home

SSH: The Good, The Bad, The Ugly

What is SSH?

SSH, or Secure Shell, is a network protocol which allows the secure communication between computers. Usually when you hear about SSH, it will be in the context of using a command line utility to login or execute programs remotely. SSH follows the client-server architecture paradigm, meaning that a secure channel will be formed between an SSH client application and an SSH server.

How does SSH work?

SSH uses something called "public key cryptography" to authenticate clients to communnicate with servers. Public key cryptography (a form of asymmetrical encryption) relies on pairs of keys: public keys and private keys. Public keys can be shared, and private keys are only known by a single owner.

The public key is related to its paired private key, but it's not possible to derive a private key from a public key. The relationship between the private and public key means that the public key can be used to encrypt messages that can only be decrypted by using the private key. The server with the public key cannot decrypt anything sent using the private key, only the other way around. This means that you should never share a private key.

SSH can use this form of cryptography to authenticate a client to a server. The client can generate a key pair, and upload the public key to any remote server the client wishes to access remotely. Once this has happened, the server is able to use the public key to encrypt a 'hello' message to the client, and if the client is able to decrypt it (i.e. the client has the correct private key) then it has shown it is the authenticated client and so the communication can start with the correct environment.

diagram

Why is SSH useful?

Some typical uses of SSH include:

  • Enabling remote commands to be executed on a server.
  • Managing network infrastructure and systems.

This is particularly useful if you need to interact with a hosted application or server, either to access files on that host, or to execute remote commands. These commands can vary from outputting environment variables to modifying data stores.

The pattern/syntax for initiating SSH on a Unix machine is below:

ssh [-l username] hostname | user@remote-hostname [command]

This means you can connect to a remote server using something similar to the the following command:

emilys-macbook> ssh username@remote-host
username@remote-host password:
remote-server> ...

If you are running a particular command on a remote host then you can use the following syntax:

ssh user@remote-host "env"
URL=https://www.google.com
USERNAME=test

The above command will connect to the remote server and then will run the env command. In this case, env will output all of the environment variables for this server. The output of the command will be output to the client terminal (e.g. my laptop.), and then closes the connection.

If you are accessing a host with a Ruby on Rails application running on it for example, you could run:

ssh user@remote-host "rails console --sandbox"
Loading development environment in sandbox (Rails 5.1.0)
Any modifications you make will be rolled back on exit
irb(main):001:0>

You will then be able to run commads inside the rails console on the remote machine from your command line!

Tools like GitHub provide the option of using SSH to connect to their services, you can find more information about that here.

How do I set SSH up?

To generate a pair of SSH keys, you can run the following command:

ssh-keygen

You will then see an output like:

Generating public/private rsa key pair.
Enter file in which to save the key (/Users/your-user/.ssh/id_rsa):

You can accept the default location to save the key by pressing enter, and then you will be prompted to enter a password. After this is complete, when you navigate to Users/your-user/.ssh you will see files called id_rsa and id_rsa.pub. id_rsa contains your private key, and id_rsa.pub contains your public key.

Then you will want to add your new key to the SSH agent. The SSH agent handles signing of authentication data, so that when you try to use the key you will only have to enter your password once instead of every time you authenticate.

To do this, you will need to run the SSH agent in the background by running:

eval "$(ssh-agent -s)"

You can then add your SSH private key to the agent by running the following command:

ssh-add -K ~/.ssh/id_rsa

When you attempt to use SSH in the future, you will have to enter your password once and then you shouldn't have to again. This ssh-add command will need to be run every time your computer restarts.

Resources