SSH — Secure Shell

Using ssh and scp

Let’s say you are user ann on host A — for example, dierdorf@dell. You would like to run a command on a different Linux host B as user bob (possibly yourself again — dierdorf@prismnet.com) and see the results on your screen. Perhaps you want to copy a file from one machine/user to another. Once upon a time, the telnet and ftp utilities were used for these purposes, but their use has been deprecated (and sometimes even forbidden) because they are insecure. In today’s security-conscious world, the openssh package provides the tools you need.

Ssh [secure shell] runs a command on another computer, while scp [secure copy] transfers files. Both have “secure” in their name because all communication between the machines — commands, passwords, results, files — is encrypted.

• First, make sure both machines have packages openssh-client and openssh-server installed. (Use apt-get, synaptic, or whatever.) Also make sure you have both ann and bob’s logon passwords!
• To run a single command-line program on B from A, use the following syntax:

  ann@A:~> ssh bob@B program [arguments]
  bob@B's password: 
  
  [program’s output]
  
  ann@A:~>
  

  You will be prompted to enter bob’s password. The program will actually run on B, but the Standard Output of the program will be displayed on ann’s screen. ssh will work with any two machines connected to the Internet; it uses TCP/IP directly and does not require B’s drive(s) to be visible (mounted) on A. The only requirement is that bob@B can be resolved to an IP address.

• If you run ssh without a program name, then after entering the password you will be at a command prompt on the other machine. For example,

  ann@A:~> ssh bob@B
  bob@B's password: 
  bob@B:~>
  ...whatever
  bob@B:~> exit
  ann@A:~>
  

  Note you are now in bob’s home directory. To cancel the remote session, just type exit. The remote session will be using bob’s default shell, so if the default is bash on one machine and zsh on the other, you may need to mentally shift gears.

• It is also possible to run graphical programs on B from A’s command line. All you have to do is use the -X option to ssh:

  ann@A:~> ssh -X bob@B graphicalprogram [arguments]
  bob@B's password: 
  

  This will open a window on A’s desktop to show the program, even though it is actually executing on B. Note that you have to know the actual name of the graphical program. Of course this will run more slowly than if it was running "native" on B’s display, because all the screen data has to be encrypted, sent across the net, and then decrypted before XWindows can display it. On B, it would just get blasted straight to the video card. (The moral is don’t try playing twitch games on a different machine using SSH!)

  If you want to have this procedure as an icon on machine A, create a new “Link to Application” and, in the “Command” field of the “Application” tab, enter the invocation as above.
  

• One last shortcut: If you invoke ssh only with a host name, it defaults to using the user name with which you are currently logged in. Therefore, these two commands are equivalent:

  dierdorf@dell:~> ssh dierdorf@gw mycommand  
  dierdorf@dell:~> ssh gw mycommand

  ---

• The syntax for using scp [secure copy] to move things from one machine to another is very similar to cp:

  ann@A:~> scp [options] [source] [destination]
  ann@A:~> scp myfile bob@B:backup/myfile
  bob@B's password: 
  ann@A:~> scp -p bob@B:remotefile .
  bob@B's password: 
  

  “bob@B:” (note the colon) represents the home directory of user bob on host B, so the first example copies the file to bob’s backup directory. The most common option is -p, which preserves the file date and time during the copy. Use -r [recursive] to copy a complete directory in either direction. Again, you will need to know bob’s password.

  ---

• To run Windows programs from Linux, there is a free Windows ssh client/server called Copssh. Simply install it on XP, Vista, or Win7 in the usual way. You’ll have to play with the Windows Firewall to allow remote users in, but then you’ll be able to execute stuff on the Windows machine using ssh on Linux or Mac or another Windows machine. (Since it is an ssh client as well as a server, once Copssh is installed you can run programs on Linux, OS-X, etc. boxes from Windows, too, assuming they have their own ssh server running.)

Using Another Computer without Entering a Password

Normally, ssh and scp will ask you for bob’s password every time they are invoked. To bypass this step with Linux (either because you think it’s a nuisance or because you need to have it in a script which runs unattended), you need to set up automatic authentication as follows. This example assumes ann@A wants to avoid passwords when executing as bob@B.

1. Logon to host A as user ann. From a command line, generate a pair of authentication keys. Do not enter a passphrase.

   ann@A:~> ssh-keygen -t rsa
   Generating public/private rsa key pair.
   Enter file in which to save the key (/home/ann/.ssh/id_rsa): 
   Created directory '/home/ann/.ssh'.
   Enter passphrase (empty for no passphrase): 
   Enter same passphrase again: 
   Your identification has been saved in /home/ann/.ssh/id_rsa.
   Your public key has been saved in /home/ann/.ssh/id_rsa.pub.
   The key fingerprint is:
   3a:4f:0c:79:3a:9f:88:7c:3b:4d:e9:5f:31:ac:97:e2 ann@A
   

   This created (if necessary) directory ~/.ssh and the key files id_rsa and id_rsa.pub.

2. Now use ssh to create a directory ~/.ssh as user bob on B. (If the directory already exists, the -p option ensures there is no error.)

   ann@A:~> ssh bob@B mkdir -p .ssh
   bob@B's password: 
   

3. Finally append ann's new public key to bob’s ~/.ssh/authorized_keys file and enter bob's password one last time. (This will create bob’s ~/.ssh/authorized_keys file if it doesn’t exist.)

   ann@A:~> cat .ssh/id_rsa.pub | ssh bob@B 'cat >> .ssh/authorized_keys'
   bob@B's password: 
   

4. From now on you can logon to B as bob from A as ann (or run a single program) without a password:

   ann@A:~> ssh bob@B
   bob@B:~>...
   
   bob@B:~>exit
   ann@A:~>
   

5. Once you’ve proved it works, logon to B, change to directory .ssh and make all the files private to you:

   ann@A:~> ssh bob@B
   bob@B:~> cd .ssh
   bob@B:~/.ssh> chmod 700 *
   

6. Repeat all this in the other direction if you want password-less login from B to A.