SSH is short for Secure Shell. It is a protocol that establishes an encrypted connection between two systems using a client-server model and, in OSI terms, operates on the transport, session, presentation and application layers. This article covers basic information along with instructions for setting up SSH.
Primary Use and Function
The SSH protocol is used for remote administration through a terminal emulator and for automated processes. Once an SSH connection is established, a shell session is spawned that provides command line access to the remote host; commands issued in that session are sent to the server for execution.
Client – Server Relationship
This section outlines the differences between an SSH client and an SSH server. I will refer to clients as local hosts and servers as target hosts.
SSH Clients
There are a number of SSH clients available. PuTTY, WinSCP, macOS Terminal, Windows Terminal and PowerShell are all commonly used. Some of these are OS native, such as macOS Terminal and Windows PowerShell, while others require manual installation. The function of an SSH client is to initiate the connection and to send commands to the remote host for execution. Configurations for a client will vary, with most features being appearance related, though some include features like port forwarding, serial connections, SFTP, snippets, built-in multiplexing, key generation and identity management.
SSH Servers
An SSH server, typically OpenSSH, is required to listen for incoming SSH connection requests. By default, the server listens for SSH requests on port 22 and uses TCP for the transport protocol.
Setting Up OpenSSH Server
In this section, we will be installing OpenSSH and enabling the service necessary for it to run automatically, so that it’s always listening for connections on port 22. It’s pre-installed on macOS but not enabled. It’s pre-installed and even enabled by default on some Linux distributions.
For Debian based systems (Ubuntu, Linux Mint, Kali Linux)
Install OpenSSH
sudo apt install openssh-server
Start and Enable Service (systemd)
sudo systemctl enable --now ssh
For RHEL based systems (RedHat, Oracle Linux, Fedora, Rocky Linux, CentOS)
Install OpenSSH
sudo dnf install openssh-server
Start and Enable Service (systemd)
sudo systemctl enable --now sshd
For Windows 10 (Using an elevated PowerShell prompt)
Install OpenSSH
Add-WindowsCapability -Online -Name (Get-WindowsCapability -Online | Where-Object { $_.Name -like 'OpenSSH.Server*' }).Name
Start and Enable Service
Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'
For macOS
Start and Enable Server
sudo systemsetup -setremotelogin on
Configuring OpenSSH Server
Paths to the sshd_config file:
Linux – /etc/ssh/sshd_config
Windows – %PROGRAMDATA%\ssh\sshd_config
macOS – /private/etc/ssh/sshd_config
We may want to edit this file to configure the server as needed. For example, this is where the port the SSH server binds to is changed; the commonly designated port for SSH communication is port 22. We can also make security changes here, such as restricting root login and forcing key-based authentication; the SSH Best Practices section covers this in more detail. The server is ready to go out of the box, and whether the changes mentioned are needed will depend on your environment.
SSH Keys
SSH keys are used to access a server via public key authentication. They’re great for automated tasks, like transferring files or remote command execution / system administration. They’re more secure than password authentication. This section goes over generating an SSH key and importing it to a remote host.
Generating an SSH Key
In order to connect to a remote host via SSH with a key, you’ll need to create a key pair where the private key is stored on the local client and the public key is stored on the remote host. This section is specific to the local client that we will be using to initiate the connection. This guide does not cover key generation on Windows or macOS, though the process is very similar.
We’ll use the ssh-keygen command to generate our key. ED25519 is currently the most secure key type, and you can specify how many rounds of key derivation (KDF) are applied to the passphrase that protects the private key; more rounds make brute-forcing the passphrase slower. In addition to this, setting a passphrase secures the key further.
On Linux
ssh-keygen -t ed25519 -a 100 -f ~/.ssh/<key_name>
The above command will generate an ed25519 key using 100 rounds of derivation, saving it to the ~/.ssh/ directory with the private key being named <key_name> and the public key being named <key_name>.pub.
Note: You may not have an ~/.ssh folder for your user account. If that’s the case, use the following command to create the ~/.ssh directory and set its permissions to 700. The strict permissions are to ensure that only the folder owner can view or modify its contents.
mkdir ~/.ssh && chmod 700 ~/.ssh
Do not use sudo, or it will set the folder’s user and group ownership to root:root. If this was done accidentally, use the following command to set ownership.
sudo chown <user>:<user> ~/.ssh
It’s important that the private key has a permissions value of 600 (rw-------), while the public key can have a more lenient value of 644 (rw-r--r--). The contents of the private key should never be shared. The contents of the public key can be viewable by any user, as it’s of no use without the private key. Once complete, ls -la ~/.ssh should show these permissions. It’s possible that you don’t have an authorized_keys file yet. That’s okay, as this file is only needed on the server side to authenticate incoming key-based logins.

Importing an SSH Key
We now need to import the contents of our local public key into the /home/<user>/.ssh/authorized_keys file on our target host. There are a couple of different ways to do this.
A note for cloud users: It’s typical to be able to import or generate an SSH key during server creation and your provider may have a function to import public keys afterwards. Your provider’s Linux image may also have password authentication disabled, requiring you to perform these steps via a web shell or with the imported/generated key. Some cloud providers may import the default key to the root user account. You must limit access to this account and consider creating an admin account and disabling root.
Method 1 (Preferred) – ssh-copy-id
ssh-copy-id -i ~/.ssh/<key_name>.pub user@target_host
This method requires password authentication to be enabled on the SSH server. You will need to point ssh-copy-id to the location of the public key on the local client and then specify the username and IP or FQDN of the target host. You’ll be prompted for the password of the user you specified.
Method 2 – Manual
Manually Transfer the SSH Key
Use Secure Copy to transfer the key file to the target, authenticating with a key that has already been imported:
scp -i ~/.ssh/<private_key> ~/.ssh/<key_name>.pub user@targethost:~/
You can also copy the contents of the public key to your clipboard and paste it on the target host.
Set Up Authorized Keys File
Log into the target host either via a web shell or via SSH with another key. The following section has more information on using SSH.
Once on the target host, perform the following steps as needed:
mkdir -p ~/.ssh
cat <key_name>.pub >> ~/.ssh/authorized_keys
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
rm <key_name>.pub
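The manual steps above as one idempotent function, added here as an example (not code from the original article): it creates ~/.ssh with mode 700 and authorized_keys with mode 600, refuses input that is not a single public-key line, and skips a key that is already present. The function and helper names and the sample key are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article: the manual import steps
# above as one idempotent function. It creates ~/.ssh with mode 700 and
# authorized_keys with mode 600, refuses input that is not a single public
# key line, and does not add a key that is already present.

# install_authorized_key HOME_DIR PUBKEY_FILE
install_authorized_key() {
    home=$1; pub=$2
    sshdir="$home/.ssh"; auth="$sshdir/authorized_keys"

    # Accept only one line that starts with a known key type followed by
    # base64 key material; this stops a private key or random text from
    # being appended by mistake.
    [ "$(wc -l < "$pub" | tr -d ' ')" -le 1 ] ||
        { echo "refusing $pub: more than one line" >&2; return 1; }
    grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9@.-]+) [A-Za-z0-9+/=]+' "$pub" ||
        { echo "refusing $pub: not an OpenSSH public key" >&2; return 1; }

    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"

    # Compare key type and key material only (fields 1 and 2), so the same
    # key with a different comment is still recognised as a duplicate.
    keymat=$(awk '{print $1, $2}' "$pub")
    if awk '{print $1, $2}' "$auth" | grep -qxF -- "$keymat"; then
        echo "key already present in $auth" >&2
        return 0
    fi
    # printf adds exactly one trailing newline even if the .pub file lacks one
    printf '%s\n' "$(cat "$pub")" >> "$auth"
}

# count_authorized_keys HOME_DIR: number of non-empty lines in authorized_keys
count_authorized_keys() {
    grep -c . "$1/.ssh/authorized_keys"
}

# mode_of PATH: permission string as shown by ls -l, e.g. drwx------
mode_of() {
    ls -ld "$1" | cut -c1-10
}
```

Run it as `install_authorized_key "$HOME" ~/<key_name>.pub` on the target host; a second run with the same key is a no-op.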
Using SSH
Now that we’ve got a private / public key pair generated, with the public key being in the remote host user’s authorized_keys file, we can initiate an SSH session.
This is a generic SSH command, where you specify the user and target host. You’ll be prompted to enter a password.
ssh user@targethost
This command allows us to specify a private key to use for authentication.
ssh -i ~/.ssh/<keyname> user@targethost
This command specifies the port the server is expecting traffic on.
ssh -p <port> user@targethost
Configuring ~/.ssh/config
The ~/.ssh/config file is referenced when establishing an SSH connection. It does not need to be configured; all of the connection parameters can be passed to the ssh command. It does, however, allow host-specific connection parameters to be set, which can be useful. In the example below, we use the nano text editor to create the file or edit it if it exists, and we ensure the permissions for this file are set to 644 (rw-r--r--). Do not run the editor with sudo, or the file will be owned by root. We can then add the following entry and edit it as needed.
nano ~/.ssh/config && chmod 644 ~/.ssh/config
Host hostname
    User username
    IdentityFile ~/.ssh/mykey
SSH Troubleshooting
Authentication failed (publickey)
This error means the server did not accept the key the client offered. This can be due to improper configuration or an incorrect passphrase entry.
- Ensure you’re using the proper key on the client and that its public key value is properly set up on the server
- Ensure you’ve specified the correct remote user
Connection Timeout
This error indicates there’s no response from the server, which suggests a routing issue, that the SSH server daemon isn’t running, that it is bound to a port other than 22, or that the remote host’s firewall is dropping the traffic.
- Ensure your remote server is running through your cloud dashboard or by trying to access other services, like a webpage.
- Ensure your sshd_config file on the server is set to listen on the expected port. If you’ve set it to something other than port 22, you can specify the port to use with the -p option.
ssh -p <port> user@targethost
- Ensure there aren’t any firewall rules dropping traffic and check for firewall IP bans if you’ve failed to authenticate multiple times
SSH Best Practices
The use of password authentication is discouraged. Instead, use SSH keys and generate key pairs with a passphrase whenever possible. It’s possible to use ssh-agent to avoid entering the passphrase for each connection. It may be considered acceptable to use keys without a passphrase for automated tasks, but you should add SSH command restrictions for these types of use case to prevent execution of arbitrary commands.
In the sshd_config file, set PasswordAuthentication to no and PermitRootLogin to no or prohibit-password. This forces public key authentication and disallows root login.
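The sshd_config changes described in the Configuring OpenSSH Server section and in the Best Practices above, applied by a script added here as an example (not code from the original article). The function names are assumptions; it validates the result with sshd -t before any restart.

```shell
#!/bin/sh
# Added example, not from the original article: apply the sshd_config
# hardening recommended above (PasswordAuthentication no, PermitRootLogin
# prohibit-password) to a config file and read back the effective value.

# set_sshd_option FILE KEY VALUE
# Rewrites every existing directive for KEY, commented or not, as "KEY VALUE";
# appends the directive if the file has none. sshd honours the FIRST
# occurrence of a keyword, so a stale uncommented line left in place would win.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$/${key} ${value}/" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY: print the value sshd would use (first match,
# ignoring comments and anything inside a Match block).
get_sshd_option() {
    awk -v k="$2" '
        $1 == "Match" { inmatch = 1 }
        !inmatch && $1 == k { print $2; exit }
    ' "$1"
}

# harden_sshd_config FILE: the settings from the Best Practices section
harden_sshd_config() {
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PermitRootLogin prohibit-password
    set_sshd_option "$1" PubkeyAuthentication yes
}

# Usage on a real server: back up, edit, validate with sshd -t BEFORE
# restarting so a typo cannot lock you out, then restart the service
# (sshd on RHEL-based systems, ssh on Debian-based ones).
if [ "${1:-}" = "--apply" ]; then
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    harden_sshd_config /etc/ssh/sshd_config
    sshd -t && systemctl restart sshd
fi
```

Keep an existing SSH session open while applying this and confirm a fresh key-based login works before closing it.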
This article’s content is incomplete