๐ What Is SSH #
SSH (Secure Shell) is an encrypted network protocol used for secure communication between a client and a server over an untrusted network. By establishing an encrypted tunnel, SSH protects remote command execution and file transfers from eavesdropping and tampering.
SSH is the de facto standard for remote administration on Linux and Unix-like systems.
๐ Remote Login Basics #
# Basic login using username and host (IP or domain)
ssh user@hostname
# Connect using a custom port (default is 22)
ssh -p 10022 user@hostname
You can also execute commands immediately after logging in. For example, to log in and automatically switch to a specific directory:
# -t forces pseudo-terminal allocation
ssh -t user@hostname 'cd /data/www/h5 ; bash'
# Use $SHELL if the remote shell is unknown
ssh -t user@hostname 'cd /data/www/h5 ; exec $SHELL'
Alternatively, you can automate this behavior by modifying the remote startup file:
# Inside ~/.bash_profile on the remote host
cd /data/www/h5 >& /dev/null
๐ Authentication Methods #
SSH uses asymmetric cryptography for authentication. The two most common methods are:
-
Password Authentication The connection is encrypted, and the user enters a password. While simple, this method is more exposed to brute-force and MITM risks if host verification is ignored.
-
Public Key Authentication Authentication is performed using a public/private key pair. The private key remains on the client, while the public key is stored on the server, enabling secure password-less login.
๐ Password Login and Host Verification #
When connecting to a server for the first time, SSH prompts you to verify the serverโs identity:
ssh user@host
# The authenticity of host 'host (12.18.429.21)' can't be established.
# RSA key fingerprint is 98:2e:d7:e0:de:9f:ac:67:28:c2:42:2d:37:16:58:4d.
# Are you sure you want to continue connecting (yes/no)?
The fingerprint is a hash (MD5 or SHA256) of the serverโs public key. Once accepted, it is saved to:
~/.ssh/known_hosts
Future connections will verify the server against this stored fingerprint.
๐ Public Key Login (Password-less SSH) #
First, generate a key pair on your local machine:
ssh-keygen
This creates:
~/.ssh/id_rsa(private key)~/.ssh/id_rsa.pub(public key)
Next, copy the public key to the remote server:
ssh-copy-id user@host
After this step, the server adds your public key to:
~/.ssh/authorized_keys
Subsequent logins will authenticate automatically using your private key, without requiring a password.
๐ Troubleshooting SSH Issues #
REMOTE HOST IDENTIFICATION HAS CHANGED #
If a server is reinstalled or its SSH keys change, you may encounter this warning:
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
Host key verification failed.
This indicates a mismatch with the stored fingerprint.
Fix the issue by removing the old key and adding the new one:
# Remove the old host key
ssh-keygen -R gitlab.xxx.com
# Fetch and store the new key
ssh-keyscan -t ECDSA gitlab.xxx.com >> ~/.ssh/known_hosts
๐ File Transfer via SSH #
Transferring files between local and remote systems is a common SSH task.
- scp: Ideal for Linux-to-Linux file transfers.
- rz / sz: Useful when working with Windows SSH clients such as SecureCRT or Xshell.
Command roles:
rzโ upload files from Windows to Linuxszโ download files from Linux to Windows
Note: Install the
lrzszpackage on the Linux server before usingrzandsz.
SSH combines strong security with flexibility, making it indispensable for remote administration. Mastering key-based authentication and host verification is essential for building a secure and efficient remote workflow.