SSH: Secure System Administration and File Transfers over Insecure Networks
In today's digital landscape, where network security is of utmost importance, Secure Shell (SSH) stands as a crucial tool. SSH provides a secure way to access and manage remote systems, as well as transfer files between systems over potentially insecure networks. Whether you're a system administrator managing a fleet of servers or a regular user needing to securely transfer files, understanding SSH is essential. This blog will delve into the details of SSH, covering its architecture, common practices, best practices, and example usage.
Table of Contents
- What is SSH?
- SSH Architecture
- Common Practices
- Best Practices
- SSH Tunneling and Port Forwarding
- Example Usage
- References
What is SSH?
SSH is a cryptographic network protocol for secure communication between two hosts over an untrusted network. It provides authentication of both parties, confidentiality, and integrity for the data being transmitted. SSH can be used for various purposes such as remote login (similar to Telnet, but secure), executing commands on a remote server, and transferring files (using SCP or SFTP).
SSH Architecture
SSH operates in a client-server model: the client initiates a TCP connection (port 22 by default) to the server, the two sides negotiate algorithms and a shared session key, and everything after that is encrypted. The key components of the SSH architecture are:
- Authentication: SSH authenticates both ends. The client verifies the server's host key against ~/.ssh/known_hosts (the "Are you sure you want to continue connecting?" prompt on first contact is that check, and a later "REMOTE HOST IDENTIFICATION HAS CHANGED" warning means the key no longer matches what was recorded). The server then authenticates the user. The most common user authentication methods are password-based authentication, where the user enters their password, and public-key authentication, where the user holds a key pair: the public key is stored on the server and the private key stays on the client, which uses it to sign a challenge and so prove its identity. Modern deployments increasingly use Ed25519 keys for their speed and strong security properties.
- Encryption and integrity: SSH encrypts the data in transit with strong symmetric ciphers (such as AES or ChaCha20) and protects it against tampering with a MAC or an authenticated cipher mode, so an attacker who intercepts the traffic can neither read nor silently modify it. Modern OpenSSH also supports post-quantum hybrid key exchange to protect recorded traffic against future quantum attacks.
Common Practices
Password-based Authentication
- Login: To log in to a remote server using password-based authentication, use the following command:
ssh username@remote_server_ip
For example, if your username is "john" and the remote server's IP is "192.168.1.100":
ssh john@192.168.1.100
You will then be prompted to enter your password. On first contact ssh also shows the server's host key fingerprint and asks you to confirm it; compare it with a fingerprint obtained out of band (from the server's console or your provider) before typing yes.
Public-key Authentication
1. Generate keys: On the client machine, generate an SSH key pair (if you do not already have one) with the ssh-keygen command:
ssh-keygen -t ed25519 -C "[email protected]"
This generates an Ed25519 key pair, the recommended key type for modern SSH: the keys are short, fast, and offer strong security. You will be asked where to save the keys (the default, ~/.ssh/id_ed25519, is usually fine) and for a passphrase, which is strongly recommended because it encrypts the private key on disk. The private key never leaves the client; only the .pub file is copied anywhere.
For systems that require broader compatibility, RSA with a 4096-bit key is still acceptable:
ssh-keygen -t rsa -b 4096
2. Copy the public key: Copy the public key (~/.ssh/id_ed25519.pub, or ~/.ssh/id_rsa.pub for an RSA key) to the remote server. The ssh-copy-id command does this for you where available, logging in with your password one last time:
ssh-copy-id -i ~/.ssh/id_ed25519.pub username@remote_server_ip
This appends the public key to ~/.ssh/authorized_keys on the remote server, creating the directory and file with restrictive permissions if they do not exist (700 on ~/.ssh, 600 on authorized_keys). Those permissions matter: sshd's StrictModes, on by default, ignores the file if it or the .ssh directory is writable by other users. Without ssh-copy-id, paste the one-line contents of the .pub file into that file by hand.
3. Log in: Now you can log in without a server password; if the private key has a passphrase, ssh (or ssh-agent) will ask for that instead:
ssh username@remote_server_ip
File Transfers (SFTP and rsync)
SSH provides several methods for transferring files securely. The most common are SFTP, scp, and rsync.
SFTP (Recommended)
SFTP (SSH File Transfer Protocol) is the modern standard for secure file transfer. Despite the name, it is not related to FTP; it runs entirely over SSH, so it uses the same authentication and encryption as an interactive login. To copy a file to a remote server:
sftp username@remote_server_ip
sftp> put local_file.txt /home/user/
sftp> exit
To download a file:
sftp username@remote_server_ip
sftp> get /home/user/remote_file.txt .
scp (Legacy)
The scp command provides quick one-off file copies. The original SCP protocol is deprecated: since OpenSSH 9.0 (2022) the scp command speaks SFTP to the server by default, and the legacy protocol is used only if you pass -O. The command-line syntax is unchanged:
# Copy a file to a remote server
scp local_file.txt username@remote_server_ip:/home/user/
# Copy a file from a remote server
scp username@remote_server_ip:/home/user/remote_file.txt .
rsync (Incremental Transfers)
For transferring large directories or syncing files that change frequently, rsync is the most efficient choice. It uses a delta algorithm to transfer only the parts of files that have changed, and it runs over SSH by default:
# Sync a directory to a remote server
rsync -avz /local/path/ username@remote_server_ip:/home/user/
# Sync from remote to local
rsync -avz username@remote_server_ip:/home/user/remote_dir/ /local/path/
The -a flag preserves permissions, timestamps, and symlinks (and ownership when run as root), -v lists each file as it is transferred (add -P or --progress for a per-file progress bar), and -z compresses data during transfer. Note the trailing slash on the source: /local/path/ means "the contents of path", while /local/path without the slash would create a path directory inside the destination. Run with -n (--dry-run) first when the destination already holds data, especially if you add --delete.
Best Practices
Security
- Use strong passwords: If password-based authentication must remain enabled, use long, unique passwords (a passphrase of several words beats a short string of mixed character classes) and never reuse them across systems.
- Limit password authentication: On the server, disable password-based authentication for regular users (except perhaps an emergency account, via a Match block) and rely on public-key authentication. This is configured in /etc/ssh/sshd_config on most Linux systems: set PasswordAuthentication no (after making a backup of the original config file). Two caveats: for each keyword sshd uses the first value it reads, so a line appended at the end of the file does nothing if the keyword already appears earlier or in a file pulled in by an Include directive above it; and with UsePAM yes, keyboard-interactive authentication can still prompt for the Unix password, so set KbdInteractiveAuthentication no as well (ChallengeResponseAuthentication no on older versions). Check the result with sshd -T (prints the effective configuration), validate the syntax with sshd -t, and keep an existing session open while you restart the service so a mistake does not lock you out.
- Update the SSH server: Regularly update the SSH server software on your systems; newer versions contain security patches.
Key Management
- Backup Private Keys: Keep backups of your private keys in a secure location (like an encrypted external drive). Losing the private key means you won't be able to authenticate using that key pair.
- Rotate Keys: Periodically rotate your SSH keys (especially for high-security systems). This reduces the risk of a compromised key being misused over a long period.
- Use ssh-agent: If your private key has a passphrase (it should), use ssh-agent to avoid re-entering it for every connection. Start the agent and add your key:
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519
On most desktop Linux distributions and macOS, the agent starts automatically and integrates with the desktop keyring.
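Both the copy-public-key step of the public-key setup above and the rotate-keys advice in this list come down to editing the server's ~/.ssh/authorized_keys file correctly. The POSIX shell script below is an added example, not code from the original post or from OpenSSH: it installs a key idempotently with the permissions sshd's StrictModes requires, and removes an old key for rotation. The key lines, user names and paths in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Manages an authorized_keys
# file the way ssh-copy-id does, but idempotently and with the permissions
# sshd's StrictModes requires, plus a remove step for rotating keys.
# NEW_KEY and OLD_KEY are constructed placeholders, not real keys.

NEW_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEexampleEXAMPLEexampleEXAMPLEexample0 john@laptop-new'
OLD_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDoldOLDoldOLDoldOLDoldOLDoldOLDoldOLDold1 john@laptop-old'

# Field 2 of a public-key line is the base64 key blob. It identifies the key
# whatever the trailing comment says, so it is what we compare on.
ak_blob() { printf '%s\n' "$1" | awk '{print $2}'; }

# Accept only "<type> <base64> [comment]" lines with a key type we recognise.
ak_valid_line() {
    ktype=$(printf '%s\n' "$1" | awk '{print $1}')
    case "$ktype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    ak_blob "$1" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# True if a line carrying this key's blob is already in the file.
ak_has() {
    [ -f "$1" ] && grep -F -q -- "$(ak_blob "$2")" "$1"
}

# $1 = authorized_keys path, $2 = public-key line, $3 = optional
# authorized_keys options to prepend, e.g. 'restrict' or 'from="10.0.0.0/8"'.
ak_add() {
    file=$1; key=$2; opts=${3:-}
    ak_valid_line "$key" || { echo "ak_add: not a public-key line: $key" >&2; return 2; }
    # sshd ignores the file if it, or the .ssh directory, is writable by others
    dir=$(dirname "$file")
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$file" ] || : > "$file"
    chmod 600 "$file"
    if ak_has "$file" "$key"; then
        return 0                        # already installed: nothing to do
    fi
    # do not glue onto an existing last line that lacks its newline
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then echo >> "$file"; fi
    if [ -n "$opts" ]; then
        printf '%s %s\n' "$opts" "$key" >> "$file"
    else
        printf '%s\n' "$key" >> "$file"
    fi
}

# Drop every line carrying this key's blob (rotation: add the new key, confirm
# you can log in with it, then remove the old one).
ak_remove() {
    file=$1; tmp="$1.tmp.$$"
    # grep -v exits 1 when no lines remain, which is not an error here
    grep -F -v -- "$(ak_blob "$2")" "$file" > "$tmp" || [ $? -eq 1 ]
    chmod 600 "$tmp" && mv "$tmp" "$file"
}

# Number of key lines in the file.
ak_count() { wc -l < "$1" | tr -d ' '; }

# Walk-through in a scratch directory standing in for ~/.ssh on the server.
ak_demo() {
    scratch=$(mktemp -d); ak="$scratch/.ssh/authorized_keys"
    ak_add "$ak" "$OLD_KEY"
    ak_add "$ak" "$NEW_KEY" 'restrict,from="192.168.1.0/24"'
    ak_add "$ak" "$NEW_KEY"             # second add is a no-op
    ak_remove "$ak" "$OLD_KEY"
    echo "keys left: $(ak_count "$ak")"; cat "$ak"
    rm -rf "$scratch"
}

ak_demo
```

The optional third argument of ak_add prepends authorized_keys options such as restrict or from="...", which is how you limit what a key may do when an automation or shared key cannot be avoided. Reuse ak_add and ak_remove against a real ~/.ssh/authorized_keys on the server; never edit the file from a session authenticated by the key you are about to remove without a second session open.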
Simplify Connections with SSH Config
If you connect to multiple servers regularly, create an SSH config file at ~/.ssh/config to define shortcuts:
Host myserver
HostName 192.168.1.100
User john
IdentityFile ~/.ssh/id_ed25519
Now you can connect with just ssh myserver instead of typing the full address and options each time. You can also set per-host options like port numbers, proxy jumps, and forwarding rules.
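One rule of ~/.ssh/config is worth internalising: for each option the first value obtained wins, so a Host * block of defaults must come after the specific entries or it silently overrides them. The following is an added example, not part of the original post or of OpenSSH: a small POSIX shell resolver that applies that rule to a constructed config (the host names, users and addresses in it are placeholders). On a real machine, ssh -G myserver shows the same thing, the effective options for a host, without connecting.

```shell
#!/bin/sh
# Added example, not code from the original post: resolve the option ssh would
# use for a host from a client config text. It implements the rule that trips
# people up: for each option the FIRST value obtained wins, so a "Host *"
# block with defaults must come LAST or it overrides every specific entry.
# On a real machine, `ssh -G myserver` prints the effective options without
# connecting. Both config texts below are constructed for the demo.

GOOD_CONFIG='
Host myserver
    HostName 192.168.1.100
    User john
    IdentityFile ~/.ssh/id_ed25519
    Port 2222

Host bastion
    HostName bastion.example.internal
    User jump

# glob pattern: db-prod, db-staging, ...
Host db-*
    ProxyJump bastion
    LocalForward 5432 localhost:5432

# defaults, deliberately last
Host *
    User deploy
    IdentitiesOnly yes
    ServerAliveInterval 30
'

# Same options, but with the defaults block first: "User john" is never used.
BAD_CONFIG='
Host *
    User deploy
Host myserver
    HostName 192.168.1.100
    User john
'

# Does HOST match a Host line's pattern list? Patterns are shell globs
# separated by spaces; "!pattern" negates and makes the whole line fail.
host_matches() {
    host=$1; shift; hit=1
    for pat in "$@"; do
        case "$pat" in
            '!'*) case "$host" in ${pat#!}) return 1 ;; esac ;;
            *)    case "$host" in $pat) hit=0 ;; esac ;;
        esac
    done
    return $hit
}

# Print the value for OPTION when connecting to HOST, or nothing (status 1)
# if the config never sets it. Only the "Keyword value" form is handled, and
# Match blocks are not. $1 = config text, $2 = host, $3 = option name.
ssh_config_get() {
    host=$2; want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | {
        set -f                          # no pathname expansion of patterns
        in_scope=1                      # lines before any Host apply to all
        while IFS= read -r line; do
            line=$(printf '%s' "$line" | sed 's/#.*$//; s/^[[:space:]]*//; s/[[:space:]]*$//')
            [ -z "$line" ] && continue
            key=$(printf '%s\n' "$line" | awk '{print tolower($1)}')
            value=$(printf '%s\n' "$line" | awk '{$1=""; sub(/^ /, ""); print}')
            if [ "$key" = host ]; then
                if host_matches "$host" $value; then in_scope=1; else in_scope=0; fi
                continue
            fi
            if [ "$in_scope" = 1 ] && [ "$key" = "$want" ]; then
                printf '%s\n' "$value"; exit 0   # first value obtained wins
            fi
        done
        exit 1
    }
}

echo "good config, myserver User: $(ssh_config_get "$GOOD_CONFIG" myserver User)"
echo "good config, db-prod  User: $(ssh_config_get "$GOOD_CONFIG" db-prod User)"
echo "bad config,  myserver User: $(ssh_config_get "$BAD_CONFIG" myserver User)"
```

The third line of output is the point: with the defaults block first, myserver gets User deploy even though a later block names john, and ssh will not warn you. The real client applies the same rule across ~/.ssh/config, any Include files, and /etc/ssh/ssh_config, in that order.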
Additional Hardening
- Change the default port: Security through obscurity alone is insufficient, but moving SSH from port 22 to a non-standard port reduces automated scanning noise. Edit /etc/ssh/sshd_config and set Port 2222 (or another unused port), and update your firewall rules before restarting sshd. If you can, prefer a port below 1024: unprivileged local users cannot bind those, so if sshd ever dies nothing else can squat on its port.
- Disable root login: Prevent direct root login over SSH with PermitRootLogin no in /etc/ssh/sshd_config. The default in recent OpenSSH is prohibit-password, which still lets root in with a key; that is convenient for automation but means a leaked key is a root key.
- Use Fail2Ban: Install fail2ban to automatically block IP addresses that show repeated failed login attempts, which helps defend against brute-force attacks. Pair it with a low MaxAuthTries and the key-only policy above; fail2ban reduces noise, it is not a substitute for strong authentication.
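The sshd_config settings recommended in the Security and Additional Hardening lists (PasswordAuthentication, PermitRootLogin, Port) are easy to set and easy to get wrong, because sshd takes the first value it reads for each keyword and falls back to compiled-in defaults for anything absent. The script below is an added example, not part of the original post or of OpenSSH: it audits a constructed sshd_config text against those recommendations and also checks KbdInteractiveAuthentication, which with PAM can keep password prompts alive even when PasswordAuthentication is no. Both configs in it are constructed. On a real host, sshd -T prints the effective configuration (Include files resolved) and sshd -t checks the syntax before you restart.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an sshd_config text
# for the settings discussed above, honouring sshd's rule that for each
# keyword the FIRST value in the file wins. A "PasswordAuthentication no"
# appended after an earlier "yes" therefore changes nothing, which is exactly
# what WEAK_CONFIG shows. Directives inside Match blocks only apply to the
# connections they match, so the global scan stops at the first Match line.
# Both configs are constructed. On a real host the authoritative check is
# `sshd -T` (effective values, Include files resolved); run `sshd -t` to
# validate the syntax before restarting the service.

WEAK_CONFIG='
Port 22
PasswordAuthentication yes
PermitRootLogin yes
# appended later by an admin who expected it to take effect:
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
'

HARDENED_CONFIG='
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
MaxAuthTries 3
'

# Print the effective global value of a keyword (case-insensitive), or nothing
# if the file never sets it, in which case sshd uses its compiled-in default.
sshd_global() {
    printf '%s\n' "$1" | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                       # strip comments
        NF == 0 { next }                         # skip blank lines
        tolower($1) == "match" { exit }          # conditional block: out of scope
        tolower($1) == want { print $2; exit }   # first occurrence wins
    '
}

# Report each global setting that falls short of the recommendations above.
# Prints one line per finding and returns the number of findings (0 = clean).
sshd_audit() {
    cfg=$1; findings=0
    v=$(sshd_global "$cfg" PasswordAuthentication)
    if [ "${v:-yes}" != no ]; then                       # default: yes
        echo "PasswordAuthentication=${v:-unset(yes)}: want no"
        findings=$((findings + 1))
    fi
    # With UsePAM, keyboard-interactive can still ask for the Unix password.
    v=$(sshd_global "$cfg" KbdInteractiveAuthentication)
    [ -n "$v" ] || v=$(sshd_global "$cfg" ChallengeResponseAuthentication)
    if [ "${v:-yes}" != no ]; then                       # default: yes
        echo "KbdInteractiveAuthentication=${v:-unset(yes)}: want no"
        findings=$((findings + 1))
    fi
    v=$(sshd_global "$cfg" PermitRootLogin)
    case "${v:-prohibit-password}" in                    # default: prohibit-password
        no|prohibit-password) ;;
        *) echo "PermitRootLogin=$v: want no or prohibit-password"
           findings=$((findings + 1)) ;;
    esac
    v=$(sshd_global "$cfg" PubkeyAuthentication)
    if [ "${v:-yes}" = no ]; then                        # default: yes
        echo "PubkeyAuthentication=no: key-based login is disabled"
        findings=$((findings + 1))
    fi
    v=$(sshd_global "$cfg" Port)
    if [ "${v:-22}" = 22 ]; then                         # default: 22
        echo "Port=22: default port, consider moving it (noise reduction only)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

echo "== weak =="; sshd_audit "$WEAK_CONFIG" || echo "findings: $?"
echo "== hardened =="; sshd_audit "$HARDENED_CONFIG" && echo "findings: 0"
```

Point it at a real file with sshd_audit "$(cat /etc/ssh/sshd_config)", but remember the caveat in the lead-in: distributions that ship an Include /etc/ssh/sshd_config.d/*.conf line at the top of the file make those drop-in files win over anything below, and only sshd -T sees the merged result.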
SSH Tunneling and Port Forwarding
SSH can forward (tunnel) network traffic through its encrypted connection, allowing you to securely reach services that are not otherwise directly reachable. There are three types of port forwarding. Keep in mind which side resolves the destination: for -L and -D it is the SSH server, so localhost in a -L rule means the server itself; for -R it is your own machine. Add -N if you only want the tunnel and no remote shell.
Local Port Forwarding (-L)
Local port forwarding redirects traffic from a port on your local machine to a remote host through the SSH server. This is useful for securely accessing remote services (such as databases or web applications) as if they were running locally:
ssh -L 8080:localhost:80 username@remote_server_ip
This command forwards local port 8080 to port 80 on the remote server. You can then access the remote web server at http://localhost:8080. The listening port binds to 127.0.0.1 only, so other machines cannot use your tunnel unless you ask for that explicitly.
Remote Port Forwarding (-R)
Remote port forwarding does the reverse: it makes a service running on your local machine accessible from the remote server:
ssh -R 9000:localhost:3000 username@remote_server_ip
This makes your local application (running on port 3000) reachable on port 9000 of the remote server. By default that port is bound to the server's loopback interface, so only processes on the server can use it; to expose it to other hosts (for example to publish a local development server through a public VPS), the server's sshd_config needs GatewayPorts yes (or clientspecified), and you should then think about who on the internet gets a path into your machine.
Dynamic Port Forwarding (-D)
Dynamic port forwarding creates a SOCKS proxy that routes traffic through the SSH server. This is useful for secure web browsing on untrusted networks:
ssh -D 1080 username@remote_server_ip
After connecting, configure your browser or application to use localhost:1080 as a SOCKS5 proxy, and enable its remote-DNS option (in Firefox, "Proxy DNS when using SOCKS v5") so name lookups go through the tunnel instead of leaking to the local network. All traffic from that application, not all traffic on the machine, is then routed through the encrypted SSH tunnel.
Example Usage
Remote Command Execution
Suppose you want to check the disk usage on a remote server. Instead of logging in, you can execute the command directly:
ssh username@remote_server_ip "df -h"
This runs df -h (which shows disk usage in a human-readable format) on the remote server and displays the output on your local machine.
SFTP for Interactive File Transfer
SFTP (SSH File Transfer Protocol) provides an interactive way to transfer files. To start an SFTP session:
sftp username@remote_server_ip
Once in the SFTP session, you can use commands like ls (list files on the remote server), lcd (change the local directory), cd (change the remote directory), get (download a file from remote to local), and put (upload a file from local to remote).
References
- OpenSSH Manual Pages — Official documentation for ssh, sshd, ssh-keygen, and related tools.
- SSH Academy — ssh.com — Comprehensive resource on the SSH protocol, key management, and tunneling.
- SSH Port Forwarding Explained — DigitalOcean — Detailed guide on local, remote, and dynamic port forwarding.
- "SSH: The Secure Shell: The Definitive Guide" by Daniel J. Barrett, Richard E. Silverman, and Robert G. Byrnes (O'Reilly, 2005) — A thorough reference for SSH concepts, though some details reflect older OpenSSH versions.
This blog has provided a comprehensive overview of SSH, from its basic concepts to practical usage and best practices. By following these guidelines, you can ensure secure system administration and file transfers in your network environment.