OpenSSH Full Guide - Everything you need to get started!

Hello and welcome back to Learn Linux TV. In today's video I am going to show you guys all about OpenSSH. SSH is awesome: we can use it to manage Linux servers from wherever we might be, maybe our home office, our company office, a coffee shop, maybe even our bedroom (I don't judge). That's awesome because it allows us, as Linux administrators, to connect to the servers that we need to manage anytime, anywhere, and that's an amazing benefit to have. In today's video I'm going to show you all kinds of things about OpenSSH: for example, how to use it, how to use SSH keys, the SSH agent, things like that. It's going to be awesome, but before we get into it I have a few notes about my channel and then we'll get started.

Thank you for checking out Learn Linux TV, your source for Linux-related fun and learning. I just love making this content for you guys, but producing it isn't cheap. If you enjoy my content, please consider supporting my channel, and you can do so by visiting support.learnlinux.tv, where you can check out the official shop, become a patron and find other ways to help. Among the perks for becoming a patron, you'll get access to select videos before the rest of the world. But even if you're not able to donate right now, no problem: you can support this channel simply by sharing this video with your colleagues, or even simply clicking the like button, which lets YouTube know that you want to see more awesome Linux content just like this. And if you're looking for something to read, well, I write books, and you can check out my books at learnlinux.tv/books. If you want to suggest a topic for a future video, send your ideas to suggest@learnlinux.tv, or if you notice that something is broken or not working right, you can let me know by sending an email to fsck@learnlinux.tv.

Finally, I'd like to mention the sponsor for today's video. Linode has been doing cloud computing since 2003, which is actually before Amazon Web Services was even a thing. On Linode's platform you can get your server up and running in minutes, and they include all of the popular distributions such as CentOS, Debian, Ubuntu, Fedora and, get this, also Arch Linux. And let's be honest, what could be better than a Linux cloud server provider that allows you to tell all of your friends "I run Arch"? Linode has multiple server plans available to make any app scalable and flexible. You can use it to host a blog, set up a VPN server, a Minecraft server, or you could do what I did and set up a website for your YouTube channel, because the official website for Learn Linux TV runs on Linode. Linode offers 24x7 support regardless of plan size, so you can get live help from a real person when you need it. New users can get started right now with $100 in credit towards a new account, and I highly recommend you check them out because Linode is awesome. With that out of the way, let's get right into today's video.

So, OpenSSH: one of my favorite utilities, and I'm very eager to teach you all about it. But before I do that, I want to give you guys an overview, just some general information about OpenSSH and the basics. Now, if you're eager to get started you can move on to the next section, but I do think there are some important things that you should know, and that's what this section is for.

So first and foremost, what is OpenSSH? OpenSSH is basically a remote management tool. It's a tool that you can use to connect to a remote server and bring up a shell prompt on that server to run commands as if you were actually standing right in front of it, issuing commands right from the keyboard, but you can actually issue those commands right from the comfort of your own home, home office, business cubicle or wherever you may be. And if you didn't already know, you might be surprised to find out that OpenSSH was developed by the OpenBSD project. The reason I think some of you might be surprised by that is because OpenSSH is something that you'll find in just about every Linux distribution, so you'd be forgiven if you thought it was a Linux technology. It's actually an OpenBSD technology, but it's so useful that you'll find it in just about every Linux distribution nowadays, because, you know, why develop your own if someone else has developed something that's awesome and works quite well? And OpenSSH works quite well; it's basically the closest thing to a standard that we Linux people have when it comes to remote access tools. Like I've mentioned, most distributions of Linux include OpenSSH, if not all of them, so it's definitely something that I recommend you learn. And there's a full suite of utilities: OpenSSH isn't just one binary, there are actually multiple binaries, the most important of which are the server and client components. We'll talk more about those two components, but it's important to keep in mind that we primarily have a server and a client component. There are other components, but those are the two to keep in mind as we go through this tutorial.

Let's look at a hypothetical scenario here. Now, I am not very good when it comes to drawing diagrams, as you can see, but I wanted to show you guys a very common scenario that we would use OpenSSH for. On the left-hand side, basically everything right here can be your home office, maybe your business: you have a laptop and you have an internet connection, so I have a cable modem right here, and that's how you are connected to the internet, most likely. So let's assume that we are in Michigan, like I am, and here on the right we have a business that wants our help with configuring a server. They have the server right here, they want to get this racked, but before they rack it they want us to configure it. What we could do is actually drive to Florida. It'd be a fun road trip, we could pack some snacks, it'll be awesome. Then we could actually attach a keyboard and a monitor and, being there in person, we can configure the server, and then when we're done we'll get it racked. But that's not very convenient, is it? A company would have to actually pay the travel expenses to get you there, and that's all well and good, but we have the internet and we can configure this remotely.

So what we can actually do is use OpenSSH, and the reason why I'm showing the cable modems and the switch right here is because it's important to understand, while you're using OpenSSH, that there are going to be several hops in between point A, where you are, and point B, the destination. For example, if you want to use SSH to configure this server right here, we're going to need someone that is locally available there to plug it in and get it connected to the switch. Assuming that it's connected and powered on, what we can do is trigger an OpenSSH connection from the laptop, which means we're going to go through the cable modem in your local area network, which is connected to the internet, and then the business is going to have their own internet device, could be a cable modem, it doesn't really matter, and it's connected to a switch, and the switch is connected to the server. What this means is we need to actually get through our modem to the internet, through their modem, through their switch, and then the destination is their server. OpenSSH by default uses port 22. Assuming that 22 is not blocked, and it's often not, we can go through the internet, and then we have the IP address of the server, and it's behind a firewall right here. We're not going to talk about NAT or port forwarding or anything like that in this video; we're going to assume that the route is straight through to the server. But if 22 is not allowed from your local IP address here, well, you're not even going to make it past the modem, and if you do and 22 is not allowed through the switch, well, that stops you right there. Then the server also has to have the OpenSSH server component installed and it has to be listening for connections on 22, and as long as it is, then you can actually get all the way to the server.

Now, a full walkthrough of networking and everything is beyond the scope of this video, but the reason why I bring this up is because whenever you are working with OpenSSH and you have problems, you have to frame your thinking by asking how far you are getting toward the destination, and that might help you understand why it's failing, because when OpenSSH fails it's not always very obvious why. OpenSSH is a very simple utility, but troubleshooting it is another story, and we will get into troubleshooting later on in the video. In the next section what I'm going to do is walk you through an SSH connection: I'm going to show you how to connect and how the connection actually works, and then in later sections we're going to get into OpenSSH keys and finally troubleshooting. So let's go ahead and continue on into the next section.

In this section I'm going to walk you through connecting to a remote server via SSH (and yes, it's OpenSSH, but I say OpenSSH and SSH interchangeably, so keep that in mind). Basically, here I have my local laptop, and this laptop is running Ubuntu, but it really doesn't matter what distribution you're running locally, and you don't even have to be running Linux locally either. You can be running macOS; macOS actually has the SSH client built in. And then on Windows there's actually the Windows Subsystem for Linux, which allows you to install Ubuntu or other distributions and will also get you a local Linux shell on your Windows machine. Now, regardless of whether you are running Linux locally, macOS locally, or you're on Windows with the Windows Subsystem for Linux, in all of those scenarios you should have the SSH client already installed. Every Linux distribution that I've ever run on a local computer has always had the SSH client installed locally, and that makes sense, because that gives you the ability to connect to a remote server. But having the SSH client doesn't give
permission to people outside of your network to connect to your machine, because the SSH client allows you to connect to other servers but doesn't let anyone connect to you. The easiest way to see if you have the SSH client installed is to just type `which ssh`. The output that I get, as you see, is /usr/bin/ssh. The which command just tells you where the binary you're searching for is located, so I searched for ssh and it's located at /usr/bin/ssh. If I didn't have the SSH client installed, I would get no output here. The SSH client itself is provided by a package that is often installed by default, and the package that you need to install, at least in terms of Ubuntu, Debian and similar distributions, is simply called openssh-client. So for example I could type `apt search openssh-client`, just like that, and we can see the package right here. This is the package that provides us with the ssh binary that allows us to connect to other servers that are running SSH. As you can see it's installed; I didn't install it, it was installed by default. So we already know that we have everything we need locally in order to connect to a remote server that is running the SSH server component.

Now, on my end on Linode I've actually set up an instance that we are going to use as an example of a remote server. You don't actually have to be using Linode; it's just very easy for me to set up a server on Linode because, well, I have the account, why not use it? On your end it doesn't really matter: it doesn't have to be Linode, it could be a VirtualBox VM on your local network, you could have a remote server in AWS, Google Cloud, wherever your server happens to be. We just need the IP address, and I have that right here. So let's get connected. Since we have the SSH client installed locally, I can just type ssh and then the username of the user on the remote server that I want to connect as. In the case of Linode it's root by default; it might be something else, it could be a username that you've already set up, maybe a username that you were provided by a network administrator, it doesn't really matter. In my case it's root. Then you type the @ symbol and then paste in the IP address, as I'm doing here. Now, as long as the remote server is running the OpenSSH server component and the server allows incoming traffic via port 22, I should at least be able to get a password prompt. So I'll press Enter, and this prompt right here comes up any time you are connecting to a server for the very first time. I've never connected to this server before, so it's just asking me, are you sure you want to connect? It's giving me a fingerprint, and each server is going to have its own host key that represents the server in the connection. When it comes to the cryptography, that's a bit beyond the scope of this video; we're just going to say yes, and it says "permanently added" and then it adds the IP address to the list of known hosts. I'll go over that in a moment, but what I'll need to do is type in the password, and now I'm actually connected to the remote server that I set up, and I can actually run commands on that server, which, well, is the whole point of SSH.

So we were able to successfully connect, but what I'm going to do is press Ctrl-D to disconnect, and now I'm back on my local laptop, because we need to understand what exactly happened here. Now, if I use ls against my home directory (I'm actually in my home directory, so I didn't need to type the path, but you get the idea) with the option -a to show all files, we're going to see a lot of hidden files. Hidden files begin with a period, as you might already know, but we have this .ssh directory right here. So let's go inside that directory, and we have these three files right here. Now, I'm going to get into SSH key management later in this video in a different section, so we're going to ignore these two files for now, but we're going to take a look at this file right here, known_hosts. So if I was to go ahead and cat the contents of that, we can actually see quite a bit of information here. Now, I've been using this laptop to connect to a lot of different servers, so every time I connect to a server it's going to ask me the first time, are you sure you want to connect? It's going to show me the fingerprint, and if I say yes it's going to save the fingerprint in this file, so that it's not going to ask me again the next time I go to connect. So for example, if I recall the ssh command and I go ahead and connect again, notice how it's immediately asking me for a password. It didn't ask me, are you sure you want to connect? It didn't bring up the prompt about the fingerprint, because it stored that fingerprint in the known_hosts file so that it doesn't have to ask me again and again and again.

So I'm going to disconnect, and again we have the known_hosts file right here. Now what I'm going to do is remove it, which I've done, and now when I connect to the SSH server again it's going to ask me, are you sure you want to connect? Which it's doing right now, because by removing the known_hosts file I've removed every known server that I've connected to via SSH. It's as if I've never connected to any servers via SSH on this laptop, which is going to be the case if you're just starting out. So I'm going to say yes, type in the password, and I'm connected. Now if I disconnect and take a look at the known_hosts file again, first of all we can see that the known_hosts file was created today. It takes me a while to edit my videos, so December 3rd might seem like a while ago by the time I get this edited, but we can see that the file was created today, and just to confirm, it is December 3rd. So if I cat the contents of that file, we can see that we actually have the fingerprint right there for the server that I connected to. That's how your local SSH client keeps track of which servers it has or has not connected to, because again, each time you connect to a server for the very first time it's going to bring up that prompt, are you sure you want to connect? It's going to show the fingerprint, and if you say yes and you connect, it's going to store that fingerprint right here in the known_hosts file, which is in your .ssh directory.

You might be wondering why this is important. What this helps you do is avoid a man-in-the-middle attack. For example, I'm connecting to a server with this IP address right here, so what if someone created a malicious server from scratch, set up a new Ubuntu server, and was able to apply this IP address to their server rather than the server that I actually want to connect to? If that's the case, the client is actually going to see that the fingerprint has changed, and when that happens it's going to give you a warning: the fingerprint has changed for this IP address, are you sure you want to connect? That's going to help you avoid a situation where you are not connecting to the server that you think you're connecting to.

Now what I'm going to do is activate tmux. I have a whole tutorial series on tmux, so don't worry too much about what tmux actually is; I'm just going to use it to show you guys what happens when you connect to a server via SSH, so that you get a full visual on what goes on behind the scenes. What tmux allows me to do is split the screen so I can have a few terminals going at the same time. So I'm going to split the screen, which I've done, so now I have two terminals. What I'm going to do on the bottom terminal is connect to the server via SSH, and I'm connected. Now, since I'm logged in as root, I have full access to the log files, so what I'm going to do is cd into /var/log, and you can see I have a bunch of log files here. What I'm going to do is follow the auth.log file, and I can do that with the tail command: `tail -f auth.log`, just like that. You need root access to get to this log file, but I'm going to press Enter, and the text size is a little big, so we'll try to ignore that. Since I'm following the authorization log on the server in the second half of the screen, it's going to automatically update as soon as I try to connect. So back up here on my local laptop, I'm going to try to initiate a connection to the server from here as well, so again I'll paste in the IP address and type in the password. Now notice that when I connected to the server from the top half of this terminal window, the log file automatically updated here, and it's telling me that it accepted the password for root, it's giving me the local IP address, and it's telling me that this session was opened.

Now, why is this important? As a Linux administrator, it's going to happen again and again and again that you'll have a user come to you and say, I can't connect to the server via SSH, can you please help? Now, it'd be nice if they gave you an error message, but the problem is there's not always going to be an error message, because the more information that a person has when they try to connect to a server via SSH and it fails, the more they can use that to their advantage if they're a hacker. We don't want them to have full details on exactly why they can't connect. But you, as the administrator, can actually tail the authorization log on that server while they try to connect, and if they weren't able to do so, you would actually see the problem here in the bottom half: oh, there's something wrong with your key, or you're typing in the password wrong, whatever it is, you'll know, because you'll see the output in the log file as they try to connect. Anyway, we'll get more into troubleshooting later in the video, but for now I wanted to show you in real time what actually happens: you saw me connect to a server, and at the same time you saw the authorization log update to show that the connection was attempted and that it was successful. And we also now know how to connect to a server via SSH.
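The log lines an administrator reads while tailing auth.log can also be summarized instead of watched scroll by. The script below is an added example, not part of the video: it takes constructed sshd lines in the Debian/Ubuntu auth.log format (host name `lltv`, user `jay`, the PIDs and the IP addresses are all made up) and reports, per source address, which logins were accepted, which were refused, and which addresses are repeatedly failing.

```shell
#!/bin/sh
# Added example (not from the Learn Linux TV video): summarize sshd entries
# from auth.log, the same lines you would see with "tail -f /var/log/auth.log".
# All log lines below are constructed samples; names, PIDs and IPs are made up.

SAMPLE_AUTH_LOG='Dec  3 10:15:01 lltv sshd[1234]: Accepted password for root from 203.0.113.10 port 51234 ssh2
Dec  3 10:15:01 lltv sshd[1234]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec  3 10:16:40 lltv sshd[1301]: Failed password for root from 198.51.100.7 port 40022 ssh2
Dec  3 10:16:44 lltv sshd[1301]: Failed password for root from 198.51.100.7 port 40022 ssh2
Dec  3 10:16:50 lltv sshd[1301]: Failed password for invalid user admin from 198.51.100.7 port 40023 ssh2
Dec  3 10:17:00 lltv sshd[1350]: Accepted publickey for jay from 192.168.1.20 port 55000 ssh2: ED25519 SHA256:constructedfingerprint'

# Read log text on stdin and print one line per result/method/user/source IP
# with a count, e.g. "Failed password root 198.51.100.7 2".
# Field layout of an sshd line: $5 = "sshd[pid]:", $6 = Accepted|Failed,
# $7 = password|publickey, then "for USER from IP" or
# "for invalid user USER from IP".
auth_summary() {
  awk '
    $5 ~ /^sshd\[/ && ($6 == "Accepted" || $6 == "Failed") {
      result = $6; method = $7
      if ($9 == "invalid") { user = $11; ip = $13 } else { user = $9; ip = $11 }
      key = result " " method " " user " " ip
      count[key]++
    }
    END { for (k in count) print k, count[k] }
  ' | sort
}

# Read log text on stdin and print source IPs with at least N failed
# attempts (default 2), one "IP count" per line.
failed_sources() {
  threshold="${1:-2}"
  awk -v t="$threshold" '
    $5 ~ /^sshd\[/ && $6 == "Failed" {
      ip = ($9 == "invalid") ? $13 : $11
      fails[ip]++
    }
    END { for (ip in fails) if (fails[ip] >= t) print ip, fails[ip] }
  ' | sort
}

# Stand-alone run over the constructed sample.
echo "== login summary =="
printf '%s\n' "$SAMPLE_AUTH_LOG" | auth_summary
echo "== sources with 2+ failures =="
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_sources 2
```

On a real server you would feed it the actual file, for example `auth_summary < /var/log/auth.log`, which needs the same root access the video mentions for tailing the log. The pam_unix session line is deliberately ignored: only the Accepted/Failed lines carry the method, user and source address.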
It's just a matter of typing ssh, the username, the @ symbol and then the IP address, which we've done. In the next section what I'm going to do is go over the config file for the SSH client and how you can use it to simplify your connection requests, so I'll see you over there in the next section.

In this section I'll show you how to create a config file that you can use with the SSH client to greatly simplify the connections you make in the future. One of the main reasons why you might want to do this is because remembering an IP address like this is actually kind of hard to do. Now, to be fair, in a perfect world we would have had DNS set up for this IP address, so we wouldn't even have to remember it, but it doesn't really matter if you are using DNS or not; the whole idea is that we want to simplify this quite a bit. So here's what we're going to do. Inside the .ssh directory that's inside my home directory we currently have these files right here, but there's another file that we can create that's not created by default, named simply config. So if I use the touch command, for example, to create a file called config, now it exists, as you can see here, but it's completely useless because it's empty. Let's go ahead and change that: let's open it up in an editor and we'll get working on the file.

To better understand what this config file is for and how it helps us, I'm going to type out some configuration right here and then I'll explain what it does. First of all, we'll have a Host line, and we can name the host whatever we want; this is what we're going to be referring to the host as, and it really doesn't matter what we name it. I'll just call mine myserver, that's simple enough. Then I'll go down a line and indent a few spaces, then I'll give it the HostName, and the HostName is going to be the IP address of the server that I want to connect to, the one I've been connecting to, which I'll paste right here, and there's the IP address. Then I'll do Port 22, which is the default anyway, and then User will be root.

So let's walk through this a bit. This config file is inside the .ssh directory, and if the SSH client sees that this file exists, it's going to load the file into memory, and when it does it's going to have an entry for myserver. I could have called this potato, pizza, doesn't matter, you can name it whatever you want, it doesn't have to match anything, it's completely up to you. Then here we have HostName, which is set to the IP address of the server that we want this name to refer to. Now, Port 22 is the default, so I didn't have to include this, but the reason why I did is because you might have a server on the remote end that's not using port 22. Sometimes the administrator will actually change the port to something else, and if they do, you can change the port right here; maybe it's 2222. I'll show you later in the video how to change the port, so we're not going to worry about that too much right now. And then the username: in my case the user is root, since it's a Linode instance. Linode's platform actually uses root for the username on their Ubuntu image, which is why I'm using the username root, but if you've created a different user on that server you can change it here as well.

So let's save the file, and I'll close out. Now what I can do, instead of this, which is a command that's going to be a bit hard to remember, is simplify that down to `ssh myserver`, just like that. That's all I need to type. I'll press Enter, it's asking for the password, and now I'm connected. So that was a lot easier, I think. Now, just to give you an example, I can go ahead and change this to something else; I'll simplify that down to lltv, which means I can now do `ssh lltv`, and I'm connecting to that same server, as you can see here, and now I'm connected to the server on Linode's platform. I can execute whatever commands I want, do whatever administration I want to do, and then I can exit by holding Ctrl and pressing D, and now I'm back on my local laptop.

Back in the config file, I can actually include multiple servers here, and that's where this really starts to help. So for example I can have Host, I'll just call it server2, I'll indent a few spaces and I'll type the IP address of another server that's actually on my local network. Port is also 22, but the User this time is actually me. So anyway, I can type `ssh server2`, and I'll say yes, because this is the first time that I've ever connected to that server from this laptop, at least since I've cleared out that known_hosts file. Notice that it actually logged me in immediately and didn't ask me for a password. This right here is an actual server that I use on pretty much a daily basis; I have an SSH key set up that allows me to connect immediately without even needing to enter a password. But the point is, now I have two servers in the SSH config file, and I don't need to remember the username, the port or the host name for either of these servers. I've simplified it quite a bit, and that's really the benefit of the SSH config file: it allows you to set up entries for all of the servers that you want to connect to, and you can come up with whatever naming scheme you want that makes it easier for you to remember which server is which. This allows you to get into the servers much more quickly, because you don't even have to remember the details for the server; you just type ssh and then the name that you gave it in this file, and you connect right to that server. It makes it a lot easier. Now, there are other things that you can include in the SSH config file; they're a bit out of scope, but I wanted to make sure that you guys know the basics, and well, now you do. Now you know how to create an SSH config file. In the next section what I'm going to do is show you how to create an SSH key that
is going to simplify this even further.

In this section of the video I'm going to go over SSH keys. SSH keys are a very important part of OpenSSH, because they give you even greater security and also additional convenience. Now, as a recap, here's the command that I've been using to manually connect via SSH to the server that I set up on Linode: I'm using the username, @, and then the IP address. Now, when I connect to it I have to type the password, and once I do, I'm connected to the server. OpenSSH is actually very secure, but if my password is lame and easy to guess, then honestly it's not going to be very hard for a hacker to break into the server. Even though using SSH is relatively secure, it would be a lot better if we weren't using passwords at all. SSH keys allow us to avoid having to type a password, because we can use the key to connect. Now, the downside is that if the key fails or we don't have the key, it'll still fall back to asking us for the password, which means a hacker can still try to guess the password and still get into the server. In a section later in this video I'm going to show you how to disable password authentication, and using SSH keys and then also disabling password authentication is actually the recommended security approach, because if you don't have password authentication enabled, then a hacker can't try to guess the password, because they'll never even have a chance to enter one, but you'll still be able to access the server because you have the key.

Now, this server: we don't actually have a key relationship with this server. It asked us for the password, and once I typed it in we're connected. Back on my local laptop, if I connect to my other server (in the previous section we created a config file so I didn't have to remember the IP address, and I was able to type `ssh server2`, which I'll do right now), it didn't even ask me for a password. Password authentication on this server is disabled: if you don't have the key, you can't get in, and because I did have the key on this laptop, it recognized that and it logged me right in, no problem. So when I go into the .ssh directory in my home directory and list the contents, we have these two files right here. So what I'm going to do right now is show you how to create an SSH key, how to add it to the remote server, and then I'm going to show you how to disable password authentication as well.

First of all, back in my home directory, there's another binary that we can use to create a key, and that binary is ssh-keygen. We can give it arguments, which we're not going to do right now; we're just going to use ssh-keygen by itself to generate a brand new key. So what I'm going to do is press Enter, and now it's asking me where to save the file. By default it's going to choose your home directory and then .ssh, and it's going to come up with the name id_rsa. RSA is the type of key that it is; there are several different types, and this is the default. If I press Enter here it's going to accept this default path and create the key at this file name inside this directory. Now, before we continue, we do want to make sure that we don't already have a key in that directory, because if we do, it's going to be overwritten, which could be very, very bad: if that key was our only way into a server and we overwrite it with a new key, we've potentially lost our ability to access that server again. I already know that I don't have a key with this name, so I'm going to proceed right here, so I'll press Enter. Now we can enter a passphrase if we want to, and I will do so in a moment, but right now I'm going to press Enter to bypass this.

A passphrase is very important. You might think that by entering a passphrase you're defeating the purpose of having a key, because when you have a key relationship with the server and you use SSH to get into that server, it's not going to ask you for your password, it's just going to use the key. Now, what a passphrase is is an added layer of security that makes it so that you need to know that passphrase to begin using that key, and that passphrase is something that you type locally, not on the server end, which means if someone steals that key and gets a hold of it, they're not going to be able to use it because they don't know the passphrase. If you don't have a passphrase on your key and someone gets a hold of that key, they can use it to do whatever they want, because they can get right into that server without any problems at all. So I always recommend that you use a passphrase. We're going to skip it for now, but I just wanted to make sure that you are aware of that. So I'll press Enter to bypass this, and it says enter the same passphrase again; well, I didn't enter one, so I'll just press Enter again. It's telling me here that it's created the SSH key in this path, and it also created this one as well, which I'll get into in a moment. It gives me the SSH key fingerprint and it gives us this random art image.

So now if I go into the .ssh directory, and I'll just do a long listing because it's a lot easier to see, we have this file here and we have this file here. Those two files did not exist before. If you remember, when it was prompting me where to save the key, it came up with this file name right here as the default, and again, if I already had a file with this name it would have been overwritten. But it also created this one right here, and the file names are the same except this one has a file name extension, and the extension is .pub, short for public. This is the public key. If you've ever heard anybody refer to the public key when it comes to SSH, this is the file they're talking about. Now what I'm going to do is show you the contents of that file, and here it is. This is the public key, like I mentioned, and it doesn't matter who sees this. Now, thousands of people are going to watch this video, so right now thousands of people have access to this information. They can actually copy this down; I mean, it's a video, it's actually quite time consuming to jot all of this down, but if somebody wanted to break into a server badly enough they could do that. But it doesn't matter, because this is the public key; anybody can see this, and if they don't have the private key then the public key is pretty much useless. What I could do is add the public key on the server end, and that will allow me to connect to the server with that key, but again, it doesn't matter if you guys see it, because there's a reason why it's called the public key. I could put this on a billboard right on an interstate where tens of thousands of cars are going to pass by; again, it doesn't matter.

But what I shouldn't ever do is actually show you the private key. The private key is the file with the same name as the public key but without the .pub extension. And now I have just shown everybody watching this video my private key, and as soon as a private key leaks out, which it just has, it can no longer be trusted. You'll want to remove it from all of your servers and delete it, because now you can't trust it: the private key has leaked out, everybody knows what it is, they can actually recreate the key with this information and then get into my server. Now, on my end it doesn't matter if I show you guys the private key, because I'm going to delete the private key and the public key and even the server that I'm connecting to, so none of this will even exist by the time you guys see it. I wanted to show you guys just so you can see, generally speaking, what a private and public key actually look like, which is going to be just a bunch of random gibberish, as you see here, but you get the idea.

So how do I actually set up the server so that I can use the key to authenticate and bypass the password? Well, here's what you do. I'm going to show you the long way, which I think is actually important so that you'll better understand the
easy way the hard way is to actually cut out the public key which i have right here i'm just going to copy all of this copy it to the clipboard and then i'll connect to the remote server which is this one right here it's going to ask me for the password which i've entered in and now we can go ahead and set up the server to accept connections via that key so i'll go into the ssh directory but it's telling me that there isn't one well that's fine we can go ahead and create it so my current working directory is slash root the home directory for root what i could do is make dur dot ssh and now we have a dot ssh directory that didn't exist before inside there it's currently empty so what i'm going to do is just use a text editor and i'm going to edit a file called authorized underscore keys i'll press enter and since the file doesn't exist i'm creating it right now so i will paste that public key right here and it's all on one line it's wrapped and it kind of looked like it was on multiple lines in the previous example when i catted out the contents of the file it's actually just in one line and you could have multiple public keys in this file each one is actually going to go on its own line but i'll save the file then close out and then i'll disconnect so now i'm back on my local computer so what i'm going to do is just recall the ssh command again and let's see if it's different i'll press enter and i was immediately connected with no password prompt at all whatsoever the reason why is because i was able to do so with the key i've added the key to the authorized keys file so again in the dot ssh directory i've created an authorized keys file as you see here inside there on its own line i added my public key when i used the ssh command to connect to the server it checked my private key against the public key on the remote end they're mathematically linked and if the link is correct and they are a successful match then it's going to allow me to connect and this is why 
you can actually have the public key leak out and it's not a problem because it's verified against the private key which stays with me it stays secret the public key is added to the remote server and when i connect to the remote server it's going to check that the public key is a match to my local private key and if they are it's going to allow me in so i'm going to connect to the remote server again but i'm going to add an option here v for verbose i want more information about this connection so i'll press enter now i'm connected but you just saw a bunch of text pass by the screen as you can see here i got a lot more information on what it's exactly trying to do when it connects to the remote server so as we know it's connecting to the remote ip right here via port 22 which we already knew and it's basically looking for identity files so it actually found my id rsa type 0 but it found the file it's not a negative number didn't find this it didn't find a key with this file name nor this one nor this one nor this one it did find this one because i did have a file with this file name already on my system that's a different key that i use for other purposes but that's not going to help us because i didn't add that public key to the remote end and it actually was able to use the key so let me scroll down a bit here and so we see that we have a match it's authenticating as root it's going through the key there's the key algorithm and so on we can actually see exactly what's happening when we make that connection and now what i'm going to do is actually remove the id underscore rsa now obviously if we have disabled password authentication already we don't want to remove the key but in my case it's just going to fail over to password authentication because i'm no longer going to have the keys that i set up here locally so now the keys are gone so what i'm going to do now is actually recreate the key and again that's just ssh hyphen keygen i'm going to accept the default 
path again and it wants me to type a passphrase so i'm going to do that and i'm going to do that again to confirm it and now we have a brand new key so now i'm going to cap the contents of the public key just like before i'm going to copy that and i'll connect to the remote server again i'll take off the dash v we don't need that now so now i've got to type the password in and i'm connected to the server so what i want to do actually is open up the file the authorized keys file and i'm going to delete the line that i've already added and i will paste in the brand new public key right here and i'll disconnect so i've added the new public key so let's see what happens when i try to connect now that i've added the new public key to the authorized keys file enter and now it's asking me for the passphrase to unlock the key now what i could do is check this box right here to always have the key unlocked anytime i'm logged in that's just going to unencrypt the key locally when it actually goes to connect but it still secures the key because if the key falls into the wrong hands they'll still need to enter the passphrase they won't have the passphrase they won't be able to use it so i'll type in the passphrase and press enter and as you can see here we are now connected now notice if i disconnect and then i go to connect again it's not going to ask me for the password why well you just saw me actually unlock the key that's in memory and i also check the box to always unlock the key when i go to use it and now i don't need to actually type that passphrase again which is pretty awesome because i get the benefit of a passphrase and i also still get the benefit of not having to enter any kind of password to connect to the remote server it still works just fine so i've mentioned earlier that copying the public key into the authorized keys file was the hard way so what's the easy way so what i've done off camera is i've actually cleared the authorized keys file so that way the 
key is not present on the target so to prove that i'll go ahead and log in it's prompting me for the password now i'm logged into that server so if i go into the ssh directory well i can't i've actually purged all of the ssh client configuration on the remote server let's go ahead and see the easy way of adding that key to the remote server and this process actually has its own dedicated command and that command is ssh hyphen copy hyphen id ssh copy id then we're going to do dash i that's the input file then we'll type the path to the public key that we want to copy to the remote server and as before root at and then i'll paste in the ip so what we're doing here is ssh hyphen copy hyphen id and this command is dedicated for the job of copying ssh keys to remote servers dash i for input file then we're typing the path to the public key that we want to actually add to the remote server and then like always we have the username at and then the ip address it's asking me for the password for the user on the remote end which i've entered and it tells me number of keys added one so now if i log into that server it logged me right in i have an ssh key set up that's why i did that and now i have an ssh directory which i've cleared previously so now you could tell that the ssh copy id command will create the dot ssh directory on the remote server if it's not already there and inside there i have the authorized keys file i didn't have to create it and if i cap the contents of that i have the same public key inside that file as i have on my local server so that command actually not only created the ssh directory on the remote server it also went ahead and created the authorized keys file as well and then populated that file with my public key it did all of that for me i didn't even have to copy and paste anything now in the next section what i'm going to show you guys how to do is actually configure the ssh server component and what we'll do in particular is actually disable 
password authentication so that we have to have the key and it won't actually fail over to password authentication which is going to make everything more secure so i'll see you in that section [Music] in this section we're going to talk a little bit more about ssh keys specifically how to manage them in my case you can actually see that i have a few key pairs i have this one right here which matches this public key and then i have this key which matches this public key so i have two now it's not very uncommon that you'll have a bunch of ssh keys in your ssh directory a very common example of that is perhaps your company provide services for other companies maybe linux server support and if that's you you might actually generate a key that is specific for that client or that client server to differentiate that key from all the others now you very well could just create one ssh key and give that one public key to every client that you support but the problem with that is if that key ever falls into the wrong hands then that person has access to every single one of your clients so by creating a key that is specific to a specific client then you are basically limiting the attack vector that a person might have if they get that key when it all comes down to it having a separate key per client is usually a good idea but you have to be careful because if you have a bunch of keys in your ssh directory and you don't actually tell ssh which key you want to use then it's going to try all of them which might result in you getting locked out of the server if it's trying too many keys so what do you do about this so what i'm going to do is walk you through a hypothetical scenario where i am going to be assisting with a client server and i want to generate a key specific to that client server and use that key to support their server so let's do it so what i'm going to do is generate an ssh key that is specific to that client in the previous section where we went over ssh keygen 
we accepted all of the defaults and we just entered ssh keygen by itself but let's go ahead and do it a little bit differently this time first of all i want to create a key with a different type an rsa key is the default at least it's the default as of the time i'm recording this video if you want to create a key with a different type then you could use the t option like i'm about to do here and then you tell it which type of key you actually want to create if it's not rsa and in my case i want to create a key of type ed25519 now without going into too much detail this type of key is actually more secure than the default rsa and not only is it more secure the public key is actually going to be noticeably shorter as well which in my opinion makes it easier to manage i mean if it has more security and it doesn't even contain as many characters so everything fits better on one line then why not use this type now in addition to that we can also add a comment to the key as well if you don't actually add this option that i'm about to add it'll automatically default the comment to be your username at your machine name so if you want to add a comment it's dash capital c and then in double quotes and i'm just going to type acme because that's who this key is actually going to be used for so i'm going to press enter and we can already see that it wants to create a key with a different file name by default if you recall when we ran ssh keygen earlier it defaulted to id underscore rsa but since we chose a different type like you can see right here it's going to name the key accordingly if we press enter and we accept the defaults here then this is exactly what it's going to create but what i want you to consider is naming the key in a way that actually makes logical sense giving it a name that matches its purpose so what i'm going to do is type out the home directory ssh so that part's all the same and then i'm going to name the key acme underscore id underscore ed25519 and 
for the name it really doesn't matter what you name the key i chose to name it acme and then id underscore ed25519 and i only chose to keep this part of the name because it just helps me understand what type of key it is but i didn't have to do that this name doesn't have to actually match anything it's just the format that i go with because i know who the client is and i also know what type of key it is so i'll press enter and now it's asking me if i want to create a passphrase which again is optional but i highly recommend it and especially if you are working with a client you definitely want to create a passphrase for the key because you definitely don't want to risk a lawsuit if that key was to actually fall into the wrong hands and it's not encrypted and that person was to use it to be able to take over that company's entire server that would not be a fun day so i'm going to add a passphrase and the key has now been generated now let's go ahead and compare the new key with the old one so what i'll do is i'll show the contents of the public key for the original key that we've generated which is this one right here and this key is very long it's a perfectly valid key it's fine but like i've mentioned the new key is more secure and shorter we'll see that in a moment but another thing here is we see the comment we see that right here now this actually has no bearing on anything whatsoever i could actually delete this comment from this key and nothing would change it would still be a valid key all this is is simply a comment earlier when i generated the new key i used the dash capital c option to give it a different comment which we'll see in a moment but if you don't actually include the dash capital c option it's going to default to your username at the name of your computer so if i look at this key all i really know is the machine name that it was generated on and the user that generated it but i don't actually know its purpose i don't know what this key is for 
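As an added example in shell (not code from the video), the following puts together what the manual authorized_keys edit from the previous section does, with the file modes sshd expects, and shows how the comment field discussed here is the only readable part of a line once the key is in that file. The function names are my own, and the ssh-ed25519 and ssh-rsa lines are constructed, not real keys.

```shell
#!/bin/sh
# Added example, not from the video. Shows the manual authorized_keys edit done
# carefully (permissions, no duplicate lines) and a listing of type + comment
# per key line. Function names are illustrative; the keys below are constructed.

# install_authorized_key HOME_DIR PUBKEY_LINE
# Creates HOME_DIR/.ssh and authorized_keys if missing, sets the 0700/0600
# modes sshd requires with StrictModes (its default), and appends the key only
# when that exact line is not already present, so re-running it is harmless.
install_authorized_key() {
    sshdir="$1/.ssh"
    authkeys="$sshdir/authorized_keys"
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authkeys"
    chmod 600 "$authkeys"
    # -x matches the whole line, -F treats it as a fixed string: base64
    # contains '+' and '/' that would otherwise be read as regex characters.
    if ! grep -qxF "$2" "$authkeys"; then
        printf '%s\n' "$2" >> "$authkeys"
    fi
}

# list_authorized_keys FILE
# Prints "keytype comment" for each key line. The comment is the only human
# readable part, which is why "acme" beats "user@laptop" once the original
# key pair's file name is no longer visible.
list_authorized_keys() {
    file="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        # Plain "type base64 [comment]" lines only; option prefixes such as
        # from="..." are not handled here.
        set -- $line
        if [ $# -lt 2 ]; then
            printf 'malformed: %s\n' "$line"
            continue
        fi
        keytype="$1"
        shift 2
        if [ $# -gt 0 ]; then
            printf '%s %s\n' "$keytype" "$*"
        else
            printf '%s (no comment)\n' "$keytype"
        fi
    done < "$file"
}

# Constructed sample keys (not real key material).
ACME_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY acme'
NOCOMMENT_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABEXAMPLEKEYEXAMPLEKEY'

# Demo on a scratch directory: the second install of the same key adds nothing.
DEMO_HOME=$(mktemp -d)
install_authorized_key "$DEMO_HOME" "$ACME_KEY"
install_authorized_key "$DEMO_HOME" "$ACME_KEY"
install_authorized_key "$DEMO_HOME" "$NOCOMMENT_KEY"
list_authorized_keys "$DEMO_HOME/.ssh/authorized_keys"
rm -rf "$DEMO_HOME"
```

Run it against a real home directory only with a key you generated yourself; the listing function is also handy for auditing an existing authorized_keys file for entries nobody can identify any more.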
That's why I like to actually include a comment. So let's compare that to the new key. Now this key right here is a lot shorter, isn't it? We see the key type at the beginning, and the entire public key is just this section right here, and believe it or not, this key type is actually more secure; it uses a stronger type of cryptography. And we also see the comment right here as well, so by looking at this key right here I know it's being used for acme. Now I could obviously tell that by the name, but I do like to have a comment that actually helps me understand what the key is for, and it actually has value, because when you add it to the authorized_keys file you can't go by this name anymore, but you will actually see this in the authorized_keys file, as I'm about to show you. So now what I'm going to do is copy this key over to the remote server. I'm just going to use the same server again, but we're going to pretend that it's a different server; it's for acme, so we'll just go ahead and pretend that. But let me go ahead and copy that over, and I'm using the same command syntax as I've done earlier; paste in the IP, and let's do it. And now the key has been copied over to the server. So what I can do, because I'm lazy, I'm just going to recall the previous command and then simplify it. I'm going to ssh in; now it did ask me for a password, which I wanted it to, more on that in a moment. But if I actually take a look at the .ssh directory and then the authorized_keys file, we can actually see the new key right here that I copied over, and this is exactly the same thing that is inside the public key file for the acme key that I've just created. So by looking at this you can see that the purpose of this key is for acme; it's on the server, and this is the key. And if my font size wasn't so darn big, then all of this would fit neatly on one line, which actually makes it much easier to manage, in my opinion. So anyway, back to my local shell.

So now that we have a key that is specific for the acme server, so to speak, how would we differentiate what key we want to use for an SSH connection? Well, I'm going to show you an example of that. So what we're going to do is ssh and then -i for input file, and then I'm going to type the path to the key, and notice that I'm actually using the private key. I didn't actually type .pub at the end, because for this command I do need to reference the private key; that's the one that it's interested in, because for this command I do need to actually target the private key. And then just like before, I could type the username and then the @ symbol, and I'll paste in the IP address, and then enter. So now it's going to ask me for my passphrase, so I'll type that in, and now I'm connected to the server, so the key works just fine. So I'm going to disconnect, and now I will reconnect, and it's asking me for my passphrase yet again, even though I just typed it in. And I don't know about you, but typing in my passphrase every single time I want to connect, that's going to be a little annoying. So what can we actually do about that? So I'll disconnect from there, and now I'll show you an example of using the SSH agent to cache the key in memory, so that I only need to enter the passphrase just one time and then the key is unlocked for every single connection attempt thereafter, until I close the terminal window. The SSH agent is the mechanism which is going to retain the key in memory and allow you to use it to connect to the server. And I'm using a laptop that is using a desktop distribution of Linux, which means it's going to have the SSH agent automatically loaded by the GNOME desktop, and that means that the SSH agent is already running. And the reason why I've done that is because I want to show you guys how to trigger the SSH agent yourself without relying on the SSH agent that's built in. Now if you are starting your SSH connections from a server that doesn't have a graphical user interface, then you won't have an SSH agent running by default. So here's what I'm going to do.

So what I'm going to do is show you how to start the SSH agent, which will allow you to add the key in memory, and this is especially useful, like I've mentioned, on a server without a GUI, where you normally wouldn't have this loaded in memory automatically. Sometimes you actually want the key to be in memory on a server, because a lot of people will actually use what's called a bastion host, which is essentially a Linux server without a GUI that you will start all of your SSH connections from, and that bastion server likely won't have a GUI, so this is the way that you would most likely load your key into memory, the way I'm about to show you. Now first of all, I'm going to run ps aux and I'm going to grep for ssh-agent, and it's not going to find it. This command that it did find is actually the grep that I'm doing right here, because we see the word grep. So ssh-agent isn't actually running, so let's see how we actually start it. So what we're going to do is run eval, and then double quotes, we're going to type a dollar sign and then parentheses, and then inside the parentheses we're going to type ssh-agent, just like that: eval "$(ssh-agent)". And then we will press enter, and now it's telling us that the PID of the agent is 26815.
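Why the command has to be wrapped in eval, and how to make the same step safe to script on a bastion host where no desktop agent exists, as an added shell example that is not code from the video. The function names are my own; the sample agent output is constructed, reusing the PID shown above, and the key path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the video. Starts ssh-agent only when no agent is
# already reachable, loads one key into it, and kills it when the shell exits.
# Function names are illustrative.

# agent_reachable
# On a desktop, GNOME usually exports SSH_AUTH_SOCK already; on a bastion host
# it is unset. Succeeds only if the variable points at a live socket.
agent_reachable() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# agent_pid_from_output AGENT_OUTPUT
# ssh-agent cannot modify its parent's environment, so instead of exporting
# anything it prints shell assignments for SSH_AUTH_SOCK and SSH_AGENT_PID.
# eval "$(ssh-agent)" runs that text in the current shell; this just extracts
# the pid from it, the same number the "Agent pid" line reports.
agent_pid_from_output() {
    printf '%s\n' "$1" | sed -n 's/^SSH_AGENT_PID=\([0-9][0-9]*\);.*/\1/p'
}

# ensure_agent PRIVATE_KEY_PATH
# Reuses a reachable agent; otherwise starts one for this shell and traps EXIT
# so the agent (and the decrypted key it holds) does not outlive the session.
# Then caches the private key (not the .pub), exactly as ssh-add in the video.
ensure_agent() {
    if ! agent_reachable; then
        eval "$(ssh-agent -s)" >/dev/null
        trap 'ssh-agent -k >/dev/null 2>&1' EXIT
    fi
    ssh-add "$1"
}

# Constructed sample of what ssh-agent -s prints (pid taken from the video).
SAMPLE_AGENT_OUTPUT='SSH_AUTH_SOCK=/tmp/ssh-XXXXexample/agent.26814; export SSH_AUTH_SOCK;
SSH_AGENT_PID=26815; export SSH_AGENT_PID;
echo Agent pid 26815;'

# Usage on a bastion host (needs openssh-client; not run here):
#   ensure_agent "$HOME/.ssh/acme_id_ed25519"
```

The trap is the part people forget: an agent started with a bare eval keeps running, holding the unlocked key, after the terminal that started it is gone.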
So if I recall the ps aux command from earlier, we actually see that same PID right here that it mentioned here is in fact running in the background, and the command is ssh-agent. Now if I was to disconnect from this terminal, the SSH agent is gone; just keep that in mind. But while it is in memory and while we do have the shell open, we can actually use it to cache the key so that we don't have to actually unlock the key manually. So to add a key to the SSH agent, here's what we'll do. We'll simply type ssh-add and then the path to the key that we want to add, and unlike the other commands, we are actually going to cache the private key, so notice that I am not going to type .pub when it comes to this command right here. I am simply going to unlock the key and store it in memory in the SSH agent. So I'll press enter, and now it's asking me for the passphrase, so I'll type that in, and then it returns back to the shell. So if I enter the ssh command again, as you can see, I was logged directly into the server; it didn't ask me for a passphrase or anything, and that's because I started the SSH agent in the background, then I added the key to the agent with the ssh-add command, which allowed me to unlock the key and store it in memory, and now I will never have to add that passphrase again unless I close the terminal window. And that makes it a lot more convenient than adding the passphrase every single time I want to use it. So now you know how to create a separate key for every use case and also how to use the SSH agent to cache the key in memory to make it that much easier to use. And again, if you are using a desktop distribution of Linux like I am, the SSH agent is automatically running in the background and it will unlock your key as soon as you log into the desktop, but if you're logged into a server, well, you don't have a graphical user interface, so you have to actually activate the SSH agent manually, which is what we've just done. So with that out of the way, let's go ahead and move on to the next section.

In this section I'm going to show you guys how to configure the server component of OpenSSH. So far throughout the video we've been using the SSH client, but now it's time to focus a bit more on the server. So what I'm going to do is connect to the server on the remote end, and now what we could do is take a look at the server side. Now first of all, we have to have the SSH server component running. Now most distributions of Linux are going to have the sshd binary to represent the server, as you can see we have that right here. So previously we were using ssh to connect; sshd, which is short for SSH daemon, is a service that runs in the background that accepts connections. Most distributions of Linux nowadays use systemd, so we can check the status of that with systemctl status sshd, and we can see that it's actually active and running. Well, it would have had to have been, because how else would we have been able to connect to the server? If this is actually not running, well, that's a problem, because then we wouldn't be able to connect to the server at all via SSH. You can also see that this service is enabled, which means that it's automatically going to start as soon as the server starts. With the SSH server component we can use all of the standard systemctl commands to manage the service running in the background. So for example, we could do systemctl restart sshd; that's going to restart the service, which I've done. We can also stop the SSH service by changing restart to stop. Now notice that I'm still connected to the remote server. When you stop the sshd service, it's not going to actually terminate any connections that are existing, so my current connection is going to stay alive, but if I disconnect I won't be able to connect back to the server, because by disconnecting the session I'm actually terminating the connection; I no longer have a connection at that point, and I can't start a new connection while the SSH service is not running. So I'd better start that just in case I accidentally drop my shell and then I can no longer access the server, and as we can see now, it's running as of three seconds ago. If the service is not enabled at boot, then you won't be able to connect to the server when it restarts via SSH, because again, it needs to be running, so for that you can actually just change the keyword here to enable. Which isn't actually going to work, because on Ubuntu and Debian it's actually technically ssh, but it's already enabled anyway, so it doesn't matter. sshd is actually linked to ssh; most distributions call the binary sshd, Ubuntu and Debian for example decided to simplify that down to ssh when it comes to the service name, but that doesn't matter, it was already enabled anyway, so we're good to go.

Now when we go into the /etc directory, and then inside there we have an ssh directory, we have a lot of files here. Now here we have SSH host keys. When we actually connected to the server for the first time, it asked us, do you want to accept the fingerprint? We said yes, and then we were able to connect. These keys right here are used for the fingerprint. You do not want to delete the host keys, though; if you do delete these host keys and then try to reconnect to the server, you won't be able to. Now one thing to keep in mind when you have these host keys, though, is that if you create an image of a server that you want to deploy or clone to other machines, these host keys are actually going to be cloned along with the rest of the file system. In that case you actually would want to regenerate the keys, and that differs from one distribution to another, but basically just keep in mind you will want to change those host keys. Perhaps I'll do a different video that will teach you guys how to do that; just keep that in mind. You don't want the same host keys on all of your servers, because your SSH client is going to be very, very confused. It's actually going to think that it's connecting to the same server every single time, even though it's not, because when it finds the same host keys it assumes that it's the same server, and when it has a different, you know, IP address and everything else is different, it's like, hey, wait a minute; it's actually going to think that there's a man-in-the-middle attack going on. So if you ever get a prompt that says the keys don't match, that is the reason why. That's beyond the scope of this video, though, but I do want to mention at least: don't delete these keys unless you actually intend to change them, which again I'll do probably in a different video.

Anyway, the config file that we actually care about here is the sshd_config file. Now we also have an ssh_config file as well; this is actually for the client. This is for global client configuration settings across the entire distribution. When you use the ssh client, it's actually going to configure itself along with this config file; your local ssh config file that I showed you how to create earlier will override this. But we're not going to focus on this file; we want to focus on this one here, because this is the file that we will actually use to configure the server service, basically the process that's listening for connections. So if I bring that up in an editor, which I'll need to be logged in as root (as you can see that I am) or I'll need to use sudo if I'm not, because in order to make changes to this file I'll need permission to do so. Now I'm not going to go over this entire file in all its detail, but there's a few configuration options here that we want to pay special attention to. Now first of all, I could change the port number. It defaults to port 22, and if we have a hash symbol in front of a line it's just commented out; in this case it implies that port 22 is the default. If I want to change it, I could uncomment that and I could change it to 2222, for example, and you know what, I'm going to leave that there, because there's an important option that I want to show you guys later, so I'm going to leave the port at 2222. Scrolling down a bit more, we have this option here, PermitRootLogin yes. Now I'm not going to do it, but you actually want to set this to no, and you only want to set this to no if you already have another user that you can log in with via SSH outside of root, because root is the account that all of the hackers out there are going to try to log in with, and if you actually shut this down, then they can't do that. I'm going to leave it as yes on my end, but again, if you already have a non-root user to use and that already works, consider setting this to no. Scrolling down a little bit more, though, let's see if I could find it; here it is: PasswordAuthentication is set to yes. Now this is the single most important security configuration change that you can possibly make with the SSH server, and literally everybody should set this to no. Now you should only set this to no if you already have an SSH key relationship already set up. You want to make sure that you can log in with your SSH key before you actually set this to no, which I already know that I can, so I'm going to set it to no. Now I'm going to save the file and close out, and as a recap, we have made two changes to this file: we have changed the port from 22 to 2222 and we have also disabled password authentication as well. So what I'm going to do is restart the SSH service, and then I'll check the status to make sure that it didn't fail, and it's running.

So now what we need to do is test the configuration changes and make sure that SSH still works. What we absolutely don't want to do is disconnect our session, because if I was to disconnect right here and then I had some kind of error, well, I'm not going to be able to get back into the server. As I mentioned earlier, existing connections are not going to be terminated when you restart SSH, but if I disconnect and then reconnect, I'm reconnecting to the SSH server with its new settings. So what I want to do instead is open up a new tab or a new window, doesn't matter; I just want to keep the original one running. So again, I'm going to ssh root@ and then the IP address. Already it's telling me connection refused, but that's okay, because we changed the port. So what I will need to do is type -p as the option here, 2222, and I'm basically setting the port that I want to use. If you don't actually include the -p option, it's going to assume 22. If the port is not 22, then you need to include -p with the port number it actually is. So let's try it now, and now I was successfully able to log in and everything is working perfectly fine, so I no longer need to worry about maintaining the very first connection that I have right here, because again, everything tests out perfectly fine.

Now one thing I want to mention about the port number is that changing the port number to something else outside of 22 does actually help your security; it helps make your server more secure. However, changing the port number doesn't add much security, maybe like one percent or something, I don't know, I don't want to put an arbitrary number on it, but basically any hacker that really wants to break into your server, they can find what the SSH port actually is without too much trouble. But what this does help is that only the hackers that are really determined to get into your server will continue to try. There's actually a lot of bots out there that are looking for open port 22s out there on the internet, and when it finds one it's going to try it, but if it actually looks at your server and it doesn't see that port 22 is open, it's just going to skip it and move on to the next. But any hacker that's really determined and they really want to log into your server in particular, they'll probably find that port within one to five minutes or something like that. But it's a very easy change to make, so why not? And password authentication is disabled as well, so as an example of that, I'm actually going to temporarily move the .ssh folder, which means all of my keys will not be found. So I'll just do mv; I'll just rename it to that. So what I'm going to do is actually log out of my computer and log in, to make sure that any instance of that key is no longer in memory. All right, so I've logged back in and I'll bring up a terminal. Let's try this again: permission denied (publickey), and this is the error that you are going to get if you do not have a key relationship with the server that you are trying to connect to and password authentication is disabled, which is why it didn't ask me for the password; it just flat out denied me. It's not going to let me in. If I was a hacker, I would already be able to tell that I can't brute force the password, because password authentication isn't even allowed; I need that public key in order to get into that server. It makes it extremely hard for a hacker to get into the server at this point. Now because I tried to use the ssh command, it actually created a .ssh directory for me, so what I'm going to do is just get rid of that one, and I'm going to move the backup back to its original name, and now let's try that again. And now I'm logged in. So as you can see, disabling password authentication makes it a lot harder; I wasn't even able to get into the server without the key, but now that I have the key in the appropriate place, I was able to go ahead and log in. And no matter what, I highly recommend that you create a key and disable password authentication on all of your Linux servers. It's the most important security tweak that you will ever make on a Linux server. There's actually quite a few different things that you can do to harden a Linux server, but the very first thing is definitely to disable password authentication. So basically, you create a key, you add that key to each of your servers, and you're good to go. So with that out of the way, there's one more section for us to go through, and I'll see you there.

So in this section we're going to go through a few troubleshooting tips for when OpenSSH isn't quite working the way that we expect or hope, and OpenSSH is
one of those things that can actually be a little complicated to troubleshoot so i'm actually not going to be able to tell you every single possible thing that could go wrong but i am going to go over the most common things that you'll likely deal with now first and foremost we have to check the network layer this pretty much has nothing to do with openssh itself but openssh is only able to work if there is a path from point a to point b and this brings us full circle back to the very first section of the video and here we have one of the slides from the presentation at the beginning and what i really want to drive home is the networking side of things to basically condition your mindset to think of ssh as you would anything else if you want to access a website for example you have to be able to get out of your local area network to the internet and then through the internet to the remote web server which should serve the web page and that logic actually works here too because you're going to have your local laptop or desktop right here maybe again this is your house or office or whatever you're going to go out your cable modem or whatever your internet device happens to be to the internet and then you have to be able to get to the remote side which in this case is actually somewhere else geographically you need to be able to get through that internet device on the remote end to that switch that switch has to allow traffic to the server you are trying to connect to and if anything fails along the way you will not be able to connect now as i've mentioned openssh uses port 22 by default so first and foremost you have to have the openssh client installed on your local computer in the case of linux most likely you already have that i have yet to see a distribution that doesn't include the open ssh client by default and again mac os includes that by default as well and in windows it's very easy to install an ssh client now assuming that your isp doesn't have port 22 
blocked which is very rare but it does happen you should have no trouble getting out of your local area network out to the internet that's the easiest part now when you get to the remote server the internet device on the remote end has to allow traffic via port 22. most often it's just going to be a dumb cable modem that passes everything through regardless of the port and blindly accepts all traffic that's usually how it works and then here you have a switch most likely probably a firewall which is actually making decisions as far as which ports are allowed through so assuming that port 22 is allowed in the switch router firewall whatever that is then it's going to pass the traffic through now i've actually glossed over the fact that you need port forwarding to forward port 22 to the server we're going to ignore that for now because that's beyond the scope of the video but the point is you have to have 22 allowed straight through if you get a timeout message that could very well mean that port 22 is not listening on the remote end or the firewall is actually blocking port 22 most of the time when you have a firewall that is blocking a particular port it's not actually going to tell you that the port is blocked if it did that then a hacker would know oh that's an actual server there it's telling me that port 22 is blocked but by the firewall saying nothing which is what a timeout is no response then the hacker doesn't really know oh that's weird why is it not responding is there no server there is there no service listening is there a firewall that is listening but it's blocking me the hacker doesn't know because the firewall isn't telling that person why their connection isn't going through which is why it times out basically when it comes to security you want to give the outside world as little information as you can so let's assume then that everything here on this diagram checks out 22 is allowed through here it's allowed through here it forwards to the server 
everything checks out but you still get an error what i'm going to do now is talk to you about some of the most common errors that you might get now one common problem actually comes in the form of invalid permissions so if i do ls and then dash l for a long listing i'll add a because i want to show a hidden file and i will grepford.ssh so the ls command will only show that one folder and here it is now notice the permissions i'll have a separate video on my channel that'll go over permissions there's actually already a few on my channel that goes over permissions but really quickly we can see that it's a directory which is why it starts the d read write and execute for the user the first group of three after the d which this d can also be a hyphen after the first character the first set of three refers to the user which is me the second set of three characters here refers to the group which is me and then the last set of three refers to basically everyone else now in this case the user has full access read write and execute group has nothing because all of those are hyphens and when it comes to other the last section here that's all hyphens as well so what we can glean from this is that only my user can do anything with this folder and if i set the permissions to anything else and open this up to everyone for example then ssh isn't actually going to allow the connection via a key for example because it's not going to trust a folder that is open and writeable by everybody that is highly suspicious the ssh directory should only be viewable and readable by you and no one else but that's not actually where the permission stopped though if i go inside that directory we have a bunch of files here now notice that the public key i have a public key here and i have another public key here they are readable by the user group and other same thing here that's okay because this is a public key and this is a public key they can be readable by everybody that's why they're called 
a public key it doesn't matter again you can actually put your public key on a billboard that is alongside a busy interstate highway the public key is public it doesn't matter who sees it but notice that the private keys this one and this one we know that these are the private keys because they don't have the dot pub extension these are only readable and writeable by the user that owns the files if you set the permissions to something else ssh will not work so basically if you have a problem connecting to a server via ssh one of the first things you should do is check the permissions you may or may not get an error that tells you that permissions are the problem that's important to keep in mind but it's very easy to check to make sure that your private keys are readable and writeable only by you and your public keys again can be readable by everyone the ssh directory itself should only be readable writable and executable by your user if all of that checks out you should be fine when it comes to your client but when it comes to the remote end you also want to make sure the same thing make sure the ssh directory on the remote server is also only readable in writable by you and the authorized keys file is also only readable and writable by you if all of that checks out permissions are probably not the issue so like i showed you near the beginning of the video we should also take a look at the log files so i'm going to log into the remote server i'll get rid of this port here i'm logged into the server and then in this tab i have a session open on my local laptop so again what i'm going to do is go into the var log directory and at least as far as debian and ubuntu is concerned we have an off log if you are using a different distribution you might actually have something like secure instead of authlog that's very common you can actually tail that file and i can actually press enter a bunch of times to get rid of the previous output and if i try to connect again it was 
a successful connection since i'm telling the log if there was a problem i would actually be able to see that here so basically if you have a user that can't connect you can have them try to connect while you tail the logs and if there's an error you'll see that right here so let me show you guys an example of this failing so what i'm going to do is move the ssh directory that's inside the root directory to a different name and i'll tell that log file again let's try it again i've disconnected and i'll try to connect now i need to enter the password okay i typed the wrong password actually on purpose i want to do it again i'm going to do it again and it only lets you try so many times until it just stops you so basically on this tab here you can see everything that was attempted authentication failure you see that right here it failed the password it repeated two more times failed the password and then eventually it gave up and closed the connection because i wasn't able to type the right password so you could see a user trying to log in and they're complaining that they can't and then you'll see right here they're typing the wrong password and i don't know what it is but users always forget their password i don't know why they do that but it's often the case and sometimes they will insist that they're typing the correct password well clearly they are not because it's telling me right here it failed the password and we would see their username right here instead of root whatever username they're trying to log in with and then we will immediately know that it is actually a problem with their password they need to either remember their password or maybe put in a request to have their password changed and there's all kinds of things that you can see here in the log file and there's other problems such as you know i mentioned permissions with key files or just not having a key file you will see in the log file some information as far as why it's actually failing now i 
showed you how to manually follow the log files but technically that's the old way of doing it because nowadays we are using systemd on most distributions and logging is actually built right into systemd so we technically should be using journalctl to follow log files so i'll give you an example of that the command is journalctl dash u and then the unit name unit it just means service daemon whatever you want to call it it's the ssh service that we want to follow and on some distributions it'll be known as sshd so just keep that in mind if this doesn't work add the d at the end and as you can see we get a bunch of log entries here but we can also follow log entries by adding the f option which stands for follow which kind of creates a funny command here journalctl-fu and then the unit name which again is either ssh or sshd depending on your distribution and what this will do is do the equivalent of tail dash f but with journal ctl similarly it's going to follow all log entries here i'll just press enter a bunch of times then here in this tab i can try to connect again i'll fail the password on purpose did it again and again and as you can see i have failed the password three times so in this tab right here i was following the log messages and i see the failed password prompts right here that i saw earlier and again this is the preferred way to do it when it comes to following the logs it's just the journal ctl command as you see here ssh on debian and ubuntu and also distributions that are based on debian and ubuntu sshd on other distros you get the idea by following the log file you will actually find the majority of the reasons why this is failing and if you yourself are not able to get into the server you as the administrator then you could ask one of your team members to follow the log and then they can tell you why you're not able to log in but between the log files and permissions that's going to catch most of the problems and of course the ssh service has to 
be running and like i mentioned earlier you have to have the ability to get a tcp ip connection to the server via the port that ssh is listening on for you to be able to connect to it in the first place so i hope this video was helpful in teaching you all about openssh as i mentioned ssh is awesome it's a great utility it allows us to manage our linux servers from wherever we might be and that's pretty cool so let me know what you think of this video in the comments down below subscribe if you haven't already done so and i will see you again in the next video thanks for watching [Music] you
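The permission rules described in the troubleshooting section above (the .ssh directory owner-only, private keys readable and writable only by their owner, public keys and authorized_keys readable by others but never writable by them) can be checked with a script instead of by eye. The following is an added example and is not code from the video or from the OpenSSH project. It builds a constructed temporary directory containing dummy key files so it runs offline without touching real keys; the function names (perm_of, check_ssh_dir, make_demo) and the dummy file names are my own choices.

```shell
#!/bin/sh
# Added example (not from the video): audit a .ssh directory against the
# permission rules described above. A constructed demo directory is built
# with dummy files so the script runs without touching your real keys.

# Print the octal permission bits of a path; GNU and BSD stat take
# different flags, so try the GNU form first.
perm_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%OLp' "$1"
    fi
}

# Check one .ssh directory. Prints one line per finding and returns 1 if
# anything would make OpenSSH refuse to use the directory or a key.
check_ssh_dir() {
    dir=$1
    problems=0
    mode=$(perm_of "$dir")
    if [ "$mode" != "700" ]; then
        echo "BAD  $dir is mode $mode (want 700: owner only)"
        problems=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(perm_of "$f")
        case "$f" in
            *.pub|*/authorized_keys|*/known_hosts|*/config)
                # Public material may be world-readable, but never writable
                # by group or others (with the default StrictModes, sshd
                # rejects a group- or world-writable authorized_keys).
                case "$mode" in
                    6[04][04]) ;;
                    *) echo "BAD  $f is mode $mode (want 644 or 600)"; problems=1 ;;
                esac
                ;;
            *)
                # Anything else is treated as a private key: owner-only.
                if [ "$mode" != "600" ] && [ "$mode" != "400" ]; then
                    echo "BAD  $f is mode $mode (want 600: private key)"
                    problems=1
                fi
                ;;
        esac
    done
    if [ "$problems" -eq 0 ]; then
        echo "OK   $dir permissions look sane"
    fi
    return "$problems"
}

# Build a constructed sample: one correct .ssh layout and one that repeats
# the mistakes the video warns about. File contents are dummies, not keys.
make_demo() {
    base=$(mktemp -d)
    mkdir "$base/good" "$base/bad"
    for d in good bad; do
        printf 'dummy private key\n' > "$base/$d/id_ed25519"
        printf 'dummy public key\n'  > "$base/$d/id_ed25519.pub"
        printf 'dummy public key\n'  > "$base/$d/authorized_keys"
    done
    chmod 700 "$base/good"
    chmod 600 "$base/good/id_ed25519"
    chmod 644 "$base/good/id_ed25519.pub" "$base/good/authorized_keys"
    chmod 755 "$base/bad"                 # directory open to everyone
    chmod 644 "$base/bad/id_ed25519"      # private key readable by all
    chmod 666 "$base/bad/authorized_keys" # authorized_keys writable by all
    chmod 644 "$base/bad/id_ed25519.pub"
    echo "$base"
}

# Demo run. On a real system you would call: check_ssh_dir "$HOME/.ssh"
demo=$(make_demo)
check_ssh_dir "$demo/good"
check_ssh_dir "$demo/bad" || true   # expected to report three findings
rm -r "$demo"
```

The "bad" layout produces three findings (directory, private key, authorized_keys) and a non-zero exit status, so the function can be dropped into a login script or a monitoring check; the public key at 644 is accepted, matching what the video says about public keys being safe to expose.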
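The log reading shown above (tailing /var/log/auth.log, or journalctl -fu ssh on a systemd distribution, and watching for repeated "Failed password" lines) can be summarised rather than eyeballed when there are many entries. The following is an added example and not code from the video: it parses a handful of constructed auth.log-style lines (RFC 5737 documentation addresses, an invented hostname, PIDs and timestamps, and a made-up key fingerprint) and reports failed password attempts per user and source address, plus the sources that reached a chosen number of failures. The function names failed_password_summary and sources_over_threshold are my own.

```shell
#!/bin/sh
# Added example (not from the video): summarise sshd password failures from
# auth.log / journalctl output. The log lines below are constructed for the
# demo (documentation IP ranges, invented host, PIDs, times and fingerprint).

SAMPLE_LOG=$(cat <<'EOF'
Dec 18 10:15:01 server sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
Dec 18 10:15:04 server sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
Dec 18 10:15:08 server sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
Dec 18 10:15:09 server sshd[1234]: Connection closed by authenticating user root 203.0.113.7 port 51234 [preauth]
Dec 18 10:16:20 server sshd[1250]: Failed password for invalid user admin from 198.51.100.9 port 40022 ssh2
Dec 18 10:17:02 server sshd[1260]: Accepted publickey for jay from 192.0.2.10 port 50111 ssh2: ED25519 SHA256:constructed
EOF
)

# Read log lines on stdin; print "<count> <user> <source-ip>", most frequent
# first. Handles both "for USER from IP" and "for invalid user USER from IP".
failed_password_summary() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "for") break
            user = $(i + 1)
            if (user == "invalid" && $(i + 2) == "user") user = $(i + 3)
            for (j = i; j <= NF; j++) if ($j == "from") break
            count[user " " $(j + 1)]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Read summary lines on stdin; print source IPs whose total failures across
# all usernames reach the threshold given as $1.
sources_over_threshold() {
    awk -v t="$1" '
        { per_ip[$3] += $1 }
        END { for (ip in per_ip) if (per_ip[ip] >= t) print ip }
    ' | sort
}

# Demo on the constructed sample. On a live Debian/Ubuntu box you would feed
# the functions with real output instead, for example:
#   tail -n 1000 /var/log/auth.log | failed_password_summary
#   journalctl -u ssh --no-pager | failed_password_summary
echo "Failed password attempts (count user source):"
printf '%s\n' "$SAMPLE_LOG" | failed_password_summary
echo "Sources with 3 or more failures:"
printf '%s\n' "$SAMPLE_LOG" | failed_password_summary | sources_over_threshold 3
```

The three failures from 203.0.113.7 followed by the "[preauth]" close are the server-side view of the video's demonstration (wrong password three times, then the connection is dropped); the "invalid user" line shows the other common pattern, a username that does not exist on the box, which the awk handles separately so the real username still appears in the summary.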
Info
Channel: LearnLinuxTV
Views: 117,639
Rating: 4.9729729 out of 5
Keywords: Linux, Tutorial, Review, Howto, Guide, Distribution, Distro, Learn Linux, operating system, os, open-source, open source, gnu/linux, LearnLinuxTV, LearnLinux.tv, ssh, openssh, linux ssh, ssh tutorial, openssh tutorial, openssh full course, full course, linux full course, ssh course, linux course, secure shell, command line, secure shell tutorial, ssh server, linux commands, how to, ssh keys, linux tutorial, ssh client, secure shell ssh, secure shell explained, ubuntu, debian, network
Id: YS5Zh7KExvE
Length: 87min 59sec (5279 seconds)
Published: Fri Dec 18 2020