Linux users and administrators often need to get shell access to a remote system by connecting to it over the network. In a modern computing environment, many headless servers are actually virtual machines or are running as public or private cloud instances. These systems are not physical and do not have real hardware consoles. They might not even provide access to their (simulated) physical console or serial console.
In Linux, the most common way to get a shell prompt on a remote system is to use Secure Shell (SSH). Most Linux systems (including Red Hat Enterprise Linux) and macOS provide the OpenSSH command-line program ssh for this purpose.
In this example, a user with a shell prompt on the machine host uses ssh to log in to the remote Linux system remotehost as the user remoteuser:
[user@host ~]$ ssh remoteuser@remotehost
remoteuser@remotehost's password: password
[remoteuser@remotehost ~]$
The ssh command encrypts the connection to secure the communication against eavesdropping or hijacking of the passwords and content. Some systems (such as new cloud instances) do not allow users to use a password to log in with ssh for tighter security. An alternative way to authenticate to a remote machine without entering a password is through public key authentication.
With this authentication method, users have a special identity file containing a private key, which is equivalent to a password and which they keep secret. Their account on the server is configured with a matching public key, which does not have to be secret. When logging in, users can configure ssh to provide the private key, and if the matching public key is installed in that account on the remote server, it logs them in without asking for a password.
In the next example, a user with a shell prompt on the machine host logs in to remotehost as remoteuser using ssh, using public-key authentication. The -i option is used to specify the user’s private key file, which is geeklab.pem. The matching public key is already set up as an authorized key in the remoteuser account.
[user@host ~]$ ssh -i geeklab.pem remoteuser@remotehost
[remoteuser@remotehost ~]$
For this to work, the private key file must be readable only by the user that owns the file. In the preceding example, where the private key is in the geeklab.pem file, the command chmod 600 geeklab.pem could be used to ensure this.
[user@host ~]$ chmod 600 geeklab.pem
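The permission requirement above can be checked before running ssh rather than discovered from a refused key. The following shell functions are an added example, not part of the original text: they read a key file's permission bits, succeed only when neither group nor others have any access, and tighten the file to mode 600 when needed. The key_mode helper assumes GNU coreutils stat (Linux); the file names are the page's own.

```shell
# Added example: verify that an SSH private key file is readable only by its
# owner, as "ssh -i" requires, and tighten it to mode 600 if it is not.
# Assumes GNU coreutils stat (Linux); key_mode is the only non-portable part.

key_mode() {
    # Print the octal permission bits of a file, e.g. 600 or 644.
    stat -c '%a' "$1"
}

key_perms_ok() {
    # Succeed only when the group and other permission digits are both 0,
    # i.e. nobody but the owner (and root) can read the key.
    mode=$(key_mode "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

fix_key_perms() {
    # Return 0 if the key is already private or was successfully tightened.
    if key_perms_ok "$1"; then
        return 0
    fi
    echo "tightening permissions on $1 (was $(key_mode "$1"))" >&2
    chmod 600 "$1" && key_perms_ok "$1"
}

# Usage: fix_key_perms geeklab.pem && ssh -i geeklab.pem remoteuser@remotehost
```

A mode of 400 (read-only for the owner) also passes the check, which is what many administrators use for keys they never intend to modify in place.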
The first time you log in to a new machine, you will be prompted with a warning from ssh that it cannot establish the authenticity of the host:
[user@host ~]$ ssh -i mylab.pem remoteuser@remotehost
The authenticity of host 'remotehost (192.0.2.42)' can't be established.
ECDSA key fingerprint is 47:bf:82:cd:fa:68:06:ee:d8:83:03:1a:bb:29:14:a3.
Are you sure you want to continue connecting (yes/no)? yes
[remoteuser@remotehost ~]$
Each time you connect to a remote host with ssh, the remote host sends ssh its host key to authenticate itself and to help set up encrypted communication. The ssh command compares that key against its list of saved host keys to make sure it has not changed. If the host key has changed, this might indicate that someone is trying to impersonate that host in order to hijack the connection, which is known as a man-in-the-middle attack. In SSH, host keys protect against man-in-the-middle attacks. These host keys are unique for each server, and they need to be changed periodically and whenever a compromise is suspected.
You will get this warning if your local machine does not have a host key saved for the remote host. If you enter yes, the host key that the remote host sent will be accepted and saved for future reference. Login will continue, and you should not see this message again when connecting to this host. If you enter no, the host key will be rejected and the connection closed.
If the local machine does have a host key saved and it does not match the one actually sent by the remote host, the connection will automatically be closed with a warning.
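The three outcomes described above (no saved key, matching key, mismatching key) are a lookup against the known_hosts file. The shell/awk functions below are an added example, not OpenSSH's own code: they take a known_hosts file and the key a server has just presented and report "unknown" (ssh shows the authenticity warning), "match" (login proceeds silently) or "mismatch" (ssh closes the connection). The sample known_hosts content is constructed, and its key blobs are made-up strings rather than real keys; the host name remotehost and address 192.0.2.42 are taken from the page. Hashed (|1|...) and @marker entries are skipped to keep the illustration short.

```shell
# Added example: the decision ssh makes against ~/.ssh/known_hosts, re-implemented
# in shell/awk for illustration. Hashed (|1|...) and @marker lines are skipped.

check_host_key() {
    # $1 known_hosts path, $2 host name or address exactly as written in the
    # file, $3 key type (e.g. ssh-ed25519), $4 the base64 key blob presented.
    awk -v host="$2" -v keytype="$3" -v key="$4" '
        /^[ \t]*#/ || NF == 0 { next }         # comments and blank lines
        $1 ~ /^\|1\|/ || $1 ~ /^@/ { next }    # hashed names and markers: not handled here
        {
            n = split($1, names, ",")          # "remotehost,192.0.2.42" lists aliases
            for (i = 1; i <= n; i++) {
                if (names[i] == host && $2 == keytype) {
                    if ($3 == key) { status = "match"; exit }
                    status = "mismatch"        # a saved key for this host differs
                }
            }
        }
        END { print (status == "" ? "unknown" : status) }
    ' "$1"
}

sample_known_hosts() {
    # Write a constructed known_hosts file (the key blobs are made-up strings,
    # not real keys) and print its path.
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample known_hosts
remotehost,192.0.2.42 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyForRemotehost00000000000000000
remotehost ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBConstructedEcdsaKey
|1|AbCdEfGhIjKlMnOpQrStUvWxYz0=|0123456789abcdefghijklmnopq= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedHashedEntry000000000000000000000
EOF
    printf '%s\n' "$f"
}

# Usage:
#   kh=$(sample_known_hosts)
#   check_host_key "$kh" remotehost ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyForRemotehost00000000000000000
```

On a real system the same lookup is done with ssh-keygen -F remotehost, and a stale entry (for example after a host was legitimately rebuilt) is removed with ssh-keygen -R remotehost before reconnecting; the new key's fingerprint should then be confirmed through a separate channel rather than accepted blindly.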
When you are finished using the shell and want to quit, you can choose one of several ways to end the session. You can enter the exit command to terminate the current shell session. Alternatively, finish a session by pressing Ctrl+D. The following is an example of a user logging out of an SSH session:
[remoteuser@remotehost ~]$ exit
logout
Connection to remotehost closed.
[user@host ~]$