Complete OpenSSH guide in Linux: installation, configuration and best practices

Introduction to OpenSSH

OpenSSH is the most used implementation of the Secure Shell (SSH) protocol in Linux and other Unix-like systems. It provides an encrypted channel to remotely access machines, transfer files and run commands safely.

Brief history

OpenSSH was born in 1999 as a free fork of the original SSH project, developed by Tatu Ylönen. Its aim was to offer a patent-free and BSD-licensed alternative, which has facilitated its adoption in virtually all Linux distributions.

Installation in the most popular distributions

  • Debian / Ubuntu: sudo apt-get update && sudo apt-get install openssh-server openssh-client
  • Fedora: sudo dnf install openssh-server openssh-client
  • RHEL / CentOS: sudo yum install openssh-server openssh-client (in recent versions use dnf)
  • Arch Linux: sudo pacman -S openssh
  • openSUSE: sudo zypper install openssh

Basic daemon sshd configuration

The main configuration file is /etc/ssh/sshd_config. Some essential directives are:

  • Port 22 - defines the listening port (it can be changed to a non-standard port to reduce noise).
  • PermitRootLogin prohibit-password - prevents root from logging in with a password, so root must use keys.
  • PasswordAuthentication no - disables password authentication once SSH keys are in place.
  • AllowUsers usuario1 usuario2 - limits access to the listed users.

After modifying the file, reload the service with:

sudo systemctl reload sshd
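The directives above are the ones most often left in a weak state. The following script, added here as an example and not part of the original article, reads an sshd_config file and reports each weak setting; the sample file it writes is constructed for the demonstration, and the function and variable names are my own.

```shell
#!/bin/sh
# Constructed sample sshd_config (not a real host's file) used to exercise the checks.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
X11Forwarding yes
AllowUsers usuario1 usuario2
EOF

# effective_value FILE DIRECTIVE: value of the first uncommented occurrence (sshd
# honours the first match); prints "<default>" if the directive is absent.
# Match blocks are not modelled: run "sshd -T" on a real host for the effective config.
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; found = 1; exit }
                    END { if (!found) print "<default>" }' "$1"
}

# audit_sshd_config FILE: prints one line per weak setting; the return code is
# the number of findings, so 0 means the file passes all checks.
audit_sshd_config() {
    f=$1; findings=0
    v=$(effective_value "$f" PermitRootLogin)
    case "$v" in
        no|prohibit-password|"<default>") ;;   # default is prohibit-password since OpenSSH 7.0
        *) echo "PermitRootLogin $v: use prohibit-password or no"; findings=$((findings + 1)) ;;
    esac
    v=$(effective_value "$f" PasswordAuthentication)
    case "$v" in
        no) ;;
        *) echo "PasswordAuthentication $v (sshd default is yes): set to no once keys are deployed"; findings=$((findings + 1)) ;;
    esac
    v=$(effective_value "$f" X11Forwarding)
    if [ "$v" = yes ]; then
        echo "X11Forwarding yes: disable unless it is really needed"; findings=$((findings + 1))
    fi
    v=$(effective_value "$f" AllowUsers)
    if [ "$v" = "<default>" ]; then
        echo "AllowUsers unset: restrict logins to named accounts"; findings=$((findings + 1))
    fi
    return $findings
}

if audit_sshd_config "$SAMPLE_CONFIG"; then echo "no findings"; else echo "findings: $?"; fi
rm -f "$SAMPLE_CONFIG"
```

Run it against a copy of /etc/ssh/sshd_config before reloading the daemon; the sample file above produces three findings.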

SSH key generation and management

The key pair is created with ssh-keygen. For example:

ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519 -C 'comentario opcional'

Then copy the public key to the remote server:

ssh-copy-id -i ~/.ssh/id_ed25519.pub usuario@servidor

It is recommended to protect the private key with a strong passphrase.

Use of the SSH client

To connect:

ssh -i ~/.ssh/id_ed25519 usuario@servidor

File transfer with scp and sftp:

scp archivo.local usuario@servidor:/ruta/remota/
sftp usuario@servidor

Tunnels and port forwarding

OpenSSH can create secure tunnels:

  • Local forwarding: ssh -L 8080:localhost:80 usuario@servidor - access an internal web service at localhost:8080.
  • Remote forwarding: ssh -R 9000:localhost:3000 usuario@servidor - exposes a local service on the server.
  • Dynamic forwarding (SOCKS proxy): ssh -D 1080 usuario@servidor - sets up a SOCKS proxy for secure browsing.

Best security practices

  • Keep OpenSSH updated through the distribution's repositories.
  • Use strong key algorithms (ed25519 or RSA ≥ 4096 bits).
  • Disable password authentication after setting keys.
  • Implement fail2ban or similar to block brute force attempts.
  • Review /var/log/auth.log (Debian / Ubuntu) or /var/log/secure (RHEL) regularly to detect suspicious accesses.
  • Limit access by IP using TCP wrappers or iptables/nftables rules.

Troubleshooting common problems

  • Error «Permission denied (publickey)»: check that the public key is in ~/.ssh/authorized_keys of the remote user, and that the .ssh directory has permissions 700 and the file 600.
  • Connection refused: make sure the sshd daemon is running (systemctl status sshd) and that no firewall is blocking the port.
  • High latency: check that X11 forwarding (-X) is not enabled unnecessarily and that the MTU is appropriate.

OpenSSH and automation

Many configuration management tools such as Ansible, Chef and Puppet depend on SSH to run remote tasks. In Ansible, the ping module verifies connectivity through an SSH connection. It is recommended to use a dedicated user with SSH keys and restrict its access with AllowUsers in sshd_config.

SSH certificates and certification authority (CA)

Instead of managing thousands of individual public keys, you can create a certificate authority that signs user keys. The server trusts the CA and accepts any key signed by it. This simplifies key rotation and reduces the administration load. To generate a CA:

ssh-keygen -f ~/.ssh/ca -t ed25519 -N ''

Then sign a user key:

ssh-keygen -s ~/.ssh/ca -I id_ejemplo -V +52w:~1d ~/.ssh/id_ed25519.pub

The resulting file id_ed25519-cert.pub is sent to the user, and the server must have the option TrustedUserCAKeys ~/.ssh/ca.pub in its configuration.
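The following script, added here as an example rather than taken from the article, runs the whole CA flow in a scratch directory and adds the part the commands above leave out: the principals (-n) embedded in the certificate, which the server matches against the login name or an AuthorizedPrincipalsFile. The key names, the identity "usuario1@laptop" and the server-side paths in the comments are assumptions for the demonstration; the function returns 0 and prints "skipped" when ssh-keygen is not installed.

```shell
#!/bin/sh
# ca_cert_demo: generate a CA, sign a user key with principals, and inspect the
# certificate the way sshd will. Prints "ok" on success, returns 1 on any failure.
ca_cert_demo() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo "skipped: ssh-keygen not found"; return 0; }
    d=$(mktemp -d) || return 1
    # 1. CA key pair. In production keep the private half offline (or in an HSM)
    #    and protect it with a passphrase instead of -N ''.
    ssh-keygen -q -t ed25519 -N '' -C 'demo-ca' -f "$d/ca" || return 1
    # 2. User key pair (normally generated by the user, who sends only the .pub).
    ssh-keygen -q -t ed25519 -N '' -f "$d/id_ed25519" || return 1
    # 3. Sign it: -I is the identity written to the server log, -n the principals
    #    (accounts) the certificate may log in as, -V a one-week validity window.
    ssh-keygen -s "$d/ca" -I "usuario1@laptop" -n usuario1,deploy -V +1w \
        "$d/id_ed25519.pub" >/dev/null || return 1
    # 4. Decode the certificate: both the key id and each principal must be present.
    ssh-keygen -L -f "$d/id_ed25519-cert.pub" > "$d/cert.txt" || return 1
    grep -q 'Key ID: "usuario1@laptop"' "$d/cert.txt" || return 1
    grep -q '^ *usuario1$' "$d/cert.txt" || return 1   # principals are listed one per line
    grep -q '^ *deploy$'   "$d/cert.txt" || return 1
    # 5. Server side (assumed paths), in /etc/ssh/sshd_config:
    #      TrustedUserCAKeys /etc/ssh/ca.pub
    #      AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
    #    With the second line, a login as "deploy" is allowed only if that file
    #    lists a principal that also appears in the certificate.
    rm -rf "$d"
    echo "ok"
}

ca_cert_demo
```

Without AuthorizedPrincipalsFile, sshd accepts the certificate for any account whose name appears in its principal list, so keep that list as short as the user's real duties allow.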

Use of ssh-agent and agent forwarding

The SSH agent keeps private keys in memory so that the passphrase does not have to be typed every time. It is started with eval $(ssh-agent) and keys are added with ssh-add. Agent forwarding (ssh -A) allows an intermediate host to use the original client's credentials, which is useful in bastion (jump host) architectures. Note that anyone with root on that intermediate host can use the forwarded agent while the session is open, so for a plain jump the ProxyJump option (ssh -J) is the safer choice.

Auditing and logging of connections

OpenSSH records every connection attempt in /var/log/auth.log (Debian / Ubuntu) or /var/log/secure (RHEL). For more detailed monitoring, the VERBOSE log level can be enabled in sshd_config with LogLevel VERBOSE. In addition, tools like last and utmpdump let you inspect who has logged in and from where.
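Reviewing these logs (the practice recommended in the best-practices list above and in this section) is easier with a few reusable functions. The script below is an added example, not code from the article: it works over a constructed extract of auth.log, counts failed password attempts per source address, lists the sources that exceed a threshold, and reports every accepted login with its method so that a password login showing up after PasswordAuthentication no has been deployed is immediately visible. Function names, addresses and user names are my own.

```shell
#!/bin/sh
# Constructed /var/log/auth.log extract (documentation addresses, no real hosts).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
Mar  3 10:01:05 host sshd[1203]: Failed password for root from 203.0.113.10 port 51240 ssh2
Mar  3 10:01:09 host sshd[1205]: Failed password for root from 203.0.113.10 port 51244 ssh2
Mar  3 10:02:00 host sshd[1210]: Accepted publickey for usuario1 from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:constructed
Mar  3 10:03:11 host sshd[1215]: Failed password for usuario1 from 198.51.100.7 port 40030 ssh2
Mar  3 10:04:20 host sshd[1220]: Accepted password for usuario2 from 192.0.2.5 port 33010 ssh2
EOF

# failed_by_source FILE: prints "ip count" per source address, most failures first.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print ip, n[ip] }' "$1" | sort -k2,2nr -k1,1
}

# brute_force_sources FILE THRESHOLD: addresses with at least THRESHOLD failures
# (the same kind of list fail2ban builds before issuing a ban).
brute_force_sources() {
    failed_by_source "$1" | awk -v t="$2" '$2 >= t { print $1 }'
}

# accepted_logins FILE: prints "method user ip" for every successful login. A
# "password" row after PasswordAuthentication no was deployed means the directive
# is not in effect (sshd not reloaded, or a Match block overrides it).
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted (publickey|password|keyboard-interactive)/ {
            m = ""; u = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted") m = $(i + 1)
                if ($i == "for")      u = $(i + 1)
                if ($i == "from")     ip = $(i + 1)
            }
            print m, u, ip
         }' "$1"
}

echo "== failures per source =="; failed_by_source "$SAMPLE_LOG"
echo "== sources with >= 3 failures =="; brute_force_sources "$SAMPLE_LOG" 3
echo "== accepted logins (method user ip) =="; accepted_logins "$SAMPLE_LOG"
rm -f "$SAMPLE_LOG"
```

On hosts where sshd logs to the journal rather than a file, feed the functions with `journalctl -u ssh -o short` (the unit is `sshd` on RHEL) saved to a file.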

OpenSSH in containers and high-availability environments

In Docker containers, it is common to run an SSH server only for debugging, although it is recommended to avoid it in production for security reasons. If needed, you can use a minimal image like ubuntu:22.04 and install openssh-server, exposing port 2222 and mapping it to the host. In server clusters, a load balancer like HAProxy can distribute SSH connections among several nodes, improving fault tolerance.

Conclusion

OpenSSH remains the cornerstone of secure remote management in Linux environments. Its combination of strong encryption, configuration flexibility and broad support makes it an essential tool for administrators, developers and any professional who needs to access systems securely. By following the practices described in this article you can install, configure and use OpenSSH with confidence, minimizing risks and maximizing productivity.

This work is licensed under a Creative Commons Attribution 4.0 International License by Francesc Roig, francesc @ vivaldi.net.
