SSH Server - Ubuntu
Ubuntu comes with a native SSH daemon using OpenSSH. We can set it up as a SSH server, listening for SSH client connections.
SSH Server Configuration
The configuration file is in /etc/ssh/sshd_config. It requires sudo to modify the file.
When messing with the SSHD configuration file, do ensure checking the configuration's syntax by running sudo /usr/sbin/sshd -t. Otherwise, if you mess up, you might find yourself not being able to log back in on restart.
The default configuration should be tuned for particular setting needs.
Settings to tune:
- Port: The port that the SSH server listens for connections on, by default, it is 22
- PubkeyAuthentication should be yes, to allow usage of SSH keys
- PasswordAuthentication should be no, to enforce usage of SSH keys, instead of passwords
- PermitEmptyPasswords should be no, to disallow empty passwords
- ClientAliveInterval can be set to 10, sends a packet from the SSH server to all SSH clients every 10 seconds
- ClientAliveCountMax can be set to 2, disconnects after 2 answer misses from the SSH client
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
Port 3034
AddressFamily any
ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
ClientAliveInterval 10
ClientAliveCountMax 2
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
Setting Up a New User
I've personally found the easiest way to create a new standard user in Ubuntu is via the User Interface.
Go to Settings (top right), search for "Users", and you can add a new standard User for SSH and change the user password.
In the command line, you'll have to use a combination of these commands to accomplish the same thing.
sudo adduser <new-user-name> # add a new user
sudo passwd <new-user-name> # change the password
sudo usermod -d /home/<new-user-name> -m <new-user-name> # set a specific home directory for the new user
sudo usermod -aG sudo <new-user-name> # grant user superuser access, this is optional
Restarting the SSH server
One of these commands should restart the ssh daemon.
sudo service sshd restart
sudo /etc/init.d/ssh restart
sudo systemctl ssh reload
sudo systemctl sshd reload
Live Debugging
Run the ssh daemon live in verbose mode to debug why ssh clients may be having trouble connecting:
sudo service sshd stop
sudo $(which sshd) -d -vvv
The flow will provide a general sense of what is failing.
For example, ssh public keys on the SSH server are sensitive to being too exposed to user read/write and you may need to run: chmod 600 <public key> to fix it. Another issue would be supported key exchange algorithms between the SSH client and servers.
Make sure to run sudo service sshd restart to restart the ssh daemon upon completing the debugging.
Setting up a SSH client
Follow the SSH client guide!
Checking SSH connections
- Ensure that the SSH daemon is running:
sudo ps aux | grep sshd. - Check for all established connections:
sudo netstat -tnpa | grep 'ESTABLISHED.*sshd'
Authorized SSH keys
The SSH public key (file ending in .pub) generated by the SSH client should be added to /home/<username>/.ssh/authorized_keys with the permission of the username:username.