How To Configure SSH on Linux
If you're hosting a website or blog on a hosting provider or in the cloud, there's a good chance at some point you may need to connect using SSH to a remote Linux server. In most cases, remote servers are usually Linux based and will require SSH Key-Based authentication to create a secured connection to the remote server.
In this article we'll take a look at how to connect using SSH to a remote Linux server using a SSH Key-Based authentication, including:
- How to create a Key-Based pair
- Where to store keys
- How to use advanced SSH config
- How to add your SSH key to a Linux server
What is SSH?
An SSH connection is the process of creating a Key-Pair of both a private and public key to establish a more secured connection versus using passwords.
It can also be used for non-interactive secured connections between backend systems.
Why is SSH important?
Here are some of the reasons and benefits for using SSH
- More secure than just using passwords which can be more easily hacked by brute force attacks.
- No password prompts when connecting to remote servers
- Non-interactive shell scripting capabilities for automated processes
- Easier to manage secured connections for many servers.
Types of SSH connections
Interactive SSH
When you want to log into a remote Linux server from your laptop.
Non-interactive SSH
When you have backend servers and services that need to connect to each other to run daily tasks like backups on CRON jobs.
How to setup SSH successfully
You will need the following information from the remote server environment:
username: with password that has sufficient level access, usually administrative level access.remote_host: which is usually not your domain name but a dns remote_host that points to your remote server and can be used for SSH/FTP/POP/IMAP. Your provider will usually put this information on the account details page.client: You'll need to have a Unix based Mac or Linux based computer. If you're using Windows, you'll need to use a 3rd party program like Putty to connect using SSH. This tutorial is not for Windows but for Unix or Linux systems which already have SSH command line support.port: You will need the SSH port number that your remote_host uses if it's not default.
How does SSH work?
SSH stands for Secured Shell or even Secured Shell Protocol, since it uses a secured protocol ssh in the terminal to establish a secured connection. In this case, for example, the connection will be between your laptop (client) and the remote server.
SSH uses the concept of a key pair, which consists of a public and private set of keys. The client will share the public key with the remote server but must keep the private key absolutely safe and secure.
Since the client will only share the public key, the two endpoints can use the public key to validate and verify the initial connection. Once that is established, the client will use its private key to create a cryptographic secured connection, which the remote_host server will be able to decrypt using the public key.
The client must keep the private key completely secured. Sharing the private key could compromise not only the connection itself but an attacker could log into other servers that might use the same public key.
SSH can also be used for server to server secured connections and the same techniques could be applied but for now we'll assume we're connecting a laptop to a remote Linux server.
Step 1 Creating SSH keys
To generate a SSH key pair, you can simply run the following command in terminal.
ssh-keygen -t rsa
For this tutorial, we'll assume that we are creating our first key pair.
The -t flag indicates the type of algorithm, we'll leave it at rsa for now but if you're system supports the newer algorithms, you could opt for -t ed25519.
You can just hit enter here since we're not entering a new name. However, if you're creating a key pair with a different name, make sure to also specify the path to the key, otherwise it will default to current directory. For example, ~/.ssh/id_rsa_azure. This way the key will be created in the ~/.ssh directory.
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
If the key name already exists, you will see the following message in the terminal. It's best to avoid overwriting existing keys. Just be sure that if you're ok with overwiting the key, that you're positive it is not in use by other processes.
/home/username/.ssh/id_rsa already exists.
Overwrite (y/n)?
CAUTION: Before creating a new SSH key pair, you should check if you already have an existing one. Overwritng an existing key pair might break other processes that use the key with that name. For example you could use something like id_rsa_dev to help separate it from other ssh keys to avoid issues.
All keys should be stored in the ~/.ssh directory. To do a quick check use ls ~/.ssh to see if an existing key already exists before creating.
Next it will prompt for a passphrase. This is optional and you can just hit the enter key without adding a passphrase for both of these entries.
Adding a passphrase will definitely add a lot more security and act as a second factor security check but it will also prompt you for a passphrase every time you connect using SSH.
Created directory '/home/username/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
You should now see the following output in the terminal.
Your identification has been saved in /home/username/.ssh/id_rsa
Your public key has been saved in /home/username/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:**************************jrvZJYBs username@remote_host
The keys randomart image is:
+---[RSA 3072]----+
|o ..oo.++o .. |
| o o +o.o.+... |
|. . + oE.o.o . |
| . . oo.B+ .o |
| . .=S.+ + |
| . o..* |
| .+= o |
| .=.+ |
| .oo+ |
+----[SHA256]-----+
Also, you should now see the following keys in your ~/.ssh directory.
~/.ssh/id_rsa
~/.ssh/id_rsa.pub
Step 2 - Adding the SSH key to your local
Now that the keys are generated, we'll need to add and register them with the following commands.
Start the ssh-agent so that it's running. You'll see it show a similar message with a pid indicating that it's running.
eval "$(ssh-agent -s)"
> Agent pid 35566
Now add the private key using the path ~/.ssh/id_rsa. If your key name path is different because you used a different key name, then make sure to use that path.
ssh-add ~/.ssh/id_rsa
You could also add it using the --apple-use-keychain flag on Mac to add it to the keychain.
ssh-add --apple-use-keychain ~/.ssh/id_rsa
Step 3 - Copy the Public Key to the Remote Host
The final step is to copy the SSH public key to the remote server. Remember, we only need to share the public key and in this case it's the file named id_rsa.pub.
Since the remote_host server is a Linux server, it will have a similar SSH directory structure as our local but it will contain the following additional file called authorized_keys. This is where all the public key entries need to be added.
Remote server:
~/.ssh/authorized_keys
So there are a couple of ways to copy the public key to the remote host.
Option 1
If you have the ssh-copy-id command available on your local client, you can run the following command in the terminal. This is definitely the best option, since it handles all of the writing to the file.
ssh-copy-id -p 7822 username@remote_host
If you're using a different key pair name, you'll need to use the -i flag to indicate the public key you want to copy to the remote server.
For example:
ssh-copy-id -i ~/.ssh/id_rsa_azure.pub -p 7822 username@remote_host
You should see the following output.
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@remote_hosts password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p 7822 username@remote_host"
and check to make sure that only the key(s) you wanted were added.
Option 2
If you do not have the ssh-copy-id command, then you'll need to manually copy it to the server.
pbcopy < ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa.pub
Log into the remote server using SSH with password.
ssh -p 7822 username@remote_host
Using a terminal text editor, modify and paste your public key in the authorized_keys file. There may be other entries already in the file, so just paste your public key on the next line. Then save and exit.
nano ~/.ssh/authorized_keys
NOTE: The formatting of this file is important and based on OpenSSH requirements. So double check with the format requirements if the manual editing is not working as expected. The ssh-copy-id is the better option to avoid formatting issues.
Connecting with the new SSH key pair
After copying the SSH public key to the remote_host, you can now try it out.
It will ask for your password on the initial login but shouldn't ask for future passwords unless you set a passphrase for the key.
ssh -p 7822 username@remote_host
The first time you login it may not recognize the host as a known host, so you'll want to permanentaly add the host to the known hosts record. You'll see the following terminal message.
The authenticity of host '[remote_host]:7822 ([remote_ip]:7822)' can't be established.
ED25519 key fingerprint is SHA256:**************************.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[remote_host]:7822' (RSA) to the list of known hosts.
username@remote_host's password:
By accepting and typing yes, it will automatically recognize the remote host as a known host in the future.
You do not need to modify this file manually, because it's automatically added and saved.
~/.ssh/known_hosts
Add SSH Config
This part is generally optional but adding a config file to manage the details of all your SSH connections can really simplify connection management.
If you don't have a config file in the SSH directory, you can add one with the following commands.
touch ~/.ssh/config
nano ~/.ssh/config
Add the following entry with your connection details to the config file and press save and exit.
One thing to note is that the Host key is not the remote server host name, it's the name you'll give to your config. In this case we'll use dev but you could use something like cloud for example.
The HostName on the other hand is the actual remote server host name.
Host dev
HostName remote_host
AddKeysToAgent yes
UseKeychain yes
Port 7822
User username
IdentityFile ~/.ssh/id_rsa
This config entry sets all the details needed to connect to a remote_host server and gives it a simple name called dev.
Now you can just refer to this name when connecting, rather typing all the details every time you connect.
ssh dev
This is a huge time saver when using several SSH keys. It really helps to manage your key pairs.
Conclusion
I hope you now have a better understanding of the SSH key process and how to add new keys for future connections to your remote servers.
SSH key pair connections are more secure and easier to manage and also provide more capabilities for development purposes