Linux remote access using SSH
SSH offers a secure way to have a telnet-like connection. It can also be used for transferring files or X11 window data.
Using SSH is quite simple and straightforward. The server system needs to run a program called sshd. This application can be started with /etc/init.d/sshd start.
To connect to the server, use the ssh client from the command line.
- Connecting to the local system:
Port 22 needs to be open in the firewall.
The following example demonstrates a text-based login from the Linux command line. The user connects to the remote system, runs two commands, and logs out again.
- An SSH login example:
    diederik@pts/2 ~ $ ssh diederik@hal9000
    Hi, You are connected with hal9000
    Unauthorized access will be logged
    Password:
    Last login: Mon Apr 4 22:05:43 2005 from hal9000.lan
    Have a lot of fun...
    diederik@hal9000 ~ $ uptime
    10:06pm up 14:46, 5 users, load average: 0.03, 0.07, 0.09
    diederik@hal9000 ~ $ ps uxf
    USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
    diederik 12362 0.0 0.2 8384 2540 ? S 22:08 0:00 sshd: diederik@pts/3
    diederik 12363 1.5 0.1 4236 1896 pts/3 Ss 22:08 0:00 \_ -bash
    diederik 12392 0.0 0.0 2364 664 pts/3 R+ 22:08 0:00 \_ ps uxf
    diederik@hal9000 ~ $ logout
    Connection to hal9000 closed.
    diederik@pts/2 ~ $
There are various good SSH applications:
- The OpenSSH suite is installed on most Linux systems by default. It also comes with command-line tools like scp and sftp to transfer files over SSH.
- PuTTY is a free, small and feature-rich SSH client for Windows. It does not require any installation; simply download and run PuTTY.exe.
- WinSCP is a nice complement to PuTTY; it can be used to transfer files over SSH. This tool is also free to use, and like PuTTY, it consists of just one .exe file that does not require any installation.
- KDE/GNOME file managers: the file managers of KDE and GNOME are able to transfer files over SSH, using the sftp:// or fish:// protocols.
SSH Server Security
There are a few settings that can make the SSH server a bit more secure:
- Making sshd more secure: /etc/ssh/sshd_config
    Protocol 2
    PermitRootLogin no
    AllowUsers username
These settings enforce protocol version 2 only, and restrict the number of users who may log in. Also consider changing the port number, to avoid automated login attempts.
By default, most servers are configured with "Protocol 2,1". This allows users to connect with both protocol version 1 and 2. It's better to disable version 1 of the SSH protocol; it's less secure and rarely used anyway.
By default, every system user can log in remotely with SSH. This is not a desired situation: there is no control over who can log in. The PermitRootLogin no line forces clients to log in with a normal user account, and use su - manually. This might be inconvenient, but prevents people from breaking into the root account! The AllowUsers restriction also prevents people from breaking into the system using a standard user name, like root or nobody.
The AllowUsers line also accepts tokens in the form user@host, and wildcards like * and ? to define more specific access rules. As an alternative to AllowUsers, use AllowGroups to permit access to certain system groups (for example, a group called "sshusers").
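To check a server against the settings above, the following added example (not part of the original page) audits an sshd_config for Protocol, PermitRootLogin and AllowUsers, and evaluates AllowUsers patterns in the user@host and wildcard forms. The two sample configurations and the admin@192.168.1.* pattern are constructed; Match blocks, AllowGroups membership and negated patterns are not evaluated.

```python
import re

# Constructed sample configs (not from the original page).
WEAK = "Protocol 2,1\nPermitRootLogin yes\n"
HARDENED = """# sshd uses the first value of a keyword, so the later 'yes' is ignored
Protocol 2
permitrootlogin no
PermitRootLogin yes
AllowUsers diederik admin@192.168.1.*
"""

def parse(text):
    """Map lowercased keyword -> list of argument lists (global section only)."""
    settings = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break  # simplification: conditional Match blocks are not evaluated
        if len(parts) == 2 and parts[1]:
            settings.setdefault(parts[0].lower(), []).append(parts[1].split())
    return settings

def wildcard_match(pattern, text):
    """Match using only the '*' and '?' wildcards."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, text) is not None

def user_allowed(settings, user, host):
    """Evaluate AllowUsers only (no AllowGroups, no negated patterns)."""
    patterns = [p for args in settings.get("allowusers", []) for p in args]
    if not patterns:
        return True  # no AllowUsers line: every system user may log in
    for p in patterns:
        upat, at, hpat = p.partition("@")
        if wildcard_match(upat, user) and (not at or wildcard_match(hpat, host)):
            return True
    return False

def audit(settings):
    """Return findings for the three settings discussed above."""
    findings = []
    if "protocol" not in settings:
        findings.append("Protocol not set explicitly")
    elif "1" in ",".join(settings["protocol"][0]).split(","):
        findings.append("Protocol 1 enabled")
    root = settings.get("permitrootlogin", [["unset"]])[0][0]
    if root != "no":
        findings.append(f"PermitRootLogin is {root}")
    if not {"allowusers", "allowgroups"} & settings.keys():
        findings.append("no AllowUsers/AllowGroups restriction")
    return findings
```

On a live system, pass the contents of /etc/ssh/sshd_config to parse() and review whatever audit() returns.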