Back in my web design days, I often helped friends and clients troubleshoot their websites. Instead of driving over to their home or office, I opted for a more practical method to access their websites: SSH.
SSH, or Secure Shell, is a network protocol that offers cryptographic communications, even on an unsecured network. This allows for secure, remote connections to a server, often for transferring files to a website or managing a server.
With SSH, I never need to physically access the server in person. I also never have to worry about security issues. I can always tap into a remote, secure server to fix bugs, update content, or modify server settings.
I’ll explain everything about SSH below, from its key components to best practices to follow.
How SSH Works
Some tools — like the terminal — used to access servers via SSH look like they’re from another era. That, unfortunately, may make SSH seem more intimidating.
The good news is that, in my experience, SSH isn’t all that complex to understand. To simplify, I find it best to start with the key components.
Key Components of SSH
Think of SSH as a private conversation between friends. These friends are in different locations, but one friend (let’s call her the client) wants to send a secret message to the other friend (the server).
The other components of this private conversation are the SSH daemon and the SSH client, which I’ll talk about below.
- Client and Server: SSH works on a client-server model, where the client initiates a connection and the server responds. It’s like someone calling her friend on the phone. The client must reach out first.
- SSH Daemon: The server runs an SSH daemon (e.g., sshd) that listens for incoming connections and manages them. Think of this like a connected phone that waits for a call.
- SSH Client: A program (like OpenSSH) that the user interacts with to initiate the connection. An SSH client is the medium for communication, similar to a phone or text messaging app.
You have a client contacting a server that uses an SSH daemon to look out for incoming messages.
And the SSH client makes the connection. But what about security? My example of a friend calling another friend isn’t exactly secure, right? Well, that’s where encryption comes into play.
Encryption and Authentication
It’s clear that my example of a phone call isn’t a guaranteed way to achieve maximum privacy. It’s the same with an SSH client. But what if the friends spoke in their own made-up language? That’s similar to how encryption makes SSH secure.
To help you understand encryption and authentication, I’ll walk you through elements like public-key cryptography, symmetric encryption, and what’s called the “handshake” process.
- Handshake Process:
The handshake happens before any secure communications happen. It’s like a short discussion between the two to pick the best protocol versions — and to perform an initial key exchange, which generates a shared secret for the symmetric encryption process to work properly in step three.
- Public-Key Cryptography:
To achieve a private connection, SSH uses what’s called “public-key cryptography.” In short, this type of cryptography involves the exchanging of keys between client and server — like exchanging passwords between friends — to initiate a conversation and generate a secure connection.
The server uses a private key to authenticate, while the client uses a public key for verification.
Authentication Methods:
- Password Authentication: User logs in by entering a password.
- Public-Key Authentication: More secure. The user generates a public-private key pair, places the public key on the server, and proves possession of the private key to authenticate.
This public-key cryptography only establishes the initial channel. Once the server has authenticated and the client has verified it, SSH switches to symmetric encryption for the rest of the session.
- Symmetric Encryption
Algorithms for symmetric encryption include AES (Advanced Encryption Standard) and DES (Data Encryption Standard), both of which enable secure, speedy environments for data transmission.
This step opens the most secure portal possible for communications. The client and server are now ready to send data back and forth. And the symmetric encryption remains protected and confidential for the entire session.
Key Features of SSH
Now that you have a strong grasp of how SSH works, let’s look at features to expect when you use an SSH client. Hundreds of other features exist, but these are the ones I find most useful.
Secure Remote Login
SSH allows users to remotely access a command line interface on a server or network device securely. This login remains secure, and it’s all thanks to authentication and encryption from the SSH elements I talked about before.
Use Case: A system administrator logging into a web server to configure settings or troubleshoot issues.
File Transfer With SCP and SFTP
One of the main reasons I use SSH is to transfer files to my websites. I might want to upload a WordPress theme, delete some images, or edit one of my CSS files.
Regardless of the reasoning, SSH allows me to transfer files with technologies like SCP and SFTP.
- SCP (Secure Copy Protocol): Enables secure file copying between systems. It’s great for rapid file transfers.
- SFTP (SSH File Transfer Protocol): Provides secure file access, transfer, and management over an SSH connection. This option has stronger file management capabilities than SCP.
Use Case: Securely transferring website files to a remote server or retrieving backups.
Port Forwarding (Tunneling)
This creates a forwarded connection from a local port. As a result, you receive a secure tunnel to a remote server, allowing you to access elements of the server that may usually get restricted by network policies. The data transfer, however, remains encrypted.
Here are the two types of port forwarding you should know:
- Local Port Forwarding: Redirects traffic from one port on the local machine to another port on a remote system via SSH.
- Remote Port Forwarding: Redirects traffic coming from a remote port to a local machine.
Use Case: Accessing internal company applications from outside the corporate network through a secure tunnel.
X11 Forwarding
This type of forwarding allows you to run graphical applications from a remote server on a local machine. It essentially makes it seem like you’re using the remote server’s interface on your local device.
I like to compare it to screen mirroring, where you’re not limited to the interface of an SSH client. Rather, you can interact with the operating systems and applications on the server.
Use Case: Running a graphical Linux application from a remote server on your local machine.
SSH Agent Forwarding
The SSH agent forwarding feature enables users to securely use their local SSH keys on a remote system without copying them over.
Think of an SSH agent forwarding like a friend who holds a landlord’s entire ring of keys when they go to visit one of their rental properties.
Without that trusted friend (the SSH agent), the landlord would have to bring their entire keyring with them, putting all the keys at risk. Instead, they only take along the one necessary key, while the trusted friend holds dozens of others back home.
SSH agents protect all your other keys as you try to connect with an intermediary server.
Use Case: Deploying code to multiple servers using the same local SSH key — without leaving the private key on any remote server.
How to Set Up and Use SSH
I’m glad you took the time to learn the basics of SSH because that helps when working through its setup and use. Now, I’ll show you how to install SSH, generate your keys, and connect to a server.
Installing SSH
To install SSH, you first need to know the type of system you’re using. Is it a Linux/Unix operating system or Windows? With your system in mind, you’ll open the command line terminal on your machine.
The easiest way to open the terminal is to type “Terminal” in the application menu for Linux or the Start menu search bar in Windows.
On Linux/Unix Systems
SSH usually comes pre-installed on Linux/Unix systems, so check whether it’s already there before installing anything. Below are the commands — based on your Linux distribution — for installing SSH if it’s missing.
- To install SSH on Arch Linux:
sudo pacman -Sy openssh
- To install SSH on Ubuntu/Debian/Linux Mint:
sudo apt update && sudo apt install openssh-server openssh-client
- To install SSH on CentOS/Fedora/RHEL:
sudo dnf install openssh-server openssh-clients
Regardless of the Linux distribution, you can then check the SSH version and verify the success of the installation with this command:
ssh -V
After that, your machine is ready to establish remote, secure connections with SSH.
For Windows
Although OpenSSH is now included in Windows, I’d like to walk you through installing a dedicated SSH client such as PuTTY.
On the Windows operating system, start by opening the terminal. Simply type “Terminal” into the Start menu search bar.
- Download the PuTTY SSH client: Go to the PuTTY website. Click on the Download PuTTY link, then download the right MSI installer for your Windows version.
- Run the MSI installer: Find the MSI installer file wherever you downloaded it. Double-click the file to start the installation.
- Walk through the Setup Wizard: You’ll see a Setup Wizard. Click through the Next buttons until you can pick a destination folder for your PuTTY installation. Select a folder, then click Next.
- Finish the installation: Click the Install button. Wait for it to finish. When it’s done, click on the Finish button.
Your Windows machine now has PuTTY installed to connect to servers via SSH.
Generating SSH Keys
Before I show you how to generate SSH keys, I’d like to present a few best practices that have helped me in the past. First, I highly recommend storing all your private keys in a secure space.
Opt for an encrypted file storage or password management solution. And always be sure to set strong passphrases.
As a second best practice, I try to limit access to my keys with very strict access controls. Along with regularly rotating keys and backing up those keys in off-site locations, these best practices keep everything secure.
Now onto the generation of SSH keys.
Generating SSH keys on Windows (I’ll use PuTTYgen for this):
- Open the PuTTYgen tool.
- Click on the Generate button.
- Move your mouse around the blank area of the window to supply randomness for the key.
- Save both the private key and the public key that PuTTYgen presents.
Generating SSH keys on Linux/MacOS:
- Open the terminal.
- Run the ssh-keygen -t rsa -b 4096 command.
- Click through the prompts.
- Set a passphrase and save the keys.
As a final best practice, I encourage you to use devices called HSMs (Hardware Security Modules). They’re like hard drives but with a tamper-resistant environment for securely storing keys.
Connecting to a Server
Now you’re ready to connect to a server. Here’s how I prefer to connect.
Use this command in the terminal:
ssh username@ip-address-for-server
To make a more advanced connection, consider using the following SSH options:
- -X: Great for turning on X11 forwarding, specifically for GUI applications.
- -i: Indicates a specific private key file for authentication.
- -p: Specifies a port to use besides the standard 22 port.
For the command, remember to replace “username” with your SSH username. And swap out “ip-address-for-server” with the server’s IP address.
When using the SSH options, you would insert them into your command, like how I added a -p option here: ssh -p 2222 user@host.
Transferring Files
After I’ve connected to a server, I usually want to transfer files. I like to use one of two methods: SCP (Secure Copy Protocol) or SFTP (SSH File Transfer Protocol).
With SCP:
- Enter and execute this command into the terminal: scp source-file username@server:/path.
- Example: I might want to transfer a file called example.txt to a server. For that, I would use this command: scp example.txt username@server:/path.
With SFTP:
- Log into the server using SFTP with this command in the terminal: sftp username@server.
- Transfer the files: Use put example-file.txt to upload a file to the remote server or get example-file.txt to download a file from the remote server.
There’s no need to worry about security with either SCP or SFTP. Both methods use the power of SSH to keep your communications confidential.
SSH Security Best Practices
On its own, SSH protects all data transfers between your client and a remote server. But these types of technologies are often only as effective as the humans that control them. So, it’s essential to do your part in following the best practices of SSH.
Using Strong Passwords or Public Key Authentication
I’ve found that public key authentication has several advantages over passwords: cryptographic strength, multi-factor authentication, and protection against a compromised server.
In short, the cryptographic element of public key authentication is stronger than even the longest passphrases. And on top of the added layer of security with multi-factor authentication, the key never actually leaves the local client machine.
This means a bad actor can’t easily access the private key.
How to Set Up Public-Key Authentication:
- Create a key pair: Use the ssh-keygen command in your local terminal to generate a pair of public and private keys. Keep the private key secure.
- Copy over the public key to the server: You can do this by manually adding the public key to the server’s ~/.ssh/authorized_keys file, or you have the option to run the ssh-copy-id username@server command in the terminal.
- Configure SSHD: Open the server’s /etc/ssh/sshd_config file in an editor. To turn off all password logins, set the line to PasswordAuthentication no.
- Restart the SSH service: This applies your changes. Simply run the sudo systemctl restart sshd command in the terminal to make it happen.
With public-key authentication in place and password logins disabled, you’re well on your way to a more secure SSH environment.
Disabling Root Login
One best practice to follow involves disabling the root login of the server to prevent brute-force attacks.
These attacks happen when someone targets the root account and tries thousands of username and password combinations to force their way into the server.
How to Disable Root Login
- Open the configuration file for SSH: Open this file in a text editor: /etc/ssh/sshd_config.
- Find the line for PermitRootLogin: Locate the #PermitRootLogin yes line in the file.
- Change it: Modify the line to read PermitRootLogin no. This turns off the root login option.
- Save: Be sure to save your changes and leave the editor.
- Restart: Use the sudo systemctl restart sshd command to restart the SSH service.
I prefer disabling the root login access before trying to transfer files via SSH. This way, I rarely have to worry about one of the most common cyberattacks: brute force attacks.
Changing the Default SSH Port
SSH listens on port 22 by default. Because this is so widely known, it’s another target for brute force attacks.
As a solution, I change the default SSH port to something else.
How to Change the Default SSH Port
- Change configuration file: Using the following command, open the configuration file in a text editor: sudo nano /etc/ssh/sshd_config.
- Modify the port number: Find this line: #Port 22. Uncomment the line and change the number to another port number, like 2222.
- Make sure the firewall allows the new port: Run this command to allow the new port: sudo ufw allow 2222/tcp.
Once finished, restart your SSH service using the sudo systemctl restart sshd command. I also recommend testing the new port by opening a new terminal and running this command: ssh -p 2222 username@server_ip.
Limiting User Access and IP Whitelisting
One way I like to protect my SSH connection is by limiting user access.
This tells the SSH server which users (and from which addresses) to allow, based on a whitelist.
IP Whitelisting
There are two easy ways to whitelist IP addresses:
- SSH configuration: Edit the /etc/ssh/sshd_config file to list which IPs (and which users from those IPs) are allowed.
- Firewall rules: Consider tools like ufw or iptables to put specific IPs on your whitelist.
Here’s an example of a firewall rule using iptables: iptables -I INPUT -s IP_ADDRESS -j ACCEPT. Here’s one using ufw: ufw allow from IP_ADDRESS.
SSH Key Management and Passphrases
Although we’ve established that private keys work better for security than passwords, it’s still wise to add a second layer of protection with a passphrase that secures your private keys.
One way to do this without having to re-enter passphrases is with SSH agents.
Using an SSH Agent
- Run the SSH agent: Run the eval $(ssh-agent) command in the terminal to launch the SSH agent.
- Add your keys: Run the ssh-add ~/.ssh/id_rsa command to give your private keys to the SSH agent.
- Complete key verification: List all the added keys by using this command: ssh-add -l.
- Enable agent forwarding: Turn on agent forwarding by adding the line ForwardAgent yes to the ~/.ssh/config file.
An SSH agent holds your decrypted private keys in memory. This way, you get the protection of a passphrase without having to type it in every time.
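Because a forwarded agent can be used by anyone who is root on the intermediate machine, I prefer to enable ForwardAgent only for the hosts that need it rather than globally. The following added example (not from the article) audits a ~/.ssh/config for where forwarding is turned on and prints the per-host layout I would use instead; it assumes POSIX sh and awk, keyword-value syntax (no “=”), and bastion.example.com is a constructed placeholder.

```shell
#!/bin/sh
# Print the Host pattern of every block that sets "ForwardAgent yes" and
# return 1 if the setting is global ("Host *", or above any Host line).
# Usage: audit_forward_agent ~/.ssh/config
audit_forward_agent() {
    awk '
        BEGIN { host = "*" }   # directives before any Host line apply everywhere
        tolower($1) == "host"  { host = $2; for (i = 3; i <= NF; i++) host = host " " $i; next }
        tolower($1) == "match" { host = "Match " $2; next }
        tolower($1) == "forwardagent" && tolower($2) == "yes" {
            print host
            if (host == "*") global = 1
        }
        END { exit global }
    ' "$1"
}

# Layout I recommend instead of a global "ForwardAgent yes": forward only
# to the one bastion that needs it. AddKeysToAgent loads a key into the
# running agent on first use, so the passphrase is typed once per agent.
scoped_config() {
    cat <<'EOF'
Host bastion
    HostName bastion.example.com
    ForwardAgent yes

Host *
    ForwardAgent no
    AddKeysToAgent yes
EOF
}
```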
Common SSH Errors and Troubleshooting
Errors are often part of the SSH process. Sometimes it’s a human error. Sometimes there’s something up with the server. I’ll highlight common errors and how to troubleshoot them below.
Connection Refused
Whenever I see the “Connection Refused” error, it indicates a problem on the server side. Luckily, it’s easy to identify the causes and fix it.
Possible Causes:
- SSH server down
- Firewall blocking
- Incorrect IP or port
How to Fix It:
Check the server status. You should also double-check your firewall rules and port configuration to ensure neither blocks the connection.
Permission Denied (publickey)
Here’s an error that’s fairly easy to understand. It’s telling you the server denied the connection because there’s a problem with the authentication of the public key.
Possible Causes:
- Incorrect or missing SSH keys
- Misconfigured permissions on the .ssh folder
How to Fix It:
Start by ensuring the correct public key is in the server’s ~/.ssh/authorized_keys file and that permissions are set properly. Use these commands to set the right permissions: chmod 700 ~/.ssh and chmod 600 ~/.ssh/authorized_keys.
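OpenSSH silently ignores keys and authorized_keys files whose modes are too open, which is the usual cause of this error. The following added example (not from the article) reports every path under an .ssh directory whose mode differs from the chmod values above and can tighten them; it assumes GNU stat (Linux), and the fix keyword is my own convention.

```shell
#!/bin/sh
# Check (and optionally fix) the file modes OpenSSH expects under an .ssh
# directory. Prints each offending path; returns 1 if any mode was wrong,
# 0 if everything was already correct.
# Usage: check_ssh_perms [dir] [fix]     dir defaults to ~/.ssh
# Assumes GNU stat; on BSD/macOS use "stat -f %Lp" instead.
check_ssh_perms() {
    dir=${1:-"$HOME/.ssh"}; mode=${2:-report}; bad=0
    for path in "$dir" "$dir"/authorized_keys "$dir"/config "$dir"/id_*; do
        [ -e "$path" ] || continue              # unmatched globs stay literal
        case $path in *.pub) continue ;; esac   # public keys may stay readable
        if [ -d "$path" ]; then want=700; else want=600; fi
        have=$(stat -c '%a' "$path")
        if [ "$have" != "$want" ]; then
            printf 'wrong mode %s on %s (want %s)\n' "$have" "$path" "$want"
            bad=1
            if [ "$mode" = fix ]; then chmod "$want" "$path"; fi
        fi
    done
    return "$bad"
}

# Example session (not run here): report first, then fix.
#   check_ssh_perms             # lists problems, exit status 1
#   check_ssh_perms ~/.ssh fix  # tightens them (still exits 1: problems found)
#   check_ssh_perms             # exit status 0
```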
Network Timeouts
A network timeout error has to do with your network. I’ve also found that network timeouts can occur when other elements, like firewalls and routing issues, interfere with the network.
Potential Causes:
- Network latency
- Firewalls
- Routing issues
How to Fix It:
The first step is to check your network connection. If that’s good, adjust the SSH keepalive settings by editing /etc/ssh/sshd_config (for example with sudo nano /etc/ssh/sshd_config) and changing the ClientAliveInterval line to something like ClientAliveInterval 60.
SSH in Modern Use Cases
SSH has lost some of its benefits over the years — thanks to modern content and server management systems — but there are still plenty of use cases. I’ll explain the most common use cases of SSH below.
DevOps and Cloud Management
Using tools like Terraform and Ansible, DevOps and cloud management teams can automate SSH access. They use this automation for workflows and improved security.
Use Case: SSH plays a critical role in managing cloud infrastructure like AWS and Azure and deploying code through CI/CD pipelines.
SSH in IoT
For IoT (Internet of Things) devices, the goal is to maintain a secure and efficient infrastructure. With SSH, anyone can improve operational reliability and reduce downtime for a network of IoT devices.
Use Case: Remote management of IoT devices in the field via SSH, ensuring secure firmware updates and configuration management.
Tunneling for Secure Internet Access
SSH tunneling has the unique advantage of creating secure online connections over unsecured networks. It sends traffic through a remote server, which uses SSH as a proxy to add a layer of encryption.
Use Case: Using SSH as a proxy to tunnel web traffic securely over unsecured networks — like with a public WiFi network.
SSH as Your Secure, Mobile Connectivity Friend
Although I find SSH to have a bit of a learning curve, it’s actually much easier to complete tasks — when compared to messy content and server management systems — once you get the hang of it.
SSH keeps your communications between a client and server secure. It also allows for mobile connectivity.
You now know the basics and advanced elements of SSH. You can connect to a server with ease. You can upload and download files while following best practices to remain secure.
Now it’s time to practice what you’ve learned. Go install an SSH client to get started.