Installing and configuring an SSH server on Linux. How to use the SSH protocol in Ubuntu: installation and configuration

This article is about setting up remote access to Ubuntu Server. The connection principle is very simple: on the client side we use a program for remote access (for example, PuTTY), on the server side we install and configure the OpenSSH package. When connecting, the client goes through an authentication procedure with the server and an encrypted connection is established between them. The principle of operation of the SSH protocol was discussed in more detail in the article on.

The network diagram is shown below. Remote connection to the server will be made from the client computer.

We installed Ubuntu Server on a clean hard drive. After installation, the server's network interface needs to be configured for network access: set the IP address, network mask and default gateway. If your interface is already configured, you can skip this step. Network interface settings are stored in the file /etc/network/interfaces. To edit it we will use the nano text editor.

We are now editing the interfaces file. We are interested in everything below # The primary network interface. At the moment the server receives an IP address via DHCP, which is not quite right: the server must have a static IP so that all nodes on the network know its address. Let's write the network settings manually.

My server is on the local subnet 192.168.1.0/24. The server is assigned IP 192.168.1.2, mask 255.255.255.0, default gateway 192.168.1.1, and DNS server address 192.168.0.1.

To save the file, press Ctrl+X, then Y, then Enter. To apply the settings you need to restart the networking service. You can also simply reboot the server with the sudo reboot command.

Check with the command ifconfig -a that the settings have been applied.

Everything is ready to install OpenSSH, which can be done from the terminal using the commands

$ sudo apt-get install openssh-client

$ sudo apt-get install openssh-server

You can control starting, stopping and restarting the SSH server using the commands

$ sudo service ssh stop | start | restart

In fact, you already have SSH access to the server. For finer tuning there is the configuration file /etc/ssh/sshd_config. The configuration file can only be edited as root.

On the client side, download any program to connect via SSH; I recommend PuTTY. In the program, all you have to do is enter the server's IP address and connect to it. When connecting, enter your username and password.


To install the ssh server, run in the terminal:

Ubuntu/Debian/Linux Mint

Then edit the ssh server settings in the /etc/ssh/sshd_config file
To do this, in the terminal run:


Also, to make OpenSSH listen only on certain IP addresses, for example 192.168.0.50 and 192.168.0.51 on port 777, simply add the following lines:

Restrict SSH access to specific users (here test, test2 and test3):

The OpenSSH server can use the Rlogin protocol for authorization and can simulate the behavior of the legacy rsh command, so disable reading of the user files ~/.rhosts and ~/.shosts:

Enable the warning banner by editing the following line and creating the corresponding file:

To keep logs of logins, make sure the LogLevel directive is set to INFO or DEBUG.
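The reason to insist on LogLevel INFO is that this is the level at which sshd records each failed and accepted authentication, and those lines are what you watch afterwards. The script below is an added example, not code from this article: it reads auth.log-style lines, counts failed password attempts per source address, flags sources over a threshold, and counts accepted password logins (which should drop to zero once password authentication is disabled). The log lines are constructed for this example and use RFC 5737 test addresses; on a real Ubuntu host feed it /var/log/auth.log instead.

```shell
#!/bin/sh
# Added example (not the article's code): summarise sshd authentication events
# from auth.log-style lines. The log below is constructed for this example and
# uses RFC 5737 test addresses; on a real Ubuntu host read /var/log/auth.log.
# sshd writes these "Failed password" / "Accepted ..." lines only when LogLevel
# is INFO or higher, which is why the article asks for INFO or DEBUG.
SAMPLE_LOG='Mar  3 10:15:01 server sshd[1234]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar  3 10:15:04 server sshd[1234]: Failed password for root from 203.0.113.45 port 51236 ssh2
Mar  3 10:15:09 server sshd[1240]: Accepted publickey for john from 192.168.1.10 port 40022 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Mar  3 10:15:12 server sshd[1250]: Failed password for invalid user test from 203.0.113.45 port 51240 ssh2
Mar  3 10:16:30 server sshd[1260]: Failed password for peter from 198.51.100.7 port 33000 ssh2
Mar  3 10:17:02 server sshd[1270]: Accepted password for michael from 192.168.1.11 port 40100 ssh2
Mar  3 10:17:40 server sshd[1280]: Failed password for root from 203.0.113.45 port 51250 ssh2'

# failed_logins_by_source [LOG_TEXT]: count "Failed password" events per source
# address, most frequent first. Defaults to the constructed sample.
failed_logins_by_source() {
    printf '%s\n' "${1:-$SAMPLE_LOG}" | awk '
        / sshd\[[0-9]+\]: Failed password for / {
            # the source address is the word after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") count[$(i + 1)]++
        }
        END { for (ip in count) print ip, count[ip] }' | sort -k2,2nr -k1,1
}

# flag_sources THRESHOLD [LOG_TEXT]: addresses with at least THRESHOLD failures,
# the usual input for a firewall rule or a fail2ban-style lockout.
flag_sources() {
    failed_logins_by_source "${2:-$SAMPLE_LOG}" | awk -v t="$1" '$2 >= t { print $1 }'
}

# root_login_attempts [LOG_TEXT]: failed attempts against root. With
# PermitRootLogin no they cannot succeed, but their volume is still a signal.
root_login_attempts() {
    printf '%s\n' "${1:-$SAMPLE_LOG}" \
        | awk '/Failed password for root from/ { n++ } END { print n + 0 }'
}

# password_logins [LOG_TEXT]: successful password logins. Once
# PasswordAuthentication is set to no this must be zero; anything else means
# the change did not take effect (or a Match block re-enabled it).
password_logins() {
    printf '%s\n' "${1:-$SAMPLE_LOG}" \
        | awk '/Accepted password for/ { n++ } END { print n + 0 }'
}

echo "Failed logins per source:"; failed_logins_by_source
echo "Sources with 3 or more failures:"; flag_sources 3
echo "Failed root attempts: $(root_login_attempts)"
echo "Accepted password logins: $(password_logins)"
```

To run it over a real log, pass the file contents as the argument, for example `failed_logins_by_source "$(cat /var/log/auth.log)"`; the functions only parse the standard sshd message format and ignore everything else in the file.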

To restart OpenSSH on CentOS, Fedora or RHEL:

In some cases, you can start the server only in this way:


To check the server status use the following command:


Now you can log into a computer with OpenSSH-server installed like this:

ssh [-p port]

For example:

CentOS / RHEL / Fedora Linux - you can disable or remove OpenSSH like this:

$ chkconfig sshd off
$ yum erase openssh-server

Main SSH files and folders:
~/.ssh/ - user configuration directories
~/.ssh/authorized_keys and ~/.ssh/authorized_keys2 - lists of public keys (RSA or DSA) that may be used to log in to the user account
~/.ssh/known_hosts - server keys
/etc/ssh/sshd_config - OpenSSH server configuration file
/etc/ssh/ssh_config - OpenSSH client configuration file
/etc/nologin - if this file exists, the system refuses logins to anyone other than the root user. It is better to remove it and not use it.
/etc/hosts.allow and /etc/hosts.deny - access control lists (ACLs)

In this article, we will show you how to install, configure and use OpenSSH on Ubuntu 16.04. SSH (Secure Shell) is a protocol that allows secure access to a remote machine, while OpenSSH is a set of tools based on the SSH protocol. Today we will show you how to install and configure OpenSSH using Ubuntu 16.04 as the operating system.

Installing OpenSSH on Ubuntu 16.04

First, let's install OpenSSH. Update package indexes using the following command:

sudo apt-get update

To install the OpenSSH server application, as well as other related packages, use the following command:

sudo apt-get install openssh-server

Please note that the OpenSSH server package may already be installed on your system as part of the initial server installation process. Alternatively, you can install the OpenSSH client application using the following command:

sudo apt-get install openssh-client

Setting up OpenSSH on Ubuntu 16.04

Before making any changes to the OpenSSH configuration, it is good to know how to manage the OpenSSH service on your server. To start the service you can use the following command:

sudo systemctl start sshd.service

To stop the service you can use:

sudo systemctl stop sshd.service

To restart the service you can use:

sudo systemctl restart sshd.service

To check the service status you can use:

sudo systemctl status sshd.service

To enable the service during system boot you can use:

sudo systemctl enable sshd.service

To disable the service while the system is booting you can use:

sudo systemctl disable sshd.service

After making any changes to the OpenSSH configuration, you need to restart the service for the changes to take effect.

The main configuration file for the OpenSSH server application is /etc/ssh/sshd_config . Make sure you back up your original configuration before making any changes:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig

You can edit this file with a text editor of your choice. The first thing you can do is change the default SSH port. Open the file and find the line that defines the listening port:

Change it to something else, for example 2022:

Port 2022

Save the file and close it. Then restart the service for the changes to take effect.

Now you can try connecting using the port number specified in the OpenSSH server configuration file. If you can connect to the server via SSH successfully, you can continue with the next step, which is to secure OpenSSH.

Secure OpenSSH on Ubuntu 16.04

#PermitRootLogin yes

and change it to:

PermitRootLogin no

Save the changes and restart the service for the changes to take effect. The next time you connect to the server, you can use the newly created sudo user.

To protect the server, you can also disable password checking and . Additionally, you can.

You can check additional configuration options using the man page:

man sshd_config

or you can visit the OpenSSH manual pages at https://www.openssh.com/manual.html.

This section of the Ubuntu Server Guide introduces a powerful collection of tools for the remote control of, and transfer of data between, networked computers called OpenSSH. You will also learn about some of the configuration settings possible with the OpenSSH server application and how to change them on your Ubuntu system.

OpenSSH is a freely available version of the Secure Shell (SSH) protocol family of tools for remotely controlling, or transferring files between, computers. Traditional tools used to accomplish these functions, such as telnet or rcp, are insecure and transmit the user's password in cleartext when used. OpenSSH provides a server daemon and client tools to facilitate secure, encrypted remote control and file transfer operations, effectively replacing the legacy tools.

The OpenSSH server component, sshd , listens continuously for client connections from any of the client tools. When a connection request occurs, sshd sets up the correct connection depending on the type of client tool connecting. For example, if the remote computer is connecting with the ssh client application, the OpenSSH server sets up a remote control session after authentication. If a remote user connects to an OpenSSH server with scp , the OpenSSH server daemon initiates a secure copy of files between the server and client after authentication. OpenSSH can use many authentication methods, including plain password, public key, and Kerberos tickets.

Installation

Installation of the OpenSSH client and server applications is simple. To install the OpenSSH client applications on your Ubuntu system, use this command at a terminal prompt:

sudo apt install openssh-client

To install the OpenSSH server application, and related support files, use this command at a terminal prompt:

sudo apt install openssh-server

The openssh-server package can also be selected to install during the Server Edition installation process.

Configuration

You may configure the default behavior of the OpenSSH server application, sshd , by editing the file /etc/ssh/sshd_config . For information about the configuration directives used in this file, you may view the appropriate manual page with the following command, issued at a terminal prompt:

man sshd_config

There are many directives in the sshd configuration file controlling such things as communication settings, and authentication modes. The following are examples of configuration directives that can be changed by editing the /etc/ssh/sshd_config file.

Prior to editing the configuration file, you should make a copy of the original file and protect it from writing so you will have the original settings as a reference and to reuse as necessary.

Copy the /etc/ssh/sshd_config file and protect it from writing with the following commands, issued at a terminal prompt:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
sudo chmod a-w /etc/ssh/sshd_config.original

The following are examples of configuration directives you may change:

    To set your OpenSSH to listen on TCP port 2222 instead of the default TCP port 22, change the Port directive as such:

    To have sshd allow public key-based login credentials, simply add or modify the line:

    PubkeyAuthentication yes

    If the line is already present, then ensure it is not commented out.

    To make your OpenSSH server display the contents of the /etc/issue.net file as a pre-login banner, simply add or modify the line:

    Banner /etc/issue.net

    In the /etc/ssh/sshd_config file.

After making changes to the /etc/ssh/sshd_config file, save the file, and restart the sshd server application to effect the changes using the following command at a terminal prompt:

sudo systemctl restart sshd.service

Many other configuration directives for sshd are available to change the server application's behavior to fit your needs. Be advised, however, that if your only method of access to a server is ssh and you make a mistake in configuring sshd via the /etc/ssh/sshd_config file, you may find you are locked out of the server upon restarting it. Additionally, if an incorrect configuration directive is supplied, the sshd server may refuse to start, so be extra careful when editing this file on a remote server.

We have worked out what SSH is and what its advantages are, and we have also implemented the simplest example of an SSH server and client.

Today I will talk about the SSH server settings in more detail.

As the famous phrase goes, "in Linux everything is a file", so to configure the SSH server it is necessary and sufficient to edit one configuration file. Its full path is /etc/ssh/sshd_config. To edit it, open this file with superuser rights in any text editor.

Before editing, just in case, we will make a backup of the file:

sudo cp /etc/ssh/sshd_config{,.bak}

Now let's look at its contents:

sudo nano /etc/ssh/sshd_config

After each change to this file you must restart the ssh server to apply the changes.

As we can see, there are quite a lot of parameters here; we will deal with each of them gradually.

Port

Here we specify which port our server will listen on. By default it listens on TCP port 22. Interestingly, you can specify multiple ports. For example:

ListenAddress

The general view of the settings can be written as follows:

ListenAddress host | IPv4_addr | IPv6_addr
ListenAddress address:port

Specifies the network address on which the server will listen.
If the server has several network interfaces configured with different IP addresses, you can restrict access with this parameter.
For example, the server has the following 4 network interfaces:

eth0 – 192.168.0.1
eth1 – 192.168.0.2
eth2 – 192.168.0.3
eth3 – 192.168.0.4

By default the ssh server waits for connections on all IP addresses. If you want users to be able to log in only on interfaces 2 and 3, do this:

ListenAddress 192.168.0.2
ListenAddress 192.168.0.3

You can also specify the port here. For example:

ListenAddress 192.168.0.2:222

If the port is not specified, ssh will listen on this address on the port given by the Port option. If you use ListenAddress without specifying a port, the Port option must come before the ListenAddress option. If you do not specify ListenAddress at all, the server listens on all local addresses by default.

AddressFamily

Specifies which family of IP addresses the ssh service must use. Possible options:
"any" – any
"inet" – only IPv4
"inet6" – only IPv6
The default is "any".

Where possible, it makes sense to limit the address family to the one actually in use: if you only use IPv4, disable IPv6, and vice versa.

For example, to allow IPv4 and forbid IPv6:

AddressFamily inet

Protocol

ssh can work with the SSH1 and SSH2 protocols. Using the insecure SSH1 is strongly discouraged. To force ssh to work only with SSH2, do this:

Protocol 2

PermitRootLogin

By default, nothing forbids logging into the remote server as the user root. But this is not entirely safe. Instead, it is more correct to log in with a regular user account and raise your privileges with the command 'su -', or use 'sudo'.

If your organization has several system administrators and they all connect to the server as the superuser, it is not always possible to find out which administrator is on the server. Once direct login as root is disabled, system administrators first log in under their own account and only then receive superuser privileges; this makes it easier to audit the server and the actions performed by system administrators.
To disable direct root login, set the PermitRootLogin parameter to "no".

PermitRootLogin no

PermitEmptyPasswords

Block empty passwords:

PermitEmptyPasswords no

AllowUsers, AllowGroups

By default, any user on the server can log in. It is better to limit the set of users who are allowed ssh access.
This is useful when you create a number of users on the system but want to allow ssh access only to some of them.

To do this, add to the sshd_config configuration file the specific users that exist on the server. In the example below these are the users john, peter and michael, who are allowed to log into the server. Usernames are separated by spaces.

AllowUsers john peter michael

To allow all users who belong to a specific group, specify it as shown in the example below. Groups whose members are allowed to log into the server are also separated by spaces.

AllowGroups developers administrators

DenyUsers, DenyGroups

As the opposite of allowing access to specific users or groups, you can also specify users or groups that are denied access to the server.
To do this, add the DenyUsers parameter to the sshd_config configuration file and list, separated by spaces, the users who are forbidden from accessing the server. In the example below these are the system user apache and the very real user boris.

DenyUsers apache boris

There is also an option that denies access not to individual users but to entire groups that users belong to. This is the DenyGroups parameter, and the groups are likewise separated by spaces.

DenyGroups marketing hackers

Please note that you can combine the denying and allowing parameters: DenyUsers, AllowUsers, DenyGroups and AllowGroups.

LoginGraceTime

When logging in to the server via ssh you have 2 minutes to enter your username and password. If you do not, the connection to the server is dropped. 2 minutes of waiting for authentication data is quite a lot; it should be limited to 1 minute or even 30 seconds.

To do this, change the LoginGraceTime parameter in the sshd_config file and give the required time there. In the example below it is 1 minute.

LoginGraceTime 1m

ClientAliveInterval

Disconnecting when there is no activity in the shell

After you have successfully logged into the server, you may want the session to be disconnected automatically after a period during which you have performed no action on the console. This is commonly referred to as idle time.

In Bash, you can achieve this by setting the TMOUT environment variable.

In OpenSSH this is achieved with a combination of the ClientAliveCountMax and ClientAliveInterval parameters in the sshd_config configuration file.

  • ClientAliveCountMax – the maximum number of keepalive messages the ssh server sends without receiving any response from the ssh client. The default is 3.
  • ClientAliveInterval – the wait time (timeout) in seconds. After this time the ssh server sends a keepalive message to the client and expects a response. The default is 0, meaning the server does not send check messages at all.

For your ssh client to be disconnected automatically after 10 minutes (600 seconds), change the sshd_config configuration file as follows:

ClientAliveInterval 600
ClientAliveCountMax 0
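The directives walked through above (PermitRootLogin, PermitEmptyPasswords, AllowUsers/AllowGroups, LoginGraceTime, ClientAliveInterval) and the earlier notes on IgnoreRhosts, Banner and LogLevel can be checked mechanically rather than by eye. The script below is an added example, not code from this article or from the OpenSSH project: it reads an sshd_config, resolves each directive the way sshd does (comments skipped, keywords case-insensitive, the first occurrence wins, and the global section ends at the first Match block) and reports weak values. It runs against a constructed sample config embedded in the script; the sample deliberately sets PermitRootLogin twice to show that appending PermitRootLogin no to the end of a file does not override an earlier yes.

```shell
#!/bin/sh
# Added example (not the article's or OpenSSH's code): audit an sshd_config for
# the settings discussed in this article. It runs offline against the constructed
# sample below; pass the contents of /etc/ssh/sshd_config to audit a real host.

# Constructed sample config. PermitRootLogin appears twice on purpose: sshd uses
# the FIRST value it finds, so the later "no" never takes effect. The Match
# block shows that conditional values must not be read as global settings.
SAMPLE_CONFIG='# sshd_config sample, constructed for this example
#Port 22
Port 2022
ListenAddress 192.168.0.2
AddressFamily inet
#PermitRootLogin yes
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
IgnoreRhosts no
LoginGraceTime 2m
AllowUsers john peter michael
ClientAliveInterval 0
Match User backup
    ClientAliveCountMax 0
'

# sshd_get CONFIG_TEXT KEYWORD DEFAULT
# Print the effective global value of KEYWORD the way sshd resolves it:
# comments and blank lines are skipped, keywords are case-insensitive,
# "Keyword=value" is accepted, the first occurrence wins, and reading stops at
# the first Match block. DEFAULT is printed when the keyword is absent.
sshd_get() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(printf '%s\n' "$1" | awk -v key="$key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { gsub(/=/, " "); k = tolower($1) }
        k == "match" { exit }
        k == key { print $2; exit }')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# to_seconds TIME: convert the time formats sshd accepts (30, 30s, 1m, 2h)
# into a plain number of seconds.
to_seconds() {
    case $1 in
        *s) echo "${1%s}" ;;
        *m) echo $(( ${1%m} * 60 )) ;;
        *h) echo $(( ${1%h} * 3600 )) ;;
        *)  echo "$1" ;;
    esac
}

# sshd_audit CONFIG_TEXT: print one FINDING line per weak setting, then a total.
# The defaults passed to sshd_get are sshd's documented defaults for an absent line.
sshd_audit() {
    cfg=$1
    n=0
    finding() { n=$((n + 1)); echo "FINDING: $1"; }

    [ "$(sshd_get "$cfg" PermitRootLogin unset)" = no ] \
        || finding "PermitRootLogin is not 'no' (remember: first occurrence wins)"
    [ "$(sshd_get "$cfg" PermitEmptyPasswords no)" = no ] \
        || finding "PermitEmptyPasswords is enabled"
    [ "$(sshd_get "$cfg" PasswordAuthentication yes)" = no ] \
        || finding "PasswordAuthentication is enabled; prefer key-based login"
    [ "$(sshd_get "$cfg" IgnoreRhosts yes)" = yes ] \
        || finding "IgnoreRhosts is disabled (~/.rhosts and ~/.shosts are honoured)"
    [ "$(to_seconds "$(sshd_get "$cfg" LoginGraceTime 120)")" -le 60 ] \
        || finding "LoginGraceTime is longer than 60 seconds"
    [ "$(sshd_get "$cfg" ClientAliveInterval 0)" -gt 0 ] \
        || finding "ClientAliveInterval is 0; unresponsive sessions are never dropped"
    case $(sshd_get "$cfg" LogLevel INFO | tr 'a-z' 'A-Z') in
        INFO|VERBOSE|DEBUG|DEBUG1|DEBUG2|DEBUG3) ;;
        *) finding "LogLevel is below INFO; logins will not be recorded" ;;
    esac
    [ -n "$(sshd_get "$cfg" Banner '')" ] \
        || finding "No pre-login Banner configured"
    [ -n "$(sshd_get "$cfg" AllowUsers '')$(sshd_get "$cfg" AllowGroups '')" ] \
        || finding "Neither AllowUsers nor AllowGroups set: every account may log in"
    echo "findings: $n"
}

# Audit the constructed sample; on a real host use:
#   sshd_audit "$(cat /etc/ssh/sshd_config)"
sshd_audit "$SAMPLE_CONFIG"
```

Two points the audit cannot express. First, after editing, run `sudo sshd -t` (with `-f FILE` for a copy) before restarting: it parses the configuration without starting the daemon, so a typo is caught before it locks you out, as warned in the Ubuntu Server Guide section above. Second, the Protocol directive is deliberately not checked, because OpenSSH 7.4 and later servers no longer support protocol 1 at all. Note also that ClientAliveInterval and ClientAliveCountMax detect clients that have stopped responding rather than users who have stopped typing, and that in OpenSSH 8.2 and later ClientAliveCountMax 0 disables disconnection entirely, so check sshd_config(5) for your version before relying on the 600/0 combination above.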

That's all for now. In principle, I think this is already enough for good configuration and improved security ssh. In the next part we will look at some more parameters ssh- server and maybe we can discuss key-based authentication.

Good luck to everyone and see you soon on our blog!



