Ssh And Secure Remote Access

Category: Transport and Application Layer Protocols
Type: Network Concepts
Generated on: 2025-07-10 08:57:56
For: Network Engineering, Administration & Technical Interviews

---

SSH and Secure Remote Access: Cheat Sheet

What is SSH? Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. It provides a secure channel over an insecure network by encrypting all traffic between the client and the server.

Why is it important?

• Secure Remote Access: Enables secure login and command execution on remote servers.

• Data Confidentiality: Protects sensitive data from eavesdropping.

• Data Integrity: Ensures data is not tampered with during transmission.

• Tunneling: Supports port forwarding for secure access to other services.

• Automation: Used in scripting and automation for remote server management.

• Client: The machine initiating the SSH connection.

• Server: The machine accepting the SSH connection.

• Port 22: Default TCP port for SSH. Can be changed for security.

• Encryption: Using algorithms to scramble data, making it unreadable to unauthorized parties. Common algorithms include AES, ChaCha20, and Blowfish.

• Authentication: Verifying the identity of the client and/or server. Methods include password authentication, public key authentication, and Kerberos.

• Public Key Authentication: Using a key pair (public and private key) for authentication. The public key is placed on the server, and the client uses its private key to prove its identity.

• SSH Tunneling (Port Forwarding): Redirecting network traffic through the SSH connection.

  • Local Port Forwarding (-L): Traffic from the client is forwarded to the server, then to a destination.
  • Remote Port Forwarding (-R): Traffic from the server is forwarded to the client, then to a destination.
  • Dynamic Port Forwarding (-D): Creates a SOCKS proxy on the client.

• SSH Keys: Used for authentication. Consist of a public and private key. The public key is placed in ~/.ssh/authorized_keys on the server.

• Known Hosts: A file (~/.ssh/known_hosts) on the client that stores the public keys of servers the client has connected to. Used to prevent man-in-the-middle attacks.

• Host Key: The server’s public key, used to identify the server.

• SSH Agent: A program that holds private keys in memory, allowing you to use them without typing the passphrase each time.

Client                                   Server
-------                                  -------
| SSH Client                             | SSH Server
|                                        |
|  1. TCP Connection (Port 22)  ------->|
|  2. Key Exchange                 <----->|
|  3. Authentication               <----->|
|  4. Encrypted Communication  <----->|
|                                        |
-------                                  -------

Steps:

1. TCP Connection: The client initiates a TCP connection to the server on port 22 (or a configured port).
2. Key Exchange: Client and server negotiate a shared secret key for encryption. Algorithms like Diffie-Hellman are used. This ensures that even if someone is eavesdropping, they cannot derive the shared secret.
3. Authentication: The client authenticates to the server. This can be done via:
   • Password Authentication: The client enters a password.
   • Public Key Authentication: The client proves ownership of a private key corresponding to a public key stored on the server.
4. Encrypted Communication: All subsequent communication is encrypted using the negotiated shared secret key.

SSH is primarily a transport layer protocol providing a secure channel. It also uses application layer protocols for authentication and key exchange. Detailed packet capture analysis requires specialized tools like Wireshark.

• Key Exchange: Algorithms like Diffie-Hellman Group Exchange are used. The client and server exchange public values, allowing them to derive a shared secret without transmitting the secret itself.
• Encryption: Symmetric encryption algorithms (AES, ChaCha20) are used to encrypt the data stream after key exchange.
• Message Authentication Code (MAC): Algorithms like HMAC-SHA256 are used to ensure data integrity and prevent tampering.

Example Wireshark Filter (for SSH):

tcp.port == 22

This filter will show all TCP packets on port 22, which is the default SSH port.

• Secure Remote Access to a Linux Server: Connecting to a server to manage files, install software, and monitor performance.

  ssh user@server_ip

• Secure File Transfer (SCP): Copying files securely between machines.

  scp local_file user@server_ip:/remote/directory/

• Secure File Transfer (SFTP): Interactive file transfer over SSH.

  sftp user@server_ip

• Port Forwarding:

  • Local Port Forwarding: Accessing a database server on a remote network.

    ssh -L 3306:db_server:3306 user@server_ip

    This forwards local port 3306 to the db_server on the other side of the SSH connection. You can then connect to localhost:3306 to access the database.
  • Remote Port Forwarding: Allowing access to a service running on your local machine from a remote server.

    ssh -R 8080:localhost:80 user@server_ip

    This forwards traffic from server_ip:8080 to localhost:80 on the client machine.

• Automated Script Execution: Running scripts on remote servers as part of an automated deployment process.

  ssh user@server_ip "sudo apt update && sudo apt upgrade -y"

• Git over SSH: Securely cloning and pushing code to a remote Git repository. This requires SSH key authentication to be configured.

• Connection Refused: The SSH server is not running or is not listening on the specified port.

  • Solution: Verify the SSH server is running on the remote machine. Check the SSH server configuration file (/etc/ssh/sshd_config) to ensure it’s listening on the correct port. Use netstat -tulnp | grep sshd on the server to confirm.

• Permission Denied (Public Key): The public key is not correctly placed in ~/.ssh/authorized_keys or has incorrect permissions.

  • Solution: Ensure the public key is added to ~/.ssh/authorized_keys on the server. The file and directory permissions should be restrictive: chmod 700 ~/.ssh and chmod 600 ~/.ssh/authorized_keys.

• Incorrect Password: The password entered is incorrect.

  • Solution: Double-check the password. Consider using public key authentication for improved security and convenience.

• Host Key Verification Failed: The server’s host key has changed, indicating a potential man-in-the-middle attack.

  • Solution: Carefully verify the new host key with the server administrator. If you are certain the key is legitimate, remove the old key from ~/.ssh/known_hosts and reconnect. If you are unsure, do not connect.

• Firewall Blocking SSH: A firewall is blocking traffic on port 22 (or the configured SSH port).

  • Solution: Configure the firewall to allow traffic on the SSH port. Use iptables (Linux) or Windows Firewall. For example, on Linux (iptables): sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT.

• Slow SSH Connection: Caused by network latency, DNS issues, or high CPU usage.

  • Solution: Check network connectivity using ping. Verify DNS resolution. Check server CPU and memory usage. Consider using connection multiplexing (see below).

• Connection Multiplexing: Opening multiple SSH sessions over a single TCP connection.

  • Benefit: Reduces overhead by reusing an existing connection.
  • Configuration (client): Add the following to ~/.ssh/config:

    Host *
        ControlMaster auto
        ControlPath ~/.ssh/sockets/%r@%h:%p
        ControlPersist 600

Server-Side Configuration (/etc/ssh/sshd_config):

Port 22
ListenAddress 0.0.0.0  # Listen on all interfaces
#ListenAddress 192.168.1.100  # Listen on a specific IP

PermitRootLogin no       # Disable root login
AllowUsers user1 user2    # Allow specific users
#DenyUsers user3         # Deny specific users

PasswordAuthentication no  # Disable password authentication
PubkeyAuthentication yes  # Enable public key authentication

ChallengeResponseAuthentication no # Disable keyboard-interactive authentication

UsePAM yes              # Use PAM for authentication
X11Forwarding no       # Disable X11 forwarding
TCPKeepAlive yes        # Enable TCP keepalive
ClientAliveInterval 300 # Send keepalive every 300 seconds
ClientAliveCountMax 3   # Max 3 keepalive attempts before disconnecting

Client-Side Configuration (~/.ssh/config):

Host server1
    HostName server1.example.com
    User myuser
    Port 2222
    IdentityFile ~/.ssh/id_rsa_server1
    ForwardAgent yes

Host *.example.com
    User generic_user
    IdentityFile ~/.ssh/id_rsa_generic

Host jumpbox
    HostName jumpbox.example.com
    User jumpbox_user
    ProxyJump user@gateway.example.com  # SSH through a jump host

Generating SSH Keys:

ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -C "your_email@example.com"

Copying Public Key to Server:

ssh-copy-id user@server_ip
# Or manually:
cat ~/.ssh/id_rsa.pub | ssh user@server_ip "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

• What is SSH, and why is it important? (See Quick Overview)

• Explain the difference between password authentication and public key authentication. Password authentication relies on a shared secret (the password), which can be vulnerable to brute-force attacks. Public key authentication uses a key pair, where the private key is kept secret and the public key is placed on the server. This is more secure and convenient.

• How does SSH ensure confidentiality and integrity? Confidentiality is achieved through encryption using algorithms like AES or ChaCha20. Integrity is ensured using MAC algorithms like HMAC-SHA256, which generate a cryptographic hash of the data to detect tampering.

• What is SSH tunneling (port forwarding), and what are the different types? SSH tunneling allows you to forward network traffic through a secure SSH connection. The types are:

  • Local Port Forwarding (-L): Forwards traffic from the client to the server, then to a destination.
  • Remote Port Forwarding (-R): Forwards traffic from the server to the client, then to a destination.
  • Dynamic Port Forwarding (-D): Creates a SOCKS proxy on the client.

• What is a “jump box” or “bastion host,” and why is it used? A jump box is a server that sits between the public internet and a private network. It acts as a single point of entry for accessing resources within the private network, improving security. You SSH to the jump box first, then SSH from the jump box to the target server.

• What steps would you take to secure an SSH server?

  • Disable password authentication.
  • Use public key authentication.
  • Change the default SSH port.
  • Limit access to specific users or groups.
  • Disable root login.
  • Use a firewall to restrict access to the SSH port.
  • Keep the SSH server software up to date.
  • Implement intrusion detection and prevention systems.

• How do you troubleshoot a “Permission denied (publickey)” error? (See Common Issues)

• Explain the difference between SCP and SFTP. SCP (Secure Copy) is a simple protocol for copying files securely over SSH. SFTP (SSH File Transfer Protocol) is a more feature-rich protocol that provides interactive file transfer capabilities, including directory listing, file deletion, and renaming. SFTP is generally preferred.

• TLS/SSL: Transport Layer Security / Secure Sockets Layer - Another cryptographic protocol for securing network communication, commonly used for web traffic (HTTPS).

• VPN: Virtual Private Network - Creates a secure, encrypted connection over a public network, often used for remote access to corporate networks.

• IPsec: Internet Protocol Security - A suite of protocols for securing IP communications by authenticating and encrypting each IP packet.

• Kerberos: A network authentication protocol that uses tickets to verify the identity of users and services.

• PKI: Public Key Infrastructure - A system for managing digital certificates and public keys, used for authentication and encryption.

• Firewalls: Network security devices that control network traffic based on predefined rules.

• Intrusion Detection/Prevention Systems (IDS/IPS): Security systems that monitor network traffic for malicious activity and take action to prevent or mitigate threats.

• OpenSSH: The most popular open-source implementation of the SSH protocol.

• PuTTY: A popular SSH client for Windows.

This cheat sheet provides a comprehensive overview of SSH and secure remote access. Remember to practice using these concepts and commands to gain a deeper understanding. Good luck!