Secure Shell (SSH) is a network protocol for secure remote command-line access and data communication. In other words, it provides a secure connection between two systems over an insecure network. The SSH client can be used from the terminal on Linux and Mac operating systems. It can also be used on Windows with the help of third-party software such as PuTTY. SSH was created to replace services like telnet, Berkeley rsh and rexec, which are less secure in nature and send passwords in clear text (plaintext), whereas SSH uses encryption to provide confidentiality and integrity of the data over an unsecured network.
There are many ways to use SSH. One way is to generate a public and private key so that the network connection is encrypted, and then use a password to log on. The second is to manually generate a public and private key and use them for authentication, NOT using a password for authentication. For the second method, once the public and private keys are generated, the public key is placed on the 'X' number of remote servers/computers that the user will be logging into from his/her local machine. When the public key is present on the remote server/computer and the matching private key is on the local machine, there is no need for a password for authentication, because the user is authenticating based on the private key (keeping in mind that the private key does not get transferred during the authentication).
SSH is used for many things, such as remotely logging into a machine and running commands, but SSH is also used for X11 connections, tunneling, forwarding TCP ports, SFTP, SCP, etc. The default port for the SSH server is 22.
An SSH client is usually present on most Linux operating systems and Mac OS X. Microsoft Windows is the only platform where SSH is not present, and one has to use third-party software such as PuTTY, OpenSSH under Cygwin, etc.
SSH keys are generated by the command 'ssh-keygen'. A user can create a passphrase during the key generation process or leave it empty. ssh-keygen stores the keys in $HOME/.ssh/id_rsa (RSA private key) and $HOME/.ssh/id_rsa.pub (RSA public key). The private key, as the name indicates, should be kept private and not shared. The public key can be shared and should be placed on the remote servers/computers that the user will be connecting to in the future. The content of the public key needs to be copied to $HOME/.ssh/authorized_keys on the remote server/computer. Please see "Note:" below.
ssh-keygen Command Options:
Following are some of the options which can be used with the ssh-keygen command:
-b specifies the number of bits in the key (768 bits to 2048 bits)
-C provides a new comment
-p changes the passphrase of an existing private key file instead of creating a new key
-t specifies the type of key to generate
-q silences ssh-keygen. It is used by the /etc/rc file when creating a new key
-N provides the new passphrase
Files used by the ssh-keygen utility:
ssh-keygen uses various files for saving the public and private keys; following is the list of files:
· $HOME/.ssh/identity: it contains the RSA private key when using the SSH protocol version 1.
· $HOME/.ssh/identity.pub: it contains the RSA public key for authentication when you are using the SSH protocol version 1.
· $HOME/.ssh/id_dsa: it contains the protocol version 2 DSA authentication identity of the user.
· $HOME/.ssh/id_dsa.pub: it contains the DSA public key for authentication when you are using the SSH protocol version 2.
· $HOME/.ssh/id_rsa: it contains the protocol version 2 RSA authentication identity of the user.
· $HOME/.ssh/id_rsa.pub: it contains the protocol version 2 RSA public key for authentication.
# ssh-keygen -t rsa -b 2048
After generating the keys, copy the RSA public key into the file authorized_keys.
(from your home directory)
# cd .ssh
# cat id_rsa.pub >authorized_keys
(This will erase any existing authorized_keys and copy id_rsa.pub into it.)
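The '>' redirection above overwrites the file, so any keys already authorized for the account are lost. Here is an added example (not part of the original page) of a small POSIX shell function that appends the public key only if it is not already present, refuses input that looks like a pasted private key, and sets the directory and file modes sshd expects. The sample key line and the install_pubkey/valid_pubkey_line/count_keys names are constructed for this example.

```shell
#!/bin/sh
# Constructed sample public-key line (not a real key): type, base64 blob, comment.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexampleonly== user@laptop'

# valid_pubkey_line <line>
# Accepts only lines shaped like an OpenSSH public key ("<type> <base64> ...")
# and rejects anything containing "PRIVATE KEY" (a common copy/paste mistake:
# id_rsa instead of id_rsa.pub).
valid_pubkey_line() {
    case "$1" in
        *"PRIVATE KEY"*) return 1 ;;
        ssh-*" "*|ecdsa-*" "*|sk-*" "*) return 0 ;;
        *) return 1 ;;
    esac
}

# install_pubkey <pubkey line> <ssh dir>
# Appends the key to <ssh dir>/authorized_keys (>> instead of >) unless the
# identical line is already there. Mode 700 on the directory and 600 on the
# file matter: sshd (StrictModes, the default) ignores authorized_keys that
# is group- or world-writable.
install_pubkey() {
    key="$1"
    dir="$2"
    valid_pubkey_line "$key" || return 1
    mkdir -p "$dir" && chmod 700 "$dir"
    auth="$dir/authorized_keys"
    touch "$auth" && chmod 600 "$auth"
    # -x: whole-line match, -F: literal (base64 may contain '+' and '/')
    if grep -qxF -- "$key" "$auth"; then
        return 0
    fi
    printf '%s\n' "$key" >> "$auth"
}

# count_keys <authorized_keys>
# Number of key lines in the file (used to confirm nothing was clobbered).
count_keys() {
    grep -c '^ssh-\|^ecdsa-\|^sk-' "$1"
}
```

Run it against your own .ssh directory as install_pubkey "$(cat ~/.ssh/id_rsa.pub)" ~/.ssh; running it twice is safe because the second call finds the key already present.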
Here are some web pages with examples, which you can find by searching the Internet for "ssh key generation":
Note: If you're using the general SCI home (/home/sci/...) as your home directory on your desktop or laptop, there is no need to copy SSH keys to the servers. All servers at SCI see and have access to the home directories. However, if you don't, and use a local home directory instead, please make sure to copy your SSH keys to the general SCI home directory.
X11 over SSH:
In order to have X11 over SSH, the remote server/computer must have X11 forwarding enabled in the sshd_config file (sshd_config is usually located in /etc/ssh). If X11 forwarding is enabled, then the user can pass the -X or -Y flag when connecting with ssh to the remote server/computer.