“Secure Shell” (SSH) is on one hand a network protocol and on the other hand the software that implements it; it creates an encrypted and authenticated connection between 2 remote computers.
Requirements for SSH connections
The first requirement is a server with an active and configured “SSH daemon” (short sshd), so that a remote client can request an SSH session.
The second requirement is a client, which (depending on your OS) is already preinstalled or has to be installed afterwards. macOS and Linux ship an SSH client; Windows 10 and later ship an OpenSSH client as well, older Windows versions need something like PuTTY.
The third requirement is a network that connects server and client so they can talk to each other. This can be a direct LAN connection or a path over the internet through many routers.
How to create an SSH connection?
Let's define our example network:
Server: 192.168.0.1/24
Client: 192.168.0.2/24
Now we need the username and password which allows us to connect to the server.
Username: kevin Password: ********
On Linux or macOS you can open a terminal and run the ssh command with the target given as user@host:
The username is entered before the @ symbol, the host IP address or domain name after the @.
On the very first connection to a server ssh shows the server's host key fingerprint and asks you to confirm it; compare it with a fingerprint you obtained from the server administrator, because accepting an unknown key blindly is exactly what a man-in-the-middle attacker needs. After that you are asked for the password of the requested user. Don't get confused if you see no letters or * on the screen: the terminal receives what you type, it just does not echo it for security reasons.
If you enter the correct password you are now logged in on the server via SSH.
Alternative authentication method: public-key authentication
A username and password can be phished, reused across services or guessed by brute force, so they are not the safest way to authenticate a user.
A good alternative is “public-key authentication”.
The basic principle is the following:
The client creates a key pair, a “public” and a “private” key. As you can probably imagine, the private key must NOT be shared or copied anywhere. The public key is configured on the server and grants you access to a given user account without having to know its password. Once key login works, password authentication can be switched off entirely on the server (PasswordAuthentication no in sshd_config), which removes password guessing as an attack surface.
Creating a key pair (Linux and MacOS)
ssh-keygen -t rsa
After entering the command you are asked where the key pair should be saved and whether the private key should be protected with an additional passphrase. Usually you keep the default path for the SSH key pair (~/.ssh/). The passphrase is optional, but it encrypts the private key on disk, so a stolen key file alone is not enough to log in; use one unless the key belongs to an unattended process.
The folder ~/.ssh/ now contains 2 files: id_rsa (the private key, readable only by you) and id_rsa.pub (the public key).
You can choose which type of cryptography is used behind the key pair with the -t option when you create it.
Most common methods are:
Depending on how up to date your server and client are, only some older or newer key types may be available. Current OpenSSH versions recommend the ed25519 type, and RSA keys should be at least 3072 bits long.
How do I add my public key to my server?
As seen above you can find your public key in ~/.ssh/id_rsa.pub
macOS only: you can copy the content of a file to your clipboard via the command pbcopy (on Linux use xclip or xsel instead):
pbcopy < ~/.ssh/id_rsa.pub
Now connect to your server (via username and password, or over another secure channel such as SFTP) and create the file ~/.ssh/authorized_keys in the home directory of the user you want to log in as.
Enter your previously copied public key into this file. It is important that one line in this file holds exactly one public key. So if you have multiple public keys (because many computers need access to your server) put each public key on its own line. sshd also checks permissions (StrictModes): ~/.ssh must not be writable by other users (700 is the usual choice) and authorized_keys should be 600, otherwise the key is ignored and ssh silently falls back to asking for a password.
Example: on the client (192.168.0.2) we created a key pair in ~/.ssh/ and already copied the public key.
Now we connect to our server via ssh kevin@192.168.0.1 and the predefined password.
Then we open the file ~/.ssh/authorized_keys with an editor such as vim, paste our copied public key, save and quit.
If everything is working correctly you should now be able to log in to the server WITHOUT ENTERING YOUR PASSWORD (if you set a passphrase, you are asked for that instead).
You can verify which method was used via the “verbose output” of ssh (the -v option): the client prints every authentication method it tries, and a successful key login reports publickey as the accepted method.
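The key-deployment steps above as one added shell example (editor's code, not from the original post). It assumes OpenSSH (ssh-keygen on the client, sshd with StrictModes on the server) and a POSIX shell. The helper installs a public key into authorized_keys with the permissions sshd expects, rejects malformed lines, skips keys that are already present, and ends with a check that key-only login works. The optional path argument and the key line names used for testing are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSH (ssh-keygen, sshd)
# and a POSIX shell. The second argument of add_authorized_key is optional and
# defaults to ~/.ssh/authorized_keys; tests pass a temporary path instead.

# Create an ed25519 key pair at $1 (default ~/.ssh/id_ed25519); ssh-keygen
# prompts for the passphrase. Does nothing if the key file already exists.
generate_keypair() {
  keyfile="${1:-$HOME/.ssh/id_ed25519}"
  [ -f "$keyfile" ] && { echo "key exists: $keyfile" >&2; return 0; }
  ssh-keygen -t ed25519 -C "$(whoami)@$(hostname)" -f "$keyfile"
}

# A valid authorized_keys line is "<key type> <base64 blob> [comment]".
is_valid_pubkey() {
  printf '%s\n' "$1" | grep -Eq \
    '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'
}

# Append one public key per line, without duplicates, and enforce the
# permissions sshd's StrictModes requires (~/.ssh 700, authorized_keys 600).
add_authorized_key() {
  key=$1
  file="${2:-$HOME/.ssh/authorized_keys}"
  dir=$(dirname "$file")
  is_valid_pubkey "$key" || { echo "rejected malformed key line" >&2; return 1; }
  mkdir -p "$dir" && chmod 700 "$dir"
  touch "$file" && chmod 600 "$file"
  # Compare on key type and blob only, so a different comment is not a new key.
  ident=$(printf '%s' "$key" | awk '{print $1 " " $2}')
  if awk -v id="$ident" '($1 " " $2) == id {found = 1} END {exit !found}' "$file"; then
    echo "already present: $ident" >&2
    return 0
  fi
  printf '%s\n' "$key" >> "$file"
}

# Number of installed keys (non-empty lines) in an authorized_keys file.
count_keys() {
  grep -c . "$1"
}

# Prove that key login works without any password fallback, e.g.
# check_key_login kevin@192.168.0.1 ; exit status 0 means publickey succeeded.
check_key_login() {
  ssh -o BatchMode=yes -o PasswordAuthentication=no "$1" true
}
```

Run generate_keypair on the client, add_authorized_key with the content of the .pub file on the server, then check_key_login from the client; add -v to the ssh call inside check_key_login if you want to see the publickey negotiation.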
The basis for communication in a network is a way to uniquely identify the participating devices. For exactly that purpose the “Internet Protocol” (short IP) was developed.
An IP-Address is a unique number, which identifies a device inside the currently used network. This number can be something like:
IPv4: 192.168.0.10
IPv6: fe80::884:34ae:8eaf:a586
The detailed difference between IPv4 and IPv6 can be looked up in the linked posts.
But let's keep it simple. An IP address can be seen as the “postal address” of your house that distinguishes it from your neighbour's house. The only difference is that it is not “Mainstreet 3, 8430 Leibnitz” but “192.168.0.2”, and that it is not about houses but about IT devices.
Why did we have to develop IPv6?
Basically IPv4 allows a maximum of 4,294,967,296 (2^32) addresses, which in the grand scheme of planet earth with its currently 7.7 billion people is not sufficient.
Therefore IPv6 was developed. It allows a maximum of 340,282,366,920,938,463,463,374,607,431,768,211,456 (2^128) addresses, which should suffice for quite some time.
Why was the internet protocol developed anyway?
Before the internet protocol it was not possible to connect 2 different network systems, or to let 2 computers from 2 different network systems communicate with each other.
With the internet protocol it should be as easy as possible to connect multiple computers and networks with each other without having to adjust things like baud rates or having to “hardcode” specific address codes.
Main tasks of the internet protocol suite
The list below describes what the TCP/IP protocol family as a whole provides. IP itself is connectionless and unreliable: it only addresses, routes and fragments packets and protects its own header with a checksum. Connection handling, flow control and retransmission are done by TCP on top of it.
Commands to build and tear down connections (TCP)
Control of data flow via start and stop signals (TCP)
Error detection via checksums, time-outs etc.
Automatic error correction by retransmission when an error has been detected (TCP)
Main traits of the internet protocol
It is independent of the underlying hardware and link technology
Connections to and from all network clients are possible
The tasks of network communication are split into single “layers”. The seven-layer Open Systems Interconnection model (short OSI) is the usual reference model for naming them; the internet protocol itself sits on the network layer (layer 3).
Typical IPv6 prefix lengths lie between /32 (as assigned to a provider) and /64 (a single subnet).
You can technically create subnets longer than /64, but you lose a pretty important feature, “Stateless Address Autoconfiguration” (SLAAC), which needs a full 64-bit interface identifier. See below for further information.
Link Local and Global address
After an interface is connected to a network, IPv6 by default automatically creates a “link-local” address and (if a router announces an IPv6 prefix) a “global” address.
The “link-local” address is used, as you probably expected, only on the directly connected network. It is always part of the subnet fe80::/64 (the reserved link-local range is fe80::/10, of which fe80::/64 is used in practice).
The “global” address is used, as you probably expected too, for the “global” network aka the “Internet”. But this address only appears if the connected router advertises a correctly configured IPv6 prefix.
Additionally there are “temporary” (privacy extensions, RFC 4941) and “secured” IPv6 addresses for privacy reasons; both avoid deriving the address from the MAC address. What they are and why they are needed is explained in the linked post.
New features of IPv6
Larger amount of available addresses
An IPv6 address has 128 bits – IPv4 only has 32 bits.
In comparison IPv6 has 340,282,366,920,938,463,463,374,607,431,768,211,456 (2^128) and IPv4 only 4,294,967,296 (2^32) total available addresses.
Stateless Address Autoconfiguration (SLAAC)
To automatically get an IPv4 address assigned to your device there needs to be a “DHCP” server present in the current network. Most of the time this is built into everyone's wireless router.
But in an IPv6 network with a /64 prefix the client can form its own address: the 48-bit MAC address of the interface is expanded into a 64-bit interface identifier (modified EUI-64) and appended to the prefix. This is used for the “link-local” as well as the “global” address. Because the MAC is embedded verbatim, such an address identifies the device across every network it joins, which is the reason the temporary addresses mentioned above exist.
Illustration (image not reproduced here): how the 48-bit MAC address and the 64-bit “link-local” prefix are combined into an IPv6 address.
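The MAC-to-address derivation from the illustration, written out as an added shell example (editor's code, not from the original post). It implements the modified EUI-64 scheme: the universal/local bit of the first MAC byte is flipped, ff:fe is inserted between the two MAC halves, and the result is appended to a prefix. The prefix argument is assumed to be the literal text that precedes the interface identifier, e.g. fe80:: for the link-local address or 2001:db8:1:2: for a global /64; the MAC addresses in the comments are constructed examples.

```sh
#!/bin/sh
# Added example, not from the original post. Derives the modified EUI-64
# interface identifier from a MAC address and prints the resulting IPv6
# address. Usage: eui64_address <prefix text> <mac>, e.g.
#   eui64_address fe80:: 00:11:22:33:44:55      -> fe80::211:22ff:fe33:4455
#   eui64_address 2001:db8:1:2: 02-00-5e-10-00-01 -> 2001:db8:1:2:0:5eff:fe10:1
# Note how the MAC survives in the address: that is the privacy problem
# temporary addresses were introduced to solve.
eui64_address() {
  prefix=$1   # text preceding the interface identifier (prefix groups incl. trailing colon(s))
  mac=$2
  # split the MAC into its six bytes; accept ":" and "-" as separators
  set -- $(printf '%s' "$mac" | sed 's/[-:]/ /g')
  [ $# -eq 6 ] || { echo "bad MAC: $mac" >&2; return 1; }
  for byte; do
    case $byte in
      [0-9a-fA-F][0-9a-fA-F]) ;;
      *) echo "bad MAC byte: $byte" >&2; return 1 ;;
    esac
  done
  # Flip the universal/local bit (0x02) of the first byte, keep bytes 2 and 3,
  # insert 0xfffe, then append bytes 4 to 6. Each %x prints one 16-bit group
  # without leading zeros, which is the canonical textual form.
  g1=$(( ((0x$1 ^ 0x02) << 8) | 0x$2 ))
  g2=$(( (0x$3 << 8) | 0xff ))
  g3=$(( 0xfe00 | 0x$4 ))
  g4=$(( (0x$5 << 8) | 0x$6 ))
  printf '%s%x:%x:%x:%x\n' "$prefix" "$g1" "$g2" "$g3" "$g4"
}
```

Compare the output for your own interface's MAC with the addresses shown by ip -6 addr (Linux) or ifconfig (macOS): if the interface identifier matches, the host exposes its hardware address to every peer it talks to; if it does not, privacy extensions or stable-privacy identifiers are in use.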
Implementation of security measures (IPsec)
“Internet Protocol Security” (IPsec) is a protocol suite residing on the 3rd layer of the OSI model which allows encryption and authentication of IP packets (ESP and AH).
Basically everyone knows what HTTPS, SSL and TLS are, but these protocols work on higher OSI layers (HTTPS on the 7th, TLS above the transport layer). They protect the application payload only, so “someone” on the path can still read and manipulate everything on the 3rd layer, including the IP header.
That is why IPsec was integrated into the IPv6 standard. Note that IPsec support was originally mandatory for every IPv6 node (RFC 4294) but was relaxed to a recommendation in RFC 6434, so it is neither guaranteed to be present nor enabled by default: IPv6 traffic is no more encrypted out of the box than IPv4 traffic.
Conservation of the end-to-end principle
The end-to-end principle says that only the endpoints of a connection perform active protocol operations, not the stations between the 2 clients. A globally unique IP address per client is a requirement for that.
In the current state of the IPv4 internet this is not given, since not every client in the world has a unique IPv4 address; most sit behind NAT, which rewrites addresses and ports in transit.
Reserved IPv6 spaces
As in IPv4 there are reserved address ranges, which are used for specific “functionalities”.