What is SSH and what is it for
SSH is a set of programs that allows you to log on to a remote machine to execute commands on it. It is designed to provide secure encrypted communication between two nodes through an insecure network. X11 connections, arbitrary TCP ports, and UNIX domain sockets can also be forwarded over a secure channel. SSH includes programs that additionally allow you to transfer files over an encrypted connection.
SSH brings various security improvements, including user and host authentication, data encryption, and data integrity, protecting against common attacks such as eavesdropping, DNS or IP spoofing, data forgery, and connection hijacking. If you use FTP, telnet or rlogin, which transmit data in clear text, it is highly recommended that you switch to SSH.
OpenSSH is an open-source implementation of the SSH protocol: a set of programs for establishing encrypted network connections. To have SSH on Linux, install OpenSSH, which is split into server and client packages.
The technology works on the client-server model. That is, on the remote machine on which you want to execute commands, you need to start the OpenSSH server. You connect to this server using OpenSSH clients. Both the server and the client can be installed on the same computer; they are started and configured independently of each other.
OpenSSH server utilities include:
- sshd (OpenSSH Daemon) is the SSH daemon; sshd listens for connections from clients.
- sftp-server (SFTP server subsystem) is the program that handles file transfers via SFTP. sftp-server is not meant to be run directly; it is started automatically by the sshd daemon.
So, on the server, sshd is the program that needs attention; sftp-server is launched automatically as needed.
OpenSSH client utilities include:
- ssh (SSH client program) is a program for logging in to a remote machine and executing commands on that remote machine.
- scp is a program for copying files from the local machine to a remote one, or in the opposite direction, from remote to local. Data is transmitted over an encrypted channel.
- sftp is also a program for transferring files over a secure channel. This program is similar to ftp.
- ssh-keygen is a utility for creating and managing authentication keys. It can also be used to revoke keys.
These are the main programs most users need: to create keys, connect to a remote machine, and copy files to or from it.
The following utilities are also present in the OpenSSH package, but are not normally run by the user directly, or are rarely used:
- ssh-add – Adds a private key to an authentication agent.
- ssh-agent is a program that holds the private keys used for public key authentication (RSA, DSA, ECDSA, Ed25519). ssh-agent is usually started at the beginning of an X session or login session, and all other windows or programs are started as clients of ssh-agent. Through environment variables, the agent can be located and used automatically for authentication when logging in to other machines with ssh.
- ssh-keyscan is a utility for collecting SSH host public keys from multiple hosts. It was designed to help create and verify ssh_known_hosts files. ssh-keyscan provides a minimal interface suitable for use by shell and perl scripts.
- ssh-keysign is used by ssh to access the local host keys and generate the digital signature required during host-based authentication. ssh-keysign is disabled by default and can only be enabled in the global client configuration file /etc/ssh/ssh_config by setting EnableSSHKeysign to yes. ssh-keysign is not intended to be called by the user, but by ssh.
- ssh-copy-id copies locally available public keys to a remote computer so that they can be used for authorization there.
How to install OpenSSH
In some configurations, OpenSSH is installed and enabled by default. Typically this applies to systems that are hard to reach in any way other than SSH. For example, on VPS hosting (virtual private servers), even a minimal installed system almost always has the SSH service installed and running, so after deploying a new server the customer only needs to connect with the credentials they were given.
In images for ARM computers, which often have no display, the OpenSSH service is as a rule already installed and running.
In Debian and derivatives (Kali Linux, Linux Mint, Ubuntu), the OpenSSH programs can be installed separately: there are packages for the client and for the server, openssh-client and openssh-server. Or you can install the ssh meta-package, which contains both the client and the server parts:
sudo apt install ssh
On Arch Linux, install the openssh package:
sudo pacman -S openssh
OpenSSH Service Management
The ssh client is launched by the user as needed.
The launch of the OpenSSH service is required only on the server.
OpenSSH ships systemd unit files for two ways of running the daemon:
- sshd.service, which keeps the SSH daemon constantly active and forks a new process for each incoming connection. This is especially suitable for systems with a lot of SSH traffic.
- sshd.socket + sshd@.service, which spawn an instance of the SSH daemon on demand for each connection. In this model systemd listens on the SSH socket and starts a daemon process only when a connection arrives. This is the recommended way to start sshd in almost all cases.
Thus, to use the first model (the SSH daemon is always active), run the following commands to start the service and enable it at boot:
sudo systemctl start sshd.service
sudo systemctl enable sshd.service
They start the SSH daemon right away and add it to startup.
For the second model (SSH started only on demand), do this:
sudo systemctl start sshd.socket
sudo systemctl enable sshd.socket
To check the status of a service:
systemctl status sshd.service
Or, if you use the socket:
systemctl status sshd.socket
Please note that in different distributions the service may be called ssh or sshd, so in the above commands use whichever name your distribution uses.
How to check the SSH service event log
SSH events fall into two groups:
- start and stop of the service itself
- user connection events
To view start and stop events (substitute sshd.service if you run the daemon permanently rather than via the socket):
journalctl -u sshd.socket
For example, to display only the last 100 entries:
journalctl -u sshd.socket | tail -n 100
To display events related to user connections and other information, including debugging output (depending on the configured log verbosity), search the whole journal:
journalctl | grep -i ssh
How to see failed SSH login attempts
If password authentication is enabled, display unsuccessful attempts with:
journalctl | grep -i 'Failed password for'
If you have configured login with a public key but have not disabled password login, then after a wrong key the client is offered a password prompt. Such unsuccessful password attempts are found with the same command:
journalctl | grep -i 'Failed password for'
If a login attempt fails because of an invalid key, the default verbosity level (LogLevel INFO) does not log a specific message. Such attempts can be detected by the entry "Connection closed by authenticating user", but it only means that the connection was closed at the authentication stage, regardless of the authentication method (password or key).
If you set LogLevel to VERBOSE, unsuccessful public key attempts can be found in the log with the following command:
journalctl | grep -i 'Failed publickey for'
How to view SSH user connection log
To show connections where a password was entered:
journalctl | grep -i 'Accepted password for'
To show public key authentication connections:
journalctl | grep -i 'Accepted publickey for'
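As an added example that is not part of the original article, the following POSIX shell script combines the journalctl greps from the failed-attempt and connection-log sections above into one classifier that reports result, method, user and source address per event. The log lines, function names and variable names are constructed for the demo and are not from the page.

```shell
# Added example (not from the original article): classify sshd authentication
# outcomes from journalctl-style lines instead of grepping one phrase at a time.
# The lines below are constructed; the addresses are RFC 5737 documentation ranges.
SAMPLE_LOG='Mar 05 10:01:12 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 05 10:01:15 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 05 10:02:03 host sshd[1210]: Failed publickey for alice from 198.51.100.4 port 40022 ssh2: RSA SHA256:constructedfingerprint
Mar 05 10:02:09 host sshd[1210]: Accepted password for alice from 198.51.100.4 port 40022 ssh2
Mar 05 10:03:30 host sshd[1222]: Accepted publickey for bob from 192.0.2.9 port 33100 ssh2: ED25519 SHA256:constructedfingerprint
Mar 05 10:04:00 host sshd[1230]: Connection closed by authenticating user root 203.0.113.7 port 51300 [preauth]
Mar 05 10:04:05 host cron[77]: (root) CMD (run-parts /etc/cron.hourly)'

# Reads journal lines on stdin and prints one "RESULT METHOD USER IP" record per
# authentication outcome: Accepted/Failed password|publickey, or Closed preauth.
# Real use: journalctl -u sshd.service | ssh_auth_events
ssh_auth_events() {
  awk '
    { if (!sub(/^.*sshd\[[0-9]+\]: /, "")) next }   # keep the sshd message only; skip other units
    $1 ~ /^(Accepted|Failed)$/ && $2 ~ /^(password|publickey)$/ && $3 == "for" {
      # "for invalid user NAME from IP" (unknown account) vs "for NAME from IP"
      if ($4 == "invalid" && $5 == "user") { user = $6; ip = $8 } else { user = $4; ip = $6 }
      print $1, $2, user, ip
    }
    $1 == "Connection" && $2 == "closed" && $3 == "by" && $4 == "authenticating" && $5 == "user" {
      # disconnect during authentication; the method is not logged at LogLevel INFO
      print "Closed", "preauth", $6, $7
    }
  '
}

# Failed attempts per source address, most active first ("COUNT IP").
ssh_failed_by_ip() {
  ssh_auth_events | awk '$1 == "Failed" { n[$4]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | ssh_auth_events
printf '%s\n' "$SAMPLE_LOG" | ssh_failed_by_ip
```

The "Closed preauth" records complement the Failed counts: at the default LogLevel they are the only trace of a rejected key, as the section above explains.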