How to SSH into a Server: A Comprehensive Guide

Updated on April 15, 2024

By Justin Ellingwood and Anish Singh Walia

Introduction

For anyone working with servers, especially system administrators, mastering SSH is indispensable. SSH, short for Secure Shell, is a cryptographic network protocol that enables secure connections to remote systems over an unsecured network. It’s the backbone of remote server management, particularly for Linux-based servers.

This guide will provide a detailed walkthrough on how to use SSH to connect to a remote server, covering everything from basic connection syntax to advanced configuration and security practices. Whether you’re a beginner or looking to deepen your understanding, this tutorial will equip you with the knowledge to effectively utilize SSH.

Core Syntax of SSH Command

The fundamental command for initiating an SSH connection is ssh.

For Windows users, OpenSSH might not be installed by default. To use ssh from your terminal, you’ll need to install an OpenSSH client. Microsoft provides documentation on how to add OpenSSH to PowerShell. Alternatively, for a more comprehensive Linux-like environment, you can set up WSL (Windows Subsystem for Linux), which includes ssh pre-installed. A lighter option is Git for Windows, which offers a Bash terminal environment including the ssh command. Choose the method that best suits your workflow.

macOS and Linux users will find the ssh command readily available in their terminal.

The simplest form of the SSH command is as follows:

ssh <remote_host>

Here, <remote_host> refers to the target server’s IP address or domain name.

This command assumes your username on the remote server is identical to your local username. If they differ, specify the remote username using this syntax:

ssh <remote_username>@<remote_host>

Upon establishing a connection, you’ll likely be prompted for a password to authenticate your identity. Later, we will explore setting up SSH keys for passwordless authentication, enhancing both convenience and security.

To terminate the SSH session and return to your local shell, simply type:

exit

Understanding How SSH Works

SSH operates by establishing a secure connection between a client program and an SSH server, known as sshd.

In the commands mentioned above, ssh is the client program initiating the connection. The SSH server (sshd) is expected to be running and listening for connections on the <remote_host>.

In most Linux distributions, the sshd server is configured to start automatically upon system boot. However, if the SSH server isn’t running, you might need to access your server through a web-based console provided by your hosting provider or a local serial console to start it.

The command to start the SSH server varies depending on your Linux distribution. On Ubuntu, you can start the SSH server using:

sudo systemctl start ssh

This command should initiate the sshd server, allowing you to connect remotely.

SSH Configuration: Customizing Your Server

Modifying SSH configuration involves adjusting the settings of the sshd server.

On Ubuntu systems, the primary configuration file for sshd is located at /etc/ssh/sshd_config.

Before making any changes, it’s crucial to back up the original configuration file:

sudo cp /etc/ssh/sshd_config{,.bak}

Now, open the configuration file using nano or your preferred text editor:

sudo nano /etc/ssh/sshd_config

While most default options should remain untouched, certain settings are worth reviewing and potentially modifying for security or specific needs.

Port 22

The Port directive specifies the port number on which the sshd server listens for incoming connections. The default port is 22. It is generally recommended to keep this default unless you have a strong reason to change it; changing the SSH port offers only a slight security benefit through obscurity. If you decide to change the port, remember to specify it during client connection, as we’ll discuss later.

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

These HostKey declarations point to the locations of the server’s host keys. Host keys are crucial for verifying the server’s identity and preventing man-in-the-middle attacks.

SyslogFacility AUTH
LogLevel INFO

These settings control the logging behavior of SSH. SyslogFacility specifies the system logging facility used for SSH logs, and LogLevel defines the verbosity of the logs. If you encounter SSH connection issues, increasing the LogLevel to DEBUG temporarily can provide more detailed information for troubleshooting.

LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

These parameters govern login-related aspects.

LoginGraceTime sets the maximum number of seconds the server waits for a successful login attempt after a connection is established. Adjust this value if you routinely need more time to log in.

PermitRootLogin determines whether direct root login is allowed. For enhanced security, it is highly recommended to set this to no. Instead, create a regular user account with sudo privileges and use SSH to log in with that account. You can then escalate to root privileges using sudo after login.

StrictModes is a security feature that ensures proper file permissions on the user’s .ssh directory and authorized_keys file. It prevents logins if these files have overly permissive permissions, which could indicate a security risk.

X11Forwarding yes
X11DisplayOffset 10

These options configure X11 Forwarding, which allows you to run graphical applications on the remote server and display their windows on your local machine securely over the SSH connection. To use X11 forwarding, it must be enabled on both the server and client side (using the -X or -Y flag with the ssh command).

After making your desired changes to /etc/ssh/sshd_config, save the file and exit the text editor. If using nano, press Ctrl+X, then Y, and finally Enter.

For the configuration changes to take effect, you need to reload the sshd server:

sudo systemctl reload ssh

It is essential to test your changes thoroughly to ensure they function as expected and haven’t inadvertently locked you out of your server. Keeping a separate, active SSH session open during configuration changes is a good practice, allowing you to revert changes quickly if necessary.

Secure Passwordless Login with SSH Keys

While password-based SSH login is functional, using key-based authentication offers significant advantages in terms of both security and convenience. SSH keys enable passwordless logins and are more secure against brute-force attacks.

How Key-Based Authentication Enhances Security

Key-based authentication relies on cryptographic key pairs: a private key and a public key.

The private key is stored securely on your client machine and must be kept secret. Think of it as your digital secret key.

The public key is designed to be shared and can be placed on any server you want to access. It’s derived from the private key but cannot be used to deduce the private key.

When you attempt to connect to a server using SSH keys, the server uses the public key to generate a challenge that only your private key can correctly respond to. If the response is valid, the server authenticates you without requiring a password.

This entire process is handled automatically by SSH once keys are correctly set up.

Generating SSH Key Pairs

SSH keys are generated on the client machine—the computer you’ll be connecting from.

Open your terminal and execute the following command:

ssh-keygen -t rsa

You’ll be prompted to choose a location to save the keys (the default is usually fine) and optionally set a passphrase to protect the private key itself. While a passphrase adds an extra layer of security, it’s often skipped for convenience. If you choose not to use a passphrase, simply press Enter when prompted.

Your key pair will be generated, typically creating two files in the .ssh directory within your user’s home directory: id_rsa (the private key) and id_rsa.pub (the public key).

Navigate to the .ssh directory:

cd ~/.ssh

List the files and their permissions:

ls -l

You’ll notice that id_rsa (private key) has very restrictive permissions (readable and writable only by the owner), ensuring its secrecy. id_rsa.pub (public key) has more open permissions as it’s meant to be shared.

Transferring Your Public Key to the Remote Server

If you currently access your server using password authentication, you can easily copy your public key to it using the ssh-copy-id command:

ssh-copy-id <remote_host>

This command initiates an SSH connection to the <remote_host>. After you enter your password, it appends your public key to the authorized_keys file on the server, which is located in the .ssh directory within your user’s home directory on the server. This action enables passwordless SSH login from your client machine in the future.
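
The permission rules described for StrictModes and for the key files can be checked directly. The script below is an added example, not part of the original guide; its function names and the sample directory are constructed for illustration, and it looks at mode bits only (sshd also checks ownership).

```shell
#!/bin/sh
# Added example: find the permission problems that StrictModes (server)
# and the ssh client's private-key check exist to catch.
# Assumption: only mode bits are examined; sshd also checks ownership.

perm_bits() { ls -ld -- "$1" | cut -c1-10; }      # e.g. drwx------

writable_by_others() {     # group or world may write to $1
    case "$(perm_bits "$1" | cut -c6,9)" in *w*) return 0 ;; esac
    return 1
}

open_to_others() {         # group or world have any access to $1
    [ "$(perm_bits "$1" | cut -c5-10)" != "------" ]
}

check_ssh_dir() {          # usage: check_ssh_dir <path to .ssh>
    dir=$1
    if writable_by_others "$dir"; then
        echo "FAIL directory writable by others: $dir"
    fi
    if [ -f "$dir/authorized_keys" ] && writable_by_others "$dir/authorized_keys"; then
        echo "FAIL authorized_keys writable by others"
    fi
    for pub in "$dir"/*.pub; do
        key=${pub%.pub}                    # id_rsa.pub -> id_rsa
        if [ -f "$key" ] && open_to_others "$key"; then
            echo "FAIL private key accessible to others: $key"
        fi
    done
    return 0
}

make_sample_tree() {       # constructed layout with empty placeholder files
    mkdir -p "$1/.ssh"
    : > "$1/.ssh/authorized_keys"; : > "$1/.ssh/id_rsa"; : > "$1/.ssh/id_rsa.pub"
    chmod 775 "$1/.ssh"
    chmod 664 "$1/.ssh/authorized_keys"
    chmod 644 "$1/.ssh/id_rsa" "$1/.ssh/id_rsa.pub"
}

home=$(mktemp -d)
make_sample_tree "$home"
check_ssh_dir "$home/.ssh"                 # three FAIL lines
chmod 700 "$home/.ssh"
chmod 600 "$home/.ssh/authorized_keys" "$home/.ssh/id_rsa"
check_ssh_dir "$home/.ssh"                 # no output once fixed
rm -rf "$home"
```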

SSH Client Options: Tailoring Your Connection

The ssh command supports various command-line options to customize your connection behavior.

For instance, if you modified the default SSH port on the server, you need to specify the custom port during connection using the -p option:

ssh -p <port_number> <remote_host>

Note: Changing the default SSH port (port 22) is a form of security through obscurity. While not a robust security measure on its own, it can reduce automated brute-force password attempts, especially when combined with key-based authentication. For internet-facing servers, using key-based authentication and a non-standard SSH port can be considered a basic security hardening step.

To execute a single command on the remote server without opening an interactive shell, you can append the command after the <remote_host>:

ssh <remote_host> <command_to_run>

This will connect to the server, authenticate you, execute the specified <command_to_run>, and then close the connection.

To enable X11 forwarding (if configured on both client and server), use the -X option:

ssh -X <remote_host>

Provided you have an X server running on your local machine, graphical applications launched on the remote server will display their windows on your local desktop.

Disabling Password Authentication for Enhanced Security

Once you’ve successfully set up SSH key-based authentication, a significant security improvement is to disable password-based authentication altogether. This further hardens your server against brute-force attacks, as the only way to log in (besides the server console) will be using a valid private key corresponding to an authorized public key on the server.

Warning: Before proceeding, ensure you have successfully configured and tested SSH key-based authentication. Disabling password authentication without working SSH keys will lock you out of your server!

As root or a user with sudo privileges, open the sshd configuration file:

sudo nano /etc/ssh/sshd_config

Locate the PasswordAuthentication line. It might be commented out (preceded by a #). Uncomment it by removing the # and change its value to no:

PasswordAuthentication no

Also, ensure that PubkeyAuthentication is set to yes and ChallengeResponseAuthentication is set to no. These are typically the default settings:

PubkeyAuthentication yes
ChallengeResponseAuthentication no

Save the changes and close the file.

Reload the SSH daemon to apply the new configuration:

sudo systemctl reload ssh

Password authentication is now disabled. Your server will only accept SSH logins via key-based authentication.
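
To confirm which values sshd will actually take for the directives discussed in the configuration section and in the steps above, the script below (an added example, not part of the original guide) reports the global value for each one, following sshd's rule that the first value read for a keyword wins. The function names and the sample file are constructed for illustration, and Include files are not followed.

```shell
#!/bin/sh
# Added example: sshd keeps the FIRST value it reads per keyword, ignores keyword
# case, and treats lines after "Match" as conditional. Include files: not followed.

effective_value() {            # usage: effective_value <file> <Keyword>
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # comment or blank line
        {
            sub(/^[ \t]+/, "")                 # drop leading indentation
            split($0, f, /[ \t=]+/)            # "Key value" or "Key=value"
            key = tolower(f[1])
            if (key == "match") exit           # global section ends here
            if (key == want) { print tolower(f[2]); exit }
        }' "$1"
}

audit_sshd_config() {          # usage: audit_sshd_config <file>
    while read -r keyword wanted; do
        value=$(effective_value "$1" "$keyword")
        if [ -z "$value" ]; then
            echo "UNSET $keyword (build default applies; guide wants $wanted)"
        elif [ "$value" = "$wanted" ]; then
            echo "OK    $keyword $value"
        else
            echo "WEAK  $keyword $value (guide wants $wanted)"
        fi
    done <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
EOF
}

write_sample_config() {        # constructed sample, not from a real host
    cat > "$1" <<'EOF'
Port 22
#PasswordAuthentication no
permitrootlogin yes
PermitRootLogin no
PubkeyAuthentication=yes
Match User deploy
    PasswordAuthentication no
EOF
}

sample=$(mktemp); write_sample_config "$sample"
audit_sshd_config "$sample"; rm -f "$sample"
```

On a live server, `sudo sshd -t` checks the file for syntax errors before the reload, and `sudo sshd -T` prints the effective settings with defaults filled in.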

Conclusion

Becoming proficient with SSH is an invaluable skill for anyone managing servers or working in cloud environments. As you explore its features, you’ll discover advanced functionalities that streamline your workflows and enhance security. SSH’s enduring popularity stems from its security, efficiency, and versatility in a wide range of scenarios.

To further expand your command-line server management skills, consider learning about SFTP (Secure File Transfer Protocol) for secure file transfers.

Category: Tutorial

Tags: Linux Basics, Security, Ubuntu, Networking, System Tools
