You can build your own web server from scratch using your computer, but it is common for developers to utilize remote servers maintained and provided by services such as AWS, Google Cloud, Microsoft Azure, and DigitalOcean. To configure remote servers for serving websites or web applications, you will need to send shell scripts to be executed on the command line of the remote server and receive the results of the execution through secure communication channels. To accomplish this, we can use Secure Shell (SSH).

SSH

SSH is a network communication protocol built on top of TCP and IP, enabling secure connections between computers. SSH multiplexes multiple channels within a single connection, supporting secure shell access, file transfer, port forwarding, and more. This allows for secure and holistic administration of remote machines.

Encryption

Every SSH connection requires encryption to be set up. This process is similar to what TLS uses, where both parties exchange specifications, agree on an encryption algorithm, and exchange public keys to encrypt a shared secret. This shared secret is then decrypted with the respective private keys and used to produce a symmetric key. This key exchange process is known as the Diffie-Hellman key exchange (other variants like RSA and ECDH exist). If you're interested in the mathematics behind this, I recommend checking out Diffie Hellman -the Mathematics bit- Computerphile.

The key exchange happens whenever a new session is created, allowing the requests and responses to be encrypted. In HTTPS, we only encrypt the messages and verify the server's identity using a CA (Certificate Authority), while user authentication is left to the web applications. This is because websites and web applications often don't need to verify the client's identity (though it can be configured at the application level), while the client cares about the identity of the web server.

However, when establishing an SSH connection with a server, the server is private to the client, so verifying the server's identity is less of a concern. Instead, the server must confirm that the client is the one who purchased or was granted access to the server. Therefore, SSH includes a user authentication layer to verify the client's identity.

User Authentication

SSH supports both password-based authentication and public key authentication. Password-based authentication involves setting up a username and password for user verification. However, this method is generally considered less secure since passwords are prone to human error and social engineering attacks.

Public key authentication uses asymmetric keys, where the client generates a key pair (public and private keys). The public key is sent to the server, which stores it. During the authentication process, the server encrypts data with the client’s public key, and the client decrypts it with their private key to prove their identity. Public key authentication is considered more secure because no passwords are involved, reducing the risk of human error. The asymmetric key used for authentication is stored long-term on the client machine, and the public key is registered with the server, allowing it to be used over multiple sessions.

Conclusion

For those who have encountered the term SSH when spinning up virtual private servers with EC2 on AWS, the above explanation should clarify what SSH is and why it comes up so often. It facilitates secure communication between your computer and a remote server, and the SSH key is used for secure user authentication. Before we dive into building actual web servers, there's much to learn about networking and some automation tools, which we will cover in future articles.

Resources

• Computerphile. 2018. Secret Key Exchange (Diffie-Hellman) - Computerphile. YouTube.