Connecting to a remote machine via SSH
Wednesday, 08 April 2009 16:15

If you want to connect to a remote machine's OpenSSH server from your local Debian machine using a terminal, Nautilus or GFTP, you must have the openssh-client package installed.

This package provides the ssh, scp and sftp clients, the ssh-agent and ssh-add programs to make public key authentication more convenient, and the ssh-keygen, ssh-keyscan, ssh-copy-id and ssh-argv0 utilities.

 

If you have not installed it yet, install it now (as root):

apt-get install openssh-client

Read the OpenSSH SSH client manual pages here

RSA Key Authentication

If you want passwordless login to the remote machine, you need a public/private key pair for authentication. OpenSSH accepts RSA and DSA keys; this tutorial uses RSA, and so should you: DSA keys are fixed at 1024 bits and recent OpenSSH releases refuse them by default.

I usually use a 2048-bit RSA key pair with a passphrase for SSH2 protocol connections. Use the SSH2 protocol both on your local machine and on the remote machine.

You can generate an RSA key pair for the SSH2 protocol with OpenSSH's ssh-keygen or with PuTTYgen (but PuTTY's .ppk private key format is not compatible with the OpenSSH key format, so you have to convert it: load the key in PuTTYgen and use Conversions > Export OpenSSH key).

ssh-keygen generates a 2048-bit RSA key pair by default and prompts for a passphrase (it accepts an empty one, but then anyone who copies the file can use the key), so open a terminal and type:

ssh-keygen

ssh-keygen generates the key and asks for the file in which to save it. Press Enter to accept the default:

/home/user/.ssh/id_rsa

(where user is your login name). This is the default location of the RSA private key; ssh looks for it automatically, so keep the name unless you configure another one.

ssh-keygen then asks for the passphrase for this key, twice:

enter your passphrase
confirm your passphrase

Choose a real passphrase: the private key file is encrypted with it, so a copy of the file alone is useless to whoever steals it.

Now your RSA key pair has been generated and saved: the private key is stored in /home/user/.ssh/id_rsa and the public key in /home/user/.ssh/id_rsa.pub.

If you want to use an RSA key pair generated by another system's keygen, copy the key pair to your local machine: the private key to /home/user/.ssh/id_rsa and the public key to /home/user/.ssh/id_rsa.pub (note the underscore: ssh looks for id_rsa, not id-rsa). Bear in mind that every machine holding a copy of the private key can log in as you, so it is usually better to generate a separate key pair on each machine and authorize each public key on the server.

Important!

Your private key must be readable only by you and not accessible by others (ssh refuses a private key that is group- or world-readable, and ssh-add silently ignores it):

chmod 600 /home/user/.ssh/id_rsa

Your public key can (but need not) be readable by anyone:

chmod 644 /home/user/.ssh/id_rsa.pub

Keep the /home/user/.ssh directory itself at mode 700 as well.

Your public key (the single line in id_rsa.pub) must be appended to the authorized_keys file of the account you log in to on the remote machine, /home/user/.ssh/authorized_keys there; the ssh-copy-id utility from the package description above does this over an ordinary password login. sshd checks permissions too: with its default StrictModes setting it ignores authorized_keys when the remote ~/.ssh or the file itself is group- or world-writable, so keep them at 700 and 600 on the server.
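The steps above, from key generation to the permission rules, as one script. This is an added example, not code from the original page: it assumes the OpenSSH client is installed, the key is named id_rsa, the script is saved as ssh-key-setup.sh, and the remote account is user@servername; the check functions apply the same permission test that ssh and ssh-add make before using a key.

```shell
#!/bin/sh
# Added example (not code from the original page): create a passphrase-protected
# 2048-bit RSA key, lock down ~/.ssh, and check the permissions that ssh and
# ssh-add insist on before they will use a private key.
# Assumptions: OpenSSH client installed, key file name id_rsa, remote account
# given as user@servername.
set -eu

SSH_DIR="${HOME:-.}/.ssh"

# Numeric owner uid of a path as printed by ls -n (portable, no GNU stat).
owner_uid() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# Return 0 only if the private key is a regular file owned by the current user
# with no group/other permission bits (mode 600 or 400). ssh-add silently
# ignores keys that fail this test, and ssh refuses them with
# "UNPROTECTED PRIVATE KEY FILE!".
key_perms_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        -rw-------|-r--------) ;;
        *) return 1 ;;
    esac
    [ "$(owner_uid "$1")" = "$(id -u)" ]
}

# ~/.ssh must be 700 and owned by the user. The same rule applies on the
# server: sshd with StrictModes (the default) ignores authorized_keys inside a
# group- or world-writable ~/.ssh.
ssh_dir_perms_ok() {
    [ -d "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ] &&
        [ "$(owner_uid "$1")" = "$(id -u)" ]
}

lockdown() {
    mkdir -p "$SSH_DIR"
    chmod 700 "$SSH_DIR"
    for f in id_rsa authorized_keys; do
        if [ -f "$SSH_DIR/$f" ]; then chmod 600 "$SSH_DIR/$f"; fi
    done
    if [ -f "$SSH_DIR/id_rsa.pub" ]; then chmod 644 "$SSH_DIR/id_rsa.pub"; fi
}

generate_key() {
    # Explicit type and size instead of relying on the defaults; -C labels the
    # public key so it can be recognised in authorized_keys later. ssh-keygen
    # prompts for the passphrase: do not leave it empty.
    ssh-keygen -t rsa -b 2048 -C "$(id -un)@$(uname -n)" -f "$SSH_DIR/id_rsa"
}

# Append id_rsa.pub to the remote account's authorized_keys over an ordinary
# password login; ssh-copy-id ships with openssh-client.
install_pubkey() {
    ssh-copy-id -i "$SSH_DIR/id_rsa.pub" "$1"
}

case "${1:-check}" in
    generate) lockdown; generate_key; lockdown ;;
    install)  install_pubkey "${2:?usage: $0 install user@servername}" ;;
    check)
        if ssh_dir_perms_ok "$SSH_DIR" && key_perms_ok "$SSH_DIR/id_rsa"; then
            echo "ok: $SSH_DIR/id_rsa is usable by ssh and ssh-add"
        else
            echo "not ok: run '$0 generate', or chmod 700 $SSH_DIR and chmod 600 $SSH_DIR/id_rsa"
        fi ;;
    *) echo "usage: $0 [generate|install user@servername|check]" >&2; exit 2 ;;
esac
```

Run sh ssh-key-setup.sh generate to create the key, sh ssh-key-setup.sh install user@servername to push the public key over a password login, and sh ssh-key-setup.sh check (the default) to confirm the files are in a state ssh and ssh-add will accept. The permission test reads the mode string from ls rather than stat so it behaves the same on any POSIX system.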

Read the ssh-keygen manual here

ssh-agent

OpenSSH's ssh-agent holds private keys used for public key authentication (RSA, DSA).
ssh-agent is started at the beginning of an X session or a login session, and all other windows or programs are started as clients of the ssh-agent program.
Through use of environment variables the agent can be located and automatically used for authentication when logging in to other machines using SSH.
The agent initially does not have any private keys. Keys are added using ssh-add.

Read the ssh-agent manual here

ssh-add

Private keys are added to the ssh-agent using ssh-add. When executed without arguments, ssh-add adds the files ~/.ssh/id_rsa, ~/.ssh/id_dsa and ~/.ssh/identity.
If the private key has a passphrase, ssh-add asks for the passphrase (using a small X11 application if running under X11, or from the terminal if running without X).
It then sends the private key to the agent. Several private keys can be stored in the agent; the agent can automatically use any of these private keys.
Private keys should not be readable by anyone but the user. Note that ssh-add ignores private keys if they are accessible by others.

Read the ssh-add manual here

Add your private key to the ssh-agent

Now add your private key to the ssh-agent: open a terminal and type:

ssh-add

ssh-add asks for the passphrase of your default private key, /home/user/.ssh/id_rsa, then adds the key to the ssh-agent. If it answers "Could not open a connection to your authentication agent", no agent is running in this session (see the ssh-agent section above).
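A session-scoped agent workflow, as an added example that is not from the original page: it assumes the file is saved as ssh-agent-session.sh and sourced from ~/.profile or ~/.bashrc, and that the default key lives at ~/.ssh/id_rsa; ssh-agent -s/-k and ssh-add -t/-c/-l are standard OpenSSH options.

```shell
#!/bin/sh
# Added example (not code from the original page): keep one agent per login
# session, load the default key with a lifetime, and make the agent die with
# the session. Meant to be sourced from ~/.profile or ~/.bashrc; paths are the
# tutorial's placeholders. No "set -e" here because it would also affect the
# shell that sources the file.

# An agent is usable when SSH_AUTH_SOCK points at an existing socket
# (a GNOME session usually provides one already; reuse it instead of
# starting a second agent that holds the same keys).
agent_reachable() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Extract the pid from the shell snippet that "ssh-agent -s" prints, e.g.
#   SSH_AUTH_SOCK=/tmp/ssh-abc/agent.123; export SSH_AUTH_SOCK;
#   SSH_AGENT_PID=124; export SSH_AGENT_PID;
agent_pid_from_output() {
    printf '%s\n' "$1" | sed -n 's/^SSH_AGENT_PID=\([0-9][0-9]*\);.*/\1/p'
}

start_agent_if_needed() {
    if agent_reachable; then
        echo "reusing agent at $SSH_AUTH_SOCK"
        return 0
    fi
    out=$(ssh-agent -s) || return 1
    eval "$out"                       # exports SSH_AUTH_SOCK and SSH_AGENT_PID
    # Kill this agent when the shell exits; otherwise a key-holding agent and
    # its socket outlive the session that started it.
    trap 'ssh-agent -k >/dev/null 2>&1' EXIT
    echo "started agent pid $(agent_pid_from_output "$out")"
}

# Usage: load_key [keyfile]. -t makes the agent forget the key after 8 hours
# even if the session lives on; add -c to be asked (via ssh-askpass) before
# every use, which limits what someone who reaches the socket can do with it.
load_key() {
    ssh-add -t 8h "${1:-${HOME:-.}/.ssh/id_rsa}"
}

# Run the workflow once when executed directly on a terminal; when the file is
# sourced, call the two functions yourself.
if [ -t 0 ] && [ "${0##*/}" = "ssh-agent-session.sh" ]; then
    start_agent_if_needed
    load_key
    ssh-add -l                        # fingerprints now held by the agent
fi
```

Sourcing the file (. ~/.ssh/ssh-agent-session.sh) and then calling start_agent_if_needed and load_key gives every terminal of the session the same agent; because the exported variables live in the login shell, the EXIT trap there is what removes the agent, and the lifetime from -t bounds how long the decrypted key stays in memory if the shell is left open.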

One RSA key pair

If you use a single RSA key pair for every remote SSH server you connect to, it is simple.

In the previous step you added your private key to the ssh-agent using ssh-add; now open a terminal and connect to the remote machine:

ssh user@servername

This connects to port 22 unless another Port is set for that host in your ~/.ssh/config or in the system-wide /etc/ssh/ssh_config.

If the server listens on another port, give it on the command line:

ssh -p portnumber user@servername

Or set it once for that host under a Host entry in ~/.ssh/config; changing /etc/ssh/ssh_config alters the default for every connection by every user on the machine.

That's all, you are logged in to the remote machine. On the very first connection ssh shows the server's host key fingerprint and asks whether to continue: compare it with a fingerprint obtained from the server's administrator before answering yes, because the key is then saved in ~/.ssh/known_hosts and used from then on to detect a changed or impersonated server.

To log out of the remote machine, type exit and press Enter.

Multiple RSA key pairs

Most people get by perfectly well with just one RSA key pair, but you can use several, like me, if you want.

If you have different RSA key pairs for different accounts on one remote machine (e.g. one for adminuser, one for sftpuser, one for backupuser), or different RSA key pairs for different remote machines, you can add all the private keys to the ssh-agent using ssh-add.

For example, if you have different RSA key pairs for adminuser, sftpuser and backupuser on two remote machines, and the private keys are stored in:
/home/user/.ssh/id-server1-adminuser
/home/user/.ssh/id-server1-sftpuser
/home/user/.ssh/id-server2-backupuser

Type in a terminal:

ssh-add /home/user/.ssh/id-server1-adminuser
ssh-add /home/user/.ssh/id-server1-sftpuser
ssh-add /home/user/.ssh/id-server2-backupuser

ssh-add asks for the passphrase of each private key; enter them.

Now all your private keys are added to the ssh-agent.

You can list the keys that have been added:

ssh-add -l

lists the fingerprints of all private keys currently held by the agent.

ssh-add -L

lists the public key parameters of all private keys currently held by the agent.

ssh-agent holds these private keys for the current login session, so you do not have to enter a passphrase for every connection. When you log out, the agent exits and the keys are gone from memory; to drop them earlier, for example before leaving a terminal unattended, run ssh-add with the -D option.
After the next login the agent starts out empty again. ssh still finds the default private key /home/user/.ssh/id_rsa (and any further files named with the IdentityFile option in ssh_config) without the agent, but then it asks for the passphrase on every connection; run ssh-add again to cache the keys for the session.

If you added the private key(s) to ssh-agent, you can start SSH connection with any of your private keys.

For example, if you have the identity adminuser for server1 and you added adminuser's private key to the ssh-agent with ssh-add, type in a terminal:

ssh adminuser@server1

This connects to port 22 unless another Port is set for that host in ~/.ssh/config or /etc/ssh/ssh_config.

If the server listens on another port, give it on the command line:

ssh -p portnumber adminuser@server1

Or set it once for that host under a Host entry in ~/.ssh/config rather than changing the system-wide default in /etc/ssh/ssh_config.

If you do not want to add your private key to the ssh-agent, use the -i option, which selects a private key file:

ssh -i /home/user/.ssh/id-server1-adminuser adminuser@server1

Now enter the passphrase for this private key, because it is not stored in the ssh-agent. Note that -i only adds the file to the keys ssh tries; keys already loaded in the agent are offered as well. If the server must be shown that one key only, add -o IdentitiesOnly=yes.

If the passphrase is correct, you are logged in to the remote machine.

To log out of the remote machine, type exit and press Enter.

You can also use the sftp and scp commands, but I cannot give you any useful information about them, because I don't use scp and I use GFTP and Nautilus as sftp clients.

ssh_config file

In /etc/ssh/ssh_config you specify system-wide defaults for outgoing SSH connections, and in ~/.ssh/config your own; both let you group parameters per remote machine (address, username, port number, private key, etc.) under Host entries, so that a short alias replaces a long command line.

Since I usually use ssh_config file's default parameters, I cannot give you any useful suggestions regarding ssh_config file.

Read the ssh_config manual pages here
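A ~/.ssh/config for the three identities from the multiple-key-pair section, written by a function so the result can be checked. This is an added example, not from the original page; the aliases server1-admin, server1-sftp and server2-backup, the port 2222 for server2 and the output path ./ssh_config.example are assumptions, while the key file names are the ones used above.

```shell
#!/bin/sh
# Added example (not code from the original page): a per-user ssh config for
# the three identities used above (adminuser and sftpuser on server1,
# backupuser on server2). Host names, ports and key paths are the tutorial's
# placeholders; the aliases (server1-admin etc.) are assumptions.
set -eu

# Write the config to $1. Each Host alias binds user, port and exactly one
# key. IdentitiesOnly yes stops ssh from also offering every key loaded in the
# agent: with several agent keys, sshd's MaxAuthTries (6 by default) can be
# used up before the right key is reached, and each server gets to see the
# public keys of all your other identities.
write_ssh_config() {
    mkdir -p "$(dirname "$1")"
    cat > "$1" <<'EOF'
Host server1-admin
    HostName server1
    User adminuser
    Port 22
    IdentityFile ~/.ssh/id-server1-adminuser
    IdentitiesOnly yes

Host server1-sftp
    HostName server1
    User sftpuser
    Port 22
    IdentityFile ~/.ssh/id-server1-sftpuser
    IdentitiesOnly yes

Host server2-backup
    HostName server2
    User backupuser
    Port 2222
    IdentityFile ~/.ssh/id-server2-backupuser
    IdentitiesOnly yes

# Everything else: ssh falls back to the default ~/.ssh/id_rsa, and because of
# IdentitiesOnly it will not also offer the three keys above to unrelated hosts.
Host *
    IdentitiesOnly yes
EOF
    chmod 600 "$1"
}

# Read option $2 from the "Host $1" stanza of config $3 without invoking ssh.
# (For the settings ssh actually resolves, including "Host *" merging, use
# "ssh -G alias".)
config_value() {
    awk -v host="$1" -v key="$2" '
        $1 == "Host" { inside = ($2 == host); next }
        inside && tolower($1) == tolower(key) { print $2; exit }
    ' "$3"
}

# Write into the current directory rather than over a real ~/.ssh/config;
# review the file, then move it into place.
out="${1:-./ssh_config.example}"
write_ssh_config "$out"
echo "wrote $out; review it, then: mv $out ~/.ssh/config"
echo "server2-backup connects as $(config_value server2-backup User "$out") on port $(config_value server2-backup Port "$out")"
if command -v ssh >/dev/null 2>&1; then
    # Effective settings as ssh resolves them (OpenSSH 6.8 or later):
    ssh -G -F "$out" server2-backup | grep -E '^(user|port|identityfile|identitiesonly) ' || true
fi
```

With this file in place, ssh server2-backup is equivalent to ssh -p 2222 -i ~/.ssh/id-server2-backupuser -o IdentitiesOnly=yes backupuser@server2, and the same aliases work for sftp and scp. IdentityFile is the one option that accumulates across matching Host stanzas, which is why the Host * block names no key file: otherwise every host would be offered that key too.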

Gftp

Gftp is able to work as a sftp client.

You are able to connect to the remote machine only if the user's private key has been added to the ssh-agent.

Setup Gftp

Go to FTP > Options... > Network and select SSH2 in the Default Protocol field.

Because you use passwordless RSA key authentication to log in to your remote machine,

go to FTP > Options... > SSH and untick Need SSH User/Pass.

In the main Gftp window add the following:

Host: the remote machine's address
Port: the remote machine's SSH port number
User: username

Now, you can connect to the remote machine.

Gnome/Nautilus

Nautilus is also able to work as a sftp client.

You are able to connect to the remote machine only if the user's private key has been added to the ssh-agent.

1. Go to Places > Connect to Server..., or open the file browser and go to File > Connect to Server...

In the popup window add the following:

Service Type: SSH
Server: remote machine's address
Port: remote machine's SSH port number
Username: username

If you use the default port (22, unless your ssh_config sets another one), you can leave the port field empty.

Now Click connect.

2. Go > Location...

Open Nautilus and go to Go > Location...

In the Location bar, type the remote machine's address and SSH port number in the following format:

sftp://user@servername:ssh-port-number (e.g. sftp://user@servername:22)

If you use the default port (22, unless your ssh_config sets another one), you can leave the port number out.

Once connected to the remote machine, you can move, copy, etc. files and directories between the remote and the local machine.

Oh God, this howto has been so long and complicated.

 

Tags: SSH - RSA - ssh-keygen - ssh-agent - ssh-add - OpenSSH - sftp - Terminal - Gftp - Nautilus - Gnome - Linux - Debian - tip - tutorial - howto
Last Updated ( Friday, 22 January 2010 21:53 )
 
