SSH is a network protocol that establishes a secure encrypted channel between your computer and a remote computer. By default, SSH supports the use of password, key, and Kerberos authentication. The standard method of SSH authentication is to supply a user name and password as login credentials. Key-based authentication is more secure than password authentication, because it requires that you have the private key file and know the password that lets you access that key file. A key must be generated for each user account that needs to use SSH. Key-based authentication is helpful for such tasks as automating file transfers and backups and for creating failover scripts, because it allows computers to communicate without a user needing to enter a password.
Important: Key-based authentication has risks. If the private key you generate becomes compromised, unauthorized users can access your computers. You must determine whether the advantages of key-based authentication are worth the risks.
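Two checks that follow from the risk just described, written here as an added example (not Apple's or OpenSSH's own code): the first reports automation keys in an `authorized_keys` file that carry neither a `from=` source restriction nor a `command=` forced command (both standard OpenSSH options), and the second tells whether a private key file is passphrase-protected by reading the cipher-name field of the `openssh-key-v1` format. The sample `authorized_keys` lines and the `fake_openssh_key` helper are constructed inputs, not real keys.

```python
import base64
import re
import struct
# Key-type token that separates authorized_keys options from the key itself.
_KEY_RE = re.compile(r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp\d{3})\s+(\S+)(?:\s+(.*))?$")
_MAGIC = b"openssh-key-v1\x00"  # header of the current OpenSSH private-key format

def audit_authorized_keys(text):
    """Return one finding per key that lacks a from= or command= restriction."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEY_RE.search(line)
        if not m:
            findings.append(f"unparseable line: {line[:40]!r}")
            continue
        options = line[:m.start()]
        comment = m.group(3) or "(no comment)"
        missing = [opt for opt in ("from=", "command=") if opt not in options]
        if missing:
            findings.append(f"{comment}: missing {', '.join(missing)}")
    return findings

def private_key_is_encrypted(pem):
    """True if the private key needs a passphrase (legacy PEM or OpenSSH format)."""
    if "Proc-Type: 4,ENCRYPTED" in pem:  # legacy PEM header written by ssh-keygen -m PEM
        return True
    if "BEGIN OPENSSH PRIVATE KEY" not in pem:
        return False
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    blob = base64.b64decode(body)
    if not blob.startswith(_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    (n,) = struct.unpack(">I", blob[15:19])  # length prefix of the cipher name
    return blob[19:19 + n].decode() != "none"  # "none" means no passphrase

def fake_openssh_key(cipher):
    """Constructed stand-in carrying only the header fields the check reads; not a real key."""
    blob = _MAGIC + struct.pack(">I", len(cipher)) + cipher.encode()
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample; key blobs are placeholders, not real keys
from="10.0.0.5",command="/usr/local/bin/backup.sh",no-pty ssh-ed25519 AAAAC3Nz... backup@server
ssh-rsa AAAAB3Nz... failover@server
command="/usr/bin/rsync --server" ssh-rsa AAAAB3Nz... mirror@server
"""
```

Running `audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS)` flags the `failover@server` and `mirror@server` keys; the `backup@server` key passes because it is pinned to a source address and a single command.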
SSH is frequently used to log in to a remote machine to execute commands, but you can also use it to create a secure data tunnel, forwarding through an arbitrary TCP port. You can also use SSH to transfer files using SFTP and SCP. By default, an SSH server uses the standard TCP port 22.
OS X Server uses OpenSSH as the basis for its SSH tools. Notably, Open Directory replication is provided through SSH.
SSH works by setting up encrypted tunnels using public and private keys. Here’s a description of an SSH session:

1. The local and remote computers exchange public keys. If the local computer has never encountered a given public key, SSH and your web browser prompt you to accept the unknown key.
2. The two computers use the public keys to negotiate a session key used to encrypt subsequent session data.
3. The remote computer attempts to authenticate the local computer using RSA or DSA certificates. If this isn’t possible, the local computer is prompted for a local user name and password.
4. After successful authentication, the session begins. A remote shell, a secure file transfer, a remote command, or other action can take place through the encrypted tunnel.
The following are SSH tools:
| Tool | Description |
|---|---|
| sshd | A daemon that acts as a server to all other commands |
| ssh | The primary user tool, which includes a remote shell, remote command, and port-forwarding sessions |
| scp | Secure copy, a tool for automated file transfers |
| sftp | Secure FTP, a replacement for FTP |