SSH: Remote Servers

School CS100
1

Secure Gateway to Remote Servers

Have you ever needed to control a computer that’s not physically in front of you? Maybe you’re a web developer managing a server, a system administrator overseeing a network, or a researcher running simulations on a powerful cluster. This is where SSH (Secure Shell) comes in. SSH is the standard protocol for securely accessing and managing remote machines. It’s like having a virtual keyboard and monitor for a computer that could be miles away.

This post will guide you through everything you need to know about SSH, from the absolute basics to advanced techniques and software for efficient server management.

The Fundamentals of SSH

1.1 What is SSH?

SSH, or Secure Shell, is a network protocol that provides a secure, encrypted connection between two computers. Think of it as a highly secure tunnel. This tunnel protects your data (commands, files, passwords) from being intercepted or tampered with while it travels across the network, even if that network is the public internet.

Key Concepts:

  • Client: The computer you’re using to connect to the remote machine (e.g., your laptop).

  • Server: The computer you’re connecting to (e.g., a web server, a database server, etc.).

  • Encryption: SSH uses strong cryptographic algorithms (like AES, ChaCha20) to scramble the data, making it unreadable to anyone who doesn’t have the decryption key.

  • Authentication: SSH verifies the identity of both the client and the server to ensure you’re connecting to the correct machine and that the server is trustworthy. This often involves usernames and passwords, but more secure methods (like SSH keys) are highly recommended.

  • Port 22: By default, SSH servers listen for connections on port 22. This is like a specific “door” on the server that is reserved for SSH traffic.

1.2 Why Use SSH?

  • Security: This is the primary reason. Unlike older protocols like Telnet or FTP (which send data in plain text), SSH encrypts everything.

  • Remote Command Execution: You can run commands on the remote server as if you were sitting directly in front of it. This is essential for managing servers, running applications, and performing administrative tasks.

  • File Transfer: SSH provides secure ways to transfer files between your local machine and the remote server (we’ll cover this later with SCP and SFTP).

  • Port Forwarding (Tunneling): A more advanced feature, SSH can create secure tunnels for other applications, allowing you to access services on the remote network as if they were running locally.

  • Widely Supported: SSH is supported on virtually all operating systems (Linux, macOS, Windows – often through third-party clients on Windows).

1.3 Basic SSH Usage – Your First Connection

Let’s connect to a remote server! For this example, we’ll assume:

  • You have an SSH client installed (see the “Getting Started” section below).

  • You know the username and password for a user account on the remote server.

  • You know the server’s IP address or hostname (e.g., 192.168.1.100 or myserver.example.com).

Open your terminal (or command prompt on Windows):

  • Linux/macOS: The ssh command is usually built-in.

  • Windows: You can use the built-in OpenSSH client (available in newer versions of Windows 10/11), PuTTY (a popular free client), or the Windows Subsystem for Linux (WSL).

The basic command:

ssh username@server_ip_or_hostname

Example:

ssh arjun@192.168.1.100

or

ssh arjun@myserver.example.com

Explanation:

  • ssh: The SSH command.

  • username: Your username on the remote server.

  • @: Separates the username and the server address.

  • server_ip_or_hostname: The IP address or hostname of the remote server.

The First Connection Process:

  1. Connection Request: Your SSH client initiates a connection to the server on port 22.

  2. Server Key Exchange: The server sends its public key to your client. This key is used to verify the server’s identity. Your client will likely ask you if you trust this key the first time you connect. You’ll see a message like:

    The authenticity of host '192.168.1.100 (192.168.1.100)' can't be established.
ECDSA key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

  3. Important: Carefully check the fingerprint if you know it (it’s usually provided by the server administrator). If you’re unsure, type no and investigate. If you type yes, your client will store the server’s public key in a file (usually ~/.ssh/known_hosts) so it won’t ask you again for the same server.

  4. Password Prompt: If the server key is accepted, you’ll be prompted for your password:

    arjun@192.168.1.100's password:

    Enter your password (it won’t be displayed on the screen for security).

  5. Successful Login: If the password is correct, you’ll be logged in, and you’ll see the remote server’s command prompt. You can now run commands on the remote server.

1.4 Basic Commands After Logging In

Once you’re logged in, you can use standard Linux commands:

  • ls: List files and directories.
  • cd: Change directory.
  • pwd: Print working directory (shows your current location).
  • mkdir: Create a directory.
  • rm: Remove files or directories (use with caution!).
  • nano or vim: Text editors (for editing files on the server).
  • sudo: Execute a command with root (administrator) privileges (if your user has sudo access).
  • exit: Log out of the SSH session and close the connection.

1.5 Getting Started: Installing an SSH Client

  • Linux: Most Linux distributions come with an SSH client pre-installed (OpenSSH). If not, you can usually install it using your distribution’s package manager (e.g., apt install openssh-client on Debian/Ubuntu, yum install openssh-clients on Fedora/CentOS).

  • macOS: macOS also includes OpenSSH by default. You can access it through the Terminal application.

  • Windows:

    • Windows 10/11 (Built-in): Open PowerShell and type ssh. If it’s not found, you may need to enable the optional “OpenSSH Client” feature (search for “Optional features” in the Windows settings).

    • PuTTY: A very popular, free, and lightweight SSH client for Windows. Download it from the official website (https://www.putty.org/).

    • Windows Subsystem for Linux (WSL): WSL allows you to run a Linux environment directly on Windows. Once you have WSL installed (e.g., Ubuntu), you’ll have access to the standard Linux ssh command.

    • MobaXterm: Another popular tool for windows. Provides a tabbed terminal with an embedded X server and numerous network tools, including SSH, SFTP, RDP, VNC, and more.

    • Termius: Cross-platform, available on Windows, macOS, Linux, iOS, and Android. Offers a modern interface, port forwarding, and synchronization of settings across devices.

Diving Deeper – Beyond the Basics

2.1 SSH Keys: The Secure and Convenient Alternative to Passwords

Typing your password every time you connect is tedious and, more importantly, less secure than using SSH keys. SSH keys are a pair of cryptographic keys:

  • Private Key: This key is secret and should be kept extremely secure on your local machine. Think of it like the key to your house.

  • Public Key: This key can be shared freely. You place it on the remote server(s) you want to access. Think of it like the lock on your door.

How SSH Key Authentication Works:

  1. Key Generation: You generate a key pair on your local machine.

  2. Public Key Placement: You copy the public key to the ~/.ssh/authorized_keys file on the remote server (for the user account you want to use).

  3. Connection Attempt: When you try to connect, your SSH client uses your private key to create a digital signature.

  4. Verification: The server uses the corresponding public key (from authorized_keys) to verify the signature. If the signature is valid, you’re authenticated without needing to enter a password.

Generating SSH Keys:

ssh-keygen -t ed25519 -C "your_email@example.com"

  • -t ed25519: Specifies the type of key to generate. ed25519 is a modern and secure algorithm. rsa is another common option, but ed25519 is generally preferred for its performance and security.

  • -C “your_email@example.com”: Adds a comment to the key (helpful for identification).

The ssh-keygen command will:

  1. Ask you where to save the keys (the default location is usually ~/.ssh/id_ed25519 for the private key and ~/.ssh/id_ed25519.pub for the public key). Press Enter to accept the default.

  2. Ask you for a passphrase. This is highly recommended! A passphrase adds an extra layer of security. If your private key is ever compromised, the passphrase will prevent it from being used without authorization. You’ll have to enter the passphrase when you use the key, but this is still much more convenient than typing your server password every time.

  3. Generate the key pair.

Copying the Public Key to the Server:

The easiest way to do this is with the ssh-copy-id command:

ssh-copy-id username@server_ip_or_hostname

This command will automatically connect to the server, create the ~/.ssh directory if it doesn’t exist, and append your public key to the ~/.ssh/authorized_keys file. You will be prompted for your password one last time.

If ssh-copy-id is not available, you can do it manually:

  1. Display your public key: cat ~/.ssh/id_ed25519.pub

  2. Copy the entire output (it starts with ssh-ed25519 and ends with your comment).

  3. Connect to the server using ssh (you’ll need to use your password this time).

  4. Create the ~/.ssh directory if it doesn’t exist: mkdir -p ~/.ssh

  5. Edit the ~/.ssh/authorized_keys file: nano ~/.ssh/authorized_keys

  6. Paste your public key into the file (make sure it’s all on one line).

  7. Save the file and exit the editor (Ctrl+X, Y, Enter in nano).

  8. Set the correct permissions: chmod 600 ~/.ssh/authorized_keys and chmod 700 ~/.ssh

Now, you should be able to connect to the server without entering your password (just your ssh passphrase, if you set one).

2.2 SSH Config File (~/.ssh/config)

The SSH config file is a powerful way to simplify and customize your SSH connections. It allows you to define aliases (short names) for servers, specify different usernames, ports, and even key files for different hosts.

Creating the Config File:

touch ~/.ssh/config
chmod 600 ~/.ssh/config
nano ~/.ssh/config

Example Config File:

Host mywebserver
    HostName myserver.example.com
    User johndoe
    IdentityFile ~/.ssh/id_ed25519
    Port 2222

Host dbserver
    HostName 192.168.1.200
    User dbadmin
    IdentityFile ~/.ssh/db_key
    Port 22

Explanation:

  • Host mywebserver: Defines an alias called mywebserver.

  • HostName: The actual hostname or IP address.

  • User: The username to use.

  • IdentityFile: The path to the private key file to use for this host.

  • Port: The port number to connect to (if it’s different from the default 22).

Now, you can connect to mywebserver simply by typing:

ssh mywebserver

This is much easier than remembering the full hostname, username, and key file path! You can define as many hosts as you need in your config file.

2.3 Secure Copy (SCP) and Secure FTP (SFTP)

SCP and SFTP are protocols built on top of SSH for secure file transfer.

  • SCP (Secure Copy): A command-line tool for copying files between your local machine and a remote server. It’s generally faster than SFTP, but less interactive.

    • Copy a file to the remote server:

      scp local_file.txt username@server_ip_or_hostname:/path/to/destination/

    • Copy a file from the remote server:

      scp username@server_ip_or_hostname:/path/to/remote/file.txt /path/to/local/destination/

    • Copy a directory recursively:
      use the -r flag

      scp -r local_directory username@server:/path/to/destination

  • SFTP (Secure FTP): An interactive file transfer protocol. It provides a more FTP-like experience, allowing you to browse directories, list files, and transfer files using commands like get, put, ls, cd, etc.

    sftp username@server_ip_or_hostname

Once connected, you’ll get an sftp> prompt. You can then use commands like:

  • ls: List files on the remote server.
  • pwd: Print the working directory on the remote server.
  • cd: Change directory on the remote server.
  • lls: List files on your local machine.
  • lpwd: Print the working directory on your local machine.
  • lcd: Change directory on your local machine.
  • get remote_file.txt: Download a file from the server.
  • put local_file.txt: Upload a file to the server.
  • exit: Close the SFTP connection.

2.4 Port Forwarding (Tunneling)

SSH port forwarding (also called tunneling) allows you to create a secure connection between a port on your local machine and a port on a remote server (or a port on a machine behind the remote server). This is incredibly useful for accessing services that are not directly exposed to the internet or for creating secure connections to internal network resources.

There are three main types of port forwarding:

  • Local Port Forwarding (-L): Forwards a port on your local machine to a port on the remote server (or a machine accessible from the remote server).

    • This is commonly used to securely access web interfaces or other services running on a remote server.

    • Imagine a web server is running on a remote machine (port 80), but that web server is not accessible directly from the internet, it is behind a firewall and only available on the local network.

    • Example: ssh -L 8080:localhost:80 username@server

      • This command creates a tunnel. When you open http://localhost:8080 in your local browser, the traffic will be securely forwarded through the SSH connection to port 80 on the remote server (localhost from the perspective of the remote server).

  • Remote Port Forwarding (-R): Forwards a port on the remote server to a port on your local machine (or a machine accessible from your local machine).

    • This is less common but can be useful for giving someone temporary access to a service running on your local machine.

    • Example: ssh -R 9000:localhost:8080 username@server

      • This command creates a tunnel. Anyone who connects to port 9000 on the remote server will be connected to port 8080 on your local machine.

  • Dynamic Port Forwarding (-D): Creates a SOCKS proxy on your local machine. This allows you to configure your applications (e.g., your web browser) to use the SSH connection as a proxy server. All traffic from the application will be routed through the SSH tunnel.

    • This allows you to bypass firewalls, access geo-restricted content.

    • Example: ssh -D 1080 username@server

      • This creates a SOCKS proxy listening on port 1080 on your local machine. You can then configure your browser to use this proxy (usually in the network settings).

Best Software for Managing Remote Servers via SSH

While the command-line ssh client is powerful, there are several tools that can significantly enhance your workflow, especially when managing multiple servers.

3.1 Terminal Multiplexers (tmux and screen)

These tools are essential for serious server administration. They allow you to:

  • Create multiple terminal sessions within a single SSH connection: You can have multiple windows and panes open, running different commands simultaneously.

  • Detach and reattach sessions: You can disconnect from the SSH session, and your processes will continue running on the remote server. You can then reattach to the session later, even from a different computer. This is invaluable for long-running tasks.

  • Share sessions: (Less common, but possible) You can allow another user to connect to your screen/tmux session, which can be useful for collaboration or troubleshooting.

  • tmux: The more modern and generally preferred option. It has a more intuitive configuration and a larger feature set.

  • screen: An older, but still widely used, terminal multiplexer. While tmux is generally recommended now, screen is still perfectly viable and may be pre-installed on systems where tmux isn’t.

Basic tmux Usage:

  1. Start tmux: tmux (on the remote server)
  2. Create a new window: Ctrl+b c
  3. Switch between windows: Ctrl+b n (next window), Ctrl+b p (previous window)
  4. Detach from the session: Ctrl+b d
  5. List sessions: tmux ls (from outside tmux)
  6. Reattach to a session: tmux attach -t <session_name> (e.g., tmux attach -t 0 or tmux a -t 0)
  7. Split a window into panes: Ctrl+b " (horizontal split), Ctrl+b % (vertical split)
  8. Navigate between Panes : Ctrl+b
  9. Kill a Window or Pane : Ctrl+b x (you’ll be prompted for confirmation)
  10. Rename a session : tmux rename-session -t

Basic screen Usage:

  1. Start screen: screen (on the remote server)
  2. Create a new window: Ctrl+a c
  3. Switch between windows:
  • Ctrl+a n (next window)
  • Ctrl+a p (previous window)
  • Ctrl+a <window_number> (e.g., Ctrl+a 0 to go to window 0)
  • Ctrl+a " (show a list of windows, then use arrow keys and Enter to select)
  1. Detach from the session: Ctrl+a d
  2. List sessions: screen -ls (from outside screen)
  3. Reattach to a session:
  • screen -r (if there’s only one detached session)
  • screen -r <session_name> (e.g., screen -r 12345.pts-0.servername) Use the output of screen -ls to find the session names
  • screen -x (to attach to an already attached session in multi-display mode – useful for sharing)
  1. Kill a Window : Ctrl+a k (you’ll be prompted for confirmation)
  2. Rename a Session : Inside the screen session: Ctrl+a :sessionname <new_name> (the : enters command mode). Or, from outside the session: screen -S <session_name> -X sessionname <new_name>
  3. Scrollback Mode: Ctrl+a [ (then use arrow keys, Page Up/Down, etc., to scroll. Press Esc to exit scrollback mode). This is crucial for seeing output that has scrolled off the screen.
  4. Copy and Paste (screen’s copy/paste is a bit clunky):
  • Enter copy mode: Ctrl+a [
  • Move the cursor to the start of the text you want to copy.
  • Press Space to begin the selection.
  • Move the cursor to the end of the text you want to copy.
  • Press Space again to copy the selected text to screen’s buffer.
  • Paste: Ctrl+a ]

Key Differences and Why tmux is Often Preferred:

  • Prefix Key: tmux uses Ctrl+b as its prefix key, while screen uses Ctrl+a. This is the key combination you press before issuing a command to the multiplexer. Many people find Ctrl+b more comfortable.

  • Configuration: tmux has a more modern and easier-to-understand configuration file (~/.tmux.conf). screen’s configuration (~/.screenrc) can be more cryptic.

  • Panes: tmux has built-in support for splitting windows into panes (multiple terminals within a single window), which is a very common use case. screen requires some extra configuration to achieve this.

  • Status Bar: tmux’s status bar is more customizable and informative by default.

  • Copy Mode: tmux’s copy mode is generally considered more intuitive and powerful, integrating better with the system clipboard in many cases.

Recommendation:

If you’re new to terminal multiplexers, start with tmux. It’s generally easier to learn and has more features that are useful for modern server administration. However, screen is still a perfectly valid option, especially if you’re working on older systems or have existing screen configurations. The important thing is to use a terminal multiplexer – it will dramatically improve your productivity when working with remote servers.

3.2 MRemoteNG

  • Description: A popular open-source, tabbed, multi-protocol, remote connections manager for Windows.

  • Features:

    • Supports SSH, RDP, VNC, Telnet, and more.

    • Organizes connections in a tree-like structure.

    • Allows you to store credentials securely.

    • Supports scripting and external tools.

  • Best for: Windows users managing a variety of servers and protocols.

3.3 Termius

  • Description: A cross-platform SSH client (Windows, macOS, Linux, iOS, Android) with a modern, user-friendly interface.

  • Features:

    • Synchronization of settings and credentials across devices.

    • Built-in SFTP client.

    • Port forwarding.

    • Snippets (for storing frequently used commands).

    • Premium features (e.g., team collaboration).

  • Best for: Users who need a consistent SSH experience across multiple platforms.

3.4 Royal TS/TSX

  • Description:
    Royal TS (for Windows) and Royal TSX (for macOS) are powerful remote management tools.

  • Features:
    Supports a wide range of protocols including SSH, RDP, VNC, and web-based interfaces.
    Credential management, allowing secure storage and sharing of login information.
    Dynamic folders and smart groups for organizing connections.
    Scripting capabilities with PowerShell (Royal TS) and AppleScript/JavaScript (Royal TSX).

Conclusion

SSH is a fundamental tool for anyone working with remote servers. By mastering SSH, you’ll be well-equipped to securely and efficiently manage any remote system. Start with the basics, practice regularly, and gradually explore the more advanced features and tools. You’ll find that SSH becomes an indispensable part of your workflow.