Introduction
One essential tool to master as a system administrator is SSH.
SSH, or Secure Shell, is a protocol used to securely log onto remote systems. It is the most common way to access remote Linux servers.
In this guide, we will discuss how to use SSH to connect to a remote system.
Core Syntax
To connect to a remote system using SSH, we’ll use the ssh command.
If you are using Windows, you’ll need to install a version of OpenSSH in order to be able to ssh from a terminal. If you prefer to work in PowerShell, you can follow Microsoft’s documentation to add OpenSSH to PowerShell. If you would rather have a full Linux environment available, you can set up WSL, the Windows Subsystem for Linux, which will include ssh by default. Finally, as a lightweight third option, you can install Git for Windows, which provides a native Windows bash terminal environment that includes the ssh command. Each of these is well supported, and whichever you decide to use will come down to preference.
If you are using a Mac or Linux, you will already have the ssh command available in your terminal.
The most straightforward form of the command is:
ssh remote_host
The remote_host in this example is the IP address or domain name that you are trying to connect to.
This command assumes that your username on the remote system is the same as your username on your local system.
If your username is different on the remote system, you can specify it by using this syntax:
ssh remote_username@remote_host
Once you have connected to the server, you may be asked to verify your identity by providing a password. Later, we will cover how to generate keys to use instead of passwords.
To exit the ssh session and return to your local shell session, type:
exit
How Does SSH Work?
SSH works by connecting a client program to an ssh server, called sshd.
In the previous section, ssh was the client program. The ssh server was already running on the remote_host that we specified.
On nearly all Linux environments, the sshd server should start automatically. If it is not running for any reason, you may need to temporarily access your server through a web-based console or local serial console.
The process needed to start an ssh server depends on the distribution of Linux that you are using.
On Ubuntu, you can start the ssh server by typing:
sudo systemctl start ssh
That should start the sshd server, and you can then log in remotely.
How To Configure SSH
When you change the configuration of SSH, you are changing the settings of the sshd server.
In Ubuntu, the main sshd configuration file is located at /etc/ssh/sshd_config.
Back up the current version of this file before editing:
sudo cp /etc/ssh/sshd_config{,.bak}
Open it using nano or your favorite text editor:
sudo nano /etc/ssh/sshd_config
You will want to leave most of the options in this file alone. However, there are a few you may want to take a look at:
/etc/ssh/sshd_config
Port 22
The port declaration specifies which port the sshd server will listen on for connections. By default, this is 22. You should probably leave this setting alone unless you have specific reasons to do otherwise. If you do change your port, we will show you how to connect to the new port later on.
/etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
The host key declarations specify where to look for global host keys. We will discuss what a host key is later.
/etc/ssh/sshd_config
SyslogFacility AUTH
LogLevel INFO
These two items indicate the level of logging that should occur.
If you are having difficulties with SSH, increasing the amount of logging may be a good way to discover what the issue is.
/etc/ssh/sshd_config
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
These parameters specify some of the login information.
LoginGraceTime specifies how many seconds to keep the connection alive without successfully logging in.
It may be a good idea to set this time just a little bit higher than the amount of time it takes you to log in normally.
PermitRootLogin selects whether the root user is allowed to log in.
In most cases, this should be changed to no when you have created a user account that has access to elevated privileges (through su or sudo) and can log in through SSH in order to minimize the risk of anyone gaining root access to your server.
StrictModes is a safety guard that will refuse a login attempt if the authentication files are readable by everyone.
This prevents login attempts when the configuration files are not secure.
/etc/ssh/sshd_config
X11Forwarding yes
X11DisplayOffset 10
These parameters configure an ability called X11 Forwarding. This allows you to view a remote system’s graphical user interface (GUI) on the local system.
This option must be enabled on the server and given to the SSH client during connection with the -X option.
After making your changes, save and close the file. If you are using nano, press Ctrl+X, then when prompted, Y and then Enter.
If you changed any settings in /etc/ssh/sshd_config, make sure you reload your sshd server to implement your modifications:
sudo systemctl reload ssh
You should thoroughly test your changes to lớn ensure that they operate in the way you expect.
It may be a good idea to have a few terminal sessions open while you are making changes. This will allow you to revert the configuration if necessary without locking yourself out.
How To Log Into SSH with Keys
While it is helpful to be able to log in to a remote system using passwords, it is faster and more secure to set up key-based authentication.
How Does Key-based Authentication Work?
Key-based authentication works by creating a pair of keys: a private key and a public key.
The private key is located on the client’s machine and is secured and kept secret.
The public key can be given to anyone or placed on any server you wish to access.
When you attempt to connect using a key pair, the server will use the public key to create a message for the client computer that can only be read with the private key.
The client computer then sends the appropriate response back to the server, which will tell the server that the client is legitimate.
This process is performed automatically after you configure your keys.
How To Create SSH Keys
SSH keys should be generated on the computer you wish to log in from. This is usually your local machine.
Enter the following into the command line:
ssh-keygen -t rsa
You may be prompted to set a password on the key files themselves, but this is a fairly uncommon practice, and you should press enter through the prompts to accept the defaults. Your keys will be created at ~/.ssh/id_rsa.pub and ~/.ssh/id_rsa.
Change into the .ssh directory by typing:
cd ~/.ssh
Look at the permissions of the files:
ls -l
Output
-rw-r--r-- 1 demo demo 807 Sep 9 22:15 authorized_keys
-rw------- 1 demo demo 1679 Sep 9 23:13 id_rsa
-rw-r--r-- 1 demo demo 396 Sep 9 23:13 id_rsa.pub
As you can see, the id_rsa file is readable and writable only to the owner. This helps to keep it secret.
The id_rsa.pub file, however, can be shared and has permissions appropriate for this activity.
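The permission check from the listing above can be scripted so that a private key readable by group or others is caught before it is used. This is an added example, not part of the original guide; the function name loose_private_keys and the files it creates are constructed for illustration.

```shell
#!/bin/sh
# loose_private_keys DIR: print every private key file in DIR whose mode
# grants any permission to group or others; return 1 if one is found.
loose_private_keys() {
    dir=$1 bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Private keys are recognised by their PEM-style first line.
        head -n 1 "$f" | grep -q -- '-----BEGIN .*PRIVATE KEY-----' || continue
        mode=$(ls -ld -- "$f" | cut -c1-10)
        case $mode in
            -???------) ;;   # owner-only, like id_rsa in the listing above
            *) echo "$mode $f"; bad=$((bad + 1)) ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Constructed demo files: a placeholder "key" with loose permissions.
d=$(mktemp -d)
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed-not-a-key' > "$d/id_rsa"
printf '%s\n' 'ssh-rsa AAAA-constructed demo@example' > "$d/id_rsa.pub"
chmod 644 "$d/id_rsa" "$d/id_rsa.pub"
loose_private_keys "$d" || chmod 600 "$d/id_rsa"   # report, then tighten
loose_private_keys "$d" && echo "private keys are owner-only"
rm -rf "$d"
```

To check your own keys, call loose_private_keys ~/.ssh.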
How To Transfer Your Public Key to the Server
If you currently have password-based access to a server, you can copy your public key to it by issuing this command:
ssh-copy-id remote_host
This will start an SSH session. After you enter your password, it will copy your public key to the server’s authorized keys file, which will allow you to log in without the password next time.
Client-Side Options
There are a number of optional flags that you can provide when connecting through SSH.
Some of these may be necessary to match the settings in the remote host’s sshd configuration.
For instance, if you changed the port number in your sshd configuration, you will need to match that port on the client side by typing:
ssh -p port_number remote_host
Note: Changing your ssh port is a reasonable way of providing security through obscurity. If you are allowing SSH connections to a widely known server deployment on port 22 as normal and you have password authentication enabled, you will likely be attacked by many automated login attempts. Exclusively using key-based authentication and running SSH on a nonstandard port is not the most complex security solution you can employ, but it should reduce these automated login attempts to a minimum.
If you only want to execute a single command on a remote system, you can specify it after the host like so:
ssh remote_host command_to_run
You will connect to the remote machine, authenticate, and the command will be executed.
As we said before, if X11 forwarding is enabled on both computers, you can access that functionality by typing:
ssh -X remote_host
Providing you have the appropriate tools on your computer, GUI programs that you use on the remote system will now open their window on your local system.
Disabling Password Authentication
If you have created SSH keys, you can enhance your server’s security by disabling password-only authentication. Apart from the console, the only way to log into your server will be through the private key that pairs with the public key you have installed on the server.
Warning: Before you proceed with this step, be sure you have installed a public key to your server. Otherwise, you will be locked out!
As root or user with sudo privileges, open the sshd configuration file:
sudo nano /etc/ssh/sshd_config
Locate the line that reads PasswordAuthentication, and uncomment it by removing the leading #. You can then change its value to no:
/etc/ssh/sshd_config
PasswordAuthentication no
Two more settings that should not need to be modified (provided you have not modified this file before) are PubkeyAuthentication and ChallengeResponseAuthentication. They are set by default and should read as follows:
/etc/ssh/sshd_config
PubkeyAuthentication yes
ChallengeResponseAuthentication no
After making your changes, save and close the file.
You can now reload the SSH daemon:
sudo systemctl reload ssh
Password authentication should now be disabled, and your server should be accessible only through SSH key authentication.
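The settings this guide recommends (PermitRootLogin no from the configuration section, plus the three authentication directives above) can be checked with a short script before you close your spare terminal sessions. This is an added example, not part of the original guide; the function names and the sample file are constructed for illustration, and Match blocks and Include files are not evaluated.

```shell
#!/bin/sh
# Added example: audit the sshd_config directives discussed in this guide.

# effective_value FILE KEYWORD: print the value from the global section.
# Keywords are case-insensitive and the first occurrence wins. Assumption:
# parsing stops at the first Match block and Include files are not followed.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || NF == 0 { next }       # comments and blank lines
        tolower($1) == "match" { exit }      # conditional blocks: out of scope
        tolower($1) == want { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE: print one line per finding, return 1 if any.
# Policy of this example: each directive must be set explicitly, because
# an unset directive falls back to a default that differs between builds.
audit_sshd_config() {
    file=$1 findings=0
    for pair in PermitRootLogin:no PasswordAuthentication:no \
                PubkeyAuthentication:yes ChallengeResponseAuthentication:no; do
        key=${pair%%:*} expected=${pair#*:}
        actual=$(effective_value "$file" "$key")
        if [ "$actual" != "$expected" ]; then
            echo "FINDING: $key is '${actual:-unset}', expected '$expected'"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: a config before the edits described in this guide.
sample_config() {
    cat <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
permitrootlogin no
EOF
}

demo=$(mktemp)
sample_config > "$demo"
audit_sshd_config "$demo" || echo "edit the file, then reload ssh as shown above"
rm -f "$demo"
```

In the sample, the later lowercase permitrootlogin no line has no effect because the earlier yes is read first, and the commented-out PasswordAuthentication line counts as unset.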
Conclusion
Learning your way around SSH will greatly benefit any of your future cloud computing endeavors. As you use the various options, you will discover more advanced functionality that can make your life easier. SSH has remained popular because it is secure, lightweight, and useful in diverse situations.
Next, you may want to learn about working with SFTP to perform command line file transfers.