
SSH and Remote Access

Now that you've mastered local system administration, let's explore how to securely manage Ubuntu systems remotely. SSH (Secure Shell) is the standard protocol for secure remote access to Linux systems, allowing you to execute commands, transfer files, and manage servers from anywhere with network connectivity.

Learning Goals:

  • Understand SSH fundamentals and key-based authentication
  • Connect to remote systems using SSH
  • Securely transfer files with SCP and SFTP
  • Configure SSH server settings
  • Use SSH tunneling for secure connections

What is SSH?

SSH (Secure Shell) is a cryptographic network protocol that provides secure communication over unsecured networks. It encrypts all traffic between client and server, preventing eavesdropping, connection hijacking, and other attacks.

SSH typically uses TCP port 22 and provides:

  • Secure remote command execution
  • Secure file transfers
  • Port forwarding and tunneling
  • X11 forwarding (for graphical applications)

Basic SSH Connection

The simplest way to connect to a remote system is using password authentication:

Basic SSH connection
ssh username@hostname-or-ip

For example, to connect to a server at 192.168.1.100 as user "admin":

Connect to specific server
ssh admin@192.168.1.100

If it's your first time connecting to a host, you'll see a fingerprint verification prompt:

First connection fingerprint
The authenticity of host '192.168.1.100 (192.168.1.100)' can't be established.
ECDSA key fingerprint is SHA256:AbCdEfGhIjKlMnOpQrStUvWxYz0123456789.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
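
Tip: Type yes to accept the fingerprint and add it to your ~/.ssh/known_hosts file. On subsequent connections SSH compares the server's key against this stored entry, which prevents man-in-the-middle attacks. The first connection has no such protection unless you check the displayed fingerprint against one obtained from a trusted source.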

SSH Key-Based Authentication

While password authentication works, key-based authentication is more secure and convenient. It uses cryptographic key pairs instead of passwords.

Generating SSH Key Pairs

Create a new SSH key pair on your local machine:

Generate SSH key pair
ssh-keygen -t ed25519 -C "your_email@example.com"

Or for broader compatibility:

Generate RSA key pair
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

You'll be prompted for:

  • File to save the key (default: ~/.ssh/id_ed25519)
  • Passphrase (recommended for extra security)

Copying Public Key to Remote Server

Transfer your public key to the remote server:

Copy public key using ssh-copy-id
ssh-copy-id username@hostname-or-ip

Or manually:

Manual key copy method
cat ~/.ssh/id_ed25519.pub | ssh username@hostname "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Warning: Ensure proper permissions on the remote server:

  • ~/.ssh directory: 700 (drwx------)
  • ~/.ssh/authorized_keys file: 600 (-rw-------)
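
The manual copy method and the permissions from the warning above, combined into one server-side routine that is safe to run more than once. This is an added example, not part of the original tutorial: install_pubkey and modes are hypothetical helper names, the key is a constructed sample, and stat -c assumes GNU coreutils as shipped on Ubuntu.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). install_pubkey and modes are
# hypothetical helper names; run install_pubkey on the server side.

install_pubkey() {  # usage: install_pubkey <pubkey-file> <home-dir>
  local pub=$1 home=$2 key
  key=$(head -n 1 "$pub") || return 1
  # Refuse input that does not start like a public key, e.g. a private
  # key file ("-----BEGIN OPENSSH PRIVATE KEY-----") passed by mistake.
  case $key in
    ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
    *) echo "not a public key: $pub" >&2; return 1 ;;
  esac
  (
    umask 077                                # anything created is owner-only
    mkdir -p "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 700 "$home/.ssh"                   # repair modes that already existed
    chmod 600 "$home/.ssh/authorized_keys"
    # -x whole line, -F fixed string: append only when the key is not yet there
    grep -qxF "$key" "$home/.ssh/authorized_keys" ||
      printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
  )
}

modes() {  # print "<.ssh mode> <authorized_keys mode>" (GNU stat, as on Ubuntu)
  echo "$(stat -c %a "$1/.ssh") $(stat -c %a "$1/.ssh/authorized_keys")"
}

# Demo in a throwaway directory with a constructed (non-functional) key.
demo=$(mktemp -d)
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKey you@example.com' > "$demo/id.pub"
mkdir -p "$demo/home/.ssh" && chmod 755 "$demo/home/.ssh"   # loose, pre-existing
install_pubkey "$demo/id.pub" "$demo/home"
install_pubkey "$demo/id.pub" "$demo/home"                  # second run adds nothing
modes "$demo/home"
rm -rf "$demo"
```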

SSH Configuration File

Create an SSH config file to simplify connections and manage multiple hosts:

~/.ssh/config example
Host myserver
    HostName 192.168.1.100
    User admin
    Port 22
    IdentityFile ~/.ssh/id_ed25519

Host github.com
    User git
    IdentityFile ~/.ssh/github_key

Host *.example.com
    User deploy
    Port 2222

With this configuration, you can simply use:

Simplified connection using config
ssh myserver

File Transfer with SCP and SFTP

Secure Copy (SCP)

Copy files to/from remote systems:

Copy file to remote server
scp localfile.txt username@hostname:/path/to/destination/

Copy file from remote server
scp username@hostname:/path/to/file.txt /local/destination/

Copy directory recursively
scp -r localdir/ username@hostname:/remote/path/

SSH File Transfer Protocol (SFTP)

Interactive file transfer session:

Start SFTP session
sftp username@hostname

Common SFTP commands:

Common SFTP commands
# Inside SFTP session
ls # List remote files
lls # List local files
cd /remote/path # Change remote directory
lcd /local/path # Change local directory
put localfile # Upload file
get remotefile # Download file
mkdir newdir # Create remote directory
exit # End session

SSH Server Configuration

The SSH server configuration is in /etc/ssh/sshd_config. Key security settings:

Important sshd_config settings
# Disable root login
PermitRootLogin no

# Restrict allowed users
AllowUsers admin deploy backup

# Use key authentication only
PasswordAuthentication no

# Change default port (optional)
Port 2222

# Limit authentication attempts
MaxAuthTries 3

# Enable X11 forwarding (only if you need remote graphical applications; otherwise set to no)
X11Forwarding yes

After modifying the configuration:

Reload SSH server configuration
sudo systemctl reload ssh

Note: Always test SSH connections from another session before closing your current one when making security-related changes.
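
One way to check a configuration file against the settings listed above before reloading, as an added example that is not part of the original tutorial. The names effective, audit_sshd_config and sample_config are hypothetical and the sample file is constructed; the parser reads a single file with whitespace-separated keywords and does not follow Include lines.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit one sshd_config-style file.

# Print the effective global value of a keyword. Keywords are case-insensitive,
# the first obtained value wins, and lines after "Match" are conditional.
# Assumes whitespace-separated "Keyword value" lines; Include is not followed.
effective() {  # usage: effective <file> <keyword>
  awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    NF == 0 || $1 ~ /^#/ { next }           # skip blank lines and comments
    tolower($1) == "match" { exit }         # stop at the first Match block
    tolower($1) == want { print $2; exit }  # first occurrence is the one used
  ' "$1"
}

# Print one finding per line; return 1 if a hardening check fails.
audit_sshd_config() {  # usage: audit_sshd_config <file>
  local file=$1 rc=0 v
  v=$(effective "$file" PermitRootLogin)
  [ "$v" = "no" ] || { echo "FAIL PermitRootLogin=${v:-unset}"; rc=1; }
  v=$(effective "$file" PasswordAuthentication)
  [ "$v" = "no" ] || { echo "FAIL PasswordAuthentication=${v:-unset}"; rc=1; }
  v=$(effective "$file" MaxAuthTries)
  { [ -n "$v" ] && [ "$v" -le 3 ]; } 2>/dev/null ||
    { echo "FAIL MaxAuthTries=${v:-unset}"; rc=1; }
  v=$(effective "$file" X11Forwarding)
  [ "$v" = "yes" ] && echo "WARN X11Forwarding=yes (only needed for graphical apps)"
  return $rc
}

sample_config() {  # constructed sample, not taken from a real server
  cat <<'EOF'
PermitRootLogin no
passwordauthentication yes
MaxAuthTries 3
X11Forwarding yes
# Appended later to "fix" the file; ignored because the first value wins.
PasswordAuthentication no
Match User backup
  PermitRootLogin yes
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_sshd_config "$tmp" || echo "audit failed: see FAIL lines above"
rm -f "$tmp"
```

On a real server, sudo sshd -t checks the configuration for syntax errors and sudo sshd -T prints the effective settings, including any included files.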

SSH Tunneling and Port Forwarding

SSH can create secure tunnels for other protocols.

Local Port Forwarding

Forward local port to remote service:

Local port forwarding
ssh -L 8080:localhost:80 username@hostname

This forwards your local port 8080 to the remote server's port 80.

Remote Port Forwarding

Make a local service accessible from the remote server:

Remote port forwarding
ssh -R 9000:localhost:3306 username@hostname

This makes your local port 3306 accessible on the remote server as port 9000.

Common Pitfalls

  • Permission issues: SSH is very strict about file permissions. Ensure ~/.ssh is 700 and keys are 600
  • Host key changes: If you get "host key verification failed," the server's key may have changed legitimately (for example, after a reinstall), or the mismatch may indicate a man-in-the-middle attack
  • Firewall blocking: Ensure port 22 (or your custom port) is open in both local and remote firewalls
  • Authentication failures: Double-check usernames, ensure password authentication is enabled if using passwords, or verify key permissions
  • Connection timeouts: Verify network connectivity, DNS resolution, and that the SSH service is running on the remote host

Summary

SSH provides secure remote access to Linux systems through encrypted connections. Key-based authentication offers better security than passwords, while SSH config files simplify managing multiple connections. SCP and SFTP enable secure file transfers, and SSH tunneling can secure other network protocols. Proper SSH server configuration is crucial for maintaining system security.

Quiz

  1. What command generates a new SSH key pair using the Ed25519 algorithm?

    • A) ssh-keygen -a ed25519
    • B) ssh-keygen -t ed25519
    • C) ssh-keygen --type ed25519
    • D) ssh-keygen -algo ed25519
  2. Which permission should the ~/.ssh/authorized_keys file have?

    • A) 644 (-rw-r--r--)
    • B) 600 (-rw-------)
    • C) 755 (drwxr-xr-x)
    • D) 700 (drwx------)
  3. What does the SSH config entry Host myserver followed by HostName 192.168.1.100 accomplish?

    • A) Creates a new host called myserver
    • B) Allows connecting with ssh myserver instead of ssh 192.168.1.100
    • C) Blocks connections to 192.168.1.100
    • D) Sets up port forwarding automatically
  4. Which command securely copies a directory from a remote server to your local machine?

    • A) scp -r username@hostname:/remote/dir/ /local/path/
    • B) scp username@hostname:/remote/dir/ /local/path/
    • C) sftp get -r /remote/dir/
    • D) ssh-copy-dir username@hostname:/remote/dir/
  5. What is the purpose of ssh -L 3306:localhost:3306 username@hostname?

    • A) Forwards remote port 3306 to local port 3306
    • B) Forwards local port 3306 to remote port 3306
    • C) Connects to MySQL database directly
    • D) Enables X11 forwarding for port 3306

Answers:

  1. B) ssh-keygen -t ed25519
  2. B) 600 (-rw-------)
  3. B) Allows connecting with ssh myserver instead of ssh 192.168.1.100
  4. A) scp -r username@hostname:/remote/dir/ /local/path/
  5. B) Forwards local port 3306 to remote port 3306