- About the VM access
- Set up the SSH access to the VM
- Set up SSH (LOCAL)
- Set up the SSH access to the VM as the user root
- Set up the SSH access to the VM as the user <user>
- Restrict the SSH connection
VM access is the process of connecting to a virtual machine over a network using SSH.
The initial connection uses the user root because a fresh VM has no other users.
After that, you create a non-root user and switch to it for all further work.
Working as the user root is risky because every command runs with full permissions: a mistake or a compromised session can modify or delete any file, change system configuration, or break the operating system.
A non-root user operates with limited permissions by default, so accidental damage is contained.
When an administrative action is genuinely needed, the user can escalate temporarily with the sudo command.
After switching to the non-root user, you restrict the SSH connection so that the user root can no longer log in remotely.
This reduces the attack surface of the VM: even if an attacker knows the IP address, the most powerful account is unreachable over the network.
Note
Replace the placeholder <user>.
Complete these steps:
- Set up SSH (LOCAL).
- Create a VM.
- Check that the VM is accessible (LOCAL).
- Set up the SSH access to the VM as the user root.
- Set up the SSH access to the VM as the user <user>.
- Restrict the SSH connection.
Set up SSH to connect to a remote host.
Complete these steps:
- Check your current shell.
- Create a new SSH key (LOCAL).
- Find the SSH key files (LOCAL).
- Get the SSH public key (LOCAL).
- Add the SSH key to the ssh-agent (LOCAL).
- To generate a new key,

      ssh-keygen -t ed25519 -C "se-toolkit-student" -f ~/.ssh/se_toolkit_key

  Note: You can replace "se-toolkit-student" with your email or another label.

  Note: -f ~/.ssh/se_toolkit_key sets a custom file path and name.

  Note: We'll use the ed25519 algorithm, which is the modern standard for security and performance. We chose this algorithm because it's used in the GitHub docs on generating a new SSH key.

  Note: Actually, you generate a key pair: a private key (secret) and a public key (safe to share).

- Passphrase: When prompted Enter passphrase, you may type a secure password or press Enter for no passphrase. Without a passphrase, anyone who obtains the private key file can use it.

  Note: If you set a passphrase, use ssh-agent to avoid retyping it on every connection.
- To verify the keys were created,

      ls ~/.ssh/se_toolkit_key*

- You should see two files listed.
  The file ending in .pub contains the public key.
  Another file contains the private key.
Caution
Never share the private key.
- To view the content of the public key file,

      cat ~/.ssh/se_toolkit_key.pub

  The output should be similar to this:

      ssh-ed25519 AKdk38D3faWJnlFfalFJSKEFGG/vmLQ62Z+vpWCe5e/c2n37cnNc39N3c8qb7cBS+e3d se-toolkit-student
- To start the agent,

      eval "$(ssh-agent -s)"

- To add the key to the ssh-agent,

      ssh-add ~/.ssh/se_toolkit_key

- To list the loaded keys,

      ssh-add -l

  You should see your key fingerprint in the output.
The agent has no identities.
- To check that the VM is accessible,

      ping <your-vm-ip-address>

  You should see the output like this:

      PING <your-vm-ip-address> (<your-vm-ip-address>) 56(84) bytes of data.
      64 bytes from <your-vm-ip-address>: icmp_seq=1 ttl=62 time=4.40 ms
      64 bytes from <your-vm-ip-address>: icmp_seq=2 ttl=62 time=5.34 ms
      64 bytes from <your-vm-ip-address>: icmp_seq=3 ttl=62 time=3.04 ms
      ...

  The lines should continue being printed.
Connection timed out
Complete these steps:
- Update the SSH config to connect to the VM as the user root (LOCAL).
- Connect to the VM as the user root (LOCAL).
- Open the file using code: ~/.ssh/config.
- Add this text at the end of the opened file:
  - Linux, Windows (WSL):

        Host se-toolkit-vm
          HostName <your-vm-ip-address>
          User root
          IdentityFile ~/.ssh/se_toolkit_key
          AddKeysToAgent yes

  - macOS:

        Host se-toolkit-vm
          HostName <your-vm-ip-address>
          User root
          IdentityFile ~/.ssh/se_toolkit_key
          AddKeysToAgent yes
          UseKeychain yes

  Replace the placeholder <your-vm-ip-address>.

  Tip: If ~/.ssh/config already contains a Host se-toolkit-vm entry, skip this step.
- To connect to the VM,

      ssh se-toolkit-vm

- If this is your first time connecting:
  - You will see a message: The authenticity of host ... can't be established.
  - Type yes and press Enter.
- After a successful login, you should see this SSH shell prompt:

      root@<your-vm-name><vm-index>:~#

  Note: <your-vm-name> is the same as you specified when creating the VM.
Note
See <user>.
Complete these steps:
- Create the non-root user <user> (REMOTE).
- Set up the SSH key authentication for the user <user> (REMOTE).
- Update the SSH config to connect to the VM as the user <user> (LOCAL).
- Connect to the VM as the user <user> (LOCAL).
Note
See <user>.
Complete these steps:
- Set the password for the user <user> (REMOTE).
- Provide other information about the user <user> (REMOTE).
- Add the user <user> to the group sudo (REMOTE).
Note
See <user>.
- To create the user <user>,

      adduser <user>

  Note: This will create a group with the same name as <user>.
  We'll refer to this group as <user-group>.

  The output should be similar to this:

      info: Adding user `<user>' ...
      info: Selecting UID/GID from range 1000 to 59999 ...
      info: Adding new group `<user-group>' (1002) ...
      info: Adding new user `<user>' (1002) with group `<user-group> (1002)' ...
      info: Creating home directory `/home/<user>' ...
      info: Copying files from `/etc/skel' ...
      New password:
- When prompted for a password (New password):
  - Save it in a password manager to not lose it.
  - Type it in the shell where you were prompted.

    Note: The shell won't show what you type for security reasons.
Note
See <user>.
- Keep the default values for these (press Enter when prompted):

      Full Name []:
      Room Number []:
      Work Phone []:
      Home Phone []:
      Other []:

- When prompted Is the information correct? [Y/n]:
  - Type y.
  - Press Enter.

  The output should be similar to this:

      info: Adding new user `<user>' to supplemental / extra groups `users' ...
      info: Adding user `<user>' to group `users' ...
Note
Replace the placeholder <user>.
- To add the user <user> to the group sudo,

      usermod -aG sudo <user>

  There should be no output.

- To check that the user <user> was added to the group sudo,

      groups <user>

  The output should be similar to this:

      <user> : <user-group> sudo users

  Note: See <user-group>.
Note
Replace the placeholder <user>.
- To create the .ssh/ directory for the user <user>,

      mkdir -p /home/<user>/.ssh

- To copy the authorized keys from the user root,

      cp /root/.ssh/authorized_keys /home/<user>/.ssh/

- To set the correct ownership on the .ssh/ directory,

      chown -R <user>:<user-group> /home/<user>/.ssh

  Note: See <user-group>.

- To set the correct permissions on the .ssh/ directory,

      chmod 700 /home/<user>/.ssh

  Note: See Set the permissions.

  Note: SSH refuses to use keys if the .ssh/ directory is accessible by other users. See Mode 700.

- To set the correct permissions on the authorized_keys file,

      chmod 600 /home/<user>/.ssh/authorized_keys

  Note: SSH ignores authorized_keys if it is readable or writable by other users. See Mode 600.
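
An added check, not part of the original page, that audits the result of the mkdir, cp, chown and chmod steps above before you rely on key login. The helper name check_ssh_perms and the temporary sample directory are assumptions made for illustration.

```sh
# Added example, not from the original page: audit the result of the
# mkdir/cp/chown/chmod steps. check_ssh_perms is a hypothetical helper name.

# check_ssh_perms USER SSH_DIR
# Prints one line per problem; returns 0 only if the directory is mode 700,
# authorized_keys is mode 600, and both are owned by USER.
check_ssh_perms() {
  local user dir path want mode owner problems
  user=$1; dir=$2; problems=0
  for path in "$dir" "$dir/authorized_keys"; do
    case $path in
      */authorized_keys) want='-rw-------' ;;
      *)                 want='drwx------' ;;
    esac
    if [ ! -e "$path" ]; then
      echo "$path: missing"; problems=$((problems + 1)); continue
    fi
    # ls -ld prints "mode links owner group ..."; keep the 10 mode characters
    # and drop any ACL or SELinux suffix such as "." or "+".
    set -- $(ls -ld "$path")
    mode=$(printf '%.10s' "$1"); owner=$3
    if [ "$mode" != "$want" ]; then
      echo "$path: mode $mode, expected $want"; problems=$((problems + 1))
    fi
    if [ "$owner" != "$user" ]; then
      echo "$path: owned by $owner, expected $user"; problems=$((problems + 1))
    fi
  done
  [ "$problems" -eq 0 ]
}

# Constructed sample: the state right after mkdir and cp, before chmod.
demo=$(mktemp -d)/.ssh
mkdir -m 755 "$demo"; : >"$demo/authorized_keys"; chmod 644 "$demo/authorized_keys"
me=$(id -un)
check_ssh_perms "$me" "$demo" || echo "-> not ready for key login"
chmod 700 "$demo"; chmod 600 "$demo/authorized_keys"
check_ssh_perms "$me" "$demo" && echo "-> modes and owner are correct"
rm -rf "${demo%/.ssh}"
```

On the VM, the equivalent call is check_ssh_perms <user> /home/<user>/.ssh, run as root before you log out.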
Note
See <user>.
- Open the file: ~/.ssh/config.
- Find the se-toolkit-vm entry.
- Change User root to User <user>:
  - Linux, Windows:

        Host se-toolkit-vm
          HostName <your-vm-ip-address>
          User <user>
          IdentityFile ~/.ssh/se_toolkit_key
          AddKeysToAgent yes

  - macOS:

        Host se-toolkit-vm
          HostName <your-vm-ip-address>
          User <user>
          IdentityFile ~/.ssh/se_toolkit_key
          AddKeysToAgent yes
          UseKeychain yes

  Replace the placeholder <user>.
Note
See <user>.
- To connect to the VM as the user <user>,

      ssh se-toolkit-vm

  Replace the placeholder <your-vm-ip-address>.

- To confirm you are logged in as the user <user>, not the user root, look at the shell prompt.

  You should see:

      <user>@<your-vm-name><vm-index>:~$

  Note:
  - The current working directory is the home directory (~).
  - <user> is the same as you specified when updating the SSH config to connect to the VM as the user <user> (LOCAL).
  - <your-vm-name> is the same as you specified when creating the VM.
  - <vm-index> is some number.
Complete these steps:
- Restrict the SSH config for the user <user> (LOCAL).
- Restrict the sshd config for the user <user> (REMOTE).
- Restart sshd (REMOTE).
- Connect to the VM as the user <user> (LOCAL).
- Verify that you can't connect to the VM as the user root (LOCAL).
- Verify that you can still connect to the VM as the user <user> (LOCAL).
Note
See <user>.
- Open the file: ~/.ssh/config.
- Add PasswordAuthentication no here:
  - Linux, Windows:

        Host se-toolkit-vm
          HostName <your-vm-ip-address>
          User <user>
          IdentityFile ~/.ssh/se_toolkit_key
          AddKeysToAgent yes
          PasswordAuthentication no

  - macOS:

        Host se-toolkit-vm
          HostName <your-vm-ip-address>
          User <user>
          IdentityFile ~/.ssh/se_toolkit_key
          AddKeysToAgent yes
          UseKeychain yes
          PasswordAuthentication no

  Replace the placeholder <user>.
- Connect to the VM as the user <user> (LOCAL) to verify you can connect as the user <user> without a password.
Note
See <user>.
- Connect to the VM as the user <user> (LOCAL) if not yet connected.
- To open the sshd config:

      sudo nano /etc/ssh/sshd_config

- Find the line PermitRootLogin yes and set it to:

      PermitRootLogin no

- Find the line #PasswordAuthentication yes and set it to:

      PasswordAuthentication no

- To write the changes:
  - Press Ctrl+O.
  - Press Enter.
- To close the editor, press Ctrl+X.
Note
See <user>.
- To validate the sshd config:

      sudo sshd -t

- If the command prints no output, the config is valid.
  If it prints errors, fix them in /etc/ssh/sshd_config before continuing.
- To restart sshd,

      sudo systemctl restart sshd

  The output should be empty.

  Keep the current SSH session open until the connection checks below succeed, so that a mistake in the config does not lock you out of the VM.

- To try to connect to the VM as the user root,

      ssh root@<your-vm-ip-address>

  Replace the placeholder <your-vm-ip-address>.

  The output should be similar to this:

      Received disconnect from <your-vm-ip-address> port 22:2: Too many authentication failures
      Disconnected from <your-vm-ip-address> port 22
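
If root or password login still works after the restart, the line you edited may not be the one sshd uses. The added example below, which is not part of the original page, resolves a keyword the way sshd does: the first value read wins, and an Include line is expanded where it appears. The helper names, the drop-in file name and the Include layout (as on Debian and Ubuntu images) are assumptions; the sample files are constructed.

```sh
# Added example, not from the original page. sshd keeps the FIRST value it
# reads for a keyword, and an Include line is expanded where it appears, so a
# drop-in can override a line edited further down in sshd_config.

# sshd_effective KEYWORD FILE (hypothetical helper)
# Prints "value<TAB>file" for the first global setting; returns 1 if unset.
sshd_effective() {
  local want file key value pattern inc
  want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  file=$2
  [ -r "$file" ] || return 1
  while read -r key value || [ -n "$key" ]; do
    key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
    case $key in
      ''|'#'*) continue ;;            # blank line or comment
      match) return 1 ;;              # the rest of this file is conditional
      include)
        for pattern in $value; do
          case $pattern in /*) ;; *) pattern=$(dirname "$file")/$pattern ;; esac
          for inc in $pattern; do     # the glob expands in lexical order
            sshd_effective "$want" "$inc" && return 0
          done
        done ;;
      "$want")
        printf '%s\t%s\n' "$value" "$file"
        return 0 ;;
    esac
  done <"$file"
  return 1
}

# Constructed sample: sshd_config edited as on this page, plus one drop-in.
make_sample() {
  local d
  d=$(mktemp -d)
  mkdir "$d/sshd_config.d"
  printf 'PasswordAuthentication yes\n' >"$d/sshd_config.d/50-image-defaults.conf"
  printf '%s\n' "Include $d/sshd_config.d/*.conf" '#PermitRootLogin yes' \
    'PermitRootLogin no' 'PasswordAuthentication no' >"$d/sshd_config"
  printf '%s\n' "$d"
}

sample=$(make_sample)
for kw in PermitRootLogin PasswordAuthentication; do
  printf '%s\t' "$kw"; sshd_effective "$kw" "$sample/sshd_config"
done
rm -rf "$sample"
```

In the sample, PasswordAuthentication resolves to yes from the drop-in even though sshd_config says no. On the VM itself, sudo sshd -T prints the values the installed configuration resolves to.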