
Configuring & Using SSH

All dedicated ARM Linux servers provided by OakHost come with SSH pre-installed and configured. By default, root access with a random password is provided to get you started right away. Although encrypted, the default password can be viewed through the Customer Panel for initial configuration. Therefore, it is strongly advised to change the password as soon as you connect to your server for the first time.

For additional security, we also recommend enabling SSH Public/Private Key authentication, disabling password login and disallowing the root user to sign in through SSH entirely. Please read on to learn about these best practices.

Connecting via SSH

To initially connect to your OakHost Server, navigate to the Customer Panel, click on your server and then select the Remote Access tab. There, you will find your initial login credentials.

You will need an SSH client to connect to the server. On macOS or Linux, this client comes pre-installed and can be accessed through the Terminal application. Just copy the line beginning with ssh root@... from the Customer Panel. When prompted for a password, type in the initial password provided. Don't worry if it doesn't show up on the screen.

On Windows, you have multiple options to proceed. You can either install Windows Subsystem for Linux and proceed as above, which we would recommend, or you can use an external SSH client like PuTTY.

Changing the Root Password

Once connected to your server, changing a user password is as simple as typing the following command and hitting enter:

passwd

You will be prompted to enter a new password and confirm it once. Don't worry if the password won't show up on the screen, it will still register.

Once done, verify whether the password works by initiating a new SSH connection using the new password. We recommend keeping the old connection open, in case the password doesn't work.

Disallow Root Login via SSH

To increase security, the root user should not be able to connect via SSH directly. Instead, you should create a new user, and then use this user to change to the root user when necessary (sudo).

  1. First, create a new user that will be used to sign in. You can choose any name, as long as it doesn't contain special characters or spaces. Type in the following command, hit enter and walk through the assistant. It will also ask for a new password. This will later be used to sudo into the root user.
adduser myuser
  2. Next, add the newly created user to the sudo group. This is needed so you can later switch to the root user. Make sure to replace myuser with the username you picked in the command above.
usermod -a -G sudo myuser
  3. Once the user is set up, we need to disallow the root user from signing in via SSH. For that, open up the SSH configuration using a text editor. For example, nano:
nano /etc/ssh/sshd_config
  4. Locate the following line (probably at the end of the file), change yes to no, and add an AllowUsers line below:
# Locate:
PermitRootLogin yes
# Change to:
PermitRootLogin no
AllowUsers myuser
  5. Save the file by hitting Ctrl+X and then y to confirm the changes.

  6. Restart the SSH server to apply the new configuration file by using the following command:

service ssh restart

Caution: Please leave the SSH connection open in case anything goes wrong. Otherwise you may lose access to your server.

  7. Test your changes by opening a new connection via SSH. This time, you shouldn't be able to log in as root. So, instead of root@..., try:
ssh myuser@[your-ip]
  8. In case everything is set up correctly, you should be able to sign in using the newly chosen password and username. Lastly, check whether you are able to sudo to the root account:
sudo su
  9. This should ask for a password. It's the same password you used to log in via SSH. Once done, you should be root. Check by typing:
whoami

It should return root.

Disallow SSH Login via Password

The last step in securing your SSH access is to disable password logins entirely. With passwords, there is always the chance that they may be guessed by an attacker. To avoid this, SSH allows login via SSH keys, which consist of two files: one containing a private key, which resides on the connecting device, and one containing a public key, which will be put on the server. That way, a secure connection can always be established without the need for a password.

  1. First, you need to generate a public and private key pair which we will use to connect to your server. Do so by running the following command on your client PC, NOT the server:
# On your PC, run:
ssh-keygen
  2. Confirm the default values. If you want, you can provide a password. This will then be used to decrypt your private key every time you connect. This is however optional and can be left blank.

Caution: Your SSH key file has now been generated at the indicated location (by default, in your home folder in a hidden .ssh directory). Make sure that you do not lose or share this key. Otherwise, access to your server will be lost. There is, however, always the option to add additional SSH keys, as long as you still have access to your server.

  3. Now, we need to copy the newly generated public key to the server. This will authorize this key (and therefore you) to access the server. On your PC, execute the following command:
# On your PC, run:
ssh-copy-id myuser@[your-ip]

Replace myuser with the username created on your server, and [your-ip] with the IP address of the server.

  4. Once complete, this should already give you access to your server without the need of the user password. Try connecting via SSH like you normally would, and verify that it's not requesting your user password. If you opted to enter a password during the generation of the SSH key, you will however be asked for this password instead.

  5. When connected, type in the following command to verify whether the key was correctly placed:

cat .ssh/authorized_keys

It should return a long string of random characters, beginning with ssh-rsa and ending with what looks like an email address. For example:

$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbFkMavQRMKwXo7jdF3DJIeS07N9BP8OBdohEAhK0DbN2hWWu2lXlwYlkM2uY35SSGR1RguP27QaoalntsD1jFQl36uQOybhwB5/b3vu9bBmVa0IxC6sANEpH+xVl/g4AC/SOG7iEwZinOYcrHTHnjYLIJ41wevISa0jqq7RBvYokuh/pEgKm/TyH3esNtgX4gZbr/H4v5v8wKHtPPxEy2EeY5lRmj/ldGmK0lGgyr8hQ8wNjV+19YkjRI6Oj5Sm60qZcxLx1dWRopIdwbGXrcd7zcUuwVGANyNXmMNeOHD5GlR+u95u9JNQPcI/GIycJ5Ko+xCIJ6pifvbVND9Pnz [email protected]
  6. Lastly, we need to disable password logins via SSH. Otherwise, a malicious attacker may still be able to brute-force the password, even though you're using a key to log in.

To do so, once again open up the SSH configuration using a text editor:

nano /etc/ssh/sshd_config

Now, you should search for a line starting with PasswordAuthentication and change its value from yes to no. If you can't find it, just add it to the bottom of the file.

# Locate:
PasswordAuthentication yes
# Change to:
PasswordAuthentication no

Again, save the file by hitting Ctrl+X and then y to confirm the changes, then restart the SSH server:

service ssh restart

Caution: Please leave the SSH connection open in case anything goes wrong. Otherwise you may lose access to your server.

  7. To complete the process, try to log in via SSH with a new connection again. If it works, everything should be set up correctly. If the login fails, try to revert the changes to the SSH configuration file and restart the SSH server once more.
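
Added example (not part of the OakHost documentation): sshd uses the first value it obtains for each keyword, so a line appended at the bottom of sshd_config can be overridden by an earlier line or an included file. The shell function below, with the assumed name audit_sshd and constructed sample input, checks the effective settings printed by sshd -T against the two procedures above: PermitRootLogin no, AllowUsers, and PasswordAuthentication no.

```shell
#!/bin/sh
# Added example, not OakHost code. Reads `sshd -T` style output on stdin and
# checks the three settings this guide changes.
# On the server: sudo sshd -T | audit_sshd myuser
audit_sshd() {
    login_user=$1   # assumption: the user created with adduser, e.g. myuser
    awk -v user="$login_user" '
        # sshd -T prints one "keyword value..." line per setting, lower-cased
        { key = tolower($1) }
        key == "permitrootlogin"        { root = tolower($2) }
        key == "passwordauthentication" { pw = tolower($2) }
        key == "allowusers" {
            have_allow = 1
            # exact-name match only; user@host and wildcard patterns are not handled
            for (i = 2; i <= NF; i++) if ($i == user) allowed = 1
        }
        END {
            bad = 0
            if (root != "no") { print "FAIL PermitRootLogin is " (root == "" ? "unset" : root); bad++ }
            if (pw != "no")   { print "FAIL PasswordAuthentication is " (pw == "" ? "unset" : pw); bad++ }
            if (!have_allow)    { print "FAIL AllowUsers is not set"; bad++ }
            else if (!allowed)  { print "FAIL AllowUsers does not list " user; bad++ }
            if (!bad) print "OK effective sshd configuration matches the guide"
            exit bad
        }'
}

# Constructed sample: effective configuration after both procedures took effect
sample_hardened() {
    printf '%s\n' 'port 22' 'permitrootlogin no' \
        'passwordauthentication no' 'allowusers myuser'
}

# Constructed sample: PasswordAuthentication no was added, but an earlier
# "PasswordAuthentication yes" is the value sshd actually uses
sample_shadowed() {
    printf '%s\n' 'port 22' 'permitrootlogin no' \
        'passwordauthentication yes' 'allowusers myuser'
}

sample_hardened | audit_sshd myuser
sample_shadowed | audit_sshd myuser || echo "exit status $?: fix before closing your session"
```

On the server, sshd -t checks the configuration file for syntax errors before you restart the service, and sudo sshd -T | audit_sshd myuser runs this check against the live configuration.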