RED HAT ENTERPRISE LINUX
Accessing Remote
Systems Using SSH
Access Remote Systems Using SSH
CIS126RH | RHEL System Administration 1
Mesa Community College
Linux administrators rarely sit in front of the systems they manage. SSH — the Secure Shell protocol — is the standard tool for remote access on every RHEL server. This module covers how SSH works, how to connect to remote systems, and how to configure key-based authentication so you never need to type a password again. These skills are tested on the RHCSA exam.
Learning Objectives
- Explain how SSH works — Describe the client-server model and how SSH encrypts connections
- Connect to a remote system with ssh — Use the ssh command with common options to open remote shell sessions
- Configure SSH key-based authentication — Generate a key pair with ssh-keygen and deploy the public key with ssh-copy-id
- Use the SSH client config file — Define host aliases and options in ~/.ssh/config to simplify connections
What is SSH?
SSH — the Secure Shell protocol — provides an encrypted channel for remote login and command execution over an untrusted network.
- Replaced insecure protocols:
telnet,rsh,rlogin - All traffic — including passwords and commands — is encrypted end-to-end
- Uses a client-server model: your workstation is the client, the remote system runs the server
- The server daemon is
sshd; the client command isssh - Default port: 22/TCP
| Component | Package | Role |
|---|---|---|
| Client | openssh-clients | The ssh, scp, sftp commands |
| Server | openssh-server | The sshd daemon that listens for connections |
Both packages are installed by default. The sshd service is enabled and started
automatically. Verify with: systemctl is-active sshd
Basic SSH Connection
The ssh command connects you to a remote host and opens a shell session.
# Connect as the same username you are logged in as locally
$ ssh servera
# Connect as a specific user
$ ssh student@servera
$ ssh -l student servera
# Connect to a non-default port
$ ssh -p 2222 student@servera
# Run a single command on the remote host — no interactive shell
$ ssh student@servera hostname
servera.lab.example.com
# End the session
$ exit
logout
Connection to servera closed.If no username is given, SSH uses your local username. Use student@servera
or -l student when the remote username differs from your local one.
Host Key Verification
The first time you connect to a new host, SSH asks you to verify its host key.
$ ssh student@servera
The authenticity of host 'servera (192.168.1.10)' can't be established.
ED25519 key fingerprint is SHA256:abc123...xyz789.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'servera' (ED25519) to the list of known hosts.- Type yes to accept and save the key — future connections skip this prompt
- The key is saved in
~/.ssh/known_hostson your local system - If the key changes unexpectedly, SSH warns you — this may indicate a security problem
If SSH shows a "Remote host identification has changed" error, do not ignore it.
It could mean the server was rebuilt — or that someone is intercepting your connection.
Remove the old entry with: ssh-keygen -R servera
SSH Authentication Methods
SSH supports two main ways to prove your identity to the remote server.
| Method | How it works | Recommended for |
|---|---|---|
| Password | You type the remote user's password — transmitted encrypted | First-time or one-off connections |
| Key-based | Your private key proves identity; no password sent over the network | Daily use, scripts, automation |
Why Prefer Key-Based Authentication?
- No password travels over the network — even encrypted
- Not vulnerable to brute-force password attacks
- Can be used without a password prompt (with a passphrase-less key or ssh-agent)
- Required for many automation tools: Ansible, scripts, cron jobs
The exam tests key-based authentication. Know how to generate a key pair and deploy the public key to a remote host.
Generating an SSH Key Pair
Use ssh-keygen to generate a public and private key pair on your local system.
# Generate a key pair — accept defaults or choose your own path
$ ssh-keygen
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/student/.ssh/id_ed25519): [Enter]
Enter passphrase (empty for no passphrase): [passphrase or Enter]
Enter same passphrase again: [passphrase or Enter]
Your identification has been saved in /home/student/.ssh/id_ed25519
Your public key has been saved in /home/student/.ssh/id_ed25519.pub
# View the public key — this is what you share
$ cat ~/.ssh/id_ed25519.pub
ssh-ed25519 AAAAC3Nza...long-string... student@workstation| File | Contents | Share? |
|---|---|---|
~/.ssh/id_ed25519 | Private key — kept secret | Never |
~/.ssh/id_ed25519.pub | Public key — copied to servers | Yes |
Never copy, email, or share your private key file. If it is compromised, anyone who has it can authenticate as you on every server that holds your public key.
Deploying the Public Key
To use key-based authentication, copy your public key to the remote server's
~/.ssh/authorized_keys file.
The Easy Way: ssh-copy-id
# Copy your public key to the remote host — prompts for password once
$ ssh-copy-id student@servera
Number of key(s) added: 1
Now try logging into the machine with: ssh 'student@servera'
# Confirm key-based login works — no password prompt
$ ssh student@servera
[student@servera ~]$The Manual Way
# On the remote server — create the directory and file if missing
$ mkdir -p ~/.ssh
$ chmod 700 ~/.ssh
$ cat id_ed25519.pub >> ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keysssh-copy-id handles permissions automatically. Use it whenever possible.
If you append manually, always set 700 on ~/.ssh and
600 on authorized_keys — wrong permissions silently break key login.
SSH File Permissions
SSH is strict about file permissions. Wrong permissions silently disable key-based login without an error message that explains why.
| File or directory | Required permissions | Octal |
|---|---|---|
~/.ssh/ directory | Owner read, write, execute only | 700 |
~/.ssh/authorized_keys | Owner read and write only | 600 |
~/.ssh/id_ed25519 (private key) | Owner read only | 600 |
~/.ssh/id_ed25519.pub (public key) | Owner read and write | 644 |
~/.ssh/config | Owner read and write only | 600 |
# Check and fix SSH directory permissions
$ ls -la ~/.ssh/
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/id_ed25519If key login is not working, add -v to the ssh command for verbose output.
Look for "bad permissions" or "Authentication refused" messages.
The SSH Client Config File
The file ~/.ssh/config lets you define settings for each host so you do not
have to type long options every time you connect.
# ~/.ssh/config — one Host block per remote system
Host servera
HostName servera.lab.example.com
User student
Port 22
IdentityFile ~/.ssh/id_ed25519
Host jump
HostName bastion.example.com
User admin
Port 2222With that config in place, ssh servera uses all of those settings automatically.
| Config option | Equivalent ssh flag |
|---|---|
HostName | The actual hostname or IP to connect to |
User | -l username |
Port | -p 2222 |
IdentityFile | -i ~/.ssh/id_ed25519 |
Common ssh Options
| Option | Effect | Example |
|---|---|---|
-l user | Login as this username | ssh -l admin servera |
-p port | Connect to a non-default port | ssh -p 2222 servera |
-i keyfile | Use a specific private key | ssh -i ~/.ssh/id_rsa servera |
-v | Verbose — show connection debug output | ssh -v servera |
-X | Enable X11 forwarding (graphical apps) | ssh -X servera |
-L local:host:remote | Forward a local port to the remote side | ssh -L 8080:localhost:80 servera |
-N | Do not open a shell — use with port forwarding | ssh -N -L 8080:... servera |
-l, -p, -i, and -v are the options
most likely to appear on or be needed during the RHCSA exam.
Copying Files with scp and sftp
SSH includes two tools for transferring files securely over the same encrypted channel.
scp — Secure Copy
# Copy a local file to a remote host
$ scp report.txt student@servera:/home/student/
# Copy a remote file to the current local directory
$ scp student@servera:/etc/hostname .
# Copy a directory recursively
$ scp -r mydir/ student@servera:/tmp/sftp — Interactive File Transfer
# Open an interactive sftp session
$ sftp student@servera
sftp> ls
sftp> get remotefile.txt
sftp> put localfile.txt
sftp> exitUse scp for quick single-file transfers in scripts.
Use sftp when you need to browse the remote filesystem interactively
before deciding what to transfer.
The sshd Server
The sshd daemon runs on the remote system and listens for incoming SSH connections.
Its behaviour is controlled by /etc/ssh/sshd_config.
# Check whether sshd is running
$ systemctl status sshd
# Start, stop, or restart the daemon
$ sudo systemctl restart sshd
# View active (non-comment, non-blank) config lines
$ grep -vE '^(#|$)' /etc/ssh/sshd_config| sshd_config option | Default | Effect |
|---|---|---|
Port | 22 | Port the daemon listens on |
PermitRootLogin | prohibit-password | Allows root key login but not password login |
PasswordAuthentication | yes | Allow password-based login |
PubkeyAuthentication | yes | Allow key-based login |
AllowUsers | (not set) | Whitelist specific usernames |
Hardening the SSH Server
Two configuration changes significantly improve SSH security on production servers.
Disable Direct Root Login
# In /etc/ssh/sshd_config
PermitRootLogin no
# Reload sshd to apply
$ sudo systemctl reload sshdDisable Password Authentication
# Only do this after confirming key-based login works!
PasswordAuthentication no
$ sudo systemctl reload sshdNever disable password authentication until you have confirmed that key-based login works in a separate terminal window. If you lock yourself out of a remote server, recovery requires console access.
You may be asked to configure sshd_config options on the exam. Always reload
or restart sshd after edits and verify the service is still running.
Using ssh-agent
If your private key has a passphrase, ssh-agent stores the unlocked key in memory
so you only type the passphrase once per session.
# Start the agent and set environment variables
$ eval $(ssh-agent)
Agent pid 12345
# Add your private key to the agent — prompts for passphrase once
$ ssh-add ~/.ssh/id_ed25519
Enter passphrase for /home/student/.ssh/id_ed25519:
Identity added: /home/student/.ssh/id_ed25519
# All subsequent ssh connections use the key without prompting
$ ssh student@servera
[student@servera ~]$
# List keys currently loaded in the agent
$ ssh-add -lOn RHEL with a graphical desktop, GNOME Keyring acts as an SSH agent automatically. You are prompted for the passphrase the first time you use a key, and it is remembered for the rest of the desktop session.
Troubleshooting SSH Connections
| Symptom | Likely cause | Where to check |
|---|---|---|
| Connection refused | sshd is not running or firewall blocks port 22 | systemctl status sshd, firewall-cmd --list-all |
| Connection timed out | Network unreachable or host down | ping servera, check routing |
| Permission denied (password) | Wrong username or password; PasswordAuthentication disabled | /var/log/secure on the server |
| Permission denied (publickey) | Key not in authorized_keys; wrong permissions on ~/.ssh | ssh -v, check permissions, check authorized_keys |
| Host key changed warning | Server rebuilt; possible MITM attack | ssh-keygen -R hostname |
# First step for any SSH problem: verbose output
$ ssh -v student@servera
# Check the server auth log for rejected attempts
$ sudo tail /var/log/secureKnowledge Check
Answer these before moving to the next slide.
- What command connects you to
serveraas useradmin? - What file on the remote server must contain your public key for key-based login to work?
- What permissions must the
~/.ssh/directory have, and why? - What is the purpose of
ssh-copy-id? - You changed a setting in
/etc/ssh/sshd_config. What must you do next? - Key-based login is failing. What is the first command you should run to diagnose the problem?
Knowledge Check — Answers
ssh admin@serveraorssh -l admin servera- The public key must be in
~/.ssh/authorized_keyson the remote server, in the home directory of the user you are logging in as. - The
~/.ssh/directory must be700— readable and writable by the owner only, with no group or world permissions. SSH refuses to use keys if the directory or files are too permissive, to protect against other users reading your keys. ssh-copy-idcopies your public key to a remote server'sauthorized_keysfile and sets the correct permissions automatically, using password authentication for the one-time setup.- Reload or restart the sshd service:
sudo systemctl reload sshdorsudo systemctl restart sshd. Then confirm it is still running:systemctl is-active sshd - Run
ssh -v student@serverafor verbose client-side output. Also checksudo tail /var/log/secureon the server for the server-side view.
Key Takeaways
-
SSH encrypts all traffic — login, commands, and file transfers.
It replaced insecure tools like telnet. The client command is
ssh; the server daemon issshdlistening on port 22. -
Key-based authentication is preferred.
Generate a key pair with
ssh-keygen, deploy the public key withssh-copy-id, and connect without a password prompt. -
Permissions are enforced silently.
The
~/.ssh/directory must be700andauthorized_keysmust be600. Wrong permissions disable key login with no clear error message. -
Always test before closing your session.
After editing
sshd_config, reload sshd and verify it is running from a second terminal window — before closing your current connection.
Graded Lab
- Connect to
serveraasstudentusing password authentication and confirm your hostname withhostname - Generate an Ed25519 key pair on your workstation using
ssh-keygen - Deploy your public key to
serverausingssh-copy-id - Confirm key-based login works — connect to
serverawithout a password prompt - Create a
~/.ssh/configentry forserverawith your username and key file, then connect using justssh servera - On
servera, view the active lines of/etc/ssh/sshd_configusinggrepto filter out comments and blank lines
"Access remote systems using SSH." Key-based authentication and sshd configuration are the two most commonly tested SSH topics.