Author: Quan Hua
Last Updated: Wed, May 25, 2022
Connecting to a Linux server for the first time may seem confusing, especially if you have a strong Windows background. SSH allows you to establish a secure connection between your computer and the Linux server and manage it remotely.
This article explains how to use PuTTY and OpenSSH client on Windows to connect to a Linux server.
By the end of this tutorial, you know:
PuTTY is an open-source SSH and Telnet client for Windows which is available for all versions of Windows.
Enter your username from the previous step. Here is an example result
login as: root
Copy the password from the previous step. Paste the password by right-clicking in the terminal. Here is an example result. The password is not visible.
root@149.28.148.36's password:
You are now logged into your server. Here is an example result with an Ubuntu 22.04 server.
login as: root
root@149.28.148.36's password:
Welcome to Ubuntu 22.04 LTS (GNU/Linux 5.15.0-25-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat Apr 23 09:49:11 AM UTC 2022
System load: 0.0 Processes: 134
Usage of /: 27.0% of 24.41GB Users logged in: 0
Memory usage: 23% IPv4 address for enp1s0: 149.28.148.36
Swap usage: 0%
0 updates can be applied immediately.
root@vultr:~#
Type exit then press Enter to log out of your server.
OpenSSH Client, included in Windows 10 and Windows Server 2019, is another option for connecting to your server through SSH.
Check OpenSSH version:
$ ssh -V
The result should be like:
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
Run the following command to connect to your server. Replace root with your server username. Replace servername with the IP address of your server.
$ ssh root@servername
After connecting, answer yes when you get a message like:
The authenticity of host '149.28.148.36 (149.28.148.36)' can't be established.
ECDSA key fingerprint is SHA256:ZbS/36vzv0lEzwkSkFGwA8A7gh/GWGFaQFeeC7fPAcY.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Copy the password from the previous step. Paste the password by right-clicking in the terminal. Here is an example result. The password is not visible.
root@149.28.148.36's password:
You are now logged into your server. Here is an example result with an Ubuntu 22.04 server.
login as: root
root@149.28.148.36's password:
Welcome to Ubuntu 22.04 LTS (GNU/Linux 5.15.0-25-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat Apr 23 09:51:22 AM UTC 2022
System load: 0.0 Processes: 134
Usage of /: 27.0% of 24.41GB Users logged in: 0
Memory usage: 23% IPv4 address for enp1s0: 149.28.148.36
Swap usage: 0%
0 updates can be applied immediately.
root@vultr:~#
Type exit then press Enter to log out of your server.
Public key authentication provides a reliable and secure alternative to password authentication. It frees users from remembering complicated passwords.
Public key authentication also allows secure, automated login in countless automation tools.
In public key authentication, the SSH key pair includes two keys:
In this article, you generate an ED25519 format keypair. Here are some advantages of ED25519 format compared to other formats:
The public key is a string as follows:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAWT7d2UKNJJ6jurMml+6tCktL4dWuWtvTOomJ1rQv12 eddsa-key-20220424
The private key is a file with extension .ppk that you need to log in to the server.
Here is the content of the generated private key
PuTTY-User-Key-File-3: ssh-ed25519
Encryption: none
Comment: eddsa-key-20220424
Public-Lines: 2
AAAAC3NzaC1lZDI1NTE5AAAAIAWT7d2UKNJJ6jurMml+6tCktL4dWuWtvTOomJ1r
Qv12
Private-Lines: 1
AAAAIGb7S+9kgp96L9HUUY04rgE7laU86BO1scZv8WBSAoo4
Private-MAC: f956dd2563aeb14132be4ea22d22a29ac16733b3285fd07876049226e6774ca5
Run the following command to generate an ED25519 format key pair. Replace <comment> with your own comment to organize your keys more easily.
$ ssh-keygen -t ed25519 -C "<comment>"
Here is an example output
Generating public/private ed25519 key pair.
Enter file in which to save the key (C:\Users\quanh/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in my-vultr-key.
Your public key has been saved in my-vultr-key.pub.
The key fingerprint is:
SHA256:tmAS/9vfH6prgMC3sZkd2yGxUKW6zN7jgrx2oaX1jmg <comment>
The key's randomart image is:
+--[ED25519 256]--+
| .... |
| . .. |
| o ..o |
| = o.+ . |
| . *.S = . |
| oo&.= . |
| . *+= . . |
| Eooo= . .. .|
| oooo=++++....|
+----[SHA256]-----+
Here is the content of the public key named my-vultr-key.pub:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILuIiHMAsxs5KEfZp6JTp+qP2oqRLqryI0Yc8Ksan9Ft my-vultr-key
Here is the content of the private key named my-vultr-key:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACA1qB9J7bfq9x9uxn+y1jmUY6m8h774k6oq1IyRC4nudAAAAJD16Q3I9ekN
yAAAAAtzc2gtZWQyNTUxOQAAACA1qB9J7bfq9x9uxn+y1jmUY6m8h774k6oq1IyRC4nudA
AAAEA/gZuKIFDh6iYkEXYS8N9bl/9w98B6DrpzzHlG8T67EzWoH0ntt+r3H27Gf7LWOZRj
qbyHvviTqirUjJELie50AAAADG15IHZ1bHRyIGtleQE=
-----END OPENSSH PRIVATE KEY-----
Edit the ~/.ssh/authorized_keys file with your favorite text editor. Paste your public key on a new line.
$ nano ~/.ssh/authorized_keys
Type exit then press Enter to log out of your server.
Follow this article to deploy a new server with your SSH key.
Enter your username from the previous step. Here is an example result
login as: root
You are now logged into your server. Here is an example result with an Ubuntu 22.04 server.
login as: root
Authenticating with public key "eddsa-key-20220424"
Welcome to Ubuntu 22.04 LTS (GNU/Linux 5.15.0-25-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sun Apr 24 07:33:03 AM UTC 2022
System load: 0.0 Processes: 134
Usage of /: 27.2% of 24.41GB Users logged in: 0
Memory usage: 23% IPv4 address for enp1s0: 149.28.148.36
Swap usage: 0%
* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.
https://ubuntu.com/blog/microk8s-memory-optimisation
0 updates can be applied immediately.
root@vultr:~#
If your private key is in the default location (~/.ssh/id_ed25519) then run the following command to connect to the server. Replace root with your server username. Replace servername with the IP address of your server.
$ ssh root@servername
If your private key is not in the default location, run the following command to connect to the server. Replace root with your server username. Replace servername with the IP address of your server. Replace private_key_path with your private key path.
$ ssh root@servername -i private_key_path
(Optional) Set your private key as default for all servers. Replace private_key_path with your private key path.
$ cp private_key_path ~/.ssh/id_ed25519
You are now logged into your server. Here is an example result with an Ubuntu 22.04 server.
Welcome to Ubuntu 22.04 LTS (GNU/Linux 5.15.0-25-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sun Apr 24 07:35:01 AM UTC 2022
System load: 0.0 Processes: 134
Usage of /: 27.2% of 24.41GB Users logged in: 0
Memory usage: 23% IPv4 address for enp1s0: 149.28.148.36
Swap usage: 0%
* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.
https://ubuntu.com/blog/microk8s-memory-optimisation
0 updates can be applied immediately.
root@vultr:~#
A best practice for security is to perform server administration as a non-root user.
Follow one of the following articles to create a sudo user on your Linux server:
Create a .ssh folder in the home directory:
$ mkdir -p ~/.ssh
Edit the ~/.ssh/authorized_keys file with your favorite text editor. Paste your public key on a new line.
$ nano ~/.ssh/authorized_keys
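The two steps above (create ~/.ssh, then paste the key into authorized_keys) can also be scripted. This is an added example, not part of the original article: install_pubkey is a hypothetical helper that appends the key only once and sets the 700/600 permissions that sshd's StrictModes check expects. The demo writes to a constructed temporary directory, not a real home directory.

```sh
#!/bin/sh
# Added example (hypothetical helper, not from the article).
# Usage: install_pubkey SSH_DIR 'ssh-ed25519 AAAA... comment'
install_pubkey() (
    ssh_dir=$1 key=$2 f=$1/authorized_keys
    # Accept only text that starts like a public key; a pasted private key
    # starts with "-----BEGIN" or "PuTTY-User-Key-File" and is rejected.
    case $key in
        ssh-ed25519\ AAAA*|ssh-rsa\ AAAA*|ecdsa-sha2-nistp*\ AAAA*) ;;
        *) echo "install_pubkey: not a public key line" >&2; exit 1 ;;
    esac
    umask 077                          # new files are private to the user
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || exit 1
    touch "$f" && chmod 600 "$f" || exit 1
    # If the file does not end in a newline, add one so keys never merge.
    if [ -n "$(tail -c1 "$f")" ]; then echo >> "$f"; fi
    # -x whole line, -F fixed string: append only if not already present.
    grep -qxF -- "$key" "$f" || printf '%s\n' "$key" >> "$f"
)

# Demo in a constructed temporary directory, using the article's public key.
demo=$(mktemp -d)
install_pubkey "$demo/.ssh" 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILuIiHMAsxs5KEfZp6JTp+qP2oqRLqryI0Yc8Ksan9Ft my-vultr-key'
ls -l "$demo/.ssh/authorized_keys"
rm -rf "$demo"
```

On the server, call it as the target user with "$HOME/.ssh" as the first argument.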
Some Linux distributions allow creating users without passwords.
Set the value of PermitEmptyPasswords to no in the /etc/ssh/sshd_config file to disable SSH connections with empty passwords.
PermitEmptyPasswords no
By default, the SSH server allows all users to connect remotely. Follow the steps below to override the default setting and limit which users can access the server using SSH.
To allow specific users to access the server using SSH, set the value of AllowUsers in the /etc/ssh/sshd_config file as follows. Replace user1, user2, and ubuntu with your selected usernames.
AllowUsers user1 user2 ubuntu
To prevent specific users from accessing the server using SSH, set the value of DenyUsers in the /etc/ssh/sshd_config file as follows. Replace user3 and user4 with your selected usernames.
DenyUsers user3 user4
Follow the steps below to disable password authentication to your server.
Set the value of PasswordAuthentication to no in the /etc/ssh/sshd_config file to disable password authentication.
PasswordAuthentication no
Disabling access for the root user is a good security practice.
Set the value of PermitRootLogin to no in the /etc/ssh/sshd_config file to disable logging in as root.
PermitRootLogin no
Users often keep their SSH connection idle for a long period of time. Setting a timeout after a period of inactivity is a good practice.
Set the value of ClientAliveInterval to your desired idle timeout in the /etc/ssh/sshd_config file. For example, change the timeout value to 360 seconds.
ClientAliveInterval 360
To disable tunneling and port forwarding, set the following values in the /etc/ssh/sshd_config file.
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no
Check the configuration for errors:
$ sudo sshd -t
Restart the sshd service:
$ sudo systemctl restart sshd
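sshd -t only checks syntax; it does not tell you whether the hardening values above are the ones in force. The following added example (not part of the original article) audits a config file against the single-valued settings from the previous steps. effective_value, audit_sshd_config and EXPECTED are hypothetical names, and the sample config is constructed.

```sh
#!/bin/sh
# Added example: audit an sshd_config file against this article's settings.
# Only global, single-valued keywords are checked; Include files and Match
# blocks are not evaluated (use `sudo sshd -T` for the effective config).
EXPECTED='PermitEmptyPasswords no
PasswordAuthentication no
PermitRootLogin no
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no'

# Print the global value of keyword $2 in file $1. sshd keeps the first
# value it reads for a keyword, and keywords are case-insensitive.
effective_value() {
    awk -v key="$2" '
        tolower($1) == "match"      { exit }   # conditional section starts
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Print one FAIL line per deviation; return 0 only if there are none.
audit_sshd_config() {
    failures=0
    while read -r key want; do
        got=$(effective_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: want '$want', got '${got:-unset}'"
            failures=$((failures + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    [ "$failures" -eq 0 ]
}

# Constructed sample config (not from a real server).
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin no
permitemptypasswords no
#PasswordAuthentication no
PasswordAuthentication yes
AllowAgentForwarding no
AllowTcpForwarding no
Match User backup
    PermitTunnel no
EOF
audit_sshd_config "$sample" || echo "sample config needs fixing"
rm -f "$sample"
```

The sample yields two findings: PasswordAuthentication is yes because the commented-out line does not count, and PermitTunnel is unset globally because it appears only inside a Match block.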
Changing the default SSH port is a good practice to avoid unusual traffic to open ports. Before changing the port, you may need to configure SELinux and the firewall on your system.
Port 2233 is the custom port in this article.
Check whether your desired port number is already in use:
$ sudo lsof -i -P -n | grep LISTEN
Some Linux distributions such as CentOS, RHEL, Alma Linux and Rocky Linux use SELinux, a built-in security mechanism.
Follow the steps below to configure SELinux to allow your custom port for incoming SSH traffic.
Run the following command to check if your server is using SELinux. Skip this section if you are not using SELinux.
$ sestatus
Change to 2233
$ sudo semanage port -a -t ssh_port_t -p tcp 2233
Check if SELinux allows the custom port for incoming SSH traffic
$ sudo semanage port -l | grep ssh
The result should look like:
ssh_port_t tcp 2233, 22
firewalld
Some Linux distributions use firewalld as the default firewall. You need to open the custom port on the firewall.
Check if you are using firewalld:
$ sudo systemctl status firewalld
Open the custom port with firewalld. Replace 2233 with your custom port.
$ sudo firewall-cmd --add-port=2233/tcp --permanent
Reload the settings
$ sudo firewall-cmd --reload
ufw
Some Linux distributions use ufw as the default firewall. You need to open the custom port on the firewall.
Check if you are using ufw
$ sudo systemctl status ufw
Check the ufw status:
$ sudo ufw status
Open the custom port with ufw. Replace 2233 with your custom port.
$ sudo ufw allow 2233 comment 'SSH'
Enable ufw if it is not running:
$ sudo ufw enable
Set the value of Port to your desired unused port number in the /etc/ssh/sshd_config file. For example, change the SSH port to 2233:
Port 2233
Restart the sshd service:
$ sudo systemctl restart sshd
Add -p port to your ssh command to connect to the server on a custom port. Replace port with your custom port.
$ ssh root@servername -p port