SSH – Secure Remote Access

What is SSH?

Definition: SSH (Secure Shell) is a cryptographic network protocol enabling secure remote login and other network services over unsecured networks.
Purpose: SSH replaces insecure protocols (like Telnet), providing confidentiality, integrity, and authenticity for management, file transfer, and tunneling.

How SSH Provides Secure Remote Access

  • Encryption: All data (including passwords) is encrypted, preventing eavesdropping.
  • Authentication: Users/devices are verified via passwords, keys, or certificates.
  • Integrity: Message authentication codes protect against tampering.

SSH Versions

  • SSH-1: Obsolete, insecure—never use in production.
  • SSH-2: Modern, secure standard—always use SSH-2.

SSH Components

Component  | Description
SSH Client | Device or program (e.g., ssh, PuTTY) initiating the connection.
SSH Server | Remote device/service listening for SSH (usually TCP port 22).
Key Pairs  | Public/private keys for secure, passwordless authentication.

SSH Authentication Methods

Method      | Description
Password    | User enters a password at login.
Public Key  | User proves identity with the private key; the server stores the matching public key.
Certificate | Keys signed by a trusted certificate authority, used in large deployments.

SSH Key Management

  1. Key Generation: ssh-keygen -t rsa -b 4096 (creates the private key and its public key, by default ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub)
  2. Deploy Public Key: ssh-copy-id user@server (appends the public key to ~/.ssh/authorized_keys on the server)
  3. Key Passphrases: Protect private keys with a passphrase (ssh-keygen prompts for one at generation; ssh-agent lets you enter it once per session).

Configuring SSH on Network Devices

Cisco Example:

conf t
hostname Router1
ip domain-name example.com
crypto key generate rsa
ip ssh version 2
username admin secret password123
line vty 0 4
 login local
 transport input ssh

SSH Client Usage

Basic Syntax: ssh user@hostname_or_ip
Example: ssh john@192.168.1.10
Config file for shortcuts: Use ~/.ssh/config to define host aliases, ports, users.
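The following is an added example, not part of the original study guide: it shows how ~/.ssh/config aliases are resolved. The config text, the hosts sw1 and lab-*, and the function names are all constructed for illustration. The point it demonstrates is the rule that trips people up: ssh keeps the FIRST value it obtains for each keyword, so specific Host blocks must come before the catch-all "Host *" block.

```python
import fnmatch

# Constructed ~/.ssh/config (not from the page): two aliases plus defaults.
# ssh_config uses the FIRST value obtained for each keyword, so specific
# Host blocks must come before the catch-all "Host *" block.
SAMPLE_CONFIG = """\
# Core switch reachable only on a non-default port
Host sw1
    HostName 192.168.1.10
    User john
    Port 2222
    IdentityFile ~/.ssh/id_ed25519_network

# Lab routers share a naming scheme; Host accepts wildcard patterns
Host lab-*
    User admin

Host *
    Port 22
    ServerAliveInterval 60
"""


def parse_ssh_config(text):
    """Return [(host_patterns, {keyword: value}), ...] in file order.

    Keywords are case-insensitive; 'Keyword value' and 'Keyword=value'
    are both accepted.  Options before the first Host line are global.
    """
    blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = (value.split(), {})
            blocks.append(current)
        else:
            if current is None:                # global options, no Host yet
                current = (["*"], {})
                blocks.append(current)
            current[1].setdefault(key, value)  # first value in a block wins
    return blocks


def resolve_host(alias, text=SAMPLE_CONFIG):
    """Resolve an alias the way ssh does: walk the blocks in order, keep the
    first value seen for each keyword, skip blocks with a matching '!' pattern."""
    resolved = {}
    for patterns, options in parse_ssh_config(text):
        positive = [p for p in patterns if not p.startswith("!")]
        negated = [p[1:] for p in patterns if p.startswith("!")]
        if any(fnmatch.fnmatchcase(alias, p) for p in negated):
            continue
        if not any(fnmatch.fnmatchcase(alias, p) for p in positive):
            continue
        for key, value in options.items():
            resolved.setdefault(key, value)
    resolved.setdefault("hostname", alias)  # HostName defaults to the alias
    resolved.setdefault("port", "22")
    return resolved


def explicit_command(alias, text=SAMPLE_CONFIG):
    """Return the long-form ssh command that 'ssh <alias>' is equivalent to."""
    r = resolve_host(alias, text)
    argv = ["ssh", "-p", r["port"]]
    if "identityfile" in r:
        argv += ["-i", r["identityfile"]]
    target = f"{r['user']}@{r['hostname']}" if "user" in r else r["hostname"]
    argv.append(target)
    return " ".join(argv)


if __name__ == "__main__":
    for alias in ("sw1", "lab-r1", "unknown-host"):
        print(f"ssh {alias:<13} ->  {explicit_command(alias)}")
```

With the sample config, "ssh sw1" expands to "ssh -p 2222 -i ~/.ssh/id_ed25519_network john@192.168.1.10", while "ssh lab-r1" only picks up the shared user and the default port. On a real system, OpenSSH's own "ssh -G alias" prints the fully resolved configuration, which is the authoritative check when an alias does not behave as expected.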

SSH Tunneling and Port Forwarding

Type    | Syntax Example                       | Use Case
Local   | ssh -L 8080:localhost:80 john@server | Local port 8080 reaches port 80 on the remote host
Remote  | ssh -R 8080:localhost:80 john@server | Port 8080 on the remote host reaches port 80 on the local machine
Dynamic | ssh -D 1080 john@server              | SOCKS proxy on local port 1080; traffic exits via the remote host

Security Features and Best Practices

  • Always use SSH-2.
  • Restrict access (users, groups, ACLs).
  • Use strong algorithms: AES for encryption, Ed25519 (or 4096-bit RSA) keys for authentication.
  • Optionally change the default port (from 22); this reduces automated scanning noise but is not a security control on its own.
  • Set idle timeout/session limits.
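As an added example (not from the original guide), here is a small sshd_config audit that turns the list above into checks. Both config fragments are constructed for illustration; the directive names (Protocol, PermitRootLogin, PasswordAuthentication, AllowUsers/AllowGroups, Ciphers, ClientAliveInterval, Port) are real OpenSSH sshd_config keywords, while the severities and the function names are my own choices. It also covers the AllowUsers point from the troubleshooting Q&A further down.

```python
# Constructed sshd_config fragments (not from the page): one with the
# weaknesses the list above warns about, one that follows it.
WEAK_SSHD_CONFIG = """\
Protocol 2,1
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# No AllowUsers/AllowGroups: every local account may log in.
# No ClientAliveInterval: idle sessions never time out.
"""

HARDENED_SSHD_CONFIG = """\
Protocol 2
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups ssh-users
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com
ClientAliveInterval 300
ClientAliveCountMax 2
MaxSessions 4
"""


def parse_sshd_config(text):
    """Map lowercase keyword -> first value seen.  sshd keeps the first value
    obtained for a keyword; parsing stops at the first Match block because
    everything after it is conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit_sshd_config(text):
    """Return (severity, finding) tuples for settings that contradict the
    best-practice list; an empty list means nothing was flagged."""
    s = parse_sshd_config(text)
    findings = []

    # SSH-1: current OpenSSH no longer supports it at all, but on older builds
    # 'Protocol 2,1' still enables the obsolete protocol.
    if "1" in s.get("protocol", "2").replace(" ", "").split(","):
        findings.append(("high", "Protocol allows SSH-1; set 'Protocol 2'"))
    if s.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append(("high", "PermitRootLogin yes; use 'no' or 'prohibit-password'"))
    if s.get("passwordauthentication", "yes").lower() == "yes":
        findings.append(("medium", "PasswordAuthentication yes; prefer key-based logins"))
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append(("medium", "No AllowUsers/AllowGroups; access is not restricted"))
    if s.get("clientaliveinterval", "0") == "0":
        findings.append(("low", "ClientAliveInterval 0; idle sessions never time out"))
    weak = [c for c in s.get("ciphers", "").split(",")
            if any(bad in c.lower() for bad in ("cbc", "3des", "arcfour"))]
    if weak:
        findings.append(("medium", "Weak ciphers enabled: " + ", ".join(weak)))
    if s.get("port", "22") == "22":
        findings.append(("info", "Default port 22; moving it only reduces scanner noise"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"--- {name} ---")
        for severity, finding in audit_sshd_config(cfg) or [("ok", "nothing flagged")]:
            print(f"[{severity}] {finding}")
```

Run against the weak fragment it reports six findings (two of them high); the hardened fragment produces none. After editing a real sshd_config, "sshd -t" validates the syntax before the service is restarted, which avoids locking yourself out with a typo.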

Troubleshooting SSH Connections

Issue                 | Possible Cause
Connection refused    | SSH server down, or a firewall blocks port 22
Authentication failed | Wrong password, missing key, or private key file permissions too open (ssh refuses to use a key readable by others)
Network unreachable   | Routing or DNS problems

Verbose Mode: Use ssh -v user@host for debugging. Add -vv or -vvv for even more detail.

Advanced SSH Features

  • Multiplexing: Share a single SSH connection for multiple sessions.
  • Agent forwarding: Use local keys on remote servers.
  • SSHFS: Mount remote filesystem securely via SSH.

Alternatives to SSH

Protocol | Security    | Use Case
Telnet   | Insecure    | Testing, legacy troubleshooting
RDP      | Encrypted   | Windows GUI remote desktop
VNC      | Can encrypt | Remote GUI access

Example Scenario

Situation: John needs to configure a remote switch securely from home.
Step 1: Connect using SSH:

ssh admin@203.0.113.2
Step 2: Authenticate with password or private key.
Step 3: All session data is encrypted.

Exam Tips and Key Points

  • Always use SSH-2 over SSH-1.
  • Know how to generate and deploy key pairs.
  • Understand password vs. public key authentication.
  • Know Cisco IOS SSH configuration syntax.
  • Be able to use SSH tunnels and explain best practices.
  • Troubleshoot using ssh -v and explain SSH’s advantages over Telnet.

Visual SSH Workflow (Step-by-Step)

User (John's Laptop)
       │
       │ 1. User runs: ssh john@192.168.1.10
       │
───────┼─────────────────────────────────────────
       │
       ▼
Remote Server/Switch (192.168.1.10)

Step-by-Step Process:
- John runs the SSH command.
- TCP connection established (default port 22).
- SSH handshake: protocol version, cipher/MAC agreement.
- Authentication: Server presents its host key (the client checks it against known_hosts), then John authenticates (password or private key).
- Secure channel established (all data encrypted).
- John can run commands, transfer files, tunnel ports.
- Session ends securely.

Sample Exam Questions

  1. Which of the following statements about SSH is TRUE?
    A) SSH-1 is preferred over SSH-2 for security.
    B) SSH encrypts all session data by default.
    C) SSH transmits passwords in plain text.
    D) Telnet is more secure than SSH.
  2. To generate an SSH key pair on Linux, the command is: ssh-keygen
  3. Name two authentication methods supported by SSH.
    Answer: Password authentication, Public key authentication
  4. Enable SSH v2 and configure user "admin" with password "cisco123" on a Cisco router.
    conf t
    hostname Router1
    ip domain-name example.com
    username admin secret cisco123
    crypto key generate rsa
    ip ssh version 2
    line vty 0 4
     login local
     transport input ssh
    end
  5. John tries ssh admin@10.0.0.5 but gets "Permission denied (publickey,password)." List two possible causes.
    Answer:
    • Incorrect username or password
    • Public key not in ~/.ssh/authorized_keys on the server

Common SSH Troubleshooting Q&A

Q1. What causes a "Connection refused" error?
Possible causes: SSH server not running, firewall blocks port 22, wrong IP/hostname.
Q2. How do I debug SSH connection issues?
Answer: Use ssh -v user@host (add more v's for more detail).
Q3. Why does SSH ask for a password instead of using my key?
Answer: Private key missing or its file permissions are too open, public key not installed on the server, or the wrong key is offered.
Q4. How do I limit SSH access to specific users?
Answer: Use AllowUsers username in /etc/ssh/sshd_config and restart sshd.
Q5. How do I disable SSH-1 and force SSH-2 on Cisco IOS?
Answer: ip ssh version 2
Q6. What is the risk of leaving SSH-1 enabled?
Answer: Vulnerable to interception and man-in-the-middle attacks.
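The following added example (not part of the original guide) puts the troubleshooting table and Q1 to Q3 above into code: a lookup that maps the error text ssh prints to the likely cause, plus a check for the key-file permission problem from Q3. The sample error strings are constructed to mirror OpenSSH client output and reuse the addresses from the guide's examples; the cause wording, the DIAGNOSES table and the function names are my own.

```python
import os
import re
import stat
import tempfile

# Constructed samples of OpenSSH client error output (not captured from the
# page's hosts); the addresses reuse the ones in the examples above.
SAMPLE_ERRORS = {
    "refused": "ssh: connect to host 203.0.113.2 port 22: Connection refused",
    "denied": "admin@10.0.0.5: Permission denied (publickey,password).",
    "dns": "ssh: Could not resolve hostname swtich1: Name or service not known",
    "key": ("@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @\n"
            "Permissions 0644 for '/home/john/.ssh/id_ed25519' are too open."),
}

# (regex over ssh's stderr, likely cause), following the troubleshooting table.
DIAGNOSES = [
    (r"Connection refused",
     "SSH server not running, or a firewall rejects the port"),
    (r"Connection timed out|No route to host|Network is unreachable",
     "routing problem or a firewall silently dropping packets"),
    (r"Could not resolve hostname",
     "DNS problem or mistyped hostname"),
    (r"Permission denied \((?P<methods>[^)]*)\)",
     "authentication failed: wrong password, wrong user, or key not in authorized_keys"),
    (r"Permissions \d+ for '[^']+' are too open",
     "private key readable by others, so ssh ignores it; chmod 600 the key"),
    (r"REMOTE HOST IDENTIFICATION HAS CHANGED",
     "server host key changed: reinstall, or a man-in-the-middle; verify out of band"),
]


def diagnose(ssh_output):
    """Return likely causes for the error messages found in ssh's output."""
    causes = []
    for pattern, cause in DIAGNOSES:
        m = re.search(pattern, ssh_output)
        if not m:
            continue
        methods = m.groupdict().get("methods")
        if methods:  # 'Permission denied (publickey,password)' lists what the server accepts
            cause += f" (server accepts: {methods})"
        causes.append(cause)
    return causes


def check_private_key_mode(path):
    """(ok, mode) where ok means no group/other permission bits are set,
    which is what ssh requires before it will use a private key."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & 0o077) == 0, oct(mode)


def demo_key_permissions():
    """Create a throwaway placeholder key with the classic mistake, then fix it.
    Returns the check results before and after chmod 600."""
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "id_ed25519")
        with open(key, "w") as f:
            f.write("placeholder text, not a real key\n")
        os.chmod(key, 0o644)
        before = check_private_key_mode(key)
        os.chmod(key, 0o600)
        after = check_private_key_mode(key)
    return before, after


if __name__ == "__main__":
    for name, text in SAMPLE_ERRORS.items():
        print(f"{name:>8}: {diagnose(text)}")
    print("key perms before/after:", demo_key_permissions())
```

The "Permission denied (publickey,password)" case from sample question 5 is the most useful one to read carefully: the list in parentheses is what the server is willing to accept, so "(publickey)" alone tells you password logins are disabled and the key, not the password, is the thing to fix.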

Summary Table: SSH vs. Telnet

Feature            | SSH (Secure Shell)   | Telnet
Encryption         | Yes (secure)         | No (plain text)
Port               | 22                   | 23
Authentication     | Password, keys, cert | Password only
Use for Management | Yes                  | No (not secure)
File Transfer      | Yes (SCP/SFTP)       | No

SSH – Secure Remote Access Quiz

1. What does SSH stand for?

Correct answer is B. SSH stands for Secure Shell, a cryptographic protocol for secure remote access.

2. Which version of SSH is recommended for secure deployments?

Correct answer is C. SSH-2 is the modern, secure standard replacing SSH-1.

3. Which port does SSH use by default?

Correct answer is A. SSH listens on TCP port 22 by default.

4. Which SSH authentication methods are commonly supported?

Correct answer is D. SSH supports password, public key, and certificate authentication methods.

5. What is the command to generate an RSA SSH key pair with 4096 bits?

Correct answer is B. This command creates a 4096-bit RSA key pair for SSH.

6. Which command is used to copy your SSH public key to a server?

Correct answer is A. ssh-copy-id copies your public key to the server's authorized keys file.

7. What is a major security advantage of SSH over Telnet?

Correct answer is C. SSH encrypts all data, protecting credentials and session data.

8. How can you enable SSH version 2 on a Cisco router?

Correct answer is D. The Cisco IOS command to enable SSH version 2 is ip ssh version 2.

9. What does the command ssh -v user@host do?

Correct answer is A. The -v option enables verbose mode for debugging SSH connection issues.

10. Which of these is NOT a recommended security best practice for SSH?

Correct answer is B. SSH-1 is insecure and should be disabled; always use SSH-2.
