Skip to content

SSH - Secure Shell

Setting up an SSH server involves several steps, including installing the SSH server software, configuring it, and ensuring secure access. Here's a step-by-step guide to set up an SSH server on a Linux-based system:

Install SSH Server

The specific command to install the SSH server may vary depending on your Linux distribution. Here are commands for some popular distributions:

  • Ubuntu/Debian:
sudo apt update
sudo apt install openssh-server
  • CentOS/RHEL:

For CentOS 7 and RHEL 7:

sudo yum install openssh-server

For CentOS 8 and RHEL 8:

sudo dnf install openssh-server
  • Arch Linux:
sudo pacman -S openssh
  • Fedora:
sudo dnf install openssh-server
  • OpenSUSE:
sudo zypper install openssh

Start and Enable SSH Service

After installation, start the SSH service and enable it to start on boot:

sudo systemctl start sshd
sudo systemctl enable sshd

Configuring SSH (optional step)

By default, SSH is secure, but you can further enhance security by modifying its configuration. The SSH server configuration file is usually located at /etc/ssh/sshd_config. You can edit it with a text editor like nano or vim.

sudo nano /etc/ssh/sshd_config

Some common configuration changes include:

  • Changing the SSH port (recommended for security):
Port 2222
  • Disabling root login (recommended):
PermitRootLogin no
  • Allowing only specific users to log in:
AllowUsers yourusername

Make your desired changes and save the file. After making changes, restart the SSH service:

sudo systemctl restart sshd

Firewall Configuration

If you have a firewall enabled (e.g., ufw for Ubuntu), you'll need to allow SSH traffic. The default SSH port is 22, so you should allow traffic on this port.

For ufw on Ubuntu:

sudo ufw allow 2222/tcp   # Allow your custom SSH port (if changed)
sudo ufw enable

For firewalld on CentOS/RHEL:

sudo firewall-cmd --add-service=ssh --permanent
sudo firewall-cmd --reload

Accessing the SSH Server

You can now access your SSH server from another machine using an SSH client. Use the following command:

ssh username@server_ip_or_hostname -p 2222  # Use your custom SSH port (if changed)

Replace username with your server username, server_ip_or_hostname with your server's IP address or hostname, and -p 2222 with the custom SSH port if you changed it.

SSH Key Authentication (Optional)

For added security, consider setting up SSH key authentication. This eliminates the need for password-based authentication. Setting up SSH key authentication involves generating an SSH key pair on your local machine and then configuring your remote server to recognize your public key for authentication. Here's a step-by-step guide to set up SSH keys:

Generate SSH Key Pair (on your local machine)

You can generate an SSH key pair using the ssh-keygen command. Open a terminal on your local machine and run the following command:

ssh-keygen -t rsa -b 4096
  • -t rsa specifies that you want to generate an RSA key.
  • -b 4096 specifies the key length. 4096 bits is a good choice for strong security.

You'll be prompted to choose a location to save the key pair. By default, they are usually saved in ~/.ssh/id_rsa for the private key and ~/.ssh/id_rsa.pub for the public key. Press Enter to accept the default location.

You can also provide a passphrase to further secure your private key. This is optional but recommended for additional security.

Copy the Public Key to the Remote Server

Next, you need to copy your public key to the remote server. You can use the ssh-copy-id command for this. Replace username and server_ip_or_hostname with your server's username and address:

ssh-copy-id username@server_ip_or_hostname

You'll be prompted to enter your server password. After successfully entering your password, your public key will be added to the ~/.ssh/authorized_keys file on the remote server.

If you don't have ssh-copy-id available, you can manually copy the public key by running:

cat ~/.ssh/id_rsa.pub | ssh username@server_ip_or_hostname "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Test SSH Key Authentication

Now, you can test SSH key authentication by attempting to SSH into your remote server without providing a password. Run the following command:

ssh username@server_ip_or_hostname

If you set a passphrase for your SSH key, you'll be prompted to enter it. Otherwise, you should be logged in without a password.

For enhanced security, you can disable password authentication on your SSH server, allowing only key-based authentication. To do this, edit the SSH server configuration file on your server (typically located at /etc/ssh/sshd_config) and set the following options:

PasswordAuthentication no
ChallengeResponseAuthentication no

Save the file and then restart the SSH server:

sudo systemctl restart sshd

With password authentication disabled, you can only log in using your SSH key.

SSH key authentication is a more secure and convenient way to access your remote server compared to password authentication. Be sure to keep your private key secure, as anyone with access to it can log in to your server.