DEV Community

Ashen Chathuranga

The Complete SSH Guide: Server and Client Setup

SSH (Secure Shell Protocol) is a cryptographic network protocol for secure remote access to systems and services.

Table of Contents

  1. What is SSH?
  2. SSH Server Setup
  3. SSH Client Setup
  4. SSH Authentication Methods
  5. Setting Up SSH Keys
  6. Password Authentication
  7. SSH Configuration
  8. Advanced SSH Features
  9. Security Best Practices
  10. Troubleshooting

What is SSH?

SSH operates on a client-server model:

  • SSH Server (sshd): Runs on the remote machine
  • SSH Client (ssh): Runs on your local machine

Key benefits: encryption, authentication, integrity, port forwarding.

SSH Server Setup

Installing SSH Server

Ubuntu/Debian:

sudo apt update && sudo apt install openssh-server
sudo systemctl start ssh && sudo systemctl enable ssh
sudo systemctl status ssh

CentOS/RHEL:

sudo yum install openssh-server  # RHEL 7
sudo dnf install openssh-server  # RHEL 8+
sudo systemctl start sshd && sudo systemctl enable sshd
sudo systemctl status sshd

Fedora:

sudo dnf install openssh-server
sudo systemctl start sshd && sudo systemctl enable sshd
sudo systemctl status sshd

Arch Linux:

sudo pacman -S openssh
sudo systemctl start sshd && sudo systemctl enable sshd
sudo systemctl status sshd

Basic SSH Server Configuration

Backup original config:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup

Edit configuration:

sudo nano /etc/ssh/sshd_config

Essential settings:

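Port 22
# Current OpenSSH releases support only protocol 2 and report this keyword as deprecated; it can be omitted
Protocol 2
PermitRootLogin no
MaxAuthTries 3
MaxSessions 2
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# Leave password logins enabled until key-based login has been tested (see Step 5 under "Setting Up SSH Keys")
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
PrintMotd no
SyslogFacility AUTH
LogLevel INFO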

Test and restart:

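# Keep your current session open until a new login succeeds
# Restart only if the configuration test passes (the unit is named ssh on Ubuntu/Debian)
sudo sshd -t && sudo systemctl restart sshd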

Firewall Configuration

UFW (Ubuntu/Debian):

sudo ufw allow ssh
sudo ufw enable

Firewalld (CentOS/RHEL/Fedora):

sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload

UFW on Arch:

sudo pacman -S ufw
sudo ufw allow ssh
sudo ufw enable

SSH Client Setup

Installing SSH Client

Ubuntu/Debian:

sudo apt install openssh-client

CentOS/RHEL/Fedora:

sudo yum install openssh-clients  # RHEL 7
sudo dnf install openssh-clients  # RHEL 8+/Fedora

Arch Linux:

sudo pacman -S openssh

Basic SSH Client Usage

# Basic connection
ssh username@server_ip

# Custom port
ssh -p 2222 username@server_ip

# Specific private key
ssh -i ~/.ssh/private_key username@server_ip

# Execute command
ssh user@server 'ls -la'

SSH Authentication Methods

Password Authentication

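The client proves its identity with the account's username and password. This method is supported everywhere but is the weaker option, because passwords can be guessed or reused.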

Public Key Authentication

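The client proves possession of a private key whose public half is listed on the server (asymmetric cryptography). This method is more secure than passwords and can be automated.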

Setting Up SSH Keys

Step 1: Generate SSH Key Pair

Check existing keys:

ls -la ~/.ssh/

Generate new key (Ed25519 recommended):

ssh-keygen -t ed25519 -C "your_email@example.com"

For legacy systems (RSA):

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Step 2: Set Proper Permissions

chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519      # Private key
chmod 644 ~/.ssh/id_ed25519.pub  # Public key

Step 3: Copy Public Key to Server

Method 1: ssh-copy-id (Easiest)

# Install the default public key
ssh-copy-id username@server_ip
# Or choose which public key to install
ssh-copy-id -i ~/.ssh/id_ed25519.pub username@server_ip

Method 2: Manual Copy (Detailed Steps)

On your local machine:

# Display your public key
cat ~/.ssh/id_ed25519.pub

Copy the entire output (starts with ssh-ed25519 and ends with your comment).

On the server:

# Create SSH directory
mkdir -p ~/.ssh

# Create or edit authorized_keys file
nano ~/.ssh/authorized_keys

Paste your public key as a single line in the authorized_keys file. Each key should be on its own line.

Example authorized_keys content:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILw...rest_of_key...xyz user@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC...rest_of_key...abc user@desktop

Set proper permissions:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Method 3: One-liner Command

cat ~/.ssh/id_ed25519.pub | ssh username@server_ip "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

Step 4: Test SSH Key Authentication

ssh username@server_ip

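The connection should succeed without a password prompt. If the key has a passphrase and is not loaded in the agent, you will be asked for the passphrase instead.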

Step 5: Disable Password Authentication (Optional)

sudo nano /etc/ssh/sshd_config

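Set:

PasswordAuthentication no
# Named KbdInteractiveAuthentication in OpenSSH 8.7 and later; the old name is still accepted as an alias
ChallengeResponseAuthentication no

Keep your current session open while making this change, so that a mistake cannot lock you out.

Test the configuration and restart SSH:

sudo sshd -t && sudo systemctl restart sshd

Before closing the original session, log in from a second terminal and confirm that passwords are refused. sshd uses the first value it reads for each keyword, so on distributions whose sshd_config includes drop-in files from /etc/ssh/sshd_config.d/, a PasswordAuthentication line in a drop-in can take precedence over this one; the output of sudo sshd -T shows the effective value.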

Password Authentication

Server Configuration

# In /etc/ssh/sshd_config
PasswordAuthentication yes
PermitEmptyPasswords no

Client Usage

ssh username@server_ip
# Force password auth
ssh -o PreferredAuthentications=password username@server_ip

SSH Configuration

Client Config File (~/.ssh/config)

touch ~/.ssh/config
chmod 600 ~/.ssh/config

Example configuration:

# Global defaults
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3

# Production server
Host prod
    HostName production.example.com
    User admin
    Port 2222
    IdentityFile ~/.ssh/prod_key

# Development server
Host dev
    HostName 192.168.1.100
    User developer
    LocalForward 8080 localhost:80

# Jump host
Host internal
    HostName 10.0.1.100
    ProxyJump jumphost

Host jumphost
    HostName jump.example.com
    User jump_user

Usage:

ssh prod  # Connects using prod alias
ssh dev   # Connects using dev alias

Advanced SSH Features

SSH Agent

# Start agent
eval "$(ssh-agent -s)"

# Add keys
ssh-add
ssh-add ~/.ssh/id_ed25519

# List keys
ssh-add -l

# Remove keys
ssh-add -D

Port Forwarding

Local Port Forwarding

# Forward local port 8080 to server's port 80
ssh -L 8080:localhost:80 user@server

# Background process
ssh -f -N -L 8080:localhost:80 user@server

Remote Port Forwarding

# Forward server's port 8080 to local port 3000
ssh -R 8080:localhost:3000 user@server

SOCKS Proxy

ssh -D 1080 user@server

File Transfer

SFTP

sftp user@server
sftp> get file.txt
sftp> put file.txt
sftp> get -r directory/

SCP

# Upload
scp file.txt user@server:/path/

# Download
scp user@server:/path/file.txt ./

# Recursive
scp -r directory/ user@server:/path/

Security Best Practices

Server Hardening

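# /etc/ssh/sshd_config
# A non-default port only reduces automated scan noise; open it in the firewall
# (and allow it in SELinux where enforced) before restarting sshd
Port 2222
PermitRootLogin no
# Disable only after key-based login works
PasswordAuthentication no
MaxAuthTries 3
MaxSessions 2
# Only these accounts may log in; every other user is refused
AllowUsers user1 user2
X11Forwarding no
# Drop unresponsive clients after 2 unanswered keepalives sent 300 seconds apart
ClientAliveInterval 300
ClientAliveCountMax 2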
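
To check a running server against the hardening values above, the following added example (not part of the original post) reads the effective configuration printed by sshd -T, which also reflects drop-in files, and flags settings that differ. The function name audit_sshd and the sample input are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: compare effective sshd settings with the hardening values in this guide.
# Live use:  sudo sshd -T | audit_sshd      (sshd -T prints keywords in lower case)

audit_sshd() {
    awk '
    BEGIN {
        # Values from the "Server Hardening" block above.
        want["permitrootlogin"]        = "no"
        want["passwordauthentication"] = "no"
        want["permitemptypasswords"]   = "no"
        want["x11forwarding"]          = "no"
        max["maxauthtries"] = 3
        max["maxsessions"]  = 2
    }
    {
        key = tolower($1); val = tolower($2); seen[key] = 1
        if ((key in want) && val != want[key]) {
            printf "FAIL %s=%s (expected %s)\n", key, val, want[key]; bad++
        }
        if ((key in max) && val + 0 > max[key]) {
            printf "FAIL %s=%s (expected <= %d)\n", key, val, max[key]; bad++
        }
    }
    END {
        for (k in want) if (!(k in seen)) { print "MISSING " k; bad++ }
        for (k in max)  if (!(k in seen)) { print "MISSING " k; bad++ }
        exit (bad > 0)    # non-zero exit status when anything was flagged
    }'
}

# Constructed sample of sshd -T output, not taken from a real host.
SAMPLE_WEAK='port 22
permitrootlogin yes
passwordauthentication yes
permitemptypasswords no
maxauthtries 6
maxsessions 10
x11forwarding no'

printf '%s\n' "$SAMPLE_WEAK" | audit_sshd || echo "sample config needs attention"
```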

Key Management

Generate strong keys (-a 100 raises the number of KDF rounds that protect the passphrase-encrypted private key):

ssh-keygen -t ed25519 -a 100 -C "user@host-$(date +%Y%m%d)"

Rotate keys regularly, and use ssh-agent so that the passphrase only has to be entered once per session.

Monitoring

Check logs:

# Ubuntu/Debian
sudo tail -f /var/log/auth.log

# CentOS/RHEL/Fedora
sudo tail -f /var/log/secure

# Any systemd-based system, including Arch (the unit is named ssh on Ubuntu/Debian)
sudo journalctl -u sshd -f
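
Watching the log by eye does not scale, so the following added example (not part of the original post) counts failed password attempts per source address and highlights a password login that follows repeated failures from the same address. The function name ssh_auth_report and the sample log lines are constructed; the default threshold of 3 matches the maxretry value in the Fail2Ban section of this guide.

```shell
#!/usr/bin/env bash
# Added example: summarise sshd password failures per source address.
# Live use:  sudo cat /var/log/auth.log | ssh_auth_report 3

ssh_auth_report() {    # $1 = failure threshold (default 3)
    awk -v min="${1:-3}" '
    # OpenSSH 9.8+ logs from "sshd-session"; older releases log from "sshd".
    # Fields are counted from the end of the line because the user name is
    # free text:  ... for <user> from <addr> port <n> ssh2
    / sshd(-session)?\[[0-9]+\]: Failed password for / && $(NF-4) == "from" {
        fails[$(NF-3)]++
    }
    / sshd(-session)?\[[0-9]+\]: Accepted password for / && $(NF-4) == "from" {
        ip = $(NF-3)
        if ((ip in fails) && fails[ip] >= min)
            print "LOGIN_AFTER_FAILURES", ip, fails[ip]
    }
    END {
        for (ip in fails)
            if (fails[ip] >= min) print "OVER_THRESHOLD", ip, fails[ip]
    }'
}

# Constructed log lines (documentation address ranges), not from a real host.
SAMPLE_LOG='Mar 10 08:14:01 web1 sshd[2101]: Failed password for backup from 203.0.113.7 port 51234 ssh2
Mar 10 08:14:03 web1 sshd[2101]: Failed password for backup from 203.0.113.7 port 51234 ssh2
Mar 10 08:14:06 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar 10 08:14:09 web1 sshd[2105]: Accepted password for backup from 203.0.113.7 port 51252 ssh2
Mar 10 08:17:00 web1 sshd-session[2130]: Failed password for deploy from 198.51.100.20 port 40030 ssh2
Mar 10 08:17:20 web1 sshd[2131]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2: ED25519 SHA256:CONSTRUCTED'

printf '%s\n' "$SAMPLE_LOG" | ssh_auth_report 3
```

A LOGIN_AFTER_FAILURES line is the one to investigate first: it marks a successful password login from an address that had already reached the failure threshold.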

Install Fail2Ban

Ubuntu/Debian:

sudo apt install fail2ban

CentOS/RHEL/Fedora:

sudo dnf install fail2ban

Arch Linux:

sudo pacman -S fail2ban

Configure SSH protection:

sudo nano /etc/fail2ban/jail.local

Add:

[sshd]
enabled = true
maxretry = 3
bantime = 3600

Troubleshooting

Common Issues

Connection Refused

# Check service
sudo systemctl status sshd

# Check port
sudo grep "^Port" /etc/ssh/sshd_config

# Check firewall
sudo ufw status

Permission Denied (publickey)

# Debug connection
ssh -v user@server

# Check agent
ssh-add -l

# Fix permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Host Key Verification Failed

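# A changed host key can also mean the connection is being intercepted.
# Remove the old key only after confirming the server was reinstalled or its keys were rotated.
ssh-keygen -R hostname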

Debugging

# Verbose output
ssh -vvv user@server

# Test config
sudo sshd -t

# Network test
nc -zv server_ip 22

Performance

Add to /etc/ssh/sshd_config:

UseDNS no

Add to ~/.ssh/config:

GSSAPIAuthentication no