Comprehensive Guide to Connect and Configure Servers with OpenSSH

Checking OpenSSH Client Installation

To check whether you have the OpenSSH client installed, use the following commands:

$ which ssh
$ apt search openssh-client

Connecting to a Server

To connect to a server:

$ ssh [username]@[IP_address]

Enter the server password when prompted. On the first connection, ssh shows the server's host key fingerprint and asks whether to trust it; compare it with the fingerprint the server administrator gave you before answering yes. The host key is then stored in the known_hosts file in the .ssh directory and checked on every later connection.

Configuring the OpenSSH Client

Create a config file in your .ssh directory with the following content:

Host [myserver]
  Hostname [IP_address]
  Port [port_number]  # Default port is 22
  User [username]

Now, you can connect using:

$ ssh [myserver]

You can include multiple server configurations in a single config file.

Using Public/Private Keys

Generating SSH Keys

Before generating keys, check ~/.ssh so you don't overwrite an existing key pair:

$ ssh-keygen
$ ssh-keygen -t [key_type]  # e.g., ed25519, rsa

ed25519 is more secure than rsa and its keys are much shorter.

Adding a Passphrase

Add a passphrase when ssh-keygen prompts for one. It encrypts the private key on disk, so a copied key file alone is not enough to log in.

Setting Up the Server to Use Keys Instead of the Password

  1. Copy the public key:

     $ cat [public_key_filename]
    
  2. Log in to the server:

     $ ssh [username]@[IP_address]
     $ ssh [myserver]
    
  3. On the server, create a .ssh directory if it doesn't exist:

     $ mkdir -p ~/.ssh
    
  4. Create the authorized_keys file here and paste the public key into it.

Now when you log in again, the server will authenticate you using the private key.
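Steps 3 and 4 above as a script, added here as an example that is not part of the original guide: it creates ~/.ssh and authorized_keys with the permissions sshd insists on (the same chmod values given under Troubleshooting item 1), appends the key only if it is not already present, and refuses input that does not look like a single public-key line, so a private key pasted by mistake never lands on the server. install_authorized_key and file_mode are the example's own names, and the sample key in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): install a public key into a
# user's authorized_keys the way steps 3-4 do by hand, idempotently and with
# the permissions sshd requires (700 on ~/.ssh, 600 on authorized_keys).
# Usage: install_authorized_key "<public key line>" [home_dir]
install_authorized_key() {
    key="$1"
    home_dir="${2:-$HOME}"
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"
    nl='
'
    # Accept exactly one line; a pasted file (or a private key) is multi-line.
    case "$key" in *"$nl"*) echo "refusing multi-line input" >&2; return 1 ;; esac

    # Only well-known public key types may go in; anything else (including a
    # "-----BEGIN ... PRIVATE KEY-----" header) is rejected.
    case "$key" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*|"sk-"*) ;;
        *) echo "not a public key line: refusing" >&2; return 1 ;;
    esac

    # Step 3 of the guide: create the directory, owner-only access.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Step 4: append the key only if the exact line is not already there.
    if grep -qxF -- "$key" "$auth_file"; then
        echo "key already present" >&2
    else
        printf '%s\n' "$key" >> "$auth_file"
    fi
}

# Octal permission bits of a path (GNU stat first, BSD stat as fallback),
# used to verify the result the way the troubleshooting section checks it.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```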

Using ssh-copy-id

To easily copy the public key to the server:

$ ssh-copy-id -i ~/.ssh/id_rsa.pub [username]@[IP_address]

Managing SSH Keys

  • Use separate SSH keys for different clients.

  • When you have several keys, give each one a comment so you can tell them apart:

      $ ssh-keygen -t [key_type] -C 'comment'
    

    By default the comment is [username]@[machinename].

  • When prompted for the file name, do not accept the default path such as:

       /home/da_virtualbox/.ssh/id_ed25519
    

    Save the key under its own name instead:

      /home/da_virtualbox/.ssh/[key_name]
    

    You can assign any name to your key, e.g. key_name = acme_id_ed25519.

  • Then copy this key's public half (the .pub file) to the remote server as described above; the private key never leaves your machine.

  • Now, when logging into the server, point ssh at that private key:

      $ ssh -i ~/.ssh/[key_name] [username]@[IP_address]
    

    and enter the passphrase.

Using an SSH agent to cache your key in memory

Otherwise you have to enter the passphrase every time you log in. To avoid this, use the SSH agent, which caches the decrypted key in memory so the passphrase is needed only once, until the working terminal (and the agent started from it) is closed.

  • On a headless server (no GUI), no ssh-agent is running by default.

  • To check whether SSH Agent is running or not

      $ ps aux | grep ssh-agent
    
  • If the agent is not running, start it and add your key; to have it start automatically when you open a terminal, put the same eval line in your shell startup file:

      $ eval "$(ssh-agent)"
      $ ssh-add [key_path]
    

ex. $ ssh-add ~/.ssh/acme_id_ed25519

Configuring OpenSSH Server

Managing the SSH Service

$ systemctl status sshd
$ systemctl restart sshd
$ systemctl stop sshd
$ systemctl start sshd
$ systemctl enable ssh

Editing sshd_config

The configuration file and the host keys live in /etc/ssh (cd /etc/ssh to see them). Do not delete the host keys: without them sshd will not start and nobody will be able to log in.

Edit the server configuration file:

$ sudo nano /etc/ssh/sshd_config

  • Set PermitRootLogin no to disable root login.

  • Disable password authentication so that only key-based logins are accepted (make sure your key login works first, or you will lock yourself out):

PasswordAuthentication no

Restarting the Server

After making changes, check the file for syntax errors with $ sudo sshd -t, restart the SSH service ($ sudo systemctl restart sshd), and test a login from a new terminal while keeping the current session open, so a mistake does not lock you out.
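An added check, not from the original guide, for the two directives above: sshd uses the first value it reads for a keyword, ignores comments, and treats everything after a Match line as conditional, so this script reports the value actually in force rather than whatever a grep happens to find. The function names sshd_effective and audit_sshd_config are the example's own; the fallback defaults (PermitRootLogin prohibit-password, PasswordAuthentication yes) are the documented OpenSSH defaults, and Include directives are not followed.

```shell
#!/bin/sh
# Added example (not part of the original guide): check that the two
# hardening directives the guide recommends are actually in effect.
# sshd takes the FIRST value it reads for a keyword (later ones are ignored),
# keywords are case-insensitive, and lines after "Match" only apply
# conditionally, so a naive grep can report a setting that is not in force.
# Assumed defaults (from sshd_config(5)) if a keyword is absent:
#   PermitRootLogin prohibit-password, PasswordAuthentication yes.
# Include directives are not followed; use "sshd -T" on the server for that.

# Print the effective global value of a keyword.
# Usage: sshd_effective <config_file> <keyword> <default>
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        { sub(/#.*/, "") }                       # strip comments
        NF == 0 { next }                         # skip blank lines
        tolower($1) == "match" { exit }          # end of the global section
        tolower($1) == tolower(key) && !found { print tolower($2); found = 1 }
        END { if (!found) print def }
    ' "$1"
}

# Exit 0 if the file disables both root login and password auth, else 1,
# printing each directive that is not hardened.
audit_sshd_config() {
    status=0
    root=$(sshd_effective "$1" PermitRootLogin prohibit-password)
    pass=$(sshd_effective "$1" PasswordAuthentication yes)
    [ "$root" = "no" ] || { echo "PermitRootLogin is '$root', want no"; status=1; }
    [ "$pass" = "no" ] || { echo "PasswordAuthentication is '$pass', want no"; status=1; }
    return $status
}
```

On the server itself, sudo sshd -T prints the fully resolved configuration (included files and all) and sudo sshd -t validates the syntax before a restart.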

Connecting on a Different Port Number

If the server listens on a port other than the default (set with the Port directive in sshd_config), pass it to the client:

$ ssh -p [port_number] [username]@[IP_address]

The default port is 22.

Troubleshooting SSH Connections

If you encounter issues while using SSH, here are some common problems, their causes, and solutions to help you troubleshoot:

1. Permission Denied (publickey)

Symptoms:

  • You see the error: Permission denied (publickey).

Causes:

  • The server doesn’t have your public key in the authorized_keys file.

  • The authorized_keys file or the .ssh directory has incorrect permissions.

  • The private key on your local machine is not found or is incorrect.

Solutions:

  • Ensure the Public Key is Added Correctly:

    Make sure that the contents of your local public key file (e.g., ~/.ssh/id_rsa.pub) are copied to the ~/.ssh/authorized_keys file on the server.

      $ cat ~/.ssh/id_rsa.pub | ssh [username]@[IP_address] 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys'
    
  • Check File Permissions:

    On the server, ensure the permissions are correct:

       $ chmod 700 ~/.ssh 
       $ chmod 600 ~/.ssh/authorized_keys
    
  • Verify the Private Key Path:

    Ensure you are using the correct private key with the -i option if not using the default key.

      $ ssh -i ~/.ssh/id_rsa [username]@[IP_address]
    
  • Check for Correct Key Use:

    Use verbose mode to check which key is being used:

      $ ssh -v [username]@[IP_address]
    

2. Connection Refused

Symptoms:

  • You see the error: ssh: connect to host [IP_address] port 22: Connection refused.

Causes:

  • The SSH service is not running on the server.

  • The SSH server is listening on a different port.

  • A firewall is blocking the connection.

Solutions:

  • Check SSH Service Status:

    Ensure the SSH service is running on the server:

      $ systemctl status sshd
    

    Start or restart the service if necessary:

      $ sudo systemctl start sshd 
      $ sudo systemctl restart sshd
    
  • Verify the SSH Port:

    Ensure you are connecting to the correct port:

      $ ssh -p [port_number] [username]@[IP_address]
    

    Check the port in the sshd_config file:

      $ nano /etc/ssh/sshd_config
    
  • Check Firewall Settings:

    Make sure that port 22 (or the custom port) is open:

      $ sudo ufw status
      $ sudo ufw allow 22/tcp
    

3. Host Key Verification Failed

Symptoms:

  • You see the error: Host key verification failed.

Causes:

  • The server’s host key has changed, or it is a new server.

  • The known_hosts file has incorrect or outdated entries.

Solutions:

  • Remove the Old Host Key:

    Remove the outdated key from the ~/.ssh/known_hosts file:

      $ ssh-keygen -R [IP_address]
    
  • Manually Update the Host Key:

    Connect to the server to add the new host key:

      $ ssh [username]@[IP_address]
    

4. SSH Connection Times Out

Symptoms:

  • You see the error: ssh: connect to host [IP_address] port 22: Connection timed out.

Causes:

  • The server is down or not reachable.

  • Network issues between the client and server.

Solutions:

  • Check Server Availability:

    Ensure the server is up and running:

      $ ping [IP_address]
    
  • Check Network Issues:

    Use telnet or nc to see if the port is accessible:

      $ telnet [IP_address] 22
      $ nc -zv [IP_address] 22
    

5. SSH Agent Not Running

Symptoms:

  • You see the error: Could not open a connection to your authentication agent.

Causes:

  • The ssh-agent process is not running.

Solutions:

  • Start the SSH Agent:

    Start the ssh-agent process:

      $ eval "$(ssh-agent)"
    
  • Add Your Key to the Agent:

    Add your private key to the ssh-agent:

      $ ssh-add ~/.ssh/id_rsa
    

6. Authentication Failure

Symptoms:

  • You see the error: Permission denied, please try again.

Causes:

  • Incorrect username or password.

  • SSH keys are not set up correctly.

Solutions:

  • Verify Credentials:

    Make sure you are using the correct username and password.

  • Check SSH Key Setup:

    Ensure that your public key is correctly added to the authorized_keys file on the server.

7. Too Many Authentication Failures

Symptoms:

  • You see the error: Received disconnect from [IP_address]: 2: Too many authentication failures

Causes:

  • The client tried too many keys (for example, every key loaded in the ssh-agent) before the right one, exceeding the server's MaxAuthTries limit.

Solutions:

  • Specify the Correct Key:

    Use the -i option to specify the correct private key (add -o IdentitiesOnly=yes if the agent holds several keys, so ssh offers only that one):

      $ ssh -i ~/.ssh/id_rsa [username]@[IP_address]
    
  • Clear Cached Keys:

    Clear the SSH agent’s list of keys:

      $ ssh-add -D
    

8. Too Many Failed Login Attempts

Symptoms:

  • You see the error: ssh_exchange_identification: read: Connection reset by peer

Causes:

  • The server might have blocked your IP due to too many failed login attempts.

Solutions:

  • Check /var/log/auth.log:

    Look for IP blocks or other issues:

      $ tail -f /var/log/auth.log
    
  • Unblock Your IP:

    If you are using fail2ban, you might need to unban your IP:

      $ sudo fail2ban-client unban [IP_address]
    

9. Incorrect Permissions on Private Key

Symptoms:

  • You see the error: Permissions 0644 for '~/.ssh/id_rsa' are too open.

Causes:

  • Private key file permissions are too permissive.

Solutions:

  • Fix File Permissions:

    Set the correct permissions for the private key:

      $ chmod 600 ~/.ssh/id_rsa
    

10. SSH Client Not Installed

Symptoms:

  • You see the error: ssh: command not found

Causes:

  • The SSH client is not installed.

Solutions:

  • Install the SSH Client:

    Install the OpenSSH client package:

      $ sudo apt-get install openssh-client