LFCS Training – Secure Shell (SSH)

Jarret B

Secure Shell (SSH) allows for encrypted connections between two systems. The encryption method can be changed to your preference, as we will cover in this article.
We will also go over the ways to authenticate, how to copy files between systems and how to log on to multiple systems at once.

Client Names

For basic connections between systems it is common to use the IP addresses of the remote systems. The basic command is as follows:

Code:
ssh <username>@<hostname/address>

The hostname can be replaced with the IP Address. If your network has no local DNS set up, you can instead set up a naming system of your own, which is described next.

NOTE: If you are logged in, say as ‘User1’, and you do not specify a username on the SSH command-line then the username will default to ‘User1’, the current username.

To start open the Terminal and perform the following:

Code:
cd ~
mkdir .ssh
cd .ssh

The commands should not produce an error unless you have already set up or used SSH on the system. If the ‘.ssh’ folder already exists, do not worry about it; just change into the folder. Open an editor and type in something similar to the following (change the system names and IP addresses as needed for your network):

Code:
Host    server1
    HostName 192.168.56.103
    User jarret
    Port 22
Host    server2
    HostName 192.168.56.104
    User jarret
    Port 22
Host    server3
    HostName 192.168.56.105
    User jarret
    Port 22

The Port for SSH defaults to 22. If you want to use a different IP Port you can change it in the file. Be aware of the username you specify since it can be case-sensitive.
Save the file as ‘config’ in the ‘~/.ssh’ folder.

NOTE: If you want to log in to other systems using SSH as a different user, do not set a ‘User’; leave the line out. If you are going to use the same username every time, these lines in the configuration can save a little time. Since the IP Port defaults to 22 for SSH, you can leave the ‘Port’ line out if you aren’t going to change it from the default. The defaults can be left in the ‘config’ file to make it easier to change them later if needed. Also, you may want to add the local Host to the ‘config’ file (which will be discussed later in this article).

SSH is very picky about the permissions on the ‘config’ file. To make sure that SSH will work with the ‘config’ file you need to perform the following command to change the permissions:

Code:
chmod 700 ~/.ssh/config

NOTE: The change gives you, as the owner, full rights to the file, while no group or other user has any permissions to it. The permissions secure the ‘config’ file from being accessed by anyone other than you (the owner) and Root.
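As an added example (not part of the original article), the following script creates the ‘.ssh’ layout described above inside a scratch directory and then checks that the directory and every file in it carry no group or other permission bits. The scratch path, the single sample host and the function names are constructed for the demonstration; point ‘check_ssh_perms’ at ‘$HOME’ to audit your real ‘~/.ssh’.

```shell
#!/bin/sh
# Added example, not from the original article: build a ~/.ssh directory with
# the permissions the article asks for, then audit it.
set -u

# Return 0 when the group and other permission bits of $1 are all clear.
# Columns 5-10 of 'ls -ld' output are the group+other rwx bits ("------").
private_to_owner() {
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Write a one-host config (sample address) under $1/.ssh with a restrictive
# umask, so the file is never group/world-readable even for an instant.
write_ssh_config() {
    dir="$1/.ssh"
    umask 077
    mkdir -p "$dir"
    cat > "$dir/config" <<'EOF'
Host    server1
    HostName 192.168.56.103
    User jarret
    Port 22
EOF
    chmod 700 "$dir"
    chmod 700 "$dir/config"    # the mode the article uses; 600 also satisfies ssh
}

# Print every path under $1/.ssh that is readable/writable by group or other.
# Exit status 1 if any were found, 0 if the whole tree is private to the owner.
check_ssh_perms() {
    dir="$1/.ssh"
    status=0
    for f in "$dir" "$dir"/*; do
        [ -e "$f" ] || continue
        if ! private_to_owner "$f"; then
            echo "insecure permissions: $f ($(ls -ld "$f" | cut -c1-10))"
            status=1
        fi
    done
    return $status
}

# Constructed scratch HOME so the demonstration never touches a real ~/.ssh.
scratch=$(mktemp -d)
write_ssh_config "$scratch"
check_ssh_perms "$scratch" && echo "ok: $scratch/.ssh is private to $(id -un)"
```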

When you first connect using SSH it will default to using a Public key. Once the connection is made you will be prompted to accept the remote system’s Public key by typing ‘yes’, as shown in Figure 1.


FIGURE 1

After the connection is made you should see the prompt in the Terminal change to show the username and system name. Since any command you type is now being executed on the remote system, you can type the following command to see the keys that have been recorded on the remote system:

Code:
cat ~/.ssh/known_hosts

A sample ‘known_hosts’ file is shown in Figure 2.


FIGURE 2

The default encryption is ECDSA for SSH, but this can be changed. Some people may argue that one encryption method is better than another, but it all comes down to which method you are most comfortable using. The RSA method can be implemented by the following command:

Code:
ssh-keygen -t rsa -b 2048

The ‘-b 2048’ parameter can be dropped, but the option allows for a longer key. The default RSA key length is 1024. By doubling the key length you can help increase the security of the encryption. Larger numbers are allowed, but longer keys can reduce performance.
Once executed you will be prompted to enter a filename for the Public/Private keys. The defaults for the RSA keys are ‘id_rsa’ and ‘id_rsa.pub’. Press ENTER to leave the names as the defaults. Next you will be prompted to enter a passphrase. The passphrase will be needed each time you want to use SSH to a system with which you share the Public key. You will then have to re-enter the passphrase to verify that it was typed correctly. After the passphrase is verified the keys will be created, as shown in Figure 3.


FIGURE 3

Once the command has completed the Public and Private keys will be found in ‘~/.ssh’. You will need to share the Public key with the systems you intend to connect to using SSH.
To copy the Public key to a remote system you can use the command:

Code:
ssh-copy-id -i id_rsa.pub server1

NOTE: The remote system name (server1) can be changed to the system name on your network. If you have not set up a ‘config’ file then you can use the remote system’s IP Address.

The Public key filename must be specified in case you have renamed it or have multiple key files for use on different systems.
Once the key has been copied you can connect normally using the SSH command discussed above. Remote systems store the Public key in the file ‘.ssh/authorized_keys’. You will be prompted to enter the passphrase to complete the connection. The passphrase does not need to be, and should not be, the same as your user password. The passphrase prevents anyone who gains access to your system, and therefore to your private key, from using it to reach the remote systems.

Copying Files via SSH

Files can be copied to a remote system using the SSH command ‘scp’. If a file is to be copied into a folder then the folder must exist.
To copy from the local system to a remote system use the following command syntax:

Code:
scp /path/file servername:/path/

If you want to copy a file from a remote system back to your local system you can use the following command:

Code:
scp servername:/path/file /path

Here servername is the remote system, followed by the path and filename. The second option is the path where the file should be placed. If you are currently in the folder in which you want the file placed, you can use a period (.) to represent the current folder.

NOTE: The first option is the source file and the second is the target location.

Login to Multiple Systems Using One Authentication

The command ‘ssh-agent’ can be used to store the password or passphrase to be used on all SSH or SCP connections made after ‘ssh-agent’ is executed. Once the ‘ssh-agent’ is exited the password or passphrase is removed.
If SSH-AGENT is used, authentication is only needed if a system’s security key is not in the ‘known_hosts’ file.
The command to perform is as follows:

Code:
ssh-agent bash

The command will open a bash shell within the same Terminal. Typing ‘exit’ will close the SSH-AGENT.
Once the Agent has been set up, its data is kept in the /tmp folder in a directory starting with ‘ssh-’ followed by twelve random characters. For now it is empty.
To finish setting up the security key you need to add the key with the command:

Code:
ssh-add

Once entered you will be prompted for the password/passphrase. Once the password/passphrase is verified it will place the key into the file under /tmp.
At this point any SSH or SCP commands you use inside the SSH-AGENT will not require a password unless the remote system has not been connected to previously. These will require the password/passphrase to set up the ECDSA public keys. If you need to use a different authentication type, you will need to use the ‘ssh-copy-id’ command to copy the public key to the remote system.
When leaving a remote system you type ‘exit’ and finally type ‘exit’ again to exit the SSH-AGENT.

Connecting to Multiple Systems At Once

The command to open multiple connections is called ‘screen’. On CentOS systems the command is not available until it is installed:

Code:
sudo yum install screen -y

The command is only needed on the system from which multiple connections will be made. In my following examples I will be using Server1 as the main system. From Server1 I will connect to Server2 and Server3.
For ‘screen’ to work you need to set up a configuration file in your HOME folder. The file is named ‘.screenrc’. A separate line is required for each system to which an SSH connection is made. The lines in the file are constructed as follows:

Code:
screen number command

The ‘number’ is the order in the queue and will be the number listed for the Screen. The command is what is used to connect to the specific server. For example my ‘.screenrc’ would be:

Code:
hardstatus alwayslastline 
screen 0 bash
screen 1 ssh server2
screen 2 ssh server3

NOTE: The first line will cause a status bar to appear at the bottom of the Terminal.
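As an added example (not part of the original article), the script below generates the ‘.screenrc’ described above directly from the Host entries of an ssh ‘config’ file, so the window list stays in step with the servers you defined earlier. The sample config, its hosts and the function names are constructed for the demonstration; it also skips wildcard entries such as ‘Host *’, which the article does not use but which are common in real config files.

```shell
#!/bin/sh
# Added example, not from the original article: derive a .screenrc from the
# Host aliases in an ssh config file, one 'screen N ssh host' window per host.
set -u

# Print the Host aliases from the ssh config $1, one per line, in file order.
# The keyword is matched case-insensitively; patterns containing *, ? or !
# are skipped because they are match rules, not systems you can connect to.
ssh_config_hosts() {
    awk 'tolower($1) == "host" {
             for (i = 2; i <= NF; i++) if ($i !~ /[*?!]/) print $i
         }' "$1"
}

# Emit a .screenrc: the status bar line, window 0 as a local shell, then one
# ssh window per host numbered in the order the hosts appear in the config.
make_screenrc() {
    echo "hardstatus alwayslastline"
    echo "screen 0 bash"
    n=1
    for h in $(ssh_config_hosts "$1"); do
        echo "screen $n ssh $h"
        n=$((n + 1))
    done
}

# Constructed sample config: the article's three hosts plus a wildcard block.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Host    server1
    HostName 192.168.56.103
    User jarret
Host    server2
    HostName 192.168.56.104
Host    server3
    HostName 192.168.56.105
Host *
    Port 22
EOF

make_screenrc "$sample"       # redirect to ~/.screenrc to use the result
```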

To switch between the connected systems you can use special commands. Press CTRL+A to enter command mode and then press one of the following:

n – next connection
p – previous connection
" – list connections

As you switch between the connections you may notice that, if the Hostname has not been changed on a system, the status bar shows ‘localhost’. The local system will always be shown as ‘localhost’. Other systems can be renamed by connecting to them with SSH and performing the following command:

Code:
hostnamectl set-hostname <name>

The parameter ‘<name>’ is the name to give the system. When you next connect to that system you will see the name in the status bar. For the name change to take effect you must disconnect from the remote system and reconnect.
You can also enter an individual ‘screen’ command in the local SSH window to connect to another remote system.
Try connecting to various systems to get a good understanding of SSH.
 


