Introduction
SSH (Secure Shell) is a cryptographic protocol for securely connecting to a remote server over an unsecured network. It is essential for managing remote systems, networking, and communicating with remote servers.
The protocol provides a secure connection between a client and a server. It enables managing other computers, transferring files, and executing commands on a remote machine.
This guide explains how to SSH to a remote server from Windows, Linux, or Mac.
Prerequisites
- The remote computer must be turned on and have a network connection.
- The IP address or the name of the remote machine.
- Permission to access the remote computer.
- Firewall settings to allow SSH connections.
What Is SSH?
Secure Shell, sometimes called Secure Socket Shell, is a protocol that allows you to securely connect to a remote computer or a server using a text-based interface.
When a secure SSH connection is established, a shell session starts. It enables manipulating the server by typing commands within the client on your local computer.
System and network administrators use this protocol to manage remote servers and machines. Anyone who requires managing a computer remotely in a highly secure manner uses SSH.
Note: SSH and SFTP protocols are frequently conflated, but have unique and distinct roles. Learn about the similarities and differences between SSH and SFTP.
How Does SSH Work?
Both the client and server participate in establishing a secure SSH communication channel. Creating an SSH connection relies on the following components and steps:
- Client-side component. A client-side component is an application or program used to connect to another machine. The client uses remote host information to initiate the connection through the program. If the credentials are verified, the program establishes an encrypted connection.
- Server-side component. On the server's side, an SSH daemon constantly listens to a specific TCP/IP port (the default SSH port number is 22) for possible client connection requests. Once a client initiates a connection through the defined port, the SSH daemon responds with the software and the protocol versions it supports. The default protocol version for SSH communication is version 2.
- Key exchange. The client and server exchange cryptographic keys to create a secure communication channel. The keys help encrypt subsequent communication.
- Authentication. When establishing a connection, the client provides identification data to the server (as a username/password or SSH keys). If the provided credentials are correct, SSH creates a new encrypted communication session.
Note: For more details, check out our comprehensive guide on how SSH works.
How to Enable an SSH Connection
Since creating an SSH connection requires both a client and a server component, ensure they are installed on the local and remote servers. The sections below demonstrate how to install a client-side and server-side component depending on the OS.
Install SSH Component on Mac
macOS typically has the SSH client preinstalled. Open the terminal and check with the following command:
ssh -v
The command shows the installed SSH version. To use a third-party SSH application, such as OpenSSH, use the following Homebrew command:
brew install opensshNote: If you don't have Homebrew installed, check out our guide on how to install Homebrew on Mac.
The installation allows managing a separate version from the system's default SSH component. Alternatively, install PuTTY on macOS to use a GUI-based SSH client.
To enable SSH server remote login on a macOS, do the following:
1. Go to System Settings.
2. Click General in the left menu.
3. Locate and open Sharing.
4. Enable Remote Login to allow SSH access to the device.
Install SSH Component on Linux
Some Linux distributions do not have an SSH component installed by default. Typical solutions are installing OpenSSH or a GUI solution, such as the PuTTY client for Ubuntu.
Installing OpenSSH requires access to the terminal on the server and the computer you use for connecting. The steps for installing and setting up the OpenSSH client and server component are below:
1. To install the client component, run one of the following commands on the client machine:
For Debian/Ubuntu-based Systems:
sudo apt install openssh-clientFor Red Hat-based systems (such as CentOS or Fedora):
sudo dnf install openssh-clientssudo yum install openssh-clients2. Next, install the server component on the server machine:
For Debian/Ubuntu-based Systems:
sudo apt install openssh-serverFor Red Hat-based systems (such as CentOS or Fedora):
sudo dnf install openssh-serversudo yum install openssh-server3. After installing the components, the SSH service automatically starts. View the service status with:
systemctl status sshd
In case the service is not running, run it with the following command:
sudo systemctl start sshdThe command does not print an output.
4. To have the service start automatically on boot, run:
sudo systemctl enable sshdEnabling the sshd service starts it during the boot process.
Note: On some systems, sshd is the service name alias, and the commands will not work. In that case, replace sshd with ssh in the previous commands.
Install SSH Component on Windows
SSH is not a default component on Windows systems. Windows 10 and later versions include a native OpenSSH app.
To enable SSH, do the following:
1. Open Settings -> Apps & features -> Optional features.
2. Click the Add a feature button.
3. Search for and install the OpenSSH app.
Alternatively, a popular option is to install PuTTY on Windows or to use a Linux distribution through the WSL (Windows Subsystem for Linux) feature.
How to Connect via SSH
After installing and setting up the SSH client and server on each machine, you can establish a secure remote connection. To connect to a server, do the following:
1. Open the command line/terminal window and run the following ssh command:
ssh [username]@[host_ip_address]Provide the username and host IP address. If the username is the same as the local machine, omit the username from the command. To test if SSH is installed correctly, try creating an SSH connection to localhost.
2. When connecting to the server for the first time, a message appears asking to confirm the connection. Type yes and press Enter to confirm the remote server identification on the local machine.
3. Provide the password when prompted and press Enter. The screen does not display characters as you are typing.
A digital signature ECDSA key fingerprint helps authenticate the machine and establishes a connection to the remote server.
If the computer you are trying to connect to is on the same network, then it is best to use a private IP address instead of a public IP address.
Note: Learn about the differences between a private and public IP address and the roles of each.
Additionally, ensure the correct TCP port listens for connection requests and that port forwarding settings are correct. The default port number is 22 unless the configuration has been changed. You may also append the port number after the host IP address.
When using a port number, the following two examples are valid:
ssh [username]@[host_ip_address]:[port]ssh [username]@[host_ip_address] -p [port]If there are any issues connecting to the remote server, make sure that:
- The IP address of the remote machine is correct.
- The port the SSH daemon is listening to is not blocked by a firewall or forwarded incorrectly.
- The username and password are correct.
- The SSH software is installed correctly.
Note: If SSH responds with a message "Connection refused", please refer to our article How To Fix The SSH "Connection Refused" Error for possible reasons and solutions.
SSH Further Steps
After establishing a connection to your server using SSH, there are additional steps to improve SSH security. Default values should always be changed; not changing them leaves a server vulnerable to attacks. Some of the suggestions require editing the SSH configuration file.
Below is a list of practical steps to secure the SSH connection:
Change the Default TCP Listening Port
Instead of using the default port 22, try a higher number. Avoid using a port number that is easy to guess, such as 222, 2222, or 22222.
Use SSH Key Pairs for Authentication
Passwordless SSH login is safer and allows logging in without using an SSH key pair (which is faster and more convenient).
Disable Password-Based Logins on Your Server
If your password gets cracked, this will eliminate the possibility of using it to log into your servers. Before you turn off the option to log in using passwords, ensure that authentication using key pairs works.
Disable Root Access
Removing default root access to your server makes accessing the root account harder for unwanted solicitors. Instead, use a regular account with the su - command to switch to a root user.
Use TCP Wrappers
TCP wrappers enable restricting access to specific IP addresses or hostnames. Configure which host can connect by editing the /etc/hosts.allow and /etc/hosts.deny files. Note that the first file has higher authorization than the second.
For example, to allow SSH access to a single host, first deny all hosts by adding these two lines in the /etc/hosts.deny file:
sshd : ALLALL : ALL
Then, in the /etc/hosts.allow file, add a line with the allowed hosts for the SSH service:
sshd : 10.10.0.5, LOCAL
The host can be an IP address, an IP range, or a hostname.
Secure Login Information and Employ Multilayer Security
Use different methods to limit SSH access to your servers, or use services that block anyone using brute force to gain access. Fail2ban is one example of such a service.
VNC Over SSH
In a Virtual Network Computing (VNC) environment, it is possible to encrypt connections using SSH tunneling via the ssh command and through PuTTY.
To tunnel VNC connections over SSH, run the following command in the command line/terminal:
ssh -L [local_address]:[local_port]:[VNC_server_address]:[VNC_server_port] -N -f -l [username] [hostname_or_IP]The command does the following:
ssh. Starts the SSH client program on your local machine and enables secure connection to the SSH server on a remote computer.-L [local_address]:[local_port]:[VNC_server_address]:[VNC_server_port]. The local address and port for the client on the local machine are to be forwarded to the specified server host and port of the remote machine.-N. Forwards ports without executing a remote command.-f. Sends SSH to the background after the password is provided. This allows typing commands in the local terminal.-l [username]. The username for connecting to the SSH server.[hostname_or_IP]. The hostname or IP of the SSH server.
You can also connect to a remote server via SSH tunnel using PuTTY. In the PuTTY configuration window, do the following:
1. Go to Connection -> SSH -> Tunnels.
2. Type in the source port number in the Source port field.
3. Type the VNC server address and port in the Destination field.
4. Start the SSH session as you normally would.
5. Connect to your server with a VNC client of your choice.
Conclusion
You should now be able to connect to a remote server with SSH. There are many other methods to establish a connection between two remote computers, but the ones covered here are most common and secure.
Next, see how to mount a remote file system using SSH with the SSHFS client.
As an enthusiast with a deep understanding of SSH (Secure Shell) and its applications, let me provide you with comprehensive insights into the concepts discussed in the article.
SSH Overview: SSH, or Secure Shell, is a cryptographic protocol designed for secure communication over an unsecured network. It plays a crucial role in managing remote systems, facilitating secure connections, file transfers, and command execution on remote machines.
Purpose of SSH: The primary purpose of SSH is to establish a secure connection between a client and a server. This secure connection allows system and network administrators to manage remote servers and machines securely. SSH is widely used by anyone who needs to remotely manage a computer in a highly secure manner.
SSH vs. SFTP: While SSH and SFTP (Secure File Transfer Protocol) are sometimes conflated, it's crucial to recognize their unique roles. SSH is a protocol for secure connections, whereas SFTP is specifically designed for secure file transfers. Understanding the distinctions between the two is essential for effective system administration.
How SSH Works: SSH works through a series of steps, involving client-side and server-side components:
- Client-side component: Initiates the connection using remote host information.
- Server-side component: Listens on a specific TCP/IP port for client connection requests.
- Key exchange: Involves the exchange of cryptographic keys to establish a secure communication channel.
- Authentication: The client provides identification data (username/password or SSH keys) to the server, and if credentials are correct, an encrypted communication session is established.
Enabling SSH Connection: The article provides detailed steps for enabling SSH connections on different operating systems:
- Mac: Checking SSH version, installing OpenSSH using Homebrew, and enabling remote login.
- Linux: Installing OpenSSH on both client and server machines.
- Windows: Enabling OpenSSH via system settings or installing PuTTY.
Connecting via SSH:
After setting up the SSH client and server, connecting to a remote server involves running the ssh command with the username and host IP address. The article emphasizes checking for correct IP addresses, firewall settings, and SSH software installation.
SSH Security Best Practices: The article outlines crucial steps to enhance SSH security:
- Changing the default TCP listening port.
- Using SSH key pairs for authentication.
- Disabling password-based logins.
- Disabling root access and using a regular account.
- Implementing TCP wrappers to restrict access based on IP addresses.
- Employing multi-layer security and monitoring tools like Fail2ban.
VNC Over SSH: The article introduces tunneling VNC connections over SSH, enhancing the security of Virtual Network Computing environments. It provides command-line instructions and details on configuring PuTTY for this purpose.
Conclusion: The comprehensive guide concludes with the assurance that readers should now be able to connect to a remote server securely using SSH. It hints at further topics, such as mounting a remote file system using SSH with the SSHFS client, suggesting a continued exploration of secure remote management techniques.
In summary, this article serves as a valuable resource for individuals seeking to understand, implement, and optimize SSH connections for secure remote server management across various operating systems.
