Friday, August 22, 2008

Linux Networking with SSH

SSH (Secure Shell)

SSH is a networking tool that enables remote logins to another GNU/Linux computer. It is superior to Samba because it allows you to log in as the user and have the same access to the machine as you would if you were sitting at it. It allows you not only to move files around but also to run applications.
Mint comes with the ssh client preinstalled, but to be able to access the machine from another computer you have to install the ssh server. You can install it with a package manager like mintinstall or synaptic, or it can be easily accomplished in a terminal with:

sudo apt install ssh

Now you can go to the other PC and gain terminal access to your Mint machine, or access it using a file manager like Nautilus or Konqueror. For the purposes of this howto we will pretend that the IP address of your machine is 192.168.0.111.

To gain remote access in a terminal simply enter:

ssh user@ip-address (ie: ssh mintuser@192.168.0.111)

or, if you want to run GUI applications, enter:

ssh -X user@ip-address

You will then be asked for the user id for the remote computer and be granted a prompt on that machine.

To access the remote PC via ssh using Nautilus:

Toggle to text-based location input in browser mode.

The protocol used for ssh in a file browser is called sftp. Enter the address into the location field using the following format:
sftp://user@ip-address (ie: sftp://mintuser@192.168.0.111)

Access via Konqueror is achieved by entering the same thing into its location field.

Of course, you can now add a bookmark so you don't have to type the address in every time you want to access it.

-------------------------------------------------------------------------------------------

Remote Access via Internet

The default port for ssh is 22, so make sure that this port is forwarded in your router if you want access through it (details on changing the port number for greater security are described later in the "Improving SSH Security" section). Setting up port forwarding varies from router to router, so you will have to consult your router's manual for information on setting that up.

To access the PC through the router from the outside world you will need to set up a static local IP address so the router knows where to direct the forwarded port. We will continue to use 192.168.0.111 as an example.

Go into Administration > Preferences > Network (or from a terminal: network-admin).
Click "Unlock", select the network connection and open Properties.
Disable "Enable roaming mode" and enter the details, which will be something like:

Static IP Address
IP address - 192.168.0.111
Subnet mask - 255.255.255.0
Gateway address - 192.168.0.1

These values can be found by simply looking at what was automatically assigned in the connection information on the network monitor on the task bar. You can also get this info, including the MAC address (HWaddr), by typing in a terminal: ifconfig

Now open the sshd config file by entering in a terminal:

gksu gedit /etc/ssh/sshd_config
(or in kde: kdesu kwrite /etc/ssh/sshd_config)

Look for "#ListenAddress 0.0.0.0" and replace it with "ListenAddress 192.168.0.111".

Save it.

When accessing the machine from the outside world you need to enter the server's Internet IP address into the client's terminal or file manager, not the local LAN address. If you are accessing it from the local LAN you use the local address. The configuration settings all use the local address; the Internet address is just what a client in the outside world has to use, and it has nothing to do with the setup of your ssh server.
The Internet address of your ssh server can be found by examining the router or by simply going to http://whatismyip.com in a web browser.

You will now have to restart the ssh server. Do that by entering this in a terminal:
sudo /etc/init.d/ssh restart

----------------------------------------------------------------------

Improving SSH security

The default settings for ssh leave a little to be desired, but it is quite simple to improve them.
To do this you need to edit the sshd config file. Do this by entering in a terminal:

gksu gedit /etc/ssh/sshd_config
(or in kde: kdesu kwrite /etc/ssh/sshd_config)

Now we can make some modifications.

Port
It is wise to operate ssh on a different port from the default one if you can. Choose something out of the range of most port scanners. Something above 5000 is a good idea if your ISP isn't one of those Big Brother types that block ports. I will use 5876 for the example, but that is an arbitrary choice. Don't forget to set up your router's port forwarding to use the same port number.
Look for "Port 22" and change this to "Port 5876".
If you do this it changes how you must address the machine accordingly:
In a terminal: ssh user@ip-address -p5876 (ie: ssh mintuser@192.168.0.111 -p5876)
In a filemanager: sftp://user@ip-address:port (ie: sftp://mintuser@192.168.0.111:5876)

Login Grace Time.
This is how long you allow for the password to be entered. It is set to 120 secs by default; adjust this to a figure you are happy with. 120 is probably ok because we are going to limit the number of retries allowed.

Root Login.
Disable this. Why it is on by default baffles me.
Replace "PermitRootLogin yes" with "PermitRootLogin no".

Maximum login attempts.
This is also not set by default. Do it. Add this line to the Authentication section to only allow 2 tries before it boots you out. You can make it 3 if you have really clumsy fingers or a bad memory, I guess. Suit yourself, but no more than 2 or 3 is probably wise.
MaxAuthTries 2

Don't forget to restart the server after making the changes with:
sudo /etc/init.d/ssh restart
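Since sshd only honours the first uncommented occurrence of each keyword, it is easy to leave a setting commented out or duplicated and think you have changed it. The following script is an added example, not part of the original post: it reads an sshd_config and reports whether the Port, ListenAddress, PermitRootLogin and MaxAuthTries edits from the "Remote Access via Internet" and "Improving SSH security" sections are actually in effect. The two config files it checks are constructed samples written to a temporary directory; point it at /etc/ssh/sshd_config to check a real server.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# settings this howto recommends. The two configs below are constructed
# samples written to a temp dir so the script runs offline.

# Print the first active (uncommented) value of KEY in CONFIG. sshd uses the
# first match and ignores "#Port 22" style commented defaults, so an empty
# result means the built-in default is still in effect.
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Report each recommended setting; the return value is the number of checks
# that still need attention (0 = all four settings are in place).
audit_sshd_config() {
    cfg=$1; fails=0
    port=$(effective_value "$cfg" Port)
    if [ -n "$port" ] && [ "$port" != 22 ]; then echo "OK   Port $port"
    else echo "WARN Port: still on default 22"; fails=$((fails+1)); fi
    addr=$(effective_value "$cfg" ListenAddress)
    case $addr in
        ""|0.0.0.0|::) echo "WARN ListenAddress: all interfaces"; fails=$((fails+1)) ;;
        *) echo "OK   ListenAddress $addr" ;;
    esac
    if [ "$(effective_value "$cfg" PermitRootLogin)" = no ]; then echo "OK   PermitRootLogin no"
    else echo "WARN PermitRootLogin: root login not disabled"; fails=$((fails+1)); fi
    tries=$(effective_value "$cfg" MaxAuthTries)
    if [ -n "$tries" ] && [ "$tries" -le 3 ]; then echo "OK   MaxAuthTries $tries"
    else echo "WARN MaxAuthTries: unset (sshd default is 6) or above 3"; fails=$((fails+1)); fi
    return "$fails"
}

TMPD=$(mktemp -d)
# Constructed sample 1: a stock file, every recommended line still commented out.
cat > "$TMPD/default.conf" <<'EOF'
#Port 22
#ListenAddress 0.0.0.0
PermitRootLogin yes
#MaxAuthTries 6
EOF
# Constructed sample 2: the same file after the edits described in this howto.
cat > "$TMPD/hardened.conf" <<'EOF'
Port 5876
ListenAddress 192.168.0.111
PermitRootLogin no
MaxAuthTries 2
EOF

for f in default hardened; do
    echo "== $f.conf"
    audit_sshd_config "$TMPD/$f.conf" || echo "$? setting(s) need attention"
done
```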

It is possible to force ssh to use RSA keys instead of passwords for greater security, but I will not go into that here; that is a topic of its own. I suggest that you use a hard-to-guess password on your PC anyway.


Now you're all ready to ssh your heart out. Have fun.

-------------------------------------------------------------

Other useful commands:

sudo /etc/init.d/ssh stop - stop the ssh server
sudo /etc/init.d/ssh start - start the ssh server
man ssh - comprehensive description of ssh commands
