title | description | published | date | tags |
---|---|---|---|---|
SSH - Secure Network Access |
true |
2020-02-06 22:19:01 UTC |
SSH, or Secure Shell, is a network protocol and suite of tools that enable secure communication over an untrusted network. We use SSH to connect to our physical and virtual computers
There are two endpoints for the SSH protocol, the client and the server. The computer you are connecting to must be running an SSH server, and the computer (whether laptop, phone, desktop, or virtual machine) you are using to connect must use an ssh client. If you are running an ssh server locally, the simplest connection using ssh is to your own computer: ssh localhost
. This is a good way to test if your ssh client and server are working.
If you are just trying to connect to a remote server, use your ssh client and specify the user and machine to which you are connecting. Example: ssh [email protected]
or ssh [email protected]
. If you do not specify a user, your current username will be used. You will be prompted for a password, if password authentication is enabled on the server and you are not using a public/private keypair.
SSH is available by default on these operating systems. You will need to open a terminal window to access the command line. For Linux use whatever your distribution provides, on a Mac use Terminal or download iTerm 2. Then, enter your ssh command as shown in the examples above: ssh USER@TARGET_COMPUTER
.
In Windows, you will need an application to start using SSH. PuTTY and MobaXterm are both popular - we will give instructions for MobaXterm, but the basics are the same for all SSH clients.
- Download and start your client
- In MobaXTerm, you can type the above ssh commands directly into their Home window. Setting up a session will let you save your configuration for next time.
- Click the Session icon in MobaXterm and choose SSH
- Fill out the Basic SSH settings section:
- Remote Host: Your VM’s IP address (given to you in the email)
- Username: Your username (given to you in the email)
- Port: 22
- Click OK. You will now be able to select this session in the Sessions sidebar on the left whenever you need a new session.
You can use whatever GUI client you wish - the settings will be the same.
You can avoid entering a password every time you connect by setting up public key auhentication. See below ↓
Public/Private Key Authentication is a powerful authentication pattern that uses modern cryptography. Each user creates a pair of keys: a private key that is known only to the user, and a public key that is shared everywhere that a user needs to authenticate.
Many services use public key authentication to ensure that only authorized users are able to access their applications. GitHub, Bitbucket, and many development tools have ways to authenticate without passwords by uploading your public keys to the application profile.
For SSH remote access, an authorized_keys
file is maintained in ~/.ssh/
with all of the public keys that can access a server. Locally, the private keys are stored and referenced in ssh as identity keys. You can specify a specific identity key for a particular server when you are logging in (e.g., ssh -i ~/.ssh/special-server-key myuser@special-server
), or you can configure this in your ssh configuration file, ~/.ssh/config
.
Anyone who has your private key can impersonate you, just as anyone with your password can. Do not share your private key! {.is-danger}
If you have never created a keypair before on your device, you will need to do so now. Otherwise you can use your existing public and private keys. Run the following commands in a terminal application (MobaXterm works for Windows).
Create a key: ssh-keygen
You can choose the defaults to save the file in ~/.ssh/
and with no passphrase, or you can choose a passphrase if you want to require a password as well as use key authentication. If you aren't sure, don't use a passphrase.
Copy ID to remote machine: ssh-copy-id USER@REMOTE_HOST
By default this will copy the id_rsa public key to the remote user's authorized_hosts
file. Use the -i /path/to/identitykey
option if you wish to copy a different key.
If you want your MobaXterm (or PuTTY) sessions to use public key authentication, you will need to change the appropriate settings. For MobaXterm:
- Open the Session settings
- Click on the Advanced SSH setting tab located at the bottom:
- Check the 'Use private key' box.
- Select your private key from above.
For PuTTY, you will need to use pageant.exe, which comes with the PuTTY binary. Here are instructions for using Pageant
These steps are only necessary if you are wanting to be able to connect to your local computer from somewhere else.
In modern Ubuntu, run sudo systemctl enable ssh
to enable it on startup, and sudo systemctl start ssh
to start it immediately. Server settings can be edited in /etc/ssh/sshd_config
. You will need to restart the ssh server for configuration changes to take effect.
In your 'Sharing' pane in System Preferences, enable Remote Login. Then, choose 'Only these users' and add your user to the box with the '+' button. Server settings can be edited in /etc/ssh/sshd_config
. You will need to restart the ssh server for configuration changes to take effect.
Follow this document. Good luck.
The first step in troubleshooting SSH issues is to turn on debugging. You can enable increasing levels of debugging output with the -v-
, -vv
, and -vvv
flags. Make another attempt with debugging turned on so you can see what part of the authentication protocol is failing.
A common error is that the permissions of the key files are bad. On Linux and Mac OS, this means that your .ssh/
directory and your private key files should only be readable and writeable by you. You can change this with chmod: chmod 600 your_key_file
.
If you are being prompted for a password even though you should be using a key, check that your public key is properly in the ~/.ssh/authorized_keys
file on the target machine. If it is, turn on debugging output to see if ssh is trying the right key for this server. Remember you can use -i /path/to/keyfile
to use a different key for a connection.
SSH Configuration - Make your life easier by customizing your ssh settings https://www.digitalocean.com/community/tutorials/how-to-configure-custom-connection-options-for-your-ssh-client https://linuxize.com/post/using-the-ssh-config-file/
SSH Tunneling - Communicate using insecure or banned protocols through a secure SSH connection. https://www.howtogeek.com/168145/how-to-use-ssh-tunneling/ http://www.augustcouncil.com/~tgibson/tutorial/tunneling_tutorial.html
X-Forwarding - View graphical applications locally that run on a server https://unix.stackexchange.com/questions/12755/how-to-forward-x-over-ssh-to-run-graphics-applications-remotely https://www.businessnewsdaily.com/11035-how-to-use-x11-forwarding.html
Explore - You can do a lot of cool stuff with SSH! https://www.exoscale.com/syslog/advanced-ssh-6-things/