Questions tagged [ssh]

SSH (Secure Shell) is a protocol for secure communication between computers to execute remote commands, transfer data and tunnel TCP connections.

SSH (Secure SHell) is a protocol to establish a secure channel (encrypted, authenticated and integrity-protected) and execute commands on a remote computer or transfer data between computers. It is the de facto standard protocol for remote command execution and secure file transfer in the Unix world.

SSH allows running remote shell commands, transferring files with SCP (file copy) or SFTP (FTP-like protocol, not to be confused with FTP over SSH or FTP over SSL), and tunnelling TCP connections by forwarding ports. Notable applications that operate over SSH include rsync and similar data transfer tools, and SSHFS to mount remote file trees.

SSH is built on a secure channel protocol that is somewhat similar but not identical to SSL. SSH usually uses passwords or public keys to authenticate users (other mechanisms exist) and public keys to authenticate servers. Unlike SSL, SSH has no common public-key infrastructure to certify server or user keys.

The most common implementations of SSH are OpenSSH (servers and desktops), Dropbear (embedded devices) and PuTTY (Windows client).

For functional questions on configuring SSH, see the ssh tag on Unix & Linux, Server Fault (for IT professionals managing multiple machines), Ask Different (Mac OS X and iOS), Ask Ubuntu or Super User (home PC under any operating system).

1220 questions
153 votes, 11 answers

What alternatives are there when SSH is being actively filtered?

Unfortunately our government filters the SSH protocol so now we can't connect to our Linux server. They do the filtering by checking the header of each packet in the network layer (and not by just closing port). They also do away with VPN…
Moein Hosseini
90 votes, 3 answers

Why is using an SSH key more secure than using passwords?

If people use a password to log in to a UNIX server, then it could be forced to expire the password, then they change it. If people use an ssh key and have no passwords, no password expiry, then nothing forces them to change their SSH key…
thequestion
68 votes, 3 answers

SSH: benefits of using hashed known_hosts

What are the benefits of storing known_hosts in a hashed form? From what I read, it is supposed to protect the list of servers I am connecting to, presumably in a scenario where my account has been compromised (and known_hosts file stolen). If my…
Martin Vegter
61 votes, 2 answers

What is the -sk ending for ssh key types?

ssh-keygen has the following options for a key type (-t): dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa I am not familiar with the -sk notation and it's not explained in the man page. What does it mean?
Corporal Touchy
59 votes, 4 answers

Reusing Private/Public Keys

I have accounts on several third party sites - Bitbucket, Bluehost, etc. From what I've gathered, it is common practice to use one key pair for all [id_rsa, id_rsa.pub], but only to give out the public key. Is that the correct usage, or is it…
SamGoody
48 votes, 2 answers

How can SSH server know private key is incorrect if passphrase hasn't been provided yet?

I have server which I am accessing via SSH. I only allow the authentication to be made with private key. Normally when I login via PuTTY, I am first asked for username and then asked for passphrase for the key. Out of curiosity I have created new…
vakus
48 votes, 5 answers

How often should an SSH key pair be changed?

I've been using a 1024-bit RSA key for passwordless SSH between my own systems for years. More recently I've also started using it for passwordless access to my hosting providers and to source code repositories. Is using the same key pair for an…
Tim Lesher
41 votes, 3 answers

Is an SSH session to a mistaken site a security exposure?

A few minutes ago I attempted to ssh to a server I have at my office. Since it is a new server my public key has not been set up there so I had to type my password in manually. After three times of trying to log in unsuccessfully I notice that I…
AlanObject
36 votes, 10 answers

Managing multiple SSH private keys for a team

I have a medium-sized team (~10 people, but we expect to grow) that manages a set of EC2 servers on AWS (currently a few dozens, but this is also expected to grow). As EC2 requires you to have an AWS generated private SSH key, without a passphrase…
Guss
35 votes, 5 answers

SSH from a shared workplace computer

The main question: How can I securely connect to my personal computer at home from a workplace computer? Background: I do much of my work on a university computer, but the computer itself is not fantastic, so I SSH into my home machine to run…
user5728491
32 votes, 2 answers

What are the risks of SSHing to an untrusted host?

When SSHing to a host that has been compromised (or outright replaced using the stolen server keys) by an attacker with root permissions, what is the worst that can happen to the client? It is well known that X forwarding poses some risks, and agent…
lxgr
30 votes, 2 answers

understanding the "Offering RSA public key" step during SSH connection initialization

During SSHv2 connection initialization, there is a following debug message: debug1: Offering RSA public key: /home/user/.ssh/id_rsa Am I correct that actually no public key is sent to server? In addition, /home/user/.ssh/id_rsa is my private key.…
Martin
29 votes, 3 answers

ECDSA Keys Changed, SSH insecure now?

I'm running some non-critical Ubuntu servers in my dorm room in college. Turned them off before break, come back, SSH in, and get a warning that the ECDSA keys have changed. It looked pretty much like this Warning: the ECDSA host key for ''…
TheLQ
21 votes, 3 answers

Is ssh with public key authentication, no passwords secure enough?

I have a web server set up and would like to connect to it from outside using Tor. The web server simply serves up a simple webpage that will act as an interface for a program running on the machine. It is not meant to be accessible by anyone…
user942937
19 votes, 1 answer

Consequences of compromised /etc/ssh/moduli

Hypothetically, what could an attacker achieve if they have a copy of /etc/ssh/moduli?
grifaton