1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
|
Some simple advice for people who are starting to use ssh.
# Use the config
If you create a file `~/.ssh/config`, with contents like:
```
Host xxx
HostName yyy
Port 1234
User zzz
```
, then if you type `ssh xxx`, the result will be like executing `ssh -p 1234 zzz@yyy`.
Any ssh command line arguments can be encoded in an SSH client configuration file, so you can access any server with a simple `ssh host` command, without any additional parameters.
Additionally, most modern systems configure SSH tab completion, so if you type `ssh <tab><tab>`, your shell will complete with the hosts in your configuration file.
# Use public key authentication
By default, ssh uses passwords for authentication.
If you use a good password, then password authentication is a decent authentication method.
However, you can use other methods, such as public key authentication.
With public key authentication, you have a public and private key.
If you are working on system A with your *private* key, and you copy your *public* key to system B, then you can ssh from system A to system B without entering a password.
## Security
Note that if someone obtains your private key, they will be able to log in to systems that trust your key.
Knowledge of your private key is similar to knowledge of a password.
Take care making your private key truly private.
If you suspect someone else has been able to obtain your private key, then generate a new key and remove the leaked public key from all systems.
Note that you can generate as many keys as you want.
Managing multiple keys requires more effort, but in some cases it might be more convenient.
For example, if a key is suspected to be leaked, then you might only need to revoke a key and continue using other keys.
## Generating SSH keys
To generate your private and public keys:
```
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/alex/.ssh/id_rsa):
Created directory '/home/alex/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/alex/.ssh/id_rsa
Your public key has been saved in /home/alex/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:...
The key's randomart image is:
+---[RSA 3072]----+
...
```
## Key type choice
OpenSSH, the standard ssh client, [changed its default type of key generation to Ed25519 in version 9.5 released in late 2023](https://www.openssh.com/txt/release-9.5).
Previously, `ssh-keygen` generated RSA keys, as in the example above.
Many Linux distributions still use OpenSSH versions earlier than 9.5.
You can find advisories like [the following](https://www.ssh.com/academy/ssh/keygen):
> It is quite possible the RSA algorithm will become practically breakable in the foreseeable future. All SSH clients support this algorithm.
Although as of the time of writing this, RSA is considered safe.
However, you can consider generating an Ed25519 key instead, following the most recent OpenSSH defaults.
## Passphrases
By default, if you provide an empty passphrase to `ssh-keygen`, your private key will be stored unprotected.
Anyone that can read the private key file can obtain your key.
You can use a passphrase to protect your key.
If someone obtains a private key file but they don't know the passphrase, then they cannot use the key.
Using a passphrase means that you need to type the passphrase every time you use the key, or use a system such as `ssh-agent`.
This creates a tradeoff between security and convenience.
(Note that a popular criticism of SSH public key authentication is that it is not easy for systems administrators to enforce the use of SSH passphrases.)
# Further SSH features
Many developers have added many useful features to SSH during many years, such as:
* The `scp` command to transfer files using SSH
* Tunnels to establish bidirectional communication between systems without such connectivity.
(For example, to connect to your workstation from a remote system.)
* Jump hosts that expedite the connection to a system that is not directly accessible, by using SSH to establish connection through intermediate systems.
Also, SSH integrates very well with UNIX pipes and tools such as rsync, Git, and many others.
|
