Using SSH to connect to a remote server

What is SSH and how does it work?

SSH, or Secure Shell, is a protocol used for secure remote access to computer systems over unsecured networks. It provides an encrypted connection between client and server, which eliminates the possibility of third parties intercepting data. The principle of SSH is based on asymmetric encryption: when establishing a connection, the client creates a pair of keys - public and private. The public key is transmitted to the server, which uses it to encrypt the data sent to the client. The private key remains on the client's side and is used to decrypt the received information. This provides a high level of security, because even in case of data interception, attackers will not be able to decrypt it without the private key. SSH also supports user authentication, which makes sure that only authorized persons can access the system. The protocol is widely used by system administrators to remotely manage servers, as well as for secure file transfers using SCP and SFTP. Understanding how SSH works is an important step to securing your data and systems in today's digital world.

Connecting to a remote server using SSH

Connecting to a remote server using SSH (Secure Shell) is an important part of work for system administrators and developers. SSH provides a secure and encrypted network link between your local computer and the remote server, allowing you to manage, transfer files, and execute commands without the risk of data interception. To establish a connection, you'll need an SSH client such as PuTTY for Windows or the built-in terminal on Linux and macOS. The connection process begins by entering a command:
ssh hostnamewhere hostname is the IP address or domain name of the server.

This command assumes that your username on the remote system is the same as on the local system. If your local username is different from your remote username, you can specify it using the following command format:
ssh username@hostnamewhere username is the username on the remote server.

The system will then prompt for a password if authentication is not configured using SSH keys.

To end the SSH session and return to the local shell on your device, enter the following command:
exit

SSH server configuration

Configuring an SSH server is a key process to secure remote access to your server. The SSH server configuration file is located at /etc/ssh/sshd_config. Proper SSH server configuration will not only protect your data, but also provide reliable and convenient server management.

It is highly recommended that you make a backup copy of the configuration file before making any changes:
cp /etc/ssh/sshd_config{,.orig}This command will copy the /etc/ssh/sshd_config file to /etc/ssh/sshd_config.orig, allowing you to revert the source at any time if you have problems.

You can open the file in the nano editor:
nano /etc/ssh/sshd_config
First of all, we advise you to pay attention to the port on which SSH works. By default, it is port 22.

Port 22

For security reasons, in some cases it is the port change that is the best solution.

SyslogFacility AUTH
LogLevel INFO

These lines in the config indicate the event logging levels.

LoginGraceTime 120

This parameter specifies the time, in seconds, that the server will retain the connection if there are no successful login attempts.

PermitRootLogin yes

Indicates whether SSH authorization is allowed for the root user.

StrictModes yes

Activating strict mode prevents authorizations on the system when authentication files are readable by everyone.

To make changes, save the file by typing CTRL+O and then CTRL+X. After that it is necessary for the SSH service to reread the new parameters. You can do this with the command:
systemctl reload ssh

Using keys for SSH authentication

Using keys for SSH authentication is an important aspect of security when accessing servers remotely. SSH allows users to securely connect to systems over unsecured networks. Instead of the traditional password authentication method, which is susceptible to attacks, the use of SSH keys provides a higher level of protection. Keys consist of two parts: a private key and a public key. The private key is stored on the local device and the public key is uploaded to the server. When connecting, a verification takes place: the server encrypts the message with the public key, and only the owner of the private key can decrypt it, which confirms his identity. SSH key creation is easier than it seems: with the ssh-keygen command, you can quickly generate a key pair. It is also important to customize the SSH configuration file to improve security by disabling password authentication and allowing key-only access. This approach not only protects your data, but also simplifies the process of logging into servers, which is especially useful for administrators and developers. Implementing SSH keyed authentication is a step toward more secure and efficient systems management.

We recommend to use longer keys:
ssh-keygen -b 4096The minimum RSA key size is 1024 bits, the default is 3072 bits.

By default, the RSA key type is created, but you can specify another type, such as ecdsa:
ssh-keygen -t ecdsaBut it is recommended to use RSA keys.

The ssh-keygen utility saves the keys to the ~/.ssh directory. Check to see if the key pair you just created is there:
ls -l ~/.ssh

Transferring the public key to the server

Transmitting the public key to the server is an important step in securing data and establishing a strong encrypted connection. This process involves generating a key pair, where the public key is used to encrypt the information and the private key is used to decrypt it. It is important to ensure that the public key is sent to the server in a secure manner, such as through secure channels or using digital certificates that authenticate the key. Once the key has been successfully transmitted, the server verifies its integrity and correctness, allowing an encrypted connection to be established between the client and the server. As a result, all data transmitted through this connection is protected from unauthorized access. By transferring the public key, you significantly increase the level of security of your service and protect the confidential information of users. The use of modern encryption methods and regular key updates will help you maintain a high level of protection and client trust.

Only one command is required to transmit the key to the server:
ssh-copy-id username@hostnameWhen you open an SSH session, you will be prompted to enter the user's password.

If the client has multiple SSH keys, you must specify which one you want to pass:
ssh-copy-id -i ~/.ssh/id_rsa.pub username@hostnamewhere ~/.ssh/id_rsa.pub is the path to the public certificate. The following command format is also acceptable:
ssh-copy-id -i ~/.ssh/id_rsa username@hostnameDo not be afraid that a private key will be passed. This will not happen, the command will automatically append .pub to the file name.

Disabling password authentication

Disabling password authentication is becoming an increasingly hot topic in the world of cybersecurity. Many are beginning to realize that traditional passwords can be vulnerable to hackers and phishing attacks. By disabling password authentication, you reduce the risk of unauthorized access to your accounts.

Warning: Make sure that the public key is installed on the server and authentication is error-free. Otherwise, you may block access to the server.

To disable it, we will need to open the configuration file:
nano /etc/ssh/sshd_config
Next, you should set PasswordAuthentication to no. You should also check the following parameters and their values:

• PubkeyAuthentication yes - includes public key authentication;
• ChallengeResponseAuthentication no (or a newer value KbdInteractiveAuthentication no) - specifies whether keyboard-interactive authentication should be used.

The SSH service should then be reloaded again.

Other options when connecting over SSH

When connecting to remote servers via SSH, it is also worth considering the ability to create a configuration file ~/.ssh/config that allows you to set connection parameters for different hosts, such as user, port, and key path. This is especially useful if you are working with multiple servers. And to monitor connections and debug problems, you can use tools like ssh -v to get detailed information about the connection process. These options make working with SSH more efficient and secure, which is especially important for system administrators and developers. A few more examples below.

To connect to a port other than port 22, use the -p parameter:
ssh -p12345 username@hostname
To execute a command on a remote server in the same command as opening a session, you can simply write:
ssh username@hostname commandwhere command is a remote command on the server.