SSH Login

From Roaring Penguin
Using SSH is the most convenient way to remotely administer a CanIt server. This article will discuss the basics of doing so. Note that this article assumes the usage of our Debian-based ISO installation and while some parts will be applicable to other types of installations, other instructions may vary.

Enabling SSH Access

A CanIt appliance should come with the openssh-server package installed unless you explicitly disabled this from the package selection during the installation process. The SSH daemon (sshd) is automatically started when the system boots, so no special steps are necessary on the appliance itself.

However, you may need to take special actions to ensure that the SSH server is available to the network with consideration for any firewalls or other access control systems that might be in the way. For access outside of your network you will need to make the server publicly resolvable either by providing it with an external IP address or by using Port Forwarding on the router.

In order for Roaring Penguin to provide console-level support we will need you to open SSH access publicly for at least our support IP address (below).

SSH Port(s)

The default listening port for SSH is port 22. If you wish to use a non-standard port you can add it to the top of the /etc/ssh/sshd_config file. This should already include Port 22 which you can either append to or replace:

   # Package generated configuration file
   # See the sshd_config(5) manpage for details
   
   # What ports, IPs and protocols we listen for
   Port 22
   Port 2222

Alternatively you can use Port Forwarding to redirect any external port to port 22 internally.

Roaring Penguin Support SSH Keys

By default, our ISO installations come with our support keys installed and enabled. So long as no firewall prevents our access and your server is publicly resolvable, we will be able to access your machine upon request to assist in a wide variety of tasks. If you want to remove our ability to access your machine you could block the port, but we also provide a simple command to Enable/Disable our keys.

As stated in that article, we always come from: 108.63.66.105.

SSH in Debian Jessie (8) and Above

The default SSH configuration in Debian 8 and above is to only allow the 'root' user to log in using public/private key pairs; password logins are not allowed.

This is a fairly sane default, but it also means that you will only have root access directly from the console unless you do one of the following:

Enable Logins with Passwords

This setting is defined in /etc/ssh/sshd_config.

The default in Jessie is:

   PermitRootLogin without-password

and later versions also support the less ambiguous:

   PermitRootLogin prohibit-password

Both mean "with keys only". You can change that to:

   PermitRootLogin yes

You then need to restart sshd. In Jessie and above (versions using systemd) this is done with:

   systemctl restart sshd

Install Your Key(s)

The public keys for authorized logins are stored in ~/.ssh/authorized_keys. Because we are concerned about the 'root' account specifically, this is:

   /root/.ssh/authorized_keys

You can add the public key from any other client to this file to allow secure logins without a password.

Linux/OS X Client

Any Unix system should come with an SSH client pre-installed and accessible to any user with a terminal.

SSH key pairs are stored in the same location as the authorized_keys used by a server. Specifically, you want to copy the *public* key which should be in:

   ~/.ssh/id_rsa.pub

If this file does not exist, you can generate it with:

   ssh-keygen

In order to copy the key to the CanIt machine you must already have access to it by some means.

You can enable root logins with a password temporarily, as above, and then add your key with a single command:

   ssh-copy-id root@your.canit.machine

This will ask you for the 'root' password and if successful it will automatically add the key to the authorized_keys file.

If you have access to the 'root' account by some means other than directly from your client you will need to copy/paste or append your key to the file manually.

Note: If you enabled root logins using a password in order to install your key, be sure to test logging in with the key before reverting to the 'without-password' option, otherwise you may lock yourself out again. If everything worked correctly, the key login will deliver you directly to the Bash shell without prompting for a password.
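The revert described in the note above is easy to get wrong when editing /etc/ssh/sshd_config by hand, because sshd uses the first value it reads for a keyword while Port lines accumulate. The following script is an added example, not part of the original article or of Roaring Penguin's tooling; it reports the listening ports and the global PermitRootLogin value of a config file, and its function names and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file for the two settings this
# article edits. Function names and the sample file are constructed.

# Normalise a line: drop comments, treat "keyword=value" like "keyword value".
# Parsing stops at the first Match block, whose settings are conditional.
PREP='{ sub(/#.*/, ""); gsub(/=/, " ") } tolower($1) == "match" { exit }'

# Print the global PermitRootLogin value. sshd keeps the FIRST value it
# reads for a keyword, so a later duplicate line has no effect.
root_login_mode() {
    awk "$PREP"'
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# Print every listening port, space-separated. Port is cumulative (each
# line adds a listener) and sshd listens on 22 when no Port line is present.
listen_ports() {
    awk "$PREP"'
        tolower($1) == "port" { ports = ports (ports ? " " : "") $2 }
        END { print (ports ? ports : "22") }' "$1"
}

# Return 0 only when the file explicitly limits root to key logins (or
# forbids root logins); "yes" and "unset" both return 1.
root_password_login_closed() {
    case "$(root_login_mode "$1")" in
        prohibit-password|without-password|no|forced-commands-only) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: the temporary "yes" was left in place and the
# key-only setting was appended below it, so "yes" still wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# What ports, IPs and protocols we listen for
Port 22
Port 2222
PermitRootLogin yes
PermitRootLogin prohibit-password
EOF

echo "ports: $(listen_ports "$sample")"
echo "root login: $(root_login_mode "$sample")"
root_password_login_closed "$sample" || echo "WARNING: root password login is still enabled"
rm -f "$sample"
```

On the appliance itself, running `sshd -t` before restarting sshd checks the edited file for syntax errors.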

Windows or Graphical Clients

For non-UNIX machines, or if you don't have a terminal on your workstation, you will need to use a dedicated SSH client and consult the documentation for that client in order to find and/or generate this key. A common Windows-based SSH client is PuTTY. You can also get a Linux shell on a Windows machine with the Windows Subsystem for Linux by enabling it from the Windows 10 developer settings, or you can install Cygwin.

Escalate to 'root' After Login

There is nothing stopping an ordinary user from logging in via SSH using a password - that is, if you have created an ordinary user already.

If you log in with an ordinary user, you can then use the:

   su

or "Switch User" (sometimes "Super User") command without any arguments in order to change to the 'root' user ID.

Alternatively, those who are more familiar with Ubuntu and some other Linux flavours may prefer to use:

   sudo su

in order to escalate to the 'root' user by entering their user's password instead of the password for 'root'. "sudo" is not installed in Debian by default because it is less secure: in this exact scenario, for instance, you might as well just allow the 'root' user to log in with a password if knowing just the ordinary sudoer's password is enough to become 'root' anyway. That said, 'sudo' is a useful tool for other types of work, discouraging ordinary users from running commands with escalated privileges unless they need to, so Debian does make the 'sudo' package available for installation:

   apt-get install sudo

After 'sudo' is installed you will need to add the ordinary user to the /etc/sudoers file to allow them to escalate to 'root' with:

   username  ALL=(ALL:ALL) ALL