Posted on 12/19/2019 8:05:28 AM PST by ShadowAce
Secure Shell (SSH) is a cryptographic network protocol used for an encrypted connection between a client and a server. The ssh client creates a secure connection to the SSH server on a remote machine. The encrypted connection can be used to execute commands on the server, X11 tunneling, port forwarding, and more.
There are a number of SSH clients available both free and commercial, with OpenSSH being the most widely used client. It is available on all major platforms, including Linux, OpenBSD, Windows, macOS and others.
In this article, we will explain how to use the OpenSSH command-line client (ssh
) to login to a remote machine and run commands or perform other operations.
The OpenSSH client program is called ssh
and can be invoked from the terminal. The OpenSSH client package also provides other SSH utilities such as scp
and sftp
that are installed alongside the ssh
command.
OpenSSH client is preinstalled on most Linux distributions by default. If your system doesn't have the ssh client installed, you can install it using the package manager of your distribution.
sudo apt update
sudo apt install openssh-client
sudo dnf install openssh-clients
Most Windows users are using Putty to connect to a remote machine over SSH. However, the latest versions of Windows 10 include an OpenSSH client and server. Both packages can be installed via the GUI or PowerShell.
To find the exact name of the OpenSSH package, type the following command:
Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'
The command should return something like this:
Name : OpenSSH.Client~~~~0.0.1.0
State : NotPresent
Name : OpenSSH.Server~~~~0.0.1.0
State : NotPresent
Once you know the package name install it by running:
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
On success the output will look something like this:
Path :
Online : True
RestartNeeded : False
macOS ships with the OpenSSH client installed by default.
ssh
CommandThe following requirements must be met to be able to login into a remote machine via SSH:
The basic syntax of the ssh
command is as follows:
ssh [OPTIONS] [USER@]:HOST
To use the ssh
command open your Terminal or PowerShell and type ssh
followed by the remote hostname:
ssh ssh.linuxize.com
When you connect to a remote machine through SSH for the first time, you will see a message like below.
The authenticity of host 'ssh.linuxize.com (192.168.121.111)' can't be established.
ECDSA key fingerprint is SHA256:Vybt22mVXuNuB5unE++yowF7lgA/9/2bLSiO3qmYWBY.
Are you sure you want to continue connecting (yes/no)?
Each host has a unique fingerprint that is stored in the ~/.ssh/known_hosts
file.
yes
to store the remote fingerprint, and youll be prompted to enter your password.
Warning: Permanently added 'ssh.linuxize.com' (ECDSA) to the list of known hosts.
dev@ssh.linuxize.com's password:
Once you enter the password, you will be logged into the remote machine.
When the username is not given, the ssh
command uses the current system login name.
To log in as a different user, specify the username and the host in the following format:
ssh username@hostname
The username can also be specified with the -l
option:
ssh -l username hostname
By default, when no port is given, the SSH client will try to connect to the remote server on port 22. On some servers, administrators are changing the default SSH port to add an extra layer of security to the server by reducing the risk of automated attacks.
To connect on a non-default port, use the -p
option to specify the port:
ssh -p 5522 username@hostname
If you are experiencing authentication or connection issues, use the -v
option to tell ssh
to print debugging messages:
ssh -v username@hostname
To increase the level of verbosity, use -vv
or -vvv
.
The ssh
command accepts a number of options.
For a complete list of all options read the ssh
man page by typing man ssh
in your terminal.
If you are connecting to multiple remote systems over SSH on a daily basis, you'll find that remembering all of the remote IP addresses, different usernames, non-standard ports, and various command-line options is difficult, if not impossible.
The OpenSSH client reads the options set in the per-user configuration file (~/.ssh/config
). In this file, you can store different SSH options for each remote machine you connect to.
A sample SSH config is shown below:
Host dev
HostName dev.linuxize.com
User mike
Port 4422
When you invoke the ssh client by typing ssh dev
the command will read the ~/.ssh/config
file and use the connection details that are specified for the dev host. In this example, ssh dev
is equivalent to the following:
ssh -p 4422 mike@dev.linuxize.com
For more information, check the article on SSH config file.
The SSH protocol supports various authentication mechanisms.
The public key-based authentication mechanism allows you to log in to the remote server without having to type your password.
This method works by generating a pair of cryptographic keys that are used for authentication. The private key is stored on the client device, and the public key is transferred to each remote server that you want to log in. The remote server must be configured to accept key authentication.
If you already don't have SSH key pair on your local machine you can generate one by typing:
ssh-keygen -t rsa -b 4096 -C "your_email@domain.com"
You will be asked to type a secure passphrase. Whether you want to use passphrase it's up to you.
Once you have your key pair, copy the public key to the remote server:
ssh-copy-id username@hostname
Enter the remote user password, and the public key will be appended to the remote user authorized_keys
file.
Once the key is uploaded, you can log in to the remote server without being prompted for a password.
By setting a key-based authentication, you can simplify the login process and increase the overall server security.
SSH tunneling or SSH port forwarding is a method of creating an encrypted SSH connection between a client and a server machine through which services ports can be relayed.
SSH forwarding is useful for transporting network data of services that use an unencrypted protocol, such as VNC or FTP, accessing geo-restricted content or bypassing intermediate firewalls. Basically, you can forward any TCP port and tunnel the traffic over a secure SSH connection.
There are three types of SSH port forwarding:
Local port forwarding allows you to forward a connection from the client host to the SSH server host and then to the destination host port.
To create a local port forwarding pass the -L
option to the ssh
client:
ssh -L [LOCAL_IP:]LOCAL_PORT:DESTINATION_HOST:DESTINATION_PORT -N -f username@hostname
The -f option tells the ssh
command to run in the background and -N
not to execute a remote command.
Remote port forwarding is the opposite of local port forwarding. It forwards a port from the server host to the client host and then to the destination host port.
The -L
option tells ssh
to create a remote port forwarding:
ssh -R [REMOTE:]REMOTE_PORT:DESTINATION:DESTINATION_PORT -N -f username@hostname
Dynamic port forwarding creates a SOCKS proxy server that allows communication across a range of ports.
To create a dynamic port forwarding (SOCKS) pass the -D
option to the ssh client:
ssh -R [LOCAL_IP:]LOCAL_PORT -N -f username@hostname
For more detailed information and step-by-step instruction, check the article on How to Set up SSH Tunneling (Port Forwarding) .
Tech Ping
Rule 1 - never use passwords. Don’t even think about it. Use the public key encryption option.
In layman terms what is/are the benefits of using SSH?
I manage a couple of thousand linux servers. They all are located in the datacenter several floors below me. In order to manage any single one, I need to log in.
With SSH, I can do that from my desk, without ever having to actually go the physical server.
So this is not something that a plain user would find a real reason to use it, is that an accurate statement? Or is there a reason the average computer user would see a need for this knowledge? 8>)
However, I have posted threads aimed at some of the IT professionals among us in the past. This is one of those.
Groovy! I use Putty quite a bit, so it’s nice to have another option.
In addition to PKI encrypted communications for login sessions there is the scp command which enables you to copy entire file hierarchies from one machine to others with a single command and the use of shell meta characters.
There is also the ability to create encrypted “tunnels” for data stream end points with ssh and so much more.
https://linux.die.net/man/1/ssh
One of the best things Microsoft did in Windows 10 was include the SSH client, and make the server available for installation. Finally, Windows stumbles into the 1990’s.
I used to use port forwarding a lot, mostly to get around firewalls and stuff. It was very cool. Still use SSH daily. It’s a powerful tool. I’d recommend changing that command above to generate a key to use DSA. RSA is pretty much deprecated these days.
Rsync is insanely powerful and efficient. Love, love love it. Makes my life easier when I need to replicate data from one host to another. Since it uses ssh, it's secure, and can also compress to reduce transmission times, among other things.
Thank you for this. I couldn’t figure out how to change the username when using powershell to SSH into my Cisco equipment. I just wanted to use radius auth.
Yup. Good stuff.
Merry Christmas!
(Hmmm ... any chance you could sneak a F@H client onto a few thousand of those servers? Not like they are doing anything except waiting for the next cryptocurrency hijack ... not that anyone could get past your superb security :)
SecureCRT allows you to change the background of a terminal session which is nice if you have multiple servers and you don’t want to confuse them
Ace scares the heck out of the average user with these. lol
I appreciate them very much though, I have learned quite a bit from them.
It doesn’t scare me, I was just wondering if there was ever a need for just plain old users of computers, or even someone like me who is an old mainframe person, what it might be used for if we were not PC oriented. I mean I know PC’s better than most perhaps but I was trying to figure out how I might use the knowledge. 8>)
The mainframe is back, sort of, but it's called the cloud now. You'd use ssh to connect to the cloud server's Linux command prompt, and it's also the gold standard for secure file transfers. It's not flashy software but it's stable and high quality with very few bugs. It's a must learn for cloud computing.
Thanks for the info though. 8>)
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.