How to remotely log into a server using SSH
If you’re a developer, there’s a good chance you have run into SSH. Secure Shell, also known as SSH, securely connects you to a remote computer. It is most commonly used among administrators to access Linux servers.
Connecting
The command to start a connection is pretty simple. It's just ssh followed by the remote host’s username and IP address. Like this:
ssh username@ip_addr
If you are on Windows, then you will need to install an OpenSSH version in order to use the ssh command from a terminal. You can follow Microsoft’s documentation for this. Or if you have WSL, Windows Subsystem for Linux, enabled then you will already have access to SSH by default.
The above command will only work if you are on the same network as the server unless you have the SSH port (22 is the default) exposed. I highly suggest not port forwarding port 22 without taking some extra precautions. I will get to those in a moment.
To find your server’s local IP use this command:
ifconfig
This command will display ALL network connections on your server, including the internal ones. Look for one labeled <UP,BROADCAST,RUNNING,MULTICAST>. Under that will be inet <your_ip>.
On your client machine (not the server), you should be able to log in via SSH using this information. If it’s your first time logging into the server from that client, then it will ask if you want to save the fingerprint. Type yes when prompted. It will then prompt you to provide the user password. I’ll show you how to do a passwordless login later using SSH keys.
When you are done with your SSH session, type exit to return to your local shell session.
What’s happening behind the scenes?
The simplest way to explain SSH is that the remote host has a service called sshd running all the time. This is also called the SSH Server. The client program ssh is connecting to this.
If the service isn’t available you might have to start it manually. You can do this in Debian or Ubuntu like this:
sudo systemctl start ssh
It might be sshd on some systems, so try that if the above command outputs an error saying that the service can’t be found.
You can check the status of SSH in a similar way. This can be done without root privilege.
systemctl status ssh
Logging in without a password
Typing in a password every time you want to log into the server can be tedious and annoying. A better way is to use a Public and Private key pair. This method is also more secure.
How can a passwordless login be more secure?
Using a Public/Private key pair is also called Key-based authentication. The private key is stored on the client machine. It can only be read and written by the owner in order to keep it private.
The public key can be given to anyone and placed on any server you want to access. There’s no need to hide this key. You can even put it on a highway billboard if you wish.
When you connect using a key pair the server will use the public key to create a message. This message can only be decoded and read by the client’s private key. The client then sends the appropriate message back so that the server knows that the client is correct. This process happens automatically.
Creating a key pair
To create a key pair, make sure you are logged into the client computer, not the server. Enter this command to get started:
ssh-keygen -b 4096 -t rsa
You will be prompted for a custom path and name, and then a password for the key files. You can press enter on all of these so you have the default name and no password for the keys. If you do have a password on the files then you will still need a password to log into the server.
After creating the file you can go into the .ssh directory and check the files it created.
ls -l ~/.ssh
You should have an id_rsa and an id_rsa.pub key, unless you manually set a name.
If you have a current password-based login method to access the server, then you can run this command:
ssh-copy-id user@ip_addr
This will copy the id_rsa.pub key to the server. If you specified a name for the key then you will have to do so here too. It will then start an SSH session. Enter your password (hopefully for the last time) and then the command will automatically copy over the public key. Next time you log into the server you shouldn't be prompted for a password.
Removing Password Login
WARNING: This next part should only be done if you have copied the public key to the server. If you do this without having key pair authentication, then you will be locked out.
This step will increase the security of your server by only allowing clients with the right private keys to join.
On your server, with root or sudo privilege, edit the sshd configuration file:
sudo nano /etc/ssh/sshd_config
Find the line that says PasswordAuthentication and uncomment it. Then you can change the value to no.
Before you continue, make sure PubkeyAuthentication is set to yes and ChallengeResponseAuthentication is set to no.
Other changes you might want to make
While you’re here there are a few other things you might want to look into.
#/etc/ssh/sshd_config
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
If you are having issues with SSH then increasing the logging amount might help you diagnose the problem.
LoginGraceTime is the amount of time (in seconds) the connection will remain open without a successful login.
PermitRootLogin is whether or not the root user is allowed to log in. I suggest setting this to no if you already have a user with sudo privileges. This lowers the risk of anyone getting root access to the server.
StrictModes is another safety net that will refuse login attempts if the key pair files are readable by everyone on the client. If the files are readable by everyone with access to the client machine then they are not secure.
Another section you might want to change is the port declaration.
Port 22
By default, the port number is 22. I normally change this as a lot of malicious users will scan for SSH connections through port 22. The precautions of changing the above settings and using a key pair login should make your server secure enough, especially if you are only accessing a server on your local network and nowhere else.
However, if you do change this and want to troll potential hackers or script kiddies then you can set up a honeypot. Wolfgang’s Channel on YouTube made a good video on this. I recommend you check him out!
With /etc/ssh/sshd_config edited how you wish, go ahead and save the file. To enable the changes, just reload the SSH server.
sudo systemctl reload ssh
Password login should now be disabled! The reload should close your connection to the server, so when you log back in it shouldn’t ask for a password.
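A check worth running on the edited file before the reload step above. This is an added example, not part of the original article: it reports every setting in the global section of an sshd_config that differs from the values recommended here. The function names, the FAIL output format and the sample config are made up for illustration, and the defaults used for unset keywords are assumed to be upstream OpenSSH's.

```sh
#!/bin/sh
# Added example, not from the original article. Reads only the global section
# of one file: Include files and Match blocks are not followed.

# Print the value sshd would use for KEYWORD. The first uncommented occurrence
# wins and keywords are case-insensitive; DEFAULT applies when it is unset.
effective_value() {  # usage: effective_value FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/                  { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Compare FILE with the article's recommendations. Each rule is
# keyword:wanted:default, where the default is upstream OpenSSH's
# (assumption: your distribution may ship different ones).
audit_sshd_config() {  # prints one FAIL line per deviation, returns 1 if any
    rc=0
    for rule in \
        PasswordAuthentication:no:yes \
        PubkeyAuthentication:yes:yes \
        ChallengeResponseAuthentication:no:yes \
        PermitRootLogin:no:prohibit-password \
        StrictModes:yes:yes
    do
        key=${rule%%:*}; rest=${rule#*:}
        want=${rest%%:*}; def=${rest#*:}
        got=$(effective_value "$1" "$key" "$def")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key is '$got', expected '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: PasswordAuthentication left commented out and
# PermitRootLogin as in the article's example block.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PermitRootLogin yes
StrictModes yes
EOF
audit_sshd_config "$sample" || echo "fix the lines above before reloading sshd"
rm -f "$sample"
```

Point it at /etc/ssh/sshd_config on the server; `sudo sshd -t` additionally checks the file for syntax errors. Newer OpenSSH treats ChallengeResponseAuthentication as a deprecated alias of KbdInteractiveAuthentication, so a config that uses the newer name needs that keyword added to the rule list.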
On the client side
With the server side configured, there are some cool things you can do on the client side. If you changed the port number in your sshd_config then you will need to specify the port number when using the ssh command.
ssh -p <portNum> user@ip_addr
But typing out the port number, username, and IP address every time can get annoying and hard to remember if you have a bunch of servers. To fix this we can make a config file! Make sure that the config can only be accessed by the user.
touch ~/.ssh/config && chmod 600 ~/.ssh/config
In the config file, we can create aliases for servers really easily.
# This is just an example.
# Use the right hostname, port, & user for your server
Host serverOne
HostName 192.168.0.10
Port 2222
User alex
Host serverTwo
HostName 192.168.0.200
Port 4019
User bob
IdentityFile ~/.ssh/somethingElse
After saving that you should be able to access the server using the alias you defined here.
ssh serverOne
Another cool thing you can do from the client is run a single command without going through the hassle of logging in and then exiting.
ssh serverOne <command you want to execute>
You can also copy files to and from the server to your client.
# copy a file from a server to your current directory
scp serverOne:/home/username/file.txt .
# or copy a file from your local machine to the server's home
scp filename serverOne:/home/username
# use the -r flag to copy a directory
scp -r directory serverOne:/home/username/