Comprehensive Guide to Connect and Configure Servers with OpenSSH
Checking OpenSSH Client Installation
To check whether you have the OpenSSH client installed, use the following commands:
$ which ssh
$ apt search openssh-client
Connecting to a Server
To connect to a server:
$ ssh [username]@[IP_address]
Enter the server password when prompted. On the first connection you'll be asked to confirm the server's host key fingerprint; once accepted, the host key is stored in the known_hosts file in your .ssh directory, and every later connection is checked against it.
Configuring the OpenSSH Client
Create a config file in your .ssh directory with the following content:
Host [myserver]
    HostName [IP_address]
    Port [port_number]
    User [username]
The default port is 22, so the Port line can be left out when the server uses it.
Now, you can connect using:
$ ssh [myserver]
You can include multiple server configurations in a single config file.
Using Public/Private Keys
Generating SSH Keys
Before generating keys, make sure you won't overwrite existing ones: ssh-keygen prompts before overwriting an existing key file, and answering yes destroys the old key, which cannot be recovered.
$ ssh-keygen
$ ssh-keygen -t [key_type] # e.g., ed25519, rsa
ed25519 keys are shorter than RSA keys and are the more secure choice.
Adding a Passphrase
Add a passphrase when prompted for additional security; it encrypts the private key on disk.
Setting Up the Server to Use Keys and Bypass the Password
Copy the public key (the .pub file, never the private key):
$ cat [public_key_filename]
Log in to the server:
$ ssh [username]@[IP_address]
or
$ ssh [myserver]
On the server, create a .ssh directory if it doesn't exist:
$ mkdir -p ~/.ssh
Create the authorized_keys file there and paste the public key into it.
Now when you log in again, the server will authenticate you using the private key.
Using ssh-copy-id
To easily copy the public key to the server:
$ ssh-copy-id -i ~/.ssh/id_rsa.pub [username]@[IP_address]
Managing SSH Keys
Use separate SSH keys for different clients.
Give each key a comment so you can tell them apart when you have several:
$ ssh-keygen -t [key_type] -C 'comment'
By default the comment is [username]@[machinename].
With several keys, don't keep them all under the default name such as:
/home/da_virtualbox/.ssh/id_ed25519
Save each one under its own name instead:
/home/da_virtualbox/.ssh/[key_name]
You can give a key any name, e.g. key_name = acme_id_ed25519.
Then copy the matching public key to the remote server as described above.
Now log in to the server with that key:
$ ssh -i ~/.ssh/[key_name] [username]@[IP_address]
and enter the passphrase when prompted.
Using an SSH Agent to Cache Your Key in Memory
Otherwise you have to enter the passphrase every time you log in. To avoid this, use the SSH agent, which caches the decrypted key in memory so the passphrase is needed only once, until the terminal session ends.
On a server with no GUI, no SSH agent is running by default.
To check whether an SSH agent is running:
$ ps aux | grep ssh-agent
If no agent is running, start it and add your key (to have this happen automatically, put the eval line in your shell startup file, e.g. ~/.bashrc):
$ eval "$(ssh-agent)"
$ ssh-add [key_path]
e.g.
$ ssh-add ~/.ssh/acme_id_ed25519
Don't put the ~ inside quotes, or the shell won't expand it to your home directory.
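The snippet below is an added example, not part of the guide, showing how to make the agent step automatic: it reuses an agent that is already reachable, starts one only when none is, and loads the key once. The key name acme_id_ed25519 is the guide's constructed example; the function names are assumptions.

```sh
# Added example, not part of the guide: start one ssh-agent per shell
# session and load a key only when needed. Meant to be sourced from
# ~/.bashrc. Assumes POSIX sh and OpenSSH's ssh-agent/ssh-add; the key
# name acme_id_ed25519 is the constructed example from the guide.

# Map the exit status of `ssh-add -l` to an agent state:
#   0 -> agent reachable and holding keys
#   1 -> agent reachable but empty
#   2 (or anything else, e.g. 127 when ssh-add is missing) -> no agent
agent_state_from_rc() {
    case "$1" in
        0) echo keys-loaded ;;
        1) echo running-empty ;;
        *) echo not-running ;;
    esac
}

# Probe the agent named by $SSH_AUTH_SOCK (if any) and report its state.
agent_state() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    agent_state_from_rc "$rc"
}

# Reuse a reachable agent, start one only if none is reachable, and add
# the key once so the passphrase is asked for a single time.
ensure_agent() {
    key=${1:-"$HOME/.ssh/acme_id_ed25519"}
    case "$(agent_state)" in
        not-running)
            eval "$(ssh-agent -s)" >/dev/null
            ssh-add "$key"
            ;;
        running-empty)
            ssh-add "$key"
            ;;
        keys-loaded)
            : # passphrase already cached; nothing to do
            ;;
    esac
}
```

Call `ensure_agent` (optionally with a key path) at the end of ~/.bashrc; new sub-shells inherit SSH_AUTH_SOCK and see the key already loaded.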
Configuring OpenSSH Server
Managing the SSH Service
$ systemctl status sshd
$ systemctl restart sshd
$ systemctl stop sshd
$ systemctl start sshd
$ systemctl enable ssh
Editing sshd_config
$ cd /etc/ssh
Here we have the config file and the host keys. Don't delete the host keys, or users will no longer be able to log in.
Edit the server configuration file:
$ sudo nano /etc/ssh/sshd_config
Set
PermitRootLogin no
to disable root login. Disable password authentication for more security:
PasswordAuthentication no
Only do this once key login has been confirmed to work, or you can lock yourself out.
Restarting the Server
After making changes, restart the SSH service (see Managing the SSH Service above) and, keeping the current session open, try logging in from a new terminal to make sure everything still works.
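An added example, not the guide's own code, of applying the two directives above safely: each directive is set exactly once (replacing a commented-out default if there is one), the result is validated with `sshd -t` and the service is restarted only if sshd accepts the file. It assumes POSIX sh, awk and root privileges; the function names are assumptions, and directives inside Match blocks are not handled.

```sh
# Added example (not from the guide): set an sshd_config directive
# idempotently, then validate with `sshd -t` before restarting.
# Assumes POSIX sh, awk, and root privileges for the real file.

# Replace the first active or commented-out occurrence of a keyword at
# line start, drop any later duplicates, or append if it never appears.
# Usage: set_sshd_option <file> <Keyword> <value>
set_sshd_option() {
    file=$1
    key=$2
    value=$3
    awk -v k="$key" -v v="$value" '
        tolower($0) ~ "^[ \t]*#?[ \t]*" tolower(k) "([ \t]|$)" {
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# Read a directive the way sshd resolves it: first active match wins.
get_sshd_option() {
    awk -v k="$(printf %s "$2" | tr '[:upper:]' '[:lower:]')" '
        tolower($1) == k { print $2; exit }
    ' "$1"
}

# Apply the guide's hardening to a config, keep a backup, and restart
# only if sshd accepts the file (otherwise restore and report).
harden_sshd() {
    cfg=${1:-/etc/ssh/sshd_config}
    cp -p "$cfg" "$cfg.bak"
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" PasswordAuthentication no
    if sshd -t -f "$cfg"; then
        systemctl restart sshd
    else
        echo "sshd rejected $cfg; backup restored, nothing restarted" >&2
        cp -p "$cfg.bak" "$cfg"
        return 1
    fi
}
```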
Connecting on a Non-Default Port Number
If the server listens on a port other than the default 22, specify it when connecting:
$ ssh -p [port_number] [username]@[IP_address]
Troubleshooting SSH Connections
If you encounter issues while using SSH, here are some common problems, their causes, and solutions to help you troubleshoot:
1. Permission Denied (publickey)
Symptoms:
- You see the error: Permission denied (publickey).
Causes:
- The server doesn't have your public key in the authorized_keys file.
- The authorized_keys file or the .ssh directory has incorrect permissions.
- The private key on your local machine is not found or is incorrect.
Solutions:
Ensure the Public Key is Added Correctly:
Make sure that the contents of your local public key file (e.g., ~/.ssh/id_rsa.pub) are copied to the ~/.ssh/authorized_keys file on the server:
$ cat ~/.ssh/id_rsa.pub | ssh [username]@[IP_address] 'cat >> ~/.ssh/authorized_keys'
Check File Permissions:
On the server, ensure the permissions are correct:
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys
Verify the Private Key Path:
Ensure you are using the correct private key with the -i option if you are not using the default key:
$ ssh -i ~/.ssh/id_rsa [username]@[IP_address]
Check for Correct Key Use:
Use verbose mode to check which key is being used:
$ ssh -v [username]@[IP_address]
2. Connection Refused
Symptoms:
- You see the error: ssh: connect to host [IP_address] port 22: Connection refused.
Causes:
- The SSH service is not running on the server.
- The SSH server is listening on a different port.
- A firewall is blocking the connection.
Solutions:
Check SSH Service Status:
Ensure the SSH service is running on the server:
$ systemctl status sshd
Start or restart the service if necessary:
$ sudo systemctl start sshd
$ sudo systemctl restart sshd
Verify the SSH Port:
Ensure you are connecting to the correct port:
$ ssh -p [port_number] [username]@[IP_address]
Check the Port directive in the sshd_config file:
$ sudo nano /etc/ssh/sshd_config
Check Firewall Settings:
Make sure that port 22 (or the custom port) is open:
$ sudo ufw status
$ sudo ufw allow 22/tcp
3. Host Key Verification Failed
Symptoms:
- You see the error: Host key verification failed.
Causes:
- The server's host key has changed, or it is a new server.
- The known_hosts file has incorrect or outdated entries.
Solutions:
Remove the Old Host Key:
Remove the outdated key from the ~/.ssh/known_hosts file (only after confirming the server was really reinstalled or re-keyed, since an unexpected key change can also mean you are not talking to the server you think):
$ ssh-keygen -R [IP_address]
Manually Update the Host Key:
Connect to the server to add the new host key:
$ ssh [username]@[IP_address]
4. SSH Connection Times Out
Symptoms:
- You see the error: ssh: connect to host [IP_address] port 22: Connection timed out.
Causes:
- The server is down or not reachable.
- Network issues between the client and server.
Solutions:
Check Server Availability:
Ensure the server is up and running:
$ ping [IP_address]
Check Network Issues:
Use telnet or nc to see if the port is accessible:
$ telnet [IP_address] 22
$ nc -zv [IP_address] 22
5. SSH Agent Not Running
Symptoms:
- You see the error: Could not open a connection to your authentication agent.
Causes:
- The ssh-agent process is not running.
Solutions:
Start the SSH Agent:
Start the ssh-agent process:
$ eval "$(ssh-agent)"
Add Your Key to the Agent:
Add your private key to the ssh-agent:
$ ssh-add ~/.ssh/id_rsa
6. Authentication Failure
Symptoms:
- You see the error: Permission denied, please try again.
Causes:
- Incorrect username or password.
- SSH keys are not set up correctly.
Solutions:
Verify Credentials:
Make sure you are using the correct username and password.
Check SSH Key Setup:
Ensure that your public key is correctly added to the authorized_keys file on the server.
7. Too Many Authentication Failures
Symptoms:
- You see the error: Received disconnect from [IP_address]: 2: Too many authentication failures
Causes:
- Too many authentication attempts with different keys.
Solutions:
Specify the Correct Key:
Use the -i option to specify the correct private key:
$ ssh -i ~/.ssh/id_rsa [username]@[IP_address]
Clear Cached Keys:
Clear the SSH agent’s list of keys:
$ ssh-add -D
8. Too Many Failed Login Attempts
Symptoms:
- You see the error: ssh_exchange_identification: read: Connection reset by peer
Causes:
- The server might have blocked your IP due to too many failed login attempts.
Solutions:
Check /var/log/auth.log:
On the server, look for IP blocks or other issues:
$ sudo tail -f /var/log/auth.log
Unblock Your IP:
If you are using fail2ban, you might need to unban your IP:
$ sudo fail2ban-client unban [IP_address]
9. Incorrect Permissions on Private Key
Symptoms:
- You see the error: Permissions 0644 for '~/.ssh/id_rsa' are too open.
Causes:
- Private key file permissions are too permissive.
Solutions:
Fix File Permissions:
Set the correct permissions for the private key:
$ chmod 600 ~/.ssh/id_rsa
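Problems 1 and 9 above are both permission problems, so here is an added example (not from the guide) that audits a .ssh directory for them in one pass and prints the exact chmod to run for each finding. It assumes POSIX sh and GNU or busybox stat (`stat -c %a`), as on Debian/Ubuntu; the function names are assumptions.

```sh
# Added example, not part of the guide: audit the permission bits that
# make sshd (StrictModes) ignore authorized_keys and make the ssh client
# refuse a private key. Assumes POSIX sh and GNU/busybox `stat -c %a`.

# Octal mode of a path, e.g. 644.
mode_of() { stat -c %a "$1"; }

# True when group and other have no permission bits (700, 600, 400 ...).
private_mode() {
    case "$(mode_of "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Audit one .ssh directory: each problem and its chmod fix goes to stderr,
# the number of problems to stdout (0 means ssh and sshd will accept it).
audit_ssh_dir() {
    dir=$1
    problems=0
    if ! private_mode "$dir"; then
        echo "chmod 700 $dir   # is $(mode_of "$dir")" >&2
        problems=$((problems + 1))
    fi
    if [ -f "$dir/authorized_keys" ] && ! private_mode "$dir/authorized_keys"; then
        echo "chmod 600 $dir/authorized_keys   # is $(mode_of "$dir/authorized_keys")" >&2
        problems=$((problems + 1))
    fi
    # Private keys are located through their .pub siblings.
    for pub in "$dir"/*.pub; do
        [ -f "$pub" ] || continue
        key=${pub%.pub}
        if [ -f "$key" ] && ! private_mode "$key"; then
            echo "chmod 600 $key   # is $(mode_of "$key"), ssh refuses it" >&2
            problems=$((problems + 1))
        fi
    done
    echo "$problems"
}
```

Run it as `audit_ssh_dir ~/.ssh` on the client, or against a user's .ssh on the server when key login is silently falling back to a password.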
10. SSH Client Not Installed
Symptoms:
- You see the error: ssh: command not found
Causes:
- The SSH client is not installed.
Solutions:
Install the SSH Client:
Install the OpenSSH client package:
$ sudo apt-get install openssh-client