SSH is by default configured to allow password login. You can disable password authentication if you’re in favour of public key authentication by following these steps;
SSH server is configured to not allow
root login mainly due to security and audit reason. You can disallow
root login to your server with these simple steps;
You can login to an
SSH server without password by using public key authentication via these steps;
SSHkey pair. Make sure to not set any passphrase for the key pair
SSHpublic key to the server
You will no longer be prompted for password the next time you log in to the server.
You can easily create an
SSH key pair by using
ssh-keygen as in the following example.
$ ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/home/user/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user/.ssh/id_rsa. Your public key has been saved in /home/user/.ssh/id_rsa.pub. The key fingerprint is: 1a:6c:a4:94:df:e0:19:ec:85:b0:3f:27:e4:a1:de:65 [email protected] The key's randomart image is: +--[ RSA 2048]----+ | | | . | | o E | | O o | | c @ S | | o A @ | | . E . | | . = | | . | +-----------------+
There are a few things that you might want need to take note;
RSAkey pair will be generated by default. You can use different key type by using
-toption and specify any of the supported key types
dsa ecdsa ed25519 rsa rsa1
~/.ssh/id_rsawhile the public key will be stored in
~/.ssh/id_rsa.pub. You can specify other location when prompted during the key generation process if you already have a key pair at the default location
You can make your
SSH server to run on multiple ports by adding more of the
Port options in your
SSHd the configuration file.
For example, having these lines in
/etc/ssh/sshd_config will make the
SSH server to run on both port 22 and 2222.
Port 22 Port 2222
You’ll need to reboot your
SSH server after making the change.
Ubuntu 16.10 and later, RedHat/CentOS 7 and later, fedora and other platform with
sudo systemctl restart sshd.service
Older platforms with
System V init scripts
sudo /etc/init.d/sshd restart
service command. Normally a wrapper to
System V init scripts or
sudo service ssh restart
SSH by default will check and keep key fingerprint of all the hosts you’ve connected to in
~/.ssh/known_hosts. You’ll get the following warning if the fingerprint changed from the last time you’ve connected to the host;
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. The fingerprint for the RSA key sent by the remote host is 11:5b:16:56:a5:cd:9b:1e:11:aa:2b:1c:a2:91:cd:a2. Please contact your system administrator. Add correct host key in /home/user/.ssh/known_hosts to get rid of this message. Offending key in /home/user/.ssh/known_hosts:1 RSA host key for docs.oseems.com has changed and you have requested strict checking. Host key verification failed.
You can fix the problem by whether disabling the key check, or have the right key in your
The check is done for security reason. Proceed only if you know exactly what you’re into.
SSHd is by default configured to perform
DNS Lookup everytime you connect to the server. This is especially true for
Red Hat and could significantly increase login time.
Specifies whether sshd(8) should look up the remote host name
and check that the resolved host name for the remote IP address
maps back to the very same IP address. The default is “yes”.
To fix this you’ll have to disable the
UseDNS option on the server via the following steps;
SSHd config file.
UseDNSand set the value to
SSH SOCKS proxy is one of the way to have a secure tunnel for web browsing. It’s comes handy when we need to do secure browsing in a public network such as in a public WiFi environment, as the traffic between our host and the proxy is encrypted .
For this to work, we need to have an SSH server somewhere that we want to tunnel our traffic to, and an SSH client at our host.
Creating an SSH SOCKS tunnel is as simple as running the following command;
$ ssh -D 8080 [email protected]
The following command assumes we have a user account with the username user at the server with the address
8080 is our local port to be used for the tunnel.
The next step is to configure your applications to use the proxy you have just created.
This method is used to run X11 (GUI based) programs in remote machine, and output the display to the local machine. The purpose is almost similar to VNC and such, though they are technologically very different.
To use this feature, simply add the
-X option when running SSH. Below is a sample SSH command.
ssh -X [email protected]
To execute a program on the remote machine and output the display locally, just type the program name at the terminal and you sould get the forwarded display on your desktop.
If it fails, set the these options in the remote machine’s
/etc/ssh/sshd_config as the following and then restart the SSH service;
If it still doesn’t work, try to check your local machine’s
/etc/ssh/ssh_config and set these option as the following;
If you get permission error, run the following command at you terminal;