Master SSH Remote Login: From Basics to Advanced Security Practices

This guide explains SSH fundamentals, protocol types, advantages, client and server software, key exchange mechanisms, encryption principles, configuration files, best‑practice hardening steps, and practical commands for secure remote access and file transfer on Linux systems.

MaGe Linux Operations

SSH Remote Login and Control

What is an SSH server

SSH (Secure Shell) is a secure channel protocol used for remote login, remote copying, and other functions. Everything on the wire, including the password or key exchange, is encrypted. It runs over TCP (port 22 by default) and is layered as a transport protocol (key exchange, encryption, integrity), a user authentication protocol, and a connection protocol that multiplexes channels (shell, SFTP, forwarded ports) over one encrypted connection; compression is optional.

SSH client <--- network ---> SSH server

1. Protocol Types

SSH (Secure Shell): encrypted network protocol for remote access, command execution, and file transfer.

Telnet: plaintext on the wire, so credentials and whole sessions can be sniffed; only for simple text interaction with lab equipment on isolated networks.

RDP (Remote Desktop Protocol): Windows graphical remote access.

VNC (Virtual Network Computing): cross‑platform graphical remote desktop.

X11: remote graphical access on UNIX/Linux.

ICA (Independent Computing Architecture): Citrix application and desktop virtualization.

2. SSH Protocol Advantages

Transmission can be compressed (client option -C, off by default), which helps on slow links but does not change the security properties.

Encrypted communication : ensures data security against eavesdropping or tampering.

Remote login : allows command‑line operations and file management on remote machines.

Public‑key authentication : the client proves possession of a private key by signing per‑session data; nothing reusable crosses the wire and the private key never leaves the client, which is why it is stronger than password authentication and can be restricted per key in authorized_keys.

Port forwarding : enables secure tunnels between computers.

Remote command execution : useful for automation scripts and remote management.

File transfer : secure file transfer and management between client and server.

SSH daemon (sshd) uses the SSH protocol for remote control and file transfer between computers.

The SSH server provides two main services: remote login and SFTP (file transfer).

3. SSH Software

SSH clients: Xshell, PuTTY, SecureCRT, MobaXterm, FinalShell.

SSH server: OpenSSH (the default on CentOS 7 and on virtually all Linux distributions; the daemon is sshd).

4. Related Programs

OpenSSH: free open‑source implementation of SSH server and client.

PuTTY: popular free SSH/Telnet client for Windows.

WinSCP: free SFTP/SCP/FTP client for Windows supporting SSH.

SecureCRT: commercial SSH client with advanced features.

5. Public‑Key Authentication Principle

1) The client opens a TCP connection and both sides negotiate algorithms.

2) The server sends its host public key; the client checks it against ~/.ssh/known_hosts (prompting with a fingerprint on first contact).

3) Client and server run a Diffie‑Hellman key exchange. Both derive the same session keys and a session ID; from here on everything is encrypted. No long‑term key is transmitted in this step.

4) Beforehand, the user generated a key pair on the client with ssh-keygen and installed the public key in ~/.ssh/authorized_keys on the server; the private key never leaves the client.

5) The client offers its public key; the server checks whether it is listed in authorized_keys for that user.

6) The client signs the session ID together with the authentication request using its private key and sends the signature.

7) The server verifies the signature with the stored public key. Because the session ID is derived from this particular key exchange, the signature cannot be replayed against another session. On success the user is logged in.

6. Encrypted Communication Principle

Two different mechanisms are easy to confuse here. Confidentiality comes from the key exchange: session keys are agreed per connection and discarded afterwards, so traffic stays encrypted whatever authentication method is used, passwords included. The user key pair generated on the client (public key copied to the server once, private key kept local) is used only to prove identity by signing; it does not itself encrypt the session.

7. SSH Remote Login Files

The first connection to a host appends that host's public key to ~/.ssh/known_hosts on the client (the file is created if absent). Every later connection compares the key the server presents with the stored one; a changed key produces the REMOTE HOST IDENTIFICATION HAS CHANGED warning and ssh refuses to continue, which is the client's only defence against a machine‑in‑the‑middle. Remove a stale entry (ssh-keygen -R host) only after confirming the host was legitimately reinstalled or rekeyed.

8. Connecting to the Remote Machine

ssh [options] user@host # specify login user and target host.

ssh -p port user@host # specify non‑default port.

SSH Commands for Remote Connection

1) Direct connection

ssh IP

On first connection ssh prints the fingerprint of the server's host key and asks whether to continue.

Compare that fingerprint with one obtained out of band (for example ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub run on the server's console, or a value published by the administrator) before answering yes: accepting blindly gives an attacker who can intercept the first connection a permanently trusted entry in known_hosts.
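What the client does at that prompt, and silently on every later connection, is look the host up in ~/.ssh/known_hosts and compare keys. The script below is an added example, not code from the original article: it reimplements that lookup in Python over a constructed known_hosts sample, including the [host]:port form used for non‑default ports, the hashed‑hostname entries written when HashKnownHosts is on, and the SHA256 fingerprint format ssh prints. The key bytes, hosts, and salt are made up; a different key type for a known host is reported as unknown here, which is a simplification of the warning ssh prints in that case.

```python
import base64
import hashlib
import hmac


def ssh_string(b: bytes) -> bytes:
    """SSH wire encoding of a byte string: 4-byte big-endian length, then the bytes."""
    return len(b).to_bytes(4, "big") + b


def ed25519_key_blob(pub: bytes) -> str:
    """Base64 public-key blob as it appears in known_hosts / authorized_keys."""
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(pub)).decode()


def fingerprint_sha256(key_b64: str) -> str:
    """Fingerprint in the format ssh prints: SHA256:<unpadded base64 of sha256(blob)>."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host_entry(host: str, salt: bytes) -> str:
    """Hostname field written by HashKnownHosts: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(host_field: str, host: str) -> bool:
    """Match a known_hosts host field (plain comma list or hashed form) against a host."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in host_field.split(",")


def check_host_key(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """Return 'match', 'MISMATCH' (host known but key differs: possible MITM, ssh aborts)
    or 'unknown' (first contact: ssh shows the fingerprint and asks)."""
    host_known = False
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        host_field, ktype, kdata = fields[0], fields[1], fields[2]
        if ktype != key_type or not host_matches(host_field, host):
            continue
        host_known = True
        if hmac.compare_digest(base64.b64decode(kdata), base64.b64decode(key_b64)):
            return "match"
    return "MISMATCH" if host_known else "unknown"


# Constructed sample data: placeholder key bytes, not real keys.
GOOD_KEY = ed25519_key_blob(bytes(range(32)))
ROGUE_KEY = ed25519_key_blob(bytes(range(32, 64)))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed ~/.ssh/known_hosts; a non-default port is recorded as [host]:port",
    "192.168.11.6,[192.168.11.6]:123 ssh-ed25519 " + GOOD_KEY,
    hashed_host_entry("192.168.11.9", b"0123456789abcdefghij") + " ssh-ed25519 " + GOOD_KEY,
])

if __name__ == "__main__":
    print("fingerprint of 192.168.11.6:", fingerprint_sha256(GOOD_KEY))
    for host, key in [("192.168.11.6", GOOD_KEY), ("192.168.11.6", ROGUE_KEY),
                      ("192.168.11.9", GOOD_KEY), ("192.168.11.5", GOOD_KEY)]:
        print(host, check_host_key(SAMPLE_KNOWN_HOSTS, host, "ssh-ed25519", key))
```

The MISMATCH branch is the one that matters operationally: the host is known, the presented key differs, and the right response is to stop and verify out of band rather than delete the entry to make the warning go away.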

2) Connect as specific user

ssh username@IP

ssh -l username IP

3) Specify port

Edit /etc/ssh/sshd_config to change the port (default 22); clients then connect with -p. Before restarting, validate the file with sshd -t, and on CentOS 7 with SELinux enforcing also register the new port (semanage port -a -t ssh_port_t -p tcp 123) and open it in the firewall, otherwise sshd fails to bind or the firewall drops the connection and you lock yourself out. Keep the current session open until a fresh login on the new port succeeds.

Example:

# vim /etc/ssh/sshd_config
# change port
Port 123

Restart the service:

# systemctl restart sshd

Jump Host Login

Use a jump host (bastion) so that internal machines accept SSH only from one hardened address. Note that the firewall rule below, as written, rejects packets whose source is 192.168.11.5 on the host where it is run; to force administrators through the jump host, the target should instead accept TCP/22 only from the jump host's address and reject other sources. The second line opens a shell on 192.168.11.9 (-t keeps a TTY) and from there hops to 192.168.11.5, so the second hop authenticates with whatever keys or agent the jump host holds. On OpenSSH 7.3 and later (CentOS 7 ships 7.4), ssh -J 192.168.11.9 192.168.11.5 (ProxyJump) is preferable: the connection to the final host is tunnelled through the jump host end to end, and your private key or agent never has to be present on it.

# iptables -A INPUT -s 192.168.11.5 -j REJECT
# ssh -t 192.168.11.9 ssh 192.168.11.5

Remote Command Execution

ssh host ifconfig       # run one command on the remote host and return; ssh exits with that command's status

User access control is configured in /etc/ssh/sshd_config:

White‑list (AllowUsers, AllowGroups): only the listed users or groups may log in.

Black‑list (DenyUsers, DenyGroups): the listed users or groups are refused.

sshd evaluates them in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups; a user blocked by an earlier directive is not admitted by a later one.

Modify Server Configuration

Edit /etc/ssh/sshd_config to adjust settings such as PermitRootLogin, ClientAliveInterval, ClientAliveCountMax, ListenAddress, and MaxStartups for security hardening. Validate with sshd -t and apply with systemctl reload sshd; existing sessions survive a reload. Note that for any keyword the first occurrence in the file wins, so a stray earlier line overrides the one you add at the end.

# vim /etc/ssh/sshd_config
Port 123                # non‑default port
Protocol 2              # disable protocol 1; redundant on OpenSSH 7.4+, which removed protocol 1 entirely
AllowUsers mcb          # whitelist users
ClientAliveInterval 300 # probe an idle client every 300 s ...
ClientAliveCountMax 2   # ... and disconnect after 2 unanswered probes (about 10 min idle)
ListenAddress 192.168.11.10   # bind only the management address
PermitEmptyPasswords no
PermitRootLogin no      # administer as a named user and escalate with sudo
MaxStartups 10          # cap concurrent unauthenticated connections; the 10:30:60 form drops new ones randomly above 10

Strong Password Policy

Generate random passwords from the kernel's random source, e.g. a 16‑character alphanumeric one:

tr -cd 'a-zA-Z0-9' < /dev/urandom | head -c 16; echo

Enforce complexity on the server side as well (on CentOS 7 via the pam_pwquality module and /etc/security/pwquality.conf), because sshd itself does not check password strength.

Key‑Based Authentication

Generate a key pair on the client with ssh-keygen; it writes the private key to ~/.ssh/id_rsa and the public key to ~/.ssh/id_rsa.pub, and you should set a passphrase on the private key.

Copy the public key to the remote host with ssh-copy-id, which appends it to ~/.ssh/authorized_keys for the target user (that file must be writable only by its owner or sshd ignores it).

Log in with ssh as before: the server now accepts the key signature and no password prompt appears. Once every administrator logs in this way, set PasswordAuthentication no in sshd_config so password guessing stops being possible at all.

Agent‑Based Non‑Interactive Login

Keep the private key passphrase‑protected and let ssh-agent hold the decrypted key in memory, so logins are non‑interactive without an unencrypted key on disk:

# ssh-agent bash        # start an agent and a shell bound to it
# ssh-add               # add private key to agent (prompts once for the passphrase)
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
# ssh 192.168.11.6      # login without a prompt; the identity stays loaded until the agent exits (that shell closes, or reboot)

Do not forward the agent (ssh -A) to hosts you do not fully trust: root on such a host can use every loaded key for as long as your session is open.

SSH Service Best Practices

Use a non‑default port, preferably an unused high port; 123 as in the examples works but is the registered NTP port, so choose one that does not collide with another service.

Disable protocol 1; use protocol 2 only (OpenSSH 7.4 and later contain no protocol 1 code, so this matters only on old servers).

Restrict login to specific users (whitelist).

Set idle session timeout via ClientAliveInterval and ClientAliveCountMax.

Configure firewall rules to limit access.

Listen on specific IP addresses only.

Enforce strong passwords and disable empty passwords.

Prohibit direct root login.

Limit concurrent unauthenticated connections with MaxStartups (it does not cap established sessions), and pair it with firewall rate limiting against brute force.

Use PAM modules for advanced access control.
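The checklist above, together with the sample sshd_config in the Modify Server Configuration section, can be checked mechanically. The script below is an added example, not code from the original article: it parses an sshd_config the way sshd resolves global settings (keywords are case‑insensitive, Key value and Key=value forms are accepted, the first occurrence of a keyword wins, and everything after a Match line applies only to matching connections) and reports each checklist item the file fails. The defaults assumed for absent directives are those of OpenSSH 7.x; on a real host compare with sshd -T, which prints the effective configuration. Both sample configurations are constructed; the hardened one is the article's sample with PasswordAuthentication no added.

```python
import re

# Values OpenSSH 7.x applies when a directive is absent (assumption for this
# example; confirm with `sshd -T` on the real host).
DEFAULTS = {
    "port": "22",
    "protocol": "2",
    "listenaddress": "0.0.0.0",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "passwordauthentication": "yes",
    "clientaliveinterval": "0",
    "allowusers": "",
}


def parse_sshd_config(text: str) -> dict:
    """Resolve global settings the way sshd does: keywords are case-insensitive,
    'Key value' or 'Key=value' are both accepted, lines starting with '#' are
    comments, the FIRST occurrence of a keyword wins, and everything after a
    Match line is conditional, so this global view stops there."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def audit(text: str) -> list:
    """Return one finding per checklist item the configuration fails (empty = OK)."""
    cfg = dict(DEFAULTS)
    cfg.update(parse_sshd_config(text))
    findings = []
    if cfg["port"] == "22":
        findings.append("Port: default 22; pick an unused high port to cut scanner noise")
    if "1" in cfg["protocol"].split(","):
        findings.append("Protocol: SSH-1 enabled; use 'Protocol 2' (SSH-1 was removed in OpenSSH 7.4)")
    if cfg["permitrootlogin"] != "no":
        findings.append("PermitRootLogin: %s; set no and administer via a named user" % cfg["permitrootlogin"])
    if cfg["permitemptypasswords"] != "no":
        findings.append("PermitEmptyPasswords: yes; set no")
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication: yes; disable once key-based logins work")
    if int(cfg["clientaliveinterval"]) == 0:
        findings.append("ClientAliveInterval: 0; idle sessions never time out")
    if cfg["listenaddress"] in ("0.0.0.0", "::"):
        findings.append("ListenAddress: all interfaces; bind to the management address")
    if not cfg["allowusers"]:
        findings.append("AllowUsers: unset; every local account may attempt to log in")
    return findings


# Constructed samples, not real host configurations.
WEAK_CONFIG = """
# stock-looking sshd_config with a trap: the second PermitRootLogin below is
# ignored, because the first occurrence of a keyword wins
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
"""

HARDENED_CONFIG = """
# the article's sample plus PasswordAuthentication no (keys only); the Match
# block applies only to LAN clients and is outside the global view
Port 123
Protocol 2
AllowUsers mcb
ClientAliveInterval 300
ClientAliveCountMax 2
ListenAddress 192.168.11.10
PermitEmptyPasswords no
PermitRootLogin no
MaxStartups 10
PasswordAuthentication no
Match Address 192.168.11.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or ["OK"])
```

The weak sample is worth reading twice: its last line looks like it disables root login, but sshd keeps the earlier PermitRootLogin yes, and the audit reports exactly that. Run it against a copy of your own file, then confirm the result with sshd -T before reloading.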
