Using SSH (Secure Shell) is a common and widly used way to access and manage a server from remote. Finally, “after” telnet and rlogin, your communication with the server gets encrypted.
Although all up to date Linux distributions provide a secure configuration of the SSH server by default, it does not hurt to check for yourself and get familiar with the options the SSH server has to offer.
I will just cover the very basics and most important flags of the configuration. You can do a lot more with it like tunneling ports, forwarding X11 session and many more.
The daemon behind SSH listens (by default) on TCP port 22 but can easily be reconfigured to listen on a different port. You can connect to the server by typing
in a shell or, if you are on Windows, you might want to try the tool Putty (Main page).
The location of the main configuration file differs from on distribution to the other but can usually be found at
Open it up with your favorite text editor (like vi)
The following snippet is the default configuration which comes with Ubuntu.
# What ports, IPs and protocols we listen for
# Use these options to restrict which interfaces/protocols sshd will bind to
# HostKeys for protocol version 2
#Privilege Separation is turned on for security
# Lifetime and size of ephemeral version 1 server key
# Don't read the user's ~/.rhosts and ~/.shosts files
# For this to work you will also need host keys in /etc/ssh_known_hosts
# similar for protocol version 2
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
# To enable empty passwords, change to yes (NOT RECOMMENDED)
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
# Change to no to disable tunnelled clear text passwords
# Kerberos options
# GSSAPI options
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
- First we can configure the listening port of the SSH server with the Port directive. Some people change that to a different value than “22” for security reasons.
- Next up you can specify on what IP addresses you want the server to listen on (if you have more than on). Use 0.0.0.0 to listen on every available interface/address (You can use IPv6 too).
- Due to historical reasons you can specify a different version of SSH by changing the Protocol directive. I strongly recommend to leave it on the value “2” to ensure up to date security and encryption of the communication.
- If you have a user account for your everyday work on the server (which I do recommend – please don’t use the root account for this) you can change PermitRootLogin to “no” to log in with your username and change to the root account later (if required).
- For additional security you can generate a key file which can be used for login instead of a username/password combination.
- Further down you find the X11Forwarding directive. If you don’t have X11 (aka GUI) on your server you can safely disable this (X11Forwarding no)
This is it for now – I will cover special aspects of SSH in a later post.
EDIT (16022012): As I received valuable input by aj, thanks for that :), I recommend reading his comment and consider using his additions in your server configuration.