SSH client

Introduction

The client of OpenSSH is the binary program ssh. Its location on Linux/Unix systems is /usr/local/bin/ssh, and on Windows systems is \Program Files\OpenSSH\bin\ssh.exe.

Linux systems generally come with ssh; if not, you need to install it.

# Ubuntu and Debian
$ sudo apt install openssh-client

# CentOS and Fedora
$ sudo dnf install openssh-clients

After installation, you can use the -V parameter to output the version number to check whether the installation is successful.

$ ssh -V

Basic usage

The most common use of ssh is to log in to a server, which requires that the server has SSH server software installed and running.

The ssh login server command is as follows.

$ ssh hostname

In the above command, hostname is the host name, which can be a domain name, an IP address or a host name inside the LAN. If the user name is not specified, the current user name of the client will be used as the login user name of the remote server. If you want to specify a user name, you can use the following syntax.

$ ssh user@hostname

In the above command, the user name and host name are written together, separated by @.

The user name can also be specified using the -l parameter of ssh. In this case, the user name and host name do not have to be written together.

$ ssh -l username host

ssh connects to port 22 of the server by default, and the -p parameter can specify other ports.

$ ssh -p 8821 foo.com

The above command connects to port 8821 of the server foo.com.

Connection process

When ssh connects to a remote server, it first goes through a verification step to check whether the remote server is a known host or an unfamiliar address.

When connecting to a server for the first time, the command line displays a message saying that the host is not recognized and asking the user to confirm whether to connect.

The authenticity of host 'foo.com (192.168.121.111)' can't be established.
ECDSA key fingerprint is SHA256:Vybt22mVXuNuB5unE++yowF7lgA/9/2bLSiO3qmYWBY.
Are you sure you want to continue connecting (yes/no)?

The above text tells the user that the fingerprint of the server foo.com is unfamiliar, and allows the user to choose whether to continue the connection (enter yes or no).

The so-called "server fingerprint" refers to the hash value of the public key of the SSH server. Each SSH server has a unique pair of keys, which are used to communicate with the client, and the hash value of the public key can be used to identify the server.

The following command can view the fingerprint of a certain public key.

$ ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub
256 da:24:43:0b:2e:c1:3f:a1:84:13:92:01:52:b4:84:ff   (ECDSA)

In the above example, the ssh-keygen -l -f command will output the fingerprint of the public key /etc/ssh/ssh_host_ecdsa_key.pub.

ssh stores the public key fingerprints of all servers this machine has connected to in the local file ~/.ssh/known_hosts. Each time you connect to a server, ssh uses this file to determine whether the host is unfamiliar (that is, its public key is unknown).

After the above prompt, entering yes stores the fingerprint of the current server in the local ~/.ssh/known_hosts file and displays the following message. On later connections the warning no longer appears.

Warning: Permanently added 'foo.com (192.168.121.111)' (RSA) to the list of known hosts

The client then establishes the connection with the server, and ssh asks for the password of the login account. Once the password is entered and verified, you are logged in to the shell of the remote server.

Server key change

Server fingerprints prevent someone from maliciously impersonating the remote host. If the server's key changes (for example, because the SSH server was reinstalled), the public key fingerprint will no longer match when the client connects again. The client then terminates the connection and displays a warning message.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
77:a5:69:81:9b:eb:40:76:7b:13:04:a9:6c:f4:9c:5d.
Please contact your system administrator.
Add correct host key in /home/me/.ssh/known_hosts to get rid of this message.
Offending key in /home/me/.ssh/known_hosts:36

The above text means that the host's public key fingerprint is not the same as the one stored in the ~/.ssh/known_hosts file, and this must be resolved before the connection can proceed. You need to determine what caused the public key fingerprint to change: malicious hijacking, or the administrator replacing the SSH server's public key.

If the new public key is confirmed to be trustworthy and you need to continue the connection, you can execute the following command to delete the original public key fingerprint from the ~/.ssh/known_hosts file.

$ ssh-keygen -R hostname

In the above command, hostname is the name of the host whose public key has been changed.

In addition to using the above command, you can also manually modify the known_hosts file to delete the public key fingerprint.

After deleting the original public key fingerprint, re-execute the ssh command to connect to the remote server, add the new fingerprint to the known_hosts file, and you can successfully connect.
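The check described in this section (hashing the host key into a fingerprint, looking the host up in ~/.ssh/known_hosts, and ending in one of three states: unknown host, matching key, or changed key) can be reproduced in a short script. The following Python code is an added example written for this page, not part of OpenSSH. The key blobs, the salt and the known_hosts lines in it are constructed sample data, not real keys; the hashed-entry format ("|1|salt|hash", HMAC-SHA1 keyed with the salt, as written by the HashKnownHosts option) and the SHA256 fingerprint format are the real ones. The decide() function applies the yes / no / ask behaviour of the StrictHostKeyChecking option listed in the configuration section of this page.

```python
import base64
import fnmatch
import hashlib
import hmac

# --- Constructed sample data (NOT real keys) --------------------------------
# A known_hosts line holds the full public key, base64-encoded. These blobs are
# made-up bytes constructed only so that hashing them works.
KEY_A = base64.b64encode(b"\x00\x00\x00\x13ecdsa-sha2-nistp256" + b"\x01" * 40).decode()
KEY_B = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + b"\x02" * 32).decode()
SALT = b"\x03" * 20  # constructed salt for a hashed (HashKnownHosts) entry


def hashed_host_field(host, salt):
    """Build the '|1|salt|hash' host field that HashKnownHosts writes (HMAC-SHA1 keyed with the salt)."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


KNOWN_HOSTS = "\n".join([
    "# constructed sample ~/.ssh/known_hosts",
    "foo.com,192.168.121.111 ecdsa-sha2-nistp256 " + KEY_A,
    "*.example.org,!bad.example.org ssh-rsa " + KEY_B,
    hashed_host_field("hashed.example.com", SALT) + " ssh-ed25519 " + KEY_B,
])


def fingerprint(key_b64):
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(key blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_matches(field, host):
    """Does a known_hosts host field (comma-separated patterns or a hashed entry) cover host?"""
    matched = False
    for pattern in field.split(","):
        if pattern.startswith("|1|"):
            _, _, salt_b64, hash_b64 = pattern.split("|")
            salt = base64.b64decode(salt_b64)
            expected = base64.b64decode(hash_b64)
            if hmac.compare_digest(hmac.new(salt, host.encode(), hashlib.sha1).digest(), expected):
                matched = True
        elif pattern.startswith("!"):
            if fnmatch.fnmatchcase(host, pattern[1:]):
                return False  # a negated pattern excludes the host from this line
        elif fnmatch.fnmatchcase(host, pattern):
            matched = True
    return matched


def parse_known_hosts(text):
    """Yield (host_field, key_type, key_b64) per key line; comments and '@' marker lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#") or parts[0].startswith("@"):
            continue
        yield parts[0], parts[1], parts[2]


def check_host_key(known_hosts, host, key_type, key_b64):
    """Return 'match', 'changed' (same host and key type, different key) or 'new' (no entry)."""
    presented = base64.b64decode(key_b64)
    status = "new"
    for host_field, k_type, k_b64 in parse_known_hosts(known_hosts):
        if k_type != key_type or not host_matches(host_field, host):
            continue
        if base64.b64decode(k_b64) == presented:
            return "match"
        status = "changed"
    return status


def decide(status, strict_host_key_checking="ask"):
    """Apply the StrictHostKeyChecking policy (yes / no / ask) to the result of the check."""
    if status == "match":
        return "connect"
    if strict_host_key_checking == "yes":
        return "refuse"
    if strict_host_key_checking == "no":
        return "add-and-connect" if status == "new" else "connect-with-warning"
    # 'ask' (the default): unknown host -> prompt the user; changed key -> refuse
    return "ask" if status == "new" else "refuse"


if __name__ == "__main__":
    for host, k_type, key in [("foo.com", "ecdsa-sha2-nistp256", KEY_A),
                              ("foo.com", "ecdsa-sha2-nistp256", KEY_B),
                              ("hashed.example.com", "ssh-ed25519", KEY_B),
                              ("new.example.net", "ssh-ed25519", KEY_B)]:
        status = check_host_key(KNOWN_HOSTS, host, k_type, key)
        print(host, fingerprint(key), status, "->", decide(status))
```

The second sample connection (foo.com presenting KEY_B) is the situation behind the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning: the host is known, the key type is the same, but the key is different, so the default policy refuses the connection until the stale entry is removed with ssh-keygen -R.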

Execute remote commands

After a successful SSH login, the user enters the command line environment of the remote host, and the prompt shown is that of the remote host. You can now type the commands you want to execute on the remote host.

Another way to execute remote commands is to write the command directly after the ssh command.

$ ssh username@hostname command

The above command will cause SSH to execute the command command on the remote host immediately after a successful login.

Below is an example.

$ ssh foo@server.example.com cat /etc/hosts

The above command will execute the command cat /etc/hosts remotely immediately after the login is successful.

When using this syntax to execute commands, the ssh client does not provide an interactive Shell environment, but directly outputs the execution results of remote commands on the command line. However, some commands require an interactive Shell environment, in which case the -t parameter should be used.

# Error
$ ssh remote.server.com emacs
emacs: standard input is not a tty

# No error
$ ssh -t server.example.com emacs

In the above code, the emacs command requires an interactive shell, so an error is reported. Only when the -t parameter is added does ssh allocate an interactive shell.

Encryption parameters

During the handshake phase of an SSH connection, the client must agree with the server on an encryption parameter set (cipher suite).

The encryption parameter set contains several different encryption parameters, which are connected by underscores. The following is an example.

TLS_RSA_WITH_AES_128_CBC_SHA

Its meaning is as follows.

  • TLS: Encrypted communication protocol
  • RSA: key exchange algorithm
  • AES: encryption algorithm
  • 128: The strength of the encryption algorithm
  • CBC: Mode of encryption algorithm
  • SHA: Hash function for digital signature

The following is an example of a handshake message sent by the client to the server.

Handshake protocol: ClientHello
    Version: TLS 1.2
    Random
        Client time: May 22, 2030 02:43:46 GMT
        Random bytes: b76b0e61829557eb4c611adfd2d36eb232dc1332fe29802e321ee871
    Session ID: (empty)
    Cipher Suites
        Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
        Suite: TLS_RSA_WITH_AES_128_GCM_SHA256
        Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        Suite: TLS_RSA_WITH_AES_128_CBC_SHA
        Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA
        Suite: TLS_RSA_WITH_RC4_128_SHA
    Compression methods
        Method: null
    Extensions
        Extension: server_name
            Hostname: www.feistyduck.com
        Extension: renegotiation_info
        Extension: elliptic_curves
            Named curve: secp256r1
            Named curve: secp384r1
        Extension: signature_algorithms
            Algorithm: sha1/rsa
            Algorithm: sha256/rsa
            Algorithm: sha1/ecdsa
            Algorithm: sha256/ecdsa

In the above handshake message (ClientHello), the Cipher Suites field lists the cipher suites the client is willing to use, and the server selects one of them that it also supports.

After making its selection, the server sends a response to the client.

Handshake protocol: ServerHello
    Version: TLS 1.2
    Random
        Server time: Mar 10, 2059 02:35:57 GMT
        Random bytes: 8469b09b480c1978182ce1b59290487609f41132312ca22aacaf5012
    Session ID: 4cae75c91cf5adf55f93c9fb5dd36d19903b1182029af3d527b7a42ef1c32c80
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    Compression method: null
    Extensions
        Extension: server_name
        Extension: renegotiation_info

In the above response message (ServerHello), the Cipher Suite field is the encryption parameter finally selected by the server.
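To make the structure of these names and the selection step concrete, the following Python script parses cipher suite names into the fields listed above, flags well-known weak choices, and reproduces the ClientHello / ServerHello selection. It is an added example written for this page, not code from any TLS or SSH implementation. The client list is taken from the ClientHello shown above; the server's preference list is an assumption (the page does not show it) chosen so that the result matches the ServerHello above.

```python
import re

# Suites offered in the ClientHello shown above.
CLIENT_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]
# Assumed server preference list (constructed; not shown on the page), most preferred first.
SERVER_SUPPORTED = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

# <protocol>_<key exchange[_authentication]>_WITH_<cipher[_strength][_mode]>_<hash>
SUITE_RE = re.compile(r"^(?P<proto>TLS|SSL)_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<hash>SHA\d*|MD5|NULL)$")
MODES = {"CBC", "GCM", "CCM"}


def parse_suite(name):
    """Split a suite name into its fields; returns None if the name does not follow the pattern."""
    m = SUITE_RE.match(name)
    if not m:
        return None
    kx_parts = m.group("kx").split("_")
    cipher_parts = m.group("cipher").split("_")
    strength = next((int(p) for p in cipher_parts if p.isdigit()), None)
    mode = cipher_parts[-1] if cipher_parts[-1] in MODES else "stream"
    key_exchange = kx_parts[0]
    return {
        "protocol": m.group("proto"),
        "key_exchange": key_exchange,
        "authentication": kx_parts[-1],  # equals key_exchange for plain RSA suites
        "cipher": cipher_parts[0],
        "strength": strength,
        "mode": mode,
        "hash": m.group("hash"),
        "forward_secrecy": key_exchange in {"ECDHE", "DHE"},
    }


def weaknesses(name):
    """Well-known problems of a suite, from the defender's side."""
    s = parse_suite(name)
    if s is None:
        return ["unrecognised suite name"]
    problems = []
    if s["cipher"] == "RC4":
        problems.append("RC4 is prohibited for TLS (RFC 7465)")
    if s["cipher"] == "3DES":
        problems.append("3DES has a 64-bit block size")
    if s["hash"] in {"MD5", "NULL"}:
        problems.append("weak or absent MAC hash (%s)" % s["hash"])
    if not s["forward_secrecy"]:
        problems.append("no forward secrecy (%s key exchange)" % s["key_exchange"])
    return problems


def negotiate(client_offer, server_supported, server_preference=True):
    """Pick a suite both sides support; by default the server's order decides."""
    first, second = (server_supported, client_offer) if server_preference else (client_offer, server_supported)
    for suite in first:
        if suite in second:
            return suite
    return None  # no common suite: the handshake fails


if __name__ == "__main__":
    print("ServerHello would carry:", negotiate(CLIENT_OFFER, SERVER_SUPPORTED))
    for suite in CLIENT_OFFER:
        print(suite, parse_suite(suite), weaknesses(suite))
```

With the assumed server list the selected suite is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, the same one the ServerHello above carries; the last two suites in the client's list would be flagged by weaknesses() if a server ever chose them.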

ssh command line configuration items

The ssh command has many options that modify its default behavior.

-c

The -c parameter specifies the encryption algorithm.

$ ssh -c blowfish,3des server.example.com
# Or
$ ssh -c blowfish -c 3des server.example.com

The above command specifies the encryption algorithm blowfish or 3des.

-C

The -C parameter indicates compressed data transmission.

$ ssh -C server.example.com

-D

The -D parameter specifies the Socks listening port of the machine. All requests received on this port will be forwarded to the remote SSH host, also known as dynamic port forwarding. For details, please refer to the "Port Forwarding" chapter.

$ ssh -D 1080 server

The above command forwards all requests received on port 1080 of this machine to the server server.

-f

The -f parameter indicates that the SSH connection is running in the background.

-F

The -F parameter specifies the configuration file.

$ ssh -F /usr/local/ssh/other_config

The above command specifies the use of the configuration file other_config.

-i

The -i parameter is used to specify the private key, meaning "identity_file", and the default value is ~/.ssh/id_dsa. Note that the corresponding public key must be stored on the server, see the chapter "Key Login" for details.

$ ssh -i my-key server.example.com

-l

The -l parameter specifies the account name for remote login.

$ ssh -l sally server.example.com
# Equivalent to
$ ssh sally@server.example.com

-L

The -L parameter sets local port forwarding, see the chapter "Port Forwarding" for details.

$ ssh  -L 9999:targetServer:80 user@remoteserver

In the above command, all requests sent to the local 9999 port will be sent to the targetServer's port 80 through the remoteserver, which is equivalent to directly connecting to the targetServer's port 80.

-m

The -m parameter specifies the algorithm for verifying data integrity (message authentication code, MAC for short).

$ ssh -m hmac-sha1,hmac-md5 server.example.com

The above command specifies the data verification algorithm as hmac-sha1 or hmac-md5.

-N

The -N parameter is used for port forwarding: it means that the SSH connection is established only for port forwarding and cannot execute remote commands, which improves security. For details, see the chapter "Port Forwarding".

-o

The -o parameter is used to specify a configuration command.

$ ssh -o "Keyword Value"

For example, the configuration file has the following content.

User sally
Port 220

Through the -o parameter, the above two configuration commands can be passed in from the command line.

$ ssh -o "User sally" -o "Port 220" server.example.com

When using the equal sign, the configuration command does not need to be written in quotation marks, but there must be no spaces on either side of the equal sign.

$ ssh -o User=sally -o Port=220 server.example.com

-p

The -p parameter specifies the server port that the SSH client connects to.

$ ssh -p 2035 server.example.com

The above command connects to port 2035 of the server.

-q

The -q parameter indicates quiet mode, without outputting any warning messages to the user.

$ ssh -q foo.com
root's password:

The above command uses the -q parameter and only outputs the prompt that requires the user to enter the password.

-R

The -R parameter specifies remote port forwarding, see the chapter "Port Forwarding" for details.

$ ssh -R 9999:targetServer:902 local

The above command must be executed on the springboard (jump) server. It tells the local computer local to listen on its own port 9999; all requests sent to that port will be redirected to port 902 of targetServer.

-t

The -t parameter provides an interactive shell when ssh runs remote commands directly.

$ ssh -t server.example.com emacs

-v

The -v parameter displays detailed information.

$ ssh -v server.example.com

-v can be repeated multiple times to indicate the level of detail of the information, such as -vv and -vvv.

$ ssh -vvv server.example.com
# Or
$ ssh -v -v -v server.example.com

The above command will output the most detailed connection information.

-V

The -V parameter outputs the version of the ssh client.

$ ssh -V
ssh: SSH Secure Shell 3.2.3 (non-commercial version) on i686-pc-linux-gnu

The above command shows that the local ssh client version is SSH Secure Shell 3.2.3.

-X

The -X parameter enables X Window (X11) forwarding.

$ ssh -X server.example.com

-1,-2

The -1 parameter specifies the SSH 1 protocol to be used.

The -2 parameter specifies the use of SSH 2 protocol.

$ ssh -2 server.example.com

-4,-6

-4 specifies the use of IPv4 protocol, which is the default value.

$ ssh -4 server.example.com

-6 specifies the use of IPv6 protocol.

$ ssh -6 server.example.com

Client configuration file

Location

The global configuration file of the SSH client is /etc/ssh/ssh_config, and the user's personal configuration file is in ~/.ssh/config, which has a higher priority than the global configuration file.

In addition to configuration files, the ~/.ssh directory also contains some personal key files and other files. Below are some of the common files.

  • ~/.ssh/id_ecdsa: the user's ECDSA private key.
  • ~/.ssh/id_ecdsa.pub: the user's ECDSA public key.
  • ~/.ssh/id_rsa: RSA private key for SSH protocol version 2.
  • ~/.ssh/id_rsa.pub: RSA public key for SSH protocol version 2.
  • ~/.ssh/identity: RSA private key used for SSH protocol version 1.
  • ~/.ssh/identity.pub: RSA public key used for SSH protocol version 1.
  • ~/.ssh/known_hosts: contains the public key fingerprints of SSH servers.

Host Settings

The user's personal configuration file ~/.ssh/config can list the respective connection parameters according to different servers, so that there is no need to enter repeated parameters every time you log in. Below is an example.

Host *
     Port 2222

Host remoteserver
     HostName remote.example.com
     User neo
     Port 2112

In the above code, Host * means that the settings apply to all hosts, and the following Port 2222 means that the default connection port for all hosts is 2222, so the port does not need to be specified when logging in. The indentation is not required; it is only there to make the settings for different hosts easy to tell apart visually.

The following Host remoteserver means that the following settings are only effective for the host remoteserver. remoteserver is just an alias. The specific host is specified by the HostName command. The two items User and Port represent the user name and port respectively. The Port here will override the Port setting in the Host * section above.

From then on, to log in to remote.example.com you only need to run the ssh remoteserver command, and the parameters specified in the config file are applied automatically. The following two commands are equivalent.

$ ssh remoteserver
# Equivalent to
$ ssh -p 2112 neo@remote.example.com

The value of the Host command can use wildcards. For example, Host * means a setting that applies to all hosts, and Host *.edu means a setting that applies only to hosts whose top-level domain is .edu. Their settings can be overridden by the settings of a single host.

Configuration command syntax

Each line in the ssh client configuration file is a configuration command. A space or an equal sign can be used between the configuration command and the corresponding value.

Compression yes
# Equivalent to
Compression = yes

Lines beginning with # represent comments and will be ignored. Blank lines are equivalent to comments.
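The Host matching, the "space or equal sign" syntax and the comment rule from the two sections above fit into a small resolver. The following Python script is an added example written for this page, not OpenSSH's own parser, and it supports only the features the page describes (Host blocks with wildcards and "!" negation, HostName, first-level keyword/value lines); it does not handle Match blocks or the %-tokens ssh allows in values. One caveat a practitioner should know: ssh_config(5) states that for each parameter the first obtained value is used, so host-specific blocks must come before a general Host * block. The constructed sample config below is ordered that way, and a second constructed config with the opposite order shows what happens otherwise.

```python
import fnmatch
import re

# Constructed sample ~/.ssh/config. The host-specific block comes FIRST because ssh_config(5)
# uses the first obtained value for each parameter.
SAMPLE_CONFIG = """
# constructed sample config
Host remoteserver
     HostName remote.example.com
     User neo
     Port 2112

Host *.edu
     User student
     Compression = yes

Host *
     Port 2222
"""

# Constructed: the same settings with Host * first, to show the first-value-wins rule.
REVERSED_CONFIG = """
Host *
     Port 2222

Host remoteserver
     HostName remote.example.com
     User neo
     Port 2112
"""

# keyword, then either whitespace or '=' (optionally surrounded by spaces), then the value
LINE_RE = re.compile(r"^(\w+)\s*(?:=\s*|\s)(.*?)\s*$")


def parse_config(text):
    """Return a list of (host_patterns, [(keyword, value), ...]) blocks in file order."""
    blocks = [(["*"], [])]  # settings before any Host line apply to every host
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # comments and blank lines are ignored
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("bad configuration line: %r" % raw)
        keyword, value = m.group(1).lower(), m.group(2)  # keywords are case-insensitive
        if keyword == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((keyword, value))
    return blocks


def block_applies(patterns, host):
    """Host patterns are shell-style wildcards; a leading '!' negates a pattern."""
    matched = False
    for pattern in patterns:
        for p in pattern.split(","):
            if p.startswith("!"):
                if fnmatch.fnmatchcase(host, p[1:]):
                    return False
            elif fnmatch.fnmatchcase(host, p):
                matched = True
    return matched


def resolve(text, host):
    """Effective options for host: first obtained value wins; HostName defaults to host itself."""
    options = {}
    for patterns, settings in parse_config(text):
        if not block_applies(patterns, host):
            continue
        for keyword, value in settings:
            options.setdefault(keyword, value)
    options.setdefault("hostname", host)
    return options


def equivalent_command(text, host):
    """Render the expanded 'ssh -p PORT USER@HOSTNAME' form of 'ssh host'."""
    o = resolve(text, host)
    target = o["hostname"] if "user" not in o else "%s@%s" % (o["user"], o["hostname"])
    return "ssh -p %s %s" % (o["port"], target) if "port" in o else "ssh " + target


if __name__ == "__main__":
    for h in ("remoteserver", "cs.example.edu", "plain.example.org"):
        print(h, "->", equivalent_command(SAMPLE_CONFIG, h), resolve(SAMPLE_CONFIG, h))
    print("reversed order, remoteserver ->", equivalent_command(REVERSED_CONFIG, "remoteserver"))
```

With SAMPLE_CONFIG, "ssh remoteserver" expands to the same command the page gives, ssh -p 2112 neo@remote.example.com. With REVERSED_CONFIG the Host * block is read first, so its Port 2222 is the first obtained value and the host-specific Port 2112 is ignored, which is why general defaults belong at the end of the file.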

Main configuration commands

The following are some of the main configuration commands of the ssh client and their sample values.

  • AddressFamily inet: Indicates that only IPv4 protocol is used. If it is set to inet6, it means that only IPv6 protocol is used.
  • BindAddress 192.168.10.235: Specify the IP address of the machine (if the machine has multiple IP addresses).
  • CheckHostIP yes: Check whether the IP address of the SSH server matches the public key database.
  • Ciphers blowfish,3des: Specify the encryption algorithm.
  • Compression yes: Whether to compress the transmission signal.
  • ConnectionAttempts 10: The maximum number of attempts when the client connects.
  • ConnectTimeout 60: When the client connects, if the server does not reply within the specified number of seconds, the connection attempt will be terminated.
  • DynamicForward 1080: Specify the dynamic forwarding port.
  • GlobalKnownHostsFile /users/smith/.ssh/my_global_hosts_file: Specify the location of the global public key database file.
  • Host server.example.com: Specify the domain name or IP address of the connection. It can also be an alias and supports wildcards. All configurations after the Host command are for the host until the next Host command.
  • HostKeyAlgorithms ssh-dss,ssh-rsa: Specify the key algorithm, the priority is from high to low.
  • HostName myserver.example.com: In the case of using an alias in the Host command, HostName specifies the domain name or IP address.
  • IdentityFile keyfile: Specify the private key file.
  • LocalForward 2001 localhost:143: Specify local port forwarding.
  • LogLevel QUIET: Specify the log level of detail. If set to QUIET, most warnings and prompts will not be output.
  • MACs hmac-sha1,hmac-md5: Specify the data verification algorithm.
  • NumberOfPasswordPrompts 2: The maximum number of attempts for the user to enter the wrong password when the password is logged in.
  • PasswordAuthentication no: Specify whether to support password login. Note that this only disables it on the client side; to really disable password login it must be set on the SSH server.
  • Port 2035: Specify the SSH server port that the client connects to.
  • PreferredAuthentications publickey,hostbased,password: Specify the priority of the various login methods.
  • Protocol 2: Supported SSH protocol version, multiple versions are separated by commas.
  • PubKeyAuthentication yes: Whether to support key login. This is only the client setting, and the corresponding setting is also required on the SSH server.
  • RemoteForward 2001 server:143: Specify remote port forwarding.
  • SendEnv COLOR: The environment variable name sent by the SSH client to the server. Multiple environment variables are separated by spaces. The value of the environment variable is copied from the current environment of the client.
  • ServerAliveCountMax 3: If there is no response from the server, how many times the client sends the keepalive signal before disconnecting. The default value of this item is 3.
  • ServerAliveInterval 300: After the client establishes a connection, if it receives no message from the server within the given number of seconds, the client sends a keepalive message to the server. Set this to 0 if you do not want the client to send keepalives.
  • StrictHostKeyChecking yes: yes means strict check. If the server public key is unknown or changed, the connection is refused. no means that if the server public key is unknown, it will be added to the client public key database. If the public key changes, the client public key database will not be changed, and a warning will be output and the connection is still allowed to continue. ask (default value) means to ask the user whether to continue.
  • TCPKeepAlive yes: Whether the client periodically sends keepalive information to the server.
  • User userName: Specify the account name for remote login.
  • UserKnownHostsFile /users/smith/.ssh/my_local_hosts_file: Specify the location of the current user's known_hosts file (server public key fingerprint list).
  • VerifyHostKeyDNS yes: Whether to check the DNS record of the SSH server to confirm that the public key fingerprint matches the one saved in the known_hosts file.