How To Enable SSH on Linux
November 28, 2020
November 27, 2020
Linux shines in the command line. As a Windows user, I always appreciated the GUI, as shown by my emphasis on DeskThemePacks. There is more flexibility and versatility when you use the command line interface on either, including the ability to chain tasks together or create unique instructions. Secure Shell (SSH) is a way for a user to remotely, and safely (if configured correctly), administer their Linux workstation. You could run maintenance tasks, write documents, and install and update programs, to name a few actions. This tutorial is split into two sections: "Layman", which is how to get it running, and "Foreman", which digs into the more secure preferences. If you plan to use this over a remote address, please read the "Foreman" section as well.
First, you'll need to make sure "OpenSSH" is installed on the machine. Not every Linux package is a graphical program - some complement or add functionality to the system's existing app suite. If you don't need a feature, you can typically live without its package. The ability to connect with SSH FROM your PC is installed by default in Linux Mint Ulyana and Debian Edition 4. However, you'll need to install the component that allows users to connect TO you as well. Open your Mint menu, type "Synaptic P" and select the resulting program from the list, which resembles a teal square with white arrows pointing in opposite directions. Enter your privileged password.
On the top right portion of the window, enter "openssh" as a search query using the "Description and Name" modifier and press "Search". Once you do, scroll down until you see packages that start with "o". If my earlier remarks are valid for your installation, you'll see a green square (meaning it's already installed) for "openssh-client" but NOT for "openssh-server". "openssh-server" is the one we want to install. Click its nearby square, and select the option "Mark for Installation". Synaptic will also install its dependencies for you (if any exist). During my installation, at least six dependencies were missing. Consent to these and select "Mark". Then on the top left portion of the window, click "Apply". Review the summary, and then click "Apply". Cold feet? You can check "download package files only" and resume this tutorial at another time.
Still here? Let's go on. Assuming you did install the server end, you'll need to enable port 22 in the Linux Firewall on both ends so that the computers can talk to each other. This tutorial assumes you're not doing this from a remote address and that you have two Linux machines on the same local network. Open the mint menu, type "Firewall" and then select the result, which should be an icon that resembles a brick wall. Enter your privileged password when prompted. When you do, the Firewall home page will appear. Press the "+" icon on the bottom left side of the window. Then, click the "Simple" tab on the next window that appears and enter "Both" for "Direction" and "Protocol", "Allow" for "Policy", and "22" for "Port". The description is optional and not needed, but can help sift through a list of rules better.
These instructions are for users who would prefer a more secure, paranoia-friendly setup. I followed these instructions in my setup and if you do care about access control, so should you. Otherwise you're welcome to stop reading. There's a config file on the system that allows you to specify how SSH connections are handled on this PC. If you plan to have these PCs talk to each other, you will need to make sure those settings are the same on both PCs so that it does not affect your ability to connect.
Open your terminal, and type the following command:
sudo xed /etc/ssh/sshd_config
A text editor will appear with a red banner indicating you're editing a file with root privileges. To change the default port, navigate to line 15 and remove the hash sign next to it. You can enter any unprivileged port above 1023 you like that isn't already in use. If there are other parameters you would like to enable, scroll down the document and remove the hash sign next to each one you want to activate. Save and close when you're done. Also, type this command in the terminal:
sudo service ssh restart
This will cause the service to restart, which will put the settings you enabled into effect. To utilize access control on this PC for SSH and other resources, you'll need to make modifications to /etc/hosts.allow, which specifies which hosts can connect, and /etc/hosts.deny, which excludes connections. Entries in hosts.allow supersede entries in hosts.deny. Open a terminal and enter the following command(s), depending on which file you need to edit:
sudo xed /etc/hosts.deny
Pick this file if you would like to start banning everything at first. This is the most secure, but most inconvenient option. The syntax for entries is:
protocol_type : ip_address_or_dns_domain, wildcard_type
Using ALL : ALL is the surefire way to start from restricting everyone. But of course, you'll need to allow some users. To allow a user on the local network you trust, you'll need to find out their private IP address. On a Linux machine, you can type hosts in a terminal window and use the "inet" value. Use this value and add it to hosts.allow. For example, if I wanted to allow 10.100.0.4 and I was on 10.200.0.6, I would write sshd : 10.100.0.4, LOCAL in the next available line, save the file and restart the ssh service. DNS Domains are compatible (like sccc.sunysccc.local, LOCAL) with the allow and deny lists. If it's a local resolver, you should include the LOCAL wildcard.
Now that you've read both tutorials, it's time to start a session! Open your terminal or a new tab with CTRL+SHIFT+T and type the following (substitute #### for the port number you specified in /etc/ssh/sshd_config) and press enter:
ssh username@device_private_ip -p####
If it's your first time communicating, you will be asked whether or not to confirm you want to connect. If you're sure, type yes. Then, type the password of the account you named in the ssh command, NOT the one you're logged into this computer with. Then press Enter. Your cursor will change from localuser@thismachine to remoteuser@othermachine, and you'll be able to run commands as if you were logged in. To test my success, I created a text document on my REMOTE desktop:
echo -e 'I figured out SSH\nYay me!' > ~/Desktop/ssh_success.txt
I recommend that you set up SSH key pairs between the devices you're connecting with. Once you have, your ability to connect will be more straightforward, and you won't need a password. This step was done between a DigitalOcean droplet and a Linux Mint 20 installation. If you haven't already, create an SSH key in the terminal using the following command - OpenSSH should be installed:
You will then be asked where you want to save it. The default filename is fine, but if you're paranoid, I'd change it. But you would have to edit the sshd_config file to reflect this. I strongly recommend a passphrase. It should differ from your user account password and will be needed in the next step. Now, log in to your droplet using SSH. Type nano ~/.ssh/authorized_keys and paste the contents of your public SSH key, located in ~/.ssh/id_rsa.pub on the CLIENT, and add this as a single line to the authorized_keys file on the SERVER. Then click Save.
Log out of your droplet or server. Then log back in. You will see a prompt asking for the passphrase of your SSH key. If you use a password manager, make sure it's in the clipboard before you attempt to log on, because Linux will erect a Secure Desktop scenario where no other app can be clicked except the prompt. Paste it, click "Remember this password" if you'd like, and then click "OK". Now you will no longer need the password. As it stands, the default behavior for refusing to enter the private passphrase is a fallback to Unix authentication. To disable this, open /etc/ssh/sshd_config, navigate to Line 56, uncomment it, and type "no" in place of yes. Clear text tunneled passwords will be turned off. I have verified that this method works.
Do not forget to restart ssh on BOTH sides by typing the following command in terminal - if you are not running root interactively, then you must enter your privileged password if asked in the secure dialog prompt:
systemctl restart ssh
Sometimes, you will need to keep certain ports open to the internet in order to facilitate some online services. Based on some beta testing on my own NAT, I've discovered that you need to enable GatewayPorts, PermitTunnel and a keepalive timeout by editing the /etc/ssh/sshd_config file, which is for openssh-server. Drop the D if you need to edit the client. Uncomment "PermitTunnel" and type "yes" as the parameter. Uncomment "GatewayPorts" and type "yes" as the parameter. Then restart ssh using systemctl. You still need to allow these ports through your firewall, and if you use a WireGuard NAT, these rules should also be active on the designated endpoint.
We're not done yet. Go to an always-on client and start an ssh tunnel using the following command syntax (-D opens a dynamic SOCKS forward on the given port, -N tells ssh not to run a remote command, and -f sends ssh to the background once you have authenticated):
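As an added check, not part of the original post, the script below reads an sshd_config the way sshd does (first value of a keyword wins, keywords are case-insensitive, "#" lines are ignored) and reports the settings this tutorial touches: Port, PasswordAuthentication, PermitTunnel and GatewayPorts. It runs against a constructed sample file rather than the real /etc/ssh/sshd_config; point audit_sshd_config at the real file to audit your own setup.

```shell
#!/bin/sh
# Added example (not from the original post): check an sshd_config for the
# settings this tutorial changes. sshd keeps the FIRST value it sees for a
# keyword, keywords are case-insensitive, and '#' lines are comments, so a
# leftover '#PasswordAuthentication yes' is NOT a setting: the default applies.

# sshd_get FILE KEYWORD -> effective value, or "default" when the file is silent
sshd_get() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*#/ { next }                      # comment line
        NF == 0    { next }                      # blank line
        tolower($1) == key { print $2; found = 1; exit }   # first match wins
        END { if (!found) print "default" }
    ' "$1"
}

# audit_sshd_config FILE -> prints one line per check; returns 1 on any WARN
audit_sshd_config() {
    f=$1; rc=0
    port=$(sshd_get "$f" Port)
    if [ "$port" = "default" ] || [ "$port" = "22" ]; then
        echo "WARN Port: still 22 (tutorial moves it above 1023)"; rc=1
    else
        echo "OK   Port: $port"
    fi
    pw=$(sshd_get "$f" PasswordAuthentication)
    if [ "$pw" = "no" ]; then
        echo "OK   PasswordAuthentication: no"
    else
        echo "WARN PasswordAuthentication: $pw (key-only login needs 'no')"; rc=1
    fi
    for k in PermitTunnel GatewayPorts; do
        echo "INFO $k: $(sshd_get "$f" "$k")"
    done
    return $rc
}

# Constructed sample: the port was moved, but the PasswordAuthentication line
# (line 56 in the tutorial) was left commented out, so password login stays on.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#Port 22
Port 2222
#PasswordAuthentication yes
PermitTunnel yes
GatewayPorts yes
EOF
audit_sshd_config "$SAMPLE" || echo "fix the WARN lines, then restart ssh"
rm -f "$SAMPLE"
```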
ssh -D [portnumber] -N -f [username]@[host_ip_or_fqdn]
The reason you need an always-on client is that when the client reboots or shuts down, the tunnel breaks. The designated endpoint is the best choice to initiate the tunnel. Log in as you would for any other session; because of -N, no shell prompt appears and nothing else visibly happens. To test whether the port you specified is now open, use nmap on your own server with the following command:
nmap -p [sameportnumber] [same_host_ip_or_fqdn]
You will be told whether or not it is open, closed, or filtered. Using nmap on anyone else's devices could be misconstrued as an attack, so please DON'T, unless you have written permission.
© 2020-2021 Mass Transit Honchkrow | Last modified Saturday, 06-Nov-2021 14:05:13 EDT