure Shell(ssh)
Pina Parmar
 
Secure shell
Secure shellSecure shell
Secure shell
Arjun Aj
 
Install SSH Server on Windows 2008 R2
Install SSH Server on Windows 2008 R2Install SSH Server on Windows 2008 R2
Install SSH Server on Windows 2008 R2
VCP Muthukrishna
 
Ssh and sshfp dns records v04
Ssh and sshfp dns records v04Ssh and sshfp dns records v04
Ssh and sshfp dns records v04
Bob Novas
 
How to send files to remote server via ssh in php
How to send files to remote server via ssh in phpHow to send files to remote server via ssh in php
How to send files to remote server via ssh in php
Andolasoft Inc
 
Ch22
Ch22Ch22
Ch22
tejindershami
 
Telnet & SSH
Telnet & SSH Telnet & SSH
Telnet & SSH
NetProtocol Xpert
 
Team 5 presentation
Team 5 presentationTeam 5 presentation
Team 5 presentation
rob420
 
Protocolos; SNMP, TELNET, SSH
Protocolos; SNMP, TELNET, SSHProtocolos; SNMP, TELNET, SSH
Protocolos; SNMP, TELNET, SSH
Petterson Castro
 
Ch11
Ch11Ch11
Ch11
tejindershami
 
Lecture 7 -_ftp,_tftp,_telnet_and_ssh
Lecture 7 -_ftp,_tftp,_telnet_and_sshLecture 7 -_ftp,_tftp,_telnet_and_ssh
Lecture 7 -_ftp,_tftp,_telnet_and_ssh
Serious_SamSoul
 
Electronic mail
Electronic mailElectronic mail
Electronic mail
Harhar Caparida
 
Telnet
TelnetTelnet
Telnet
Odair Soares
 
Chap 19 ftp & tftp
Chap 19 ftp & tftpChap 19 ftp & tftp
Chap 19 ftp & tftp
Noctorous Jamal
 
Ch13
Ch13Ch13
Ch13
tejindershami
 
SSH - Secure Shell
SSH - Secure ShellSSH - Secure Shell
SSH - Secure Shell
Peter R. Egli
 
Introduction to SSH
Introduction to SSHIntroduction to SSH
Introduction to SSH
Hemant Shah
 
SSH
SSHSSH
SSH
Zach Dennis
 
Secure shell ppt
Secure shell pptSecure shell ppt
Secure shell ppt
sravya raju
 
Secure shell protocol
Secure shell protocolSecure shell protocol
Secure shell protocol
Baspally Sai Anirudh
 
Secure Shell(ssh)
Secure Shell(ssh)Secure Shell(ssh)
Secure Shell(ssh)
Pina Parmar
 
Secure shell
Secure shellSecure shell
Secure shell
Arjun Aj
 
Install SSH Server on Windows 2008 R2
Install SSH Server on Windows 2008 R2Install SSH Server on Windows 2008 R2
Install SSH Server on Windows 2008 R2
VCP Muthukrishna
 
Ssh and sshfp dns records v04
Ssh and sshfp dns records v04Ssh and sshfp dns records v04
Ssh and sshfp dns records v04
Bob Novas
 
How to send files to remote server via ssh in php
How to send files to remote server via ssh in phpHow to send files to remote server via ssh in php
How to send files to remote server via ssh in php
Andolasoft Inc
 
Ch22
Ch22Ch22
Ch22
tejindershami
 
Telnet & SSH
Telnet & SSH Telnet & SSH
Telnet & SSH
NetProtocol Xpert
 
Team 5 presentation
Team 5 presentationTeam 5 presentation
Team 5 presentation
rob420
 
Protocolos; SNMP, TELNET, SSH
Protocolos; SNMP, TELNET, SSHProtocolos; SNMP, TELNET, SSH
Protocolos; SNMP, TELNET, SSH
Petterson Castro
 
Ch11
Ch11Ch11
Ch11
tejindershami
 
Lecture 7 -_ftp,_tftp,_telnet_and_ssh
Lecture 7 -_ftp,_tftp,_telnet_and_sshLecture 7 -_ftp,_tftp,_telnet_and_ssh
Lecture 7 -_ftp,_tftp,_telnet_and_ssh
Serious_SamSoul
 
Electronic mail
Electronic mailElectronic mail
Electronic mail
Harhar Caparida
 
Telnet
TelnetTelnet
Telnet
Odair Soares
 
Chap 19 ftp & tftp
Chap 19 ftp & tftpChap 19 ftp & tftp
Chap 19 ftp & tftp
Noctorous Jamal
 
Ch13
Ch13Ch13
Ch13
tejindershami
 
Ad

Similar to An introduction to SSH (20)

tutorial-ssh.pdf
tutorial-ssh.pdftutorial-ssh.pdf
tutorial-ssh.pdf
NigussMehari4
 
SSH.pdf
SSH.pdfSSH.pdf
SSH.pdf
AnisSalhi3
 
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform EnviornmentNagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
Nagios
 
Ssh
SshSsh
Ssh
gh02
 
OpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeOpenSSH: keep your secrets safe
OpenSSH: keep your secrets safe
Giovanni Bechis
 
Unit 13 network client
Unit 13 network clientUnit 13 network client
Unit 13 network client
root_fibo
 
Ssh cookbook
Ssh cookbookSsh cookbook
Ssh cookbook
Jean-Marie Renouard
 
Ssh cookbook v2
Ssh cookbook v2Ssh cookbook v2
Ssh cookbook v2
Jean-Marie Renouard
 
SSH for pen-testers
SSH for pen-testersSSH for pen-testers
SSH for pen-testers
E D Williams
 
Intro to SSH
Intro to SSHIntro to SSH
Intro to SSH
JP Bourget
 
Windowshadoop
WindowshadoopWindowshadoop
Windowshadoop
arunkumar sadhasivam
 
SSH how to 2011
SSH how to 2011SSH how to 2011
SSH how to 2011
Chris Hales
 
Using Secure Shell on Linux: What Everyone Should Know
Using Secure Shell on Linux: What Everyone Should KnowUsing Secure Shell on Linux: What Everyone Should Know
Using Secure Shell on Linux: What Everyone Should Know
Novell
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
fangjiafu
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
fangjiafu
 
Sshstuff
SshstuffSshstuff
Sshstuff
Matt Rae
 
SSH: Seguranca no Acesso Remoto
SSH: Seguranca no Acesso RemotoSSH: Seguranca no Acesso Remoto
SSH: Seguranca no Acesso Remoto
Tiago Cruz
 
Ssh tunnel
Ssh tunnelSsh tunnel
Ssh tunnel
Amandeep Singh
 
OpenSSH tricks
OpenSSH tricksOpenSSH tricks
OpenSSH tricks
Assem CHELLI
 
Tomáš Čorej - OpenSSH
Tomáš Čorej - OpenSSHTomáš Čorej - OpenSSH
Tomáš Čorej - OpenSSH
webelement
 
tutorial-ssh.pdf
tutorial-ssh.pdftutorial-ssh.pdf
tutorial-ssh.pdf
NigussMehari4
 
SSH.pdf
SSH.pdfSSH.pdf
SSH.pdf
AnisSalhi3
 
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform EnviornmentNagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
Nagios
 
Ssh
SshSsh
Ssh
gh02
 
OpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeOpenSSH: keep your secrets safe
OpenSSH: keep your secrets safe
Giovanni Bechis
 
Unit 13 network client
Unit 13 network clientUnit 13 network client
Unit 13 network client
root_fibo
 
Ssh cookbook
Ssh cookbookSsh cookbook
Ssh cookbook
Jean-Marie Renouard
 
Ssh cookbook v2
Ssh cookbook v2Ssh cookbook v2
Ssh cookbook v2
Jean-Marie Renouard
 
SSH for pen-testers
SSH for pen-testersSSH for pen-testers
SSH for pen-testers
E D Williams
 
Intro to SSH
Intro to SSHIntro to SSH
Intro to SSH
JP Bourget
 
Windowshadoop
WindowshadoopWindowshadoop
Windowshadoop
arunkumar sadhasivam
 
SSH how to 2011
SSH how to 2011SSH how to 2011
SSH how to 2011
Chris Hales
 
Using Secure Shell on Linux: What Everyone Should Know
Using Secure Shell on Linux: What Everyone Should KnowUsing Secure Shell on Linux: What Everyone Should Know
Using Secure Shell on Linux: What Everyone Should Know
Novell
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
fangjiafu
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
fangjiafu
 
Sshstuff
SshstuffSshstuff
Sshstuff
Matt Rae
 
SSH: Seguranca no Acesso Remoto
SSH: Seguranca no Acesso RemotoSSH: Seguranca no Acesso Remoto
SSH: Seguranca no Acesso Remoto
Tiago Cruz
 
Ssh tunnel
Ssh tunnelSsh tunnel
Ssh tunnel
Amandeep Singh
 
OpenSSH tricks
OpenSSH tricksOpenSSH tricks
OpenSSH tricks
Assem CHELLI
 
Tomáš Čorej - OpenSSH
Tomáš Čorej - OpenSSHTomáš Čorej - OpenSSH
Tomáš Čorej - OpenSSH
webelement
 
Ad

Recently uploaded (20)

Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 

An introduction to SSH

  • 1. An introduction to SSH Lucas Nussbaum [email protected] Licence professionnelle ASRALL Administration de systèmes, réseaux et applications à base de logiciels libres Lucas Nussbaum An introduction to SSH 1 / 26
  • 2. Plan 1 SSH basics SSH 101 Public-key authentication Checking the server’s identity Configuring SSH 2 Advanced usage SSH as a communication layer for applications Access remote filesystems over SSH: sshfs SSH tunnels, X11 forwarding, and SOCKS proxy Jumping through hosts with ProxyCommand Triggering remote command execution securely Escape sequences 3 Conclusions Lucas Nussbaum An introduction to SSH 2 / 26
  • 3. Introduction SSH = Secure SHell Standard network protocol and service (TCP port 22) Many implementations, including: OpenSSH: Linux/Unix, Mac OS X ← this talk, mostly Putty: Windows, client only Dropbear: small systems (routers, embedded) Unix command (ssh); server-side: sshd Establish a secure communication channel between two machines Relies on cryptography Most basic usage: get shell access on a remote machine Many advanced usages: Data transfer (scp, sftp, rsync) Connect to specific services (such as Git or SVN servers) Dig secure tunnels through the public Internet Several authentication schemes: password, public key Lucas Nussbaum An introduction to SSH 3 / 26
  • 4. Basic usage Connecting to a remote server: $ ssh login@remote-server Provides a shell on remote-server Executing a command on a remote server: $ ssh login@remote-server ls /etc Copying data (with scp, similar to cp): $ scp local-file login@remote-serv:remote-directory/ $ scp login@remote-serv:remote-dir/file local-dir/ Usual cp options work, e.g. -r (recursive) Copying data (with rsync, more efficient than scp with many files): $ rsync -avzP localdir login@server:path-to-rem-dir/ Note: trailing slash on source matters with rsync (not with cp) rsync -a dir1 u@h:dir2 dir1 copied inside dir2 rsync -a dir1/ u@h:dir2 content of dir1 copied to dir2 Lucas Nussbaum An introduction to SSH 4 / 26
  • 5. Public-key authentication General idea: Asymmetric cryptography (or public-key cryptography): The public key is used to encrypt something Only the private key can decrypt it User owns a private (secret) key, stored on the local machine The server has the public key corresponding to the private key Authentication = <server> prove that you own that private key! Implementation (challenge-response authentication): 1 Server generates a nonce (random value) 2 Server encrypts the nonce with the Client’s public key 3 Server sends the encrypted nonce (= the challenge) to client 4 Client uses the private key to decrypt the challenge 5 Client sends the nonce (= the response) to the Server 6 Server compares the nonce with the response Lucas Nussbaum An introduction to SSH 5 / 26
  • 6. Public-key authentication (2) Advantages: The password does not need to be sent over the network The private key never leaves the client The process can be automated However, the private key should be protected (what if your laptop gets stolen?) Usually with a passphrase Lucas Nussbaum An introduction to SSH 6 / 26
  • 7. Key-pair generation $ ssh -keygen Generating public/private rsa key pair. Enter file in which to save the key (/home/user/.ssh/id_rsa ): [ENTER] Enter passphrase (empty for no passphrase ): passphrase Enter same passphrase again: passphrase Your identification has been saved in /home/user/.ssh/id_rsa. Your public key has been saved in /home/user/.ssh/id_rsa.pub. The key fingerprint is: f6 :35:53:71:2f:ff :00:73:59:78: ca:2c:7c:ff:89:7b [email protected] The key ’s randomart image is: +--[ RSA 2048]----+ ..o (...) .o +-----------------+ $ Creates the key-pair: ~/.ssh/id_rsa (private key) ~/.ssh/id_rsa.pub (public key) Lucas Nussbaum An introduction to SSH 7 / 26
  • 8. Copying the public key to the server Example public key: ssh-rsa AAAAB3NX[. . . ]hpoR3/PLlXgGcZS4oR [email protected] On the server, ~user/.ssh/authorized_keys contains the list of public keys authorized to connect to the user account The key can be copied manually there Or use ssh-copy-id to automatically copy the key: client$ ssh-copy-id user@server Sometimes the public key needs to be provided using a web interface (e.g. on GitHub, FusionForge, Redmine, etc.) Lucas Nussbaum An introduction to SSH 8 / 26
  • 9. Remembering the passphrase If the private key is not protected with a passphrase, the connection is established immediately: *** login@laptop:~$ ssh rlogin@rhost [ENTER] *** rlogin@rhost:~$ Otherwise, ssh asks for the passphrase: *** login@laptop:~$ ssh rlogin@rhost [ENTER] Enter passphrase for key ’/home/login/id_rsa’: [passphrase+ENTER] *** rlogin@rhost:~$ An SSH agent can be used to remember the passphrase Most desktop environments act as SSH agents automatically One can be started with ssh-agent if needed Add keys manually with ssh-add Lucas Nussbaum An introduction to SSH 9 / 26
  • 10. Checking the server identity: known_hosts Goal: detect hijacked servers What if someone replaced the server to steal passwords? When you connect to a server for the first time, ssh stores the server’s public key in ~/.ssh/known_hosts *** login@laptop:~$ ssh rlogin@server [ENTER] The authenticity of host ’server (10.1.6.2)’ can’t be established. RSA key fingerprint is 94:48:62:18:4b:37:d2:96:67:c9:7f:2f:af:2e:54:a5. Are you sure you want to continue connecting (yes/no)? yes [ENTER] Warning: Permanently added ’server,10.1.6.2’(RSA) to the list of known hosts. rlogin@server’s password: Lucas Nussbaum An introduction to SSH 10 / 26
  • 11. Checking the server identity: known_hosts (2) During each following connection, ssh ensures that the key still matches, and warns the user otherwise *** login@laptop :~$ ssh rlogin@server [ENTER] @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man -in-the -middle attack )! It is also possible that a host key has just been changed. The fingerprint for the RSA key sent by the remote host is e3 :94:03:90:5d:81:ed:bb:d5:d2:f2:de:ba :31:18: d8. Please contact your system administrator. Add correct host key in /home/login/.ssh/known_hosts to get rid of this message. Offending RSA key in /home/login/.ssh/known_hosts :12 RSA host key for server has changed and you have requested strict checking. Host key verification failed. *** login@laptop :~$ Remove a truly outdated key can be removed with ssh-keygen -R server Lucas Nussbaum An introduction to SSH 11 / 26
  • 12. Configuring SSH SSH gets configuration data from: 1 command-line options (-o ...) 2 the user’s configuration file: ~/.ssh/config 3 the system-wide configuration file: /etc/ssh/ssh_config Options are documented in the ssh_config(5) man page ~/.ssh/config contains a list of hosts (with wildcards) For each parameter, the first obtained value is used Host-specific declarations are given near the beginning General defaults at the end Lucas Nussbaum An introduction to SSH 12 / 26
  • 13. Example: ~/.ssh/config Host mail.acme.com User root Host foo # alias/shortcut. ’ssh foo ’ works Hostname very -long -hostname.acme.net Port 2222 Host *.acme.com User jdoe Compression yes # default is no PasswordAuthentication no # only use public key ServerAliveInternal 60 # keep -alives for bad firewall Host * User john Note: bash-completion can auto-complete using ssh_config hosts Lucas Nussbaum An introduction to SSH 13 / 26
  • 14. Plan 1 SSH basics SSH 101 Public-key authentication Checking the server’s identity Configuring SSH 2 Advanced usage SSH as a communication layer for applications Access remote filesystems over SSH: sshfs SSH tunnels, X11 forwarding, and SOCKS proxy Jumping through hosts with ProxyCommand Triggering remote command execution securely Escape sequences 3 Conclusions Lucas Nussbaum An introduction to SSH 14 / 26
  • 15. SSH as a communication layer for applications Several applications use SSH as their communication layer Sometimes also authentication layer scp, sftp, rsync (data transfer) unison (synchronization) Subversion: svn checkout svn+ssh://user@rhost/path/to/repo Git: git clone ssh://[email protected]/path-to/repository.git Or: git clone [email protected]:path-to/repository.git Lucas Nussbaum An introduction to SSH 15 / 26
  • 16. Access remote filesystems over SSH: sshfs sshfs: FUSE-based solution to access remote machines Ideal for remote file editing with a GUI, copying small amounts of data, etc. Mount a remote directory: sshfs root@server:/etc /tmp/local-mountpoint Unmount: fusermount -u /tmp/local-mountpoint Combine with afuse to auto-mount any machine: afuse -o mount_template="sshfs %r:/ %m" -o unmount_template="fusermount -u -z %m" ~/.sshfs/ cd ~/.sshfs/rhost/etc/ssh Lucas Nussbaum An introduction to SSH 16 / 26
  • 17. SSH tunnels with -L and -R Goal: transport traffic through a secure connection Work-around network filtering (firewalls) Avoid sending unencrypted data on the Internet But only works for TCP connections -L: access a remote service behind a firewall (Intranet server) ssh -L 12345:service:1234 server Still on Client: telnet localhost 12345 Server establishes a TCP connection to Service, port 1234 The traffic is tunnelled inside the SSH connection to Server Client Server TCP Service on port 1234 Internet Private network Lucas Nussbaum An introduction to SSH 17 / 26
  • 18. SSH tunnels with -L and -R Goal: transport traffic through a secure connection Work-around network filtering (firewalls) Avoid sending unencrypted data on the Internet But only works for TCP connections -L: access a remote service behind a firewall (Intranet server) ssh -L 12345:service:1234 server Still on Client: telnet localhost 12345 Server establishes a TCP connection to Service, port 1234 The traffic is tunnelled inside the SSH connection to Server Client Server TCP Service on port 1234 Internet Private network Lucas Nussbaum An introduction to SSH 17 / 26
  • 19. SSH tunnels with -L and -R -R: provide remote access to a local private service ssh -R 12345:service:1234 server On Server: telnet localhost 12345 Client establishes a TCP connection to Service, port 1234 The traffic is tunnelled inside the SSH connection to Client Client Server TCP Service on port 1234 Private network Internet Note: SSH tunnels don’t work very well for HTTP, because IP+port are not enough to identify a website (Host: HTTP header) Lucas Nussbaum An introduction to SSH 18 / 26
  • 20. SSH tunnels with -L and -R -R: provide remote access to a local private service ssh -R 12345:service:1234 server On Server: telnet localhost 12345 Client establishes a TCP connection to Service, port 1234 The traffic is tunnelled inside the SSH connection to Client Client Server TCP Service on port 1234 Private network Internet Note: SSH tunnels don’t work very well for HTTP, because IP+port are not enough to identify a website (Host: HTTP header) Lucas Nussbaum An introduction to SSH 18 / 26
  • 21. X11 forwarding with -X: GUI apps over SSH Run a graphical application on a remote machine, display locally Similar to VNC, but on a per-application basis ssh -X server $DISPLAY will be set by SSH on the server: $ echo $DISPLAY localhost:10.0 Then start GUI applications on server (e.g. xeyes) Troubleshooting: xauth must be installed on the remote machine The local Xorg server must allow TCP connections pgrep -a Xorg -nolisten must not be included Can be configured in your login manager Does not work very well over slow or high-latency connections Lucas Nussbaum An introduction to SSH 19 / 26
  • 22. SOCKS proxy with -D SOCKS: protocol to proxy TCP connections via a remote machine SSH can act as a SOCKS server: ssh -D 1080 server Use case similar to tunnelling with -L, but more flexible Set up the proxy once, use for multiple connections Usage: Manual: configure applications to use the SOCKS proxy Transparent: use tsocks to re-route connections via SOCKS $ cat /etc/tsocks.conf server = 127.0.0.1 server_type = 5 server_port = 1080 # then start ssh with -D 1080 $ tsocks pidgin # tunnel application through socks Lucas Nussbaum An introduction to SSH 20 / 26
  • 23. Jumping through hosts with ProxyCommand Client Server Server2 on private network Private networkInternet Problem: to connect to Server2, you need to connect to Server Can you do that in a single step? (required for data transfer, tunnels, X11 forwarding) Combines two SSH features: ProxyCommand option: command used to connect to host; connection available on standard input & output ssh -W host:port establish a TCP connection, provide it on standard input & output (suitable for ProxyCommand) Lucas Nussbaum An introduction to SSH 21 / 26
  • 24. Jumping through hosts with ProxyCommand (2) Example configuration: Host server2 # ssh server2 works ProxyCommand ssh -W server2 :22 server Also works with wildcards Host *.priv # ssh host1.priv works ProxyCommand ssh -W $(basename %h .priv ):%p server -W only available since OpenSSH 5.4 (circa 2010), but the same can be achieved with netcat: Host *.priv ProxyCommand ssh serv nc -q 0 $(basename %h .priv) %p Similar solution to connect via a proxy: SOCKS: connect-proxy -4 -S myproxy:1080 rhost 22 HTTP (with CONNECT): corkscrew myproxy 1080 rhost 22 When CONNECT requests are forbidden, set up httptunnel on a remote server, and use htc and hts Lucas Nussbaum An introduction to SSH 22 / 26
  • 25. Triggering remote command execution securely Goal: notify Server2 that something finished on Server1 But Server1 must not have full shell access on Server2 Method: limit to a single command in authorized_keys Also known as SSH triggers Example authorized_keys on Server2: from=" server1.acme.com",command ="tar czf - /home",no-pty , no-port -forwarding ssh -rsa AAAA [...]oR [email protected] Lucas Nussbaum An introduction to SSH 23 / 26
  • 26. Escape sequences Goal: interact with an already established SSH connection Add tunnels or SOCKS proxy, kill unresponsive connection Escape sequences start with ’~’, at the beginning of a line So press [enter], then ~, then e.g. ’?’ Main sequences (others documented in ssh(1)): ~. – disconnect (for unresponsive connections) ~? – show the list of escape sequences ~C – open SSH command-line. e.g. ~C -D 1080 ~& – logout and background SSH while waiting for forwarded connections or X11 sessions to terminate Lucas Nussbaum An introduction to SSH 24 / 26
  • 27. Plan 1 SSH basics SSH 101 Public-key authentication Checking the server’s identity Configuring SSH 2 Advanced usage SSH as a communication layer for applications Access remote filesystems over SSH: sshfs SSH tunnels, X11 forwarding, and SOCKS proxy Jumping through hosts with ProxyCommand Triggering remote command execution securely Escape sequences 3 Conclusions Lucas Nussbaum An introduction to SSH 25 / 26
  • 28. Conclusions The Swiss-army knife of remote administration Very powerful tool, many useful features Practical session: test everything mentioned in this presentation Other topics not covered in this presentation: Built-in support for VPN Other authentication methods (certificates) Managing long executions on a remote machine with screen or tmux Mosh, an SSH alternative suited for Wi-Fi, cellular and long distance links Lucas Nussbaum An introduction to SSH 26 / 26