SSH To Connect

SSH Access

You have a brand new server - naturally you want to log in.

Basic Mechanics

ssh root@45.55.209.211

I've spun up a Digital Ocean server, which gives us root access, so I log in using the user "root" and the IP address provided.

When I try to log in with the above, I get an error. Let's find out what's up by adding a few "v" flags (you can add up to 4 for various levels of verbose debugging output):

ssh -vvvv root@45.55.209.211

You can see the output in the video. The ssh command is trying to use all the various keys I happen to have. I have a lot, so it's going over the keys and reaching the max allowed attempts, as set by the server we're connecting to.

Since Digital Ocean gives me a password to log in with, we don't want it to check any SSH keys.

Let's tell it to NOT use public key authentication, which will let it fall back to password-based authentication (currently allowed by the remote server):

# Don't use public key authentication
ssh -o "PubkeyAuthentication no" root@45.55.209.211

The -o flag lets us add SSH options. We can see lots of options available when running the man ssh command.

SSH Key Access

SSH key access is more secure than using a password. Password-based authentication sends the password to the remote server. SSH key access, even when the key has a password, does not.

Note that you can set a password when creating an SSH keypair. If you use SSH key authentication with a password, you'll be protected in a few ways:

  1. You'll be using SSH keys (encrypted traffic, authentication based on having the correct private key)
  2. You'll have a password needed to use the SSH key (another layer of protection in case someone gets a hold of the SSH private key)
  3. Your server user will have their own password as well, often needed for running sudo commands, adding another layer of protection, assuming you disallow access to the root user

SSH key access is also a way to give access to one or more servers with the same set of credentials.

Let's create an SSH key on our local computer, which we'll use to connect to this server (and others!) in this video series.

cd ~/.ssh
ssh-keygen -t rsa -b 4096 -C "chris@serversforhackers.com" -f id_series

Create a password!

Next let's copy the public key to the remote server, into its authorized_keys file. Adding it to the remote server user's authorized_keys file authorizes our public/private key pair to be used to log in as that user.

# On mac:
brew install ssh-copy-id

# Then do it
ssh-copy-id -o "PubkeyAuthentication no" \
    -i ~/.ssh/id_series.pub root@45.55.209.211

Now, in theory, we can log in using our key! Because I have a lot of keys, I'll specify the key I want:

ssh -i ~/.ssh/id_series root@45.55.209.211

That still didn't work! We got the same error as when using no key! It turns out that, in addition to telling it which key to use, you also need to tell it to use only the identity you specify (sigh, computers). That looks like this:

ssh -o "IdentitiesOnly yes" \
    -i ~/.ssh/id_series root@45.55.209.211

And then we're in!
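The same two options can be kept per host in ~/.ssh/config so they don't have to be typed each time. The script below is an added example, not part of the original notes: it lists config blocks that set IdentityFile without an effective IdentitiesOnly yes, which is the combination that failed above. The host aliases in the sample config are made up.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): list ssh_config blocks that set
# IdentityFile without an effective "IdentitiesOnly yes". Covers Host/Match
# blocks and options set before the first block; Include files are not read.
audit_ssh_config() {
  awk '
    BEGIN { g_seen = 0; g_only = 0 }
    # Print the current block if it pins a key but may still offer others.
    function report() {
      if (block != "" && has_key && !only) print block
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
    { gsub(/=/, " "); key = tolower($1) }   # accept "Key=Value" as well
    key == "host" || key == "match" {
      report()
      block = $0; sub(/^[ \t]+/, "", block)
      has_key = 0; only = g_only; seen = g_seen
      next
    }
    key == "identityfile" { has_key = 1 }
    # ssh keeps the first value it obtains for an option; later ones lose.
    key == "identitiesonly" && !seen {
      seen = 1; only = (tolower($2) == "yes")
      if (block == "") { g_seen = 1; g_only = only }
    }
    END { report() }
  ' "$1"
}

# Constructed sample: the aliases "series" and "series-legacy" are made up;
# the address and key path are the ones used in this walkthrough.
sample_config() {
  cat <<'EOF'
Host series
    HostName 45.55.209.211
    User root
    IdentityFile ~/.ssh/id_series
    IdentitiesOnly yes

Host series-legacy
    HostName 45.55.209.211
    User root
    IdentityFile ~/.ssh/id_series
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_ssh_config "$tmp"
rm -f "$tmp"
```

With the first block in ~/.ssh/config, ssh series is enough to connect. Running ssh -G series prints the options ssh would actually use for that host.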

What we covered:

  1. Logging in via password, despite ssh trying to use key pairs
  2. Creating an SSH key pair
  3. Ensuring we can log into the remote server via SSH key
  4. Logging in via SSH key when you have many ssh keys