Using SSH is the most convenient way to remotely administer a CanIt server. This article will discuss the basics of doing so. Note that this article assumes the usage of our Debian-based ISO installation and while some parts will be applicable to other types of installations, other instructions may vary.
Enabling SSH Access
A CanIt appliance should comes with the openssh-server package installed unless you explicitly disabled this from the package selection during the installation process. The SSH Daemon (sshd) is automatically started when the system boots so no special steps are necessary on the appliance itself.
However, you may need to take special actions to ensure that the SSH server is available to the network with consideration for any firewalls or other access control systems that might be in the way. For access outside of your network you will need to make the server publicly resolvable either by providing it with an external IP address or by using Port Forwarding on the router.
In order for Roaring Penguin to provide console-level support we will need you to open SSH access publicly for at least our support IP address (below).
The default listening port for SSH is port 22. If you wish to use a non-standard port you can add it to the top of the /etc/ssh/sshd_config file. This should already include Port 22 which you can either append to or replace:
# Package generated configuration file # See the sshd_config(5) manpage for details # What ports, IPs and protocols we listen for Port 22 Port 2222
Alternatively you can use Port Forwarding to redirect any external port to port 22 internally.
Roaring Penguin Support SSH Keys
By default, our ISO installations come with our support keys installed and enabled. So long as there is no firewall preventing our access and that your server is publicly resolvable, we will be able to access your machine upon request to assist in a wide variety of tasks. If you want to remove our ability to access your machine you could block the port, but we also provide a simple command to Enable/Disable our keys.
As stated in that article, we always come from: 126.96.36.199.
SSH in Debian Jessie (8) and Above
The default SSH configuration in Debian 8 and above is to only allow the 'root' user to log in using public/private key pairs; password logins are not allowed.
This is a fairly sane default, but it also means that you will only have root access directly from the console unless you do one of the following:
Enable Logins with Passwords
This setting is defined in /etc/ssh/sshd_config.
The default in Jessie is:
and later versions also support the less ambiguous:
Both of which mean "with keys only". You can change that to:
You then need to restart sshd. In Jessie and above (versions using systemd) this is done with:
systemctl restart sshd
Install Your Key(s)
The public keys for authorized logins are stored in ~/.ssh/authorized_keys. Because we are concerned about the 'root' account specifically, this is:
You can add the public key from any other client to this file to allow secure logins without a password.
Linux/OS X Client
Any Unix system should come with an SSH client pre-installed and accessible to any user with a terminal.
SSH key pairs are stored in the same location as the authorized_keys used by a server. Specifically, you want to copy the *public* key which should be in:
If this file does not exist, you can generate it with:
In order to copy the key to the CanIt machine you must already have access to it by some means.
You can enabled root logins with a password temporarily, as above, and then add your key with a single command:
This will ask you for the 'root' password and if successful it will automatically add the key to the authorized_keys file.
If you have access to the 'root' account by some means other than directly from your client you will need to copy/paste or append your key to the file manually.
Note: If you enabled root logins using a password in order to install your key, be sure to test logging in with the key before reverting back to the 'without-password' option otherwise you may lock yourself back out. It will deliver you directly to the Bash shell without prompting for a password if everything worked correctly.
Windows or Graphical Clients
For non-UNIX machines, or if you don't have a terminal on your workstation you will need to use a dedicated SSH client and consult the documentation for that client in order to find and/or generate this key. A common Windows-based SSH client is PuTTY. You can also get a Linux shell on a Windows machine with the Windows Subsystem for Linux by enabling it from the Windows 10 developer settings, or you can can install Cygwin.
Escalate to 'root' After Login
There is nothing stopping an ordinary user from logging in via SSH using a password - that is, if you have created an ordinary user already.
If you log in with an ordinary user, you can then use the:
or "Switch User" (sometimes "Super User") command without any arguments in order to change to the 'root' user ID.
Alternatively, those who are more familiar with Ubuntu and some other Linux flavours may prefer to use:
in order to escalate to the 'root' user by entering their user's password instead of the password for 'root'. "sudo" is not installed in Debian by default because it is less secure. For instance in this exact scenario where you might as well just allow the 'root' user to log in with a password if it means that knowing just the ordinary "sudoer's" password is enough to become 'root' anyways. That said, 'sudo' is a useful tool for other types for work to discourage ordinary users from running commands with escalated privileges unless they need to, so Debian does make the 'sudo' package available for installation:
apt-get install sudo
After 'sudo' is installed you will need to add the ordinary user to the /etc/sudoers file to allow them to escalate to 'root' with:
username ALL=(ALL:ALL) ALL