ssh - dwilson2547/wiki_demo GitHub Wiki

• 1. What is SSH?
• 2. How SSH Works
  • 2.1. SSH Connection Process
• 3. SSH Authentication Methods
  • 3.1. Password Authentication
  • 3.2. Public-Key Authentication
  • 3.3. Host-Based Authentication
  • 3.4. Multi-Factor Authentication (MFA)
• 4. SSH Encryption
  • 4.1. Symmetric Encryption
  • 4.2. Asymmetric Encryption
  • 4.3. Hashing
  • 4.4. Key Exchange Algorithms
• 5. SSH Commands and Usage
  • 5.1. Basic SSH Connection
  • 5.2. Specify a Port
  • 5.3. Execute a Remote Command
  • 5.4. SSH with Verbose Output
  • 5.5. SSH Config File
  • 5.6. SSH Tunneling (Port Forwarding)
    • Local Port Forwarding
    • Remote Port Forwarding
    • Dynamic Port Forwarding (SOCKS Proxy)
  • 5.7. SCP (Secure Copy)
  • 5.8. SFTP (SSH File Transfer Protocol)
• 6. SSH Key Management
  • 6.1. Generate SSH Keys
  • 6.2. Copy Public Key to Server
  • 6.3. List Fingerprints of Keys
  • 6.4. Revoke or Remove Keys
• 7. SSH Security Best Practices
  • 7.1. Disable Password Authentication
  • 7.2. Use Strong Key Algorithms
  • 7.3. Restrict SSH Access
  • 7.4. Change the Default SSH Port
  • 7.5. Enable Two-Factor Authentication (2FA)
  • 7.6. Regularly Update SSH
  • 7.7. Monitor SSH Logs
• 8. Troubleshooting SSH Issues
  • 8.1. Connection Refused
  • 8.2. Permission Denied (Public Key)
  • 8.3. Host Key Verification Failed
  • 8.4. Slow SSH Connections
• 9. SSH Use Cases
  • 9.1. Remote Server Management
  • 9.2. Secure File Transfers
  • 9.3. Port Forwarding
  • 9.4. Automated Tasks
  • 9.5. Jump Hosts (Bastion Hosts)
• 10. SSH Alternatives
• 11. Summary

SSH (Secure Shell) is a cryptographic network protocol used for secure remote access, command execution, and file transfers over unsecured networks (e.g., the internet). It provides a secure alternative to insecure protocols like Telnet or FTP by encrypting all communication between the client and server.

SSH operates over TCP port 22 by default and uses asymmetric encryption (public-key cryptography) for authentication and symmetric encryption for data transfer. Here’s a high-level overview of the process:

1. Client Initiates Connection:

   • The SSH client connects to the SSH server on port 22.
   • Example: ssh user@remote-host

2. Key Exchange:

   • The client and server agree on a key exchange algorithm (e.g., Diffie-Hellman) to establish a shared secret key.
   • This key is used to encrypt the session.

3. Authentication:

   • The server authenticates itself to the client using its host key (asymmetric encryption).
   • The client authenticates to the server using:
     • Password authentication: The user enters a password.
     • Public-key authentication: The client proves it has the private key corresponding to a public key stored on the server.

4. Session Establishment:

   • Once authenticated, a secure channel is established, and the client can execute commands or transfer files.

• How It Works:
  • The user provides a username and password.
  • The server verifies the password against its user database.
• Pros: Simple to set up.
• Cons: Vulnerable to brute-force attacks if weak passwords are used.

Example:

ssh user@remote-host

• Prompts for the user’s password.

• How It Works:
  1. The user generates a key pair (public and private keys) on their local machine.

     ssh-keygen -t rsa -b 4096

  2. The public key is copied to the server’s ~/.ssh/authorized_keys file.

     ssh-copy-id user@remote-host

  3. When connecting, the client proves it has the private key corresponding to the public key on the server.
• Pros: More secure than passwords; resistant to brute-force attacks.
• Cons: Requires initial setup and key management.

Example:

ssh -i ~/.ssh/id_rsa user@remote-host

• Uses the private key ~/.ssh/id_rsa for authentication.

• How It Works:
  • The server trusts connections from specific client hosts based on their IP addresses or hostnames.
  • Rarely used due to security risks (e.g., IP spoofing).

• How It Works:
  • Combines password + public-key authentication or password + one-time token (e.g., Google Authenticator).
  • Example: SSH with password + TOTP (Time-Based One-Time Password).

SSH uses a combination of encryption techniques to secure the connection:

• Purpose: Encrypts the data transmitted during the session.
• Algorithms: AES, 3DES, Blowfish, ChaCha20.
• How It Works:
  • The client and server agree on a symmetric encryption algorithm during the key exchange.
  • The shared secret key (from key exchange) is used to encrypt/decrypt data.

• Purpose: Authenticates the server and (optionally) the client.
• Algorithms: RSA, DSA, ECDSA, Ed25519.
• How It Works:
  • The server’s public key is used by the client to verify the server’s identity.
  • For public-key authentication, the client’s private key signs a challenge, and the server verifies it using the client’s public key.

• Purpose: Ensures data integrity.
• Algorithms: SHA-2, MD5 (deprecated).
• How It Works:
  • Hash functions verify that data has not been tampered with during transmission.

• Purpose: Establishes a shared secret key for symmetric encryption.
• Algorithms: Diffie-Hellman (DH), Elliptic Curve Diffie-Hellman (ECDH).
• How It Works:
  • The client and server perform a key exchange to generate a shared secret without transmitting it over the network.

ssh user@remote-host

• Connects to remote-host as user.

Example:

ssh [email protected]

ssh -p 2222 user@remote-host

• Connects to remote-host on port 2222 (default is 22).

ssh user@remote-host "command"

Example:

ssh [email protected] "ls -l /tmp"

• Runs ls -l /tmp on the remote host.

ssh -v user@remote-host

• Shows detailed debug information (use -vv or -vvv for more verbosity).

Edit ~/.ssh/config to define aliases and default settings for SSH connections:

Host myserver
    HostName example.com
    User alice
    Port 2222
    IdentityFile ~/.ssh/id_rsa_myserver

• Connect using:

  ssh myserver

Forwards a local port to a remote server.

ssh -L local-port:remote-host:remote-port user@ssh-server

Example:

ssh -L 8080:localhost:80 [email protected]

• Forwards local port 8080 to port 80 on example.com.

Forwards a remote port to a local machine.

ssh -R remote-port:local-host:local-port user@ssh-server

Example:

ssh -R 8080:localhost:80 [email protected]

• Forwards remote port 8080 to local port 80.

Creates a SOCKS proxy for secure browsing.

ssh -D 1080 user@ssh-server

• Configures your browser to use localhost:1080 as a SOCKS proxy.

Copy files securely over SSH.

scp source-file user@remote-host:destination-path

Example:

scp report.txt [email protected]:/home/alice/

• Copies report.txt to the remote host.

Interactively transfer files over SSH.

sftp user@remote-host

Example:

sftp [email protected]

• Opens an interactive SFTP session.

ssh-keygen -t rsa -b 4096

• Generates a 4096-bit RSA key pair in ~/.ssh/id_rsa (private) and ~/.ssh/id_rsa.pub (public).

Example:

ssh-keygen -t ed25519 -C "[email protected]"

• Generates an Ed25519 key pair (recommended for security and performance).

ssh-copy-id user@remote-host

• Copies the public key to the server’s ~/.ssh/authorized_keys file.

Example:

ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]

ssh-keygen -l -f ~/.ssh/id_rsa.pub

• Displays the fingerprint of the public key.

• Remove the public key from the server’s ~/.ssh/authorized_keys file.
• Delete the local private key if compromised:

  rm ~/.ssh/id_rsa

Edit /etc/ssh/sshd_config on the server:

PasswordAuthentication no

• Restart SSH:

  sudo systemctl restart sshd

• Prefer Ed25519 or RSA 4096-bit keys over DSA or smaller RSA keys.

• Limit SSH access to specific users or IPs in /etc/ssh/sshd_config:

  AllowUsers alice bob
  AllowGroups admins

• Use fail2ban to block brute-force attacks.

Edit /etc/ssh/sshd_config:

Port 2222

• Reduces automated attacks targeting port 22.

• Use Google Authenticator or Duo Security with SSH.

sudo apt update && sudo apt upgrade openssh-server  # Debian/Ubuntu
sudo yum update openssh-server                     # RHEL/CentOS

sudo tail -f /var/log/auth.log   # Debian/Ubuntu
sudo tail -f /var/log/secure     # RHEL/CentOS

• Check for failed login attempts or suspicious activity.

• Cause: SSH server is not running or blocked by a firewall.
• Fix:

  sudo systemctl start sshd
  sudo ufw allow 22

• Cause: Incorrect permissions on ~/.ssh or authorized_keys.
• Fix:

  chmod 700 ~/.ssh
  chmod 600 ~/.ssh/authorized_keys
  chmod 600 ~/.ssh/id_rsa

• Cause: The server’s host key has changed (possible MITM attack).
• Fix: Verify the server’s fingerprint and update ~/.ssh/known_hosts:

  ssh-keygen -R remote-host

• Cause: Network latency or inefficient encryption algorithms.
• Fix: Use faster algorithms (e.g., Chacha20-Poly1305) in /etc/ssh/sshd_config:

  Ciphers [email protected],[email protected]

• Administer servers securely from anywhere.

• Use scp or sftp to transfer files encrypted.

• Bypass firewalls or access restricted services.

• Use SSH in scripts for remote backups, deployments, or monitoring.

• Access internal servers via a jump host:

  ssh -J jump-user@bastion-host internal-user@internal-host

• SSH secures remote access using encryption and authentication.
• Public-key authentication is more secure than passwords.
• Port forwarding enables secure tunneling.
• Best practices include disabling passwords, using strong keys, and restricting access.
• Troubleshoot connection issues with logs and permissions.