
A Comprehensive Guide to SSH: Setup, Security, and Usage in Homelab. SSH Key-Based Authentication. MOTD. Run GUI apps remotely.

Irony is wasted on the stupid, Oscar Wilde

SSH (Secure Shell) is a widely used cryptographic network protocol for securely accessing and administering remote computers over an untrusted network: it authenticates the server to you (host keys) and you to the server (password or key), and encrypts everything in between.

SSH

  1. Let’s install it (Ubuntu, Debian): sudo apt install openssh-server.

    Enable SSH on a Raspberry Pi. It allows you to access the command line of a Raspberry Pi remotely from another computer or device on the same network: sudo raspi-config, Interface Options, SSH.

    raspi-config helps you configure your Raspberry Pi: the keyboard layout, the timezone, the password of the pi user, SSH access, etc. Change the default password before you enable SSH; a Pi reachable over SSH with the default credentials is trivially taken over.

  2. Display the IP addresses assigned to all interfaces: ip address show. If you only need the Raspberry Pi’s IP address, open a terminal window and type: hostname -I.

  3. To connect to your server, use PuTTY (Windows) or invoke the ssh command followed by your username, the at sign @, and the IP address in the following format:

    ssh myUserName@myIpAddress
    
    # You may want to create an alias in your .bashrc (no spaces around the = sign, or bash treats "alias" as a command with three arguments):
    alias sshServer='ssh myUserName@myIpAddress'
    
    A Host entry in ~/.ssh/config (HostName, User, Port, IdentityFile) is the more flexible alternative once you have several servers.
    
  4. You may want to change the default behaviour of the OpenSSH server by editing its configuration file: sudo vi /etc/ssh/sshd_config (man sshd_config documents every directive). On Debian/Ubuntu the file starts with an Include of /etc/ssh/sshd_config.d/*.conf; sshd keeps the first value it reads, so a drop-in there overrides whatever you set further down.

        Port 2134 # By default sshd listens on port 22. Moving it cuts log noise from scanners, but is not a security control by itself.
        PermitRootLogin no # Do not allow root to log in directly; log in as an unprivileged user and use sudo.
        Banner /etc/issue.net # Display the contents of this file to the user before authentication.
        PasswordAuthentication no # Disable password authentication; only public-key logins are accepted. Set it only after a key-based login works (see below).
    
    
  5. Then check the configuration for syntax errors, sudo sshd -t -f /etc/ssh/sshd_config (no output means it is valid; sudo sshd -T prints the values sshd will actually use), and restart the daemon: sudo systemctl restart sshd.service (on Debian/Ubuntu the unit is ssh.service; sshd.service is an alias for it). Keep your current session open and test a new login before closing it, so a mistake cannot lock you out.

  6. Troubleshooting: is ssh running? sudo systemctl status ssh. On the client, ssh -v user@host shows which authentication methods were tried and why they failed.

  7. If the firewall is enabled on your system, you need to open the SSH port: sudo ufw allow ssh. If you changed Port above, allow that port instead (sudo ufw allow 2134/tcp) before restarting sshd, otherwise the restart cuts you off.

  8. To start the sshd service now: sudo systemctl start sshd.service. To start it automatically at boot: sudo systemctl enable sshd.service (enable --now does both).

SSH Key-Based Authentication

  1. Generate an SSH key pair on the client (your local computer): ssh-keygen. Prefer ssh-keygen -t ed25519 (the default since OpenSSH 9.5): the keys are stored in the ~/.ssh directory, the private key as id_ed25519 and the public key as id_ed25519.pub (id_rsa and id_rsa.pub for the RSA keys of older releases, which the examples below use). Protect the private key with a passphrase; it never leaves the client, only the .pub file is copied around.

  2. Next, copy the public key to the SSH server:

      ssh-copy-id -i ~/.ssh/id_rsa.pub userName@ServerIPAddress
    

    It uses a locally available public key to authorize logins on a remote machine: ssh-copy-id logs into the remote machine over ssh (with your password, for the last time) and appends the local computer’s public key to ~/.ssh/authorized_keys on the server, creating the directory and file with the right permissions if needed, e.g., cat ~/.ssh/authorized_keys:

    ssh-rsa CSDAAAB3NzaC1yc……asdSRTXmRQ.== myName@gmail.com

    The base64 blob in the middle is the key itself; the last field is a free-form comment (here an e-mail address) that sshd ignores.

  3. Import SSH keys to a new machine (move the private key only over a trusted channel, e.g., a USB stick or scp inside an existing SSH session, never by e-mail or chat):

  mkdir -p ~/.ssh/ # First, create the .ssh directory and copy the public and private keys into it.
  # Set the right permissions: ssh refuses to use a private key that other users can read ("UNPROTECTED PRIVATE KEY FILE!")
  chmod 700 ~/.ssh/
  chmod 600 ~/.ssh/id_rsa
  chmod 600 ~/.ssh/id_rsa.pub
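What ssh-copy-id does on the server, written out as an added example (this is not code from the original page): validate the key line, create ~/.ssh and authorized_keys with the permissions shown above, append the key only if it is not already there, and optionally prefix authorized_keys options such as from= and no-port-forwarding so a key that leaks is useless from outside your LAN. The key in the usage note is constructed and not a real key; the file names are assumptions.

```shell
#!/usr/bin/env bash
# install_authorized_key.sh: the server side of ssh-copy-id made explicit,
# plus the per-key restrictions ssh-copy-id cannot add for you.
# Added example for this guide, not from the original page.
set -eu

# valid_pubkey LINE
# Accepts "<type> <base64> [comment]" for the public key types OpenSSH ships;
# rejects a pasted private key or other garbage before it reaches authorized_keys.
valid_pubkey() {
  printf '%s\n' "$1" | grep -qE \
    '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'
}

# restrict_key LINE [OPTIONS]
# Prefixes authorized_keys options (see "AUTHORIZED_KEYS FILE FORMAT" in man sshd), e.g.
#   from="192.168.1.0/24",no-port-forwarding,no-agent-forwarding
# so the key only works from your LAN and cannot be used to pivot through the server.
restrict_key() {
  if [ -n "${2:-}" ]; then printf '%s %s\n' "$2" "$1"; else printf '%s\n' "$1"; fi
}

# install_key PUBKEY_FILE_OR_LINE AUTHORIZED_KEYS [OPTIONS]
# Creates the directory (700) and file (600) as ssh-copy-id does and appends the
# key once. Re-running is a no-op: entries are matched on "<type> <blob>", so the
# same key with a different comment or different options counts as already present.
install_key() {
  local pub=$1 auth=$2 opts=${3:-} dir blob
  if [ -f "$pub" ]; then pub=$(cat "$pub"); fi
  valid_pubkey "$pub" || { echo "refusing: not a public key line" >&2; return 1; }
  dir=$(dirname "$auth")
  mkdir -p "$dir" && chmod 700 "$dir"
  touch "$auth" && chmod 600 "$auth"
  blob=$(printf '%s\n' "$pub" | awk '{print $1 " " $2}')
  if awk -v b="$blob" '{ for (i = 1; i < NF; i++) if (($i " " $(i+1)) == b) { found = 1; exit } }
                       END { exit !found }' "$auth"; then
    echo "already present"
    return 0
  fi
  restrict_key "$pub" "$opts" >> "$auth"
  echo "installed"
}

# count_keys AUTHORIZED_KEYS: number of active entries (blank lines and comments skipped)
count_keys() { grep -cvE '^[[:space:]]*(#|$)' "$1" || true; }

# Usage on the server, after copying id_ed25519.pub over (paths and network are assumptions):
#   install_key ~/id_ed25519.pub ~/.ssh/authorized_keys 'from="192.168.1.0/24",no-port-forwarding'
#   count_keys ~/.ssh/authorized_keys
```

Run it twice with the same key and the second call reports "already present"; audit a server with count_keys and look at every entry that has no from= restriction.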
MOTD

  # Credits: Putorius.net. Create a Custom MOTD or login banner in Linux
  sudo bash -c 'echo "neofetch" >> /etc/profile.d/mymotd.sh'

Please observe that every *.sh file in /etc/profile.d is sourced by /etc/profile for each login shell (SSH sessions included), with the privileges of the user logging in. It therefore needs no executable bit, it must stay writable only by root (anything written there runs for every user who logs in), and it should be fast, because a slow neofetch delays every login. neofetch has to be installed (sudo apt install neofetch); scp and non-interactive ssh commands do not run it.

X11 forwarding

X11 forwarding lets you run GUI applications on the remote server while they are displayed on your local machine, which must be running an X server.

  1. sudo vim /etc/ssh/sshd_config: X11Forwarding yes
  2. Restart the sshd service: sudo systemctl restart ssh.
  3. Connect with X11 forwarding enabled: ssh -X userName@ServerSSHIPAddress. -X requests untrusted forwarding (the remote client is confined by the X SECURITY extension); -Y requests trusted forwarding, which gives the remote application full access to your local display, including other windows and keystrokes, so use it only with servers you fully trust. Note that on Debian/Ubuntu ForwardX11Trusted defaults to yes in /etc/ssh/ssh_config, so -X behaves like -Y unless you set ForwardX11Trusted no in ~/.ssh/config:
      ssh -X userName@ServerSSHIPAddress
    
  4. Finally, run X applications over SSH: vlc & or geany &.

Keep-alive

To keep idle SSH sessions alive system-wide on the server, edit sudo vim /etc/ssh/sshd_config (ClientAliveInterval and ClientAliveCountMax are server directives; they are not valid in ssh_config. The client-side equivalents are ServerAliveInterval and ServerAliveCountMax in /etc/ssh/ssh_config or ~/.ssh/config):

    TCPKeepAlive yes # Plain TCP keepalives; they are unencrypted and spoofable, so rely on the two directives below instead.
    ClientAliveInterval 600 # If nothing has been received for 600 seconds (10 minutes), send an encrypted request through the SSH channel and expect a reply.
    ClientAliveCountMax 3 # Disconnect after 3 consecutive unanswered requests (30 minutes of silence).

Two-factor authentication (Google Authenticator)

  1. sudo apt install openssh-server libpam-google-authenticator.
  2. sudo vi /etc/pam.d/sshd: add auth required pam_google_authenticator.so (it makes SSH ask for a one-time code through PAM). While you are still enrolling users, auth required pam_google_authenticator.so nullok lets accounts without a token log in; remove nullok once everyone is enrolled.
  3. sudo vi /etc/ssh/sshd_config:
    KbdInteractiveAuthentication yes (ChallengeResponseAuthentication yes on OpenSSH older than 8.7; this is the channel PAM uses to prompt for the code, and UsePAM yes must stay set)
    PasswordAuthentication no (Disable password authentication, because a lot of SSH servers still rely on weak passwords)
    Banner /etc/issue.net (Display a warning message; the path must match the file you edit in step 5)
    PermitRootLogin no (Disable root SSH login)
    With only these settings a valid public key still logs in without a code, because the PAM auth stack is not consulted for public-key logins. To require both key and code, add AuthenticationMethods publickey,keyboard-interactive (and, on Debian/Ubuntu, comment out @include common-auth in /etc/pam.d/sshd if you do not want a password prompt as well).
  4. Check the syntax and restart the daemon: sudo sshd -t && sudo systemctl restart sshd.service. Keep your existing session open until a fresh login with the code succeeds.
  5. vi /etc/ssh/sshd-banner (or /etc/issue.net, whichever path the Banner directive names):

    WARNING: Unauthorized access to this system is forbidden and will be prosecuted by law. By accessing this system, you agree that your actions may be monitored if unauthorized usage is suspected.

  6. Run google-authenticator as the user who will log in (not with sudo; it writes ~/.google_authenticator for the current user):
    Do you want authentication tokens to be time-based? y(es).
    Scan the QR code with Google Authenticator (or any TOTP app) and enter the code from the app. Keep the emergency scratch codes it prints somewhere safe: they are your way in if you lose the phone.
    Do you want me to update your "$HOME/.google_authenticator" file? y(es).
    Do you want to disallow multiple uses of the same authentication token? y(es).
    Do you want to increase the window of accepted codes from 3 to 17 (up to 4 minutes of clock skew)? n(o), unless the server or the phone keeps poor time.
    Do you want to enable rate-limiting? y(es); it limits attackers to no more than 3 login attempts every 30s.

The user is temporarily locked

If pam_faillock has locked the account after repeated failed logins (the message is typically "The account is locked due to N failed logins"), an administrator can reset the consecutive-failure counter so the user can try again: faillock --user YOUR-USER --reset. faillock --user YOUR-USER on its own lists the recorded failures with their source addresses, which is worth a look before resetting.

If you do not want the account to lock after failed attempts, remove or comment out the references to pam_faillock.so in /etc/pam.d/sshd or in an included file (e.g. /etc/pam.d/system-auth):

auth  required  pam_faillock.so preauth
auth  required  pam_faillock.so authfail
account required pam_faillock.so

# Then, restart sshd:
systemctl restart sshd

Bear in mind that faillock is your brute-force protection for passwords and one-time codes; raising deny or shortening unlock_time in /etc/security/faillock.conf is usually a better fix than removing the module.

Set up password-less SSH access to the Proxmox server

Allows password-less access to Proxmox (e.g., 192.168.1.33) or a VM/CT (e.g., 192.168.1.38) from our client machine (e.g., a Windows or a NixOS system): ssh-copy-id devuser@<container-ip>, e.g., ssh-copy-id root@192.168.1.38.

Using ssh-copy-id is the simplest way to set up key-based (password-less) SSH access: it copies your public key to the Proxmox host or container, so your client connects without typing a password each time, and password authentication can then be switched off entirely.

Upon success, your ~/.ssh/id_rsa.pub (or ed25519 key) is appended to /home/devuser/.ssh/authorized_keys on the container.

Now that you can SSH in as devuser with a key, disallow direct root login and turn off password authentication for SSH. Either edit the file inside the container (nvim /etc/ssh/sshd_config) or do it from the Proxmox host with pct exec:

pct exec $CTID -- sed -i 's/^#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
pct exec $CTID -- sed -i 's/^#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
pct exec $CTID -- sshd -t && pct exec $CTID -- systemctl restart sshd

These sed patterns only match the commented defaults: if a directive is already uncommented with another value, or is set in /etc/ssh/sshd_config.d/*.conf (Ubuntu cloud images ship 50-cloud-init.conf with PasswordAuthentication yes, and included files take precedence because sshd keeps the first value it reads), nothing changes. Check the effective configuration with sshd -T inside the container, and keep your current session open until a new key-based login succeeds.
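The sed one-liners above, like the manual sshd_config edits in the first section, silently do nothing when the directive is already uncommented with a different value, appears twice, or is overridden by a drop-in. As an added example, not code from the original page, this bash script sets each directive idempotently (it rewrites the first occurrence, drops duplicates and prepends when absent, because sshd keeps the first value it reads and anything after a Match block belongs to that block), writes a drop-in that sorts before the vendor files on Include-based configs, validates with sshd -t and reads the effective values back from sshd -T. The file name 00-hardening.conf and the directive list are assumptions; change them to taste.

```shell
#!/usr/bin/env bash
# harden_sshd.sh: apply the hardening directives from this guide so that they
# actually take effect, then verify what sshd will enforce.
# Added example for this guide, not from the original page.
set -eu

# Directives this guide sets, one "Key value" per line (assumed list; extend as needed).
HARDEN_DIRECTIVES='PermitRootLogin no
PasswordAuthentication no
Banner /etc/issue.net'

# set_sshd_option FILE KEY VALUE
# For a classic single-file config: the first KEY line (commented or not) becomes
# "KEY VALUE", later duplicates are dropped, and the directive is prepended when
# it was absent. Prepending matters: sshd uses the first value it sees, and any
# directive placed after a "Match" block belongs to that block, not to the defaults.
set_sshd_option() {
  local file=$1 key=$2 value=$3 tmp
  tmp=$(mktemp)
  if grep -qiE "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
    awk -v key="$key" -v value="$value" '
      { l = $0; sub(/^[ \t]*#?[ \t]*/, "", l) }                       # strip indent and comment marker
      tolower(l) ~ ("^" tolower(key) "([ \t]|$)") { if (!seen++) print key " " value; next }
      { print }' "$file" > "$tmp"
  else
    { printf '%s %s\n' "$key" "$value"; cat "$file"; } > "$tmp"
  fi
  cat "$tmp" > "$file" && rm -f "$tmp"                                 # keeps the file's owner and mode
}

# write_dropin DIR
# Debian 12 / Ubuntu 22.04+ start sshd_config with "Include /etc/ssh/sshd_config.d/*.conf".
# Included files are read first, in sorted order, and the first value wins, so a
# drop-in named 00-... beats vendor files such as 50-cloud-init.conf.
write_dropin() {
  local dir=${1:-/etc/ssh/sshd_config.d}
  mkdir -p "$dir"
  printf '%s\n' "$HARDEN_DIRECTIVES" > "$dir/00-hardening.conf"
  chmod 644 "$dir/00-hardening.conf"
}

# effective_value KEY [FILE]
# Reads "sshd -T" output (fully resolved config, lowercase keys) from FILE or
# stdin and prints the value sshd will enforce for KEY.
effective_value() {
  local key src=${2:-/dev/stdin}
  key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  awk -v key="$key" '$1 == key { $1 = ""; sub(/^ /, ""); print; exit }' "$src"
}

# apply_hardening [SSHD_CONFIG]: write, validate, restart, then prove the result.
apply_hardening() {
  local file=${1:-/etc/ssh/sshd_config}
  if grep -qE '^Include .*sshd_config\.d' "$file"; then
    write_dropin "$(dirname "$file")/sshd_config.d"
  else
    printf '%s\n' "$HARDEN_DIRECTIVES" | while read -r k v; do
      [ -n "$k" ] && set_sshd_option "$file" "$k" "$v"
    done
  fi
  sshd -t -f "$file"                                                   # syntax check before touching the daemon
  systemctl restart ssh.service 2>/dev/null || systemctl restart sshd.service
  printf 'PasswordAuthentication is now: %s\n' "$(sshd -T | effective_value PasswordAuthentication)"
}

# Run as root:  ./harden_sshd.sh apply     (keep your current session open and test a new login)
if [ "${1:-}" = apply ]; then apply_hardening; fi
```

Inside a Proxmox container the same script runs via pct push and pct exec; the effective_value check is the step to keep even if you edit by hand, since sshd -T is the only place the Include order, Match blocks and duplicates are already resolved for you.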

Remote Host Identification Has Changed

You may see this warning. It means that the host key the server presents differs from the one recorded in your known_hosts file the last time you connected, either because the server was reinstalled or its host keys were regenerated, or because something between you and the server is intercepting the connection. SSH uses host keys to verify the identity of the server you are connecting to, which is what defeats man-in-the-middle attacks, so treat the warning as a question ("did I change this server?") rather than as an obstacle. In the example below the client had an ECDSA key on record (known_hosts line 9) while the rebuilt container now presents an ED25519 key.

scp -r /root/terraform/myNewPython/ root@192.168.1.38:/home/nmaximo7/backup/
# Or maybe,
scp -r /home/nmaximo7/dotfiles/proxmox/myNewPython root@192.168.1.38:/root/terraform/
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:tOrb9W2PZlmu8fegrEZVrZbXGvfz7NKuAFrj6PpV0MA.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:9
  remove with:
  ssh-keygen -f "/root/.ssh/known_hosts" -R "192.168.1.38"
Host key for 192.168.1.38 has changed and you have requested strict checking.
Host key verification failed.
scp: Connection closed

# SOLUTION
# First confirm that the fingerprint shown above (SHA256:tOrb9W2PZlmu8fegrEZVrZbXGvfz7NKuAFrj6PpV0MA) is the one the server itself reports, e.g. from its console or the Proxmox web console, or that you know why it changed (reinstall, restored template). Only then remove the stale entry:
ssh-keygen -f "/root/.ssh/known_hosts" -R "192.168.1.38"
# Or, as the regular user
ssh-keygen -f "/home/nmaximo7/.ssh/known_hosts" -R "192.168.1.38"
# This removes the entry for 192.168.1.38 (the offending known_hosts:9 line); the new key is recorded the next time you connect and accept the fingerprint. Doing this blindly throws away the very check the warning exists for.
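As an added example (not from the original page), a small bash helper that turns the SOLUTION above into a verify-then-replace step: it pulls the presented fingerprint, the offending known_hosts line and the host out of the saved warning, compares the live fingerprint with the one you obtained out of band (on the server, from its console or the Proxmox web console: ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub), and only then removes the stale entry and records the new key. The host 192.168.1.38 and the fingerprint are the ones in the warning above; the file name warning.txt is an assumption.

```shell
#!/usr/bin/env bash
# verify_hostkey.sh: handle "REMOTE HOST IDENTIFICATION HAS CHANGED" without
# blindly trusting the new key. Added example for this guide, not from the
# original page. The expected fingerprint must come from the server itself
# (console or Proxmox web console):  ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
set -eu

# normalize_fp FP: make "SHA256:x", "sha256:x" and the "SHA256:x." the warning prints compare equal.
normalize_fp() {
  printf '%s' "$1" | tr -d '[:space:].' | sed 's/^[Ss][Hh][Aa]256:/SHA256:/'
}

# The next three read the warning text ssh/scp wrote to stderr (save it with 2>warning.txt).
fp_from_warning() { grep -oE 'SHA256:[A-Za-z0-9+/]+=*' "$1" | head -n1; }
offending_entry() { sed -nE 's/^Offending [A-Za-z0-9]+ key in ([^:]+):([0-9]+).*/\1:\2/p' "$1" | head -n1; }
changed_host()    { sed -nE 's/^Host key for ([^ ]+) has changed.*/\1/p' "$1" | head -n1; }

# fp_matches EXPECTED ACTUAL: status 0 if both name the same fingerprint, 1 otherwise.
fp_matches() { [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]; }

# live_fp HOST [PORT]: fingerprint the server presents right now (needs ssh-keyscan and ssh-keygen).
live_fp() {
  ssh-keyscan -p "${2:-22}" -t ed25519 "$1" 2>/dev/null | ssh-keygen -lf /dev/stdin | awk '{print $2}'
}

# replace_host_key HOST EXPECTED_FP [KNOWN_HOSTS] [PORT]
# Refuses unless the live fingerprint equals the one verified out of band; then
# drops the stale entry (ssh-keygen -R, the command the warning suggests) and records the new key.
replace_host_key() {
  local host=$1 expected=$2 kh=${3:-$HOME/.ssh/known_hosts} port=${4:-22} actual target
  target=$host
  [ "$port" = 22 ] || target="[$host]:$port"            # known_hosts names non-default ports this way
  actual=$(live_fp "$host" "$port")
  if [ -n "$actual" ] && fp_matches "$expected" "$actual"; then
    ssh-keygen -f "$kh" -R "$target" >/dev/null 2>&1 || true
    ssh-keyscan -p "$port" -t ed25519 "$host" 2>/dev/null >> "$kh"
    echo "known_hosts updated for $target ($actual)"
  else
    echo "REFUSING: expected $expected but $host presented ${actual:-nothing}" >&2
    return 1
  fi
}

# Usage with the warning above, after reading the fingerprint off the container's console:
#   scp -r ... root@192.168.1.38:/root/terraform/ 2>warning.txt || true
#   offending_entry warning.txt        # -> /root/.ssh/known_hosts:9
#   replace_host_key "$(changed_host warning.txt)" SHA256:tOrb9W2PZlmu8fegrEZVrZbXGvfz7NKuAFrj6PpV0MA /root/.ssh/known_hosts
```

If replace_host_key refuses, stop and find out why the console fingerprint and the one on the wire differ before connecting again; that is exactly the situation the warning describes.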

Run individual GUI apps remotely

You may want to use SSH with X11 forwarding (or VNC) to run individual GUI apps, from text editors to file managers, on the remote server (here the Proxmox host or a VM) while they are displayed on your workstation, without setting up a full remote desktop.

# On the Proxmox server: enable X11 forwarding. Edit the directive in place rather than
# appending: sshd keeps the first value it reads, so a line appended after an existing
# "X11Forwarding no" (or after a Match block) has no effect. Debian, and therefore
# Proxmox, ships "X11Forwarding yes" by default, so check before changing anything.
grep -E '^#?X11Forwarding' /etc/ssh/sshd_config
sed -i -E 's/^#?X11Forwarding .*/X11Forwarding yes/' /etc/ssh/sshd_config
sshd -t && systemctl restart ssh

# On the Linux/macOS client: make sure an X server is available
sudo apt install x11-apps # Debian/Ubuntu: your desktop session already provides X (or XWayland); x11-apps only adds test clients such as xeyes
brew install --cask xquartz # macOS: XQuartz is the X server; log out and back in after installing

# From your client, connect with X11 forwarding (-X: untrusted forwarding; -Y: trusted forwarding with full access to your display)
ssh -X root@proxmox

# Then run GUI apps on the server; their windows appear on your desktop:
mousepad & # or leafpad: lightweight text editors (sudo apt install mousepad)
pcmanfm & # lightweight file manager (sudo apt install pcmanfm)
feh /path/to/image & # simple image viewer (sudo apt install feh)

JustToThePoint Copyright © 2011 - 2025 Anawim. ALL RIGHTS RESERVED.
