Just basic ssh information.
Secure SHell allows a user to securely log in to a remote machine from a terminal and execute commands as if sitting at the rhost's keyboard.
To log in to a remote machine:
$ssh user@rhost
//////////////////////////////////////////////////////////////////////
*Sources of info:
$man ssh
"Setting Up SSH Keys"
//////////////////////////////////////////////////////////////////////
*More secure
The connection data is encrypted so ssh can be used over an insecure network (read: the internet).
The sshd runs in the background and listens for connections on port 22 by default. So if you don't want anyone to be able to log in to your machine remotely, you have to change the default behaviour or block that port/protocol on your favourite firewall. Having said that, if you have chosen all your account passwords wisely then you are quite secure; see below.
You can of course be more secure by not running the sshd at all if you never plan to use it, or by not allowing password-only logins (by using keys), or by setting up your firewall to only accept connections on that port/protocol from the specific hosts, MAC addresses or IP addresses that you would like to use ssh from.
For sshd exposed to the internet:
Beware that dictionary attacks are fairly common. I have counted >11 different IP addresses each trying this in a week and I don't run a well publicised site! So for improved security I would suggest one or more of the following:
1. Use a non-standard port, since port 22 is obviously targeted.
2. Don't allow direct root login, since then user_name=root and only the password has to be guessed. Log in as a user, then su; now 3 things have to be guessed.
3. Don't use real 'dictionary' words for user_names or passwords. E.g. Jared+exponential may seem hard to guess but both exist. Perhaps jaredss5+Supe537surfe or some such would be a better way to construct user+pass.
4. Commonly tried user_names are: user, test, future, admin, root, www, web. So beware that you have not left one of these lying around and that they don't have ssh rights.
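The count of guessing addresses and the list of tried user_names can be pulled straight from the sshd log. The script below is an added example, not part of the original notes; the log lines are constructed samples in OpenSSH's "Failed password" format and the function names are made up for this example.

```shell
#!/bin/sh
# Constructed sample sshd log lines (addresses are documentation ranges).
sample_log() {
cat <<'EOF'
Mar  3 04:11:02 host sshd[4263]: Failed password for invalid user test from 203.0.113.5 port 40112 ssh2
Mar  3 04:11:05 host sshd[4263]: Failed password for invalid user admin from 203.0.113.5 port 40120 ssh2
Mar  3 04:12:40 host sshd[4263]: Failed password for root from 198.51.100.7 port 51234 ssh2
Mar  3 04:12:44 host sshd[4263]: Failed password for root from 198.51.100.7 port 51240 ssh2
Mar  3 09:30:00 host sshd[4263]: Accepted password for jaredss5 from 192.0.2.10 port 50022 ssh2
Mar  3 11:02:19 host sshd[4263]: Failed password for invalid user www from 192.0.2.99 port 33900 ssh2
Mar  3 11:05:00 host sshd[4263]: Failed password for invalid user a from 198.51.100.200 port 1 ssh2 from 192.0.2.99 port 33901 ssh2
EOF
}

# Print "ip<TAB>user" for every failed password attempt read from stdin.
# The user name is client-supplied text, so the source address is taken from
# the fixed tail of the line ("from IP port N ssh2"), not the first " from ".
failed_attempts() {
    awk '/sshd\[[0-9]+\]: Failed password for / && $(NF-2) == "port" {
        ip = $(NF-3)
        tail = " from " ip " port " $(NF-1) " " $NF
        user = substr($0, index($0, "Failed password for ") + 20)
        sub(/^invalid user /, "", user)
        user = substr(user, 1, length(user) - length(tail))
        print ip "\t" user
    }'
}

# Number of distinct source addresses with at least one failed attempt.
distinct_sources() {
    failed_attempts | cut -f1 | sort -u | wc -l | tr -d ' '
}

# "count user" lines, most-tried user names first.
tried_usernames() {
    failed_attempts | awk -F '\t' '{ n[$2]++ } END { for (u in n) print n[u], u }' |
        sort -k1,1nr -k2
}

echo "distinct sources: $(sample_log | distinct_sources)"
sample_log | tried_usernames
```

On a real host, pipe the sshd log into the same functions instead of sample_log; where that log lives depends on the system.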
To see if ssh is running:
$ps -A|grep ssh
4036 ? 00:00:00 ssh-agent
4263 ? 00:00:00 sshd
sshd is the daemon
ssh-agent starts with X; it is not much use without sshd.
//////////////////////////////////////////////////////////////////////
*
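SSH keys allow you to log in to a remote host without a password. To set up ssh keys, follow these steps:
Use ssh-keygen to set up keys for logging in without a password. (OpenSSH 7.0 and later no longer accept DSA keys by default, so on current systems choose an RSA or Ed25519 key type instead of dsa; the key file names below change to match.)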
user@host:~$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_dsa.
Your public key has been saved in /home/user/.ssh/id_dsa.pub.
The key fingerprint is:
6d:e9:f1:da:a5:78:70:af:92:f9:dc:ae:12:9e:51:f4 user@host
Append the contents of id_dsa.pub to the authorized_keys file in your home directory on a remote host. Note that the user names do not need to be the same on the two hosts.
user@host:~$ scp ~/.ssh/id_dsa.pub remote_user@remote_host:
user@host:~$ ssh remote_user@remote_host
remote_user@remote_host:~$ cat id_dsa.pub >> .ssh/authorized_keys
remote_user@remote_host:~$ rm id_dsa.pub
The next time you ssh to remote_user@remote_host, you will be logged in without needing to enter a password.
To log in from remote_host to host, just run ssh-keygen on remote_host and append the contents of the id_dsa.pub to the authorized_keys file on host.
Alternatively, to log in without a password between multiple (trusted!) hosts, run ssh-keygen on each host. Then append the contents of id_dsa.pub on each host to a single authorized_keys file. Finally, copy the authorized_keys file to the .ssh directory on each host.