📒 

SSH (Secure Shell) is a protocol used to securely connect to remote systems, execute commands, and transfer data. It provides a secure method for system administrators, developers, and users to manage servers and other devices remotely, using encrypted connections. Installing and configuring SSH is essential for securely accessing servers, whether for system administration, remote work, or development purposes.

In this article, we’ll walk you through how to install and configure SSH on Linux, covering the basics, configuration options, and security recommendations.


What is SSH?

SSH stands for Secure Shell, and it allows users to securely connect to a remote system via a command-line interface. The protocol encrypts the data between the client and the server, making it a secure method of communication, especially for accessing servers over an unsecured network like the internet.

SSH operates over port 22 by default and can be used for:

  • Remote login to servers
  • Secure file transfer (using SCP or SFTP)
  • Remote command execution
  • Port forwarding and tunneling

Step 1: Installing SSH

Most Linux distributions come with SSH pre-installed, but if it’s not installed, you can easily install it using the package manager for your distribution.

For Ubuntu/Debian:

sudo apt update sudo apt install openssh-server

For CentOS/RHEL:

sudo yum install openssh-server

For Fedora:

sudo dnf install openssh-server

For Arch Linux:

sudo pacman -S openssh

After installation, you will have the OpenSSH server and client installed, allowing you to both run an SSH server and connect to other SSH servers.


Step 2: Starting and Enabling the SSH Service

Once installed, you need to start the SSH service (also known as sshd – SSH daemon) and enable it to run at system startup.

Starting the SSH Service:

sudo systemctl start ssh

Enabling SSH to Start on Boot:

sudo systemctl enable ssh

You can check if SSH is running correctly by typing:

sudo systemctl status ssh

If the service is running, you’ll see an active status indicating that SSH is ready to accept connections.


Step 3: Basic SSH Configuration

SSH’s behavior is controlled by the configuration file located at:

/etc/ssh/sshd_config

You can edit this file to modify SSH settings, such as changing the default port, disabling root login, or setting up key-based authentication.

To edit the file, use a text editor like nano or vim:

sudo nano /etc/ssh/sshd_config

Some common configuration changes include:

1. Change the Default SSH Port

For security reasons, it’s a good idea to change the default SSH port from 22 to something else. This helps reduce the risk of automated attacks that target the default SSH port.

Find the following line in the configuration file:

#Port 22

Uncomment it and change the port number:

Port 2222

After saving the file, restart the SSH service to apply the changes:

sudo systemctl restart ssh

Make sure to update your firewall rules to allow connections on the new port.

2. Disable Root Login

Allowing root login via SSH is a security risk. To prevent this, find the following line in the configuration file:

PermitRootLogin yes

Change it to:

PermitRootLogin no

This will prevent direct root access via SSH. Users can still log in with a regular account and then switch to root using sudo or su.

3. Enable Key-Based Authentication

SSH key-based authentication is a more secure method than using passwords. This involves generating an SSH key pair (public and private keys) and using the private key to authenticate.

To enforce key-based authentication, find the following lines and ensure they are set to yes:

PubkeyAuthentication yes PasswordAuthentication no

This disables password-based login and only allows SSH access through key-based authentication.


Step 4: Generating SSH Keys (Key-Based Authentication)

SSH key pairs provide a secure way to log in without a password. Here’s how to generate and set up SSH keys:

Step 1: Generate the SSH Key Pair

On your local machine, run the following command to generate a key pair:

ssh-keygen -t rsa -b 4096

You will be prompted to enter a filename to save the key (or press Enter to use the default location) and an optional passphrase for extra security.

This creates two files:

  • ~/.ssh/id_rsa: Your private key (keep this secure and do not share it).
  • ~/.ssh/id_rsa.pub: Your public key (this can be shared and added to remote servers).

Step 2: Copy the Public Key to the Server

To use the key for SSH login, copy the public key to the remote server you want to access. You can do this with the ssh-copy-id command:

ssh-copy-id username@remote_host

Replace username with your remote server’s username and remote_host with the server’s IP address or hostname.

This will copy your public key to the server and add it to the ~/.ssh/authorized_keys file, allowing you to log in without a password.

Step 3: Log in Using SSH Key

Now, you can log into the remote server using your private key:

ssh username@remote_host

If you have set a custom port, specify it with the -p option:

ssh -p 2222 username@remote_host

Step 5: Securing Your SSH Configuration

After setting up SSH, it’s important to follow security best practices to ensure that your server is protected from unauthorized access.

1. Use Strong Passwords (If Using Password Authentication)

If you are not using key-based authentication, ensure that all user accounts use strong, complex passwords.

2. Use a Firewall

Ensure that your server’s firewall only allows traffic on the SSH port you’re using. For example, if you changed SSH to port 2222, allow traffic on that port using ufw (on Ubuntu/Debian) or firewalld (on CentOS/RHEL).

sudo ufw allow 2222/tcp sudo ufw enable

3. Limit SSH Access

Limit SSH access to specific IP addresses or ranges by configuring the firewall or using /etc/hosts.allow and /etc/hosts.deny.


Step 6: Testing and Troubleshooting SSH

After configuring SSH, it’s important to test your setup. Attempt to log in using SSH to ensure everything works correctly.

Common SSH Troubleshooting Tips:

  1. Check Firewall Settings: Ensure the firewall is not blocking the SSH port.
  2. Check SSH Service Status: Ensure the SSH service is running with systemctl status ssh.
  3. Verify Configuration: Double-check the /etc/ssh/sshd_config file for any misconfigurations.
  4. Use Verbose Mode for Debugging: If there are issues, use the -v option when connecting to see detailed output:
ssh -v username@remote_host

Conclusion

Installing and configuring SSH is a fundamental skill for any Linux administrator or user who needs to manage remote systems securely. By following this guide, you can set up SSH, configure it for secure access, and implement best practices to protect your server from unauthorized access. Once configured, SSH becomes a powerful tool for remote management, automation, and secure communication between systems.