What is SSH? A Comprehensive Guide to Basic Usage and Security Measures
SSH (Secure Shell) is a protocol for secure remote server connections. We cover everything from basic commands to key authentication and security measures.
What is SSH? A Clear Explanation of Basic Concepts
SSH (Secure Shell) is a protocol for establishing encrypted, secure communication between computers over a network. It is primarily used for logging into remote servers, executing commands, and transferring files, and has become an indispensable technology in modern server management.
Traditional remote connection protocols like Telnet and rlogin transmitted communication data in plaintext (unencrypted), posing a significant security risk: if packets were intercepted, usernames and passwords could be leaked. SSH was developed in 1995 by Tatu Ylönen at the Helsinki University of Technology, fundamentally solving these problems by encrypting communication data.
Today, SSH is adopted not only for managing Linux and Unix-based servers but also as a standard tool for Windows server management. It is widely used in cloud and container environments as well.
How SSH Works: The Basics of Encryption and Authentication
Communication Encryption
SSH uses multiple cryptographic techniques to protect communication between the client and server. The following steps occur during connection establishment:
First, the client and server agree on encryption algorithms and key exchange methods (negotiation). Then, a shared secret key is securely exchanged using methods like Diffie-Hellman key exchange or Elliptic Curve Diffie-Hellman (ECDH). All subsequent communication data is encrypted using this shared key.
Common encryption algorithms used in SSH include AES (Advanced Encryption Standard) and ChaCha20-Poly1305. HMAC (Hash-based Message Authentication Code) is also used to ensure data integrity.
Authentication Methods
SSH primarily offers three authentication methods:
Password authentication is the most common, where users log in by entering a username and password. It is simple to configure, but without a strong password, it can be vulnerable to brute-force attacks.
Public key authentication is a more secure method using asymmetric cryptography. A private key is placed on the client side, and a public key on the server side. Authentication is performed via a challenge-response mechanism during connection. Since passwords are not transmitted over the network, security is significantly improved.
Kerberos authentication integrates with a centralized authentication infrastructure within an organization and is often adopted in large enterprise environments.
Basic SSH Usage: Commands and Connection Methods
Connecting to a Server with SSH
The most basic SSH connection command is:
ssh username@server_ip_address
For example, if the username is “taro” and the server’s IP address is 192.168.1.100, you would enter:
ssh taro@192.168.1.100
On the first connection, the fingerprint of the server’s host key is displayed, and you are prompted with “Are you sure you want to continue connecting (yes/no)?”. Entering “yes” saves the server’s public key in the client’s known_hosts file, and this confirmation is skipped on subsequent connections.
To use a port other than the default port 22, specify the -p option:
ssh -p 2222 taro@192.168.1.100
Executing Remote Commands
With SSH, you can execute commands directly on the server without logging in interactively.
ssh taro@192.168.1.100 "df -h"
This command connects to the server, checks disk usage, displays the result locally, and then automatically disconnects. This is extremely useful when using SSH from scripts.
File Transfer with SCP
SCP (Secure Copy Protocol) is a tool for securely transferring files using SSH’s encrypted channel.
To upload a local file to the server:
scp local_file_path username@server_ip:remote_path
To download a file from the server to local:
scp username@server_ip:remote_file_path local_path
To transfer an entire directory, add the -r option.
Synchronization Transfer with rsync
For transferring large numbers of files or performing regular backups, rsync is suitable. rsync uses SSH as a tunnel and transfers only differences, making it efficient.
rsync -avz -e ssh local_path username@server_ip:remote_path
The -a option specifies archive mode (preserving permissions and timestamps), -v for verbose output, and -z for compression during transfer.
Steps to Set Up SSH Key Authentication
Generating a Key Pair
The first step in setting up public key authentication is generating a key pair on the client side. Run the following command in the terminal:
ssh-keygen -t ed25519 -C "your_email@example.com"
The -t option specifies the key type. Ed25519 is the currently recommended key type, offering high security with a shorter key length than RSA. If an RSA key is needed, specify -t rsa -b 4096.
When executed, you will be prompted for a location to save the key and for a passphrase. Setting a passphrase enhances security because even if the private key is leaked, only someone who knows the passphrase can use it.
Placing the Public Key on the Server
After generating the key pair, id_ed25519 (private key) and id_ed25519.pub (public key) are created in the ~/.ssh/ directory. The easiest way to place the public key on the server is using the ssh-copy-id command:
ssh-copy-id taro@192.168.1.100
Running this command will prompt for a password and then automatically add the public key to the ~/.ssh/authorized_keys file on the server.
For manual setup, copy the contents of the client’s public key and paste it into the ~/.ssh/authorized_keys file on the server. The permissions for this file must be set to 600.
Connection Test and Disabling Password Authentication
After setting up key authentication, perform a connection test first. If the connection works, you can disable password authentication on the server side for enhanced security.
Edit the /etc/ssh/sshd_config file and make the following settings:
PasswordAuthentication no
PubkeyAuthentication yes
After changing the settings, restart the SSH service with the systemctl restart sshd command. Before disabling password authentication, ensure that connection via key authentication works reliably. Be cautious, as a misconfiguration could lock you out.
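An added example (not the article’s own code, nor OpenSSH’s) of the manual placement described above, carried out with the checks that ssh-copy-id performs: the pasted line is validated as a public key, the directory and file get the modes sshd requires, and the key is appended only once. The public-key line and the scratch directory are constructed for the demo.

```shell
# Constructed sample public key line. The base64 blob is made up for this
# example (correct length and alphabet for ed25519, but not anyone's real key).
PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampleA taro@laptop'

# Accept only "<type> <base64> [comment]" lines of known key types, which
# rejects private-key material or shell junk pasted by mistake.
pubkey_valid() {
    printf '%s\n' "$1" | grep -Eq \
      '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# Install a public key into $1/authorized_keys the way ssh-copy-id does:
# directory 700, file 600 (sshd with StrictModes refuses looser modes), and the
# key appended only once, matched on type+blob so a changed comment is not a
# new key. Exit status: 0 added, 2 already present, 1 rejected.
install_pubkey() {
    dir=$1; line=$2
    pubkey_valid "$line" || return 1
    set -- $line; keyid="$1 $2"          # type and blob, comment dropped
    (umask 077; mkdir -p "$dir") || return 1
    chmod 700 "$dir"
    [ -f "$dir/authorized_keys" ] || : >"$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
    if grep -Fq -- "$keyid" "$dir/authorized_keys"; then return 2; fi
    printf '%s\n' "$line" >>"$dir/authorized_keys"
}

# Stand-alone demo against a scratch directory, not the real ~/.ssh.
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
install_pubkey "$DEMO/.ssh" "$PUBKEY"; echo "first install: $?"
install_pubkey "$DEMO/.ssh" "$PUBKEY"; echo "second install (duplicate): $?"
install_pubkey "$DEMO/.ssh" "-----BEGIN OPENSSH PRIVATE KEY-----"; echo "private key pasted: $?"
```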
Major SSH Configuration Files
Client-Side Configuration
Client-side SSH configuration is written in the ~/.ssh/config file. If you frequently connect to certain servers, configuring this file can significantly simplify connections.
Host myserver
    HostName 192.168.1.100
    User taro
    Port 22
    IdentityFile ~/.ssh/id_ed25519
With this configuration, simply typing ssh myserver will automatically apply the specified IP address, username, port, and key file.
Server-Side Configuration
SSH server configuration is done in the /etc/ssh/sshd_config file. Here are key configuration items:
Port specifies the listening port for SSH. The default is 22, but it is recommended to change it for security hardening.
PermitRootLogin sets whether SSH login for the root user is allowed. For security, it is recommended to set this to no.
MaxAuthTries limits the number of authentication attempts allowed per connection. The default is 6, but setting it to around 3 can reduce the effectiveness of brute-force attacks.
AllowUsers and AllowGroups allow you to explicitly specify users or groups permitted to connect via SSH.
ClientAliveInterval and ClientAliveCountMax allow you to configure automatic disconnection of idle sessions.
SSH Security Measures: Practical Hardening Methods
Changing the Port Number
SSH’s default port 22 is a primary target for automated scans and brute-force attacks. Changing the Port setting in sshd_config to a non-standard port number can significantly reduce unauthorized access attempts.
However, changing the port is not a fundamental security measure; it only increases the attacker’s effort. Use it in combination with other measures.
Implementing fail2ban
fail2ban is a tool that monitors log files, detects unauthorized access attempts, and automatically blocks IP addresses. It is widely used as an effective countermeasure against SSH brute-force attacks.
After installing fail2ban, adjust the maximum retry count and ban period in the SSH jail configuration within /etc/fail2ban/jail.conf. While the default settings provide some protection, customization according to your environment is recommended.
Cautions for SSH Agent Forwarding
ssh-agent is a tool that holds private keys in memory, requiring you to enter a passphrase only once. It is convenient when connecting to multiple servers with the same key.
However, SSH agent forwarding (ssh -A) carries the risk that your key can be used, without your knowledge, by whoever controls the intermediate server while the session is open. Use it only on trusted servers. On servers you administer, it is also recommended to set AllowAgentForwarding no in sshd_config.
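The following script is an added example, not the article’s own code: it reads a sshd_config and reports which of the directives recommended in the key-authentication, server-side configuration and agent-forwarding sections above are still at a weak value. Both configuration files are constructed samples, and the checker only looks at the global section, because values inside Match blocks are conditional.

```shell
# Constructed sample: a permissive sshd_config of the kind the article warns about.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat >"$WEAK_CFG" <<'EOF'
Port 22
#PermitRootLogin no          # commented out, so sshd's built-in default applies
PasswordAuthentication yes
pubkeyauthentication yes     # keywords are case-insensitive
MaxAuthTries 6
PasswordAuthentication no    # ignored: sshd keeps the FIRST value of a keyword
Match User deploy
    PasswordAuthentication no   # conditional, so not a global setting either
EOF
# Constructed sample: the same file after the hardening the article recommends.
cat >"$HARD_CFG" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowAgentForwarding no
EOF
# Print the effective global value of keyword $2 in file $1 ("" if unset) under
# sshd's rules: '#' starts a comment, keywords are case-insensitive, the first
# occurrence wins, and everything from the first Match line on is conditional.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }' "$1"
}
# Print one "KEYWORD effective=... expected=..." line per directive that misses
# the hardened value; exit status 0 only when there are no findings.
audit_sshd() {
    findings=0
    for pair in PasswordAuthentication=no PubkeyAuthentication=yes \
                PermitRootLogin=no MaxAuthTries=3 AllowAgentForwarding=no; do
        key=${pair%%=*}; want=${pair#*=}; got=$(sshd_value "$1" "$key")
        case $key in   # MaxAuthTries is a ceiling (sshd's default is 6)
            MaxAuthTries) [ "${got:-6}" -le "$want" ] 2>/dev/null && continue ;;
            *)            [ "$got" = "$want" ] && continue ;;
        esac
        echo "$key effective=${got:-<default>} expected=$want"
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

audit_sshd "$WEAK_CFG" || true; audit_sshd "$HARD_CFG" && echo "hardened: no findings"
```

Run it against /etc/ssh/sshd_config on a real host before restarting sshd; a finding on PasswordAuthentication is usually the duplicated-keyword case shown in the sample.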
SSH Version Management
SSH software includes OpenSSH (free and widely adopted) and commercial SSH from SSH Communications Security. Most Linux distributions come with OpenSSH pre-installed, and security patches are regularly released.
To maintain security, it is crucial to always update to the latest version. If a critical vulnerability is discovered, a prompt update is necessary.
SSH Applications: Port Forwarding and Tunneling
Local Port Forwarding
Local port forwarding connects a port on your local machine to a port on a remote server.
ssh -L 8080:localhost:80 taro@192.168.1.100
This command means that connections to port 8080 on your local machine are forwarded through the SSH session to port 80 on the remote server (the localhost in the option is resolved on the server side). This gives secure access to databases or web management interfaces on the remote server.
Remote Port Forwarding
Remote port forwarding performs the reverse direction of transfer.
ssh -R 9090:localhost:3000 taro@192.168.1.100
This makes an application running on your local machine (port 3000) accessible via port 9090 on the remote server. It is useful for temporarily exposing an application under development to the external network.
Dynamic Port Forwarding (SOCKS Proxy)
Dynamic port forwarding allows you to use the SSH connection as a SOCKS proxy server.
ssh -D 1080 taro@192.168.1.100
By changing your browser’s proxy settings to SOCKS5 (localhost:1080), all of the browser’s traffic is forwarded via SSH. This can be used for secure internet access on public Wi-Fi networks or for accessing resources in restricted network environments.
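As an added example (not part of the original article), here is a ~/.ssh/config that turns the host alias from the Client-Side Configuration section and the three forwarding commands above into persistent settings, with two client-side hardening options added; port 2222, the alias names and the key path are assumptions.

```sshconfig
# Added example, not from the original article; host names, ports and paths are assumed.

# Tunnels live under their own alias so they are opened only when asked for:
# "ssh myserver-tunnels" replaces the three -L, -R and -D commands above.
Host myserver-tunnels
    # ssh -L 8080:localhost:80  (localhost is resolved on the server)
    LocalForward 8080 localhost:80
    # ssh -R 9090:localhost:3000; on the server the port binds to loopback only
    # unless sshd's GatewayPorts option allows otherwise
    RemoteForward 9090 localhost:3000
    # ssh -D 1080
    DynamicForward 1080

# Settings shared by both aliases (ssh keeps the first value it finds per option)
Host myserver myserver-tunnels
    HostName 192.168.1.100
    User taro
    # same non-default port as the Port directive chosen in sshd_config
    Port 2222
    IdentityFile ~/.ssh/id_ed25519
    # offer only this key instead of every key the agent holds
    IdentitiesOnly yes
    # keep the agent-forwarding risk (ssh -A) switched off unless explicitly needed
    ForwardAgent no

# Defaults for every host: prompt on an unknown host key, refuse a changed one,
# and do not store hostnames in clear text in known_hosts
Host *
    StrictHostKeyChecking ask
    HashKnownHosts yes
```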
Primary Use Cases for SSH
Server Management and Operations
SSH is most commonly used to manage web servers, database servers, and application servers. System administrators use SSH for operational tasks such as checking logs, editing configuration files, installing packages, and restarting services.
CI/CD Pipelines
In Continuous Integration/Continuous Deployment (CI/CD) pipelines, SSH is widely used in the deployment step. Tools like GitHub Actions, GitLab CI, and Jenkins connect to servers via SSH to automate application deployment and migrations.
Remote Development Environments
Tools like the Visual Studio Code Remote - SSH extension and JetBrains Gateway now allow you to set up development environments directly on SSH-connected servers. This enables development leveraging the resources of high-performance remote servers, independent of your local machine’s performance.
Securing Database Connections
Using SSH tunnels enables secure connections to databases that cannot be accessed directly. Many database clients, such as MySQL Workbench and DBeaver, come with built-in SSH tunnel connection features.
Comparison with Similar Technologies
SSH vs Telnet
Telnet is a remote connection protocol like SSH, but since its communication is not encrypted, it is no longer recommended for use due to security reasons. SSH has been widely adopted as the successor technology to Telnet.
SSH vs VPN
A VPN is a tunneling technology that encrypts an entire network, while SSH is a protocol that protects individual connections. VPNs are suitable for protecting an organization’s entire communication, whereas SSH is suited for connections to specific servers. The two are complementary and are often used together.
SSH vs HTTPS
HTTPS is a protocol for encrypting communication between a web browser and a web server. While SSH is used by system administrators and developers for server management, HTTPS is used for end-user web communication.
Conclusion
SSH is a foundational technology for enabling secure connections to remote servers. Understanding its basic usage and implementing appropriate security measures allows for safe and efficient server management.
It is important to gradually strengthen security measures, such as implementing key authentication, changing the port number, and deploying intrusion detection tools like fail2ban. SSH configuration and management are essential skills for system administrators and developers. I hope you can apply the knowledge introduced in this article to practical use.
Frequently Asked Questions
- What is the difference between SSH and SCP?
- SSH refers to the entire secure connection protocol for remote servers, while SCP is a sub-protocol used for transferring files over SSH's encrypted channel. SCP is used as part of SSH's functionality and is specialized for file transfer. Recently, rsync over SSH is increasingly recommended as a more efficient file transfer method compared to SCP.
- Is it necessary to change the SSH port number?
- Changing the default port 22 is recommended but not mandatory. Changing the port can reduce automated scan attacks but is not a definitive security measure. Combining it with key authentication and fail2ban configuration can build a more effective security posture.
- What does it mean if the SSH key fingerprint has changed?
- A changed fingerprint indicates a server reinstallation, key regeneration, or a possible man-in-the-middle attack. If it differs from the fingerprint saved in the `known_hosts` file during the first connection, you need to delete the old fingerprint using the `ssh-keygen -R` command and re-verify the correct fingerprint.
- Is there a way to connect via SSH from Windows?
- Since Windows 10, the OpenSSH client is standard in PowerShell and Command Prompt. You can run the `ssh` command directly from the terminal. For a GUI, free SSH client tools like PuTTY or MobaXterm are available. On Windows Server, you can enable the OpenSSH server feature to accept SSH connections.