Passwordless Connection to Remote Servers Using SSH – Secure Shell
SSH was designed in 1995 by Finnish computer scientist Tatu Ylönen. SSH was meant as a replacement for the existing telnet protocol.
Telnet Protocol: A terminal emulation program that is used to access remote servers. It is a simple command line tool that can also be used to manage remote routers and switches and to check whether ports are open or closed.
The problem with telnet was that it sends data in plain text, as no encryption is used (it was developed in 1969, in the era before the internet, so back then security was not much of a concern). Hence it was susceptible to sniffing attacks. In fact, Tatu Ylönen was motivated to create SSH after a password sniffing attack on his university network.
SSH is a better alternative to Telnet as it protects data from being attacked or stolen while it is being transferred over a network. SSH encrypts data during transfer and protects it from potential threats. It also provides password and key authentication (public and private).
Prerequisites to connect to a remote server using SSH: –
- Make sure SSH is installed on your device using the command: –
ssh -V
- Configure the SSH server to accept SSH connections. This is done by ensuring that the SSH daemon (a daemon is a program that runs in the background) is running properly on the server.
systemctl status sshd – To check if the ssh daemon is working
systemctl start sshd – To start the ssh daemon if it is not running
systemctl enable sshd – To ensure it starts on boot
Connecting via SSH: –
- Password based connection: –
Simply type the command:
ssh username@hostname
The username is the user account on the machine you want to connect to, and the hostname can be either the IP address of that machine or its domain name.
But password-based connections are insecure, as passwords can be cracked. Therefore, we go for: –
- Key based connection: –
- Use the client computer to generate a pair of keys (public and private) using the command: –
ssh-keygen
By default, this will create the folder .ssh and the files id_rsa.pub (public key) and id_rsa (private key), and the default key type used will be RSA.
This will also ask for a passphrase, which you can add for extra safety.
We can also see that a fingerprint is generated. This fingerprint is the hash of the generated public key; the SHA256 algorithm is used to create the hash in this case. The fingerprint is required to tell the client that a particular public key is authentic. Without it, an attacker could change the public key in order to impersonate the server and conduct a man-in-the-middle attack.
If you want to change the key type and file name, and add a comment to the file to specify which server the key is for, use the ssh-keygen command in the following manner: –
ssh-keygen -t ed25519 -f ~/.ssh/filename -C "Useful comments"
In the above case an ed25519 key is generated.
- Sending public key to the server
ssh-copy-id -i ~/.ssh/id_rsa.pub username@hostname – appends the public key to .ssh/authorized_keys on the server
In case the client operating system is Windows, use the following command in PowerShell: –
type $env:USERPROFILE\.ssh\id_rsa.pub | ssh {IP-ADDRESS-OR-FQDN} "cat >> .ssh/authorized_keys"
- Now you can log in to the remote server using the private key with the command: –
ssh -i private_key_filename serverusername@IPaddress_or_domain_name
We have now enabled SSH key login. We can add a further layer of security by disabling password login: –
Open the SSH Daemon configuration file in the nano editor using the command:
nano /etc/ssh/sshd_config
Search for #PasswordAuthentication yes
Uncomment it by removing “#” and write no in place of yes.
Reload the SSH daemon so that it picks up the change, using the command:
systemctl reload sshd
By this we have disabled password login and hence have created a very secure method to login to remote servers using Secure Shell.
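The steps above only take effect if the line you edited is the one sshd actually uses: sshd keeps the first value it reads for a keyword, and files pulled in by an Include line are read at that point. The following check is an added example, not part of the original article; the function name password_auth_state and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): report the global
# PasswordAuthentication value in one sshd_config-style file.
# sshd keeps the FIRST value it reads for a keyword, so an earlier
# "yes" beats a later "no"; an unset keyword defaults to "yes".
password_auth_state() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments, blank lines
        { sub(/[ \t]*=[ \t]*/, " "); key = tolower($1) }  # keywords are case-insensitive
        key == "include" { include_seen = 1; next }
        key == "match"   { exit }                # global section ends here
        key == "passwordauthentication" { value = $2; exit }
        END {
            if (value == "") value = "yes"       # sshd default
            if (include_seen) value = value " (Include read first: check those files)"
            print value
        }
    ' "$1"
}

# Constructed sample files, written to a temporary directory.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/shadowed.conf" <<'EOF'
PasswordAuthentication yes
#PasswordAuthentication no
PasswordAuthentication no
EOF

cat > "$demo_dir/commented.conf" <<'EOF'
#PasswordAuthentication no
EOF

cat > "$demo_dir/dropin.conf" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
passwordauthentication no
EOF

for f in shadowed commented dropin; do
    printf '%s: %s\n' "$f" "$(password_auth_state "$demo_dir/$f.conf")"
done
```

On a real server, sshd -t validates the configuration before you reload, and sshd -T prints the effective settings, including PasswordAuthentication.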