After completing the work in this module you will be able to:
Secure SHell (SSH) creates a secure connection over an insecure network using public key encryption. In this section you will learn how to log into a remote system and run commands.
[student@workstation ~]$ ssh student@servera
student@servera's password:
...output omitted...
[student@servera ~]$
Since student has the same user name on servera, the command can be shortened to ssh servera.
[student@servera ~]$ exit
Connection to servera closed.
[student@workstation ~]$
Typing the exit command closes the connection and returns the user to the host where the connection was initiated.
[student@workstation ~]$ ssh developer1@servera
developer1@servera's password:
...output omitted...
[developer1@servera ~]$
[student@workstation ~]$ ssh servera uptime
20:06:13 up 2 min, 0 users, load average: 0.18, 0.06, 0.02
[student@workstation ~]$
You can run a command without logging into the remote host by including the command after the host.
[developer1@servera ~]$ w
16:13:38 up 36 min, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
developer2 pts/0 172.25.250.10 16:13 -bash
developer1 pts/1 172.25.250.10 16:24 -w
[developer1@servera ~]$
Here the w command shows that there are two remote logins.
To establish an SSH connection, the remote server sends a copy of its public key to the client before logging in. Public keys end in a .pub extension. The private key must not be shared.
[student@workstation ~]$ ls ~/.ssh/
config known_hosts lab_rsa lab_rsa.pub
[student@workstation ~]$
Since student has previously logged into servera, a copy of servera's public key will be in the known_hosts file in the ~/.ssh/ directory.
If the StrictHostKeyChecking parameter is set to yes, then the ssh command always aborts the SSH connection if the public and private keys do not match. Otherwise ssh will ask for a password.
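As an added example (not part of the original slides), the script below models what ssh does with the host key a server presents, compared against known_hosts, for each StrictHostKeyChecking value. The known_hosts entries, the key strings, the serverb and serverc names and the 172.25.250.11 address are constructed, and hashed known_hosts entries are not handled.

```shell
#!/bin/sh
# Added example: a simplified model of the host key check.
# Key blobs below are constructed placeholders, not real keys.
KNOWN_HOSTS='# constructed ~/.ssh/known_hosts content (unhashed names)
servera ssh-ed25519 AAAAC3-CONSTRUCTED-servera
serverb,172.25.250.11 ssh-ed25519 AAAAC3-CONSTRUCTED-serverb'

# known_hosts_state HOST KEYTYPE KEYBLOB -> match | changed | unknown
known_hosts_state() {
    printf '%s\n' "$KNOWN_HOSTS" | awk -v h="$1" -v t="$2" -v b="$3" '
        BEGIN { s = "unknown" }
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            n = split($1, names, ",")           # one line may list several names
            for (i = 1; i <= n; i++)
                if (names[i] == h && $2 == t) {
                    if ($3 == b) { s = "match"; exit }
                    s = "changed"               # same host and type, other key
                }
        }
        END { print s }'
}

# host_key_decision HOST KEYTYPE KEYBLOB MODE -> connect | prompt | abort
# MODE is the StrictHostKeyChecking value: yes, ask, accept-new or no.
host_key_decision() {
    case "$(known_hosts_state "$1" "$2" "$3"):$4" in
        match:*)                        echo connect ;;
        changed:no)                     echo connect ;;  # proceeds with restrictions: the weak setting
        changed:*)                      echo abort ;;
        unknown:yes)                    echo abort ;;    # key must already be stored
        unknown:ask)                    echo prompt ;;   # user confirms the fingerprint
        unknown:accept-new|unknown:no)  echo connect ;;  # key stored without asking
        *)                              echo abort ;;    # unrecognised mode
    esac
}

# Demo: a host never seen before (serverc) and a stored host whose key differs.
for mode in yes ask accept-new no; do
    echo "$mode: new=$(host_key_decision serverc ssh-ed25519 AAAAC3-CONSTRUCTED-serverc "$mode")" \
         "changed=$(host_key_decision servera ssh-ed25519 AAAAC3-CONSTRUCTED-other "$mode")"
done
```

Only the no setting lets a connection continue after a stored key has changed, which is why it is unsuitable outside throwaway lab hosts.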
Log into a remote system as different users and execute commands.
Configure a user account to use key-based authentication to log in to remote systems securely without a password.
Using keys to log into a remote host can be more secure than typing in a password. The ssh-keygen command generates a mathematically related key pair: a secret private key and a sharable public key with a .pub extension. The command suggests a default name but you can use a custom name if you want. Optionally, you can secure that private key with a passphrase for added security.
[student@workstation ~]$ ls ~/.ssh/
config id_rsa id_rsa.pub known_hosts lab_rsa lab_rsa.pub
[student@workstation ~]$
The newly generated key pair is placed in the hidden ~/.ssh/ directory in student's home directory.
Once the key pair is generated, the public key is uploaded to the remote host using ssh-copy-id. The public key can be uploaded to multiple hosts, or a new key pair with a different name can be generated for each host.
If needed, start the agent.
[student@workstation ~]$ eval $(ssh-agent)
Agent pid 10155
The ssh-agent is started in the background.
Then add the key.
[student@workstation ~]$ ssh-add
Identity added: /home/student/.ssh/id_rsa
The ssh-agent command will cache keys for the duration of about 5 minutes.
[user@host ~]$ ssh -v user@remotehost
OpenSSH_8.7p1, OpenSSL 3.0.1 14 Dec 2021
debug1: Reading config. data ssh_config
debug1: Reading config. data ssh_config.d/01-train.conf
Use the -v option to show the connection process in detail.
[dennisk@sahuaro ~]$ cat ~/.ssh/config
host sdf
    HostName sdf.org
    User dennisk
    IdentityFile ~/.ssh/id_rsa_sdf
host ec2
    HostName 54.232.200.77
    User ec2-user
    IdentityFile ~/.ssh/id_rsa_ec2
An SSH config file containing the information needed to log into remote hosts greatly simplifies the process. In this example two hosts are listed, sdf and ec2, along with the information needed to complete the connection.
[dennisk@sahuaro ~]$ ssh ec2
Login can now be done with only the host name from the ~/.ssh/config file.
In this exercise, you configure a user to use key-based authentication for SSH. When asked to enter a passphrase just press the Enter key twice. No passphrase will be used in this lab unless asked for.
/etc/ssh/sshd_config
The /etc/ssh/sshd_config file can be customized by uncommenting and changing default values.
You can configure the service by editing the /etc/ssh/sshd_config file. Disable direct logins as root by uncommenting PermitRootLogin and changing prohibit-password to no.
Disable password logins by uncommenting PasswordAuthentication and changing yes to no.
A best practice is to disable remote root logins in /etc/ssh/sshd_config.
[student@servera ~]$ sudo systemctl restart sshd.service
After changing /etc/ssh/sshd_config the service must be either restarted or reloaded.
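A check for the two changes above, as an added example that is not part of the original slides: it reads sshd_config text and reports the value in force for PermitRootLogin and PasswordAuthentication in the global section. The function names and the three sample configurations are constructed, and Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example. Sample configurations below are constructed.

# effective_setting KEYWORD DEFAULT: reads sshd_config text on stdin and prints
# the value in force in the global section. Keywords are case-insensitive,
# commented lines are ignored, and the first value read for a keyword wins.
effective_setting() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$2" '
        /^[ \t]*(#|$)/          { next }            # comment or blank line
        tolower($1) == "match"  { exit }            # global section ends here
        tolower($1) == want     { print $2; found = 1; exit }
        END { if (!found) print def }               # still commented: default
    '
}

# audit_sshd_config TEXT: prints findings and returns 0 only when both
# settings from the slides are in force.
audit_sshd_config() {
    conf=$1 rc=0
    root=$(printf '%s\n' "$conf" | effective_setting PermitRootLogin prohibit-password)
    pass=$(printf '%s\n' "$conf" | effective_setting PasswordAuthentication yes)
    [ "$root" = no ] || { echo "FAIL PermitRootLogin=$root"; rc=1; }
    [ "$pass" = no ] || { echo "FAIL PasswordAuthentication=$pass"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK"
    return "$rc"
}

# Both directives still commented out, so the defaults apply.
SHIPPED='#PermitRootLogin prohibit-password
#PasswordAuthentication yes'

# Both directives uncommented and set to no (keyword case does not matter).
HARDENED='permitrootlogin no
PasswordAuthentication no'

# A "no" appended at the end does not override an earlier uncommented "yes".
SHADOWED='PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no'

for name in SHIPPED HARDENED SHADOWED; do
    eval "text=\$$name"
    echo "== $name"
    audit_sshd_config "$text" || true
done
```

On a live server, sudo sshd -t checks the edited file for errors before the restart, and sudo sshd -T prints the configuration that is actually in effect, including included files.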
In this exercise, you disable direct logins as root and disable password-based authentication for the OpenSSH service on one of your servers.
/etc/ssh/known_hosts and .ssh/known_hosts.
In this lab, you set up key-based authentication for users, and disable direct login as root and password authentication for all users for the OpenSSH service on one of your servers.
Thanks for watching. This is the end of the presentation.
Created on 17 February 2025 by Dennis Kibbe. Last modified on 9 June 2025 09:21:00 by DNK.
This slide presentation was created by B6Plus. The audio accompanying this presentation is AI-generated.