What is SSH (Secure Shell Protocol)?
What is SSH (Secure Shell Protocol)?
SSH is a cryptographic protocol for connecting to network services over an unsecured network. Common applications for SSH are remote login and remotely executing commands on Linux hosts, but that only scratches the surface of what you can do with SSH.
A key benefit of SSH is its near-ubiquity. With OpenSSH having been released back in 1999, SSH can be found on nearly every Operating
System. SSH applications are based on a client-server architecture, with an SSH client connecting to a SSH Server. Let’s look at a simple
example: I’ve created a new server on a cloud provider. During setup, I had to provide my SSH keys, or more specifically my SSH Public Key.
When the server is booted, this key is added to the server, the server boots and the SSH Server process waits for a connection. I’m now able
to connect to the host using SSH,
ssh [email protected], almost transparently. My local terminal feels as if I was
plugged into the host with a monitor.
SSH is a protocol, not a product. The protocol covers 3 main areas.
- Authentication involves proving a user or a machine’s identity; that is, who they claim to be. For SSH, the authentication method means confirming that the user has the correct credentials to access the SSH Server.
- SSH is an encrypted protocol, so the data is unintelligible except to the intended recipients.
- SSH guarantees that the data traveling over the network arrives unaltered. If a third party was to modify traffic during transit, SSH would detect this.
What can you SSH into?
SSH can be used to access any computer. While the primary use was to connect to servers, the definition of “compute” has become more ubiquitous. For example, there are even very small SSH Servers, such as Dropbear SSH that only needs 110kb of space, designed for “embedded”-type Unix systems such as routers and IoT devices. You can even SSH into a self-driving vehicle.
What is OpenSSH?
OpenSSH is an OpenBSD project — it was the first fork of the original and now proprietary SSH program developed by Tatu Ylönen. SSH is a
generic term, and for the rest of the article when we say “SSH” we are referring to the protocol. OpenSSH is still actively maintained and is included in most major UNIX distributions. If you type
ssh, you’ll most likely be interacting with
OpenSSH. Try typing
ssh -V to find your current version.
OpenSSH is a powerful tool, but there are a lot of features that should be avoided — if you set it up incorrectly, bad things will happen. This is why we recommend following these steps to make sure you are following SSH best practices. There are other issues you might encounter, such as the trust on first use (TOFU) problem or adding RBAC to connections. Using an open-source product such as Teleport can help fill these gaps.
SSH public/private keys
By default SSH runs on port 22, and it’s common to open the port up to the whole internet. This means it’s a common target for hackers to
probe SSH. If you’re using a SSH password, there will be many brute-force attacks. This is why it’s recommended to use
ssh keygen to
create strong authentication keys for SSH. Learn more about how to set up SSH keys, and you might want to consider adding a
second factor to SSH authentication, in case someone gets a hold of your keys. If implementing passwordless SSH, it’s important to understand the
pros and cons of the options available to you.
When creating an SSH Key, there are a bunch of options. Should you use RSA, DSA, ECDSA, or EdDSA? For a while, it was a choice between RDA 2047/4096 and ED25519, but after AWS started supporting ED25519 keys, this would be our recommendation.
SSH client configuration
The SSH Client is a tool used on your laptop, workstation or even mobile device. Depending on your OS, you’ll have SSH installed by default. If using Windows, you’ll have to pick a SSH client if you’re not using WSL. After you’ve made your first few connections, you’ll quickly want to edit your SSH configuration, to increase security and productivity. For example, creating an alias for ‘ssh dev’, that'll configure the user and set up the correct agent forwarding. For a full list of the SSH configuration, check out our ssh_config guide.
The SSH Server is the program that runs on the device you want to connect to. It could be a ‘server’ but can also be an embedded device. Since SSH is a protocol, the program could be from a range of different SSH Servers, with most having some kind of interoperability. For example, it’s possible to Teleport with OpenSSH.
Because the SSH server is the gateway to your machine, it’s worth double-checking that all SSH activity is audited and that logs can’t be manipulated. While /var/log/auth.log provides some basic information about a SSH session, it might miss on activity during the session; it's worth setting up SSH Session recording. If you only have a couple of hosts, you might want to consider hardening SSH to prevent brute-force attacks, or using SSH port knocking.
The next level up from SSH keys is SSH certificates. OpenSSH has supported the use of certificates since OpenSSH 5.4 which was released back in 2010.
With SSH certificates, you generate a certificate authority (CA) and then use this to issue and cryptographically sign certificates that can authenticate users to hosts, or hosts to users. There are a few unique properties of certificates that greatly improve security. For example, since SSH certificates can be issued on-demand, this makes it easy only to provide a certificate for that period of time, and after that, the certificate will automatically expire. When someone logs in for the day, they can get an 8-hour certificate. The next day they’ll need to re-authenticate to get a new certificate.
The second benefit is the ability to link certificates to a user and their identity. By linking a cert to a user, it becomes easy to figure out who accessed which system and provide fine-grained RBAC for which systems they can access.
The SSH agent (ssh-agent) is a SSH key manager that stores the SSH key in a process memory so that users can log into SSH servers without having to type the key’s passphrase every time they authenticate with the server. In addition to the key management feature, SSH agent supports agent forwarding, which helps to authenticate with servers that sit behind a bastion or jump server.
There is a risk in using an SSH agent — you should never forward your SSH agent on a machine you do not trust. Although the private keys never leave your machine when using the SSH agent, the agent itself is forwarded to the jump server in forwarding mode. Thus, anyone with root access to that jump server can communicate with the agent, impersonate you as an authentic user, and access any servers where the key is authorized.
We recommend taking a few steps to review how you use an SSH agent and ensure you use it safely.
Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP)
SCP is a handy tool for transferring files over SSH file transfer protocol, providing easy commands to transfer
files from and to hosts; for example, using
scp local_file.txt remote_host:/home. While SCP is as ubiquitous as SSH, it has many security
and performance issues. We have a post that deepdives into SCP and provides a few better and modern alternatives.
SFTP has recently replaced the underlying protocol for SSH file transfer. SFTP stands for Secure File Transfer Protocol (SFTP) and provides a faster and more secure method for transferring files.
SSH tunnels let you proxy arbitrary traffic over SSH. With local port forwarding, SSH tunnels let us connect to insecure protocols, securely access remote services, or even bypass content filters by using dynamic port forwarding. We have an in-depth guide to SSH tunnels, how they work and a few ideas for what to use them for.
SSH production best practices
It’s a best practice not directly connect to machines, but instead access them through a bastion or jump server. Bastions can be hardened machines that can be placed on the internet and can become the gateway to accessing the rest of your fleet. If you are looking for a quick guide on creating an SSH bastion, read our post on setting up an SSH Bastion or our in-depth post on SSH bastion host best practices. Implementing certificate-based authentication is also considered the best method among password-based, key-based and host-based authentication.
History of SSH
Before talking about the invention of the Secure Shell Protocol, it's important to understand a few of the technologies used before.
rlogin (remote login) was an early BSD Unix tool introduced in the 80s, but had many fundamental security problems, such as sending usernames and passwords in cleartext. Early users also ran into usability problems with
rlogin. Other solutions such as telnet had similar security and UX issues.
SSH was first designed in 1995 by Finnish computer scientist Tatu Ylönen, but today most users use OpenSSH, which has become synonymous with SSH. OpenSSH is shipped with all major Linux distributions and is under constant development. Developments of the The Secure Shell (SSH) Connection Protocol IETF standard is available within RFC 4254.
How SSH works
Secure Shell (SSH) is a widely used Application Layer Protocol to secure connections between clients and servers. SSH handshake is a process in the SSH protocol responsible for negotiating initial trust factors for establishing a secure channel between an SSH client and SSH server for an SSH connection. The handshake process includes:
- SSH protocol version exchange
- Key Exchange
- Elliptic Curve Diffie-Hellman Initialization
- Elliptic Curve Diffie-Hellman Reply
- New Keys
SSH provides remote access to the remote computer using symmetric encryption, and will decrypt the connection.
The five steps of the handshake are outlined in this post on SSH handshake explained, covering all steps from the TCP connection to connections and accessing the host.
Once a user has set up SSH, they'll use SSH commands to access the hosts.
Here are few SSH command line examples.
# SSH into a host ssh [email protected] # Execute commands on a remote host. # Find out remote server disk space usage: ssh [email protected] 'df -H'
Generating SSH keys
SSH is known for using Public key cryptography, using the private key pair on the developer's machine following the client-server model. If you don't already have an SSH key, you must generate a new SSH key to use for authentication.
Generating a new SSH Key
# $ ssh-keygen -t `ed25519` -C "[email protected]" # > Generating public/private ALGORITHM key pair. # > Enter a file in which to save the key (/Users/YOU/.ssh/id_ALGORITHM:) [Press enter] # Adding a passphrase to the SSH Key. # > Enter passphrase (empty for no passphrase): [Type a passphrase] # > Enter same passphrase again: [Type passphrase again]
OpenSSH comes pre-installed into many UNIX systems, Linux and MacOS users will be familiar with using ssh on the terminal.
# Checking SSH Version ➜ ~ ssh -V OpenSSH_9.0p1, LibreSSL 3.3.6
Windows have more options with the additions of Windows Sub-system for Linux, WSL and WSL2. WLS2 has made it much easier to use OpenSSH on Windows.
For people looking to use graphical tools with SSH, we recommend trying:
- Putty on Windows
- Teleport Connect for Windows, MacOS and Linux
Explore SSH Tutorials
Learn more about SSH
Practical Guide to Secure SSH Access
Nearly all Teleport features are available in the open source package.
SSH Access - Industry Best Practices
Industry best practices for securing SSH access.
SSH Bastion Host Best Practices
Best practices for securing SSH bastion hosts.
How to Use Teleport with OpenSSH
How to use Teleport with OpenSSH.
Easy to get started
Teleport is easy to deploy and use. We believe that simplicity and good user experience are key to first-class security.
- The tsh client allows users to login to retrieve short-lived certificates.
- The teleport agent can be installed on any server, database, application and Kubernetes cluster with a single command.
# on a client$ tsh login --proxy=example.com
# on a server$ apt install teleport
# in a Kubernetes cluster$ helm install