tecnico conferenza


An excursion with SSH

2 August 2006

SSH is used to log in securely to remote systems. It also makes secure file transfers possible with its scp and sftp utilities. We’ll look briefly at how to use SSH for our daily tasks.

As SSH is essentially a protocol, many implementations of it are available, the most common being OpenSSH. We’ll use OpenSSH in all our examples.

Let’s use two GNU/Linux systems here: a Redhat GNU/Linux machine and a SUSE GNU/Linux machine. Any other GNU/Linux distribution will do just as well. Let’s also have an account named ‘james’ on Redhat and one named ‘marc’ on SUSE.

Login to remote systems using ssh

Let’s say we want to log in to Redhat from SUSE. Invoke the ssh command as follows:

marc@suse:~> ssh james@10.62.100.31

Here 10.62.100.31 is the IP address of the remote machine (Redhat in this case). You need to change it to the IP address specific to you. This is the first time we’re connecting to Redhat using SSH, so it asks us to confirm that this is the host we actually want to connect to.

The authenticity of host ‘10.62.100.31 (10.62.100.31)’ can’t be established.
RSA key fingerprint is ee:15:b3:aa:6b:e7:8f:87:c8:3c:21:87:ab:d0:e3:76.
Are you sure you want to continue connecting (yes/no)?

Say yes and press Enter.

Now it displays a warning and then asks for the password for the account ‘james’ on Redhat:

Warning: Permanently added ‘10.62.100.31’ (RSA) to the list of known hosts.
james@10.62.100.31’s password:

Give the password and press Enter.

Now we’re logged into Redhat as indicated by the changed prompt.

[james@redhat ~]$

The whole session between Redhat and SUSE is now secure. Even the password which we provided was transferred securely over the network.
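
The fingerprint in the first-connection prompt is only useful if it is compared with a value obtained from the server over a trusted channel. The following is an added example, not part of the original post, showing how that colon-separated MD5 fingerprint is derived from a public key line (the format of the server's /etc/ssh/ssh_host_rsa_key.pub) and compared with an expected value. The function names and the sample key line are constructed for illustration.

```shell
#!/bin/sh
# Added example: reproduce the fingerprint format shown in the
# "RSA key fingerprint is ..." prompt and compare it with a trusted value.

# md5_fingerprint "TYPE BASE64BLOB [comment]"  -> prints aa:bb:cc:...
md5_fingerprint() {
    # Field 2 of a public key line is the base64-encoded key blob.
    blob=$(printf '%s\n' "$1" | awk '{ print $2 }')
    [ -n "$blob" ] || return 1
    # The fingerprint is the MD5 digest of the decoded blob, as hex pairs.
    printf '%s' "$blob" | base64 -d | md5sum | cut -d' ' -f1 |
        sed 's/../&:/g; s/:$//'
}

# check_host_key EXPECTED_FINGERPRINT KEY_LINE
# Prints "match" or "MISMATCH". EXPECTED must come from a trusted channel
# (for example, read off the server's console), not from the network.
check_host_key() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    actual=$(md5_fingerprint "$2") || actual=
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        echo match
    else
        echo MISMATCH
    fi
}

# Constructed sample: the blob is base64 of "hello", not a real host key.
sample='ssh-rsa aGVsbG8= constructed@example'
check_host_key '5D:41:40:2A:BC:4B:2A:76:B9:71:9D:91:10:17:C5:92' "$sample"
```

Current OpenSSH releases show SHA256 fingerprints by default; `ssh-keygen -l -E md5 -f KEYFILE` prints the older format used in this post.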

File transfer using scp, sftp

Now, say we would like to copy files between two systems. When SSH is installed we have two utilities at our disposal for this task: sftp and scp.

Transferring files using sftp: Let’s say we want to transfer a file named first.cs from SUSE to Redhat. Invoke sftp as follows:

marc@suse:~> sftp james@10.62.100.31
Connecting to 10.62.100.31…
james@10.62.100.31’s password:

It asks for the password. Give the password and press Enter.

You’ll be provided an sftp prompt as shown.

sftp>

Type the following at the sftp prompt to transfer the file ‘first.cs’

sftp> put first.cs

If you’ve previously used ftp, you’ll be comfortable with sftp’s commands. Once you enter the command and press Enter, the file will be transferred and the following messages are displayed:

Uploading first.cs to /home/james/first.cs
first.cs 100% 143 0.1KB/s 00:01
sftp>

You can see that the file ‘first.cs’ is uploaded to the home directory of james.

Let’s say we want to get a file ‘id’ from Redhat to SUSE. Enter the following command at the sftp prompt.

sftp> get id

The file will be downloaded into the directory from which you invoked sftp. You’ll be notified by the following messages.

Fetching /home/james/id to id
/home/james/id 100% 219 0.2KB/s 00:00
sftp>

If you want to upload multiple files present in a directory, use the ‘mput *’ command at the sftp prompt:

sftp> mput *

It will upload all the files present in the directory from which you invoked sftp. It will skip directories, however.

To close the session just type ‘quit’ at the sftp prompt.

sftp> quit
marc@suse:~>

Transferring files using scp: You can also transfer files using the scp command.

For example if you want to transfer the file ‘old’ in your current directory to the remote machine, invoke scp as follows:

marc@suse:~> scp old james@10.62.100.31:
james@10.62.100.31’s password:

Give the password and press Enter. The following message will be displayed and the file will be transferred to the home directory of the account.

old 100% 19 0.0KB/s 00:00

Similarly if you want to get a file from remote machine to your current directory, you can use scp as follows:

marc@suse:~> scp james@10.62.100.31:new .
james@10.62.100.31’s password:

Here the file ‘new’ is present in the home directory of the user james on Redhat. Give the password and press Enter.

The file ‘new’ will be transferred to your local directory. The following message will also be displayed regarding the transfer.

new 100% 19 0.0KB/s 00:00

Say you want to recursively transfer the current directory to the remote machine. Invoke scp as follows:

marc@suse:~/junk> scp -r . james@10.62.100.31:
james@10.62.100.31’s password:

Enter the password. All the files in the current directory and subdirectories will be transferred to the remote machine.

Similarly if you want to download a remote directory recursively to your local system, use scp as follows. Let’s say the path of the remote directory is /home/james/remote/

scp -r james@10.62.100.31:/home/james/remote/ .
james@10.62.100.31’s password:

Give the password and press Enter. The whole directory and its subdirectories will be transferred to the local directory.

You can see how powerful, and also how secure, these utilities are.

Using Keys

Using a password to log in to remote systems is only one of the ways ssh allows. You can also use keys to log in to remote systems.

The principle is based on public key cryptography. You generate a pair of keys, one private and one public, using the ssh-keygen program. You then install the public key on the remote system, and once that is done you can log in.

Using ssh-keygen to generate the keys

Invoke ssh-keygen using two arguments, -t and -b.

-t: gives the type of the key, e.g. dsa or rsa.
-b: gives the number of bits, e.g. 1024.

Invoke ssh-keygen as follows on the SUSE machine.

marc@suse:~> ssh-keygen -t rsa -b 1024

It will ask for the file in which to save the key, offering a default location.

Generating public/private rsa key pair.
Enter file in which to save the key (/home/marc/.ssh/id_rsa):

Just press Enter.

Now it’ll ask for a passphrase.

Enter passphrase (empty for no passphrase):

Enter a passphrase (some text which you can remember but others cannot guess, like a password).

You’ll be asked to enter it again. Confirm it.

Enter same passphrase again:

It’ll give you the location where your key files are stored, which we’ll use next.

Your identification has been saved in /home/marc/.ssh/id_rsa.
Your public key has been saved in /home/marc/.ssh/id_rsa.pub.
The key fingerprint is:
b3:96:d5:7b:d5:01:1e:57:52:82:c1:93:c1:96:c0:59 marc@suse

Now, you have to copy the key in the file id_rsa.pub just generated into the ~/.ssh/authorized_keys file on the remote machine. If the .ssh directory is not present on the remote machine, create it.

You can do so as follows from the SUSE machine:

marc@suse:~> scp .ssh/id_rsa.pub james@10.62.100.31:/home/james/.ssh/authorized_keys

Note that this command replaces the remote authorized_keys file. If you want to add additional keys, you need to edit authorized_keys and append the new keys to it.

Now disconnect your existing session between Redhat and SUSE and log in again from SUSE to Redhat as follows:

marc@suse:~> ssh james@10.62.100.31

You’ll observe that you’re greeted with a different message.

Enter passphrase for key ‘/home/marc/.ssh/id_rsa’:

You’re asked to enter the passphrase for the key id_rsa. Before we set up keys, you were asked only for the password of the account on the remote machine. Enter the passphrase you configured previously.

Now you’ll be logged in.

[james@redhat ~]$

So every time you log in you just need to enter the passphrase. This passphrase unlocks the private key in your local .ssh directory, and the key authenticates you to the remote machine. Your account password never needs to travel over the network.

Even when you use sftp or scp, you’ll be asked only for your passphrase.
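
The scp step above writes the public key over authorized_keys, which is fine for the first key but discards any keys already installed. The following is an added example, not part of the original post, of appending a key instead: it skips keys that are already present, refuses a file that is not a public key, and sets restrictive permissions on .ssh and authorized_keys. The function name install_pubkey and the sample key are constructed for illustration; the home directory is a parameter so the logic can be tried against a scratch directory.

```shell
#!/bin/sh
# Added example: append a public key to authorized_keys instead of
# overwriting the file, and keep .ssh readable by the owner only.

# install_pubkey PUBKEY_FILE HOME_DIR
# Prints "added" or "present"; exits non-zero if the file is not a public key.
# The body runs in a subshell so umask and exit do not affect the caller.
install_pubkey() (
    pubkey_file=$1
    ssh_dir=$2/.ssh
    auth=$ssh_dir/authorized_keys

    # A public key file is a single line: TYPE BASE64 [comment].
    key=
    IFS= read -r key < "$pubkey_file" || [ -n "$key" ] || exit 2

    # Refuse anything else, e.g. the private id_rsa passed by mistake.
    case $key in
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not a public key: $pubkey_file" >&2; exit 2 ;;
    esac

    umask 077
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || exit 1
    touch "$auth" && chmod 600 "$auth" || exit 1

    # -x whole line, -F literal string: do not add the same key twice.
    if grep -qxF -- "$key" "$auth"; then
        echo present
    else
        printf '%s\n' "$key" >> "$auth"
        echo added
    fi
)

# Demo against a scratch directory with a constructed (not real) key.
demo_home=$(mktemp -d)
printf 'ssh-rsa AAAAconstructedkey marc@suse\n' > "$demo_home/id_rsa.pub"
install_pubkey "$demo_home/id_rsa.pub" "$demo_home"   # added
install_pubkey "$demo_home/id_rsa.pub" "$demo_home"   # present
rm -rf "$demo_home"
```

On the remote machine the function would be called with "$HOME" as the second argument, after copying id_rsa.pub there under a temporary name. The ssh-copy-id script shipped with OpenSSH performs the same append over an SSH connection.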

Managing Keys using ssh-agent

If you’ve appreciated the idea of keys and passphrases, there is still more in store for you.

You can use a utility, ssh-agent, which will manage keys for you. You just need to invoke ssh-agent and tell it the key file (id_rsa) which you want it to use. Later, when you connect to the remote system, you won’t be asked to enter anything. Everything will be managed for you by ssh-agent.

Now invoke ssh-agent on SUSE as follows:

marc@suse:~> ssh-agent /bin/bash

Now add the keys to the agent as follows using the ssh-add command.

marc@suse:~> ssh-add

It will prompt you for the passphrase.

Enter passphrase for /home/marc/.ssh/id_rsa:

Give the passphrase you’ve configured previously and press Enter.

It will display a message as follows:

Identity added: /home/marc/.ssh/id_rsa (/home/marc/.ssh/id_rsa)

From now onwards, whenever you connect to the remote machine you won’t be asked to enter anything. Everything will be managed for you. You’ll be logged in directly, provided ssh-agent is running.

marc@suse:~> ssh james@10.62.100.31
[james@redhat ~]$

The same applies to file transfers using sftp and scp.

Well, we have just completed a useful session with a very powerful tool, namely SSH.
