Please enable JavaScript.
Coggle requires JavaScript to display documents.
SSH (Secure Shell) - Coggle Diagram
SSH (Secure Shell)
Important Interview Questions
What is SSH
Difference between SSH and Telnet
Difference between SSH host key and user key
Difference between private key and public key
How does SSH public key authentication work
What is authorized_keys
What is known_hosts
What is ssh-agent
What is ssh-copy-id
Difference between RSA and Ed25519
Why disable root login
Why disable password authentication
How do you troubleshoot SSH login failures
How do you secure SSH in enterprise environments
What are SSH tunnels
What is a Bastion Host
What file configures the SSH server
What permissions should ~/.ssh and private keys have
How do you verify SSH configuration before restarting the service
How do you integrate SSH with Ansible
Important Enterprise Commands
systemctl status ssh
systemctl restart ssh
sshd -t
ssh-keygen
ssh-copy-id
ssh-add
ssh-agent
ssh
user@host
ssh -v
ssh -vvv
scp
sftp
ssh-keygen -R hostname
ssh-keygen -F hostname
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519
chmod 600 ~/.ssh/authorized_keys
journalctl -u ssh
ss -tulpn
Enterprise Implementation Steps
Install OpenSSH Server
Generate server host keys
Create administrator accounts
Generate Ed25519 user keys
Deploy public keys
Configure sshd_config
Disable password authentication
Disable root login
Restrict AllowUsers and AllowGroups
Configure firewall
Enable logging
Configure Fail2Ban
Test key authentication
Test rollback access
Integrate with Ansible
Audit SSH configuration
Rotate keys periodically
Monitor authentication logs
SSH Security Best Practices
Use Ed25519 keys
Use passphrase protected keys
Never share private keys
Disable password authentication
Disable root login
Enable MFA
Restrict users and groups
Use Bastion hosts
Rotate keys periodically
Remove unused keys
Audit authorized_keys regularly
Patch OpenSSH
Monitor login logs
Restrict firewall access
Use least privilege
Use separate admin accounts
Avoid shared accounts
Enterprise SSH Hardening
Disable Root Login
PermitRootLogin no
Disable Password Authentication
PasswordAuthentication no
Enable Public Key Authentication
PubkeyAuthentication yes
Limit Users
AllowUsers admin ansible
Limit Groups
AllowGroups linuxadmins
Disable Empty Passwords
PermitEmptyPasswords no
Change Default Port
Security through obscurity only
Not replacement for hardening
Idle Session Timeout
ClientAliveInterval
ClientAliveCountMax
Strong Algorithms Only
Ed25519
Modern ciphers
Logging Enabled
Monitor SSH logins
Audit access
Banner
Legal warning
Firewall Protection
Allow trusted IPs only
Fail2Ban
Block brute-force attacks
Multi Factor Authentication
SSH Key plus OTP
Regular Updates
Patch OpenSSH
Patch Linux
Enterprise Use Cases
Linux server administration
Ansible automation
DevOps deployments
Git repository authentication
Backup servers
Network device management
Cloud administration AWS Azure GCP
Bastion Jump Host access
Database administration
Secure file transfers with SCP and SFTP
SSH Login Process
Client requests connection
Server presents host key
Client checks known_hosts
User authenticity verified
Public key challenge
Client signs challenge
Server validates signature
Secure encrypted session starts
Common SSH Commands
Connect
ssh
user@server
Custom Port
ssh -p 2222
user@server
Remote Command
ssh
user@server
hostname
Verbose Mode
ssh -v
user@server
ssh -vv
ssh -vvv
Copy File
scp file.txt
user@server
:/tmp
Copy Directory
scp -r directory
user@server
:/tmp
Secure File Transfer
sftp
user@server
SSH Troubleshooting
Check Service
systemctl status ssh
Verify Port
ss -tulpn
Test Configuration
sshd -t
Client Debug
ssh -vvv
user@server
Check Logs
journalctl -u ssh
tail -f /var/log/auth.log
Verify Permissions
ls -ld ~/.ssh
ls -l ~/.ssh
Verify Connectivity
ping
nc
telnet port test
Purpose
Secure remote administration
Secure command execution
Secure file transfer
Secure tunneling and port forwarding
Encrypted replacement for Telnet
Industry standard for Linux administration
SSH Keys
Purpose
Authenticate users without passwords
Stronger security
Automation support
Key Pair
Private Key
Secret
Never share
Stored on client
Permissions 600
Public Key
Safe to share
Stored on server
authorized_keys
Supported Algorithms
Ed25519
Recommended
Fast
Strong security
Small key size
RSA 4096
Legacy compatibility
Widely supported
ECDSA
Less common
Generate SSH Key
Ed25519
ssh-keygen -t ed25519 -C
"admin@example.com
"
RSA
ssh-keygen -t rsa -b 4096 -C
"admin@example.com
"
Files Created
id_ed25519
Private key
id_ed25519.pub
Public key
SSH Permissions
~/.ssh
chmod 700
Private Key
chmod 600
Public Key
chmod 644
authorized_keys
chmod 600
Home Directory
Not writable by others
SSH Authentication Methods
Password Authentication
Username
Password
Less secure
Disable in enterprise
Public Key Authentication
Most recommended
Passwordless login
Strong authentication
Required for automation
Multi Factor Authentication
SSH Key
OTP
Hardware Token
Enterprise recommendation
Kerberos Authentication
Active Directory environments
Enterprise SSO
Host Keys
Purpose
Identify server
Prevent impersonation
Stored On Server
/etc/ssh/ssh_host_ed25519_key
Verified By Client
~/.ssh/known_hosts
First Connection
Verify fingerprint
Accept only trusted server
Known Hosts
Stores trusted server fingerprints
Prevents Man In The Middle attacks
File
~/.ssh/known_hosts
Commands
ssh-keygen -F hostname
ssh-keygen -R hostname
SSH Server Configuration
File
/etc/ssh/sshd_config
Important Directives
Port
ListenAddress
PermitRootLogin
PasswordAuthentication
PubkeyAuthentication
AllowUsers
AllowGroups
MaxAuthTries
LoginGraceTime
ClientAliveInterval
ClientAliveCountMax
X11Forwarding
AllowTcpForwarding
PermitTunnel
Validate Configuration
sshd -t
Restart Service
systemctl restart ssh
Enterprise SSH Access Model
User Workstation
SSH Client
Bastion Jump Server
Central access point
MFA enabled
Logging enabled
Internal Linux Servers
Accessible only through Bastion
Automation Server
Ansible
Uses SSH keys only
SSH Port Forwarding
Local Forwarding
Access remote internal service
Remote Forwarding
Expose local service remotely
Dynamic Forwarding
SOCKS proxy
Enterprise Uses
Secure database access
Internal web application access
Secure tunnels
SSH Architecture
SSH Client
User initiates connection
Commands
ssh
scp
sftp
SSH Server
sshd daemon
Listens on TCP Port 22
Accepts authenticated users
Executes remote commands
Communication Flow
Client sends connection request
Server presents host key
Client verifies server identity
Encryption negotiated
User authentication performed
Secure session established
SSH Components
SSH Client
OpenSSH Client
ssh command
SSH Server
OpenSSH Server
sshd service
Configuration Files
Client Configuration
~/.ssh/config
Server Configuration
/etc/ssh/sshd_config
Host Keys
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_ed25519_key
User Keys
~/.ssh/id_ed25519
~/.ssh/id_ed25519.pub
~/.ssh/id_rsa
~/.ssh/id_rsa.pub
Authorized Keys
~/.ssh/authorized_keys
Known Hosts
~/.ssh/known_hosts
SSH Key Deployment
Copy Public Key
ssh-copy-id
user@server
Manual Method
Create ~/.ssh
Create authorized_keys
Paste public key
Correct permissions
Permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
SSH Config File
File
~/.ssh/config
Benefits
Aliases
Default username
Identity file
Custom ports
Automation
Example Concepts
Host alias
HostName
User
Port
IdentityFile
SSH File Transfer
SCP
Secure copy
SFTP
Interactive secure file transfer
Rsync over SSH
Efficient backups
Synchronization
SSH Encryption
Provides
Confidentiality
Integrity
Authentication
Cryptography
Symmetric Encryption
AES
ChaCha20
Asymmetric Encryption
RSA
Ed25519
ECDSA
Hash Algorithms
SHA256
SHA512
SSH Agent
Purpose
Stores decrypted private keys in memory
Avoid repeated passphrase entry
Commands
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519
ssh-add -l
Bastion Host
Purpose
Secure gateway
Central auditing
Restrict direct server access
Benefits
Logging
Monitoring
MFA
Access control