The Secure Shell (ssh)

The Secure Shell (ssh) enables users to securely access a remote system over an unsecure network. You’ll use the secure shell to do the following:

  • Log into a remote system (ssh).

  • Copy files over the network between hosts (scp).

  • Run commands on a remote host (sftp).

Before the secure shell was available, remote connections were—and still can be—handled via rlogin, rsh, and rcp. These commands create unsecure connections and are prone to security risks.

With the secure shell, you establish communication between two hosts on an unsecure network. The two hosts are referred to as the client (the host requesting the connection) and the server (the host you are connecting to). The secure shell daemon, sshd, starts up on each host at system boot when the /etc/init.d/sshd script is run. The sshd daemon listens for connections, and the daemon handles the encrypted authentication exchange between both hosts. When authentication is complete, the user can execute commands and copy files remotely.

The sshd on the client side is controlled by keywords in the /etc/ssh/sshd_config file and by sshd options used when the daemon was started. The sshd_config file controls which types of authentication are permitted for accessing the server. Optionally, a user can also provide sshd settings in his own $HOME/ssh/.config file.

The sshd on the server side is controlled by keywords in the /etc/ssh/sshd_config file, which is controlled by the system administrator.

Before you can use the secure shell, you must create a public/private key pair using the ssh-keygen command. The public/private key pair is stored in the user’s home directory under the .ssh subdirectory and is required to complete the authentication process. The client maintains the private key, and the server is provided with the public key that is needed to complete authentication. Public key authentication is a stronger type of authentication than the typical password authentication because the private key never travels over the network. To create the public/private key, type this line:

ssh-keygen 

The system responds with this:

Enter file in which to save the key(/export/home/bcalkins/.ssh/id_rsa): 

Press Enter. The system responds with this:

Created directory '/export/home/bcalkins/.ssh'. 
Generating public/private rsa key pair. 
Enter passphrase(empty for no passphrase): 

This passphrase is used for encrypting your private key. A good passphrase is 10–30 characters long, mixes alphabetic and numeric characters, and avoids simple English prose and English names. A carriage return entry means that no passphrase is used and is strongly discouraged for user accounts. The passphrase is not displayed when you type it in.

Enter same passphrase again: 

Enter the passphrase again to confirm it. The system responds with this:

Your identification has been saved in /export/home/bcalkins/.ssh/id_rsa. 
Your public key has been saved in /export/home/bcalkins/.ssh/id_rsa.pub. 
The key fingerprint is: 
md5 1024 90:39:24:41:4d:f2:3b:6e:8f:83:86:f9:f7:20:0c:d5 bcalkins@zeus 

The key fingerprint is displayed as a colon-separated series of two-digit hexadecimal values. Check that the path to the key is correct. In the example, the path is /export/home/bcalkins/.ssh/id_rsa.pub. At this point, you have created a public/private key pair. Now you either copy the public key and append the key to the $HOME/.ssh/authorized_keys file in your home directory on the remote host, or you run the ssh-keygen command on the remote host, as I’ve already described.
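
One way to perform the append step on the remote host, once id_rsa.pub has been copied there. This is an added example, not part of the original text; the function name install_pubkey and its two arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: append a public key to authorized_keys with safe permissions.
# Usage (hypothetical): install_pubkey /tmp/id_rsa.pub "$HOME"
install_pubkey() {
    pubkey_file=$1
    target_home=$2
    ssh_dir="$target_home/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # A public key file is exactly one line: "<type> <base64-blob> [comment]".
    # Refuse anything else so a private key (id_rsa) is never appended by mistake.
    if [ "$(grep -c '' "$pubkey_file")" -ne 1 ]; then
        echo "install_pubkey: expected a single key line" >&2
        return 1
    fi
    key_line=$(cat "$pubkey_file")
    case $key_line in
        ssh-rsa\ AAAA*|ssh-dss\ AAAA*) ;;   # key types of this era; extend as needed
        *) echo "install_pubkey: not a public key line" >&2; return 1 ;;
    esac

    # With StrictModes enabled in sshd_config (the OpenSSH default), sshd refuses
    # keys kept in a directory or file that users other than the owner can write to.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Idempotent: do not add the same key twice.
    if grep -qxF -- "$key_line" "$auth_file"; then
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}
```

Only the .pub file ever leaves the client; the private key id_rsa stays where ssh-keygen wrote it.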

When the public/private key pair has been created on both the local and the remote systems, you can start using the secure shell to log into the remote system by typing this line:

ssh hostname
					

hostname is the name of the host that you want to connect to.

The first time you run ssh, you’re prompted with questions regarding the authenticity of the remote host, as follows:

ssh 192.168.0.252 

The system responds with this:

The authenticity of host '192.168.0.252' can't be established. 
 RSA key fingerprint in md5 is: 78:28:11:cb:41:81:a2:73:50:5a:d4:49:bb:12:85:03 
 Are you sure you want to continue connecting(yes/no)? yes
					


Enter yes. The system responds with this:

Warning: Permanently added '192.168.0.252' (RSA) to the list of known hosts. 
Enter passphrase for key '/export/home/bcalkins/.ssh/id_rsa': 

Enter your passphrase. The system responds with this:

[email protected]'s password: 

Enter the user login password. You then are logged into the remote host.

Sun Microsystems Inc.   SunOS 5.9       Generic May 
$ 
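
The host-key prompt shown above is the one point where the server's identity can be checked, so the fingerprint should be compared with one obtained from the server's administrator before answering yes. The following added example (not from the original text) computes the MD5 fingerprint in the colon-separated form the prompt uses and compares it; the function names and the constructed sample key in the comments are assumptions, and the server's host public key is assumed to be available as a line of text (commonly from /etc/ssh/ssh_host_rsa_key.pub).

```shell
#!/bin/sh
# Added example: compute and compare an MD5 host-key fingerprint.
# Requires base64 and md5sum (GNU coreutils).

# md5_fingerprint "KEYLINE"
# KEYLINE is a public key line ("ssh-rsa AAAA... comment") or an unhashed
# known_hosts line ("host ssh-rsa AAAA..."). Prints e.g. 78:28:11:...:03
md5_fingerprint() {
    # The key blob is the first field that starts with base64 "AAAA".
    blob=$(printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^AAAA/) { print $i; exit } }')
    [ -n "$blob" ] || return 1

    # Reject blobs that do not decode, rather than hashing partial output.
    printf '%s' "$blob" | base64 -d >/dev/null 2>&1 || return 1

    # The fingerprint is the MD5 of the decoded blob, as colon-separated hex pairs.
    printf '%s' "$blob" | base64 -d | md5sum |
        awk '{ print $1 }' | sed 's/../&:/g; s/:$//'
}

# check_host_key "KEYLINE" "EXPECTED_FINGERPRINT"
# Returns 0 on match, 1 on mismatch, 2 if the key line cannot be parsed.
check_host_key() {
    actual=$(md5_fingerprint "$1") || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Example call with a constructed (not real) key line:
#   check_host_key "192.168.0.252 ssh-rsa AAAAB3Nza..." \
#       "78:28:11:cb:41:81:a2:73:50:5a:d4:49:bb:12:85:03" || echo "DO NOT CONNECT"
```

A mismatch means the key presented on the network is not the one the administrator published, and the connection should be refused until the difference is explained.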

To copy files using the secure shell, start the secure copy program by typing this line:

scp sourcefile username@hostname:/destinationdir
					

Where:

  • sourcefile is the name of the local file that you want to copy.

  • username is the username on the remote host that you want to connect as.

  • hostname is the name of the remote system that the file will be copied to.

  • destinationdir is the name of the directory on the remote host that you will copy the file to.

Type the secure passphrase when prompted. The system responds by displaying this:

  • The filename

  • The percentage of the file transferred as it is being copied

  • The quantity of data transferred as it is being transferred

  • The estimated time of arrival (ETA), the time at which the entire file will have been copied to the remote directory

In this example, I’ll copy the file named file1 to bcalkins’s home directory on the remote host:

scp file1 [email protected]:~ 

The system responds with this:

Enter passphrase for key '/export/home/bcalkins/.ssh/id_rsa': 

Enter your passphrase. The system responds with this:

[email protected]'s password: 

Enter the user login password. You then are logged into the remote host.

file1  100%  |*************************************| 12540  0:00 

For more information on using the secure shell, refer to the ssh and sshd man pages.
