OpenSSH

OpenSSH is used to securely run a shell on a remote system. If you have a user account on a remote Linux system that is running the SSH service, ssh is the command normally used to log into that system. The ssh command can also be used to execute a single command on the remote system.

Syntax to connect to a remote host
ssh <user>@<host>

Connect to a remote host
$ ssh juniour@192.168.2.34
The authenticity of host '192.168.2.34 (192.168.2.34)' can't be established.
ECDSA key fingerprint is SHA256:IkEL1FLfd6Tzb6pwDg0Sx8bhpczQLNXimGn5tKhKQAo.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.34' (ECDSA) to the list of known hosts.
juniour@192.168.2.34's password:
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 3.16.0-30-generic x86_64)
* Documentation:  https://help.ubuntu.com/
New release '16.04.4 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
WARNING: Security updates for your current Hardware Enablement Stack
ended on 2016-08-04:
* http://wiki.ubuntu.com/1404_HWE_EOL
There is a graphics stack installed on this system. An upgrade to a
configuration supported for the full lifetime of the LTS will become
available on 2016-07-21 and can be installed by running 'update-manager'
in the Dash.
Last login: Wed Jun 27 11:54:49 2018 from 192.168.2.10
juniour@hackaholic:~$ whoami
juniour
juniour@hackaholic:~$

Execute a command on a remote host
Syntax: ssh <user>@<host> <command>

$ ssh juniour@192.168.2.34 hostname
juniour@192.168.2.34's password:
hackaholic

SSH Host keys:

SSH authenticates the server using public-key cryptography. When an SSH client connects to an SSH server, before the user logs in, the server sends a copy of its host public key. This key is used to set up the secure communication channel and to authenticate the server to the client.
The first time a user connects to a server, the ssh command stores the server's public key in the user's ~/.ssh/known_hosts file. On every later connection the client checks that the public key it receives from the server is the same one stored in ~/.ssh/known_hosts. If the key sent by the server does not match the stored one, ssh drops the connection, on the assumption that the network is being hijacked or the server has been breached.

In the first example ($ ssh juniour@192.168.2.34) you can see this happen: ssh shows the fingerprint, asks for confirmation, and then prints Warning: Permanently added '192.168.2.34' (ECDSA) to the list of known hosts.

Server host keys are stored in /etc/ssh
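The known_hosts check described above, written out as an added shell example (not from the original post and not OpenSSH's own code): a function that reaches the same three verdicts ssh does, run over a constructed known_hosts file with made-up key blobs. It handles the comma-separated alias form that "Permanently added" writes, and it skips hashed and marker entries; those limits, and the names KEY_ONE, KEY_TWO, write_sample_known_hosts and check_host_key, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post or of OpenSSH itself: the
# known_hosts decision described above, as a small shell function run over a
# constructed known_hosts file. The key blobs are made-up base64-looking text,
# not real keys.

# Two constructed key blobs standing in for what a server would send.
KEY_ONE='AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEXAMPLEKEYONE='
KEY_TWO='AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYTWOCONSTRUCTED='

# Constructed known_hosts: one entry per line, "hostnames keytype blob", where
# the first field may list several names separated by commas, exactly as the
# "Permanently added ..." step writes them.
KNOWN_HOSTS_SAMPLE="192.168.2.34 ecdsa-sha2-nistp256 $KEY_ONE
hackaholic,192.168.2.35 ssh-ed25519 $KEY_TWO"

# write_sample_known_hosts: write the sample to a temp file and print its path.
write_sample_known_hosts() {
    f=$(mktemp)
    printf '%s\n' "$KNOWN_HOSTS_SAMPLE" > "$f"
    printf '%s\n' "$f"
}

# check_host_key FILE HOST KEYTYPE BLOB
# Prints MATCH    - stored key for HOST/KEYTYPE equals BLOB: ssh connects silently
#        MISMATCH - HOST/KEYTYPE is known but with a different key: ssh aborts
#                   ("REMOTE HOST IDENTIFICATION HAS CHANGED!")
#        UNKNOWN  - no entry for HOST/KEYTYPE: ssh shows the fingerprint and asks
# Assumption: plaintext entries only. Hashed "|1|..." lines (HashKnownHosts yes)
# and "@cert-authority"/"@revoked" marker lines are skipped, not evaluated.
check_host_key() {
    awk -v host="$2" -v ktype="$3" -v kblob="$4" '
        /^[ \t]*(#|$)/          { next }   # comments and blank lines
        index($1, "|1|") == 1  { next }   # hashed entry, needs an HMAC to compare
        index($1, "@") == 1    { next }   # marker line
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) {
                if (names[i] == host && $2 == ktype) {
                    found = 1
                    if ($3 == kblob) { matched = 1; exit }
                }
            }
        }
        END {
            if (matched)    print "MATCH"
            else if (found) print "MISMATCH"
            else            print "UNKNOWN"
        }
    ' "$1"
}

# Demonstration of the outcomes.
kh=$(write_sample_known_hosts)
echo "same key as stored:     $(check_host_key "$kh" 192.168.2.34 ecdsa-sha2-nistp256 "$KEY_ONE")"
echo "different key offered:  $(check_host_key "$kh" 192.168.2.34 ecdsa-sha2-nistp256 AAAAdifferentblob=)"
echo "alias name, same key:   $(check_host_key "$kh" hackaholic ssh-ed25519 "$KEY_TWO")"
echo "host never seen before: $(check_host_key "$kh" 10.0.0.9 ecdsa-sha2-nistp256 "$KEY_ONE")"
rm -f "$kh"
```

The MISMATCH branch is the one that matters operationally: a changed key is either a legitimate reinstall or an interception, and the right response is to confirm the new fingerprint out of band (for example from the server's /etc/ssh host keys) before removing the old known_hosts line, not to delete it blindly.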

SSH key-based authentication (passwordless authentication):

A user can authenticate an ssh login without a password using public-key authentication. ssh uses asymmetric encryption: to send data in a single direction, two associated keys are needed. One of these keys is known as the private key, while the other is called the public key. The public key can be freely shared with any party. It is associated with its paired key, but the private key cannot be derived from the public key. The mathematical relationship between the public key and the private key allows the public key to encrypt messages that can only be decrypted by the private key. This is a one-way ability: the public key cannot decrypt the messages it encrypts, nor can it decrypt anything the private key sends to it.

The private key should be kept entirely secret and should never be shared with another party. This is a key requirement for the public key paradigm to work. The private key is the only component capable of decrypting messages that were encrypted using the associated public key.

Key generation:
Keys are generated with the ssh-keygen command. By default this creates the private key ~/.ssh/id_rsa and the public key ~/.ssh/id_rsa.pub.

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/kumarshubham/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/kumarshubham/.ssh/id_rsa.
Your public key has been saved in /Users/kumarshubham/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:gkR7ZEE7eX5AJj3joR1Yl6YG344iEP90T+zfH2+3su8 kumarshubham@15-0004-kumarshubham.local
The key's randomart image is:
+---[RSA 2048]----+
|    ..*=+ ..     |
|  .. +o**.o      |
|   oo =*oX       |
|  ...oo+B.+      |
|   ..o.oS*.      |
|    . o...+      |
|     . .   . . . |
|            ... =|
|             .=E=|
+----[SHA256]-----+

Now you will see private key (id_rsa) and public key (id_rsa.pub) in ~/.ssh directory.

Note: Always provide a passphrase during key generation. The passphrase protects the private key: if the key file is stolen, it is difficult to use without the passphrase. A private key with no passphrase is dangerous. Don't leave the passphrase blank.

$ ls ~/.ssh
id_rsa           id_rsa.pub       id_telstra_rsa       id_telstra_rsa.pub    known_hosts

The public key id_rsa.pub needs to be copied to the destination system. The ssh-copy-id command will help copy the key.

Syntax: ssh-copy-id -i <public_key> <user>@<host>

$ ssh-copy-id -i ~/.ssh/id_rsa.pub juniour@192.168.2.34
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/kumarshubham/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
juniour@192.168.2.34's password:
Number of key(s) added:        1
Now try logging into the machine, with:   "ssh 'juniour@192.168.2.34'"
and check to make sure that only the key(s) you wanted were added.
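What ssh-copy-id does on the destination side, reproduced as an added example that is not from the original post or from OpenSSH: the function appends the public key to ~/.ssh/authorized_keys, refuses to add the same key twice (the "filter out any that are already installed" step in the output above), sets the permissions sshd requires, and gives you a count to do the "check to make sure that only the key(s) you wanted were added" step. The key line and the throwaway home directory are constructed, and install_pubkey and count_keys are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the original post or of OpenSSH: what ssh-copy-id
# does on the destination host, written as a shell function so the effect on
# ~/.ssh/authorized_keys is visible and checkable. The key line is constructed.

SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLECONSTRUCTEDKEY kumarshubham@laptop'

# install_pubkey "KEYTYPE BLOB [COMMENT]" HOME_DIR
# Creates HOME_DIR/.ssh (mode 700) and authorized_keys (mode 600) if needed,
# appends the key unless the same type+blob is already present, and prints
# ADDED or PRESENT. sshd ignores authorized_keys if the file or directory is
# group/world-writable while StrictModes is on (the default), hence the chmods.
# Assumption: plain "type blob comment" lines, no leading options field.
install_pubkey() {
    key=$1; dir="$2/.ssh"; ak="$dir/authorized_keys"
    mkdir -p "$dir"
    chmod 700 "$dir"
    [ -f "$ak" ] || : > "$ak"
    chmod 600 "$ak"
    ktype=$(printf '%s\n' "$key" | awk '{print $1}')
    kblob=$(printf '%s\n' "$key" | awk '{print $2}')
    # Match on type and blob only; the trailing comment is informational.
    if awk -v t="$ktype" -v b="$kblob" '$1 == t && $2 == b { found = 1 } END { exit !found }' "$ak"; then
        echo PRESENT
    else
        printf '%s\n' "$key" >> "$ak"
        echo ADDED
    fi
}

# count_keys HOME_DIR: number of key lines in authorized_keys (comments and
# blank lines excluded). Compare this with the number of keys you meant to add.
count_keys() {
    ak="$1/.ssh/authorized_keys"
    if [ ! -f "$ak" ]; then echo 0; return; fi
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$ak" || true
}

# Demonstration against a throwaway home directory.
demo_home=$(mktemp -d)
install_pubkey "$SAMPLE_KEY" "$demo_home"   # ADDED
install_pubkey "$SAMPLE_KEY" "$demo_home"   # PRESENT: running it again is harmless
echo "keys installed: $(count_keys "$demo_home")"
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

Reviewing authorized_keys after each install, as the ssh-copy-id output suggests, is a cheap control: every line in that file is a login credential for the account, so an unexpected extra key is worth investigating.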

Now try to log in to the remote system.
$ ssh juniour@192.168.2.34
Enter passphrase for key '/Users/kumarshubham/.ssh/id_rsa':

Now it asks for the passphrase of the private key, so what is the point of using a key for passwordless ssh? The prompt can be avoided with the ssh-add command, which loads the decrypted private key into the ssh-agent so that later connections use it without asking again (an ssh-agent must be running in your session for this to work).
$ ssh-add
Enter passphrase for /Users/kumarshubham/.ssh/id_rsa:

Now we can log in to the remote system without being prompted.

$ ssh juniour@192.168.2.34
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 3.16.0-30-generic x86_64)
* Documentation:  https://help.ubuntu.com/
New release '16.04.4 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
WARNING: Security updates for your current Hardware Enablement Stack
ended on 2016-08-04:
* http://wiki.ubuntu.com/1404_HWE_EOL
There is a graphics stack installed on this system. An upgrade to a
configuration supported for the full lifetime of the LTS will become
available on 2016-07-21 and can be installed by running 'update-manager'
in the Dash.
Last login: Wed Jun 27 12:47:16 2018 from 192.168.2.10

OpenSSH service configuration

The configuration file is /etc/ssh/sshd_config. Many features can be enabled or disabled from this file. Some of them are covered below; for more, see man sshd_config.

Deny root login:
PermitRootLogin no

Prohibit password login, so only key-based login is allowed:
PasswordAuthentication no

Prohibit a list of users from logging in:
DenyUsers usera userb
Provide the list of users separated by spaces.

sshd_config keywords are case-insensitive, so the spellings permitRootLogin and passwordAuthentication are also accepted; the canonical spelling is used above. After editing, check the file with sshd -t before reloading the service, and keep your current session open until a fresh login with the new settings succeeds.
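An added example, not from the original post: a shell audit of the three settings above, run over two constructed sshd_config files, one weak and one hardened. effective_value, audit_sshd_config and write_tmp are names chosen here. The parsing follows two sshd rules that trip people up: keywords are case-insensitive, and when a keyword appears more than once sshd honours the first occurrence, so a hardening line appended at the bottom of a file that already sets the option does nothing.

```shell
#!/bin/sh
# Added example, not part of the original post or of OpenSSH: a small audit of
# the three sshd_config settings above, run over two constructed config files.
# Modelled sshd parsing rules: keywords are case-insensitive; for a keyword set
# more than once sshd uses the FIRST occurrence; options absent from the file
# take sshd's built-in default (PasswordAuthentication defaults to "yes";
# PermitRootLogin defaults to "prohibit-password" since OpenSSH 7.0, "yes" before).

# Constructed: a weak config. The second PermitRootLogin line has no effect.
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no'

# Constructed: the hardened equivalent, with lowercase keywords to show that
# keyword case does not matter to sshd. Settings inside a Match block are
# per-match overrides and are not the global value.
HARDENED_CONFIG='Port 22
permitrootlogin no
passwordauthentication no
DenyUsers usera userb
Match User deploy
    PasswordAuthentication yes'

# write_tmp CONTENT: write CONTENT to a temp file and print its path.
write_tmp() {
    f=$(mktemp)
    printf '%s\n' "$1" > "$f"
    printf '%s\n' "$f"
}

# effective_value FILE KEYWORD: the global value sshd would use, or "(default)".
# Assumption: "Keyword value" separated by whitespace (the "Keyword=value" form
# sshd also accepts is not handled here).
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/          { next }     # comments and blank lines
        tolower($1) == "match"  { exit }     # the global section ends at the first Match
        tolower($1) == key      { $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit }
        END { if (!found) print "(default)" }
    ' "$1"
}

# audit_sshd_config FILE: one line per setting; exit status 0 only if both
# PermitRootLogin and PasswordAuthentication resolve to "no".
audit_sshd_config() {
    rc=0
    for kw in PermitRootLogin PasswordAuthentication; do
        v=$(effective_value "$1" "$kw")
        if [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" = no ]; then
            echo "ok    $kw $v"
        else
            echo "weak  $kw $v"; rc=1
        fi
    done
    echo "info  DenyUsers $(effective_value "$1" DenyUsers)"
    return $rc
}

# Demonstration over both constructed files.
weak=$(write_tmp "$WEAK_CONFIG")
echo "== weak config";     audit_sshd_config "$weak" || echo "-> needs attention"
hard=$(write_tmp "$HARDENED_CONFIG")
echo "== hardened config"; audit_sshd_config "$hard" && echo "-> passes"
rm -f "$weak" "$hard"
```

Run against a real /etc/ssh/sshd_config the same function reports what the daemon will actually enforce rather than what the last edit intended; sshd -T (extended test mode) prints the fully resolved configuration and is the authoritative check when a Match block or an include makes the file hard to read.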
