Using Secure Shell to Connect to Remote Machines

Secure Shell, or SSH, is an encrypted and secure method for logging in to remote machines. You can also use it to execute commands remotely, and use related tools to copy files securely.

This is the standard way to log into remote Linux servers, either in your own data center or in the cloud. In this section, you’ll use your local machine to connect to your Ubuntu virtual machine.

First, on your Ubuntu machine, install the openssh-server package and enable SSH connections:

 (ubuntu)$ sudo apt install openssh-server

This installs and activates the SSH server on port 22.

Identify the IP address of your Ubuntu machine using the ip addr command, and use grep to look for inet in the output, filtering out inet6 so you don’t see the IPv6 addresses:

 (ubuntu)$ ip addr | grep inet | grep -v inet6
  inet 127.0.0.1/8 scope host lo
  inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic enp0s3
  inet 192.168.99.100/24 brd 192.168.99.255 scope global dynamic enp0s8

If you followed the steps in Configuring a Network, then you’re looking for the IP address that starts with 192.168.99. In this case, the IP to connect to the server is 192.168.99.100, the private Host-only IP address.

Then, on your local machine, you’ll use the ssh command-line tool to connect. This tool is already installed on macOS and the Windows Subsystem for Linux.

To use it, specify the username and server address to which you wish to connect:

 (local)$ ssh brian@192.168.99.100
 The authenticity of host '192.168.99.100 (192.168.99.100)' can't be established.
 ECDSA key fingerprint is SHA256:CDDYS4MsIVrWehucVVwaBpbRKD8Xs9ON5rkjm/U5/Qc.
 Are you sure you want to continue connecting (yes/no)? yes
 Warning: Permanently added '192.168.99.100' (ECDSA) to the list of known hosts.

The first time you connect to a remote host, SSH asks you to verify the authenticity of the host. Answering yes saves the fingerprint of the remote server to a file named ~/.ssh/known_hosts. If the server’s fingerprint changes, you won’t be able to connect to it because SSH will assume either that the machine has been compromised or that it’s a different machine. It’s just an extra security precaution; the fingerprint shouldn’t change without you expecting it.
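To check the fingerprint before answering yes, compare it with the one computed from the server's own host key file, read on the Ubuntu machine's console rather than over the connection being verified. The script below is an added example, not part of the original text; it assumes OpenSSH's ssh-keygen is installed and that the host key is at the standard Ubuntu location /etc/ssh/ssh_host_ecdsa_key.pub, and its function names are illustrative.

```sh
#!/bin/sh
# Added example: compare the fingerprint ssh shows on first connect with the
# fingerprint of the server's host key file.
# Usage (prompt text saved to a file or pasted on stdin):
#   sh verify_host_key.sh /etc/ssh/ssh_host_ecdsa_key.pub < prompt.txt

# fingerprint_from_prompt: read ssh's first-connection prompt on stdin and
# print the SHA256 fingerprint it displays (empty output if there is none).
fingerprint_from_prompt() {
    sed -n 's|.*key fingerprint is \(SHA256:[A-Za-z0-9+/]*\).*|\1|p' | head -n 1
}

# fingerprint_of PUBKEY_FILE: print the SHA256 fingerprint of a public key
# file, which is the second field of "ssh-keygen -l" output.
fingerprint_of() {
    ssh-keygen -l -E sha256 -f "$1" | awk '{ print $2 }'
}

# verify_host_key PUBKEY_FILE: prompt text on stdin.
# Returns 0 on a match, 1 on a mismatch, 2 if either value is unreadable.
verify_host_key() {
    shown=$(fingerprint_from_prompt)
    actual=$(fingerprint_of "$1")
    if [ -z "$shown" ] || [ -z "$actual" ]; then
        echo "UNKNOWN: could not read one of the fingerprints"
        return 2
    fi
    if [ "$shown" = "$actual" ]; then
        echo "MATCH: $actual"
        return 0
    fi
    echo "MISMATCH: prompt shows $shown, key file gives $actual"
    return 1
}

# Run only when a key file is given, so the functions can also be sourced.
if [ $# -eq 1 ]; then
    verify_host_key "$1"
fi
```

Answer yes only on MATCH; a MISMATCH means the machine that answered is not presenting the key stored on your server.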

Once you add the server to the list of known hosts, you’ll be prompted for your remote user’s password. Once you enter it, you’ll be logged in:

 brian@192.168.99.100's password:
 Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-45-generic x86_64)
 
 ...
 
 brian@puzzles:~$

Your prompt changes, indicating that you’re now executing commands against the remote server instead of your local machine.

Execute the ls command to see the contents of your home directory:

 brian@puzzles:~$ ls
 data.json Desktop Documents Downloads examples.desktop
 Music Pictures Public setup_11.x Templates Videos

Type exit or press Ctrl+d to log out of the remote machine and return to your local prompt.

Now let’s set up public key authentication so that you can log in without a password.

Connecting with Public Keys Instead of Passwords

If you are going to log in to a remote machine with SSH, you can increase your security by using a public key instead of a password. You generate a public and private keypair on your local machine, and then copy the public key to the ~/.ssh/authorized_keys file on the remote machine. When you connect, SSH will perform authentication using the key and won’t prompt you for a password.

First, check if you already have a public key on your local machine. The default filename is id_rsa.pub and it’s located in the .ssh folder of your home directory. Use the ls command to see if it exists:

 (local)$ ls ~/.ssh/id_rsa.pub

If you don’t see any results, generate a new RSA keypair using the ssh-keygen command and press Enter for each prompt to accept the defaults:

 (local)$ ssh-keygen -t rsa
 Generating public/private rsa key pair.
 Enter file in which to save the key (/Users/brian/.ssh/id_rsa):
 Enter passphrase (empty for no passphrase):
 Enter same passphrase again:
 Your identification has been saved in /Users/brian/.ssh/id_rsa.
 Your public key has been saved in /Users/brian/.ssh/id_rsa.pub.
 ...

This creates the private key, located in ~/.ssh/id_rsa, which you should never provide to anyone. The public key, located in ~/.ssh/id_rsa.pub, is something you can provide to any other service that supports public keys.

To use your public key to log in to your Ubuntu server, you have to place the contents of the public key on the server in a file named authorized_keys, which is located in the .ssh directory inside the home directory of the user you want to log in as. Additionally, the .ssh directory and the authorized_keys file need to have specific permissions set so that only that user can access them.

The command ssh-copy-id can perform all of these tasks. On macOS, you’ll have to install it with brew install ssh-copy-id.

To use it, execute this command:

 (local)$ ssh-copy-id brian@192.168.99.100

You will be prompted for the password for your user. Enter the password and your key will be copied.

If you don’t have ssh-copy-id, you can still copy the key manually with this command:

 (local)$ cat ~/.ssh/id_rsa.pub \
 > | ssh brian@192.168.99.100 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

This command connects to the server, creates the directory, and pushes the content of the key into the file.

Then, log in to the server again:

 (local)$ ssh brian@192.168.99.100

If you are still prompted for a password, you will need to fix the permissions on the .ssh directory and the authorized_keys file. Enter your password so you can proceed. Then, once logged in, execute these commands to tighten up permissions:

 brian@puzzles:~$ chmod go-w ~/
 brian@puzzles:~$ chmod 700 ~/.ssh
 brian@puzzles:~$ chmod 600 ~/.ssh/authorized_keys

Log out with exit, and then connect again. This time, you’ll be logged in without being prompted for your password.
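The chmod commands above matter because sshd, with StrictModes on (its default), ignores authorized_keys when the home directory, .ssh, or the file itself is writable by group or others. The script below is an added example, not part of the original text, that audits those three paths against the modes set above; it checks mode bits only, not ownership, and its function names are illustrative.

```sh
#!/bin/sh
# Added example: audit the permissions that the chmod commands above set.
# Usage: sh audit_ssh_perms.sh /home/brian

# mode_of PATH: print the nine permission characters, e.g. rwx------
# (empty output if the path does not exist).
mode_of() {
    ls -ld -- "$1" 2>/dev/null | cut -c2-10
}

# check_path PATH WANT: WANT is "nowrite" (no group/other write, as chmod go-w
# gives) or "private" (no group/other access at all, as 700 and 600 give).
check_path() {
    path=$1 want=$2
    mode=$(mode_of "$path")
    if [ -z "$mode" ]; then
        echo "MISSING $path"
        return 1
    fi
    go=$(printf '%s' "$mode" | cut -c4-9)    # group and other triplets
    case "$want:$go" in
        nowrite:?w????|nowrite:????w?)
            echo "BAD     $path ($mode): writable by group or others"
            return 1 ;;
        private:------|nowrite:*)
            echo "OK      $path ($mode)"
            return 0 ;;
    esac
    echo "BAD     $path ($mode): accessible by group or others"
    return 1
}

# audit_ssh_perms HOME_DIR: returns 0 only if all three paths pass.
audit_ssh_perms() {
    home=$1
    rc=0
    check_path "$home" nowrite || rc=1
    check_path "$home/.ssh" private || rc=1
    check_path "$home/.ssh/authorized_keys" private || rc=1
    return $rc
}

# Run only when a home directory is given, so the functions can be sourced.
if [ $# -gt 0 ]; then
    audit_ssh_perms "$1"
fi
```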

You can follow this procedure with any remote machine, including a shell account on a shared web host, a virtual private server, or a cloud server.

Let’s look at how to copy files from your local machine to a server.
