Comprehensive Guide to SSH: Tunneling, File Transfers, and Key-Based Authentication¶
SSH (Secure Shell) is a powerful protocol used for secure communication between computers, offering a wide range of functionalities including secure remote access, file transfers, and key-based authentication.
In this guide, we'll cover various aspects of SSH, including:
- Port tunneling for secure access to services like MySQL.
- Secure file transfer using SFTP and SCP.
- SSH agent forwarding and key-based authentication for enhanced security.
- Dynamic port forwarding (SOCKS proxy) for secure browsing.
This document provides detailed instructions and examples to help you harness the full potential of SSH for secure communication and efficient remote server management.
Port Tunneling¶
SSH port tunneling securely forwards network traffic from a local machine to a remote server. This is crucial for accessing services like MySQL databases running on remote servers.
Local Port Forwarding¶
Local port forwarding forwards a port on your local machine to a port on the remote server.
Example Command¶
To access a MySQL database on a remote server:
<local_port>: Local port to forward (e.g.,3306).<db_host>: Hostname or IP of the database server (oftenlocalhost).<db_port>: Port of the database service (e.g.,3306for MySQL).<SSH_USER>: Your SSH username.<SSH_HOST>: IP address or hostname of the remote server.
Example¶
This command forwards traffic from localhost:3306 on your local machine to localhost:3306 on remote-server.com. You can then connect to the remote MySQL database using a local MySQL client.
Remote Port Forwarding¶
Remote port forwarding forwards a port from the remote server to a local machine.
Example Command¶
<remote_port>: Port on the remote server to forward.<local_host>: Hostname or IP of your local machine (oftenlocalhost).<local_port>: Port on your local machine.
Example¶
This forwards traffic from remote-server.com:8080 to localhost:80 on your local machine.
MySQL Tunneling Example¶
Below is an example script to tunnel MySQL traffic using SSH. Ensure MySQL is installed on both the client and remote server and that necessary permissions are set up:
Prerequisites (Remote Server)¶
- MySQL installed and running on the remote server.
- Proper permissions set for SSH access and MySQL user (
dbuserin this example).
Example Script¶
# Configuration
SSH_PORT=22
HOST=example.com
USER=username
LOCAL_PORT=5523
REMOTE_DB_HOST=127.0.0.1
REMOTE_DB_PORT=3306
# Establish SSH Tunnel (Run on client machine)
ssh -f ${USER}@${HOST} -p ${SSH_PORT} -L ${LOCAL_PORT}:${REMOTE_DB_HOST}:${REMOTE_DB_PORT} -N
# Connect to MySQL (Run on client machine)
mysql -u dbuser -p -h 127.0.0.1 -P ${LOCAL_PORT}
Explanation¶
-
Variables:
SSH_PORT: Port used for SSH connections (default is22).HOST: Remote server’s address.USER: Your SSH username.LOCAL_PORT: Local port to forward MySQL traffic (e.g.,5523).REMOTE_DB_HOST: Remote database host (usually127.0.0.1).REMOTE_DB_PORT: Remote database port (default for MySQL is3306).
-
SSH Command:
-f: Runs command in the background.-L: Sets up local port forwarding fromLOCAL_PORTtoREMOTE_DB_HOST:REMOTE_DB_PORT.-N: Prevents execution of remote commands (only sets up the tunnel).
-
MySQL Connection:
Connects to MySQL using the local tunnel.
-u dbuser: Specifies MySQL username.-p: Prompts for password.-h 127.0.0.1: Connects to localhost (tunneled).-P ${LOCAL_PORT}: Specifies local port for the tunnel.
Usage¶
- Ensure MySQL is installed and accessible on both client and remote servers.
- Run the SSH tunneling script on the client machine to establish the tunnel.
- Use the MySQL command to connect to the remote database via the local tunnel (
localhost:5523in this example).
This method securely encrypts MySQL traffic, maintaining data privacy during transmission. Adjust ports and credentials as per your specific setup.
Secure File Transfer Protocol (SFTP)¶
SFTP 1 is a secure way to transfer files between your local machine and a remote server using SSH. It encrypts both commands and data, providing a high level of security.
Steps to Use SFTP¶
- Connect to the Remote Server
Use the following command to start an SFTP session:
- Replace
<SSH_USER>with your SSH username. -
Replace
<SSH_HOST>with your remote server's IP address or hostname. -
Common SFTP Commands
ls: List files on the remote server.cd <directory>: Change directory on the remote server.get <remote_file>: Download a file from the remote server.put <local_file>: Upload a file to the remote server.exit: Close the SFTP session.
Example Usage¶
sftp username@example.com
sftp> ls
sftp> cd /path/to/directory
sftp> get remote_file.txt
sftp> put local_file.txt
sftp> exit
Secure Copy (SCP)¶
SCP 2 allows you to securely transfer files between hosts using SSH. It's a straightforward way to copy files securely.
Example Commands¶
- Copy a file from local to remote:
- Copy a file from remote to local:
SSH Agent Forwarding¶
SSH agent forwarding 3 allows you to use your local SSH keys on remote servers, enabling seamless access to additional remote servers without copying keys.
Usage¶
Dynamic Port Forwarding (SOCKS Proxy)¶
Using SSH, you can create a SOCKS proxy 4 that routes traffic from applications through the SSH tunnel, allowing secure browsing.
Command¶
SSH Key-Based Authentication¶
For enhanced security, use SSH keys instead of passwords for authentication 5. This prevents unauthorized access and simplifies the login process.
Steps to Set Up¶
- Generate an SSH Key Pair
- Copy the Public Key to the Remote Server
This setup allows you to log in securely without entering a password.
Example: SSH Key-Based Authentication with GitHub¶
Setting up SSH key-based authentication with GitHub 6 enhances security while maintaining ease of use for your development workflows. Recently, GitHub deprecated the use of RSA keys with SHA-1 due to security concerns, requiring users to switch to more secure algorithms like ed25519 7.
Error Message¶
If you encounter the following error:
ERROR: You're using an RSA key with SHA-1, which is no longer allowed.
Please use a newer client or a different key type.
You need to switch to ed25519:
Steps to Set Up SSH Key-Based Authentication¶
- Generate an SSH Key Pair
Use ssh-keygen to generate a new SSH key pair with the Ed25519 algorithm:
Follow the prompts to save the key pair in the default location (~/.ssh/id_ed25519).
- Start the SSH Agent
To manage your SSH keys, start the SSH agent:
- Add the SSH Private Key to the SSH Agent
Add your SSH private key to the SSH agent:
- Copy the SSH Public Key to GitHub
Retrieve your SSH public key and copy its contents:
Copy the entire output.
-
Add the SSH Key to GitHub
-
Click on "New SSH key" or "Add SSH key", paste your SSH public key, and give it a descriptive title.
-
Verify SSH Connection to GitHub
Test your SSH connection to GitHub:
You should see a message indicating successful authentication.
Example: Clone a GitHub Repository Using SSH¶
To clone a repository from GitHub:
Replace your-username and your-repo with your GitHub username and repository name.
Configuration Update for ssh-ed25519¶
If your system does not support ed25519 by default, update your SSH configuration file (~/.ssh/config) to include it.
For example, i once changed from:
to:
This ensures compatibility with ed25519 keys, providing enhanced security for your connections.
Conclusion¶
SSH is a versatile tool that offers secure communication, file transfers, and more. By using SSH, you can protect your data and manage remote servers efficiently, especially with updated algorithms like ed25519 ensuring enhanced security.