Regalis Technologies log

Regalis Technologies

technical blog about GNU/Linux, C++, security, electronics

Wed 07 December 2022 in ssh by Regalis

Using SSH - the right way


The Secure Shell Protocol (SSH) is probably the most used protocol by devops/sysadmins around the world.

Most people think of the SSH as a method of accessing a shell on a remote host. The fact is that this is just one tiny usage example of the SSH. Some other examples include:

Being familiar with all the above features is absolutely essential for any SSH user - both for the sake of convenience and for the security.

Which client should I use?

Well, the answer is simple - you should use the simplest and the most powerful one - the text-based ssh from the OpenSSH suite. It follows the KISS principle and, as a result - enables a user to use simple, straight and well-known tools to perform even very complex tasks.


KISS, an acronym for keep it simple, stupid. The KISS principle states that most systems work best if they are kept simple rather than made complicated; therefore, simplicity should be a key goal in design, and an unnecessary complexity should be avoided.

What about the PuTTY and similar tools? 🐒

The following example should be both sufficient and self-explanatory...

Let's say we have a gpg-encrypted, compressed tar archive stored on the local station. We need to copy a single file called secret.config from the archive above directly into the /etc/xyz/ directory on the host What's more - the is not directly accessible from our local station; instead, we need to use a jump host (let's say

A diagram illustrating the above task

What could go wrong?

The amount of things which could go wrong during execution of this task could be overwhelming. To name just a few of them:

Depending on the context, any of the user's action above may lead to a serious security incident. The key is to be aware of what could go wrong, this is possible only if the user has deep knowledge about the protocols and the internals of tools he uses.

Unfortunetly, it is very likely that laziness, and desire to take shortcuts are one of the main reasons why someone chooses these types of tools (PuTTY etc.). It is widely recognized that it is simply not possible to be good at something if one is looking for shortcuts.

I strongly advice anyone not to follow this path.

More info

Tools like the PuTTY may look convenient at first. The fact is that they do not even allow you to use more advanced features of SSH. You can expect more details about this topic in the next articles of this series.

A better solution

We can easly solve this task with the ssh executed from the local station:

$ gpg --decrypt archive.tar.gz.gpg | \
    tar --extract --gzip --file - secret.config | \
    ssh -J 'cat > /etc/xyz/secret.config'

What is very importat to notice is the fact that the solution above is both secure, efficient and a convinient way to perform these kind of operations. It does not start (or even require to start) the shell on the jump host, communication is encrypted, and the secret.config file has not been leaked into the non-volatile memory (neither on the local machine, nor on the jump-host).

The SSH series

This was an introduction to the series about the Secure Shell Protocol, the next articles will cover the following topics in details: