What is OpenSSH? #
OpenSSH allows us to log on to and execute commands on remote computers. It is an open-source implementation of the Secure Shell (SSH) protocol, which provides secure, encrypted communications between two untrusted hosts over an insecure network.
OpenSSH is a set of powerful tools for managing your networked computers. You’ll learn about different ways to configure the OpenSSH server application and how to adjust them.
OpenSSH is freely available, open source software designed to securely connect to and transfer files between servers. Some old tools, such as telnet and rcp, are not secure and transmit your passwords in plain text. It is advisable to avoid these. OpenSSH is a software suite that provides a daemon and client tools to facilitate remote control and file transfer operations securely. It can replace your current legacy filesharing technology.
The OpenSSH server, sshd, watches for client connections and, when one comes in, establishes the appropriate kind of session for the client that is connecting: when the remote machine connects with the ssh client programme, for instance, sshd creates a remote control session once the user has authenticated. OpenSSH requires remote users to authenticate themselves before they can run commands or copy files. Several authentication methods are available, such as key-based authentication or a password alone.
Installing the OpenSSH client and server applications is not difficult. On a Debian- or Ubuntu-based Linux system, I recommend this command to install the client:
sudo apt install openssh-client
The OpenSSH server and its associated files are installed with this terminal command:
sudo apt install openssh-server
Configure the default behaviour of the OpenSSH server application, sshd, by editing the file /etc/ssh/sshd_config. The configuration directives used in this file are documented in the sshd_config manual page.
There are many directives in the sshd configuration file controlling such things as communication settings and authentication modes. The following are examples of config directives that can be changed by editing the /etc/ssh/sshd_config file.
Furthermore, always check the configuration of your ssh server after making any changes and before restarting it, so that a syntax error cannot leave you locked out; the following command validates the file without starting the server:
sudo sshd -t -f /etc/ssh/sshd_config
- For example, to have the server display the contents of the issue.net file as a login banner, add or modify the banner line in your /etc/ssh/sshd_config file.
After making changes to the sshd_config file, save it and restart the server application using this command at a terminal prompt:
sudo systemctl restart sshd.service
SSH Keys #
SSH allows us to securely connect two hosts without the need for a password. It does this with a key pair: a private key that stays on the client and a public key that is placed on the server. Possession of the private key, rather than a password, proves the user's identity, and the public key cannot practically be used to recover the private one.
To generate the keys from a terminal prompt, enter:
ssh-keygen -t rsa
This will generate the keys using the RSA algorithm. At the time of this writing, the generated keys will have 3072 bits. You can modify the number of bits by using the -b option. For instance, to generate keys with 4096 bits you can do:
ssh-keygen -t rsa -b 4096
During the process you will be prompted for a passphrase. Simply hit Enter when prompted to create the key without one; note that an empty passphrase leaves the private key stored unencrypted on disk, so anyone who can read the file can use it.
By default the public key is saved in the file ~/.ssh/id_rsa.pub, while ~/.ssh/id_rsa is the private key. Now copy the id_rsa.pub file to the remote host and append its contents to ~/.ssh/authorized_keys there.
Finally, double check the permissions on the authorized_keys file: only the authenticating user should be able to read and write it. If the permissions are not correct, change them with:
chmod 600 .ssh/authorized_keys
You should now be able to SSH to the host without being prompted for a password.
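The append-and-fix-permissions step above, written out as an added example (not code from the original page): it installs a public key line into an authorized_keys file exactly once, sets the directory to 700 and the file to 600, and provides a check that reports whether those modes are in place. The ssh_dir argument and the key line used in testing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original page: install a public key into an
# authorized_keys file the way the manual step above describes and verify the
# permissions afterwards. ssh_dir is a parameter so it can run against a
# scratch directory; the key line used for testing is constructed, not real.

# Accept only the shape of an OpenSSH public key line: "<type> <base64> [comment]".
valid_pubkey_line() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_authorized_key <ssh_dir> <pubkey_line>
# Creates <ssh_dir> with mode 700, appends the key to authorized_keys once
# (re-running does not duplicate it) and leaves the file at mode 600.
install_authorized_key() {
    ssh_dir=$1
    key=$2
    if ! valid_pubkey_line "$key"; then
        echo "refusing malformed public key line" >&2
        return 1
    fi
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    ak="$ssh_dir/authorized_keys"
    [ -f "$ak" ] || : > "$ak"
    chmod 600 "$ak" || return 1
    # Compare type and key material only, so a changed comment is not a duplicate.
    keyid=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if ! awk '{print $1 " " $2}' "$ak" | grep -Fxq "$keyid"; then
        printf '%s\n' "$key" >> "$ak"
    fi
}

# check_authorized_keys_perms <ssh_dir>
# Succeeds only when the directory is 700 and authorized_keys is 600; sshd's
# default StrictModes check refuses a file or directory writable by others.
check_authorized_keys_perms() {
    ssh_dir=$1
    [ -n "$(find "$ssh_dir" -maxdepth 0 -perm 700)" ] || return 1
    [ -n "$(find "$ssh_dir/authorized_keys" -maxdepth 0 -perm 600)" ] || return 1
}

# key_count <ssh_dir>: number of key lines currently in authorized_keys.
key_count() {
    grep -c . "$1/authorized_keys"
}
```

Run it against a scratch directory first; pointing it at a real ~/.ssh only adds the key and tightens the modes, it never removes existing entries.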
Import keys from public keyservers #
These days many users already have SSH keys registered with services like Launchpad or GitHub. Those can be easily imported with:
The prefix lp: is implied and means fetch from Launchpad; the alternative gh: makes the tool fetch from GitHub instead.