--- title: SSH description: draft: false tags: - networking author: TrudeEH showToc: true --- SSH is a protocol for accessing a terminal remotely. For SSH to work, the remote machine needs to have an OpenSSH instance running and listening for connections, and port 22 must be allowed through any VPNs or firewalls between the client and host machines. An SSH client is also needed, be it any UNIX system (using the `ssh` command), or a Windows server using a client such as PuTTY. ## OpenSSH Client ### Connect to a Remote Server #### Connect Using a Password ```Shell ssh @ > ssh root@192.168.1.133 > Ctrl+D # Disconnect ``` > After connecting to a server for the first time, the fingerprint of that server is stored in the `~/.ssh/known-hosts` file. > > This is a security measure to prevent MitM attacks. (The client is notified if the server's fingerprint changes). #### Connect Using an SSH Key First, it is necessary to generate a private and public key to use with SSH. Always use a passphrase to keep your private key secure in case your machine is compromised in the future. ```Shell ssh-keygen # Create a private/public key pair. ``` > Make sure to back up your keys! Running the above command and saving the new keys would overwrite the previous ones, possibly locking you out of your servers. > After generating your keys, send the public key to your network administrator. #### Managing Multiple Keys Having separate SSH keys can ensure that if one of them leaks, not all machines it has access to would be compromised. ```Shell ssh-keygen -C "Comment" # The comment is optional, and defauls to your user/hostname > $HOME/.ssh/ # After sending the public key to the administrator... ssh -i @ ``` This method requires you to type your key's passphrase every time an SSH connection is started. To load the key into memory, an `ssh-agent` is needed. ```Shell eval "$(ssh-agent)" # Temporarily start the ssh-agent (already present if GUI) ssh-add # Load the key into memory ssh -i @ # The password won't be asked again ``` ### Configure The Client Edit the `~/.ssh/config` file to configure the client. #### Aliases ```Shell Host Hostname Port 22 User ``` Now, connecting to the server is as simple as typing: ```Shell ssh ``` ## OpenSSH Server Check whether the ssh server is running. ```Shell systemctl status sshd / ssh ``` ### Read Connection Logs ```Shell su root tail -f /var/log/auth.log journalctl -fu ssh / sshd # Preferred way to read logs ``` ### Configure SSH Keys By default, the OpenSSH server is configured to support both passwords and keys. #### Add a Client's Public Key ```Shell echo "PUBLIC_KEY" >> /home//.ssh/authorized_keys ``` If password login is enabled (or you are uploading someone else's key), there is a dedicated command to add a public key to the server, directly from the client: ```Shell ssh-copy-id -i ~/.ssh/id_rsa.pub @ ``` ### Configure The Server `/etc/ssh/sshd_config` ```Shell # Changing the port can help security slightly, but is less convenient Port 22 # Disable ssh into root (only after you have another user with sudo access) PermitRootLogin false # Disable password authentication (use keys exclusively) PasswordAuthentication no ```