Last modified: March 25, 2021
This article is written in: 🇺🇸
SSH, SFTP, and SCP are network protocols that provide secure data communication and file transfer over insecure networks. Here's a brief overview of each:
SSH (Secure Shell) is a protocol and a tool suite that facilitates secure communications and file transfers between computers over a potentially unsafe network such as the internet. It is commonly utilized by system administrators and developers for the following purposes:
Client Server
| |
| 1. Request to Connect (via SSH) -> |
| |
| <- 2. Sends Server's Public Key ----|
| |
| 3. Creates Encrypted Session Key --> |
| (using server's public key) |
| |
| <- 4. Decrypts Session Key (using |
| private key) & establishes session |
| |
| 5. Client Authenticates using -> |
| its private key |
| |
| <- 6. Verifies using stored public |
| key of the client & grants access |
| |
| 7. Secure Communication Channel |
| (both ways using session key) |
|______________________________________|
SSH leverages public-key cryptography to authenticate users and to secure the data being transferred. This ensures that only authorized users can connect, and the data cannot be intercepted in a readable format by malicious actors.
To initiate a connection using SSH, you require several details and credentials which include:
Utilize the following command syntax to connect:
ssh username@serverhost
Depending upon the authentication method chosen, the server will either prompt you for a password (password authentication) or verify the cryptographic key presented (key authentication).
The ssh command accommodates various flags that allow you to customize your connection further. Here are some notable options:
-l
option specifies the username for the SSH connection. An alternative way to include the username is by using the format ssh -l username serverhost
.-i
option, you can designate the path to the private key file used for key authentication. By default, SSH looks for the key file in the ~/.ssh/id_rsa
directory.-F
option indicates the path to the SSH connection configuration file. Each user typically has a personal configuration file at ~/.ssh/config
, while a global configuration file is located at /etc/ssh/ssh_config
.-p
option, you can specify a different port number if the SSH server is not using the default port 22.-v, -vv, -vvv
options increase the verbosity of the SSH command, providing more detailed output, which is particularly useful for troubleshooting connection issues.For example SSH usually uses port 22, but you can use another port for better security. To use a different port, like 561, do this:
ssh -p 561 username@serverhost
SSH employs a public-key cryptography system, not only to ascertain the identity of the remote machine but also to facilitate the remote computer in authenticating the user. In this mechanism, each user generates a pair of cryptographic keys: a private key (kept secret and safe) and a public key (shared with the remote systems). This key-based authentication method significantly bolsters security by minimizing the risk associated with password brute-force attacks.
To initiate the process of generating a new key pair, you use the ssh-keygen
command. The -t
flag allows you to specify the type of key to generate. Common choices are RSA (a widely used algorithm) and Ed25519 (a modern algorithm with enhanced security features). You can also specify the key's bit size using the -b
flag for added security, as demonstrated below:
ssh-keygen -t rsa -b 2048
# or for a more secure option
ssh-keygen -t ed25519
Post-creation, your keys will be housed in the ~/.ssh directory. Utilize the ls -a ~/.ssh/ command to enumerate the files in this directory and locate your fresh key pair.
In order to harness your newly created key pair for secure connections, the remote server needs to be aware of your public key. This can be achieved by employing the ssh-copy-id command, which securely copies your public key to the remote host's authorized keys. Here’s how you can execute it:
ssh-copy-id -i ~/.ssh/id_rsa.pub username@serverhost
# or if you used the ed25519 algorithm
ssh-copy-id -i ~/.ssh/id_ed25519.pub username@serverhost
Make sure to replace username, serverhost, and the key file name (if you named your key file something other than the default) with the appropriate values. This step is essential to pave the way for passwordless, secure connections to the remote host.
Remember, protect your private key meticulously as it acts as your cryptographic signature, and losing control over it can compromise the security of your remote connections.
Once the public key is shared, you can establish connections seamlessly and securely using your SSH key. The command to connect incorporates the key file and resembles the structure below:
ssh -i ~/.ssh/id_rsa username@serverhost
# or if you used the ed25519 algorithm
ssh -i ~/.ssh/id_ed25519 username@serverhost
This method enhances the security and efficiency of your remote connections, fostering a secure and streamlined workflow.
Before connecting, ensure that the SSH daemon (sshd) is up and running on your server. On Debian-based systems, you can set up and start the SSH service using the following commands:
sudo apt update
sudo apt install openssh-server
sudo systemctl enable ssh
sudo systemctl start ssh
These commands will install the SSH server package, enable the SSH service to start at boot, and initiate the SSH service immediately, making your server ready to accept secure connections.
SCP (Secure Copy Protocol), which utilizes SSH for data transfer, offers a secure method for transferring files between computers over a network. Here's how you can leverage SCP for various tasks:
To upload a file from your local machine to a remote server, use the following syntax:
scp /local/path/to/file username@server:/remote/path/to/file
To retrieve a file from a remote server to your local machine, utilize the command below:
scp username@server:/remote/path/to/file /local/path/to/file
SCP also supports additional flags that can enhance your file transfer operations:
-r
option enables the recursive copying of directories, allowing you to copy entire directories along with their contents.-P
option, you can specify a different port if the server is not using the default SSH port, which is 22.
For example, to copy a directory recursively over a specified port, use:
scp -P 80 -r root@server:/remote/path/to/directory /local/path/to/directory
Secure File Transfer Protocol (SFTP) is a secure method for transferring files between a local and a remote computer. It operates over the SSH protocol, providing encrypted network communication. SFTP is preferred over older protocols like FTP due to its enhanced security features, including secure data transfer and manipulation capabilities within the remote file system.
I. SSH as the Underlying Protocol
II. Configure SSH Server
/etc/ssh/sshd_config
) should have an entry like Subsystem sftp /usr/lib/openssh/sftp-server
to enable SFTP service.III. Apply the changes by restarting the SSH service (sudo systemctl restart ssh
).
To connect to a remote server using SFTP, follow these steps:
I. Open Terminal or Command Line
II. Use the command sftp username@serverhost
where username
is your account on the remote server, and serverhost
is the hostname or IP address of the server.
sftp username@serverhost
III. Authenticate
Once connected, you can use several commands to manage files:
ls
command lists files and directories in the current directory on the remote server, providing an overview of the contents.cd
command changes the current directory on the remote server, allowing navigation through different folders.put local_file
uploads a file from your local machine to the current directory on the remote server, enabling file transfer.get remote_file
command downloads a file from the current directory on the remote server to your local machine, retrieving the specified file.mkdir directory_name
, you can create a new directory on the remote server, allowing for organization and storage of files.rmdir directory_name
command removes a directory on the remote server, which is useful for cleaning up unused directories.rm file_name
command, you can delete a file on the remote server, removing unwanted or unnecessary files.exit
command closes the SFTP session, terminating the connection with the remote server.Here's how you might use these commands in a session:
sftp> ls
sftp> cd /path/to/directory
sftp> put /local/path/to/file
sftp> get /remote/path/to/file
sftp> mkdir new_directory
sftp> rmdir old_directory
sftp> rm unwanted_file
sftp> exit
Aside from SCP and SFTP, numerous other protocols and tools can be utilized for transferring files, each with their own characteristics:
-r
). Document any differences in transfer times and discuss scenarios where SCP is advantageous for quick file transfers.sftp
). Use SFTP to upload and download files, create directories, and change permissions. Discuss the additional file management capabilities that SFTP provides over SCP.