Secure Shell (SSH)

Secure Shell (SSH) is a cryptographic network protocol used to provide secure access to a computer over an unsecured network, commonly utilized by systems administrators for remote management tasks. It encompasses both the protocol itself and a suite of utilities that implement its functionality. SSH ensures robust security through strong password authentication, public key authentication, and encrypted data communications between connected computers over open networks like the internet. This encryption capability is pivotal for maintaining the security of systems by enabling secure access and management of networked systems.

SSH operates using a client-server model, where a Secure Shell client application connects to an SSH server, with the client displaying the session and the server executing it. The protocol can support various application protocols, including those used for terminal emulation and file transfers, and is capable of creating secure tunnels for other application protocols, such as remotely running X Window System graphical sessions. By default, an SSH server listens on the standard TCP port 22.

The primary purpose of SSH is to replace less secure terminal emulation or login programs like Telnet, remote login (rlogin), and remote shell (rsh), enabling secure remote login and terminal sessions. Additionally, it replaces file transfer programs like File Transfer Protocol (FTP) and remote copy (rcp). SSH is typically used to connect to a remote host for terminal sessions, which involves encrypting and authenticating communications using public key cryptography. For example, a typical SSH command looks like this: ssh [email protected], where the client attempts to connect to a server using a specified user ID.

Once the connection is established, the remote host's public key fingerprint is presented for authentication, and upon approval, the host key is stored in the local system's known_hosts file. This allows subsequent connections to proceed without additional approval, as the host key authenticates the connection.

SSH is ubiquitous in data centers, shipping by default with Unix, Linux, and Mac servers. It secures various types of communications between local machines and remote hosts, including secure remote access, command execution, software patch delivery, and other administrative tasks. Furthermore, SSH keys facilitate automated server access and are often employed in scripts, backup systems, and configuration management tools. The protocol also supports creating secure tunnels for local, remote, and dynamic port forwarding, providing single sign-on (SSO) capabilities across accounts.

SSH's reliance on key-based authentication using public key pairs ensures secure host-to-host communication, with each host generating unique public key pairs for authentication. This functionality extends to managing routers, server hardware, virtualization platforms, and operating systems, ensuring secure administrative configurations and access.

Learn more about SSH

Secure Copy Protocol (SCP)

Secure Copy Protocol (SCP) is a network protocol that enables the secure transfer of files between hosts on a network, primarily within Linux and Unix-like operating systems. SCP is built upon the Secure Shell (SSH) protocol, which offers encrypted communication sessions, ensuring that data and passwords remain secure during transmission. This encryption ensures that even if the traffic is intercepted, the information remains protected.

SCP is widely utilized for its security features, making it an essential tool in environments where safeguarding data is critical, such as enterprise networks, cloud deployments, and remote server management. Unlike traditional file transfer protocols, SCP leverages SSH to encrypt data, which enhances its security and makes it a preferred choice for system administrators and developers.

SCP Command Syntax

The basic syntax for the scp command is as follows:

scp [option] [user_name@source_host:path/to/source/file] [user_name@target_host:target/path]

When executing this command, if the user name is omitted, it defaults to the current user. Additionally, if the path is omitted, the command will look for (or copy) the file locally. Users must ensure that they have read access to the files they wish to copy on the source system and write access on the destination system.

SCP Command Options and Examples

SCP offers various command options to customize and optimize the file transfer process. Each option has both a short and a longer, descriptive form.

• Copying Files: To copy a file from a local host to a remote server, the command format is:

scp Desktop/sample_example.txt root@136.183.142.28:/home/remote_dir

• Copying Directories: To copy directories recursively, the -r option is used:

scp -r example root@147.182.143.28:/home/remote_dir

• Using Specific Port: If a remote system uses a different SSH port, the -P option specifies the port:

scp -P 2222 Desktop/sample_example.txt root@147.182.143.28:/home/remote_dir

• Quiet and Verbose Modes: Use -q to run SCP in quiet mode, disabling progress and non-error messages, or -v for verbose mode to help with troubleshooting:

scp -q Desktop/sample_example.txt root@136.183.142.28:/home/remote_dir

SCP not only secures file transfers but also provides flexibility through various options and features, making it a vital tool for secure data management across networks.

Explore SCP command options

How-to Tips

This section provides practical tips and techniques for using SSH and SCP effectively in various scenarios.

Copying Only Updated Files

When you need to copy a large number of files from a local machine to a remote server, using SCP can result in unnecessary duplication of files that haven't changed since the last transfer. To optimize this process, you can use rsync, which only sends updated files to the server, reducing load and time.

rsync -avh -e ssh $sourceLoc $user@$serverAddr:$remoteLoc

Running a Script Remotely

If you have a shell script, such as script.sh, that you wish to execute on a remote server, you can use SSH to pass the script to the server and run it using the bash -s prefix.

ssh ${user}@${serverAddr} 'bash -s' < script.sh

Port Tunneling

SSH can be used to tunnel ports, which is especially useful for debugging when a port cannot be exposed externally due to security restrictions. For instance, if a web service is running on port 5000 on a server but is not accessible externally, you can tunnel this port to your local machine. This allows you to access the service locally as if it were running on your computer.

ssh -N -L localhost:$localPort:localhost:$serverPort ${user}@${serverAddr}

Executing Commands Directly

SSH allows for the execution of one-off commands directly from the command line, eliminating the need for separate steps to connect, authenticate, and then execute a command.

ssh user01@server01 "rpm -qa | grep nano"

Secure File Transfer with SCP

For simple file transfer tasks, SCP is a straightforward alternative to SSH. To copy a file from your local machine to a remote server or vice versa, you can use the SCP command. Here's how you can copy a file file.txt:

scp file.txt user@remote_host:/path/to/remote/directory

And to copy a file from a remote system to your local directory:

scp server01:/projects/file.txt .

By mastering these SSH and SCP tips, users can enhance their productivity and ensure secure, efficient remote management and file transfers.

Discover more SSH tips

Tricks and Advanced Techniques

Utilizing SCP Command Options

The SCP command provides numerous options that allow users to customize and optimize the file transfer process. For instance, you can run SCP in quiet mode using the -q option, which suppresses the progress meter and non-error messages, providing a cleaner output. This can be particularly useful in scripts where you want to minimize console output. Conversely, the -v option enables verbose mode, providing detailed debugging information that can help in troubleshooting any issues during file transfer.

Limiting Bandwidth and Enhancing Speed

When transferring large files, you may wish to limit the bandwidth usage to avoid saturating your network. This can be accomplished by using the -l parameter followed by a number representing the desired bandwidth limit in kilobits per second. For example, setting the bandwidth limit to 100 KB/s would require a value of 800 (100 x 8) due to the conversion from bytes to bits.

To enhance transfer speed, the -C option can be used to compress files during transfer. This is particularly beneficial for large files or directories, as the compression reduces the amount of data sent over the network. Once the transfer is complete, the file returns to its original size.

Advanced Security and Protocol Specifications

For users concerned with security, SCP allows the specification of different encryption ciphers using the -c option. By default, SCP uses AES-128 encryption, but you can switch to more secure ciphers such as 3DES for heightened security measures.

Moreover, SCP can be configured to exclusively use either IPv4 or IPv6 protocols by employing the -4 or -6 options, respectively. This can be particularly useful in network environments that are configured to prioritize a specific IP version.

Preserving File Attributes

Preserving file attributes such as modification and access times, modes, and permissions during file transfers can be critical for maintaining file integrity and system consistency. This is achieved by utilizing the -p option, ensuring that the file's metadata remains unchanged during the transfer process. This capability makes SCP a reliable tool for system administrators who need to maintain precise file attributes across different systems.

By leveraging these advanced techniques, users can maximize the efficiency and security of their file transfers using SCP, tailoring the command to meet specific network requirements and operational constraints.

Advanced SCP techniques

Security Considerations

SSH (Secure Shell or Secure Socket Shell) is a robust protocol that provides users, especially systems administrators, a secure method to access computers over unsecured networks. It ensures strong password authentication, public key authentication, and encrypted data communications between two computers, which makes it crucial for maintaining system security across open networks such as the internet. Despite its secure nature, SSH implementations are sometimes targeted by brute-forcing and bot activities, making it essential to adhere to security best practices, such as transitioning from password authentication to SSH key-based authentication, to fortify SSH servers against such threats.

One of the most common uses of SSH is to facilitate secure file transfers and remote command execution. While SCP (Secure Copy Protocol) has been widely used for these purposes, there is a growing consensus in the security community about its potential vulnerabilities, which has led some security officers to recommend SFTP (SSH File Transfer Protocol) as a safer alternative. The debate over the security of SCP underscores the importance of evaluating the underlying infrastructure and popular trust in SCP against evolving security threats and standards.

Recent vulnerabilities, such as the one tracked as CVE-2024-6409, have highlighted potential risks in certain OpenSSH versions, specifically 8.7p1 and 8.8p1, which are vulnerable to remote code execution (RCE) due to a race condition in signal handling. This vulnerability affects the privsep child process, thereby impacting systems running Red Hat Enterprise Linux 9. It is critical to note that if only one of the related vulnerabilities, like CVE-2024-6387, is addressed, the unresolved vulnerability becomes a more attractive target for attackers. Security researchers emphasize the importance of addressing both vulnerabilities to mitigate the risk of exploitation effectively.

Active exploits targeting such vulnerabilities have been detected, further illustrating the need for vigilance. For instance, an exploit for CVE-2024-6387 has been observed targeting servers primarily located in China, emphasizing the necessity for organizations to patch their systems promptly and employ robust security measures to prevent potential breaches. These developments highlight the ongoing need to stay informed about security vulnerabilities and maintain a proactive approach to securing SSH and related utilities against emerging threats.

Read more about SSH security

Tools and Resources

SSH Protocol

SSH, or Secure Shell, is a network protocol that provides a secure method for accessing remote systems. It is widely used for executing commands on remote machines and for secure file transfers. SSH ensures that data exchanged between the client and server is encrypted, thus protecting against eavesdropping and man-in-the-middle attacks. Its versatility extends beyond just command execution; it also supports secure tunneling and port forwarding, making it an indispensable tool in network administration.

SCP Utility

Secure Copy Protocol (SCP) is a command-line utility that utilizes SSH to facilitate the secure transfer of files between hosts over a network. SCP encrypts data in transit, ensuring confidentiality and integrity, which is particularly crucial in environments where security is a top priority. This utility is straightforward to use, allowing for both local-to-remote and remote-to-local file transfers. SCP is favored for its simplicity and ease of use, especially for one-time secure transfers.

Basic SCP Commands

To transfer a file from a local machine to a remote host, the following syntax is used:

scp /path/to/local/file user@remote_host:/path/to/remote/directory

Conversely, to copy a file from a remote host to a local machine, the command is:

scp user@remote_host:/path/to/remote/file /path/to/local/directory

These commands ensure that the files are securely transferred using SSH for authentication and encryption.

Learn more about SCP

Alternatives to SCP

While SCP is robust, there are alternative tools for secure file transfer, each with unique features:

• SFTP (SSH File Transfer Protocol): Like SCP, SFTP uses SSH for encryption, but it offers more features, such as directory listing and resuming interrupted transfers, which can be beneficial for complex file management tasks.
• Rsync: This utility is designed for efficient file transfer and synchronization. Rsync uses delta encoding to transfer only changes made to files, making it bandwidth-efficient. It can also utilize SSH for secure transfers, combining security with efficiency.

Orkes Cloud for Workflow Orchestration

In the context of modern software architecture, Orkes provides a leading workflow orchestration platform that aids in developing, connecting, and deploying applications and microservices. Managed through Orkes Cloud, this platform allows developers to focus on building applications without the burden of infrastructure maintenance, thus accelerating delivery and reducing total cost of ownership.

By leveraging these tools and resources, users can ensure secure and efficient file management and application deployment, enhancing productivity and security in their IT operations.

Explore more tools and resources

Diagrams

SSH and SCP Workflow

SCP Command Options

In conclusion, mastering SSH and SCP is essential for secure and efficient network management.