The understated usefulness of SSH, part 1.

December 4, 2008

SSH, or Secure SHell, is probably the most useful tool I’ve discovered since I switched to Ubuntu.  SSH enables you to remotely access other computers over a network, or over the Internet.  It is a secure replacement for TELNET, which although useful, transmits passwords in plain text.

OpenSSH is the FOSS implementation of SSH available in Ubuntu, which also includes SCP for secure copying across a network, and SFTP, a secure implementation of FTP (FTP also sends passwords in plain text).  In Ubuntu, you can go to Places > Connect to Server… to connect to another computer graphically through SSH to move files back and forth, but if you want to get the most out of SSH, you’ll need to use the command line.

First, you’ll need to have the ‘ssh’ package installed (this meta-package includes the openssh-client and openssh-server packages).   Open up a terminal and start by typing:

sudo aptitude install ssh

You’ll need to do the same on the computer you want to connect to.  Once SSH is installed on both systems, you can login remotely like this:

ssh remoteuser@<remote IP address>

You will be prompted for remoteuser’s password on the remote computer (the server).  You can omit the username if the username and password match on the client (local) and the server (remote) computers.  From here you can browse the filesystem, edit configuration files, or even SSH into a third computer (the server becomes the client for the new connection).  Disconnect from an SSH session by typing “exit”.

You can also use SFTP and SCP for moving files back and forth between computers.  SFTP functions exactly the same as FTP.  Just type:

sftp remoteuser@<remote IP address>

At the prompt, type a ‘?’ for options.  “put” is used for uploading files, and “get” is used for downloading them.

Using SCP is similar to using the “cp” command in a terminal.

Download files from the remote computer:

scp remoteuser@<remote IP address>:/path/to/file /local/destination/

Or, upload files to the remote computer:

scp /local/path/to/file remoteuser@<remote IP address>:/remote/destination

Or, move files from one remote computer to another remote computer:

scp userA@<remote IP A>:/path/to/file userB@<remote IP B>:/path/to/destination

Just as you can use SSH to log in to a computer on a LAN, you can also use it to connect to a computer across the Internet.  This involves three additional steps: using secure authentication, getting the correct IP address, and setting up port forwarding.

Setting up your server for SSH access from any Internet connection is quite useful.  The bad news is that you are also making your computer fully accessible to anyone with your password and to EVERYONE with the ability to crack it.  This should concern you, because even if there is nothing valuable on your computer, an attacker can use your network as a springboard to attack other computer systems, effectively leaving your fingerprints at the crime scene.  The solution is to turn off password authentication, and log in automatically with an RSA key instead.  This step is essential for anyone who will be setting up port forwarding for SSH connections.

Very strong security using RSA key-based authentication is easy to set up, and it only takes a few minutes.  You will be generating an RSA key on the computer you want to SSH from (the client), and passing the key to the computer you’ll be SSHing into (the server), which essentially makes your local computer the key to access your server.  After you’ve passed your key to the server you can turn off password authentication, keeping unwanted guests out of your server.  I’ve used this excellent post from Tombuntu.com as a quick reference for a while now, and I’m going to recommend you click the link for the instructions.
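Turning off password authentication only helps if the setting actually takes effect. As an added example (not from the original post or the guide it links to), this shell script reports the effective global value of an sshd_config keyword and checks that password logins are off while key logins are on. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit sshd_config text.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and lines after a "Match" line are conditional.

effective_option() {   # usage: effective_option KEYWORD DEFAULT FILE
    awk -v key="$1" -v val="$2" '
        /^[ \t]*(#|$)/ { next }                     # comment or blank line
        { sub(/^[ \t]+/, ""); split($0, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { exit }           # global section ends
        tolower(f[1]) == tolower(key) { val = tolower(f[2]); exit }
        END { print val }
    ' "$3"
}

key_only_login() {     # succeeds when passwords are off and keys are on
    [ "$(effective_option PasswordAuthentication yes "$1")" = "no" ] &&
    [ "$(effective_option PubkeyAuthentication yes "$1")" = "yes" ]
}

# Constructed sample files, not taken from any real host.
tmp=$(mktemp -d)
printf '%s\n' 'Port 22' '#PasswordAuthentication no' \
    > "$tmp/commented"      # directive still commented out: default applies
printf '%s\n' 'PasswordAuthentication yes' 'passwordauthentication no' \
    > "$tmp/shadowed"       # later "no" is ignored, first value wins
printf '%s\n' 'PubkeyAuthentication yes' 'Match User backup' \
    '    PasswordAuthentication no' \
    > "$tmp/match_only"     # only disabled for one user
printf '%s\n' 'PubkeyAuthentication yes' 'PasswordAuthentication no' \
    > "$tmp/hardened"

for f in commented shadowed match_only hardened; do
    if key_only_login "$tmp/$f"; then echo "$f: key-only login"
    else echo "$f: password login still accepted"; fi
done
```

On a real server, point `key_only_login` at /etc/ssh/sshd_config after editing it, and keep an existing session open until a key login from a second terminal has succeeded.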

To connect to a computer running on your home network, you will also need to know your (external) IP address.  The problem lies in the reality that most ISPs change the IP address of your Internet connection regularly.  Now, if there is someone at the remote computer, you can instruct them to go to http://www.whatsmyip.org/, and to instant message or email the IP address back to you, which makes things quite simple.  Obviously, this isn’t the most ideal system.  An easier way to set things up would be to use a Dynamic DNS service such as DynDNS.  This service attaches a static URL to your dynamic IP address.  The server keeps the URL up to date by listening to a device on your network which updates the server with your current IP address every minute or so.  Many home routers provide DynDNS support out of the box.  You can also set up a computer on your network to provide this service with these instructions.

The last requirement for enabling SSH connections over the Internet is to have your home router (AKA residential gateway) forward the SSH port (port 22 by default) to the proper computer on your home network.  If you don’t already know, outsiders on the Internet see your entire network as one IP address: the external address of your router, assigned by your ISP.  When you try to connect to this address, the router takes the incoming connection (a connection always comes in on a particular port) and forwards that port to the appropriate computer on your network.  You need to make sure this is set up to work correctly beforehand.  Instructions for configuring your particular router, and further information about port forwarding, can be found on the exceptionally useful website portforward.com.

So, now you can securely SSH into your server from elsewhere.  A problem you may experience is that if you execute a time-consuming command, such as compiling software or wget-ing an iso, and disconnect your session, the program stops immediately.  A great solution to this problem is GNU Screen (thanks to Aaron Toponce for pointing out this great app).  Screen is a tool that starts a new, resumable command line inside the current one.  Once you are connected to the remote computer, type “screen” to start the program.  Inside screen, you can start downloading that iso with wget, and then press Ctrl+a, and then ‘d’ to disconnect the session.  You can type “exit” to disconnect from the SSH session, if you’d like.  The iso will keep downloading.  At a later point, you can SSH back in, and type “screen -r” to resume your previous session.

Well, that’s it for today.  Next time I’ll cover running GUI (graphical user interface) applications remotely with SSH and X11 forwarding, using compression, and some other useful stuff.

If you have any other useful SSH tips I haven’t mentioned here, feel free to comment.


5 Responses to “The understated usefulness of SSH, part 1.”


  1. […] Vote The understated usefulness of SSH, part 1. […]


  2. […] Vote The understated usefulness of SSH, part 1. […]

  3. Dietrich Says:

    If you like ssh, then you’ll definitely appreciate having sshfs. Also, for accessing that port-forwarded PC behind your router, you can and should definitely try using NoMachine’s NX (http://www.nomachine.com). It’s FREE.

    Here’s a link to a story about using ssh to set up a VPN:

    http://www.dtschmitz.com/dts/2008/12/opensuse-how-to-set-up-ssh-based-point-to-point-connection-vpn.html

    Kindest regards,

    Dietrich T. Schmitz
    Linux IT Consultant
    http://www.dtschmitz.com


  4. […] 11, 2009 Last time, I covered some different ways of using SSH for remote access on a LAN or over the Internet, using […]


  5. […] The understated usefulness of SSH, part 1. […]

