Master SSH Remote Login: Protocol Basics, Commands, and Security Best Practices

This comprehensive guide explains SSH fundamentals, protocol types, advantages, client and server software, public‑key exchange, configuration files, command usage, best‑practice hardening, and password‑less authentication, providing Linux administrators with the essential knowledge to securely manage remote systems.

Raymond Ops

SSH Remote Login and Control

1. What is an SSH server

SSH (Secure Shell) is a secure channel protocol mainly used for character‑based remote login, remote file copying and other functions. It encrypts all data transferred, including passwords, and can compress data to accelerate transmission.

SSH client <--- network ---> SSH server

1. Protocol types

SSH (Secure Shell): encrypted network protocol for remote access and management, providing encrypted sessions, remote command execution and file transfer.

Telnet: insecure but still used for simple text interaction.

RDP (Remote Desktop Protocol): Windows graphical remote access.

VNC (Virtual Network Computing): cross‑platform graphical remote desktop.

X11: remote graphical access on UNIX/Linux.

ICA (Independent Computing Architecture): Citrix application and desktop virtualization.

2. Advantages of SSH protocol

Data transmission is encrypted, preventing information leakage.

Data transmission is compressed, improving speed.

Encrypted communication: ensures data is secure during transfer.

Remote login: users can log in to other machines to run commands, manage files, etc.

Encrypted authentication: supports public‑key authentication, which is more secure than password‑based login.

Port forwarding: allows secure tunnelling between two computers.

Remote command execution: useful for automation scripts and remote management.

File transfer: secure file transfer between client and server.

The sshd service uses the SSH protocol to provide remote control of, and file transfer between, computers.

SSH server mainly provides two services: remote login and SFTP (file transfer).

3. SSH software

SSH clients: Xshell, PuTTY, SecureCRT, MobaXterm, FinalShell.

SSH server: OpenSSH (installed by default on CentOS 7).

4. Related programs

OpenSSH: free open‑source implementation of SSH, includes client and server.

PuTTY: popular free SSH/Telnet client for Windows.

WinSCP: free SFTP/SCP/FTP client for Windows.

SecureCRT: commercial SSH client with many features.

5. Public‑key exchange principle

1) Client initiates connection request.

2) Server returns its public key and a session ID.

3) Client generates a key pair.

4) Client uses its public key or session ID to compute a value Res and encrypts it with the server’s public key.

5) Client sends the encrypted value to the server; the server decrypts it to obtain Res.

6) Server uses the decrypted Res or session ID to compute the client’s public key.

7) Both sides now hold three keys: their own key pair and the other side’s public key, and all subsequent communication is encrypted.

6. Encryption communication principle

[Figure: Encryption diagram]

SSH generates a key pair on the client, sends the public key to the server, and uses the key pair for secure verification and encrypted communication.

7. SSH remote login files

When the ssh client logs into another host, it records that host's public key in its known_hosts file, ~/.ssh/known_hosts, so the host can be recognised on later connections.

8. How to verify the remote machine

ssh [options] user@host

ssh -p 20 user@host # -p specifies port

2. SSH commands for remote connection

① Direct connection

First connection asks whether to trust the server’s public key; confirming adds it to known_hosts.

② Connect as specific user

ssh username@IP

ssh -l username IP

③ Specify port

Edit /etc/ssh/sshd_config to change the port the server listens on; the default is 22. When the server uses a non‑default port, pass it to the client with -p.

# vim /etc/ssh/sshd_config
# systemctl restart sshd

Jump host login

# Simulate firewall rejecting direct client connection on target host
iptables -A INPUT -s 192.168.11.5 -j REJECT
# Use jump host to reach target
ssh -t 192.168.11.9 ssh 192.168.11.5

3. Execute commands directly after login

ssh 192.168.11.9 ifconfig

Whitelist: default deny all, only users on whitelist can access.

Blacklist: default allow all, only users on blacklist are denied.

Modify server configuration file

# vim /etc/ssh/sshd_config

Example: allow only user mcb to log in (whitelist).

Disable root login

# PermitRootLogin no

Restrict login users (whitelist)

Configure AllowUsers or AllowGroups in sshd_config.

Set idle session timeout

ClientAliveInterval 300
ClientAliveCountMax 2

Limit SSH access with firewall

# iptables -A INPUT -s 172.16.12.10 -j REJECT

Listen on specific IP address

ListenAddress 192.168.11.10

Enforce strong passwords

Generate random passwords, e.g. tr -cd '[a-zA-Z0-9]'...

Disable empty passwords

PermitEmptyPasswords no

Limit concurrent connections

MaxStartups 10

Use PAM for advanced control

Configure PAM modules to limit concurrent logins, etc.

4. SSH service best practices

Use a non‑default port instead of 22.

Disable protocol version 1; use version 2 only.

Restrict login users with whitelist.

Set idle session timeout.

Configure firewall rules for SSH.

Listen only on required IP addresses.

Enforce strong password policies.

Prefer key‑based authentication.

Disable empty passwords.

Prohibit direct root login.

Limit connection rate and concurrent sessions.

Separate and rotate SSH logs.
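As an added example (not code from the original article), the following POSIX shell script audits an sshd_config file against the hardening items in the two lists above: default port, protocol 1, root login, empty passwords, password authentication, login whitelist, idle timeout, listen address and connection limit. The two sample config files it writes are constructed for the demonstration; only top‑level directives are read (Match blocks are not evaluated).

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config file
# against the hardening items listed on this page. Only top-level directives
# are read (Match blocks are not evaluated); like sshd, the first occurrence
# of a directive wins.

# Print the value of directive $2 from config file $1 (first uncommented match).
sshd_get() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ || NF < 2 { next }
    tolower($1) == key   { print $2; exit }' "$1"
}

# Print one line per weak or missing setting; prints nothing for a hardened file.
audit_sshd_config() {
  f=$1
  case "$(sshd_get "$f" Port)" in ''|22) echo "Port: default port 22 in use" ;; esac
  case "$(sshd_get "$f" Protocol)" in *1*) echo "Protocol: version 1 enabled" ;; esac
  case "$(sshd_get "$f" PermitRootLogin)" in no) ;; *) echo "PermitRootLogin: direct root login allowed" ;; esac
  case "$(sshd_get "$f" PermitEmptyPasswords)" in yes) echo "PermitEmptyPasswords: empty passwords allowed" ;; esac
  case "$(sshd_get "$f" PasswordAuthentication)" in no) ;; *) echo "PasswordAuthentication: passwords accepted, prefer keys" ;; esac
  [ -n "$(sshd_get "$f" AllowUsers)$(sshd_get "$f" AllowGroups)" ] || echo "AllowUsers/AllowGroups: no login whitelist"
  case "$(sshd_get "$f" ClientAliveInterval)" in ''|0) echo "ClientAliveInterval: no idle timeout" ;; esac
  [ -n "$(sshd_get "$f" ListenAddress)" ] || echo "ListenAddress: listening on all addresses"
  [ -n "$(sshd_get "$f" MaxStartups)" ] || echo "MaxStartups: no limit on unauthenticated connections"
}

# Constructed sample files (not from a real host) so the audit runs offline.
weak_config() {     # a stock-looking file with everything left permissive
  t=$(mktemp); printf '%s\n' '#Port 22' 'Protocol 2,1' 'PermitRootLogin yes' \
    'PasswordAuthentication yes' 'PermitEmptyPasswords yes' >"$t"; echo "$t"
}
hardened_config() { # the settings recommended in the lists above
  t=$(mktemp); printf '%s\n' 'Port 2222' 'Protocol 2' 'ListenAddress 192.168.11.10' \
    'PermitRootLogin no' 'PermitEmptyPasswords no' 'PasswordAuthentication no' \
    'AllowUsers mcb' 'ClientAliveInterval 300' 'ClientAliveCountMax 2' 'MaxStartups 10' >"$t"; echo "$t"
}

# Usage on a real host: audit_sshd_config /etc/ssh/sshd_config
audit_sshd_config "$(weak_config)"
echo "--- hardened sample: $(audit_sshd_config "$(hardened_config)" | wc -l) findings"
```

Run it as root against the live file after each change and before `systemctl restart sshd`, so a typo in the directive name shows up as a finding rather than as a lockout.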

5. OpenSSH server configuration

OpenSSH implements the SSH protocol on most UNIX/Linux systems. Start the service with systemctl start sshd. The daemon is /usr/sbin/sshd, configuration file /etc/ssh/sshd_config, client config /etc/ssh/ssh_config.

1. sshd configuration file location

/etc/ssh/sshd_config

6. Key pair non‑interactive authentication

1 Create RSA key pair

[Figure: Generate RSA key]

2 Transfer public key to remote host

[Figure: Copy public key]

3 Login verification

[Figure: Key authentication]

7. Password‑less login with ssh‑agent

# ssh-agent bash          # start an agent and a shell that uses it
# ssh-add                 # add the private key to the agent (asks for the passphrase once)
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
# ssh 192.168.11.6        # login without typing the passphrase (the cached key is gone once the agent exits, e.g. after a reboot)
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.