SSH and Remote Machine Access

SSH and terminal multiplexers like tmux and screen are essential tools for working on remote servers. Tools like tmux and screen allow you to start a long-running job on a remote system, close the window and SSH session and return later to the same session.

Most of our systems use SSH public and private keypairs to improve their security. Usually this means you have a local password on the remote system that is used for commands like sudo, but you do not use this password for logins. Instead, you use a public/private keypair.

High-level Tips:

  • Use a public/private keypair with a passphrase, especially for keys that you will reuse. The tutorials below will show you how to set this up. Your public key can be placed on remote servers while your private key should be kept secure.
  • You can increase the security of your private key by learning to use SSH agent forwarding. See below for more details.
  • Use a tool like Keychain to store your private key and reuse it between terminals.
  • Learn how to use either tmux or screen!

Georgia Tech's VPN

  • If you can't log in initially, don't panic! Some machines on GT's campus are behind either ECE or CS firewalls. If a machine is not responding to a simple ping, try connecting to the Georgia Tech VPN and then try sshing again.

Understanding public/private keypairs

This OpenSSH Tutorial provides a very good overview of how public and private keys work as well as how to generate your own RSA keypair. There are three pages that cover 1) generating keys, 2) key management with ssh-agent and keychain, and 3) using ssh agent forwarding to reduce the need to copy your private key to other machines.

File transfers

Files can be transferred via the SCP command. Some OSes provide GUI-based tools that provide an easy-to-use interface for this.

X11 Forwarding

To run graphical applications from a remote server on your local machine, you must use X Forwarding. In a Linux environment, you can usually do this by logging in with the -X flag, but other OSes require specific tools to open the forwarded application. Currently XMing and XQuartz are recommended for Windows and Mac OS X, respectively.

Windows-Specific Information

While you can use cygwin or Bash for Windows with the Linux-specific directions, PuTTY and WinSCP provide GUI-based tools that allow you to SSH to remote servers and copy files to and from them.

  • To generate a new key with PuTTY, see the following guide.
  • You can then store and reuse that key with Pageant. To integrate Pageant with cygwin see here.
  • X11 Forwarding to a Windows machine (not running Bash for Windows) is enabled by XMing. See PuTTY-related instructions here.

Linux

Create your key as detailed in the OpenSSH tutorial above with ssh-keygen -t rsa. You then can copy your public key (id_rsa.pub) to the remote server and store your private key (id_rsa) in your local .ssh folder.

jeff@mybox:~$ ls -all .ssh/ 
total 16
drwx------  2 jeff jeff 4096 Oct  5 17:23 .
drwxr-xr-x 19 jeff jeff 4096 Oct  7 12:52 ..
-rw-------  1 jeff jeff  395 Oct  5 17:23 authorized_keys
-rw-------  1 jeff jeff 1743 Oct 1  2015 id_rsa
-rw-------  1 jeff jeff 1743 Oct 1  2015 id_rsa.pub
-rw-r--r--  1 jeff jeff  444 Oct  4 12:48 known_hosts
  • Note: If you add or modify files in .ssh you will need to set your permissions to 600 (for private files) or 644 (for public files). Otherwise you may not be able to log in.

Next, look into how to minimize typing in your passphrase for multiple logins with ssh-agent or Keychain.

Mac OS X

Mac OS X uses a very similar setup to Linux since it includes a standard terminal setup. The main difference with OS X is that X forwarding is enabled by XQuartz.

Miscellaneous Tips

  • The ServerAliveInterval can be used to keep an SSH session alive. For more information on its use, see here.
  • Patrick Lavin (CSE) has shared a nice page he found for setting up ssh to work with tmux, which you can find here.
  • Marat Dukhan has also created some nice slides on using ssh here.

Hardening your SSH Server and Connections

Server-side options to secure SSH can usually be found in /etc/ssh/sshd_config.

  • First of all, use SSH keypairs! You can disallow using passwords by updating the following lines:

    PasswordAuthentication no
    PermitEmptyPasswords no
  • Disable root logins: PermitRootLogin no
  • Use the AllowUsers option in sshd_config to restrict logins to specific users. This prevents some pings from bots.
  • Run a service like fail2ban, which can limit repeated pinging by bots.
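
One way to check a config file against the settings in this list, as an added example that is not part of the original page. The function names and the sample config are constructed for illustration. The script reads a single file and ignores Match blocks and Include files, so on a real server compare its result with the effective configuration printed by sshd -T.

```sh
# Added example: check one sshd_config-style file for the settings listed above.
# Print the first global value of keyword $2 in file $1. sshd keeps the first
# value it reads for a keyword; keyword names are case-insensitive.
sshd_value() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }                      # skip comments, blank lines
        {
            sub(/^[ \t]+/, "")
            key = $0; sub(/[ \t=].*/, "", key); key = tolower(key)
            if (key == "match") exit                 # simplification: globals only
            if (key == tolower(want)) {
                sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "")   # drop keyword and separator
                sub(/[ \t]+$/, "")
                print; exit
            }
        }' "$1"
}

# Report PASS/FAIL per setting; return 1 if anything fails.
audit_sshd_config() {
    rc=0
    for want in "PasswordAuthentication no" "PermitEmptyPasswords no" "PermitRootLogin no"; do
        key=${want% *}; expected=${want#* }
        got=$(sshd_value "$1" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" = "$expected" ]; then
            echo "PASS $key $got"
        else
            echo "FAIL $key is '${got:-unset}', expected '$expected'"; rc=1
        fi
    done
    [ -n "$(sshd_value "$1" AllowUsers)" ] && echo "PASS AllowUsers is set" \
        || { echo "FAIL AllowUsers is unset"; rc=1; }
    return $rc
}

# Constructed sample config (not from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
passwordauthentication  no
PermitRootLogin=yes
#PermitEmptyPasswords no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd_config "$sample" || echo "sample config needs changes"
```

In the sample, the second PermitRootLogin line does not help because the earlier "yes" is read first, and the commented-out PermitEmptyPasswords line counts as unset.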