Introduction
Ubuntu 20.04 Desktop does not include an SSH server preinstalled. In this article, I show how I install OpenSSH, create an SSH keypair, install the keypair on Ubuntu for a user, and disable password-based SSH logins. I also include a PowerShell script to mimic the base features of ssh-copy-id. This article also applies to configuring OpenSSH that is preinstalled on cloud servers from AWS, Azure, Google, and probably most vendors.
There are many articles on the Internet about installing and setting up OpenSSH. This article documents my steps for my own documentation purposes. I am currently writing a series of articles on Laravel 9 with a focus on storage and mail. My objective is to create recipes for installing and setting up everything related to Laravel 9, PHP 8.1, and Ubuntu running in a Hyper-V VM and in the cloud on Azure and Google Cloud VMs.
My environment:
- Windows 10 Professional for development. This system is the SSH client connecting to Ubuntu running OpenSSH.
- Hyper-V virtual machine running Ubuntu 20.04 Desktop.
- Hyper-V virtual machine running Ubuntu 20.04 Server.
- Azure Virtual Machine running the image Canonical:0001-com-ubuntu-server-focal:20_04-lts-gen2:latest.
- Google Cloud Compute Engine running the image ubuntu-2004-lts.
Update the Operating System
```
sudo apt update
sudo apt upgrade -y
sudo reboot
```
After updating the operating system, I always reboot the OS. I am not sure if this is really necessary, but I want to ensure that all processes are using the latest code.
Install OpenSSH Server
Install OpenSSH server:
```
sudo apt install openssh-server -y
```
Verify that the OpenSSH server is now running:
```
sudo systemctl status ssh

Output:
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2021-12-12 12:34:00 PST; 48s ago
...
```
Determine Ubuntu’s IP address
```
ip addr

Output:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:00:34:10 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.149/24 brd 192.168.10.255 scope global dynamic noprefixroute eth0
       valid_lft 85618sec preferred_lft 85618sec
    inet6 fe80::797c:7f49:160f:cd69/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
```
For my setup, the IP address is 192.168.10.149.
SSH Connect Test
Test connecting to Ubuntu using SSH. I set up Ubuntu with the username jhanley. Update the ssh command with your username and IP address.
```
ssh jhanley@192.168.10.149

Output:
The authenticity of host '192.168.10.149 (192.168.10.149)' can't be established.
ECDSA key fingerprint is SHA256:DWy/Xszu/Xak8ZbPkzuH+MDTGFTFmqLpYhBkMT/3m0A.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.10.149' (ECDSA) to the list of known hosts.
jhanley@192.168.10.149's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.11.0-41-generic x86_64)
```
For my Ubuntu installation, the UFW firewall is not active. You may need to allow the SSH port:
```
sudo ufw allow ssh
```
Setup SSH Keypair Authentication
I recommend switching from password-based logins to SSH keypairs. Digital Ocean wrote a nice article on this topic. I used the following steps on my Windows 10 desktop.
Create an SSH keypair:
```
ssh-keygen -f C:\Users\john.hanley\.ssh\ubuntu-desktop -t rsa -b 4096 -N ""

Output:
Generating public/private rsa key pair.
Your identification has been saved in C:\Users\john.hanley/.ssh/ubuntu-desktop.
Your public key has been saved in C:\Users\john.hanley/.ssh/ubuntu-desktop.pub.
The key fingerprint is:
SHA256:GUbRq7aS4+Yj8YtgPXvhgcPRfNNICKJsmkftqQoaLJ0 john.hanley@DESKTOP-NUC
The key's randomart image is:
+---[RSA 4096]----+
| . .. .oo |
|.. o ... . |
|.o. .o .oo . |
|oo ...o.+oo |
|o ..oo .So |
|.o += o o |
|+.E o= = . |
|++ ..+X . |
|o o*+= |
+----[SHA256]-----+
```
Copy/Install the SSH keypair
Windows 10 does not have the equivalent of the Linux ssh-copy-id command. I wrote a PowerShell script that installs the SSH public key onto Linux. Create a file named ssh-copy-id.ps1 and enter the following script.
I also wrap the PowerShell script with a batch script:
Execute the PowerShell script to copy the SSH public key to the user’s .ssh/authorized_keys file.
```
powershell ./ssh-copy-id.ps1 C:\Users\john.hanley\.ssh\ubuntu-desktop.pub jhanley@192.168.10.149
```
Verify that the SSH login now works using a keypair.
```
ssh -i c:\users\john.hanley\.ssh\ubuntu-desktop jhanley@192.168.10.149

Output:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.11.0-41-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

0 updates can be applied immediately.

Your Hardware Enablement Stack (HWE) is supported until April 2025.
Last login: Sun Dec 12 13:50:44 2021 from 192.168.10.135
```
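An added example, not the author's ssh-copy-id.ps1 and not part of the original article: the steps an ssh-copy-id-style install has to perform on the Ubuntu side, written as a shell function. The name install_pubkey, its arguments and the sample key are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the author's ssh-copy-id.ps1. install_pubkey is a
# hypothetical helper showing the Ubuntu-side steps of installing a key.

# install_pubkey PUBKEY_FILE [HOME_DIR]
# Returns 0 when the key is installed or already present, 1 when rejected.
install_pubkey() {
    pub=$1; home=${2:-$HOME}; auth="$home/.ssh/authorized_keys"
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # A .pub file is a single line; strip the CR a Windows editor may add.
    line=$(head -n 1 "$pub" | tr -d '\r')

    # Accept only an OpenSSH public key line (common key types). This also
    # stops the easy mistake of sending the private key instead of the .pub.
    re='^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
    if ! printf '%s\n' "$line" | grep -Eq "$re"; then
        echo "refusing $pub: not an OpenSSH public key" >&2
        return 1
    fi

    # With StrictModes (the sshd default) a group- or world-writable .ssh
    # directory or authorized_keys file is refused, so set modes explicitly.
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Append only when the exact line is missing, so re-runs are harmless.
    grep -qxF -e "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
}

# Constructed demo in a throwaway directory; the key below is a made-up sample.
demo=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleOnly demo@example\r\n' > "$demo/k.pub"
install_pubkey "$demo/k.pub" "$demo/home"
install_pubkey "$demo/k.pub" "$demo/home"      # second run adds nothing
grep -c . "$demo/home/.ssh/authorized_keys"    # number of installed keys
```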
Setup .ssh/config
The ssh CLI command can read per-host connection and authentication settings from the file ~/.ssh/config.
Edit or create the file config in the .ssh directory. For my Ubuntu desktop configured above, add the following section:
```
Host ubuntu-desktop
    HostName 192.168.10.149
    User jhanley
    IdentityFile ~/.ssh/ubuntu-desktop
```
Now I can connect to the Ubuntu system with a simplified command:
```
ssh ubuntu-desktop

Output:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.11.0-41-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

0 updates can be applied immediately.

Your Hardware Enablement Stack (HWE) is supported until April 2025.
Last login: Sun Dec 12 17:55:54 2021 from 192.168.10.135
```
Disable Password-Based SSH Authentication
Before completing this step, make sure you can log in using your SSH keypair.
Edit the file /etc/ssh/sshd_config with elevated permissions (sudo). Change the following line to be:
```
PasswordAuthentication no
```
Reload the OpenSSH server:
```
sudo systemctl reload ssh
```
Verify that the OpenSSH server is running without errors:
```
sudo systemctl status ssh

Output:
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2021-12-12 12:34:00 PST; 48s ago
...
```
As an extra security measure, I reboot the OS to ensure existing connections are terminated.
```
sudo reboot
```
Another method to terminate all SSH sessions without rebooting:
```
sudo killall sshd
sudo systemctl start sshd
```
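sshd uses the first value it obtains for each keyword, so an earlier line or an included file can leave password logins enabled after the edit to /etc/ssh/sshd_config. The following added example (not from the original article; audit_sshd_auth is a hypothetical helper name and the sample dump is constructed) checks the effective settings that `sshd -T` prints instead of the line that was edited.

```shell
#!/bin/sh
# Added example, not from the original article. audit_sshd_auth is a
# hypothetical helper; it reads `sshd -T` output (effective settings,
# one lowercase "keyword value" pair per line) on stdin.
# Returns 0 only if password-style logins are off and key logins are on.
audit_sshd_auth() {
    awk '
        function bad(msg) { print "FINDING: " msg; n++ }
        { k = tolower($1); v = tolower($2) }
        k == "passwordauthentication" { pw = 1; if (v != "no") bad(k " is " v) }
        k == "pubkeyauthentication"   { pk = 1; if (v != "yes") bad(k " is " v ", key logins would fail") }
        # Keyboard-interactive goes through PAM, which can still ask for a password.
        k == "kbdinteractiveauthentication" || k == "challengeresponseauthentication" {
            if (v != "no") bad(k " is " v)
        }
        END {
            if (!pw) bad("passwordauthentication not found in input")
            if (!pk) bad("pubkeyauthentication not found in input")
            exit (n > 0)
        }'
}

# Constructed sample: sshd_config was edited, but an earlier setting won.
sample='passwordauthentication yes
challengeresponseauthentication no
pubkeyauthentication yes'
if printf '%s\n' "$sample" | audit_sshd_auth; then
    echo "password logins are disabled"
else
    echo "do not rely on key-only logins yet"
fi
# On the server: sudo sshd -t && sudo sshd -T | audit_sshd_auth
```

Running `sudo sshd -t` before the reload catches syntax errors in the edited file while the current SSH session is still open.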
Additional Information
- Digital Ocean: How to Set Up SSH Keys on Ubuntu 20.04
- SSH.COM: How to use ssh-keygen to generate a new SSH key
- SSH.COM: Ssh-copy-id for copying SSH keys to servers
- SSH.COM: SSH config file for OpenSSH client
- LearnLinuxTV published an excellent 90-minute video on OpenSSH. Definitely worth watching.
Summary
Installing and setting up OpenSSH on Ubuntu 20.04 Desktop is straightforward. Switching from password to SSH keypair-based logins improves security. Since Windows 10 does not have the program ssh-copy-id, I wrote my own PowerShell script to duplicate the features I require.
Photography Credits
I write free articles about technology. Recently, I learned about Pexels.com which provides free images. The image in this article is courtesy of Pixabay at Pexels.
I design software for enterprise-class systems and data centers. My background is 30+ years in storage (SCSI, FC, iSCSI, disk arrays, imaging) virtualization. 20+ years in identity, security, and forensics.
For the past 14+ years, I have been working in the cloud (AWS, Azure, Google, Alibaba, IBM, Oracle) designing hybrid and multi-cloud software solutions. I am an MVP/GDE with several.