Fun with SSH

What is SSH?

SSH stands for "secure shell". Using SSH allows you to securely connect to a remote server, just as if you were sitting in front of the server's keyboard. To use SSH you will need an SSH client, and a server that will allow SSH login. You will also need to have a valid user name and password for the server.

Although SSH is used most commonly to remotely administer computers, an SSH connection can also be used to transfer files (with sftp or scp), run programs (command line, or graphical programs forwarded over X11), or to tunnel other network traffic (such as web browsing) through a server you trust.

UNIX-based or UNIX-like operating systems (such as OS X and Linux) ship an SSH client. On Windows, there are several programs that support SSH, and recent versions of Windows 10 and 11 include an OpenSSH client of their own. I use PuTTY, a free TTY emulator, to perform SSH operations on Windows systems. Although the directions below assume that you are using a UNIX/Linux system, most of the operations will work just fine on Windows using PuTTY.

Using ssh to log in to a server

The syntax for using ssh is:

$ ssh [username]@[hostname]

If you are connecting to a server account that uses the same user name as your local account, you don't need to specify the remote user name.

Create an ssh connection to a remote server:

In Terminal, enter:

$ ssh [some.webserver.com]

At this point, if you've never accessed this specific ssh server from your computer before, you'll be prompted to verify the fingerprint of the server's host key. Before answering "yes", compare the fingerprint against one you obtained out of band (from the server's console, your hosting provider's control panel, or the administrator); accepting an unverified key is the one moment a man-in-the-middle can slip in unnoticed. Answering "yes" saves the key in ~/.ssh/known_hosts. If the key ever changes, ssh (and scp, sftp and sshfs, which use the same client) prints a loud "REMOTE HOST IDENTIFICATION HAS CHANGED" warning and refuses to connect, since a changed key can indicate a man-in-the-middle attack in progress. It can also simply mean the server was reinstalled; find out which before removing the old entry with ssh-keygen -R [hostname].

You will be prompted to enter the password for the remote account. After you have entered a valid password, you will be logged in to the remote server.
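The paragraph above says to verify the fingerprint; the script below does that before the first connection rather than at the interactive prompt, and makes a later mismatch a hard failure. This is an added example, not code from the original post: the function names and the ~/.ssh paths are mine, and it assumes OpenSSH's ssh-keyscan and ssh-keygen are installed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): pin a server's host key from a
# fingerprint obtained out of band instead of answering "yes" blindly.
# Assumes OpenSSH's ssh-keyscan and ssh-keygen; function names are mine.

# check_key_fingerprint KEYFILE EXPECTED_FP
#   KEYFILE holds one or more public keys in OpenSSH or known_hosts format.
#   Returns 0 if any key's fingerprint equals EXPECTED_FP in the
#   "SHA256:..." form that ssh-keygen -l prints, 1 otherwise.
check_key_fingerprint() {
    keyfile=$1
    expected=$2
    # ssh-keygen -l prints: "<bits> SHA256:<hash> <comment> (<type>)"
    ssh-keygen -lf "$keyfile" 2>/dev/null | awk -v want="$expected" '
        $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# pin_host_key HOST EXPECTED_FP [KNOWN_HOSTS]
#   Fetches HOST's Ed25519 host key over the network, checks it against the
#   fingerprint you were given out of band, and only then appends it to
#   KNOWN_HOSTS (default ~/.ssh/known_hosts). Never saves a key that fails.
pin_host_key() {
    host=$1
    expected=$2
    known_hosts=${3:-"$HOME/.ssh/known_hosts"}
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    # -t ed25519: ask for one key type so there is one fingerprint to compare;
    # use -t rsa for a server that only has an RSA host key
    ssh-keyscan -t ed25519 "$host" > "$tmp" 2>/dev/null
    if [ ! -s "$tmp" ]; then
        echo "no host key received from $host" >&2
        return 2
    fi
    if check_key_fingerprint "$tmp" "$expected"; then
        mkdir -p "$(dirname "$known_hosts")"
        chmod 700 "$(dirname "$known_hosts")"
        cat "$tmp" >> "$known_hosts"
        echo "pinned $host in $known_hosts"
    else
        echo "FINGERPRINT MISMATCH for $host: possible man-in-the-middle, not saving" >&2
        return 1
    fi
}

# Usage (needs network):
#   pin_host_key some.webserver.com SHA256:AbCd...   # fingerprint from the server's console
#   ssh -o StrictHostKeyChecking=yes user@some.webserver.com
# With StrictHostKeyChecking=yes a missing or changed key is a hard error
# rather than a prompt you can click through.
```

The pinning step is the part the interactive prompt skips: the fingerprint has to come from somewhere other than the connection you are about to trust. Once the key is in known_hosts, StrictHostKeyChecking=yes in ~/.ssh/config turns any future change into a refusal to connect.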

Create an SSH tunnel for secure web browsing

Using an SSH tunnel for web browsing or other internet activity, such as email, keeps your traffic away from eavesdroppers on the local network, for example when you are using an unencrypted wireless connection. Your internet traffic is encrypted between your computer and the remote server and emerges from the server exactly as your applications sent it. Note what this does and does not protect: the operator of the hotspot sees only one SSH connection to your server, but the server and its network see everything you sent, so plain HTTP is still readable past that point. Keep using HTTPS and authenticated mail protocols inside the tunnel as you normally would.

If you want to route traffic through an SSH connection, you will need to set your SSH connection to act as a SOCKS proxy. In Terminal, enter:

$ ssh -D 1080 [username]@[some.webserver.com]

This opens a SOCKS proxy on port 1080 of your local computer that relays connections through the remote server; to use a different port, just change the port number. By default ssh binds the proxy to 127.0.0.1 only. Don't add -g or a bind address such as 0.0.0.0:1080, or anyone else on the wireless network can route their traffic through your server as you. Add -N if you only want the tunnel and not a remote shell.

Once the SSH tunnel is set up, you simply need to change your web browser (or other SOCKS-enabled program) to use your own computer as a proxy. Find the proxy settings for your browser. Select SOCKS v5, enter "localhost" or "127.0.0.1" as the host name and enter the port number you used to create the proxy. In Firefox, also enable "Proxy DNS when using SOCKS v5"; otherwise the browser still resolves host names through the hotspot's DNS server, which reveals every site you visit even though the pages themselves are tunnelled.

If you do a lot of browsing using SSH proxies, you might find it easier to use a program to do the behind-the-scenes setup of your secure tunnel. On a Mac, I use SSH Tunnel Manager to set up secure proxies. On Windows, I prefer Bitvise Tunnelier, which works very well to perform the same task (and many other tasks as well). Both programs are free for personal use.
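For the command-line equivalent of those tunnel managers, the script below starts the proxy in the background, refuses a bind address that would expose it to the network, and lets you check and stop it by name. This is an added example, not code from the original post: the function names and the control-socket path under ~/.ssh are mine, and it assumes OpenSSH 5.6 or later for the -O control commands.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): a managed SOCKS tunnel.
# Function names and the ~/.ssh/socks-*.ctl socket path are mine.

# socks_bind_is_loopback SPEC
#   SPEC is what you hand to -D: "port" or "bind_address:port" (IPv6 in
#   brackets, as ssh requires). Returns 0 when the proxy will only be
#   reachable from this machine, 1 when other hosts on the network could use it.
socks_bind_is_loopback() {
    case $1 in
        *:*) addr=${1%:*} ;;   # strip the trailing :port
        *)   return 0 ;;       # bare port: OpenSSH binds to loopback by default
    esac
    case $addr in
        127.0.0.1|localhost|'[::1]') return 0 ;;
        *) return 1 ;;         # 0.0.0.0, *, or a LAN address: an open proxy
    esac
}

# start_socks_tunnel USER@HOST [SPEC]
#   Starts a background SOCKS5 proxy on SPEC (default 1080, loopback only).
start_socks_tunnel() {
    target=$1
    spec=${2:-1080}
    port=${spec##*:}
    ctl="$HOME/.ssh/socks-$port.ctl"
    socks_bind_is_loopback "$spec" || {
        echo "refusing to expose a SOCKS proxy on $spec" >&2
        return 1
    }
    # -N: no remote shell   -f: background once authenticated
    # -M -S: control socket so the tunnel can be checked and stopped later
    # ExitOnForwardFailure: fail loudly if the port is already taken instead
    # of silently leaving you with no proxy
    ssh -f -N -M -S "$ctl" -o ExitOnForwardFailure=yes -D "$spec" "$target"
}

# tunnel_is_up PORT: 0 if the control socket for PORT answers
tunnel_is_up() {
    ssh -S "$HOME/.ssh/socks-$1.ctl" -O check placeholder 2>/dev/null
}

# stop_socks_tunnel PORT: tears the tunnel down cleanly
stop_socks_tunnel() {
    ssh -S "$HOME/.ssh/socks-$1.ctl" -O exit placeholder
}

# Usage (needs network):
#   start_socks_tunnel user@some.webserver.com 1080
#   curl --socks5-hostname 127.0.0.1:1080 https://example.org
#   stop_socks_tunnel 1080
```

The "placeholder" host argument to -O check and -O exit is ignored when -S names the socket explicitly. curl's --socks5-hostname (rather than --socks5) hands the host name to the proxy so DNS is resolved at the server end, the same thing the Firefox "Proxy DNS" setting does.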

Use sshfs and FUSE to access a remote volume as if it were a local drive

FUSE (Filesystem in Userspace) is a Linux kernel interface that lets an ordinary program provide a filesystem; sshfs is the FUSE filesystem that mounts a remote directory over SSH's SFTP subsystem. MacFUSE is a project supported by Google that aims to replicate the functionality of Linux FUSE on Mac OS X. What this means to a Mac user is that you get all the goodness of Linux FUSE thanks to Google.

On Linux:

Many distributions will have precompiled binaries of FUSE and sshfs available from the package manager (apt-get, yum, etc.). If you want to compile it yourself, download FUSE and sshfs from the FUSE Sourceforge site. Run ./configure and make as your own user, then make install as root.

Once the program is installed, to mount a FUSE volume simply run:

$ sshfs [username]@[hostname]: [mountpoint]

To unmount, run:

$ fusermount -u [mountpoint]

On a Mac:

Start by downloading MacFUSE and sshfs from the Google Code MacFuse project site. Run the MacFUSE installer, and drag the sshfs app into your Applications directory.

Run the sshfs app. It will prompt you for a remote host name and user name. If you wish, you can also specify a directory name.

After entering this information, you will be prompted for your remote password. When the password is validated, the remote volume will appear in your Finder as if it were a local hard drive.

Although the sshfs program will not remember your password, you can skip the password prompt by following the directions below for setting up a public/private key pair for your remote server.

Use scp instead of FTP

FTP is an insecure protocol for transferring files: your password and the files themselves travel in the clear. SFTP (the SSH File Transfer Protocol, which despite the name is not FTP wrapped in SSH but a separate protocol that runs inside an SSH session) fixes that, but the sftp client only moves files between your own computer and one server. Using scp, you can securely transfer files to or from any computer on which you have a valid account, password and SSH access, including directly between two remote servers.

The syntax for using scp is:

$ scp [username]@[hostname]:[source file] [username]@[hostname]:[destination directory]

If you are copying from your local system, you only need to specify the source path (not the user name or host name). If you are copying to a server account that uses the same user name as your local account, you don't need to specify the remote user name.

Use scp to move files between your computer and a remote server:

In Terminal, enter:

$ scp /path/to/some/file [username]@[some.webserver.com]:/path/to/put/file/

It should copy the file, prompting for a password on the remote server. If you have a public/private key pair set up on the server, it will transfer without prompting.

Use scp to transfer files between remote servers:

In Terminal, enter:

$ scp [username]@[source.server.com]:/path/to/some/file [username]@[destination.server.com]:/path/to/put/file/

It should copy the file, prompting for a password for each remote server. (Note: For some reason I see authentication failures when I try to test this with my server after setting a DSA public/private key pair.)

Use ssh and scp without a password prompt

When you log in to an SSH server with a password, your password is sent to the server (inside the encrypted connection) and the server checks it. That is reasonably safe against eavesdroppers, but it means a spoofed or compromised server receives your real password, and that anyone on the internet can keep guessing passwords against the server's SSH port. With a public/private key pair, the private key never leaves your computer: the server only sees a signature it can verify with your public key, which cannot be replayed or guessed. That eliminates the password prompt along with these risks.

Generate an ssh key pair:

For Mac or Linux:

Open Terminal and generate an SSH key using the command:

$ ssh-keygen -t rsa -b 4096

OpenSSH has refused DSA keys by default since version 7.0, and many services have dropped them, so use RSA with at least 3072 bits, or Ed25519 (ssh-keygen -t ed25519), which is smaller and faster. The rest of these directions assume the RSA file names.

Generating public/private rsa key pair.
Enter file in which to save the key (/home/[user]/.ssh/id_rsa):

Hit [enter] for default file name.

Enter passphrase (empty for no passphrase):

Enter a passphrase. The private key file is only as safe as the computer it lives on; a passphrase means a stolen or backed-up copy of the file is useless on its own. You will not have to type it for every connection: run ssh-add once per login session and ssh-agent supplies the key for you (on OS X the Keychain can store it).

Enter same passphrase again:

Type it again to confirm.

Your identification has been saved in /home/[user]/.ssh/id_rsa.
Your public key has been saved in /home/[user]/.ssh/id_rsa.pub.
The key fingerprint is: [long string of number pairs] [user]@[localhost]

Your public and private keys are now saved to ~/.ssh/id_rsa.pub and ~/.ssh/id_rsa, respectively. The .pub file is the only one you ever copy anywhere; the private key stays on your computer with mode 600.

For Windows:

You will need the key generator program PuTTYgen, available from the PuTTY website. Run the program and choose Ed25519, or RSA with at least 3072 bits (1024-bit RSA is no longer considered safe). PuTTYgen will create the public and private keys for you, based on random numbers generated by your mouse movements. You will be prompted to enter a passphrase for your key pair; use one. Save the private key (.ppk) where you can find it, and copy the public key shown in the "Public key for pasting into OpenSSH authorized_keys file" box into a text file to upload to your server; the .ppk file itself is in PuTTY's own format and is not what the server needs. When you go to use this key, you will need to tell your PuTTY session where to find it, and enter your passphrase to enable the key. The Pageant program can help simplify this procedure; see the PuTTY documentation for more information.

Copy the key to your Web server:

The simplest way is ssh-copy-id, which ships with OpenSSH. In Terminal, enter:

$ ssh-copy-id -i ~/.ssh/id_rsa.pub [username]@[some.webserver.com]

If ssh-copy-id is not available, append the key by hand. Don't scp the file straight over the server's ~/.ssh/authorized_keys, as that overwrites any keys already installed there (and the authorized_keys2 name you may see in older guides is a long-deprecated fallback; use authorized_keys):

$ cat ~/.ssh/id_rsa.pub | ssh [username]@[some.webserver.com] 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'

If your user name on the web server is the same as on the local computer, you can leave out [username]@. You will be prompted for your password on the server. Enter it, and the key will be appended.

Alternatively, if you already have an authorized_keys file on your server, you can open it with a text editor and paste in new public keys. Each key occupies exactly one line, however long; a key that has been wrapped by a mail client or editor will not work. Save the file and exit the text editor when you are finished.

Test the ssh key:

In Terminal, enter:

$ ssh [some.webserver.com]

It should log you in without asking for the account password (if you protected the key with a passphrase, ssh or the agent asks for that instead). If not, run ssh -v [some.webserver.com] and look at which authentication methods are offered and tried. The usual culprit is file permissions on the server: sshd ignores ~/.ssh/authorized_keys unless ~/.ssh is mode 700, the file is mode 600 and your home directory is not writable by others (this is the StrictModes check). Also check that the server allows public key authentication (PubkeyAuthentication yes in sshd_config; most servers have this enabled by default). Once it works, consider turning off password logins on that server entirely (PasswordAuthentication no), since the key is now the only credential you need.
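The steps above (copy the key, get the file name and permissions right, then test) are what this script does on the server side; it also serves the sshfs and scp sections, which rely on the same authorized_keys file. This is an added example, not code from the original post: the function names are mine, the key line used in the comments is constructed and not a real key, and it assumes an OpenSSH sshd.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): install a public key the way
# sshd expects it. Function and path names are mine; assumes OpenSSH on the
# server. Run it on the server, or pipe the same steps over ssh (see below).

# valid_pubkey_line LINE
#   Accepts "[options] keytype base64blob [comment]" for the key types current
#   OpenSSH will actually use. ssh-dss is deliberately absent: OpenSSH has
#   refused DSA keys by default since 7.0, so installing one buys nothing.
valid_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq \
        '(^|[[:space:]])(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*([[:space:]]|$)'
}

# install_authorized_key PUBKEY_FILE [AUTHORIZED_KEYS]
#   Appends the key in PUBKEY_FILE to authorized_keys (not authorized_keys2,
#   a pre-2001 compatibility name) without duplicating it, and sets the modes
#   sshd's StrictModes check demands: the directory 700, the file 600.
install_authorized_key() {
    pubkey_file=$1
    auth=${2:-"$HOME/.ssh/authorized_keys"}
    line=$(head -n 1 "$pubkey_file")
    valid_pubkey_line "$line" || { echo "not a usable public key: $line" >&2; return 1; }
    mkdir -p "$(dirname "$auth")"
    chmod 700 "$(dirname "$auth")"
    touch "$auth"
    chmod 600 "$auth"
    # match on the key blob only, so the same key with a new comment is not added twice
    blob=$(printf '%s\n' "$line" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-)/) { print $(i + 1); exit } }')
    grep -qF -- "$blob" "$auth" && return 0
    printf '%s\n' "$line" >> "$auth"
}

# count_authorized_keys AUTHORIZED_KEYS
#   Prints how many key lines the file holds (comments and blanks ignored).
count_authorized_keys() {
    grep -cE '(ssh-|ecdsa-)[a-z0-9-]+ [A-Za-z0-9+/]+=*' "$1" || true
}

# Usage on the server, after copying id_rsa.pub over:
#   install_authorized_key ~/id_rsa.pub
# A key for sshfs/scp only, with a constructed (not real) blob, would look like:
#   restrict,command="internal-sftp" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexample backup
```

From your own computer the same steps in one line are: cat ~/.ssh/id_rsa.pub | ssh [username]@[some.webserver.com] 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'. The restrict,command="internal-sftp" prefix (OpenSSH 7.2 or later) is worth using for the key an sshfs mount or a backup job relies on: that key can then only drive the SFTP subsystem (sshfs, sftp, and scp from OpenSSH 9.0 on, which speaks SFTP by default) and cannot open a shell or forward ports if it is ever stolen.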


Shamelessly stolen from (er, inspired by) Lifehacker and O'Reilly Network.

Creative Commons License