Information about SCP can be found in the corresponding note.
Troubleshooting
Info
Executing commands over SSH as sudo can lead to problems if a password is requested from the remote server. This can be mitigated by adding the user on the remote server to the corresponding groups. For instance, if a Docker command shall be executed the user has to be added to the docker group. It is advisable to use users for deploy that only have the needed rights and especially no root rights - for security reasons and to mitigate messing something up during automatic deploy.
Info
When you try to include a private key into a Container - e.g. Docker - via variables it can happen that error in libcrypto occurs. This can be due to reformatting of the key when it is provided by the variable. Depending on the environment it can be necessary to fall back to password authentiuation rather than key based authentication.
Login via public key method not working
Make sure that public key authentication is activated in the remote servers SSH settings (SSH Settings).
Also check if the public key is added to the authorized_keys file on the remote server.
If that does not help check the ssh command with -v option to get verbose information during execution.
You can also force the client to use the public key method with the option -i <path_to_key> if it doesn’t use it.
Different PATH variables set when logged in via SSH
It can happen that PATH is set differently when logged in via SSH than when logged in to the machine directly. This can be changed by using the following command when logged in via SSH:
/bin/bash --login
SSH login only possible through port 22 even though a different one is configured in sshd_config
It can happen that the ssh.socket service binds to port 22 upon startup. This will cause the sshd service to also use this port instead of the one configured in its configuration file.
It can be checked if ssh.socket is enabled using one of the following commands:
If it’s viable, this can be resolved by stopping and disabling the ssh.socket service. This normally does not cause problems. It will normally just cause the sshd service to run continuously to accept incoming connections. This overhead is however minimal.
This is how the ssh.socket service can be stopped and disabled:
To set up key based authentication for SSH follow these steps:
First make sure the SSH service is installed and running. Under most Linux distributions the following command can be used: systemctl status sshd. If it is not running follow the steps in the section Installation & Start of SSH-Services.
create a key pair on your client machine with these commands:
Create SSH-Key
To create a new SSH key use the following command:
ssh-keygen -b 4096 -t rsa
Make sure to set the permissions for the new private key to
chmod 600 id_rsa
To create a SSH key without any prompt outputs use the following command:
Copy the public key you have just generated to the servers ~/.ssh/authorized_keys file. If the file does not exist yet create it and make sure to set it’s permission rights to 600 via chmod.
/etc/ssh/.
Depending on how the SSH service is set up on your server it can be necessary to register your public key in another way so that it will be used for client authentication. This could be for instance via webGUI or you may have to copy it into another folder and / or file. This depends on the SSH configuration which can normally be found in
Try to establish a SSH connection with your client. Try to connect with the newly generated key directly. This can be done with the instructions shown here:
Connect via SSH
To create a SSH connection it can be necessary to define the authentication method exactly when trying to connect, because some servers will block login attempts after a maximum number of authentication tries. This will cause you to be locked out if too many public keys are available on your client machine that have to be tried before finding the right one.
Thus, it can be mandatory to define what should be done for authentication.
If you want to login via password, the following command can be used:
You can also directly define hosts and their authentication method to connect easily with a shorter command. This can be done by creating the file ~/.ssh/config. The content for each host should look like this:
Host <your_host_name> HostName <ip_address> User <user> Port <port> IdentityFile <path_to_key>
You can not reference this host using this command:
At last it is always a good step to disable password based authentication on your server since it is less secure than key based authentication. An automated way to set these configurations up is explained in SSHD configuration.
Installation & Start of SSH-Services
Info
The SSH-Server and Client services require different packages. Take care to install the correct ones when setting up SSH on fresh machines.
SSH-Server
The SSH-Server service is needed to be able to connect to the respective machine from remote ones. The installation and start of the service is done using the following commands.
Warning
When setting up the authorized_keys file make sure that the file has the right owner and permissions!
It is suggested to set the permissions to 600 via chmod and place it in the users or root folder .ssh. The current users folder should be at ~/.ssh, i.e. /home/<username>/.ssh. The folder for the root user should be at /root/.ssh. Only consider using the root user of it is not possible otherwise.
Fedora
Install the SSH-Server service via:
sudo dnf install openssh-server
Run the service like follows if you are on a standard Linux machine:
sudo systemctl start sshd
However if sshd should be run in a container systemctl is most likely not available since containers do not have a init process. In this case run the sshd service manually. The attached & will cause this process to be run in the background so that the command line can still be used for further commands.
/usr/sbin/sshd -D &
Debian
Install the SSH-Server service via:
sudo apt-get install openssh-server
Run the service like follows if you are on a standard Linux machine:
sudo systemctl start sshd
However if sshd should be run in a container systemctl is most likely not available since containers do not have a init process. In this case run the sshd service manually. The attached & will cause this process to be run in the background so that the command line can still be used for further commands.
/usr/sbin/sshd -D &
SSH-Client Service
The SSH-Client service is needed to connect from the respective machine to remote machines. Install the tool like follows.
Fedora
Install the SSH-Client service via:
sudo dnf install openssh-clients
SSHD configuration
To set up a safe initial configuration of the SSHD_config file use the following sed commands that will alter the most important settings.
Warning
Make sure public keys are deployed on the machine you are configuring and you can access it via those keys. Check out the section Setup for more information.
Otherwise you will not be able to login again after setting the following tighter login rules.
To create a SSH connection it can be necessary to define the authentication method exactly when trying to connect, because some servers will block login attempts after a maximum number of authentication tries. This will cause you to be locked out if too many public keys are available on your client machine that have to be tried before finding the right one.
Thus, it can be mandatory to define what should be done for authentication.
If you want to login via password, the following command can be used:
You can also directly define hosts and their authentication method to connect easily with a shorter command. This can be done by creating the file ~/.ssh/config. The content for each host should look like this:
Host <your_host_name> HostName <ip_address> User <user> Port <port> IdentityFile <path_to_key>
You can not reference this host using this command:
ssh <your_host_name>
SSH Settings
The settings of the SSH service is located under /etc/ssh/. Within that folder both the ssh_config for the local SSH program and the sshd_config for the OpenSSH service can be found.
Manage SSH Daemon
Fedora
systemctl <start/restart/stop> sshd
Slackware / unRAID
/etc/rc.d/rc.sshd <start/restart/stop>
FreeBSD
/etc/rc.d/sshd <start/restart/stop>
Configure Sudo without password when using SSH public key authentication
This can be used when doing automatic deploys over SSH. However it is normally easier and more common to add a specific user to a system group (e.g. Docker group).