Authentication

Now we must talk about the two primary ways to authenticate to a remote Linux system over SSH. SSH itself isn't doing the authentication; the operating system is. SSH is just the connection mechanism to the operating system.

Firstly, we have password-based authentication. If you log in to a remote system and you don't have an SSH key installed on it (see below), then you might get the opportunity to type in the user's password. A lot of systems disable password-based authentication these days, however. That's considered best practice, although that's somewhat debatable[1].

The most common way of authenticating is via an SSH key pair. We've talked about this concept before: public-key cryptography.

We'll explore both options now.

Password authentication

On Ubuntu Server 20.04, the openssh-server package (the one you may have had to install above) allows password-based authentication by default. This is good for us, because we're just learning, and it allows us to log in using a password first and then manage SSH keys for the next section.

Note

If you're using the VirtualBox Virtual Machine we set up earlier in the course, then you'll need to set up port forwarding for SSH on your VM before it can be accessed. We did this in the VM set up section. If you skipped this, then you'll need to go back and set it up, otherwise you won't be able to follow along.

Inside of your terminal emulator, connect to your server: ssh ubuntu@<IP>

$ ssh ubuntu@33.26.237.203
ubuntu@33.26.237.203's password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-1018-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Apr  4 00:47:16 UTC 2022

  System load:           0.02
  Usage of /:            2.6% of 58.10GB
  Memory usage:          12%
  Swap usage:            0%
  Processes:             105
  Users logged in:       0
  IPv4 address for eth0: 172.26.1.163
  IPv6 address for eth0: 2406:da1c:56f:b000:dcc4:1f61:dfaf:2007

 * Ubuntu Pro delivers the most comprehensive open source security and
   compliance features.

   https://ubuntu.com/aws/pro

266 updates can be installed immediately.
148 of these updates are security updates.
To see these additional updates run: apt list --upgradable


Last login: Mon Apr  4 00:45:34 2022 from 103.246.29.22

This is an Ubuntu Server 20.04 server I created in AWS for testing and developing this course.

Reviewing the command I ran, we can see:

$ ssh ubuntu@33.26.237.203
ubuntu@33.26.237.203's password:

The IP 33.26.237.203 was the public IP address of the remote server at the time. I was then prompted to provide my password, which I did, and I was granted access to the system and presented with a shell prompt.

If you're using the VirtualBox VM, you will need to use the local loopback address on your system instead, because you're forwarding 127.0.0.1 port 2222 to port 22 on the VM's internal network.

Note

We set this up many chapters ago, but if you're struggling then review the chapter again or join the Discord community and let us know what you're having trouble with and we'll try to help.

So your SSH command will be simple: ssh ubuntu@127.0.0.1 -p 2222.

(C:\Users\Michael Crilly)
> ssh superman@127.0.0.1 -p 2222
superman@127.0.0.1's password:
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-104-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon 04 Apr 2022 06:39:41 AM UTC

  System load:  0.16               Processes:               134
  Usage of /:   39.6% of 19.56GB   Users logged in:         1
  Memory usage: 14%                IPv4 address for enp0s3: 10.0.2.15
  Swap usage:   0%

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

3 updates can be applied immediately.
To see these additional updates run: apt list --upgradable


*** System restart required ***
Last login: Mon Apr  4 06:37:30 2022 from 10.0.2.2
superman@develop:~$

Above, we can see I've used the ssh command inside of a PowerShell prompt made available via Windows Terminal. I then provided my password (badpassword for this demonstration) and I was given access to a shell prompt.

And that's that. We've connected to port TCP/22 on the remote system, established an SSH connection, authenticated using our user's password, and then got access to the system.

Let's explore a method of authentication that's considered better practice and much more aligned with what you're going to be doing out in the real world.

SSH Keys

Imagine a really, really long password. That's sort of what SSH keys are like. Here's an example SSH keypair (this is the private key) I generated locally and then deleted:

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEArgLyykRLz+0P0J6kVok1RQaiSyMtV0gHAKC5CjSspIN5/5A2DXa+
...
ZGJx9yOSRGjv9+3CmXpx5ON/991aUpSQIJccDwJn7fHXIX4hYTwwrJgTz5U6YD3XCi1T+X
q6+SEjH5sH2vi5AAAAHm1pY2hhZWwgY3JpbGx5QERFU0tUT1AtUDFQSklHVQECAwQ=
-----END OPENSSH PRIVATE KEY-----

I've chopped this down a bit in the interest of keeping things simple. There is a public key too:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCuAvLKREvP7Q/QnqRWiTVFBqJLIy1XSAcAoLkKNKykg3n/kDYNdr6qGW2+PR/1SeSsHQGjxwGs7oWLail5wdrDkaEygxmWiQg+LzHOZmsarxaxMJQjXCeXvsSYQS3K3D7fmnviTUvtNkqS98Oq4sLjVbgBPu7Xgl/xcOhiDyVYmMyVunNoVIpxmFBFh9k98vUtWYhGOF/HaMnDAvbSl399kZg4mpUOPsfr8LjCKsvyUpwGTR8bJFRjDcohtcNbH8492j+6CGpzw9lS+7QS9963lDMw1F872U/dp8za9mih45d5DaBK+eWvmAKPEnqQ5euRYWGxLACrtQwA0eUinbldH9V0g/p259qMRlTcoQK/28H+36vGBGnzt6h70hGK/gZLrmfKnwxvIgRvjCn2oiveLiyjHKXZhlhxTNm9brRf0uOoqiaCqv8hkCqfX/INDc9xlDsNeit0qcugzNKZaWqH67c3bBURHGVa2+h9LeWLDTqUaGRG29jeMtHr39gtwRU=

The public part of the keypair is much, much shorter. It's also public, so you can feel safe exposing this information if you need to. The private key should **never** be shared, however. If it's compromised, it has to be replaced on all systems it's installed on.

Let's generate a keypair for ourselves: ssh-keygen

> ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\Michael Crilly/.ssh/id_rsa):

So the command is asking me where I want to save the file to, and it's defaulting to C:\Users\Michael Crilly/.ssh/id_rsa. The keyname id_rsa is the default name. I'm going to provide the command with a new path, for demonstration purposes:

> ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\Michael Crilly/.ssh/id_rsa): C:\Users\Michael Crilly\newkey
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\Michael Crilly\newkey.
Your public key has been saved in C:\Users\Michael Crilly\newkey.pub.
The key fingerprint is:
SHA256:gos0pHzJID++SlBsy8gtkOiQLAb8ogslYraO5LCzyko michael crilly@DESKTOP-P1PJIGU
The key's randomart image is:
+---[RSA 3072]----+
|o                |
|+=               |
|O+*              |
|%%=o..           |
|OBX=. . S        |
|==o+ . .         |
|BEo .            |
|Oo .             |
|B=.              |
+----[SHA256]-----+

I was also prompted to provide a password (ssh-keygen calls it a passphrase). I highly recommend you password-protect your SSH keys. In the event the private key is compromised or accidentally copied/shared, the password will give you time (probably a lot) to discard the keypair, generate a new one, and install it on the servers you have access to, after, of course, deleting the now compromised keypair.

I gave the prompt my terrible (but OK for demonstration purposes) password of badpassword. In return for my effort, I got the following back:

Your identification has been saved in C:\Users\Michael Crilly\newkey.
Your public key has been saved in C:\Users\Michael Crilly\newkey.pub.
The key fingerprint is:
SHA256:gos0pHzJID++SlBsy8gtkOiQLAb8ogslYraO5LCzyko michael crilly@DESKTOP-P1PJIGU

So I have two new files: newkey and newkey.pub. We've already seen what these look like, so I won't share them.

The "art" you can see at the bottom of the output, above, is just a bit of fun and doesn't need to be saved, scanned or given much attention.
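
The passphrase recommendation above can be checked on a key file you already have. The following is an added example, not part of the original course material: it reads the cleartext header of an OpenSSH-format private key and reports whether a cipher protects it. The function name key_protection and the sample file are assumptions made here, and it expects a POSIX shell with base64 and od available.

```shell
#!/bin/sh
# Added example: report whether an OpenSSH-format private key file is
# passphrase-protected by reading its cleartext header; nothing is decrypted.
# Header layout: "openssh-key-v1\0", a 4-byte big-endian length, then the
# cipher name. The cipher name "none" means no passphrase protects the key.

key_protection() {
    keyfile=$1
    grep -q -e '-----BEGIN OPENSSH PRIVATE KEY-----' "$keyfile" 2>/dev/null \
        || { echo unknown; return 0; }

    # Drop the armor lines, decode the first 88 base64 characters (66 bytes)
    # and keep them as one hex string, which sh can slice safely.
    hex=$(grep -v -e '-----' "$keyfile" | tr -d ' \r\n' | cut -c1-88 \
          | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n')

    # Bytes 1-15: the magic string and its trailing NUL.
    [ "$(printf %s "$hex" | cut -c1-30)" = 6f70656e7373682d6b65792d763100 ] \
        || { echo unknown; return 0; }

    # Bytes 16-19: length of the cipher name.
    lenhex=$(printf %s "$hex" | cut -c31-38)
    [ "${#lenhex}" -eq 8 ] || { echo unknown; return 0; }
    len=$((0x$lenhex))
    { [ "$len" -ge 1 ] && [ "$len" -le 40 ]; } || { echo unknown; return 0; }

    # Bytes 20 onwards: the cipher name; 6e6f6e65 is "none" in hex.
    cipher=$(printf %s "$hex" | cut -c39-$((38 + 2 * len)))
    [ "${#cipher}" -eq $((2 * len)) ] || { echo unknown; return 0; }
    if [ "$cipher" = 6e6f6e65 ]; then echo unencrypted; else echo encrypted; fi
}

# Constructed sample: only the first 52 base64 characters of a key header,
# matching the opening of the example key shown earlier. Not a usable key.
sample=$(mktemp)
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
    'b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAAB' \
    '-----END OPENSSH PRIVATE KEY-----' > "$sample"
echo "sample header: $(key_protection "$sample")"
rm -f "$sample"
```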

Installing the key

We now have a "remote" Ubuntu Server VM we can access via SSH. We have a username and password we can access the server with. Now we have a new SSH keypair. How do we use it to authenticate with the remote server? We install it into our user's account.

Normally we could use the ssh-copy-id command, but it's not available on Windows 10/11 by default. In light of this, I want to show you how to do this manually so that you become familiar with a few key files.

First, SSH into your Ubuntu VM using your password: ssh ubuntu@127.0.0.1 -p 2222.

Second, in another PowerShell window/prompt, get your local SSH public key:

> cat ~/newkey.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCtFEgeCNGUhuJ6VZkToQ5yIqU7tBsI/Qv6wZ4tGCVWTm05Ardhf9IxSiRc2+i3LyiqhqPPLQqdteuzRuhp26czx/Ud1hmhKBWCbTj/0Y0q1Lj9YFCD7bU0MgKsK9SsFhCW3E1ZOSeu4gB3IW1j/NRJ9y4zkMSfvfo5Ev6bKiGMf5rpRIHmHc5KIvRvSyxqHU8Cgio8mYJU977VdWWeB4WArWf4RqUk66n/9zw7L5+FkHP6rqR/c4HdXYA9BPSoV0+yUJ5bq1OF3obfgwsb/dn67GnPW5x4bGW92n9MH0heA+lNZHBCwPXQi4PIvOxRuebqpz3+Bzcs6/rWfWhcsFm02YKgcsmDXsjpQe9Jj/T/Vjeoe1izHF8piivaYtcpRA/yPncdr0Mx51XkDN65ozneCFzimALIpzzJ0Ix0tPPpsLED+Q4SZjN8+Bl7LPm4TiSEKQUxo6hXf3lh2jtmQVcNWXpj+ZIGnrCVBfpzSaF/sluhd2EuOUhEZHeVvwiFgOU= michael crilly@DESKTOP-P1PJIGU

Note

Depending on where you installed your SSH key, you will need to change ~/newkey.pub to your key's public key location. If you never changed the default, then your key will very likely be ~/.ssh/id_rsa.pub.

Third, I want you to copy everything below, but you'll need to replace the public key with your own, from the above work you did. I recommend copying the below into notepad, or some other very basic editor (don't use WordPad or Microsoft Word!), and then editing it, and copying the changes.

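# Create ~/.ssh if it is missing (-p: no error if it already exists)
mkdir -p ~/.ssh
chmod 700 ~/.ssh
# Append your public key (it must stay on one single line)
cat >> ~/.ssh/authorized_keys <<EOF
ssh-rsa <YOUR-PUBLIC-KEY> michael crilly@DESKTOP-P1PJIGU
EOF
chmod 600 ~/.ssh/authorized_keys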

For the fourth step, using the SSH session on your Ubuntu VM, paste the results from your editor after changing the key to your own. I have these results:

And when I press Enter I get the following:

superman@develop:~$ cat >> ~/.ssh/authorized_keys <<EOF
> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCtFEgeCNGUhuJ6VZkToQ5yIqU7tBsI/Qv6wZ4tGCVWTm05Ardhf9IxSiRc2+i3LyiqhqPPLQqdteuzRuhp26czx/Ud1hmhKBWCbTj/0Y0q1Lj9YFCD7bU0MgKsK9SsFhCW3E1ZOSeu4gB3IW1j/NRJ9y4zkMSfvfo5Ev6bKiGMf5rpRIHmHc5KIvRvSyxqHU8Cgio8mYJU977VdWWeB4WArWf4RqUk66n/9zw7L5+FkHP6rqR/c4HdXYA9BPSoV0+yUJ5bq1OF3obfgwsb/dn67GnPW5x4bGW92n9MH0heA+lNZHBCwPXQi4PIvOxRuebqpz3+Bzcs6/rWfWhcsFm02YKgcsmDXsjpQe9Jj/T/Vjeoe1izHF8piivaYtcpRA/yPncdr0Mx51XkDN65ozneCFzimALIpzzJ0Ix0tPPpsLED+Q4SZjN8+Bl7LPm4TiSEKQUxo6hXf3lh2jtmQVcNWXpj+ZIGnrCVBfpzSaF/sluhd2EuOUhEZHeVvwiFgOU= michael crilly@DESKTOP-P1PJIGU
> EOF
superman@develop:~$

And if I look inside the ~/.ssh/authorized_keys I get:

superman@develop:~$ cat ~/.ssh/authorized_keys

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCtFEgeCNGUhuJ6VZkToQ5yIqU7tBsI/Qv6wZ4tGCVWTm05Ardhf9IxSiRc2+i3LyiqhqPPLQqdteuzRuhp26czx/Ud1hmhKBWCbTj/0Y0q1Lj9YFCD7bU0MgKsK9SsFhCW3E1ZOSeu4gB3IW1j/NRJ9y4zkMSfvfo5Ev6bKiGMf5rpRIHmHc5KIvRvSyxqHU8Cgio8mYJU977VdWWeB4WArWf4RqUk66n/9zw7L5+FkHP6rqR/c4HdXYA9BPSoV0+yUJ5bq1OF3obfgwsb/dn67GnPW5x4bGW92n9MH0heA+lNZHBCwPXQi4PIvOxRuebqpz3+Bzcs6/rWfWhcsFm02YKgcsmDXsjpQe9Jj/T/Vjeoe1izHF8piivaYtcpRA/yPncdr0Mx51XkDN65ozneCFzimALIpzzJ0Ix0tPPpsLED+Q4SZjN8+Bl7LPm4TiSEKQUxo6hXf3lh2jtmQVcNWXpj+ZIGnrCVBfpzSaF/sluhd2EuOUhEZHeVvwiFgOU= michael crilly@DESKTOP-P1PJIGU

Now log out of your SSH session by simply typing exit and then repeat your ssh command from earlier. You will be automatically logged into your system without having to type in the password of your user. You should be asked for your SSH key's password, however. You can use ssh-add on your Windows host to add the key to SSH Agent, allowing you to log in and out freely, without the password.
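
The manual installation steps above, as an added example that is not part of the original course: a shell function for the server side that refuses private keys and line-wrapped pastes, checks that the key data matches its declared type, sets the permissions, and appends the key only once. The name install_pubkey, its return codes and the constructed sample key are assumptions made for this example.

```shell
#!/bin/sh
# Added example: install one public key line into authorized_keys with the
# checks a manual paste skips. Run on the server as the account's owner.

# install_pubkey "KEY LINE" [SSH_DIR]   (SSH_DIR defaults to ~/.ssh)
install_pubkey() {
    key=$1
    dir=${2:-$HOME/.ssh}
    file=$dir/authorized_keys

    # A private key never belongs on the server.
    case $key in *"PRIVATE KEY"*) echo "refusing: private key" >&2; return 2;; esac

    # An editor that wrapped the key leaves several lines; sshd needs one.
    [ "$(printf '%s\n' "$key" | wc -l)" -eq 1 ] \
        || { echo "refusing: key spans several lines" >&2; return 3; }

    # Field 1 is the key type, field 2 the base64 blob, the rest a comment.
    ktype=${key%% *}; rest=${key#* }; blob=${rest%% *}
    case $ktype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "refusing: unsupported key type" >&2; return 4;;
    esac

    # The blob must be valid base64 and, after a 4-byte length, repeat the
    # type name. This catches truncated or mixed-up pastes, not every error.
    printf %s "$blob" | base64 -d >/dev/null 2>&1 \
        || { echo "refusing: key data is not valid base64" >&2; return 5; }
    inner=$(printf %s "$blob" | base64 -d | tail -c +5 \
            | head -c "${#ktype}" | tr -d '\000')
    [ "$inner" = "$ktype" ] || { echo "refusing: data does not match type" >&2; return 5; }

    # sshd's StrictModes rejects key files that other users could modify.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$file" && chmod 600 "$file" || return 1

    # Append only when this type and blob are not already listed.
    if grep -qF -e "$ktype $blob" "$file"; then
        echo "already installed"
    else
        printf '%s\n' "$key" >> "$file" && echo installed
    fi
}

# Demo in a scratch directory with a constructed, unusable key line.
scratch=$(mktemp -d)
demo_key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB constructed@example'
install_pubkey "$demo_key" "$scratch/.ssh"   # first run appends the line
install_pubkey "$demo_key" "$scratch/.ssh"   # second run changes nothing
rm -rf "$scratch"
```

A key saved outside the default location, such as newkey above, is only offered by ssh when it is named with -i or loaded into the agent with ssh-add.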

If you've had any issues with the above, reach out to us on the Discord community.