SSH Overview

SSH is a secure way to connect to another computer. All communication is encrypted so eavesdropping is (next to) impossible.

The two most widely used authentication methods with SSH are username/password and public/private key. Once you are authenticated, the SSH connection is established and access is granted.

Departmental SSH servers

Most departmental Intranet machines can be accessed with SSH from known, trusted networks. This includes most Belgian ISPs.

From other networks or when you need to connect to a machine that is not publicly accessible, you can first connect to one of the public departmental SSH servers and from there to the machine you want.

The list of public departmental SSH servers, including their fingerprint and how to check that fingerprint before actually connecting, is described on this web page.

Username/password

Username/password authentication is very simple: you tell your ssh client which username to use for the connection, ssh asks for your password and passes both to the remote computer you are trying to connect to. The remote computer checks, using whatever authentication scheme it is configured for (LDAP, Kerberos, plain password file, ...), whether the given password is indeed the one for the given username. If so, access is granted.

Public/private key

Public/private key authentication is equally simple, except you have to prepare the remote computer in advance to accept your key: you must add your public key to the authorized_keys file, such that the remote computer knows which keys it can/must trust.

Once your public key is added to your authorized_keys file on the remote computer, you can establish an SSH connection by telling your ssh client which (private) key to use for the connection. The remote computer checks whether the given private key matches (one of) the public keys in your authorized_keys file. If so, access is granted.
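
An added example (not part of the original page or of any departmental tooling): a small Python audit that lists every key an authorized_keys file trusts, with the SHA256 fingerprint in the form `ssh-keygen -l` prints, so you can confirm that only your own keys are present. The sample key bytes, comments and the `from=`/`command=` options are constructed for illustration.

```python
import base64
import hashlib
import shlex
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def parse_authorized_key(line):
    """Return (key_type, fingerprint, comment); None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    lexer = shlex.shlex(line, posix=True)  # options may contain quoted spaces
    lexer.whitespace_split, lexer.quotes, lexer.commenters = True, '"', ""
    fields = list(lexer)
    idx = next((i for i, f in enumerate(fields[:-1]) if f in KEY_TYPES), None)
    if idx is None:
        raise ValueError("no supported key type found")
    blob = base64.b64decode(fields[idx + 1], validate=True)
    # The blob starts with the key type again; a mismatch means a mangled entry.
    if not blob.startswith(ssh_string(fields[idx].encode())):
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return fields[idx], fingerprint, " ".join(fields[idx + 2:])


def audit(text):
    """Parse every key entry in the text of an authorized_keys file."""
    return [e for e in map(parse_authorized_key, text.splitlines()) if e]


# Constructed sample: a well-formed ed25519 blob with dummy key bytes.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_FILE = "\n".join([
    "# constructed authorized_keys content",
    f"ssh-ed25519 {SAMPLE_B64} alice@laptop",
    f'from="192.0.2.0/24",command="backup --all" ssh-ed25519 {SAMPLE_B64} backup job',
])

if __name__ == "__main__":
    for key_type, fingerprint, comment in audit(SAMPLE_FILE):
        print(key_type, fingerprint, comment)
```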

Your password and/or private key

With username/password authentication, if somebody else gets hold of your password, or with public/private key authentication, if somebody else gets hold of your private key, he/she can connect to the remote computer with your account and do all sorts of nasty things (download illegal material, harass other people, ...) for which you will be held accountable.

Most people already know that keeping a password private is important ... most succeed in doing so, but sometimes passwords do leak.

Likewise, keeping your private key private is important too. Unfortunately, private SSH keys are rather long (nowadays best at least 2048 characters ;-) and thus are impossible to remember. You therefore must keep your private key in some file on your computer.

Luckily the SSH protocol provides a mechanism to keep the contents of that file protected even if somebody else can get to it: SSH can encrypt your private key file, such that the real key can only be deciphered if you know the right decryption key ... such a decryption key is called the passphrase.

Passphrases are thus much like passwords: you do need to remember them and they are very important in protecting your privacy and/or identity.
Passphrases are typically much longer than passwords; where most passwords are between 8 and 16 characters, passphrases can and should be much longer: why not use a complete sentence, including capitalization and punctuation marks ... the more the better ;-)

As far as we know, there is no practical limit to the size/length of a passphrase, which is their main advantage over passwords: most password schemes only use the first 8 to 16 characters for real authentication (although you can give more, the excess characters are just dropped for authentication).
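
An added example (not from the original page): a Python check that reads the header of a private key file in OpenSSH's own format (`-----BEGIN OPENSSH PRIVATE KEY-----`) and reports whether the key is stored encrypted under a passphrase. It assumes that format only, and the two sample files are constructed headers that contain no key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"


def read_string(buf, offset):
    """Read one SSH string (uint32 length + data); return (data, next_offset)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key data")
    (length,) = struct.unpack_from(">I", buf, offset)
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated key data")
    return buf[offset + 4:end], end


def key_protection(pem_text):
    """Return (cipher, kdf) from the key header; ("none", "none") = no passphrase."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an OpenSSH-format private key")
    raw = base64.b64decode("".join(lines[1:-1]), validate=True)
    if not raw.startswith(MAGIC):
        raise ValueError("missing openssh-key-v1 magic")
    cipher, offset = read_string(raw, len(MAGIC))
    kdf, offset = read_string(raw, offset)
    return cipher.decode("ascii"), kdf.decode("ascii")


def is_passphrase_protected(pem_text):
    """True when the private key section is encrypted with a passphrase."""
    return key_protection(pem_text)[0] != "none"


def make_sample(cipher, kdf):
    """Build a constructed, header-only sample file (no key material inside)."""
    def s(data):
        return struct.pack(">I", len(data)) + data
    body = MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    return "\n".join([BEGIN, base64.b64encode(body).decode(), END]) + "\n"


PLAIN_KEY = make_sample(b"none", b"none")            # key saved without passphrase
ENCRYPTED_KEY = make_sample(b"aes256-ctr", b"bcrypt")  # key saved with passphrase

if __name__ == "__main__":
    for name, text in (("plain", PLAIN_KEY), ("encrypted", ENCRYPTED_KEY)):
        print(name, key_protection(text), is_passphrase_protected(text))
```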

Key agents

When using username/password authentication, you need to give your password each and every time you connect to a remote computer.
When using public/private key authentication, your private key needs to be decrypted each and every time you connect to a remote computer.

Some ssh clients can remember a password for subsequent connections, but once you close/terminate the client, your password is (and should be!) forgotten.

With public/private key authentication, there exist key agents that keep your private key decrypted in RAM for as long as you keep the key agent running (typically as long as your interactive login session). All ssh clients can use the key agent to ask for the (decrypted) private key to use for an SSH connection.

In this way, you only need to give your passphrase once for each interactive login session, whereas you need to give your password for each and every SSH connection.

Tunnels

A cool feature of SSH is that it provides a mechanism to use services that are available at the remote end of your connection even if these services are not accessible from where you are connecting.

In this way you can, for instance, access departmental web services or print on departmental printers that are protected by a firewall.

A specific case of this tunneling feature is the use of (tunneling the) X11 protocol with which you can start GUI applications on the remote machine and display the windows on your local machine (provided of course your local machine has an active X11 server service).