Introduction
Over the last fifteen years, SSH has become a standard tool for remote management of Unix-like systems and many network devices. SSH stands for Secure Shell, and is one of the ways to get a command line (shell) access on a remote machine. It was designed to be a secure alternative to previous access methods such as telnet.
Unlike some previous techniques, SSH encrypts all the data that you send and receive from the remote server, and offers secure authentication using SSH keys. This article will describe its basics and help you get started with the following:
- Connecting to a remote host via SSH
- Generating and managing your SSH keys
- Executing commands over SSH
- Using SSH agent for managing multiple SSH keys
Prerequisites
While the aim of this article is to cover the basics, it will still require some basic understanding of the command line and the structure of Unix-like systems.
It will also assume that you have an installed version of OpenSSH on your machine. This package comes preinstalled if you use any of the modern Linux distributions.
SSH Keys
To make SSH really useful, you will need a pair of SSH keys. These keys serve as a way to identify yourself to a remote server using public-key cryptography.
An SSH key consists of two parts — a private key you should keep for yourself, and a public key that can be shared with anyone. The private key should always stay on your local computer, and you should take care not to lose it or let it fall into malicious hands. The public part is the part of the key that you upload to a remote machine you want to access via SSH.
By combining these two keys, a remote machine can determine your identity. When you connect to a remote machine to which you have already uploaded your public key, it will send a challenge-type response and ask your local machine to identify with its private key.
Generating an SSH Key
To generate an SSH key, run the following command in your local terminal:
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/igor/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/igor/.ssh/id_dsa.
Your public key has been saved in /home/igor/.ssh/id_rsa.pub.
The key fingerprint is:
12:23:34:56:21:g3:g9:93:86:af:4r:bb:11:5d:f8:h9
If you accept all the default values, the above command will generate two files on your system — the ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub files. The first file is your private SSH key, while the second one represents your public key.
Setting Up Keys on Remote Machines
When you have an SSH key pair and a remote machine where you want to connect, you will usually give the public part of that key to a person who already has access to that remote machine.
Your public key should be placed inside the ~/.ssh/authorized_keys in the home directory of the user you want to use on the remote machine.
For example, if you have created your SSH keys as shown in the above example, you can display your public SSH key by executing the following command:
$ cat ~/.ssh/id_rsa.pub
ssh-rsa BBBB3NzaC1yc2EAAAADAQABAAABAQCv9Gz2XJ9Rl6WzcFX0hvmm4Ipjwr2KoaX5i7SqUrn7hAg87cmCGVmvIarE5u8WJYADeRo1QN/ySNnxQkGq9h2qSYK9rnT4M5s280lg9R+YdEkAKf7HzQKSA+QVxnyvV0uLvZKtUHw13gjFCRBCd5BFCYQQ2jsz2DVpXbw58ZIJtlO6Ev3V9+HX3EqR6Q7IVNCjb9HgJql9yKZOvRk+IAlyjpIcVCgDoKYsTjsTA4aSIDqVevenmnYNsk4jFiqcJeHKoEyByoqEkt2NcU0EAG+Ff2pHg5du32Y+iSdF2d/hIMoYikXnX17hpFxXR1+9H02NP76cmzt9IxlEtsGJWYxh igor@devbox
You can copy the above key, and give it to a person who has access to the remote machine. Let’s say that the name of the remote user you want to use when connecting to the machine is john. The content of your public key should then be appended to the /home/john/.ssh/authorized_keys file. That task can be achieved with the following command on the remote machine:
echo "ssh-rsa BBBB3NzaC1yc2EAAAADAQABAAABAQCv9Gz2XJ9Rl6WzcFX0hvmm4Ipjwr2KoaX5i7SqUrn7hAg87cmCGVmvIarE5u8WJYADeRo1QN/ySNnxQkGq9h2qSYK9rnT4M5s280lg9R+YdEkAKf7HzQKSA+QVxnyvV0uLvZKtUHw13gjFCRBCd5BFCYQQ2jsz2DVpXbw58ZIJtlO6Ev3V9+HX3EqR6Q7IVNCjb9HgJql9yKZOvRk+IAlyjpIcVCgDoKYsTjsTA4aSIDqVevenmnYNsk4jFiqcJeHKoEyByoqEkt2NcU0EAG+Ff2pHg5du32Y+iSdF2d/hIMoYikXnX17hpFxXR1+9H02NP76cmzt9IxlEtsGJWYxh igor@devbox" >> /home/john/.ssh/authorized_keys
Connecting to a Remote Machine
Once you have properly set up your public SSH key on a remote host, you will be able to access the machine by executing the ssh command in your local shell.
For example, if 1.2.3.4 is the IP address of your remote machine, you can create an SSH connection to it using this command:
ssh john@1.2.3.4
The first time you connect to the remote machine, ssh will ask your permission to put the fingerprint of the remote machine in your local ~/.ssh/known_hosts file.
The authenticity of host '1.2.3.4' can't be established.
RSA key fingerprint is 12:23:34:56:21:g3:g9:93:86:af:4r:bb:11:5d:f8:h9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '1.2.3.4' (RSA) to the list of known hosts.
The first time you connect to the server you should type in yes to proceed.
The above question is an integral part of the SSH mechanism, and it protects you from malicious users who want to “sniff” your data over the network. The fingerprint is a way to identify a remote machine. If the fingerprint of the remote server changes, the next time you connect to the machine, ssh will print out a warning message similar to the following:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for 1.2.3.4 has changed,
and the key for the according IP address 1.2.3.4
is unchanged. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
Offending key for IP in /home/igor/.ssh/known_hosts:10
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
12:23:34:56:21:g3:g9:93:86:af:4r:bb:11:5d:f8:h9.
Please contact your system administrator.
Add correct host key in /home/igor/.ssh/known_hosts to get rid of this message.
Host key verification failed.
If you get the above message, make sure to contact your system administrator to determine if the fingerprint has really changed, or if someone is trying to listen in on your connection.
On the other hand, if everything goes smoothly, you should be able to enter the remote host via SSH:
$ ssh john@1.2.3.4
john@1.2.3.4 ~/ $
You can also use the hostname of the remote machine. For example, to connect to the ssh-test.com host, you can execute the following:
ssh john@ssh-test.com
Running Commands over SSH
There are several ways to run commands on the remote machine via SSH. For example, to list the content of the remote user’s home directory, you can run the following on your local machine:
ssh john@1.2.3.4 "ls -lah"
The above command will create a connection to the remote server, and immediately execute the command. When the command stops, the connection will also be closed.
The above scheme will work in the majority of cases, but if you want to open vim or a similar interactive application on the remote host, you will need to use the -t command. For example, to edit test.txt on the remote machine, type the following on your local machine:
ssh -t john@1.2.3.4 "vim test.txt"
When you close vim, the connection to the remote host will also close. On the other hand, if you want to open an interactive shell on the remote machine, you can enter it by executing the following command:
$ ssh -t john@1.2.3.4
john@1.2.3.4 ~/ $ ls
test.txt
john@1.2.3.4 ~/ $ cat
test file
The above session won’t be closed until you execute an exit or logout command on the remote machine.
SSH Agent
If you have multiple SSH keys, or if the SSH keys are encrypted with a passphrase, SSH agents can help you manage them with ease.
Starting an SSH agent can be achieved by executing the following on your local machine:
eval ssh-agent
After the above command, you will have the ability to add your private keys to the agent using the ssh-add command:
ssh-add ~/.ssh/id_rsa
ssh-add ~/.ssh/github_private_key_rsa
In the above example, we added two private keys to the ssh-agent.
SSH agents are most useful when we want to forward our keys to a remote machine. For example, they can be of great help if you have an SSH key that lets you access your GitHub repository from your local machine, but you want to clone the repository on the remote machine using that local key. Luckily, this can be achieved by starting an SSH agent and connecting to the remote machine.
For example, the following workflow lets you clone your repository on the remote machine with a local SSH key:
$ eval ssh-agent
Agent pid 420
$ ssh-add ~/.ssh/github_private_key_rsa
Identity added: /home/igor/.ssh/github_private_key_rsa (/home/igor/.ssh/github_private_key_rsa)
$ ssh john@1.2.3.4
john@1.2.3.4 ~ $ git clone git@github.com:shiroyasha/squash.git
Cloning into 'squash'...
remote: Counting objects: 31, done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 31 (delta 9), reused 4 (delta 4), pack-reused 19
Unpacking objects: 100% (31/31), done.
Checking connectivity... done.
john@1.2.3.4 ~ $ exit
Connection to 1.2.3.4 closed.
Final Words
In this article we saw how to use SSH to get shell access to remote machines. We covered how to use and generate SSH keys, and introduced the SSH agent that gives us better control over our keys.
There is, of course, much more to learn about SSH. Here are some great resources to help you:
P.S. Would you like to learn how to build sustainable Rails apps and ship more often? We’ve recently published an ebook covering just that — “Rails Testing Handbook”. Learn more and download a free copy.