This article is for people who want to connect over SSH from Windows to an Ubuntu (Debian-based) server running on a VPS. Each step is explained carefully so that beginners can follow along.
Client OS: Windows 10 OS Build 19042.685
Server OS: Ubuntu 20.04.1 LTS
First, log in to your VPS provider's website and open the console. Then log in to the server as the root user.
After logging in, first create a general (non-root) user. Since the root user is free to execute all commands, there is a risk of accidentally deleting files or overwriting settings. To avoid this, day-to-day work is normally done as a general user, which is safer.
$ useradd -m USER_NAME
To create a general user called hoge:
example
$ useradd -m hoge
With the -m option, the user's home directory is created along with the user.
Set a password to prevent someone from using the user without your permission. You will need this password to log in and to use the sudo command described below.
$ passwd USER_NAME
To create a password for the user hoge:
example
$ passwd hoge
You will be prompted for the password, so type it in. Nothing is displayed while you type, but the input is being accepted; this is by design.
Enter the same password again and you're done.
General users usually do not have administrator privileges, so some commands cannot be used. However, by adding a general user to the sudo group you grant administrator privileges, and that user can then run any command through sudo.
$ usermod -aG sudo USER_NAME
With the -aG option, the user is added to the new group while keeping the groups they already belong to.
To add the user hoge to the sudo group:
example
$ usermod -aG sudo hoge
Now that the general user settings are complete, switch from the root user to the general user.
$ su USER_NAME
To switch to the user hoge:
example
$ su hoge
For those who want to know how public key authentication works, here is a brief explanation. First, a public key and a private key are created as a pair using RSA cryptography. It doesn't matter who sees the public key, so it is kept on the server. The private key must not be shown to a third party, so it is kept in a safe place on the machine where it was created. With the public key and private key arranged this way, extremely secure communication is possible.
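Now, let's create the key. First, create a .ssh directory directly under your home directory so that you can see where the key is at a glance. Run mkdir as the general user, without sudo, so that the directory belongs to that user and the public key can be copied into it later.
$ cd
$ mkdir .ssh
$ chmod 700 .ssh
Running the cd command with no arguments takes you to your home directory.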
Then open the command line on the client (in this case a Windows PC) and run the ssh-keygen command. If you press Enter without typing anything at the prompt Enter file in which to save the key:, a .ssh directory is created directly under your home directory, and your public and private keys are created inside that .ssh directory.
Personally, I recommend putting the key in the default location (the .ssh directory directly under your home directory). The reason is that it saves time when creating the config file described later.
ssh-keygen -t rsa -b 4096
The -t option specifies the encryption method (key type), and the -b option specifies the key length. For security reasons, specify a key length of 2048 bits or 4096 bits when using RSA encryption.
Next, the public key must be placed on the server. Run the scp command to copy the key to the server.
cd .ssh
scp id_rsa.pub USER_NAME@IP_ADDRESS:~/.ssh
If you did not specify a name when generating the two keys, the public key will be named id_rsa.pub and the private key will be named id_rsa. The ~ represents your home directory. The public key is copied to the directory specified at the end.
If the server's global IP address is 160.251.22.228 and you want to pass the public key to a user named hoge:
example
cd .ssh
scp id_rsa.pub hoge@160.251.22.228:~/.ssh
Return to the server console. In the current state, the public key cannot yet be used for SSH connections. To be able to use your public key, you need to create an authorized_keys file directly under the .ssh directory and add your public key to that file.
$ cd .ssh
$ cat id_rsa.pub >> authorized_keys
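A check you can run on the server after the step above, as an added example that is not part of the original article: sshd's StrictModes setting (on by default) ignores authorized_keys when the file or the .ssh directory is writable by group or others. The function name check_ssh_perms is hypothetical, GNU stat is assumed, and the ownership test is stricter than sshd's own (it also flags root-owned paths, which the login user cannot add keys to).

```shell
# Added example, not from the article. Assumes GNU stat (as on Ubuntu).
# On the server, as the login user:  check_ssh_perms "$HOME/.ssh"
check_ssh_perms() {
    dir=$1
    me=$(id -u)
    rc=0
    for path in "$dir" "$dir/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "FAIL $path is missing"; rc=1; continue
        fi
        owner=$(stat -c '%u' "$path")   # numeric owner uid
        mode=$(stat -c '%a' "$path")    # octal mode, e.g. 700
        bad=0
        # A path owned by another uid (for example root, after `sudo mkdir`)
        # cannot be updated by the login user.
        if [ "$owner" != "$me" ]; then
            echo "FAIL $path is owned by uid $owner, expected uid $me"; bad=1
        fi
        # A write bit for group (second-to-last digit) or others (last digit)
        # makes sshd skip the key file when StrictModes is on.
        case "$mode" in
            *[2367]?|*[2367])
                echo "FAIL $path mode $mode is writable by group or others"; bad=1 ;;
        esac
        if [ "$bad" -eq 0 ]; then
            echo "ok   $path mode $mode"
        else
            rc=1
        fi
    done
    return $rc
}
```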
Edit the file sshd_config to make your SSH connection more secure.
$ cd /
$ sudo nano etc/ssh/sshd_config
Apologies to Vim users, but I haven't mastered Vim yet, so the example uses nano. Here is a brief explanation of how to operate the nano editor for beginners. In nano, you can move the cursor with the arrow keys. You can save your edits with Ctrl + S and exit the editor with Ctrl + X.
First, look for the line that says Port. Remove the # at the beginning of the line and change the number 22 to a port number outside the well-known ports (0-1023), choosing a hard-to-guess number such as 3611. Then find the line that says PermitRootLogin and change yes to no. Next, look for the line that says PubkeyAuthentication, delete the # at the beginning, and make sure that PubkeyAuthentication is yes (if it is not, change it to yes).
Since we will use public key authentication this time, we will not make SSH connections with a password. Password login is disabled, because you should not allow anything you don't need. Find the line that says PasswordAuthentication and change yes to no.
This is the end of editing this file. Save the file by overwriting and finish editing.
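Before restarting, it is worth confirming which values sshd will actually use while the VPS console is still open. The following is an added example, not part of the original article: `sshd -t` checks the file for syntax errors and `sshd -T` prints the effective configuration, which the hypothetical function audit_sshd compares with the four settings chosen above. The two sample inputs are constructed.

```shell
# Added example, not from the article. Reads `sshd -T` output on stdin
# (lowercase "keyword value" lines) and compares it with the article's values.
# On the server:  sudo sshd -t && sudo sshd -T | audit_sshd
audit_sshd() {
    awk '
        BEGIN {
            want["permitrootlogin"]        = "no"
            want["pubkeyauthentication"]   = "yes"
            want["passwordauthentication"] = "no"
        }
        # One "port N" line is printed per listening port.
        $1 == "port" {
            seen_port = 1
            if ($2 + 0 <= 1023) {
                printf "FAIL port %s is in the well-known range 0-1023\n", $2; bad = 1
            } else {
                printf "ok   port %s\n", $2
            }
            next
        }
        ($1 in want) {
            seen[$1] = 1
            if ($2 == want[$1]) {
                printf "ok   %s %s\n", $1, $2
            } else {
                printf "FAIL %s is %s, expected %s\n", $1, $2, want[$1]; bad = 1
            }
        }
        END {
            for (k in want) if (!(k in seen)) { printf "FAIL %s not reported\n", k; bad = 1 }
            if (!seen_port) { print "FAIL port not reported"; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample: effective settings after following the article.
SAMPLE_GOOD='port 3611
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no'

# Constructed sample: port left at 22 and password login still in force.
SAMPLE_BAD='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes'

printf '%s\n' "$SAMPLE_GOOD" | audit_sshd
```

A non-zero exit status means at least one setting differs from the article's values, so fix the file before restarting and before closing the console session.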
Restart the ssh service for the changes to take effect.
$ sudo /etc/init.d/ssh restart
Open the command line of the client (Windows PC in this case) and test the SSH connection.
ssh USER_NAME@IP_ADDRESS -p PORT_NUMBER
Use the port number you set in sshd_config.
If the global IP address of the server is 160.251.22.228 and the user hoge logs in on port 3611, it will be as follows.
example
ssh hoge@160.251.22.228 -p 3611
If you can log in, the public key authentication settings are complete!
As it stands, the command is long, so connecting with SSH is a little troublesome. In fact, there is an easier way to connect.
You can make an SSH connection with a shorter command by creating a config file in the .ssh directory directly under your home directory.
Open the command line of the client (Windows PC in this case) and create a config file.
exit
cd
cd .ssh
type nul > config
notepad config
Exit the SSH connection with exit. Then create an empty config file with type nul > config. Run notepad config to launch Notepad and edit the config file. Write the following contents in Notepad.
host LOG_IN_NAME
user USER_NAME
hostname IP_ADDRESS
port PORT_NUMBER
Then save the file and close Notepad. The config file also has an item called identityfile that specifies the path of the private key, but this item can be omitted. If you omit identityfile, the private key named id_rsa in ~/.ssh (the .ssh directory directly under your home directory) will be used for the SSH connection. That's why I recommended creating the .ssh directory directly under your home directory. Even when identityfile is not required, you can still write it to state the private key path explicitly.
If you want to do that, it looks like this:
host LOG_IN_NAME
user USER_NAME
hostname IP_ADDRESS
port PORT_NUMBER
identityfile ~/.ssh/id_rsa
If the global IP address of the server is 160.251.22.228 and you want to log in on port 3611 with the command ssh hogehoge as the user hoge, it will be as follows.
example
host hogehoge
user hoge
hostname 160.251.22.228
port 3611
Let's check that the config file is set up correctly. Try an SSH connection using the word after host in the config file.
ssh LOG_IN_NAME
If you wrote the word hogehoge after host, the command will be as follows.
example
ssh hogehoge
If you can log in, the configuration file settings are complete!