How Does an ssh Command Work in Detail?

Question
You want an overview of how SSH works because it seems confusing. You want to comprehend how it works or know exactly what happens when you run an SSH command like ssh jdoe@acme.com. Where can you find a precise explanation on using ssh as well as some background information on SSH?

Solution
SSH stands for Secure Shell, a way of connecting to another server remotely over an encrypted channel. You can use ssh commands to enter a shell or to execute ad hoc commands remotely. The ssh command, and the tools that leverage SSH such as scp and sftp, come from the OpenSSH suite (https://www.openssh.com/). SSH also supports GUI forwarding via X11 (according to this external posting).

When an SSH command is executed on a client, the ssh binary (often /usr/bin/ssh) is located via the $PATH environment variable. A TCP/IP request is then made to the hostname or IP address given. Routing starts from the client, and the request is ultimately delivered to the server at the address provided. This connection happens over TCP port 22 by default; it can be configured to use a different TCP port number.

When this happens, the known_hosts file (normally in the .ssh directory) on the server is consulted for the "fingerprint" of the client server. If the fingerprint is recognized, authentication proceeds as normal. If it is not recognized, the client is prompted to continue or abort the connection. The fingerprint is a string of colon-separated hexadecimal pairs derived from the public key when it is generated. This check helps prevent the client from accidentally logging into a different server.
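The known_hosts check, as an added example (not code from the post or from OpenSSH): the connecting client keeps known_hosts in its own .ssh directory and compares the host key the server presents with the stored entry, and the fingerprint is simply a hash over that stored public key. The key bytes and host names below are constructed samples, and hashed entries (HashKnownHosts) are skipped rather than compared.

```python
import base64
import hashlib

def _ssh_string(b: bytes) -> bytes:
    # Length-prefixed string, as in the OpenSSH public-key wire format.
    return len(b).to_bytes(4, "big") + b

def make_ed25519_blob(raw32: bytes) -> bytes:
    # Builds an ssh-ed25519 public-key blob from 32 raw bytes (constructed sample, not a real key).
    if len(raw32) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)

def fingerprint_md5(key_b64: str) -> str:
    # Legacy colon-separated hex fingerprint, the form the post describes.
    hexdigest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))

def fingerprint_sha256(key_b64: str) -> str:
    # Current OpenSSH default: unpadded base64 of the SHA-256 digest.
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_known_hosts(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    # Compares the key the server presented with the client's stored entry and
    # returns 'match', 'mismatch' (same host, different key: the alarming case)
    # or 'unknown' (first contact, where ssh prompts the user).
    # Hashed entries (HashKnownHosts) are skipped; they need an HMAC comparison.
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        hosts, stored_type, stored_b64 = parts[0].split(","), parts[1], parts[2]
        if host in hosts and stored_type == key_type:
            return "match" if stored_b64 == key_b64 else "mismatch"
    return "unknown"

# Constructed sample: a client-side known_hosts file with one entry for acme.com.
ACME_KEY = base64.b64encode(make_ed25519_blob(bytes(range(32)))).decode()
OTHER_KEY = base64.b64encode(make_ed25519_blob(bytes(range(32, 64)))).decode()
KNOWN_HOSTS = f"acme.com,192.0.2.10 ssh-ed25519 {ACME_KEY}\n"
```

A "mismatch" result is the case ssh reports as a changed host key; "unknown" is the first-contact prompt the post mentions.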

To see the details of an SSH operation, use the -v, -vv, or -vvv flag when you run the ssh command. Once the connection has been established, the user you are logged in as on the server can be different from the user on the client.

The identity file (i.e., the private key) is usually in the .ssh directory of the user on the client, and is often named id_rsa. If it was configured with a passphrase*, the user on the client side will need to enter that passphrase interactively to authenticate to the server. In some configurations of SSH, only the keys are needed to authenticate and no password is required. In other configurations, only a password needs to be entered correctly and no special file needs to be configured on the client side. The ssh-keygen command can create identity files; this utility comes with the OpenSSH suite. With SSH, everything between the client and the server is encrypted, including the passphrase used for authentication. However, SSH can work without a passphrase.

To improve the speed of SSH (e.g., for Ansible or Hadoop), you could potentially do five things with the ssh_config file. We highly recommend that you back up this file before modifying it! You could disable IPv6; you could turn off DNS lookups on the server side of an SSH connection; you could reuse an existing SSH connection on the client; and you could use passwordless authentication. (The first four optimization techniques came from https://www.tecmint.com/speed-up-ssh-connections-in-linux/.)

You could also use the -o flag to override the ssh_config file and pass various directives on an ad hoc basis to speed up SSH commands. Finally, you could eliminate SSH logging by changing the sshd_config file on the server (at the cost of the login records discussed below, which are what you would use to spot failed logins). The ssh_config and/or sshd_config files can be found in the .ssh directory.
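The ssh_config and sshd_config settings behind the first three items above, as an added example (not from the post or the tecmint article): a small parser that follows OpenSSH's first-value-wins rule, and a check that flags the slow settings next to a tuned client config. The config fragments are constructed, and Host/Match blocks are assumed absent.

```python
# Constructed sample configs: the slow settings the post lists, plus a tuned client config.
SLOW_CLIENT = """\
# ~/.ssh/config (constructed example): nothing tuned
Host *
    ServerAliveInterval 30
"""
TUNED_CLIENT = """\
# ~/.ssh/config (constructed example)
# Skip IPv6 attempts, and reuse one authenticated connection for later commands.
AddressFamily inet
ControlMaster auto
ControlPath ~/.ssh/cm-%r@%h:%p
ControlPersist 10m
"""
SLOW_SERVER = "UseDNS yes\n"   # /etc/ssh/sshd_config fragment (constructed)

def parse_ssh_config(text: str) -> dict:
    # Keyword -> value, keyword lower-cased. OpenSSH keeps the FIRST value it
    # sees for a keyword, so a later duplicate never overrides an earlier one.
    # Assumption: one global section; Host/Match lines are skipped, not scoped.
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.replace("=", " ", 1).partition(" ")
        key = key.lower()
        if key in ("host", "match"):
            continue
        cfg.setdefault(key, value.strip())
    return cfg

def speed_findings(client_cfg: dict, server_cfg: dict) -> list:
    # Flags settings that add latency to every connection. When a keyword is
    # absent the OpenSSH default applies (AddressFamily any, ControlMaster no, UseDNS no).
    findings = []
    if client_cfg.get("addressfamily", "any") != "inet":
        findings.append("client: AddressFamily inet avoids trying IPv6 first")
    if client_cfg.get("controlmaster", "no") != "auto":
        findings.append("client: ControlMaster auto + ControlPath + ControlPersist reuse connections")
    if server_cfg.get("usedns", "no") == "yes":
        findings.append("server: UseDNS yes does a reverse DNS lookup per login")
    return findings
```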

On the subject of optimizing SSH performance, encryption and decryption in SSH use CPU (according to an external site and other postings on the internet). It is rare, though, for the bottleneck to be the CPU rather than the network when optimizing SSH (according to this external posting).

The ssh-keygen command can generate a private and public key pair. Normally id_rsa.pub is the public key. RSA stands for Rivest, Shamir, Adleman, one specific type of asymmetric cryptography that SSH supports; SSH supports other types too.

The session key in SSH is symmetric, but it lasts only for the session itself. To read more, see this medium.com article.

SSH logs normally go to /var/log/auth.log on Ubuntu and Debian distributions of Linux. On CentOS/RHEL/Fedora, the file is /var/log/secure.
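What those log files contain, as an added example (not from the post): constructed auth.log lines in sshd's format, parsed into authentication events, with a count of failed attempts per source address and a list of accepted logins. The addresses, user names, and the alert threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in /var/log/auth.log format (not from a real host).
AUTH_LOG = """\
Mar  3 10:15:02 bastion sshd[2141]: Accepted publickey for jdoe from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:constructedFingerprint
Mar  3 10:15:40 bastion sshd[2150]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar  3 10:15:41 bastion sshd[2150]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar  3 10:15:43 bastion sshd[2152]: Failed password for root from 198.51.100.7 port 40031 ssh2
Mar  3 10:15:50 bastion sshd[2155]: Connection closed by 198.51.100.7 port 40031 [preauth]
Mar  3 10:16:00 bastion sshd[2160]: Accepted password for jdoe from 192.0.2.10 port 51300 ssh2
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

def parse_auth_log(text: str) -> list:
    # One dict per authentication outcome; other sshd lines (disconnects etc.) are ignored.
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append({
                "result": m["result"], "method": m["method"], "user": m["user"],
                "invalid_user": m["invalid"] is not None, "src": m["src"],
            })
    return events

def failed_by_source(events: list) -> Counter:
    # Failed attempts per source address, the basis for a brute-force alert.
    return Counter(e["src"] for e in events if e["result"] == "Failed")

def flag_sources(events: list, threshold: int = 3) -> list:
    # Sources at or above the failure threshold (assumed value), highest count first.
    return [src for src, n in failed_by_source(events).most_common() if n >= threshold]

def accepted_logins(events: list) -> list:
    # (user, method, src) for successful logins; a password login where keys are expected is worth a look.
    return [(e["user"], e["method"], e["src"]) for e in events if e["result"] == "Accepted"]
```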

SSH, running over TCP, does use a three-way handshake (SYN from the client to the server, SYN-ACK from the server to the client, and ACK from the client back to the server). To read more about this, see: https://www.inetdaemon.com/tutorials/internet/tcp/3-way_handshake.shtml

To harden SSH, ensure you are using a software firewall or are protected by a hardware firewall. Use the hosts.deny file to block connections from wide ranges of IP addresses. If you want tips on hardening a server in general, see this posting.

Use "man ssh" or "man ssh_config" for more information.

For even more information about the details of SSH see these three postings:

See also this book SSH, The Secure Shell.

For troubleshooting SSH, you may want to see these postings:

*A passphrase can accept spaces whereas a password may not accept them.
