The ssh generally refers to as OpenSSH secure shell. It is a software program that is implemented in Linux systems for secure remote connections from one computer to another. It provides several options for authentication into the system and protects communication and file transfer security with strong encryption.

The OpenSSH secure shell is used in cooperate network organization for remotely
providing remote commands, securely transferring files, and managing the network
infrastructure and other mission-critical system components.

Before going into how to create a connection between systems securely, let’s understand how OpenSSH works.

The OpenSSH works in a client-server protocol, which means that a client establishes a connection to a server machine. The SSH client initiates the connection and uses a public key to authenticate to the server. After the connection, the OpenSSH protocol uses a strong encryption algorithm to securely protect the communication between the SSH client and the SSH server.

After going through this article, you will be able to connect to a remote Linux machine using SSH remotely.

HOW TO LOG IN TO A REMOTE SYSTEM USING SSH

To use the SSH, you need two Linux system; you need the OpenSSH software installed as a client on one machine, and as a server on the other machine, you need a network connection on both systems, you also need to know the IP address of the server you are connecting. Those are the basic things. Now let's kick-off to learning how to install our OpenSSH software on our client and server machine.

If you are using a Debian based system, make use of apt-get command to install your OpenSSH software. If you are using RedHat based systems, make use of yum command to install your OpenSSH software. I will be demonstrating on a Debian and Redhat Linux Enterprise system.

How to install software will be explained in a subsequent article.

Meanwhile, the below command is the installation process of OpenSSH software in a RedHat system which I'm using as a server

After installing OpenSSH for the server machine, you need to install on the client machine. I won’t be demonstrating how to install for the client. Just follow the syntax below

yum install [openssh-client] ||| For RedHat-Based Systems

Or

apt-get install [openssh-client] ||| For Debian Systems

After installation, verify if the service is active and running by entering systemctl [status] [sshd] on the terminal. In new systems, sshd service is always running immediately after installation.

Now go to your server machine to view the IP address

This is the IP address of our server machine

Then log in to a remote system using the ssh command alongside the private IP address of the server. It will prompt you for a password. Enter the password and hit enter.

If you are connecting for the first time, it will ask, “if you want to continue connecting,” type yes and continue.

If the computer you are trying to connect is not on the same network, it is best to use the public IP address

Now we are on another remote machine. You can see that our client machine hostname is “kali,” and our remote machine’s hostname is “localhost.”

HOW TO CLOSE CONNECTION

After connecting to a remote system, you can choose to close the connection by entering exit on the command line

HOW TO LOG IN AS ANOTHER USER

You can also choose to log in as another user using the syntax below

ssh [[email protected] address]

HOW TO LOG IN USING DIFFERENT PORT NUMBER

To strengthen the security of the remote connection, it is adviced always to change the default port which the sshd server listens to incoming connection from port 22 to something complex.

In other to accomplish this, you need to make an entry in the /etc/ssh/sshd_config configuration file. The configuration file defines the default settings for the SSH on the server system.

Please note that, before making any changes to this configuration file, first, create a backup incase things go sideways

Use the following command;

cp /etc/ssh/sshd_config{, .bak}

The syntax is shown below

ssh [–p] [PortNumber] [IP address]

I will be using the default port (22) to show an example. Go to the configuration file and change the port number to a port number of your choice. After the change, please restart the sshd service

You can see from the command below, I tried specifying the wrong port number, and the system denied me a connection to the system but when I specified the right port number the system granted me access to the system

HOW TO DISABLE ROOT LOGIN USING SSH

From the security point of view, it is very important to prevent the root user from having access to the system using the ssh command.

In every Linux system, there is a root user by default, and the root user has unrestricted access to every file in the system. So when a potential hacker wants to hack into your server, the hacker will only have to guess the password instead of the username and password.

The OpenSSH software has a configuration file that enables you to make some changes to improve the security of your system.

The file, /etc/ssh/sshd_config has an option to prohibit root user login, but it is commented out by default.

Edit the configuration file using any text editor of your choice

vim /etc/ssh/sshd_config. You will have something like this

Comment out the option that says “PermitRootLogin” and change the option to “no.”

Enabling this option in the /etc/ssh/sshd_config will prevent root user from authenticating to the system after the sshd service has been restarted.

Please note that, after making changes to the configuration file, the sshd service needs to be restarted for the changes to take effect.

You see, I tried to log in, but I got a “permission denied” message. That’s because I have disabled the root user from authenticating to the system. Whenever I want to log in to the system, I have to log in as a regular user. You can see that user “henry” was able to log in. After you log in as a regular user, you can choose to use sudo command to switch to root user in other to have the root privilege, that’s only if you are in the /etc/sudoers file. So with this, the system is more secured.

If you still want to allow root login. you can go back to the file and change the “no” to “yes.”

HOW TO VIEW REMOTELY LOGGED-IN USERS

To view all remotely logged in user in your system, you use the w command. The w command displays a list of users that are currently logged in to a system using ssh.

From the command above, focus on the last two users. The root user has a pseudo-terminal open (pts/1). In the terminal, the root user is logged-in from a remote machine using the ssh command as user henry with IP address 192.168.124.138 at 07:09 pm. The last user henry is logged-in from pseudo-terminal pts/2.

HOW TO USE SSH KEY-BASED TO AUTHENTICATE TO A REMOTE SYSTEM

To improve security among remote users**, SSH** was integrated with a private-public key scheme. Now users can authenticate to a remote system without a password by using a public key authentication. This means that two keys are generated; the public key and the private key. The private key file is used as the authentication key; just like a password, it must be kept secret and secure. The public key doesn’t need to be kept secret. It is copied to the remote system and is used to verify the private key.

This is how it works. Whenever a user uses the ssh to connect to a remote system for the first time, the ssh command stores the servers public key in the ~/.ssh/known_hosts file. So whenever the user wants to connect to the system the client makes sure it gets the same public key from the server by comparing the public key it receives from the client to the one stored in the ~/.ssh/known_hosts. If it matches, then the user will be allowed to use the server remotely. If it doesn’t work, access will be rejected, and the server and the client will have to get things sorted out as quickly as possible because the server must have been hijacked.

Please follow the instruction carefully to see how to generate and copy keys.

To generate the public and private key, we use the ssh-keygen command

Please note that during key generation, it will ask you to enter a file to save the key. You can just hit enter, and it will pick up the default file and save it there, and it also asks you to enter a passphrase, enter any sentence of your choice. Something you can always remember.

That’s all about key generation, next is to copy the key to a client machine which will be used for authentication

To copy the key to the destination system, we use the ssh-copy-id [IPAddress or Hostname]

By default, the key will be copied to /root/.ssh/id_rsa.pub.

Now we are in. The system will prompt for a password. This is part you enter the passphrase you entered while generating your keys. Once done, you will have to be logging in to the server without having to input your password all the time

Now we are in our Kali Linux from our RedHat Enterprise Linux

RECAP AND SECURITY TIPS

For better security in ssh remote communication, please it is necessary to do all this

Prevent root user from logging in using the ssh command. This can be done in the
/etc/ssh/sshd_config file by commenting out the “PermitRootLogin” and optioning it to “no.”
Edit the sudoers file to specific users to have root access. This is to avoid the intruder gaining root privilege with the sudo command

You can prohibit password authentication using ssh. That’s allowing remote users to login using public keys and not their password

This is very important as public keys are longer when compared to an average password. This adds more security, as it is hard to crack.

Less effort when authenticating to the server and with better security. You can do that by going to the /etc/ssh/sshd_config file and navigate to where you have PasswordAuthentication and set it to “no.”

Generated keys are stored in the .ssh/ directory in your home directory by default. Permissions set for the private key is 600, and that of public keys is 644.

If you are having issues logging in. is either you are doing one or all of the following

You are typing in the wrong IP address. Remember that you are probably using a dynamic IP address and IP addresses are expected to change whenever you have a new network connection.

You ssh service is not running on either system or not running at all

You didn’t install OpenSSH package for the client and the server specifications

You have no network connection at all

You are not getting expected result because of one of the following

You made changes to the configuration file, and you forgot to restart the service

You are trying to log in as root when you have configured on the configuration file not to permit root to login.

References

Crouthamel, A. (2018). Remote Server Host Access   And Root Login Using Ssh. Retrieved August 22, 2019, from   andrewcrouthamel.wordpress.com: https://andrewcrouthamel.wordpress.com/2018/10/31/remote-server-host-access and-root-login-using-ssh/

RedHat System Administrator I Course Module

Author

Comments