I’ve seen a lot of ssh tutorial sites, and each has a little bit of information, or way too much detail. I’ve also helped a lot of people troubleshoot ssh connection issues. Although I love to help, I tend to see the same issues over and over. Here, I’m going to highlight the important stuff. In a future post I will demonstrate how to troubleshoot some of the more common problems.
If you have troubleshooting questions, look at: SSH Troubleshooting
Connection:
>> ssh <username>@<servername>
In its simplest form, you send a username and a server name or IP. The prompt will request a password. Enter it, and you are connected to the server.
That being said, there are a lot of options that can be, and regularly are, used with ssh. To make this easier, we create an ssh config file.
ssh config
Create a file named: ~/.ssh/config
# Name used to reference this server
Host <hostname>
    HostName <ip or dns>
    User <username>
# Example:
Host acc63
    HostName 10.9.8.1
    User ubuntu
To connect using the above statement:
>> ssh acc63
This will connect you to the server at pmi-qa with the username ubuntu.
OK, this is great, but where do I put my password? And should I even use passwords? A lot of servers don’t even allow that! Using keys is a much more secure way to connect to servers, which is why ssh makes it easy to configure public and private keys.
Public/Private Keys
Public and Private Keys allow users to authenticate to a server, without passwords. Instead you have a key. The key is much longer and more secure than a password. There are different types of keys. Here is one way to create a public/private key pair to be used with a server.
>> ssh-keygen -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key
(/Users/user1/.ssh/id_rsa):
# Leave the Passphrase empty
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
#.... The keys will be generated and saved in the location specified above.
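The command above will create 2 keys: a public one (which is OK to share with anyone) and a private one, which should not be shared. Because the passphrase was left empty, the private key file is not encrypted on disk, so anyone who can read that file can use the key.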
id_rsa
id_rsa.pub
In order to use these keys to access another server, 2 things need to happen:
- The private key needs to be defined in the ssh config
- The public key needs to be added to the authorized_keys file on the server you are connecting to.
ssh config
Host acc63
    HostName 10.9.8.1
    User ubuntu
    IdentityFile ~/.ssh/id_rsa
Authorized Keys
An administrative user on the server must log on and grant access to the server. The admin user would do the following:
>> scp id_rsa.pub acc63:~/. # Copy the public key to the server
>> ssh acc63 # Connect to the server
>> cat id_rsa.pub >> ~/.ssh/authorized_keys # Append the public key to the end of the authorized keys file
Once an administrator has done this, you should be able to log on to the server:
>> ssh acc63
Note: There is an authorized_keys file for each account. A common problem is that the key is added to a different user account than the one specified in the ssh config.
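The append step above can be made repeatable and safe against the usual mistakes (wrong file modes, a duplicate entry, the private key copied instead of the public one). The following is an added example, not part of the original post: install_pubkey is a hypothetical helper name, the key in the demo is constructed, and the second argument is assumed to be the home directory of the account named by User in the ssh config.

```shell
# Added example; install_pubkey is a hypothetical helper name, not an OpenSSH command.
# Usage on the server: install_pubkey <file.pub> [home directory of the target account]
install_pubkey() {
    pubkey_file=$1
    home_dir=${2:-$HOME}   # must be the account named by "User" in the ssh config
    ssh_dir=$home_dir/.ssh
    auth_file=$ssh_dir/authorized_keys

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 2; }

    # Refuse a private key handed over by mistake (id_rsa instead of id_rsa.pub).
    if grep -q 'PRIVATE KEY' "$pubkey_file"; then
        echo "$pubkey_file is a private key; use the .pub file" >&2
        return 3
    fi

    # Take the first line shaped like "<type> <base64> [comment]".
    key_line=$(grep -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/=]+( .*)?$' \
        "$pubkey_file" | head -n 1)
    [ -n "$key_line" ] || { echo "no public key line in $pubkey_file" >&2; return 4; }

    # With StrictModes (the sshd default) the key file is ignored if these are
    # writable by group or others, so set the modes explicitly.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 5
    touch "$auth_file" && chmod 600 "$auth_file" || return 5

    # Match on "<type> <base64>" so a different comment does not add a duplicate.
    key_id=$(printf '%s\n' "$key_line" | cut -d' ' -f1,2)
    if grep -qF -- "$key_id" "$auth_file"; then
        echo "key already present in $auth_file"
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    echo "key added to $auth_file"
}

# Demo on constructed data in a scratch directory; the real ~/.ssh is not touched.
demo=$(mktemp -d)
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotReal user1@laptop' \
    > "$demo/id_demo.pub"
install_pubkey "$demo/id_demo.pub" "$demo/home"   # key added
install_pubkey "$demo/id_demo.pub" "$demo/home"   # key already present
```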
SSH Passthrough
Also called using a jump server or a bastion host. Due to network and security measures, direct connections are usually blocked. In these cases you need to connect to a jump or bastion host. Once you are connected to the jump server, you can then connect to the final server from there.

When set up correctly, you can connect to the final server, through the jump server, with little to no user interaction with the jump server. It will seem like you are directly connected, when in reality you are going through the jump server the entire time.
Steps:
- Set up the connection to the jump server via the ssh config
- Set up the connection to the final server, using the ProxyCommand
Example:
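# Jump Server Connection
Host jump02
    HostName 54.242.111.111
    User ubuntu
    IdentityFile ~/.ssh/id_rsa
# Final Server Connection
Host acc63
    HostName 10.9.8.1
    User ubuntu
    # Optional: the ProxyCommand hop does not need agent forwarding;
    # it only matters if you ssh onward from acc63
    ForwardAgent yes
    # -W %h:%p asks jump02 to relay this connection to the final host and port
    ProxyCommand ssh jump02 -W %h:%p 2> /dev/null
    IdentityFile ~/.ssh/id_rsa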
Keys need to be set up for each server. In the case above, each server is set up with the user’s private/public key pair. Any valid set of keys can be used.
>> ssh acc63
# connects
[ubuntu-10.9.8.1]
The above command will connect you to the final server, through the jump. However, you won’t notice the jump server at all!