(Update) Sept. 30, 2019 A new version of the slides (including clustershell was uploaded.

Developed by SSH Communications Security Ltd., Secure Shell is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another in a secure way.

It provides strong authentication and secure communications over insecure channels. To use SSH, you have to generate a pair of keys, one public and the other private. The public key authentication is the most secure and flexible approach to ensure a multi-purpose transparent connection to a remote server.

   Download the slides (PDF)

Generating new SSH keys (Linux / Mac OS)

You should generate new SSH key pairs using ssh-keygen for your laptop (use a strong passphrase). There are various algorithms available, so you are encouraged to use at least the following ones:

1
2
$> ssh-keygen -t ed25519 -o -a 100     # Generate ~/.ssh/id_ed25519[.pub]        -- NEW faster/more secure keys
$> ssh-keygen -b 4096 -o -a 100 # Generate classical RSA keys (4096 bits) -- standard keys format, yet 4096 bits

See this blog to better understand why these commands are used.

Your local SSH configuration is located in the ~/.ssh/ directory.

  • Public key: ~/.ssh/id_{rsa,ed25519}.pub. This one is the only one SAFE to distribute.
  • Private (identity) key: ~/.ssh/id_{rsa,ed25519}

SSH Configuration: ~/.ssh/config, where each entry having the following typical format:

1
2
3
4
Host <shortname>
    Port <port>
    User <login>
    Hostname <hostname>
  • ~/.ssh/known_hosts: Contains a list of host keys for all hosts you have logged into that are not already in the system-wide list of known host keys. This permits to detect man-in-the-middle attacks.

Advanced SSH Tools

See also the Awesome SSH Tools

  • assh: Advanced SSH config - ssh wrapper using ProxyCommand that adds regex, aliases, gateways, includes, dynamic hostnames to SSH and ssh-config
  • stormssh - A command line tool to manage SSH connections.
  • DSH – Distributed / Dancer’s Shell, for running simultaneously the same commands over multiple machines over SSH. This tools is similar to the (no longer maintained?) pdsh
  • Mosh – Mobile Shell, whish supports intermittent connectivity.
  • clustershell

SSH under Windows

The OLD way: using Putty tools

The OLD way consisted to install Putty and the associated tools, more precisely:

  • PuTTY, the free SSH client – download
  • Pageant, an SSH authentication agent for PuTTY tools – download
  • PuTTYgen, an RSA and DSA key generation utility – download
  • PSCP, an SCP (file transfer) client, i.e. command-line secure file copy – download
  • WinSCP, SCP/SFTP (file transfer) client with easy-to-use graphical interface
  • PLink, th PuTTy CLI

In this case, the simplest method is probably to download and run the latest Putty installer (does not include WinSCP).

The NEW way: Using MobaXterm!

MobaXterm is an excellent all-in-one tools offering a maximum of flexibility for managing remote sessions. Among its many features, it supports:

  • [tabbed] Sessions management over SSH, Telnet, Rlogin, RDP, VNC, XDMCP, FTP, SFTP or Serial
  • X11 server w. enhanced X extensions
  • Graphical SFTP browser
  • SSH gateway / tunnels wizards
  • [remote] Text Editor
  • etc.

Advanced Tips

Best practices on SSH Server Configuration /etc/ssh/sshd_config

See https://wiki.mozilla.org/Security/Guidelines/OpenSSH

SSH Server Configuration to restrict to Public key authenticationw

The configuration of the SSH server is set in /etc/ssh/sshd_config.

  • Prevent root access:
1
2
3
LoginGraceTime  2m
PermitRootLogin no
StrictModes     yes
  • Disable password authentication and enable public key authentication:
1
2
3
4
5
RSAAuthentication      yes
PubkeyAuthentication   yes
PermitEmptyPasswords   no
PasswordAuthentication no
ChallengeResponseAuthentication no

Once you have finish the edition of the configuration file, you’ll need to restart the SSH service.

  • On CentOS / Redhat like systems: systemctl restart sshd
  • On Debian like systems: service ssh restart

SSH Multiplexing

There are many existing wrappers for executing the same command on multiple hosts over ssh in parallel.

I personnaly like dsh you can then use as follows:

1
dsh [-c | -w] { -a | -g <group> | -m <hostname> } <command> | dshbak -c
  • using -a, you run the command on all nodes listed in machines.list
  • using -g <group>, you restrict the commands to the group of hosts <group>
  • using -m <hostname>, you run the command only on hostname
  • using -c, you run the commands in parallel (default)
  • using -w, you run the commands in sequential

See also my DSH tutorial

As for ClusterShell, it is probably more convenient nowadays. See the above slides.

FAQ

sudo: sorry, you must have a tty to run sudo

To permit the run of sudo commands over ssh (and thus DSH), you have to change the default configuration of sudo which is configured to require a tty. This is generally enforced by having Defaults requiretty in the /etc/sudoers.

Since we connect as localadmin, we can remove this restriction for him by adding:

Defaults:localadmin !requiretty

sshd: Connection closed by <serverIP> [preauth]

This might indicate a SELinux issue: the SSH daemon is not able to read the authorized_keys file upon connection (as the fcontext is wrong). Fix:

1
2
$> cd /path/to/homedir
$> semanage fcontext -a -t ssh_home_t .ssh/ ; restorecon -R -v .ssh/