ssh, the Secure SHell : Concepts & generalities



ssh is a Secure remote SHell designed as a replacement for Telnet, RSH and other unsecure remote shells. This post aims to give you a general view of this yet wonderful piece of software.

Note : Please see the “ssh, the Secure SHell : Practical examples” post for ssh practical examples.







1 Generalities

1.1 ssh components description

ssh consists of three major components : (excerpt from RFC4251 )

  1. The Transport Layer Protocol [SSH-TRANS] provides server authentication, confidentiality, and integrity. It may optionally also provide compression. The transport layer will typically be ran over a TCP/IP connection, but might also be used on top of any other reliable data stream.
  2. The User Authentication Protocol [SSH-USERAUTH] authenticates the client-side user to the server. It runs over the transport layer protocol.
  3. The Connection Protocol [SSH-CONNECT] multiplexes the encrypted tunnel into several logical channels. It runs over the user authentication protocol.

    : The difference between insecure and unsecure

    – insecure
    describes a network that may not be secure
    describes a netwotk that is surely not secure.
    e.g : In case of the internet unsecure may be the best description but insecure is still a valid adjective.


1.2 How ssh works ?

The encryption used by ssh is intended to provide confidentiality and integrity of data over an unsecured network, such as the Internet.

It offers a secure communication channel across insecure networks. All data, including passwords, are sent in encrypted form. ssh provides confidentiality, integrity, and authentication (when using digital certificate for public key deployment).

  • Confidentiality is provided by symmetric key encryption.
  • Integrity is provided by message authentication codes (MACs).
  • Authenticationmay be provided:
    • For server (host running sshd): through RSA method (server public key must be specifically accepted at first connection)
      Note : this is a very important point regarding ssh security, you MUST NOT validate a server key you cannot verify.
    • For client
      1. by using digital certificate for public key management.
      2. It (of course) uses diffie-hellman for initial key exchange.




2 ssh setup

2.1 Directories & files permissions

ssh related directories permissions are quiet important as they may just prevent ssh from working! (which is preferable against connecting to/from a weak server/client) Here is a list of each directories and file permissions.

There is 2 kinds of configurations files :system-wide configuration file (located in /etc/ssh) & user-specific configuration file (located in ~/.ssh). They are parsed in a specific order as follows :

  1. command line options
  2. user-specific file
  3. system-wide file


Important note : I personally witness that even the parent directory of the user specific .ssh directory (the HOME directory actually) permissions can prevent you from setting a working password-less ssh connection. With a 777 permissions on this .ssh parent directory i could not get it work : I had to chmod it to 700 to make it works…


2.1.1 user-specific file permissions

Located as usual (for user specific configuration files) in user’s home (~) as :

  • ~/.ssh = 700
  • ~/.ssh/id_rsa = 600
  • ~/.ssh/authorized_keys = 600
  • ~/.ssh/ = 644
  • ~/.ssh/known_hosts = 644


2.1.2 system-wide file permissions

Located as usual (for system wide configuration files) in /etc as :

  • /etc/ssh = 755
  • /etc/ssh/moduli = 600
  • /etc/ssh/ssh_config = 644
  • /etc/ssh/sshd_config = 644
  • /etc/ssh/ssh_host_rsa_key = 600
  • /etc/ssh/ = 644


2.1.3 Ssh files description

  • id_[rsa|dsa] : those are the user’s private(s) key(s), you may have different type of key, such as rsa key and dsa key.
  • id_[rsa|dsa].pub  : those are user’s public(s) key(s), you may have different type of key, such as rsa key and dsa key.
  • authorized_keys  : this is the file containing the user’s public key that has already been connected. This file allows some options in its syntax, which may be useful to define public key specific commands or environment settings.
    : that this file is only user-specific, there is no system-wide equivalent file.
  • known_hosts : this file lists the hosts (machines) public keythat has already been connected AND explicitly accepted at the usual following prompt:
    The authenticity of host 'localhost (::1)' can't be established.
    RSA key fingerprint is c0:e5:b6:34:5e:t7:0a:91:a0:a6:56:79:11:e1:ef:b9.
    Are you sure you want to continue connecting (yes/no)?

    The system-wide version of this file is better be maintained by the administrator when the per-user file is maintained automatically: whenever the user connects to an unknown host, its key is added to the per-user file.

  • ssh_host_[rsa|rsa]_key are the computer public key (may be rsa or dsa type)
  • ssh_host_[rsa|rsa] are the computer public key (may be rsa or dsa type)
  • moduli : this file contains prime numbers and generators for use by sshd in the Diffie-Hellman Group Exchange key exchange method. (excerpt from man moduli)
  • ssh_config : this file is the system-wide configuration file for client side, this file provides defaults for users, and the values can be changed in per-user configuration files ( ~/.ssh/config) or on the command line. (excerpt from man ssh-config)
  • sshd_config : this file is the ssh daemon configuration file.


2.1.4 Configuration files

These are the configuration files for ssh, on server side first then the one for client side.

  • sshd_config (for ssh server), see section above for infos.
  • ssh_config (for ssh client), see section above for infos.


3 ssh Commands

The ssh suite provides number of utilities, here is a list for those utlities (note that some of those may not be available on all systems).

3.1 ssh-add

  • excerpt from man ssh-add

ssh-add adds RSA or DSA identities to the authentication agent, ssh-agent. When run without arguments, it adds the files ~/.ssh/id_rsa, ~/.ssh/id_dsa and ~/.ssh/identity. Alternative file names can be given on the command line. If any file requires a passphrase, ssh-add asks for the passphrase from the user. The passphrase is read from the user’s tty. ssh-add retries the last passphrase if multiple identity files are given.


3.2 ssh-agent

  • excerpt from man ssh-agent

ssh-agent is a program to hold private keys used for public key authentication (RSA, DSA). The idea is that ssh-agent is started in the beginning of an X-session or a login session, and all other windows or programs are started as clients to the ssh-agent program. Through use of environment variables the agent can be located and automatically used for authentication when logging in to other machines using ssh.


3.3 ssh-copy-id

This utility mainly help you copying your public key (or another user public key) to a remote machine.

  • excerpt from man ssh-copy-id
    ssh-copy-id is a script that uses ssh to log into a remote machine (presumably using a login password, so password authentication should be enabled, unless you have done some clever use of multiple identities)  It also  changes  the  permissions  of  the remote userâs home, ~/.ssh, and ~/.ssh/authorized_keys to remove group writability (which would otherwise prevent you from logging in, if the remote sshd has  StrictModesset   in  its  configuration).
  • Example
    Copy the public key of user1 to remote_machine2 in user2 account. (this will allow the connection of user1 as user2 on remote_machine2 without password)
ssh-copy-id -i /user1_home/ user2@remote_machine2


3.4 ssh-keygen

This utility allow you to generate a couple of public/private keys using different algorythm.

  • excerpt from man ssh-keygen
    ssh-keygen generates, manages and converts authentication keys for ssh(1).  ssh-keygen can create RSA keys for use by SSH protocol version 1 and RSA or DSA keys for use by SSH protocol version 2.


3.5 ssh-keyscan

  • excerpt from man ssh-keyscan
    ssh-keyscan is a utility for gathering the public ssh host keys of a number of hosts.  It was designed to aid in building and verifying ssh_known_hosts files.  ssh-keyscan provides a minimal interface suitable for use by shell and perl scripts.


3.6 ssh-askpass

  • Definition
    (excerpt from RTFM ask-pass)
    ssh-askpass is an X11-based pass-phrase dialog for use with Openssh. It is intended to be called from the ssh-add program and not invoked directly. ssh-askpass supports most standard Toolkit command line arguments, with the exception of -geometry, -borderwidth, -iconic, -rv, and -title. See X.
  • Examples
    1. Using a ssh-askpass dialog box to send password to classic sshconnection command:
      export SSH_ASKPASS=/usr/bin/ssh-askpass

      then try your new feature:

      setsid ssh <user>@<host>



4 ssh Options

This section list some of the options i discovered and which i found very useful (either in shell scripts or in CLI).

This section is to be updated from times to times.

Note : Please go to this page for practical ssh examples.

4.1 “Shell Script” oriented options

  1. use the “batch mode” to avoid ssh asking you ANYTHING! This will return an exit code of “0” if everything went smooth or something different from “0” if anything went wrong:
    -o "BatchMode=yes"
  2. Use the “quiet mode” to avoid ssh to display informations messages
    ssh -q <remoteHost> -l <remoteUser>

4.2 “Interactive usage” oriented options

  1. Enter the third and last verbosity level of ssh ‘useful for debugging a tricky connection!) :
Tagged on: ,

Leave a Reply

Your email address will not be published. Required fields are marked *

This site supports SyntaxHighlighter via WP SyntaxHighlighter. It can highlight your code.
How to highlight your code: Paste your code in the comment form, select it and then click the language link button below. This will wrap your code in a <pre> tag and format it when submitted.