Linux & PowerShell: Connecting to Server via SSH
Here we will learn how to connect to a remote host via OpenSSH, both with password authentication and key pair authentication. We will show you how to connect via SSH using PowerShell in Windows, but the procedure for connecting via a Linux terminal will be similar.
A password connection is a less secure solution than a passphrase protected key pair connection. For better security, we recommend disabling the ability to connect to the server by password after initial server configuration, after transferring the public key to the server and after you have successfully verified the ability to connect to the server using the private key.
Prerequisites
Client Requirements:
1. The client system must have access to a terminal if it is based on Linux, or have PowerShell installed if it is based on Windows. Instructions for installing PowerShell can be found in the guide "Installing PowerShell on Windows".
2. The client system must have OpenSSH Client installed. The installation process for OpenSSH Client is described in the section "Installing OpenSSH Client".
3. The client system must store the private key of a key pair, with the public key of that pair located on the server you are connecting to. Instructions for creating a key pair and copying the public key to the server are provided in the sections "Creating Key Pair" and "Copying Public Keys".
Server Requirements:
1. The server system must have OpenSSH Server installed. The installation process for OpenSSH Server is described in the section "Installing OpenSSH Server".
2. You must know the username and password of the server user account that will be used to connect from the remote client, such as the root user. The process for creating a new user is described in the section "Linux: Creating New User".
3. The server system’s authorized keys list must contain the public key that is part of the key pair, with the private key stored on the client system. Instructions for creating a key pair and copying the public key to the server are provided in the sections "Creating Key Pair" and "Copying Public Keys".
Connection with private key authentication
The primary way to connect to a remote host using OpenSSH is through a key pair connection.
To connect to a host using a key pair, use the following command:
ssh -i <path_to_private_key> <user_name>@<server_ip> [-p <port>]
where:
- <path_to_private_key> - Path to the private key of the key pair. How to create a key pair is described in the "Creating Key Pair" section. By default, key pairs are created in the following folders: in Linux: /home/<username>/.ssh/; in Windows: C:\Users\<username>\.ssh\; in macOS: /Users/<username>/.ssh/.
- <user_name> - The name you used when creating a new user on the server. How to create a new user is described in the section "Creating New User". You can also use the root user for connection, whose password is specified in the Password field of the "Instance Details" section of the Peerobyte virtual machine or server control panel.
- <server_ip> - The IP address of the virtual machine or server that is specified in the Main IP Address field of the "Public Network IPv4" section of the Peerobyte virtual machine or server control panel.
- [-p <port>] - The port number for SSH connection. This parameter is optional and applies only if the default port for SSH connection is changed in the server settings.
For example, an ssh command to connect using a private key might look like this:
ssh -i d:/test/mykey2 myuser2@203.0.113.12 -p 64743
This command will establish an SSH connection to the host at IP address 203.0.113.12. During the connection process, the passphrase of the mykey2 private key located in the d:/test/ folder will be requested, if such a passphrase has been set. Successful verification of the private and public keys will provide remote access to the server with the user myuser2. The connection will be established through TCP port 64743.
Connection with Password Authentication
With OpenSSH, you can connect to a remote server by user password without using a key pair.
Use the following command to connect by password:
ssh <user_name>@<server_ip> [-p <port>]
where:
- <user_name> - The name you used when creating a new user on the server. How to create a key pair is described in the "Creating Key Pair" section. You can also use the root user for connection, whose password is specified in the Password field of the "Instance Details" section of the Peerobyte virtual machine or server control panel.
- <server_ip> - The IP address of the virtual machine or server that is specified in the Main IP Address field of the "Public Network IPv4" section of the Peerobyte virtual machine or server control panel.
- [-p <port>] - The port number for SSH connection. This parameter is optional and applies only if the default port for SSH connection is changed in the server settings.
For example, an ssh command to connect by password might look like this:
ssh myuser2@203.0.113.12
This command will establish an SSH connection to a server that has an IP address of 203.0.113.12. Once the connection to the server is established, the password for the user myuser2 will be requested. If the password is correctly entered, remote access to the server will be granted on behalf of the user myuser2. The default TCP port 22 used for SSH will be used for the connection.
Possible Connection Issues
First-Time SSH Connection Warning
If this is the first time you are connecting to a host via SSH, you will see a similar message:
The authenticity of host '203.0.113.12 (203.0.113.12)' can't be established.
ECDSA key fingerprint is SHA256:tXw8aipPPyyL4KBAjTtBvHU7K//HzkXuTtdLij2yJ2U.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
It indicates that your system does not know the host you want to connect to. This is a standard precaution to make sure you are not connecting to a fake or malicious server. Confirm your intention to connect to the host by typing yes on your keyboard and pressing Enter.
Host Key Fingerprint Mismatch Alert
You may also encounter this message when trying to connect to the host:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
4e:10:78:39:a6:cd:11:10:3a:cd:1b:a2:91:cd:e5:5c.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending key in /home/user/.ssh/known_hosts:1
RSA host key for 203.0.113.12 has changed and you have requested strict checking.
Host key verification failed.
This message indicates that the remote host's fingerprint saved in your known_hosts file no longer matches the fingerprint presented by the host when attempting to connect. This can be caused by legitimate changes on the server, such as after reinstalling the operating system or changing security settings.
There is also a risk of a "man-in-the-middle" attack, where an attacker could intercept or alter the data. This is a serious security threat.
If the host key change is confirmed to be legitimate, you need to remove the old, outdated fingerprint entry from the known_hosts file on the client system. The offending key entry is indicated in the message as Offending key. The path to the known_hosts file is also provided in the message. If you do not connect to other hosts, you can delete the entire known_hosts file; it will be recreated on the next successful connection. After deleting the known_hosts file or the specific offending key, retry the connection; the error should not appear.
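Removing only the entry named in the warning keeps the pinned keys of every other host, and it works for hashed known_hosts entries because it goes by line number. The following is an added example, not part of the original guide; the function name remove_offending_key is an assumption made for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide). The function name is illustrative.

# remove_offending_key "SSH WARNING TEXT"
# Reads the "Offending key in FILE:LINE" hint from the warning, copies FILE to
# FILE.old, deletes only that line, and prints the removed entry so it can be
# reviewed. Returns non-zero without touching anything if the hint is missing
# or does not point at an existing line.
remove_offending_key() {
    # Accepts "Offending key in F:N" and the "Offending RSA key in F:N" variant.
    hint=$(printf '%s\n' "$1" |
        sed -n 's/^Offending \([A-Za-z0-9]* \)\{0,1\}key in \(.*\):\([0-9][0-9]*\)[[:space:]]*$/\2 \3/p' |
        head -n 1)
    [ -n "$hint" ] || { echo "no offending-key hint in message" >&2; return 1; }
    file=${hint% *}      # everything before the last space
    line=${hint##* }     # the line number after it
    [ -f "$file" ] || { echo "not found: $file" >&2; return 1; }
    total=$(awk 'END { print NR }' "$file")
    if [ "$line" -lt 1 ] || [ "$line" -gt "$total" ]; then
        echo "line $line is outside $file ($total lines)" >&2
        return 1
    fi
    cp -p "$file" "$file.old" || return 1
    sed -n "${line}p" "$file.old"          # show the entry being dropped
    sed "${line}d" "$file.old" > "$file"   # rewrite the file without it
}
```

OpenSSH's own `ssh-keygen -R <host>` does the equivalent by host name and also leaves a known_hosts.old backup.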
Additional
Disabling Password SSH Access
Once you have been able to connect to the server using a private key, it is recommended to disable password authentication. This significantly enhances security, as the key pair is a more reliable protection against unauthorized access compared to traditional password authentication.
Before disabling password authentication, ensure that:
- You can successfully connect to the server using a private key.
- You have a backup copy of your private key in secure storage.
Steps to Disable Password Authentication:
1. Connect to the server using your private key.
2. Open the server's SSH configuration file (sshd_config) for editing:
editor /etc/ssh/sshd_config
3. Find the line with the parameter PasswordAuthentication, set its value to no. If necessary, uncomment the line so that it reads as follows:
PasswordAuthentication no
4. Save the changes in the file and close the editor, for example, as follows:
- In Nano editor:
I. Press Ctrl+O to save changes.
II. Confirm the file name by pressing Enter.
III. Close the editor by pressing Ctrl+X.
- In Vi or Vim editor:
I. Press Esc to exit insert mode.
II. Type :wq and press Enter to save changes and exit the editor.
5. Before restarting the SSH service on the server, verify its configuration with the command:
sshd -t
If the command prints no messages, no errors were found. If error messages appear, fix the errors before restarting the service or closing your connection to the server, and then check the configuration again.
6. Restart the SSH service on the server to apply the changes:
service sshd restart
After the service restarts, the changes will take effect.
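The edit from step 3 can be scripted so that it also covers what a manual edit tends to miss: a commented-out default, a second active line, and Match blocks that must stay as they are. This is an added example, not part of the original guide; the function name set_password_auth_no is an assumption, and the check and restart commands in the closing comment are the ones from steps 5 and 6.

```shell
#!/bin/sh
# Added example (not from the original guide). The function name is illustrative.

# set_password_auth_no FILE
# - rewrites the first global PasswordAuthentication line (commented or active)
#   to "PasswordAuthentication no"
# - comments out later active duplicates in the global section
# - leaves Match blocks untouched
# - inserts the directive before the first Match block (or at end of file)
#   when the global section has none
# The original is kept as FILE.bak.
set_password_auth_no() {
    cfg=$1
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    cp -p "$cfg" "$cfg.bak" || return 1
    awk '
        function emit() { if (!done) { print "PasswordAuthentication no"; done = 1 } }
        # Everything after the first Match line belongs to conditional blocks.
        !in_match && tolower($0) ~ /^[ \t]*match[ \t]/ { emit(); in_match = 1 }
        !in_match && tolower($0) ~ /^[ \t]*#?[ \t]*passwordauthentication[ \t=]+(yes|no)([ \t]|$)/ {
            if (!done) emit()
            else if ($0 ~ /^[ \t]*#/) print          # already a comment
            else print "# " $0                       # disable active duplicate
            next
        }
        { print }
        END { emit() }
    ' "$cfg.bak" > "$cfg"
}

# On the server, mirroring steps 3, 5 and 6 (run as root):
#   set_password_auth_no /etc/ssh/sshd_config && sshd -t && service sshd restart
```

sshd uses the first value it reads for a keyword, so running `sshd -T | grep -i passwordauthentication` afterwards confirms that no included file overrides the setting.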
More about the ssh command
You can learn more about the syntax of the ssh command and its full functionality in the "SSH Command Usage Guide".