The SSH (Secure Shell) is a cryptographic protocol for point-to-point communication over the insecure network (Internet). It obsoletes the old protocols used in the old days (
It is commonly used to connect to remote servers, virtual machines or containers in data center or in your private cloud (google compute engine, AWS, ...). But it is also commonly used in conjunction with
git for accessing and updating your repository securely and easy using public keys instead of passwords.
It should also mention any large subjects within ssh, and link out to the related topics. Since the Documentation for ssh is new, you may need to create initial versions of those related topics. TODO
|Version||Release notes||Release Date|
|OpenSSH 7.3p1||Latest version||2016-08-01|
Free version of SSH protocol implementation, OpenSSH is available in all the Linux distributions. It consists of the server and client packages.
# apt-get install openssh-server openssh-client
# yum install openssh-server openssh-clients
Current Fedora is using
dnf instead of
# pacman -S openssh
opensshshould be already installed.
If you want to use more recent version, you need to install the
openssh from brew:
# brew install openssh --with-brewed-openssl --with-keychain-support
openssh client does not need any special setup and is ready to use just after installation. You can try that running
ssh remote, where the
remote is the remote host running
openssh server is usually started after the installation and default setup is applied. If not, you can start it on
systemd based systems using
On Debian-based Linux with systemd:
# systemctl start ssh
On RHEL/CentOS/Fedora and Arch Linux:
# systemctl start sshd
Or on upstart systems using
# service sshd start
openssh have configuration files under
/etc/ssh/. The client is also reading client configuration in
~/.ssh/config. The server is using a file
sshd_config, which contains most of the default values and contains simple key-value pairs. Example:
Protocol 2 PasswordAuthentication yes ChallengeResponseAuthentication no UsePAM yes AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY X11Forwarding yes Subsystem sftp /usr/libexec/openssh/sftp-server
You can create your ssh key using ssh-keygen, it's a program that is part of the ssh installation. To do so just run it and follow the instructions on screen.
Here's an example:
$ ssh-keygen Generating public/private rsa key pair.
The default directory where you ssh key pair will be saved is inside the
.ssh folder in your home directory (you can change this by specifying a valid path) and the default name for the keypair is
id_rsa for the private key and
id_rsa.pub for the public key:
Enter file in which to save the key (/home/nasreddine/.ssh/id_rsa): /home/my_folder/my_ssh_key
You can protect your SSH key from unauthorized use by entering a password. This is optional but it's recommended that you use a passphrase. Note that, like with any other command program, when entering your passphrase it will not show anything on screen but it is being recorded:
Enter passphrase (empty for no passphrase): Enter same passphrase again:
Once you enter your passphrase ssh-keygen will generate a key and save it to the path you chose:
Your identification has been saved in /home/my_folder/my_ssh_key. Your public key has been saved in /home/my_folder/my_ssh_key.pub.
We're done. Now our ssh key is ready for use.
In order to login to a user's account on machine with SSH you can use the command
ssh [email protected]_address. It will ask for a password. If you type the correct password, you will be connected to the shell of that user on that machine. Otherwise it will prompt for the password again.
[email protected]:~# ssh [email protected] [email protected]'s password: Welcome to Ubuntu 16.04 LTS (GNU/Linux 4.4.0-31-generic x86_64) Last login: Fri Jul 22 18:33:27 2016 from 10.11.50.10 [email protected]:~#
If you want to use a specific ssh key to connect to a machine, use
ssh -i /path/to/ssh_secret_key [email protected]
When you are connecting to a machine for the very first time, it will ask you to verify the fingerprint of the target machine. This is a security mechanism for avoiding a man-in-the-middle attack. You can see the fingerprint of the target machine by issuing this command in the target machine.
ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_ecdsa_key.pub
You can type "yes" if both are same. It will proceed to password prompt.
[email protected]:~# ssh [email protected] The authenticity of host '10.11.50.3 (10.11.50.3)' can't be established. ECDSA key fingerprint is dd:a3:de:cd:5b:01:cd:0b:b6:bc:b3:09:c2:c8:1a:68. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '10.11.50.3' (ECDSA) to the list of known hosts. [email protected]'s password: Last login: Fri Jul 22 17:45:09 2016 from 10.11.1.71 [email protected]:~#
In order to
ssh into a server your identity's public key has to be added to the list of trusted keys. Most commonly this is done per-user:
ssh-copy-id -i ~/.ssh/<identity>.pub <user>@<hostname>
Which can be also done manually:
cat ~/.ssh/<identity>.pub | ssh <user>@<hostname> 'cat >> ~/.ssh/authorized_keys'
After doing that you should be able to log in without need to provide user's password when passing the identity file to the
When you really need to script
ssh connection, piping the password into the
ssh command does not work (
echo passw0rd | ssh host). It is because the password is not read from standard input, but directly from TTY (teleprinter, teletypewriter, Teletype for historical reasons).
But there is
sshpass tool which works around this problem. It can read the password from parameter, file or environment variable. But note that none of these options does not satisfy the security requirements for a passwords!
$ sshpass -p passw0rd ssh host $ sshpass -f /secret/filename ssh host $ SSHPASS=passw0rd sshpass -e ssh host
The command line options can be seen by other users in
ps (during runtime it is masked, but not during start time and you can't rely on it):
... 23624 6216 pts/5 Ss Aug30 0:00 \_ /bin/bash ... 12812 1988 pts/5 S+ 08:50 0:00 | \_ sshpass -p passw0rd ssh host ... 45008 5796 pts/15 Ss+ 08:50 0:00 | \_ ssh host
Note, that environemnet variables of a process are also accessible by other processes on the system using
Finally, storing the password in the file might look like the best possible idea, but still using keys as described in the other examples is preferred way to use
OpenSSH config files are used for configuration that should be applied every time the ssh client is run. Most command line options are possible to put in the config files.
OpenSSH uses configuration from the following sources in order:
Configuration options are listed one by one in the config files.
# This is a comment. # Parameter can be specified like this, separated with white space. StrictHostKeyChecking ask # Or parameter key and value may be separated with white space and =. ForwardX11 = yes # The parameter value can be quoted if it contains white space. IdentityFile "/file system/path with/white space"
The full list of possible config parameters is available here.
One of the most useful features of the config file is that it can be sectioned based on host name or address. In this way you can have different configurations for different hosts.
# Based on host name. Host host1.domain.com User user1 Host host2.domain.com User user2 # Or wildcard matching name or ip. Host *elastic-cloud.com 10.201.4.? User user3
If you have set a long passphrase and do not wish to keep entering it every time you want to connect to the server, you can use SSH-Agent to store your passphrase while you are logged in on your computer.
Start the ssh-agent in the background:
eval "$(ssh-agent -s)" # Agent pid 59566
And add your key to the ssh-agent, you will be prompted to enter your passphrase:
ssh-add ~/.ssh/matrix.ac # Enter passphrase for /home/osaka/.ssh/matrix.ac: # Identity added: /home/osaka/.ssh/matrix.ac (/home/osaka/.ssh/matrix.ac)
Done. Now connect with
ssh [email protected] and you should not have to enter your passphrase. You can extend this by using programs like gnome-keyring/seahorse, keychain and other key managers.