Setup SSH to manage your home-server remotely

- **Technical difficulty:** ★★★☆☆ - **Server OS covered:** Debian, Ubuntu - **Client operating systems covered:** Any Unix-like system (macOS, Linux, FreeBSD) One of the most essential things you need to have for your server is the ability to control it remotely. You may not (and you don't want to) always depend on connecting directly to the machine with a keyboard and monitor. The best and most versatile tool is SSH. SSH allows you to access your server remotely through a command-line shell, and do basically anything on that machine, which is very handy in a variety of occasions. This guide will show you how to setup SSH on your machine. # Prerequisite knowledge - [[Using Unix 101]] # How to do it? ## Installing the SSH server ### Debian/Ubuntu From the server's terminal, you can install the OpenSSH server package with the following steps: 1. **Update Package Index**: Begin by updating the package index. Open a terminal and run: ``` sudo apt update ``` 2. **Install OpenSSH Server**: Install the OpenSSH server package by running: ``` sudo apt install openssh-server ``` 3. **Check SSH Service Status**: After installation, you should ensure the SSH service is running. You can do this with: ``` sudo systemctl status ssh ``` If it's not running, you can start it with: ``` sudo systemctl start ssh ``` ## Accessing the server 1. **Open a terminal**: Open a terminal on your local machine. 2. **Connect to the server**: Run the following command, replacing `username` with your username and `server_ip` with the IP address or domain name of your server: ``` ssh username@server_ip ``` You will be shown a warning about the authenticity of the host, similar to this: ``` The authenticity of host 'server_ip (server_ip)' can't be established. ECDSA key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. Are you sure you want to continue connecting (yes/no)? ``` If you are sure your connection with the server is secure *(e.g. If you are connected to the server through an ethernet cable or a secure network)*, type `yes` and press `Enter`. **If you want extra security, follow the steps in the next section ([[#Verifying the server's fingerprint]]) before proceeding.** 3. **Enter your password**: You will be prompted to enter your password. Type it and press `Enter`. If you have entered the correct password, you will be logged into the server and you will see a command prompt. ## Verifying the server's fingerprint When you connect to a server for the first time, your computer cannot know if the server is the one you think it is, or another machine impersonating it. The fingerprint is a way to verify the server's identity. To verify the server's fingerprint, follow these steps: 1. **Take note of the cryptographic algorithm**: The fingerprint is a hash of the server's [[Asymmetric cryptography basics|public key]]. The algorithm used to generate the fingerprint is shown in the warning message. For example, take this warning message: ``` The authenticity of host 'server_ip (server_ip)' can't be established. ECDSA key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. Are you sure you want to continue connecting (yes/no)? ``` The algorithm used is `ECDSA`. 2. **Find all the server's public keys**: Run the following command to list all the server's public keys: ``` ls /etc/ssh/ssh_host_*.pub ``` You will see a list of files with names like `ssh_host_ecdsa_key.pub`, `ssh_host_ed25519_key.pub`, etc. The part after `ssh_host_` is the algorithm used to generate the key. In this case, you are looking for the file `ssh_host_ecdsa_key.pub`. 3. **Generate the fingerprint**: Run the following command to generate the fingerprint of the server's public key: ``` ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub ``` Replace `/etc/ssh/ssh_host_ecdsa_key.pub` with the path of the file you found in step 2. You will see the fingerprint of the server's public key. Compare it with the fingerprint shown in the warning message. If they match, you can be sure the server is the one you think it is. If they don't match, please check: - If you are connecting to the correct server. - If you have the correct IP address or domain name. - If you have selected the correct file in step 2. - If the hashing algorithm is the same in the warning message and the command in step 3. (In this case, `SHA256`) # Easier logins with SSH keys Typing your password every time you connect to your server can be cumbersome. You can use SSH keys to authenticate yourself without a password (And make it more secure at the same time!). To do this, you need to generate a [[Asymmetric cryptography basics|pair of keys]] from your local machine and copy the public key to the server so that it can authenticate you. Follow these steps to set up SSH key login: ## 1. Generate a key pair A [[Asymmetric cryptography basics|key pair]] consists of a public key and a private key. The public key is copied to the server, and the private key is kept on your local machine. Here is how you can generate an SSH key pair: 1. **Open a terminal**: Open a terminal on your local machine. 2. **Generate a key pair**: Run the following command to generate a key pair: ``` ssh-keygen -t ed25519 ``` You will be asked to enter a file to save the key. Press `Enter` to save it in the default location (`~/.ssh/id_ed25519`). You will also be asked to enter a passphrase. You can enter a passphrase to add an extra layer of security, but it's optional. If you don't want to enter a passphrase, just press `Enter`. You will see an output similar to this: ``` user@ubuntu:/Users/user$ ssh-keygen -t ed25519 Generating public/private ed25519 key pair. Enter file in which to save the key (/home/user/.ssh/id_ed25519): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user/.ssh/id_ed25519 Your public key has been saved in /home/user/.ssh/id_ed25519.pub The key fingerprint is: SHA256:pvPyhtDkHJSJeciTMV0XjVeeY6cLMVjpQh47HyMlHJk user@ubuntu The key's randomart image is: +--[ED25519 256]--+ | .oB +..+B.o. | | B.* .Eo=. . | | + o.Bo = .| | o * ++ + | | = .S =.o. | | . +o .. . | | .o. . | | oo. | | +o | +----[SHA256]-----+ ``` This means the key pair has been generated successfully: - The private key is saved in `~/.ssh/id_ed25519`. Do not share this file with anyone. - The public key is saved in `~/.ssh/id_ed25519.pub`. This is the file you will copy to the server, so that it can authenticate you. ## 2. Copy the public key to the server 1. **Copy the public key contents**: Run the following command to copy the public key to the clipboard: ``` cat ~/.ssh/<YOUR_KEY_NAME>.pub ``` Replace `<YOUR_KEY_NAME>` with the name of your public key file. The contents will usually look like this: ``` ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ6(...) user_name@local_machine ``` Copy the contents to the clipboard or keep them handy. 2. **Login to the server**: Log in to the server through SSH using your password. 3. **Add the public key to the authorized keys file**: Run the following command to add the public key to the authorized keys file: ``` echo "<YOUR_PUBLIC_KEY_CONTENTS>" >> ~/.ssh/authorized_keys ``` Replace `<YOUR_PUBLIC_KEY_CONTENTS>` with the contents of your public key that you got from step 2 _(You can also [[Using a text editor through SSH|use a text editor]] and manually paste the contents into the file)_. 4. **You're done!**: You can now log in to the server without a password. Try logging out and logging in again to see if it works.