How to access remote systems using SSH

Red Hat Enterprise Linux (RHEL) is a multitasking operating system that allows multiple users to connect to it. Two or more users connected to the same server at once? How is this possible? There are two forms of access: physical access (standing in front of the server and a keyboard) or remote access (over a network).

In the modern world, where working from home has become prevalent and most organizations use cloud systems, it's not practical to always be physically at a server to perform an administrative task.

Remote access methods

There are two forms of remote access on RHEL and most Unix and other Linux systems:

• Secure Shell (SSH) provides a text console on a server, with the option to forward graphics as needed.
• Virtual Network Computing (VNC) provides a graphical login to a system, with a full desktop in a VNC client.

Both are common, but most sysadmins default to the simplicity, flexibility, and efficiency of SSH.

The OpenSSH suite contains tools such as sshd, scp, sftp, and others that encrypt all traffic between your local host and a remote server.

The sshd daemon, which runs on the remote server, accepts connections from clients on a TCP port. SSH uses port 22 by default, but you can change this to a different port. To initiate an SSH connection to a remote system, you need the Internet Protocol (IP) address or hostname of the remote server and a valid username. You can connect using a password or a private and public key pair. Because passwords and usernames can be brute-forced, it's recommended to use SSH keys.

For an SSH client and server to establish a connection, the SSH server sends the client a copy of its public key before allowing the client to log in. This process encrypts traffic exchanged between the server and the client.

Install SSH

OpenSSH is usually installed by default on Linux servers. If it's not present, install OpenSSH on a RHEL server using your package manager, and then start and enable it using systemctl:

[server]$ sudo dnf install openssh-server 
[server]$ systemctl enable --now sshd

You can then access the server with most terminal applications that support the SSH protocol (GNOME Terminal, Konsole, PuTTY, mobaxterm, and others). Most Linux and macOS systems have the openssh-clients package installed by default. If not, you can install the client on a RHEL system using your package manager:

[server]$ sudo dnf install -y openssh-clients

You can now initiate a connection to the server using the IP or the hostname.

[ Download the guide to installing applications on Linux. ]

Log in over SSH

To access a server with IP 10.200.1.3 from another Linux system, the syntax is:

ssh user@host

For example, to log in as the user tux to a server located at 10.200.1.3:

[client]$ ssh tux@10.200.1.3

In instances where SSH runs on a different port, say 2345, specify the port number with the -p option:

[client]$ ssh -p 2345 tux@10.200.1.3

The first time you connect to a remote server, you're prompted to confirm the system's identity:

[client]$ ssh tux@10.200.1.3
The authenticity of host '10.200.1.3 (10.200.1.3)' can't be established.
ED25519 key fingerprint is SHA256:55ZkHA/4KU7M9B3je9uj8+oOLjFdV0xHxPTjMvCT0hE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? 

The fingerprint is a unique identifier for the system you're logging into. If you installed and configured the system, you may (or may not) have a record of its fingerprint, but otherwise, you probably have no way to confirm whether the fingerprint is valid. The fingerprint is derived from an SSH key located in the /etc/ssh directory on the remote server. That server's admin can confirm the expected fingerprint using this command on the server:

[server]$ sudo ssh-keygen -v -lf \
/etc/ssh/ssh_host_ed25519_key`

This command extracts a fingerprint from the host's SSH key, which you can use to check that the server you're logging onto is the server you expect.

[ Learn why the operating system matters to your IT infrastructure's foundation. ]

Assuming you're happy with the fingerprint, type yes followed by the user's password, and you have access. When using SSH key authentication, there's no need for a password, and the connection is established. SSH keys help thwart brute-force attacks, and they also prevent you from constantly having to type and retype a password, so they're the safer option.

If a client doesn't have a copy of the public key in its known_hosts file, the SSH command asks you whether you want to log in anyway. If you do, a copy of the public key is saved in your ~/.ssh/known_hosts file so that the server's identity can be automatically confirmed in the future. SSH warns you if the server's fingerprint changes.

Use a remote shell

SSH is a powerful tool for remote access. It allows you to log in and run commands on a remote machine just as if you were sitting in front of it. Many sysadmins use custom prompts for remote machines to avoid confusing a local terminal with a remote one. For instance, you might set the login prompts of remote machines to contain the hostname, use % instead of $, or use a tool like Starship to manage PS1 for you.

Wrap up

OpenSSH is probably already installed on your Linux systems, but refer to the commands above to install it with your favorite package manager. You may use the default settings, such as port 22, or customize the settings. It's usually best to use key-based authentication. You have many options to take full advantage of this robust and critical remote administration tool.