One of the most attractive features of Linux is the ability to skillfully use a computer with nothing but commands entered on the keyboard, and better yet, be able to do so on computers anywhere in the world. Thanks to OpenSSH, POSIX users can open a secure shell on any computer they have permission to access and use from a remote location. It’s a daily task for many Linux users, but it can be confusing for someone who hasn’t tried it yet. This article explains how to configure two computers for Secure Shell (SSH) connections and how to securely connect to each other without a password.
When talking about more than one computer, it can be confusing to identify one from the other. The IT community has well-established terms to help clarify descriptions of the networking process of computers.
- Service: A service is software that runs in the background so that it can be used by computers other than the one it is installed on. For example, a web server hosts a web sharing service. The term implies (but does not insist) that it is software without a graphical interface.
- Host: A host is any computer. In IT, computers are called hosts because technically any computer can host an application that is useful to another computer. You may not think of your laptop as a “host,” but chances are you’re running some service that’s useful to you, your mobile, or some other computer.
- Local: The local computer is the one you or some software is using. Each computer refers to itself as localhost, for example.
- Remote: A remote computer is one that you are not physically in front of or physically using. It is a computer in a remote location.
Now that the terminology is settled, you can get started.
Enable SSH on each host
For two computers to connect via SSH, each host must have SSH installed. SSH has two components: the command you use on your local machine to initiate a connection and a server to accept incoming connection requests. Some computers come with one or both SSH parts already installed. The commands to check whether you have both the command and the server installed vary depending on your system, so the easiest method is to look for the relevant configuration files:
$ file /etc/ssh/ssh_config
/etc/ssh/ssh_config: ASCII text
If this returns a No such file or directory error, then you do not have the SSH command installed.
Do a similar check for the SSH service (note the d in the file name):
$ file /etc/ssh/sshd_config
/etc/ssh/sshd_config: ASCII text
Install one or the other, as needed:
$ sudo dnf install openssh-clients openssh-server
On the remote computer, enable the SSH service with systemd:
$ sudo systemctl enable --now sshd
Alternatively, you can enable the SSH service from System Settings in GNOME or System Preferences in macOS. On the GNOME desktop, it is located in the Sharing pane.
Start a secure shell
Now that you’ve installed and enabled SSH on the remote computer, you can try logging in with a password as a test. To access the remote computer, you must have a user account and password.
Your remote user does not have to be the same as your local user. You can log in as any user on the remote machine as long as you have that user’s password. For example, I’m sethkenlon on my work computer, but I’m seth on my personal computer. If I am on my personal computer (making it my current local machine) and I want to SSH into my work computer, I can do so by identifying myself as sethkenlon and using my work password.
To SSH into the remote computer, you need to know its Internet Protocol (IP) address or its resolvable hostname. To find the IP address of the remote machine, use the ip command (on the remote computer):
$ ip addr show | grep "inet "
inet 127.0.0.1/8 scope host lo
inet 10.1.1.5/27 brd 10.1.1.31 […]
If the remote computer does not have the ip command, try ifconfig instead (or even ipconfig in Windows).
The address 127.0.0.1 is special and is, in fact, the address of localhost. It is a “loopback” address, which your system uses to reach itself. That’s not useful when logging into a remote machine, so in this example, the correct IP address of the remote computer is 10.1.1.5. In real life, I would know because my local network uses the 10.1.1.0 subnet. If the remote computer is on a different network, then the IP address could be almost anything (however, never 127.0.0.1), and some special routing is probably necessary to reach it through various firewalls. This article assumes your remote computer is on the same network, but if you’re interested in reaching computers more remote than your own network, read my article on opening ports on your firewall.
If you can ping the remote machine by its IP address or hostname, and you have a login account on it, then you can SSH into it:
$ ping -c1 10.1.1.5
PING 10.1.1.5 (10.1.1.5) 56(84) bytes of data.
64 bytes from 10.1.1.5: icmp_seq=1 ttl=64 time=4.66 ms
$ ping -c1 akiton.local
PING 10.1.1.5 (10.1.1.5) 56(84) bytes of data.
That’s a success. Now use SSH to log in:
$ whoami
seth
$ ssh sethkenlon@10.1.1.5
bash$ whoami
sethkenlon
The test login works, so now you’re ready to activate passwordless login.
Create an SSH key
To securely log on to another computer without a password, you must have an SSH key. You may already have an SSH key, but it doesn’t hurt to create a new one. An SSH key starts its life on your local machine. It consists of two components: a private key, which is never shared with anyone or anything, and a public key, which is copied to any remote machine you want to access without a password.
Some people create an SSH key and use it for everything from remote logins to GitLab authentication. However, I use different keys for different task groups. For example, I use one key at home to authenticate to local machines, a different key to authenticate to web servers I maintain, a separate one for Git hosts, another for Git repositories I host, and so on. In this example, I’ll create a unique key to use on computers within my local area network.
To create a new SSH key, use the ssh-keygen command:
$ ssh-keygen -t ed25519 -f ~/.ssh/lan
The -t option stands for type and ensures that the encryption used for the key is stronger than the default. The -f option stands for file and sets the file name and location of the key. You will be prompted to create a password for your SSH key, and you must create one. This means that you will have to enter a password when you use the key, but that password remains local and is not transmitted over the network. After running this command, you’re left with an SSH private key called lan and an SSH public key called lan.pub.
To get the public key onto your remote machine, use the ssh-copy-id command. For this to work, you need to verify that you have SSH access to the remote machine. If you cannot log on to the remote host with a password, you also cannot configure passwordless logon:
$ ssh-copy-id -i ~/.ssh/lan.pub sethkenlon@10.1.1.5
During this process, you will be prompted for your login password on the remote host.
If successful, try logging in again, but this time using the -i option to point the SSH command to the appropriate key (lan, in this example):
$ ssh -i ~/.ssh/lan sethkenlon@10.1.1.5
bash$ whoami
sethkenlon
Repeat this process for all computers on your network, and you’ll be able to wander through each host without having to think about passwords again. In fact, once you have set up passwordless authentication, you can edit the /etc/ssh/sshd_config file to disallow password authentication. This prevents anyone from using SSH to authenticate to a computer unless they have the private key. To do this, open /etc/ssh/sshd_config in a text editor with sudo permissions and look for the string PasswordAuthentication. Change the default line to this:
PasswordAuthentication no
Save it and restart the SSH server (or just reboot):
$ sudo systemctl restart sshd && echo "OK"
OK
$
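Editing the main file is not always enough: sshd uses the first value it obtains for each keyword, so a PasswordAuthentication yes in a file or line read earlier still wins. The script below is an added example, not part of the original article; it reports the value in effect for files listed in read order, using constructed sample files with hypothetical names.

```shell
#!/bin/sh
# Added example, not from the article. sshd_config(5): for each keyword the
# first obtained value is used, so an earlier file or line beats a later edit.

# first_value KEYWORD FILE...
# FILEs must be listed in the order sshd reads them (assumption: drop-ins
# named by an Include at the top of the main file, then the main file).
# Prints "value<TAB>file:line" for the first global setting, nothing if unset.
# Simplification: a Match block is skipped to the end of its file.
first_value() {
    key=$1; shift
    awk -v key="$key" '
        FNR == 1               { in_match = 0 }   # new file: global scope again
        NF == 0 || $1 ~ /^#/   { next }           # blank line or comment
        tolower($1) == "match" { in_match = 1 }   # conditional, not global
        in_match               { next }
        tolower($1) == tolower(key) {             # keywords are case-insensitive
            printf "%s\t%s:%d\n", $2, FILENAME, FNR
            exit
        }
    ' "$@"
}

# password_auth FILE...: effective global PasswordAuthentication value.
# sshd's built-in default is "yes" when no file sets it.
password_auth() {
    hit=$(first_value PasswordAuthentication "$@" | cut -f1)
    printf '%s\n' "${hit:-yes}"
}

# make_sample DIR: write constructed sample files (hypothetical names).
make_sample() {
    mkdir -p "$1/sshd_config.d"
    # Drop-in such as a provisioning tool might leave behind.
    printf 'PasswordAuthentication yes\n' > "$1/sshd_config.d/50-sample.conf"
    # Main file: Include first, then the article's edit further down.
    cat > "$1/sshd_config" <<'EOF'
Include sshd_config.d/*.conf
#PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
}

tmp=$(mktemp -d) && make_sample "$tmp"
echo "main file only: $(password_auth "$tmp/sshd_config")"
echo "in read order:  $(password_auth "$tmp"/sshd_config.d/*.conf "$tmp/sshd_config")"
rm -rf "$tmp"
```

On a real host, run sudo sshd -t before restarting to catch syntax errors, and sudo sshd -T | grep -i passwordauthentication to see the value the server actually uses.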
Using SSH every day
OpenSSH changes your view of computing. You are no longer tied only to the computer in front of you. With SSH, you have access to any computer in your home, or servers you have accounts on, and even mobile devices and the Internet of Things. Unlocking the power of SSH also unlocks the power of the Linux terminal. If you’re not using SSH every day, start now. Get comfortable with it, pick up some keys, live more safely, and expand your world.