Mastering SSH: Secure Remote Access with Keys and Configurations

Vishal Kapgate

In a world where remote access to systems is essential, SSH (Secure Shell) is the silent workhorse that makes it all possible — safely and efficiently. Whether you're deploying code to a server, managing cloud infrastructure, or just remotely logging into a Linux system, SSH is the trusted tool behind the scenes.

Let’s break it down and walk through both the theory and the practical setup.

What is SSH?

Secure Shell (SSH) is a network protocol that lets two computers or devices communicate and share data over an encrypted channel. It’s widely used for:

  • Remote system login

  • File transfers

  • Running commands on remote machines

  • Tunneling and port forwarding

SSH uses port 22 by default. The port can be changed.

How Does SSH Work?

  1. Client initiates the connection to the SSH server.

  2. Server responds with its public key.

  3. Client checks the key (and may verify it using known_hosts).

  4. If verified, a secure channel is established using encryption.

  5. User logs in with a password or a private key.

SSH Components

SSH Client (ssh)

  • It is a program used to initiate a secure connection with another computer using the SSH protocol.

  • The ~/.ssh directory holds the keys and configuration on the client.

SSH Server (sshd - SSH Daemon)

  • It is a program running on the remote machine that listens for and manages secure connections from SSH clients.

  • The /etc/ssh directory holds the server's configuration files.

Practical: Setting up and Using SSH on Ubuntu

Step 1: Check if SSH is Installed

  • Client Side

    • Most Ubuntu systems have the SSH client pre-installed. We can check it using:

        ssh -V
      
    • If not found, run the following commands:

        sudo apt update
        sudo apt install openssh-client
      
  • Server Side

    • Install the SSH server:

        sudo apt update
        sudo apt install openssh-server
      

Step 2: Check if SSH Server is Running

  • To check the status of the SSH server, run the following command on the server (remote) machine:

      systemctl status ssh
    
  • If inactive, start and enable it:

      sudo systemctl start ssh
      sudo systemctl enable ssh
    

Step 3: Connect to Server Machine via SSH

  • To connect to a remote server machine with the SSH client, run:

      ssh username@remote_ip_or_hostname
    

    You’ll be asked for the password (or a key is used, if one is set up). It is always recommended to use key-based authentication over password-based authentication, as it is more secure.

Password-based Authentication

User has to enter a password when connecting via SSH. Following are the steps to enable this:

  1. Open /etc/ssh/sshd_config in any editor on the server and set:

      PasswordAuthentication yes

  2. Restart the SSH server:

      sudo systemctl restart ssh

Key-based Authentication

SSH key-based authentication is a method where you use a pair of cryptographic keys instead of a username/password to securely log in to a remote server.

  • Private Key: Stays on your client machine (keep it secret).

  • Public Key: Shared with any server you want to connect to (can be public).

Together, they form a matched pair. The private key proves you are the rightful owner of the public key without revealing it.

How does it work?

  1. Client generates a key pair using ssh-keygen.

  2. Public key is added to the ~/.ssh/authorized_keys file on the server.

  3. When you connect, the server sends a challenge encrypted with your public key.

  4. Your client decrypts the challenge using your private key.

  5. If the response is valid, you’re authenticated — no password required!

Ways to Set Up SSH Key Authentication

  1. Basic Setup

  • Generate a key pair on the client machine. This is done using one of these cryptographic algorithms:

    • rsa - Older, widely supported. Usually 2048 or 4096 bits

    • ed25519 - Modern, fast, secure (we will use this)

      ssh-keygen -t ed25519 -C "your_email@example.com"

  • Copy the public key to the server:

      ssh-copy-id username@remote_host

  • On the server, ensure that /etc/ssh/sshd_config has:

      PubkeyAuthentication yes
      # Optional but improves security
      PasswordAuthentication no

  • Restart the SSH server:

      sudo systemctl restart ssh

  • To connect, run the following command on the client machine:

      ssh user@server_ip

  • If your private key is encrypted with a passphrase, run:

      ssh-add ~/.ssh/id_ed25519

This command adds your private SSH key (id_ed25519) to the ssh-agent, a helper program that manages your keys and remembers your passphrase so you don’t have to type it every time you use the key. The key stays in RAM only (it is not written to disk), so after a system reboot or logout you’ll need to re-add it.

  • If you get an error like "Could not open a connection to your authentication agent", start the agent:

      eval "$(ssh-agent -s)"

    Then try ssh-add again.

We can also automate ssh-agent and ssh-add so your SSH keys are loaded automatically at login or terminal start.
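An added example, not from the original article: sshd uses the first value it reads for each keyword, and the sshd_config on recent Ubuntu releases begins with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in file can override the PasswordAuthentication no line from the basic setup. The helper names and the sample files (built in a temporary directory) are constructed for illustration; on a real server, sudo sshd -T prints the settings sshd actually uses.

```shell
#!/bin/sh
# Added example, not from the original article. sshd keeps the FIRST value it
# reads for each keyword, and an Include line is expanded where it appears.

# Print config file $1 with every Include expanded in place (globs allowed).
# Assumption: Include paths are absolute (sshd resolves relative ones
# against /etc/ssh).
flatten_config() {
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f      # split into words without globbing
        case "${1:-}" in
            [Ii][Nn][Cc][Ll][Uu][Dd][Ee])
                shift
                for pat in "$@"; do
                    for f in $pat; do     # unquoted on purpose: expand the glob
                        if [ -f "$f" ]; then flatten_config "$f"; fi
                    done
                done ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"                           # opened before the loop body resets $1
}

# First global value of keyword $1 in config $2, lower-cased; empty if unset.
# Simplification: scanning stops at the first Match line.
effective_value() {
    flatten_config "$2" | awk -v want="$1" '
        NF == 0 || $1 ~ /^#/         { next }
        tolower($1) == "match"       { exit }
        tolower($1) == tolower(want) { print tolower($2); exit }'
}

# Constructed sample: main file with the article's settings plus a drop-in
# modelled on the one some cloud images ship. Prints the main file's path.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/sshd_config.d"
    printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/50-cloud-init.conf"
    printf '%s\n' "Include $d/sshd_config.d/*.conf" \
        'PubkeyAuthentication yes' \
        'PasswordAuthentication no' > "$d/sshd_config"
    printf '%s\n' "$d/sshd_config"
}

cfg=$(make_sample)
for kw in PubkeyAuthentication PasswordAuthentication; do
    printf '%s %s\n' "$kw" "$(effective_value "$kw" "$cfg")"
done
rm -rf "${cfg%/*}"
```

In the sample, password logins stay enabled even though the main file says no, because the drop-in is read first.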

  2. SSH with a Specified Private Key File (like a .pem file from AWS)

      ssh -i path/to/downloaded_key.pem user@server_ip

  • We can make this easier by adding the host to ~/.ssh/config (optional):

      Host myserver
          HostName server_ip
          User myuser
          IdentityFile ~/.ssh/key.pem

    💡 This step is optional. No need to do this if you are just creating a server for test purposes and going to terminate it soon.

  • Then we can just do:

      ssh myserver
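An added example, not from the original article: ssh ignores a private key file that group or other users can access, which can happen with a downloaded .pem file. The check below walks the IdentityFile entries of a client config like the one above and reports keys ssh would reject; the function names and the sample files are constructed for illustration, and GNU stat (as on Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example, not from the original article. ssh ignores a private key
# that group or others can access (any of the 077 mode bits set).

# Report IdentityFile entries in ssh client config $1 that ssh would reject.
# $2 is the directory to substitute for a leading "~" (normally "$HOME").
# Uses GNU stat (-c %a), as shipped on Ubuntu.
check_identity_files() {
    awk 'tolower($1) == "identityfile" { print $2 }' "$1" |
    while IFS= read -r key; do
        case "$key" in "~/"*) key="$2/${key#??}" ;; esac
        if [ ! -f "$key" ]; then echo "missing $key"; continue; fi
        mode=$(stat -c %a "$key")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "too-open $mode $key (fix: chmod 600)"
        fi
    done
}

# Constructed sample: one world-readable key (0644) and one already
# restricted key (0600). Prints the sample home directory.
make_sample_home() {
    h=$(mktemp -d) && mkdir "$h/.ssh"
    : > "$h/.ssh/key.pem";    chmod 644 "$h/.ssh/key.pem"
    : > "$h/.ssh/id_ed25519"; chmod 600 "$h/.ssh/id_ed25519"
    printf '%s\n' 'Host myserver' '    HostName server_ip' '    User myuser' \
        '    IdentityFile ~/.ssh/key.pem' 'Host other' \
        '    IdentityFile ~/.ssh/id_ed25519' > "$h/.ssh/config"
    printf '%s\n' "$h"
}

home=$(make_sample_home)
check_identity_files "$home/.ssh/config" "$home"
rm -rf "$home"
```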

These are the two methods we need to know in key-based authentication as beginners. There are other methods as well, such as SSH Agent Forwarding (Advanced Use) and Hardware-Backed Authentication (YubiKey, SmartCards).

Conclusion

SSH is a cornerstone of secure remote system administration. By understanding its theoretical foundation and mastering practical setup—especially key-based authentication—we can achieve both security and convenience.
