How to Install and Configure SSH on an Ubuntu Server

Technical writer

Ubuntu

24.11.2023

Reading time: 10 min

Secure Shell (SSH) is a network protocol for secure client-server communication. Each interaction is encrypted. It allows you to securely manage the server, transfer files, and perform other tasks.

For example, you have ordered a cloud server on Hostman and want to manage it from your laptop. To do this, you only need to set up SSH access. Through a secure connection, you will be able to perform all necessary administration actions.

For successful configuration, you need to:

Install the SSH server components on your server. The openssh-server package will cover that.
Have the SSH client on your local machine from which you will connect to the remote host.

For this purpose, the openssh-client package is usually used. It's pre-installed in most Linux and BSD distributions and also in the latest Windows versions. On older versions of Windows, you'll need to install additional utilities. One of the most popular solutions is PuTTY.

Enabling SSH

By default, remote access via a secure network protocol is forbidden. However, installing SSH in Ubuntu is very easy.

Start the console of the server where you need to configure SSH.

Update the package manager:

sudo apt update

Install the software:

sudo apt install openssh-server

Both operations require superuser rights, which you get with sudo.

On Ubuntu, the OpenSSH starts automatically after installation but you can check its status using the command:

sudo systemctl status ssh

The output should indicate that the service is running and allowed to start on system boot:

ssh.service - OpenBSD Secure Shell server
    Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
    Active: active (running) since Mon 2022-03-21 12:34:00 CEST; 1m ago

This means that the installation was successful. To return to the command prompt, press the q key.

If the service is not active, start it manually with the command:

sudo systemctl enable --now ssh

Ubuntu comes with a firewall configuration tool called UFW. If you have a firewall enabled on your system, be sure to open the SSH port:

sudo ufw allow ssh

Now you can connect to your Ubuntu system via SSH from any remote computer.

Creating an SSH key pair

To make the connection even more secure and authentication more convenient, use an SSH key pair: a public and a private SSH keys. The public key is stored on the host, and the private key is stored on the user's computer.

Let's see how to create keys in different operating systems. Let's start with Ubuntu.

To generate a new 2048-bit RSA key pair, open a terminal and run the command below:

ssh-keygen -t rsa

A prompt will appear asking you where to save the keys. If you press Enter, the system will save the key pair in the default .ssh subdirectory of the home folder. You can also specify an alternate path where you want to save the key pair. However, it is recommended to use the default directory. It makes further management much easier.

If you have already created a key pair on the client computer, the system will prompt you to overwrite it. The choice is entirely up to you, but be careful. If you choose to overwrite it, you will not be able to use the previous key pair to log in to the server. It will be deleted. Fixing the conflict is easy; just specify a unique name for each new pair. The storage folder can remain the same.

You will also be prompted to enter a passphrase to add an extra layer of security that prevents unauthorized users from accessing the host. Press Enter if you do not want to use it.

To verify that the keys have been created, run the command:

ls -l ~/.ssh/id_*.pub.

The terminal will display a list of keys.

Similarly, you can generate a pair on macOS or newer Windows versions.

If you're using an older Windows OS, you'll need to download the PuTTY utility suite. It contains the PuTTYgen application. To create an SSH key pair, all you need to do is run the PuTTYgen and swipe with your mouse. You can also select a folder to store the keys and add a passphrase for maximum protection.

Adding the SSH key to the server

The private key is stored on the computer. You should never transfer it to anyone. But you need to transmit the public part to the server.

If you have password access to the host, you can transfer the public key using ssh-copy-id. Example command:

ssh-copy-id hostman@123.456.78.99

Instead of hostman enter your username, instead of 123.456.78.99 enter the server IP address. Enter the password when prompted, and after which the public key will be transferred to the host.

To connect to the server using the SSH keys, run the command:

ssh hostman@123.456.78.99

Instead of hostman enter your username, instead of 123.456.78.99 enter the server IP address. If you have not set a passphrase, you will log in without further authentication. The security system will check the public and private parts of the key and establish a connection if they match.

Configuring SSH

You can configure your Ubuntu Server through the /etc/ssh/sshd_config file. Before making changes to it, make a backup copy. It will keep you from wasting time on reinstallation if you suddenly make a mistake.

To make a copy, run the command:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.factory-defaults

The /etc/ssh/sshd_config.factory-defaults will store the default settings. You will be editing the /etc/ssh/sshd_config file.

Disabling password authentication

SSH password authentication on the Ubuntu Server isn't bad. But if you create long, complex passwords, you can be tempted to store them insecurely. Using encryption keys to authenticate the connection is a more secure alternative. In this case, the password may be unnecessary and you can disable it.

Before proceeding, keep the following in mind:

Disabling password authentication increases the likelihood of being locked out of your server. You can be locked out if you lose your private key or break the ~/.authorized_keys file .

If you are locked out, you can no longer access any application files.

You should only disable password authentication if you are very familiar with the key authentication mechanism and understand the potential consequences of losing access to your server.

To disable password authentication, connect to the server as root and edit the sshd_config file. Change the PasswordAuthentication parameter value to No instead of Yes.

Then restart the SSH service by running the following command:

sudo systemctl restart sshd

After that, you will no longer be able to use passwords for authentication. You will only be able to connect using Linux SSH keys.

Disabling root access

To improve security on your remote Ubuntu system, consider disabling root user login via SSH.

To do this, edit the configuration file:

sudo vi /etc/ssh/sshd_config

Change the PermitRootLogin value to No.

Another option is allowing the root user to log in using any authentication mechanism other than a password. To do this, set the PermitRootLogin parameter to prohibit-password.

This configuration lets you log in as the root user with a private key. The main thing is to ensure that you have copied the public key to the system before restarting the SSH service.

To apply the updated configuration, restart the service:

sudo systemctl restart sshd

Changing the default port

By default, the SSH server uses port 22. To increase security, you can set it to any other value. We recommend using ports from the upper range, from 50000 to 65000. It is also preferable to pick numbers in which all digits are different, for example, 56713.

Open the configuration file:

sudo vi /etc/ssh/sshd_config

Uncomment the line Port 22. Instead of 22, specify another number, for example, Port 56713. Save the changes and close the file.

To apply the configuration, restart the service:

sudo systemctl restart sshd

After a successful restart, verify that the connection is now on a different port:

ssh -p 56713 user@server_ip

Remember to restart the service after each change. Otherwise, SSH connections will follow the old rules.

Configuring tunneling

Tunneling is a method of transmitting unencrypted traffic or data over an encrypted channel. In addition to file transfers, tunneling can also be used to access internal network services through firewalls and to create a VPN.

There are three types of tunneling (forwarding):

Local,
remote,
dynamic.

To configure some of them, you will need to edit the SSH configuration file.

Local forwarding

It is a port forwarding from a client computer to a remote computer. The connection is then redirected to another port on the target computer.

The SSH client checks for a connection on the given port. When it receives a connection request, it tunnels it with the specified port on the remote host. The host then connects to another target computer through the configured port.

Mostly, local forwarding is used to connect externally to a service from an internal network. For example, this is how you can configure access to a database. It is also used for remote file sharing.

The -L argument is used for local forwarding. For example:

ssh hostman@server.example -L 8080:server1.example:3000

Now open a browser on the local computer. You can use localhost:8080 to access the remote application instead of accessing it using the address server.example:3000.

Remote redirection

Remote redirection allows you to connect to a local computer from a remote computer. SSH does not support remote port forwarding by default. Therefore, you need to enable it in the SSH configuration file. It will require some additional configuration of the Ubuntu server.

Open the configuration file:

sudo vi /etc/ssh/sshd_config

Set the GatewayPorts parameter to Yes.

Save the changes and restart the service:

sudo systemctl restart sshd

Use the -R argument to configure forwarding. Example command:

ssh -R 8080:127.0.0.0.1:3000 -N -f user@remote.host

After running this command, the host will listen on port 8080 and redirect all traffic to port 3000, which is open on the local computer.

Remote redirection is mainly used to give someone from outside access to an internal service.

Dynamic forwarding

Local and remote forwarding methods allow you to tunnel and communicate with a single port. With dynamic forwarding, you can tunnel and communicate with multiple ports.

Dynamic tunneling creates a socket on the local computer. It works like a SOCKS proxy server. Basically, your local computer is used as a SOCKS proxy server and listens on port 1080 by default. When the host connects to this port, it is redirected to the remote machine and then to the dynamic machine through the dynamic port.

The -D argument is used to configure dynamic tunneling. Example command:

ssh -D 9090 -N -f user@remote.host

Once you have set up tunneling, you can configure your application to use it. For example, to add a proxy to the browser. You'll need to configure redirection separately for each application you want to tunnel traffic for.

Disabling SSH

To disable the Open SSH server, stop the SSH service by running the command:

sudo systemctl disable --now ssh

To start the service back up, run the command:

sudo systemctl enable --now ssh

The enable command in Ubuntu does not reinstall the software, so you don't have to reconfigure anything. It simply starts up the previously installed and configured service.

Conclusion

In this article, we have covered the basics of using SSH on an Ubuntu machine. Now you know how to install the necessary software to set up a secure connection, configure it, route the tunnel, and even disable the service when it is not in use.

Connecting via SSH in Ubuntu is a common task, so you'll definitely need this knowledge. If not in development and administration, then for personal purposes, such as establishing a secure connection between devices in a local network.