SSH is a secure protocol that allows us to access a remote machine. After authentication, all traffic between the client and the remote machine is encrypted. The client also keeps track of machines that it has communicated with before, and warns the user if the public key of a machine changes, as that could be a sign of a man-in-the-middle attack.
To a large extent, ssh obsoletes several older network protocols such as telnet and ftp, and these older protocols should not be used as they are not secure.
OpenSSH is an open source implementation of the SSH tools. It is available for many Unix-like systems, and is widely used.
To log into host as a particular user, we can use either of the following forms of the ssh command
ssh -l [username] [host]
where username is the username that we would like to log in as, and host is the domain name or the IP address of the host we would like to log into.
The scp command can be used to copy files between local and remote locations
scp [sourcefile] [...] [dest_loc]
where sourcefile and dest_loc can either be a local file
path, or a remote file path in the format
SSH tunneling is a powerful feature of SSH. It allows us to access a service remotely in a secure manner, even one that uses an insecure protocol (such as VNC). All traffic between the client and the ssh server will be encrypted to ensure data integrity and confidentiality.
To do this, we need to set up an SSH tunnel between a port on the local machine and the desired port on the destination machine. Instead of accessing the destination machine directly, we need to set up the application to point to the local port. SSH will encrypt the application traffic, and redirect it to the destination server machine. This is shown in the diagram below.
To set up an SSH tunnel, execute the following command
ssh -L[local_port]:localhost:[destination_port] [username]@[server]
server specifies the hostname of the ssh server machine through which the tunnel will be set up. username is a valid login for the ssh server. The -L option specifies the local port and the destination port on the destination machine. The localhost in the option specification indicates that the destination machine is the same as the machine on which the ssh server is running. We can specify a different destination machine than localhost. This could be useful if we want to use the ssh server as a proxy server to connect to machines behind a firewall, for instance.
Because the root account has all rights and permissions on the system, it is critical to protect the root account on a Linux (indeed any Unix-like) system. To minimize the chances of a brute force attack on the root account, it is a good idea to disable root login through ssh.
To disable root login, modify the sshd configuration file so that PermitRootLogin is set to no
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
Then restart sshd. On Fedora, the following command should do the trick
sudo systemctl restart sshd.service
Besides standard password based authentication, SSH provides an alternative way of authentication with the remote machine, based on public key authentication.
Instead of authenticating by passing the account password over the network, authentication is based on public/private key pair generated for the account on the client machine. The ssh server will then use the public key to issue a challenge to the client machine to confirm that it has access to the corresponding private key, thereby authenticating the client machine.
If set up properly, this can provide a more secure way of authenticating the login. However, it is important to ensure that the private key is properly secured, by making sure that the account is properly secured, and the ssh private key is protected with a passphrase.
To enable public key authentication, update the sshd configuration file to ensure that the following lines are set properly
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
Restart sshd if necessary.
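An added example, not part of the original article, that checks a configuration file for the two settings discussed above (PermitRootLogin and PubkeyAuthentication), following sshd's rule that the first uncommented occurrence of a keyword wins. The function names and the sample file are assumptions made for illustration; on a real host the file is commonly /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original page): audit an sshd_config-style file
# for the two settings discussed in the article.

# effective_value FILE KEYWORD
# Prints the value sshd would use from the global section: keywords are
# case-insensitive, commented lines are ignored, the first occurrence wins,
# and parsing stops at the first Match block. Include files are not followed.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        { sub(/^[ \t]+/, "") }            # drop leading whitespace
        /^#/ || /^$/ { next }             # skip comments and blank lines
        tolower($1) == "match" { exit }   # global section ends here
        tolower($1) == want {             # first uncommented setting wins
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }
    ' "$1"
}

# audit_sshd_config FILE
# Returns 0 only when root login is explicitly set to "no" and public key
# authentication has not been switched off. Prints one line per check.
audit_sshd_config() {
    _rc=0
    _root=$(effective_value "$1" PermitRootLogin)
    _pubkey=$(effective_value "$1" PubkeyAuthentication)
    if [ "$_root" = "no" ]; then
        echo "ok    PermitRootLogin no"
    else
        echo "FAIL  PermitRootLogin is '${_root:-unset}', expected 'no'"
        _rc=1
    fi
    if [ "$_pubkey" = "no" ]; then
        echo "FAIL  PubkeyAuthentication is disabled"
        _rc=1
    else
        echo "ok    PubkeyAuthentication ${_pubkey:-unset (default yes)}"
    fi
    return "$_rc"
}

# Constructed sample: the PermitRootLogin line is commented out, so it does not count.
sample=$(mktemp)
printf '%s\n' '#LoginGraceTime 2m' '#PermitRootLogin no' \
    'PubkeyAuthentication yes' > "$sample"
audit_sshd_config "$sample" || echo "sample config needs attention"
rm -f "$sample"
```

A leading # is the difference between an active setting and a comment, which is why the constructed sample fails the check even though it contains the text "PermitRootLogin no".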
Next, we need to generate the ssh public/private key pair on the client account by running ssh-keygen. As we discussed before, to properly secure the system, it's best to choose a non-trivial passphrase instead of leaving it empty. The private key will be encrypted with the passphrase, providing protection even if the account was broken into.
If defaults are chosen, the public key can be found in the .ssh/id_rsa.pub file in the client account. We need to add the public key of the client to the .ssh/authorized_keys file on the remote account that we want to log in to. It is important to make sure that we have appropriately restricted permissions on both the .ssh directory and the .ssh/authorized_keys file. Assuming the id_rsa.pub file has been copied to the remote account, we can achieve the above with the following commands.
chmod 700 .ssh
chmod 600 .ssh/authorized_keys
cat id_rsa.pub >> ~/.ssh/authorized_keys
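The same steps as a re-runnable function, given here as an added example that is not part of the original article: it creates the directory and file if they are missing, applies the 700 and 600 modes, and appends the key only once. The function name install_pubkey, its optional home directory argument and the sample key line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): install a public key into an
# account's authorized_keys file so that re-running it is harmless.

# install_pubkey PUBKEY_FILE [HOME_DIR]   (HOME_DIR defaults to $HOME)
install_pubkey() {
    _pub="$1"
    _dir="${2:-$HOME}/.ssh"
    _auth="$_dir/authorized_keys"

    # Accept only a file holding exactly one public key line. A private key
    # file has several lines and starts with "-----BEGIN", so it is refused.
    [ -f "$_pub" ] || { echo "no such file: $_pub" >&2; return 1; }
    [ "$(grep -c . "$_pub")" -eq 1 ] || { echo "expected one key line" >&2; return 1; }
    _key=$(cat "$_pub")
    case "$_key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not a recognised public key: $_pub" >&2; return 1 ;;
    esac

    # Create directory and file under a restrictive umask so they are never
    # briefly readable by others, then set the modes from the article.
    ( umask 077 && mkdir -p "$_dir" && touch "$_auth" ) || return 1
    chmod 700 "$_dir" || return 1
    chmod 600 "$_auth" || return 1

    # Append only when the exact line is not already present.
    if ! grep -qxF -- "$_key" "$_auth"; then
        printf '%s\n' "$_key" >> "$_auth"
    fi
}

# Demo in a throwaway directory with a constructed (not real) key line.
demo_home=$(mktemp -d)
echo 'ssh-rsa AAAAconstructedNotARealKey user@client' > "$demo_home/id_rsa.pub"
install_pubkey "$demo_home/id_rsa.pub" "$demo_home" && ls -ld "$demo_home/.ssh"
rm -rf "$demo_home"
```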
The next time we try to log in to the remote account from the (authorized) client account, the ssh client will ask for the passphrase so it can decrypt the private key before authenticating with the remote machine.
ssh-agent can be used to minimize the number of times the passphrase must be typed in. Instead of asking for the passphrase every time we try to log in, the passphrase will be requested once for the session. 
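To set up ssh-agent, start ssh-agent and then run ssh-add to add the private key file we desire, as follows. ssh-agent prints the environment variables that ssh-add needs to find it, so its output is evaluated by the shell.
eval "$(ssh-agent -s)"
ssh-add [private_key_file_path]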
Note that in the GNOME environment, gnome-keyring can handle ssh keys to support the same behavior, so by default, the instructions in this section are not necessary. If this behavior is not desirable, we can disable this and use ssh-agent.
To differentiate between different public key files, use the ssh-keygen program to print the fingerprint as follows
ssh-keygen -l -f [public_key_file_path]
Written by Mike Kwong