Migrating notes from Notion - Initial stage

content/notes/ssh.md

@@ -0,0 +1,123 @@
+---
+tags:
+  - networking
+  - notes
+author: TrudeEH
+draft: false
+showToc: true
+title: SSH
+---
+*SSH* is a protocol for accessing a terminal remotely.  
+For *SSH* to work, the remote machine needs to have an *OpenSSH* instance running and listening for connections, and port 22 must be allowed through any VPNs or firewalls between the client and host machines. An *SSH* client is also needed, be it any UNIX system (using the `ssh` command), or a Windows server using a client such as *PuTTY*.
+
+## OpenSSH Client
+
+### Connect to a Remote Server
+
+#### Connect Using a Password
+
+```Shell
+ssh <user>@<ip>
+> <password>
+ssh root@192.168.1.133
+> Ctrl+D # Disconnect
+```
+
+> After connecting to a server for the first time, the fingerprint of that server is stored in the `~/.ssh/known-hosts` file.
+> 
+> This is a security measure to prevent MitM attacks. (The client is notified if the server's fingerprint changes).
+
+#### Connect Using an SSH Key
+
+First, it is necessary to generate a private and public key to use with SSH. Always use a passphrase to keep your private key secure in case your machine is compromised in the future.
+
+```Shell
+ssh-keygen  # Create a private/public key pair.
+```
+
+> Make sure to back up your keys! Running the above command and saving the new keys would overwrite the previous ones, possibly locking you out of your servers. 
+> After generating your keys, send the public key to your network administrator.
+
+#### Managing Multiple Keys
+
+Having separate SSH keys can ensure that if one of them leaks, not all machines it has access to would be compromised.
+
+```Shell
+ssh-keygen -C "Comment" # The comment is optional, and defauls to your user/hostname
+> $HOME/.ssh/<name>
+# After sending the public key to the administrator...
+ssh -i <path_to_private_key> <user>@<host>
+```
+
+This method requires you to type your key's passphrase every time an SSH connection is started.  
+To load the key into memory, an `ssh-agent` is needed.
+
+```Shell
+eval "$(ssh-agent)" # Temporarily start the ssh-agent (already present if GUI)
+ssh-add <path_to_private_key> # Load the key into memory
+ssh -i <path_to_private_key> <user>@<host> # The password won't be asked again
+```
+
+### Configure The Client
+
+Edit the `~/.ssh/config` file to configure the client.
+
+#### Aliases
+
+```Shell
+Host <alias>
+	Hostname <ip>
+	Port 22
+	User <remote user>
+```
+
+Now, connecting to the server is as simple as typing:
+
+```Shell
+ssh <alias>
+```
+
+## OpenSSH Server
+
+Check whether the ssh server is running.
+
+```Shell
+systemctl status sshd / ssh
+```
+
+### Read Connection Logs
+
+```Shell
+su root
+tail -f /var/log/auth.log
+journalctl -fu ssh / sshd # Preferred way to read logs
+```
+
+### Configure SSH Keys
+
+By default, the *OpenSSH* server is configured to support both passwords and keys.
+
+#### Add a Client's Public Key
+
+```Shell
+ echo "PUBLIC_KEY" >> /home/<user>/.ssh/authorized_keys
+```
+
+If password login is enabled (or you are uploading someone else's key), there is a dedicated command to add a public key to the server, directly from the client:
+
+```Shell
+ssh-copy-id -i ~/.ssh/id_rsa.pub <user>@<server>
+```
+
+### Configure The Server
+
+`/etc/ssh/sshd_config`
+
+```Shell
+# Changing the port can help security slightly, but is less convenient
+Port 22
+# Disable ssh into root (only after you have another user with sudo access)
+PermitRootLogin false
+# Disable password authentication (use keys exclusively)
+PasswordAuthentication no
+```