1. What is SSH?
SSH (Secure Shell) is a remote login protocol that lets you connect to a Linux server securely over the network, like using a key to open the “door” of a remote computer. Unlike earlier insecure protocols such as Telnet or FTP, SSH encrypts transmitted data, preventing passwords and commands from being intercepted by third parties. It is especially suitable for managing multiple servers.
2. Why Configure SSH?
When you need to remotely manage servers (e.g., cloud servers on Aliyun/Tencent Cloud or self-hosted local servers), SSH is the most common tool. Examples include:
- Remote operation of your home Linux server from the office.
- Batch management of multiple servers without physical access.
- Editing code on the server and syncing files directly from your local machine.
3. Server-Side: Install and Start SSH Service
3.1 Check if SSH is Installed
Linux systems may not have SSH pre-installed. Verify if sshd (SSH server program) is installed:

```sh
# Check for Debian/Ubuntu
dpkg -l | grep openssh-server
# Or for CentOS/RHEL
rpm -qa | grep openssh-server
```

If openssh-server appears in the output, it is installed; otherwise, proceed to install.
3.2 Install SSH Service (Common Systems)
- Debian/Ubuntu (using apt):

```sh
sudo apt update
sudo apt install openssh-server
```

- CentOS/RHEL (using yum):

```sh
sudo yum install openssh-server
```

- Start and Enable on Boot: after installation, start the sshd service and set it to auto-start:

```sh
# On Debian/Ubuntu the unit is named ssh; use "ssh" in place of "sshd" there
sudo systemctl start sshd
sudo systemctl enable sshd
```

4. SSH Service Configuration (Key Steps)
The core SSH configuration file is /etc/ssh/sshd_config, where you can adjust ports, permissions, etc.
4.1 Backup the Configuration File (Critical!)
Always back up the file before modification:

```sh
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
```

4.2 Common Configuration Items (Essential for Beginners)
Edit the config file with nano or vim (recommended: nano for simplicity):

```sh
sudo nano /etc/ssh/sshd_config
```

Key configurations to focus on (default values are optional; modifications are highlighted):
| Configuration Item | Default | Recommended Value (Example) | Description |
|---|---|---|---|
| Port | 22 | Port 2222 | SSH port (changing to a non-default port reduces automated brute-force attempts) |
| PermitRootLogin | yes | PermitRootLogin no | Disable direct root login (more secure) |
| AllowUsers | empty | AllowUsers user1 | Only allow user1 to log in |
| PasswordAuthentication | yes | PasswordAuthentication no | Disable password login (use keys instead, covered later) |
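4.3 Restart SSH to Apply Changes
After modifying the config file, restart sshd to make the changes take effect. Keep your current session open and confirm that a new login works before closing it. If you changed the port, open it in the firewall first (section 6.1); if you set PasswordAuthentication no, set up key-based login first (section 5.3).

```sh
sudo systemctl restart sshd
```
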
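An added example (not part of the original tutorial): a POSIX shell audit of the four settings from the table in section 4.2, worth running before the restart. It assumes whitespace-separated keywords and ignores Include files and Match blocks; the function names and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original tutorial: audit the four settings from
# the table in section 4.2 in an sshd_config-style file.
# Assumptions: keyword and value are separated by whitespace, "Include" files
# are not followed, and settings inside "Match" blocks count as unset.

# effective_value FILE KEYWORD -> the global value sshd would use, or empty.
# sshd keeps the FIRST value it reads per keyword; keywords are case-insensitive.
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        NF == 0 || $1 ~ /^#/    { next }   # blank lines and comments
        tolower($1) == "match"  { exit }   # the global section ends here
        tolower($1) == want     { $1 = ""; print substr($0, 2); exit }
    ' "$1"
}

# audit_sshd_config FILE -> one OK/WEAK line per setting
audit_sshd_config() {
    port=$(effective_value "$1" Port)
    root=$(effective_value "$1" PermitRootLogin)
    pass=$(effective_value "$1" PasswordAuthentication)
    users=$(effective_value "$1" AllowUsers)
    if [ -n "$port" ] && [ "$port" != 22 ]; then echo "OK   Port $port"
    else echo "WEAK Port ${port:-unset} (default port 22)"; fi
    if [ "$root" = no ]; then echo "OK   PermitRootLogin no"
    else echo "WEAK PermitRootLogin ${root:-unset} (want: no)"; fi
    if [ "$pass" = no ]; then echo "OK   PasswordAuthentication no"
    else echo "WEAK PasswordAuthentication ${pass:-unset} (want: no)"; fi
    if [ -n "$users" ]; then echo "OK   AllowUsers $users"
    else echo "WEAK AllowUsers unset (no user allow-list)"; fi
}

# count_weak FILE -> number of WEAK findings
count_weak() { audit_sshd_config "$1" | grep -c '^WEAK' || true; }

# Constructed sample: a later duplicate and a setting that exists only in Match.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
port 2222
PermitRootLogin no
PermitRootLogin yes
AllowUsers user1
Match User backup
    PasswordAuthentication no
EOF
audit_sshd_config "$sample"
```

On a live server, `sudo sshd -t` checks the file for syntax errors and `sudo sshd -T` prints the effective configuration, including Include files that this example does not follow.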
5. Client-Side Connection: SSH Login from Local Machine
5.1 Choose a Client Tool
- Windows: PuTTY (free), Xshell (paid), or built-in PowerShell (requires OpenSSH client).
- macOS/Linux: Use the built-in Terminal.
- Mobile: Termius (multi-platform, GUI).
5.2 Command-Line Connection (Linux/macOS)
In your local terminal:

```sh
ssh [username]@[server IP] -p [port]
```

Example:
- Connect as user user1 to server 192.168.1.100 with port 2222:

```sh
ssh user1@192.168.1.100 -p 2222
```

- Confirm the connection when prompted (type yes), after checking that the host key fingerprint shown matches the server's.
5.3 Password vs. Key-Based Login (Security Enhancement)
- Password Login: Simple but insecure (prone to brute-force attacks).
- Key-Based Login (Recommended):

1. Generate Key Pair (local terminal):

```sh
ssh-keygen -t ed25519 # Press Enter to accept defaults
```

Your private key (`~/.ssh/id_ed25519`) stays local; the public key (`~/.ssh/id_ed25519.pub`) is uploaded to the server.

2. Upload Public Key to Server:

```sh
# Options go before the target; ssh-copy-id expects the host as its last argument
ssh-copy-id -i ~/.ssh/id_ed25519.pub -p 2222 user1@192.168.1.100
```

The public key is automatically added to `~/.ssh/authorized_keys`, enabling password-free login.
6. Security Best Practices (Essential for Beginners)
6.1 Open Firewall for SSH Port
If using a firewall (e.g., ufw):

```sh
sudo ufw allow 2222/tcp # Allow SSH port (adjust to your custom port)
sudo ufw reload
```

For cloud servers (Aliyun/Tencent Cloud), open the port in the security group console.
6.2 Disable Direct Root Login
Set PermitRootLogin no in sshd_config (as shown earlier). Use a regular user and switch to root with su - (more secure).
6.3 Regularly Update System and SSH

```sh
# For Debian/Ubuntu
sudo apt update && sudo apt upgrade
# For CentOS/RHEL
sudo yum update
```

7. Troubleshooting Common Issues
| Problem | Possible Cause | Solution |
|---|---|---|
| Connection Timeout | Wrong IP/Network issues | Verify IP and network; ping [server IP] |
| Connection Refused | Port closed/service not running | Check port with telnet [IP] [port]; restart sshd |
| Permission Error | Incorrect ~/.ssh permissions | Run chmod 700 ~/.ssh and chmod 600 ~/.ssh/authorized_keys |
8. Summary
SSH is the “foundation” for Linux remote management. Key steps: Install service → Secure config → Client connection. Focus on: changing port, disabling root login, using keys, and firewall setup. Practice a few times to master remote server management.
If issues occur, first check if the service is running (systemctl status sshd), then verify the firewall and config file. Refer to the troubleshooting steps above to resolve most common problems.