General

Secure Shell (SSH)

A quick and simple introduction to SSH and practical usage

  • #protocol
  • #ssh
  • #remote

Secure Shell (SSH) is a cryptographic protocol that enables secure communication between two devices over an unsecured network. It is used for remote login, command execution and file transfer.

SSH operates in a server-client architecture where authentication can be performed from the client side via password login or public/private key pairs.

Server

The server is the target machine that is ready for any client to connect to. In Linux, the SSH daemon (also known as sshd) is required to turn the machine into an SSH server.

Installation

SSH can be installed via the openssh package, which is available on most Linux distributions. Before installing, run a quick check to see whether openssh is already present.

ssh

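If it is already installed, the usage text will be printed to the console. This confirms only that the client is present; where the server is packaged separately, the daemon may still need to be installed.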

usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
           [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
           [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]
           [-i identity_file] [-J [user@]host[:port]] [-L address]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-Q query_option] [-R address] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] destination [command [argument ...]]

If it has not been installed yet, find the relevant package in the distribution's package repository. Here are some examples of how to install openssh on Ubuntu and Arch Linux. On Ubuntu, the client and server are packaged separately, whereas on Arch Linux they come in a single package.

# Ubuntu
sudo apt-get install openssh-server openssh-client

# Arch Linux
sudo pacman -S openssh

To install SSH in Windows, refer to this guide on MSDN.

Enable/Start SSH

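The SSH daemon can be controlled with systemctl to start, stop, restart, enable or disable it. Starting the service runs it for the current boot only; enabling it makes it start automatically at boot.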

sudo systemctl start sshd.service

Unblock Firewall

For machines that have a firewall installed, port 22 must be opened for inbound SSH connections.

sudo ufw allow ssh

Retrieve IP

The IP address of the target machine is required to use SSH from the client machine. If both machines are on the same network, e.g. connected to the same Wi-Fi, the local IP address will do the job. To get the local network IP address in Linux, run the following ip command.

ip a

This will print the information about the network including the local IP address.

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: eno1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 80:aa:aa:aa:aa:aa brd ff:ff:ff:ff:ff:ff
    altname enp3s0
3: wlo1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 40:aa:aa:aa:aa:aa brd ff:ff:ff:ff:ff:ff
    altname wlp2s0
    inet 192.168.68.114/24 brd 192.168.68.255 scope global dynamic noprefixroute wlo1
       valid_lft 6915sec preferred_lft 6915sec
    inet6 fe80::aaaa:aaaa:aaaa:aaaa/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

Client

The client is the machine that connects to the SSH server from the command line. To connect to the server machine, we use the ssh command shown below. Replace <username> and <ip-address> with the appropriate values.

ssh <username>@<ip-address>

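If the machine and user are successfully validated, it will prompt for that user's password to sign in. The first time we SSH into the machine, there will be a warning message that asks us to trust the host. The fingerprint in that message identifies the server's host key, and answering yes stores that key in the client's known_hosts file, so it is worth checking the fingerprint against the server's own key before answering. Enter yes and we are good to go.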

The authenticity of host '192.168.68.114 (192.168.68.114)' can't be established.
ED25519 key fingerprint is SHA256:vEM3bnZJ09HNs4NnxxxxxxxxxxxxxxxxxxxxxxJuJ9Y.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
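An added example, not part of the original post: the fingerprint in the prompt above is the unpadded base64 of the SHA-256 hash of the server's public host key blob, so it can be recomputed from a key line read on the server itself (for instance from /etc/ssh/ssh_host_ed25519_key.pub, where `ssh-keygen -lf` prints the same value) and compared before answering yes. The key bytes, the comment field and all function names below are constructed for illustration.

```python
import base64
import hashlib
import struct


def build_sample_pubkey_line(key=bytes(range(32))):
    """Constructed sample: a well-formed ssh-ed25519 public key line in the
    format of a host key .pub file. The 32 key bytes are made up."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", len(key)) + key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@sample"


def parse_pubkey_line(line):
    """Return (key_type, blob); reject a line whose declared type differs
    from the type string embedded at the start of the blob."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type does not match the key blob")
    return key_type, blob


def sha256_fingerprint(line):
    """SHA256:<base64 of SHA-256(blob), '=' padding removed>, as ssh shows."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def prompt_matches(prompt_text, trusted_pubkey_line):
    """True only if the fingerprint in the first-connection prompt equals the
    one computed from a key line obtained directly from the server."""
    shown = [w.rstrip(".") for w in prompt_text.split()
             if w.startswith("SHA256:")]
    return len(shown) == 1 and shown[0] == sha256_fingerprint(trusted_pubkey_line)


if __name__ == "__main__":
    line = build_sample_pubkey_line()
    fp = sha256_fingerprint(line)
    print(fp, prompt_matches(f"ED25519 key fingerprint is {fp}.", line))
```

The trusted key line has to come from a channel other than the SSH connection being checked, such as the server's console.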

Here is a screenshot of using MobaXTerm from my Windows 10 machine to SSH into my Arch Linux laptop. I like MobaXTerm as it comes with lots of useful features such as SSH out of the box.

Successful login with MobaXTerm

Unbeknownst to me, my Neovim theme and configuration play nicely too. Not to mention the language server protocol is also active while I am editing code.

Active LSP when editing Clojure codes

View Logins

Logs for the SSH logins can be retrieved via journalctl, the utility to query structured logs from systemd's logging service.

journalctl -u sshd

This will display the detailed logs for each SSH login to the server machine. Read more on the different parameters that can be used for querying the logs in this article.
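An added example, not part of the original post: a small parser that reads text in the default `journalctl -u sshd` line format and reports accepted logins, failed attempts per source address, and accepted logins that came right after repeated failures from the same address. The sample log lines, the hostname, the threshold and the function name are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the default `journalctl -u sshd` line format.
SAMPLE_LOG = """\
Sep 13 10:02:11 archbox sshd[2101]: Accepted password for alice from 192.168.68.110 port 51514 ssh2
Sep 13 10:07:40 archbox sshd[2130]: Failed password for invalid user admin from 192.168.68.120 port 40022 ssh2
Sep 13 10:07:44 archbox sshd[2130]: Failed password for invalid user test from 192.168.68.120 port 40030 ssh2
Sep 13 10:07:49 archbox sshd[2133]: Failed password for alice from 192.168.68.120 port 40041 ssh2
Sep 13 10:07:55 archbox sshd[2133]: Accepted password for alice from 192.168.68.120 port 40050 ssh2
Sep 13 10:09:00 archbox sshd[2133]: Connection closed by 192.168.68.120 port 40050
Sep 13 10:12:30 archbox sshd[2150]: Accepted publickey for bob from 192.168.68.111 port 50222 ssh2: ED25519 SHA256:CONSTRUCTED
"""

# The user field is matched greedily and the pattern is anchored on the
# trailing "from <ip> port <n> ssh2", so a username containing spaces or the
# word "from" cannot shift the parsed source address.
EVENT = re.compile(
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>.*) from (?P<ip>\S+) port \d+ ssh2(?:: .*)?$"
)

def summarize(log_text, threshold=3):
    """Return accepted logins, failure counts per source IP, and accepted
    logins that followed at least `threshold` failures from the same IP."""
    accepted, failures, after_failures = [], Counter(), []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if m is None:
            continue  # not an authentication result line
        user, ip = m["user"], m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
        else:
            accepted.append((user, ip, m["method"]))
            if failures[ip] >= threshold:
                after_failures.append((user, ip, failures[ip]))
    return {"accepted": accepted, "failures": dict(failures),
            "accepted_after_failures": after_failures}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

An entry under accepted_after_failures is the pattern worth a second look: a password login that succeeded from an address that had just failed several times.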

References

Secure Shell. Wikipedia. Retrieved 2024, September 13 from https://en.wikipedia.org/wiki/Secure_Shell
Gite, V. Linux start sshd (OpenSSH) server command. https://www.cyberciti.biz/faq/linux-start-sshd-openssh-server-command/
Todd, E. How to View SSH Logs? https://www.strongdm.com/blog/view-ssh-logs
Terpollari, O. How to Install OpenSSH Server In Linux. https://www.tecmint.com/install-openssh-server-in-linux/