# SSH (Secure Shell)
# Deep Dive
#### - [OP](https://www.linkedin.com/in/ompragash)
---
## What is SSH?
- *Secure Shell* (or) *Secure Socket Shell*
- SSH is a network protocol
- Helps users to securely access remote servers
- Provides a suite of utilities (**ssh-keygen, ssh-copy-id, scp, sftp**) that implement the SSH protocol.
---
## Insecure to Secure
SSH replaces
- Telnet
  - Pioneer of all the communication protocols that exist today
  - Plain text-based protocol to transfer data between different systems
----
- rlogin
  - [rlogin: The Untold Story](https://resources.sei.cmu.edu/asset_files/TechnicalReport/1998_005_001_16670.pdf)
  - Text-based protocol, same as Telnet
  - Utilities that are implemented alongside rlogin:
    - rsh "remote shell"
    - rcp "remote copy"
---
## Why is SSH more secure?
----
SSH uses cryptographic keys to identify the `client` and `server`, which adds a layer of security over telnet/rlogin's defaults
----
SSH sets up a per-session encrypted channel for further communication
----
This same approach is used in other SSH services like:
- `scp` (secure copy), SSH's counterpart to rlogin's `rcp`.
- `sftp` (secure FTP), SSH's client/server file transfer protocol.
- SSH port forwarding (so you can run services securely over remote servers).
- SSH X11 forwarding (so you can use X windows securely).
---
## SSH Authentication Methods
Two widely used authentication methods for secure remote access:
- ***Password authentication***
  - (using user name and passwords)
- ***Public key-based authentication***
  - (using public and private key pairs)
----
## Password Based Authentication
- The username and password are passed to the server for client authentication
- These credentials are shared through the secure tunnel established by symmetric encryption
- The server checks the SSH database; if the credentials are found, it authenticates the client and allows it to communicate
----
## Public key-based authentication
- AKA passwordless authentication
- `Client` informs the `Server` of the key pair it wants to connect with
----
- `Server` checks for the existence of this key pair and sends an encrypted key
----
- `Client` decrypts this key with the private key and generates a hash value which is sent back to `Server`
----
- `Server` generates its own hash value and compares it with the one sent from the `Client`
- When the hash values match, `Server` authenticates the `Client`
---
### How does SSH work?
----
- Client and Server exchange keys
  - If connecting for the first time, SSH will prompt for approval of the Host key.
  - Host keys are added to `.ssh/known_hosts` file
----
- Depending on the authentication method, SSH will create a session key that's used for the rest of the connection
- These remote connections are encrypted with a cipher (AES, 3DES, Blowfish or RC4 'arcfour')
----
- The connection remains encrypted and persists until you exit out of the remote connection
---
# Let's SSH...!
---
Authenticating using Username and Password
---
## Generate SSH Key-Pair
```
ssh-keygen
```
---
## Copy Public Key to the Server Node
```
ssh-copy-id username@hostname
```
---
## Disable password-based SSH authentication
- Set `PasswordAuthentication no` in `/etc/ssh/sshd_config`
- Restart **SSH** service
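
A check worth running before the restart, as an added example that is not part of the original slides: `sshd` uses the first value it reads for each keyword, and a `Match` block can turn passwords back on for some users, so a `PasswordAuthentication no` line alone does not prove passwords are off. The function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# effective_global KEYWORD FILE
# Value sshd takes for KEYWORD outside any Match block: keywords are
# case-insensitive and the FIRST occurrence wins. Prints "unset" if absent.
effective_global() {
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*(#|$)/         { next }   # skip comments and blank lines
        tolower($1) == "match" { exit }   # the global section ends here
        tolower($1) == want    { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$2"
}

# match_enables KEYWORD FILE
# Prints "line:value" for every KEYWORD set to yes inside a Match block.
match_enables() {
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*(#|$)/         { next }
        tolower($1) == "match" { in_match = 1; next }
        in_match && tolower($1) == want && tolower($2) == "yes" { print NR ":" $2 }
    ' "$2"
}

# password_auth_disabled FILE: exit 0 only if passwords are off everywhere.
# An unset keyword counts as enabled, since sshd defaults it to yes.
password_auth_disabled() {
    [ "$(effective_global PasswordAuthentication "$1")" = "no" ] &&
        [ -z "$(match_enables PasswordAuthentication "$1")" ]
}

# Constructed sample files (not taken from any real host).
SAMPLES=$(mktemp -d)
printf '%s\n' 'PasswordAuthentication yes' '# appended later:' \
    'PasswordAuthentication no' > "$SAMPLES/shadowed.conf"
printf '%s\n' 'passwordauthentication no' 'Match User backup' \
    '    PasswordAuthentication yes' > "$SAMPLES/match.conf"
printf '%s\n' 'PubkeyAuthentication yes' 'PasswordAuthentication no' \
    > "$SAMPLES/good.conf"

for f in shadowed match good; do
    if password_auth_disabled "$SAMPLES/$f.conf"; then r=disabled; else r=STILL-ENABLED; fi
    echo "$f.conf: password authentication $r"
done
```

This static check does not follow `Include` directives; on a live host, `sshd -T` prints the effective configuration that the daemon would actually use.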
---
# Jump Server
- Acts as an SSH gateway to connect to servers in the DMZ
- Reroutes SSH traffic
----
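Add the settings below to `.ssh/config`
```
# Jump host: reached directly, using its own key
Host jumpserver
    User username
    Hostname jump-server.ip
    IdentityFile /Users/ompragash/.ssh/jumpserver.pem

# Target server: the connection is relayed through the jump host
Host server.ip
    ProxyJump jumpserver
```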
----
Connect to the server and check the auth logs to verify that the SSH connection goes through the configured jump server
```
tail -f /var/log/auth.log
```
---
# Wrap Up!!
- What SSH is and how it works
- SSH Authentication Methods
- Set-up jump server
- Best SSH practices
---
# Thank You!
{"title":"OpenSSH DeepDive","breaks":true,"metaMigratedAt":"2023-06-17T16:10:15.684Z","metaMigratedFrom":"YAML","slideOptions":"{\"transition\":\"slide\"}","contributors":"[{\"id\":\"28a471b1-f48b-455d-9a59-4dd0bcb1fb8a\",\"add\":4163,\"del\":137}]"}