SSH

Using SSH

Logging into a remote machine is quite simple with SSH:

ssh username@medusa.ovgu.de

SSH on Windows

How to install the SSH Client on Windows 10

1. Press the Search button and type “Optional feature” -> Click the top result, which should read, “Add an optional feature”.
2. Click “Add a feature” in Settings
3. Install the Windows OpenSSH Client -> Type “SSH” in the optional features search bar, then tick the entry that reads “OpenSSH Client”. Finally, click the “Install” button at the bottom of your Window. The process will take a few seconds to complete and shouldn’t require a restart.

How to Use SSH in Commands in Windows 10

1. Open Command Prompt (or Powershell) -> Press Start and then type “Command Prompt”. Click the top result.
2. Run the SSH command to view its usage guide -> Command prompt will return a full list of options and syntax for you to use as you require.
3. Connect to your server via your Windows Open SSH client -> In most cases, you won’t need the above options to connect to your SSH server.

If it is the first time that you have connected to this server with SSH, you will receive a prompt similar to the following:

The authenticity of host 'medusa.ovgu.de (141.44.17.54)' can't be established.
ECDSA key fingerprint is SHA256:fgvO3iB0fUsVjbrXLhg8h8ZPZdXa55rnwR+9P72O7oU.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

Type "yes" to confirm the fingerprint (please see the explanation of fingerprints below).

Authenticate, and you now have an interactive session on the remote machine.

Keys

SSH also supports key-based authentication, which is much more secure than password authentication.

It is a common misconception that using keys means that you don't need a password. Though a key instead of a password is used to authenticate to the server, a password is used to protect the key itself on your system (it is possible to create keys that are not password protected, but it is considered poor practice).

Protecting your key with a password is important. Otherwise, if someone accesses your computer, they will gain access to every system that uses that key. That's bad (technical term).

If you don't yet have an SSH key, generate one by running the following, and follow the prompts:

ssh-keygen -t rsa -b 4096

Once you have a key, it can be copied to a server using ssh-copy-id. For example:

ssh-copy-id username@medusa.ovgu.de

X Forwarding

Graphical programs run on the remote server can be displayed on your local machine using a feature called X Forwarding. To enable this, use the -X flag. For example:

ssh -X username@medusa.ovgu.de

However, X Forwarding comes with one major caveat: it is very sensitive to latency, so it is only practical to use when on the same wired network as the server (i.e. on campus).

X Forwarding also requires that your local machine has X installed. This is the default on Linux systems, but macOS systems need to install XQuartz [1] while Windows 10 systems need VcXsrv installed via WSL.

Jump Hosts

If you want to connect to a server that is on a private network, you will want to use a Jump Host.

To explain, let's say we're robbing a bank (sometimes called "self financing" in academia). The server vault isn't publicly available, but lobby is, so we're going to connect to it first and use it as a jump host.

For example:

ssh -J username@lobby username@vault

This will first connect to lobby, and then connect to vault.

This is more convenient than manually SSHing (ssh lobby followed with ssh vault), but more importantantly, it allows for the SSH keys from the original computer to be used to authenticate to both servers. Otherwise, you would need to store a copy of your keys on lobby, which is unsafe. They're called keys for a reason: keep them secret; keep them safe.

Agents

An agent (e.g. ssh-agent) can be used to remember the password to unlock your key, usually with a timeout. This can be quite convenient when connecting frequently to servers.

TODO: Discuss agents. ssh-agent is most often suggested, but its behavior is non-obvious, especially when compared to gpg-agent (which is an option when using RSA keys). On macOS, Apple keychain can be used.

Fingerprints

Each server has a unique fingerprint that identifies it.

In theory, when first connecting to a server, users should take great care to verify that the fingerprint offered is authentic by confirming it against a trusted copy via a different (preferably analog) communication channel (e.g. phone). This allows you to be certain that you are indeed connecting to the server that you think you are, and that no one is attempting a Man-in-the-Middle attack.

In reality (and unsurprisingly), the majority of users do not perform such steps. However, fingerprints still have value, because SSH will notify you if the server's fingerprint changes. This helps protect against future MITM attacks. [2]

Your SSH client maintains a list of server fingerprints in the ~/.ssh/known_hosts file.

Config

SSH has many powerful options. If you want to use different keys for different hosts, use jump hosts automatically when connecting to certain hosts, etc, then you should read man ssh_config. These options are all set in the ~/.ssh/config file.

Authenticate, and you now have an interactive session on the remote machine.

Tutorial: (https://winbuzzer.com/2021/08/25/how-to-enable-and-use-ssh-commands-on-windows-10-xcxwbt/)