Introduction
One of the essential tools to master as a system administrator is SSH. SSH or Secure Shell is a protocol used to securely log in to remote systems. It is the most common way to access Linux servers remotely. In this guide, we will discuss how to use SSH to connect to a remote system.
Core syntax
To connect to a remote system using SSH, we use the ssh command. If you are using Windows, you will need to install a version of OpenSSH so that you can ssh from the terminal. If you prefer to work in PowerShell, you can follow Microsoft's documentation for adding OpenSSH to PowerShell. If you prefer to have a full Linux environment available, you can set up WSL, the Windows Subsystem for Linux, which includes ssh by default. Finally, as a third lightweight option, you can install Git for Windows, which provides a Windows bash terminal environment that includes the ssh command. Each of these is well supported, and which one you decide to use depends on your preference. If you are using Mac or Linux, you will already have the ssh command in your terminal.
The simplest form of the command is:
    ssh remote_host
remote_host in this example is the IP address or domain name you want to connect to. This command assumes that your username on the remote system is the same as your username on your local system.
If your username is different on the remote system, you can specify it using this syntax:
    ssh remote_username@remote_host
After connecting to the server, you may be asked to verify your identity by providing a password. We'll look at how to generate keys to use instead of passwords later.
To exit ssh and return to your local shell, type:
    exit
How does SSH work?
SSH works by connecting a client program to an ssh server called sshd. In the previous section, ssh was the client program. The ssh server was already running on the remote_host that we specified. In almost all Linux environments, the sshd server should start automatically. If it is not running for some reason, you may need to temporarily access your server through a web-based console or local serial console. The process required to start the ssh server depends on the Linux distribution you are using.
On Ubuntu, you can start the ssh server by typing:
    sudo systemctl start ssh
This should start the sshd server and then you can log in remotely.
How to configure SSH
When you change the SSH configuration, you change the settings of the sshd server. On Ubuntu, the main sshd configuration file is located at /etc/ssh/sshd_config. Before editing, make a backup copy of the current version of this file:
    sudo cp /etc/ssh/sshd_config{,.bak}
Open it using nano or your favorite text editor:
    sudo nano /etc/ssh/sshd_config
You'll want to leave most of the options in this file as is, but there are a few you might want to take a look at:
    Port 22
The port declaration specifies which port the sshd server listens on for connections. By default, this is 22. You should probably leave this setting alone unless you have a specific reason to change it. If you change your port, we'll show you how to connect to the new port below.
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
Host key declarations specify where to look for global host keys. We will discuss what a host key is later.
    SyslogFacility AUTH
    LogLevel INFO
These two items indicate the level of logging that should occur.
If you're having problems with SSH, increasing the amount of logging may be a good way to discover the problem.
    LoginGraceTime 120
    PermitRootLogin yes
    StrictModes yes
These parameters specify some login information.
LoginGraceTime specifies how many seconds to keep the connection open without a successful login. It may be a good idea to set this time to just a little longer than the time it takes for a normal login.
PermitRootLogin selects whether the root user is allowed to log in. In most cases, this should be changed to no once you have created a user account that has elevated privileges (via su or sudo) and can log in via ssh, to minimize the risk of root access to your server.
StrictModes is a safety guard that refuses to allow login attempts if the authentication files are readable by everyone. This prevents login attempts when the configuration files are not secure.
    X11Forwarding yes
    X11DisplayOffset 10
These parameters configure a feature called X11 Forwarding. This allows you to view a remote system's graphical user interface (GUI) on the local system. This option must be enabled on the server and requested by the SSH client with the -X option when connecting.
After making your changes, save and close the file. If you are using nano, press Ctrl+X, then press Y and then Enter when prompted.
If you changed any settings in /etc/ssh/sshd_config, make sure you reload your sshd server to apply your changes:
    sudo systemctl reload ssh
You should test your changes thoroughly to make sure they work as you expect. It may be a good idea to have several terminal sessions open while you make changes. This will allow you to revert the configuration if necessary without locking yourself out.
How to log in to SSH with keys
Although remote login using passwords is useful, setting up key-based authentication is faster and more secure.
How does key-based authentication work?
Key-based authentication works by creating a pair of keys: a private key and a public key. The private key resides on the client machine and is kept secure and secret. The public key can be given to anyone or placed on any server you want to access. When you try to connect using a key pair, the server uses the public key to create a message for the client computer that can only be read by the private key. The client computer then sends the appropriate response to the server, and the server knows that the client is legitimate. This process is done automatically after you configure your keys.
How to create SSH keys
SSH keys must be created on the computer you want to log in from. This is usually your local machine.
Enter the following at the command line:
    ssh-keygen -t rsa
You may be asked to set a password (passphrase) for the key files themselves, but this is a fairly uncommon practice and you should press Enter through the prompts to accept the defaults. Without a passphrase, anyone who obtains the private key file can use it, so the file permissions checked below matter. Your keys will be created in ~/.ssh/id_rsa.pub and ~/.ssh/id_rsa.
Change to the .ssh directory by typing the following command:
    cd ~/.ssh
Look at the file permissions:
    ls -l
Output
    -rw-r--r-- 1 demo demo  807 Sep  9 22:15 authorized_keys
    -rw------- 1 demo demo 1679 Sep  9 23:13 id_rsa
    -rw-r--r-- 1 demo demo  396 Sep  9 23:13 id_rsa.pub
As you can see, the id_rsa file is readable and writable only by the owner. This helps keep it secret.
However, the id_rsa.pub file can be shared and has the appropriate permissions for this activity.
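The permission check above can be scripted. The following is an added example, not part of the original guide: it reads the same mode string that ls -l prints and flags anything looser than the listing shows. The function name, the sample directory and the id_backup file are hypothetical.

```shell
#!/bin/sh
# Flag files in an SSH directory whose permissions are looser than in the
# listing above. Reads the same mode string that ls -l prints, so it needs
# nothing beyond POSIX ls and cut.

check_ssh_perms() {   # usage: check_ssh_perms DIR; prints one line per finding
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        perm=$(ls -ld "$f" | cut -c1-10)
        case $name in
            *.pub|authorized_keys|known_hosts|config)
                # Not secret: others may read these, but must not write them.
                case $perm in
                    -????-??-?) ;;
                    *) echo "$name $perm writable by group or others" ;;
                esac ;;
            *)
                # Assumption of this example: any other file is a private key.
                case $perm in
                    -???------) ;;
                    *) echo "$name $perm private key not owner-only (chmod 600)" ;;
                esac ;;
        esac
    done
    return 0
}

# Constructed sample directory: the three files from the listing above plus
# id_backup, a hypothetical copy of the private key left world-readable.
demo_dir=$(mktemp -d)
touch "$demo_dir/authorized_keys" "$demo_dir/id_rsa" "$demo_dir/id_rsa.pub"
touch "$demo_dir/id_backup"
chmod 644 "$demo_dir/authorized_keys" "$demo_dir/id_rsa.pub" "$demo_dir/id_backup"
chmod 600 "$demo_dir/id_rsa"

check_ssh_perms "$demo_dir"
```

Run it against your own directory with check_ssh_perms ~/.ssh; no output means nothing was flagged.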
How to transfer the public key to the server
If you currently have password-based access to a server, you can copy your public key to it by issuing this command:
    ssh-copy-id remote_host
This will initiate an SSH session. After you enter your password, it will copy your public key to the server's authorized keys file, allowing you to log in without a password the next time.
Client-side options
There are a number of optional flags you can provide when connecting via SSH. Some of these may be required to match the settings in the remote host's sshd configuration.
For example, if you changed the port number in your sshd configuration, you need to match that port on the client side by typing:
    ssh -p port_number remote_host
If you want to run just one command on a remote system, you can specify it after the host like so:
    ssh remote_host command_to_run
You connect to the remote device, authenticate, and the command is executed.
As we said before, if X11 Forwarding is enabled on both computers, you can access that functionality by typing the following:
    ssh -X remote_host
Provided you have the right tools on your computer, the GUI programs you use on the remote system will now open their own window on your local system.
Disable password authentication
If you have created SSH keys, you can increase the security of your server by disabling password-only authentication. Apart from the console, the only way to log in to your server will then be with the private key that pairs with the public key you installed on the server.
As root or a user with sudo privileges, open the sshd configuration file:
    sudo nano /etc/ssh/sshd_config
Find the line that reads PasswordAuthentication and uncomment it by removing the leading #. You can then change its value to no:
    PasswordAuthentication no
Two other settings that don't need to be changed (assuming you haven't already modified this file) are PubkeyAuthentication and ChallengeResponseAuthentication. They are set by default and should read as follows:
    PubkeyAuthentication yes
    ChallengeResponseAuthentication no
After making changes, save and close the file.
You can now reload the SSH daemon:
    sudo systemctl reload ssh
Password authentication should now be disabled and your server should only be accessible via SSH key authentication.
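To confirm that the edits took effect as intended, including the PermitRootLogin change recommended earlier, the effective values can be read back from the file. This is an added example, not part of the original guide; the function names and both sample files are constructed, and the defaults column lists the upstream OpenSSH defaults that apply when a keyword is unset or commented out.

```shell
#!/bin/sh
# Audit the global section of an sshd_config for the settings discussed above.
# sshd matches keywords case-insensitively and uses the first value it finds;
# a line starting with # is a comment, so the built-in default applies instead.
# Simplifications assumed here: Include files are not followed, parsing stops
# at the first Match block, and only the "Keyword value" spelling is parsed.

sshd_effective() {   # usage: sshd_effective FILE KEYWORD DEFAULT
    awk -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want); val = def }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { val = $2; exit }
        END { print val }
    ' "$1"
}

audit_sshd() {       # prints one FAIL line per finding, nothing when clean
    # Columns: keyword, OpenSSH default when unset, value this guide ends with.
    while read -r key def want; do
        got=$(sshd_effective "$1" "$key" "$def")
        [ "$got" = "$want" ] || echo "FAIL $key is '$got', want '$want'"
    done <<EOF
PasswordAuthentication yes no
PubkeyAuthentication yes yes
ChallengeResponseAuthentication yes no
PermitRootLogin prohibit-password no
EOF
    return 0
}

# Constructed sample: the file before the edits described above.
before=$(mktemp)
cat >"$before" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
EOF

# Constructed sample: the same file after uncommenting and changing the values.
after=$(mktemp)
sed -e 's/^#PasswordAuthentication yes/PasswordAuthentication no/' \
    -e 's/^PermitRootLogin yes/PermitRootLogin no/' "$before" >"$after"

audit_sshd "$before"   # two FAIL lines
audit_sshd "$after"    # no output
```

On a live server, sudo sshd -t checks the edited file for syntax errors before you reload, and sudo sshd -T prints the full configuration sshd would run with.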
Result
Learning how to use SSH will be very useful for any of your future cloud computing endeavors. As you use the different options, you will discover more advanced functions that can make your life easier. SSH has remained popular because it is secure, lightweight, and useful in a variety of situations.









