OpenSSH is a network connectivity and remote login tool that securely encrypts all traffic, originally developed by OpenBSD developers for use in their operating system. Considering the OpenBSD developers’ primary focus on security, it is no surprise that OpenSSH quickly became the standard remote login implementation for all Linux and Unix operating systems. OpenSSH uses a client-server model, with the ssh command providing client functionality and sshd providing server functionality.
In this tutorial you will learn:
- How to install OpenSSH
- How to login to a remote shell
- How to copy files between machines with scp
- How to enable key based authentication and disable password based login
- How to save configurations of frequently accessed machines for easier connections
- How to mount a remote file-system over the ssh protocol
- How to use port forwarding/tunneling
  - to access a machine behind NAT/firewall
  - to create a web proxy
Software requirements and conventions used
| Category | Requirements, Conventions or Software Version Used |
|---|---|
| System | Debian based, Red Hat based, and Arch based systems are explicitly covered, but the OpenSSH suite is distribution-independent and all instructions should work for any distribution that uses systemd as its init system. |
| Other | Root privileges to modify configuration files |
| Conventions | # - requires given linux commands to be executed with root privileges either directly as a root user or by use of |
Most distributions will provide the option to install OpenSSH during their initial install, but it can still be installed manually if this option was not chosen. On Debian and Red Hat based systems you will have to install the server and client separately, whereas on Arch based systems the client and server are installed as a single package (see the example below). Note that if you are using a firewall, be sure to open port 22 for incoming traffic on any machine that you would like to use as a server.
On Debian based systems
$ sudo apt-get install openssh-server
$ sudo apt-get install openssh-client
On Red Hat based systems (note: on Fedora version 22 or later replace yum with dnf)
$ sudo yum install openssh-server
$ sudo yum install openssh-client
On Arch based system
$ sudo pacman -S openssh
After installing the ssh server, some distributions will enable the sshd service by default and others will not. On recent versions of the above distributions enter the following to ensure that the ssh daemon is enabled and able to be connected to by clients.
$ sudo systemctl start sshd
$ sudo systemctl enable sshd
This will start the service now and upon every subsequent boot.
Login to a Remote Shell
Logging into a remote shell is the most basic and common use of OpenSSH. The following command will allow you to log in from one networked machine to another, assuming both have OpenSSH installed. NOTE: Replace “username” with the username of the user you want to log in as. If you are connecting to another computer on the same network as you, replace “host” with the IP address or hostname of that machine. If you are logging into a machine over the internet, replace “host” with the IP address or domain name of that machine.
$ ssh username@host
By default, sshd requires the password of the user to authenticate, so enter the user’s password and now you are logged into that machine as that user. If the user is the root user or has sudo privileges then you can now completely administer the machine remotely. Note that if you are connecting to a server that is using a port other than the default 22 (for example 10001) then you will need to specify the port number by inserting “-p 10001” (the “-p” must be lowercase, more on this later) between ssh and the rest of the command.
Copying Files Between Machines
The scp command can be used to copy files from one machine to another. To do so, first provide the path of the file you want to copy, then the path where you want the file to be copied.
For example, to copy the file todolist.txt from the client’s ~/Documents folder to the remote machine’s ~/Downloads folder, enter the following.
$ scp ~/Documents/todolist.txt username@host:~/Downloads/
Similarly, you can copy a file from the server to the client. Simply provide the path of the file on the server, followed by the desired path on the client machine. For example, we can copy the same todolist.txt that we just uploaded into the /tmp directory of the local machine by issuing the following command.
$ scp username@host:~/Downloads/todolist.txt /tmp/
Note that if you are copying to/from a server that is using a port other than the default 22 (for example 10001) then you will need to specify the port number by inserting “-P 10001” between scp and the rest of the command. Also, note that this is a capital P, in contrast to the lowercase p used by the ssh command. The process for copying directories is the same, except that you must specify the “-r” flag to recursively copy a directory along with all of its subdirectories and files. The following command will copy the entire Documents directory from the local user to the remote user’s Downloads folder.
$ scp -r ~/Documents username@host:~/Downloads/
As an alternative to the scp command you can use the sftp command to transfer files between machines. It behaves like the classic ftp command but unlike ftp, it is fully encrypted.
Configuring Key Based Authentication
If you are using OpenSSH on your secure home network then you may be fine with password authentication. However, if you are using it over the internet, enabling key based authentication and disabling password authentication on your internet facing server is recommended for additional security. This can also be useful if you simply want to avoid having to type the password to login or if you use the server machine on public wifi.
Key based authentication uses a cryptographic key-pair consisting of a private key that is stored only on the local client machine and a public key that is stored on the remote server.
First, generate the private/public key-pair on the local client machine.
$ ssh-keygen -t rsa
Then upload only the public key to the remote machine
$ ssh-copy-id -i ~/.ssh/id_rsa.pub username@host
Now log in to the remote server; if you are not prompted for the user’s password, key-based login is functioning and you can disable password based login. Using your favorite text editor, open /etc/ssh/sshd_config as root or with sudo
$ sudo vim /etc/ssh/sshd_config
and make the following changes by changing yes to no for these fields and uncommenting them as necessary (delete the leading # if the line starts with it).
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
Next, reload the sshd service.
$ sudo systemctl reload ssh
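To verify the three settings above without relying on a visual scan of the file, here is an added Python example (written for this page; it is not part of the tutorial or of OpenSSH) that reads an sshd_config the way sshd does for the directives that matter here: for each keyword the first occurrence wins, commented-out lines count for nothing, and anything below a Match line is conditional. It reports which of the three directives are missing or still set to yes. The three config texts are constructed samples, and the Include path in the last one is the drop-in directory that newer Debian based releases ship, used here only to show why an Include line at the top of the file deserves a look.

```python
from typing import Dict, List, Tuple

# The three directives this tutorial switches to "no", keyed in lowercase
# because sshd_config keywords are case-insensitive.
HARDENED = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "usepam": "no",
}


def parse_sshd_config(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (globally effective keyword values, Include arguments seen).

    Lines are simplified to a whitespace-separated keyword and argument with
    '#' starting a comment. Two sshd rules drive the result: the first
    occurrence of a keyword wins, and everything below the first Match line
    is conditional, so it is left out of the global view.
    """
    effective: Dict[str, str] = {}
    includes: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue                      # blank or commented-out line
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue                      # keyword without an argument
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                         # conditional section starts here
        if key == "include":
            includes.append(value)        # read in place, so its contents can win
            continue
        effective.setdefault(key, value)  # first occurrence wins
    return effective, includes


def audit(text: str) -> List[str]:
    """List every directive that is missing or not at the value the tutorial sets."""
    effective, includes = parse_sshd_config(text)
    findings = []
    for path in includes:
        findings.append(f"include {path}: read in place, so directives there can take precedence")
    for key, want in HARDENED.items():
        got = effective.get(key)
        if got is None:
            findings.append(f"{key}: not set, so sshd's built-in default applies")
        elif got.lower() != want:
            findings.append(f"{key}: {got} (expected {want})")
    return findings


# Constructed sample: a stock-looking sshd_config before this tutorial's edits.
BEFORE = """\
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

# Constructed sample: the same file after the edits, plus a Match block that
# re-enables passwords for one account only and must not affect the global view.
AFTER = """\
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
Match User backup
    PasswordAuthentication yes
"""

# Constructed sample: looks hardened at a glance but is not. The commented line
# is inert and the first real PasswordAuthentication line says yes.
TRAP = """\
Include /etc/ssh/sshd_config.d/*.conf
#PasswordAuthentication no
PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER), ("trap", TRAP)):
        print(name, audit(text) or ["ok"])
```

The script approximates what `sudo sshd -T` prints, which is the authoritative list of effective values; run `sudo sshd -t` to check the file for syntax errors before reloading, since a broken config can leave you unable to log back in, and keep your current session open until a fresh key-based login succeeds. The systemd unit is named ssh on Debian based systems and sshd on Red Hat and Arch based ones.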
Save Configurations of Frequently Accessed Machines For Easier Connections
It may be useful to save the configurations of frequently accessed machines so that you can connect to them more easily, especially if they have sshd listening on a non-default port (not 22). To do so, add entries to your ~/.ssh/config file. An entry for a machine you would connect to using the following command
$ ssh -p 1666 bob@remotemachine
looks like this.
Host remotemachine
    User bob
    Hostname remotemachine
    Port 1666
Then you can access that machine using the following command going forward.
$ ssh remotemachine
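How ssh turns the alias back into the explicit command is easy to get wrong once the file holds more than one entry, so here is an added Python example (written for this page, not OpenSSH code) that resolves an alias against a ~/.ssh/config the way ssh_config(5) describes: keywords are case-insensitive, a Host line opens a block that applies when one of its patterns matches the alias, and for each keyword the first value obtained wins, which is why a catch-all `Host *` belongs at the bottom. The config text is a constructed sample that includes the entry from this section; Match blocks and the `[...]` character-class wildcards of fnmatch are outside what it models.

```python
import fnmatch
from typing import Dict, List


def _host_matches(patterns: List[str], alias: str) -> bool:
    """Apply a Host line's patterns to the alias the user typed.

    '*' and '?' are wildcards; a leading '!' negates, and a single negated
    match disqualifies the whole block regardless of the other patterns.
    """
    matched = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(alias, pattern[1:]):
                return False
        elif fnmatch.fnmatchcase(alias, pattern):
            matched = True
    return matched


def resolve_host(config_text: str, alias: str) -> Dict[str, str]:
    """Work out the values `ssh alias` would use from a ~/.ssh/config text."""
    result: Dict[str, str] = {}
    active = True                         # options above any Host line apply everywhere
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            active = _host_matches(value.split(), alias)
        elif key == "match":
            active = False                # Match blocks are not modelled here
        elif active:
            result.setdefault(key, value)  # first value obtained wins
    # ssh's own fallbacks when the config says nothing
    result.setdefault("hostname", alias)
    result.setdefault("port", "22")
    return result


def as_command(config_text: str, alias: str) -> str:
    """Render the resolved entry as the explicit ssh command it replaces."""
    r = resolve_host(config_text, alias)
    target = f"{r['user']}@{r['hostname']}" if "user" in r else r["hostname"]
    port = "" if r["port"] == "22" else f"-p {r['port']} "
    return f"ssh {port}{target}"


# Constructed sample ~/.ssh/config: the entry from this section, a wildcard
# block with an exclusion, and a catch-all last so it cannot shadow the others.
SAMPLE_CONFIG = """\
Host remotemachine
    User bob
    Hostname remotemachine
    Port 1666

Host build-* !build-legacy
    User ci
    Port 2222

Host *
    User alice
"""

if __name__ == "__main__":
    for alias in ("remotemachine", "build-01", "build-legacy"):
        print(alias, "->", as_command(SAMPLE_CONFIG, alias))
```

On a real machine, `ssh -G remotemachine` prints the configuration ssh would actually use for an alias without connecting, which is the quickest way to confirm an entry resolves as intended.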
Mounting a Network File-system with SSHFS
Although it is not part of the OpenSSH suite, sshfs can be installed using the package manager and then used to mount remote file-systems over the network. Let’s assume that you want to access the home directory of user1@machine1 on your local file-system.
Create the directory where you want to mount the remote file-system.
$ mkdir sshmount
Mount the file-system specifying the remote path and the local path where you would like to mount it.
$ sshfs user1@machine1:/home/user1 sshmount
To unmount the file-system issue either of the following commands
$ fusermount -u sshmount
$ sudo umount sshmount
Port forwarding, also known as tunneling, can be used to provide encryption for applications and protocols whose network traffic would otherwise be sent in the clear. The next two examples show two other uses of port forwarding.
Accessing a Remote Shell on a Machine that is behind NAT or Firewall
What if you want to ssh over the internet into a machine that is behind NAT or a firewall? In this scenario there are 3 machines.
- The machine behind NAT you want to login to remotely
- An internet facing server you have ssh access to
- A machine on another network that you want to use to login to machine 1 over the internet
For the ssh command, the -L switch forwards connections to the specified local port to the specified host and port. Similarly, the -R switch forwards connections to the specified remote port to the specified local host and port.
On machine 1 enter the following command.
user1@1 $ ssh -R 10125:localhost:22 user2@2
On machine 3 enter the following commands. NOTE: The second command should be opened in a new terminal window or TTY.
user3@3 $ ssh -L 10001:localhost:10125 user2@2
user3@3 $ ssh user1@localhost -p 10001
The first command will seem like it logged into machine 2 normally, but it also binds port 10125 on machine 2 to port 22 (the sshd service) on machine 1, so that connections to port 10125 on machine 2 are forwarded to port 22 on machine 1. The second command will also seem like it logged into machine 2 normally, but it binds port 10001 on machine 3 to port 10125 on machine 2, so that connections to port 10001 on machine 3 are forwarded to port 10125 on machine 2 and from there to port 22 on machine 1. Finally, machine 3 logs into machine 1 by connecting to port 10001 on itself, which is forwarded through the tunnel we created.
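To make the two-hop chain above concrete, here is an added Python example (written for this page; it is not code from the tutorial or from OpenSSH) that implements the plain relay behind a port forward: a listener that accepts a connection on one port and copies bytes both ways to another host:port. It chains two such relays in front of a local echo server, mirroring machine 2's port 10125 relaying to machine 1's port 22 and machine 3's port 10001 relaying to machine 2's port 10125. What it leaves out is exactly what ssh adds on top of the relay, namely authentication and encryption of each hop. Everything runs on loopback with OS-chosen ports, and the echo server standing in for sshd on machine 1 is constructed for the example.

```python
import socket
import threading


def _pipe(src, dst):
    """Copy bytes from src to dst until src hits EOF, then pass the EOF on."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listener():
    """A loopback listener on an OS-chosen port (constructed for the example)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    return srv


def _serve(srv, handler):
    """Accept connections on srv in a background thread until srv is shut down."""
    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                    # listener closed
            handler(conn)
    threading.Thread(target=loop, daemon=True).start()


def start_forwarder(target_host, target_port):
    """Unencrypted equivalent of one ssh port forward: every connection accepted
    on the returned listener is relayed to target_host:target_port."""
    srv = _listener()

    def relay(conn):
        try:
            upstream = socket.create_connection((target_host, target_port), timeout=5)
            upstream.settimeout(None)
        except OSError:
            conn.close()
            return
        threading.Thread(target=_pipe, args=(conn, upstream), daemon=True).start()
        threading.Thread(target=_pipe, args=(upstream, conn), daemon=True).start()

    _serve(srv, relay)
    return srv


def start_echo_server():
    """Stands in for sshd on machine 1: echoes whatever it receives."""
    srv = _listener()
    _serve(srv, lambda conn: threading.Thread(target=_pipe, args=(conn, conn), daemon=True).start())
    return srv


def port_of(srv):
    return srv.getsockname()[1]


def demo_chain(payload):
    """Build machine 1 <- hop on machine 2 <- hop on machine 3, send payload into
    the outermost port and return what came back through both relays."""
    machine1 = start_echo_server()                              # port 22 on machine 1
    hop2 = start_forwarder("127.0.0.1", port_of(machine1))      # -R 10125:localhost:22
    hop3 = start_forwarder("127.0.0.1", port_of(hop2))          # -L 10001:localhost:10125
    try:
        with socket.create_connection(("127.0.0.1", port_of(hop3)), timeout=5) as client:
            client.sendall(payload)
            client.shutdown(socket.SHUT_WR)   # EOF travels down the chain and back
            chunks = []
            while True:
                data = client.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        for srv in (hop3, hop2, machine1):
            try:
                srv.shutdown(socket.SHUT_RDWR)  # wakes the accept loop
            except OSError:
                pass
            srv.close()


if __name__ == "__main__":
    print(demo_chain(b"hello through two hops\n"))
```

One detail the real commands depend on: by default sshd binds a -R listener only to machine 2's loopback interface (its GatewayPorts setting is off), which is why machine 3 reaches port 10125 through a second ssh hop rather than connecting to machine 2's port 10125 directly.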
Using OpenSSH as a Web Proxy
With the -D flag you are able to use your remote ssh server as a SOCKS proxy. This can be particularly useful for web browsing, for example if you are on public WiFi and want some extra privacy, or if you are on a work/school/other network that may snoop traffic or censor content.
Simply issue the following command and you will be able to use port 8888 on your local machine as a SOCKS proxy, so that connections to port 8888 will be securely forwarded to the remote server and fully encrypted from prying eyes on the local network.
$ ssh -D 8888 username@host