SSH Secure Shell Client

Windows client: SSHWinClient-3.0.0.exe (SSHWinClient)

Step by step:
1. Start the Secure Shell Client (SSH Secure Shell > Secure Shell Client).
2. Profile Settings > Connection: set Terminal Answerback to xterm.
3. Global Settings > Appearance > Font: Fixedsys, 12.
4. Global Settings > Appearance > Colors: Foreground Silver; Background Black.

Server source tarballs: ssh-1.2.31.tar.gz and ssh-2.4.0.tar.gz (or ssh-3.0.1.tar.gz). These are the original SSH Communications Security releases; protocol version 1 (the ssh-1.2.x line) has known cryptographic weaknesses and has been removed from modern OpenSSH, so treat the build notes below as historical.

Server and client (with root privilege):

ssh1:
  sh configure --with-x --with-libwrap --with-etcdir=/etc/ssh1
  make depend all install
ssh2:
  sh configure --with-x --with-libwrap
  make all install

Client only (without root privilege, installing under $HOME/ssh):

ssh1:
  sh configure
  make depend all
  mkdir -p $HOME/ssh
  for files in scp ssh ssh-add ssh-agent ssh-askpass ssh-keygen; do
    install -m 700 -s $files $HOME/ssh/${files}1
  done
(the ssh1 binaries get a "1" suffix so they can coexist with the ssh2 ones)
ssh2:
  sh configure
  make all
  for files in `find apps -name 's*2'`; do
    files2=`basename $files | tr -d 2`
    install -m 700 -s $files $HOME/ssh/$files2
  done


New User Tutorial: Basic SSH


If you have an account on a cPanel server with shell access or your own VPS or Dedicated server running Linux then SSH is a powerful tool to have in your skill set.

SSH (aka Secure Shell) is a way of logging into your server from a remote computer such as your home desktop or laptop. The connection is encrypted end to end, so both the commands you type and the output you receive are protected in transit, and the server's host key lets your client check that it is talking to the machine you meant.

The most common type of connection that our support department uses is to SSH into a server as the root user. Logging in as root allows you to make system-wide changes, restart important services, and perform many other tasks that only the root user is allowed to do (by default).

If you are going to initiate your remote connection from a Linux or Mac OS X computer you can start using SSH by opening up the Terminal application. Linux users should know how to find the terminal, and Mac OS X users need only open their Applications folder and then the Utilities folder to find Terminal. SSH was historically not built into Windows, so older versions need a separate client such as PuTTY; Windows 10 (1809 and later) and Windows 11 ship an OpenSSH client, and the same ssh commands shown here work from PowerShell or the command prompt.

Once your terminal is open you can start your SSH session as root using the following command, in the form ssh root@hostname, replacing hostname with your server's hostname or IP address:

This command tells your computer: open a new SSH session to the named server, and log in there as the user root.

If this is your first time connecting to the server using this hostname your SSH client will ask if you are sure you want to connect to a new, previously unknown host, and it will show you the server's host key fingerprint. Compare that fingerprint with one obtained from your hosting control panel or console before answering; accepting it blindly means a machine impersonating your server would be accepted just the same. Say yes and you will be prompted for the root account's password (or simply, root password). After you have typed in the password and it is accepted you will be logged in to the server as the root user.

Before you continue, it is important to note that logging in to a server as root is a powerful but also potentially DANGEROUS system administration tool. The root user is allowed to change or delete practically everything on a server without any type of warning or confirmation of the changes being made. Always back up a file before you modify it, for example with cp file file.bak:

For new shell users, the command cp file file.bak breaks down like so:

The prompt. Shows you your username and the name of the server you are logged into. For example, if you were logged into a server called webstuff1 and your username was bill, your prompt might display bill@webstuff1. The prompt also indicates the directory you are currently looking at/working in (your home directory is usually shown as ~).

cp: The copy command. Tells the server to copy the file to a new file with a different name, or the same name but in a different location (path).

file: The file you are about to modify, and therefore want a copy of.

file.bak: The new copy of the file that will be created. You can also specify a new location like /home/username/file.bak.

To review, the above command creates a copy of file in the same location as the original and calls it file.bak. Use cp -p to keep the original's permissions on the copy: a backup of a file that only root may read should not end up world-readable.
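As an added illustration (not from the original tutorial), here is the same back-up-before-editing idea as a small Python helper. It goes one step further than the plain cp command: it refuses to overwrite an earlier backup, re-applies the original's ownership and permission bits so a root-only file does not get a world-readable copy, and verifies the copy before reporting success. The file and its contents in demo() are constructed sample data.

```python
import filecmp
import os
import shutil
import tempfile


def backup_file(path):
    """Copy `path` to `path.bak` (or `path.bak.N` if that exists) and return the backup path.

    Added example, not part of the original tutorial. It never clobbers an existing
    backup, keeps the original's mode bits and owner, and verifies the copy.
    """
    if not os.path.isfile(path):
        raise FileNotFoundError(f"{path} is not a regular file")
    dest = path + ".bak"
    n = 1
    while os.path.lexists(dest):            # never overwrite an earlier rollback point
        dest = f"{path}.bak.{n}"
        n += 1
    st = os.stat(path)
    shutil.copy2(path, dest)                # copy2 keeps mode bits and timestamps ...
    try:
        os.chown(dest, st.st_uid, st.st_gid)  # ... but never ownership, so re-apply it
    except PermissionError:
        pass                                # unprivileged user: owner stays the caller
    os.chmod(dest, st.st_mode & 0o7777)     # a 600 sshd_config must not become a 644 backup
    if not filecmp.cmp(path, dest, shallow=False):
        os.remove(dest)
        raise IOError(f"verification of {dest} failed")
    return dest


def demo():
    """Run backup_file twice on a constructed file (sample data, not a real config)."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "sshd_config")
        with open(cfg, "w") as f:
            f.write("Port 22\nPasswordAuthentication yes\n")
        os.chmod(cfg, 0o600)
        first = backup_file(cfg)
        second = backup_file(cfg)           # must land in sshd_config.bak.1
        same_mode = (os.stat(first).st_mode & 0o777) == 0o600
        return (os.path.basename(first), os.path.basename(second), same_mode)


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the two backup names and the preserved mode; backup_file() itself is what you would call before editing a live file.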

If this is your first time using a shell interface, be sure to check out part two of the New User Tutorial series:Basic Shell Commands.

You can also set up SSH keys for easier authentication, restart some services from the command line, change the SSH port to a different port number, learn how to use pipes to send the output from one command to another command, or even tell SSH to stop allowing the root user to connect.



SSH Essentials: Working with SSH Servers, Clients, and Keys

SSH is a secure protocol used as the primary means of connecting to Linux servers remotely. It provides a text-based interface by spawning a remote shell. After connecting, all commands you type in your local terminal are sent to the remote server and executed there.

In this cheat sheet-style guide, we will cover some common ways of connecting with SSH to achieve your objectives. This can be used as a quick reference when you need to know how to connect to or configure your server in different ways.

Read the SSH Overview section first if you are unfamiliar with SSH in general or are just getting started.

Use whichever subsequent sections are applicable to what you are trying to achieve. Most sections are not predicated on any other, so you can use the examples below independently.


Copy and paste the command-line examples given, substituting your own values for the placeholders.

The most common way of connecting to a remote Linux server is through SSH. SSH stands for Secure Shell and provides a safe and secure way of executing commands, making changes, and configuring services remotely. When you connect through SSH, you log in using an account that exists on the remote server.

When you connect through SSH, you will be dropped into a shell session, which is a text-based interface where you can interact with your server. For the duration of your SSH session, any commands that you type into your local terminal are sent through an encrypted SSH tunnel and executed on your server.

The SSH connection is implemented using a client-server model. This means that for an SSH connection to be established, the remote machine must be running a piece of software called an SSH daemon. This software listens for connections on a specific network port, authenticates connection requests, and spawns the appropriate environment if the user provides the correct credentials.

The user's computer must have an SSH client. This is a piece of software that knows how to communicate using the SSH protocol and can be given the remote host to connect to, the username to use, and the credentials that should be passed to authenticate. The client can also specify certain details about the connection type it would like to establish.

Clients generally authenticate either using passwords (less secure and not recommended) or SSH keys, which are very secure.

Password logins are encrypted and are easy to understand for new users. However, automated bots and malicious users will often repeatedly try to authenticate to accounts that allow password-based logins, which can lead to security compromises. For this reason, we recommend always setting up SSH key-based authentication for most configurations.
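Added example, not part of the original guide: a small Python triage script for the brute-force pattern described above. It counts failed password attempts per source address in OpenSSH's auth.log message format and flags any address that later succeeds after many failures, which is the case worth paging on. The log lines are constructed samples in the real sshd wording, not captured traffic, and the threshold of five is an arbitrary choice.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in OpenSSH's auth.log format (not real traffic).
SAMPLE_LOG = """\
Mar  3 10:01:12 web1 sshd[2190]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Mar  3 10:01:14 web1 sshd[2190]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Mar  3 10:01:15 web1 sshd[2193]: Failed password for root from 203.0.113.5 port 40118 ssh2
Mar  3 10:01:17 web1 sshd[2195]: Failed password for invalid user oracle from 203.0.113.5 port 40121 ssh2
Mar  3 10:01:19 web1 sshd[2197]: Failed password for invalid user test from 203.0.113.5 port 40130 ssh2
Mar  3 10:01:20 web1 sshd[2199]: Failed password for root from 203.0.113.5 port 40133 ssh2
Mar  3 10:02:01 web1 sshd[2210]: Failed password for demo from 198.51.100.7 port 50022 ssh2
Mar  3 10:02:05 web1 sshd[2210]: Accepted publickey for demo from 198.51.100.7 port 50022 ssh2: ED25519 SHA256:abc123
Mar  3 10:03:40 web1 sshd[2230]: Accepted password for root from 203.0.113.5 port 40200 ssh2
"""

# "invalid user" is logged when the account does not exist at all; both forms count.
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def analyze(log_text, threshold=5):
    """Return (suspects, successes_after_failures).

    suspects maps source IP -> (failure count, sorted usernames tried) for every
    address at or above `threshold`; successes_after_failures lists
    (ip, user, method) for logins accepted from an address already over the threshold.
    """
    failures = Counter()
    users = defaultdict(set)
    success_after_fail = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED.search(line)
        if m and failures[m["ip"]] >= threshold:     # Counter returns 0 for unseen IPs
            success_after_fail.append((m["ip"], m["user"], m["method"]))
    suspects = {ip: (n, sorted(users[ip])) for ip, n in failures.items() if n >= threshold}
    return suspects, success_after_fail


if __name__ == "__main__":
    suspects, hits = analyze(SAMPLE_LOG)
    for ip, (count, names) in suspects.items():
        print(f"{ip}: {count} failed password attempts, users tried: {', '.join(names)}")
    for ip, user, method in hits:
        print(f"ALERT: {ip} logged in as {user} via {method} after repeated failures")
```

With password authentication disabled (see the server configuration section below) the "Failed password" lines stop appearing entirely, which is the simplest way to make this alert quiet.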

SSH keys are a matching set of cryptographic keys which can be used for authentication. Each set contains a public and a private key. The public key can be shared freely without concern, while the private key must be vigilantly guarded and never exposed to anyone.

To authenticate using SSH keys, a user must have an SSH key pair on their local computer. On the remote server, the public key must be copied to a file within the user's home directory at ~/.ssh/authorized_keys. This file contains a list of public keys, one per line, that are authorized to log into this account.

When a client connects to the host wishing to use SSH key authentication, it tells the server which public key it intends to use. The server checks its authorized_keys file for that key and, if it is listed, requires the client to prove possession of the matching private key. In SSH protocol version 2 (RFC 4252) that proof is a digital signature: the client signs a message made up of the session identifier (a value derived from this connection's key exchange, so it differs for every connection) together with the username, the service name, the authentication method and the public key itself, and sends the signature to the server.

The server rebuilds the same message from what it already knows and verifies the signature with the public key from authorized_keys. Only the holder of the private key could have produced it, and because the session identifier is part of the signed data, a signature captured from one connection cannot be replayed on another. The older scheme sometimes described for SSH, in which the server encrypts a random challenge to the public key and the client returns an MD5 hash of the decrypted value and the session ID, belongs to the obsolete SSH protocol version 1 and is not used by current servers.
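To make the exchange above concrete, the following is an added Python example (not code from the guide or from OpenSSH) that builds the exact byte string the client signs in SSH-2 publickey authentication (RFC 4252, section 7) and looks up the offered key in an authorized_keys file, honouring option prefixes such as command= and restrict. The signature itself and its verification are done by the key algorithm (Ed25519, RSA, ECDSA) and are not implemented here. The key blobs and the authorized_keys text are constructed samples, not real keys.

```python
import base64
import shlex
import struct

SSH_MSG_USERAUTH_REQUEST = 50
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


def ssh_string(data):
    """Encode bytes as an SSH 'string': uint32 big-endian length, then the bytes (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def userauth_signed_data(session_id, username, pk_alg, pk_blob, service=b"ssh-connection"):
    """The bytes the client signs and the server verifies (RFC 4252, section 7).

    The session identifier goes first, so the same signature is useless on any
    other connection; everything after it is the SSH_MSG_USERAUTH_REQUEST body.
    """
    return (ssh_string(session_id)
            + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(username)
            + ssh_string(service)
            + ssh_string(b"publickey")
            + b"\x01"                       # boolean TRUE: a signature follows
            + ssh_string(pk_alg)
            + ssh_string(pk_blob))


def parse_authorized_keys_line(line):
    """Return (options, keytype, blob, comment) or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = shlex.split(line)              # handles command="... with spaces"
    if fields[0].startswith(KEY_TYPE_PREFIXES):
        options, rest = [], fields
    else:                                   # commas inside a quoted command would need a fuller parser
        options, rest = fields[0].split(","), fields[1:]
    if len(rest) < 2:
        return None
    return options, rest[0], base64.b64decode(rest[1]), " ".join(rest[2:])


def lookup_authorized_key(authorized_keys_text, pk_blob):
    """Return the option list of the line whose key blob equals the offered one, else None.

    Matching is on the blob (which embeds its own key type), not on the algorithm name
    the client sends: an RSA key offered as rsa-sha2-256 still lives on an ssh-rsa line.
    """
    for line in authorized_keys_text.splitlines():
        parsed = parse_authorized_keys_line(line)
        if parsed and parsed[2] == pk_blob:
            return parsed[0]
    return None


# Constructed blobs in the ssh-ed25519 wire layout (string type, string 32-byte key); not real keys.
DEMO_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
OTHER_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))

DEMO_AUTHORIZED_KEYS = f"""\
# keys allowed to log in as this account (constructed sample)
ssh-ed25519 {base64.b64encode(OTHER_BLOB).decode()} alice@laptop
command="/usr/local/bin/backup.sh",restrict ssh-ed25519 {base64.b64encode(DEMO_BLOB).decode()} backup@client
"""

if __name__ == "__main__":
    data = userauth_signed_data(b"S" * 32, b"demo", b"ssh-ed25519", DEMO_BLOB)
    print(len(data), "bytes to sign; options for the offered key:",
          lookup_authorized_key(DEMO_AUTHORIZED_KEYS, DEMO_BLOB))
```

On the server side the lookup happens first; only if the blob is found does sshd bother verifying the signature over userauth_signed_data(), and the options it found are what later enforce a forced command or the restrict flag.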

Now that you know how SSH works, we can begin to discuss some examples to demonstrate different ways of working with SSH

This section will cover how to generate SSH keys on a client machine and distribute the public key to servers where they should be used. This is a good section to start with if you have not previously generated keys due to the increased security that it allows for future connections.

Generating a new SSH public and private key pair on your local computer is the first step towards authenticating with a remote server without a password. Unless there is a good reason not to, you should always authenticate using SSH keys.

A number of cryptographic algorithms can be used to generate SSH keys, including RSA, ECDSA and Ed25519. This guide uses RSA, which every server supports and which was ssh-keygen's default for many years; OpenSSH 9.5 and later default to Ed25519 (ssh-keygen -t ed25519), which gives smaller keys and faster operations. DSA keys are obsolete: OpenSSH has refused them by default since 7.0 and dropped support entirely in 9.8, so do not create new ones.

To generate an RSA key pair on your local computer, type:

This prompt allows you to choose the location to store your RSA private key. Press ENTER to leave this as the default, which will store the keys in the .ssh hidden directory in your user's home directory. Leaving the default location selected will allow your SSH client to find the keys automatically.

The next prompt allows you to enter a passphrase of an arbitrary length to secure your private key. By default, you will have to enter any passphrase you set here every time you use the private key, as an additional security measure. Feel free to press ENTER to leave this blank if you do not want a passphrase. Keep in mind though that the passphrase is what protects the key file at rest: without one, anyone who obtains a copy of your private key (from a backup, a stolen laptop or a compromised account) can log in to your servers with it.

If you choose to enter a passphrase, nothing will be displayed as you type. This is a security precaution.

Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
8c:e9:7c:fa:bf:c4:e5:9c:c9:b8:60:1f:fe:1c:d3:8a
The key's randomart image is:
+--[ RSA 2048]----+
(randomart image)
+-----------------+

This procedure has generated an RSA SSH key pair, located in the .ssh hidden directory within your user's home directory. These files are:

id_rsa: The private key. DO NOT SHARE THIS FILE!

id_rsa.pub: The associated public key. This can be shared freely without consequence.

Generate an SSH Key Pair with a Larger Number of Bits

RSA keys generated by ssh-keygen are 3072 bits by default in current OpenSSH (2048 in older releases, as in the output above). This is generally considered sufficient, but you can specify a greater number of bits for a more conservative key.

To do this, include the -b argument with the number of bits you would like. 4096-bit RSA keys are accepted by virtually every server. Going beyond that buys little in practice: key exchange and signing get slower, and some servers cap the key size they will accept. Note also that OpenSSH refuses RSA keys shorter than 1024 bits, and since 8.8 no longer accepts the legacy SHA-1 "ssh-rsa" signature scheme (existing RSA keys keep working through the rsa-sha2-256/512 schemes):

If you had previously created a different key, you will be asked if you wish to overwrite your previous key:

If you choose yes, your previous key will be overwritten and you will no longer be able to log into servers using that key. Because of this, be sure to overwrite keys with caution.

If you have generated a passphrase for your private key and wish to change or remove it, you can do so easily.

Note: To change or remove the passphrase, you must know the original passphrase. If you have lost the passphrase to the key, there is no recourse and you will have to generate a new key pair.

To change or remove the passphrase, simply type:

You can type the location of the key you wish to modify or press ENTER to accept the default value:

Enter the old passphrase that you wish to change. You will then be prompted for a new passphrase:

Here, enter your new passphrase or press ENTER to remove the passphrase.

Each SSH key pair shares a single cryptographic fingerprint, a hash of the public key, which can be used to identify the key. It is the same whether computed from the private or the public key file, so it is a safe way to refer to a key without sharing it.

To find out the fingerprint of an SSH key, type:

You can press ENTER if that is the correct location of the key, else enter the revised location. You will be given a string which contains the bit length of the key, the fingerprint, the comment (usually the account and host it was created for), and the algorithm used. Current ssh-keygen prints SHA256 fingerprints in base64; pass -E md5 to get the older colon-separated MD5 form when you need to compare against older records:

To copy your public key to a server, allowing you to authenticate without a password, a number of approaches can be taken.

If you currently have password-based SSH access configured to your server, and you have the ssh-copy-id utility installed, this is a simple process. The ssh-copy-id tool is included in many Linux distributions' OpenSSH packages, so it very likely is installed by default.

If you have this option, you can easily transfer your public key by typing:

This will prompt you for the user accounts password on the remote system:

The authenticity of host ( can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
.11.111's password:

After typing in the password, the contents of your ~/.ssh/id_rsa.pub key will be appended to the end of the user account's ~/.ssh/authorized_keys file:

Number of key(s) added: 1

Now try logging into the machine, with: ssh .11.111
and check to make sure that only the key(s) you wanted were added.

You can now log into that account without a password:

If you do not have the ssh-copy-id utility available, but still have password-based SSH access to the remote server, you can copy the contents of your public key in a different way.

You can output the contents of the key and pipe it into the ssh command. On the remote side, you can ensure that the ~/.ssh directory exists, and then append the piped contents into the ~/.ssh/authorized_keys file:

You will be asked to supply the password for the remote account:

The authenticity of host ( can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
.11.111's password:

After entering the password, your key will be copied, allowing you to log in without a password:

If you do not have password-based SSH access available, you will have to add your public key to the remote server manually.

On your local machine, you can find the contents of your public key file by typing:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqql6MzstZYh1TmWWv11q5O3pISj2ZFl9HgH1JLknLLx44+tXfJ7mIrKNxOOwxIxvcBF8PXSYvobFYEZjGIVCEAjrUzLiIxbyCoxVyle7Q+bqgZ8SeeM8wzytsY+dVGcBxF6N4JS+zVk5eMcV385gG3Y6ON3EG112n6d+SMXY0OEBIcO6x+PnUSGHrSgpBgX7Ks1r7xqFa7heJLLt2 demo@test

You can copy this value, and manually paste it into the appropriate location on the remote server. You will have to log into the remote server through other means (like the DigitalOcean web console).

On the remote server, create the ~/.ssh directory if it does not already exist:

Afterwards, you can create or append to the ~/.ssh/authorized_keys file by typing the command below. Make sure ~/.ssh is mode 700 and authorized_keys is mode 600, both owned by the account: sshd's StrictModes check (on by default) silently ignores keys in files or directories that other users could write to, which is a common reason a freshly pasted key "does not work":

You should now be able to log into the remote server without a password.

The following section will cover some of the basics about how to connect to a server with SSH.

To connect to a remote server and open a shell session there, you can use thesshcommand.

The simplest form assumes that your username on your local machine is the same as that on the remote server. If this is true, you can connect using:

If your username is different on the remote server, you need to pass the remote user's name like this:

Your first time connecting to a new host, you will see a message that looks like this:

The authenticity of host ( can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes

Type yes to accept the authenticity of the remote host, ideally after checking the fingerprint shown against one obtained from the provider's console or from the server's /etc/ssh/ssh_host_*_key.pub files.

If you are using password authentication, you will be prompted for the password for the remote account here. If you are using SSH keys, you will be prompted for your private keys passphrase if one is set, otherwise you will be logged in automatically.

To run a single command on a remote server instead of spawning a shell session, you can add the command after the connection information, like this:

This will connect to the remote host, authenticate with your credentials, and execute the command you specified. The connection will immediately close afterwards.

By default the SSH daemon on a server runs on port 22. Your SSH client will assume that this is the case when trying to connect. If your SSH server is listening on a non-standard port (this is demonstrated in a later section), you will have to specify the new port number when connecting with your client.

You can do this by specifying the port number with the-poption:

To avoid having to do this every time you log into your remote server, you can create or edit a configuration file in the ~/.ssh directory within the home directory of your local computer.

Edit or create the file now by typing:

In here, you can set host-specific configuration options. To specify your new port, use a format like this:

This will allow you to log in without specifying the specific port number on the command line.

If you have a passphrase on your private SSH key, you will be prompted to enter the passphrase every time you use it to connect to a remote host.

To avoid having to repeatedly do this, you can run an SSH agent. This small utility holds your decrypted private key in memory after you have entered the passphrase for the first time and answers signing requests on your behalf; the key itself never leaves the agent. It will be available for the duration of your terminal session, allowing you to connect in the future without re-entering the passphrase. Keep in mind that anyone with root on your machine, or with access to the agent's socket, can use the loaded key for as long as it stays loaded.

This is also important if you need to forward your SSH credentials (shown below).

To start the SSH Agent, type the following into your local terminal session:

This will start the agent program and place it into the background. Now, you need to add your private key to the agent, so that it can manage your key:

You will have to enter your passphrase (if one is set). Afterwards, your identity file is added to the agent, allowing you to use your key to sign in without having re-enter the passphrase again.

If you wish to be able to connect without a password to one server from within another server, you will need to forward your SSH agent. This will allow you to authenticate to another server through the server you are connected to, using the key held by the agent on your local computer.

To start, you must have your SSH agent started and your SSH key added to the agent (see above). After this is done, you need to connect to your first server using the-Aoption. This forwards your credentials to the server for this session:

From here, you can SSH into any other host that your SSH key is authorized to access. You will connect as if your private SSH key were located on this server. Forward your agent only to hosts you trust: while you are connected, root on the intermediate server (or anyone who can reach the forwarded agent socket there) can use your key to authenticate elsewhere as you, although they cannot copy the key itself. If all you need is to reach a host that sits behind another, ssh -J jumphost target (ProxyJump) gets you there without exposing the agent to the intermediate machine at all.

This section contains some common server-side configuration options that can shape the way that your server responds and what types of connections are allowed.

If you have SSH keys configured, tested, and working properly, it is probably a good idea to disable password authentication. This will prevent any user from signing in with SSH using a password.

To do this, connect to your remote server and open the /etc/ssh/sshd_config file with root or sudo privileges:

Inside of the file, search for the PasswordAuthentication directive. If it is commented out, uncomment it. Set it to no to disable password logins:

After you have made the change, save and close the file. Check the file for syntax errors with sshd -t before going further; a broken configuration can leave the daemon unable to start. Then restart (or reload) the SSH service to implement the changes. Keep your current session open and confirm that a fresh key-based login still works before you close it: existing connections survive a restart, so that session is your safety net if something is wrong.

Now, all accounts on the system will be unable to log in with SSH using passwords. If a few accounts genuinely still need password logins, keep the global setting at no and re-enable it for those accounts only, in a Match User or Match Group block at the end of sshd_config.

Some administrators suggest that you change the default port that SSH runs on. This can help decrease the number of authentication attempts your server is subjected to from automated bots.

To change the port that the SSH daemon listens on, you will have to log into your remote server. Open the sshd_config file on the remote system with root privileges, either by logging in with that user or by using sudo:

Once you are inside, you can change the port that SSH runs on by finding the Port 22 specification and modifying it to reflect the port you wish to use. For instance, to change the port to 4444, put this in your file:

Save and close the file when you are finished. Check it with sshd -t, then restart the SSH daemon. Before you restart, make sure the new port will actually be reachable: open it in the host firewall (and in any cloud security group), and on SELinux systems tell the policy about it with semanage port -a -t ssh_port_t -p tcp 4444, otherwise sshd will not be allowed to bind it. Some distributions socket-activate sshd (recent Ubuntu releases, for example); there the listening port is configured in the systemd ssh.socket unit, and a Port directive in sshd_config alone has no effect.

After the daemon restarts, you will need to connect by specifying the port number (demonstrated in an earlier section). Changing the port reduces the log noise from bots that only scan port 22, but it is not a security control in itself: a port scan finds the new port in seconds, so key-only authentication and the other restrictions in this section still matter.

To explicitly limit the user accounts who are able to login through SSH, you can take a few different approaches, each of which involve editing the SSH daemon config file.

On your remote server, open this file now with root or sudo privileges:

The first method of specifying the accounts that are allowed to login is using the AllowUsers directive. Search for the AllowUsers directive in the file. If one does not exist, create it anywhere. After the directive, list the user accounts that should be allowed to login through SSH:

Save and close the file. Restart the daemon to implement your changes.

If you are more comfortable with group management, you can use the AllowGroups directive instead. If this is the case, just add a single group that should be allowed SSH access (we will create this group and add members momentarily). If you set both AllowUsers and AllowGroups, a user must satisfy every directive that is present; sshd evaluates DenyUsers, AllowUsers, DenyGroups and AllowGroups in that order:

Now, you can create a system group matching the name you specified by typing:

Make sure that you add whatever user accounts you need to this group. This can be done by typing:

Now, restart the SSH daemon to implement your changes.

It is often advisable to completely disable root login through SSH after you have set up an SSH user account that has sudo privileges.

To do this, open the SSH daemon configuration file with root or sudo on your remote server.

Inside, search for a directive called PermitRootLogin. If it is commented, uncomment it. Change the value to no:

Save and close the file. To implement your changes, restart the SSH daemon.

There are some cases where you might want to disable root access generally, but enable it in order to allow certain applications to run correctly. An example of this might be a backup routine.

This can be accomplished through the root user's authorized_keys file, which contains SSH keys that are authorized to use the account.

Add the key from your local computer that you wish to use for this process (we recommend creating a new key for each automatic process) to the root user's authorized_keys file on the server. We will demonstrate with the ssh-copy-id command here, but you can use any of the methods of copying keys we discuss in other sections:

Now, log into the remote server. We will need to adjust the entry in the authorized_keys file, so open it with root or sudo access:

At the beginning of the line with the key you uploaded, add a command= listing that defines the command that this key is valid for. This should include the full path to the executable, plus any arguments. Add the restrict option on the same line (separated by a comma) to also turn off port forwarding, agent forwarding, X11 forwarding and PTY allocation for that key, so the key can do nothing but run the forced command. Whatever command the client asked for is passed to the forced command in the SSH_ORIGINAL_COMMAND environment variable, which a wrapper script can inspect and reject:

Save and close the file when you are finished.

Now, open the sshd_config file with root or sudo privileges:

Find the directive PermitRootLogin, and change the value to forced-commands-only. This will only allow SSH key logins to use root when a command has been specified for the key (the current default, prohibit-password, also permits root key logins, but without requiring a forced command):

Save and close the file. Restart the SSH daemon to implement your changes.
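Added example (not from the guide): a Python audit of the server-side settings discussed in this section. It reads sshd_config the way sshd does (the first occurrence of a directive wins, keywords are case-insensitive, directives under a Match line apply only to matching connections) and reports settings that diverge from the hardened values recommended above, using current OpenSSH defaults where a directive is absent. The two configuration texts are constructed samples, and the list of directives checked is a deliberately short one.

```python
import re

# Directive -> (acceptable values, OpenSSH default when absent, why it matters).
# Defaults are current OpenSSH's; PermitRootLogin has defaulted to prohibit-password since 7.0.
CHECKS = {
    "passwordauthentication": (("no",), "yes", "password logins invite brute forcing; use keys"),
    "permitrootlogin": (("no", "prohibit-password", "forced-commands-only"), "prohibit-password",
                        "interactive root password login must be off"),
    "pubkeyauthentication": (("yes",), "yes", "key authentication must stay enabled"),
    "permitemptypasswords": (("no",), "no", "empty passwords are never acceptable"),
    "x11forwarding": (("no",), "no", "enable only where X forwarding is actually needed"),
}


def effective_sshd_config(text):
    """Return (global directives, [(match criteria, directives), ...]).

    Mirrors sshd's parsing rules: '#' lines are comments, keyword and value are
    separated by whitespace or '=', keywords are case-insensitive, and for each
    keyword the FIRST occurrence wins (later duplicates are ignored, not overrides).
    """
    global_conf, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s*(?:=|\s)\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":                      # everything below belongs to this block
            current = (value, {})
            match_blocks.append(current)
            continue
        target = current[1] if current is not None else global_conf
        target.setdefault(key, value)           # first occurrence wins
    return global_conf, match_blocks


def audit_sshd_config(text):
    """List (directive, effective value, explanation) for every check that fails,
    plus ('match', criteria, explanation) for Match blocks that loosen a checked directive."""
    conf, matches = effective_sshd_config(text)
    findings = []
    for key, (acceptable, default, why) in CHECKS.items():
        value = conf.get(key, default).lower()
        if value not in acceptable:
            origin = "set explicitly" if key in conf else "OpenSSH default"
            findings.append((key, value, f"{origin}; want {' or '.join(acceptable)}: {why}"))
    for criteria, block in matches:
        for key in CHECKS:
            if key in block:
                findings.append(("match", criteria,
                                 f"overrides {key} to {block[key]} for connections matching '{criteria}'"))
    return findings


# Constructed sample files, not taken from any real server.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# the line below is ignored by sshd: the first PasswordAuthentication wins
PasswordAuthentication no
X11Forwarding yes
"""

HARDENED_CONFIG = """\
Port 4444
PermitRootLogin forced-commands-only
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "no findings")
```

Run it against a copy of /etc/ssh/sshd_config before and after your changes; the Match finding is informational, since a scoped exception such as the one for the backup account above is often exactly what you intended.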

The SSH daemon can be configured to automatically forward the display of X applications on the server to the client machine. For this to function correctly, the client must have an X windows system configured and enabled.

To enable this functionality, log into your remote server and edit the sshd_config file as root or with sudo privileges:

Search for the X11Forwarding directive. If it is commented out, uncomment it. Create it if necessary and set the value to yes:

Save and close the file. Restart your SSH daemon to implement these changes.

To connect to the server and forward an application's display, you have to pass the -X option from the client upon connection. Prefer -X (untrusted forwarding, which restricts what the remote application may do with your display) over -Y (trusted forwarding, which lets any application on the server read your local keystrokes and screen); note that some distributions, Debian and Ubuntu among them, ship ForwardX11Trusted yes in ssh_config, which makes -X behave like -Y unless you override it:

Graphical applications started on the server through this session should be displayed on the local computer. The performance might be a bit slow, but it is very helpful in a pinch.

In the next section, well focus on some adjustments that you can make on the client side of the connection.

On your local computer, you can define individual configurations for some or all of the servers you connect to. These can be stored in the ~/.ssh/config file, which is read by your SSH client each time it is called.

Create or open this file in your text editor on your local computer:

Inside, you can define individual configuration options by introducing each with a Host keyword, followed by an alias. Beneath this and indented, you can define any of the directives found in the ssh_config man page:

You could then connect to that host on port 4444 using the username demo by simply typing:

You can also use wildcards to match more than one host. Keep in mind that ssh uses the FIRST value it finds for each option and ignores later ones, so put your most specific Host entries at the top and general defaults (Host *) at the bottom. For instance, you could default all connections to not allow X forwarding, with an override for example.com, by placing the example.com entry before the Host * entry:

Save and close the file when you are finished.
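Added example (not from the guide): a Python resolver that applies ssh_config's matching rules, so you can see for yourself why section order matters. Options before the first Host line apply everywhere, a section applies when the host matches one of its patterns and none of its "!" patterns, and the first value obtained for each keyword is kept. Both configuration texts are constructed, including the hostname testhost.example.com; wildcard matching uses fnmatch, which also accepts "[...]" classes that ssh does not.

```python
import fnmatch
import re


def parse_ssh_config(text):
    """Return [(patterns, options), ...] in file order; options given before any
    Host line are kept in a leading section that matches every host."""
    sections = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s*(?:=|\s)\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            sections.append((value.split(), {}))
        else:
            sections[-1][1].setdefault(key, value)   # first value within a section wins too
    return sections


def resolve(text, host):
    """Effective options for `host`, exactly as ssh would compute them:
    walk sections in order, keep the FIRST value seen for each keyword."""
    host = host.lower()                             # ssh matches Host patterns case-insensitively
    result = {}
    for patterns, options in parse_ssh_config(text):
        negated = [p[1:].lower() for p in patterns if p.startswith("!")]
        positive = [p.lower() for p in patterns if not p.startswith("!")]
        if any(fnmatch.fnmatchcase(host, p) for p in negated):
            continue
        if not any(fnmatch.fnmatchcase(host, p) for p in positive):
            continue
        for key, value in options.items():
            result.setdefault(key, value)
    return result


# Constructed sample: specific hosts first, defaults last (the order ssh needs).
CORRECT_ORDER = """\
Host testhost
    HostName testhost.example.com
    Port 4444
    User demo

Host example.com
    ForwardX11 yes

# general defaults go last, because ssh keeps the first value it finds
Host *
    ForwardX11 no
"""

# Same intent, wrong order: Host * is reached first, so example.com never gets ForwardX11 yes.
WRONG_ORDER = """\
Host *
    ForwardX11 no

Host example.com
    ForwardX11 yes
"""

if __name__ == "__main__":
    for cfg_name, cfg in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(cfg_name, "example.com ->", resolve(cfg, "example.com").get("forwardx11"))
    print("testhost ->", resolve(CORRECT_ORDER, "testhost"))
```

ssh -G hostname prints the real client's resolved configuration for a host, which is the quickest way to confirm an ordering problem on your own file.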

If you find yourself being disconnected from SSH sessions before you are ready, it is possible that your connection is timing out.

You can configure your client to send a packet to the server every so often in order to avoid this situation:

On your local computer, you can configure this for every connection by editing your ~/.ssh/config file. Open it now:

If one does not already exist, add a Host * section at the end of the file (after any host-specific sections, since ssh keeps the first value it finds for each option). Set ServerAliveInterval to 120 to send a keepalive packet to the server every two minutes. This should be enough to keep intermediate firewalls and NAT devices from dropping the idle connection. If three consecutive probes go unanswered (ServerAliveCountMax, default 3) the client disconnects, which is also a reasonable way to notice a dead link:

Save and close the file when you are finished.

By default, whenever you connect to a new server, you will be shown the remote SSH daemons host key fingerprint.

The authenticity of host ( can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes

This is configured so that you can verify the authenticity of the host you are attempting to connect to and spot instances where a malicious user may be trying to masquerade as the remote host.

In certain circumstances, you may wish to disable this feature. Note: This is a big security risk, because it removes the only check that the machine answering is the one you meant to talk to; a man-in-the-middle can then read and alter the whole session, including any password you type. Prefer StrictHostKeyChecking accept-new (OpenSSH 7.6 and later), which records a host's key on first contact but still refuses to connect when a known host's key changes, and make sure you know what you are doing if you set your system up as shown here.

To make the change, open the ~/.ssh/config file on your local computer:

If one does not already exist, define a Host * section at the end of the file. Set the StrictHostKeyChecking directive to no to add new hosts automatically to the known_hosts file. Set UserKnownHostsFile to /dev/null to not warn on new or changed hosts:

You can keep the checking for individual hosts by reversing those options in their own sections. The default for StrictHostKeyChecking is ask. Because ssh keeps the first value it finds for each option, the host-specific section must come before the Host * section:

Host testhost
    HostName
    StrictHostKeyChecking ask
    UserKnownHostsFile /home/

Host *
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
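Added example serving both the "find the fingerprint of a key" section earlier and this host-key section: a Python implementation of what ssh-keygen -l computes (key size, SHA256 fingerprint, legacy MD5 fingerprint) together with a check of hashed known_hosts entries, so a fingerprint obtained from the provider's console can be compared against what the client shows before you type yes, and so you can tell whether a hashed known_hosts line refers to a given hostname. This is not ssh-keygen's code. The RSA public key is constructed from an arbitrary odd modulus purely to exercise the wire format and is not a usable key; the salt is constructed as well.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data):
    """SSH 'string' encoding: uint32 length then bytes (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def mpint(x):
    """SSH 'mpint' encoding of a non-negative integer: minimal big-endian bytes,
    with a leading 0x00 when the top bit is set so the value is not read as negative."""
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return ssh_string(b)


def read_ssh_string(buf, offset):
    (n,) = struct.unpack_from(">I", buf, offset)
    return buf[offset + 4:offset + 4 + n], offset + 4 + n


def key_bits(blob):
    """Key size as ssh-keygen -l reports it: RSA modulus length, 256 for Ed25519, curve size for ECDSA."""
    keytype, off = read_ssh_string(blob, 0)
    if keytype == b"ssh-rsa":
        _e, off = read_ssh_string(blob, off)          # public exponent
        n, _ = read_ssh_string(blob, off)             # modulus (may carry the 0x00 sign byte)
        return int.from_bytes(n, "big").bit_length()
    if keytype == b"ssh-ed25519":
        return 256
    if keytype.startswith(b"ecdsa-sha2-nistp"):
        return int(keytype[len(b"ecdsa-sha2-nistp"):])
    raise ValueError(f"unsupported key type {keytype!r}")


def fingerprints(pubkey_line):
    """(bits, 'SHA256:...', 'MD5:...', key type, comment) for one public-key line,
    such as a line from ~/.ssh/id_rsa.pub or /etc/ssh/ssh_host_ed25519_key.pub."""
    fields = pubkey_line.split(None, 2)
    keytype, blob = fields[0], base64.b64decode(fields[1])
    comment = fields[2].strip() if len(fields) > 2 else ""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")  # ssh omits padding
    md5 = hashlib.md5(blob).hexdigest()
    md5 = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    return key_bits(blob), "SHA256:" + sha, "MD5:" + md5, keytype, comment


def matches_expected(pubkey_line, expected_fp):
    """Compare a key's fingerprint with one obtained out of band (console, provisioning record)."""
    _, sha, md5, _, _ = fingerprints(pubkey_line)
    return hmac.compare_digest(sha, expected_fp) or hmac.compare_digest(md5, expected_fp)


def hashed_known_hosts_name(hostname, salt):
    """The '|1|salt|hash' host field HashKnownHosts writes: HMAC-SHA1 of the name keyed by the salt."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()


def known_hosts_entry_matches(host_field, hostname):
    """True if a known_hosts host field (plain, comma-separated, or hashed) names `hostname`."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, _ = host_field.split("|", 3)
        return hmac.compare_digest(hashed_known_hosts_name(hostname, base64.b64decode(salt_b64)), host_field)
    return hostname in host_field.split(",")


# Constructed 2048-bit "key": e = 65537 and an arbitrary odd modulus; not a real RSA key.
_FAKE_N = (1 << 2047) | 12345
SAMPLE_RSA_LINE = "ssh-rsa " + base64.b64encode(
    ssh_string(b"ssh-rsa") + mpint(65537) + mpint(_FAKE_N)).decode() + " demo@test"

if __name__ == "__main__":
    bits, sha, md5, keytype, comment = fingerprints(SAMPLE_RSA_LINE)
    print(bits, sha, comment, f"({keytype})")
    print(md5)
    print(hashed_known_hosts_name("server.example.com", bytes(range(20))))
```

To verify a host out of band, run ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub on the server's console and compare its output with what fingerprints() (or the client's prompt) shows for the key the client received; the hashed known_hosts check is what lets you audit an existing known_hosts file for a hostname even after HashKnownHosts has obscured the names.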

Multiplexing SSH Over a Single TCP Connection

There are situations where establishing a new TCP connection can take longer than you would like. If you are making multiple connections to the same machine, you can take advantage of multiplexing.

SSH multiplexing re-uses the same TCP connection for multiple SSH sessions. This removes some of the work necessary to establish a new session, possibly speeding things up. Limiting the number of connections may also be helpful for other reasons.

To set up multiplexing, you can manually set up the connections, or you can configure your client to automatically use multiplexing when available. We will demonstrate the second option here.

To configure multiplexing, edit your SSH clients configuration file on your local machine:

If you do not already have a wildcard host definition, add one now (as Host *, placed after any host-specific sections). We will be setting the ControlMaster, ControlPath, and ControlPersist values to establish our multiplexing configuration.

ControlMaster should be set to auto to automatically allow multiplexing when possible. ControlPath sets the path of the control socket. The first session will create this socket and subsequent sessions will be able to find it because it is labeled by username, host, and port.

Setting the ControlPersist option to 1 will allow the initial master connection to be backgrounded. The 1 specifies that the TCP connection should automatically terminate one second after the last SSH session is closed:

Save and close the file when you are finished. Now, we need to actually create the directory we specified in the control path. Create it with mode 700 and keep it under your own home directory, never in /tmp or another shared location: anyone who can connect to the control socket gets a fully authenticated session as you, with no further credential check:

Now, any sessions that are established with the same machine will attempt to use the existing socket and TCP connection. When the last session exits, the connection will be torn down after one second. You can inspect or tear down a master connection yourself with ssh -O check host and ssh -O exit host.

If for some reason you need to bypass the multiplexing configuration temporarily, you can do so by passing the -S flag with none:

Tunneling other traffic through a secure SSH tunnel is an excellent way to work around restrictive firewall settings. It is also a great way to encrypt otherwise unencrypted network traffic.

SSH connections can be used to tunnel traffic from ports on the local host to ports on a remote host.

A local forward is a way of reaching a network location from your local computer through your remote host. First, an SSH connection is established to your remote host. On the remote server, a connection is made to an external (or internal) network address provided by the user, and traffic to this location is tunneled to a specified port on your local computer.

This is often used to tunnel to a less restricted networking environment by bypassing a firewall. Another common use is to access a localhost-only web interface from a remote location.

To establish a local tunnel to your remote server, you need to use the -L parameter when connecting and you must supply three pieces of additional information:

The local port where you wish to access the tunneled connection.

The host that you want your remote host to connect to.

The port that you want your remote host to connect on.

These are given, in the order above (separated by colons), as arguments to the-Lflag. We will also use the-fflag, which causes SSH to go into the background before executing and the-Nflag, which does not open a shell or execute a program on the remote side.

For instance, to connect toexample.comon port 80 on your remote host, making the connection available on your local machine on port 8888, you could type:

Now, if you point your local web browser to127.0.0.1:8888, you should see whatever content is atexample.comon port 80.

A more general guide to the syntax is:

Since the connection is in the background, you will have to find its PID to kill it. You can do so by searching for the port you forwarded:

You can then kill the process by targeting the PID, which is the number in the second column of the line that matches your SSH command:

Another option is to start the connectionwithoutthe-fflag. This will keep the connection in the foreground, preventing you from using the terminal window for the duration of the forwarding. The benefit of this is that you can easily kill the tunnel by typing CTRL-C.

SSH connections can be used to tunnel traffic from ports on the local host to ports on a remote host.

In a remote tunnel, a connection is made to a remote host. During the creation of the tunnel, aremoteport is specified. This port, on the remote host, will then be tunneled to a host and port combination that is connected to from the local computer. This will allow the remote computer to access a host through your local computer.

This can be useful if you need to allow access to an internal network that is locked down to external connections. If the firewall allows connectionsoutof the network, this will allow you to connect out to a remote machine and tunnel traffic from that machine to a location on the internal network.

To establish a remote tunnel to your remote server, you need to use the-Rparameter when connecting and you must supp
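The local (-L) and remote (-R) forwards described in the two passages above, as an added example that is not part of the original tutorial. The helpers build the command line, start a backgrounded (-f -N) local forward, find the tunnel's PID by the forward spec it was started with (the same thing the ps/kill step does by hand), and tear it down. The user and host "sammy@remote_host", the ports and the ps line in the usage are placeholders.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Helpers for the -L and -R
# forwards described above; "sammy@remote_host" and ports are placeholders.

# Local forward: listener on 127.0.0.1:$1 here, traffic leaves remote_host for
# $2:$3. Binding 127.0.0.1 explicitly keeps the listener off other interfaces.
local_forward_cmd() {  # local_port target_host target_port user@host
  printf 'ssh -f -N -L 127.0.0.1:%s:%s:%s %s' "$1" "$2" "$3" "$4"
}

# Remote forward: listener on the remote host's port $1, traffic arrives here
# and is sent on to $2:$3. The listener stays on the remote's loopback unless
# its sshd has GatewayPorts enabled, which exposes it to the remote's network.
remote_forward_cmd() {  # remote_port target_host target_port user@host
  printf 'ssh -f -N -R %s:%s:%s %s' "$1" "$2" "$3" "$4"
}

# PID column of a `ps aux` line (second field), as the text's kill step needs.
pid_from_ps_line() {
  printf '%s\n' "$1" | awk '{print $2}'
}

# PID of a running local forward matching the spec, or nothing.
local_forward_pid() {  # local_port target_host target_port
  pgrep -f "ssh .*-L 127.0.0.1:$1:$2:$3" | head -n 1
}

tunnel_up() {    # local_port target_host target_port user@host
  eval "$(local_forward_cmd "$@")"
}

tunnel_down() {  # local_port target_host target_port
  pid=$(local_forward_pid "$1" "$2" "$3")
  [ -n "$pid" ] && kill "$pid"
}
```

Usage: `tunnel_up 8888 example.com 80 sammy@remote_host`, browse to 127.0.0.1:8888, then `tunnel_down 8888 example.com 80`. Searching by the full forward spec rather than a bare port number avoids killing an unrelated process whose command line happens to contain "8888".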

Free Webmaster Resources

Welcome to this directory of free webmaster resources. We have links to free resources for webmasters and web developers, such as web hosting, CGI scripts, PHP scripts, JavaScripts, DHTML scripts, Java applets, forums, search engines, FTP software, web log analyzers, web statistics, privacy and security, email, affiliate programs, polls, etc.

Free HTML, Web and WYSIWYG Web Editors

Free Programmers / ASCII Text Editors

Free Online Editors and Integrated Development Environment (IDE)

Free HTML Validators / CSS Validators / Broken Link Validators

Free FTP Clients, Download Managers

Free SSH (Secure Shell) and Telnet Clients

Free News Feed Editors, Builders and Generators

Free Podcasting Software to Publish Podcasts

Free Embedded Web Video Player Scripts/Code

Free Fonts for Programmers, Webmasters and Designers

tofrodos: Free DOS to Unix Text File Converter

Domain Name, DNS and Web Redirection

Free Static and Dynamic DNS Services, Free Nameservers

Free Web / URL Redirection Services

How to Register Your Own Domain Name

Tips on Choosing Your Own Domain Name

Web Hosting: Free Web Hosts and Budget Web Hosts

Free JavaScript, AJAX, DHTML and Web 2.0 Scripts

Free SSL Certificates for Websites/Web Servers

JavaScript: Free Scripts, Tutorials, Articles

Is It Legal to Use Any Piece of Music, Image, or Article for my Website?

Is it Okay to Post YouTube Videos on My Website? (Copyright Question)

How to Create a Logo for Your Site the Quick and Easy Way

Improving Your Affiliate Program Income

How to Accept Credit Cards on Your Website

Website Promotion and Search Engines

Free Blog and News Feed Pinging Services

How to Create a Search Engine Friendly Website

How to Make Your WordPress Blog Search-Engine-Friendly

Your Website's Spelling and the Search Engines

How to Improve Your Search Engine Ranking on Google

Free Web Log Analysers and Web Statistics

Free Web Statistics Services (Remote Hosting)

Free Hit Counter and Website Statistics Perl CGI Scripts

Miscellaneous Free Webmaster Resources

Free JavaScript Minifiers (Minimizers), Obfuscators and Compressors

Free/Open Source Web (HTTP) Server Software

Free Web Hosting Control Panel Software

Free Mail Servers (Email Servers / Mail Transfer Agents)

Free Online Flash Site Builders and Tutorials

Free Translation Software and Services

Free AJAX Libraries, Frameworks, Tools and Resources

How to Install and Configure Apache, PHP, Perl and MySQL on Windows the Easy Way (with XAMPP)

How to Install and Configure Apache 2 on Windows

How to Install Apache 2.2 on Windows Vista

How to Install and Configure PHP 5 to Run with Apache on Windows

How to Set Up a Custom 404 File Not Found Page

Website Promotion / Search Engine Promotion Guides

Website Revenue / Income Making Guides

.htaccess and Apache Web Server Configuration Guides

Reviews of Software / Services for Webmasters

Webmaster Frequently Asked Questions

Free Webmaster Tutorials and Articles - complete index of tutorials

Free Security, Privacy, and Anonymity

Free Image Pop-Up JavaScripts (Where Image Overlays Current Web Page)

Free PHP Compilers: compile PHP scripts to native code, or Java bytecode

Free Image/Photo Slide Show JavaScript

Free GUI Builders, Application Builders and Rapid Application Development (RAD) Software

Free Autorun/Autoplay DVD and CD Menu Creation Software

Free DVD Authoring and Creation Software

What's the Difference Between a Domain Name Registrar and a Web Host?

How to Double-Space Text and Change the Line Spacing on a Web Page (HTML/CSS)

How to Create a Coloured (Colored) Box in HTML/CSS

How to Centre (Center) Text on Your Web Page with CSS

Can You Fix a Typo in a Domain Name After You Register It?

What Should the Width of a Web Page Be?

How to Move Your Website to SSL (ie, Convert from HTTP to HTTPS)

Does the Price of a Domain Depend on the Name Chosen? Why do Some Domains Cost So Much?

Do I Need a Web Editor if I Create a Blog?

How to Insert a YouTube Video into Your Website with Microsoft Expression Web

Free Mobile-Friendly Two Column Layout Wizard

How to Make Your Images Mobile-Friendly (Responsive Design)

How to Make a Mobile-Friendly Website: Responsive Design in CSS

Should I Use a Specialized Blog Host or Install My Own Blog Software?

How to Reserve a Domain Name. Do You Need a Web Host if You Want to Reserve a Domain for Future Use?

What's the Difference Between a Content Management System (CMS), a Blog, a Web Editor and an Online Site Builder?

Should I Learn HTML or Just Use a WYSIWYG Web Editor? Pros and Cons of Using a Visual Web Editor vs Learning HTML

How to Centre a DIV Block Using CSS

What is MySQL? What is a Database? What is SQL?

What is HTML, CSS, JavaScript, PHP and Perl? Do I Need to Learn Them to Create a Website?

How to Boot a CD or DVD in Windows 8.1

How to Change BIOS Settings on a Computer with Windows 8.1 Installed

How to Shut Down Windows 8 (Full Shutdown and Normal Hybrid Shutdown)

How to Set Up a Standard User Account (or Limited Account) on Windows Vista and Windows 7 for Daily Use

How to Back Up Your Hard Disk in Windows

How to Securely Prepare Your Old Computer for Disposal

How to Work Around the Missing Up Arrow Button in Vista's Windows Explorer

How to Create/Start Your Own Website: The Beginner's A-Z Guide

Hard Disk Backup and Restore, Hard Disk Image and Cloning Utilities

Free Data Recovery, File and Partition Recovery, Undelete and Unformat Software

Expression Web Tutorial: How to Design a Website with Microsoft Expression Web

Dreamweaver Tutorial: How to Design a Website with Dreamweaver CS6

BlueGriffon Tutorial: How to Design a Website with BlueGriffon 2

How to Design and Publish Your Website with KompoZer

Keep track of what's new on the site with your news reader by pointing it to thefreecountry.com's news feed. Note: for historical reasons, this column also includes information from thesitewizard.com's news feed and HowToHaven.com's news feed.

Another source of Free Royalty Free Music and Sounds has been added to the site. They have all sorts of sounds and loops that you can use in your commercial multimedia presentations, YouTube videos, animations that you place on a website you made, and so on.

An open source web editor script has been added to the Free Online Web-Based WYSIWYG HTML Editor JavaScripts page. Note that these scripts are meant for existing webmasters who want to give their visitors the ability to type HTML code (for example, into their forms). If you are looking for an editor to create a website, the Free HTML Editors and WYSIWYG Web Editors page is more relevant. You may also want to read How to Make / Design a Website for a detailed step-by-step guide.

Another banner rotation script has been added to the Free Banner Rotation JavaScripts page. You can use it to rotate advertisements, photos (like a slide show), banners, text, or whatever else you want on your website.

New page: How to Double-Space Text and Change the Line Spacing on a Web Page (HTML/CSS). Once again, I'm clearing my backlog of visitor queries on how to accomplish certain things on a website. This time, it is to answer a question on how to add additional space between lines, such as to double-space text, or even the reverse, to reduce the gap. This requires a bit of help from CSS.

New page: How to Create a Coloured (Colored) Box in HTML/CSS. I was asked by a visitor how he could create a coloured box into which he could put some text, to supplement the information given in his main content. This tutorial shows you how to do this with a bit of HTML and CSS.

Another open source text editor has been added to the Free Programmers' Editors, Integrated Development Environment (IDE) and Plain Text Editors page. It runs on Windows, Mac OS X, Linux and FreeBSD.

New page: How to Centre (Center) Text on Your Web Page with CSS. This article deals with how you can centre text on a web page or in a DIV block or box using CSS.

A new open source tabbed file manager has been added to the Free File Managers and Graphical Shells page. Such programs are useful if you feel that the default Windows Explorer lacks certain features (eg the ability to open two windows side-by-side without having to manually position the windows every time, so that you can do things like copy or move files from one folder to another).

New page: The Crucial Task Often Forgotten by New Webmasters (Until It's Too Late). No one likes a nag, but this is not something you want to discover the hard way.

A new open source program was added to the Free Graphical Ping Utilities page. Such software is useful if you want to check if a particular host (ie, machine) on a network (eg, the Internet) is reachable. If you have created your own website, it may even be used to monitor it so as to notify you when it is down or just not reachable.

New page: Can You Fix a Typo in a Domain Name After You Register It? I was asked by a visitor who made a spelling error when buying a domain name whether he could edit the name to fix the typo. This article answers that question.

Those who have made their own website may be interested in the latest addition to the Free HTML/CSS Validators, Broken Link and Website Accessibility Checkers page. It not only checks for broken links, but can also give you some useful information about the pages on your site, for example, how many links have to be clicked before that page can be reached, the number of inbound links pointing to it, etc.

New page: How to Record a Game Video. If you want to record a video of your game playthrough, either for posting to a video sharing site or to put on your own website, you may be interested in this guide. It shows you how you can set up and use free (and open source) software on your computer to record your gameplay.

New page: How to Centre an Image with CSS. Find out how to centre (center) an image along the horizontal axis of your web page using CSS. Note that if you have designed your site using my guide on creating a website, and used one of the visual web editors mentioned, you can also centre it from within the editor (as taught in that guide).

I have added 3 more programs to the Free Screen Video Recorders, Game Recorders and Screen Capture Software page. Two of them can even capture your computer game-playing sessions, while the 3rd sports an incredibly simple user interface that even a novice will find easy (useful for quick recordings to show a friend or relative how to do something).

New page: How to Use Letters and Roman Numerals in Numbered Lists (HTML/CSS Tutorial). I was asked by a visitor how he could use letters of the alphabet instead of numbers in his ordered (numbered) lists. This article answers that question, and also shows you how to switch to Roman numerals, if that is what you prefer.

Two more free services have been added to the Free Video Sharing Hosts page. If you are looking for somewhere to upload your videos (whether they are gameplay videos, home videos or whatever), you can find some of the options here. (The alternative is to get a web host, create a website and host it yourself. It's not as hard as you think.)

For those interested in putting up a forum on their website, where visitors can discuss various topics, 2 new software packages have been added to the Free PHP Forum Scripts page. One is the usual forum that you can add to any site, and the other is designed to integrate into a WordPress blog.

A Delphi compiler has been added to the Free Pascal Compilers / Free Delphi Compilers page. It includes an IDE with an editor, debugger, compiler and numerous visual components. For those who don't know what Delphi is, it is an object-oriented dialect of the Pascal programming language.

A new implementation of Smalltalk has been added to the Free Smalltalk Compilers and Interpreters page. This one lets you write computer programs in the Squeak/Smalltalk language for execution on a web page without requiring your visitors to install any plugins. For those unfamiliar with Smalltalk, it is an object oriented language, second in the list of most loved languages among 64,000 developers surveyed in 2017.

New page: How to Add a Contact Form to Your Website with BlueGriffon 2. Find out how to add a contact (or feedback) form to your website using BlueGriffon. This is the final chapter of the BlueGriffon 2 tutorial, so if you were waiting for me to finish the series before making a website, you can now find all the chapters online.

A new SSH program has been added to the Free SSH (Secure Shell) and Telnet Clients page. For those not familiar with such things, SSH clients allow webmasters to access the computer where their websites are hosted through a command line window, as though they are seated directly at that computer. They are often used to perform various administrative tasks that are otherwise difficult (or impossible) to do.

Are you setting up your own business (online or otherwise)? Then you probably need accounting software to keep track of your finances. Check out the Free Accounting Software page, where a new program has just been added.

Two open source programs have been added to the Free Clipboard Managers and Extenders page. Such software is especially useful to programmers and webmasters who may cut/copy and paste a lot of text (and other things like images, filenames, HTML, etc) between different windows. They allow you to paste something you copied some time ago, and that you may have already overwritten in the default clipboard.

A new open source program for Windows has been added to the Free Screen Video Recorders and Screen Capture Software page. This one is a Windows program that can do video recordings of the screen (along with audio from a microphone or speaker) and webcam, as well as take screenshots.

A new computer program has been added to the Free File Synchronization Software page. Such tools allow you to back up your files and folders to another location and keep the data in sync. This latest addition not only supports backing up to the usual hardware devices (like hard disks, USB drives, CD/DVD media) but also to FTP servers and over the local area network.

New page: How to Publish (Upload) Your Website with BlueGriffon 2. This article deals with how you can transfer your website to the Internet. It is chapter 8 of the BlueGriffon 2 tutorial.

(Note: for those who don't actually use BlueGriffon, but want to upload your pages or other files, please read my more general tutorial How to Upload a File to Your Website.)

A free and open source program has been added to the Free TV PVR (Personal Video Recorder) and TV Recording Software page. This one handles a wide variety of inputs (DVB-C/C2/T/T2/S/S2, ATSC, ISDB-T, IPTV, SATIP, etc), supports EPG (Electronic Programme Guide), and can also serve as a TV streaming server. For those who are not sure what I just said because of the heavy jargon, the software essentially lets you record TV shows, and can also send those shows to other devices in your home.

Another open source tool has been added to the Free Make Utilities page. For those not sure what make in this context means, it refers to a type of software used by programmers to automate the process of building a computer program from its source files.

Another free computer program has been added to the Free Media Player, Free DVD / Blu Ray Players page. Like the others listed there, it handles a large number of media formats, in addition to DVDs and Blu Rays.

New page: How to Create Multiple Pages for Your Website with BlueGriffon 2.x. This article shows you how to add multiple pages to your website using the free BlueGriffon web editor. It is chapter 7 of the BlueGriffon 2.x tutorial.

Another host has been added to the Free File Storage Hosting page. This one is from Mozilla and it allows you to upload a file of up to 1 GB in size for download by one person within 24 hours. I have no idea how long this service will last though. Nearly all the services I previously listed on the page have long disappeared. (Free file storage hosts seem to have a half-life measured in months, if even that.)

A new text editor has been added to the Free Programmers' Editors and Plain Text Editors page. This one runs on Windows, Mac OS X and Linux and is open source.

New page: How to Add a Navigation Menu to Your Website with BlueGriffon 2.x. Find out how to add a navigation menu, complete with buttons that change colour when a mouse hovers over it, to your website using the free BlueGriffon web editor. This is chapter 6 of the BlueGriffon 2.x tutorial.

Another Atari ST emulator has been added to the Free Atari Emulators page. This one is open source and comes with ROMs for Atari 520ST and 1040ST. For those wondering, an Atari emulator is a computer program that mimics the old Atari computers sold in the 1980s and 1990s, and can run software written for those machines on your modern computer.

New page: How to Make Text and Images into Clickable Links with BlueGriffon 2.x. This article shows you how to make the words and pictures on your website into links using the free BlueGriffon web editor. It is chapter 5 of the BlueGriffon 2.x tutorial.

Copyright © 1998-2016 by Christopher Heng. All rights reserved.

thesitewizard, thefreecountry and HowToHaven are trademarks of Christopher Heng.

This page was last updated on 20 June 2016.

How to Use SSH

If youre connecting to another computer over the Internet, youll probably want to keep your data safe. SSH is one way to help do that. To make it happen, youll need to set up SSH properly on your computer, and then create an encrypted connection to your server. Just remember, in order for the connection to be secure, both ends of the connection need to have SSH enabled. Follow this guide to make sure that your connection is as safe as possible.

For Windows, you will need to download and install an SSH client program. One option is Cygwin, a Unix-like environment for Windows, available free from the developer's website; download and install it like you would any other program. Another popular free client is PuTTY. Whichever you choose, download it only from the project's own site: a tampered SSH client sees every password you type into it.

During the Cygwin installation, you must choose to install OpenSSH from the Net section.

Linux and Mac OS X come with SSH already installed. SSH was developed for UNIX-like systems, and both Linux and OS X ship the OpenSSH client.

If you have Windows 10 with the Anniversary Update, you can install the Windows Subsystem for Linux, whose Ubuntu environment comes with the OpenSSH client preinstalled.

Open the terminal program that is installed by Cygwin, or Bash on Ubuntu on Windows for Windows 10, or open the Terminal in OS X or Linux. SSH uses the terminal interface to interact with other computers. There is no graphical interface for the OpenSSH client, so you will need to get comfortable typing in commands.

Before you dive into creating keys and moving files, test that SSH is properly configured on your computer as well as on the system you are connecting to. Enter the following command, replacing username with your username on the remote computer, and remote with the address of the remote computer or server:

$ ssh username@remote

The first time you connect to a given server, ssh shows you the fingerprint of the server's host key and asks whether to trust it. Compare it with a fingerprint obtained from the server's administrator through another channel before answering yes; once accepted it is stored in ~/.ssh/known_hosts, and you will be warned if it ever changes. You will then be asked for your password. You will not see the cursor move or any characters appear as you type it.

If this step fails, then either SSH is configured incorrectly on your computer, or the remote computer is not accepting SSH connections.

When you first connect to the remote computer, you will be in your HOME directory. To move around the directory structure, use the cd command:

$ cd directory

will move you into the specified subdirectory.

$ cd /path/to/directory

will move you into the specified directory, given as an absolute path from the root of the filesystem (/).

$ cd

with no argument will return you to your HOME directory.

Check your current directory's contents.

To see what files and folders are in your current location, use the ls command:

$ ls

will list the files and folders in your current directory.

$ ls -l

will list the contents of the directory along with additional information such as size, permissions, owner and modification date.

$ ls -a

will list all the contents, including hidden files and folders (names beginning with a dot).

Copy files between your computer and the remote computer.

If you need to copy files from your local computer to the computer you are accessing remotely, use the scp command, which copies them over the same encrypted SSH connection:

$ scp /localdirectory/example1.txt username@remote:path

will copy example1.txt to the specified path on the remote computer. If you leave path blank (but keep the colon), the file is copied into your home directory on the remote computer, not the root of its filesystem; a path without a leading slash is taken relative to that home directory.

$ scp username@remote:example1.txt ./

will copy example1.txt from your home directory on the remote computer to the current directory on the local computer.

On the remote computer itself, use the cp command to make copies of files, either in the same directory or into a directory of your choosing:

$ cp example1.txt example2.txt

will create a copy of example1.txt called example2.txt in the same location.

$ cp example1.txt directory/

will create a copy of example1.txt in the location specified by directory.

If you want to change a file's name or move it without copying, you can use the mv command:

$ mv example1.txt example2.txt

will rename example1.txt to example2.txt. The file will stay in the same location.

$ mv directory1 directory2

will rename directory1 to directory2. The directory's contents will remain unchanged.

$ mv example1.txt directory1/

will move example1.txt into directory1.

$ mv example1.txt directory1/example2.txt

will move example1.txt into directory1 and rename it to example2.txt.

If you need to remove anything from the computer you are connected to, you can use the rm command:

$ rm -i example1.txt

will delete the file example1.txt after prompting you to confirm (plain rm deletes without asking).

$ rm -r directory1

will delete directory1 and all of its contents. There is no undo, so check the path before pressing Enter.

You can change the read and write permissions of your files using the chmod command:

$ chmod u+w example1.txt

will add the write (modify) permission to the file for the user (u) who owns it. You can also use the g modifier for group permissions or the o modifier for everyone else (others):

$ chmod g+r example1.txt

will add the read (access) permission to the file for the group.

There is a large list of permissions that you can use to secure or open various aspects of your system; see man chmod.

Learn the other assorted basic commands.

There are a few more important commands that you will be using quite a bit in the shell interface. They include:

$ mkdir newdirectory

will create a new subdirectory called newdirectory.

$ pwd

will display your current directory location.

$ who

shows who is logged into the system.

$ pico newfile.txt

will create a new file and open it in the file editor. Different systems will have different file editors installed; the most common are pico and vi (vi newfile.txt), so you may need to use a different command depending on which editor your system has.

Get detailed information on any command.

If you are unsure as to what a command will do, you can use the man command to learn about all of its possible uses and parameters:

$ man command

will display the manual page for that command.

$ man -k keyword

will search all of the man pages for the keyword you specify.

These keys will allow you to connect to the remote location without having to enter your password each time. This is a more secure way to connect: the private key never leaves your computer, so there is no password that can be guessed, reused or phished, and once keys work you can turn off password logins on the server entirely.

Create the key folder on your computer, readable only by you, by entering the commands

$ mkdir -p ~/.ssh
$ chmod 700 ~/.ssh

Create the public and private keys by using the command

$ ssh-keygen -t rsa

(current OpenSSH also offers the shorter, faster ssh-keygen -t ed25519, which produces id_ed25519 and id_ed25519.pub; the steps below are the same with those names). You will be asked if you would like to create a passphrase for the key; this is optional but strongly recommended, because the passphrase is the only thing protecting the private key if the file is ever copied or your computer is lost. If you don't want a passphrase, press Enter. This will create two files in the .ssh directory: id_rsa, the private key, which you must never share or copy to the server, and id_rsa.pub, the public key.

Change your private key's permissions. To ensure that the private key is readable only by you (ssh refuses to use a key file that other users can read), enter the command

$ chmod 600 ~/.ssh/id_rsa

Place the public key on the remote computer.

Once your keys are created, you're ready to place the public key on the remote computer so that you can connect without a password. Enter the following command, replacing the appropriate parts as explained earlier:

$ scp ~/.ssh/id_rsa.pub username@remote:

Make sure to include the colon (:) at the end of the command; it puts the file in your home directory on the remote computer. Copy only the .pub file.

You will be asked to input your password before the file transfer starts.

Install the public key on the remote computer.

Once you've placed the key on the remote computer, you will need to install it so that it works correctly. First, log in to the remote computer the same way that you did in Step 3.

Create an SSH folder on the remote computer, if it does not already exist:

$ mkdir -p ~/.ssh

Append your key to the authorized keys file. If the file does not exist yet, it will be created:

$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys

Tighten the permissions on the SSH folder and the authorized keys file. The server ignores both if other users can write to them:

$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys

Once the key has been installed on the remote computer, you should be able to initiate a connection without being asked to enter your password. Enter the following command to test the connection:

$ ssh username@remote

If you connect without being prompted for the password (you will still be asked for the key's passphrase, if you set one), then the keys are configured correctly. You can now delete the copy of id_rsa.pub left in your remote home directory.
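The "install the public key" step above, as an added example that is not part of the original article: it validates the key line, creates the .ssh directory and authorized_keys file with the permissions sshd requires, and appends the key only if it is not already there, so running it twice does not produce duplicates. The .ssh directory is a parameter so the functions can be exercised against a temporary directory; on the remote host you would pass "$HOME/.ssh". The key line is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not part of the original article. Idempotent authorized_keys
# installation. EXAMPLE_PUBKEY is a constructed placeholder, not a real key.

EXAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKey0123456789abcdefghijk user@laptop'

# A public key line is "<type> <base64> [comment]". Rejecting anything else
# keeps a pasted private key or garbage out of authorized_keys. Lines that
# carry options (from=, command=) are out of scope here.
valid_pubkey_line() {  # line
  printf '%s\n' "$1" | grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( [^[:space:]].*)?$'
}

# Install a key into $1/authorized_keys. Returns 1 on a malformed key.
install_pubkey() {  # ssh_dir pubkey_line
  dir=$1; key=$2
  valid_pubkey_line "$key" || return 1
  mkdir -p "$dir" && chmod 700 "$dir"          # sshd ignores a dir others can write
  touch "$dir/authorized_keys" && chmod 600 "$dir/authorized_keys"
  # Compare on type+blob only, so a changed comment does not add a duplicate.
  blob=$(printf '%s\n' "$key" | awk '{print $1" "$2}')
  if ! awk -v b="$blob" '($1 " " $2) == b { found=1 } END { exit !found }' "$dir/authorized_keys"; then
    printf '%s\n' "$key" >> "$dir/authorized_keys"
  fi
}

# Number of installed keys (non-empty, non-comment lines).
authorized_key_count() {  # ssh_dir
  [ -f "$1/authorized_keys" ] || { echo 0; return; }
  awk '!/^[[:space:]]*(#|$)/ { n++ } END { print n+0 }' "$1/authorized_keys"
}
```

On the remote host, `install_pubkey "$HOME/.ssh" "$(cat ~/id_rsa.pub)"` does what the cat/chmod steps do by hand, and `authorized_key_count "$HOME/.ssh"` is a quick way to notice a key you did not install.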


Establish an SSH Connection from a PC

For Linux packages with SSH access.

Learn how to connect to your 1&1 webspace using a Secure Shell (SSH) connection from a PC in order to run command-line utilities.

Learn how to Upgrade a 1&1 Package if you require SSH access and your package does not support it.

To connect via SSH, you will first need to download an SSH client. The best-known free SSH client is PuTTY. Download it from the PuTTY project's own website rather than from whatever a web search turns up: a modified SSH client would see your user name and password, so make sure you have the genuine release.

You will need the SSH user name and password shown in the 1&1 Control Panel to connect. This user name and password are the same as the initial FTP user name and password that came with your package and cannot be deleted. For more help, please reference What information is required to make a SSH connection?

Step 2. Enter your host name into the Host Name (or IP address) text box.

Step 3. Select SSH as the Connection type under the text box.

Step 4. In the Connection > Data category, enter your SSH user name into the Auto-login username text box. Your user name should start with the letter u followed by numbers.

Please note: you can only use your SSH user or your main FTP user to log in via SSH (as they are identical). Additional FTP users that you have created manually cannot log in to your webspace via SSH.

Step 5. From the left-hand side, click Session.

Step 6. In the text box below Saved Sessions, enter a name for this configuration. It is recommended to use one of the domain names in your package as the name. Click the Save button to save your configuration under this name.

Step 7. The configuration will be saved under the name chosen and you should now see it in the list of Saved Sessions. In future, when you open PuTTY, you can simply click this name, click the Load button to load the configuration, and then click the Open button to connect. Click the Open button now to connect via SSH.

Step 8. The first time you connect to your webspace via SSH, PuTTY shows the fingerprint of the server's host key, which is what lets the client tell the genuine server apart from an impostor. A warning appears that this key is not yet saved. Before clicking Yes, compare the fingerprint with one your host publishes or tells you through another channel; click Yes to save the key only if they match.

Once the key is saved, you will not receive this prompt when connecting to your webspace in the future.

Please note: 1&1 states that it regularly updates its SSH host keys. You may therefore receive a notice that the original key is unrecognized, which means PuTTY has detected a new key. A changed host key looks exactly the same whether the provider rotated it or someone is intercepting the connection, so confirm the new fingerprint with 1&1 before accepting it.

Step 9. The window will prompt you for a password to connect. The password will not be displayed on the screen, nor will the cursor move, as you type it. This is normal: as a security precaution, no letters, asterisks or spaces are shown, so that bystanders cannot learn the length of your password. Type the password and then press ENTER.

Step 10. You are now logged in to your Linux web hosting package via SSH and presented with a command prompt where you can run Linux commands.
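The check that Step 8 (and the first-connection prompt in the OpenSSH walkthrough above) asks you to do by hand, as an added example that is not part of the original help-center article: compute the SHA256 fingerprint of a host key from its public-key line, in the same "SHA256:..." form that PuTTY's security alert and `ssh-keygen -lf` display, and compare it with a value obtained out of band. The key line is a constructed placeholder, not any real server's key; the script assumes coreutils base64 and sha256sum (or shasum).

```shell
#!/bin/sh
# Added example, not part of the original article. Host-key fingerprint in
# OpenSSH's SHA256 form, for comparing against an out-of-band value before
# accepting a new or changed key. EXAMPLE_HOSTKEY is a constructed placeholder.

EXAMPLE_HOSTKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKey0123456789abcdefghijk'

# Convert hex on stdin to raw bytes on stdout using POSIX printf octal escapes.
hex_to_bin() {
  hex=$(cat)
  while [ ${#hex} -ge 2 ]; do
    pair=${hex%"${hex#??}"}
    hex=${hex#??}
    printf "\\$(printf '%03o' "$((0x$pair))")"
  done
}

# "SHA256:<base64 without padding>" of the decoded key blob: SHA-256 over the
# raw key bytes, base64-encoded, "=" stripped, exactly as ssh-keygen -lf prints.
hostkey_fingerprint() {  # "type base64 [comment]"
  blob=$(printf '%s\n' "$1" | awk '{print $2}')
  printf 'SHA256:'
  printf '%s' "$blob" | base64 -d \
    | { sha256sum 2>/dev/null || shasum -a 256; } | awk '{print $1}' \
    | hex_to_bin | base64 | tr -d '=\n'
  echo
}

# Succeeds only if the key's fingerprint equals the expected one.
check_hostkey() {  # keyline expected_fingerprint
  [ "$(hostkey_fingerprint "$1")" = "$2" ]
}
```

Usage: take the "ssh-ed25519 AAAA..." line for the host from a trusted source (the provider's documentation, or `cat /etc/ssh/ssh_host_ed25519_key.pub` run on the server console), run `hostkey_fingerprint` on it, and only click Yes in PuTTY if the alert shows the same string. `check_hostkey` is the same comparison for scripts.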

For additional information, you may want to reference:

Required Information for an SSH Connection – 1&1 Help Center

Back Up Your MySQL Database Using SSH – 1&1 Help Center

Explanation of SSH (Secure Shell Access) – 1&1 Help Center

Import Your MySQL Database Using SSH – 1&1 Help Center

Alter Your SSH Settings for Use with 1&1 CDN – 1&1 Help Center

Change File Permissions via SSH – 1&1 Help Center

SSH Secure Shell Client: public key authentication (surviving steps of the original notes)

3. Enter a passphrase for the key.

5. Upload the public key to the SSH server via Edit > Settings > Keys > Upload.

6. The SSH server is Linux (OpenSSH) while the client is SSH Secure Shell Client on Windows, which writes its public keys in the SECSH (RFC 4716) format rather than OpenSSH's one-line format. Convert the uploaded key with ssh-keygen -i, which reads a SECSH-format key and prints the OpenSSH form on standard output; redirect that into ~/.ssh/authorized_keys:

ssh-keygen -i -f authorized_keys

8. Restart sshd if you changed its configuration (for example to enable PubkeyAuthentication): sudo service ssh restart. Changes to authorized_keys alone take effect on the next login without a restart.

9. On Windows, the client keeps its keys under C:\Users\username\AppData\Roaming\SSH\UserKeys.

SSH Secure Shell(TM) 3.2.9 (Build 283)

SSH Secure Shell(TM) 3.2.9 (Build 283) is a Windows client for the SSH protocol. It lets you log in to a remote Linux system, manage its files and transfer files between Linux and Windows over an encrypted connection.

SSH Secure Shell(TM) 3.2.9 (Build 283) replaces TELNET, FTP and the r-commands (rlogin, rsh, rcp), whose traffic, passwords included, travels in the clear. SSH (short for Secure Shell) encrypts all transmitted data, which defeats eavesdropping and, because the server is authenticated by its host key, also protects against DNS spoofing and IP spoofing. Running the SSH daemon (sshd) instead of those older services is therefore an important part of securing a system and controlling what remote users may do.

The following settings are made in the server's /etc/ssh/sshd_config and take effect after sshd is restarted:

* Change PermitRootLogin yes to PermitRootLogin no, so that root cannot log in directly over the network; log in as an ordinary user and use su or sudo instead.

* Add an AllowUsers line listing the users allowed to connect remotely (separated by spaces); everyone else is refused.

* You can also use DenyUsers for fine-grained selection of users.

* If you enable the OpenSSH server and have no intention for now of allowing remote connections, you may add AllowUsers nosuchuserhere to stop anyone connecting.
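An audit of the two settings discussed above, as an added example that is not part of the original notes: it reads the effective value of a directive the way sshd does (first uncommented occurrence wins, anything after the first Match block is conditional and ignored here) and reports PermitRootLogin values other than no and the absence of any AllowUsers/AllowGroups restriction. The config file is a parameter; on a real host pass /etc/ssh/sshd_config. The sample configs in the usage are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes. Audits an sshd_config for the
# PermitRootLogin and AllowUsers settings described above. Config path is a
# parameter (normally /etc/ssh/sshd_config); nothing here is a real host's file.

# Effective value of a directive. sshd uses the first occurrence, so print the
# first uncommented match; keywords are case-insensitive and "Key=value" is
# accepted. Directives after the first Match block only apply conditionally,
# so this simplified reader stops there.
sshd_directive() {  # config_file keyword
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    /^[[:space:]]*Match[[:space:]]/ { exit }
    { k = tolower($1); sub(/=.*/, "", k) }
    k == key {
      v = $0; sub(/^[[:space:]]*[^[:space:]=]+[[:space:]=]+/, "", v)
      print v; exit
    }' "$1"
}

# Prints one line per finding; the return value is the number of findings,
# so 0 means the file passes both checks.
audit_sshd_config() {  # config_file
  n=0
  root=$(sshd_directive "$1" PermitRootLogin)
  if [ "$root" != "no" ]; then
    # An unset directive means the compiled-in default, which varies by
    # OpenSSH version (yes in old releases, prohibit-password in current ones).
    echo "PermitRootLogin is '${root:-unset}'; set it to no"
    n=$((n + 1))
  fi
  if [ -z "$(sshd_directive "$1" AllowUsers)" ] && [ -z "$(sshd_directive "$1" AllowGroups)" ]; then
    echo "no AllowUsers/AllowGroups: every account with a shell may log in"
    n=$((n + 1))
  fi
  return $n
}
```

Run as `audit_sshd_config /etc/ssh/sshd_config; echo "findings: $?"`. A weak file containing only "PermitRootLogin yes" produces two findings; one with "PermitRootLogin no" and "AllowUsers alice bob" produces none, even if a later Match block re-enables root login for a specific case.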

SSH Secure Shell Client: fixing garbled (mojibake) characters

On the server, edit /etc/sysconfig/i18n with vi so that the system locale's character set matches the encoding the client terminal expects (for example UTF-8). The exact file contents from the original note were not preserved.

In SecureCRT on the client side, open Options > Session Options, go to the Appearance settings, and set the character encoding to UTF-8.



SSH Tutorial for Linux

This document covers the SSH client on the Linux operating system and other OSes that use OpenSSH. If you use Windows, please read the document SSH Tutorial for Windows. If you use Mac OS X or another Unix-based system, you should already have OpenSSH installed and can use this document as a reference.

This article is one of the top tutorials covering SSH on the Internet. It was originally written back in 1999 and was completely revised in 2006 to include new and more accurate information. As of October 2008, it has been read by over 473,600 people and consistently appears at the top of Google's search results for SSH Tutorial and Linux SSH.

There are a couple of ways that you can access a shell (command line) remotely on most Linux/Unix systems. One of the older ways is to use the telnet program, which is available on most network-capable operating systems. Accessing a shell account through telnet poses a danger, though: everything that you send or receive over that telnet session is visible in plain text on your local network and on the local network of the machine you are connecting to. So anyone who can sniff the connection in between can see your username, password, email that you read, and commands that you run. For these reasons you need a more sophisticated program than telnet to connect to a remote host.

SSH, which is an acronym for Secure SHell, was designed and created to provide the best security when accessing another computer remotely. Not only does it encrypt the session, it also provides better authentication facilities, as well as features like secure file transfer, X session forwarding, port forwarding and more, so that you can increase the security of other protocols. It can use different forms of encryption ranging anywhere from 512 bits on up to as high as 32768 bits and includes ciphers like AES (Advanced Encryption Standard), Triple DES, Blowfish, CAST128 or Arcfour. Of course, the higher the bit count, the longer it will take to generate and use keys, and the longer it will take to pass data over the connection.

These two diagrams on the left show how a telnet session can be viewed by anyone on the network using a sniffing program like Ethereal (now called Wireshark) or tcpdump. It is really rather trivial to do this, and so anyone on the network can steal your passwords and other information. The first diagram shows user jsmith logging in to a remote server through a telnet connection. He types his username jsmith and password C0lts06!, which are viewable by anyone who is using the same networks that he is using.

The second diagram shows how the data in an encrypted connection like SSH is encrypted on the network and so cannot be read by anyone who doesn't have the session-negotiated keys, which is just a fancy way of saying the data is scrambled. The server can still read the information, but only after negotiating the encrypted session with the client.

When I say scrambled, I don't mean like the old cable pay channels where you can still kinda see things and hear the sound, I mean really scrambled. Usually encryption means that the data has been changed to such a degree that unless you have the key, it's really hard to crack the code with a computer. It will take on the order of years for commonly available computer hardware to crack the encrypted data, the premise being that by the time you could crack it, the data is worthless.

This tutorial isn't going to cover how to install SSH, but will cover how to use it for a variety of tasks. Consult your Linux distribution's documentation for information on how to set up OpenSSH.

Chances are that if you are using a version of Linux that was released after 2002, you already have OpenSSH installed. The version of SSH that you will want to use on Linux is called OpenSSH. As of this writing (October 2009), the latest version available is 5.3, but you may encounter versions from 3.6 on up. If you are using anything lower than version 3.9, I'd strongly advise you to upgrade it.

To really make ssh useful, you need a shell account on a remote machine, such as a Suso account.

The first thing we'll do is simply connect to a remote machine. This is accomplished by running ssh hostname on your local machine. The hostname that you supply as an argument is the hostname of the remote machine that you want to connect to. By default ssh will assume that you want to authenticate as the same user you use on your local machine. To override this and use a different user, simply use the argument. Such as in this example:

The first time around it will ask you if you wish to add the remote host to a list of known_hosts; go ahead and say yes.

The authenticity of host ( can't be established.
RSA key fingerprint is 53:b4:ad:c8:51:17:99:4b:c9:08:ac:c1:b6:05:71:9b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added (RSA) to the list of known hosts.

It is important to pay attention to this question, however, because this is one of SSH's major features: host validation. To put it simply, ssh will check to make sure that you are connecting to the host that you think you are connecting to. That way if someone tries to trick you into logging into their machine instead so that they can sniff your SSH session, you will have some warning, like this:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for has changed, and the key for the according IP address is unchanged.
This could either mean that DNS SPOOFING is happening or the IP address for the host and its host key have changed at the same time.
Offending key for IP in /home/suso/.ssh/known_hosts:10
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is 96:92:62:15:90:ec:40:12:47:08:00:b8:f8:4b:df:5b.
Please contact your system administrator.
Add correct host key in /home/suso/.ssh/known_hosts to get rid of this message.
Offending key in /home/suso/.ssh/known_hosts:53
RSA host key for has changed and you have requested strict checking.
Host key verification failed.

If you ever get a warning like this, you should stop and determine if there is a reason for the remote server's host key to change (such as if SSH was upgraded or the server itself was upgraded). If there is no good reason for the host key to change, then you should not try to connect to that machine until you have contacted its administrator about the situation. If this is your own machine that you are trying to connect to, you should do some computer forensics to determine if the machine was hacked (yes, Linux can be hacked). Or maybe your home computer's IP address has changed, such as if you have a dynamic IP address for DSL. One time I received this message when trying to connect to my home machine's DSL line. I thought it was odd since I hadn't upgraded SSH or anything on my home machine, and so I chose not to try to override the cached key. It was a good thing that I didn't, because I found out that my dynamic IP address had changed and that, by chance, another Linux machine running OpenSSH had taken my old IP.

After saying yes, it will prompt you for your password on the remote system. If the username that you specified exists and you type in the remote password for it correctly, then the system should let you in. If it doesn't, try again, and if it still fails, you might check with the administrator that you have an account on that machine and that your username and password are correct.

Now that you have spent all that time reading and are now connected, go ahead and log out. ;-) Once you're back at your local computer's command prompt, enter the command ssh-keygen -b 4096 to generate a strong key.

It should begin spitting out the following:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/localuser/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/localuser/.ssh/id_rsa.
Your public key has been saved in /home/localuser/.ssh/
The key fingerprint is:
e7:06:7f:2c:32:bf:84:a8:5b:8d:63:98:f3:ee:a2:8b
The key's randomart image is:

It will prompt you for the location of the keyfile. Unless you have already created a keyfile in the default location, you can accept the default by pressing enter.

Next it will ask you for a passphrase and ask you to confirm it. The idea behind what you should use for a passphrase is different from that of a password. Ideally, you should choose something unique and unguessable, just like your password, but it should probably be something much longer, like a whole sentence. Here are some examples of passphrases I've used in the past:

The right thing changes from state to state

the purpose of life is to give it purpose

They're not going to guess this passphrase!

Some passphrases that I've used have had as many as 60 characters along with punctuation and numbers. This makes the passphrase harder to guess. To give you an idea of how much more secure a passphrase is than a password, consider this. Even if you narrowed down the number of words someone could use in a passphrase to 2000 potential words, if that person used 5 words in a sentence from that 2000 word set, it would mean there are 32,000,000,000,000,000 different combinations. Compare this with 6,095,689,385,410,816, which is the total possible combinations in an 8 character password using upper and lower case characters, numbers and punctuation (about 94 potential characters). So an 8 character password has 5.25 times fewer combinations than a 5 word passphrase. In actuality, most people choose words from a set of 10,000 or more words, bringing the complexity of a 5 word passphrase to 16,405 or more times greater than that of an 8 character password. So on average, the difficulty of cracking a passphrase is much greater than any password that could be used. Interestingly, the potential number of combinations of an 8 word passphrase of someone with an adult vocabulary (8000 words or more) is almost equal to the number of 8 character password combinations multiplied by itself, or about 16,777,216,000,000,000,000,000,000,000,000 combinations.

Don't use any famous quotes or phrases for your passphrase; they may be easily guessed by another person or by a brute force cracking program.

The reason why you would generate a key file is so that you can increase the security of your SSH session by not using your system password. When you generate a key, you are actually generating two key files: one private key and one public key, which is different from the private key. The private key should always stay on your local computer and you should take care not to lose it or let it fall into the wrong hands. Your public key can be put on the machines you want to connect to in a file called .ssh/authorized_keys. The public key is safe to be viewed by anybody and mathematically cannot be used to derive the private key. It's just like if I gave you the number 38,147,918,357 and asked you to find the numbers and operations I used to generate it. There are nearly infinite possibilities.

Whenever you connect via ssh to a host that has your public key loaded in the authorized_keys file, it will use a challenge-response type of authentication which uses your private key and public key to determine if you should be granted access to that computer. It will ask you for your key passphrase though. But this is your local ssh process that is asking for your passphrase, not the ssh server on the remote side. It is asking to authenticate you according to data in your private key. Using key-based authentication instead of system password authentication may not seem like much of a gain at first, but there are other benefits that will be explained later, such as logging in automatically from X windows.

Recent versions of OpenSSH will print out a randomart ASCII art image representing your key's fingerprint. This is meant to make it easier to identify a matching key when compared with another key's randomart.

If you do not have the ssh-copy-id program available, then you must use this manual method for installing your ssh key on the remote host. Even if you do have the ssh-copy-id program, it's good to do the manual installation at least once so that you have a good understanding of what is going on, because this is where a lot of people end up having problems.

Go ahead and copy your public key which is in ~/.ssh/ to the remote machine.

scp ~/.ssh/ .org:.ssh/authorized_keys

It will ask you for your system password on the remote machine and after authenticating it will transfer the file. You may have to create the .ssh directory in your home directory on the remote machine first. By the way, scp is a file transfer program that uses ssh. We'll talk more about it later.

Now when you ssh to the remote machine, it should ask you for your key passphrase instead of your password. If it doesn't, it could be that the permissions and mode of the authorized_keys file and .ssh directory on the remote server need to be set more restrictively. You can do that with these commands on the remote server:

You can also put the public key in the remote authorized_keys file by simply copying it into your paste buffer, logging into the remote machine and pasting it directly into the file from an editor like vi, emacs or nano. I would recommend using the cat program to view the contents of the public key file though because using less will end up breaking the single line into multiple lines.
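The permission fix and the paste-it-in method above, as an added example that is not part of the original tutorial: a small POSIX shell function for the server side of a manual install. The key file path and the ssh directory argument are whatever you pass in; everything else is the standard OpenSSH layout.

```shell
#!/bin/sh
# Added example, not from the tutorial: the server-side half of a manual key
# install. Unlike "scp id_rsa.pub host:.ssh/authorized_keys", which replaces
# any keys already there, this appends; it refuses a key that a pager or
# editor wrapped onto several lines (the usual reason a pasted key "does not
# work"), skips a key that is already present, and sets the modes that sshd's
# StrictModes check insists on. Usage: install_pubkey /path/to/key.pub [ssh_dir]

# Return 0 only if FILE holds exactly one public key line: "<type> <base64> [comment]".
pubkey_is_one_line() {
    awk '
        NR == 1 && $1 ~ /^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521))$/ &&
                   $2 ~ "^[A-Za-z0-9+/=]+$" { ok = 1 }
        END { if (NR == 1 && ok) exit 0; exit 1 }
    ' "$1"
}

install_pubkey() {
    key=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys

    if ! pubkey_is_one_line "$key"; then
        echo "refusing $key: not a single well-formed public key line" >&2
        return 1
    fi
    # Create with a restrictive umask so nothing is world-readable, even briefly.
    (umask 077 && mkdir -p "$dir" && touch "$auth") || return 1

    # A key is identified by type + base64; the comment is free text, so only
    # the first two fields are compared when checking for a duplicate.
    ident=$(awk '{ print $1, $2 }' "$key")
    if grep -qF -- "$ident" "$auth"; then
        echo "key already present in $auth" >&2
    else
        # If the previous entry lacks a trailing newline, add one first,
        # otherwise the two keys would be glued into one unusable line.
        if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then echo >> "$auth"; fi
        awk 'NR == 1 { print }' "$key" >> "$auth"
    fi
    # sshd (StrictModes yes, the default) ignores the file if these are looser.
    # The home directory itself must also not be group- or world-writable.
    chmod 700 "$dir" && chmod 600 "$auth"
}
```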

A newer way that you can quite easily install your public ssh key on a remote host is with the ssh-copy-id program like this:

It will prompt you for your password on the remote host and take care of the rest. That was easy. So why didn't I just tell you how to use this program in the first place? Well, in my experience, many of the problems people have with ssh revolve around trying to get their ssh public key installed correctly. It's a good thing that they've made a program to do the dirty work for you, but in the interest of building your skills, you should at least do the manual install once so that you know what is involved.

The true usefulness of using key-based authentication comes in the use of the ssh-agent program. Usually, the ssh-agent program is a program that starts up before starting X windows and in turn starts X windows for you. All X windows programs inherit a connection back to the ssh-agent, including your terminal windows like Gnome Terminal, Konsole, xfce4-terminal, aterm, xterm and so on. What this means is that after you've started up X windows through ssh-agent, you can use the ssh-add program to add your passphrase one time to the agent, and the agent will in turn pass this authentication information automatically every time you need to use your passphrase. So the next time you run:

you will be logged in automatically without having to enter a passphrase or password. Most recent distributions will automatically start ssh-agent when you log in to X windows through a session manager like gdm (graphical login). I found that as of this writing the following distributions started ssh-agent by default.

Most distributions prior to about 2002 did not start it.

Don't worry if you don't see your distro listed in here. You can check if it is already running by running this command.

If there is an ssh-agent process listed there, then you can just start using it; otherwise, you should consult your distribution's documentation on OpenSSH and running the ssh-agent.

Once youve verified that ssh-agent is running, you can add your ssh key to it by running the ssh-add command:

If the program finds the RSA key that you created above, it will prompt you for the passphrase. Once you have done so it should tell you that it has added your identity to the ssh-agent:

Identity added: /home/username/.ssh/id_rsa (/home/username/.ssh/id_rsa)

Now you can try logging into that remote machine again and this time you will notice that it just logs you right in without prompting you for any password or passphrase.

To make adding your passphrase easier, you can add the ssh-add program to your desktop session startup programs and it will bring up a prompt in X windows to ask for your passphrase every time you log in to your desktop. You should also have the gtk2-askpass or x11-askpass program installed. They are the real programs that actually prompt you for your passphrase; ssh-add just runs them if it's not being run in a terminal. Below is a screenshot of the Gnome Session Configuration dialog with ssh-add added to the startup programs.

One lesser known feature of X windows is its network transparency. It was designed to be able to transmit window and bitmap information over a network connection. So essentially you can log in to a remote desktop machine and run some X windows program like Gnumeric, Gimp or even Firefox, and the program will run on the remote computer but will display its graphical output on your local computer.

To try this out, you will need an account on a remote computer that has X windows installed with some X windows applications. Suso servers do not have any such programs, so you will need to either log in to one of your other workstations or another server that does have them. The key to making it work is using the -X option, which means forward the X connection through the SSH connection. This is a form of tunneling.

If this doesn't work, you may have to set up the SSH daemon on the remote computer to allow X11Forwarding; check that the following lines are set in /etc/ssh/sshd_config on that computer:

X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

For some newer programs and newer versions of X windows, you may need to use the -Y option instead for trusted X11 forwarding. Try using this option if your X11 windows program fails to start running with a message like this one, which was for Gimp:

The program gimp-2.2 received an X Window System error.
This probably reflects a bug in the program.
The error was BadWindow (invalid Window parameter).
(Details: serial 154 error_code 3 request_code 38 minor_code 0)
(Note to programmers: normally, X errors are reported asynchronously; that is, you will receive the error a while after causing it. To debug your program, run it with the --sync command line option to change this behavior. You can then get a meaningful backtrace from your debugger if you break on the gdk_x_error() function.)

Like X11 session forwarding, SSH can also forward other TCP application level ports both forward and backwards across the SSH session that you establish.

For example, you can set up a port forward for your connection from your home machine to so that it will take connections to localhost port 3306 and forward them to the remote side port 3306. Port 3306 is the port that the MySQL server listens on, so this would allow you to bypass the normal host checks that the MySQL server would make and allow you to run GUI MySQL programs on your local computer while using the database on your suso account. Here is the command to accomplish this:

ssh -L .org

The -L (which means Local port) option takes one argument of the form

local-port:connect-to-host:connect-to-port

so you specify what host and port the connection will go to on the other side of the SSH connection. When you make a connection to the local-port port, it sends the data through the SSH connection and then connects to connect-to-host:connect-to-port on the other side. From the point of view of connect-to-host, it's as if the connection came from the SSH server that you log in to. In the case above,

This is much like how a VPN connection allows you to act as if you are making connections from the remote network that you VPN into.

Take a moment to think of other useful connections you can make with this type of network tunnel.

Another useful one is for when you are away from home and can't send mail through your home ISP's mail server because it only allows local connections to block spam. You can create an SSH tunnel to an SSH server that is local to your ISP and then have your GUI mail client like Thunderbird make a connection to localhost port 8025 to send the mail. Here is the command to create the tunnel:

One thing to note is that non-root users do not normally have the ability to listen on network ports lower than 1024, so listening on port 25 would not work, thus we use 8025. It really doesn't matter; you can use any port as long as your email client can connect to it.

You can also reverse the direction and create a reverse port forward. This can be useful if you want to connect to a machine remotely to allow connections back in. For instance, I use this sometimes so that I can create a reverse port 22 (SSH) tunnel so that I can reconnect through SSH to a machine that is behind a firewall once I have gone away from that network.

ssh -R 8022:localhost:22 .ip.address

This will connect to my home machine and start listening on port 8022 there. Once I get home, I can then connect back to the machine I created the connection from using the following command:

Remember to use the right username for the machine that you started the tunnel from. It can get confusing. You also have to keep in mind that since you are connecting to the host called localhost, but it's really a port going to a different SSH server, you may wind up with a different host key for localhost the next time you connect to localhost. In that case you would need to edit your .ssh/known_hosts file to remove the localhost line. You really should know more about SSH before doing this blindly.
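An added example (not from the tutorial) that covers both the host-key warning section above and the localhost collision just described: two POSIX shell functions over known_hosts, one to look up what is stored for a host so it can be compared with the fingerprint the server's administrator gives you, and one to print the file with a host's entries dropped instead of editing it by hand. The hostnames and keys in the comments and test data are constructed.

```shell
#!/bin/sh
# Added example, not from the tutorial: inspect and prune ~/.ssh/known_hosts
# without hand-editing it. Both functions understand comma-separated aliases
# ("homebox.example,192.0.2.10") and the "[host]:port" form that OpenSSH uses
# for non-default ports (so a tunnel on 8022 is stored as "[localhost]:8022",
# separate from the real "localhost" entry). Hashed entries ("|1|...") cannot
# be matched by name here and are left alone; "ssh-keygen -F host" and
# "ssh-keygen -R host" handle those too. Host patterns with * and ? are
# matched literally, not as wildcards. If the same local port is reused for
# tunnels to different machines, give each its own name with
#   ssh -o HostKeyAlias=homebox -p 8022 user@localhost
# so their keys never collide in this file.

# known_hosts_lookup FILE HOST [PORT]
# Prints "<keytype> <base64 key>" for every line that lists HOST; exit 1 if none.
# Compare the key against "ssh-keygen -lf /etc/ssh/ssh_host_*_key.pub" run on
# the server itself (over a channel you already trust) before accepting a change.
known_hosts_lookup() {
    awk -v host="$2" -v port="${3:-22}" '
        BEGIN { want = (port == 22) ? host : "[" host "]:" port }
        NF == 0 || $1 ~ /^#/ || $1 ~ /^\|1\|/ { next }   # blank, comment, hashed
        {
            i = ($1 ~ /^@/) ? 2 : 1      # skip a leading @cert-authority / @revoked marker
            n = split($i, names, ",")
            for (k = 1; k <= n; k++)
                if (names[k] == want) { print $(i + 1), $(i + 2); found = 1 }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# known_hosts_without FILE HOST [PORT]
# Prints FILE with every line that lists HOST removed (whole line, like the
# manual edit the tutorial describes); redirect to a new file, check it, then
# move it into place.
known_hosts_without() {
    awk -v host="$2" -v port="${3:-22}" '
        BEGIN { want = (port == 22) ? host : "[" host "]:" port }
        NF == 0 || $1 ~ /^#/ || $1 ~ /^\|1\|/ { print; next }
        {
            i = ($1 ~ /^@/) ? 2 : 1
            n = split($i, names, ",")
            for (k = 1; k <= n; k++) if (names[k] == want) next
            print
        }
    ' "$1"
}
```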

As a final exercise, you can keep your reverse port forward open all the time by starting the connection with this loop:

while true; do ssh -R 8022:localhost:22 .ip.address; sleep 60; done

This way, if you happen to reboot your home machine, the reverse tunnel will try to reconnect after 60 seconds, provided you've set up keys and your ssh-agent on the remote machine. ;-)
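The reconnect loop above with its failure modes handled, as an added example that is not the tutorial's own code: HOME_HOST is a placeholder for your home machine, and the TUNNEL_CMD hook exists only so the loop can be exercised without a real ssh connection.

```shell
#!/bin/sh
# Added example, not from the tutorial. The bare "while true; do ssh -R ...;
# sleep 60; done" has three quiet failure modes, each handled here:
#  - if port 8022 is already bound at home, ssh happily connects WITHOUT the
#    tunnel and the loop thinks all is well: ExitOnForwardFailure=yes makes
#    that attempt exit non-zero instead;
#  - a link that dies without a FIN leaves ssh sitting on a half-open TCP
#    session for hours: ServerAliveInterval/CountMax notice it within ~3 min;
#  - a missing key or agent makes ssh prompt for a password and hang the
#    loop: BatchMode=yes fails fast instead.
# -N keeps no remote shell open; only the forward is established.
tunnel_once() {
    ssh -N \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=60 \
        -o ServerAliveCountMax=3 \
        -o BatchMode=yes \
        -R 8022:localhost:22 "$1"      # $1 = HOME_HOST placeholder
}

# keep_tunnel DEST [MAX_ATTEMPTS] [FIRST_DELAY_SECONDS]
# Re-runs $TUNNEL_CMD (default tunnel_once) until it exits 0, with capped
# exponential backoff between attempts so a rebooting home box is not hammered.
# MAX_ATTEMPTS=0 means retry forever. Returns 0 on a clean exit, 1 when the
# attempt budget is used up.
keep_tunnel() {
    dest=$1; max=${2:-0}; delay=${3:-60}
    attempt=0
    while :; do
        attempt=$((attempt + 1))
        if ${TUNNEL_CMD:-tunnel_once} "$dest"; then
            return 0
        fi
        if [ "$max" -gt 0 ] && [ "$attempt" -ge "$max" ]; then
            echo "giving up on $dest after $attempt attempts" >&2
            return 1
        fi
        echo "tunnel to $dest dropped (attempt $attempt), retrying in ${delay}s" >&2
        sleep "$delay"
        delay=$((delay * 2))
        if [ "$delay" -gt 600 ]; then delay=600; fi
    done
}
```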

So thats great and all, but eventually you are going to want to know how you can do tunneling without having to specify the address that you want to forward to.

This is accomplished through the -D option, which turns ssh into a SOCKS5 proxy.

Any application that supports the SOCKS5 protocol (and most of the big network programs do) can forward its network connection over SSH and dynamically forward to any hostname that you specify. So for a web browser, any URL that you type in the URL field would be sent through the SSH tunnel. Firefox, Xchat, Gaim and many others all support using SOCKS5. The setting is usually under preferences in the connection settings.

Remember, in the words of Benjamin "Uncle Ben" Parker, with great power comes great responsibility. Just because you can get around firewalls and use other hosts for sending network traffic doesn't mean that some system administrator isn't going to notice you.

Sometimes you don't really want to run a shell like Bash on the host you are connecting to. Maybe you just want to run a command and exit. This is very simply accomplished by putting the command you wish to run at the end of your ssh connection command.

This will probably generate output similar to the following.

total 220
drwxr-xr-x   2 root root   4096 Nov  9 04:08 bin
drwxr-xr-x   3 root root   4096 Nov 11 09:29 boot
drwxr-xr-x  23 root root 122880 Nov 14 02:36 dev
drwxr-xr-x  68 root root  12288 Jan 10 04:03 etc
drwxr-xr-x 189 root root   4096 Jan  9 00:40 home
drwxr-xr-x   2 root root   4096 Mar 12  2004 initrd
drwxr-xr-x   9 root root   4096 Nov  9 04:07 lib
drwx------   2 root root  16384 Sep 26  2004 lost+found
drwxr-xr-x   2 root root   4096 Apr 14  2004 misc
drwxr-xr-x   6 root root   4096 Nov 12 02:11 mnt
drwxr-xr-x   3 root root   4096 Oct 15 22:17 opt
dr-xr-xr-x 307 root root      0 Nov 14 02:36 proc
drwx------  44 root root   8192 Jan  9 16:23 root
drwxr-xr-x   2 root root   8192 Nov  9 04:08 sbin
drwxr-xr-x   2 root root   4096 Mar 12  2004 selinux
drwxr-xr-x   9 root root      0 Nov 14 02:36 sys
drwxrwxrwt  20 root root   4096 Jan 10 06:46 tmp
drwxr-xr-x  17 root root   4096 Dec  7  2004 usr
drwxr-xr-x  26 root root   4096 Jan 10  2005 var

Then you can process the output however you want using the normal shell conventions.

You can also do something called forced-command where you force any login attempt to run a specific command regardless of what is specified on the command line by the client.

To do this, you put this option and the command you want to force in the authorized_keys file on the remote host, in front of the key (sshd requires the command to be in double quotes):

command="/usr/bin/backup" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvna…..

Put the option before the start of the line for the key. There are other options you can use here, like from= to allow logins only from a specific host. These options can be put together separated by commas.
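A forced-command wrapper, as an added example that is not from the tutorial (the tutorial's /usr/bin/backup is not shown on the page): it reads the command the client actually asked for from SSH_ORIGINAL_COMMAND, which sshd sets whenever a command= option is in force, and honours only a backup allowlist. The script name backup-only, the /srv/backups directory and the client address in the sample authorized_keys line are assumptions.

```shell
#!/bin/sh
# Added example, not the tutorial's /usr/bin/backup. Install this script as
# /usr/local/bin/backup-only (hypothetical path) and bind it to the backup
# key with an authorized_keys line such as (constructed values):
#   from="203.0.113.10",command="/usr/local/bin/backup-only",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... backup@client
# With command= in force sshd runs THIS script no matter what the client
# typed, and puts the client's own request into SSH_ORIGINAL_COMMAND (unset
# when the client asked for a plain shell). The extra no-* options matter:
# a forced command alone does not stop the key from being used for port or
# agent forwarding.

BACKUP_ROOT=/srv/backups     # hypothetical tree this key may read from

# Return 0 if request $1 is something a backup client legitimately sends,
# 1 otherwise. Kept as a pure function so it can be tested without sshd.
backup_cmd_allowed() {
    nl='
'
    case $1 in
        # Empty request = "give me a shell": never for this key.
        "") return 1 ;;
        # Shell metacharacters or embedded newlines: the allowed commands
        # never need them, so refuse before any pattern gets a chance.
        *[';&|`$()<>*?']*|*"$nl"*) return 1 ;;
        # rsync pulls; rsync's server side is invoked as
        # "rsync --server --sender <flags> . <path>". Confine the path under
        # BACKUP_ROOT and reject any ".." component.
        "rsync --server --sender "*" $BACKUP_ROOT/"*)
            case $1 in *"/../"*|*"/..") return 1 ;; esac
            return 0 ;;
        # A listing of what is available.
        "ls -l $BACKUP_ROOT") return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    req=${SSH_ORIGINAL_COMMAND:-}
    if backup_cmd_allowed "$req"; then
        logger -t backup-only "allowed: $req" 2>/dev/null || :
        # Word-splitting is safe here: metacharacters were refused above and
        # the command prefix is fixed by the allowlist.
        # shellcheck disable=SC2086
        exec $req
    fi
    # Refusals are worth logging: they are either a misconfigured client or
    # someone trying the key for something it was never meant to do.
    logger -t backup-only "refused: ${req:-<interactive shell>}" 2>/dev/null || :
    echo "this key may only run backups" >&2
    exit 1
}

# Only act when installed under its real name; sourcing the file or running
# it under another name just defines the functions.
case ${0##*/} in backup-only) main ;; esac
```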


SCP is basically a program that uses the SSH protocol to send files between hosts over an encrypted connection. You can transfer files from your local computer to a remote host or vice versa, or even from a remote host to another remote host.

Here is a basic command that copies a file called report.doc from the local computer to a file by the same name on the remote computer.

Note how the lack of a destination filename just preserves the original name of the file. This is also the case if the remote destination includes the path to a directory on the remote host.

To copy the file back from the server, you just reverse the from and to.

If you want to specify a new name for the file on the remote computer, simply give the name after the colon on the to side.

Or if you want to copy it to a directory relative to the home directory for the remote user specified.

scp report.doc .net:reports/monday.doc

You can also use full paths, which are preceded with a /.

To copy a whole directory recursively to a remote location, use the -r option. The following command copies a directory named mail to the home directory of the user on the remote computer.

Sometimes you will want to preserve the timestamps of the files and directories and if possible, the users, groups and permissions. To do this, use the -p option.

Sometimes you may have trouble keeping your SSH session up and idle. For whatever reason, the connection just dies after X minutes of inactivity. Usually this happens because there is a firewall between you and the internet that is configured to only keep stateful connections in its memory for 15 or so minutes.

Fortunately, in recent versions of OpenSSH, there is a fix for this problem. Simply put the following:

Host *
Protocol 2
TCPKeepAlive yes
ServerAliveInterval 60

The file above can be used for any client side SSH configuration. See the ssh_config man page for more details. TCPKeepAlive yes enables TCP-level keepalive probes on the connection, and ServerAliveInterval 60 tells the ssh client to send a small alive message through the encrypted channel every 60 seconds to let the server know that it is still there. This tricks many firewalls that would otherwise drop the connection into keeping your connection going.

All good things come to an end. And there are many common ways to end your SSH session.

The last one is actually the user pressing the Ctrl key and the letter d at the same time. These all are ways of terminating the SSH session from the server side. They usually exit the shell which in turn logs you off the machine.

What you may not know is that there is another way to close an SSH session. This is useful if you lose connectivity with the machine and you have no way of ending your shell session. For example, this happens momentarily if you stay logged into a machine while it is shut down. SSH has its own command line escape sequences. These can be used to end connections, create new port forwards or list current ones, and a few other functions. To end a connection even when you don't have a command prompt, type return twice (for good measure) and then the sequence ~. (that's a tilde followed by a period).

This will terminate the SSH connection from the client end instead of the server end.

Here are some links where you can find more information about SSH

Mark's presentation notes from the January 2006 BLUG meeting

The old non-wiki version of this tutorial (last modified 2007-08-04)

The much older version of this tutorial (1999-02-21)

Linked to by front page (2006-03-03) (823 diggs!)

This tutorial was cited by Patent WO2009077781 A1

Original document, graphics and examples by Mark Krenz ()

Thank you to the following people for sending corrections:

(noticing that MySQL should be 3306, not 3066)

(Suggesting a clarification in the username and password prompt section)

(Suggesting the switch to RSA 4096 bit keys; this document was way overdue for that change, thanks)

Other people listed o


Understanding the SSH Encryption and Connection Process


SSH, or secure shell, is a secure protocol and the most common way of safely administering remote servers. Using a number of encryption technologies, SSH provides a mechanism for establishing a cryptographically secured connection between two parties, authenticating each side to the other, and passing commands and output back and forth.

In other guides, we have discussed how to configure SSH key-based access, how to connect using SSH, and some SSH tips and tricks.

In this guide, we will be examining the underlying encryption techniques that SSH employs and the methods it uses to establish secure connections. This information can be useful for understanding the various layers of encryption and the different steps needed to form a connection and authenticate both parties.

In order to secure the transmission of information, SSH employs a number of different types of data manipulation techniques at various points in the transaction. These include forms of symmetrical encryption, asymmetrical encryption, and hashing.

The relationship between the keys used to encrypt and decrypt data determines whether an encryption scheme is symmetric or asymmetric.

Symmetrical encryption is a type of encryption where one key can be used to encrypt messages to the opposite party, and also to decrypt the messages received from the other participant. This means that anyone who holds the key can encrypt and decrypt messages to anyone else holding the key.

This type of encryption scheme is often called shared secret encryption, or secret key encryption. There is typically only a single key that is used for all operations, or a pair of keys where the relationship is easy to discover and it is trivial to derive the opposite key.

Symmetric keys are used by SSH to encrypt the entire connection. Contrary to what some users assume, the public/private key pairs you create are used only for authentication, not for encrypting the connection. It is the symmetric encryption that protects even password authentication from snooping.

The client and server both contribute toward establishing this key, and the resulting secret is never known to outside parties. The secret key is created through a process known as a key exchange algorithm. This exchange results in the server and client both arriving at the same key independently by sharing certain pieces of public data and manipulating them with certain secret data. This process is explained in greater detail later on.

The symmetrical encryption key created by this procedure is session-based and constitutes the actual encryption for the data sent between server and client. Once this is established, the rest of the data must be encrypted with this shared secret. This is done prior to authenticating a client.

SSH can be configured to use a variety of symmetric ciphers, including AES, Blowfish, 3DES, CAST128, and Arcfour. The server and client each hold a list of their supported ciphers, ordered by preference. The first option on the client's list that the server also supports is used as the cipher in both directions.

On Ubuntu 14.04, both the client and the server default to this list: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour.

This means that if two Ubuntu 14.04 machines connect to each other (without overriding the default ciphers through configuration options), they will always use the aes128-ctr cipher to encrypt their connection. Note that arcfour (RC4), blowfish-cbc, cast128-cbc and the CBC modes in general have since been dropped from the defaults of current OpenSSH releases, which prefer chacha20-poly1305@openssh.com and the AES-GCM and AES-CTR modes; ssh -Q cipher lists what a given build supports.

Asymmetrical encryption is different from symmetrical encryption in that to send data in a single direction, two associated keys are needed. One of these keys is known as theprivate key, while the other is called thepublic key.

The public key can be freely shared with any party. It is associated with its paired key, but the private keycannotbe derived from the public key. The mathematical relationship between the public key and the private key allows the public key to encrypt messages that can only be decrypted by the private key. This is a one-way ability, meaning that the public key has no ability to decrypt the messages it writes, nor can it decrypt anything the private key may send it.

The private key should be kept entirely secret and should never be shared with another party. This is a key requirement for the public key paradigm to work. The private key is the only component capable of decrypting messages that were encrypted using the associated public key. By virtue of this fact, any entity capable of decrypting these messages has demonstrated that it is in control of the private key.

SSH uses asymmetric cryptography in a few different places. During the initial key exchange used to set up the symmetric encryption for the session, both parties generate ephemeral key pairs for that exchange alone, trade the public halves, and derive the shared secret from them. The server also signs the exchange with its long-lived host key, so that the client can confirm which server it is talking to.

The more widely discussed use of asymmetric cryptography in SSH is key-based authentication. SSH key pairs can be used to authenticate a client to a server. The client creates a key pair and then uploads the public key to each remote server it wishes to access. It is placed in a file called authorized_keys within the ~/.ssh directory of the user account's home directory on the remote server.

After the symmetric encryption is established to secure communications between the server and client, the client must authenticate to be allowed access. The client proves that it holds the private key by signing a message that includes the session identifier; the server verifies that signature with the matching public key from this file. If the signature checks out, the server sets up the environment for the client.

Another form of data manipulation that SSH takes advantage of is cryptographic hashing. Cryptographic hash functions produce a fixed-length digest of an arbitrary amount of data. Their main distinguishing attributes are that they are never meant to be reversed, their output cannot be influenced in a predictable way, and collisions are practically impossible to find.

Using the same hashing function and message should produce the same hash; modifying any portion of the data should produce an entirely different hash. A user shouldnotbe able to produce the original message from a given hash, but theyshouldbe able to tell if a given message produced a given hash.

Given these properties, hashes are mainly used for data integrity purposes and to verify the authenticity of communication. The main use in SSH is with HMAC, or hash-based message authentication codes. These are used to ensure that the received message text is intact and unmodified.

As part of the symmetrical encryption negotiation outlined above, a message authentication code (MAC) algorithm is selected. The algorithm is chosen by working through the clients list of acceptable MAC choices. The first one out of this list that the server supports will be used.

Each packet sent after the encryption is negotiated carries a MAC so that the other party can verify its integrity. The MAC is calculated from the integrity key derived from the shared secret, the packet sequence number (which both sides count independently and never transmit), and the packet contents.

In the SSH-2 transport protocol as originally specified, the MAC is computed over the plaintext packet and sent unencrypted as the final part of the packet, after the encrypted data (encrypt-and-MAC). Cryptographers generally recommend the other order, encrypting first and then computing the MAC over the ciphertext (encrypt-then-MAC), which is why OpenSSH added the -etm@openssh.com MAC variants and now prefers AEAD ciphers (AES-GCM, chacha20-poly1305@openssh.com) that authenticate the ciphertext directly.

You probably already have a basic understanding of how SSH works. The SSH protocol employs a client-server model to authenticate two parties and encrypt the data between them.

The server component listens on a designated port for connections. It is responsible for negotiating the secure connection, authenticating the connecting party, and spawning the correct environment if the credentials are accepted.

The client is responsible for beginning the initial TCP handshake with the server, negotiating the secure connection, verifying that the servers identity matches previously recorded information, and providing credentials to authenticate.

An SSH session is established in two separate stages. The first is to agree upon and establish encryption to protect future communication. The second stage is to authenticate the user and discover whether access to the server should be granted.

When a TCP connection is made by a client, the server responds with the protocol version it supports. If the client can match one of the acceptable protocol versions, the connection continues. The server also provides its public host key, which the client checks against the copy it recorded on earlier connections (OpenSSH keeps these in ~/.ssh/known_hosts) to confirm that this is the intended host. A changed host key is the signal that the client is talking to a different machine, or to an interceptor.

At this point, both parties negotiate a session key using a version of something called the Diffie-Hellman algorithm. This algorithm (and its variants) make it possible for each party to combine their own private data with public data from the other system to arrive at an identical secret session key.

The session key will be used to encrypt the entire session. The public and private key pairs used for this part of the procedure are completely separate from the SSH keys used to authenticate a client to the server.

The basis of this procedure for classic Diffie-Hellman is:

Both parties agree on a large prime number p, which serves as the modulus for all the arithmetic that follows.

Both parties agree on a generator g (a small number such as 2 for the standard groups), which is raised to powers modulo p to produce the values that are exchanged. This is plain modular arithmetic; AES and the other ciphers play no part in this step.

Independently, each party picks a random secret integer. This number serves as the private value for this exchange (distinct from the private SSH key used for authentication) and does not need to be prime.

The private value, the generator and the shared prime are used to compute a public value (g raised to the private value, modulo p) that is derived from the private value but can be shared with the other party.

Both participants then exchange their public values.

The receiving entity uses their own private key, the other partys public key, and the original shared prime number to compute a shared secret key. Although this is independently computed by each party, using opposite private and public keys, it will result in the

The shared secret is then used to encrypt all communication that follows.

The framing used to carry this encrypted traffic for the rest of the connection is called the binary packet protocol. The above process lets each party contribute equally to the shared secret, so that neither end can dictate it. It also produces an identical shared secret on both sides without ever sending that secret over the insecure channel.

The generated secret is a symmetric key, meaning that the same key used to encrypt a message can be used to decrypt it on the other side. The purpose of this is to wrap all further communication in an encrypted tunnel that cannot be deciphered by outsiders.

After the session encryption is established, the user authentication stage begins.

The next stage involves authenticating the user and deciding access. There are a few different methods that can be used for authentication, based on what the server accepts.

The simplest is probably password authentication, in which the server simply prompts the client for the password of the account they are attempting to login with. The password is sent through the negotiated encryption, so it is secure from outside parties.

Even though the password is encrypted in transit, this method is not generally recommended: passwords are short and human-chosen, so an attacker who can reach the server can guess them online (or crack a leaked hash offline) far more cheaply than attacking a key, and a compromised or impersonated server learns the password itself.

The most popular and recommended alternative is the use of SSH key pairs. SSH key pairs are asymmetric keys, meaning that the two associated keys serve different functions.

For RSA keys the public key can encrypt data that only the private key can decrypt; for SSH authentication what matters is the reverse relationship: the private key produces signatures that anyone holding the public key can verify. The public key can be freely shared because there is no practical way to derive the private key from it.

Authentication using SSH key pairs begins after the symmetric encryption has been established as described in the last section. In SSH-2 (RFC 4252) the procedure happens like this:

The client sends an SSH_MSG_USERAUTH_REQUEST naming the user, the service, the method publickey, the key algorithm, and the public key it would like to authenticate with.

The server checks the authorized_keys file of the account that the client is attempting to log into for that public key. If it is not there, the server replies with SSH_MSG_USERAUTH_FAILURE, and the client can try another key or another method.

If the key is acceptable, the client sends the request again, this time carrying a signature made with its private key. The signed data is the session identifier (the exchange hash from the key exchange) followed by the fields of the request itself.

The server verifies the signature with the stored public key. Because the session identifier is bound into the signed data, a signature captured from one session cannot be replayed in another. If the signature verifies, the client has proved possession of the private key and the server sends SSH_MSG_USERAUTH_SUCCESS.

The challenge-response scheme sometimes described for this step, in which the server encrypts a random number with the public key and the client returns an MD5 hash of that number combined with the session key, is how the obsolete SSH-1 protocol performed RSA authentication; it is not used by SSH-2.

As you can see, the asymmetry of the keys allows the client to prove that it holds the private key without ever revealing it, while the server needs only the public key. The two types of cryptography that are used (symmetric shared secret, and asymmetric public-private keys) are each able to leverage their specific strengths in this model.

Learning about the connection negotiation steps and the layers of encryption at work in SSH can help you better understand what is happening when you login to a remote server. Hopefully, you now have a better idea of relationship between various components and algorithms, and understand how all of these pieces fit together.


This work is licensed under aCreative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

SSH The Secure Shell The Definitive Guide


Secure your computer network with SSH! With transparent, strong encryption, reliable public-key authentication, and a highly configurable client/server architecture, SSH (Secure Shell) is a popular, robust, TCP/IP-based solution to many network security and privacy concerns. It supports secure remote logins, secure file transfer between computers, and a unique tunneling capability that adds encryption to otherwise insecure network applications. Best of all, SSH is free, with feature-filled commercial versions available as well.

SSH: The Secure Shell: The Definitive Guide

covers the Secure Shell in detail for both system administrators and end users. It demystifies the SSH man pages and includes thorough coverage of:

SSH1, SSH2, OpenSSH, and F-Secure SSH for Unix, plus Windows and Macintosh products: the basics, the internals, and complex applications.

Configuring SSH servers and clients, both system-wide and per user, with recommended settings to maximize security.

Advanced key management using agents, agent forwarding, and forced commands.

Forwarding (tunneling) of TCP and X11 applications in depth, even in the presence of firewalls and network address translation (NAT).

Undocumented behaviors of popular SSH implementations.

Installing and maintaining SSH systems.

Whether you're communicating on a small LAN or across the Internet, SSH can ship your data from here to there efficiently and securely. So throw away those insecure .rhosts and hosts.equiv files, move up to SSH, and make your network a safe place to live and work.

Authentication by Cryptographic Key

Connecting Without a Password or Passphrase

SSH and File Transfers (scp and sftp)

Installation and Compile-Time Configuration

Letting People in: Authentication and Access Control

Compatibility Between SSH-1 and SSH-2 Servers

Forwarding Security: TCP-wrappers and libwrap

Debug Messages: Your First Line of Defense

SSH1 Port by Sergey Okhapkin (Windows)

Obtaining and Installing the Server

F-Secure SSH Client (Windows, Macintosh)

© 2017 OReilly Media, Inc. All trademarks and registered trademarks appearing on are the property of their respective owners.


SSH (Secure Shell)

Install the server and client packages:

sudo yum install -y openssh-server openssh-clients

sudo apt-get install -y openssh-server openssh-client

Relevant settings in sshd_config:

Protocol 2,1 : allows both SSH protocol versions 2 and 1. Version 1 is obsolete and insecure; a hardened server should use Protocol 2 only, and current OpenSSH releases no longer support version 1 at all.

PasswordAuthentication yes : allows password logins over SSH. Once key-based login works, set this to no so that only keys are accepted.

PermitEmptyPasswords no : refuses logins to accounts with an empty password.

Key-based login: the key pair consists of id_rsa (the private key, which stays on the client) and the matching public key file. Append the public key to the target account's authorized_keys:

cat /root/.ssh/ /root/.ssh/authorized_keys

sudo chmod 600 /root/.ssh/authorized_keys

Load id_rsa as the private key in your SSH client (for example Xshell) to log in without a password.

Protocol Basics Secure Shell Protocol – The Internet Protocol Journal Volume 12 No4

Secure Shell (SSH) Protocol is a protocol for secure network communications designed to be relatively simple and inexpensive to implement. The initial version, SSH1, focused on providing a secure remote logon facility to replace Telnet and other remote logon schemes that provided no security [4]. SSH also provides a more general client-server capability and can be used to secure such network functions as file transfer and e-mail. A new version, SSH2, provides a standardized definition of SSH and improves on SSH1 in numerous ways. SSH2 is documented as a proposed standard in RFCs 4250 through 4256 [13], [58].

SSH client and server applications are widely available for most operating systems. It has become the method of choice for remote login and X tunneling and is rapidly becoming one of the most pervasive applications for encryption technology outside of embedded systems. SSH is organized as three protocols that typically run on top of TCP (Figure 1):

Transport Layer Protocol: Provides server authentication, data confidentiality, and data integrity with forward secrecy (that is, if a key is compromised during one session, the knowledge does not affect the security of earlier sessions); the transport layer may optionally provide compression.

User Authentication Protocol: Authenticates the user to the server.

Connection Protocol: Multiplexes multiple logical communications channels over a single underlying SSH connection.

Server authentication occurs at the transport layer, based on the server possessing a public-private key pair. A server may have multiple host keys using multiple different asymmetric encryption algorithms. Multiple hosts may share the same host key. In any case, the server host key is used during key exchange to authenticate the identity of the host. For this authentication to be possible, the client must have presumptive knowledge of the server public host key. RFC 4251 dictates two alternative trust models that can be used:

The client has a local database that associates each host name (as typed by the user) with the corresponding public host key. This method requires no centrally administered infrastructure and no third-party coordination; OpenSSH's known_hosts file is an instance of it. The downside is that the database of name-to-key associations may become burdensome to maintain.

The host name-to-key association is certified by a trusted certification authority (CA). The client knows only the CA root key and can verify the validity of all host keys certified by accepted CAs. This alternative eases the maintenance problem, because ideally only a single CA key needs to be securely stored on the client. On the other hand, each host key must be appropriately certified by a central authority before authorization is possible.

Figure 2: SSH Transport Layer Protocol Packet Exchanges

Figure 2 illustrates the sequence of events in the SSH Transport Layer Protocol. First, the client establishes a TCP connection to the server. This step uses TCP itself and is not part of the Transport Layer Protocol. When the connection is established, the client and server exchange data, referred to as packets, in the data field of a TCP segment. Each packet is in the following format (Figure 3):

Packet length is the length of the packet in bytes, not including the packet length and Message Authentication Code (MAC) fields.

Padding length is the length of the random padding field.

Payload constitutes the useful contents of the packet. Prior to algorithm negotiation, this field is uncompressed. If compression is negotiated, then in subsequent packets this field is compressed.

Random padding: After an encryption algorithm is negotiated, this field is added. It contains random bytes of padding so that the total length of the packet (excluding the MAC field) is a multiple of the cipher block size, or 8 bytes for a stream cipher. There must be at least four bytes of padding.

Message authentication code (MAC): If message authentication has been negotiated, this field contains the MAC value. The MAC value is computed over the entire packet plus a sequence number, excluding the MAC field. The sequence number is an implicit 32-bit packet sequence that is initialized to zero for the first packet and incremented for every packet. The sequence number is not included in the packet sent over the TCP connection.

Figure 3: SSH Transport Layer Protocol Packet Formation

After an encryption algorithm is negotiated, the entire packet (excluding the MAC field) is encrypted after the MAC value is calculated.
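The framing and MAC rules above (and the MAC discussion in the earlier guide) as an added example; this is not code from either article. It frames a payload into an RFC 4253 packet, computes HMAC-SHA1 over the implicit sequence number and the plaintext packet, and shows the receiver rejecting a packet whose sequence number does not match (a replayed or reordered packet) or whose bytes were altered. The integrity key and the 16-byte block size are constructed for the example, and the encryption step is left out so that it runs with the standard library alone.

```python
import hashlib
import hmac
import os
import struct

# Constructed for the example: a real session derives this key as
# HASH(K || H || "E" || session_id) (client-to-server integrity key).
INTEGRITY_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233")
BLOCK_SIZE = 16  # assumed cipher block size (AES); 8 for a stream cipher


def build_packet(payload: bytes, seq: int, mac_key: bytes = INTEGRITY_KEY,
                 block_size: int = BLOCK_SIZE):
    """Frame one transport packet and compute its MAC (RFC 4253 section 6).

    Returns (packet, mac).  packet = packet_length || padding_length ||
    payload || random padding, padded to a multiple of block_size with at
    least 4 padding bytes.  mac = HMAC(key, uint32 seq || packet) over the
    plaintext; the sender would then encrypt `packet` and append `mac`
    unencrypted (encrypt-and-MAC).  Encryption itself is not shown.
    """
    padding_len = block_size - ((4 + 1 + len(payload)) % block_size)
    if padding_len < 4:
        padding_len += block_size
    packet_len = 1 + len(payload) + padding_len   # excludes the length field itself
    packet = (struct.pack(">IB", packet_len, padding_len)
              + payload + os.urandom(padding_len))
    mac = hmac.new(mac_key, struct.pack(">I", seq) + packet, hashlib.sha1).digest()
    return packet, mac


def verify_packet(packet: bytes, mac: bytes, seq: int,
                  mac_key: bytes = INTEGRITY_KEY) -> bytes:
    """Check the MAC with the receiver's own sequence counter, then unframe.

    The sequence number never travels on the wire; both sides count packets
    independently, so a packet replayed or delivered out of order fails the
    MAC check exactly as a tampered one does.  Raises ValueError on failure.
    """
    expected = hmac.new(mac_key, struct.pack(">I", seq) + packet, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, mac):
        raise ValueError("MAC mismatch for sequence number %d" % seq)
    packet_len, padding_len = struct.unpack(">IB", packet[:5])
    if packet_len != len(packet) - 4 or padding_len < 4:
        raise ValueError("malformed packet")
    return packet[5:5 + packet_len - 1 - padding_len]


def mac_check_outcome(packet: bytes, mac: bytes, seq: int) -> str:
    """Classify the receiver's verdict: 'ok', 'bad-mac' or 'malformed'."""
    try:
        verify_packet(packet, mac, seq)
        return "ok"
    except ValueError as err:
        return "bad-mac" if "MAC" in str(err) else "malformed"


if __name__ == "__main__":
    pkt, tag = build_packet(b"hello", seq=0)
    print(len(pkt) % BLOCK_SIZE == 0, mac_check_outcome(pkt, tag, 0))
    print(mac_check_outcome(pkt, tag, 1))                                 # wrong sequence number
    print(mac_check_outcome(pkt[:-1] + bytes([pkt[-1] ^ 0xFF]), tag, 0))  # one byte changed
```

With an -etm@openssh.com MAC the only change would be to compute the HMAC over the ciphertext (with the length field left unencrypted) instead of over the plaintext packet; the sequence-number binding and the padding rules stay the same.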

The SSH Transport Layer packet exchange consists of a sequence of steps (Figure 2). The first step, theidentification string exchange,begins with the client sending a packet with an identification string of the form:

SSH-protoversion-softwareversion SP comments CR LF

where SP, CR, and LF are the space character, carriage return, and line feed, respectively. An example of a valid string is SSH-2.0-billsSSH_3.6.3q3 followed by CR LF. The server responds with its own identification string. These strings are used in the Diffie-Hellman key exchange.

Next comes algorithm negotiation. Each side sends an SSH_MSG_KEXINIT containing lists of supported algorithms in the order of preference to the sender. Each type of cryptographic algorithm has one list. The algorithms include key exchange, encryption, MAC algorithm, and compression algorithm. Table 1 shows the allowable options for encryption, MAC, and compression. For each category, the algorithm chosen is the first algorithm on the client's list that is also supported by the server.

Table 1: SSH Transport Layer Cryptographic Algorithms (selection)

Encryption
3des-cbc        Three-key Triple Data Encryption Standard (3DES) in Cipher-Block-Chaining (CBC) mode
twofish256-cbc  Twofish in CBC mode with a 256-bit key
twofish-cbc     Alias for twofish256-cbc (Twofish in CBC mode with a 256-bit key)
aes256-cbc      Advanced Encryption Standard (AES) in CBC mode with a 256-bit key
serpent256-cbc  Serpent in CBC mode with a 256-bit key

MAC
hmac-sha1       HMAC-SHA1; digest length = key length = 20
hmac-sha1-96    First 96 bits of HMAC-SHA1; digest length = 12; key length = 20
hmac-md5        HMAC-MD5; digest length = key length = 16
hmac-md5-96     First 96 bits of HMAC-MD5; digest length = 12; key length = 16

Of these, RFC 4253 makes 3des-cbc and hmac-sha1 mandatory to implement. The MD5-based MACs and the 96-bit truncations are legacy choices; current deployments use hmac-sha2-256 or an AEAD cipher instead.

The next step is key exchange. The specification allows for alternative methods of key exchange, but RFC 4253 itself specifies only two versions of Diffie-Hellman key exchange: diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1, which use the 1024-bit Oakley group 2 of RFC 2409 and the 2048-bit group 14 of RFC 3526 (later RFCs added group exchange and elliptic-curve methods). Both require only one packet in each direction. The following steps are involved in the exchange. In this, C is the client; S is the server; p is a large safe prime; g is a generator for a subgroup of GF(p); q is the order of the subgroup; V_S is the S identification string; V_C is the C identification string; K_S is the S public host key; I_C is the C SSH_MSG_KEXINIT message; and I_S is the S SSH_MSG_KEXINIT message that was exchanged before this part began. The values of p, g, and q are known to both client and server as a result of the algorithm selection negotiation. The hash function hash() is also decided during algorithm negotiation.

with its private host key. S sends (K_S

) to C. The signing operation may involve a second hashing operation.

really is the host key for S (for example, using certificates or a local database). C is also allowed to accept the key without verification; however, doing so will render the protocol insecure against active attacks (but may be desirable for practical reasons in the short term in many environments). C then computes

As a result of these steps, the two sides now share a master keyK. In addition, the server has been authenticated to the client, because the server has used its private key to sign its half of the DiffieHellman exchange. Finally, the hash valueHserves as a session identifier for this connection. When computed, the session identifier is not changed, even if the key exchange is performed again for this connection to obtain fresh keys.

Theend of key exchangeis signaled by the exchange ofSSH_MSG_NEWKEYSpackets. At this point, both sides may start using the keys generated fromK,as discussed subsequently.

The final step isservice request.The client sends anSSH_MSG_SERVICE_REQUESTpacket to request either the User Authentication or the Connection Protocol. Subsequent to this request, all data is exchanged as the payload of an SSH Transport Layer packet, protected by encryption and MAC.

The keys used for encryption and MAC (and any needed IVs) are generated from the shared secret key K, the hash value from the key exchange H, and the session identifier, which is equal to H unless there has been a subsequent key exchange after the initial key exchange. The values are computed as follows, where || denotes concatenation, K is encoded as an mpint, and "A" through "F" are single ASCII bytes:

Initial IV client to server: HASH(K || H || "A" || session_id)

Initial IV server to client: HASH(K || H || "B" || session_id)

Encryption key client to server: HASH(K || H || "C" || session_id)

Encryption key server to client: HASH(K || H || "D" || session_id)

Integrity key client to server: HASH(K || H || "E" || session_id)

Integrity key server to client: HASH(K || H || "F" || session_id)

where HASH() is the hash function determined during algorithm negotiation. If a key needs more bytes than HASH() produces, the output is extended as K1 = HASH(K || H || X || session_id), K2 = HASH(K || H || K1), K3 = HASH(K || H || K1 || K2), and so on, and the key is K1 || K2 || ... truncated to the required length.
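The negotiation rule, the Diffie-Hellman exchange and the key derivation above, which the earlier guide also describes in prose, as an added example that is not part of either article. It plays both sides of a diffie-hellman-group14-sha1 exchange (RFC 4253), computes the exchange hash H = hash(V_C || V_S || I_C || I_S || K_S || e || f || K), and derives the six keys with the extension rule. The identification strings, the KEXINIT payloads and the host key blob are constructed stand-ins, and the server's signature of H with its host key is not shown.

```python
import hashlib
import os
import struct

# 2048-bit MODP group 14 from RFC 3526, generator 2 (diffie-hellman-group14-sha1).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def negotiate(client_list, server_list):
    """RFC 4253 section 7.1: the first name on the client's list that the server also supports."""
    for name in client_list:
        if name in server_list:
            return name
    raise ValueError("no algorithm in common: %r vs %r" % (client_list, server_list))


def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """SSH mpint: big-endian magnitude with a leading 0x00 if the high bit is set."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return ssh_string(b)


def dh_keypair():
    """A random private exponent (any secret integer, not a prime) and g^x mod p."""
    x = 2 + int.from_bytes(os.urandom(32), "big")
    return x, pow(G, x, P)


def exchange_hash(V_C, V_S, I_C, I_S, K_S, e, f, K) -> bytes:
    """H = hash(V_C || V_S || I_C || I_S || K_S || e || f || K), RFC 4253 section 8."""
    data = (ssh_string(V_C) + ssh_string(V_S) + ssh_string(I_C) + ssh_string(I_S)
            + ssh_string(K_S) + ssh_mpint(e) + ssh_mpint(f) + ssh_mpint(K))
    return hashlib.sha1(data).digest()


def derive_key(K: int, H: bytes, letter: bytes, session_id: bytes, length: int) -> bytes:
    """K1 = HASH(K || H || X || session_id); Kn = HASH(K || H || K1 || ... || K(n-1));
    key = K1 || K2 || ... truncated to `length` (RFC 4253 section 7.2)."""
    out = hashlib.sha1(ssh_mpint(K) + H + letter + session_id).digest()
    while len(out) < length:
        out += hashlib.sha1(ssh_mpint(K) + H + out).digest()
    return out[:length]


def run_exchange():
    """Play both sides of one key exchange and return what each side ends up with."""
    V_C, V_S = b"SSH-2.0-exampleclient_1.0", b"SSH-2.0-exampleserver_1.0"
    I_C = b"<client SSH_MSG_KEXINIT payload>"      # stand-in for the real KEXINIT bytes
    I_S = b"<server SSH_MSG_KEXINIT payload>"
    K_S = b"<server public host key blob>"         # stand-in for the encoded host key
    cipher = negotiate(["aes256-ctr", "aes128-ctr"], ["aes128-ctr", "aes256-ctr"])
    x, e = dh_keypair()                # client: e = g^x mod p, sent to the server
    y, f = dh_keypair()                # server: f = g^y mod p, sent to the client
    K_server = pow(e, y, P)            # server: K = e^y mod p
    K_client = pow(f, x, P)            # client: K = f^x mod p
    H = exchange_hash(V_C, V_S, I_C, I_S, K_S, e, f, K_client)
    session_id = H                     # first exchange of the connection: session_id = H
    # The server would now sign H with its private host key and send (K_S, f, signature);
    # the client checks that signature against the host key it trusts.  Not shown here.
    letters = (b"A", b"B", b"C", b"D", b"E", b"F")
    keys = {L: derive_key(K_client, H, L, session_id, 32) for L in letters}
    return {"cipher": cipher, "K_client": K_client, "K_server": K_server, "H": H, "keys": keys}
```

Asking for 32-byte keys from a 20-byte SHA-1 output is deliberate: it exercises the extension rule, and a cipher such as aes256-ctr needs exactly that. A later key re-exchange would produce a new H but keep the original session_id.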

TheUser Authentication Protocolprovides the means by which the client is authenticated to the server.

Three types of messages are always used in the User Authentication Protocol. Authentication requests from the client have the format:

    byte      SSH_MSG_USERAUTH_REQUEST (50)
    string    user name
    string    service name
    string    method name
    ....      method specific fields

where user name is the authorization identity the client is claiming, service name is the facility to which the client is requesting access (typically the SSH Connection Protocol), and method name is the authentication method being used in this request. The first byte has decimal value 50, which is interpreted as SSH_MSG_USERAUTH_REQUEST.

If the server either rejects the authentication request or accepts the request but requires one or more additional authentication methods, the server sends a message with the format:

    byte      SSH_MSG_USERAUTH_FAILURE (51)
    name-list authentications that can continue
    boolean   partial success

where the name-list is a list of methods that may productively continue the dialog. If the server accepts authentication, it sends a single-byte message, SSH_MSG_USERAUTH_SUCCESS (52).

The message exchange involves the following steps:

1. The client sends an SSH_MSG_USERAUTH_REQUEST with a requested method of none.

2. The server checks to determine if the username is valid. If not, the server returns SSH_MSG_USERAUTH_FAILURE with the partial success value of false. If the username is valid, the server proceeds to step 3. (RFC 4252 allows a server to answer an unknown username with a bogus method list instead, which avoids revealing which accounts exist.)

3. The server returns SSH_MSG_USERAUTH_FAILURE with a list of one or more authentication methods to be used.

4. The client selects one of the acceptable authentication methods and sends an SSH_MSG_USERAUTH_REQUEST with that method name and the required method-specific fields. At this point, there may be a sequence of exchanges to perform the method.

5. If the authentication succeeds and more authentication methods are required, the server proceeds to step 3, using a partial success value of true. If the authentication fails, the server proceeds to step 3, using a partial success value of false.

6. When all required authentication methods succeed, the server sends an SSH_MSG_USERAUTH_SUCCESS message, and the Authentication Protocol is over.

The server may require one or more of the following authentication methods:

publickey: The details of this method depend on the public-key algorithm chosen. In essence, the client sends a message to the server that contains the client's public key, with the message signed by the client's private key. When the server receives this message, it checks to see whether the supplied key is acceptable for authentication and, if so, it checks to see whether the signature is correct.

password: The client sends a message containing a plaintext password, which is protected by encryption by the Transport Layer Protocol.

hostbased: Authentication is performed on the client's host rather than the client itself. Thus, a host that supports multiple clients would provide authentication for all its clients. This method works by having the client send a signature created with the private key of the client host. Thus, rather than directly verifying the user's identity, the SSH server verifies the identity of the client host and then believes the host when it says the user has already authenticated on the client side.
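The publickey method above, and the key-based authentication walk-through in the earlier guide, as an added example that is not part of either article. It builds the data the client signs for SSH_MSG_USERAUTH_REQUEST (the session identifier followed by the request fields, RFC 4252 section 7), verifies it on the server side against an authorized_keys table, and answers with SSH_MSG_USERAUTH_SUCCESS or SSH_MSG_USERAUTH_FAILURE; the same signature presented in another session is rejected. The RSA here is a textbook implementation written for this example (512-bit modulus, no PKCS#1 padding), not what OpenSSH's rsa-sha2-256 puts on the wire, and the user, service and session identifiers are constructed.

```python
import hashlib
import os
import struct

SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52


def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return ssh_string(b"\x00" + b if b[0] & 0x80 else b)


# Textbook RSA written for this example: no padding, not side-channel safe.
def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = 2 + int.from_bytes(os.urandom(8), "big") % (n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_keygen(bits: int = 512):
    """Returns ((d, n), (e, n)): the private key and the public key."""
    def random_prime(b):
        while True:
            c = int.from_bytes(os.urandom(b // 8), "big") | (1 << (b - 1)) | 1
            if is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (pow(e, -1, phi), p * q), (e, p * q)


def rsa_sign(priv, data: bytes) -> bytes:
    d, n = priv
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")   # h < n for a 512-bit n
    return pow(h, d, n).to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_verify(pub, data: bytes, sig: bytes) -> bool:
    e, n = pub
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(int.from_bytes(sig, "big"), e, n) == h


def pubkey_blob(pub) -> bytes:
    """ssh-rsa public key encoding: string "ssh-rsa" || mpint e || mpint n."""
    e, n = pub
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def signed_data(session_id, user, service, alg, blob) -> bytes:
    """What the client signs (RFC 4252 section 7).  The session identifier binds the
    signature to this connection, so it cannot be replayed into another one."""
    return (ssh_string(session_id) + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user) + ssh_string(service) + ssh_string(b"publickey")
            + b"\x01" + ssh_string(alg) + ssh_string(blob))


def client_request(priv, pub, session_id, user, service=b"ssh-connection"):
    blob = pubkey_blob(pub)
    sig = rsa_sign(priv, signed_data(session_id, user, service, b"ssh-rsa", blob))
    return {"user": user, "service": service, "alg": b"ssh-rsa", "blob": blob, "sig": sig}


def server_verify(authorized, session_id, req):
    """authorized maps user -> {blob: public key}, i.e. that account's authorized_keys.
    Returns (message number, methods that can continue, partial success)."""
    pub = authorized.get(req["user"], {}).get(req["blob"])
    if pub is None:                                   # key is not listed for this account
        return (SSH_MSG_USERAUTH_FAILURE, ["publickey", "password"], False)
    data = signed_data(session_id, req["user"], req["service"], req["alg"], req["blob"])
    if not rsa_verify(pub, data, req["sig"]):         # wrong key, or replay from another session
        return (SSH_MSG_USERAUTH_FAILURE, ["publickey", "password"], False)
    return (SSH_MSG_USERAUTH_SUCCESS, [], True)


def demo():
    priv, pub = rsa_keygen()
    authorized = {b"alice": {pubkey_blob(pub): pub}}         # constructed authorized_keys
    sid_a, sid_b = os.urandom(20), os.urandom(20)             # two sessions' identifiers
    req = client_request(priv, pub, sid_a, b"alice")
    ok = server_verify(authorized, sid_a, req)[0]
    replayed = server_verify(authorized, sid_b, req)[0]       # same request, other session
    unknown = server_verify(authorized, sid_a, dict(req, user=b"bob"))[0]
    return ok, replayed, unknown
```

Note that the server never receives anything secret: it stores and checks only the public key blob, which is why a leaked authorized_keys file does not let anyone log in.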

The SSH Connection Protocol runs on top of the SSH Transport Layer Protocol and assumes that a secure authentication connection is in use. That secure authentication connection, referred to as a tunnel, is used by the Connection Protocol to multiplex a number of logical channels.

RFC 4254, The Secure Shell (SSH) Connection Protocol, states that the Connection Protocol runs on top of the Transport Layer Protocol and the User Authentication Protocol. RFC 4251, SSH Protocol Architecture, states that the Connection Protocol runs over the User Authentication Protocol. In fact, the Connection Protocol runs over the Transport Layer Protocol, but assumes that the User Authentication Protocol has been previously invoked.

All types of communication using SSH, such as a terminal session, are supported using separate channels. Either side may open a channel. For each channel, each side associates a unique channel number, which need not be the same on both ends. Channels are flow-controlled using a window mechanism. No data may be sent to a channel until a message is received to indicate that window space is available. The life of a channel progresses through three stages: opening a channel, data transfer, and closing a channel.

When either side wishes to open a new channel, it allocates a local number for the channel and then sends a message of the form:

    byte      SSH_MSG_CHANNEL_OPEN (90)
    string    channel type
    uint32    sender channel
    uint32    initial window size
    uint32    maximum packet size
    ....      channel type specific data

where uint32 means unsigned 32-bit integer. The channel type ident
ifies the application for this channel, as described subsequently. The sender channel is the local channel number. The initial window size specifies how many bytes of channel data can be sent to the sender of this message without adjusting the window. The maximum packet size specifies the maximum size of an individual data packet that can be sent to the sender. For example, one might want to use smaller packets for interactive connections to get better interactive response on slow links.

If the remote side is able to open the channel, it returns aSSH_MSG_CHANNEL_OPEN_CONFIRMATIONmessage, which includes the sender channel number, the recipient channel number, and window and packet size values for incoming traffic. Otherwise, the remote side returns aSSH_MSG_CHANNEL_OPEN_FAILUREmessage with a reason code indicating the reason for failure.

After a channel is open,data transferis performed using aSSH_MSG_CHANNEL_DATAmessage, which includes the recipient channel number and a block of data. These messages, in both directions, may continue as long as the channel is open.

When either side wishes to close a channel, it sends an SSH_MSG_CHANNEL_CLOSE message, which includes the recipient channel number. Figure 4 provides an example of a Connection Protocol exchange.

Figure 4: Example SSH Connection Protocol Message Exchange
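As an added example (not part of the article), the following Python encodes and parses the SSH_MSG_CHANNEL_OPEN message described above and models the window mechanism that gates CHANNEL_DATA: nothing is sent beyond the window the peer advertised, and a WINDOW_ADJUST reopens it. The message numbers (90, 93) are the ones assigned by RFC 4254, which the article does not list.

```python
import struct

SSH_MSG_CHANNEL_OPEN = 90           # message numbers assigned by RFC 4254
SSH_MSG_CHANNEL_WINDOW_ADJUST = 93

def uint32(n):
    return struct.pack(">I", n)     # unsigned 32-bit integer, network byte order

def string(b):
    return uint32(len(b)) + b       # SSH "string": uint32 length followed by the bytes

def build_channel_open(channel_type, sender_channel, initial_window, max_packet):
    """Serialize SSH_MSG_CHANNEL_OPEN with the four fields described in the text."""
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + string(channel_type.encode())
            + uint32(sender_channel) + uint32(initial_window) + uint32(max_packet))

def parse_channel_open(msg):
    """Return (channel type, sender channel, initial window, max packet, extra bytes);
    the extra bytes are channel-type specific data, e.g. for direct-tcpip."""
    if msg[0] != SSH_MSG_CHANNEL_OPEN:
        raise ValueError("not an SSH_MSG_CHANNEL_OPEN message")
    (tlen,) = struct.unpack(">I", msg[1:5])
    channel_type = msg[5:5 + tlen].decode()
    sender, window, max_packet = struct.unpack(">III", msg[5 + tlen:17 + tlen])
    return channel_type, sender, window, max_packet, msg[17 + tlen:]

class ChannelSender:
    """Sending side of one channel: honours the peer's window and packet limits."""
    def __init__(self, initial_window, max_packet):
        self.window = initial_window        # bytes the peer will currently accept
        self.max_packet = max_packet

    def send(self, data):
        """Split data into CHANNEL_DATA payloads that fit in the window; return
        (payloads, remainder). The remainder must wait for a WINDOW_ADJUST."""
        payloads = []
        while data and self.window > 0:
            n = min(len(data), self.window, self.max_packet)
            payloads.append(data[:n])
            data = data[n:]
            self.window -= n
        return payloads, data

    def window_adjust(self, bytes_to_add):
        """Peer sent SSH_MSG_CHANNEL_WINDOW_ADJUST: it can accept this many more bytes."""
        self.window += bytes_to_add
```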

Four channel types are recognized in the SSH Connection Protocol specification: session, x11, forwarded-tcpip, and direct-tcpip.

session: Session refers to the remote execution of a program. The program may be a shell, an application such as file transfer or e-mail, a system command, or some built-in subsystem. When a session channel is opened, subsequent requests are used to start the remote program.

x11: This channel type refers to the X Window System, a computer software system and network protocol that provides a GUI for networked computers. X allows applications to run on a network server but be displayed on a desktop machine.

forwarded-tcpip: This channel type is remote port forwarding, as explained subsequently.

direct-tcpip: This channel type is local port forwarding, as explained subsequently.

One of the most useful features of SSH is port forwarding. Port forwarding provides the ability to convert any insecure TCP connection into a secure SSH connection. It is also referred to as SSH tunneling. We need to know what a port is in this context. A port is an identifier of a user of TCP. So, any application that runs on top of TCP has a port number. Incoming TCP traffic is delivered to the appropriate application on the basis of the port number. An application may employ multiple port numbers. For example, for the Simple Mail Transfer Protocol (SMTP), the server side generally listens on port 25, so that an incoming SMTP request uses TCP and addresses the data to destination port 25. TCP recognizes that this address is the SMTP server address and routes the data to the SMTP server application.

Figure 5: SSH Transport Layer Packet Exchanges

Figure 5 illustrates the basic concept behind port forwarding. We have a client application that is identified by port number x and a server application identified by port number y. At some point, the client application invokes the local TCP entity and requests a connection to the remote server on port y. The local TCP entity negotiates a TCP connection with the remote TCP entity, such that the connection links local port x to remote port y.

To secure this connection, SSH is configured so that the SSH Transport Layer Protocol establishes a TCP connection between the SSH client and server entities with TCP port numbers a and b, respectively. A secure SSH tunnel is established over this TCP connection. Traffic from the client at port x is redirected to the local SSH entity and travels through the tunnel where the remote SSH entity delivers the data to the server application on port y. Traffic in the other direction is similarly redirected.

SSH supports two types of port forwarding: local forwarding and remote forwarding. Local forwarding allows the client to set up a hijacker process. This process will intercept selected application-level traffic and redirect it from an unsecured TCP connection to a secure SSH tunnel. SSH is configured to listen on selected ports. SSH grabs all traffic using a selected port and sends it through an SSH tunnel. On the other end, the SSH server sends the incoming traffic to the destination port dictated by the client application.

The following example should help clarify local forwarding. Suppose you have an e-mail client on your desktop and use it to get e-mail from your mail server through the Post Office Protocol (POP). The assigned port number for POP3 is port 110. We can secure this traffic in the following way:

1. The SSH client sets up a connection to the remote server.

2. Select an unused local port number, say 9999, and configure SSH to accept traffic from this port destined for port 110 on the server.

3. The SSH client informs the SSH server to create a connection to the destination, in this case mailserver port 110.

4. The client takes any bits sent to local port 9999 and sends them to the server inside the encrypted SSH session. The SSH server decrypts the incoming bits and sends the plaintext to port 110.

5. In the other direction, the SSH server takes any bits received on port 110 and sends them inside the SSH session back to the client, which decrypts and sends them to the process connected to port 9999.

With remote forwarding, the user's SSH client acts on the server's behalf. The client receives traffic with a given destination port number, places the traffic on the correct port, and sends it to the destination the user chooses.

A typical example of remote forwarding follows: You wish to access a server at work from your home computer. Because the work server is behind a firewall, it will not accept an SSH request from your home computer. However, from work you can set up an SSH tunnel using remote forwarding.

This process involves the following steps:

1. From the work computer, set up an SSH connection to your home computer. The firewall will allow this, because it is a protected outgoing connection.

2. Configure the SSH server to listen on a local port, say 22, and to deliver data across the SSH connection addressed to a remote port, say 2222.

3. You can now go to your home computer and configure SSH to accept traffic on port 2222.

4. You now have an SSH tunnel that you can use for remote logon to the work server.
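Both forwarding examples above (POP3 over local forwarding, and the work-to-home tunnel over remote forwarding) map onto the direct-tcpip and forwarded-tcpip channel types, whose CHANNEL_OPEN carries the same four extra fields. The following Python is an added example, not code from the article or from any SSH implementation: it encodes and decodes those fields and shows the checks each side should make before connecting anywhere. The sample addresses, ports and the allowlist are constructed; `server_permits` and `client_target` are hypothetical names for the policy checks, not OpenSSH functions.

```python
import struct
from typing import NamedTuple

def uint32(n): return struct.pack(">I", n)        # unsigned 32-bit, network order
def string(b): return uint32(len(b)) + b          # SSH string: length + bytes

class TcpipFields(NamedTuple):
    address: str          # direct-tcpip: host to connect; forwarded-tcpip: address that was connected
    port: int
    originator: str       # IP address of the connection being forwarded
    originator_port: int

def encode_tcpip_fields(f):
    """Fields that follow the generic CHANNEL_OPEN header for both channel types (RFC 4254)."""
    return (string(f.address.encode()) + uint32(f.port)
            + string(f.originator.encode()) + uint32(f.originator_port))

def decode_tcpip_fields(b):
    def take_string(off):
        (n,) = struct.unpack(">I", b[off:off + 4])
        return b[off + 4:off + 4 + n].decode(), off + 4 + n
    address, off = take_string(0)
    (port,) = struct.unpack(">I", b[off:off + 4])
    originator, off = take_string(off + 4)
    (oport,) = struct.unpack(">I", b[off:off + 4])
    return TcpipFields(address, port, originator, oport)

# Local forwarding (POP3 example): a process connected to local port 9999 from an
# ephemeral source port; the client asks the server, via direct-tcpip, to connect
# to mailserver:110. Constructed sample values.
POP3_OPEN = TcpipFields("mailserver", 110, "127.0.0.1", 52100)

def server_permits(fields, allowed):
    """Server side of a direct-tcpip request: connect only to destinations the
    administrator listed (OpenSSH enforces this with PermitOpen; this allowlist is a
    hypothetical stand-in for that check)."""
    return (fields.address, fields.port) in allowed

# Remote forwarding example: the home sshd listens on 2222 and, when someone connects
# to it, sends forwarded-tcpip naming the port that was connected. Constructed sample.
HOME_OPEN = TcpipFields("127.0.0.1", 2222, "127.0.0.1", 51234)

def client_target(fields, requested):
    """Client side of a forwarded-tcpip request: map the listening port back to the
    destination given when forwarding was requested (here 2222 -> localhost:22) and
    return None for any port this client never asked the server to listen on."""
    return requested.get(fields.port)
```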

SSH is one of the most commonly used cryptographic applications. It provides great flexibility and versatility for a wide variety of tasks, including remote administration, file transfer, web development, and penetration testing.

WILLIAM STALLINGS is a consultant, lecturer, and author of more than a dozen books on data communications and computer networking. His latest book is Cryptography and Network Security (Prentice Hall, 2010). He maintains a computer science resource site for computer science students and professionals at m/StudentSupport.html and is on the editorial board of Cryptologia. He has a Ph.D. in computer science from M.I.T. He can be reached

SSH Secure Shell-Secure Shell Client


Secure Shell Client – Quick Connect

Authentication Profile Settings

Connect - Enter your Password - OK

Secure File Transfer Client

/
  …
  usr
    apache2
      …
      conf
        …
        httpd.conf
      bin
        …
        apachectl
    tomcat5
      …
      conf
        …
        server.xml
      bin
        …
    webapps
      …
      eWebEditor

cd /usr/tomcat5/bin    (the tomcat5 bin directory)

cd /usr/apache2/bin    (the apache2 bin directory)

./apachectl start|stop|restart|graceful    (control apache)

ps -ef | grep java    (find the tomcat process ID)

In /usr/tomcat5/conf/server.xml:

<Host debug="0" appBase="" unpackWARs="true" autoDeploy="true">
  <Context path="" docBase="/usr/webapps/eWebEditor/" debug="0" privileged="true" reloadable="true"/>
</Host>

In /usr/apache2/conf/httpd.conf:

DocumentRoot /usr/webapps/eWebEditor/

ErrorLog logs/

CustomLog "|/usr/local/sbin/cronolog /usr/logs/apache_logs/" combined

<VirtualHost *>
  <LocationMatch "/WEB-INF/">
    AllowOverride None
    deny from all
  </LocationMatch>
  <LocationMatch "/META-INF/">
    AllowOverride None
    deny from all
  </LocationMatch>
  RewriteEngine on
  RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
  RewriteRule .* - [F]
  ServerAdmin
  DocumentRoot /usr/webapps/eWebEditor/
  ServerName
  ErrorLog logs/
  CustomLog "|/usr/local/sbin/cronolog /usr/logs/apache_logs/" combined
</VirtualHost>

