Demystify SSH

Alessandro Senese

Lead Developer

@ceceppa

https://github.com/ceceppa

What is SSH?

“Secure Socket Shell, is a network protocol that provides administrators with a secure way to access a remote computer.”

-- Wikipedia

Encryption Algorithm

Symmetric

  • Uses the same key to encrypt and decrypt data
  • e.g. a simple substitution: A=1, B=2, C=3, etc.
  • Fast
  • Drawback: the key must be shared between the parties

[Figure: symmetric encryption, the same key encrypts and decrypts]

Encryption Algorithm

Asymmetric

  • Uses different keys to encrypt and decrypt data
  • Slow

[Figure: asymmetric encryption, plaintext turned into ciphertext (e.g. A@3 CDI)"]' XAS89) using different keys]

  • The same key cannot be used to both encrypt and decrypt
  • The two keys are complementary

Public-key Encryption

[Figure: generate a key pair. Public key: you can share it. Private key: MUST be kept secret. Ciphertext produced with one key of the pair is decrypted with the other.]

Public-key Encryption

  • Used by SSH, SSL (HTTPS), etc
  • Popular asymmetric key algorithms are RSA, DSA, etc.

How Does SSH Work?

  • Both parties negotiate a session key using public-key cryptography
  • They agree on a symmetric cipher, for example AES
  • They agree on the symmetric secret (session) key
  • SSH re-keys the session when the maximum time or amount of data has been reached

ssh

Generate private & public key

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

  • -t rsa: specifies the type of key to create (other types: dsa, ecdsa, ed25519)
  • -b 4096: specifies the number of bits in the key to create; the meaning also depends on the type of key
  • a different algorithm might not be supported yet by the client or server
  • RSA is still considered strong, but the recommended key length has increased over time

Why 4096?

  • RSA-576 (576 bits) was factored in 2003
  • RSA-768 (768 bits) was factored in 2009
  • RSA-1024 (1024 bits) has not been factored so far.
  • Some keys with fewer bits have been factored
  • RSA-2048 may not be factorisable for many years to come
  • A key size of at least 2048 bits is recommended for RSA; 4096 bits is better
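As an added example (not from the slides), a small Python script that parses OpenSSH public-key lines, the format ssh-keygen writes to id_rsa.pub and that ends up in authorized_keys, and reports each key's type and size so an administrator can find RSA keys shorter than the recommended 2048 bits. The helper names, the min_rsa_bits threshold and the sample keys are assumptions; the sample moduli are placeholders constructed inline, not real keys.

```python
import base64
import struct

# Sample keys are constructed inline (e = 65537 and a placeholder modulus of
# the wanted bit length); they are not real keys, only wire-format fixtures.

def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n: int) -> bytes:
    """SSH mpint: minimal big-endian bytes, 0x00-padded if the top bit is set."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)

def build_rsa_pub_line(e: int, n: int, comment: str) -> str:
    """Build an 'ssh-rsa <base64> <comment>' line in the layout ssh-keygen writes."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def parse_pub_line(line: str) -> dict:
    """Return {'type', 'bits', 'comment'} for one plain '<type> <base64> <comment>' line."""
    key_type, b64, *rest = line.split()
    blob = base64.b64decode(b64)
    parts, pos = [], 0
    while pos < len(blob):  # walk the length-prefixed fields of the blob
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        parts.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if parts[0] != key_type.encode():
        raise ValueError("key type inside the blob does not match the declared type")
    if key_type == "ssh-rsa":  # fields: type, e, n -> key size is the bit length of n
        bits = int.from_bytes(parts[2], "big").bit_length()
    elif key_type == "ssh-dss":  # fields: type, p, q, g, y -> key size is the bit length of p
        bits = int.from_bytes(parts[1], "big").bit_length()
    elif key_type.startswith("ecdsa-sha2-nistp"):  # fields: type, curve name, point
        bits = int(parts[1].decode()[len("nistp"):])
    elif key_type == "ssh-ed25519":
        bits = 256
    else:
        bits = None  # unknown type: report it and let the caller decide
    return {"type": key_type, "bits": bits, "comment": " ".join(rest)}

def weak_keys(lines, min_rsa_bits=2048):
    """Comments of RSA keys shorter than min_rsa_bits (the 'Why 4096?' check)."""
    keys = [parse_pub_line(line) for line in lines if line.strip()]
    return [k["comment"] for k in keys if k["type"] == "ssh-rsa" and k["bits"] < min_rsa_bits]
```

Lines with a leading options field in authorized_keys are out of scope here; strip the options before calling parse_pub_line.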

Generate private & public key

Generating public/private rsa key pair.
Enter file in which to save the key (~/.ssh/id_rsa): 

Path & Filename

Custom file name can be used for:

  • different services
  • keeping personal and company keys separate

Protecting SSH keys

Generate private & public key

Enter passphrase (empty for no passphrase):

[Figure: the key pair again. Public key: you can share it. Private key: MUST be kept secret, and is protected by the passphrase.]

Generate private & public key

  • The passphrase is used to encrypt the private key using 128-bit AES
  • If someone is able to read your private key, they are still "unable" to use it without the passphrase
  • It is recommended, to reduce the risk of keys accidentally leaking from, e.g., backups or decommissioned disk drives
  • If you lose or forget the passphrase, you have to generate a new key pair
  • The passphrase can be changed later

SSH Agent

"ssh-agent is a program to hold private keys used for public key authentication."

-- Linux man page

  • SSH agent handles the private keys by storing them in memory
  • The keys are never shared with client programs
  • Operations that require a private key will be performed by the agent, and the result will be returned to the requester
  • SSH agent allows using multiple keys easily
  • Communication with other processes happens via a socket

SSH Agent

Start the ssh-agent in the background

eval "$(ssh-agent -s)"

Add your SSH private key to the agent:

ssh-add ~/.ssh/id_rsa

SSH Usage

To connect:

ssh [username]@[domain/ip address]

Terminal:

asenese@93digital:~$

What can we do with SSH?

  • Install applications on the server remotely
  • Take backups
  • Configure the server remotely
  • Manage files and folders easily
  • Automate deployment of local code
  • Access the remote database via the command line
  • and lots more...

Tools

  • rsync - a fast, versatile, remote (and local) file-copying tool
  • scp - secure copy
  • wordmove - lets you automatically mirror local WordPress installations to the remote server

[Figure: Server A and Server B exchanging public keys]

  • Create a key pair on Server A
  • Copy the public key from Server A to Server B
  • Repeat the above steps for Server B

SSH Agent Forwarding

"SSH agent forwarding can be used to make deploying to a server simple. It allows you to use your local SSH keys instead of leaving keys (without passphrases!) sitting on your server."

-- Github

SSH Agent Forwarding

[Figure: ssh-agent forwarded from Server A to Server B]

SSH Agent Forwarding

  • Method 1, on the command line (-A enables agent forwarding; lowercase -a disables it):

ssh -A [...]

  • Method 2, add to your ssh config file (~/.ssh/config):

Host [host address]
    ForwardAgent yes

Resources

Encryption and HUGE numbers

SSH by Michael W. Lucas

RSA algorithm

WordMove

How RSA works with example