SSH Essentials Guide

The most common way of connecting to a remote Linux server is through SSH.

SSH stands for Secure Shell and provides a safe and secure way of executing commands, making changes, and configuring services remotely. When you connect through SSH, you log in using an account that exists on the remote server

How SSH Works

When you connect through SSH, you will be dropped into a shell session, which is a text-based interface where you can interact with your server.

For the duration of your SSH session, any commands that you type into your local terminal are sent through an encrypted SSH tunnel and executed on your server.

The SSH connection is implemented using a client-server model.

This means that for an SSH connection to be established, the remote machine must be running a piece of software called an SSH daemon.

This software listens for connections on a specific network port, authenticates connection requests, and spawns the appropriate environment if the user provides the correct credentials.

The user’s computer must have an SSH client.

This is a piece of software that knows how to communicate using the SSH protocol and can be given information about the remote host to connect to, the username to use, and the credentials that should be passed to authenticate. The client can also specify certain details about the connection type they would like to establish.

How SSH Authenticates Users

Clients generally authenticate either using passwords (less secure and not recommended) or SSH keys, which are very secure.

Password logins are encrypted and are easy to understand for new users.

However, automated bots and malicious users will often repeatedly try to authenticate to accounts that allow password-based logins, which can lead to security compromises.

For this reason, we recommend always setting up SSH key-based authentication for most configurations.

SSH keys are a matching set of cryptographic keys which can be used for authentication. Each set contains a public and a private key. The public key can be shared freely without concern, while the private key must be vigilantly guarded and never exposed to anyone.

To authenticate using SSH keys, a user must have an SSH key pair on their local computer.

On the remote server, the public key must be copied to a file within the user’s home directory at ~/.ssh/authorized_keys.

This file contains a list of public keys, one-per-line, that are authorized to log into this account.

When a client connects to the host, wishing to use SSH key authentication, it will inform the server of this intent and will tell the server which public key to use.

The server then checks its authorized_keys file for the public key, generates a random string, and encrypts it using the public key.

This encrypted message can only be decrypted with the associated private key. The server will send this encrypted message to the client to test whether they actually have the associated private key.

Upon receipt of this message, the client will decrypt it using the private key and combine the random string that is revealed with a previously negotiated session ID.

It then generates an MD5 hash of this value and transmits it back to the server. The server already had the original message and the session ID, so it can compare an MD5 hash generated by those values and determine that the client must have the private key.

Naming SSH Keys

By default, the SSH key generation process names keys as id_rsa for the private key and id_rsa.pub for the public key.

However, when dealing with multiple keys, it’s beneficial to use descriptive names that reflect their purpose or the server they connect to. Here’s how you can do that:

Generate Keys with Custom Names

When generating a new key pair, you can specify a filename by using the -f option with ssh-keygen.

For example, to create a key pair for accessing your GitHub account:

ssh-keygen -t rsa -b 4096 -f ~/.ssh/github_rsa

This command generates a private key named github_rsa and a public key named github_rsa.pub in your ~/.ssh directory.

Specify the Key When Using SSH

When connecting to a remote server, use the -i option to specify which private key the SSH client should use. For example:

ssh -i ~/.ssh/github_rsa username@hostname

Configuring SSH for Automatic Key Selection

You can simplify SSH connections by setting up a config file in your ~/.ssh directory.

This allows SSH to automatically select the appropriate key based on the hostname. Here’s how you can set this up:

Create or edit your SSH config file:

nano ~/.ssh/config

Add a host block for each server or service, specifying which key to use:

Host github.com
    HostName github.com
    User git
    IdentityFile ~/.ssh/github_rsa
    IdentitiesOnly yes

• This configuration tells SSH to use the github_rsa key when connecting to github.com under the user git.

Permission Settings for Keys

• Private Key: Should have permissions set to 600 to ensure that only the owner can read and write the file, preventing other users from accessing it.

chmod 600 ~/.ssh/github_rsa

• Public Key: Can have permissions set to 644, allowing others to read but not modify it. This is safe because public keys can be shared without compromising the private key.

chmod 644 ~/.ssh/github_rsa.pub

Best Practices

• Passphrase Protection: Always use a strong passphrase when generating SSH keys. This adds an additional layer of encryption to your private key, protecting it even if it is somehow accessed by unauthorized users.

• Backup and Security: Regularly back up your SSH keys to a secure location and use tools like SSH agents to manage keys securely in memory when in use.

By following these steps and recommendations, you can effectively manage multiple SSH keys, ensuring each connection is securely and conveniently handled.