Back to Compendiums

The SSH Guide

by matsjfunke

Introduction

This guide covers SSH (Secure Shell), a protocol for secure communication and remote access between computers. It provides an overview of the SSH protocol and practical usage examples, such as generating keys, configuring server access, and managing users.

SSH Keys

  • Public Key: Used for one-way encryption. It encrypts data that only the corresponding private key can decrypt. Share this key with servers you want to access.
  • Private Key: Decrypts data encrypted with the public key, allowing secure access and communication. Store this key securely on your local machine and protect it with a strong passphrase. Never share your private key with anyone.

SSH Protocol

SSH protocol flowchart

  1. Client sends public key to server:

    • The server checks this public key against its list of authorized keys to verify if the client is permitted to connect.
    • The client and server agree on SSH protocol versions and encryption methods, then perform a key exchange to secure the channel.

  2. Server sends its public key to client:

    • The client verifies this key against its known hosts list to ensure the server is trusted.

  3. Server sends a challenge (string) encrypted with the client's public key:

    • This ensures that only the client with the corresponding private key can decrypt it.

  4. Client decrypts the challenge and sends it back:

    • The server verifies the decrypted string to confirm the client's identity.

  5. Session Establishment:

    • After successful authentication, a secure, encrypted session is established, allowing the client to execute commands and transfer data safely.

SSH Usage

  1. generate ssh-key in you terminal
bash
1cd ~/.ssh
2
3ssh-keygen -t ed25519
4
5Enter file in which to save the key (/path/to/your/.ssh/id_ed25519): <project-name>
6
7Enter passphrase (empty for no passphrase): <CR> or enter any passphrase
8
  1. add pbulic key to server (usually done via webinterface of hosting provider)

copy the public key

bash
1cat ~/.ssh/<project-name>.pub
2
  1. give permission to read privatekey-file
bash
1chmod 400 ~/.ssh/<project-name>
2

  1. Allow network access via SSH

    • Source IP: Any IPv4, Any IPv6
    • Protocol: TCP
    • Port: 22

  2. Connenct to server via SSH

bash
1ssh -i ~/.ssh/<project-name> root@<IPv4>
2

Managing SSH Users and Permissions

In this section, we'll cover managing users and permissions with SSH to ensure only authorized individuals access your servers, enhancing security.

  1. Create a non-root user with sudo privileges
bash
1adduser <username>
2
3usermod -aG sudo <username>
4
  1. Copy SSH key for new user
bash
1mkdir -p /home/<username>/.ssh
2cp ~/.ssh/authorized_keys /home/<username>/.ssh/
3chown -R <username>:<username> /home/<username>/.ssh
4chmod 700 /home/<username>/.ssh
5chmod 600 /home/<username>/.ssh/authorized_keys
6
  1. Test sudo access with the new user:
bash
1su - <username>
2# with new user run
3sudo whoami  # Should return "root"
4
  1. After confirming everything works, you should update the SSH configuration to disable root login:
bash
1sudo vim /etc/ssh/sshd_config
2

Change or add these lines:

bash
1PermitRootLogin no
2PasswordAuthentication no
3PubkeyAuthentication yes
4
  1. Restart the SSH service:
bash
1sudo systemctl restart ssh
2
  1. Test new SSH connection in a new terminal window before logging out:
bash
1ssh -i ~/.ssh/<project-name> <username>@<IPv4>
2