What is SSH and how does it work?
What is SSH?
SSH (Secure Shell) is a protocol. You may have heard of other protocols like HTTP, HTTPS, FTP. These are ways to connect two computers and have a shared agreement on how to communicate. SSH is a protocol that allows us to communicate between two computers over the internet (share files, control, or modify remote computers). It is a secure way of communication which encrypts all data. It’s a protocol to use over the shell that’s why its called a secure shell.
How to use SSH?
To connect to another computer or server via the internet, we need to run this simple command
ssh {user}@{host}
where the {host} is the IP address of a computer that we want to connect, the {user} represents the account that we want to access.
Let’s say I have a server (with IP address 70.74. 251.42) somewhere on the internet. I can run this command from my computer terminal to connect to that server.
ssh root@70.74. 251.42
And now I’m inside of that server. I can access anything I want. Using SSH we can connect to any computer or server anywhere in the world.
But how does it work?
There are three techniques used in SSH
- Symmetrical encryption
- Asymmetrical encryption
- Hashing
1. Symmetrical encryption
Encryption is a way to jumble up a piece of text into something impossible to read without decrypting it. Symmetric encryption uses one secret key for both encryption and decryption. Let’s say I want to share my ‘super-important-password’ with the other computer. Using symmetrical encryption, I can have a key that turns this ‘super-important-password’ into a piece of gibberish like this kWer4BKbcMWhuHT6+N5I1YQ83uvJ1PHuuofiNYDzA60. And as long as the other computer has this same key it can use the key to decrypt kWer4BKbcMWhuHT6+N5I1YQ83uvJ1PHuuofiNYDzA60 and get super-important-password. And whoever is in the middle of our connection won’t be able to understand this hash because they don’t have the key.
But there is a problem. Anyone that has this key can decrypt the information that I’m sending to my server. A secure way to exchange these keys without anyone intercepting it is a key exchange algorithm. The key is never actually transmitted between the two computers. Instead, the two computers share public pieces of data and then manipulate it to independently calculate the secret key. So without the 3rd person having this key exchange algorithm, they won’t be able to find out what our key is.
2. Asymmetrical encryption
Asymmetrical encryption uses two separate keys for encryption and decryption. Let’s say we have two computers communicating via SSH. Each computer has it’s own public key and private key, which are linked together in terms of functionality and together these keys form a public-private key pair. We can share the public key anywhere we want, but the private keys are our absolute secrets that we should never share with anybody.
A message that is encrypted by a computer’s public key can only be decrypted by the same computer’s private key, it’s a one-way relationship.
If we want to share some information from computer A to computer B we need to have computer B’s public key so that we can encrypt that information with B computers public key. Now the B computer can use his private key to decrypt it and get the information that we sent.
This form of encryption (Asymmetrical encryption) is only used during the key exchange algorithm of Symmetrical encryption. Before we initiate a secure connection both parties (A and B computers in this case) generate temporary public and private keys and share the public keys to one another. After that, we can share information between those computers.
3. Hashing
Since asymmetrical encryption is time-consuming most of the SSH connections use symmetrical encryption. Asymmetrical encryption is used only to share a public key and then finally using that key for the communication so it’s fast.
Once a secure session communication has been established the server uses the client’s public key, generates a challenge, and transmits to the client for authentication. If the client can successfully decrypt the message it means that it holds the private key required for the connection then the SSH session finally begins.
Hashing is another form of cryptography used in SSH connections. Hash functions never meant to decrypt anything, unlike symmetrical and asymmetrical encryption. They just generate a unique value of a fixed length for each input that it gets. And it can’t be decrypted.
Using a hash function each message that is transmitted must contain something called MAC which is a hash generated from the symmetric key. We as a client give a hash function some input that contains our symmetric key and a message. Then we send this hashed data to the server. Now the server can use their own symmetric key and the message (because they got it from the client via SSH connection) to generate a hash from this input. And once it matches what the clients hash was that means both have the same symmetric key.
Generating SSH keys
Once we type ssh {user}@{host} we have already established an SSH connection with the server and both the server and the client have the symmetric key generated. Now it’s encrypted and we can safely send our password to the server. But it’s still not recommended to use passwords for secure connections.
A better alternative is to generate public and private keys on our computer for our server. The way we do that is by using this command
ssh-keygen -C “your-email@gmail.com”
Now you should be asked where you want to save your file save it inside of the .ssh folder. After this enter a passphrase for more security. And now you should have your keys generated inside of .ssh folder
You can now copy your public key and share it with your server by running
pbcopy < ~/.shh/id_rsa_server.pub
Let’s go to our server root@70.74. 251.42 and do the same thing on the server. make directory .ssh mkdir .ssh․ And now we can add text inside of .ssh/authorized_keys and paste our public key that we just generated on our computer using nano authorized_key.
We can end the session now. In case you have multiple keys in your .ssh folder you need to set the specific one you’re going to use with that server with this command
ssh-add ~/.ssh/your_id_rsa_server
Finally, we can SSH again into our server. And we just got SSH-ed into our server without a password.
