Setup SSH connection

To access your server’s console, you will need to open an SSH connection: an encrypted channel between your computer and your server. For this, you must have an SSH client on your local computer and configure the SSH service on your server.

Summary of the tutorial


1. First connection

  1. Open a terminal: simultaneously press the Windows + R keys.
  2. Enter cmd in the field of the window that appears at the bottom left of your screen, then click OK.
  3. In the terminal that opens, type:

    > ssh root@server_ip

The following message is displayed:

    The authenticity of host '138.68.87.113 (138.68.87.113)' can't be established.
    ECDSA key fingerprint is SHA256:RBuop6/a8DrySzRx+XSw2uhY38DKkmlrjfMY+55iGAo.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

Answer yes. The fingerprint shown identifies the server’s host key; if your hosting provider displays it in its console, compare the two before answering.

    Warning: Permanently added '138.68.87.113' (ECDSA) to the list of known hosts.

The terminal now prompts you for the root password:

    root@138.68.87.113's password:

Enter the password then confirm by pressing the enter key.

You are now connected to the terminal of your remote server!

    root@v2202206177897232182:~#


2. Securing the server

We will now harden your SSH connection with a few additional measures.

2.1 Add user

The first thing to do is to reduce the privileges of the user you log in with. The root user has full control over the system, which is dangerous if its credentials fall into the wrong hands or if you make a mistake. We are therefore going to create a new user dedicated to this connection.

Log in as root to your server and enter the following commands:

    > adduser --gecos "" maintainer

  • The --gecos option skips the questions about the identity of the new user (Last name, First name, Telephone number, …)

    Adding user `maintainer' ...
    Adding new group `maintainer' (1000) ...
    Adding new user `maintainer' (1000) with group `maintainer' ...
    Creating home directory `/home/maintainer' ...
    Copying files from `/etc/skel' ...
    New password:
    Retype new password:
    passwd: password updated successfully

Choose your password then confirm with the enter key.

Let’s add the newly created user to the sudo group (the group whose members may use sudo) to raise its execution level:

    > usermod -aG sudo maintainer

You can now log in as user maintainer!

2.2 Change SSH port

For this we will edit the configuration file of the SSH service.

Connect as user maintainer to your server and enter the following commands:

    > sudo nano /etc/ssh/sshd_config

Replace the line

    #Port 22

by the following (or any other free port of your choice):

    Port 22123

To save with nano: Ctrl+X, confirm with the Y key, then the Enter key.

To apply the modification:

    > sudo systemctl restart ssh

From now on, to connect to the server, you will have to enter the following from your local terminal:

    > ssh maintainer@server_ip -p 22123

2.3 Create a public/private key (client side)

To secure our SSH connection a little more, we are now going to create a public/private key pair and use it to authenticate to the server instead of a password.

  1. Open a terminal: simultaneously press the Windows + R keys.
  2. Enter powershell in the field of the window that appears at the bottom left of your screen, then click OK.
  3. In the terminal that appears, enter:

    > start-process PowerShell -verb runas

This launches a new shell in administrator mode.

  4. Enter the following command to enable the SSH service on your machine:

    > Get-Service -Name sshd | Set-Service -StartupType Automatic

then the command

    > Start-Service sshd

Note that ssh-keygen is part of the OpenSSH client; the sshd service only matters if you also want your Windows machine to accept SSH connections.

Now generate the public/private key pair:

    > ssh-keygen -t RSA -C "tuto@bitgen.com"

You can press enter to accept the default or specify a path and/or filename where you would like your keys to be generated.

The passphrase is optional, but it protects the private key file if your computer is ever compromised.

    Generating public/private RSA key pair.
    Enter file in which to save the key (C:\Users\hlavi/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in id_rsa.
    Your public key has been saved in id_rsa.pub.
    The key fingerprint is:
    SHA256:mvNMWgMO+QbD9GTQuSjD556wYK63kwMp3nyZzRVftGU tuto@bitgen.com
    The key's randomart image is:
    +---[RSA 3072]----+
    |    .. .         |
    |     .o      . E |
    | .  ..o.    . +  |
    |  +oo=.  .   o   |
    | . =* o S o .    |
    |=.. .* + . .     |
    |=oo= .% =        |
    | o*oo= X .       |
    |o..+. . o        |
    +----[SHA256]-----+

Then we need to copy the public key to the server.

Let’s create the /home/maintainer/.ssh directory for the maintainer user on the server:

    > ssh maintainer@server_ip -p 22123 mkdir /home/maintainer/.ssh

Enter the password to validate the creation of the directory.

Still in the PowerShell console, let’s copy the key into the directory just created:

    > scp -P 22123 C:\Users\your_windows_user/.ssh/id_rsa.pub maintainer@server_ip:/home/maintainer/.ssh/authorized_keys

Enter the password to validate the copy of the file.

On a Linux or macOS client, the ssh-copy-id command does the same in one step:

    > ssh-copy-id -p 22123 -i ~/.ssh/id_rsa.pub maintainer@server_ip
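The scp command above overwrites authorized_keys and leaves the permissions to chance; sshd’s StrictModes (on by default) rejects keys in a directory or file that other users can access. As an added example that is not part of this tutorial, the POSIX shell function below does on the server what ssh-copy-id does on Unix clients: it creates ~/.ssh, appends the key only if it is not already there, and sets the permissions sshd expects. It assumes the public key was uploaded to a path such as ~/id_rsa.pub first (the path and the demo key material are constructed).

```shell
# Install a public key into a user's authorized_keys the way ssh-copy-id does.
# Usage: install_authorized_key /path/to/id_rsa.pub [home_dir]
# Returns 0 on success (key added or already present), 2 if the file is not a key.
install_authorized_key() {
    pubkey_file="$1"
    home_dir="${2:-$HOME}"
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # Accept only a line that looks like an OpenSSH public key (type + base64 blob).
    key=$(head -n 1 "$pubkey_file")
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 2 ;;
    esac

    # sshd's StrictModes (on by default) refuses keys in a world-accessible
    # directory or file, so create both with restrictive permissions.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_keys" && chmod 600 "$auth_keys"

    # Compare on type + key material only, so a changed comment is not a new key.
    key_id=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if awk '{print $1, $2}' "$auth_keys" | grep -qxF -- "$key_id"; then
        echo "key already present in $auth_keys"
        return 0
    fi
    printf '%s\n' "$key" >> "$auth_keys"
    echo "key added to $auth_keys"
}

# Constructed demo (fake key material, not a real key): run against a temporary
# home directory so nothing on the machine is touched.
demo_home=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE tuto@example\n' \
    > "$demo_home/id_demo.pub"
install_authorized_key "$demo_home/id_demo.pub" "$demo_home"
install_authorized_key "$demo_home/id_demo.pub" "$demo_home"   # second call: no duplicate
rm -rf "$demo_home"
```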

2.4 Key authentication (server side)

Now that we have created a new user, changed the port of our SSH service and transferred the public key from our local computer to the server, we will disable direct login by password as well as login as root, and require key authentication instead.

Edit the SSH service configuration file:

    > sudo nano /etc/ssh/sshd_config

replace the line

    PermitRootLogin yes

by

    PermitRootLogin no

then replace the line

    PasswordAuthentication yes

by

    PasswordAuthentication no

and finally uncomment the line

    #PubkeyAuthentication yes

so that it reads

    PubkeyAuthentication yes

To save with nano: Ctrl+X, confirm with the Y key, then the Enter key.

Then apply the configuration by restarting the SSH service:

    > sudo systemctl restart ssh
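Before you close the session you are editing from, it is worth checking that the file really says what you intend, since a typo here locks you out once the service restarts. As an added example that is not part of this tutorial, the POSIX shell function below reads an sshd_config file, reports the effective value of the four directives changed above (applying OpenSSH’s defaults when a directive is commented out) and returns 1 if any of the three authentication settings is still weak. It only reads the file it is given and does not follow Include lines; the sample file at the end is constructed.

```shell
# Report the effective value of the four sshd_config directives this tutorial
# changes and return 1 if any of the three authentication settings is still weak.
# Usage: audit_sshd_config [path]   (default: /etc/ssh/sshd_config)
audit_sshd_config() {
    cfg="${1:-/etc/ssh/sshd_config}"
    rc=0
    for directive in Port PermitRootLogin PasswordAuthentication PubkeyAuthentication; do
        # sshd keeps the first uncommented occurrence of a directive; anything below a
        # "Match" line is conditional, so stop there. Include files are not followed.
        value=$(awk -v d="$directive" '
            /^[ \t]*Match[ \t]/         { exit }
            tolower($1) == tolower(d)   { print $2; exit }' "$cfg" | tr 'A-Z' 'a-z')
        # Absent or commented-out directives take the OpenSSH defaults.
        if [ -z "$value" ]; then
            case "$directive" in
                Port)            value=22 ;;
                PermitRootLogin) value=prohibit-password ;;
                *)               value=yes ;;
            esac
        fi
        case "$directive:$value" in
            Port:22) status="default" ;;
            Port:*|PermitRootLogin:no|PasswordAuthentication:no|PubkeyAuthentication:yes)
                     status="ok" ;;
            *)       status="WEAK"; rc=1 ;;
        esac
        printf '%-24s %-20s %s\n' "$directive" "$value" "$status"
    done
    return "$rc"
}

# Constructed sample: a stock file where only the port was changed (not a real server).
sample=$(mktemp)
printf 'Port 22123\n#PermitRootLogin prohibit-password\nPasswordAuthentication yes\n' > "$sample"
audit_sshd_config "$sample" || echo "sshd_config still has weak settings"
rm -f "$sample"
```

On distributions whose sshd_config starts with an Include line, drop-in files under /etc/ssh/sshd_config.d take precedence, and `sudo sshd -T` prints the values sshd actually uses. Run the audit from your still-open session and test the key login from a second terminal before restarting the service, so a mistake cannot lock you out.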

You can now log in without a password, directly with your SSH key!