SSH Connection Setup: Difference between revisions

From WikiMLT
Spas (talk | contribs)
Spas (talk | contribs)
Line 93: Line 93:
</syntaxhighlight>'''Important!''' When you makes changes to a remote server's configuration keep an additional SSH connection open to be sure you can access the instance in case there is something wrong.  
</syntaxhighlight>'''Important!''' When you makes changes to a remote server's configuration keep an additional SSH connection open to be sure you can access the instance in case there is something wrong.  


== Firewall ==
== Firewall Setup ==
This topic is out of the scope of this I'm placing this section as remainder of that, you need to open the SSH port(s) in use within the server's firewall.
This topic is out of the scope of this I'm placing this section as remainder of that, you need to open the SSH port(s) in use within the server's firewall.



Revision as of 18:00, 5 September 2022

The Se­cure Shell Pro­to­col (SSH) is a cryp­to­graph­ic net­work pro­to­col for op­er­at­ing net­work ser­vices se­cure­ly over an un­se­cured net­work. Its most no­table ap­pli­ca­tions are re­mote lo­gin and com­mand-line ex­e­cu­tion.

In­stall SSH Serv­er and Client

The SSH client is the soft­ware that makes an SSH con­nec­tion to a re­mote in­stance. The SSH serv­er is the soft­ware that ac­cepts the con­nec­tion no the re­mote in­stance. In case we don't need to con­nect to the client in­stance – i.e. it is lap­top, we do not need to in­stall the serv­er.

sudo apt install openssh-server openssh-client

When the serv­er is in­stalled its ser­vice is au­to­mat­i­cal­ly en­abled and start­ed, so if we have in­stalled both pack­ages above, we can test whether it is op­er­a­tional by an SSH to the loop-back in­ter­face.

ssh localhost

I nor­mal case you would like to test the con­nec­tion to a re­mote host, where, let's as­sume, the SSH serv­er is al­so fresh in­stalled.

ssh -p 22 <user>@<ip.address-or-host.name>
  • The -p op­tion is not manda­to­ry while the de­fault SSH port at the server's side isn't changed.

By de­fault, with­in the SSH server's con­fig­u­ra­tion, the pass­word lo­gin au­then­ti­ca­tion is en­abled. It is much safer to use key based au­then­ti­ca­tion and once it is set­up and op­er­a­tional we can safe­ly dis­able the pass­word au­then­ti­ca­tion.

Set­up Key Based Au­then­ti­ca­tion

First we need to gen­er­ate SSH key pair . This should be done at the client's side. It is prefer­able to use ED25519 based key, be­cause it is more se­cure and al­so it is faster be­cause is much short­en es­pe­cial­ly than 4096 bit RSA key. For more de­tails read the ref­er­ences be­low.

Gen­er­ate SSH Key Pair

To gen­er­ate pub­lic and pri­vate SSH keys with­in your user's ~/.ssh di­rec­to­ry use the fol­low­ing com­mands.

mkdir -m700 ~/.ssh/access-remote.host.name
ssh-keygen -t ed25519 -C 'your@email.com' -f ~/.ssh/access-remote.host.name/id_ed25519
ls -la ~/.ssh/access-remote.host.name
total 16
drwx------  2 <user> <user> 4096 Jul 20 21:36 .
drwx------ 12 <user> <user> 4096 Jul 20 21:28 ..
-rw-------  1 <user> <user> 3381 Jul 20 21:36 id_ed25519
-rw-r--r--  1 <user> <user>  742 Jul 20 21:36 id_ed25519.pub
  • You can add a passphrase to pro­tect your pri­vate key in case it be­come stolen, oth­er­wise leave it emp­ty. You will need to en­ter the passphrase each tine the pri­vate key is used.
  • Is's not manda­to­ry to en­ter a re­al email ad­dress.

Copy the Pub­lic key to the Re­mote host

We need to copy the con­tent of the gen­er­at­ed pub­lic key – id_ed25519.pub, – to the re­mote hosts user's ~/.ssh­/­autho­rized­_­keys file. This could be done in var­i­ous ways, but if you cold lo­gin to the re­mote in some way – i.e. with pass­word au­then­ti­ca­tion, the most eas­i­est way is to use the com­mand ssh-copy-id, which is a part of the openssh-client pack­age and is al­ready in­stalled.

ssh-copy-id -p 22 -i ~/.ssh/access-remote.host.name/id_ed25519 <user>@<ip.address-or-host.name>
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/<user>/.ssh/<access-remote.host.name>/id_ed25519.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
<user>@<ip.address-or-host.name>'s password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -p '22' '<user>@<ip.address-or-host.name>'"
and check to make sure that only the key(s) you wanted were added.

At this point you should be able to es­tab­lish a SSH con­nec­tion to the re­mote host by a com­mand as the fol­low­ing.

ssh -p 22 -i ~/.ssh/access-remote.host.name/id_ed25519 <user>@<ip.address-or-host.name>

Set­up the ~/.ssh/config file at the Client's side

for easy ac­cess the re­mote in­stances, with­out need­ing type the whole com­mand above, you can add an en­try with­in the user's con­fig­u­ra­tion file ~/.ssh/config at the client's side. In case the file isn't ex­ist you must need to cre­ate it first.

touch ~/.ssh/config && chmod 600 ~/.ssh/config
nano ~/.ssh/config
Host remote.host.name
	HostName <ip.address-or-host.name>
	IdentityFile ~/.ssh/access-remote.host.name/id_ed25519
	User <user>
	Port 22
  • note the remote​.host .name that I've used sev­er­al times is like a nick­name for the re­mote in­stance.

At this point you should be able to con­nect to the re­mote host by the fol­low­ing synopsis.the re­mote host by the fol­low­ing com­mand.

ssh remote.host.name

Set­up the /​​​etc/​​​ssh/​​​sshd_​​​config file at the Server's side

/​​​etc/​​​ssh/​​​sshd_​​​config is the daemon's (server's) con­fig­u­ra­tion file. The min­i­mum se­cu­ri­ty tweaks that should be done, once there is SSH key based au­then­ti­ca­tion avail­able, are at least: 1) Dis­able the pass­word au­then­ti­ca­tion, 2) Dis­able the root lo­gin, 3) Change the de­fault port or add a sec­ond port to lis­ten which will be for­ward­ed through a NAT and will be pub­licly avail­able.

For this pur­pose add or mod­i­fy the rel­e­vant lines in your /​​​etc/​​​ssh/​​​sshd_​​​config file.

sudo nano /etc/ssh/sshd_config
Port 22
Port 10181
PermitRootLogin no
PasswordAuthentication no
sudo systemct restart ssh.service

Im­por­tant! When you makes changes to a re­mote server's con­fig­u­ra­tion keep an ad­di­tion­al SSH con­nec­tion open to be sure you can ac­cess the in­stance in case there is some­thing wrong.

Fire­wall Set­up

This top­ic is out of the scope of this I'm plac­ing this sec­tion as re­main­der of that, you need to open the SSH port(s) in use with­in the server's fire­wall.

Ref­er­ences