SSH Essentials: Working With SSH Servers, Clients, And Keys

Server-Side Configuration Options

This section contains some common server-side configuration options that can shape the way that your server responds and what types of connections are allowed.

Disabling Password Authentication

If you have SSH keys configured, tested, and working properly, it is probably a good idea to disable password authentication. This will prevent any user from signing in with SSH using a password.

To do this, connect to your remote server and open the /etc/ssh/sshd_config file with root or sudo privileges:

sudo nano /etc/ssh/sshd_config

Inside of the file, search for the PasswordAuthentication directive. If it is commented out, uncomment it. Set it to no to disable password logins:

/etc/ssh/sshd_config PasswordAuthentication no

After you have made the change, save and close the file. To implement the changes, you should restart the SSH service.

On Ubuntu/Debian:

sudo service ssh restart

On CentOS/Fedora:

sudo service sshd restart

Now, all accounts on the system will be unable to log in with SSH using passwords.

Changing the Port that the SSH Daemon Runs On

Some administrators suggest that you change the default port that SSH runs on. This can help decrease the number of authentication attempts your server is subjected to from automated bots.

To change the port that the SSH daemon listens on, you will have to log in to your remote server. Open the sshd_config file on the remote system with root privileges, either by logging in with that user or by using sudo:

sudo nano /etc/ssh/sshd_config

Once you are inside, you can change the port that SSH runs on by finding the Port 22 specification and modifying it to reflect the port you wish to use. For instance, to change the port to 4444, put this in your file:

/etc/ssh/sshd_config #Port 22 Port 4444

Save and close the file when you are finished. To implement the changes, you must restart the SSH daemon.

On Ubuntu/Debian:

sudo service ssh restart

On CentOS/Fedora:

sudo service sshd restart

After the daemon restarts, you will need to authenticate by specifying the port number (demonstrated in an earlier section).

Limiting the Users Who can Connect Through SSH

To explicitly limit the user accounts who are able to log in through SSH, you can take a few different approaches, each of which involve editing the SSH daemon config file.

On your remote server, open this file now with root or sudo privileges:

sudo nano /etc/ssh/sshd_config

The first method of specifying the accounts that are allowed to login is using the AllowUsers directive. Search for the AllowUsers directive in the file. If one does not exist, create it anywhere. After the directive, list the user accounts that should be allowed to login through SSH:

/etc/ssh/sshd_config AllowUsers user1 user2

Save and close the file. Restart the daemon to implement your changes.

On Ubuntu/Debian:

sudo service ssh restart

On CentOS/Fedora:

sudo service sshd restart

If you are more comfortable with group management, you can use the AllowGroups directive instead. If this is the case, just add a single group that should be allowed SSH access (we will create this group and add members momentarily):

/etc/ssh/sshd_config AllowGroups sshmembers

Save and close the file.

Now, you can create a system group (without a home directory) matching the group you specified by typing:

sudo groupadd -r sshmembers

Make sure that you add whatever user accounts you need to this group. This can be done by typing:

sudo usermod -a -G sshmembers user1 sudo usermod -a -G sshmembers user2

Now, restart the SSH daemon to implement your changes.

On Ubuntu/Debian:

sudo service ssh restart

On CentOS/Fedora:

sudo service sshd restart

Disabling Root Login

It is often advisable to completely disable root login through SSH after you have set up an SSH user account that has sudo privileges.

To do this, open the SSH daemon configuration file with root or sudo on your remote server.

sudo nano /etc/ssh/sshd_config

Inside, search for a directive called PermitRootLogin. If it is commented, uncomment it. Change the value to “no”:

/etc/ssh/sshd_config PermitRootLogin no

Save and close the file. To implement your changes, restart the SSH daemon.

On Ubuntu/Debian:

sudo service ssh restart

On CentOS/Fedora:

sudo service sshd restart

Allowing Root Access for Specific Commands

There are some cases where you might want to disable root access generally, but enable it in order to allow certain applications to run correctly. An example of this might be a backup routine.

This can be accomplished through the root user’s authorized_keys file, which contains SSH keys that are authorized to use the account.

Add the key from your local computer that you wish to use for this process (we recommend creating a new key for each automatic process) to the root user’s authorized_keys file on the server. We will demonstrate with the ssh-copy-id command here, but you can use any of the methods of copying keys we discuss in other sections:

ssh-copy-id root@remote_host

Now, log into the remote server. We will need to adjust the entry in the authorized_keys file, so open it with root or sudo access:

sudo nano /root/.ssh/authorized_keys

At the beginning of the line with the key you uploaded, add a command= listing that defines the command that this key is valid for. This should include the full path to the executable, plus any arguments:

/root/.ssh/authorized_keys command="/path/to/command arg1 arg2" ssh-rsa ...

Save and close the file when you are finished.

Now, open the sshd_config file with root or sudo privileges:

sudo nano /etc/ssh/sshd_config

Find the directive PermitRootLogin, and change the value to forced-commands-only. This will only allow SSH key logins to use root when a command has been specified for the key:

/etc/ssh/sshd_config PermitRootLogin forced-commands-only

Save and close the file. Restart the SSH daemon to implement your changes.

On Ubuntu/Debian:

sudo service ssh restart

On CentOS/Fedora:

sudo service sshd restart

Forwarding X Application Displays to the Client

The SSH daemon can be configured to automatically forward the display of X applications on the server to the client machine. For this to function correctly, the client must have an X windows system configured and enabled.

To enable this functionality, log in to your remote server and edit the sshd_config file as root or with sudo privileges:

sudo nano /etc/ssh/sshd_config

Search for the X11Forwarding directive. If it is commented out, uncomment it. Create it if necessary and set the value to “yes”:

/etc/ssh/sshd_config X11Forwarding yes

Save and close the file. Restart your SSH daemon to implement these changes.

On Ubuntu/Debian:

sudo service ssh restart

On CentOS/Fedora:

sudo service sshd restart

To connect to the server and forward an application’s display, you have to pass the -X option from the client upon connection:

ssh -X username@remote_host

Graphical applications started on the server through this session should be displayed on the local computer. The performance might be a bit slow, but it is very helpful in a pinch.