What is SSH, and how do I use it?
SSH stands for Secure Shell protocol, and you’ve probably come across it while navigating the world of web hosting. It secures all information while in transit over a network by encrypting it. Thanks to this security protocol, you can manage your files, transfer or modify them and execute commands directly on the server.
In this article, we will focus on what SSH means, how it works, what it’s used for, and what SSH keys are. Here, you’ll also learn how to establish an SSH connection to your server and the common commands at your disposal.
You can manage your files and folders through an SSH connection, modify their permissions, edit files directly on the server, etc.
SSH features explained
Secure Shell protocol provides various security features, and below you’ll find a list of the most notable:
- Privacy of your data – Secure Shell protects your data from disclosure by encrypting it.
- Integrity of communications – The Secure Shell protocol guarantees that information exchanged remains unaltered.
- Authentication – This protocol requires proof of identity from senders and receivers in order to establish a connection.
- Authorization – SSH also allows you to configure access control to accounts, providing users with different privileges.
- Forwarding/tunneling to encrypt TCP/IP-based sessions – Users can set up tunnels to transfer unencrypted traffic over an encrypted network channel.
What is SSH protocol used for?
Secure Shell protocol has a wide variety of uses; most often, it is used by system administrators. It is implemented by default in Unix, Linux, Windows and Mac servers. This protocol creates a secure channel between a local computer and a remote server, allowing the execution of commands, access to resources, file transfer, performance updates, etc. It is also used in various file transfer protocols, routers, server hardware management, and operating system administration.
Additionally, the Secure Shell protocol assists with identity management, access control, and process automation.
What are the different SSH authentication methods?
In general, there are two broadly used SSH authentication methods: password-based authentication and public-key (PKI) based authentication.
Password-based authentication
In this type of authentication, when a client tries to connect to a remote server, it identifies the user with a username and password. When a user types in their access credentials, the server checks whether they are present within its database. The logins are shared over an encrypted channel; if they match, the server allows the client to connect.
Although passwords are the conventional method of user identification, there is always a risk of compromise. To maintain proper password hygiene, you must set strong passwords, change them on a regular basis and keep them private.
Unfortunately, with the number of credentials that we use these days, that may be challenging for many users. This creates the ideal conditions for hackers to exploit your login information. Although passwords are encrypted while in transit between the remote computers, a brute-force attack could still crack them. Naturally, this fact makes passwords a less safe method of identification. Disclosure of your SSH credentials can allow root access to a hacker, leading to terrible consequences.
PKI authentication
Key-based authentication is the preferred method and is recommended over password-based authentication, which can be brute-forced.
PKI authentication utilizes cryptographic keys to establish a trust relationship between server and client. Key-based identification can require a passphrase (password) or can function without a passphrase on the encryption key.
To use this authentication type, you have to generate an SSH key pair. The key pair consists of a public and a private key. The public key is kept on the server, while the private key is kept on your computer.
When you connect via Secure Shell, a trust relationship between your computer and the server is established using the key pair. If one of the keys is missing or there is a discrepancy between the keys, a connection cannot be established.
The authentication method SiteGround supports is PKI authentication since it provides better security for your SSH access.
SSH Architecture and components
The SSH protocol has a layered architecture, encapsulating 3 main layers – transport, authentication and connection. In this section, we’ll review each of them and their components, so keep reading.
Transport layer
Typically, the transport layer runs over the Internet Protocol suite’s (TCP/IP) Transmission Control Protocol on the default SSH port number 22. This layer takes care of the initial encryption key exchange and authentication, verifies the integrity of the exchanged data and starts the encryption/decryption. It also compresses the transmitted data to speed up the process. Thus, it plays a major role in safe and secure information exchange between remote hosts.
At SiteGround, the default port number for SSH is 18765, deviating from the default port 22 for extra security enhancement.
During the key exchange phase, the server identifies itself to the client using a host key. If you are connecting to that server for the first time, the client will ask you whether you accept this host key. If you confirm that you want to continue, the client stores a copy of it in a known host keys file for future reference.
This way, on subsequent connections to the same server, the client only needs to verify the host key against the record it holds.
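The host key check described above can be modelled in a few lines. This is an added example, not SiteGround's or OpenSSH's own code: it is a simplified model that handles plain (unhashed, non-wildcard) known_hosts entries only, and the host name ssh.example.com and both keys are constructed placeholders. It also shows how a non-default port such as 18765 appears in the file.

```python
import base64
import hashlib
import struct


def fingerprint(key_b64):
    """SHA256 fingerprint as OpenSSH prints it: unpadded base64 of the digest."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_name(host, port=22):
    """OpenSSH records hosts on a non-default port as [host]:port."""
    return host if port == 22 else f"[{host}]:{port}"


def check_host_key(known_hosts, host, port, key_type, key_b64):
    """Return 'match', 'unknown' (first connection) or 'changed'."""
    name = known_hosts_name(host, port)
    same_type_seen = False
    for line in known_hosts.splitlines():
        fields = line.split()
        # Skip blanks, comments, @marker lines and hashed (|1|...) entries.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        if name in fields[0].split(",") and fields[1] == key_type:
            if fields[2] == key_b64:
                return "match"
            same_type_seen = True
    return "changed" if same_type_seen else "unknown"


def make_ed25519_blob(raw32):
    """Build a constructed ssh-ed25519 public key blob (not a real host key)."""
    t = b"ssh-ed25519"
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", len(raw32)) + raw32
    return base64.b64encode(blob).decode()


SAVED = make_ed25519_blob(bytes(range(32)))
OTHER = make_ed25519_blob(bytes(range(1, 33)))
# Constructed known_hosts content; ssh.example.com is a placeholder host name.
KNOWN_HOSTS = f"[ssh.example.com]:18765 ssh-ed25519 {SAVED}\n"
```

A "changed" result is the case where the client refuses to continue until the stored record is reviewed; comparing the fingerprint against one published by the host is how the first-connection prompt should be answered.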
Authentication layer
When the transport layer has set up the encryption, the client is prompted to authenticate itself using one of the supported methods. The user-authentication layer provides a suite of authentication algorithms and tends to the client’s authentication.
As mentioned above, SiteGround only allows PKI authentication and supports the following algorithms for public and private key pairs:
- DSA
- RSA
- ECDSA
- Ed25519
The default cryptographic algorithm for generating a key pair at SiteGround is RSA with a 2048-bit key, comparable to a 617-digit long password.
SSH keys
An SSH key pair consists of private and public keys used in a public SSH key authentication method. In this authentication method, a file (known as the private key) is typically held on the client’s side, and the other file (known as the public key) is stored on the server’s side. Each pair of SSH keys is unique, ensuring that only users with the correct pair are granted access.
- Public keys allow users access to a remote SSH server, and servers use them to encrypt data. Practically anyone holding the pair’s SSH public key can encrypt data, but only the user with the private key can decrypt it.
When the client sends the public key to the SSH server and the server confirms its authenticity, the server marks the key as authorized. Hence, public keys are also called authorized keys. They are stored in the authorized_keys file in the user account’s home directory.
- Private keys are also called identity keys since they are proof of the user’s identity. A user can only be properly authenticated by the server if the user has the private key corresponding to the public key. Users have to keep their private keys confidential and refrain from sharing them with others.
- A session key is generated jointly by the SSH client and the server. This symmetric key is used to encrypt the entire SSH session. Both entities use the public and private key data to generate a “shared secret” and agree on a session key based on it. It is shared by the two parties securely and is used to encrypt and decrypt the exchanged data (i.e., symmetric encryption).
This way, an eavesdropper can’t intercept the data in transit; when the session is closed, the session key is destroyed.
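The authorized_keys file and the list of supported key algorithms above lend themselves to a quick audit. The following is an added example, not SiteGround's or OpenSSH's code: it decodes each public key blob, reports the key type and RSA modulus size, and flags DSA keys and RSA keys below 2048 bits (the threshold is taken from the default mentioned above). The sample keys are constructed and are not usable key material; options containing spaces are assumed not to occur.

```python
import base64
import struct

KEY_TYPES = ("ssh-dss", "ssh-rsa", "ecdsa-sha2-", "ssh-ed25519")


def _read_string(buf, off):
    """Read one SSH wire-format string: 4-byte big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def audit_authorized_keys(text, min_rsa_bits=2048):
    """Return (comment, key_type, rsa_bits_or_None, finding) for each key line."""
    results = []
    for line in text.splitlines():
        fields = line.split()
        # The key type is the first field unless options (from="...", etc.) precede it.
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPES)), None)
        if line.lstrip().startswith("#") or idx is None or idx + 1 >= len(fields):
            continue
        key_type, comment = fields[idx], " ".join(fields[idx + 2:])
        blob = base64.b64decode(fields[idx + 1])
        inner_type, off = _read_string(blob, 0)
        bits, finding = None, "ok"
        if inner_type != key_type.encode():
            finding = "type field does not match key blob"
        elif key_type == "ssh-dss":
            finding = "DSA: disabled by default since OpenSSH 7.0"
        elif key_type == "ssh-rsa":
            _exponent, off = _read_string(blob, off)
            modulus, _ = _read_string(blob, off)
            bits = int.from_bytes(modulus, "big").bit_length()
            if bits < min_rsa_bits:
                finding = f"RSA modulus below {min_rsa_bits} bits"
        results.append((comment, key_type, bits, finding))
    return results


def _s(b):  # encode an SSH wire-format string
    return struct.pack(">I", len(b)) + b


def _rsa_line(bits, comment):
    n = (1 << (bits - 1)) | 1  # constructed modulus of the right size, not a real key
    blob = _s(b"ssh-rsa") + _s(b"\x01\x00\x01") + _s(n.to_bytes(bits // 8 + 1, "big"))
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


SAMPLE = "\n".join([  # constructed authorized_keys content
    _rsa_line(2048, "deploy@laptop"),
    _rsa_line(1024, "old@workstation"),
    "ssh-ed25519 " + base64.b64encode(_s(b"ssh-ed25519") + _s(bytes(32))).decode() + " ci@runner",
])
```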
Connection layer
When the authentication process is completed successfully, the connection to the SSH server is multiplexed into multiple logical channels. Each of these channels transfers data in both directions, allowing many sessions to stem from a single SSH connection.
One of these channels is the Secure File Transfer Protocol (SFTP), which allows you to access and transfer files securely over an SSH connection.
How does SSH work?
As you’ve probably figured out, you’ll need an SSH client to establish an SSH connection to your server. Secure Shell functions on a client-server model, whereby the SSH client is a piece of software that allows users to securely connect to a remote host.
The SSH client initiates an SSH connection request to the server, and the SSH server responds with a random message. The client encrypts that message using the private key and sends it back to the server. The server then decrypts that message using the public key corresponding to the client’s private key. This way, the server verifies that the public and private keys are both parts of one pair.
Once that check is completed, both entities agree on a shared secret (session key) to use for the session.
When the shared secret is established, the client uses the private and session keys to compute a hashed value, which is sent to the server. In the meantime, the server also computes a hashed value using the session key and public key. If both values match, that proves that the client is the owner of the private key and the server grants SSH access to the client.
How to generate and import SSH keys
So far, you’ve understood that the first step to establishing an SSH connection is generating an SSH key pair.
You can do that either locally or from your web hosting account if your plan includes SSH access. All SiteGround plans allow SSH access so our clients can effectively manage their websites via SSH.
This section will explain how to generate a key pair from your Site Tools, how to do that locally, and how to import your SSH key, so read on.
Generate an SSH key pair from Site Tools
If you are a SiteGround client, to generate new RSA keys, you have to log into the Site Tools for the site you wish to allow access to. When there, navigate to the Dev > SSH Manager from the sidebar, type in a name for your key and set a password, then click Create.
After the pair is created, you’ll see an “SSH key is generated” message. You can manage all your keys from the Manage SSH Keys section. Click on the Actions menu next to your chosen key name to get the private and public keys from the pair.
From the same menu, you can also specify which IP addresses (or IP ranges) can get access with the key pair, change its name and get the SSH credentials.
Since SSH keys are generated directly by the server, you only need to copy the Private key and save it in a text file on your computer.
Generate an SSH Key pair locally
Alternatively, you can generate an SSH key pair on your local computer; the steps vary depending on your operating system (OS).
On Windows, you can use an SSH client called PuTTY to generate SSH keys, and you can follow the steps in this article on how to do that.
Mac OS has a built-in SSH client called Terminal. You can easily find it using the Spotlight Search feature by pressing the Space + Command keys. Load the Terminal application, type “ssh-keygen -t rsa” in the command line and press Enter. This command will generate a key pair with the SSH ID “rsa”. That will be the name of your key pair. For more detailed information, check out our article How to create SSH keys on your Mac OS.
Linux OS users can also use the built-in Terminal to generate keys with the same “ssh-keygen” command.
After generating the keys, find them in the corresponding location on your computer and copy the Public key.
How to import SSH keys at SiteGround
To import a new SSH key, go to Site Tools > Devs > SSH Keys Manager > Add new > Import. Enter the key name and paste the public key in the respective field. Alternatively, import it via the Import Key from the File link.
When the Public SSH key is imported there, you will be able to manage access to it by IP address. You can also view the SSH key from the Actions menu, although you’ll only be able to see the Public key.
How to establish SSH access to your hosting account
Now that your SSH keys are ready, you can follow the steps in the articles below to see how you can connect depending on your OS.
- How to log in to my SiteGround shared account via SSH using PuTTY?
- Log in to my SiteGround shared account via SSH on Mac OS?
- How to log in to my SiteGround shared account via SSH in Linux?
Common SSH commands
To manage your files via SSH connection, you’ll need to acquire at least a basic set of SSH commands to use. Take a look at our SSH tutorials to learn how to list, create a new file/folder, edit or delete files and folders, create and extract archives, or manage permissions and ownership.
To summarize, in this article, we’ve explained what SSH protocol is, its architecture, what SSH keys are, and other components. We’ve also touched on how SSH works, how to generate or import SSH keys, and how to connect to your account via SSH.