ssh(secure-shell)

The document provides an overview of using Secure Shell (SSH) for remote access to Linux systems, detailing its secure authentication methods, including password and key-based authentication. It explains how to establish SSH connections, execute commands remotely, and manage SSH keys for secure logins. Additionally, it covers configuring SSH settings, using SCP for file transfers, and includes practical examples for users to follow.

Uploaded by

AlthaS SajeeB
SSH (Secure Shell) 22/TCP

Linux users and administrators often need to get shell access to a
remote system by connecting to it over the network. In a modern
computing environment, many headless servers are actually virtual
machines or are running as public or private cloud instances. These systems
are not physical and do not have real hardware consoles. They might not
even provide access to their (simulated) physical console or serial console.

In Linux, the most common way to get a shell prompt on a remote system
is to use Secure Shell (SSH). Most Linux systems (including Red Hat
Enterprise Linux) and macOS provide the OpenSSH command-line program
ssh for this purpose.

In this example, a user with a shell prompt on the machine host uses ssh to
log in to the remote Linux system remotehost as the user remoteuser:
[user@host ~]$ ssh remoteuser@remotehost
remoteuser@remotehost's password: password
[remoteuser@remotehost ~]$

SSH is a secure remote-login network protocol that provides a virtual
terminal connection. By default the SSH service runs over TCP, and its
default port number is 22. Telnet is also a remote-login TCP service, but
Telnet is not a secure service.

The ssh command encrypts the connection to secure the communication
against eavesdropping or hijacking of the passwords and content.
SSH uses RSA (an asymmetric algorithm) for data encryption, and the
Diffie-Hellman key exchange algorithm, which is a one-way function used for
key agreement rather than for encryption.

Some systems (such as new cloud instances) do not allow users to use a
password to log in with ssh for tighter security. An alternative way to
authenticate to a remote machine without entering a password is through
public key authentication.

With this authentication method, users have a special identity file
containing a private key, which is equivalent to a password, and which they
keep secret. Their account on the server is configured with a matching
public key, which does not have to be secret. When logging in, users can
configure ssh to provide the private key and if their matching public key is
installed in that account on that remote server, it will log them in without
asking for a password.
SSH authentication files

➢ The private key is used as the authentication credential and resides in
  the "~/.ssh/id_rsa" file.

➢ The public key is used to verify the private key and resides in
  "~/.ssh/id_rsa.pub".

➢ The "~/.ssh/known_hosts" file lets the client authenticate the server,
  to check that it isn't connecting to a fake server.

Logging Out
When you are finished using the shell and want to quit, you can choose one
of several ways to end the session. You can enter the exit command to
terminate the current shell session. Alternatively, finish a session by
pressing Ctrl+D.

The following is an example of a user logging out of an SSH session:

[remoteuser@remotehost ~]$ exit (or Ctrl + D)
logout
Connection to remotehost closed.
[user@host ~]$

servera.lab.soften.com   172.25.250.10/24
serverb.lab.soften.com   172.25.250.11/24

1. From servera, open an SSH session to serverb.

1.1. Remote SSH login using the hostname

[root@servera ~]# ssh serverb.lab.soften.com
[email protected]’s password: password
[root@serverb ~]# hostname
serverb.lab.soften.com
[root@serverb ~]# exit

(OR)

1.2. Remote SSH login using the IP address

[root@servera ~]# ssh 172.25.250.11
[email protected]’s password: password
[root@serverb ~]# exit

2. From servera, open an SSH session to serverb as student.

[root@servera ~]# ssh [email protected]
[email protected]’s password: password
[student@serverb ~]$ id
uid=1000(student) gid=1000(student) groups=1000(student),10(wheel)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[student@serverb ~]$ exit
3. Run a single command on the remote host.

3.1. Execute the hostname command on serverb remotely using
SSH without accessing the remote interactive shell.

[root@servera ~]# ssh serverb.lab.soften.com hostname
[email protected]’s password: password
serverb.lab.soften.com
[root@servera ~]#

3.2. Execute the following commands on serverb remotely using SSH
without accessing the remote interactive shell.

[root@servera ~]# ssh serverb.lab.soften.com cat /etc/os-release
[root@servera ~]# ssh serverb.lab.soften.com useradd redhat
[root@servera ~]# ssh serverb.lab.soften.com passwd redhat
[root@servera ~]# ssh [email protected] id
[root@servera ~]# ssh [email protected] lsblk
[root@servera ~]# ssh 172.25.250.11 mkdir ~/Desktop/dir{1..5}
[root@servera ~]# ssh [email protected] 'uname -n ; id'
(Quote the command when it contains ";": unquoted, the local shell on servera
splits the line at ";" and runs id locally instead of on the remote host.)
SSH Key-based Authentication

You can configure an SSH server to allow you to authenticate without a password by
using key-based authentication. This is based on a private-public key scheme.

To do this, you generate a matched pair of cryptographic key files. One is a private key,
the other a matching public key. The private key file is used as the authentication
credential and, like a password, must be kept secret and secure. The public key is
copied to systems the user wants to connect to, and is used to verify the private key.
The public key does not need to be secret.

You put a copy of the public key in your account on the server. When you try to log in,
the SSH server can use the public key to issue a challenge that can only be correctly
answered by using the private key. As a result, your ssh client can automatically
authenticate your login to the server with your unique copy of the private key. This
allows you to securely access systems in a way that doesn't require you to enter a
password interactively every time.

Generating SSH Keys

To create a private key and matching public key for authentication, use the ssh-keygen
command. By default, your private and public keys are saved in your ~/.ssh/id_rsa and
~/.ssh/id_rsa.pub files, respectively.

Sharing the Public Key

Before key-based authentication can be used, the public key needs to be copied to the
destination system. The ssh-copy-id command copies the public key of the SSH keypair
to the destination system. If you omit the path to the public key file while running
ssh-copy-id, it uses the default /home/user/.ssh/id_rsa.pub file.

After the public key is successfully transferred to a remote system, you can
authenticate to the remote system using the corresponding private key while logging
in to the remote system over SSH. If you omit the path to the private key file while
running the ssh command, it uses the default /home/user/.ssh/id_rsa file.
Lab Exercise

1. From servera, open an SSH session to serverb as root.

[root@servera ~]# ssh [email protected]

2. Use the su command to switch to the student user on serverb.

[root@serverb ~]# su - student
Password: *****
[student@serverb ~]$

3. Use the ssh-keygen command to generate SSH keys.

[student@serverb ~]$ ssh-keygen
Enter file in which to save the key (/home/operator1/.ssh/id_rsa): Enter
Enter passphrase (empty for no passphrase): Enter
Enter same passphrase again: Enter

4. Use the ssh-copy-id command to send the public key of the SSH
key pair to student on servera.

[student@serverb ~]$ ssh-copy-id student@servera
Are you sure you want to continue connecting (yes/no)? Yes
student@servera's password: *****

5. Execute the hostnamectl command on servera remotely using
SSH without accessing the remote interactive shell.

[student@serverb ~]$ ssh [email protected] hostnamectl


To change the default port (22)

[root@servera ~]# vim /etc/ssh/sshd_config
#Port 22
Port 2222
#AddressFamily any
Esc :wq!

[root@servera ~]# systemctl restart sshd.service
[root@servera ~]# systemctl status sshd.service

[root@servera ~]# semanage port -l | grep ssh
[root@servera ~]# semanage port -a -t ssh_port_t -p tcp 2222

[root@servera ~]# firewall-cmd --permanent --add-port=2222/tcp
[root@servera ~]# firewall-cmd --reload

[root@servera ~]# systemctl restart sshd.service
[root@servera ~]# systemctl status sshd.service

[root@servera ~]# ssh serverb.lab.soften.com (connection refused)
[root@servera ~]# ssh -p 2222 serverb.lab.soften.com

To disable Root login

[root@servera ~]# vim /etc/ssh/sshd_config
PermitRootLogin no
:wq
[root@servera ~]# systemctl restart sshd

To disable password authentication

[root@servera ~]# vim /etc/ssh/sshd_config
PasswordAuthentication no
:wq
[root@servera ~]# systemctl restart sshd
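As an added check that is not part of the original lab, the following shell script reads a constructed sshd_config sample the way sshd reads the real file (the first active occurrence of a keyword wins, commented lines are ignored, and anything below a Match line is conditional) and reports whether the three settings edited above are in their hardened state. The sample text, the Match block and the function names are assumptions made for illustration.

```shell
# Constructed sample sshd_config mirroring the three edits above:
# "#Port 22" is the commented-out default, "Port 2222" the active line.
SAMPLE_SSHD_CONFIG='#Port 22
Port 2222
#AddressFamily any
PermitRootLogin no
PasswordAuthentication no
# A Match block applies only to the named user; the global value stays "no".
Match User backup
    PasswordAuthentication yes
'

# sshd_effective KEYWORD CONFIG_TEXT
# Prints the global value sshd would use for KEYWORD: keywords are
# case-insensitive, "#" starts a comment, the FIRST active occurrence wins
# (later duplicates are ignored), and everything after the first "Match"
# line is conditional, so the scan stops there. Only "Keyword value" is
# handled here, not the "Keyword=value" form.
sshd_effective() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' "$2" | awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
            sub(/[[:space:]]+$/, "")
            print; exit
        }'
}

# check_hardening CONFIG_TEXT
# Compares the effective settings with the hardening steps above; returns 0
# only when root login and password authentication are both disabled.
check_hardening() {
    rc=0
    root=$(sshd_effective PermitRootLogin "$1")
    pw=$(sshd_effective PasswordAuthentication "$1")
    port=$(sshd_effective Port "$1")
    # Defaults used when a keyword is absent (OpenSSH 7.0 and later).
    : "${root:=prohibit-password}" "${pw:=yes}" "${port:=22}"
    [ "$root" = no ] || { echo "FAIL PermitRootLogin=$root (want no)"; rc=1; }
    [ "$pw" = no ] || { echo "FAIL PasswordAuthentication=$pw (want no)"; rc=1; }
    if [ "$port" = 22 ]; then
        echo "INFO Port=22 (default)"
    else
        echo "INFO Port=$port (needs matching semanage port and firewall-cmd rules)"
    fi
    return "$rc"
}
check_hardening "$SAMPLE_SSHD_CONFIG"
```

On a real host, run check_hardening "$(cat /etc/ssh/sshd_config)" as root, or compare its output with sshd -T, which prints the configuration sshd actually loaded.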
SCP (Secure Copy)
SCP copies files between hosts on a network. It uses ssh for data transfer,
and uses the same authentication and provides the same security as ssh.
SCP will ask for passwords if they are needed for authentication.

servera   172.25.250.10/24
serverb   172.25.250.11/24
serverc   172.25.250.12/24

1. From servera, copy files from serverb to serverc as the student user.

[root@servera ~]# scp student@serverb:~/Documents/*.txt student@serverc:~/

2. From servera, copy a directory from serverc to serverb as the student
user.

[root@servera ~]# scp -r student@serverc:/soften student@serverb:~/Desktop

Examples:
[root@serverb ~]# scp serverb:~/Pictures/* student@serverc:~/Pictures/
[root@serverb ~]# scp serverc:~/Desktop/* .   ("." is the present location)

[root@serverc ~]# scp 172.25.250.10:~/abc.txt 172.25.250.12:~/Desktop
[root@serverc ~]# scp -r test_dir 172.25.250.11:/mnt/
