SSH (Secure SHell) is a protocol to communicate distantly with servers or devices.
This is the main way to connect, send/get files, execute commands on your server.
📖 Resources
To connect to a distant server, a way to do it could look like:
ssh <user>:<password>@<host>ℹ️ information
<host>can be anything resolving to a distant server/computer: an IP address, a domain name, or an internal host on a company VPN...
Let's try it
You can now execute any command on your distant serve: try a couple:
ls -latouch TEST.txtls -laagain
You should be able to see the file you just created.
This connection method has a big problem though:
- log out
- open your bash history
cat ~/.bash_history - look at the last line
🃏 hints
- press
ctrl+Dto log out- if you are using ZSH:
cat ~/.zsh_history
You can see in the latest lines the command you used to connect to your server. This means someone with access to your computer could try to harvest some of your passwords with a simple command. This is pretty bad.
Basically, if the access to your computer or server is compromised, we still want to avoid a badly intention person to do harm.
📣 Someone who has access to your server must (still) be harmless.
How can we prevent having password in the history?
ssh <user>@<host>You should see a prompt asking for a password, input it manually.
Tada! You're logged in, without leaking credentials somewhere on your laptop (prompt is not saved to the shell history)
Passwords are not a good idea to log in, for a simple reason:
Humans are terrible at choosing good passwords. (or really good at choosing bad passwords)
Example: pass123, my birthdate, the same password as my FB account, etc.
What we want is use SSH keys to connect to servers for multiple reasons:
- we would not know our own passwords
- complex enough to avoid brute-force attacks
- no credentials leaked if the server is compromised
- ability to revoke access for certain keys easily
📖 Resources
We can generate an SSH key pair (private/public)
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"ℹ️ information
-t rsawill tell the program to generate keys of type RSA-b 4096will generate a 4096 bytes long key (the bigger the number, the safer and slower the key generation will be). 4096 is the today standard, it may double in a couple of years."your_email@example.com"is just to help identify why create the key.
You will need to provide a couple of things:
- a path for where to save this SSH key on your computer (
⚠️ be careful to not erase one of your existing ones) - a passphrase: it will encrypt your private key, so if your computer gets compromised, an attacker cannot get use your SSH keys easily.
Also, add this key to ssh-agent (the program in charge of using your keys when using ssh):
eval "$(ssh-agent -s)"ssh-add -K <path-of-your-key>
Once we have generated a new key, we need to import it to our server. It can be done with the following:
ssh-copy-id -i <path-of-the-ssh-key> <user>@<host>
You can check it work by doing the following:
- Log out of your server if needed
ssh <user>@<host>- You should be logged in without being asked a password.
🎉
SSH connection is one, what we did is actually not enough, let's configure SSH and the operating system to make it more secure: SSH Configuration