Basics of SSH, Generate SSH Key pairs and Establish SSH connections – Part 2

This is the second post in a series of blog posts on SSH. You can find the series index here. In the last blog post, we had an overview of the SSH protocol and how SSH authentication works. Then we discussed how to generate an SSH key pair. As discussed previously, we still need to copy the SSH public key to the remote server and cover a few other connection options. That is what this blog post covers.

Copying SSH Keys to the remote server

There are many ways to copy the public key generated to the remote machine. Below are some of the ways to copy the key.

Copy using ssh-copy-id utility

The ssh-copy-id utility is included by default in many Linux distributions. It makes it very simple to copy your SSH public key to remote servers. You can do this by running the command below:

ssh-copy-id -i ~/.ssh/rsa_lon_4096 username@remote_host

We can specify the file containing the public key using the -i option. If this is not specified, it will look for the default file, ~/.ssh/id_rsa.pub. Once you run the command above, it will ask you for the password of the account on the remote host. After typing in the password, the contents of your public key will be appended to the end of that user account’s ~/.ssh/authorized_keys file.

Once it's done, you can log in to the remote machine using the command:

ssh username@remote_host

Copy without using ssh-copy-id utility

If you do not have the ssh-copy-id utility available, but still have password-based SSH access to the remote server, you can copy the contents of your public key in a different way. First, output the contents of the public key and pipe it into the ssh command. On the remote side, ensure that the ~/.ssh directory exists, and then append the piped contents to the ~/.ssh/authorized_keys file:

cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

The rest of the process is similar: you will be asked to supply the password for the remote account. After entering the password, your key is copied, allowing you to log in without a password:

ssh username@remote_host
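The remote-side half of the one-liner above, written as an added example (not code from the original post), hardened so it can be re-run safely: it validates the key line, creates ~/.ssh and authorized_keys with the permissions sshd's StrictModes expects, and appends the key only if it is not already present. The function name install_pubkey and the demo key line are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: the remote-side half of
# "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys", hardened so it can be
# run repeatedly. Only plain "type blob [comment]" lines are accepted; lines
# carrying authorized_keys options (command=, from=, ...) are rejected so a
# pasted option cannot slip into the file unnoticed.
#
# Usage: install_pubkey KEYFILE [AUTHORIZED_KEYS]   (returns 0 ok, 1 rejected)
install_pubkey() {
    keyfile=$1
    authkeys=${2:-"$HOME/.ssh/authorized_keys"}

    # One key per file: reject multi-line input outright.
    [ "$(wc -l < "$keyfile" | tr -d ' ')" -le 1 ] || return 1
    key=$(cat "$keyfile")                      # $(...) drops the trailing newline

    # Field 1 must be a key type OpenSSH knows; field 2 must be base64 only.
    case $key in
        ssh-ed25519" "*|ssh-rsa" "*|ecdsa-sha2-nistp*" "*|sk-*@openssh.com" "*) ;;
        *) return 1 ;;
    esac
    keytype=$(printf '%s\n' "$key" | cut -d' ' -f1)
    keyblob=$(printf '%s\n' "$key" | cut -d' ' -f2)
    [ -n "$keyblob" ] || return 1
    case $keyblob in *[!A-Za-z0-9+/=]*) return 1 ;; esac

    # Create the directory (0700) and file (0600) owner-only: sshd refuses
    # group- or world-writable ones when StrictModes is on (the default).
    dir=$(dirname "$authkeys")
    (umask 077 && mkdir -p "$dir" && touch "$authkeys") || return 1
    chmod 700 "$dir" && chmod 600 "$authkeys" || return 1

    # Idempotent: match on type + blob so a changed comment is still a duplicate.
    if grep -qsF -- "$keytype $keyblob" "$authkeys"; then
        return 0
    fi
    printf '%s\n' "$key" >> "$authkeys"
}
```

On the remote host this replaces the `cat >> ~/.ssh/authorized_keys` step: save the piped key to a temporary file first and call `install_pubkey` on it.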

Copying SSH key manually

If you do not have access to the remote server at all, you can ask the team responsible for system administration of the server. Once they agree to do this for you, you need a way to share your public key with them so that they can copy it on your behalf. Alternatively, once the system admins create the user account for you, they can perform the steps from their side and share the private key with you over a secure channel.

Displaying the SSH Key Fingerprint

Each SSH key pair shares a single cryptographic fingerprint, which can be used to uniquely identify the key. This is useful in a variety of situations, for example to confirm that a public key you received matches the one its owner meant to send.

To find out the fingerprint of an SSH key, type:

ssh-keygen -l

Verify the location of the public key file when prompted. You will be given a string containing the bit length of the key, the fingerprint, the comment (the account and host it was created for), and the algorithm used:

2048 SHA256:qjomH4xoiInUbqj/EpB90339vHgUUXSF/z0/zLUw mgoyal@desktop (RSA)

Connecting to Remote Server using SSH

As mentioned previously, to connect over SSH you use the ssh command. In its simplest form, all you need is the IP address or fully qualified domain name of the remote machine:

ssh remote_host

In this case, ssh assumes that the username on the server is the same as the current user on the local machine and will try to authenticate as that user. However, the username on the remote machine may differ from the local one. In such a scenario, you can connect using:

ssh username@remote_host

Most SSH servers run on the default port 22. However, if the SSH server is running on a different port, you can specify it using the -p option:

ssh -p port username@remote_host

The first time you connect to a new host, you will see a message that looks like this:

If you are using password authentication, you will be prompted for the password of the remote account. If you are using SSH keys, you will be prompted for your private key’s passphrase, if one is set; otherwise you will be logged in automatically.

At this point, the system administrators may have configured the server to perform some additional actions, such as forcing the user to change their password on the very first login, or displaying a warning or information banner.

Running a Single Command on a Remote Server

To run a single command on a remote server instead of spawning a shell session, you can add the command after the connection information, like this:

ssh username@remote_host command_to_run

This will connect to the remote host, authenticate with your credentials, and execute the command you specified. The connection will immediately close afterwards.

Adding the Key to SSH Agent

ssh-agent is a program that can hold a user’s private key, so that the private key passphrase only needs to be supplied once. The key remains available for the duration of your terminal session, allowing you to connect again without re-entering the passphrase.

Using this utility, a connection to the agent can also be forwarded when logging into a server, allowing SSH commands on the server to use the agent running on the user’s desktop.

To start the SSH agent, type the following command into a terminal on your local machine:

eval $(ssh-agent)

This starts the agent program in the background. Now we can add private keys to it using the ssh-add command:

ssh-add

Afterwards, your identity file is added to the agent, allowing you to use your key to sign in without re-entering the passphrase. When run without arguments, ssh-add adds the files ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, and ~/.ssh/id_ed25519. After loading a private key, ssh-add will try to load the corresponding certificate from the file obtained by appending -cert.pub to the name of the private key file. Alternative file names can be given on the command line.

Forwarding your SSH credentials

The SSH agent can also forward your SSH credentials on your behalf to the remote machine. This is useful in situations where you need to connect to another remote server from the remote server you are already connected to. It lets you authenticate to that second server through the first one, using the credentials held on your local computer.

To start, you must have your SSH agent running and your SSH key added to it. Then connect to your first remote server using the -A option, which forwards your agent connection to that server for this session:

ssh -A username@remote_host

From here, you can SSH into any other host that your SSH key is authorized to access. You will connect as if your private SSH key were located on this server, although the key itself never leaves your local machine; only signing requests are forwarded back to your agent.

Kill SSH Agent

You can kill ssh-agent using the below command:

ssh-agent -k

It identifies the PID of the running agent and kills that process.

This covers the basics of establishing an SSH connection. In the next few blog posts, we’ll discuss a few options to customize the SSH server using its various configuration options, as well as SSH client configuration options.
