
SSH - Overview and Guide

Secure Shell, Remote Access, Telnet, FTP, RLogin, RSH, X Window Protocol, OpenSSH, Open BSD, Key, SSH-Agent, Bastion Servers, Tunneling, Compression, Secure FTP

NRAO Employees: Network access is for use on NRAO-approved machines only. Complete the Permission to Connect non-NRAO Computer to NRAO Network form (PDF) and have it authorized by your local computing division head before attempting any connections except "nraoPUBLIC". Please note that VPN is the preferred remote connection technology.

Visitors: May make use of NRAO public wireless networks where available. For RFI restricted areas, contact the Help Desk.


Quick Roundup - What is SSH?

SSH stands for Secure SHell. It provides secure remote login and file transfer across a network: the connection between client and server is completely encrypted. SSH can also tunnel additional connections, such as X11 (X Windows) and SSH agents, through that encrypted channel. SSH provides appropriate encryption, as mandated by NRAO Security Policies, for internet login access to our machines.

There are three levels at which you can use the Secure Shell:

  • Bare bones: just use the ssh or scp commands. You have to enter your password every time.
  • Key based access: use SSH keys with a passphrase, and use ssh-agent so you don't need to enter the passphrase for each and every invocation of slogin or scp.
  • Advanced use: as above, but also use features such as tunneling for X11, web proxies, or other protocols through the connection; restrict the networks from which connections can be made; and confine access to certain commands.

As you can see, you can either use the secure shell in a mode where you supply your password on the server for each and every login (the bare bones level mentioned above), or you can use keys and an agent to "cache" your identity and only enter a passphrase challenge once per X11 (or Windows or OSX) session. Most users will find using the agent and keys much easier in the long term, at the cost of a small one-time effort of key setup.

IMPORTANT: The login or "Bastion" Servers

Each site has a login server that accepts SSH connections from the internet at large. These bastion servers are the only way for you to connect via SSH to NRAO's internal network.

These servers are set up to ignore your personal authorized_keys file (see below for details on that file) and use one managed by the system administrators instead. If you have a demonstrable need for an entry in the system's authorized_keys file for your account, you must:

  • Contact your local helpdesk with the request, including a short description of why you need it;
  • Verify to them that your private key is indeed encrypted with a passphrase; and
  • Supply them with your public key (identity.pub) or tell them where it is located if not in the default ~/.ssh/ location.

Requests for such additions will by default be set up to allow key based access only from NRAO networks (from=*.nrao.edu). The range will be expanded to additional networks only where it is needed, and the expansion must be as narrow as feasible (class B, C, or D network ranges).

SSH Clients

Linux and MacOS systems come with OpenSSH (ssh, scp, etc.) installed.

Windows 10 and higher also include OpenSSH as terminal commands. Windows users who want a graphical SSH client should use PuTTY. This is free software that doesn't need to be "installed"; just download, unpack, and run. On NRAO / AUI machines, you may also have access to SecureCRT in your "Start" menu. It has a slightly different feature set from PuTTY (and predates it).


The SSH Agent

The ssh-agent program allows you to unlock your private ssh key(s) so that you only get the passphrase challenge once per session. It avoids having to enter the passphrase for each ssh or scp command that you use. Most Linux and MacOS desktop environments integrate ssh-agent into their system keychain or other secrets management.

A pre-requisite for making (sensible) use of the agent is the (usually one-time) generation of keys. See the section below on ssh keys for how to create a public-private set of keys for your account, if you have not already done so.

To add your default key to the agent, just type this in a terminal window (Linux or Mac): ssh-add </dev/null and you should get a pop-up dialog asking for the passphrase.  You only need to do this once per session; the agent keeps the key cached for as long as you are logged in (even over suspend or hibernate events).

SSH For Mac Users

For those sitting in front of Mac OSX systems, ssh-agent works just like it does under Linux, except that the SSH_AUTH_SOCK variable is not needed. Also, ssh-agent can store key passphrases in your system keychain.

SSH For Windows Users

The PuTTY package comes with a program called Pageant that provides the same functionality as ssh-agent on other platforms. It requires that you have generated a private key in *.PPK format. When run, pageant will put an icon (a computer wearing a hat) into the system tray. Right-clicking on this icon brings up a menu including view keys and add key. Use these to add a key once you have generated it (see below).

SSH For Linux/Unix Users

As all NRAO desktop and laptop Linux systems are configured to use GNOME or KDE, the ssh-agent process is automatically started for you. You do not have to edit any configuration file, nor do you have to start it by hand. It's there for you to use.

For other systems, check if the agent is already running by checking your environment: echo $SSH_AUTH_SOCK should give more than a blank line. If it is not running, use the text-only access method in the next section.

SSH For Text-only Access

For those who prefer not to use the desktop environment's agent, or if you are using a Solaris system or a text-only login such as a server or one of the Virtual Consoles of a Linux system, you may need to start ssh-agent manually. Once you have logged on, or have a terminal window running, type this:

eval `ssh-agent`

Note: Users with tcsh or csh as their login shell should type eval `ssh-agent -c` instead.

Basic Use

Each command is followed by a comment describing what it does.

polaris$ ssh bonobo
    Remote login from one machine to another (same site); no password needed if ssh-agent has your identity cached.

gygax$ ssh login.cv.nrao.edu -l myaccount
    As above, but uses a different account from the local one, and a remote site.

prospero$ ( ssh login.aoc.nrao.edu 'ls -l' ) | less
    Shows a file listing on the remote system.

polaris$ ssh login.gb.nrao.edu -l someacct pwd
    As above, but a simple command, a different account, and no dashes in the command.

gygax$ scp /foo/bar/*.fits login.gb.nrao.edu:fitsfiles/
    Copies a bunch of local files to the indicated subdirectory on the remote host.

polaris$ scp login.aoc.nrao.edu:/some/remote/file /my/local/whoopee
    Copies a remote file to the local host.

prospero$ scp ./woo/hoo.dat \
> myaccount@login.cv.nrao.edu:/my/remote/area/
    Copies a local file (in a subdirectory) to a different account on the remote host, keeping the default filename, into the indicated remote directory (note the trailing slash).

SSH Key-based Access

This section shows you how to create and use a set of ssh keys for your NRAO accounts. Most users will want to read the section for desktop users, but we present laptop users first to avoid duplication of key generating effort.

NOTE on sshpass: Most modern Linux distros will include a utility called "sshpass". Unfortunately sshpass works by storing your password insecurely and, thus, is not permitted by NRAO's Computing Security Policy. Please use SSH keys instead.

Generating SSH keys

To generate or re-generate your ssh keys, use the following commands in a terminal window:

ssh-keygen -a 100 -t ed25519

This command generates an ED25519 SSH keypair.

Users who need access to systems running RHEL 7 and earlier should also generate a 3072-bit RSA keypair:

ssh-keygen -a 100 -b 3072 -t rsa

Important notes:

  • DSA keys are considered insecure and will not be accepted.
  • Do NOT use your NRAO password as your SSH key passphrase.
  • All SSH private keys must be encrypted (must use a passphrase). Make sure you enter a good, memorable passphrase.
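Both the helpdesk procedure above (you must verify that your private key is passphrase-protected) and the last note need a way to tell an encrypted key file from a clear one. This is an added Python checker, not an NRAO tool: it reads the cipher name recorded in the modern openssh-key-v1 container (where "none" means the key is stored in the clear) and the Proc-Type header of legacy PEM keys; the build_openssh_container helper only constructs sample input for exercising the checker offline and does not produce a usable key.

```python
import base64
import struct


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (uint32 big-endian length + data)."""
    return struct.pack(">I", len(b)) + b


def build_openssh_container(cipher: str) -> str:
    """Constructed sample: the outer 'openssh-key-v1' container with a given
    cipher name. Only the field the checker reads is meaningful; the remaining
    fields are filler, so this is test input, not a usable key."""
    blob = (b"openssh-key-v1\x00" + _ssh_string(cipher.encode())
            + _ssh_string(b"none") + _ssh_string(b"") + struct.pack(">I", 1))
    body = base64.b64encode(blob).decode()
    wrapped = "\n".join(body[i:i + 70] for i in range(0, len(body), 70))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + wrapped
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


def private_key_is_encrypted(key_text: str) -> bool:
    """True if an OpenSSH or PEM private key file is passphrase-protected."""
    lines = [ln.strip() for ln in key_text.strip().splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        raise ValueError("not a private key file")
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # Modern format (ssh-keygen default): the container names the cipher
        # protecting the private section; "none" means stored in the clear.
        raw = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not raw.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(magic)
        (n,) = struct.unpack(">I", raw[off:off + 4])
        return raw[off + 4:off + 4 + n] != b"none"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True  # PKCS#8 container, always encrypted
    # Legacy PEM (ssh-keygen -m PEM): encrypted keys carry a Proc-Type header.
    return any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:-1])
```

Against a real key on disk, ssh-keygen -y -f ~/.ssh/id_ed25519 gives the same answer: a clear key prints its public half without asking for a passphrase.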

Copying keys for access to other sites

Many NRAO users have a different home directory (filer area) at each site. In order for systems at other sites to honor your SSH key, you must copy your public SSH key to your home directory at all three NRAO sites. Note: Laptop users usually have a local home directory and must do this for their home site as well.

After generating SSH keys, copy your public key to your NRAO network home directory by running

ssh-copy-id <username>@login.<site>.nrao.edu

If you only have an existing RSA or DSA key and are attempting to update access to an RHEL8 machine, you will need to run ssh-copy-id against an existing RHEL7 machine. Once the new key is in place, it should start to work for logging in to an RHEL8 machine.

Changing your SSH key passphrase

You can change the phrase on your private key by using this command:

ssh-keygen -p -f ~/.ssh/id_ed25519

It will prompt you for the old passphrase and then the new one (twice, for verification). There is no need to alter the public key; the passphrase is used only to unlock the private one.


What's this authorized_keys file?

The authorized_keys file in your .ssh directory contains all SSH public keys that are authorized to access your account. This file must contain ONLY public keys for which you control the private key and for which the private key is encrypted using a strong passphrase. Do not allow other users to write to your authorized_keys file.

Advanced Use

Tunneling, Compression

Please see the SSH Tunneling for Linux and Mac page for a detailed user guide.

The first thing most newcomers to SSH notice on using it for remote logins is that the DISPLAY environment variable is already set. You can immediately start running X client programs on the remote machine, and have the display show up on your desktop or laptop (the screen in front of you). Do not use the obsolete xhost, xauth, or other commands, and do not try to set the variable yourself. It just works!

In addition, the normal ssh behaviour is to tunnel your ssh agent information, so that if, on the remote host, you give another ssh command to a more distant host, that more distant host will still be able to "see" your local ssh agent. This is particularly useful when logging into the login.{site}.nrao.edu "bastion hosts" or login servers, which are the only ones exposed to the outside internet. When you are at another institution or travelling, or connecting from your NRAO laptop at home, you will often want to do this two-hop step to get to your desktop: for example, ssh login.cv.nrao.edu, then from there, ssh mydesktop.cv.nrao.edu.

But tunneling doesn't stop there. You can tunnel practically any Internet protocol through a SSH connection. The most obvious candidates are POP3 and IMAP for remote e-mail reading.

As for compression, it's enabled with the -C switch on the slogin or ssh or scp command line, or in your ~/.ssh/config file. For text-based activities on a modem connection, compression can realize a 2- or 3-fold apparent improvement in bandwidth; this can make, for example, use of the X11 version of emacs usable over a 28.8 K-baud PPP modem connection. Some postscript files may transfer via scp at close to 10 Kbytes/second under such circumstances.
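The two-hop path through the bastion and the -C compression switch can both be written into ~/.ssh/config, so that a single ssh mydesktop.cv.nrao.edu does the whole trip. This fragment is an added example, not NRAO-supplied configuration; mydesktop and myaccount are placeholders. ProxyJump relays the second hop through the bastion without leaving your agent reachable on it, so it is preferable to agent forwarding wherever your OpenSSH supports it.

```ssh_config
# Bastion host: the only one reachable from the internet; compress for slow links
Host login.cv.nrao.edu
    User myaccount
    Compression yes
    ForwardAgent no

# Internal desktop (placeholder name): not reachable directly, so hop via the bastion
Host mydesktop.cv.nrao.edu
    User myaccount
    ProxyJump login.cv.nrao.edu
```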

Restricting the Remote Command

There are two ways in which you can "batten down" a permitted connection by using your authorized_keys file:

You could, for example, prefix a key in the file with the string from=*.nrao.edu to restrict access to NRAO domain names, or with command="..." to restrict that key to running a single command. See the manual page on the ssh daemon (man sshd, section AUTHORIZED_KEYS FILE FORMAT) for details, and the manual page on ssh_config for the wildcard patterns you can use.
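To show what restricted entries look like, and to check an authorized_keys file against the rules on this page (only keys you control, no DSA keys, access restricted with from= to NRAO networks unless a wider range is really needed), here is an added Python audit script. It is not an NRAO tool; the keys in SAMPLE_AUTHORIZED_KEYS are constructed placeholders, and the script treats any from= pattern not ending in .nrao.edu as something to review rather than as forbidden.

```python
import re

# Constructed sample file: key material is placeholder text, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
from="*.nrao.edu" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1 user@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2 user@home
from="*.nrao.edu" ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER3 user@oldbox
from="*.nrao.edu,*.example.edu" ssh-rsa AAAAB3NzaC1yc2EAAAADPLACEHOLDER4 user@visiting
command="/usr/bin/rsync --server . /data/",from="*.nrao.edu" ssh-rsa AAAAB3NzaC1yc2EAAAADPLACEHOLDER5 backup@box
"""

# The key type token marks where the optional options field ends.
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-nistp\d+)\s+(\S+)(?:\s+(.*))?$")


def parse_options(opts: str) -> dict:
    """Split the options field; quoted values may contain commas and spaces."""
    out = {}
    for m in re.finditer(r'([\w-]+)(?:="((?:[^"\\]|\\.)*)")?', opts):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else True
    return out


def audit_authorized_keys(text: str) -> list:
    """Return (line_no, message) for entries that break the guidance above."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            findings.append((n, "unparseable entry"))
            continue
        keytype = m.group(1)
        opts = parse_options(line[:m.start()])
        if keytype == "ssh-dss":
            findings.append((n, "DSA key: not accepted"))
        src = opts.get("from")
        if not isinstance(src, str):
            findings.append((n, "no from= restriction: usable from any network"))
        else:
            loose = [p for p in src.split(",") if not p.endswith(".nrao.edu")]
            if loose:
                findings.append((n, "from= has non-NRAO pattern(s): " + ",".join(loose)))
    return findings


if __name__ == "__main__":
    for line_no, msg in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {line_no}: {msg}")
```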

Secure FTP

For those who prefer the old-style ftp command interface (account based, not anonymous), there is good news. The sftp program (psftp for PuTTY) provides this by a special SSH connection to the remote host. Just type, for example:

sftp login.cv.nrao.edu

and you will find yourself (after the password or passphrase challenge) in a very familiar environment. Most of the usual ftp commands will work for you, and you can type help for additional information.

Windows users who need to use SFTP can use FileZilla.

Debugging, Problems

Short version: ssh -v. Add one or two more v's (ssh -vv, ssh -vvv) for progressively more, and eventually ridiculous, levels of verbosity.

Some problems you encounter may be due to lax permissions on the server end. For example, your ~/.ssh/ directory cannot be group writable (but does need to be world readable). If you must have a copy of your private key on the destination server, it must be protected against reading by anyone except you: chmod 0600 ~/.ssh/id_ed25519.

See also Stupid SSH Tricks, a talk given to the Local Unix User's Group (CHUUG) in Charlottesville some years ago by Pat Murphy.

For more information, see the manual page for ssh. What you've read on this page here covers just the basics.
