Difference between revisions of "Use SSH to remotely access a device"
| (22 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
[[File:Cat_remote_login.jpeg|right|600px]] | |||
[[SSH: Secure Shell]] is an encrypted protocol for a remote shell login. | |||
See [[wikipedia:Secure shell]] | |||
= Ways to SSH = | |||
Using a terminal, you may SSH through: | Using a terminal, you may SSH through: | ||
| Line 8: | Line 11: | ||
* generating and authorising matching public and private keys | * generating and authorising matching public and private keys | ||
== SSH over a local network == | |||
To find the IP address of a computer on the local network, such as a Raspberry Pi, | To SSH to a computer on a local network, first find the local, or private [[IP address]]. To find the IP address of a computer on the [[LAN: Local Area Network|local network]], such as a Raspberry Pi, boot it and connect it to a screen. Type the command: | ||
< | <syntaxhighlight lang="bash"> | ||
ifconfig | ifconfig | ||
</ | </syntaxhighlight> | ||
If connected over wifi, you should look for the IP listed next to <code>wlan0</code> | If connected over wifi, you should look for the IP listed next to <code>wlan0</code> | ||
In this instance it is 192.168.1.101 | In this instance it is 192.168.1.101 | ||
< | <syntaxhighlight lang="bash"> | ||
inet 192.168.1.101 | inet 192.168.1.101 | ||
</ | </syntaxhighlight> | ||
Now, on another machine you can remotely SSH to a user account on the Raspberry Pi (one that you know the password of). | Now, on another machine you can remotely SSH to a user account on the Raspberry Pi (one that you know the password of). | ||
| Line 26: | Line 29: | ||
In this instance, we SSH to the Pi user account on the Raspberry Pi by typing: | In this instance, we SSH to the Pi user account on the Raspberry Pi by typing: | ||
< | <syntaxhighlight lang="bash"> | ||
ssh pi@192.168.1.101 | ssh pi@192.168.1.101 | ||
</ | </syntaxhighlight> | ||
The first time you do this, an ECDSA key fingerprint is created on your machine, and 192.168.1.101 (ECDSA) is added to a list of known hosts in the file | The first time you do this, an ECDSA key fingerprint is created on your machine, and 192.168.1.101 (ECDSA) is added to a list of known hosts in the file | ||
| Line 42: | Line 45: | ||
Using a public IP address is much the same as a local IP address; however: | Using a public IP address is much the same as a local IP address; however: | ||
* to access it you have to use the Internet which means going "outside" your local network | * to access it you have to use the Internet which means going "outside" your local area network. This can be confusing when you are self-hosting a service on a machine that is sitting right next to you physically, but has an IP address located on the wide area network. | ||
You can always SSH by entering the public IP address and the correct user credentials each time, however if it is something you have to do often it may be more convenient to generate public and private key pairs using Open SSH. | You can always SSH by entering the public IP address and the correct user credentials each time, however if it is something you have to do often it may be more convenient to generate public and private key pairs using Open SSH. | ||
== Generating SSH key pairs == | |||
{{:Creating,_using_and_managing_SSH_keys}} | |||
== SSH configuration file== | |||
The SSH configuration file makes it a lot simpler to <code>ssh</code> <code>scp</code> or <code>sshfs</code>. It is especially convenient when you have keys for different servers. It helps you to keep them organised and to <code>ssh</code> into servers with easy to remember shortcuts. | |||
Rather than typing | |||
<syntaxhighlight lang="bash"> | |||
scp myfile username@host:/path/to/copy/file/to | |||
</syntaxhighlight> | |||
We can simply do with | |||
<syntaxhighlight lang="bash"> | |||
scp myfile hostname:/path/to/copy/file/to | |||
</syntaxhighlight> | |||
=== Location of the .ssh directory === | |||
On Linux-based distributions: <code>/home/<your username>/.ssh</code> | |||
On MacOS: <code>Users/<your username>/.ssh</code> | |||
=== Create SSH configuration file ~/.ssh/config/ === | |||
Create the file: | |||
<syntaxhighlight lang="bash"> | |||
touch ~/.ssh/config | |||
</syntaxhighlight> | |||
Open the file in your favourite text editor and insert: | |||
<syntaxhighlight lang="bash" line> | |||
Host hostname // name for the shortcut you use to ssh into the server | |||
User username // ssh user | |||
Hostname 192.168.10.20 // hostname of the server | |||
Port 22 | |||
Identityfile ~/.ssh/id_rsa // change and make sure this is the path to the location of your keys | |||
Serveraliveinterval 30 | |||
</syntaxhighlight> | |||
Now you can use the short cut to <code>ssh</code>, <code>scp</code>, <code>sshfs</code> to that and any other host in in <code>.ssh/config</code> | |||
using only | |||
<syntaxhighlight lang="bash"> | |||
ssh username@hostname | |||
</syntaxhighlight> | |||
or even | |||
<syntaxhighlight lang="bash"> | |||
ssh hostname | |||
</syntaxhighlight> | |||
== SSHFS: SSH File System == | |||
{{:Mount a file system over SSH using SSHFS}} | |||
[[Category: Cookbook]] | [[Category: Cookbook]] | ||
Latest revision as of 22:36, 24 November 2021
SSH: Secure Shell is an encrypted protocol for a remote shell login. See wikipedia:Secure shell
Ways to SSH
Using a terminal, you may SSH through:
- a local network, by targeting a local IP address
- a public network, by targeting a public IP address
- generating and authorising matching public and private keys
SSH over a local network
To SSH to a computer on a local network, first find the local, or private IP address. To find the IP address of a computer on the local network, such as a Raspberry Pi, boot it and connect it to a screen. Type the command:
ifconfig
If connected over wifi, you should look for the IP listed next to wlan0
In this instance it is 192.168.1.101
inet 192.168.1.101
Now, on another machine you can remotely SSH to a user account on the Raspberry Pi (one that you know the password of).
In this instance, we SSH to the Pi user account on the Raspberry Pi by typing:
ssh pi@192.168.1.101
The first time you do this, an ECDSA key fingerprint is created on your machine, and 192.168.1.101 (ECDSA) is added to a list of known hosts in the file
~/.ssh/known_hosts
It will ask you for a password (most often you won't see what you write, so type carefully), and if it is correct you can access the device.
You are still using the local network, but you (and others who SSH to other accounts on the same network) can now control the Raspberry Pi remotely.
SSH over public IP
Using a public IP address is much the same as a local IP address; however:
- to access it you have to use the Internet which means going "outside" your local area network. This can be confusing when you are self-hosting a service on a machine that is sitting right next to you physically, but has an IP address located on the wide area network.
You can always SSH by entering the public IP address and the correct user credentials each time, however if it is something you have to do often it may be more convenient to generate public and private key pairs using Open SSH.
Generating SSH key pairs
Create a new key for your machine
ssh-keygen -t rsa
CHOOSE A STRONG PASSPHRASE, EMPTY PASSPHRASE == BAD
If someone has access to your machine via social engineering or tech exploit, your key can be stolen and used to login in all the machines and services without password.
Install your key on the machines where you need to log in
Handy function to put in your shell config
In your shell resource file (~/.zhrc, ~/.bashrc,...) add the following function:
ssh-install-key() {
cat ~/.ssh/id_rsa.pub | ssh ${1} "cat - >> ~/.ssh/authorized_keys"
}
Now you can install your main key, id_rsa.pub, directly to a target machine:
ssh-install-key username@super.server.nl
Using your keys
With keychain
Keychain is a software that will keep track of which keys are available in your system and will only ask your passphrase once per session instead. It is a front-end to ssh-add and ssh-agent.
Add the following in your shell resource file:
if [ -e ~/.ssh/id_rsa ]
then
keychain --quiet --nogui ~/.ssh/id_rsa
. ~/.keychain/${HOSTNAME}-sh
fi
Now restart your session and you will be prompted, once for your passphrase. After that you can directly ssh/scp to the machines where your installed your key and you will not be prompted for any passwords!
ssh username@super.server.nl
Using aliases for your SSH connections
To make your life even easier you can edit (create if non existent) the ~/.ssh/config file to create Host SSH aliases for the machines you need to connect to. You can also pass all the SSH options you might want to add, for instance:
Host super
User username
Hostname super.server.nl
Host super2
User anotherusername
Hostname super.serverl.nl
Port 12345
ForwardAgent yes
Now when you want to ssh/scp to your server you can just do the following:
ssh super
SSH configuration file
The SSH configuration file makes it a lot simpler to ssh scp or sshfs. It is especially convenient when you have keys for different servers. It helps you to keep them organised and to ssh into servers with easy to remember shortcuts.
Rather than typing
scp myfile username@host:/path/to/copy/file/to
We can simply do with
scp myfile hostname:/path/to/copy/file/to
Location of the .ssh directory
On Linux-based distributions: /home/<your username>/.ssh
On MacOS: Users/<your username>/.ssh
Create SSH configuration file ~/.ssh/config/
Create the file:
touch ~/.ssh/config
Open the file in your favourite text editor and insert:
Host hostname // name for the shortcut you use to ssh into the server
User username // ssh user
Hostname 192.168.10.20 // hostname of the server
Port 22
Identityfile ~/.ssh/id_rsa // change and make sure this is the path to the location of your keys
Serveraliveinterval 30
Now you can use the short cut to ssh, scp, sshfs to that and any other host in in .ssh/config
using only
ssh username@hostname
or even
ssh hostname
SSHFS: SSH File System
SSHFS (SSH Filesystem) is a filesystem client for mounting remote directories on your machine, using an SSH connection.
By using it you can access, read, edit files from a remote machine on your local machine, as long as you have an account in the remote machine.
Installing
On Debian/Ubuntu
sudo apt update
sudo apt install sshfs
On Mac
Use homebrew. If homebrew is not installed run the installation command:
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
Once brew is installed, run:
brew cask install osxfuse
brew install sshfs
Mounting the Remote File System with SSHFS
SSHFS command essential parameters:
sshfs user@host:remote_directory local_mount_directory
How to mount
Create a directory in your local machine, to be use as a mount point
mkdir ~/remote
Mount host remote directory onto the ~/remote directory
ssh user@host:/full/path/to/remote/dir ~/remote
That's it :)
How to unmount
To unmount the remote dir from the local directory we use the umount NOT unmount, BUT umount
umount ~/remote