SSH Connection Setup: Difference between revisions

The Se­cure Shell Pro­to­col (SSH) is a cryp­to­graph­ic net­work pro­to­col for op­er­at­ing net­work ser­vices se­cure­ly over an un­se­cured net­work. Its most no­table ap­pli­ca­tions are re­mote lo­gin and com­mand-line ex­e­cu­tion.

In­stall SSH Serv­er and Client

The SSH client is the soft­ware that makes an SSH con­nec­tion to a re­mote in­stance. The SSH serv­er is the soft­ware that ac­cepts the con­nec­tion no the re­mote in­stance. In case we don't need to con­nect to the client in­stance – i.e. it is lap­top, we do not need to in­stall the serv­er.

sudo apt install openssh-server openssh-client

When the serv­er is in­stalled its ser­vice is au­to­mat­i­cal­ly en­abled and start­ed, so if we have in­stalled both pack­ages above, we can test whether it is op­er­a­tional by an SSH to the loop-back in­ter­face.

ssh localhost

I nor­mal case you would like to test the con­nec­tion to a re­mote host, where, let's as­sume, the SSH serv­er is al­so fresh in­stalled.

ssh -p 22 <user>@<ip.address-or-host.name>

• The -p op­tion is not manda­to­ry while the de­fault SSH port at the server's side isn't changed.

By de­fault, with­in the SSH server's con­fig­u­ra­tion, the pass­word lo­gin au­then­ti­ca­tion is en­abled. It is much safer to use key based au­then­ti­ca­tion and once it is set­up and op­er­a­tional we can safe­ly dis­able the pass­word au­then­ti­ca­tion.

Set­up Key Based Au­then­ti­ca­tion

First we need to gen­er­ate SSH key pair . This should be done at the client's side. It is prefer­able to use ED25519 based key, be­cause it is more se­cure and al­so it is faster be­cause is much short­en es­pe­cial­ly than 4096 bit RSA key. For more de­tails read the ref­er­ences be­low.

Gen­er­ate SSH Key Pair

To gen­er­ate pub­lic and pri­vate SSH keys with­in your user's ~/.ssh di­rec­to­ry use the fol­low­ing com­mands.

EMAIL="me@metalevel.tech"
SSH_KEY_DIR="${HOME}/.ssh/access-remote.host.name"

mkdir -m700 "$SSH_KEY_DIR"
ssh-keygen -t ed25519 -C "$EMAIL" -f "${SSH_KEY_DIR}/id_ed25519"

ls -la "$SSH_KEY_DIR"

total 16
drwx------  2 <user> <user> 4096 Jul 20 21:36 .
drwx------ 12 <user> <user> 4096 Jul 20 21:28 ..
-rw-------  1 <user> <user> 3381 Jul 20 21:36 id_ed25519
-rw-r--r--  1 <user> <user>  742 Jul 20 21:36 id_ed25519.pub

• You can add a passphrase to pro­tect your pri­vate key in case it be­come stolen, oth­er­wise leave it emp­ty. You will need to en­ter the passphrase each tine the pri­vate key is used.
• Is's not manda­to­ry to en­ter a re­al email ad­dress.

Copy the Pub­lic key to the Re­mote host

We need to copy the con­tent of the gen­er­at­ed pub­lic key – id_ed25519.pub, – to the re­mote hosts user's ~/.ssh­/­autho­rized­_­keys file. This could be done in var­i­ous ways, but if you cold lo­gin to the re­mote in some way – i.e. with pass­word au­then­ti­ca­tion, the most eas­i­est way is to use the com­mand ssh-copy-id, which is a part of the openssh-client pack­age and is al­ready in­stalled.

ssh-copy-id -p 22 -i ~/.ssh/access-remote.host.name/id_ed25519 <user>@<ip.address-or-host.name>

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/<user>/.ssh/<access-remote.host.name>/id_ed25519.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
<user>@<ip.address-or-host.name>'s password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -p '22' '<user>@<ip.address-or-host.name>'"
and check to make sure that only the key(s) you wanted were added.

At this point you should be able to es­tab­lish a SSH con­nec­tion to the re­mote host by a com­mand as the fol­low­ing.

ssh -p 22 -i ~/.ssh/access-remote.host.name/id_ed25519 <user>@<ip.address-or-host.name>

Set­up the ~/.ssh/config file at the Client's side

for easy ac­cess the re­mote in­stances, with­out need­ing type the whole com­mand above, you can add an en­try with­in the user's con­fig­u­ra­tion file ~/.ssh/config at the client's side. In case the file isn't ex­ist you must need to cre­ate it first.

touch ~/.ssh/config && chmod 600 ~/.ssh/config

nano ~/.ssh/config

Host remote.host.name
	HostName <ip.address-or-host.name>
	IdentityFile ~/.ssh/access-remote.host.name/id_ed25519
	User <user>
	Port 22

• note the remote​.host .name that I've used sev­er­al times is like a nick­name for the re­mote in­stance.

At this point you should be able to con­nect to the re­mote host by the fol­low­ing synopsis.the re­mote host by the fol­low­ing com­mand.

ssh remote.host.name

Set­up the /​​​etc/​​​ssh/​​​sshd_​​​config file at the Server's side

/​​​etc/​​​ssh/​​​sshd_​​​config is the daemon's (server's) con­fig­u­ra­tion file. The min­i­mum se­cu­ri­ty tweaks that should be done, once there is SSH key based au­then­ti­ca­tion avail­able, are at least: 1) Dis­able the pass­word au­then­ti­ca­tion, 2) Dis­able the root lo­gin, 3) Change the de­fault port or add a sec­ond port to lis­ten which will be for­ward­ed through a NAT and will be pub­licly avail­able.

For this pur­pose add or mod­i­fy the rel­e­vant lines in your /​​​etc/​​​ssh/​​​sshd_​​​config file.

sudo nano /etc/ssh/sshd_config

Port 22
Port 10181
PermitRootLogin no
PasswordAuthentication no

sudo systemctl restart ssh.service

Im­por­tant! When you makes changes to a re­mote server's con­fig­u­ra­tion keep an ad­di­tion­al SSH con­nec­tion open to be sure you can ac­cess the in­stance in case there is some­thing wrong.

Fire­wall Set­up

This top­ic is out of the scope of this I'm plac­ing this sec­tion as re­main­der of that, you need to open the SSH port(s) in use with­in the server's fire­wall.

Ref­er­ences

• SSH Per­sis­tent Tun­nel and SSHFS Mount via "sys­temd" units

• GitHub SSH key based au­then­ti­ca­tion