This is our first video on SSH! We love the SSH protocol at Charm and are finding more creative ways it can be leveraged for businesses. We have libraries for SSH featured in this article, so scroll down or click on the video to learn more!
For details, check out the video above. For those who prefer to read rather than watch, see the transcript below.
Let’s Get Into It
Most of you have probably seen SSH either used at work, or to clone GitHub repos, but maybe you aren’t quite sure how it works or you’re curious to know why we think it’s so cool. This one’s for you.
Don’t forget to like and subscribe if you enjoy SSH and terminal-related content!
Now let’s talk about SSH. SSH is the go-to for authorizing access to remote servers and services. You authenticate with an SSH private key that has an authorized public key on the server.
SSH Binary vs SSH Protocol
First off, let’s preface this by stating that SSH != OpenSSH. OpenSSH, AKA the ssh binary, is “a suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides a secure channel over an unsecured network in a client–server architecture”. Interestingly, OpenSSH actually started out as a fork of SSH, but has since become proprietary software, according to Wikipedia. OpenSSH specializes in tools for remote systems administration, while SSH is a flexible protocol with an open architecture that makes it suitable for various use cases.
You probably see SSH commonly used for:
- Administering a server remotely (with OpenSSH)
- Authorizing remote processes, SCP for example, which allows you to send files via an SSH tunnel so the data is encrypted in transit.
- Providing secure access for users
- Securely mounting a directory on a remote server as a file system
- Port forwarding
And less commonly used for:
- Browsing the web through an encrypted proxy connection with SSH clients (extra nerd points for that)
But there are plenty more.
Now, before we jump into Charm stuff, we need to break down the layers of SSH.
- The transport layer
- The user authentication layer
- The connection layer
The transport layer runs over TCP and handles the initial key exchange and server authentication, and sets up encryption, compression, and integrity verification. It exposes to the upper layer an interface for sending and receiving plaintext packets.
The user authentication layer is responsible for client authentication. Because authentication for SSH is client-driven, you may get asked for your key password by the client while the server responds to authentication requests. The most common authentication method I’ve seen is public-key authentication, though there are other methods of authentication supported by SSH.
The connection layer handles different channels in your SSH connections. You might have multiple channels per connection as they work to transfer data bi-directionally. Some examples of channels include:
- Shell for terminal shells, SFTP and exec requests (including SCP transfers)
- Direct-TCPIP for client-to-server forwarded connections
- Forwarded-TCPIP for server-to-client forwarded connections
Charm × SSH
Now, let’s talk about how we use SSH at Charm. First off, we don’t touch OpenSSH on our servers, so you are not being given shell access, period. We serve a TCP connection using the SSH protocol, and you (the app developer) can do whatever you want with it. It’s pretty much like reading from STDIN and writing to STDOUT/STDERR. With Wish, you can define what kind of authentication you might want for your SSH apps, and you can define what users are authorized to interact with the application, etc.
Now, we are also using SSH for identity management with Charm Cloud. How this works is that the first time you run charm, it creates an SSH key-pair for you. From then on, it uses those keys to verify your identity so you can access the hosted file system, encryption and decryption functions, and your key-value stores.
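To make the public-key authentication and key-based identity described above concrete, here is an added example (not Charm's or Wish's code, standard library only) of the decision a server makes: the presented key must be on an allow-list, identified by its SHA256 fingerprint, and the client must prove it holds the private key. The function names, the sample key and the bare signed message are assumptions for illustration; real SSH signs the session identifier plus the authentication request fields.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Wire prefix of an Ed25519 key blob: string "ssh-ed25519", then the key length (32).
var edPrefix = []byte("\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20")

// AuthorizedKeyLine renders a public key the way an authorized_keys file stores it.
func AuthorizedKeyLine(pub ed25519.PublicKey, comment string) string {
	blob := append(append([]byte{}, edPrefix...), pub...)
	return "ssh-ed25519 " + base64.StdEncoding.EncodeToString(blob) + " " + comment
}

// ParseKey decodes one authorized_keys line into the key and its SHA256 fingerprint.
func ParseKey(line string) (ed25519.PublicKey, string, error) {
	f := strings.Fields(line)
	if len(f) < 2 || f[0] != "ssh-ed25519" {
		return nil, "", fmt.Errorf("want: ssh-ed25519 <base64 blob> [comment]")
	}
	blob, err := base64.StdEncoding.DecodeString(f[1])
	if err != nil || !bytes.HasPrefix(blob, edPrefix) || len(blob) != len(edPrefix)+32 {
		return nil, "", fmt.Errorf("malformed or mismatched key blob")
	}
	sum := sha256.Sum256(blob)
	fp := "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
	return ed25519.PublicKey(blob[len(edPrefix):]), fp, nil
}

// Authorized requires both: the key is on the allow-list, and the signature proves
// possession of the private key. Simplified: real SSH signs session data (RFC 4252).
func Authorized(allow map[string]bool, line string, msg, sig []byte) bool {
	pub, fp, err := ParseKey(line)
	return err == nil && allow[fp] && ed25519.Verify(pub, msg, sig)
}

func main() {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, 32)) // constructed sample key
	line := AuthorizedKeyLine(priv.Public().(ed25519.PublicKey), "alice@example")
	_, fp, _ := ParseKey(line)
	msg := []byte("constructed-session-data")
	fmt.Println(fp, Authorized(map[string]bool{fp: true}, line, msg, ed25519.Sign(priv, msg)))
}
```

The fingerprint is computed over the decoded key blob, the same value ssh-keygen -lf prints, so an allow-list built this way can be compared against what users see locally.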
If you’re ever worried you might lose your SSH keys, fear no more: we have Melt, which allows you to back up and recover your SSH key-pairs with seed phrases so you can keep a hard copy in a safe place.
Learn more about our SSH tools:
You can check out our Soft Serve TUI over ssh by running ssh git.charm.sh from your terminal for an