SET UP an SSH SERVER
Install the OpenSSH server:
sudo apt-get install openssh-server
Note: The OpenSSH server can also be installed when doing a server installation as an option from the LiveCD.
Note: An OpenSSH server can also be set up on a Windows server using Cygwin. See these instructions.
Limit authorized SSH users
See Limit the user accounts that can connect through OpenSSH remotely
OpenSSH Public Key Authentication
See this OpenSSH Public Key Authentication Tutorial.
In brief, it is necessary to generate a public / private key pair. On your client machine, generate the pair:
ssh-keygen
A prompt asks for a passphrase. Leaving it blank means that anyone who obtains the private key file can use it at once, so do that only on a client to which no one but you has access; otherwise enter a passphrase and let ssh-agent cache the unlocked key, so you type the passphrase once per session rather than on every connection. Older OpenSSH releases generate a 2048-bit RSA SSH-2 key pair by default; since OpenSSH 9.5 the default is Ed25519, which you can also request explicitly with ssh-keygen -t ed25519. The pair is stored in the /home/user/.ssh folder. The private key (id_rsa, or id_ed25519 for an Ed25519 key) stays in that folder and is never copied anywhere. (The public key, id_rsa.pub or id_ed25519.pub, is what gets copied to the OpenSSH server.)
The private key must be readable only by user, its owner (ssh refuses to use a private key that other accounts can read):
chmod 600 /home/user/.ssh/id_rsa
You should also make the entire .ssh folder accessible only to user:
chmod 700 /home/user/.ssh
Copy the public key ( /home/user/.ssh/id_rsa.pub ) into /home/serveruser/.ssh on the machine running the OpenSSH server, where serveruser is the account you will log in as (generally the administrative user created when the server was installed). While the server still listens on the default port 22 and still accepts passwords, the ssh-copy-id utility does the whole job: it logs in with your password, appends the key to authorized_keys and sets the permissions:
ssh-copy-id serveruser@remoteserver.computer.xyz
Older ssh-copy-id releases only worked over port 22; current versions take the port with -p (ssh-copy-id -p 2222 serveruser@remoteserver.computer.xyz). If ssh-copy-id is not available, copy /home/user/.ssh/id_rsa.pub to the server by hand (for example with scp, which takes the port as -P) and install it manually. sshd, with its default StrictModes yes, ignores authorized_keys if the file or the .ssh directory is writable by anyone other than serveruser, so the directory must be mode 700 and the file mode 600. Logged in to the server as serveruser, create both if they do not already exist (the touch command creates an empty file):
mkdir -p ~/.ssh
chmod 700 ~/.ssh
cd ~/.ssh
touch authorized_keys
chmod 600 authorized_keys
Then append the id_rsa.pub you copied into the ~/.ssh folder to authorized_keys. (If the copy was made as a different user, make serveruser its owner first.) Append only the new key: a command such as cat authorized_keys id_rsa.pub >> authorized_keys reads from the very file it is writing to, which GNU cat refuses ("input file is output file") and other implementations turn into duplicated entries:
cd ~/.ssh
chown serveruser id_rsa.pub
cat id_rsa.pub >> authorized_keys
Make sure the OpenSSH server looks for the key file in that location. The commented-out AuthorizedKeysFile line in the configuration shows the compiled-in default, so the server already reads ~/.ssh/authorized_keys; uncomment it only if you want the setting stated explicitly or intend to change it. On the remote server, edit the OpenSSH configuration file:
sudo nano /etc/ssh/sshd_config
and, if desired, uncomment the line (i.e. remove the # at the beginning of the line):
#AuthorizedKeysFile %h/.ssh/authorized_keys
Remove the ability to log in to the OpenSSH server using password authentication. Do this only after you have confirmed that key authentication works, and keep your current session open while you test, or you can lock yourself out:
sudo nano /etc/ssh/sshd_config
Change the line
#PasswordAuthentication yes
to
PasswordAuthentication no
Two things can defeat this setting. First, sshd uses the first value it finds for a keyword, and the stock Ubuntu sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf; cloud images ship a drop-in there (50-cloud-init.conf) containing PasswordAuthentication yes, which wins over the edit further down, so check the drop-ins too. Second, PAM can still prompt for the password through keyboard-interactive authentication unless KbdInteractiveAuthentication no (ChallengeResponseAuthentication no on OpenSSH before 8.7) is also set; Ubuntu's default file already sets it, so just make sure it has not been changed to yes. Before restarting, check the file for syntax errors with sudo sshd -t and look at the values sshd will really use with sudo sshd -T | grep -i -e passwordauth -e kbdinteractive.
Restart the OpenSSH server (on releases that still use SysV init scripts, sudo /etc/init.d/ssh restart):
sudo systemctl restart ssh
Then, from a second terminal, confirm that a password login is refused: ssh -o PubkeyAuthentication=no serveruser@remoteserver.computer.xyz should fail with "Permission denied (publickey)".
Now you can connect without a password, logging in as serveruser. The -L option creates the tunnel: local port 5900 is forwarded over the encrypted session to port 5900 on the server's own loopback interface, so a VNC viewer pointed at 127.0.0.1:5900 on the client reaches the VNC server on the remote machine without VNC ever being exposed on the network:
ssh -l serveruser -L 5900:127.0.0.1:5900 remoteserver.computer.xyz -p 22
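The manual key installation and the sshd_config checks above, as an added shell example that is not code from the original page: one function appends a public key to authorized_keys exactly once with the permissions sshd requires, the other reports the value sshd will actually use for a keyword, following Include drop-ins in the order sshd reads them. Paths, the scratch-directory argument and the key material mentioned in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original page: two server-side helpers for
# the manual key-installation and sshd-hardening steps above. Assumes a Linux
# host with a POSIX sh, awk, grep and tr. The default paths are the real ones;
# the optional second argument points each function at a scratch directory,
# which is how to exercise them before running them on a live server.

# Append one public key to authorized_keys exactly once, with the modes that
# sshd's StrictModes requires (directory 700, file 600). Nothing here touches
# the network, so it works whatever port sshd listens on: get the .pub file
# onto the server by any means (scp -P, pasting it into a file) and point this
# at it. Prints "installed" or "already present".
install_authorized_key() {
    pubkey_file=$1
    ssh_dir=${2:-$HOME/.ssh}
    auth_keys=$ssh_dir/authorized_keys
    # Keep only a real key line (key type, base64 blob, optional comment).
    key=$(grep -E '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-[a-z0-9-]+|sk-[a-z0-9@.-]+) [A-Za-z0-9+/=]+' "$pubkey_file" | head -n 1)
    if [ -z "$key" ]; then
        echo "no public key line in $pubkey_file" >&2
        return 1
    fi
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_keys" && chmod 600 "$auth_keys"
    # Duplicate check on key type and blob only, so the same key with a
    # different comment is not installed twice.
    if printf '%s\n' "$key" | awk 'NR==FNR { id = $1 " " $2; next }
                                   ($1 " " $2) == id { found = 1 }
                                   END { exit !found }' - "$auth_keys"; then
        echo "already present"
        return 0
    fi
    # Append just the new line. Never "cat authorized_keys x >> authorized_keys":
    # that reads and writes the same file and either fails or duplicates keys.
    printf '%s\n' "$key" >> "$auth_keys"
    echo "installed"
}

# Print the value sshd will actually use for a keyword, following Include
# files in the order sshd reads them. sshd keeps the FIRST value it meets, and
# Ubuntu's stock sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf",
# so a drop-in such as 50-cloud-init.conf saying "PasswordAuthentication yes"
# silently beats a "PasswordAuthentication no" written further down. Lines
# inside Match blocks are skipped (and Include inside Match is not handled);
# "sudo sshd -T" is the authoritative answer, this is the quick audit.
# Prints nothing if the keyword is never set.
sshd_effective() {
    _sshd_walk "$1" "${2:-/etc/ssh/sshd_config}" | head -n 1
}
_sshd_walk() {
    keyword=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    in_match=0
    [ -r "$2" ] || return 0
    # "read" with the default IFS already trims leading and trailing blanks.
    while read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        set -f; set -- $line; set +f        # split on blanks, no globbing yet
        key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
        shift; val=$*
        case $key in
            match)   in_match=1 ;;
            include) for f in $val; do _sshd_walk "$keyword" "$f"; done ;;  # globbing wanted here
            "$keyword") if [ "$in_match" -eq 0 ]; then printf '%s\n' "$val"; fi ;;
        esac
    done < "$2"
    return 0
}

# Usage on the server, as serveruser:
#   install_authorized_key /tmp/id_ed25519.pub
#   sshd_effective PasswordAuthentication      # expect "no" after the edit
```

Run the first function as serveruser with the copied .pub file, and the second after editing sshd_config; if it prints yes while your edit says no, a drop-in under /etc/ssh/sshd_config.d is overriding you. sudo sshd -T remains the definitive check, since this walker ignores Match blocks.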
Connect with SSH and start an application with a single command
If you have created an OpenSSH key pair with no passphrase (or have loaded a passphrase-protected key into ssh-agent), so that ssh never stops to prompt, you can start both the SSH tunnel and a VNC program (such as Krdc or Vinagre) to run through the SSH tunnel with a single command:
ssh -f -l serveruser -L 5900:127.0.0.1:5900 remoteserver.computer.xyz -p 22 sleep 5; krdc vnc://127.0.0.1::5900
Alternatively (and probably preferably) you can create a Menu Item / Shortcut with the above command.
Note: This command is a command-line mini-script. The SSH option -f tells the SSH client to fork into the background once authentication and the port forward are set up (this option is not available in the PuTTY client), which lets the command line proceed to the next command(s) in the mini-script. The remote command sleep 5 is what keeps the session alive: ssh exits when its remote command has finished and no connection is open through the forward, so the VNC program has 5 seconds to connect through the tunnel; once it has, ssh stays running until that connection closes. Lengthen the sleep if the program takes longer to start. After the wait period begins, the program (Krdc VNC in this example) is started.
Of course, any program could be started (to be run through the SSH tunnel) in this fashion, not just a VNC program.
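A launcher for the single-command tunnel above, added here as an example and not the page's own command: it builds the ssh invocation with ExitOnForwardFailure so a failed forward is reported instead of silently ignored, polls the local port instead of guessing a fixed delay, and only then starts the viewer. It assumes bash (for /dev/tcp) and an OpenSSH client; the user, host, ports and viewer command are supplied by the caller and are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page. Assumes bash and OpenSSH;
# all names, hosts and ports are placeholders passed in by the caller.

# Argument list for a background-forked local forward. ExitOnForwardFailure
# makes ssh exit non-zero when the local port cannot be bound (otherwise it
# carries on without the forward and the viewer fails later with a confusing
# error); BatchMode stops it waiting on a prompt nobody can see when started
# from a menu item, so the key must be passphrase-less or held by ssh-agent.
# The remote "sleep HOLD" keeps the session open long enough for the viewer
# to connect; after that ssh lives as long as the forwarded connection does.
tunnel_args() {
    local user=$1 host=$2 port=$3 lport=$4 rport=$5 hold=${6:-10}
    printf '%s\n' -f -o ExitOnForwardFailure=yes -o BatchMode=yes \
        -L "$lport:127.0.0.1:$rport" -p "$port" -l "$user" "$host" sleep "$hold"
}

# Poll until host:port accepts TCP connections or `timeout` seconds pass.
# Returns 0 when open, 1 on timeout. Bash opens /dev/tcp/... as a socket; the
# probe is closed at once (the VNC server sees one empty connection).
wait_for_port() {
    local host=$1 port=$2 timeout=${3:-10} i=0
    while [ "$i" -lt "$timeout" ]; do
        if (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null; then return 0; fi
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# Open the forward, wait until it answers, then run the viewer on the local end.
# Usage: tunnel_and_run serveruser remoteserver.computer.xyz 22 5900 5900 \
#            krdc vnc://127.0.0.1:5900
tunnel_and_run() {
    local user=$1 host=$2 port=$3 lport=$4 rport=$5
    shift 5
    set -f   # word-split the argument list without pathname expansion
    ssh $(tunnel_args "$user" "$host" "$port" "$lport" "$rport") || {
        set +f; echo "ssh failed or the forward could not be set up" >&2; return 1; }
    set +f
    wait_for_port 127.0.0.1 "$lport" 10 || { echo "nothing listening on $lport" >&2; return 1; }
    "$@"
}
```

Put tunnel_and_run with its arguments in the menu item in place of the one-liner; because ssh is started with BatchMode, a missing or locked key makes it fail immediately with a message rather than hang behind an invisible prompt.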
Automate SSH connections that require a password
This method is strongly advised against, though not for the reason usually given: the password itself travels inside the encrypted SSH session, so it is not exposed on the wire. The problem is everywhere else it ends up in clear text: in the command line, which any local user can read from ps or /proc/PID/cmdline while the session runs; in your shell history; and in the menu item or script file on disk. Anyone who obtains it has your account on the server. Use the OpenSSH key pair method described above instead. This method is listed here for reference.
Terminal interactions (such as the SSH password challenge) can be automated using the expect utility. Install:
sudo apt-get install expect
If, for example, your SSH client ID is clientuserID, your password is not#1sostrong, and the remote SSH server is remoteserver.computer.xyz (using the default SSH port of 22), then use this command to start the SSH tunnel:
expect -c 'spawn ssh -l clientuserID -L 5900:127.0.0.1:5901 remoteserver.computer.xyz -p 22; expect assword ; send "not#1sostrong\n" ; interact'
The pattern assword is deliberate: it matches both "password:" and "Password:" in the prompt. The other parameters are the tunnel ports: 5900 is the port the tunnel listens on at the client and 5901 is the port it connects to on the server (VNC display :1 there, for example). See Port forwarding through SSH for more details.
You can use the entire command as a menu item (must be "Run in terminal" in the Advanced menu options), bearing in mind that the menu item then stores the password in clear text in a file under your home directory.
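The exposure described above, demonstrated as an added shell example that is not code from the original page: a process whose argv carries a password the way the expect one-liner does is started, and its command line is read back from the outside the way any other local user could. A sh -c stand-in replaces expect so the demo runs with no expect binary and no remote host; "not#1sostrong" is the page's made-up password.

```shell
#!/bin/sh
# Added example, not code from the original page. Shows where the expect
# one-liner really leaks the password: the whole -c script, secret included,
# is expect's argv, readable by every local user from /proc/PID/cmdline (or
# ps). Assumes Linux /proc or a ps that supports -o args.

# Return 0 if `needle` occurs in the command line of process `pid`.
cmdline_contains() {
    pid=$1 needle=$2
    if [ -r "/proc/$pid/cmdline" ]; then
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline")   # argv is NUL-separated
    else
        cmd=$(ps -o args= -p "$pid")                # non-Linux fallback
    fi
    case $cmd in *"$needle"*) return 0 ;; esac
    return 1
}

# Start a process whose argv carries the secret the way
#   expect -c 'spawn ssh ...; send "not#1sostrong\n"; interact'
# does (two commands, so the shell cannot exec-optimise the script away),
# then look at it from outside. Returns 0 when the secret is visible, i.e.
# leaked, and 1 when it is not.
leak_via_argv() {
    secret=$1
    sh -c "sleep 5; : 'send $secret'" >/dev/null 2>&1 &
    victim=$!
    sleep 1                                          # let it exec
    if cmdline_contains "$victim" "$secret"; then leaked=0; else leaked=1; fi
    kill "$victim" 2>/dev/null || true
    wait "$victim" 2>/dev/null || true
    return "$leaked"
}

# Usage: leak_via_argv 'not#1sostrong' && echo "password visible to every local user"
```

The same check works against a real expect invocation: run the one-liner, then from another login run ps -o args= -C expect and the password is there. Nothing on this page avoids that except not sending a password at all, which is what the key pair method does.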