You own a hosting account, and you’ve already learned how to launch a website and manage it through your control panel. You’re also handy with an FTP client and have a decent understanding of how the service works.
The project is growing, though, and you want to dig deeper into the technical wizardry that powers the World Wide Web. Where do you start?
Learning to use SSH to manage your website more efficiently is as good a place as any.
TL;DR: A Powerful Protocol for Power Users
Before we get to the nitty-gritty, let’s outline a few of the key points we’ll discuss today.
- SSH (or Secure Shell) is a communication protocol that enables you to remotely control your hosting account through a command-line interface.
- It’s the default remote access mechanism on most Linux distributions, and to use it, you need to learn some Linux commands.
- SSH uses encryption to fully protect the data exchange between your computer and the server.
- SSH access may not be enabled by default, but server administrators using platforms like WHM/cPanel or SPanel can turn it on with a couple of clicks.
- Windows, Linux, and macOS have built-in command-line utilities that support SSH. There are also specialized SSH clients that offer more features.
- SSH authentication can be done either via a password or through a pre-generated SSH key pair.
Now, let’s delve into the details.
SSH: A Remote Server Management Protocol
Most web hosting servers use Linux. It’s not the Linux you might find on a laptop, though. That one usually has a desktop environment with a graphical user interface. Linux distros for servers are different.
There are no icons to click or buttons to push. Everything, from file editing and management to configuration changes, is done using commands. Tasks must also be completed remotely, which is why you need SSH.
SSH stands for Secure Shell, and it’s a communication protocol.
Long story short, it’s the translator that turns commands into actions. Opening a remote shell is like plugging in a keyboard and using your server’s Terminal (Linux’s default command-line interface). The only difference is that you’re doing it from your personal computer.
So, put simply, SSH is a communication protocol that allows you to execute commands on your web hosting server remotely.
It’s far from the first technology of its kind, though. Before it, protocols like Telnet, Rlogin, and FTP in command-line mode offered similar functionality. Why, then, did they die out while SSH rose to become the industry standard for remote server management?
The answer is simple: security.
How Does SSH Work?
SSH traces its roots back to 1995, when Finnish researcher Tatu Ylönen was fighting off a password sniffing attack targeting Helsinki University’s network. Popular communication protocols at the time established a plaintext connection between clients and servers. They transmitted all the data, including usernames and passwords, in a human-readable format.
This environment made it easy for hackers to intercept login credentials and infiltrate the targeted network. Ylönen realized that he could create a much more secure connection using encryption. The Internet Engineering Task Force further developed the idea, releasing version 2 of the Secure Shell protocol in 2006.
Although it’s nearly twenty years old, SSH-2 is still the standard we use today. It’s faster and more secure than its predecessor thanks to a combination of symmetric encryption, asymmetric encryption, and hashing. If you want to know how SSH works, you have to understand the differences between these encryption techniques.
Symmetric encryption
In symmetric encryption, your computer uses a cryptographic key to turn the information you’re sending (e.g., a command you’re trying to execute on the server) into a jumbled string of letters and digits.
Upon reception, the server uses an identical key to decrypt the command. Your computer and the server follow a predetermined key exchange algorithm to generate the symmetric key. They do this independently without sharing the key with a third party.
Asymmetric encryption
Asymmetric encryption relies on two keys. Upon establishing a connection, the client and the server generate a pair of mathematically linked encryption keys. One is public and freely transmitted over the Internet, while the other is private and remains securely stored on the two devices.
In asymmetric encryption, the public key encrypts the data, and the private key decrypts it.
Hashing
Hashing is a different concept altogether. Similar to symmetric and asymmetric encryption, it’s a function that scrambles up information so it becomes unreadable to attackers who intercept it.
Every message that passes through the hashing algorithm produces a unique string called a hash value. There is no key to decrypting and restoring the data, though. It’s a one-way cryptographic function that doesn’t allow the retrieval of the original information.
How does SSH use these encryption techniques?
Establishing an SSH connection takes no more than a couple of seconds, but under the surface, there’s quite a lot going on. The process has three stages.
- Establishing a TCP connection and an SSH version check
Transmission Control Protocol (TCP) is at the core of the Internet Protocol (IP) suite and is crucial for every SSH connection. First, the client contacts the server on the predetermined port. For SSH, the default one is port 22, but the server owner can assign a custom one.
Next, there’s a TCP three-way handshake – a standard procedure for all platforms using the protocol that ensures the connection is stable and reliable.
After that, the client and the server check whether they support the same SSH version. These days, this is more of a formality since pretty much all systems work with SSH-2. Nevertheless, the connection is terminated at this stage if there’s a compatibility issue.
- Key exchange
The first step is determining the key exchange algorithm to generate shared secrets between the two machines. The client presents a list of supported algorithms, the server picks one, and the client acknowledges the choice.
Before the negotiated algorithm is executed, the server sends the client its public key, which, along with its IP, is added to a list of trusted hosts.
Next, the client and the server simultaneously execute the algorithm and generate what’s known as a shared secret. The same algorithm produces identical values on the two machines, so there’s no need to transfer the secret over the Internet.
Next, the shared secret, along with the other information the client and the server have exchanged so far, is put into a hash algorithm, which generates the session identifier.
The session identifier, the shared secret, and other data generated by the encryption algorithm are then entered into a function that produces four cryptographic keys. This is known as the key derivation process.
You have two private encryption keys and two MAC (Message Authentication Code) keys.
The first encryption key secures server-to-client traffic, and the second scrambles client-to-server communication.
There’s one MAC key for the client and one for the server. They are built on top of a hash function and act as authentication tags that ensure the integrity and authenticity of every message. Basically, they guarantee that the data hasn’t been tampered with.
- Client authentication
All the stages so far have focused on ensuring that the communication tunnel between the client and the server is fully secured. Now, all that’s left is to check whether the client is authorized to access the server.
It sounds simple enough, but SSH’s focus on security makes it less straightforward. There are two primary authentication methods: traditional password-based authentication and key-based authentication.
- Password-based authentication
It’s the straightforward method everyone is familiar with. The server prompts you for your account password, and if you provide the correct one, you open your remote shell. If not, access is denied.
As always, you must use a strong, unique password for your account. Ideally, you’ll store it in a password manager, but if you do that, don’t forget that the Ctrl+v keyboard combination rarely works in the command line. Usually, if your password is in the clipboard, you can paste it with a simple right-click.
Also, don’t forget that the command line doesn’t display asterisks when you’re typing a password. There is no visual indication that you’ve entered anything in the password prompt, but this doesn’t mean it’s not there.
- Key-based authentication
Instead of a password, key-based authentication uses a pair of pre-generated cryptographic keys to ensure you are authorized to open a remote shell. The mechanism employs asymmetric encryption, meaning there are public and private keys. The keys must be properly stored on the server and the client, and to set them up, you most likely need to use password-based SSH authentication.
When you try to log in, the server encrypts a challenge using the public key and sends it back to the client. They can then decrypt the message and solve the challenge only with the private key. When the server sees the challenge solved, it opens a remote shell.
This is considered a much safer authentication mechanism, as unlike a password, a cryptographic key can’t be brute-forced or guessed. It’s also commonly used by applications and automated scripts.
Establishing an SSH Connection
Given all the complex cryptographic functions and mechanisms we’ve discussed so far, you’d be forgiven for thinking that opening an SSH connection is a complicated process. It’s anything but. However, before you can do it, you must first check whether SSH access is available.
Ensuring SSH access is enabled
SSH could be restricted on some shared hosting services, so if you use a shared account, you can check your plan’s features list or ask your host’s support team whether that’s the case.
SSH should be available on a virtual or physical server, as should options for choosing who can access it.
Self-managed servers usually come with root access, giving you complete freedom to install software, modify system settings, and do pretty much whatever you want with the server. With a managed service, your host’s technical experts are responsible for things like the core setup and software configuration, so often, you don’t really need root access. That said, if you use a ScalaHosting managed cloud VPS, you can request it from our support team.
As a server administrator (regardless of whether root is available), you can decide which accounts can open a remote shell. Thanks to modern server management platforms, doing it is as easy as clicking the mouse a couple of times. Here’s how to do it with two of the most popular web hosting control panels.
WHM/cPanel
- Log in to WHM.
- From the menu on the left, locate the Account Functions section and select Modify an Account.
- Find the account you want to change and click Modify.
- Scroll down to the bottom of the page and select the checkbox that says Shell Access.
- Click Save.
- A pop-up asks you whether you want to update the package and make SSH access available for all users in this group. Select the most appropriate option and click Proceed.
SPanel
- Log in to SPanel’s Admin Interface.
- Under Account Management, click Manage SSH Access.
- You’ll see a list of all the accounts deployed on your SPanel server. Locate the one you’d like to give shell access to.
- Flip the toggle switch next to it to the ON position.
Opening a remote shell
Now that you’re sure your account can access the server via SSH, it’s time to open the remote shell. There are a couple of options, but the steps are fairly straightforward.
Through a built-in command-line utility
In Windows, you can use either the old command prompt or the more modern equivalent – PowerShell. Both are available in the Start menu.
With Linux and macOS, the Terminal or any other third-party command-line utility will do the job.
Regardless of the operating system, the line you need to enter to connect to your server is:
ssh [your account’s username]@[your server’s IP]
If your hosting provider uses a custom SSH port, you have to add -p followed by the port number. For example, ScalaHosting uses port 6543 for SSH connections, so the required line looks like this:
ssh user@123.123.123.123 -p6543
The server asks for your account’s password, and the SSH session is opened after successful authentication.
Through an SSH client
SSH client applications are designed to help you connect to your server more quickly and easily, and are especially useful if you have multiple servers or hosting accounts.
They usually support a range of communication protocols and offer nifty features like the ability to save sessions for easy access later.
PuTTY is by far the world’s most popular SSH client. Although its interface may seem complicated at first, it’s actually fairly easy to get used to.
The Hostname (or IP address) field is for the server’s IP address, but to save yourself a few seconds, you can enter your username followed by an @ and the IP. If your host uses a custom SSH port, you can specify it in the respective field. In the Saved Sessions field, you can enter a name for the session you’re about to open and click Save for later use.
When you click Open, PuTTY opens a new command-line window and asks you for your account password.
PuTTY also supports key-based authentication and provides one of the easiest ways to set it up.
The SSH client comes bundled with PuTTYgen – a utility that creates cryptographic key pairs.
Open PuTTYgen, click Generate, and shake the mouse cursor inside the gray field. The keys will be ready within a few seconds, and thanks to your random mouse movements, they will be genuinely unique.
PuTTYgen lets you create different types of keys, but you most likely don’t need to research them all. The default parameters work perfectly well for standard SSH setups.
At this point, you can assign a passphrase for additional security. If you do, you’ll need to enter it every time you use your SSH key to log in to your server.
First, click the Save private key option and save the newly generated PPK file on your computer’s hard drive.
The random string of symbols in the grey field is the public key. You can save it on your computer for safekeeping, but its ultimate destination is the ~/.ssh/authorized_keys file on your server.
To set it up, you need to open a separate SSH session using your username and password. To ensure you’re in the account’s home folder, run cd~ and double-check using pwd (more on these two commands in a minute). The output should be /home/[your username]/.
With mkdir .ssh, you’ll set up the .ssh directory (the . at the beginning means it’s hidden). Next, open the GNU nano text editor and create the authorized_keys file with nano ~/.ssh/authorized_keys.
Go back to PuTTYgen and copy the public key from the grey field.
To paste it into GNU nano, right-click anywhere in the text editor. Ctrl+O saves the changes, and Ctrl+X closes the GNU nano editor.
For now, you can end the SSH session (the exit command can be handy). In a moment, we’ll open a new one, this time using our SSH keys for authentication.Open PuTTY (not PuTTYgen) and from the menu on the left, go to SSH > Auth. Click the Browse button next to the Private key file for authentication field and select the PPK private key file you saved a minute ago.
Now, go back to the Session screen in PuTTY’s interface. If you’ve configured the client to work with the correct private key and if the public one is properly stored on the server, you should be able to open a remote shell using your key pair.
Linux Commands 101
So far, so straightforward.
We’ve established that opening a secure remote shell on your hosting account isn’t rocket science. But what do you actually do after the white cursor starts blinking on the black screen?
The answer depends on multiple factors, like your access level, technical skills, and needs. Even the cleanest, most basic Linux distribution can be managed with the help of over 1,000 commands. Add to it the web server, the database management system, the PHP interpreter, and the flurry of other utilities and platforms typically available on web hosting servers, and you suddenly have quite a lot of information to take in.
The truth is, learning server management via the command line isn’t something you can do in a day. However, to get there, you need to know where to start, and to help you, we put together a list of a few basic commands that will give you a glimpse into how SSH can help you manage your account and the projects deployed on it. To keep things organized, we divided them into a few separate categories.
Navigation
There’s no mouse cursor you can use to move and double-click on folders and files, so you have to know how to navigate around your server’s filesystem using the command line. Here are some of the most basic commands:
$ pwd
The pwd command shows your current directory. By default, after you open a new remote shell, you’re in your home directory – /home/[your account’s username]/.
$ cd
The cd command allows you to change your current directory. For example, if you’re in your home directory and want to open the public_html folder, you need to enter cd public_html. Run pwd, and the output would be /home/[your account’s username]/public_html/.
$ cd ..
In Unix-based operating systems, “..” stands for parent directory. So, for example, if you’re working in the /home/[your account’s username]/public_html/wp-content/, and you want to go back up one level, you enter cd .. and you’ll be back in /home/[your account’s username]/public_html/.
$ cd ~
The tilde sign in Unix systems is a shortcut to your home directory. For example, if you’re in /home/[your account’s username]/public_html/wp-content and enter cd ~, you’re going straight to /home/[your account’s username]/.
$ ls
The ls command shows you the contents of your current directory. Most SSH clients and command-line utilities color-code the output to help you distinguish between types of files and folders. By default, directories are displayed in blue, symbolic links in light blue, archives in red, executable files in green, and regular files in white (or the default color).
File and directory management
$ mkdir
The mkdir command creates a new folder. To set it up in your current directory, simply add the new folder’s name (e.g., mkdir new_folder). You can also enter the full path (e.g., mkdir ~/public_html/new_folder) and place it elsewhere.
$ touch
The touch utility is used to create new empty files or update the timestamps of existing ones. For example, if you want to set up a new text file in your current directory, you can run touch new_file.txt. The utility is mainly used by applications and automated scripts, but it’s still a good idea to have the command in mind, just in case.
$ cat
If you run the cat command followed by the name of an existing file, Linux will display the file’s contents. You can also use cat to link together multiple files (e.g., cat file1.txt file2.txt > file3.txt).
$ nano
GNU nano is one of the most popular and user-friendly editors in Linux. It lets you view and edit text, configuration files, and logs. To open a file with GNU nano, simply add the file name after the nano command.
$ cp
The cp command copies a file from one place to another. The syntax is as follows: cp file.txt path/to/file.txt.
$ mv
The mv command can rename files and be the equivalent of the cut-and-paste action in Windows and other GUI-based OSs. For example, mv file.txt file1.txt renames file.txt to file1.txt. Meanwhile, mv file.txt ~/public_html/file.txt removes the file from your current directory and places it in the public_html folder.
$ rm
The rm command is used to delete items. If you want to remove a file, follow it up with the file name (e.g., rm file.txt). To delete a folder, you need to add the -r attribute (e.g., rm -r folder_name).
$ chmod
With the chmod command, you change the file and folder permissions. On a properly configured hosting account, you probably won’t need to use it that much, but if you do, the syntax is pretty straightforward. The command is followed by the numeric expression of the permissions you want to set and the file name (e.g., chmod 755 file.txt).
Server and software management
$ uptime
The command is pretty much self-explanatory. It shows you how long your server has been online for.
$ sudo reboot
You can reboot the server with this command if you have root access.
$ sudo apt-get/dnf install
In Linux, software is usually installed using packages. Different distributions use different package managers, so the commands for installing new applications differ from server to server. For example, distros based on Debian use APT (or Advanced Package Tool), while those based on Red Hat are equipped with DNF (abbreviated from Dandified YUM).
So, if you want to install a new package on a Ubuntu (a Debian-based distribution) server, you’ll run sudo apt-get install [package name]. If your server runs on Rocky Linux (a Red Hat-based distro), you’ll need sudo dnf install [package name]. As you can see from the sudo prefix, installing new software on the server requires root access.
Conclusion
Technically, you can build and maintain a website without ever opening an SSH session. Modern control panels and management systems provide an intuitive graphical interface for any task you can imagine. If your technical background is limited, mastering the command line isn’t exactly something you can do in an afternoon, which is why many website owners prefer not to bother with it.
However, if you get the hang of it, you’ll see that it’s a powerful tool that can make every project management task quicker and more efficient. The boost in speed and productivity can be significant enough to push your project to the next level.
FAQ
Q: What do people use SSH for?
A: SSH can be used for anything from software installation to tweaking the server’s core configuration and straightforward file management. How you use it depends on your needs, technical skills, and access level.
Q: How do I use SSH?
A: If you use a command-line utility, accessing your server via SSH is done via a command that looks like this: ssh [your username]@[your server’s IP]. Windows users can use either the old command prompt or the modern PowerShell. On Linux and macOS, the standard Terminal does the job, and SSH clients like PuTTY offer a few extra features.
Q: How do I generate an SSH key?
A: In the command line, you can enter the following: ssh-keygen -t rsa -b 4096 -C “[your email address]”. The SSH utility will ask whether you’d like to add a passphrase, and you’ll need to specify where you’d like to save your private key. If you use PuTTY, you can generate a key pair using the PuTTYgen utility.
What is a VPS – Everything you need to know!
