If you work in the IT field, you’ll know that establishing a connection to remote machines is really necessary. To ensure a secure link between two computers, Secure Shell (SSH) is one of the most common methods. This protocol enables safe remote login from one server to another, offering multiple authentication options while safeguarding communication through strong encryption. It operates on a client-server model, where the connection is initiated by the client reaching out to the host system. In this article, we’ll explore various ways to connect to a Linux remote server and how to enhance security.
Prerequisites
Installation and setup of secure shell software for remote servers and local clients.
You need the IP address of the remote machine.
Firewall setting on the ssh server machine which allows our ssh client machine to access.
Username and password authentication
This is a really basic authentication that most people often use if the security is not really strict. In order to allow ssh client login with username/password. The ssh server needs to modify or add the following line in “/etc/ssh/sshd_config”.
PasswordAuthentication yesTo make this change effective, we have to restart the ssh service with this command .
sudo service ssh restartAfter that, the following command should be executed to connect to the remote machine.
ssh [username]@[remote server IP address]When your local machine and the remote machine are in the same network, the private IP address can be used in the SSH command.
If this is the first time the client establishes a connection to the remote server, it will ask if you want to continue connecting. Because this is a security feature designed to verify the identity of a remote system when establishing a session. When this option is enabled, the client will automatically reject any key from the server that does not match the one stored in its known_hosts file. This helps protect against main-in-the-middle attacks, where the attacker may attempt to impersonate the SSH server by providing a different hostkey. This feature is applied by changing the option “StrictHostKeyChecking” in path /etc/ssh/ssh_config. By default, It has the value of “ask”. So just type yes and hit Enter, the SSH server will be identified on the local machine. [2]
💡 If the username on the local machine matches with the one on the remote machine, you won’t need to define it, just type: ssh [remote server IP address].
Following this way of establishing a connection, the remote server side needs to share the username and password with all the users who want to access. Though it is a simple and easy to set up solution, let’s see what more secure alternative we can use in the next session.
Key authentication
For key authentication, you need to prepare a key pair—one is the public key, which is stored on the remote server, and the other is the private key, which is kept on the local machine.
Step 1: Generate a SSH key pair
The first step is to generate a SSH key pair on your local computer if you haven’t already done so. To generate a SSH key pair, you can use the following command in your terminal.
ssh-keygen -t rsa -b 4096This command will generate a new SSH key pair using the RSA algorithm with a key length of 4096 bits. The most common key size is actually 2048 bits, but I highly recommend using a larger key size 4096 bits for added security level. The key size refers to the length of the cryptographic key used to encrypt and decrypt data during an SSH session. The longer key size generally means that it is more difficult for an attacker to guess or crack the key and gain unauthorized access to the system.
💡 If you don’t really care about the compatibility, another type of key that you can consider to apply for SSH connections is Ed25519 which performs much faster and provides the same level of security with significantly smaller keys.
Step 2: Copy the public key to remote machine
Once you have generated a SSH key pair, you need to copy the public key to the remote server. In order to perform this action, you have to have username and password to access the remote server. And execute bellow command:
ssh-copy-id [username]@[remote server IP address]This command will send your public key that is created by above command to remote server. From the remote server side, the public key is stored in path “~/.ssh/authorized_keys”.
Step 3: SSH into the remote machine
Once you have sent the public key to the remote server, you can SSH into the remote server using the private key on the user’s SSH client. To do this, you can use the following command:
ssh -i [path to private key] [username]@[remote server IP address]
The user’s SSH client uses the private key to sign the challenge and sends the signature back to the server, then the SSH server verifies the signature using the public key which is stored in authorized_keys file. If this signature is valid, the server grants the user access without requiring a password.
After successfully log in the remote machine you can disable allow SSH connection through username and password by changing configuration in “/etc/ssh/sshd_config”.
PasswordAuthentication noApply SSH Connection with bastion host
Both of the methods that I have introduced still require the remote machine to have a public connection and open SSH port. Instead of all servers inside the network have to have public access to the internet, we public only one machine and use it to connect to all machines in the private network.This specific machine is called bastion host. I will get the example on aws cloud and show how it works:
This method uses two steps of SSH connection.
- A user logs in to the bastion host using SSH (Secure Shell) through a public IP address.
- Once logged in, the user can ssh to target a machine in a private subnet.
The use of a bastion host provides several advantages
- The private network is protected from unauthorized access from the external network.
- All traffic between the bastion host and the private network is controlled and monitored, providing an additional layer of security.
In order to authenticate into the target machine (private instance in the diagram), we could use the private key to access it. It means the bastion host needs to have the key to access the target machine. The easiest method is to keep a copy of the private key of the target machine in the bastion host. But there are two problems:
- If the bastion host is compromised, the private keys associated with the target machines will also be compromised. So we can no longer access it.
- If the bastion host is accessed by external users ( for some reasons), they can access all the servers inside the network.
This can be addressed by using ssh-agent forwarding.
SSH agent forwarding
The ssh-agent is a program that keeps track of a machine’s private keys. The agent can then use the keys to log into other servers without having the user type in a password. By default, the agent uses SSH keys in the ~/.ssh path. The ‘ssh-add’ command is then used to add new private keys to the agent that are stored outside the ~/.ssh path.
After having the key on the local machine, port forwarding via SSH should be applied. This mechanism allows us to forward our local ssh traffic to the bastion host that acts as a proxy and forwards our SSH traffic to the machine in the private network.
Setup ssh-agent forwarding
Step 1: Start SSH agent
ssh-agent -sStep 2: Adding private key
ssh-add -k [private_key_file]It allows the local machine access to private target machines without copying the private key to the bastion host. You can launch this command with the option -L to show the key has been stored.
Step 3: Access to the bastion host
ssh -A [username]@[bastion host public IP]
This command will login to the bastion host server through key authentication.
Step 4: Access target machine
After successfully login to the bastion host, we are already inside the remote machine network, so the private ip address of target machine can be used for ssh connection. The private key of target machine has been added to ssh-agent through step 2. Without any more authentication steps, just launch bellow command and we can login.
ssh -A [username]@[private ip of target machine]Conclusion
In conclusion, connecting to a remote server using SSH is an essential skill for anyone who wants to manage a server or access remote resources securely. SSH provides a secure, encrypted channel for communication, which helps to protect against unauthorized access. So SSH is a standard and reliable tool to establish connection to remote server.
Would you like to read more articles by Tekos’s Team? Everything’s here.
References
- https://www.ssh.com/academy/ssh/protocol
- https://www.howtouselinux.com/post/ssh-stricthostkeychecking-option
Author
