Linux – Advanced SSH
SSH or Secure Shell is a network protocol that enables secure connections. It is heavily used to connect to servers, make changes, upload things, and exit. Sometimes these actions happen via tools and sometimes directly via the terminal. If you are tired of repeatedly entering your password or need to do something more interesting than just logging in, read on.
In order to change the configuration of the SSH server, you need root access, either by logging in as root or via a user with sudo rights. System-wide changes in /etc/ssh/sshd_config only take effect after you reload or restart the SSH service. Before doing so, run sshd -t: it checks the file for syntax errors, and a broken config can leave the daemon unable to start and you unable to log back in. Keep your current session open until a fresh login succeeds. SSH keypairs let you authenticate to your Linux virtual machine without a password, with the added security of public-key authentication.
Create an SSH key pair
Use the ssh-keygen command on your PC (if Linux) to generate the public and private key files, which by default land in the ~/.ssh directory. You can specify a different location and a passphrase (a password protecting the private key file) when prompted. If a key pair already exists at that location, ssh-keygen asks before overwriting it; answering yes destroys the old private key. The key is generated for the user who invokes the command.
ssh-keygen -t rsa -b 2048
2048-bit RSA is the minimum worth accepting today. Unless you must talk to very old servers, prefer -t ed25519, which gives a shorter, faster key with no key-size parameter to get wrong; if RSA is required, use -b 4096.
Copy your key
If you are not familiar with the format of a public key, you can display yours by running cat as follows, replacing ~/.ssh/id_rsa.pub with your own public key file location:
cat ~/.ssh/id_rsa.pub
Copy the single line that the command prints and paste it on a new line in the ~/.ssh/authorized_keys file on your VPS. The line must stay intact (no wrapping). sshd ignores the file if your home directory, ~/.ssh or authorized_keys is writable by other users (the StrictModes setting, on by default), so use mode 0700 for ~/.ssh and 0600 for authorized_keys; a wrong mode shows up as a password prompt instead of a key login.
There is also an easier option if you are using ssh from a Linux PC: ssh-copy-id copies the key and sets the permissions for you. Replace user and yourserver.tld with your own:
ssh-copy-id user@yourserver.tld
You will get the usual password prompt, but if things work, that will be the last time you need to type it in.
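As an added example (mine, not part of the original page), here is what ssh-copy-id does on the server side, written out as a small POSIX shell function so you can run it by hand over an existing session or from a provisioning script. It also shows the check that is missing when key login "silently" falls back to a password. The function names install_pubkey and check_modes, the throwaway home directory and the sample key line are this example's own; the sample key is constructed and not a real key.

```shell
#!/bin/sh
# Added example: the server-side half of "copy your key", done by hand.
# Equivalent to what ssh-copy-id performs after it logs in with a password.

# install_pubkey PUBKEY_LINE [HOME_DIR]
#   Appends PUBKEY_LINE to HOME_DIR/.ssh/authorized_keys once (re-running it
#   does not create duplicates) and sets the modes that sshd's default
#   "StrictModes yes" expects: ~/.ssh 0700, authorized_keys 0600.
#   A group- or world-writable ~/.ssh makes sshd ignore the file, which
#   shows up as a password prompt instead of a key login.
install_pubkey() {
    pubkey="$1"
    home="${2:-$HOME}"
    sshdir="$home/.ssh"
    akeys="$sshdir/authorized_keys"

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$akeys"
    chmod 600 "$akeys"

    # Match on key type and base64 blob only, ignoring the trailing comment,
    # so a key copied earlier under a different comment still counts as
    # present. (Lines with leading options such as command="..." are not
    # matched by this simplified comparison.)
    blob=$(printf '%s\n' "$pubkey" | awk '{print $1, $2}')
    if awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$akeys"; then
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$akeys"
}

# check_modes [HOME_DIR]
#   Returns 0 when ~/.ssh and authorized_keys carry the modes sshd expects.
check_modes() {
    home="${1:-$HOME}"
    [ "$(ls -ld "$home/.ssh" | cut -c1-10)" = "drwx------" ] &&
    [ "$(ls -l "$home/.ssh/authorized_keys" | cut -c1-10)" = "-rw-------" ]
}

# Constructed sample (not a real key; on your PC the line comes from
# cat ~/.ssh/id_ed25519.pub). A throwaway directory stands in for the
# user's home on the VPS.
sample_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDSAMPLEKEYNOTAREALKEY user@laptop'
demo_home=$(mktemp -d)
install_pubkey "$sample_key" "$demo_home"
install_pubkey "$sample_key" "$demo_home"      # second run changes nothing
wc -l < "$demo_home/.ssh/authorized_keys"     # 1
check_modes "$demo_home" && echo "modes ok"
```

On a real VPS, call install_pubkey with the line from your own .pub file and no second argument; check_modes is the first thing to run when a key that is definitely in authorized_keys still gets you a password prompt.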
Sometimes you need to keep a connection alive because a firewall or NAT device drops connections it considers idle. Three directives control how a connection is kept up and how quickly a dead one is noticed.
- TCPKeepAlive can be used in both the SSH client and daemon configuration files. It controls whether TCP-level keepalive probes are sent; the default is TCPKeepAlive yes. With the probes on, a crashed peer or a dead connection is noticed instead of leaving the session hanging forever. The probes are plain TCP segments outside the encrypted channel, so they can be spoofed and a middlebox can answer them on the peer's behalf. Some users set TCPKeepAlive no when their firewall keeps terminating the session or their link suffers from brief connection drops that they would rather the session survive.
- ServerAliveInterval, in the client configuration, is the number of seconds of inactivity after which the client sends a message through the encrypted channel asking the server to respond. The default is 0, which disables these messages; an idle session then depends on TCPKeepAlive alone and may be cut by a NAT or firewall once its idle timeout expires. ServerAliveCountMax (default 3) is how many of these messages may go unanswered in a row before the client gives up and closes the connection.
- ClientAliveInterval is the server-side counterpart, set in the SSH daemon configuration file /etc/ssh/sshd_config. It is the number of seconds of inactivity after which the server sends a message to the client; 0 (the default) disables it. ClientAliveCountMax (default 3) is how many unanswered messages the server tolerates before it terminates the connection. Because these messages travel inside the encrypted channel they cannot be spoofed the way TCP keepalives can, which is why they are the preferred way to detect a dead client on the server.
A client's SSH config file (~/.ssh/config) that applies the same keep-alive settings to all hosts looks like this:
Host *
    ServerAliveInterval 30
    ServerAliveCountMax 10
This configuration means that after 30 seconds without traffic the client sends an alive message, and it tolerates 10 consecutive unanswered messages, so a dead server is given up on after roughly 300 seconds of silence while a merely busy network keeps the session open. Pick an interval shorter than your firewall's idle timeout, or the keep-alive never gets a chance to fire.
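Rather than trusting what a config file seems to say, check the values the running programs actually use: sshd -T (run as root) prints the server's resolved configuration and ssh -G host prints the client's, one lowercase keyword and value per line, with Match blocks, Include files and drop-ins already applied. The following added example (my own, not from the original page) parses that output and reports the effective idle-disconnect timeout, applying OpenSSH's defaults of 0 for the interval and 3 for the count. The function name alive_timeout and the sample output lines are this example's own.

```shell
#!/bin/sh
# Added example: derive the effective "dead peer" timeout from the resolved
# configuration printed by `sshd -T` (server side) or `ssh -G host` (client
# side). Both print lowercase "keyword value" lines.

# alive_timeout PREFIX < resolved-config
#   PREFIX is "clientalive" for sshd -T output or "serveralive" for ssh -G.
#   Prints "disabled" when the interval is 0 (OpenSSH's default), otherwise
#   interval * countmax: the seconds of silence after which the peer is
#   declared dead. countmax falls back to OpenSSH's default of 3 if absent.
alive_timeout() {
    awk -v p="$1" '
        tolower($1) == (p "interval") { interval = $2 }
        tolower($1) == (p "countmax") { countmax = $2 }
        END {
            if (interval == "" || interval + 0 == 0) { print "disabled"; exit }
            if (countmax == "") countmax = 3
            print interval * countmax
        }'
}

# Constructed sample of `sshd -T` output (not captured from a real host):
sample_server='clientaliveinterval 30
clientalivecountmax 10'
printf '%s\n' "$sample_server" | alive_timeout clientalive    # 300

# Constructed sample of `ssh -G` output showing the OpenSSH defaults:
sample_client='serveraliveinterval 0
serveralivecountmax 3'
printf '%s\n' "$sample_client" | alive_timeout serveralive    # disabled

# On a live system (sshd -T needs root):
#   sshd -T | alive_timeout clientalive
#   ssh -G yourserver | alive_timeout serveralive
```

"disabled" on the client side means the session relies on TCP keepalives alone; compare the server-side number with your firewall's idle timeout to see which one will win.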
A common and sound practice is to encrypt your private key with a passphrase. The downside is that you have to retype the passphrase every time you initiate a connection, which is burdensome: it is essentially a password you keep retyping. ssh-agent solves this. It is a small daemon that holds decrypted private keys in memory for the duration of your session. Clients never receive the key from it; they hand the agent the server's authentication challenge and get back a signature, so the private key does not leave the agent process, and you type your passphrase only once, when the key is added.
On most desktop Linux systems the session manager starts ssh-agent for you, so nothing needs installing; the SSH_AUTH_SOCK environment variable tells ssh where to find it. To check whether an agent is running, use the terminal:
ps x | grep ssh-agent
If it is not running yet, start it and import its socket and PID into the current shell with:
eval "$(ssh-agent -s)"
Once it is running, list the keys currently loaded into the agent with:
ssh-add -l
If the key you want to use is missing, add it via ssh-add /path/to/your/ssh/privatekey. When connecting to a host fails with the error Too many authentication failures for user, the client has offered every key the agent holds, and the server's MaxAuthTries limit (6 by default) was used up before the right one came up. The fix is to define an IdentityFile /path/to/your/ssh/privatekey/forthishost for that host in your config file and to add the directive IdentitiesOnly yes, which tells ssh to offer only the identities given on the command line or in the config, even if the agent holds more. An example of this is as follows:
The Settings, again….
Host yourserver
    HostName yourserver.tld
    IdentityFile ~/.ssh/yourprivatekeyname
    IdentitiesOnly yes
    User user
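As an added example (mine, not the page's), two small helpers for the agent workflow described above: one adds a key to the agent only if its fingerprint is not already loaded, so a shell profile can call it on every login without prompting again, and one lints ~/.ssh/config for Host entries that name an IdentityFile but forget IdentitiesOnly yes. It assumes OpenSSH's ssh-add and ssh-keygen and that the matching .pub file sits next to the private key; the function names load_key_once and lint_identities_only and the sample config are this example's own.

```shell
#!/bin/sh
# Added example: helpers for the ssh-agent / IdentitiesOnly workflow.

# load_key_once PRIVATE_KEY
#   Adds PRIVATE_KEY to the running agent unless a key with the same
#   fingerprint is already loaded. Reads the fingerprint from the .pub file
#   beside the private key, so the check itself never asks for a passphrase.
load_key_once() {
    key="$1"
    fp=$(ssh-keygen -lf "$key.pub" 2>/dev/null | awk '{print $2}')
    [ -n "$fp" ] || return 1        # no .pub file next to the key
    if ssh-add -l 2>/dev/null | grep -qF "$fp"; then
        return 0                    # already loaded: no prompt
    fi
    ssh-add "$key"                  # prompts once; key then stays in memory
}

# lint_identities_only CONFIG
#   Prints each Host alias in CONFIG that sets IdentityFile but not
#   "IdentitiesOnly yes". For such hosts ssh still offers every agent key
#   before the configured one, and each refused offer counts against the
#   server's MaxAuthTries (6 by default), which is where "Too many
#   authentication failures" comes from once enough keys are loaded.
lint_identities_only() {
    awk '
        function report() { if (host != "" && idfile && !only) print host }
        tolower($1) == "host"          { report(); host = $2; idfile = 0; only = 0; next }
        tolower($1) == "identityfile"  { idfile = 1 }
        tolower($1) == "identitiesonly" && tolower($2) == "yes" { only = 1 }
        END { report() }
    ' "$1"
}

# Constructed sample config (not from a real machine): the first host is the
# one from the text, the second forgot IdentitiesOnly.
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
Host yourserver
    HostName yourserver.tld
    IdentityFile ~/.ssh/yourprivatekeyname
    IdentitiesOnly yes
    User user

Host build
    HostName build.example.internal
    IdentityFile ~/.ssh/build_key
EOF
lint_identities_only "$sample_cfg"    # prints: build
```

Call load_key_once ~/.ssh/yourprivatekeyname from your shell profile, and run the lint on ~/.ssh/config whenever you add a Host block; an entry it prints is one that will start misbehaving as soon as more than a handful of keys are loaded into the agent.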