Introduction
SSH (Secure Shell) is a cryptographic protocol for securely connecting to a remote server over an unsecured network. It is essential for managing remote systems, networking, and communicating with remote servers.
The protocol provides a secure connection between a client and a server. It enables managing other computers, transferring files, and executing commands on a remote machine.
This guide explains how to SSH to a remote server from Windows, Linux, or Mac.
Prerequisites
- The remote computer must be turned on and have a network connection.
- The IP address or the name of the remote machine.
- Permission to access the remote computer.
- Firewall settings to allow SSH connections.
What Is SSH?
Secure Shell, sometimes called Secure Socket Shell, is a protocol that allows you to securely connect to a remote computer or a server using a text-based interface.
When a secure SSH connection is established, a shell session starts. It enables manipulating the server by typing commands within the client on your local computer.
System and network administrators use this protocol to manage remote servers and machines. Anyone who requires managing a computer remotely in a highly secure manner uses SSH.
Note: SSH and SFTP protocols are frequently conflated, but have unique and distinct roles. Learn about the similarities and differences between SSH and SFTP.
How Does SSH Work?
Both the client and server participate in establishing a secure SSH communication channel. Creating an SSH connection relies on the following components and steps:
- Client-side component. A client-side component is an application or program used to connect to another machine. The client uses remote host information to initiate the connection through the program. If the credentials are verified, the program establishes an encrypted connection.
- Server-side component. On the server's side, an SSH daemon constantly listens to a specific TCP/IP port (the default SSH port number is 22) for possible client connection requests. Once a client initiates a connection through the defined port, the SSH daemon responds with the software and the protocol versions it supports. The default protocol version for SSH communication is version 2.
- Key exchange. The client and server exchange cryptographic keys to create a secure communication channel. The keys help encrypt subsequent communication.
- Authentication. When establishing a connection, the client provides identification data to the server (as a username/password or SSH keys). If the provided credentials are correct, SSH creates a new encrypted communication session.
Note: For more details, check out our comprehensive guide on how SSH works.
How to Enable an SSH Connection
Since creating an SSH connection requires both a client and a server component, ensure they are installed on the local and remote servers. The sections below demonstrate how to install a client-side and server-side component depending on the OS.
Install SSH Component on Mac
macOS typically has the SSH client preinstalled. Open the terminal and check with the following command:
ssh -v
The command shows the installed SSH version. To use a third-party SSH application, such as OpenSSH, use the following Homebrew command:
brew install openssh
Note: If you don't have Homebrew installed, check out our guide on how to install Homebrew on Mac.
The installation allows managing a separate version from the system's default SSH component. Alternatively, install PuTTY on macOS to use a GUI-based SSH client.
To enable SSH server remote login on a macOS, do the following:
1. Go to System Settings.
2. Click General in the left menu.
3. Locate and open Sharing.
4. Enable Remote Login to allow SSH access to the device.
Install SSH Component on Linux
Some Linux distributions do not have an SSH component installed by default. Typical solutions are installing OpenSSH or a GUI solution, such as the PuTTY client for Ubuntu.
Installing OpenSSH requires access to the terminal on the server and the computer you use for connecting. The steps for installing and setting up the OpenSSH client and server component are below:
1. To install the client component, run one of the following commands on the client machine:
For Debian/Ubuntu-based Systems:
sudo apt install openssh-client
For Red Hat-based systems (such as CentOS or Fedora):
sudo dnf install openssh-clients
sudo yum install openssh-clients
2. Next, install the server component on the server machine:
For Debian/Ubuntu-based Systems:
sudo apt install openssh-server
For Red Hat-based systems (such as CentOS or Fedora):
sudo dnf install openssh-server
sudo yum install openssh-server
3. After installing the components, the SSH service automatically starts. View the service status with:
systemctl status sshd
In case the service is not running, run it with the following command:
sudo systemctl start sshd
The command does not print an output.
4. To have the service start automatically on boot, run:
sudo systemctl enable sshd
Enabling the sshd service starts it during the boot process.
Note: On some systems, sshd is the service name alias, and the commands will not work. In that case, replace sshd
with ssh
in the previous commands.
Install SSH Component on Windows
SSH is not a default component on Windows systems. Windows 10 and later versions include a native OpenSSH app.
To enable SSH, do the following:
1. Open Settings -> Apps & features -> Optional features.
2. Click the Add a feature button.
3. Search for and install the OpenSSH app.
Alternatively, a popular option is to install PuTTY on Windows or to use a Linux distribution through the WSL (Windows Subsystem for Linux) feature.
How to Connect via SSH
After installing and setting up the SSH client and server on each machine, you can establish a secure remote connection. To connect to a server, do the following:
1. Open the command line/terminal window and run the following ssh command:
ssh [username]@[host_ip_address]
Provide the username and host IP address. If the username is the same as the local machine, omit the username from the command. To test if SSH is installed correctly, try creating an SSH connection to localhost.
2. When connecting to the server for the first time, a message appears asking to confirm the connection. Type yes and press Enter to confirm the remote server identification on the local machine.
3. Provide the password when prompted and press Enter. The screen does not display characters as you are typing.
A digital signature ECDSA key fingerprint helps authenticate the machine and establishes a connection to the remote server.
If the computer you are trying to connect to is on the same network, then it is best to use a private IP address instead of a public IP address.
Note: Learn about the differences between a private and public IP address and the roles of each.
Additionally, ensure the correct TCP port listens for connection requests and that port forwarding settings are correct. The default port number is 22 unless the configuration has been changed. You may also append the port number after the host IP address.
When using a port number, the following two examples are valid:
ssh [username]@[host_ip_address]:[port]
ssh [username]@[host_ip_address] -p [port]
If there are any issues connecting to the remote server, make sure that:
- The IP address of the remote machine is correct.
- The port the SSH daemon is listening to is not blocked by a firewall or forwarded incorrectly.
- The username and password are correct.
- The SSH software is installed correctly.
Note: If SSH responds with a message "Connection refused", please refer to our article How To Fix The SSH "Connection Refused" Error for possible reasons and solutions.
SSH Further Steps
After establishing a connection to your server using SSH, there are additional steps to improve SSH security. Default values should always be changed; not changing them leaves a server vulnerable to attacks. Some of the suggestions require editing the SSH configuration file.
Below is a list of practical steps to secure the SSH connection:
Change the Default TCP Listening Port
Instead of using the default port 22, try a higher number. Avoid using a port number that is easy to guess, such as 222, 2222, or 22222.
Use SSH Key Pairs for Authentication
Passwordless SSH login is safer and allows logging in without using an SSH key pair (which is faster and more convenient).
Disable Password-Based Logins on Your Server
If your password gets cracked, this will eliminate the possibility of using it to log into your servers. Before you turn off the option to log in using passwords, ensure that authentication using key pairs works.
Disable Root Access
Removing default root access to your server makes accessing the root account harder for unwanted solicitors. Instead, use a regular account with the su - command to switch to a root user.
Use TCP Wrappers
TCP wrappers enable restricting access to specific IP addresses or hostnames. Configure which host can connect by editing the /etc/hosts.allow and /etc/hosts.deny files. Note that the first file has higher authorization than the second.
For example, to allow SSH access to a single host, first deny all hosts by adding these two lines in the /etc/hosts.deny file:
sshd : ALL
ALL : ALL
Then, in the /etc/hosts.allow file, add a line with the allowed hosts for the SSH service:
sshd : 10.10.0.5, LOCAL
The host can be an IP address, an IP range, or a hostname.
Secure Login Information and Employ Multilayer Security
Use different methods to limit SSH access to your servers, or use services that block anyone using brute force to gain access. Fail2ban is one example of such a service.
VNC Over SSH
In a Virtual Network Computing (VNC) environment, it is possible to encrypt connections using SSH tunneling via the ssh
command and through PuTTY.
To tunnel VNC connections over SSH, run the following command in the command line/terminal:
ssh -L [local_address]:[local_port]:[VNC_server_address]:[VNC_server_port] -N -f -l [username] [hostname_or_IP]
The command does the following:
ssh
. Starts the SSH client program on your local machine and enables secure connection to the SSH server on a remote computer.-L [local_address]:[local_port]:[VNC_server_address]:[VNC_server_port]
. The local address and port for the client on the local machine are to be forwarded to the specified server host and port of the remote machine.-N
. Forwards ports without executing a remote command.-f
. Sends SSH to the background after the password is provided. This allows typing commands in the local terminal.-l [username]
. The username for connecting to the SSH server.[hostname_or_IP]
. The hostname or IP of the SSH server.
You can also connect to a remote server via SSH tunnel using PuTTY. In the PuTTY configuration window, do the following:
1. Go to Connection -> SSH -> Tunnels.
2. Type in the source port number in the Source port field.
3. Type the VNC server address and port in the Destination field.
4. Start the SSH session as you normally would.
5. Connect to your server with a VNC client of your choice.
Conclusion
You should now be able to connect to a remote server with SSH. There are many other methods to establish a connection between two remote computers, but the ones covered here are most common and secure.
Next, see how to mount a remote file system using SSH with the SSHFS on Windows and Linux or SSHFS on macOS.