SSH Connection Setup
Page metadata (wiki workflow template, translated): categories Linux Server, Linux Desktop, DevOps and SRE, Network and Security; stage 6, phase Approval, status Approved; author Spas; created 5.09.2022.
Latest revision as of 12:24, 9 April 2023
The Secure Shell Protocol (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution.
Install SSH Server and Client
The SSH client is the software that opens an SSH connection to a remote instance; the SSH server is the software that accepts that connection on the remote instance. If nobody needs to connect to the client machine, e.g. because it is a laptop, there is no need to install the server on it.
sudo apt install openssh-server openssh-client
When the server package is installed its service is enabled and started automatically, so if both packages above are installed we can check that it is operational with an SSH connection to the loopback interface.
ssh localhost
In the normal case you want to test the connection to a remote host, where, let's assume, the SSH server has also just been installed.
ssh -p 22 <user>@<ip.address-or-host.name>
- The -p option is not mandatory as long as the default SSH port (22) on the server side has not been changed.
By default, the SSH server's configuration allows password authentication. Key based authentication is much safer, and once it is set up and verified we can safely disable password authentication.
Setup Key Based Authentication
First we need to generate an SSH key pair. This is done on the client's side. It is preferable to use an Ed25519 key: it is at least as strong as a 4096-bit RSA key for practical purposes, much shorter, and faster to generate and use. The only reason to fall back to RSA is a very old server (Ed25519 support arrived in OpenSSH 6.5). For more details read the references below.
Generate SSH Key Pair
To generate a public/private SSH key pair in a per-host directory under your user's ~/.ssh directory, use the following commands.
EMAIL="me@metalevel.tech"
SSH_KEY_DIR="${HOME}/.ssh/access-remote.host.name"
mkdir -m700 "$SSH_KEY_DIR"
ssh-keygen -t ed25519 -C "$EMAIL" -f "${SSH_KEY_DIR}/id_ed25519"
ls -la "$SSH_KEY_DIR"
total 16
drwx------ 2 <user> <user> 4096 Jul 20 21:36 .
drwx------ 12 <user> <user> 4096 Jul 20 21:28 ..
-rw------- 1 <user> <user> 3381 Jul 20 21:36 id_ed25519
-rw-r--r-- 1 <user> <user> 742 Jul 20 21:36 id_ed25519.pub
- Add a passphrase to protect the private key in case it is stolen. You will be asked for it each time the key is used, unless you load the key into ssh-agent once per session; leave it empty only for keys used by unattended jobs.
- It is not mandatory to enter a real email address; the -C comment is only a label stored in the public key.
Copy the Public key to the Remote host
We need to copy the content of the generated public key, id_ed25519.pub, into the remote user's ~/.ssh/authorized_keys file. This can be done in various ways, but if you can already log in to the remote host somehow, e.g. with password authentication, the easiest is the ssh-copy-id command, which is part of the openssh-client package and is therefore already installed. It accepts the private key path with -i and installs the matching .pub file.
ssh-copy-id -p 22 -i ~/.ssh/access-remote.host.name/id_ed25519 <user>@<ip.address-or-host.name>
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/<user>/.ssh/<access-remote.host.name>/id_ed25519.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
<user>@<ip.address-or-host.name>'s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p '22' '<user>@<ip.address-or-host.name>'"
and check to make sure that only the key(s) you wanted were added.
At this point you should be able to establish an SSH connection to the remote host with a command like the following.
ssh -p 22 -i ~/.ssh/access-remote.host.name/id_ed25519 <user>@<ip.address-or-host.name>
Setup the ~/.ssh/config file at the Client's side
For easy access to remote instances, without typing the whole command above, add an entry to the user's client configuration file ~/.ssh/config. If the file does not exist, create it first with permissions that keep it private to you.
touch ~/.ssh/config && chmod 600 ~/.ssh/config
nano ~/.ssh/config
Host remote.host.name
HostName <ip.address-or-host.name>
IdentityFile ~/.ssh/access-remote.host.name/id_ed25519
User <user>
Port 22
- Note that remote.host.name, used several times above, is just a nickname (alias) for the remote instance; ssh takes the real address from the HostName line.
At this point you should be able to connect to the remote host with the following command.
ssh remote.host.name
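As an added example (not the article's own code), the following helpers reproduce by hand the two client-facing steps above: install_pubkey does the remote-side work of ssh-copy-id (create ~/.ssh, append the key exactly once, set the permissions sshd's StrictModes requires), push_pubkey runs that same logic over an existing login as a manual alternative to ssh-copy-id, and add_ssh_config_entry appends the ~/.ssh/config Host block. The sample key line, the alias, user and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the article's own code. Helpers that reproduce what the
# article does with ssh-copy-id and a hand-edited ~/.ssh/config.
# The key below is a constructed placeholder, not a real public key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotRealxxxxxxxxxx me@example.test'

# install_pubkey KEY_LINE HOME_DIR
# sshd (StrictModes yes, the default) refuses keys when ~/.ssh or
# authorized_keys is writable by others, so set the modes explicitly.
install_pubkey() {
    _key="$1"; _ssh="$2/.ssh"
    umask 077
    mkdir -p "$_ssh"
    chmod 700 "$_ssh"
    touch "$_ssh/authorized_keys"
    chmod 600 "$_ssh/authorized_keys"
    # Exact-line match: the same key is never installed twice.
    if ! grep -qxF "$_key" "$_ssh/authorized_keys"; then
        printf '%s\n' "$_key" >> "$_ssh/authorized_keys"
    fi
    return 0
}

# count_keys HOME_DIR -> number of lines in authorized_keys
count_keys() {
    wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# push_pubkey PUBKEY_FILE USER@HOST PORT
# The same logic executed on the remote host over an existing (e.g. password)
# login; the key travels on stdin, so no quoting of key material is needed.
push_pubkey() {
    ssh -p "$3" "$2" 'umask 077; mkdir -p ~/.ssh; chmod 700 ~/.ssh;
        touch ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys;
        key=$(cat); grep -qxF "$key" ~/.ssh/authorized_keys ||
        printf "%s\n" "$key" >> ~/.ssh/authorized_keys' < "$1"
}

# add_ssh_config_entry CONFIG_FILE ALIAS HOSTNAME USER PORT IDENTITY_FILE
# Appends a Host block unless the alias is already defined. IdentitiesOnly
# stops ssh from offering every agent key before the one named here, which
# avoids "Too many authentication failures" on servers with a low MaxAuthTries.
add_ssh_config_entry() {
    _cfg="$1"; _alias="$2"
    umask 077
    touch "$_cfg"
    chmod 600 "$_cfg"
    if grep -qE "^Host[[:space:]]+$_alias\$" "$_cfg"; then
        return 0
    fi
    printf 'Host %s\n    HostName %s\n    User %s\n    Port %s\n    IdentityFile %s\n    IdentitiesOnly yes\n\n' \
        "$_alias" "$3" "$4" "$5" "$6" >> "$_cfg"
    return 0
}
```

Typical use on the client: push_pubkey ~/.ssh/access-remote.host.name/id_ed25519.pub user@host 22, then add_ssh_config_entry ~/.ssh/config remote.host.name host user 22 ~/.ssh/access-remote.host.name/id_ed25519. install_pubkey can be run directly on the server (e.g. from a provisioning script) against the target user's home directory.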
Setup the /etc/ssh/sshd_config file at the Server's side
/etc/ssh/sshd_config is the daemon's (server's) configuration file. Once key based authentication works, the minimum hardening is: 1) disable password authentication, 2) disable root login, 3) optionally change the default port, or add a second listening port that is forwarded through NAT and exposed publicly. A non-default port only reduces log noise from automated scanners; it is not a substitute for 1) and 2). Be aware that sshd uses the first value it reads for a keyword, and on Ubuntu the main file starts with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in there (cloud-init commonly writes 50-cloud-init.conf with PasswordAuthentication yes) overrides a line placed further down in the main file; put your settings in a drop-in that sorts first, or remove the conflicting one.
For this purpose add or modify the relevant lines in your /etc/ssh/sshd_config file.
sudo nano /etc/ssh/sshd_config
Port 22
Port 10181
PermitRootLogin no
PasswordAuthentication no
sudo systemctl restart ssh.service
Important! When you change a remote server's SSH configuration, keep a second SSH session open until you have verified that a new connection still works, so you are not locked out if something is wrong. Check the syntax first with sudo sshd -t; restarting sshd does not drop established sessions, but a broken configuration refuses new ones.
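To see which value sshd will actually apply after the edit above, the following added example (not the article's own code) reads a configuration the way sshd does: first occurrence of a keyword wins, and Include pulls the named files in at that point, with relative patterns resolved against /etc/ssh. It audits the three keywords this section cares about and reports the effective value, so a distro drop-in that re-enables passwords is caught before you restart. Simplifications: the Key=value spelling is not handled and anything after the first Match block is ignored; the sample configuration in the test is constructed.

```shell
#!/bin/sh
# Added example, not the article's own code. Resolves the effective value of
# sshd_config keywords the way sshd does (first match wins, Includes expanded
# in place, relative Include patterns resolved against /etc/ssh).

# expand_includes FILE: print FILE with each Include replaced by its targets.
expand_includes() {
    _file="$1"
    while IFS= read -r _line || [ -n "$_line" ]; do
        _kw=$(printf '%s\n' "$_line" | awk '{print tolower($1)}')
        if [ "$_kw" = include ]; then
            _rest=$(printf '%s\n' "$_line" | awk '{$1=""; print}')
            set -f                      # split patterns without expanding them yet
            for _pat in $_rest; do
                set +f
                case "$_pat" in /*) ;; *) _pat="/etc/ssh/$_pat" ;; esac
                for _inc in $_pat; do   # glob here, sorted like sshd's glob()
                    if [ -f "$_inc" ]; then expand_includes "$_inc"; fi
                done
                set -f
            done
            set +f
        else
            printf '%s\n' "$_line"
        fi
    done < "$_file"
    return 0
}

# effective_value FILE KEYWORD: the value sshd would use, or nothing if unset.
effective_value() {
    expand_includes "$1" | awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                 # comment line
        NF == 0          { next }                 # blank line
        tolower($1) == "match" { exit }           # conditional block starts
        tolower($1) == k { print $2; exit }'      # first occurrence wins
    return 0
}

# audit_sshd_config FILE: one line per check; returns 0 only if all pass.
# The third field is sshd's built-in default, used when the keyword is absent.
audit_sshd_config() {
    _rc=0
    while IFS=: read -r _k _want _def; do
        _got=$(effective_value "$1" "$_k")
        [ -n "$_got" ] || _got="$_def"
        if [ "$(printf '%s' "$_got" | tr 'A-Z' 'a-z')" = "$_want" ]; then
            printf 'ok    %-24s %s\n' "$_k" "$_got"
        else
            printf 'FAIL  %-24s %s (want %s)\n' "$_k" "$_got" "$_want"
            _rc=1
        fi
    done <<EOF
PasswordAuthentication:no:yes
PermitRootLogin:no:prohibit-password
PubkeyAuthentication:yes:yes
EOF
    return $_rc
}
```

Run it as audit_sshd_config /etc/ssh/sshd_config before the restart. On the live host the authoritative check is sudo sshd -T, which prints the fully resolved configuration (including Match evaluation) that sshd itself computes.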
Firewall Setup
This topic is out of the scope of this article; this section is only a reminder that you need to open the SSH port(s) in use in the server's firewall (for example with ufw), and that when you change ports the new port must be open before the old one is closed.
References
- SSH Persistent Tunnel and SSHFS Mount via "systemd" units
- GitHub SSH key based authentication