How to make the most of OpenSSH

OpenSSH is a network connectivity and remote login tool that securely encrypts all traffic, originally developed by OpenBSD developers for use in their operating system. Considering the OpenBSD developers’ primary focus on security, it is no surprise that OpenSSH quickly became the standard remote login implementation for all Linux and Unix operating systems. OpenSSH uses a client-server model, with the ssh command providing client functionality and sshd providing server functionality.

In this tutorial you will learn:

  • How to install OpenSSH
  • How to login to a remote shell
  • How to copy files between machines with scp
  • How to enable key based authentication and disable password based login
  • How to save configurations of frequently accessed machines for easier connections
  • How to mount a remote file-system over the ssh protocol
  • How to use port forwarding/tunneling
      • to access a machine behind NAT/firewall
      • to create a web proxy
How to make the most of OpenSSH – Tips & Tricks

Software requirements and conventions used

Software Requirements and Linux Command Line Conventions

Category      Requirements, Conventions or Software Version Used
System        Debian based, Red Hat based, and Arch based systems are explicitly covered, but the OpenSSH suite is distribution-independent and all instructions should work for any distribution that uses systemd as its init system.
Software      OpenSSH
Other         Root privileges to modify configuration files
Conventions   # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
              $ – requires given linux commands to be executed as a regular non-privileged user

Installing OpenSSH

Most distributions will provide the option to install OpenSSH during their initial install, but it can still be installed manually if this option was not chosen. On Debian and Red Hat based systems you will have to install the server and client separately, whereas on Arch based systems the client and server are installed as a single package (see the example below). Note that if you are using a firewall, be sure to open port 22 for incoming traffic on any machine that you would like to use as a server.

On Debian based systems

$ sudo apt-get install openssh-server
$ sudo apt-get install openssh-client


On Red Hat based systems (note: on Fedora version 22 or later replace yum with dnf)

$ sudo yum install openssh-server
$ sudo yum install openssh-clients

On Arch based system

$ sudo pacman -S openssh

After installing the ssh server, some distributions will enable the sshd service by default and others will not. On recent versions of the above distributions enter the following to ensure that the ssh daemon is enabled and able to be connected to by clients.

$ sudo systemctl start sshd
$ sudo systemctl enable sshd

This will start the service now and upon every subsequent boot.

Login to a Remote Shell

Logging into a remote shell is the most basic and common use of OpenSSH. The following command will allow you to log in from one networked machine to another, assuming both have OpenSSH installed. NOTE: Replace “username” with the username of the user you want to log in as. If you are connecting to another computer on the same network as you, replace “host” with the IP address or hostname of that machine. If you are logging into a machine over the internet, replace “host” with the IP address or domain name of that machine.

$ ssh username@host

By default, sshd requires the password of the user to authenticate, so enter the user’s password and you are now logged into that machine as that user. If the user is the root user or has sudo privileges then you can now completely administer the machine remotely. Note that if you are connecting to a server that is using a port other than the default 22 (for example 10001) then you will need to specify the port number by inserting “-p 10001” between ssh and the rest of the command (the “-p” must be lowercase; more on this later).

Copying Files Between Machines

The scp command can be used to copy files from one machine to another. To do so you must first provide the path of the file you want to copy and then the path where you want the file to be copied.

For example, to copy the file todolist.txt from the client ~/Documents folder to the remote machine’s ~/Downloads folder enter the following.

$ scp ~/Documents/todolist.txt username@host:~/Downloads/

Similarly, you can copy a file from the server to the client. Simply provide the path of the file on the server, followed by the desired path on the client machine. For example, we can copy the same todolist.txt that we just uploaded, into the /tmp directory of the local machine by issuing the following command.

$ scp username@host:~/Downloads/todolist.txt /tmp/

Note that if you are copying to/from a server that is using a port other than the default 22 (for example 10001) then you will need to specify the port number by inserting “ -P 10001 “ between scp and the rest of the command. Also, note that this is a capital P in contrast to the lowercase p used by the ssh command. The process for copying directories is the same, except that you must specify the “-r” flag to recursively copy a directory along with all of its subdirectories and files therein. The following command will copy the entire Documents directory from the local user to the remote user’s Downloads folder.

$ scp -r ~/Documents username@host:~/Downloads/

As an alternative to the scp command you can use the sftp command to transfer files between machines. It behaves like the classic ftp command but unlike ftp, it is fully encrypted.

Configuring Key Based Authentication

If you are using OpenSSH on your secure home network then you may be fine with password authentication. However, if you are using it over the internet, enabling key based authentication and disabling password authentication on your internet facing server is recommended for additional security. This can also be useful if you simply want to avoid having to type the password to login or if you use the server machine on public wifi.

Key based authentication uses a cryptographic key-pair consisting of a private key that is stored only on the local client machine and a public key that is stored on the remote server.

First, generate the private/public key-pair on the local client machine.

$ ssh-keygen -t rsa

Then upload only the public key to the remote machine

$ ssh-copy-id -i ~/.ssh/id_rsa.pub username@host

Now log in to the remote server; if you are not prompted for the user password, the key-based login is functioning and you can disable password based login.
Using your favorite text editor, open /etc/ssh/sshd_config as root or with sudo

$ sudo vim /etc/ssh/sshd_config


and make the following changes by changing yes to no for these fields and uncommenting them as necessary (delete the # if the line starts with it).

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

Next, reload the sshd service.

$ sudo systemctl reload sshd
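As an added check (example code written for this article, not part of OpenSSH or the original tutorial), the script below reads an sshd_config file the way sshd does and reports the values it will actually use. sshd honours the first uncommented occurrence of each keyword and ignores later ones, so a stray “PasswordAuthentication yes” left above your edit silently wins, and keywords under a Match block apply only conditionally. The two sample configs it writes are constructed for the demonstration, and the function names are the example’s own.

```shell
#!/bin/sh
# Added example, not from the original article: report the values sshd
# will really use for the keywords the text says to change. The first
# uncommented occurrence of a keyword wins; anything after the first
# "Match" line is conditional and is skipped here.

# effective_value FILE KEYWORD_REGEX DEFAULT
# Prints the value sshd takes for the keyword (case-insensitive match,
# alternatives separated by |), or DEFAULT (OpenSSH's compiled-in
# default) if the file never sets it in the global section.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank line
        tolower($1) == "match"              { exit }   # conditional section begins
        tolower($1) ~ "^(" key ")$"         { print $2; found = 1; exit }
        END                                 { if (!found) print def }
    ' "$1"
}

# password_login_disabled FILE
# Returns 0 only if password and keyboard-interactive logins are off AND
# public-key login is still on (so you cannot lock yourself out).
# Each spec is keyword:default:wanted. KbdInteractiveAuthentication is
# the OpenSSH 8.7+ name for ChallengeResponseAuthentication, so either
# spelling is accepted.
password_login_disabled() {
    cfg=$1
    rc=0
    for spec in \
        'PasswordAuthentication:yes:no' \
        'ChallengeResponseAuthentication|KbdInteractiveAuthentication:yes:no' \
        'UsePAM:no:no' \
        'PubkeyAuthentication:yes:yes'; do
        old_ifs=$IFS; IFS=:; set -- $spec; IFS=$old_ifs
        kw=$1; def=$2; want=$3
        val=$(effective_value "$cfg" "$kw" "$def" | tr 'A-Z' 'a-z')
        printf '%-62s %-4s (want %s)\n' "$kw" "$val" "$want"
        [ "$val" = "$want" ] || rc=1
    done
    return $rc
}

# write_sample FILE VARIANT -- constructed sshd_config fragments for a
# stand-alone run; "stray" has the edit placed below a forgotten earlier
# line, "good" is hardened and keeps a per-user exception in a Match block.
write_sample() {
    case $2 in
        stray)
            printf '%s\n' '#PasswordAuthentication yes' \
                          'PasswordAuthentication yes' \
                          'UsePAM no' \
                          'PasswordAuthentication no' \
                          'KbdInteractiveAuthentication no' > "$1" ;;
        good)
            printf '%s\n' 'PasswordAuthentication no' \
                          'ChallengeResponseAuthentication no' \
                          'UsePAM no' \
                          'Match User backup' \
                          '    PasswordAuthentication yes' > "$1" ;;
    esac
}

tmp=$(mktemp)
for variant in stray good; do
    write_sample "$tmp" "$variant"
    echo "== $variant =="
    if password_login_disabled "$tmp"; then
        echo "OK: password login is off, key login is on"
    else
        echo "NOT hardened: fix the lines above"
    fi
done
rm -f "$tmp"
```

On the real server, sudo sshd -t checks the syntax and sudo sshd -T prints every effective value (grep it for passwordauthentication, kbdinteractive and usepam); run one of these before you reload, and keep your existing session open until a fresh key-based login from a second terminal succeeds.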

Save Configurations of Frequently Accessed Machines For Easier Connections

It may be useful to save the configurations of frequently accessed machines so that you can connect to them more easily, especially if they have sshd listening on a non-default port (not 22). To do so you add entries to your ~/.ssh/config file.
An entry for a machine you would connect to using the following command

$ ssh -p 1666 bob@remotemachine

looks like this.

Host remotemachine
    User bob
    HostName remotemachine
    Port 1666

Then you can access that machine using the following command going forward.

$ ssh remotemachine
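The following script (an added example, not code from the original article or from OpenSSH) adds a Host entry like the one above to a client config file, with two details the manual edit leaves to you: it only adds the alias once, because ssh uses the first matching Host block and a later duplicate would be silently ignored, and it keeps the file owner-only, because ssh refuses a config that other users can write to (“Bad owner or permissions”). The function names and the temporary directory used in the demo are the example’s own.

```shell
#!/bin/sh
# Added example, not from the original article: manage ~/.ssh/config
# entries idempotently and with private permissions.

# config_entry_exists CONFIG ALIAS
# Returns 0 if ALIAS already appears on any "Host" line (a Host line may
# carry several patterns), 1 otherwise.
config_entry_exists() {
    [ -f "$1" ] || return 1
    awk -v a="$2" '
        tolower($1) == "host" { for (i = 2; i <= NF; i++) if ($i == a) found = 1 }
        END { exit !found }
    ' "$1"
}

# add_ssh_host CONFIG ALIAS HOSTNAME PORT USER
# Appends a Host block unless ALIAS is already defined.
# Returns 0 when added, 2 when it already existed.
add_ssh_host() {
    cfg=$1; name=$2; host=$3; port=$4; user=$5
    old_umask=$(umask)
    umask 077                      # any file created here is owner-only
    mkdir -p "$(dirname "$cfg")"
    touch "$cfg"
    chmod 600 "$cfg"               # tighten an existing file too
    umask "$old_umask"
    if config_entry_exists "$cfg" "$name"; then
        return 2
    fi
    printf '\nHost %s\n    User %s\n    HostName %s\n    Port %s\n' \
        "$name" "$user" "$host" "$port" >> "$cfg"
}

# perms FILE -> octal mode, GNU/BusyBox stat first, BSD stat as fallback
perms() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Stand-alone demo in a temporary directory (constructed, not ~/.ssh).
demo_dir=$(mktemp -d)
add_ssh_host "$demo_dir/config" remotemachine remotemachine 1666 bob
add_ssh_host "$demo_dir/config" remotemachine remotemachine 1666 bob \
    || echo "second add skipped (status $?): alias already present"
echo "mode: $(perms "$demo_dir/config")"
cat "$demo_dir/config"
rm -rf "$demo_dir"
```

The ~/.ssh directory itself should be mode 700 (chmod 700 ~/.ssh); the script deliberately leaves directory permissions alone so that it is safe to point at a scratch directory. ssh -G remotemachine prints the options ssh resolves for an alias, which is a quick way to confirm the entry took effect.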

Mounting a Network File-system with SSHFS

Although it is not part of the OpenSSH suite, sshfs can be installed using the package manager and then used to mount remote file-systems over the network. Let’s assume that you want to access the home directory of user1@machine1 on your local file-system.

Create the directory where you want to mount the remote file-system.

$ mkdir sshmount

Mount the file-system specifying the remote path and the local path where you would like to mount it.

$ sshfs user1@machine1:/home/user1 sshmount

To unmount the file-system issue either of the following commands

$ fusermount -u sshmount

or

$ sudo umount sshmount


Port Forwarding/Tunneling

Port forwarding, also known as tunneling, can be used to provide encryption for applications and protocols whose network traffic would otherwise be sent in the clear. The next two examples show two other uses of port forwarding.

Accessing a Remote Shell on a Machine that is behind NAT or Firewall

What if you want to ssh over the internet into a machine that is behind NAT or a firewall? In this scenario there are 3 machines.

  1. The machine behind NAT you want to login to remotely
  2. An internet facing server you have ssh access to
  3. A machine on another network that you want to use to login to machine 1 over the internet

For the ssh command, the -L switch forwards connections to the specified local port to the host and port specified. Similarly, the -R switch forwards connections to the specified remote port to the local port specified.

On machine 1 enter the following command.

user1@1 $ ssh -R 10125:localhost:22 user2@2

On machine 3 enter the following commands. NOTE: The second command should be opened in a new terminal window or TTY.

user3@3 $ ssh -L 10001:localhost:10125 user2@2
user3@3 $ ssh user1@localhost -p 10001

The first command will seem like it logged into machine 2 normally, but it also binds port 22 (the sshd service) of machine 1 to port 10125 on machine 2, so that connections to port 10125 on machine 2 are forwarded to port 22 on machine 1. By default sshd binds such a remote-forwarded port to machine 2’s loopback interface only, so it is not reachable from the internet directly; that is why machine 3 needs a tunnel of its own. The second command will also seem like it logged into machine 2 normally, but it binds port 10001 on machine 3 to port 10125 on machine 2, so that connections to port 10001 on machine 3 are forwarded to port 10125 on machine 2, which in turn forwards them to port 22 on machine 1. Finally, machine 3 logs into machine 1 by connecting to port 10001 on itself, which is forwarded through the tunnel we created.
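A practitioner running this setup wants to confirm, on machine 2, that the reverse-forwarded port is listening on loopback only: if GatewayPorts is enabled in machine 2’s sshd_config, the -R listener opens on every interface and machine 1’s sshd becomes reachable from the internet through the jump server. The script below is an added example (not from the original article or from OpenSSH) that parses the listener table printed by ss -ltn (iproute2) and flags any non-loopback binding of a given port; the sample table it checks is constructed, and the function name is the example’s own.

```shell
#!/bin/sh
# Added example, not from the original article: verify on the jump server
# (machine 2) that a reverse-forwarded port is bound to loopback only.

# exposed_listeners PORT   (reads `ss -ltn` output on stdin)
# Prints every listener on PORT that is NOT on a loopback address and
# returns 1 if any were found, 0 if the port is loopback-only.
exposed_listeners() {
    awk -v port="$1" '
        BEGIN   { bad = 0 }
        NR == 1 { next }                                  # column header
        {
            n = split($4, a, ":")                         # "addr:port"; IPv6 has extra colons
            p = a[n]
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (p != port) next
            if (addr ~ /^127\./ || addr == "[::1]") next  # loopback: fine
            print addr ":" p                              # 0.0.0.0, [::] or * = exposed
            bad = 1
        }
        END { exit bad }
    '
}

# Constructed `ss -ltn` output: sshd on all interfaces, the 10125 reverse
# forward correctly on loopback (v4 and v6), and a second forward that was
# started with GatewayPorts on and therefore listens on 0.0.0.0.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:10125     0.0.0.0:*
LISTEN 0      128    [::1]:10125         [::]:*
LISTEN 0      128    0.0.0.0:10126       0.0.0.0:*'

for port in 10125 10126; do
    if printf '%s\n' "$SAMPLE_SS" | exposed_listeners "$port"; then
        echo "port $port: loopback only (good)"
    else
        echo "port $port: reachable from outside; check GatewayPorts on machine 2"
    fi
done
```

On the real jump server run ss -ltn | exposed_listeners 10125 (the function reads stdin). Two related refinements from OpenSSH itself: add -N to the machine 1 command when you only want the tunnel and no shell, and on OpenSSH 7.3 or later machine 3 can collapse its two commands into one hop, ssh -J user2@2 -p 10125 user1@localhost, because the ProxyJump hop resolves localhost:10125 on machine 2, exactly where the reverse forward listens.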

Using OpenSSH as a Web Proxy

Using the -D flag you are able to use your remote ssh server as a SOCKS proxy. This can be particularly useful for web browsing, for example if you are on public WiFi and want some extra privacy, or if you are on a work/school/other network that may snoop traffic or censor content.

Simply issue the following command and you will be able to use port 8888 on your local machine as a SOCKS proxy, so that connections to port 8888 will be securely forwarded to the remote server and fully encrypted from prying eyes on the local network.

$ ssh -D 8888 username@host

Configuring SOCKS proxy in Firefox

