Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote command-line login, remote command execution, and other secure network services between two networked computers. It connects a server and a client (running SSH server and SSH client programs, respectively) over a secure channel across an insecure network.
At the Server
Have a seat and log in to your account on the server machine. If this is the root account that is fine for now; if it is not, I suggest typing these commands:
sudo su
passwd
and setting a password so that you can log in as root from now on. If you did so, simply log out (Ctrl-D) and log in as root by typing
Next we need to create a new user, which I suggest giving an unusual name. In this article I will use saint as the username. To do so, type these commands:
useradd -d /home/saint -m -U -s /bin/bash saint
passwd saint
and set a password for this user. Notice that this user does not belong to sudoers, so he cannot execute commands that require root privileges simply by typing his own password; to do so he must know root's password and become root by typing
The next step is to install the OpenSSH server with the command:
apt-get install --yes --no-install-recommends openssh-server
Make a backup of the server's sshd_config file and make the backup read-only with these commands:
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
chmod a-w /etc/ssh/sshd_config.orig
Then use your favorite editor to edit the sshd_config file, e.g.
vi /etc/ssh/sshd_config
and make the following suggested changes to it.
Change OpenSSH default port
For security reasons you should change the OpenSSH default port 22. This does not stop a determined attacker, but it keeps most automated scanners and their log noise away. To do so locate the Port line in the sshd_config file (the default is 22) and change it to something else; the client commands later in this article use 48250.
Bind OpenSSH only to your internal interface
Locate the ListenAddress line in the sshd_config file and set it to your server's internal IP address, so that sshd does not listen on every interface.
Disable root login via SSH
Again, for security reasons, disallow the root account from logging in via SSH. To do that locate the PermitRootLogin line in the sshd_config file and change it to
PermitRootLogin no
Additionally you can add the following line in order to allow only the user saint that we created previously to use the system via SSH:
AllowUsers saint
At this point you can save the sshd_config file, restart sshd and check your configuration with the following commands:
restart ssh
netstat -tulapn | grep sshd
(restart ssh is the Upstart form; on a systemd system use systemctl restart ssh. Keep your current session open until a fresh login on the new port has been confirmed to work.)
At the Client
Now change seat and go to the client machine, which must be on the same internal network as your SSH server. Log in as a normal user and install the OpenSSH client by typing:
sudo apt-get install --yes --no-install-recommends openssh-client
or use the su - command to install it as root. After this is done (if you logged in as root, log out with Ctrl-D and log in as a normal user) we need to do the following:
Create Private/Public Keys to use the private/public key authentication scheme
The first step is to create an RSA key pair for authentication. (At this point you may want to use the apg command to generate a passphrase; I suggest
apg -m 8 -x 12 -l -M SNCL
which proposes candidates of 8 to 12 characters drawn from symbols, numbers, capitals and lowercase letters.) Now create the keys by typing this command:
ssh-keygen -t rsa -b 4096 -C "$(whoami)@$(hostname)-$(date -I)"
Accept the suggested options and choose a strong passphrase.
After this you will have a .ssh directory with the proper permissions (mode 700) containing your private key id_rsa (mode 600) and your public key id_rsa.pub (mode 644).
The next thing to do is to add the private key identity to the authentication agent, and for that you need to type:
Then type the passphrase and check that it is loaded with:
Now your public key id_rsa.pub must be transferred to the saint account on the SSH server. To do this type the command:
ssh-copy-id -i ~/.ssh/id_rsa.pub "-p 48250 firstname.lastname@example.org"
Be careful at this point: if you get a usage error, leave out the double quotes (recent versions of ssh-copy-id accept -p 48250 as an ordinary option before the user@host argument).
Type the whole word yes at the prompt and then type the saint user's password. You will be told that the server's host key was added to the list of known_hosts. That is fine, but before answering yes compare the fingerprint shown with the one obtained on the server console with ssh-keygen -lf on the matching /etc/ssh/ssh_host_*_key.pub file; once stored, that key is trusted for every later connection.
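The following script is an added example that is not part of the original article: it collects the client-side steps above (key generation with the article's ssh-keygen options, the permission check OpenSSH insists on, and the unquoted form of the ssh-copy-id command) and adds the one check a practitioner wants before the final section turns password logins off on the server: an ssh invocation that is only allowed to authenticate with the key. The SSHDIR variable, the host name server.example and the demo's directory argument are placeholders of mine; the port 48250 and the user saint come from the article.

```shell
#!/bin/sh
# Added example (not from the original article): client-side helpers for the
# key steps above. Nothing here contacts a server; host names are placeholders.
set -eu

# mode_of PATH -> octal permission bits (GNU stat first, BSD stat as fallback)
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# check_key_perms DIR: 0 if DIR is 700 and every private key (id_* without a
# .pub suffix) is 600. ssh refuses a private key that is readable by group or
# others ("UNPROTECTED PRIVATE KEY FILE"), so key login silently fails.
check_key_perms() {
    dir=$1; rc=0
    [ "$(mode_of "$dir")" = 700 ] || { echo "BAD: $dir is $(mode_of "$dir"), want 700" >&2; rc=1; }
    for k in "$dir"/id_*; do
        [ -e "$k" ] || continue
        case $k in *.pub) continue ;; esac
        [ "$(mode_of "$k")" = 600 ] || { echo "BAD: $k is $(mode_of "$k"), want 600" >&2; rc=1; }
    done
    return $rc
}

# fix_key_perms DIR: the permissions ssh-keygen sets on a fresh key pair
fix_key_perms() {
    dir=$1
    chmod 700 "$dir"
    for k in "$dir"/id_*; do
        [ -e "$k" ] || continue
        case $k in *.pub) chmod 644 "$k" ;; *) chmod 600 "$k" ;; esac
    done
}

# gen_key DIR: the article's ssh-keygen command, writing DIR/id_rsa unless one
# already exists (ssh-keygen asks for the passphrase interactively)
gen_key() {
    dir=$1; key=$dir/id_rsa
    mkdir -p "$dir"
    [ -e "$key" ] || ssh-keygen -t rsa -b 4096 -C "$(whoami)@$(hostname)-$(date -I)" -f "$key"
    fix_key_perms "$dir"
}

# copy_id_cmd PUBKEY PORT USER HOST: current ssh-copy-id takes -p on its own,
# which avoids the quoted "-p PORT user@host" form and its usage errors
copy_id_cmd() { printf 'ssh-copy-id -i %s -p %s %s@%s\n' "$1" "$2" "$3" "$4"; }

# verify_cmd PORT USER HOST: a login that may only use the key (BatchMode
# also refuses to prompt). Run this, and see it succeed, before turning
# password authentication off in sshd_config, or you lock yourself out.
verify_cmd() {
    printf 'ssh -p %s -o BatchMode=yes -o PasswordAuthentication=no -o PreferredAuthentications=publickey %s@%s true\n' "$1" "$2" "$3"
}

demo() {
    d=${SSHDIR:-$HOME/.ssh}          # SSHDIR is an assumed override, for testing on a scratch dir
    gen_key "$d"
    check_key_perms "$d" && echo "permissions OK"
    echo "next, run:"; copy_id_cmd "$d/id_rsa.pub" 48250 saint server.example
    echo "then confirm key login with:"; verify_cmd 48250 saint server.example
}
case "${1:-}" in demo) demo ;; esac
```

Run it as sh client_keys.sh demo (SSHDIR=/tmp/scratch sh client_keys.sh demo to try it on a throwaway directory). The verify command must print nothing and exit 0; a password prompt or "Permission denied (publickey)" means the key was not installed in saint's ~/.ssh/authorized_keys or the permissions on the server side are wrong, and the final section's changes should wait.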
Remote login to the SSH server
Now it is time to connect to the SSH server from our client. Type this:
ssh -p 48250 email@example.com
and type the saint user's password again. (If the public key was installed correctly and the agent holds the unlocked key, ssh authenticates with the key and no password prompt appears at all; a password prompt here means the key was not installed or the permissions on saint's ~/.ssh on the server are wrong, and you should sort that out before the next section.)
Great, now you should be on the SSH server as saint. Go on and type
su -
to become root for some additional changes.
Some final security brush-strokes
The first thing we should do next is to close the ssh-copy-id door, that is, stop accepting password logins now that key authentication works. For that use your favorite editor to edit the sshd_config file, e.g.
vi /etc/ssh/sshd_config
and change the line:
Change the line:
and add these lines next to it:
AllowTcpForwarding no
PermitTunnel no
AllowAgentForwarding no
Change
PrintMotd no
to
PrintMotd yes
and finally at the end of the sshd_config file change the line:
and add this line:
We are done for now. Save the file and restart the ssh service by typing:
Keep in mind that from now on you will need the key's passphrase to log in remotely, so keep it safe and within reach, and keep a console session open on the server until you have confirmed that key login still works after the restart.
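The following script is an added example and not the article's own code: it applies the server-side sshd_config changes from both the "At the Server" section and these final brush-strokes in one place, rewriting each directive once (a commented-out default such as #Port 22 becomes the active line, and duplicates are dropped, since sshd honours only the first occurrence of a keyword) and checking the result before sshd is restarted. The file path, port, listen address and user are arguments; the demo uses the article's port 48250 and user saint, the documentation address 192.0.2.10 as a stand-in for your internal IP, and a constructed sample resembling a stock Debian sshd_config. PasswordAuthentication no is my reading of "closing the ssh-copy-id door".

```shell
#!/bin/sh
# Added example (not from the original article). Applies the sshd_config
# hardening from this article to the file given as $1 and verifies the result.
# Assumptions: port 48250, user "saint" and 192.0.2.10 (placeholder for the
# internal IP) are only used by the demo; "PasswordAuthentication no" is my
# reading of "close the ssh-copy-id door".
set -eu

# set_directive FILE KEY VALUE
# Rewrite every "KEY ..." line, including a commented-out "#KEY ..." default,
# as one active "KEY VALUE" line; append it if the directive is absent.
set_directive() {
    file=$1; key=$2; value=$3; tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        BEGIN { lk = tolower(key); done = 0 }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # strip indentation and a leading "#"
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == lk) {
                if (!done) { print key " " value; done = 1 }
                next                            # drop further copies
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # keep the original file's owner and mode
    rm -f "$tmp"
}

# get_directive FILE KEY -> value of the first active KEY line, or nothing
get_directive() {
    awk -v lk="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == lk { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# Phase 1 ("At the Server"): new port, internal interface only, no root
# login, only the named user. Password login stays on so ssh-copy-id works.
harden_initial() {
    set_directive "$1" Port "$2"
    set_directive "$1" ListenAddress "$3"
    set_directive "$1" PermitRootLogin no
    set_directive "$1" AllowUsers "$4"
}

# Phase 2 ("Some final security brush-strokes"): only after key login has
# been confirmed from the client, or you lock yourself out.
harden_final() {
    set_directive "$1" PasswordAuthentication no
    set_directive "$1" AllowTcpForwarding no
    set_directive "$1" PermitTunnel no
    set_directive "$1" AllowAgentForwarding no
    set_directive "$1" PrintMotd yes
}

# check FILE: 0 if every hardening value is in place, else report and return 1
check() {
    f=$1; rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no AllowTcpForwarding=no \
                PermitTunnel=no AllowAgentForwarding=no; do
        key=${pair%%=*}; want=${pair#*=}; got=$(get_directive "$f" "$key")
        [ "$got" = "$want" ] || { echo "MISSING: $key $want (got '${got:-unset}')" >&2; rc=1; }
    done
    port=$(get_directive "$f" Port)
    [ "${port:-22}" != 22 ] || { echo "MISSING: Port is still 22" >&2; rc=1; }
    [ -n "$(get_directive "$f" AllowUsers)" ] || { echo "MISSING: AllowUsers" >&2; rc=1; }
    return $rc
}

# validate FILE: syntax-check with sshd itself when available (needs root,
# because sshd -t also reads the host keys)
validate() {
    if command -v sshd >/dev/null 2>&1; then sshd -t -f "$1"
    else echo "sshd not installed here; skipping syntax check" >&2; fi
}

demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#Port 22
#ListenAddress 0.0.0.0
#ListenAddress ::
#PermitRootLogin prohibit-password
PasswordAuthentication yes
X11Forwarding yes
PrintMotd no
EOF
    harden_initial "$f" 48250 192.0.2.10 saint
    check "$f" || echo "(expected: password login is still on after phase 1)" >&2
    harden_final "$f"
    cat "$f"
    check "$f" && echo "hardening check: OK"
    rm -f "$f"
}
case "${1:-}" in demo) demo ;; esac
```

Run sh harden_sshd.sh demo to see it work on the constructed sample. On a real server, call harden_initial on /etc/ssh/sshd_config first, confirm key login from the client, then harden_final, and run validate (as root) before restart ssh. The rewrite is file-wide, so if your configuration contains Match blocks, confirm it did not touch a directive inside one; the article's configuration has none.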
Client’s ssh config file
Secure FTP (sftp)