IT Tutorial

Administer Your Server Remotely

Install and configure SSH to securely connect and administer your server from any machine with a network connection.
Apart from when you are doing the base installation or some sort of local maintenance, generally a Linux server is meant to be run without a monitor connected. Most tasks you would need to perform on a server can be done via the command line, and these days Telnet is out and SSH is in. SSH provides you with the ability to remotely log in to your server and run commandsall over an encrypted channel. Plus, SSH offers a number of advanced functions that can make remote administration simpler.
First things first: Ubuntu (at least the desktop version) does not install the SSH server by default, so you will need to install it. Either use your preferred package manager to install the openssh-server package or run:

$ sudo apt-get install openssh-server

The installation scripts included with the package will take care of creating the initial RSA and DSA keys you need, as well as providing you with a good default SSH config. Once the install finishes, you should be able to log in to the machine from other machines on the network by typing:

$ ssh

ip_address

(Replace ip_address with the IP address or hostname for your remote Ubuntu server.)
Configure SSH

One issue with the default SSH config (/etc/ssh/sshd_config) that ships with Ubuntu is that it enables remote root logins and X11 forwarding, which create potential security concerns. Since the root account is disabled on Ubuntu by default anyway, it doesn't hurt to disable the root login option. Just find the line that says:

PermitRootLogin yes

and change it to say:
PermitRootLogin no

If you aren't planning on using X11 forwarding, you can disable that as well. Find the line that says:

X11Forwarding yes

and change it to:

X11Forwarding no

Once you have made your changes, type:

$ sudo /etc/init.d/ssh restart
to load the new configuration.

X11 Forwarding

Now while X11 forwarding should be disabled if you aren't planning to use it, if you are planning to use it, it can allow you to do some pretty interesting things. Essentially, X11 forwarding allows you to set up a secure communication channel between you and the remote server over which you can run graphical applications. The performance of these applications will vary depending on the speed of your network connection. To take advantage of X11 forwarding, add the -X argument to ssh when connecting to the server:

$ ssh -X

ip_address



Then start a graphical program such as xterm (which, when you think about it, wouldn't make much sense to run since you're already in a shell) or perhaps Synaptic. Give the application some time if you are on a slower network link; eventually, the graphical program should appear on your local desktop. This feature can be particularly useful if your server needs third-party graphical programs to manage hardware RAID volumes or backup programs and you need to manage these tools remotely.

Configure Passwordless Authentication

If you find yourself connecting to the same machine frequently, or you want to be able to set up a script to run commands on the machine when you aren't around, you will want to set up passwordless authentication. Essentially, this requires that you set up a public and private key on your local machine and then add the public key to a particular configuration file on the remote machine. First, generate your keys on the local machine with the ssh-keygen program:

greenfly@ubuntu:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/greenfly/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/greenfly/.ssh/id_rsa.
Your public key has been saved in /home/greenfly/.ssh/id_rsa.pub.
The key fingerprint is:
b7:db:cc:2c:81:c5:8c:db:df:28:f3:1e:17:14:cd:63 greenfly@ubuntu

(If you want to generate DSA keys instead, replace rsa with dsa in the above command.) Notice that it prompted for a passphrase. If you want to use this key for passwordless authentication, just hit Enter for no passphrase. When the program finishes, you will have two new files in your ~/.ssh/ directory called id_rsa and id_rsa.pub, which are your private and public keys, respectively. Now, for security reasons, the id_rsa file is set to be readable only by your user, and you should never share that file with anyone else, since she would then be able to log in to any machine that you could with that key. The public key is the one you will share with remote servers to allow you to log in passwordlessly. To do so, copy the id_rsa.pub file to the remote machine and append its contents to the ~/.ssh/authorized_keys file. You can do this step by step, or you can use this handy one-liner to do it all in one fell swoop:
$ ssh

user@remotehost

"cat >> ~/.ssh/authorized_keys" < ~/.ssh/id_rsa.pub Replace user@remotehost with your username and the hostname of the remote server. You will be prompted for your password one final time, and then the key will be appended to the remote host's authorized_keys file. You should now be able to ssh to the remote machine and log in without being prompted for a password.
If you do include a passphrase when you generate the key, you will be prompted for that key's passphrase every time you log in. You can make this step almost as convenient as passwordless login by running the command ssh-agent bash on your local machine; this starts up a bash shell session under the control of an SSH agent process.You can then add your key to the agent with ssh-add. You'll be prompted once for your password, and then you can ssh to remotehost without being prompted for your password, unless you exit that shell that you started with ssh-agent.

Copy Files Securely

Another common need is to be able to copy files between servers you are administering. While you could set up FTP on all of the servers, this is a less-than-ideal and potentially insecure solution. SSH includes within it the capability to copy files using the scp command. This has the added benefit of copying the files over a secure channel along with taking advantage of any key-based authentication you might have already set up.

To copy a file to a remote machine, type:

$ scp /path/to/file user@remotehost:

/path/to/destination

Or, if you need to copy from the remote host to the local host, reverse the two arguments:

$ scp user@remotehost:/path/to/file
/path/to/destination

scp supports recursion, so if you need to copy an entire directory full of files to a remote location, use the -r argument:

$ scp -r
/path/to/directory/ user@remotehost:/path/to/destination/

If you are transferring logfiles or other highly compressible files, you might benefit from the -C argument. This turns on compression, which, while it will increase the CPU usage during the copy, should also increase the speed in which the file transfers, particularly over a slow link.
Alternatively, if you want to copy a file but can't afford to saturate your upload with the transfer, use the -l argument to limit how much bandwidth is used. Follow -l with the bandwidth you want to use in kilobits per second. So, to transfer a file and limit it to 256 Kbps, type:

$ scp -l 256

/path/to/file user@remotehost:/path/to/destination








Administer Your Server Remotely