Linux - How to Enable SSH
We’re going to show you how to enable an SSH server on Linux. This will give you easy remote access to the system from the terminal. Once set up, you will be able to log in with SSH and transfer files with SCP. SSH is the standard, secure way to connect to Linux and Unix systems.
Basic Steps:
- Install the SSH Server ( sshd )
- Enable it
Optional Steps:
- Set up SSH keys
- Configure sudo
- Set up firewall
- Change port
- Disable root access
We are going to cover Ubuntu, Debian, RHEL, CentOS, Fedora, and Arch.
Quick Basic Steps
Assuming you are running a somewhat recent version of Ubuntu ( or Debian ), these are the quick, basic steps to get you up and running with SSH server:
sudo apt update
sudo apt install openssh-server
sudo systemctl enable ssh
sudo systemctl start ssh
sudo systemctl status ssh
ssh user1@my-server1
That’s it! You are all set. If you are using a different distro or want to understand the process better, keep reading. We also have instructions for further customization.
Install OpenSSH Server
For Ubuntu:
Update your repository info:
sudo apt update
Actually install the package:
sudo apt install openssh-server
For CentOS 8, RHEL 8, and Newer Fedora Versions:
sudo dnf install openssh-server
For CentOS 6/7 or RHEL 6/7:
sudo yum -y install openssh-server openssh-clients
For Arch Linux:
sudo pacman -S openssh
Enable OpenSSH Server
The server will probably be enabled and running once you install it. You can use these steps to enable it if you need to and to verify that it is up and running. This should be pretty close to the same thing for any distro so long as you are using systemd. If you aren’t running systemd, this will be a bit different.
With Systemd ( RHEL 7/8 and Recent Ubuntu )
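Make sure the ssh service is enabled and will start on boot. The unit is named ssh on Ubuntu and Debian and sshd on RHEL, CentOS, Fedora, and Arch, so substitute sshd in the commands below on those systems: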
sudo systemctl enable ssh
Start the server:
sudo systemctl start ssh
Check the status of the service:
sudo systemctl status ssh
Manually check that the process is running:
ps -ef | grep -i sshd
Verify that you can connect to the system with SSH. This is assuming that your username is “user1” and that the hostname is “my-server1”.
ssh user1@my-server1
Without Systemd ( RHEL 6 )
Enable it to start on boot:
sudo chkconfig sshd on
Start it up:
sudo service sshd start
Verify ( similar to above steps for systemd ):
ps -ef | grep -i sshd
ssh user1@my-server1
Setup Firewall
For Ubuntu:
The firewall is disabled by default on Ubuntu, but you can enable it if you want to. It can be set up to allow access to ssh like this. Just be careful that you don’t disconnect yourself by accidentally blocking ssh: allow SSH before you enable the firewall.
sudo ufw allow ssh
sudo ufw enable
sudo ufw status
For CentOS 8 or RHEL 8:
sudo firewall-cmd --zone=public --permanent --add-service=ssh
sudo firewall-cmd --reload
Disable Root Login Over SSH
It is a good idea to disable root login through SSH as a security measure. It is best practice to log in as an unprivileged user and then either change to the root user after you have connected or use sudo.
WARNING - Don’t lock yourself out. Before disabling root login over SSH you should make sure that you can change to the root user from your own account. This can be done either by using the root password or by using sudo. See the section on setting up sudo.
Use either vim or nano to edit your ssh config file:
sudo vim /etc/ssh/sshd_config
sudo nano /etc/ssh/sshd_config
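Make sure that you have a line like this and that it is uncommented. sshd uses the first value it finds for a keyword, so check that no earlier PermitRootLogin line in the file sets a different value: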
PermitRootLogin no
Reload the service ( or just restart it ) so that the changes will be live. On Ubuntu and Debian the unit may be named ssh instead of sshd:
sudo systemctl reload sshd
Change What Port SSHD Runs On
Changing the port that SSH runs on can help to avoid potential attacks. People are constantly running automated scans looking for vulnerable ports. When they are looking for an SSH server to attack they will usually just scan for port 22 across all hosts in a range. Just by changing your port you can avoid being detected by these automated scans. It doesn’t make you invisible. It just makes it easier to stay under the radar. It reduces the chances that you will become a target.
Use either vim or nano to edit your ssh config file:
sudo vim /etc/ssh/sshd_config
sudo nano /etc/ssh/sshd_config
Find the line that specifies the port and uncomment it if needed. Update the port number to the number that you want.
Port 1234
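Reload the service ( or just restart it ) so that the changes will be live. If a firewall is enabled, allow the new port first, because the ssh rules in the firewall section only open port 22:
sudo systemctl reload sshd
When you log in using a non-standard port you will need to specify the port number from your client, for example with the ssh client's -p option.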
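The PermitRootLogin and Port edits above only take effect if sshd actually uses the line you changed. The following shell script is an added example, not part of the original article; its function names and the sample config are constructed for illustration, and it goes slightly beyond the text by applying sshd's first-value-wins rule and its support for repeated Port lines.

```shell
#!/bin/sh
# Added example, not from the original article. Simplifications: whitespace-separated
# "Keyword value" lines, global section only (stops at the first Match block),
# Include files are not followed.

# First uncommented value for a keyword: sshd keeps the first value it obtains.
first_value() {   # usage: first_value KEYWORD FILE DEFAULT
  awk -v want="$1" -v def="$3" '
    /^[ \t]*(#|$)/ { next }                        # comments and blank lines
    tolower($1) == "match" { exit }                # conditional overrides start here
    tolower($1) == tolower(want) { val = $2; exit }
    END { print (val != "" ? val : def) }
  ' "$2"
}

# Port may be given several times; every occurrence adds a listening port.
listen_ports() {  # usage: listen_ports FILE
  awk '
    /^[ \t]*(#|$)/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == "port" { ports = (ports == "" ? $2 : ports " " $2) }
    END { print (ports != "" ? ports : "22") }
  ' "$1"
}

# Exit status is non-zero if the effective setting still permits root login.
audit_sshd_config() {  # usage: audit_sshd_config FILE
  root=$(first_value PermitRootLogin "$1" prohibit-password)  # upstream OpenSSH default
  echo "PermitRootLogin=$root ports=$(listen_ports "$1")"
  [ "$root" = "no" ]
}

# Constructed sample: the commented line is ignored and the later "no" comes too late.
write_sample() {  # usage: write_sample FILE
  cat > "$1" <<'EOF'
#Port 22
Port 1234
#PermitRootLogin no
permitrootlogin yes
PermitRootLogin no
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_sshd_config "$sample" || echo "FINDING: root login over SSH is not disabled"
rm -f "$sample"
```

On a host with OpenSSH installed, sudo sshd -t checks the file for syntax errors and sudo sshd -T prints the effective configuration; run them before reloading the service.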
Sudo Access
Sudo can be used to run commands as root or as another user. There is a good chance that you already have this access. If not, we will show you how to enable it.
If you want to run a command as root you can just put the sudo command before the actual command that you want to run with root privileges:
sudo cat /etc/shadow
If you want to change user to root without sudo you would use the following command but you will need the root password:
su -
If you want to change user to root without the root password and you have sudo access you can run the following which will require your own password:
sudo su -
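If you don’t have sudo access you will get an error running the sudo command. You will need to add yourself to the sudoers file. To do this you will need to edit the file as root using either vim or nano. Running visudo instead opens the same file and checks the syntax before saving, which keeps a typo from breaking sudo.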
vim /etc/sudoers
nano /etc/sudoers
You can directly add yourself to this file by adding a line like this ( assuming your user name is “user1” ):
user1 ALL=(ALL:ALL) ALL
Alternatively you could specify a group in the sudoers file and just make sure that your user is added to that group. There is a good chance that a group like this is already defined:
%sudo ALL=(ALL:ALL) ALL
If you see something like this already defined, you will just need to uncomment that group and make sure that your user is a member of the group.
You can add a user to the sudo group, for example, by adding a line like this to the /etc/group file. Edit this file using either nano or vim.
sudo:x:1000:steve,greg,user1,tom,user2
Disabling SSH
On a system with systemd it is easy to disable SSH. Just stop the service and then disable it so that it won’t start on boot.
sudo systemctl stop ssh
sudo systemctl disable ssh