SSH for Beginners
`ssh` is a basic tool that lets us connect to a server securely, transfer files and do many other things. For example, `ansible` uses it to connect to our servers and configure them as we indicate in our inventories of services and servers, according to the tasks defined in `ala-install`.
`ssh` uses a system of public and private cryptographic keys. Making a simplistic comparison, think of a key (the private key) as the key to your house, and of one or more locks (the public key) that match that key and that you can put in different places, so that you open all of them with the same key.

You can have different public and private keys for different uses (work, home, car, bike, etc.).

You can share the public key in several places (the ideal thing is to have the same lock on all the doors of your house or your car). The private key, however, you only share with your family members (or with members of your team), although it is advisable that each one uses their own keys and locks to enter the same sites.

That is to say, a door can have several locks, and the door can be opened with different keys. Here our metaphor gets a bit mixed up, but let's hope it is understood. Imagine that you have a chain and you add several padlocks to it (see the image). If any neighbor opens their padlock with their key, the chain opens.

The same happens with `ssh`. You can configure several public keys in a server account (that is, several chained locks), and anyone who has the (private) key for one of those locks can enter the server.

If the lock is not positioned properly, you will not be able to open that door chain (and access that server).

Yes, you can use a password to access a server without using SSH keys, like saying Abracadabra to open a magic door, but SSH keys are a more secure option and we prefer to use them.
Just typing:

```sh
ssh-keygen
```

will ask for a file name and a passphrase, and it will generate a key pair for you with the default values.

You can also specify more options for that key:

```sh
ssh-keygen -q -t rsa -b 2048 -f .ssh/my-key
```

You should authorize that public key on your server by adding it to `/home/your-user/.ssh/authorized_keys`. This is like putting the new lock on your chain.

To do that you can:

- Use `ssh-copy-id` (more details) to copy the public key to your user/server (recommended):

  ```sh
  ssh-copy-id -i .ssh/my-key jane@1.2.3.4
  ```

  (let's say that your user is `jane` and `1.2.3.4` is the IP of your server).

- Or edit `.ssh/authorized_keys` manually, accessing your user/server by ssh (more risky if you don't know well what you are doing):

  ```sh
  ssh jane@1.2.3.4
  nano .ssh/authorized_keys
  # add there the contents of .ssh/my-key.pub and save the file
  ```

So the next time you access your server you can use that key instead of the user/server password:

```sh
ssh -i .ssh/my-key jane@1.2.3.4
```
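The manual route above is where beginners usually get bitten: a key pasted twice, or a `.ssh` directory that is group-writable, which makes `sshd` ignore the whole `authorized_keys` file. The script below is an added example (it is not code from the wiki page or from ala-install) that does the server-side part of what `ssh-copy-id` does, but idempotently and with the permissions `sshd` expects. It assumes POSIX `sh` and `awk`, a public key in OpenSSH one-line format, and that the directory passed as the second argument stands in for the remote user's `~/.ssh`, so the demo never touches a real account. The key blob in the demo is constructed, not a real key.

```shell
#!/bin/sh
# Added example, not code from the original wiki page or from ala-install.
# Assumptions: POSIX sh + awk; SSH_DIR stands in for the remote ~/.ssh;
# the demo key blob below is constructed and does not decode to a real key.

# authorize_key PUBKEY_FILE SSH_DIR
# Prints "added" when the key was appended, "present" when the same key
# (type + base64 blob, comment ignored) was already there; returns 1 when
# the first line of PUBKEY_FILE does not look like an OpenSSH public key.
authorize_key() {
    pubkey_file="$1"
    ssh_dir="$2"
    auth="$ssh_dir/authorized_keys"

    # A key line is "<type> <base64 blob> [comment]"; only the first two
    # fields identify the key, the comment is free text.
    key_type=$(awk 'NR == 1 { print $1 }' "$pubkey_file")
    key_blob=$(awk 'NR == 1 { print $2 }' "$pubkey_file")
    case "$key_type" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-*|sk-*) ;;
        *) echo "authorize_key: not an OpenSSH public key line" >&2; return 1 ;;
    esac
    if [ -z "$key_blob" ]; then
        echo "authorize_key: missing key data" >&2
        return 1
    fi

    # With StrictModes (the default) sshd silently ignores authorized_keys
    # if the file or ~/.ssh is writable by group/others, so fix permissions
    # before anything else.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth"
    chmod 600 "$auth"

    # Duplicate check on the blob only: re-running after the comment changed
    # (jane@laptop -> jane@desktop) must not add a second copy of the lock.
    if awk -v blob="$key_blob" '$2 == blob { found = 1 } END { exit !found }' "$auth"; then
        echo "present"
        return 0
    fi
    awk 'NR == 1 { print }' "$pubkey_file" >> "$auth"
    echo "added"
}

# count_authorized_keys AUTH_FILE
# Number of key entries in an authorized_keys file (blank and comment lines
# are skipped): a quick way to review how many "locks" an account has.
count_authorized_keys() {
    awk 'NF > 0 && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# Demo in a scratch directory with a constructed (not real) ed25519 blob.
demo=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedDemoBlob000000000000000000000 jane@laptop' \
    > "$demo/my-key.pub"
authorize_key "$demo/my-key.pub" "$demo/ssh"        # prints "added"
authorize_key "$demo/my-key.pub" "$demo/ssh"        # prints "present"
count_authorized_keys "$demo/ssh/authorized_keys"   # prints 1
rm -rf "$demo"
```

On a real server you would run it as the target user with `~/.ssh` as the second argument; if a key that you are sure is installed still does not work, the permissions of `~/.ssh` and `authorized_keys` (700 and 600 as set above) and the server's auth log are the first things to check.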
Not all of our servers are directly connected to the Internet. Our data centers are like an office building in which not all offices have a door to the street, to the outside.

Our servers have public and/or private IP addresses. Using another metaphor: in a building we cannot give each office its own postal address with a street number, so the street number is shared and the floor/door is then used to indicate an office inside the building.

This also affects security. Imagine what a mess it would be if every office opened onto the street. For this reason, access is often through a lobby or a security checkpoint that then gives you access to the rest of the building. Sometimes you have to go through several security checks until you reach the office you want to enter.

In `ssh` terminology this is a bastion, gateway or proxyjump. You "jump" to one server to be able to access another, typically an internal server.
Like the classic web http port is `80`, or https `443`, the default port for SSH is `22`. If on a server you ring the bell `80`, the web will answer you; if you ring `443`, the secure web will answer you; and if you ring the bell `22`, then ssh answers.

Sometimes another port is used instead of the default port `22`. This often happens when we have internal servers and the external machine uses port `22` for itself. In these cases a different port (for example `22001`) is redirected to port `22` of the internal machine.
The basic command to connect is:

```sh
ssh jane@1.2.3.4
```

or specifying the key to use:

```sh
ssh -i .ssh/my-key jane@1.2.3.4
```

As this is longer and more complicated to remember, we can edit the `.ssh/config` file to set up this connection for future reuse, adding:

```
Host my_server
    HostName 1.2.3.4
    IdentityFile ~/.ssh/my-key
    User jane
```

With this configuration we can now just type:

```sh
ssh my_server
```

to connect to that IP address with the user `jane` and using that ssh key.

You can access an internal server using a bastion/gateway/proxyjump like this:

```sh
ssh -J gateway.l-a.site jane@1.2.3.4
```

But as this command is a bit difficult to memorize, and can get longer if you have to specify keys, etc., it's recommended to use the `.ssh/config` file instead to do the same:

```
Host my_server
    HostName 1.2.3.4
    IdentityFile ~/.ssh/my-key
    ProxyJump gateway.l-a.site
    User jane
```
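Once several of these blocks live in one `.ssh/config`, the detail that matters is ordering: ssh keeps the first value it finds for each option, so a `Host *` block placed before `my_server` would quietly override its `User` or `IdentityFile`. The script below is an added example (not code from the wiki page or from ala-install) that writes Host blocks like the ones above from a script and resolves what ssh will pick for an alias, covering the bastion/ProxyJump case and, going one step beyond the page's own entry, the non-default `Port 22001` from the ports section. It assumes POSIX `sh` and `awk`, always receives the config path explicitly so it never touches the real `~/.ssh/config`, and its matcher implements only plain names, `*` and trailing-`*` patterns (no `!` negation, no `Match` blocks, no system-wide `ssh_config`). `my_server`, `jane`, `1.2.3.4` and `gateway.l-a.site` are the wiki's own placeholder values.

```shell
#!/bin/sh
# Added example, not code from the original wiki page or from ala-install.
# Assumptions: POSIX sh + awk; CONFIG is always an explicit path; the Host
# matcher is simplified (exact name, "*", "prefix*"); values are the wiki's
# placeholders (my_server, jane, 1.2.3.4, gateway.l-a.site).

# add_host CONFIG ALIAS HOSTNAME USER IDENTITYFILE [PORT] [PROXYJUMP]
# Prepends a Host block. ssh keeps the FIRST value it finds for each option,
# so a specific entry must come before any wider pattern such as "Host *".
add_host() {
    cfg="$1"; name="$2"; host="$3"; user="$4"; key="$5"
    port="${6:-}"; jump="${7:-}"
    tmp="$cfg.tmp.$$"
    {
        printf 'Host %s\n' "$name"
        printf '    HostName %s\n' "$host"
        printf '    User %s\n' "$user"
        printf '    IdentityFile %s\n' "$key"
        if [ -n "$port" ]; then printf '    Port %s\n' "$port"; fi
        if [ -n "$jump" ]; then printf '    ProxyJump %s\n' "$jump"; fi
        printf '\n'
        if [ -f "$cfg" ]; then cat "$cfg"; fi
    } > "$tmp"
    mv "$tmp" "$cfg"
    chmod 600 "$cfg"   # ssh rejects a config that group/others can write
}

# resolve CONFIG ALIAS OPTION
# Prints the value ssh would use for OPTION when you type "ssh ALIAS",
# or nothing if no matching block sets it. Keywords are case-insensitive,
# arguments are not, as in ssh_config.
resolve() {
    awk -v target="$2" -v opt="$3" '
        # simplified Host pattern match: exact name, "*", or "prefix*"
        function matches(pat,    n) {
            if (pat == target || pat == "*") return 1
            n = length(pat)
            if (substr(pat, n) == "*" && substr(target, 1, n - 1) == substr(pat, 1, n - 1)) return 1
            return 0
        }
        tolower($1) == "host" {
            active = 0
            for (i = 2; i <= NF; i++) if (matches($i)) active = 1
            next
        }
        active && !found && tolower($1) == tolower(opt) { print $2; found = 1 }
    ' "$1"
}

# Demo in a scratch directory: the internal server reached through the
# gateway on a redirected port, the gateway itself, and a catch-all LAST.
demo=$(mktemp -d)
cfg="$demo/config"
add_host "$cfg" my_server 1.2.3.4 jane '~/.ssh/my-key' 22001 gateway.l-a.site
add_host "$cfg" gateway.l-a.site gateway.l-a.site jane '~/.ssh/my-key'
printf 'Host *\n    User nobody\n' >> "$cfg"
resolve "$cfg" my_server ProxyJump       # prints gateway.l-a.site
resolve "$cfg" my_server Port            # prints 22001
resolve "$cfg" other.example.org User    # prints nobody (only the catch-all matches)
rm -rf "$demo"
```

On a machine with OpenSSH installed, `ssh -G my_server` prints the fully resolved configuration and is the authoritative version of this check; the awk resolver is only there to make the first-match rule visible without a client at hand.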
`scp` and `sftp` are two utilities that allow for secure file transfers over SSH.

`scp` (Secure Copy) is a command-line utility that allows you to securely copy files and directories between two locations. With `scp`, you can copy a file or directory:

- From your local system to a remote system
- From a remote system to your local system
- Between two remote systems from your local system

Here is the basic syntax of `scp`:

```sh
scp source_file user@dest:/path/to/destination
```

For example, if you have a file on your local machine called `test.txt` that you want to copy to a remote machine with IP `1.2.3.4`, you could use:

```sh
scp test.txt jane@1.2.3.4:/home/jane
```

`sftp` (SSH File Transfer Protocol) is another method of transferring files securely between hosts. It is more interactive and flexible than `scp` because it allows you to navigate the directory structure, create directories, and delete files on the remote host, among other things.

Here is how you might start a session:

```sh
sftp jane@1.2.3.4
```

Once connected, you can use `ls` to list files, `cd` to change directory, `get` to download files, and `put` to upload files.
`rsync` is a utility for efficiently transferring and synchronizing files across computer systems. It's commonly used for backups and mirroring, and as an improved copy command for everyday use. The `rsync` command only transfers the changes in the source files to the destination, which makes it very efficient.

Here is the basic syntax of `rsync`:

```sh
rsync options source destination
```

For example, to copy a directory from your local system to a remote system, you might use:

```sh
rsync -av /local/dir/ jane@1.2.3.4:/remote/dir/
```

The `-a` option is for archive, which preserves permissions, links, etc. The `-v` option is for verbose, which provides detailed output of what the command is doing.

Or a more complex command like this one, which rsyncs a directory recursively (`-a`), uses sudo on the remote side so that users/groups and permissions are preserved (if you are transferring data from users other than jane), preserves hard links (`-H`), continues a previous transfer (`--partial`), and uses a specific ssh key:

```sh
rsync -aH --partial -e "ssh -i ~/.ssh/some-key" --rsync-path="sudo rsync" /data jane@1.2.3.4:/data/
```
The remote server you want to access runs an SSH server, but to connect to it you need an SSH client. There are different versions, but as we use openssh on the server side, it's recommended to use openssh on the client side too.

- Mac or GNU/Linux have openssh out of the box in their terminals.
- Windows 10 instructions: https://docs.microsoft.com/es-es/windows-server/administration/openssh/openssh_install_firstuse
- Older Windows versions can use emulators like cygwin or msys2, which include the openssh package.