Secure Shell (SSH)

Secure Shell or SSH is a cryptographic (encrypted) network protocol operating at layer 7 of the OSI Model to allow remote login and other network services to operate securely over an unsecured network.

SSH provides a secure channel over an unsecured network in a client-server architecture, connecting an SSH client application with an SSH server. Common applications include remote command-line login and remote command execution, but any network service can be secured with SSH. The protocol specification distinguishes between major versions, referred to as SSH-1 and SSH-2.

The most visible application of the protocol is for access to shell accounts on Unix-like operating systems, but it sees some limited use on windows as well. In 2015 Microsoft announced that they would include native support for SSH in a future release.

You can find a windows developer preview of OpenSSH and a copy of there road map for this project here.

Installing SSH in Linux

Installing SSH on Linux is as simple as typing..

sudo apt-get install ssh

Once you have installed all the packages your set to start using ssh. To connect to another SSH server type the command below.

ssh (Username)@(host)
ssh [email protected]

As this will be your first connection from your newly installed ssh server you will be prompted  to accept the authenticity of your host, just type yes and the address will get added to your Known Hosts folder and you will then be prompted for your logon password.

Installing SSH in Windows (Putty)

As there is not any native support for SSH in windows at the time i am writing this, your best option is to install a program called Putty.

Putty is an SSH and telnet client, developed originally by Simon Tatham for the windows platform. Putty is open source software that is available with source code and is developed and supported by a group of volunteers.

Putty Download Page

The Putty download page has quite a few different things to download, I will go through each of these later in this tutorial but for now just download the standalone executable putty.exe.

Once downloaded double click putty.exe and a new window will open showing you the putty configuration. In the Host Name (or IP address) type in your SSH servers address (Username)@(host) and then click open.

As this is the first time connecting to your SSH server you will be prompted with a security alert saying it does not know the host, if your sure this is the correct host, just click yes and the host will be added to Putty’s cache.

You will now be prompted for your login, enter your username and password and that is it, you should be logged into your server.

No More Passwords with An SSH Authentication Key

An SSH server can authenticate clients using a variety of different methods. the most basic of these is password authentication, which is easy to use, but not the most secure.

Although passwords are sent to the server in a secure manner, they are generally not complex or long enough to be resistant to repeated, persistent attackers. Modern processing power combined with automated scripts make brute forcing a password-protected account very possible. Although there are other methods of adding additional security(fail2ban, etc), SSH keys prove to be reliable and secure alternative.

SSH key pairs are two cryptographically secure keys that can be used to authenticate a client to an SSH server. Each key pair consists of a public key and a private key.

The private key is retained by the client and should be kept absolutely secret. Any compromise of the private key will allow the attacker to log onto servers that are configured with the associated public key without additional authentication. As and additional precaution, the key can be encrypted on the disk with a pass phrase.

The associated public key can be shared freely without any negative consequences. The public key can be used to encrypt messages that only the private key can decrypt. This property is employed as a way of authenticating using the key pair.

The public key is uploaded to a remote server that you want to be able to log into with SSH. The key is added to a special file within the user account you will be logging into called  ~/.ssh/authorized_keys .

When the client attempts to authenticate using SSH keys, the server can test the client on whether they are in possession of the private key. If the client can prove that it owns the private key, a shell session is spawned or the requested command is executed.

Setup SSH Key Pairs in Linux

To create your keys type the command below.

ssh-keygen -t RSA

The -t lets you choose the type of key that you want to use RSA, DSA or ECSDA by default it will use RSA.

It will say that its generating the public/private key pair and asks you where you would like to save the key. By default it saves it to a hidden folder called .ssh in your home directory, which is fine so just hit enter.

Generating public/private RSA key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):

Now it asks you to enter a passphrase. you can just hit enter again and it will create your key without a passphrase but i strongly advise adding a strong password because if your private key ever gets compromised they will be able to connect to your ssh server without a password.

Enter passphrase (empty for no passphrase): 
Enter same passphrase again:

After adding your passphrase it will save both the public (id_rsa.pub) and privet keys (id_rsa) to the folders specified previously, it also shows you the fingerprint of your key in a randomart image.

Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
16:1d:be:d3:71:0d:7a:6e:fb:97:72:76:2b:2e:b0:3b user@debian
The key's randomart image is:
+---[RSA 2048]----+
|             . . |
|         o . . o |
|        . o o o .|
|           . o = |
|         S o . o |
|       . . . . . |
|            o . .|
|         E . o =o|
|         .o o.=.=|
+-----------------+

All you have to do now is take your Public key (id_rsa.pub) and send it over to the SSH server, there are a few different ways to do this.

If password authentication is still enabled you can run this command to copy over the public key and add it to the .ssh/authorized_keys on the server.

ssh-copy-id (username)@(host)

user@debian:~$ ssh-copy-id [email protected]
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:
|
|Number of key(s) added: 1
|
Now try logging into the machine, with: "ssh  '[email protected]'"
and check to make sure that only the key(s) you wanted were added.

It will then log you out, log back in and if you set a password on your private key you will be prompted to enter it now to unlock it.

You will now be able to log in and out of the server without entering your SSH password you still may need to unlock your privet key if you reboot.

Setup SSH Key Authentication in Windows with Putty

With Putty you need to first download the Putty key generator and Pageant which is an authentication agent used in putty. Both can be downloaded from the Putty Download page.

Once everything is downloaded run Puttygen.exe this will open the Putty Key Generator and from here we can generate a public and private key pair.

To create the public and private key pair first select the type of key you want to generate (SSH -2 RSA or SSH-2 DSA)  and the number of bites in the generated key and just click Generate, it will then prompt you to move the mouse in the blank area to generate some randomness and the green bar will slowly increase as you move the mouse.

Once the green bar has reached the end you will be prompted with your key, I would advise you set a strong security passphrase here otherwise if your keys get compromised  there will be no other line of defense for someone to log straight into your server.

After you have set and confirmed your passphrase click the save Public Key and save it some where secure with a name that makes it recognizable like public and then do the same with the Private Key naming it private.

Now we need to copy the public ssh key to the ~/.ssh/authorized_keys file on your ssh server.

Log into your ssh server with Putty  (Username)@(host) then open up the authorized_keys file with your favorite text editor i am using nano.

nano -w .ssh/authorized_keys
 -w Wordwrap

Open your Public Key in Notepad and add ssh-rsa to the start of your SSH Key as below and copy the whole string up until the final =.

and up until the final =.

Once this has been copied, paste it into your open putty nano session by right clicking in the putty window. This should copy the string from our public key that we copied from notepad earlier into our authorized_keys file. Make sure the key is on one single line with no spaces then save the authorized_keys file and exit nano.

Now the public key is setup on the server we need to use Pageant.exe which we downloaded at the start.

Pageant is an SSH authentication agent. It holds your private keys in memory, already decoded, so that you can use them often without needing to type a passphrase.

When you run Pageant it will put an icon of a computer wearing a hat into the system tray. It will then sit and do nothing until you load a private key into it.

Right click the Pageant icon in the System tray and you will see a menu as below.

Click Add Key and navigate to where you saved your private key, open your private key then you will be asked to enter the passphrase for you key if you set one.

Enter the passphrase and your private key will be loaded into pageant you will now be able to connect to your SSH server without entering your SSH password. You will how ever have to run pageant every time you reboot and authenticate your Private Key with a password.

Setup a SSH Proxy (SOCKS5) Linux and Windows

Have you ever wanted to visit sites during the day from a location that denied access to those sites? Perhaps the company has denied access due to bandwidth considerations or you might have decided that the site you want to go to  might not always be work safe depending on the story or pictures? What you need is the ability to create a secure and encrypted SSH connection to tunnel your browser traffic through.

Using a ssh tunnel to retrieve the data from websites is significantly faster than trying to use X forwarding to open a remote copy of Firefox on the remote machine. If a remote browser is used the connection will be saturated by the graphical front end of the remote browser window. Use the tunnel for the web site’s  data and leave the rendering of the browser to the local machine. This is the most efficient solution.

If you have access to a remote machine by way of SSH you can set up Firefox, or any other SOCKS V5 enabled application, to tunnel its connection through SSH. this way, if you were at work and wanted to browse your favourite sites like Facebook, xhamster, etc that are blocked at the company firewall you could.

To set this up in Linux its as simple as typing the command below in you Linux terminal

ssh -D 8080 (Username)@(host)

Here SSH will create a Socks proxy listening in for connections at local port 8080 and upon receiving a request would route the traffic via SSH channel created between ‘work’ and ‘home’. For this it is required to configure the browser to point to the socks proxy at port 8080 at localhost.

In windows (Putty) its a little bit more complicated you need to setup the connection as normal then on the left hand side click  Connection –> SSH –> Tunnels and you should get a page like this.

from here make sure you click Dynamic put 8080 in the source port and a Destination of localhost then click the Add button. This will add the dynamic port in the forwarded ports box as below.

Once you have D8080 which stands for dynamic port 8080 in your forwarded ports just click open and your connection will be made.

Now you have your tunnel setup you can tunnel any SOCKS 5 aware program like your internet Browser through that encrypted SSH connection, i will show you how to set this up in firefox.

Open Firefox click the icon with the 3 dashes in the top right corner and select Preferences as pictured below.

Then go Advanced –> Network and click settings

Once your in settings you need to change the radio button to Manual Proxy configuration and enter the details as pictured below

Click OK and your internet  traffic in Firefox will now be going through your ssh tunnel then out to the internet.

You can check this by going to https://www.whatismyip.com and if its all working you should see your SSH servers ip.

Tunnelling with Local Port Forwarding

Lets say that yahoo.com is being blocked using a proxy filter at work. A SSH tunnel can be used to bypass this restriction.

To create the SSH tunnel execute the following from ‘work’ machine.

ssh -L 9001:yahoo.com:80 (username)@(host)

The ‘L’ switch indicates  that a local port forward is needed to be created.

Now the SSH client at ‘work’ will connect to the SSH server running at ‘home’ (usually running at port 22) binding port 9001 of ‘work’ to listen for local requests thus creating a SSH tunnel between ‘home’ and ‘work’. At the ‘home’ end it will create a connection to ‘yahoo.com’ at port 80. So ‘work’ doesn’t need to know how to connect to yahoo.com. Only ‘home; needs to worry about that. The channel between ‘work’ and ;home; will be encrypted while the conection between ‘home’ and ‘yahoo.com’ will be unencrypted.

Now it is possible to browse yahoo.com by visiting http://localhost:9001 in the web browser at the ‘work’ computer. The ‘home’ computer will act as a gateway which would accept requests from ‘work’ machine and fetch data and tunnel it back.

Here the ‘host’ to ‘yahoo.com’ connection is only made when the browser makes the request not at the tunnel setup time.

It is also possible to specify a port in the ‘home’ computer itself instead of connecting to an external host. Tis is useful if I were to setup a VNC session between ‘work’ and ‘home’. Then the command line would be as follows.

ssh -L 5900:localhost:5900 (username)@(host)

The Created tunnel can be used to transfer all kinds of data not limited to web browsing sessions. we can also tunnel SSH sessions from this as well. lets assume there is another computer (‘banned’) to which we need to SSH from within work but the SSH access is being blocked. It is possible to tunnel a SSH session to this host  using a local port forward. The setup would look like this.

As can be seen now the transferred data between ‘work’ and ‘banned’ are encrypted end to end. For this we need to create a local port forward as follows.

ssh -L 9001:banned:22 (username)@(host)

Now we need to create a SSH session to local port 9001 from where the session will get tunnelled to ‘banned’ via ‘home’ computer.

ssh -p 9001 localhost

To do local tunnelling within Putty click connection –> SSH –> Tunnels on the left hand side of the putty window

Make sure, once you have entreated the details, you click add and the port will show in forward ports as below

Reverse Tunnelling with remote port forwarding

Lets say it is required to connect to an internal company website from home. The companys firewall is blocking all incoming traffic. How can we connect from ‘home’ to the internal network so that we can browse the internal site? A vpn setup is a good candidate here. however for this example let’s assume we dont have this facility. Enter SSH reverse tunnelling..

As in the earlier case we will initiate a tunnel from the ‘work’ computer behind the firewall. This is possible since only incoming traffic is being blocked and outgoing traffic is allowed. Instead of the -L option we now define -R which specifies a reverse tunnel needs to be created.

ssh -R 9001:intra-site.com:80 (username)@(host)

once executed the SSH client at ‘work’ will connect to SSH server running at home creating a SSH tunnel. Then the server will bind port 9001 on ‘home’ machine to listen for incoming requests which would subsequently be routed through the created SSH channel between ‘home’ and ‘work’. Now its possible to browse the internal site by visiting http://localhost:9001 in ‘home’ web browser. the ‘work’ Pc will then create a connection to intra-site and relay back the response to ‘home’ via the created SSH channel.

To do this with putty click Connection –> SSH –>Tunnels on the right hand side of the putty client then enter your details and click the Add button to add the details into the forwarded ports see below.