Connecting to a server using SSH on Linux or Mac OS
This article provides the steps for connecting to your cloud server from a computer running Linux or Mac OS X by using SSH. It also discusses generating an SSH key and adding a public key to your server.
Secure Shell (SSH) is a protocol through which you can access your cloud server and run shell commands. You can use SSH keys to identify trusted computers without the need for passwords, and to interact with your servers.
SSH is encrypted with SSL, which makes it difficult for these communications to be intercepted and read.
Note: Many of the commands in this article must be run on your local computer. The default commands listed are for the Linux command line or Mac OS X Terminal. To make SSH connections from Windows, you can use a free program called PuTTY. To generate keys, you can use a related program, PuTTYGen. Use WinSCP to run SCP or SFTP on Windows.
Using the IP address and password for your cloud server, log in by running the ssh command with username@ipaddress as the argument.
You are prompted to enter the password for the account to which you're connecting.
Remote host identification
If you rebuilt your cloud server, you might get the following message:
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
One of the security features of SSH is that when you log in to a cloud server, the remote host has its own key that identifies it. When you try to connect, your SSH client checks the server's key against any keys that it has saved from previous connections to that IP address. When you rebuild a cloud server, that remote host key changes, so your computer warns you of possibly suspicious activity.
To ensure the security of your server, you can use the web console in the Cloud Control Panel to verify your server's new key. If you're confident that you aren't being spoofed, you can skip that step and delete the record of the old SSH host key as follows:
On your local computer, edit the SSH known_hosts file and remove any lines that start with your cloud server's IP address.
If you are not using Linux or Mac OS X on your local computer, the location of the known_hosts file might differ. Refer to your OS for information about the file location. PuTTY on Windows gives you the option of replacing the saved host key.
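The manual edit described above, as an added shell example (not code from the original article). It goes slightly beyond "lines that start with" the address by matching the host field exactly and by handling comma-separated and [address]:port entries; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# forget_host ADDRESS [FILE]: drop the saved host keys for ADDRESS from a
# known_hosts file (default ~/.ssh/known_hosts), leaving a copy in FILE.old.
forget_host() {
    addr=$1
    file=${2:-$HOME/.ssh/known_hosts}
    [ -n "$addr" ] && [ -f "$file" ] || return 2
    cp -p "$file" "$file.old" || return 1
    awk -v a="$addr" '
        /^[ \t]*(#|$)/ { print; next }        # keep comments and blank lines
        {
            # Skip a leading @cert-authority or @revoked marker, then split the
            # comma-separated host list. Matching is exact, so 203.0.113.100
            # survives the removal of 203.0.113.10; [address]:port is how an
            # entry for a non-default port is recorded.
            h = ($1 ~ /^@/) ? $2 : $1
            n = split(h, hosts, ",")
            for (i = 1; i <= n; i++) {
                if (hosts[i] == a || index(hosts[i], "[" a "]:") == 1) next
            }
            print
        }' "$file.old" > "$file"
}

# Constructed sample (not real keys): prints how many lines remain.
demo_forget_host() {
    d=$(mktemp -d) || return 1
    cat > "$d/known_hosts" <<'EOF'
# constructed sample entries
203.0.113.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEY
web1.example.com,203.0.113.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABOLD
[203.0.113.10]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDALT
203.0.113.100 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEIGHBOUR
|1|Y29uc3RydWN0ZWQ=|c2FtcGxlaGFzaA== ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHASHED
EOF
    forget_host 203.0.113.10 "$d/known_hosts" || return 1
    grep -c '' "$d/known_hosts"
    rm -rf "$d"
}
```

Hashed entries (lines beginning with |1|) cannot be matched as text and are left in place; `ssh-keygen -R address` removes those as well.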
Generate a new SSH key pair
You can secure SSH access to your cloud server against brute force password attacks by using a public/private key pair. This means that a public key is placed on the server and a matching private key is placed on your local computer. If you configure SSH on your server to accept only connections using keys, then no one else can log in using just a password. Connecting clients are required to use a private key that has a public key registered on the server.
- Run the following command using your email address as a label. Substitute your email address for email@example.com in the command.
ssh-keygen -t rsa -C "email@example.com"
A message indicates that your public/private RSA key pair is being generated.
You are prompted to enter a file in which to save the key. Press Enter to use the default location.
- If you want the additional security of a password for the key pair, enter a passphrase. If you don't want to use a password with the key pair, press Enter to continue without setting one.
Your key pair is generated, and the output looks as follows:
Your identification has been saved in /LocalFileLocation/id_rsa.
Your public key has been saved in /LocalFileLocation/id_rsa.pub.
The key fingerprint is:
01:0f:f4:3b:ca:85:d6:17:a1:7d:f0:68:9d:f0:a2:db email@example.com
Optionally, add your new key to the local ssh-agent file to enable SSH to find your key without the need to specify its location every time that you connect:
You can use an SSH config shortcut instead of the ssh-agent file by following the instructions in the Shortcut configuration section later in this article.
Add the public key to your cloud account
To make it easy to add your key to the new cloud servers you create, upload the public key to your cloud account by following these steps:
- Log in to the Cloud Control Panel.
- In the Servers section, click SSH Keys.
- Click Add Public Key.
- Enter a key name to remind you which computer this key is for; for example, Work Laptop.
- Select the region for which you want to store the public key. To store your key in multiple regions, repeat these steps for each region.
- Paste the contents of the id_rsa.pub file that you created into the Public Key field. You can get the file contents by either opening the file in a text editor or by running the following command:
- Click Add Public Key.
Create a new server by using a stored key
When you create a new Cloud Server, you can add a stored key to the new server.
In the SSH Key section of the server creation page, click the drop-down menu and select your key from the list. If you don't see a stored key in the list, you must switch the region for the new server to the region where you've stored the SSH key.
Add the key to an existing server
You cannot use the Cloud Control Panel to add a public key to an existing server. Follow these steps to add the key manually:
- On your cloud server, create a directory named .ssh in the home folder of the account you will connect to via SSH.
mkdir -p ~/.ssh
- Create or edit the authorized_keys file and add your public key to the list of authorized keys.
A key is all on one line, so ensure that the key isn't broken by line breaks. You can have multiple keys in the authorized_keys file, with one key per line.
- Set the correct permissions on the key.
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
With the public key added to the authorized_keys file, you can make an SSH connection using your key pair instead of the account password.
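The three steps above combined into one repeatable function, as an added shell example (not code from the original article). It also checks that the key really is on a single line and does not add the same key twice; the function name install_pubkey and its arguments are hypothetical.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE [HOME_DIR]: add one public key to an account's
# authorized_keys exactly once. The body runs in a subshell, so the umask
# change does not leak into the calling shell.
install_pubkey() (
    pub=$1
    home=${2:-$HOME}
    auth=$home/.ssh/authorized_keys
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; exit 2; }
    # A key wrapped by an editor or mail client spans several lines.
    [ "$(grep -c . "$pub")" -eq 1 ] || { echo "$pub: expected one key on one line" >&2; exit 3; }
    key=$(grep . "$pub")
    # Expect "<type> <base64> [comment]"; this also rejects other pasted text.
    case $key in
        ssh-*' '*|ecdsa-sha2-*' '*|sk-*' '*) ;;
        *) echo "$pub: not an OpenSSH public key line" >&2; exit 4 ;;
    esac
    umask 077
    mkdir -p "$home/.ssh" || exit 1
    touch "$auth" || exit 1
    # If the file does not end in a newline, terminate the last key first so
    # the new key is not glued onto it.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    # -x whole line, -F fixed string: skip when this exact key is already listed.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
    chmod 700 "$home/.ssh" && chmod 600 "$auth"
)
```

Run it on the server as the account you will connect to, for example `install_pubkey ~/id_rsa.pub` after copying the public key file there.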
You can set up a connection shortcut by creating a ~/.ssh/config file on your local computer and adding your server and key details by using a text editor.
- Add the following text to the ~/.ssh/config file, changing the values to match your server information:
Host shortcutName
    HostName serverAddressOrIPAddress
    User remoteUsername
    IdentityFile /path/to/appropriate/ssh/rsa/private/key
Each entry describes a feature of the server:
- Host: A shortcut name you will use to tell SSH to use this connection
- HostName: The address of the server you will connect to
- User: The name of the user account to connect to on the server
- IdentityFile: The location of the private key file (id_rsa)
- After you set up the config file, connect to the server by using your shortcut name with SSH, as follows:
If you have trouble making a new connection after you restart the server, use the following steps to help you resolve the issue:
- If you get a connection timeout error, check the IP address that you used to ensure that it's correct. You might also check the server's iptables to ensure it isn't blocking the port used by SSH.
- If you get a connection refused error, you might be trying to use SSH with the wrong port. If you changed your server to listen to a port other than 22, use the -p option with SSH to specify the port.
- If you are getting a rejected login, then you might have an issue with your key. Change the sshd configuration to allow password connections by setting
yes. Restart the server and try again. If you connect after these changes, then the issue is with the key and you must verify the key is in the right place on the server.
- If all else fails, review your changes and restart the SSH daemon on the server by running the following command:
sudo service ssh restart
If you get a message that the service SSH is unknown, run the command with sshd as the service name instead.
© 2014 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License