SSH: Architecture, Configuration, And Applications (SSH, SCP, SFTP, Tunneling)

Even Bitbucket now pushes users toward SSH keys and app passwords instead of account passwords

Aayush Ostwal
Nerd For Tech
7 min readAug 21, 2022


Login into the server terminal using my mac-computer (Credit: Aayush Ostwal)

Content

The following topics will be covered in this article.

Bitbucket, a widely used Git hosting and CI/CD (Continuous Integration and Continuous Delivery) tool, has recently changed the way you authenticate to its API. Previously we used the account password; today we need to create an app password or set up SSH keys.

Bitbucket gives two main reasons for this change and for how it improves security.

  • Access Control: each app password carries its own set of permissions, chosen when you create it, so a token used by one script cannot do more than that script needs, and it can be revoked on its own without touching the account password.
App Password Permissions in Bitbucket. (Credit: Aayush Ostwal)
  • Encryption: app passwords are stored in encrypted form in the Bitbucket database, so even people working directly with those databases cannot read and reuse them.

Why the Bitbucket Use Case?

According to the RightScale annual State of the Cloud report:

  • 91% of organizations use the public cloud
  • 72% of organizations use a private cloud

As cloud adoption rises at a massive rate, so does the risk of data leakage: data on a server being read or copied by someone who was never authorized to see it, most often through a stolen, shared or over-privileged credential. (Data that gets deleted or corrupted is data loss, a different problem.)

But why talk about Bitbucket in an SSH article?

What app passwords do for the Bitbucket API, SSH keys do for the servers we use.

By using SSH with key-based authentication, you add another level of safety to working with servers: the secret that grants access never travels over the network, and each key can be scoped and revoked on its own.

SSH: Secure Shell Protocol

SSH stands for Secure Shell Protocol. It is a network protocol that lets you use network services (interacting with a server) securely, with encryption and authentication, over an unsecured network such as the internet.

Breaking that definition down: SSH encrypts the whole session, authenticates the server to you (through its host key) and authenticates you to the server, either with a password or, better, with a key pair. With key-based authentication no password is typed or sent at all, so there is nothing to phish, guess or sniff, and the risk involved shrinks accordingly.

SSH: Architecture

SSH is a client-server protocol. The key-based authentication this article relies on uses a pair of keys: a public key installed on the server and a private key that stays on the client.

Terminology:

Before getting into the architecture of SSH, some terms:

  • SSH client: the machine you are sitting at, running the ssh command. This is usually your own computer.
  • SSH server: the machine you want to connect to, running the sshd daemon. Any AWS EC2 instance can act as an SSH server.

Key-pair

The first step is to generate a key pair. Running ssh-keygen in the terminal of the SSH client creates one and writes it into the ~/.ssh folder. The file names below are for an RSA key, the default type when this was written; ssh-keygen -t ed25519 gives you a smaller, faster key pair named id_ed25519 and id_ed25519.pub instead.

Key pair in the .ssh folder (Credit: Aayush Ostwal)
  • Public key (id_rsa.pub): the key that can be shared openly. It is copied to the SSH server, which uses it to verify your identity when you request a connection with ssh.
  • Private key (id_rsa): the key that stays on the SSH client and must never leave it. It signs the authentication challenge; it does not decrypt the session traffic, which is protected by a symmetric key negotiated during the handshake. Keep it readable only by you (mode 600) and protect it with a passphrase.

The Architecture

When you run ssh username@host in the terminal of the SSH client, the following happens

  • The terminal where you type is only the front end for SSH. It can be your system terminal or software like MobaXterm (Windows) or iTerm (Mac).
  • Transport layer: client and server agree on algorithms and run a key exchange (Diffie-Hellman) that gives both sides a fresh shared session key. The server signs the exchange with its host key, which the client compares against ~/.ssh/known_hosts; this is what the "The authenticity of host ... can't be established" prompt is about. From here on every packet is encrypted and integrity-checked. Nothing secret about you has been sent yet, and the private key never leaves the client at any point.
  • User authentication layer: the client offers its public key. The server looks for that key in the target user's ~/.ssh/authorized_keys. If it is listed, the client proves possession by signing a message that includes the session identifier with its private key, and the server verifies the signature with the public key from the file. (Password authentication, if enabled, is the alternative at this layer.)
  • Connection layer: once you are authenticated, the connection layer multiplexes channels over the encrypted session between SSH client and SSH server. Over it you can:

  • Run commands in a terminal
  • Send or receive files (scp, or the sftp subsystem)
  • Tunnel or forward a port.
Diagrammatic Representation of SSH Architecture (Credits: Aayush Ostwal)

SSH: Applications

To set up SSH key login, you first need to get your public key (~/.ssh/id_rsa.pub) onto the server. There are two methods:

  • Manual copy: log in to the server with a password (or with a key you already have) and append your public key as one line to ~/.ssh/authorized_keys. If the file does not exist, create it. sshd is strict about permissions: ~/.ssh should be mode 700 and authorized_keys mode 600, both owned by you, otherwise the key is ignored and the server's auth log shows a "bad ownership or modes" line.
  • ssh-copy-id: a small command-line tool that does the same thing for you: ssh-copy-id -i ~/.ssh/id_rsa.pub ec2-user@18.208.214.183. It appends the public key to the authorized_keys file on the server, creating ~/.ssh and the file with safe permissions if they do not exist yet.

Note: ssh-copy-id has to log in once, so you will be asked for the server password, or it will use a key that already works (stock EC2 instances have password login disabled and rely on the key pair chosen at launch). Once key login works, set PasswordAuthentication no in /etc/ssh/sshd_config on the server so that guessing passwords stops being an option.
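The lookup the server performs in the user-authentication step above, and the authorized_keys file that ssh-copy-id writes, depend on one fixed line format that sshd parses strictly. The following Python is an added example written for this article, not code from the author or from OpenSSH: it parses authorized_keys lines (including the options field that restricts what a key may do), decodes the public-key blob, computes the same SHA256 fingerprint that ssh-keygen -lf prints, and performs the match sshd does, ignoring the comment and skipping malformed lines. Every key in it is a constructed byte pattern wrapped in the real wire format, not a real key, and the comments and paths in the sample file are made up.

```python
import base64
import hashlib
import struct

# Key types sshd accepts in the key-type field of an authorized_keys line.
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss"}

def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def read_ssh_string(buf: bytes, off: int):
    """Decode one RFC 4251 string at offset off; return (payload, next offset)."""
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + length], off + length

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as printed by `ssh-keygen -lf` (base64, '=' padding stripped)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def split_options(options: str):
    """Split the options field on commas, keeping quoted values (which may hold commas) whole."""
    out, cur, in_quotes = [], "", False
    for c in options:
        if c == '"':
            in_quotes = not in_quotes
        if c == "," and not in_quotes:
            out.append(cur)
            cur = ""
        else:
            cur += c
    return out + [cur] if cur else out

def parse_authorized_key(line: str):
    """Parse one line ([options] keytype base64-blob [comment]) into a dict.
    Returns None for blank/comment lines and raises ValueError for malformed ones."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        options, rest = "", line
    else:  # options come first; quoted values may contain spaces, so scan by hand
        i, in_quotes = 0, False
        while i < len(line) and (in_quotes or not line[i].isspace()):
            if line[i] == '"':
                in_quotes = not in_quotes
            i += 1
        options, rest = line[:i], line[i:].strip()
    fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("malformed authorized_keys line")
    keytype, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(b64, validate=True)  # raises a ValueError subclass if invalid
    wire_type, off = read_ssh_string(blob, 0)
    if wire_type != keytype.encode():
        raise ValueError("key-type field does not match the encoded blob")
    first, _ = read_ssh_string(blob, off)         # for ssh-ed25519 this is the raw 32-byte key
    bits = len(first) * 8 if keytype == "ssh-ed25519" else None   # other types not decoded here
    return {"options": split_options(options), "type": keytype, "blob": blob,
            "bits": bits, "fingerprint": fingerprint(blob), "comment": comment}

def find_authorized_key(authorized_keys: str, keytype: str, blob: bytes):
    """sshd's lookup in the user-authentication layer: is the offered key (type + raw blob,
    comment ignored) listed for this user? Malformed lines are skipped, as sshd skips them."""
    for line in authorized_keys.splitlines():
        try:
            entry = parse_authorized_key(line)
        except ValueError:
            continue
        if entry and entry["type"] == keytype and entry["blob"] == blob:
            return entry
    return None

# Constructed sample data: fixed byte patterns in the real wire format, NOT real keys.
LAPTOP_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
BACKUP_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32, 64)))

def b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# ~/.ssh/authorized_keys for ec2-user (constructed sample)",
    "",
    f"ssh-ed25519 {b64(LAPTOP_BLOB)} aayush@laptop",
    # Restricted key: accepted only from two networks, forced to one command, no terminal.
    f'from="10.0.0.0/8,192.168.1.1",command="/usr/local/bin/backup.sh",no-pty '
    f"ssh-ed25519 {b64(BACKUP_BLOB)} backup-job",
    "ssh-ed25519 not*valid*base64 broken-line",
])
```

The options on the second key are the practical payoff of key-based login that a password cannot give you: a key used by a backup job can be pinned to source networks, limited to a single command and denied a terminal, so a leaked key is worth far less than a leaked password.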

Now the authentication is established, we can start exploring the applications of SSH.

Login to Terminal

  • Command: ssh ec2-user@18.208.214.183
  • This command drops you straight into a shell on your server. The first time you connect, ssh shows the server's host key fingerprint and asks whether to trust it; compare it with a fingerprint obtained out of band (for example from the instance's system log in the cloud console) before answering yes. After that it is remembered in ~/.ssh/known_hosts and a later change of host key is flagged loudly. To run a single command instead of an interactive shell, append it: ssh ec2-user@18.208.214.183 uptime.
  • Expected Output:

File Transfer using SCP: Secure Copy

  • Command: scp file.txt ec2-user@18.208.214.183:/home/ec2-user
  • This sends file.txt to the given directory on your server and prints a progress line while it uploads. The direction is just the order of the arguments: scp ec2-user@18.208.214.183:/home/ec2-user/file.txt . copies it back, and -r copies a whole directory.
  • Expected Output:

File Transfer using SFTP: Secure File Transfer Protocol

  • For file transfer using SFTP, first, you need to open an SFTP terminal.
  • Command: sftp ec2-user@18.208.214.183
  • You then use SFTP commands inside that session: put and get transfer files (with a progress bar here as well), ls, cd, mkdir, rm and rename manage the remote side, lls and lcd work on your local machine, and exit closes the session.
  • Expected Output:

DIFFERENCE BETWEEN SCP AND SFTP:
SCP is only a file-copy tool, whereas SFTP is a file-transfer and file-management protocol: in an SFTP session you can list, create, rename and delete files and directories as well as transfer them. Both run over the same SSH connection, so security and raw speed are similar in practice.
Note that the old scp wire protocol is considered outdated; since OpenSSH 9.0 the scp command uses the SFTP protocol under the hood, so the scp syntax is fine to keep using and the difference is now mostly one of command-line convenience.

Tunneling (Port Forwarding)

  • When an application listens on a port on one machine and you want to reach it from another without exposing that port on the network, tunneling is the answer: SSH carries the connection inside the encrypted session, so only the SSH port needs to be reachable. This article covers the two basic types (ssh -D, which turns the client into a SOCKS proxy, is a third).
  • Remote port forwarding (-R): a port is opened on the server and forwarded to the client. If an application runs on the client, it can be reached from the server (and, with GatewayPorts enabled on the server, from the server's network).
  • Local port forwarding (-L): a port is opened on the client and forwarded to the server. If an application runs on the server, you can reach it on your client.
Remote and Local Port Forwarding (Credit: Aayush Ostwal)
  • The command for remote port forwarding: ssh -R [bind_address:]port:host:hostport username@server_ip. sshd listens on port on the server; each incoming connection is sent back through the tunnel and the client connects to host:hostport.
  • Example of remote port forwarding (an application running on the client's port 8888 becomes reachable on the server's port 8080): ssh -R 8080:localhost:8888 username@server_ip
  • The command for local port forwarding: ssh -L [bind_address:]port:host:hostport username@server_ip. The ssh client listens on port locally; each incoming connection is sent through the tunnel and the server connects to host:hostport.
  • Example of local port forwarding (an application running on the server's port 8888 becomes reachable on the client's port 8080): ssh -L 8080:localhost:8888 username@server_ip
  • In both cases the listener binds to loopback unless you give a bind_address. 0.0.0.0 or * opens it to everyone who can reach that interface (and for -R this additionally needs GatewayPorts yes in sshd_config), so leave the bind address out unless that exposure is intended.
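To make the direction of each forward unambiguous, here is an added Python example (not code from the article's author or from OpenSSH) that parses the [bind_address:]port:host:hostport argument of -L and -R, reports which side listens, which side connects, and whether the listener is reachable from other machines, and rebuilds the commands for the two scenarios above. The user ec2-user and host 18.208.214.183 are the page's own; the IPv6 addresses and helper names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def _split_spec(spec: str) -> List[str]:
    """Split on ':' while keeping bracketed IPv6 literals such as [::1] as one field."""
    fields, cur, i = [], "", 0
    while i < len(spec):
        if spec[i] == "[":
            end = spec.find("]", i)
            if end < 0:
                raise ValueError(f"unbalanced '[' in {spec!r}")
            cur, i = cur + spec[i + 1:end], end + 1
        elif spec[i] == ":":
            fields.append(cur)
            cur, i = "", i + 1
        else:
            cur, i = cur + spec[i], i + 1
    fields.append(cur)
    return fields

def _fmt(addr: str) -> str:
    """Re-bracket IPv6 literals when rebuilding a spec."""
    return f"[{addr}]" if ":" in addr else addr

@dataclass
class Forward:
    """One -L or -R forward: [bind_address:]port:host:hostport."""
    direction: str               # "L" (local) or "R" (remote)
    bind_address: Optional[str]  # None = not given; "" or "*" = all interfaces
    port: int                    # port the listener opens
    host: str                    # destination the other end of the tunnel connects to
    hostport: int

    def listener_side(self) -> str:
        """-L: the ssh client opens the listening port; -R: sshd on the server does."""
        return "client" if self.direction == "L" else "server"

    def connector_side(self) -> str:
        """The end that resolves host:hostport and connects to it (the opposite side)."""
        return "server" if self.direction == "L" else "client"

    def exposed_beyond_loopback(self) -> bool:
        """True when the listener would accept connections from other machines.
        With no bind address both -L and -R bind to loopback (GatewayPorts defaults to no
        on both sides). For -R a non-loopback bind is honoured only if sshd's GatewayPorts
        allows it; this reports what the spec asks for."""
        return self.bind_address is not None and self.bind_address not in LOOPBACK

    def spec(self) -> str:
        base = f"{self.port}:{_fmt(self.host)}:{self.hostport}"
        return base if self.bind_address is None else f"{_fmt(self.bind_address)}:{base}"

    def command(self, user: str, server: str) -> str:
        return f"ssh -{self.direction} {self.spec()} {user}@{server}"

    def describe(self) -> str:
        scope = ("loopback only" if self.bind_address is None else
                 "all interfaces" if self.bind_address in ("", "*") else self.bind_address)
        return (f"-{self.direction} {self.spec()}: the {self.listener_side()} listens on port "
                f"{self.port} ({scope}); each connection rides inside the SSH session and the "
                f"{self.connector_side()} connects to {self.host}:{self.hostport}")

def parse_forward(direction: str, spec: str) -> Forward:
    """Parse the argument of ssh -L / ssh -R; raises ValueError on anything ssh would reject."""
    if direction not in ("L", "R"):
        raise ValueError("direction must be 'L' or 'R'")
    fields = _split_spec(spec)
    if len(fields) == 3:
        bind, (port, host, hostport) = None, fields
    elif len(fields) == 4:
        bind, port, host, hostport = fields
    else:
        raise ValueError(f"expected [bind:]port:host:hostport, got {spec!r}")
    if not host:
        raise ValueError("destination host is empty")
    port_n, hostport_n = int(port), int(hostport)       # int() raises ValueError on junk
    if not (0 <= port_n <= 65535 and 1 <= hostport_n <= 65535):
        raise ValueError("port out of range")
    if port_n == 0 and direction == "L":                # only -R 0:... asks sshd to pick a port
        raise ValueError("-L needs a non-zero listen port")
    return Forward(direction, bind, port_n, host, hostport_n)

def page_examples(user: str = "ec2-user", server: str = "18.208.214.183") -> dict:
    """The two scenarios from the article, written out as explicit forwards."""
    remote = Forward("R", None, 8080, "localhost", 8888)  # client app :8888 -> server :8080
    local = Forward("L", None, 8080, "localhost", 8888)   # server app :8888 -> client :8080
    return {"remote": remote.command(user, server), "local": local.command(user, server)}

if __name__ == "__main__":
    for fwd in (parse_forward("R", "8080:localhost:8888"), parse_forward("L", "0.0.0.0:8080:localhost:8888")):
        print(fwd.describe(), "| exposed:", fwd.exposed_beyond_loopback())
```

The exposed_beyond_loopback check is the one worth running before you paste a forward into a shared jump host: a bind address of 0.0.0.0 or * on an -L turns your laptop into an unauthenticated relay to the server-side service, and on an -R it does the same on the server for whatever is running on your client.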

Watch this Article on Youtube:

(Video by Aayush Ostwal)

That's it!

That covers the essentials of SSH. You can now connect to any server over an encrypted, key-authenticated connection.

I think the best use case for SSH shows up in automation, when you need to move files between several servers from scripts. The critical part is that you do not need to keep a password in a config file: a private key (ideally one per job, with a restricted authorized_keys entry) does the job, and the server records every login, including which key was used, in its auth log.

Please let me know your use case of SSH and how you used the power of SSH.

Thanks for reading!!!
