SSH Connection Setup
The Secure Shell Protocol (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution.
Install SSH Server and Client
The SSH client is the software that makes an SSH connection to a remote instance. The SSH server is the software that accepts the connection no the remote instance. In case we don't need to connect to the client instance – i.e. it is laptop, we do not need to install the server.
sudo apt install openssh-server openssh-client
When the server is installed its service is automatically enabled and started, so if we have installed both packages above, we can test whether it is operational by an SSH to the loop-back interface.
ssh localhost
I normal case you would like to test the connection to a remote host, where, let's assume, the SSH server is also fresh installed.
ssh -p 22 <user>@<ip.address-or-host.name>
- The
-poption is not mandatory while the default SSH port at the server's side isn't changed.
By default, within the SSH server's configuration, the password login authentication is enabled. It is much safer to use key based authentication and once it is setup and operational we can safely disable the password authentication.
Setup Key Based Authentication
First we need to generate SSH key pair . This should be done at the client's side. It is preferable to use ED25519 based key, because it is more secure and also it is faster because is much shorten especially than 4096 bit RSA key. For more details read the references below.
Generate SSH Key Pair
To generate public and private SSH keys within your user's ~/.ssh directory use the following commands.
EMAIL="me@metalevel.tech"
SSH_KEY_DIR="${HOME}/.ssh/access-remote.host.name"
mkdir -m700 "$SSH_KEY_DIR"
ssh-keygen -t ed25519 -C "$EMAIL" -f "${SSH_KEY_DIR}/id_ed25519"
ls -la "$SSH_KEY_DIR"
total 16
drwx------ 2 <user> <user> 4096 Jul 20 21:36 .
drwx------ 12 <user> <user> 4096 Jul 20 21:28 ..
-rw------- 1 <user> <user> 3381 Jul 20 21:36 id_ed25519
-rw-r--r-- 1 <user> <user> 742 Jul 20 21:36 id_ed25519.pub
- You can add a passphrase to protect your private key in case it become stolen, otherwise leave it empty. You will need to enter the passphrase each tine the private key is used.
- Is's not mandatory to enter a real email address.
Copy the Public key to the Remote host
We need to copy the content of the generated public key – id_ed25519.pub, – to the remote hosts user's ~/.ssh/authorized_keys file. This could be done in various ways, but if you cold login to the remote in some way – i.e. with password authentication, the most easiest way is to use the command ssh-copy-id, which is a part of the openssh-client package and is already installed.
ssh-copy-id -p 22 -i ~/.ssh/access-remote.host.name/id_ed25519 <user>@<ip.address-or-host.name>
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/<user>/.ssh/<access-remote.host.name>/id_ed25519.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
<user>@<ip.address-or-host.name>'s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p '22' '<user>@<ip.address-or-host.name>'"
and check to make sure that only the key(s) you wanted were added.
At this point you should be able to establish a SSH connection to the remote host by a command as the following.
ssh -p 22 -i ~/.ssh/access-remote.host.name/id_ed25519 <user>@<ip.address-or-host.name>
Setup the ~/.ssh/config file at the Client's side
for easy access the remote instances, without needing type the whole command above, you can add an entry within the user's configuration file ~/.ssh/config at the client's side. In case the file isn't exist you must need to create it first.
touch ~/.ssh/config && chmod 600 ~/.ssh/config
nano ~/.ssh/config
Host remote.host.name
HostName <ip.address-or-host.name>
IdentityFile ~/.ssh/access-remote.host.name/id_ed25519
User <user>
Port 22
- note the
remote.host .namethat I've used several times is like a nickname for the remote instance.
At this point you should be able to connect to the remote host by the following synopsis.the remote host by the following command.
ssh remote.host.name
Setup the /etc/ssh/sshd_config file at the Server's side
/etc/ssh/sshd_config is the daemon's (server's) configuration file. The minimum security tweaks that should be done, once there is SSH key based authentication available, are at least: 1) Disable the password authentication, 2) Disable the root login, 3) Change the default port or add a second port to listen which will be forwarded through a NAT and will be publicly available.
For this purpose add or modify the relevant lines in your /etc/ssh/sshd_config file.
sudo nano /etc/ssh/sshd_config
Port 22
Port 10181
PermitRootLogin no
PasswordAuthentication no
sudo systemctl restart ssh.service
Important! When you makes changes to a remote server's configuration keep an additional SSH connection open to be sure you can access the instance in case there is something wrong.
Firewall Setup
This topic is out of the scope of this I'm placing this section as remainder of that, you need to open the SSH port(s) in use within the server's firewall.
References
