A quick guide to ssh
1 What is ssh?
ssh is a standard protocol (with many different software implementations) for interacting with computers over a network in an encrypted session. Using ssh protects your communications with a remote computer from eavesdroppers and provides methods for reliably authenticating computers and users.
2 Features of ssh
2.1 session encryption
- all communication (after session negotiation) is encrypted
- protocol is conceptually similar to (but not the same as) SSL/TLS
- protects usernames, passwords and other sensitive data from collection by network eavesdroppers
2.2 host authentication
- hosts can be verified with public-key cryptography
- typically on first connection you see a message like
The authenticity of host '52.26.151.118 (52.26.151.118)' can't be established.
RSA key fingerprint is 1f:cf:5c:16:95:f2:8a:eb:2d:4a:f9:99:53:ed:c5:24.
Are you sure you want to continue connecting (yes/no)?
- In a high-security environment you might want to verify the host key fingerprint before accepting
- accepting the key (with "yes") adds the public key to .ssh/known_hosts
- future connections to the same host are verified with that public key
- once you know a host's key, this limits the possibility of "man-in-the-middle" attacks, where someone impersonates the remote host to monitor your communication
- you get a scary warning if the host public key changes on the remote host
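How the fingerprint in that prompt relates to the key stored in .ssh/known_hosts, as an added example that is not part of the original guide: the fingerprint is a hash of the decoded public key blob, so an entry can be checked against a fingerprint obtained out of band. The function names and the sample entry (filler key bytes for remotehost.example.com) are constructed for illustration.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

# Constructed sample entry: an ssh-ed25519 blob with filler key bytes.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = ("remotehost.example.com ssh-ed25519 "
               + base64.b64encode(SAMPLE_BLOB).decode())

def parse_known_hosts_line(line: str):
    """Return (hosts, key_type, blob) for one known_hosts entry."""
    fields = line.split()
    if fields and fields[0].startswith("@"):  # @cert-authority / @revoked marker
        fields = fields[1:]
    if len(fields) < 3:
        raise ValueError("not a known_hosts entry")
    hosts, key_type, b64 = fields[:3]
    blob = base64.b64decode(b64, validate=True)
    # The blob carries its own key-type string; it must agree with the line.
    if len(blob) < 4:
        raise ValueError("key data too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key data")
    return hosts.split(","), key_type, blob

def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated hex, the form shown in the prompt above."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def sha256_fingerprint(blob: bytes) -> str:
    """SHA256:<unpadded base64>, the form current OpenSSH prints by default."""
    raw = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(raw).decode().rstrip("=")

def matches_pinned(line: str, pinned: str) -> bool:
    """True if the entry's key has the fingerprint obtained out of band."""
    _, _, blob = parse_known_hosts_line(line)
    if pinned.startswith("SHA256:"):
        return sha256_fingerprint(blob) == pinned
    return md5_fingerprint(blob) == pinned.lower()

if __name__ == "__main__":
    print(sha256_fingerprint(parse_known_hosts_line(SAMPLE_LINE)[2]))
```

"ssh-keygen -l -f .ssh/known_hosts" prints fingerprints for the stored keys; adding "-E md5" selects the older colon-separated form.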
2.3 user authentication
- You can also identify yourself to a remote host with similar public-key cryptography
- doesn't require knowing or even having a password for the account on the remote host
- generate a key with "ssh-keygen" and save to a file (like "my-id.pem")
- place the public key (my-id.pub) in .ssh/authorized_keys on the remote host
- use "ssh -i my-id.pem" to offer that identity key for authentication
- almost always a good idea to password-protect identity keys (use a good, non-empty password when creating or "ssh-keygen -p" to add/change a password) since that also encrypts the private key data
- you have to give the password when using the key
- "ssh-agent" holds pre-unlocked keys that it will offer automatically (so you don't always have to use "ssh -i")
- "ssh-add" installs keys in the current ssh-agent
- "ssh-add -d" deletes keys from ssh-agent
- "ssh-add -l" shows keys currently loaded in ssh-agent
3 ssh usage
3.1 Log in to a remote host (using the same login name you have locally)
ssh remotehost.example.com
3.2 Log in to a remote host with a specified remote user account
ssh remoteuser@remotehost.example.com
3.3 Offer a specified identity key for authentication with -i
ssh -i my-id.pem remoteuser@remotehost.example.com
- uses the private key file "my-id.pem"
3.4 lots of options
man ssh
3.5 .ssh/config to set preferences
man ssh_config
4 scp - transfer files via an ssh connection
4.1 scp from-spec to-spec
- just like cp, but can specify host and user information in addition to a file path
- remotehost.example.com:path – log in to remotehost.example.com, then get a file from the specified path
- remoteuser@remotehost.example.com:path – specify a different remote user
4.2 upload a file to the remote host
scp local_file remoteuser@remotehost.example.com:remote_file
4.3 download a file from remote host
scp remoteuser@remotehost.example.com:remote_file local_file
4.4 can also use -i like ssh for identity keys for account authentication
scp -i my-id.pem remoteuser@remotehost.example.com:remote_file local_file