Basic Server Connectivity
This a refresh of an earlier article where I described how to connect to a Raspberry Pi via SSH. This article is geared towards OpenSSH on Ubuntu. Part 1 describes an initial (read unsecure) set-up for SSH, while Part 2 delves into a (somewhat more) secure set-up.
Do not attempt the steps in these articles on machines exposed to the Internet. Steps are intended for local networking, testing and troubleshooting!
Part 1 will require a server and client connected on a local network. You will also need to have a monitor and keyboard connected to your server to confirm SSH is running, making adjustments to sshd_config, etc.
Initial Set-up
Log-in to your server using a monitor and keyboard.
Run ssh -V to check the OpenSSH version.
If not already installed, install openssh-server via:
sudo apt install openssh-server
Confirm SSH is running:
sudo service ssh status
Edit Configuration for SSH Service
Edit the SSH daemon configuration via:
sudo nano /etc/ssh/sshd_config
Enter or modify the following parameters:
# Added YYYY-MM-DD by <author>.
PermitRootLogin yes
PermitEmptyPasswords no
PubKeyAuthentication no
PasswordAuthentication yesAdd an AllowUsers line directly below PasswordAuthentication as follows:
AllowUsers <user_1> <user_2> etc
AllowUsers helps limit which users can log-in via SSH.
Comment-out AllowGroups if it is present:
# AllowGroups …
Cntl-O to save, Cntl-X to exit.
Confirm the modified value in in sshd_config are GTG:
sudo sshd -t
Re-open and correct any syntax errors in the config file as appropriate, then save and close.
Restart SSH daemon:
sudo service ssh restart
Confirm SSH is working on your server via:
ssh -v localhost
Next, try to connect to your server from a client on the local network via:
ssh -v <server_user>@<server_ip>
You *should* be able to specify <server_hostname> in lieu of <server_ip> provided it is configured in Client Settings in your router.
If you do not get ‘Welcome to blah blah’ message in the above tests, proceed with Troubleshooting.
Initial Troubleshooting
SSH is very finnicky about log-ins, as well it should be.
The Stale hostname problem
During authentication you may receive cryptic error messages.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@Remove stale hostnames via:
ssh-keygen -f "/home/<client_user>/.ssh/known_hosts" -R "<server_hostname>"
Too many Authentication Failures
You may receive a Too Many Authentication Failures error. If this occurs, specify -o IdentitiesOnly=yes when attempting to SSH into your server:
ssh -o IdentitiesOnly=yes <server_user>@<server_ip>
Username or Password Mis-match
If one single character is off in regard to your <server_user> or password, you will likely get:
Permission denied, please try again.
SSH uses the same password as the one used by <server_user> to log-in to their machine.
Verify that your <server_user> is specified correctly in the AllowUsers line in the sshd_config on your server.
Specify the correct <server_user> and password when attempting to SSH into your server!
Additional Troubleshooting
Still no luck with SSH’ing into your server? Here are some additional steps to try:
- Ensure you have edited the daemon configuration on your server ie:
sshd_config - Ensure your keyboard layout is correct between both the server and client!
- Do not use a UK layout on your client when using an American-layout on the host.
- Ensure caps-lock key is turned off…
- Confirm keyboard is set to the correct language when entering special characters for password.
- If your SSH connection is closing abruptly try running
dpkg-reconfigure openssh-serveron the server. - Verify static IP address is set in Client Settings of your router.
- Verify
<server_hostname>is assigned to your server device in Client Settings of your router.
Postscript
I strongly recommend you take additional steps to harden your SSH following this tutorial. There are several posts that go into further detail in this regard such as this one. And also this. This one too.
What steps have you taken to set up SSH on your server?