Article

Table of Contents
Theme:
Was this article helpful?

1  out of  1 found this helpful

Try Vultr Today with

$50 Free on Us!

Get started now
Want to contribute?

You could earn up to $600 by adding new articles.

Learn more!

How to Connect to a Linux Cloud Server from your Windows Desktop

Author: Quan Hua

Last Updated: Wed, May 25, 2022
System Admin Windows Guides

Introduction

Connecting to a Linux server for the first time may seem confusing, especially if you have a strong Windows background. SSH allows you to establish a secure connection between your computer and the Linux server and manage it remotely.

This article explains how to use PuTTY and OpenSSH client on Windows to connect to a Linux server.

In the end of this tutorial, you know:

  • How to install PuTTY and OpenSSH client on Windows
  • How to connect to the server using password authentication
  • How to create public and private key pairs
  • How to connect to the server using public key authentication
  • How to enhance the security of your Linux server

Prerequisites

  • A Windows workstation
  • A Linux server instance

Get Your Linux Server Credentials

  1. Navigate to your Customer Portal
  2. Click "Products"
  3. Click your instance.
  4. Copy your credentials
    1. IP Address
    2. Username
    3. Password

Install PuTTY

PuTTY is an open-source SSH and Telnet client for Windows which is available for all versions of Windows.

  1. Download PuTTY from the official website.
  2. Run the PuTTY installer to install PuTTY.

Connect to The Server with PuTTY Using Password

  1. Open up the Windows Start menu, search for "PuTTY" and launch the application.
  2. Enter the following information into the window named "PuTTY Configuration"
    • Host Name (or IP address) - this is the IP address of your Vultr server
    • Port - the default port for SSH is 22. See the "Server hardening" section if you want to change the default port.
  3. Click "Open" to start the connection
  4. In the "PuTTY Security Alert" dialog, choose "Accept". You can check the message in the dialog for more information about the security alert.

  5. Enter your username from the previous step. Here is an example result

    login as: root

  6. Copy the password from the previous step. Paste the password by clicking the right mouse on the terminal. Here is an example result. The password is not visible.

    root@149.28.148.36's password:

  7. You are now logged into your server. Here is an example result with a Ubuntu 22.04 server.

    login as: root
root@149.28.148.36's password:
Welcome to Ubuntu 22.04 LTS (GNU/Linux 5.15.0-25-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat Apr 23 09:49:11 AM UTC 2022

  System load:  0.0                Processes:               134
  Usage of /:   27.0% of 24.41GB   Users logged in:         0
  Memory usage: 23%                IPv4 address for enp1s0: 149.28.148.36
  Swap usage:   0%

0 updates can be applied immediately.

root@vultr:~#

  8. Type exit then press Enter to log out of your server.

Install OpenSSH Client on Windows

OpenSSH Client is another option to connect to your server through SSH included in Windows 10 and Windows Server 2019.

  1. Open up the Windows Start menu, search and open "Manage optional features".
  2. Check the list "Installed features" to see if "OpenSSH client" is already installed.
  3. Click "Add a feature". Find "OpenSSH Client", then click "Install".
  4. Open Command Prompt

  5. Check OpenSSH version:

    $ ssh -V

The result should be like:

OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2

Connect to The Server with OpenSSH Using Password

  1. Open Command Prompt or Windows PowerShell

  2. Run the following command to connect to your server. Replace root with your server username. Replace servername with the IP address of your server.

    $ ssh root@servername

  3. After connected, answer yes when you get a message like:

    The authenticity of host '149.28.148.36 (149.28.148.36)' can't be established.
ECDSA key fingerprint is SHA256:ZbS/36vzv0lEzwkSkFGwA8A7gh/GWGFaQFeeC7fPAcY.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

  4. Copy the password from the previous step. Paste the password by clicking the right mouse on the terminal. Here is an example result. The password is not visible.

    root@149.28.148.36's password:

  5. You are now logged into your server. Here is an example result with a Ubuntu 22.04 server.

    login as: root
root@149.28.148.36's password:
Welcome to Ubuntu 22.04 LTS (GNU/Linux 5.15.0-25-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat Apr 23 09:51:22 AM UTC 2022

  System load:  0.0                Processes:               134
  Usage of /:   27.0% of 24.41GB   Users logged in:         0
  Memory usage: 23%                IPv4 address for enp1s0: 149.28.148.36
  Swap usage:   0%

0 updates can be applied immediately.

root@vultr:~#

  6. Type exit then press Enter to log out of your server.

Benefits of Public & Private SSH Keys

Public key authentication provides a reliable and secure alternative to the password authentication. It frees the users from remembering complicated passwords.

Public key authentication also allows secured, automated login in countless automation tools.

In public key authentication, the SSH key pairs includes two keys:

  • A public key is on the SSH server. Anyone can encrypt the data using the public key. Using the private key is the only way to decrypt the data.
  • A private key remains with the user. The user can use a passphrase to protect the private key files from unauthorized access.

In this article, you generate an ED25519 format keypair. Here are some advantages of ED25519 format compared to other formats:

  • Small public and private key length for the same level of security.
  • Fast key generation and verification.

Create an ED25519 format keypair with PuTTY

Create an ED25519 format keypair with PuTTY

  1. Open up the Windows Start menu, search for "PuTTYgen" and launch the application.
  2. Under the "Parameters" section, select "EdDSA". Make sure that the selection box is "Ed25519 (255 bits)"
  3. Click "Generate".
  4. Move the mouse over the blank area to generate the keys.
  5. Click "Save private key" to save the private key. You can set a passphrase to protect the private key from unauthorized access.
  6. Copy the content of under "Public key for pasting into OpenSSH authorized_keys" file.

The public key is a string as follows:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAWT7d2UKNJJ6jurMml+6tCktL4dWuWtvTOomJ1rQv12 eddsa-key-20220424

The private key is a file with extension .ppk that you need to login to the server.

Here is the content of the generated private key

PuTTY-User-Key-File-3: ssh-ed25519
Encryption: none
Comment: eddsa-key-20220424
Public-Lines: 2
AAAAC3NzaC1lZDI1NTE5AAAAIAWT7d2UKNJJ6jurMml+6tCktL4dWuWtvTOomJ1r
Qv12
Private-Lines: 1
AAAAIGb7S+9kgp96L9HUUY04rgE7laU86BO1scZv8WBSAoo4
Private-MAC: f956dd2563aeb14132be4ea22d22a29ac16733b3285fd07876049226e6774ca5

Create an ED25519 format keypair with OpenSSH on Windows 10 & 11

  1. Open Command Prompt or Windows PowerShell.

  2. Run the following command to generate an ED25519 format key pair. Replace <comments> with your own comment to organize the keys easier.

    $ ssh-keygen -t ed25519 -C "<comment>"
  3. (Optional) Enter the name of the private key when asked "Enter file in which to save the key".
  4. (Optional) Enter the passphrase to protect the private key from unauthorized access. Leave empty for no passphrase.

Here is an example output

Generating public/private ed25519 key pair.
Enter file in which to save the key (C:\Users\quanh/.ssh/id_ed25519): 
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in my-vultr-key.
Your public key has been saved in my-vultr-key.pub.
The key fingerprint is:
SHA256:tmAS/9vfH6prgMC3sZkd2yGxUKW6zN7jgrx2oaX1jmg <comment>
The key's randomart image is:
+--[ED25519 256]--+
|        ....     |
|       . ..      |
|    o   ..o      |
|     = o.+ .     |
|    . *.S = .    |
|     oo&.= .     |
|    . *+= .    . |
|     Eooo= . .. .|
|    oooo=++++....|
+----[SHA256]-----+

Here is the content of the Public key named my-vultr-key.pub:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILuIiHMAsxs5KEfZp6JTp+qP2oqRLqryI0Yc8Ksan9Ft my-vultr-key

Here is the content of the Private key named my-vultr-key:

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACA1qB9J7bfq9x9uxn+y1jmUY6m8h774k6oq1IyRC4nudAAAAJD16Q3I9ekN
yAAAAAtzc2gtZWQyNTUxOQAAACA1qB9J7bfq9x9uxn+y1jmUY6m8h774k6oq1IyRC4nudA
AAAEA/gZuKIFDh6iYkEXYS8N9bl/9w98B6DrpzzHlG8T67EzWoH0ntt+r3H27Gf7LWOZRj
qbyHvviTqirUjJELie50AAAADG15IHZ1bHRyIGtleQE=
-----END OPENSSH PRIVATE KEY-----

Install the Public Key on an Existing Server

  1. Log in to your server using password by following the step at the beginning of this article using PuTTY or OpenSSH Client.

  2. Edit the ~/ssh/authorized_keys with your favorite text editor. Paste your public key into a new line.

    nano ~/.ssh/authorized_keys

  3. Type exit then press Enter to log out of your server.

Install the Public Key on a Server Through the Customer Portal when Deploying

Follow this article to deploy a new server with your SSH key.

Connect to the Server with PuTTY Using SSH Key

Connect to the Server with PuTTY Using SSH Key

  1. Open up the Windows Start menu, search for "PuTTY" and launch the application.
  2. Enter the following information into the window named "PuTTY Configuration"
    • Host Name (or IP address) - this is the IP address of your Vultr server
    • Port - the default port for SSH is 22.
  3. On the left sidebar, select "Connection" > "SSH" > "Auth".
  4. Click the "Browser" button and select your private key from PuTTYgen
  5. Click "Open" to start the connection

  6. Enter your username from the previous step. Here is an example result

    login as: root

  7. You are now logged into your server. Here is an example result with a Ubuntu 22.04 server.

    login as: root
Authenticating with public key "eddsa-key-20220424"
Welcome to Ubuntu 22.04 LTS (GNU/Linux 5.15.0-25-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Apr 24 07:33:03 AM UTC 2022

  System load:  0.0                Processes:               134
  Usage of /:   27.2% of 24.41GB   Users logged in:         0
  Memory usage: 23%                IPv4 address for enp1s0: 149.28.148.36
  Swap usage:   0%

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

0 updates can be applied immediately.

root@vultr:~#

Connect to the Server with OpenSSH Using SSH Key

  1. Open Command Prompt or Windows PowerShell.

  2. If your private key is in the default location ( ~/.ssh/id_ed25519) then run the following command to connect to the server. Replace root with your server username. Replace servername with the IP address of your server.

    $ ssh root@servername

  3. If your private key is in not the default location. Run the following command to connect to the server. Replace root with your server username. Replace servername with the IP address of your server. Replace private_key_path with your private key path.

    $ ssh root@servername -i private_key_path

  4. (Optional) Set your private key as default for all servers. Replace private_key_path with your private key path.

    $ cp private_key_path ~/.ssh/id_ed25519

  5. You are now logged into your server. Here is an example result with a Ubuntu 22.04 server.

    Welcome to Ubuntu 22.04 LTS (GNU/Linux 5.15.0-25-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Apr 24 07:35:01 AM UTC 2022

  System load:  0.0                Processes:               134
  Usage of /:   27.2% of 24.41GB   Users logged in:         0
  Memory usage: 23%                IPv4 address for enp1s0: 149.28.148.36
  Swap usage:   0%

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

0 updates can be applied immediately.

root@vultr:~#

Server Hardening

Create a sudo User

A best practice for security is to perform server administration as a non-root user.

  1. Follow one of the following article to create a sudo user on your Linux server:

  2. Create a .ssh folder in the home directory

    $ mkdir -p ~/.ssh

  3. Edit the ~/ssh/authorized_keys with your favorite text editor. Paste your public key into a new line.

    $ nano ~/.ssh/authorized_keys

Disable Empty Password

Some Linux distributions allow to create users without passwords.

Set the value of PermitEmptyPasswords to no in /etc/ssh/sshd_config file to disable SSH connections with empty passwords.

PermitEmptyPasswords no

Limit Users Login Access Using SSH

SSH server allows all users to access remotely. Following below steps to override the default setting and limit users access using SSH

  1. To allow specific users to access using SSH, set the value of AllowUsers in /etc/ssh/sshd_config file as follows. Replace user1, user2, and ubuntu with your selected usernames.

    AllowUsers user1 user2 ubuntu

  2. To prevent specific users to access using SSH, set the value of DenyUsers in /etc/ssh/sshd_config file as follows. Replace user3, and user4with your selected username.

    DenyUsers user3 user4

Disable SSH Password Authentication

Follow below steps to disable password authentication to your server.

  1. Make sure you can login using SSH keys

  2. Set the value of PasswordAuthentication to no in /etc/ssh/sshd_config file to disable password authentication.

    PasswordAuthentication no

Disable SSH Login for root User

Disabling access for the root user is a good security practice.

Set the value of PermitRootLogin to no in /etc/ssh/sshd_config file to disable log in with root

PermitRootLogin no

Change Idle Timeout Interval

Users often keep their SSH connection idle for a long period of time. Setting a timeout after a period of inactivity is a good practice.

Set the value of ClientAliveInterval to your desirable idle timeout in /etc/ssh/sshd_config file. For example, change the timeout value to 360 seconds.

ClientAliveInterval 360

Disable Tunneling and Port Forwarding

To disable tunneling and port forwarding, set the following values in /etc/ssh/sshd_config file.

AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no

Apply the New SSH Configuration

  1. Check if there is any error in the configuration

    $ sudo sshd -t

  2. Restart the sshd service

    $ sudo systemctl restart sshd

(Optional) How to Change SSH Default Port 22

Changing the default SSH port is a good practice to avoid unusual traffic to open ports. Before changing the port, you may need to configure the SELinux and the firewall on your system.

Port 2233 is the custom port in this article.

Check if your desirable unused port number is in use

$ sudo lsof -i -P -n | grep LISTEN

Configure SELinux to allow the Custom Port for Incoming SSH traffic

Some Linux distributions such as CentOS, RHEL, Alma Linux and Rocky Linux uses SELinux, a built-in security mechanism.

Follow the below steps to configure SELinux to allow your custom port for incoming SSH traffic.

  1. Run the following command to check if your server is using SELinux. Skip this section if you are not using SELinux.

    $ sestatus

  2. Change to 2233

    $ sudo semanage port -a -t ssh_port_t -p tcp 2233

  3. Check if SELinux allows the custom port for incoming SSH traffic

    $ sudo semanage port -l | grep ssh

The result should looks like:

ssh_port_t tcp 2233, 22

How to Open A Port with firewalld

Some Linux distributions use firewalld as the default firewall. You need to open the custom port on firewall.

  1. Check if you are usingfirewalld

    $ sudo systemctl status firewalld

  2. Open the custom port with firewalld. Replace 2233 with your custom port.

    $ sudo firewall-cmd --add-port=2233/tcp --permanent

  3. Reload the settings

    $ sudo firewall-cmd --reload

How to Open A Port with ufw

Some Linux distributions use ufw as the default firewall. You need to open the custom port on firewall.

  1. Check if you are using ufw

    $ sudo systemctl status ufw

  2. Check the ufw status

    $ sudo ufw status

  3. Open the custom port with ufw. Replace 2233 with your custom port.

    $ sudo ufw allow 2233 comment 'SSH'

  4. Enable ufw if it is not running

    $ sudo ufw enable

Add a custom Port to the SSH Configuration

  1. Set the value of Port to your desirable unused port number in /etc/ssh/sshd_config file. For example, change SSH port to 2233

    Port 2233

  2. Restart the sshd service

    $ sudo systemctl restart sshd

Connect to the Server with OpenSSH Using SSH Key on a Custom Port

Add -p port to your ssh command to connect to the server on a custom port. Replace port with your custom port.

$ ssh root@servername -p port

More Information

Want to contribute?

You could earn up to $600 by adding new articles.

Submit your article Request an article