This is the first part in a four part series covering remote access to Linux machines using SSH.
Everything in this tutorial should apply to most Linux distributions, however some of the commands may be specific to Ubuntu. You may need to modify some commands to work with your Linux distribution. This is an advanced tutorial, so most instructions will be given as text commands.
Allowing outside machines to access your computer is inherently risky. Assuming your router and/or firewall is properly configured, you will need to poke some holes in it. This potentially leaves you vulnerable to attack. Proceed at your own risk. Because security is a constantly changing issue, you are responsible for securing your own computer and network. You have been warned. If you are not behind a router or other physical firewall and you can’t explain why this is the case, do not proceed. I would also advise you to only try this on your home network, because your employer will probably dislike you messing with SSH, unless, of course, that’s your job.
SSH stands for secure shell. It is a protocol that allows you to access a computer across a network. We will use OpenSSH, an implementation of SSH, since it is the default on most Linux systems.
SSH is installed by default on almost every Linux distribution, however there is usually no SSH server, which is required to actually share your machine with SSH. Use your preferred package manager to install openssh-server
.sudo apt-get install openssh-server
To check if OpenSSH is running type this:
ps -e | grep ssh
This command will list all running processes and then filter the list to only display processes that include “ssh”. You should see a line like this:
11032 ? 00:00:00 sshd
This means that OpenSSH is running. If you don’t see a line like that, try running this command:
sudo /etc/init.d/ssh start
(If two sshd instances are running, it may cause problems. You can usually fix this problem by issuing the command sudo killall sshd followed by sudo /etc/init.d/ssh start.)
There are two steps to configuring your SSH sever. First you must edit the OpenSSH configuration file, then you have to open a hole in your firewall. To start, open the OpenSSH configuration file, which is usually located in /etc/ssh/sshd_config, with your favorite text editor.
gksudo gedit /etc/ssh/sshd_config
Part 2 of this series will discus more configuration options. For now, most of the default configuration should be fine. The one part that you should change now is the port. Your computer has a bunch of different ports (specifically 65535 of them). Each port is like a door that other computers can knock on. For example, when you visit a website, the request goes out through port 80 and the website comes back in through port 80. The first 1024 ports are reserved for specific protocols. Port 22 happens to be reserved for SSH. It is not advisable, however, to let your SSH server listen on that port, though, because an attacker would most likely be scanning for open port 22′s. It is best to change the port option in your OpenSSH configuration to a port number greater than 1024 (and less than 65535). This makes it harder for an attacker to guess which door to knock on. If none of that makes sense, that’s OK. Just change the number after “Port” to a number between 1500 and 5000. While you might be able to use higher numbers, really high port numbers will get you in trouble. See the IANA website for more information about port numbering.
# What ports, IPs and protocols we listen for Port 4005
Next you need to open whatever port you choose in your software firewall, if you are using one. Most Linux distributions have one installed by default, so if you don’t know, you probably are using one. Most people should probably install Firestarter, which is a GUI front end to managing IPTables.
sudo apt-get install firestarter
Open Firestarter and follow the setup wizard. Then click on the Policy tab. Select “Inbound Traffic Policy” and click in the box that has “Allow Service | Port | For” at the top. Then click on the Add Rule button. Enter the port you choose and SSH as the name. Then select “Everyone” and click Add.
You are now ready to test it out. Get your IP address on your local network with this command:
You will need to dig through the output to find your IP address. Here is the relevant piece of the output I see:
wlan0 Link encap:Ethernet HWaddr 00:00:00:00:00:00 inet addr:<strong>192.168.1.175</strong> Bcast:192.168.1.255 Mask:255.255.255.0
Now go to another Linux or Mac OS X computer on the same network. Technically you can use the same computer, but it’s not as good of a demo. Type this:
ssh -p <em>port number</em> <em>username</em>@<em>ip address</em>
For example, I would type:
ssh -p 4005 firstname.lastname@example.org
You may get a message about the server’s RSA key. This is normal and typing yes will bypass the message. Then you should get a prompt for your password. Enter your password and you will be inside your other machine.
Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.1.175' (RSA) to the list of known hosts. email@example.com's password:
Congratulations! SSH is up and running. Part 2 will teach you how to access your computer from another computer across the internet.