Install ssh server on Ubuntu with OpenSSH
What is ssh – Secure Shell
Secure Shell is a protocol for administering a machine remotely (a web server, for example) through a terminal session. A shell on a system executes commands and controls it, and telnet used to give that shell over the network; but telnet sends everything, the password included, in plain text, so anyone on the path can read or alter the session. SSH replaces telnet with a connection that is encrypted end to end using SSH's own transport protocol (not SSL/TLS): the two sides agree on session keys, after which every packet is encrypted and integrity-protected.
Ssh (Secure Shell) is a program for logging into a remote machine and for executing commands on a remote machine. It provides secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. It can be used to provide applications with a secure communication channel.
For secure shell we need two components. The first is the ssh server, which runs on the machine that is to be controlled remotely. The other is an ssh client that speaks the ssh protocol to that server. In this post we are going to see how to set up the ssh server and client on ubuntu and do some secure communication.
Install OpenSSH server on ubuntu
On ubuntu install the package openssh-server. It provides the sshd server.
$ sudo apt-get install openssh-server
This is the portable version of OpenSSH, a free implementation of the Secure Shell protocol as specified by the IETF secsh working group.
Once installed the ssh server should be up and running. Verify it with the service command (the output below is from an upstart-based release; on current Ubuntu releases systemd reports the same through systemctl status ssh)
$ service ssh status
ssh start/running, process 29422
Now connect to the ssh server using the ssh command, which is the openssh client. The syntax of ssh is like this
ssh username@hostname
OR
ssh -l username hostname
Connect to our ssh server. On the first connection the client shows the fingerprint of the server's host key and asks whether to trust it. Compare it with the fingerprint of the host key stored under /etc/ssh on the server before answering yes: whatever you accept here is what protects every later session against a man-in-the-middle.
$ ssh enlightened@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is f2:81:02:29:0b:84:69:d4:71:35:e0:2f:d7:3b:cd:3e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
enlightened@localhost's password:
Once logged in it will show a welcome message similar to this
Welcome to Ubuntu 12.10 (GNU/Linux 3.5.0-17-generic x86_64)
* Documentation: https://help.ubuntu.com/
New release '13.04' available.
Run 'do-release-upgrade' to upgrade to it.
*** System restart required ***
Last login: Thu May 30 20:58:33 2013 from localhost
$
The ssh server listens on port 22 by default. Moving it to another port cuts the noise from automated scanners in the logs but is not an access control, so do not treat it as one. If you want to change the default port of the ssh server then edit the file
/etc/ssh/sshd_config
It has a line for specifying the port number.
# What ports, IPs and protocols we listen for
Port 22
After changing the port number, test the configuration for syntax errors first (a broken config stops sshd from coming back up, which locks you out of a remote machine) and then restart the ssh server using the service command. Restarting sshd does not drop sessions that are already open.
$ sudo service ssh restart
ssh stop/waiting
ssh start/running, process 30751
To learn more about how to configure the ssh server using the configuration file check the man page by running the following command
man sshd_config
Putty ssh client
On ubuntu the terminal ssh command is the easiest way to connect to any ssh server. However if you are looking for an alternative then try putty. Putty is a free ssh/telnet client that is available for both linux and windows. On ubuntu install it from synaptic or with apt-get
sudo apt-get install putty
Passwordless login to ssh server
By default the ssh server asks for a username and password to log in. However it is possible to set up passwordless login by using key based authentication, which is covered below.
Resources
http://www.openssh.org/
Setup password-less login to ssh on Linux
SSH login without password
SSH (Secure Shell) is commonly used when administering remote servers. If you are working on some server regularly and find it tiring to type in the ssh password again and again, then it might be a good option to configure the login to not ask for the password. It is possible to make ssh shell login without password. However this does not mean that the login would not be authenticated. Instead a different authentication scheme would be used.
Key based authentication
The solution is to setup and use key based authentication. In key based authentication, the authentication is done by a file that is present on your system, instead of you having to type the password again and again.
This key based authentication is based on using public key cryptography. In this authentication scheme there are 2 key files, one is kept on the server and other on your local machine. These are called public and private keys respectively. The keys always exist in unique pairs such that you must have the right private key in order to authenticate with the public key present on the server.
OpenSSH, the most common ssh package used on Linux, can be easily configured to use the key based authentication mechanism. And it takes only a few steps to configure.
Generate the keys
On ubuntu we are going to use the ssh-keygen command to generate the pair of keys.
# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/john/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/john/.ssh/id_rsa.
Your public key has been saved in /home/john/.ssh/id_rsa.pub.
The key fingerprint is:
86:0c:a6:8d:c1:35:91:ab:b2:09:b8:b0:55:2f:58:2c john@localhost
The key's randomart image is:
+--[ RSA 2048]----+
| +o |
| . ... |
| o.o. |
| E*=o . |
|. o*..o S |
|= + . .. |
|oB . |
|= |
| |
+-----------------+
While generating the keys, it will ask for some information like where to save the key files, whether to set a passphrase or not. The keys are by default saved in the “.ssh” directory in your home directory. It can be any other location, but we use the default one to keep it simple.
Once the keys are generated you might want to peek into the “.ssh” directory. Take a look in there. You would find 2 files called
id_rsa
id_rsa.pub
The first file is the private key. It must always stay on your computer, readable only by you (ssh refuses to use a private key that other users can read), and must never be sent anywhere. The second file, id_rsa.pub, is the public key; it is meant to be given to anyone who needs to verify your identity, which in this case is the ssh server you want to log in to.
Give the public key to the server
Now it is time to give the public key file id_rsa.pub to the server, so that it can authenticate us with the key and not ask for the password again and again. To copy the public key file we use the ssh-copy-id command, which appends our public key to the ~/.ssh/authorized_keys file of the remote user on the server (it prompts for the password one last time to do so).
$ ssh-copy-id -i ~/.ssh/id_rsa.pub remoteuser@remote_web_server
The authenticity of host 'remote_web_server (69.101.52.13)' can't be established.
RSA key fingerprint is 26:50:b5:51:3d:06:a8:10:52:f8:8a:60:23:a7:31:a8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'remote_web_server' (RSA) to the list of known hosts.
remoteuser@remote_web_server's password:
stdin: is not a tty
Now try logging into the machine, with "ssh 'remoteuser@remote_web_server'", and check in:
~/.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
$
So now our public key has been copied over to the remote server. The output of the above command asks us to login using ssh to test if it works fine or not.
Login to the server
So now login to the remote machine without password
$ ssh remoteuser@remote_web_server
Last login: Wed Jan 2 11:26:14 2013 from 117.194.228.166
remoteuser@remote_web_server [~]#
Great, we logged in without the password.
Setup key based authentication in openssh on linux
SSH – Secure Shell
SSH provides terminal access to a remote server over an encrypted connection. It serves the same purpose as telnet, except that the entire session is encrypted, so it is safe to use over untrusted networks. To connect to a server using ssh two things are needed: an ssh server running on the remote machine and an ssh client. Openssh is the most common ssh server on linux based web servers.
SSH by default uses username/password based authentication. While connecting to the ssh server the user is asked to enter a password.
$ ssh root@remote_web_server
root@remote_web_server's password:
However this is not the only way to authenticate to an ssh server. Authentication can also be done using keys. The key exists as a file on the local system, and when connecting the client uses it automatically, so no password is asked for.
The key actually has 2 parts which exist as a pair: the public key and the private key. The public key is derived from the private key, so each private key corresponds to exactly one public key and vice versa. The key pair is generated on the local machine using a command like ssh-keygen. Then the public key is stored on the server in the user's list of authorized keys (the ~/.ssh/authorized_keys file).
Now whenever we connect to the server, the client offers the public key and, if the server finds a matching entry in authorized_keys, proves possession of the private key by signing a value tied to the current session; the server verifies that signature with the stored public key. The private key never leaves the local machine and nothing replayable is sent, which is why key based login is both more convenient and stronger than a password. Read about public key cryptography if you want to know more about how it works.
Generate keys
Assuming that openssh is already installed and set up, and that you are able to log in with a password, it is time to set up key based authentication. The first thing to do is to generate our key pair. On ubuntu we can use the ssh-keygen command
# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/john/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/john/.ssh/id_rsa.
Your public key has been saved in /home/john/.ssh/id_rsa.pub.
The key fingerprint is:
86:0c:a6:8d:c1:35:91:ab:b2:09:b8:b0:55:2f:58:2c john@localhost
The key's randomart image is:
+--[ RSA 2048]----+
| +o |
| . ... |
| o.o. |
| E*=o . |
|. o*..o S |
|= + . .. |
|oB . |
|= |
| |
+-----------------+
ssh-keygen can generate several key types. RSA and DSA were the common choices when this was written; current OpenSSH also offers ECDSA and Ed25519, and Ed25519 (ssh-keygen -t ed25519) is now the usual recommendation. DSA keys are limited to 1024 bits and have been disabled by default in OpenSSH since version 7.0, so do not create new ones. Read the wikipedia articles to learn about the algorithms. In this example we use RSA; a 2048 bit RSA key as shown is still acceptable.
Note that on ubuntu the keys are by default created in the .ssh directory inside the home directory. You can specify any directory. The key pair consists of 2 files: id_rsa (the private key) and id_rsa.pub (the public key).
Install the public key on server
Now one part of the pair, the public key, needs to be given to the server so that it can verify us when we prove possession of the private key. This is done by appending the contents of the public key file to the following file on the remote server, in the home directory of the user you log in as
~/.ssh/authorized_keys
Older guides mention an authorized_keys2 file. It is still read by default for backwards compatibility, but there is no reason to use it for a new setup.
To copy the public key into the file, the easiest way is to use the ssh-copy-id command, which takes the public key and appends it to that file on the remote server.
$ ssh-copy-id -i ~/.ssh/id_rsa.pub remoteuser@remote_web_server
The authenticity of host 'remote_web_server (69.101.52.13)' can't be established.
RSA key fingerprint is 26:50:b5:51:3d:06:a8:10:52:f8:8a:60:23:a7:31:a8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'remote_web_server' (RSA) to the list of known hosts.
remoteuser@remote_web_server's password:
stdin: is not a tty
Now try logging into the machine, with "ssh 'remoteuser@remote_web_server'", and check in:
~/.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
$
Now try to log in to the remote server again from your local terminal, as the same user whose authorized_keys we just updated.
$ ssh remoteuser@remote_web_server
It should log in without asking for a password. Note that if you created the keys in a location different from ~/.ssh then you need to specify the path to the private key file using the “-i” option.
$ ssh -i /path/to/id_rsa remoteuser@remote_web_server
If you do not have the ssh-copy-id command then copy the public key file manually.
First copy the id_rsa.pub key file onto the server using the scp command.
$ scp ~/.ssh/id_rsa.pub serverusername@192.168.1.40:id_rsa.pub
The file lands in the home directory on the server. Now log in to the server with ssh using your password, create the .ssh directory if it does not exist, append the contents of id_rsa.pub to .ssh/authorized_keys and set the permissions. sshd refuses to use the file if the directory or the file is writable by anyone else, so the chmod steps are not optional.
$ mkdir -p ~/.ssh
$ chmod 700 ~/.ssh
$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
$ rm ~/id_rsa.pub
That's all. Now the public key is installed on the server. Try logging in from the terminal.
$ ssh enlightened@localhost
Welcome to Ubuntu 12.10 (GNU/Linux 3.5.0-32-generic x86_64)
* Documentation: https://help.ubuntu.com/
0 packages can be updated.
0 updates are security updates.
New release '13.04' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Fri May 31 09:27:59 2013 from localhost
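Below is an added example (not from the original post) that does the manual installation above as a small script, adding the checks ssh-copy-id's own output asks for: it refuses anything that is not an OpenSSH public key, does not add the same key twice, sets the permissions that sshd's StrictModes requires, and lists what is installed so an unexpected key stands out. It assumes POSIX sh, awk, grep and find; SAMPLE_KEY is a constructed placeholder in the right format, not a real key, and the demo at the bottom runs in a throwaway directory.

```shell
#!/bin/sh
# Added example, not from the original post: install a public key into a
# user's authorized_keys by hand, doing what ssh-copy-id does plus the checks
# a careful admin wants. Wrong modes on ~/.ssh or authorized_keys make sshd
# (with the default StrictModes yes) silently ignore the file and fall back
# to the password prompt, which is the most common "keys don't work" cause.
# Assumes POSIX sh, awk, grep and find only.

# Constructed placeholder with the shape of an Ed25519 .pub line; not a real key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderBlobNotARealKey00 john@localhost'

# is_pubkey LINE -> 0 when LINE is "<type> <base64 blob> [comment]" for a key
#   type current OpenSSH emits. ssh-dss is left out on purpose (disabled by
#   default since OpenSSH 7.0); option-prefixed authorized_keys entries are out
#   of scope because ssh-keygen never writes them into a .pub file.
is_pubkey() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)'
}

# install_pubkey PUBFILE [HOMEDIR]
#   Append the key in PUBFILE to HOMEDIR/.ssh/authorized_keys (default $HOME).
#   Returns 1 for a malformed key. Prints "already present" and changes nothing
#   when the same type+blob is listed; the trailing comment is ignored for the
#   comparison, as sshd itself ignores it.
install_pubkey() {
    pub=$1 home=${2:-$HOME}
    dir=$home/.ssh ak=$dir/authorized_keys
    key=$(head -n 1 "$pub")               # a .pub file is a single line
    is_pubkey "$key" || { echo "not an OpenSSH public key: $pub" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir"   # StrictModes: no group/other access
    [ -f "$ak" ] || : > "$ak"
    chmod 600 "$ak"
    blob=$(printf '%s\n' "$key" | awk '{ print $1, $2 }')
    if awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$ak"; then
        echo "already present: $(printf '%s\n' "$key" | awk '{ print $1, $3 }')"
        return 0
    fi
    printf '%s\n' "$key" >> "$ak"
}

# perms_ok [HOMEDIR] -> 0 when .ssh is exactly 0700 and authorized_keys 0600
perms_ok() {
    d=${1:-$HOME}/.ssh
    [ -n "$(find "$d" -prune -perm 700 -print)" ] &&
    [ -n "$(find "$d/authorized_keys" -prune -perm 600 -print)" ]
}

# list_keys [HOMEDIR] -> one "type comment" line per installed key: the audit
#   ssh-copy-id's message asks for, so a key you did not add stands out.
list_keys() {
    awk 'NF >= 2 && $1 !~ /^#/ { print $1, ($3 != "" ? $3 : "(no comment)") }' \
        "${1:-$HOME}/.ssh/authorized_keys"
}

# Demo in a throwaway "home" directory so running this file touches nothing real.
demo=$(mktemp -d)
printf '%s\n' "$SAMPLE_KEY" > "$demo/id_ed25519.pub"
install_pubkey "$demo/id_ed25519.pub" "$demo"
install_pubkey "$demo/id_ed25519.pub" "$demo"   # second run reports "already present"
perms_ok "$demo" && echo "permissions ok"
list_keys "$demo"
rm -rf "$demo"
```

On a real server, run install_pubkey with the copied .pub file and no second argument to target your own ~/.ssh, and use ssh-keygen -lf ~/.ssh/authorized_keys afterwards to see one fingerprint per installed key, which is easier to compare against what you expect than the raw base64.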
Disable password based login
Now that key based authentication is setup, you might want to disable password based logins. This can be done by configuring the ssh server (daemon). The openssh server configuration file is
/etc/ssh/sshd_config
Open the file and look for the “PasswordAuthentication” setting and set it to no.
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
Save and restart the openssh server. Before you do, check the file for syntax errors and keep your current session open until a fresh login with the key has succeeded from a second terminal, so a mistake does not lock you out. Note also that on Ubuntu sshd uses PAM, and the keyboard-interactive method can still prompt for a password even with PasswordAuthentication no; set ChallengeResponseAuthentication (called KbdInteractiveAuthentication in newer releases) to no as well if key based authentication is to be the only way in.
$ sudo service ssh restart
[sudo] password for enlightened:
ssh stop/waiting
ssh start/running, process 10890
Also ensure that public key authentication is enabled, which it is by default. On current OpenSSH only PubkeyAuthentication matters: RSAAuthentication applied to the obsolete protocol version 1 and has been ignored with a “Deprecated option” warning since OpenSSH 7.4. The commented AuthorizedKeysFile line shows the default location of the key list.
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
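The following script, added here as an example rather than taken from any of the original posts, automates both sshd_config changes discussed on this page (the Port change in the first post and the switch to key-only logins in this section). It assumes only POSIX sh, awk and mktemp; the file name is a parameter so the functions can be rehearsed on a copy, and the demo at the bottom works on a constructed config and never touches /etc/ssh.

```shell
#!/bin/sh
# Added example, not from the original posts: change sshd_config directives
# from a script, idempotently, and read back the value sshd will actually use.
# sshd keeps the FIRST active occurrence of a keyword, matches keyword names
# case-insensitively, and treats everything after a "Match" line as
# conditional, so a naive  echo 'PasswordAuthentication no' >> sshd_config
# is often ignored because an earlier line or a Match block wins.
# Assumes only POSIX sh, awk and mktemp.

# sshd_get FILE KEY
#   Print the effective global value of KEY, or nothing if it is unset there.
sshd_get() {
    awk -v key="$2" '
        { line = $0; sub(/^[ \t]+/, "", line); split(line, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { exit }                  # end of the global section
        tolower(f[1]) == tolower(key) { print f[2]; exit } # first active hit wins
    ' "$1"
}

# sshd_set FILE KEY VALUE
#   Replace the first active or commented-out "KEY ..." line in the global
#   section with "KEY VALUE", drop any later copies (so no stale duplicate can
#   shadow it), or insert the line before the first Match block / at the end.
#   A prose comment that starts with the keyword itself is dropped too.
sshd_set() {
    file=$1 key=$2 val=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v val="$val" '
        BEGIN { lk = tolower(key) }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # see through indentation and a leading "#"
            split(line, f, /[ \t=]+/)          # sshd accepts "Key value" and "Key=value"
            w = tolower(f[1])
            if (w == "match" && !inmatch) {    # global section ends here
                inmatch = 1
                if (!done) { print key " " val; done = 1 }
            }
            if (!inmatch && w == lk) {         # active or commented copy of KEY
                if (!done) { print key " " val; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " val }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # keep owner and mode of the real file
    rc=$?
    rm -f "$tmp"
    return $rc
}

# sshd_keys_only FILE
#   Key-only logins. PasswordAuthentication alone is not enough on Ubuntu:
#   sshd runs with UsePAM yes, and the keyboard-interactive method can still
#   prompt for the password unless it is switched off as well.
sshd_keys_only() {
    sshd_set "$1" PubkeyAuthentication yes
    sshd_set "$1" PasswordAuthentication no
    sshd_set "$1" KbdInteractiveAuthentication no
    sshd_set "$1" ChallengeResponseAuthentication no   # older name of the same switch
}

# Demo on a constructed config so running this file touches nothing under /etc.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# What ports, IPs and protocols we listen for
Port 22
#PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
sshd_set "$demo" Port 2222
sshd_keys_only "$demo"
cat "$demo"
echo "effective PasswordAuthentication: $(sshd_get "$demo" PasswordAuthentication)"
rm -f "$demo"
```

To apply it for real: back up /etc/ssh/sshd_config, run sshd_keys_only on it as root, validate with sudo sshd -t (a non-zero exit means sshd would not start), restart with sudo service ssh restart, and log in with the key from a second terminal before closing the session you already have.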
Login with putty
In the above examples we used the openssh ssh client that is available on linux. Putty is another useful ssh client that is available for both linux and windows and supports key based authentication.
However putty cannot use the private key generated by the ssh-keygen command directly. It uses its own .ppk format, so the private key (on your local machine) first has to be converted with the puttygen command, which on ubuntu comes in the putty-tools package. It converts the key file from openssh format to putty format.
$ puttygen ~/.ssh/id_rsa -o ~/.ssh/putty_id_rsa
The above command will convert the private key to putty format which can be used with putty to connect to the server. Launch putty and go to Connection > SSH > Auth tab on the left and select the key file in the box labelled “Private key for authentication”.