User SSH

What is SSH ?

SSH is a communication encryption protocol that can be used to open a remote shell session on a distant machine, hence its name (SSH stands for Secure Shell).

Benefits of SSH

There are many reasons why SSH has been widely adopted in the world of computing infrastuctures : - strong authentication with keys; - strong encryption; - available on all operating systems; - ...

How does it work ?

SSH protocol is based on symmetric and asymmetric encryption techniques. In symmetric encryption, a single secret key is used to encrypt and decrypt the communication between two parties, meaning that these latter must share the secret. In asymmetric encryption, to send data in one direction from a party B to a party A, a key pair is needed : the public key of party A is used by party B to encrypt the message, and the private key is used by party A to decrypt the encrypted message. The public key can be freely shared with any party, while the private key must be kept secret and never be shared. The mathematical relationship between a public key and its corresponding private key allows the public key to encrypt messages that can only be decrypted by the associated private key.

In SSH, symmetric encryption is used to encrypt the communication between two parties, making use of a secret shared key that has been produced during a process based on asymmetric encryption. Asymmetric encryption is also used for authentication of parties.

You will find more detailed explanations on these links : link1, link2.

Conclusion :

The important thing to keep from all these technical explanations is the following :

To use SSH, you need to generate a key pair : the private key must stay secret and should never be shared or copied somewhere else than your laptop, while the public key can be shared. Due to their special mathematical relationship, the two keys are linked in a unique way, with the consequence that if you loose one, the other instantly becomes useless, and your are obliged to generate a new key piar.

Managing your key(s)

This section explains how to generate an SSH keypair on your personal laptop.

Linux

Open your favorite terminal and type the command "ssh-keygen". You should get something like this :

[mdupont@guse ~]$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mdupont/.ssh/id_rsa): 
Created directory '/home/mdupont/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/mdupont/.ssh/id_rsa.
Your public key has been saved in /home/mdupont/.ssh/id_rsa.pub.
The key fingerprint is:
54:16:96:4d:0f:b5:a7:5a:c3:d8:12:a0:77:e7:8f:89 mdupont@guse.iihe.ac.be
The key's randomart image is:
+--[ RSA 2048]----+
|          *=o..  |
|         =...o . |
|        o . o + .|
|       . . . B o |
|        S   o B  |
|             = = |
|            E o .|
|                 |
|                 |
+-----------------+

This command is interactive. You're first asked to specify the filename for the private key : press ENTER so that the default name suggested between parentheses will be used. After that, you'll be asked to provide a passphrase to protect the private key. We strongly advise you to do so. And finally, you'll be asked to confirm the passphrase.

As a result of the previous command, you will find a new directory named ".ssh" in your home directory. It should contain the following files :

[mdupont@guse ~]$ ls -al .ssh/
...
-rw-------  1 mdupont mdupont 1675 Apr 10 16:16 id_rsa
-rw-r--r--  1 mdupont mdupont  402 Apr 10 16:16 id_rsa.pub

You will notice that the private key (id_rsa) is protected with very restrictive permissions (read and write only allowed to the owner). Please don't change these permissions, otherwise ssh won't work ! If you've accidentally changed the permissions on the private key, you can always restore them like this :

$ chmod 600 ~/.ssh/id_rsa

MacOS

TBD

Windows

Explained in full details on this [1].

Gaining access to a remote Linux server

Although SSH can be used with a login and password, this authentication method is forbidden by most sysadmins because some users tend to choose too weak passwords that won't resist to a brute-force attack. On the other hand, getting access to a remote Linux machine with your SSH keypair is really simple : you just need to append your public key at the end of a file ~/.ssh/authorized_keys file on the remote machine.

Let's explain SSH key-based access with an example. Imagine you've got an account 'mdupont' created for you on a remote Linux machine called 'linserver.iihe.ac.be', and that your home directory on this machine is /home/mdupont. Then, to gain key-based access to this machine, you just need the content of your public key (on your laptop : ~/.ssh/id_rsa.pub) to be added to the file /home/mdupond/.ssh/authorized_keys on the remote server. Once it's done, you can connect like this :

$ ssh mdupont@linserver.iihe.ac.be

Managing custom connection options

This tutorial explains how you can simplify your SSH commands by modifying the file ~/.ssh/config.

To demonstrate the power of this trick, let's consider the following example :

A user mdupont has to connect as root on a remote machine called linserver.iihe.ac.be whose SSH port is actually 22222 (instead of the traditional 22) using a private key ~/.ssh/id_rsa_root_linserver with the X11 forwarding option ('-X'). So, the ssh command he would normally type is :

$ ssh -X -P 22222 -i .ssh/id_rsa_root_linserver root@linserver.iihe.ac.be

To avoid having to type such a long and difficult to memorize command, he can add the following lines to his .ssh/config file :

Host linserver
HostName linserver.iihe.ac.be
User root
IdentityFile ~/.ssh/id_rsa_root_linserver
Port 22222
ForwardX11 yes

Now, the user just have to type :

$ ssh linserver

Multi-hop connection with ssh-agent

The use case covered by this section is the following :

Let's say that from your laptop, you can connect with SSH to a remote server A, and that from that server, you can connect to B using the same keypair you used to connect to A. Server B being in a private network, you can't connect to B directly from your laptop, you are obliged to make a first hop by connecting to A, and then, from A you can connect to B.

The problem with achieving this use case is that you need to copy your private ssh key to machine A. This is tedious, error-prone and above all, dangerous because if machine A is compromised, your private key will be stolen. Anyway, your private key should always be kept on your laptop, you should never copy it elsewhere.

Thanks to ssh-agent, you don't need to copy your private key. You must first make sure ssh-agent is running on your laptop. On most recent operating system, ssh-agent should be configured to start automatically when you open a session. To check if ssh-agent is running :

$ echo $SSH_AGENT_PID

If it gives a number, the agent is already running. If not, you need to start it like this :

$ eval <tt>ssh-agent</tt>
$ ssh-add

To make sure ssh-agent is started during the next sessions, you can the following lines to your ~/.bashrc :

if [ -z "$SSH_AGENT_PID" ] ; then
    eval <tt>ssh-agent</tt>
    ssh-add
fi

Now, jumping from your laptop to server A, and then from A to B can be done like this :

[mdupont@laptop ~]$ ssh -A A
[mdupont@A ~]$ ssh B

The magic is in the '-A' option of the first command. This option does the agent forwarding : it will ensure that your agent running on your laptop is usable from the remote machine A as well.

Creating a tunnel for port-forwarding

Port-forwarding with SSH tunnels is useful when you want to access a service on a machine that's protected by a firewall. This one will generally block all ports except the 22 for SSH, thus preventing you from accessing the services hosted by this machine.

To ease explanations, let's consider the following example :

Imagine that you have created a virtual machine where you've launched a Jupyter Notebook running on port 8888. Due to the firewall, this port is blocked, and even if it was not the case, you would have to configure Jupyter to allow non-local connections , which is a risky option by the way. SSH port-forwarding tunnels bring a secure and simple solution to this problem. Here is how to create such a tunnel :

Linux

Given that you've got an account "cloudadm" on the remote machine with IP address 193.58.172.167, you've got to issue the following command in your Linux shell :

ssh -L 8888:localhost:8888 cloudadm@193.58.172.167

The effect of this is that the local port 8888 on your laptop will be forwarded through the SSH tunnel to the port 8888 on the remote machine. Thus, to access your Jupyter Notebook, you'll just have to type something like https://localhost:8888... in the address bar of your browser.

Windows

With PuTTY :

Image(port_forwarding_tunnels_with_putty.png, width=30%)

1. Specify the local port (called "Source port")
2. Specify the destination formatted like this : <IP_REMOTE_MACHINE>:<PORT_OF_SERVICE_ON_REMOTE_MACHINE>
3. Click on the "Add" button
4. The new port-forwarding rule is added
5. Click on "Open" button to create the tunnel

With MobaXterm :

In the "Tools" menu, select "MobaSSHTunnel (port forwarding)". Then, in the MobaSSHTunnel window, click on the button "New SSH tunnel" and fill in the fields like on this screen capture :

Image(port_forwarding_tunnels_with_mobaxterm.png, width=30%)

After having clicked on the "Save" button, you'll find the new port-forwarding rule :

Image(port_forwarding_rules_mobaxterm.png, width=30%)

Click on the Image(play_button_mobaxterm.png, width=1%) button to create the tunnel.

Further reading

At the end of this very good article from a blog, you will find a troubleshooting section.

Template:TracNotice