- SSH (Secure Shell) is installed on most systems (here GnuLinuxUbuntu and MacOsX) so don't panic about compilations (try Putty on Windows). Try a simple `ssh -V` to check the version or `which ssh` to locate the binary.
- Thanks to `ssh`, you can transport all your data (accessing files, merging repositories, launching remote X programs) transparently using a secure connection. Thanks to tunneling, this is also simpler and thus more secure for your computer and your provider. Having all security located in one interface is a big advantage: once your SSH communication channel is set up, you only need to focus on what you wish to do (SVN, etc.).
- Most documentation may be found in `man ssh-keygen` (remember that thanks to the underlying pager system, you can search for a keyword, for instance `hello`, by typing `/hello[ENTER]`). Many other sources of help exist, such as this FAQ
Setting up SSH: spreading the good keys
- There are many ways to authenticate your session, but mainly passwords or keys. Keys are to be preferred to avoid typing your password 10 times a day. They are also more secure (you type your key's password locally and not remotely).
- Generate a private/public key pair. Simple command to do this:
ssh-keygen -t rsa
- Copy the key to the
ssh-copy-id -i ~/.ssh/id_rsa.pub username@host
This can also be done using
scp ~/.ssh/id_rsa.pub username@host:~/mykey.pub
ssh username@host 'cat mykey.pub >> .ssh/authorized_keys'
- Now try logging into the remote machine again from local
- Check that your public key is in the list of authorized keys:
- Change password regularly:
It is not advised to use an empty passphrase; rather, use a key agent (see below).
- it is possible to create aliases of the ssh binary to hostnames... but more simply, you may put
alias myserver='ssh -Y -p2221 firstname.lastname@example.org'
where 2221 is here the port used by the SSH server on
- more cleanly, you may edit your
Host myserver.domain.com
    User myuser
    Port 2221
Be careful that the file permissions are right:
chmod 600 ~/.ssh/config
- An agent loads your keys on the local machines:
- it's more secure, since all passwords are typed locally; you only send encrypted authentication data
- it's more practical, since you type your password once per session
- GUI interface on MacOsX : http://www.sshkeychain.org/
- install with macports using `sudo port install SSHKeychain`, you'll find it in
Securing the server
- Robots usually try common name / password combinations on your SSH server. If you're the only user `admin_name` of your server, you may use in the SSH server configuration file (usually `/etc/ssh/sshd_config`) the option `AllowUsers admin_name` to restrict access to user `admin_name` and avoid brute force attacks. Since robots are most of the time dumb, they'll get an immediate `access denied` response to any connection request.
- Robots usually probe port `22`. To change the port the SSH server listens on, you can modify the default port in the SSH server configuration file (usually `/etc/ssh/sshd_config`). Another way is to use your router to redirect the outside port (for instance `2221`) to the default port of your server.
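
The two measures above (`AllowUsers` and a non-default `Port`) can be checked mechanically. The shell functions below are an added example, not part of the original page: the names `effective_values` and `audit_sshd_config` and the sample configuration are made up for illustration, and the check assumes whitespace-separated keywords and reads only the global section of the file (before any `Match` line).

```shell
#!/bin/sh
# Added example: check an sshd_config-style file for AllowUsers and Port.
# Assumptions: keywords are whitespace-separated, and only the global section
# (everything before the first "Match" line) is audited.

# effective_values FILE KEYWORD: print each global value of KEYWORD on its own
# line. Keywords are case-insensitive; Port and AllowUsers may both repeat.
effective_values() {
    awk -v want="$2" '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        tolower($1) == "match" { exit }      # conditional blocks start here
        tolower($1) == tolower(want) { for (i = 2; i <= NF; i++) print $i }
    ' "$1"
}

# audit_sshd_config FILE ADMIN: print findings; exit status = number found.
audit_sshd_config() {
    findings=0
    ports=$(effective_values "$1" Port)
    users=$(effective_values "$1" AllowUsers)
    # With no Port line at all, sshd listens on its default port, 22.
    if [ -z "$ports" ] || printf '%s\n' "$ports" | grep -qx 22; then
        echo "FINDING: sshd listens on the default port 22"
        findings=$((findings + 1))
    fi
    if [ -z "$users" ]; then
        echo "FINDING: no AllowUsers line, any account can attempt a login"
        findings=$((findings + 1))
    elif [ "$users" != "$2" ]; then
        echo "FINDING: AllowUsers is not limited to '$2':" \
            "$(printf '%s' "$users" | tr '\n' ' ')"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: the Port line is still commented out, no AllowUsers.
sample=$(mktemp)
printf '%s\n' '#Port 22' 'PasswordAuthentication yes' > "$sample"
audit_sshd_config "$sample" admin_name || echo "$? finding(s)"
rm -f "$sample"
```

On a live server, `sshd -T` prints the configuration the daemon actually uses and is the authoritative source; the functions above work on a copy of the file without needing access to the running service.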