The beauty of a homelab server is that you can securely connect to it wherever you are. However, for that to happen, you need to set up SSH (Secure Shell) on your homelab for remote access. SSH only allows authenticated login and provides encrypted communication. This ensures that your login credentials and commands remain safe from eavesdropping. Here we show you how to set up SSH on your homelab for secure remote access.
Prerequisites
Before getting started, ensure you have the following:
- A homelab server running Linux (Ubuntu, Debian, Arch Linux or any other distribution)
- Another computer with an SSH client installed
- A stable network connection
Install SSH Server
You need an SSH server for SSH to work. Most Linux distributions come with OpenSSH server pre-installed, but if your homelab doesn’t come with it, you can install it manually:
For Ubuntu/Debian:
sudo apt update && sudo apt install openssh-server -y
For Fedora/CentOS/RHEL:
sudo yum install openssh-server -y
For Arch Linux:
sudo pacman -S openssh
Once installed, enable and start the SSH service (the unit is named ssh on Ubuntu/Debian; on Fedora/CentOS/RHEL and Arch Linux it is named sshd):
sudo systemctl enable ssh
sudo systemctl start ssh
To verify that SSH is running:
sudo systemctl status ssh
With the SSH server up and running, you can now access your homelab from another PC using the command:
ssh username@homelab_ip_addr
You will be prompted to enter your password. Once that is verified, you will be logged in to your homelab remotely.
Set Up SSH Key Authentication
By default, SSH uses password authentication to log you in, which is the weaker option: although the password travels inside the encrypted session, it is handed to whichever server you connect to, so a Man-in-the-Middle whose host key you accept can capture it. Attackers can also run a brute-force password attack to gain entry to your server.
Instead, you should set up key-based authentication for SSH. It is like installing a lock on your SSH server – without the right key, no one can access your server.
Generate SSH key pair on the client machine
On the client PC that you are using to access your homelab, enter the following command to generate an SSH key pair:
ssh-keygen -t ed25519
Note: we are using ed25519 instead of the usual rsa because “ed25519” is faster, smaller and more secure.
It will prompt you to enter the file (name and path) to save the key to. You can press Enter to select the default, or enter the file path and name and press Enter.
You can set a passphrase for additional security, but it is optional.
Once it is done, you will find two files in your “.ssh” folder, in this case, “homelab-server” and “homelab-server.pub”.
The “homelab-server.pub” file is the public key and you need to upload it to your homelab.
The “homelab-server” file is the private key used to authenticate your login.
Copy the public key to homelab server
Still on the client PC, enter the following command to copy the public key to your homelab:
ssh-copy-id -i public-key-filename your_username@your_server_ip
In my case, it will be:
ssh-copy-id -i ~/.ssh/homelab-server.pub damien@homelab_ip_addr
If that doesn’t work, either because the ssh-copy-id command is not available or for any other error, use this command instead:
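cat ~/.ssh/homelab-server.pub | ssh your_username@homelab_ip_addr 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'
When that is done, you can log in to your homelab using the command below. If you saved the key under a non-default name such as “homelab-server”, add -i ~/.ssh/homelab-server so that the client offers that key: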
ssh username@homelab_ip_addr
Secure SSH
Now that you have set up key-based authentication, you should take extra steps to secure SSH and prevent unauthorized access.
All the configuration options are found in the “/etc/ssh/sshd_config” file, so that is what we are going to edit.
Open the SSH configuration file with a text editor:
sudo nano /etc/ssh/sshd_config
Change the default port
The default SSH port is 22, but you can change it to another port to make your SSH service less visible to automated scans.
Scroll down the configuration file till you find the line:
#Port 22
Remove the “#” and change the “22” to another port, say “1010”.
Disable root login
A root user has all the rights and permissions to destroy the server, so you want to prevent the root user from logging in at all.
Scroll down the file until you find the line:
#PermitRootLogin
Remove the “#” and change it to:
PermitRootLogin no
In addition, add a new line:
AllowUsers username
This will only allow specific user(s) to log in to your homelab.
Disable password authentication
Password authentication is insecure, so you should disable it as a login method.
Find the lines:
#PasswordAuthentication yes
#PermitEmptyPasswords no
#UsePAM no
Remove the “#” from each line and change them to:
PasswordAuthentication no
PermitEmptyPasswords no
UsePAM no
Lastly, save the changes (Ctrl + O) and exit the editor (Ctrl + X).
Restart the SSH service to apply changes:
sudo systemctl restart ssh
With this newly updated SSH configuration, you now have to specify the port to be able to log in:
ssh -p 1010 username@homelab_ip_addr
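To confirm that the edits above are the settings sshd actually enforces, the following added example (not part of the original guide) checks the output of sudo sshd -T against the values chosen here; the function name audit_sshd, the two sample outputs and the user “damien” in AllowUsers are assumptions for illustration. Run sudo sshd -t before restarting to catch syntax errors, and keep your current session open until a new login on port 1010 succeeds.

```shell
#!/bin/sh
# Added example: compare effective sshd settings with the values chosen in this guide.
# Feed it the output of `sudo sshd -T`, which prints lower-case "keyword value" lines.

# Expected values; port 1010 comes from the guide, the user name is an assumed sample.
EXPECTED='port 1010
permitrootlogin no
passwordauthentication no
permitemptypasswords no
usepam no
allowusers damien'

# audit_sshd: reads `sshd -T` output on stdin, prints one line per mismatch,
# returns 0 if every expected setting is in effect and 1 otherwise.
audit_sshd() {
    audit_effective=$(cat)
    audit_rc=0
    while read -r audit_key audit_want; do
        audit_got=$(printf '%s\n' "$audit_effective" |
            awk -v k="$audit_key" '$1 == k { print $2; exit }')
        if [ "$audit_got" != "$audit_want" ]; then
            echo "MISMATCH $audit_key: want '$audit_want', effective '${audit_got:-<unset>}'"
            audit_rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$audit_rc"
}

# Constructed sample: the settings from this guide are in effect.
SAMPLE_GOOD='port 1010
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
permitemptypasswords no
usepam no
allowusers damien'

# Constructed sample: an earlier directive (for example from an included drop-in
# file) still enables passwords, and AllowUsers was never added.
SAMPLE_OVERRIDDEN='port 1010
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes
permitemptypasswords no
usepam no'

printf '%s\n' "$SAMPLE_GOOD" | audit_sshd && echo "sample 1: all settings in effect"
printf '%s\n' "$SAMPLE_OVERRIDDEN" | audit_sshd || echo "sample 2: fix before closing your session"
# Real use on the server: sudo sshd -T | audit_sshd
```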
What’s Next
Now that you’ve set up SSH for secure remote access to your homelab server, you can proceed to install Docker on your server so you can start installing free and open-source apps.