Intro to SSH

SSH is a foundational topic for anyone working on the web, and at a minimum it's important to understand how SSH is used for authentication with Git and similar tools. In this episode we'll cover these basics as well as some of the more interesting tricks we can pull off using SSH.

Public Key Cryptography

SSH uses public-key cryptography, which involves generating a key pair, made up of one private and one public key. The public key is shared openly, for instance uploading to GitHub, while the private key is kept... private.

When you attempt to connect to GitHub (using git@github.com... repo address), your local SSH command will encrypt the message using your public key, and GitHub can use the public key to confirm that the message was sent by you.

Note, Git & GitHub can operate over https using a username and password, but we recommend using SSH for Git operations, and we require it on the Upcase exercises repositories.

Generating and Uploading a Key

If you don't already have an SSH key-pair, or if you want to generate a new one, we recommend following the steps outlined in GitHub's documentation on Generating an SSH key.

Uploading a key

In order to upload your key to a service like GitHub or the Upcase exercises system, you'll need to copy the contents of the ~/.ssh/id_rsa.pub file. The most reliable way to do this is via the command line, but each OS has a slightly different command for this. Borrowing from GitHub's great [Adding a new SSH key to your GitHub account][] article, you can copy your public key data with:

# Mac
$ pbcopy < ~/.ssh/id_rsa.pub

# Windows
$ clip < ~/.ssh/id_rsa.pub

# Linux
$ sudo apt-get install xclip
$ xclip -sel clip < ~/.ssh/id_rsa.pub

Note: On Upcase, you can upload your SSH key, or even multiple keys, by visiting the [Clone Help Page][].

[Adding a new SSH key to your GitHub account]: https://help.github.com/articles/adding-a-new-ssh-key-to-your-github-account/ [Clone Help Page]: https://exercises.upcase.com/clone_help_page

PGP is Like SSH For Communication

[Pretty Good Privacy (PGP)][] is another technology that uses public key cryptography to authenticate and secure communications (emails, chats, etc). If you're interested in learning more, check out the Giant Robots post [PGP and You][] to learn how to get started with PGP.

[Pretty Good Privacy (PGP)]: http://www.pgpi.org/ [PGP and You]: https://robots.thoughtbot.com/pgp-and-you

SSH Overview

Thus far we've focused on SSH as used to authenticate a user, especially in the context of Git, but it turns out we can go much further with SSH and use it to securely connect and run a shell session on a remote system.

SSH Directory

To start exploring broader uses of SSH, we can first look in the ~/.ssh directory where SSH configuration files are stored. This directory can contain configuration files like config and known_hosts which we cover below, but mostly what you'll find here are one or more public + private key pairs.

SSH known_hosts

The ~/.ssh/known_hosts file is where SSH will save off the SSH identity of servers you've connected with in the past. If you've ever run a git command or attempted to connect to a server and seen the following:

$ ssh user@server.example.com
The authenticity of host 'server.example.com (170.107.142.187)' can't be established.
RSA key fingerprint is 8c:a1:91:f4:b9:dc:84:7f:0f:a9:db:21:a7:1d:27:e2.
Are you sure you want to continue connecting (yes/no)?

Then it means that you have not connected to that particular server before, but typically this should not be a concern unless you're sure you've connected to the host before.

SSH config

The ~/.ssh/config is a very useful file if you find yourself regularly connecting to remote servers, especially if you need to specify the user, identity file, etc. The structure of the file looks something like the following:

Host *
  Compression yes
Host client-x-server
  IdentityFile ~/.ssh/ardrone.pem
  UserKnownHostsFile /dev/null
  HostName nightly.example.com
  User ec2-user
Host whetstone-gitolite-server
  HostName git.upcase.com
  User root
Host staging-whetstone-gitolite-server
  HostName 192.241.168.30
  User root

Here we can see that each server gets a configuration block where we can specify a short / memorable name for the server (via the Host setting), the HostName / IP address, the User, and even the specific key to use via the IdentityFile option.

With this configuration in place, rather than needing to type all of:

$ ssh -i ~/.ssh/ardrone.pem ec2-user@nightly.example.com

we can simply SSH via the alias

$ ssh client-x-server

We can even get tab completion of these short names making our lives that much better!

SCP uses SSH

scp is a command for securely copying files, using SSH for authentication and encryption. With scp, we can use all the configurations we have in the ~/.ssh/config file, and make it very easy to copy a remote file:

$ scp whetstone-gitolite-server:/path/to/file ./local-filename

Depending on the speed of your connection, you can even tab complete out the files and directories on the remote server as you build up an scp command, all without having to type a password!

Running a Command via SSH

In some cases we just want a bit of data from a remote server, and thankfully we can use ssh to run a one-off command and print out the results. For instance, the following will lists the contents of the remote directory, opening and closing the SSH connection as needed:

$ ssh whetstone-gitolite-server ls /var/lib/gitolite3/repositories/christoomey

This can be extremely handy if you're building a script locally that you need to incorporate some data into from a remote server.