The top three SSH tricks
Security Skills
Secure Shell (SSH) is more than a simple remote connectivity protocol. The SSH utility is one of the most versatile tools in your administrative toolbox. You can use SSH to copy files securely, and you can even build it into automation scripts.
Trick 1: Configuring a More Secure SSH
Although SSH is secure in a default installation, you can make some tweaks to provide an even more secure environment. The parameters to change are located in /etc/ssh/sshd_config
. The first security change is to deny root user logins by finding the line
PermitRootLogin Yes
and changing the Yes
to No
If you have a limited number of users (fewer than 10), you can use the AllowUsers
entry to limit which users can use SSH to connect to the server. Remember to include yourself on the user list, which is space delimited:
AllowUsers bob admin fred joe
If you have more than 10 users or if you choose to manage by groups, create an sshusers
or similar group and add users as needed:
$ sudo groupadd --r sshusers $ sudo usermod --a --G sshusers bob
In sshd_config
, use the AllowGroups
directive with your group name,
AllowGroups sshusers
and restart the SSH daemon:
$ sudo service ssh restart
For systemd servers, use either of the following commands:
$ sudo systemctl restart sshd $ sudo systemctl restart ssh
A final change to enhance SSH security on your network is to allow SSH sessions to originate only from a single server, often known as a "jump" server. This change is outside of the SSHD configuration and only involves limiting the allowed IP address through iptables by entering the command
$ sudo iptables -A INPUT -p tcp -s [IP address of allowed server] --dport 22 -j ACCEPT
on the server to which you want to SSH.
Trick 2: Copying Files Securely
The SSH protocol also includes Secure Copy (SCP) and Secure FTP (SFTP), which let you copy files securely to and from remote computers. For example, the following command copies file.txt
to a specific path on a remote system:
scp file.txt <user>@<remote_server>:/<path>/file.txt
A more specific example is shown in Listing 1.
Listing 1: SCP Example
scp file.txt bob@calypso:/opt/test/file.txt bob@calypso's password: file.txt 100% 0 0.0KB/s 00:00
To copy a file from a remote system, change the syntax slightly:
scp bob@calypso:/opt/test/file.txt .
The trailing dot means the copy is to the current directory on the local system.
SFTP works like FTP at the command line: You can transfer one file or many with the use of wild cards, and you can put
and get
files (Listing 2).
Listing 2: Secure FTP
# Initiate an SFTP session; the system will ask for user@remote_server's password $ sftp user@remote_server # Send files to a remote server sftp> put file.txt sftp> put file.txt new.txt test.txt sftp> mput *.txt # Get files from a remote server sftp> get file.txt sftp> get file.txt new.txt test.txt sftp> mget *.txt
Trick 3: Passwordless SSH Connections
Often, it is convenient to connect from one system to another without using a password, especially to initiate automated tasks. If you don't use a shared key setup, your scripts will have to contain passwords, which is a security risk. You might think that passwordless SSH is also a security risk, and it would be, except that you can control the systems to which a user account can connect, which increases security.
In the example here, the content of a local file is concatenated to a remote file. The file need not already exist on the remote system, but if it does, a redirect (>>
) will append to the end of the remote file, rather than overwriting it.
To begin, you use SSH to connect to every host to which you want to configure passwordless SSH; then, SSH back to the original host from each system to accept the host fingerprint and to establish a local .ssh
directory in your user's home directory on the remote system:
$ ssh-keygen --t rsa $ cat .ssh/id_rsa.pub >>.ssh/authorized_keys $ cat .ssh/authorized_keys | ssh remote_host 'cat >> .ssh/authorized_keys'
During this process, you need to enter your password for the remote host and then type exit to return to the original host. Now, when you enter ssh remote_host
, no password is required.
SSH is the best defense against network eavesdropping because all communications are secure by default. SSH's capabilities are so extensive that you can purchase entire books about it. Learning how to use SSH in automated scripts for transferring files and for managing servers makes you a very powerful administrator indeed.