SSH Connection Setup: Difference between revisions
| Line 2: | Line 2: | ||
== Install SSH Server and Client == | == Install SSH Server and Client == | ||
The SSH client is the software that makes an SSH connection to a remote instance. The SSH server is the software that accepts the connection no the remote instance. In case we don't need to connect to the client instance - i.e. it is laptop, we do not | The SSH client is the software that makes an SSH connection to a remote instance. The SSH server is the software that accepts the connection no the remote instance. In case we don't need to connect to the client instance - i.e. it is laptop, we do not need to install the server.<syntaxhighlight lang="shell" line="1"> | ||
sudo apt install openssh-server openssh-client | sudo apt install openssh-server openssh-client | ||
</syntaxhighlight>When the server is installed its service is automatically enabled and started, so if we have installed both packages above, we can test whether it is operational by an SSH to the loop-back interface.<syntaxhighlight lang="shell" line="1"> | </syntaxhighlight>When the server is installed its service is automatically enabled and started, so if we have installed both packages above, we can test whether it is operational by an SSH to the loop-back interface.<syntaxhighlight lang="shell" line="1"> | ||
ssh localhost | |||
</syntaxhighlight>By default within the SSH server's configuration the password login is enabled. It is much safer to use key based authentication and once it is setup and operational we can safely disable the password authentication. | </syntaxhighlight>I normal case you would like to test the connection to a remote host, where, let's assume, the SSH server is also fresh installed.<syntaxhighlight lang="shell" line="1"> | ||
ssh -p 22 <user>@<ip.address-or-host.name> | |||
</syntaxhighlight> | |||
* The <code>-p</code> option is not mandatory while the default SSH port at the server's side isn't changed. | |||
By default, within the SSH server's configuration, the password login authentication is enabled. It is much safer to use key based authentication and once it is setup and operational we can safely disable the password authentication. | |||
== Setup Key Based Authentication == | == Setup Key Based Authentication == | ||
| Line 38: | Line 44: | ||
*Is's not mandatory to enter a real email address. | *Is's not mandatory to enter a real email address. | ||
=== Copy | === Copy the Public key to the Remote host === | ||
We need to copy the content of the generated public key - <code>id_ed25519.pub</code>, - to the remote hosts user's <code>~/.ssh­/­autho­rized­_­keys</code> file. This could be done in various ways, but if you cold login to the remote in some way - i.e. with password authentication, the most easiest way is to use the command <code>ssh-copy-id</code>, which is a part of the <code>openssh-client</code> package and is already installed.<syntaxhighlight lang="shell" line="1" class="mlw-continue"> | We need to copy the content of the generated public key - <code>id_ed25519.pub</code>, - to the remote hosts user's <code>~/.ssh­/­autho­rized­_­keys</code> file. This could be done in various ways, but if you cold login to the remote in some way - i.e. with password authentication, the most easiest way is to use the command <code>ssh-copy-id</code>, which is a part of the <code>openssh-client</code> package and is already installed.<syntaxhighlight lang="shell" line="1" class="mlw-continue"> | ||
ssh-copy-id -p 22 -i ~/.ssh/access-remote.host.name/id_ed25519 <user>@<ip.address-or-host.name> | ssh-copy-id -p 22 -i ~/.ssh/access-remote.host.name/id_ed25519 <user>@<ip.address-or-host.name> | ||
| Line 53: | Line 59: | ||
and check to make sure that only the key(s) you wanted were added. | and check to make sure that only the key(s) you wanted were added. | ||
</syntaxhighlight> | </syntaxhighlight>At this point you should be able to the remote host | ||
== References == | == References == | ||
* | * [[SSH Persistent Tunnel and SSHFS Mount via "systemd" units]] | ||
* | * [[GitHub SSH key based authentication]] | ||
Revision as of 18:12, 5 September 2022
Install SSH Server and Client
The SSH client is the software that makes an SSH connection to a remote instance. The SSH server is the software that accepts the connection no the remote instance. In case we don't need to connect to the client instance – i.e. it is laptop, we do not need to install the server.
sudo apt install openssh-server openssh-client
When the server is installed its service is automatically enabled and started, so if we have installed both packages above, we can test whether it is operational by an SSH to the loop-back interface.
ssh localhost
I normal case you would like to test the connection to a remote host, where, let's assume, the SSH server is also fresh installed.
ssh -p 22 <user>@<ip.address-or-host.name>
- The
-poption is not mandatory while the default SSH port at the server's side isn't changed.
By default, within the SSH server's configuration, the password login authentication is enabled. It is much safer to use key based authentication and once it is setup and operational we can safely disable the password authentication.
Setup Key Based Authentication
First we need to generate SSH key pair . This should be done at the client's side. It is preferable to use ED25519 based key, because it is more secure and also it is faster because is much shorten especially than 4096 bit RSA key.
Generate SSH Key Pair
To generate public and private SSH keys within your user's ~/.ssh directory use the following commands.
mkdir -m700 ~/.ssh/access-remote.host.name
ssh-keygen -t ed25519 -C 'your@email.com' -f ~/.ssh/access-remote.host.name/id_ed25519
ls -la ~/.ssh/access-remote.host.name
total 16
drwx------ 2 <user> <user> 4096 Jul 20 21:36 .
drwx------ 12 <user> <user> 4096 Jul 20 21:28 ..
-rw------- 1 <user> <user> 3381 Jul 20 21:36 id_ed25519
-rw-r--r-- 1 <user> <user> 742 Jul 20 21:36 id_ed25519.pub
- You can add a passphrase to protect your private key in case it become stolen, otherwise leave it empty. You will need to enter the passphrase each tine the private key is used.
- Is's not mandatory to enter a real email address.
Copy the Public key to the Remote host
We need to copy the content of the generated public key – id_ed25519.pub, – to the remote hosts user's ~/.ssh/authorized_keys file. This could be done in various ways, but if you cold login to the remote in some way – i.e. with password authentication, the most easiest way is to use the command ssh-copy-id, which is a part of the openssh-client package and is already installed.
ssh-copy-id -p 22 -i ~/.ssh/access-remote.host.name/id_ed25519 <user>@<ip.address-or-host.name>
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/<user>/.ssh/<access-remote.host.name>/id_ed25519.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
<user>@<ip.address-or-host.name>'s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p '22' '<user>@<ip.address-or-host.name>'"
and check to make sure that only the key(s) you wanted were added.
At this point you should be able to the remote host
References
