
RHCSA - Understand and Use Essential Tools: Access Remote Systems Using SSH

This guide introduces the key concepts and practical applications of SSH (Secure Shell) for remote system access, tailored for the RHCSA certification. It covers essential topics such as basic SSH operations, host verification, accessing remote systems, alternative SSH port connections, and troubleshooting techniques.

What is SSH?

Secure Shell (SSH) is a network protocol that allows secure remote access to systems over an unsecured network. By default the SSH protocol will communicate over port 22.

It provides a secure channel for transmitting data, executing commands, and managing remote systems, whilst also ensuring confidentiality and integrity of data exchanged between the client and the server.

Host-Based Verification Message on First Login

When connecting to a remote server for the first time using SSH, you may encounter a host-based verification message. This message serves to verify the authenticity of the remote host and ensure that you are connecting to the intended server.

The verification message typically includes the remote server's fingerprint and asks for your confirmation to proceed with the connection.

The authenticity of host '192.168.0.235 (192.168.0.235)' can't be established.
ED25519 key fingerprint is SHA256:XXxxxXXXXXx0xxXxxx000xx0xX00Xx0xXX/XXxxx0xX.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

Upon confirming the connection by typing yes, the remote server's key will be saved on your local system in the known_hosts file. This file stores the host keys of previously connected servers so that future connections can be checked against them and potential tampering detected.
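The fingerprint in the prompt is the SHA-256 digest of the server's public key, base64-encoded with the padding removed, so it can be recomputed from a known_hosts entry and compared with a value read from the server over a trusted channel such as its console. The following is an added example, not part of the original guide; the key bytes, salt and function names are constructed for illustration, and it also handles the hashed host form (`|1|salt|hash`) that known_hosts may use.

```python
import base64
import hashlib
import hmac
import struct

def fingerprint(key_b64):
    """SHA256 fingerprint as ssh prints it: base64 of the digest, '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(pattern, host):
    """Match a known_hosts host field: plain comma list or hashed |1|salt|hash form."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in pattern.split(",")

def stored_fingerprints(known_hosts_text, host):
    """Return {key_type: fingerprint} for every entry recorded for host."""
    found = {}
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith(("#", "@")):
            continue  # skip blanks, comments and @cert-authority/@revoked markers
        hosts, key_type, key_b64 = fields[:3]
        if host_matches(hosts, host):
            found[key_type] = fingerprint(key_b64)
    return found

def verify(known_hosts_text, host, key_type, expected):
    """True only if the recorded key for host has the fingerprint obtained out of band."""
    return stored_fingerprints(known_hosts_text, host).get(key_type) == expected

# Constructed sample data: a well-formed ssh-ed25519 key blob with dummy key bytes.
def make_blob(key_bytes):
    name = b"ssh-ed25519"
    raw = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + key_bytes
    return base64.b64encode(raw).decode()

GOOD_KEY = make_blob(bytes(range(32)))
SALT = b"constructed-salt-20b"  # constructed 20-byte salt
HOST_MAC = hmac.new(SALT, b"192.168.0.235", hashlib.sha1).digest()
HASHED_HOST = "|1|%s|%s" % (base64.b64encode(SALT).decode(), base64.b64encode(HOST_MAC).decode())
KNOWN_HOSTS = "192.168.0.235 ssh-ed25519 %s\n" % GOOD_KEY
KNOWN_HOSTS_HASHED = "%s ssh-ed25519 %s\n" % (HASHED_HOST, GOOD_KEY)
```

A mismatch between the recomputed value and the fingerprint read from the server means the entry should not be trusted until the difference is explained.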

Accessing Remote Systems Using SSH

With SSH you can connect remotely to a system using your current username or by specifying a different remote user.

Tip

Ensure you are logged onto server1 so you can follow along.

For me the server1 ip is 192.168.0.219 and the server2 ip is 192.168.0.235.

If prompted to confirm a server's fingerprint, respond with yes.

Access Remote System With Your Current Username

To access a remote system using your current username you would run ssh remote_host without specifying a user.

Exercise: Connecting to server2 from server1, no user specified:

ssh 192.168.0.235

Enter password when prompted.

user1@192.168.0.235's password: 
Last login: Sun Jun 25 07:55:53 2023

Access Remote System With a Different Username

To access a remote system using a different username you would run ssh remote_user@remote_host.

Exercise: Connecting to server2 from server1, specifying a user:

Info

If you have been following this guide in order you would not have created any additional users yet, which is ok. Connecting to your current username still proves the command syntax is working.

ssh user1@192.168.0.235

Enter password when prompted.

user1@192.168.0.235's password: 
Last login: Sun Jun 25 08:07:20 2023 from 192.168.0.219

Connecting Over SSH to a Different Port

There may be occasions where, for security reasons, SSH is set up to listen on a port other than port 22.

The ssh command allows you to connect to a remote system listening on a different port by using the -p port option.

Exercise: Connecting to server2 from server1, specifying a different port:

ssh -p 2222 192.168.0.235

As we have not configured SSH to listen on a different port, an error will occur. However, this at least shows that the correct command syntax was used, as the output contains the port we requested.

ssh: connect to host 192.168.0.235 port 2222: No route to host

Troubleshooting SSH Access

You may be required to troubleshoot your connection over SSH. This can be achieved by using the -v flag for verbose output.

It will display details on, but not limited to, the following, which may assist in troubleshooting:

  • Configuration files
  • Identity files
  • Versions in use
  • Known_hosts checks
  • Key algorithm
  • Key attempts

Exercise: Connecting to server2 from server1, with verbosity on:

ssh -v 192.168.0.235

Enter password when prompted.

OpenSSH_8.7p1, OpenSSL 3.0.1 14 Dec 2021
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Connecting to 192.168.0.235 [192.168.0.235] port 22.
debug1: Connection established.
debug1: identity file /home/user1/.ssh/id_rsa type -1
debug1: identity file /home/user1/.ssh/id_rsa-cert type -1
debug1: identity file /home/user1/.ssh/id_dsa type -1
debug1: identity file /home/user1/.ssh/id_dsa-cert type -1
debug1: identity file /home/user1/.ssh/id_ecdsa type -1
debug1: identity file /home/user1/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/user1/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/user1/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/user1/.ssh/id_ed25519 type -1
debug1: identity file /home/user1/.ssh/id_ed25519-cert type -1
debug1: identity file /home/user1/.ssh/id_ed25519_sk type -1
debug1: identity file /home/user1/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/user1/.ssh/id_xmss type -1
debug1: identity file /home/user1/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.7
debug1: compat_banner: match: OpenSSH_8.7 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.0.235:22 as 'user1'
debug1: load_hostkeys: fopen /home/user1/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:8SlebGVMEWr0gpQscw929cd6wA54Wd0oZH/EElzh0nQ
debug1: load_hostkeys: fopen /home/user1/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '192.168.0.235' is known and matches the ED25519 host key.
debug1: Found key in /home/user1/.ssh/known_hosts:1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/user1/.ssh/id_rsa 
debug1: Will attempt key: /home/user1/.ssh/id_dsa 
debug1: Will attempt key: /home/user1/.ssh/id_ecdsa 
debug1: Will attempt key: /home/user1/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /home/user1/.ssh/id_ed25519 
debug1: Will attempt key: /home/user1/.ssh/id_ed25519_sk 
debug1: Will attempt key: /home/user1/.ssh/id_xmss 
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: No credentials were supplied, or the credentials were unavailable or inaccessible
No Kerberos credentials available (default cache: KCM:)
debug1: No credentials were supplied, or the credentials were unavailable or inaccessible
No Kerberos credentials available (default cache: KCM:)
debug1: Next authentication method: publickey
debug1: Trying private key: /home/user1/.ssh/id_rsa
debug1: Trying private key: /home/user1/.ssh/id_dsa
debug1: Trying private key: /home/user1/.ssh/id_ecdsa
debug1: Trying private key: /home/user1/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/user1/.ssh/id_ed25519
debug1: Trying private key: /home/user1/.ssh/id_ed25519_sk
debug1: Trying private key: /home/user1/.ssh/id_xmss
debug1: Next authentication method: password
user1@192.168.0.235's password: 
Authenticated to 192.168.0.235 ([192.168.0.235]:22) using "password".
debug1: pkcs11_del_provider: called, provider_id = (null)
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: filesystem full
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: client_input_hostkeys: searching /home/user1/.ssh/known_hosts for 192.168.0.235 / (none)
debug1: client_input_hostkeys: searching /home/user1/.ssh/known_hosts2 for 192.168.0.235 / (none)
debug1: client_input_hostkeys: hostkeys file /home/user1/.ssh/known_hosts2 does not exist
debug1: client_input_hostkeys: no new or deprecated keys from server
Last login: Sun Jun 25 08:39:50 2023 from 192.168.0.219
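
Verbose output is long, and the lines that matter when troubleshooting are few: where the client connected, which host key it saw and whether known_hosts already held it, which authentication methods were tried, and which one succeeded. The following is an added example, not part of the original guide, that reduces `ssh -v` output to those facts and names the stage at which a connection stopped; the function names are constructed, and the sample text is an excerpt of the output above plus the port 2222 error from the earlier exercise.

```python
import re

def summarize(debug_text):
    """Condense `ssh -v` client output into the facts used when troubleshooting."""
    s = {"target": None, "connect_error": None, "host_key": None,
         "host_known": False, "offered": [], "tried": [], "used": None}
    for raw in debug_text.splitlines():
        line = re.sub(r"^debug\d: ", "", raw.strip())
        if m := re.match(r"Connecting to (\S+) \[\S+\] port (\d+)", line):
            s["target"] = (m[1], int(m[2]))
        elif m := re.match(r"ssh: connect to host \S+ port \d+: (.+)", line):
            s["connect_error"] = m[1]
        elif m := re.match(r"Server host key: (\S+)\s+(SHA256:\S+)", line):
            s["host_key"] = (m[1], m[2])
        elif re.match(r"Host '\S+' is known and matches", line):
            s["host_known"] = True
        elif m := re.match(r"Authentications that can continue: (\S+)", line):
            s["offered"] = m[1].split(",")
        elif m := re.match(r"Next authentication method: (\S+)", line):
            s["tried"].append(m[1])
        elif m := re.match(r'Authenticated to \S+ \(\S+\) using "([^"]+)"', line):
            s["used"] = m[1]
    return s

def diagnose(s):
    """Map the summary to the stage at which the connection stopped."""
    if s["connect_error"]:
        return "network: " + s["connect_error"]
    if s["target"] is None:
        return "no connection attempt seen"
    if s["host_key"] and not s["host_known"]:
        return "host key not in known_hosts: verify the fingerprint first"
    if s["used"] is None:
        return "authentication failed after trying: " + ",".join(s["tried"])
    return "authenticated with " + s["used"]

# Excerpt of the verbose output shown above, plus the port 2222 failure.
SAMPLE_OK = """\
debug1: Connecting to 192.168.0.235 [192.168.0.235] port 22.
debug1: Server host key: ssh-ed25519 SHA256:8SlebGVMEWr0gpQscw929cd6wA54Wd0oZH/EElzh0nQ
debug1: Host '192.168.0.235' is known and matches the ED25519 host key.
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Next authentication method: password
Authenticated to 192.168.0.235 ([192.168.0.235]:22) using "password".
"""
SAMPLE_FAIL = "ssh: connect to host 192.168.0.235 port 2222: No route to host\n"
```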

Summary

In this guide, we have explored the fundamentals and advanced aspects of using SSH for secure remote access. We delved into understanding SSH, managing host-based verification, accessing remote systems with different credentials, connecting via alternative ports, and effectively troubleshooting SSH connections.

