Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network.

This details how to install and set up SSH on a Linux system.

- Install SSH according to the system's Linux distribution.

  Arch Linux:

  ```sh
  sudo pacman -Syyu
  sudo pacman -S openssh
  ```

  Debian/Ubuntu:

  ```sh
  sudo apt update
  sudo apt install openssh-server
  ```

  Rocky Linux (RHEL):

  ```sh
  sudo yum update
  sudo yum install openssh-server
  ```
-
- Generate SSH keys of the type `ed25519` with the following command:

  ```sh
  ssh-keygen -t ed25519
  ```

  > [!TIP]
  > Besides the `ed25519` key type, there are several alternative types such as `ecdsa` and `rsa`.

- Go through the SSH key generation process, step by step.
  - When asked where the key file should be saved, enter a valid path or hit Enter to accept the default (i.e. `~/.ssh/id_ed25519`).
  - When asked for a passphrase, enter a secure passphrase, which will be required each time the key is used, or hit Enter to set an empty passphrase. Do the same when prompted for a confirmation.
- Once the key has been generated, take note of the paths to the newly generated keys. For example:
  - Private key: `~/.ssh/id_ed25519`
  - Public key: `~/.ssh/id_ed25519.pub`
This details the process of updating the system's SSH configuration and includes some recommended configuration options.

- Back up the original SSH configuration file:

  ```sh
  sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
  ```

- Update the SSH configuration file:

  ```sh
  sudo nano /etc/ssh/sshd_config
  ```

- Make any necessary changes and save the SSH configuration file.
- Once absolutely confident and ready to apply the changes, restart the SSH service `sshd.service`.

  > [!NOTE]
  > The underlying SSH service may be named differently (i.e. `ssh.service`) depending on your Linux distribution.

  > [!WARNING]
  > Applying changes to the SSH configuration file without being prepared for the changes to take effect is highly discouraged.
This changes the system's SSH port from its default port 22 for better security.

- In the SSH config file, search for the `Port` parameter.
- Based on the default `Port` line:

  ```diff
   #Port 22
  +Port <port-number>
  ```

  - Comment the original `Port` line if it is not already commented to override it.
  - Add a new `Port` line underneath the original, with `<port-number>` being the new port number you have chosen (e.g. `2222`).
- Example changes:

  ```
  #Port 22
  Port 2222
  ```
-
This disables logging in as root via SSH.

- In the SSH config file, search for the `PermitRootLogin` parameter.
- Based on the default `PermitRootLogin` line:

  ```diff
   #PermitRootLogin prohibit-password
  +PermitRootLogin no
  ```

  - Comment the original `PermitRootLogin` line if it is not already commented to override it.
  - Add a new `PermitRootLogin` line with its value set to `prohibit-password` (good security) or `no` (best security).
- Example changes:

  ```
  #PermitRootLogin prohibit-password
  PermitRootLogin no
  ```
-
This disables authenticating users with their passwords via SSH, requiring the use of SSH keys instead.

- In the SSH config file, search for the `PasswordAuthentication` parameter.
- Based on the default `PasswordAuthentication` line:

  ```diff
   #PasswordAuthentication yes
  +PasswordAuthentication no
  ```

  - Comment the original `PasswordAuthentication` line if it is not already commented to override it.
  - Add a new `PasswordAuthentication` line with its value set to `no` to only allow user authentication using SSH keys.
- Example changes:

  ```
  #PasswordAuthentication yes
  PasswordAuthentication no
  ```
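The three configuration changes above (Port, PermitRootLogin, PasswordAuthentication) carried out as one script, as an added example that is not part of the original guide: it keeps the backup the guide recommends, comments out the original lines rather than leaving them active (sshd uses the first value it finds for most keywords, and listens on every uncommented `Port` line, so an active original would override or coexist with a line appended below it), and validates the result with `sshd -t` before the service is restarted. The config path and port are parameters; it assumes POSIX `sh`, `sed`, `grep` and `awk`.

```shell
#!/bin/sh
# Added example (not from the original guide): apply the guide's three
# sshd_config changes to the file given as $1, keeping a .bak copy.
# Assumes POSIX sh plus sed/grep/awk; the sshd check runs only if sshd exists.

# harden_sshd_config FILE PORT
# Comments out any active Port / PermitRootLogin / PasswordAuthentication
# line and appends the new values underneath. The original file is kept
# as FILE.bak (the guide's own backup step).
harden_sshd_config() {
    cfg="$1"
    port="$2"
    cp "$cfg" "$cfg.bak" || return 1
    # '#&' re-emits the matched text with a leading '#', i.e. comments it out.
    sed -e 's/^[[:space:]]*Port[[:space:]]/#&/' \
        -e 's/^[[:space:]]*PermitRootLogin[[:space:]]/#&/' \
        -e 's/^[[:space:]]*PasswordAuthentication[[:space:]]/#&/' \
        "$cfg.bak" > "$cfg" || return 1
    printf 'Port %s\nPermitRootLogin no\nPasswordAuthentication no\n' \
        "$port" >> "$cfg"
}

# effective_value FILE KEYWORD
# Prints the value sshd would use: the first uncommented line for KEYWORD
# (sshd_config(5): "the first obtained value will be used").
effective_value() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# check_sshd_config FILE
# `sshd -t -f FILE` parses the file without starting the daemon; a non-zero
# exit means do not restart the service yet. Needs root to read the host keys.
check_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not found; skipping syntax check" >&2
    fi
}

# Typical use on a real system (as root; the service may be ssh.service):
#   harden_sshd_config /etc/ssh/sshd_config 2222 && \
#   check_sshd_config /etc/ssh/sshd_config && systemctl restart sshd.service
```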
-
This details how to copy your SSH keys to a remote system.

- Generate SSH keys on the local system if they do not already exist.
- Copy your SSH keys to the remote server using `ssh-copy-id`:
  - Copy the public key to the remote server:

    ```sh
    ssh-copy-id -i <public-key-path> <remote-user>@<ip-address>
    ```

    - `<public-key-path>`: Replace this with the path to your public key (e.g. `~/.ssh/id_ed25519.pub`)
    - `<remote-user>`: Replace this with the username of the remote system (e.g. `myuser`)
    - `<ip-address>`: Replace this with the IP address of the remote system (e.g. `192.168.0.86`)
  - If the remote server's SSH port is not the default (i.e. `22`), add the `-p` flag to specify the port number:

    ```sh
    ssh-copy-id -i <public-key-path> -p <port-number> <remote-user>@<ip-address>
    ```

    - `<port-number>`: Replace this with the SSH port number of the remote system (e.g. `2222`)
- Alternatively, you can do so without `ssh-copy-id`:

  ```sh
  cat <public-key-path> | ssh <remote-user>@<ip-address> -p <port-number> 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'
  ```

- Verify that the key has been copied successfully by remotely accessing the remote server using SSH. If your public key has been copied successfully, you should not be prompted for a password.
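The remote-side step that `ssh-copy-id` and the `cat | ssh` one-liner above perform, written as an added example that is not part of the original guide: the one-liner appends the key on every run, whereas this function skips a key that is already present in `authorized_keys` and still applies the `700`/`600` modes. The function name and its arguments are the example's own; it assumes POSIX `sh` and `awk`.

```shell
#!/bin/sh
# Added example (not from the original guide): install a public key into an
# authorized_keys file idempotently. Assumes POSIX sh plus awk.

# install_authorized_key PUBKEY_FILE [SSH_DIR]
#   PUBKEY_FILE: the public key to install (e.g. ~/.ssh/id_ed25519.pub)
#   SSH_DIR:     target .ssh directory (defaults to $HOME/.ssh)
# Prints "added" or "present"; returns 1 if PUBKEY_FILE is not a key.
install_authorized_key() {
    pub="$1"
    dir="${2:-$HOME/.ssh}"
    auth="$dir/authorized_keys"
    # A public key line is "<type> <base64-blob> [comment]". Compare on
    # type+blob only, so the same key with another comment is not added twice.
    key=$(awk 'NR==1 && NF>=2 { print $1 " " $2 }' "$pub")
    if [ -z "$key" ]; then
        echo "not a public key: $pub" >&2
        return 1
    fi
    # Same modes as the guide's one-liner; sshd's StrictModes rejects looser ones.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # Exact match on the first two fields of each existing entry.
    if awk -v k="$key" 'NF>=2 && ($1 " " $2) == k { found=1 } END { exit !found }' "$auth"; then
        echo present
    else
        head -n 1 "$pub" >> "$auth"
        echo added
    fi
}

# Usage on the remote host: install_authorized_key /path/to/id_ed25519.pub
```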
This details how to enable remote access to your machine and how to access another machine using SSH.

- Ensure SSH is installed on both the local and remote system.
- Start and enable the SSH service `sshd.service`.

  > [!NOTE]
  > The underlying SSH service may be named differently (i.e. `ssh.service`) depending on your Linux distribution.

- Once the SSH service is active, the machine can be remotely accessed from another device using SSH.
- Connect to another machine (with the SSH service enabled) using SSH:

  ```sh
  ssh <remote-user>@<ip-address> -p <port-number>
  ```

  > [!TIP]
  > You can omit the `-p` flag and value if the remote server's SSH port is the default (i.e. `22`).

- Enter the password of the remote user when prompted.

  > [!NOTE]
  > If you have copied your public SSH key to the remote server, you should not be prompted for a password.