SSH Fundamentals
Prerequisite — Asymmetric Cryptography: SSH uses a key pair — a public key (shareable, like a padlock) and a private key (secret, like the key to that padlock). Anyone can encrypt data with your public key, but only your private key can decrypt it. SSH uses this to verify identity: the server challenges the client with the public key, and only the holder of the matching private key can respond correctly.
Concepts
What Is SSH?
SSH (Secure Shell) lets you securely log into a remote machine and execute commands over an encrypted connection. It replaces insecure protocols like Telnet and rsh.
SSH is the primary way Linux servers are managed — you rarely sit at the physical machine.
SSH Architecture
Your machine (client) ──SSH──→ Remote machine (server)
    ssh command                sshd daemon (port 22)
- Client: the `ssh` command (pre-installed everywhere)
- Server: the `sshd` daemon (needs to be installed and running)
Installing the SSH Server
The SSH client is pre-installed. The server may or may not be:
# Install SSH server
sudo apt install -y openssh-server
# Verify it's running
sudo systemctl status ssh
sudo systemctl enable --now ssh
# Check it's listening
sudo ss -tlnp | grep 22
Connecting
# Basic connection
ssh user@hostname
ssh user@192.168.1.100
# Specify port
ssh -p 2222 user@hostname
# Run a command without interactive shell
ssh user@hostname "ls -la /etc"
ssh user@hostname "df -h && free -h"
On first connection, SSH asks you to verify the server’s fingerprint:
The authenticity of host '192.168.1.100' can't be established.
ED25519 key fingerprint is SHA256:xyzABC...
Are you sure you want to continue connecting (yes/no)?
Type yes. The fingerprint is saved in ~/.ssh/known_hosts. If it changes in the future, SSH warns you (potential man-in-the-middle attack).
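The prompt above only protects you if the fingerprint is compared with the server's real host key. The script below is an added example, not part of the original lesson: it derives the `SHA256:` fingerprint from a public-key line the way OpenSSH displays it and compares it with the value from the prompt. The function names and the all-zero sample key are constructed for illustration, and it assumes the `base64` and `openssl` tools are installed.

```shell
#!/bin/sh
# Added example: check the fingerprint from the first-connection prompt against
# the server's real host key. Needs the base64 and openssl command-line tools.

# Constructed sample, not a real server key: an ssh-ed25519 public-key line
# whose 32 key bytes are all zero (43 base64 "A" characters after the header).
SAMPLE_HOST_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI$(printf '%043d' 0 | tr 0 A) root@example"

# Print "SHA256:<base64>" for a public-key line of the form "type blob [comment]".
# OpenSSH's fingerprint is the SHA-256 digest of the decoded key blob,
# base64-encoded with the trailing "=" padding removed.
host_key_fingerprint() {
    blob=$(printf '%s\n' "$1" | awk 'NR == 1 { print $2 }')
    [ -n "$blob" ] || return 2
    # Reject blobs that are not valid base64 before hashing anything.
    printf '%s' "$blob" | base64 -d >/dev/null 2>&1 || return 2
    digest=$(printf '%s' "$blob" | base64 -d | openssl dgst -sha256 -binary |
             base64 | tr -d '=\n')
    [ -n "$digest" ] || return 2
    printf 'SHA256:%s\n' "$digest"
}

# Compare a key line with the fingerprint copied from the ssh prompt.
# Returns 0 on match, 1 on mismatch, 2 if the key line cannot be parsed.
verify_host_fingerprint() {
    actual=$(host_key_fingerprint "$1") || return 2
    if [ "$actual" = "$2" ]; then
        echo "MATCH: $actual"
    else
        echo "MISMATCH: key hashes to $actual, prompt showed $2" >&2
        return 1
    fi
}

# Demo with the constructed key. On a real server you would pass the contents
# of its host public key file, read on the server itself or its console.
host_key_fingerprint "$SAMPLE_HOST_KEY"
```

For the localhost lab, OpenSSH's default Ed25519 host key is `/etc/ssh/ssh_host_ed25519_key.pub`, so `verify_host_fingerprint "$(cat /etc/ssh/ssh_host_ed25519_key.pub)" 'SHA256:...'` with the value copied from the prompt checks it before you type yes.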
File Transfer
scp — Secure Copy
# Copy local file to remote
scp file.txt user@host:/path/to/destination/
# Copy remote file to local
scp user@host:/path/to/file.txt ./
# Copy a directory (recursive)
scp -r localdir/ user@host:/path/
# Specify port
scp -P 2222 file.txt user@host:/path/
sftp — Interactive File Transfer
sftp user@host
# Commands inside sftp:
# ls, cd, pwd — navigate remote
# lls, lcd, lpwd — navigate local
# get file.txt — download
# put file.txt — upload
# exit — quit
rsync — Efficient Sync (Recommended)
# Sync a directory (only transfers changes)
rsync -avz localdir/ user@host:/path/to/remotedir/
# Sync with delete (mirror — removes files on remote that don't exist locally)
rsync -avz --delete localdir/ user@host:/path/to/remotedir/
# Dry run (show what would happen)
rsync -avzn localdir/ user@host:/path/to/remotedir/
rsync is preferred over scp for large transfers because it only sends differences.
SSH Authentication Methods
- Password — you type the remote user’s password (default, less secure)
- Key-based — you present a cryptographic key pair (more secure, can be passwordless)
Key-based authentication is covered in the next lesson.
Lab
Exercise 1: SSH Server Status
# Check if SSH server is installed and running
systemctl status ssh
# If not installed:
# sudo apt install -y openssh-server
# sudo systemctl enable --now ssh
Exercise 2: Connect to Yourself
# SSH into your own machine (for practice)
ssh $(whoami)@localhost
# Type your password, then:
hostname
whoami
exit
Exercise 3: Run Remote Commands
# Run a command without entering a shell
ssh $(whoami)@localhost "uname -a"
ssh $(whoami)@localhost "df -h /"
Exercise 4: File Transfer
# Create a test file
echo "test data" > /tmp/sshtest.txt
# Copy to "remote" (localhost)
scp /tmp/sshtest.txt $(whoami)@localhost:/tmp/sshtest_copy.txt
# Verify
ssh $(whoami)@localhost "cat /tmp/sshtest_copy.txt"
# Clean up
rm -f /tmp/sshtest.txt
ssh $(whoami)@localhost "rm -f /tmp/sshtest_copy.txt"
Review
1. What is SSH?
Secure Shell — a protocol for securely logging into remote machines, executing commands, and transferring files over an encrypted connection.
2. What port does SSH use by default?
Port 22 (TCP).
3. What is the difference between `scp` and `rsync`?
scp copies entire files. rsync transfers only the differences between source and destination, making it faster for large or repeated transfers. rsync also supports compression, deletion of extra files, and dry-run mode.
4. What happens when you connect to an SSH server for the first time?
SSH shows the server’s key fingerprint and asks you to verify it. If you type yes, the fingerprint is saved in ~/.ssh/known_hosts. Future connections verify the server against this saved fingerprint.
5. What package provides the SSH server on Debian/Ubuntu?
openssh-server. The client (ssh command) is part of openssh-client, which is pre-installed.